Talos Rules 2016-05-24
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-executable, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc, malware-tools, server-other, server-webapp and sql rule sets to provide coverage for emerging threats in these technologies. Note that a number of the new rules, including the BROWSER-PLUGINS ActiveX rules and several SERVER-WEBAPP rules, ship with a default state of DISABLED and must be enabled explicitly in the local policy where the affected products are deployed.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-05-24 22:04:37 UTC

Snort Subscriber Rules Update

Date: 2016-05-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
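The same one-line-per-rule format is used by every rule pack listed below (2976, 2980 and 2982), so a small parser lets an operator turn a release note like this one into a review list instead of reading it by hand. The following script is an added example, not part of the Talos release notes; the handful of sample lines embedded in it are copied from this release, the helper names are the author's own, and the assumption that PulledPork's enablesid.conf accepts bare gid:sid lines is noted as such in the code.

```python
"""Parse a Talos rule-pack changelog ("gid:sid <-> STATE <-> message (group)")
and report which newly added rules ship DISABLED so they can be reviewed.
Added example; not code from Talos or the Snort project."""
import re
from collections import Counter

# Constructed sample: a few lines copied from the New/Modified lists of this release.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:39042 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38970 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38987 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 3:39034 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)

Modified Rules:

 * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules)
"""

# One changelog entry: " * gid:sid <-> ENABLED|DISABLED <-> message (file.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Return one dict per rule line, tagged with the section it appeared under."""
    entries = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("Rules:"):
            section = stripped[:-1]          # "New Rules" or "Modified Rules"
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                         # headers, blank lines, prose
        entry = m.groupdict()
        entry["section"] = section or "Unknown"
        # Talos messages begin with the rule class (BROWSER-PLUGINS, FILE-PDF, ...).
        entry["category"] = entry["msg"].split(" ", 1)[0]
        # gid 3 rules are shared-object (SO) rules, distributed as compiled objects,
        # so they need the matching platform build rather than just a text rule file.
        entry["shared_object"] = entry["gid"] == "3"
        entries.append(entry)
    return entries


def summarize(entries):
    """Count entries per (section, default state), e.g. how many new rules are DISABLED."""
    return Counter((e["section"], e["state"]) for e in entries)


def disabled_new_rules(entries, groups=None):
    """New rules that ship DISABLED, optionally restricted to the given .rules files."""
    return [
        e for e in entries
        if e["section"] == "New Rules" and e["state"] == "DISABLED"
        and (groups is None or e["group"] in groups)
    ]


def to_enablesid(entries):
    """Render gid:sid lines. Assumption: this is the form PulledPork's enablesid.conf takes."""
    return [f'{e["gid"]}:{e["sid"]}' for e in entries]


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    for (section, state), n in sorted(summarize(parsed).items()):
        print(f"{section:15s} {state:9s} {n}")
    # Rules an operator with ICS ActiveX clients or SAP/Oracle web apps should consider enabling.
    review = disabled_new_rules(parsed, {"browser-plugins.rules", "server-webapp.rules"})
    print("\n".join(to_enablesid(review)))
```

Run against the full text of a release note, the summary shows at a glance how much of the pack is off by default, and the filtered gid:sid list is the starting point for a policy review rather than something to enable blindly: a DISABLED default usually means the rule is noisy or product-specific, so confirm the product is in scope first.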

New Rules:


 * 1:39042 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38970 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38972 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38973 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38975 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:38976 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:39039 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39026 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39023 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39024 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39025 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39018 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39022 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39020 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39021 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39017 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39019 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39016 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39013 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39014 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39015 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39008 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39012 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39010 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39011 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39007 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39009 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38997 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38995 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:38992 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38987 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38982 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38969 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38966 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 1:38967 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 1:39037 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:39038 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39044 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39033 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.7ev3n variant outbound connection (malware-cnc.rules)
 * 1:38994 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus config file download (malware-cnc.rules)
 * 1:39052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adialer variant outbound connection attempt (malware-cnc.rules)
 * 1:39051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain adsl.carpediem.fr - Win.Trojan.Adialer (blacklist.rules)
 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:38991 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38990 <-> DISABLED <-> SERVER-WEBAPP Apache Struts I18NInterceptor locale object cross site scripting attempt (server-webapp.rules)
 * 1:38988 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38989 <-> DISABLED <-> MALWARE-TOOLS TorStresser http DoS tool (malware-tools.rules)
 * 1:39036 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:38986 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38984 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38985 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38983 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38981 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38979 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer methodDetail SQL injection attempt (server-webapp.rules)
 * 1:38978 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38977 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38971 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38974 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:39041 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39028 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39027 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager downTimeScheduler.do SQL injection attempt (server-webapp.rules)
 * 1:38968 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:39032 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39031 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39043 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39030 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39029 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
 * 3:39034 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39035 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39047 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39048 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39049 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)
 * 3:39050 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)

Modified Rules:


 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:37429 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37430 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:24015 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magania variant outbound connection (malware-cnc.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold connection exhaustion denial of service attempt (server-other.rules)
 * 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:37428 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:37427 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)

2016-05-24 22:04:37 UTC

Snort Subscriber Rules Update

Date: 2016-05-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39030 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39029 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39036 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:39026 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39043 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39039 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38977 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38971 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:39025 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39023 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39024 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39022 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39020 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39021 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39018 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39019 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39017 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39015 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39016 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39013 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39014 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39012 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39010 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39011 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39009 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39007 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39008 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38997 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38995 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:38992 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38987 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38982 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38967 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 1:38966 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 1:38969 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:39051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain adsl.carpediem.fr - Win.Trojan.Adialer (blacklist.rules)
 * 1:39053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.7ev3n variant outbound connection (malware-cnc.rules)
 * 1:38970 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:39052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adialer variant outbound connection attempt (malware-cnc.rules)
 * 1:39038 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38972 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38973 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38974 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38975 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:38976 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:38978 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38979 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer methodDetail SQL injection attempt (server-webapp.rules)
 * 1:38968 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38981 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38983 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:39041 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39042 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
 * 1:38984 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38985 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38986 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38988 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38989 <-> DISABLED <-> MALWARE-TOOLS TorStresser http DoS tool (malware-tools.rules)
 * 1:38990 <-> DISABLED <-> SERVER-WEBAPP Apache Struts I18NInterceptor locale object cross site scripting attempt (server-webapp.rules)
 * 1:38991 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:38994 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus config file download (malware-cnc.rules)
 * 1:39037 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:39033 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39031 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39032 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39044 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39028 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39027 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager downTimeScheduler.do SQL injection attempt (server-webapp.rules)
 * 3:39034 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39035 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39047 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39048 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39049 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)
 * 3:39050 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)

Modified Rules:


 * 1:37430 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold connection exhaustion denial of service attempt (server-other.rules)
 * 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
 * 1:24015 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magania variant outbound connection (malware-cnc.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:37427 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37428 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:37429 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)

2016-05-24 22:04:37 UTC

Snort Subscriber Rules Update

Date: 2016-05-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38992 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38994 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus config file download (malware-cnc.rules)
 * 1:38991 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38989 <-> DISABLED <-> MALWARE-TOOLS TorStresser http DoS tool (malware-tools.rules)
 * 1:38990 <-> DISABLED <-> SERVER-WEBAPP Apache Struts I18NInterceptor locale object cross site scripting attempt (server-webapp.rules)
 * 1:38987 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38985 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38986 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38982 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38984 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38981 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38978 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38968 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38966 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 1:38967 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 1:38969 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38970 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38971 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38972 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38973 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38974 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38975 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:38976 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:38977 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38979 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer methodDetail SQL injection attempt (server-webapp.rules)
 * 1:38983 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38988 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:38995 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:38996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38997 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39007 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39008 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39009 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39010 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39011 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39012 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39013 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39014 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39015 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39016 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39017 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39018 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39019 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39020 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39021 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39022 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39023 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39024 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39025 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.7ev3n variant outbound connection (malware-cnc.rules)
 * 1:39052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adialer variant outbound connection attempt (malware-cnc.rules)
 * 1:39051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain adsl.carpediem.fr - Win.Trojan.Adialer (blacklist.rules)
 * 1:39044 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39043 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39042 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39041 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
 * 1:39039 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39038 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39037 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:39036 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:39033 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39032 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39031 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39030 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39029 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39028 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39027 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager downTimeScheduler.do SQL injection attempt (server-webapp.rules)
 * 1:39026 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 3:39034 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39035 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39047 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39048 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39049 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)
 * 3:39050 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)

Modified Rules:


 * 1:37430 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:24015 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magania variant outbound connection (malware-cnc.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold connection exhaustion denial of service attempt (server-other.rules)
 * 1:37429 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37428 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:37427 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules)

2016-05-24 22:04:35 UTC

Snort Subscriber Rules Update

Date: 2016-05-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
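A small parser for this changelog format, added here as an example and not part of the Talos release notes or of any Snort or Talos tooling: it reads the " * gid:sid <-> STATE <-> CATEGORY message (rule-file)" lines into records, counts the default-DISABLED rules per rule file (a DISABLED default means the rule is shipped but does nothing until you enable it, so these are the ones to review, for instance the ActiveX clsid rules if you run ICS software), lists the SIDs that are new in one rule pack but not in the other, and emits gid:sid lines for the rules you decide to turn on. The two excerpts are constructed subsets of a few lines from the version 2983 and 2976 lists on this page, not the full lists, so the diff result is illustrative only; the gid:sid output convention follows an enablesid.conf-style file, which is an assumption about your rule-management tooling.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One changelog line: " * gid:sid <-> STATE <-> CATEGORY message text (rule-file.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<category>[A-Z][A-Z0-9-]*)\s+(?P<message>.*?)\s*\((?P<group>[\w.-]+)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int        # 1 = text rules, 3 = shared-object (SO) rules
    sid: int
    state: str      # default state shipped in the pack: ENABLED or DISABLED
    category: str   # first token of the message, e.g. FILE-PDF, MALWARE-CNC
    message: str    # remainder of the message
    group: str      # rule file, e.g. file-pdf.rules


def parse_changelog(text):
    """Return {"New Rules": [...], "Modified Rules": [...]} for one changelog entry."""
    sections, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("Rules:"):          # "New Rules:" / "Modified Rules:" headers
            current = stripped[:-1]
            sections.setdefault(current, [])
            continue
        m = LINE_RE.match(raw)
        if m and current is not None:
            sections[current].append(RuleEntry(
                int(m["gid"]), int(m["sid"]), m["state"], m["category"],
                m["message"].strip(), m["group"]))
    return sections


def disabled_by_group(entries):
    """Default-DISABLED rules per rule file: these do nothing until you enable them."""
    return Counter(e.group for e in entries if e.state == "DISABLED")


def new_sids_only_in(pack_a, pack_b):
    """(gid, sid) pairs listed under New Rules in pack_a but not in pack_b."""
    a = {(e.gid, e.sid) for e in pack_a.get("New Rules", [])}
    b = {(e.gid, e.sid) for e in pack_b.get("New Rules", [])}
    return sorted(a - b)


def enable_lines(entries, groups):
    """gid:sid lines for DISABLED rules in the chosen rule files (enablesid.conf-style, an assumption)."""
    return [f"{e.gid}:{e.sid}" for e in entries
            if e.state == "DISABLED" and e.group in groups]


# Constructed excerpts of the two entries on this page (a handful of lines each, not the full lists).
PACK_2983 = """\
New Rules:

 * 1:39044 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
 * 1:39027 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager downTimeScheduler.do SQL injection attempt (server-webapp.rules)
 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:38966 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 3:39034 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)

Modified Rules:

 * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules)
"""

PACK_2976 = """\
New Rules:

 * 1:39044 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
 * 1:39027 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager downTimeScheduler.do SQL injection attempt (server-webapp.rules)
 * 3:39034 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)

Modified Rules:

 * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules)
"""

if __name__ == "__main__":
    newer, older = parse_changelog(PACK_2983), parse_changelog(PACK_2976)
    print("default-DISABLED per rule file:", dict(disabled_by_group(newer["New Rules"])))
    print("new only in the 2983 excerpt:", new_sids_only_in(newer, older))
    print("to enable:", enable_lines(newer["New Rules"], {"browser-plugins.rules", "server-webapp.rules"}))
```

The category is taken as the first all-caps token of the message because that is how the message text is written in these lists; gid 3 entries are the shared-object rules, which the same regex handles since only the gid differs. Feed the script the full "New Rules:" and "Modified Rules:" sections of a release note to get the real counts and diff.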

New Rules:


 * 1:39053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.7ev3n variant outbound connection (malware-cnc.rules)
 * 1:39052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adialer variant outbound connection attempt (malware-cnc.rules)
 * 1:39051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain adsl.carpediem.fr - Win.Trojan.Adialer (blacklist.rules)
 * 1:39044 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39043 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39042 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39041 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
 * 1:39039 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39038 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39037 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:39036 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:39033 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39032 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39031 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39030 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39029 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39028 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39027 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager downTimeScheduler.do SQL injection attempt (server-webapp.rules)
 * 1:39026 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39025 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39024 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39023 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39022 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39021 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39020 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39019 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39018 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39017 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39016 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39015 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39014 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39013 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39012 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39011 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39010 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39009 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39008 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39007 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38997 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38995 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:38994 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus config file download (malware-cnc.rules)
 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:38992 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38991 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38990 <-> DISABLED <-> SERVER-WEBAPP Apache Struts I18NInterceptor locale object cross site scripting attempt (server-webapp.rules)
 * 1:38989 <-> DISABLED <-> MALWARE-TOOLS TorStresser http DoS tool (malware-tools.rules)
 * 1:38988 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38987 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38986 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38985 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38984 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38983 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38982 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38981 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38979 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer methodDetail SQL injection attempt (server-webapp.rules)
 * 1:38978 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38977 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38976 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:38975 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:38974 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38973 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38972 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38971 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38970 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38969 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38968 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38967 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 1:38966 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 3:39034 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39035 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39047 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39048 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39049 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)
 * 3:39050 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)

Modified Rules:


 * 1:37429 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37428 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
 * 1:37430 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:24015 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magania variant outbound connection (malware-cnc.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold connection exhaustion denial of service attempt (server-other.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules)
 * 1:37427 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)