Talos Rules 2015-07-28
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-plugins, file-flash, file-image, file-pdf, malware-backdoor and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-07-28 15:29:58 UTC

Snort Subscriber Rules Update

Date: 2015-07-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35348 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Ralminey POST request (malware-cnc.rules)
 * 1:35369 <-> ENABLED <-> BLACKLIST DNS request for known malware domain domain.gokickes.com - Win.Backdoor.Bimteni (blacklist.rules)
 * 1:35366 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35359 <-> DISABLED <-> SERVER-WEBAPP Cacti selected_items SQL injection attempt (server-webapp.rules)
 * 1:35380 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35381 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35360 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35357 <-> DISABLED <-> SERVER-WEBAPP AirLink101 SkyIPCam snwrite.cgi command injection attempt (server-webapp.rules)
 * 1:35353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elise.B variant outbound connection (malware-cnc.rules)
 * 1:35376 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35378 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35377 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35373 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35368 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bbs.gokickes.com - Win.Backdoor.Bimteni (blacklist.rules)
 * 1:35358 <-> DISABLED <-> SERVER-WEBAPP Wordpress RightNow theme file upload attempt (server-webapp.rules)
 * 1:35363 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35383 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Usteal outbound connection (malware-cnc.rules)
 * 1:35379 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35362 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35382 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35350 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35349 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35365 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35364 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35367 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35370 <-> ENABLED <-> BLACKLIST DNS request for known malware domain img.lifesolves.com - Win.Backdoor.Bimteni (blacklist.rules)
 * 1:35371 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Bimteni variant initial outbound connection (malware-backdoor.rules)
 * 1:35372 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35374 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35375 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35356 <-> DISABLED <-> SERVER-WEBAPP AirLink101 SkyIPCam snwrite.cgi command injection attempt (server-webapp.rules)
 * 1:35354 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs local_graph_id SQL injection attempt (server-webapp.rules)
 * 1:35361 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35351 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35352 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)

Modified Rules:


 * 1:35331 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
 * 1:35332 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
 * 1:24044 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24041 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Farfi variant outbound connection (malware-cnc.rules)
 * 1:24039 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX function call access (browser-plugins.rules)
 * 1:24043 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24040 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24042 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:21064 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:21063 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)

2015-07-28 15:29:57 UTC

Snort Subscriber Rules Update

Date: 2015-07-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35354 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs local_graph_id SQL injection attempt (server-webapp.rules)
 * 1:35353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elise.B variant outbound connection (malware-cnc.rules)
 * 1:35378 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35376 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35377 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35373 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35368 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bbs.gokickes.com - Win.Backdoor.Bimteni (blacklist.rules)
 * 1:35363 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35358 <-> DISABLED <-> SERVER-WEBAPP Wordpress RightNow theme file upload attempt (server-webapp.rules)
 * 1:35369 <-> ENABLED <-> BLACKLIST DNS request for known malware domain domain.gokickes.com - Win.Backdoor.Bimteni (blacklist.rules)
 * 1:35375 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35382 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35383 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35381 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Usteal outbound connection (malware-cnc.rules)
 * 1:35349 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35380 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35350 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35357 <-> DISABLED <-> SERVER-WEBAPP AirLink101 SkyIPCam snwrite.cgi command injection attempt (server-webapp.rules)
 * 1:35356 <-> DISABLED <-> SERVER-WEBAPP AirLink101 SkyIPCam snwrite.cgi command injection attempt (server-webapp.rules)
 * 1:35360 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35359 <-> DISABLED <-> SERVER-WEBAPP Cacti selected_items SQL injection attempt (server-webapp.rules)
 * 1:35361 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35364 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35362 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35365 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35366 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35367 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35352 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35370 <-> ENABLED <-> BLACKLIST DNS request for known malware domain img.lifesolves.com - Win.Backdoor.Bimteni (blacklist.rules)
 * 1:35371 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Bimteni variant initial outbound connection (malware-backdoor.rules)
 * 1:35372 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35374 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35351 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35379 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35348 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Ralminey POST request (malware-cnc.rules)

Modified Rules:


 * 1:35331 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
 * 1:35332 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
 * 1:24041 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Farfi variant outbound connection (malware-cnc.rules)
 * 1:24043 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24044 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24040 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24042 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24039 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX function call access (browser-plugins.rules)
 * 1:21063 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:21064 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)

