Talos Rules 2015-07-22
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-office, file-other, file-pdf, malware-cnc, malware-other, protocol-tftp, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-07-22 18:17:56 UTC

Snort Subscriber Rules Update

Date: 2015-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35346 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Unicode value memory corruption attempt (file-pdf.rules)
 * 1:35345 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Unicode value memory corruption attempt (file-pdf.rules)
 * 1:35344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall click fraud response (malware-cnc.rules)
 * 1:35335 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit Flash download attempt (exploit-kit.rules)
 * 1:35334 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit Flash download attempt (exploit-kit.rules)
 * 1:35333 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit Flash download attempt (exploit-kit.rules)
 * 1:35332 <-> DISABLED <-> FILE-PDF Adobe Reader format action use after free attempt (file-pdf.rules)
 * 1:35331 <-> DISABLED <-> FILE-PDF Adobe Reader format action use after free attempt (file-pdf.rules)
 * 1:35330 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35329 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35328 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35327 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35326 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF Control.TaskSymbol.1 heap corruption attempt - Win.Trojan.Sofacy (file-office.rules)
 * 1:35325 <-> ENABLED <-> FILE-OFFICE Microsoft Word RTF Control.TaskSymbol.1 heap corruption attempt - Win.Trojan.Sofacy (file-office.rules)
 * 1:35324 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader ComboBox field Format action use-after-free attempt (file-pdf.rules)
 * 1:35323 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader ComboBox field Format action use-after-free attempt (file-pdf.rules)
 * 1:35322 <-> ENABLED <-> FILE-PDF Adobe Reader setTimeOut app.launchURL privilege escalation attempt (file-pdf.rules)
 * 1:35321 <-> ENABLED <-> FILE-PDF Adobe Reader setTimeOut app.launchURL privilege escalation attempt (file-pdf.rules)
 * 1:35320 <-> ENABLED <-> FILE-PDF Adobe Reader ToolEventHandler use-after-free attempt (file-pdf.rules)
 * 1:35319 <-> ENABLED <-> FILE-PDF Adobe Reader ToolEventHandler use-after-free attempt (file-pdf.rules)
 * 1:35318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jemerr outbound connection (malware-cnc.rules)
 * 1:35317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Directate outbound connection (malware-cnc.rules)
 * 1:35316 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string EI Plugin updater (blacklist.rules)
 * 1:35315 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Downloader.Comsteal outbound connection (malware-cnc.rules)
 * 1:35314 <-> DISABLED <-> SERVER-APACHE Apache HTTP Server mod_proxy denial of service attempt (server-apache.rules)
 * 1:35313 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:35312 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:35311 <-> DISABLED <-> SERVER-WEBAPP Centreon getStats.php command injection attempt (server-webapp.rules)
 * 1:35310 <-> DISABLED <-> SERVER-WEBAPP Centreon getStats.php command injection attempt (server-webapp.rules)
 * 1:35309 <-> ENABLED <-> FILE-PDF Adobe Reader MakeMeasurement buffer overflow attempt (file-pdf.rules)
 * 1:35308 <-> ENABLED <-> FILE-PDF Adobe Reader MakeMeasurement buffer overflow attempt (file-pdf.rules)
 * 1:35307 <-> DISABLED <-> SERVER-OTHER OpenSSL alternative chains certificate forgery attempt (server-other.rules)
 * 1:35306 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Cigamve request (malware-cnc.rules)
 * 3:35336 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35337 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35338 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35339 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35340 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35341 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35342 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35343 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35347 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified MeetingPlace password change policy bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:35305 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)
 * 1:35115 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer replaceChild function memory corruption attempt (browser-ie.rules)
 * 1:35304 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)
 * 1:34991 <-> ENABLED <-> MALWARE-OTHER Group 6 Adobe Flash exploit download attempt (malware-other.rules)
 * 1:35114 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer replaceChild function memory corruption attempt (browser-ie.rules)
 * 1:28251 <-> DISABLED <-> SERVER-WEBAPP Zabbix httpmon.php SQL injection attempt (server-webapp.rules)

