Talos has added and modified multiple rules in the app-detect, blacklist, deleted, exploit-kit, file-flash, file-office, file-other, file-pdf, malware-cnc, os-windows, protocol-icmp, server-mail, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37375 <-> DISABLED <-> SERVER-MAIL MailEnable IMAP service EXAMINE command log message overflow attempt (server-mail.rules)
* 1:37363 <-> DISABLED <-> SERVER-OTHER Java Library SpringFramework unauthorized serialized object attempt (server-other.rules)
* 1:37364 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
* 1:37365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
* 1:37366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
* 1:37367 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
* 1:37403 <-> DISABLED <-> SERVER-OTHER Easy Chat server authentication request password parameter overflow attempt (server-other.rules)
* 1:37404 <-> DISABLED <-> SERVER-OTHER Easy Chat server authentication request username parameter overflow attempt (server-other.rules)
* 1:37401 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
* 1:37400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader custom string length function memory corruption attempt (file-pdf.rules)
* 1:37396 <-> DISABLED <-> SERVER-WEBAPP eWON default password login attempt (server-webapp.rules)
* 1:37399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader custom string length function memory corruption attempt (file-pdf.rules)
* 1:37398 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
* 1:37395 <-> DISABLED <-> SERVER-WEBAPP Westermo default password login attempt (server-webapp.rules)
* 1:37393 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules)
* 1:37394 <-> DISABLED <-> SERVER-WEBAPP Wago default password login attempt (server-webapp.rules)
* 1:37391 <-> DISABLED <-> SERVER-WEBAPP Samsung default password login attempt (server-webapp.rules)
* 1:37389 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules)
* 1:37390 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules)
* 1:37388 <-> DISABLED <-> SERVER-WEBAPP NOVUS AUTOMATION default password login attempt (server-webapp.rules)
* 1:37385 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules)
* 1:37386 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules)
* 1:37383 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
* 1:37384 <-> DISABLED <-> SERVER-WEBAPP Emerson default password login attempt (server-webapp.rules)
* 1:37382 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
* 1:37380 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules)
* 1:37379 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules)
* 1:37378 <-> DISABLED <-> SERVER-WEBAPP ABB default password login attempt (server-webapp.rules)
* 1:37377 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (deleted.rules)
* 1:37376 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (deleted.rules)
* 1:37368 <-> DISABLED <-> SERVER-OTHER Multiple Vendors SOAP large array information disclosure attempt (server-other.rules)
* 1:37407 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
* 1:37406 <-> ENABLED <-> FILE-PDF Adobe Reader addAnnot JavaScript based memory corruption attempt (file-pdf.rules)
* 1:37409 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt (file-office.rules)
* 1:37410 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt (file-office.rules)
* 1:37381 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
* 1:37387 <-> DISABLED <-> SERVER-WEBAPP Moxa default password login attempt (server-webapp.rules)
* 1:37362 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2007 conversion library code execution attempt (file-office.rules)
* 1:37361 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit iframe insertion detected (exploit-kit.rules)
* 1:37392 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules)
* 1:37408 <-> DISABLED <-> DELETED OS-LINUX Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt (deleted.rules)
* 1:37374 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derkziel variant outbound connection (malware-cnc.rules)
* 1:37373 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fuckingyoursister.ru - Win.Trojan.Derkziel (blacklist.rules)
* 1:37397 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
* 1:37402 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
* 1:37369 <-> DISABLED <-> SERVER-WEBAPP Ipswitch WhatsUp iDroneComAPI SQL injection attempt (server-webapp.rules)
* 1:37372 <-> ENABLED <-> BLACKLIST DNS request for known malware domain derkziel.su - Win.Trojan.Derkziel (blacklist.rules)
* 1:37371 <-> ENABLED <-> SERVER-OTHER OpenSSH insecure roaming key exchange attempt (server-other.rules)
* 1:37405 <-> ENABLED <-> FILE-PDF Adobe Reader addAnnot JavaScript based memory corruption attempt (file-pdf.rules)
* 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
* 1:13287 <-> DISABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
* 1:13288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote kernel tcp/ip icmp vulnerability exploit attempt (os-windows.rules)
* 1:13898 <-> ENABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
* 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
* 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
* 1:16051 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2007 conversion library code execution attempt (file-office.rules)
* 1:17155 <-> DISABLED <-> SERVER-OTHER Multiple vendors OPIE off-by-one stack buffer overflow attempt (server-other.rules)
* 1:17722 <-> DISABLED <-> SERVER-ORACLE XDB.XDB_PITRIG_PKG buffer overflow attempt (server-oracle.rules)
* 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
* 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
* 1:25459 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
* 1:25460 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
* 1:36637 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
* 1:36771 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
* 1:37052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
* 1:37125 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt (file-flash.rules)
* 1:37126 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt (file-flash.rules)
* 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
* 1:37235 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
