Talos Rules 2016-06-30
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-plugins, file-office, file-other, indicator-compromise, malware-cnc, protocol-scada, pua-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-06-30 22:20:16 UTC

Snort Subscriber Rules Update

Date: 2016-06-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39427 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39391 <-> DISABLED <-> PROTOCOL-SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt (protocol-scada.rules)
 * 1:39389 <-> DISABLED <-> SERVER-WEBAPP Wintr SQL injection attempt (server-webapp.rules)
 * 1:39387 <-> DISABLED <-> SERVER-WEBAPP D-Link DAP-1160 authentication bypass attempt (server-webapp.rules)
 * 1:39388 <-> DISABLED <-> SERVER-WEBAPP ICSCADA SQL injection attempt (server-webapp.rules)
 * 1:39384 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39386 <-> ENABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:39383 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39381 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39380 <-> ENABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap overflow attempt (server-other.rules)
 * 1:39429 <-> ENABLED <-> BLACKLIST DNS request for known malware domain reg.hd83rd.ru - Win.Malware.Furtim (blacklist.rules)
 * 1:39431 <-> ENABLED <-> FILE-OTHER Symantec TNEF decoder integer overflow attempt (file-other.rules)
 * 1:39425 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39432 <-> ENABLED <-> FILE-OTHER Symantec TNEF decoder integer overflow attempt (file-other.rules)
 * 1:39422 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39424 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39382 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39423 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39426 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39385 <-> ENABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:39390 <-> DISABLED <-> SERVER-WEBAPP IntegraXOR SQL injection attempt (server-webapp.rules)
 * 1:39392 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt (server-other.rules)
 * 1:39393 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 215 buffer overflow attempt (server-other.rules)
 * 1:39394 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 216 buffer overflow attempt (server-other.rules)
 * 1:39395 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 219 buffer overflow attempt (server-other.rules)
 * 1:39396 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 257 buffer overflow attempt (server-other.rules)
 * 1:39397 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 263 buffer overflow attempt (server-other.rules)
 * 1:39398 <-> ENABLED <-> SERVER-WEBAPP Symantec SEPM management console cross site scripting attempt (server-webapp.rules)
 * 1:39399 <-> DISABLED <-> SERVER-WEBAPP Symantec open redirect in external URL .php script attempt (server-webapp.rules)
 * 1:39400 <-> ENABLED <-> SERVER-WEBAPP Symantec Decomposer Engine Dec2LHA buffer overflow attempt (server-webapp.rules)
 * 1:39401 <-> ENABLED <-> SERVER-WEBAPP Symantec Decomposer Engine Dec2LHA buffer overflow attempt (server-webapp.rules)
 * 1:39402 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
 * 1:39403 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
 * 1:39404 <-> ENABLED <-> SERVER-OTHER Symantec Endpoint Protection Manager cross site request forgery attempt (server-other.rules)
 * 1:39405 <-> ENABLED <-> SERVER-OTHER Symantec Endpoint Protection Manager cross site request forgery attempt (server-other.rules)
 * 1:39406 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39407 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39430 <-> ENABLED <-> MALWARE-CNC Win.Malware.Furtim variant outbound connection (malware-cnc.rules)
 * 1:39408 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant initial outbound connection (malware-cnc.rules)
 * 1:39410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant exfiltration outbound connection (malware-cnc.rules)
 * 1:39411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qbot variant outbound connection (malware-cnc.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39413 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39414 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39415 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39416 <-> DISABLED <-> PUA-OTHER RMS rmansys remote management tool cnc communication (pua-other.rules)
 * 1:39417 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39418 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39428 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39419 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39420 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39421 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)

Modified Rules:


 * 1:30097 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 257 buffer overflow attempt (server-other.rules)
 * 1:30096 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 219 buffer overflow attempt (server-other.rules)
 * 1:27262 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 263 buffer overflow attempt (server-other.rules)
 * 1:30094 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt (server-other.rules)
 * 1:30095 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 216 buffer overflow attempt (server-other.rules)
 * 1:27261 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 215 buffer overflow attempt (server-other.rules)
 * 1:17811 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware - download of svchost.exe (indicator-compromise.rules)