2015-07-22 18:17:56 UTC

Snort Subscriber Rules Update

Date: 2015-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35307 <-> DISABLED <-> SERVER-OTHER OpenSSL alternative chains certificate forgery attempt (server-other.rules)
 * 1:35320 <-> ENABLED <-> FILE-PDF Adobe Reader ToolEventHandler use-after-free attempt (file-pdf.rules)
 * 1:35311 <-> DISABLED <-> SERVER-WEBAPP Centreon getStats.php command injection attempt (server-webapp.rules)
 * 1:35310 <-> DISABLED <-> SERVER-WEBAPP Centreon getStats.php command injection attempt (server-webapp.rules)
 * 1:35313 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:35312 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:35314 <-> DISABLED <-> SERVER-APACHE Apache HTTP Server mod_proxy denial of service attempt (server-apache.rules)
 * 1:35308 <-> ENABLED <-> FILE-PDF Adobe Reader MakeMeasurement buffer overflow attempt (file-pdf.rules)
 * 1:35309 <-> ENABLED <-> FILE-PDF Adobe Reader MakeMeasurement buffer overflow attempt (file-pdf.rules)
 * 1:35315 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Downloader.Comsteal outbound connection (malware-cnc.rules)
 * 1:35306 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Cigamve request (malware-cnc.rules)
 * 1:35316 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string EI Plugin updater (blacklist.rules)
 * 1:35318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jemerr outbound connection (malware-cnc.rules)
 * 1:35317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Directate outbound connection (malware-cnc.rules)
 * 1:35319 <-> ENABLED <-> FILE-PDF Adobe Reader ToolEventHandler use-after-free attempt (file-pdf.rules)
 * 1:35321 <-> ENABLED <-> FILE-PDF Adobe Reader setTimeOut app.launchURL privilege escalation attempt (file-pdf.rules)
 * 1:35322 <-> ENABLED <-> FILE-PDF Adobe Reader setTimeOut app.launchURL privilege escalation attempt (file-pdf.rules)
 * 1:35323 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader ComboBox field Format action use-after-free attempt (file-pdf.rules)
 * 1:35324 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader ComboBox field Format action use-after-free attempt (file-pdf.rules)
 * 1:35325 <-> ENABLED <-> FILE-OFFICE Microsoft Word RTF Control.TaskSymbol.1 heap corruption attempt - Win.Trojan.Sofacy (file-office.rules)
 * 1:35326 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF Control.TaskSymbol.1 heap corruption attempt - Win.Trojan.Sofacy (file-office.rules)
 * 1:35327 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35328 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35329 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35330 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35346 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Unicode value memory corruption attempt (file-pdf.rules)
 * 1:35345 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Unicode value memory corruption attempt (file-pdf.rules)
 * 1:35344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall click fraud response (malware-cnc.rules)
 * 1:35335 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit Flash download attempt (exploit-kit.rules)
 * 1:35333 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit Flash download attempt (exploit-kit.rules)
 * 1:35334 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit Flash download attempt (exploit-kit.rules)
 * 1:35332 <-> DISABLED <-> FILE-PDF Adobe Reader format action use after free attempt (file-pdf.rules)
 * 1:35331 <-> DISABLED <-> FILE-PDF Adobe Reader format action use after free attempt (file-pdf.rules)
 * 3:35343 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35338 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35337 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35339 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35340 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35342 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35347 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified MeetingPlace password change policy bypass attempt (server-webapp.rules)
 * 3:35341 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35336 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)

Modified Rules:


 * 1:35304 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)
 * 1:35115 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer replaceChild function memory corruption attempt (browser-ie.rules)
 * 1:35114 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer replaceChild function memory corruption attempt (browser-ie.rules)
 * 1:35305 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)
 * 1:34991 <-> ENABLED <-> MALWARE-OTHER Group 6 Adobe Flash exploit download attempt (malware-other.rules)
 * 1:28251 <-> DISABLED <-> SERVER-WEBAPP Zabbix httpmon.php SQL injection attempt (server-webapp.rules)