* 1:396 <-> DISABLED <-> PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set (protocol-icmp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37404 <-> DISABLED <-> SERVER-OTHER Easy Chat server authentication request username parameter overflow attempt (server-other.rules)
* 1:37401 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
* 1:37403 <-> DISABLED <-> SERVER-OTHER Easy Chat server authentication request password parameter overflow attempt (server-other.rules)
* 1:37400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader custom string length function memory corruption attempt (file-pdf.rules)
* 1:37399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader custom string length function memory corruption attempt (file-pdf.rules)
* 1:37398 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
* 1:37396 <-> DISABLED <-> SERVER-WEBAPP eWON default password login attempt (server-webapp.rules)
* 1:37395 <-> DISABLED <-> SERVER-WEBAPP Westermo default password login attempt (server-webapp.rules)
* 1:37393 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules)
* 1:37394 <-> DISABLED <-> SERVER-WEBAPP Wago default password login attempt (server-webapp.rules)
* 1:37391 <-> DISABLED <-> SERVER-WEBAPP Samsung default password login attempt (server-webapp.rules)
* 1:37389 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules)
* 1:37390 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules)
* 1:37388 <-> DISABLED <-> SERVER-WEBAPP NOVUS AUTOMATION default password login attempt (server-webapp.rules)
* 1:37385 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules)
* 1:37386 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules)
* 1:37383 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
* 1:37384 <-> DISABLED <-> SERVER-WEBAPP Emerson default password login attempt (server-webapp.rules)
* 1:37382 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
* 1:37380 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules)
* 1:37379 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules)
* 1:37378 <-> DISABLED <-> SERVER-WEBAPP ABB default password login attempt (server-webapp.rules)
* 1:37377 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (deleted.rules)
* 1:37376 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (deleted.rules)
* 1:37369 <-> DISABLED <-> SERVER-WEBAPP Ipswitch WhatsUp iDroneComAPI SQL injection attempt (server-webapp.rules)
* 1:37372 <-> ENABLED <-> BLACKLIST DNS request for known malware domain derkziel.su - Win.Trojan.Derkziel (blacklist.rules)
* 1:37373 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fuckingyoursister.ru - Win.Trojan.Derkziel (blacklist.rules)
* 1:37374 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derkziel variant outbound connection (malware-cnc.rules)
* 1:37375 <-> DISABLED <-> SERVER-MAIL MailEnable IMAP service EXAMINE command log message overflow attempt (server-mail.rules)
* 1:37361 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit iframe insertion detected (exploit-kit.rules)
* 1:37362 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2007 conversion library code execution attempt (file-office.rules)
* 1:37363 <-> DISABLED <-> SERVER-OTHER Java Library SpringFramework unauthorized serialized object attempt (server-other.rules)
* 1:37364 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
* 1:37365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
* 1:37366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
* 1:37367 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
* 1:37368 <-> DISABLED <-> SERVER-OTHER Multiple Vendors SOAP large array information disclosure attempt (server-other.rules)
* 1:37381 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
* 1:37387 <-> DISABLED <-> SERVER-WEBAPP Moxa default password login attempt (server-webapp.rules)
* 1:37392 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules)
* 1:37397 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
* 1:37402 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
* 1:37371 <-> ENABLED <-> SERVER-OTHER OpenSSH insecure roaming key exchange attempt (server-other.rules)
* 1:37410 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt (file-office.rules)
* 1:37409 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt (file-office.rules)
* 1:37406 <-> ENABLED <-> FILE-PDF Adobe Reader addAnnot JavaScript based memory corruption attempt (file-pdf.rules)
* 1:37408 <-> DISABLED <-> DELETED OS-LINUX Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt (deleted.rules)
* 1:37407 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
* 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
* 1:37405 <-> ENABLED <-> FILE-PDF Adobe Reader addAnnot JavaScript based memory corruption attempt (file-pdf.rules)
* 1:13287 <-> DISABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
* 1:13288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote kernel tcp/ip icmp vulnerability exploit attempt (os-windows.rules)
* 1:13898 <-> ENABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
* 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
* 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
* 1:16051 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2007 conversion library code execution attempt (file-office.rules)
* 1:17155 <-> DISABLED <-> SERVER-OTHER Multiple vendors OPIE off-by-one stack buffer overflow attempt (server-other.rules)
* 1:17722 <-> DISABLED <-> SERVER-ORACLE XDB.XDB_PITRIG_PKG buffer overflow attempt (server-oracle.rules)
* 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
* 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
* 1:25459 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
* 1:25460 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
* 1:36637 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
* 1:36771 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
* 1:37052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
* 1:37125 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt (file-flash.rules)
* 1:37126 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt (file-flash.rules)
* 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
* 1:37235 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
