Talos Rules 2016-06-30
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-plugins, file-office, file-other, indicator-compromise, malware-cnc, protocol-scada, pua-other, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies. Note that most of the new SERVER-WEBAPP, SERVER-OTHER, BROWSER-PLUGINS and PROTOCOL-SCADA rules in this release (D-Link DAP-1160, WANem, HP Data Protector, Oracle Hyperion, 3S CoDeSys and the SCADA SQL injection signatures) ship DISABLED by default and must be enabled explicitly where the affected products are in your environment.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs (one entry per supported Snort version; the same set of 53 new and 7 modified rules was released for the 2976, 2982 and 2983 rule packs)

2016-06-30 22:20:16 UTC

Snort Subscriber Rules Update

Date: 2016-06-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976 (Snort 2.9.7.6).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39427 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39391 <-> DISABLED <-> PROTOCOL-SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt (protocol-scada.rules)
 * 1:39389 <-> DISABLED <-> SERVER-WEBAPP Wintr SQL injection attempt (server-webapp.rules)
 * 1:39387 <-> DISABLED <-> SERVER-WEBAPP D-Link DAP-1160 authentication bypass attempt (server-webapp.rules)
 * 1:39388 <-> DISABLED <-> SERVER-WEBAPP ICSCADA SQL injection attempt (server-webapp.rules)
 * 1:39384 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39386 <-> ENABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:39383 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39381 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39380 <-> ENABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap overflow attempt (server-other.rules)
 * 1:39429 <-> ENABLED <-> BLACKLIST DNS request for known malware domain reg.hd83rd.ru - Win.Malware.Furtim (blacklist.rules)
 * 1:39431 <-> ENABLED <-> FILE-OTHER Symantec TNEF decoder integer overflow attempt (file-other.rules)
 * 1:39425 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39432 <-> ENABLED <-> FILE-OTHER Symantec TNEF decoder integer overflow attempt (file-other.rules)
 * 1:39422 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39424 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39382 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39423 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39426 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39385 <-> ENABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:39390 <-> DISABLED <-> SERVER-WEBAPP IntegraXOR SQL injection attempt (server-webapp.rules)
 * 1:39392 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt (server-other.rules)
 * 1:39393 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 215 buffer overflow attempt (server-other.rules)
 * 1:39394 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 216 buffer overflow attempt (server-other.rules)
 * 1:39395 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 219 buffer overflow attempt (server-other.rules)
 * 1:39396 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 257 buffer overflow attempt (server-other.rules)
 * 1:39397 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 263 buffer overflow attempt (server-other.rules)
 * 1:39398 <-> ENABLED <-> SERVER-WEBAPP Symantec SEPM management console cross site scripting attempt (server-webapp.rules)
 * 1:39399 <-> DISABLED <-> SERVER-WEBAPP Symantec open redirect in external URL .php script attempt (server-webapp.rules)
 * 1:39400 <-> ENABLED <-> SERVER-WEBAPP Symantec Decomposer Engine Dec2LHA buffer overflow attempt (server-webapp.rules)
 * 1:39401 <-> ENABLED <-> SERVER-WEBAPP Symantec Decomposer Engine Dec2LHA buffer overflow attempt (server-webapp.rules)
 * 1:39402 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
 * 1:39403 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
 * 1:39404 <-> ENABLED <-> SERVER-OTHER Symantec Endpoint Protection Manager cross site request forgery attempt (server-other.rules)
 * 1:39405 <-> ENABLED <-> SERVER-OTHER Symantec Endpoint Protection Manager cross site request forgery attempt (server-other.rules)
 * 1:39406 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39407 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39430 <-> ENABLED <-> MALWARE-CNC Win.Malware.Furtim variant outbound connection (malware-cnc.rules)
 * 1:39408 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant initial outbound connection (malware-cnc.rules)
 * 1:39410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant exfiltration outbound connection (malware-cnc.rules)
 * 1:39411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qbot variant outbound connection (malware-cnc.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39413 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39414 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39415 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39416 <-> DISABLED <-> PUA-OTHER RMS rmansys remote management tool cnc communication (pua-other.rules)
 * 1:39417 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39418 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39428 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39419 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39420 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39421 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)

Modified Rules:


 * 1:30097 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 257 buffer overflow attempt (server-other.rules)
 * 1:30096 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 219 buffer overflow attempt (server-other.rules)
 * 1:27262 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 263 buffer overflow attempt (server-other.rules)
 * 1:30094 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt (server-other.rules)
 * 1:30095 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 216 buffer overflow attempt (server-other.rules)
 * 1:27261 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 215 buffer overflow attempt (server-other.rules)
 * 1:17811 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware - download of svchost.exe (indicator-compromise.rules)
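The `gid:sid <-> state <-> message (rule group)` layout described above is simple enough to parse, and parsing it is the practical way to act on a release like this: pull out the SIDs that ship DISABLED, decide which of them your environment actually needs, and hand them to a rule manager. The script below is an added example and is not Talos or Snort code. It embeds a constructed excerpt of the list above as sample input, and `enablesid_lines` assumes the PulledPork `enablesid.conf` convention of `gid:sid` entries with `gid:a-gid:b` ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the changelog above; the real file has many more lines.
SAMPLE = """\
New Rules:

 * 1:39427 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39391 <-> DISABLED <-> PROTOCOL-SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt (protocol-scada.rules)
 * 1:39392 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt (server-other.rules)
 * 1:39429 <-> ENABLED <-> BLACKLIST DNS request for known malware domain reg.hd83rd.ru - Win.Malware.Furtim (blacklist.rules)

Modified Rules:

 * 1:30094 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt (server-other.rules)
 * 1:17811 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware - download of svchost.exe (indicator-compromise.rules)
"""

# One changelog entry: " * gid:sid <-> STATE <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Parse the rule lines into dicts, tagging each with the section it came from."""
    section = None
    rules = []
    for line in text.splitlines():
        header = line.strip()
        if header == "New Rules:":
            section = "new"
            continue
        if header == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and prose are skipped
        rules.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": m["msg"],
            "group": m["group"],
            "section": section,
            # first token of the message is the classification (FILE-OFFICE, PROTOCOL-SCADA, ...)
            "class": m["msg"].split(" ", 1)[0],
        })
    return rules


def by_group(rules):
    """Count rules per .rules file, which is how the release notes summarise coverage."""
    return Counter(r["group"] for r in rules)


def disabled_by_default(rules, classes=None):
    """SIDs that ship DISABLED, optionally restricted to the message classes you care about."""
    return sorted(
        r["sid"] for r in rules
        if r["state"] == "DISABLED" and (classes is None or r["class"] in classes)
    )


def message_overlap(rules):
    """Messages that appear both as a new SID and as a modified older SID.

    In this release the new HP Data Protector rules (1:39392-1:39397) carry the same
    messages as the modified 1:27261, 1:27262 and 1:30094-1:30097, so enabling both
    sets will produce paired alerts on the same traffic.
    """
    idx = defaultdict(lambda: {"new": [], "modified": []})
    for r in rules:
        idx[r["msg"]][r["section"]].append(r["sid"])
    return {msg: v for msg, v in idx.items() if v["new"] and v["modified"]}


def enablesid_lines(sids, gid=1):
    """Render SIDs as PulledPork enablesid.conf entries, collapsing runs into ranges.

    Assumes (not taken from the page) the 'gid:sid' and 'gid:a-gid:b' syntax of enablesid.conf.
    """
    out, run = [], []
    for sid in sorted(set(sids)) + [None]:  # trailing None flushes the final run
        if run and (sid is None or sid != run[-1] + 1):
            out.append(f"{gid}:{run[0]}" if len(run) == 1 else f"{gid}:{run[0]}-{gid}:{run[-1]}")
            run = []
        if sid is not None:
            run.append(sid)
    return out


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    print("rules per group:", dict(by_group(rules)))
    wanted = disabled_by_default(rules, classes={"PROTOCOL-SCADA", "SERVER-OTHER"})
    print("enablesid.conf entries:", ", ".join(enablesid_lines(wanted)))
    for msg, sids in message_overlap(rules).items():
        print(f"paired alerts: new {sids['new']} / modified {sids['modified']} -> {msg}")
```

Feed the full changelog text to `parse_changelog` instead of `SAMPLE` to get the real picture; the `message_overlap` check is worth running on every release, since a new SID issued alongside a modified older one usually means both fire on the same packet.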

2016-06-30 22:20:15 UTC

Snort Subscriber Rules Update

Date: 2016-06-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982 (Snort 2.9.8.2).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39389 <-> DISABLED <-> SERVER-WEBAPP Wintr SQL injection attempt (server-webapp.rules)
 * 1:39391 <-> DISABLED <-> PROTOCOL-SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt (protocol-scada.rules)
 * 1:39388 <-> DISABLED <-> SERVER-WEBAPP ICSCADA SQL injection attempt (server-webapp.rules)
 * 1:39386 <-> ENABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:39387 <-> DISABLED <-> SERVER-WEBAPP D-Link DAP-1160 authentication bypass attempt (server-webapp.rules)
 * 1:39384 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39383 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39380 <-> ENABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap overflow attempt (server-other.rules)
 * 1:39381 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39382 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39385 <-> ENABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:39390 <-> DISABLED <-> SERVER-WEBAPP IntegraXOR SQL injection attempt (server-webapp.rules)
 * 1:39392 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt (server-other.rules)
 * 1:39393 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 215 buffer overflow attempt (server-other.rules)
 * 1:39394 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 216 buffer overflow attempt (server-other.rules)
 * 1:39395 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 219 buffer overflow attempt (server-other.rules)
 * 1:39396 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 257 buffer overflow attempt (server-other.rules)
 * 1:39397 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 263 buffer overflow attempt (server-other.rules)
 * 1:39398 <-> ENABLED <-> SERVER-WEBAPP Symantec SEPM management console cross site scripting attempt (server-webapp.rules)
 * 1:39399 <-> DISABLED <-> SERVER-WEBAPP Symantec open redirect in external URL .php script attempt (server-webapp.rules)
 * 1:39400 <-> ENABLED <-> SERVER-WEBAPP Symantec Decomposer Engine Dec2LHA buffer overflow attempt (server-webapp.rules)
 * 1:39401 <-> ENABLED <-> SERVER-WEBAPP Symantec Decomposer Engine Dec2LHA buffer overflow attempt (server-webapp.rules)
 * 1:39402 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
 * 1:39403 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
 * 1:39404 <-> ENABLED <-> SERVER-OTHER Symantec Endpoint Protection Manager cross site request forgery attempt (server-other.rules)
 * 1:39405 <-> ENABLED <-> SERVER-OTHER Symantec Endpoint Protection Manager cross site request forgery attempt (server-other.rules)
 * 1:39406 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39407 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39408 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant initial outbound connection (malware-cnc.rules)
 * 1:39410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant exfiltration outbound connection (malware-cnc.rules)
 * 1:39411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qbot variant outbound connection (malware-cnc.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39413 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39414 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39415 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39416 <-> DISABLED <-> PUA-OTHER RMS rmansys remote management tool cnc communication (pua-other.rules)
 * 1:39417 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39418 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39419 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39432 <-> ENABLED <-> FILE-OTHER Symantec TNEF decoder integer overflow attempt (file-other.rules)
 * 1:39431 <-> ENABLED <-> FILE-OTHER Symantec TNEF decoder integer overflow attempt (file-other.rules)
 * 1:39430 <-> ENABLED <-> MALWARE-CNC Win.Malware.Furtim variant outbound connection (malware-cnc.rules)
 * 1:39429 <-> ENABLED <-> BLACKLIST DNS request for known malware domain reg.hd83rd.ru - Win.Malware.Furtim (blacklist.rules)
 * 1:39428 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39427 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39426 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39425 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39424 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39422 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39423 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39421 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39420 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)

Modified Rules:


 * 1:30097 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 257 buffer overflow attempt (server-other.rules)
 * 1:30095 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 216 buffer overflow attempt (server-other.rules)
 * 1:30096 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 219 buffer overflow attempt (server-other.rules)
 * 1:27262 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 263 buffer overflow attempt (server-other.rules)
 * 1:30094 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt (server-other.rules)
 * 1:17811 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware - download of svchost.exe (indicator-compromise.rules)
 * 1:27261 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 215 buffer overflow attempt (server-other.rules)

2016-06-30 22:20:15 UTC

Snort Subscriber Rules Update

Date: 2016-06-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983 (Snort 2.9.8.3).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39432 <-> ENABLED <-> FILE-OTHER Symantec TNEF decoder integer overflow attempt (file-other.rules)
 * 1:39431 <-> ENABLED <-> FILE-OTHER Symantec TNEF decoder integer overflow attempt (file-other.rules)
 * 1:39430 <-> ENABLED <-> MALWARE-CNC Win.Malware.Furtim variant outbound connection (malware-cnc.rules)
 * 1:39429 <-> ENABLED <-> BLACKLIST DNS request for known malware domain reg.hd83rd.ru - Win.Malware.Furtim (blacklist.rules)
 * 1:39428 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39427 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39426 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39425 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39424 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39423 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39422 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39421 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39420 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39419 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39418 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39417 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39416 <-> DISABLED <-> PUA-OTHER RMS rmansys remote management tool cnc communication (pua-other.rules)
 * 1:39415 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39414 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39413 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qbot variant outbound connection (malware-cnc.rules)
 * 1:39410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant exfiltration outbound connection (malware-cnc.rules)
 * 1:39409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant initial outbound connection (malware-cnc.rules)
 * 1:39408 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39407 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39406 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39405 <-> ENABLED <-> SERVER-OTHER Symantec Endpoint Protection Manager cross site request forgery attempt (server-other.rules)
 * 1:39404 <-> ENABLED <-> SERVER-OTHER Symantec Endpoint Protection Manager cross site request forgery attempt (server-other.rules)
 * 1:39403 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
 * 1:39402 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
 * 1:39401 <-> ENABLED <-> SERVER-WEBAPP Symantec Decomposer Engine Dec2LHA buffer overflow attempt (server-webapp.rules)
 * 1:39400 <-> ENABLED <-> SERVER-WEBAPP Symantec Decomposer Engine Dec2LHA buffer overflow attempt (server-webapp.rules)
 * 1:39399 <-> DISABLED <-> SERVER-WEBAPP Symantec open redirect in external URL .php script attempt (server-webapp.rules)
 * 1:39398 <-> ENABLED <-> SERVER-WEBAPP Symantec SEPM management console cross site scripting attempt (server-webapp.rules)
 * 1:39397 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 263 buffer overflow attempt (server-other.rules)
 * 1:39396 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 257 buffer overflow attempt (server-other.rules)
 * 1:39395 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 219 buffer overflow attempt (server-other.rules)
 * 1:39394 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 216 buffer overflow attempt (server-other.rules)
 * 1:39393 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 215 buffer overflow attempt (server-other.rules)
 * 1:39392 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt (server-other.rules)
 * 1:39391 <-> DISABLED <-> PROTOCOL-SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt (protocol-scada.rules)
 * 1:39390 <-> DISABLED <-> SERVER-WEBAPP IntegraXOR SQL injection attempt (server-webapp.rules)
 * 1:39389 <-> DISABLED <-> SERVER-WEBAPP Wintr SQL injection attempt (server-webapp.rules)
 * 1:39388 <-> DISABLED <-> SERVER-WEBAPP ICSCADA SQL injection attempt (server-webapp.rules)
 * 1:39387 <-> DISABLED <-> SERVER-WEBAPP D-Link DAP-1160 authentication bypass attempt (server-webapp.rules)
 * 1:39386 <-> ENABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:39385 <-> ENABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:39384 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39383 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39382 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39381 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39380 <-> ENABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap overflow attempt (server-other.rules)

Modified Rules:


 * 1:30096 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 219 buffer overflow attempt (server-other.rules)
 * 1:30097 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 257 buffer overflow attempt (server-other.rules)
 * 1:30095 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 216 buffer overflow attempt (server-other.rules)
 * 1:27262 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 263 buffer overflow attempt (server-other.rules)
 * 1:30094 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt (server-other.rules)
 * 1:17811 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware - download of svchost.exe (indicator-compromise.rules)
 * 1:27261 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 215 buffer overflow attempt (server-other.rules)