2015-07-22 18:17:56 UTC

Snort Subscriber Rules Update

Date: 2015-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35324 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader ComboBox field Format action use-after-free attempt (file-pdf.rules)
 * 1:35325 <-> ENABLED <-> FILE-OFFICE Microsoft Word RTF Control.TaskSymbol.1 heap corruption attempt - Win.Trojan.Sofacy (file-office.rules)
 * 1:35322 <-> ENABLED <-> FILE-PDF Adobe Reader setTimeOut app.launchURL privilege escalation attempt (file-pdf.rules)
 * 1:35345 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Unicode value memory corruption attempt (file-pdf.rules)
 * 1:35319 <-> ENABLED <-> FILE-PDF Adobe Reader ToolEventHandler use-after-free attempt (file-pdf.rules)
 * 1:35308 <-> ENABLED <-> FILE-PDF Adobe Reader MakeMeasurement buffer overflow attempt (file-pdf.rules)
 * 1:35310 <-> DISABLED <-> SERVER-WEBAPP Centreon getStats.php command injection attempt (server-webapp.rules)
 * 1:35317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Directate outbound connection (malware-cnc.rules)
 * 1:35309 <-> ENABLED <-> FILE-PDF Adobe Reader MakeMeasurement buffer overflow attempt (file-pdf.rules)
 * 1:35307 <-> DISABLED <-> SERVER-OTHER OpenSSL alternative chains certificate forgery attempt (server-other.rules)
 * 1:35320 <-> ENABLED <-> FILE-PDF Adobe Reader ToolEventHandler use-after-free attempt (file-pdf.rules)
 * 1:35306 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Cigamve request (malware-cnc.rules)
 * 1:35312 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:35314 <-> DISABLED <-> SERVER-APACHE Apache HTTP Server mod_proxy denial of service attempt (server-apache.rules)
 * 1:35332 <-> DISABLED <-> FILE-PDF Adobe Reader format action use after free attempt (file-pdf.rules)
 * 1:35344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall click fraud response (malware-cnc.rules)
 * 1:35315 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Downloader.Comsteal outbound connection (malware-cnc.rules)
 * 1:35316 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string EI Plugin updater (blacklist.rules)
 * 1:35318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jemerr outbound connection (malware-cnc.rules)
 * 1:35334 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit Flash download attempt (exploit-kit.rules)
 * 1:35311 <-> DISABLED <-> SERVER-WEBAPP Centreon getStats.php command injection attempt (server-webapp.rules)
 * 1:35321 <-> ENABLED <-> FILE-PDF Adobe Reader setTimeOut app.launchURL privilege escalation attempt (file-pdf.rules)
 * 1:35323 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader ComboBox field Format action use-after-free attempt (file-pdf.rules)
 * 1:35333 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit Flash download attempt (exploit-kit.rules)
 * 1:35335 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit Flash download attempt (exploit-kit.rules)
 * 1:35313 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:35326 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF Control.TaskSymbol.1 heap corruption attempt - Win.Trojan.Sofacy (file-office.rules)
 * 1:35327 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35328 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35329 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35330 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35346 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Unicode value memory corruption attempt (file-pdf.rules)
 * 1:35331 <-> DISABLED <-> FILE-PDF Adobe Reader format action use after free attempt (file-pdf.rules)
 * 3:35339 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35338 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35340 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35343 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35337 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35347 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified MeetingPlace password change policy bypass attempt (server-webapp.rules)
 * 3:35336 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35342 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35341 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)

Modified Rules:


 * 1:35305 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)
 * 1:34991 <-> ENABLED <-> MALWARE-OTHER Group 6 Adobe Flash exploit download attempt (malware-other.rules)
 * 1:35115 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer replaceChild function memory corruption attempt (browser-ie.rules)
 * 1:35114 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer replaceChild function memory corruption attempt (browser-ie.rules)
 * 1:28251 <-> DISABLED <-> SERVER-WEBAPP Zabbix httpmon.php SQL injection attempt (server-webapp.rules)
 * 1:35304 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)