* 1:396 <-> DISABLED <-> PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set (protocol-icmp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37410 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt (file-office.rules)
* 1:37409 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt (file-office.rules)
* 1:37408 <-> DISABLED <-> DELETED OS-LINUX Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt (deleted.rules)
* 1:37407 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
* 1:37406 <-> ENABLED <-> FILE-PDF Adobe Reader addAnnot JavaScript based memory corruption attempt (file-pdf.rules)
* 1:37405 <-> ENABLED <-> FILE-PDF Adobe Reader addAnnot JavaScript based memory corruption attempt (file-pdf.rules)
* 1:37404 <-> DISABLED <-> SERVER-OTHER Easy Chat server authentication request username parameter overflow attempt (server-other.rules)
* 1:37403 <-> DISABLED <-> SERVER-OTHER Easy Chat server authentication request password parameter overflow attempt (server-other.rules)
* 1:37402 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
* 1:37401 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
* 1:37400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader custom string length function memory corruption attempt (file-pdf.rules)
* 1:37399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader custom string length function memory corruption attempt (file-pdf.rules)
* 1:37398 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
* 1:37397 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
* 1:37396 <-> DISABLED <-> SERVER-WEBAPP eWON default password login attempt (server-webapp.rules)
* 1:37395 <-> DISABLED <-> SERVER-WEBAPP Westermo default password login attempt (server-webapp.rules)
* 1:37394 <-> DISABLED <-> SERVER-WEBAPP Wago default password login attempt (server-webapp.rules)
* 1:37393 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules)
* 1:37392 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules)
* 1:37391 <-> DISABLED <-> SERVER-WEBAPP Samsung default password login attempt (server-webapp.rules)
* 1:37390 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules)
* 1:37389 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules)
* 1:37388 <-> DISABLED <-> SERVER-WEBAPP NOVUS AUTOMATION default password login attempt (server-webapp.rules)
* 1:37387 <-> DISABLED <-> SERVER-WEBAPP Moxa default password login attempt (server-webapp.rules)
* 1:37386 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules)
* 1:37385 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules)
* 1:37384 <-> DISABLED <-> SERVER-WEBAPP Emerson default password login attempt (server-webapp.rules)
* 1:37383 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
* 1:37382 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
* 1:37381 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
* 1:37380 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules)
* 1:37379 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules)
* 1:37378 <-> DISABLED <-> SERVER-WEBAPP ABB default password login attempt (server-webapp.rules)
* 1:37377 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (deleted.rules)
* 1:37376 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (deleted.rules)
* 1:37375 <-> DISABLED <-> SERVER-MAIL MailEnable IMAP service EXAMINE command log message overflow attempt (server-mail.rules)
* 1:37374 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derkziel variant outbound connection (malware-cnc.rules)
* 1:37373 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fuckingyoursister.ru - Win.Trojan.Derkziel (blacklist.rules)
* 1:37372 <-> ENABLED <-> BLACKLIST DNS request for known malware domain derkziel.su - Win.Trojan.Derkziel (blacklist.rules)
* 1:37371 <-> ENABLED <-> SERVER-OTHER OpenSSH insecure roaming key exchange attempt (server-other.rules)
* 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
* 1:37369 <-> DISABLED <-> SERVER-WEBAPP Ipswitch WhatsUp iDroneComAPI SQL injection attempt (server-webapp.rules)
* 1:37368 <-> DISABLED <-> SERVER-OTHER Multiple Vendors SOAP large array information disclosure attempt (server-other.rules)
* 1:37367 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
* 1:37366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
* 1:37365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
* 1:37364 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
* 1:37363 <-> DISABLED <-> SERVER-OTHER Java Library SpringFramework unauthorized serialized object attempt (server-other.rules)
* 1:37362 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2007 conversion library code execution attempt (file-office.rules)
* 1:37361 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit iframe insertion detected (exploit-kit.rules)
* 1:13287 <-> DISABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
* 1:13288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote kernel tcp/ip icmp vulnerability exploit attempt (os-windows.rules)
* 1:13898 <-> ENABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
* 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
* 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
* 1:16051 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2007 conversion library code execution attempt (file-office.rules)
* 1:17155 <-> DISABLED <-> SERVER-OTHER Multiple vendors OPIE off-by-one stack buffer overflow attempt (server-other.rules)
* 1:17722 <-> DISABLED <-> SERVER-ORACLE XDB.XDB_PITRIG_PKG buffer overflow attempt (server-oracle.rules)
* 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
* 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
* 1:25459 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
* 1:25460 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
* 1:36637 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
* 1:36771 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
* 1:37052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
* 1:37125 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt (file-flash.rules)
* 1:37126 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt (file-flash.rules)
* 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
* 1:37235 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
* 1:396 <-> DISABLED <-> PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set (protocol-icmp.rules)