2016-06-30 22:20:15 UTC

Snort Subscriber Rules Update

Date: 2016-06-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39389 <-> DISABLED <-> SERVER-WEBAPP Wintr SQL injection attempt (server-webapp.rules)
 * 1:39391 <-> DISABLED <-> PROTOCOL-SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt (protocol-scada.rules)
 * 1:39388 <-> DISABLED <-> SERVER-WEBAPP ICSCADA SQL injection attempt (server-webapp.rules)
 * 1:39386 <-> ENABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:39387 <-> DISABLED <-> SERVER-WEBAPP D-Link DAP-1160 authentication bypass attempt (server-webapp.rules)
 * 1:39384 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39383 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39380 <-> ENABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap overflow attempt (server-other.rules)
 * 1:39381 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39382 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39385 <-> ENABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:39390 <-> DISABLED <-> SERVER-WEBAPP IntegraXOR SQL injection attempt (server-webapp.rules)
 * 1:39392 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt (server-other.rules)
 * 1:39393 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 215 buffer overflow attempt (server-other.rules)
 * 1:39394 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 216 buffer overflow attempt (server-other.rules)
 * 1:39395 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 219 buffer overflow attempt (server-other.rules)
 * 1:39396 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 257 buffer overflow attempt (server-other.rules)
 * 1:39397 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 263 buffer overflow attempt (server-other.rules)
 * 1:39398 <-> ENABLED <-> SERVER-WEBAPP Symantec SEPM management console cross site scripting attempt (server-webapp.rules)
 * 1:39399 <-> DISABLED <-> SERVER-WEBAPP Symantec open redirect in external URL .php script attempt (server-webapp.rules)
 * 1:39400 <-> ENABLED <-> SERVER-WEBAPP Symantec Decomposer Engine Dec2LHA buffer overflow attempt (server-webapp.rules)
 * 1:39401 <-> ENABLED <-> SERVER-WEBAPP Symantec Decomposer Engine Dec2LHA buffer overflow attempt (server-webapp.rules)
 * 1:39402 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
 * 1:39403 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
 * 1:39404 <-> ENABLED <-> SERVER-OTHER Symantec Endpoint Protection Manager cross site request forgery attempt (server-other.rules)
 * 1:39405 <-> ENABLED <-> SERVER-OTHER Symantec Endpoint Protection Manager cross site request forgery attempt (server-other.rules)
 * 1:39406 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39407 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39408 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant initial outbound connection (malware-cnc.rules)
 * 1:39410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant exfiltration outbound connection (malware-cnc.rules)
 * 1:39411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qbot variant outbound connection (malware-cnc.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39413 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39414 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39415 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39416 <-> DISABLED <-> PUA-OTHER RMS rmansys remote management tool cnc communication (pua-other.rules)
 * 1:39417 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39418 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39419 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39432 <-> ENABLED <-> FILE-OTHER Symantec TNEF decoder integer overflow attempt (file-other.rules)
 * 1:39431 <-> ENABLED <-> FILE-OTHER Symantec TNEF decoder integer overflow attempt (file-other.rules)
 * 1:39430 <-> ENABLED <-> MALWARE-CNC Win.Malware.Furtim variant outbound connection (malware-cnc.rules)
 * 1:39429 <-> ENABLED <-> BLACKLIST DNS request for known malware domain reg.hd83rd.ru - Win.Malware.Furtim (blacklist.rules)
 * 1:39428 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39427 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39426 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39425 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39424 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39422 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39423 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39421 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39420 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)

Modified Rules:


 * 1:30097 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 257 buffer overflow attempt (server-other.rules)
 * 1:30095 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 216 buffer overflow attempt (server-other.rules)
 * 1:30096 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 219 buffer overflow attempt (server-other.rules)
 * 1:27262 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 263 buffer overflow attempt (server-other.rules)
 * 1:30094 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt (server-other.rules)
 * 1:17811 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware - download of svchost.exe (indicator-compromise.rules)
 * 1:27261 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 215 buffer overflow attempt (server-other.rules)