2015-07-22 18:17:56 UTC

Snort Subscriber Rules Update

Date: 2015-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35310 <-> DISABLED <-> SERVER-WEBAPP Centreon getStats.php command injection attempt (server-webapp.rules)
 * 1:35312 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:35323 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader ComboBox field Format action use-after-free attempt (file-pdf.rules)
 * 1:35334 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit Flash download attempt (exploit-kit.rules)
 * 1:35314 <-> DISABLED <-> SERVER-APACHE Apache HTTP Server mod_proxy denial of service attempt (server-apache.rules)
 * 1:35325 <-> ENABLED <-> FILE-OFFICE Microsoft Word RTF Control.TaskSymbol.1 heap corruption attempt - Win.Trojan.Sofacy (file-office.rules)
 * 1:35319 <-> ENABLED <-> FILE-PDF Adobe Reader ToolEventHandler use-after-free attempt (file-pdf.rules)
 * 1:35329 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35311 <-> DISABLED <-> SERVER-WEBAPP Centreon getStats.php command injection attempt (server-webapp.rules)
 * 1:35313 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:35324 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader ComboBox field Format action use-after-free attempt (file-pdf.rules)
 * 1:35345 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Unicode value memory corruption attempt (file-pdf.rules)
 * 1:35315 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Downloader.Comsteal outbound connection (malware-cnc.rules)
 * 1:35306 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Cigamve request (malware-cnc.rules)
 * 1:35327 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35309 <-> ENABLED <-> FILE-PDF Adobe Reader MakeMeasurement buffer overflow attempt (file-pdf.rules)
 * 1:35307 <-> DISABLED <-> SERVER-OTHER OpenSSL alternative chains certificate forgery attempt (server-other.rules)
 * 1:35320 <-> ENABLED <-> FILE-PDF Adobe Reader ToolEventHandler use-after-free attempt (file-pdf.rules)
 * 1:35321 <-> ENABLED <-> FILE-PDF Adobe Reader setTimeOut app.launchURL privilege escalation attempt (file-pdf.rules)
 * 1:35316 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string EI Plugin updater (blacklist.rules)
 * 1:35308 <-> ENABLED <-> FILE-PDF Adobe Reader MakeMeasurement buffer overflow attempt (file-pdf.rules)
 * 1:35326 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF Control.TaskSymbol.1 heap corruption attempt - Win.Trojan.Sofacy (file-office.rules)
 * 1:35332 <-> DISABLED <-> FILE-PDF Adobe Reader format action use after free attempt (file-pdf.rules)
 * 1:35344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall click fraud response (malware-cnc.rules)
 * 1:35328 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35330 <-> DISABLED <-> BROWSER-PLUGINS Agilent Technologies Feature Extraction ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35335 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit Flash download attempt (exploit-kit.rules)
 * 1:35346 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Unicode value memory corruption attempt (file-pdf.rules)
 * 1:35333 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit Flash download attempt (exploit-kit.rules)
 * 1:35322 <-> ENABLED <-> FILE-PDF Adobe Reader setTimeOut app.launchURL privilege escalation attempt (file-pdf.rules)
 * 1:35318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jemerr outbound connection (malware-cnc.rules)
 * 1:35331 <-> DISABLED <-> FILE-PDF Adobe Reader format action use after free attempt (file-pdf.rules)
 * 1:35317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Directate outbound connection (malware-cnc.rules)
 * 3:35341 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35342 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35347 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified MeetingPlace password change policy bypass attempt (server-webapp.rules)
 * 3:35337 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35343 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35340 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35339 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35338 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)
 * 3:35336 <-> ENABLED <-> PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt (protocol-tftp.rules)

Modified Rules:


 * 1:35114 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer replaceChild function memory corruption attempt (browser-ie.rules)
 * 1:28251 <-> DISABLED <-> SERVER-WEBAPP Zabbix httpmon.php SQL injection attempt (server-webapp.rules)
 * 1:34991 <-> ENABLED <-> MALWARE-OTHER Group 6 Adobe Flash exploit download attempt (malware-other.rules)
 * 1:35304 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)
 * 1:35115 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer replaceChild function memory corruption attempt (browser-ie.rules)
 * 1:35305 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)