2015-07-28 15:29:57 UTC

Snort Subscriber Rules Update

Date: 2015-07-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35378 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35376 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35377 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35373 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35368 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bbs.gokickes.com - Win.Backdoor.Bimteni (blacklist.rules)
 * 1:35363 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35358 <-> DISABLED <-> SERVER-WEBAPP Wordpress RightNow theme file upload attempt (server-webapp.rules)
 * 1:35352 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35354 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs local_graph_id SQL injection attempt (server-webapp.rules)
 * 1:35356 <-> DISABLED <-> SERVER-WEBAPP AirLink101 SkyIPCam snwrite.cgi command injection attempt (server-webapp.rules)
 * 1:35357 <-> DISABLED <-> SERVER-WEBAPP AirLink101 SkyIPCam snwrite.cgi command injection attempt (server-webapp.rules)
 * 1:35359 <-> DISABLED <-> SERVER-WEBAPP Cacti selected_items SQL injection attempt (server-webapp.rules)
 * 1:35360 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35361 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35362 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35364 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35365 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35366 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35367 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35369 <-> ENABLED <-> BLACKLIST DNS request for known malware domain domain.gokickes.com - Win.Backdoor.Bimteni (blacklist.rules)
 * 1:35370 <-> ENABLED <-> BLACKLIST DNS request for known malware domain img.lifesolves.com - Win.Backdoor.Bimteni (blacklist.rules)
 * 1:35371 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Bimteni variant initial outbound connection (malware-backdoor.rules)
 * 1:35372 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35374 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35375 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elise.B variant outbound connection (malware-cnc.rules)
 * 1:35383 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35382 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Usteal outbound connection (malware-cnc.rules)
 * 1:35381 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35380 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35349 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35350 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35379 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35348 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Ralminey POST request (malware-cnc.rules)
 * 1:35351 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)

Modified Rules:


 * 1:35331 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
 * 1:35332 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
 * 1:24044 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Farfi variant outbound connection (malware-cnc.rules)
 * 1:24042 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24043 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24040 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24041 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:21064 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24039 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX function call access (browser-plugins.rules)
 * 1:21063 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)

2015-07-28 15:29:57 UTC

Snort Subscriber Rules Update

Date: 2015-07-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35383 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35382 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35381 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35380 <-> ENABLED <-> FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt (file-pdf.rules)
 * 1:35379 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35378 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35377 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35376 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-site file download attempt (file-flash.rules)
 * 1:35375 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35374 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35373 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35372 <-> DISABLED <-> SERVER-WEBAPP WebUI mainfile.php command injection attempt (server-webapp.rules)
 * 1:35371 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Bimteni variant initial outbound connection (malware-backdoor.rules)
 * 1:35370 <-> ENABLED <-> BLACKLIST DNS request for known malware domain img.lifesolves.com - Win.Backdoor.Bimteni (blacklist.rules)
 * 1:35369 <-> ENABLED <-> BLACKLIST DNS request for known malware domain domain.gokickes.com - Win.Backdoor.Bimteni (blacklist.rules)
 * 1:35368 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bbs.gokickes.com - Win.Backdoor.Bimteni (blacklist.rules)
 * 1:35367 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35366 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35365 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35364 <-> ENABLED <-> FILE-FLASH Adobe Flash Player thread write double-free attempt (file-flash.rules)
 * 1:35363 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35362 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35361 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35360 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt (file-image.rules)
 * 1:35359 <-> DISABLED <-> SERVER-WEBAPP Cacti selected_items SQL injection attempt (server-webapp.rules)
 * 1:35358 <-> DISABLED <-> SERVER-WEBAPP Wordpress RightNow theme file upload attempt (server-webapp.rules)
 * 1:35357 <-> DISABLED <-> SERVER-WEBAPP AirLink101 SkyIPCam snwrite.cgi command injection attempt (server-webapp.rules)
 * 1:35356 <-> DISABLED <-> SERVER-WEBAPP AirLink101 SkyIPCam snwrite.cgi command injection attempt (server-webapp.rules)
 * 1:35355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Usteal outbound connection (malware-cnc.rules)
 * 1:35354 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs local_graph_id SQL injection attempt (server-webapp.rules)
 * 1:35353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elise.B variant outbound connection (malware-cnc.rules)
 * 1:35352 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35351 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35350 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35349 <-> DISABLED <-> BROWSER-PLUGINS Oracle DcsXB onloadstatechange ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35348 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Ralminey POST request (malware-cnc.rules)

Modified Rules:


 * 1:35332 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
 * 1:32310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Farfi variant outbound connection (malware-cnc.rules)
 * 1:35331 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
 * 1:24043 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24044 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24041 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24042 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24039 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX function call access (browser-plugins.rules)
 * 1:24040 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:21063 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)
 * 1:21064 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access attempt (browser-plugins.rules)