2016-06-30 22:20:15 UTC

Snort Subscriber Rules Update

Date: 2016-06-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39432 <-> ENABLED <-> FILE-OTHER Symantec TNEF decoder integer overflow attempt (file-other.rules)
 * 1:39431 <-> ENABLED <-> FILE-OTHER Symantec TNEF decoder integer overflow attempt (file-other.rules)
 * 1:39430 <-> ENABLED <-> MALWARE-CNC Win.Malware.Furtim variant outbound connection (malware-cnc.rules)
 * 1:39429 <-> ENABLED <-> BLACKLIST DNS request for known malware domain reg.hd83rd.ru - Win.Malware.Furtim (blacklist.rules)
 * 1:39428 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39427 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39426 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39425 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39424 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39423 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39422 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39421 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39420 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39419 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39418 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39417 <-> ENABLED <-> FILE-OFFICE Symantec multiple product Dec2SS PowerPoint file buffer overflow attempt (file-office.rules)
 * 1:39416 <-> DISABLED <-> PUA-OTHER RMS rmansys remote management tool cnc communication (pua-other.rules)
 * 1:39415 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39414 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39413 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qbot variant outbound connection (malware-cnc.rules)
 * 1:39410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant exfiltration outbound connection (malware-cnc.rules)
 * 1:39409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant initial outbound connection (malware-cnc.rules)
 * 1:39408 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39407 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39406 <-> DISABLED <-> SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt (server-other.rules)
 * 1:39405 <-> ENABLED <-> SERVER-OTHER Symantec Endpoint Protection Manager cross site request forgery attempt (server-other.rules)
 * 1:39404 <-> ENABLED <-> SERVER-OTHER Symantec Endpoint Protection Manager cross site request forgery attempt (server-other.rules)
 * 1:39403 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
 * 1:39402 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
 * 1:39401 <-> ENABLED <-> SERVER-WEBAPP Symantec Decomposer Engine Dec2LHA buffer overflow attempt (server-webapp.rules)
 * 1:39400 <-> ENABLED <-> SERVER-WEBAPP Symantec Decomposer Engine Dec2LHA buffer overflow attempt (server-webapp.rules)
 * 1:39399 <-> DISABLED <-> SERVER-WEBAPP Symantec open redirect in external URL .php script attempt (server-webapp.rules)
 * 1:39398 <-> ENABLED <-> SERVER-WEBAPP Symantec SEPM management console cross site scripting attempt (server-webapp.rules)
 * 1:39397 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 263 buffer overflow attempt (server-other.rules)
 * 1:39396 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 257 buffer overflow attempt (server-other.rules)
 * 1:39395 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 219 buffer overflow attempt (server-other.rules)
 * 1:39394 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 216 buffer overflow attempt (server-other.rules)
 * 1:39393 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 215 buffer overflow attempt (server-other.rules)
 * 1:39392 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt (server-other.rules)
 * 1:39391 <-> DISABLED <-> PROTOCOL-SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt (protocol-scada.rules)
 * 1:39390 <-> DISABLED <-> SERVER-WEBAPP IntegraXOR SQL injection attempt (server-webapp.rules)
 * 1:39389 <-> DISABLED <-> SERVER-WEBAPP Wintr SQL injection attempt (server-webapp.rules)
 * 1:39388 <-> DISABLED <-> SERVER-WEBAPP ICSCADA SQL injection attempt (server-webapp.rules)
 * 1:39387 <-> DISABLED <-> SERVER-WEBAPP D-Link DAP-1160 authentication bypass attempt (server-webapp.rules)
 * 1:39386 <-> ENABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:39385 <-> ENABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:39384 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39383 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39382 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39381 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Financial Management TList6 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39380 <-> ENABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap overflow attempt (server-other.rules)

Modified Rules:


 * 1:30096 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 219 buffer overflow attempt (server-other.rules)
 * 1:30097 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 257 buffer overflow attempt (server-other.rules)
 * 1:30095 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 216 buffer overflow attempt (server-other.rules)
 * 1:27262 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 263 buffer overflow attempt (server-other.rules)
 * 1:30094 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt (server-other.rules)
 * 1:17811 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware - download of svchost.exe (indicator-compromise.rules)
 * 1:27261 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 215 buffer overflow attempt (server-other.rules)