Talos Rules 2017-01-10
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS17-002:

A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 41140 through 41141.

Microsoft Security Bulletin MS17-004:

A coding deficiency exists in Local Security Authority Subsystem Service (LSASS) that may lead to a Denial of Service (DoS).

A previously released rule will detect attacks targeting these vulnerabilities and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 40759.

Talos has added and modified multiple rules in the blacklist, browser-ie, file-executable, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc, netbios, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-01-10 18:29:24 UTC

Snort Subscriber Rules Update

Date: 2017-01-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
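As an added example (not part of the Talos release notes), a small Python parser for this `gid:sid <-> state <-> message (group)` line format. The sample text is constructed from a handful of lines on this page; the parser tags each entry as new or modified and can answer questions such as which SIDs in the 41140 through 41141 range (the MS17-002 coverage) are present, or which newly added rules ship disabled.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the changelog lists above, covering both
# sections and the stray double space in the Nemucod message.
SAMPLE_CHANGELOG = """\
New Rules:


 * 1:41140 <-> ENABLED <-> FILE-OFFICE Microsoft Word Out-of-Bounds Write attempt (file-office.rules)
 * 1:41141 <-> ENABLED <-> FILE-OFFICE Microsoft Word Out-of-Bounds Write attempt (file-office.rules)
 * 1:41162 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Nemucod variant  (malware-cnc.rules)
 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 3:41137 <-> ENABLED <-> SERVER-OTHER Cisco IOS XR command line interface privilege escalation attempt (server-other.rules)

Modified Rules:


 * 1:40759 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LSASS GSS-API DER decoding null pointer dereference attempt (os-windows.rules)
"""

# One changelog line: " * gid:sid <-> ENABLED|DISABLED <-> message (group.rules)"
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    category: str   # leading token of the message, e.g. FILE-OFFICE
    message: str
    group: str      # rule file the rule lives in, e.g. file-office.rules
    section: str    # "new" or "modified", taken from the section header


def parse_changelog(text: str) -> list[RuleEntry]:
    """Parse a Snort Subscriber Rules Update changelog into structured entries."""
    entries = []
    section = "unknown"
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(line)
        if not m:
            continue  # blank lines, headers and anything that is not a rule line
        msg = " ".join(m["msg"].split())  # collapse stray double spaces
        category = msg.split(" ", 1)[0]
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                                 category, msg, m["group"], section))
    return entries


def sids_in_range(entries, gid, lo, hi):
    """SIDs for one GID that fall inside an inclusive range, e.g. a bulletin's coverage."""
    return sorted(e.sid for e in entries if e.gid == gid and lo <= e.sid <= hi)


def enabled_count_by_group(entries):
    """How many enabled-by-default rules each rule file contributes."""
    return Counter(e.group for e in entries if e.enabled)


def disabled_new_rules(entries):
    """Newly added rules that will not fire until an operator enables them."""
    return [(e.gid, e.sid, e.message) for e in entries
            if e.section == "new" and not e.enabled]


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    print("MS17-002 coverage present:", sids_in_range(parsed, 1, 41140, 41141))
    print("Enabled rules per group:", dict(enabled_count_by_group(parsed)))
    print("New but disabled:", disabled_new_rules(parsed))
```

Point it at the full text of one changelog section and the disabled-by-default list is the set a deployment must review by hand, since those rules provide no coverage until enabled.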

New Rules:


 * 1:41191 <-> DISABLED <-> POLICY-OTHER Adobe Flash SMTP MIME attachment detected (policy-other.rules)
 * 1:41189 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino srvnam.htm information disclosure attempt (server-webapp.rules)
 * 1:41188 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino NSF database information disclosure attempt (server-webapp.rules)
 * 1:41187 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino BOX mailbox information disclosure attempt (server-webapp.rules)
 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:41184 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41183 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41169 <-> ENABLED <-> BLACKLIST DNS request for known malware domain muralegdanskzaspa.eu - Win.Trojan.August (blacklist.rules)
 * 1:41140 <-> ENABLED <-> FILE-OFFICE Microsoft Word Out-of-Bounds Write attempt (file-office.rules)
 * 1:41139 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list structure memory corruption attempt (file-flash.rules)
 * 1:41138 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list structure memory corruption attempt (file-flash.rules)
 * 1:41173 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41171 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pg4pszczyna.edu.pl - Win.Trojan.August (blacklist.rules)
 * 1:41167 <-> ENABLED <-> BLACKLIST DNS request for known malware domain himalayard.de - Win.Trojan.August (blacklist.rules)
 * 1:41157 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length heap overflow attempt (file-flash.rules)
 * 1:41161 <-> ENABLED <-> FILE-FLASH Acrobat Flash FileReference class use-after-free memory corruption attempt (file-flash.rules)
 * 1:41159 <-> ENABLED <-> FILE-FLASH Adobe Flash Player visual blend out of bounds read attempt (file-flash.rules)
 * 1:41160 <-> ENABLED <-> FILE-FLASH Acrobat Flash FileReference class use-after-free memory corruption attempt (file-flash.rules)
 * 1:41156 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length heap overflow attempt (file-flash.rules)
 * 1:41152 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:41154 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
 * 1:41155 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
 * 1:41147 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41151 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript navigation pane use after free attempt (file-pdf.rules)
 * 1:41149 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41150 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript navigation pane use after free attempt (file-pdf.rules)
 * 1:41146 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41145 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41144 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41141 <-> ENABLED <-> FILE-OFFICE Microsoft Word Out-of-Bounds Write attempt (file-office.rules)
 * 1:41142 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
 * 1:41175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant post compromise download attempt (malware-cnc.rules)
 * 1:41163 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (file-pdf.rules)
 * 1:41172 <-> ENABLED <-> BLACKLIST DNS request for known malware domain thedragon318.com - Win.Trojan.August (blacklist.rules)
 * 1:41170 <-> ENABLED <-> BLACKLIST DNS request for known malware domain overstockage.com - Win.Trojan.August (blacklist.rules)
 * 1:41168 <-> ENABLED <-> BLACKLIST DNS request for known malware domain krusingtheworld.de - Win.Trojan.August (blacklist.rules)
 * 1:41181 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41182 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41143 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
 * 1:41186 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:41148 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41153 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:41158 <-> ENABLED <-> FILE-FLASH Adobe Flash Player visual blend out of bounds read attempt (file-flash.rules)
 * 1:41180 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant post compromise download attempt (malware-cnc.rules)
 * 1:41190 <-> DISABLED <-> POLICY-OTHER Adobe Flash SMTP MIME attachment detected (policy-other.rules)
 * 1:41164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (file-pdf.rules)
 * 1:41166 <-> ENABLED <-> FILE-FLASH Acrobat Flash FileReference class use-after-free memory corruption attempt (file-flash.rules)
 * 1:41194 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
 * 1:41193 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
 * 1:41165 <-> ENABLED <-> FILE-FLASH Acrobat Flash FileReference class use-after-free memory corruption attempt (file-flash.rules)
 * 1:41162 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Nemucod variant  (malware-cnc.rules)
 * 1:41192 <-> DISABLED <-> POLICY-OTHER Adobe Flash SMTP MIME attachment detected (policy-other.rules)
 * 1:41174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 3:41137 <-> ENABLED <-> SERVER-OTHER Cisco IOS XR command line interface privilege escalation attempt (server-other.rules)

Modified Rules:


 * 1:17549 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Error Handling Code Execution (browser-ie.rules)
 * 1:26021 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XML Java used in app.setTimeOut (file-pdf.rules)
 * 1:28240 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-100 User-Agent backdoor access attempt (server-webapp.rules)
 * 1:33419 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt (browser-ie.rules)
 * 1:33420 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt (browser-ie.rules)
 * 1:34479 <-> DISABLED <-> FILE-EXECUTABLE Adobe Flash Player Internet Explorer broker process directory traversal attempt (file-executable.rules)
 * 1:34480 <-> DISABLED <-> FILE-EXECUTABLE Adobe Flash Player Internet Explorer broker process directory traversal attempt (file-executable.rules)
 * 1:36873 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 ActionCallMethod use-after-free attempt (file-flash.rules)
 * 1:36874 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 ActionCallMethod use-after-free attempt (file-flash.rules)
 * 1:37009 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
 * 1:37010 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
 * 1:37069 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
 * 1:37070 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
 * 1:38081 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:38082 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:38225 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid FLV header out of bounds write attempt (file-flash.rules)
 * 1:38226 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid FLV header out of bounds write attempt (file-flash.rules)
 * 1:38507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38810 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38811 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38812 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38813 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38814 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38815 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38981 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:39100 <-> DISABLED <-> FILE-PDF Adobe Reader Universal 3D engine out of bounds memory access violation attempt (file-pdf.rules)
 * 1:39101 <-> DISABLED <-> FILE-PDF Adobe Reader Universal 3D engine out of bounds memory access violation attempt (file-pdf.rules)
 * 1:39131 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Acroform engine memory corruption attempt (file-pdf.rules)
 * 1:39132 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Acroform engine memory corruption attempt (file-pdf.rules)
 * 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:39318 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShimOpportunityGenerator out of bounds memory access attempt (file-flash.rules)
 * 1:39319 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShimOpportunityGenerator out of bounds memory access attempt (file-flash.rules)
 * 1:39656 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG handling memory corruption attempt (file-flash.rules)
 * 1:39657 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG handling memory corruption attempt (file-flash.rules)
 * 1:39658 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
 * 1:39659 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
 * 1:39703 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:39704 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:40431 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XML Java used in app.setTimeOut (file-pdf.rules)
 * 1:40759 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LSASS GSS-API DER decoding null pointer dereference attempt (os-windows.rules)
 * 3:40935 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0217 attack attempt (file-executable.rules)
 * 3:40934 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0217 attack attempt (file-executable.rules)
 * 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)
 * 3:38324 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:38323 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)

2017-01-10 18:29:23 UTC

Snort Subscriber Rules Update

Date: 2017-01-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41141 <-> ENABLED <-> FILE-OFFICE Microsoft Word Out-of-Bounds Write attempt (file-office.rules)
 * 1:41178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant post compromise download attempt (malware-cnc.rules)
 * 1:41176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41165 <-> ENABLED <-> FILE-FLASH Acrobat Flash FileReference class use-after-free memory corruption attempt (file-flash.rules)
 * 1:41166 <-> ENABLED <-> FILE-FLASH Acrobat Flash FileReference class use-after-free memory corruption attempt (file-flash.rules)
 * 1:41168 <-> ENABLED <-> BLACKLIST DNS request for known malware domain krusingtheworld.de - Win.Trojan.August (blacklist.rules)
 * 1:41167 <-> ENABLED <-> BLACKLIST DNS request for known malware domain himalayard.de - Win.Trojan.August (blacklist.rules)
 * 1:41169 <-> ENABLED <-> BLACKLIST DNS request for known malware domain muralegdanskzaspa.eu - Win.Trojan.August (blacklist.rules)
 * 1:41172 <-> ENABLED <-> BLACKLIST DNS request for known malware domain thedragon318.com - Win.Trojan.August (blacklist.rules)
 * 1:41170 <-> ENABLED <-> BLACKLIST DNS request for known malware domain overstockage.com - Win.Trojan.August (blacklist.rules)
 * 1:41171 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pg4pszczyna.edu.pl - Win.Trojan.August (blacklist.rules)
 * 1:41180 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant post compromise download attempt (malware-cnc.rules)
 * 1:41181 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41182 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41138 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list structure memory corruption attempt (file-flash.rules)
 * 1:41139 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list structure memory corruption attempt (file-flash.rules)
 * 1:41140 <-> ENABLED <-> FILE-OFFICE Microsoft Word Out-of-Bounds Write attempt (file-office.rules)
 * 1:41183 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41184 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41142 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
 * 1:41143 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
 * 1:41144 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41145 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:41146 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41147 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41148 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41149 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41186 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:41150 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript navigation pane use after free attempt (file-pdf.rules)
 * 1:41151 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript navigation pane use after free attempt (file-pdf.rules)
 * 1:41152 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:41153 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:41187 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino BOX mailbox information disclosure attempt (server-webapp.rules)
 * 1:41154 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
 * 1:41155 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
 * 1:41156 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length heap overflow attempt (file-flash.rules)
 * 1:41157 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length heap overflow attempt (file-flash.rules)
 * 1:41188 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino NSF database information disclosure attempt (server-webapp.rules)
 * 1:41158 <-> ENABLED <-> FILE-FLASH Adobe Flash Player visual blend out of bounds read attempt (file-flash.rules)
 * 1:41159 <-> ENABLED <-> FILE-FLASH Adobe Flash Player visual blend out of bounds read attempt (file-flash.rules)
 * 1:41160 <-> ENABLED <-> FILE-FLASH Acrobat Flash FileReference class use-after-free memory corruption attempt (file-flash.rules)
 * 1:41161 <-> ENABLED <-> FILE-FLASH Acrobat Flash FileReference class use-after-free memory corruption attempt (file-flash.rules)
 * 1:41189 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino srvnam.htm information disclosure attempt (server-webapp.rules)
 * 1:41162 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Nemucod variant  (malware-cnc.rules)
 * 1:41163 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (file-pdf.rules)
 * 1:41164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (file-pdf.rules)
 * 1:41190 <-> DISABLED <-> POLICY-OTHER Adobe Flash SMTP MIME attachment detected (policy-other.rules)
 * 1:41173 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41194 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
 * 1:41192 <-> DISABLED <-> POLICY-OTHER Adobe Flash SMTP MIME attachment detected (policy-other.rules)
 * 1:41193 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
 * 1:41191 <-> DISABLED <-> POLICY-OTHER Adobe Flash SMTP MIME attachment detected (policy-other.rules)
 * 3:41137 <-> ENABLED <-> SERVER-OTHER Cisco IOS XR command line interface privilege escalation attempt (server-other.rules)

Modified Rules:


 * 1:17549 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Error Handling Code Execution (browser-ie.rules)
 * 1:26021 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XML Java used in app.setTimeOut (file-pdf.rules)
 * 1:28240 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-100 User-Agent backdoor access attempt (server-webapp.rules)
 * 1:33419 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt (browser-ie.rules)
 * 1:33420 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt (browser-ie.rules)
 * 1:34479 <-> DISABLED <-> FILE-EXECUTABLE Adobe Flash Player Internet Explorer broker process directory traversal attempt (file-executable.rules)
 * 1:34480 <-> DISABLED <-> FILE-EXECUTABLE Adobe Flash Player Internet Explorer broker process directory traversal attempt (file-executable.rules)
 * 1:36873 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 ActionCallMethod use-after-free attempt (file-flash.rules)
 * 1:36874 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 ActionCallMethod use-after-free attempt (file-flash.rules)
 * 1:37009 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
 * 1:37010 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
 * 1:37069 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
 * 1:37070 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
 * 1:38081 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:38082 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:38225 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid FLV header out of bounds write attempt (file-flash.rules)
 * 1:38226 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid FLV header out of bounds write attempt (file-flash.rules)
 * 1:38507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38810 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38811 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38812 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38813 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38814 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38815 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38981 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:39100 <-> DISABLED <-> FILE-PDF Adobe Reader Universal 3D engine out of bounds memory access violation attempt (file-pdf.rules)
 * 1:39101 <-> DISABLED <-> FILE-PDF Adobe Reader Universal 3D engine out of bounds memory access violation attempt (file-pdf.rules)
 * 1:39131 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Acroform engine memory corruption attempt (file-pdf.rules)
 * 1:39132 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Acroform engine memory corruption attempt (file-pdf.rules)
 * 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:39318 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShimOpportunityGenerator out of bounds memory access attempt (file-flash.rules)
 * 1:39319 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShimOpportunityGenerator out of bounds memory access attempt (file-flash.rules)
 * 1:39656 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG handling memory corruption attempt (file-flash.rules)
 * 1:39657 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG handling memory corruption attempt (file-flash.rules)
 * 1:39658 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
 * 1:39659 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
 * 1:39703 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:39704 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:40431 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XML Java used in app.setTimeOut (file-pdf.rules)
 * 1:40759 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LSASS GSS-API DER decoding null pointer dereference attempt (os-windows.rules)
 * 3:40935 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0217 attack attempt (file-executable.rules)
 * 3:38324 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:40934 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0217 attack attempt (file-executable.rules)
 * 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)
 * 3:38323 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)

2017-01-10 18:29:23 UTC

Snort Subscriber Rules Update

Date: 2017-01-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41194 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
 * 1:41193 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
 * 1:41192 <-> DISABLED <-> POLICY-OTHER Adobe Flash SMTP MIME attachment detected (policy-other.rules)
 * 1:41191 <-> DISABLED <-> POLICY-OTHER Adobe Flash SMTP MIME attachment detected (policy-other.rules)
 * 1:41190 <-> DISABLED <-> POLICY-OTHER Adobe Flash SMTP MIME attachment detected (policy-other.rules)
 * 1:41189 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino srvnam.htm information disclosure attempt (server-webapp.rules)
 * 1:41188 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino NSF database information disclosure attempt (server-webapp.rules)
 * 1:41187 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino BOX mailbox information disclosure attempt (server-webapp.rules)
 * 1:41186 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:41184 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41183 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41182 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41181 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41180 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant post compromise download attempt (malware-cnc.rules)
 * 1:41179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant post compromise download attempt (malware-cnc.rules)
 * 1:41178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41173 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection attempt (malware-cnc.rules)
 * 1:41172 <-> ENABLED <-> BLACKLIST DNS request for known malware domain thedragon318.com - Win.Trojan.August (blacklist.rules)
 * 1:41171 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pg4pszczyna.edu.pl - Win.Trojan.August (blacklist.rules)
 * 1:41170 <-> ENABLED <-> BLACKLIST DNS request for known malware domain overstockage.com - Win.Trojan.August (blacklist.rules)
 * 1:41169 <-> ENABLED <-> BLACKLIST DNS request for known malware domain muralegdanskzaspa.eu - Win.Trojan.August (blacklist.rules)
 * 1:41168 <-> ENABLED <-> BLACKLIST DNS request for known malware domain krusingtheworld.de - Win.Trojan.August (blacklist.rules)
 * 1:41167 <-> ENABLED <-> BLACKLIST DNS request for known malware domain himalayard.de - Win.Trojan.August (blacklist.rules)
 * 1:41166 <-> ENABLED <-> FILE-FLASH Acrobat Flash FileReference class use-after-free memory corruption attempt (file-flash.rules)
 * 1:41165 <-> ENABLED <-> FILE-FLASH Acrobat Flash FileReference class use-after-free memory corruption attempt (file-flash.rules)
 * 1:41164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (file-pdf.rules)
 * 1:41163 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (file-pdf.rules)
 * 1:41162 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Nemucod variant  (malware-cnc.rules)
 * 1:41161 <-> ENABLED <-> FILE-FLASH Acrobat Flash FileReference class use-after-free memory corruption attempt (file-flash.rules)
 * 1:41160 <-> ENABLED <-> FILE-FLASH Acrobat Flash FileReference class use-after-free memory corruption attempt (file-flash.rules)
 * 1:41159 <-> ENABLED <-> FILE-FLASH Adobe Flash Player visual blend out of bounds read attempt (file-flash.rules)
 * 1:41158 <-> ENABLED <-> FILE-FLASH Adobe Flash Player visual blend out of bounds read attempt (file-flash.rules)
 * 1:41157 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length heap overflow attempt (file-flash.rules)
 * 1:41156 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length heap overflow attempt (file-flash.rules)
 * 1:41155 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
 * 1:41154 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
 * 1:41153 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:41152 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:41151 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript navigation pane use after free attempt (file-pdf.rules)
 * 1:41150 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript navigation pane use after free attempt (file-pdf.rules)
 * 1:41149 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41148 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41147 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41146 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41145 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41144 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41143 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
 * 1:41142 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
 * 1:41141 <-> ENABLED <-> FILE-OFFICE Microsoft Word Out-of-Bounds Write attempt (file-office.rules)
 * 1:41140 <-> ENABLED <-> FILE-OFFICE Microsoft Word Out-of-Bounds Write attempt (file-office.rules)
 * 1:41139 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list structure memory corruption attempt (file-flash.rules)
 * 1:41138 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list structure memory corruption attempt (file-flash.rules)
 * 3:41137 <-> ENABLED <-> SERVER-OTHER Cisco IOS XR command line interface privilege escalation attempt (server-other.rules)

Modified Rules:


 * 1:17549 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Error Handling Code Execution (browser-ie.rules)
 * 1:26021 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XML Java used in app.setTimeOut (file-pdf.rules)
 * 1:28240 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-100 User-Agent backdoor access attempt (server-webapp.rules)
 * 1:33419 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt (browser-ie.rules)
 * 1:33420 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt (browser-ie.rules)
 * 1:34479 <-> DISABLED <-> FILE-EXECUTABLE Adobe Flash Player Internet Explorer broker process directory traversal attempt (file-executable.rules)
 * 1:34480 <-> DISABLED <-> FILE-EXECUTABLE Adobe Flash Player Internet Explorer broker process directory traversal attempt (file-executable.rules)
 * 1:36873 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 ActionCallMethod use-after-free attempt (file-flash.rules)
 * 1:36874 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 ActionCallMethod use-after-free attempt (file-flash.rules)
 * 1:37009 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
 * 1:37010 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
 * 1:37069 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
 * 1:37070 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
 * 1:38081 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:38082 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:38225 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid FLV header out of bounds write attempt (file-flash.rules)
 * 1:38226 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid FLV header out of bounds write attempt (file-flash.rules)
 * 1:38507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38810 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38811 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38812 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38813 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38814 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38815 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38981 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:39100 <-> DISABLED <-> FILE-PDF Adobe Reader Universal 3D engine out of bounds memory access violation attempt (file-pdf.rules)
 * 1:39101 <-> DISABLED <-> FILE-PDF Adobe Reader Universal 3D engine out of bounds memory access violation attempt (file-pdf.rules)
 * 1:39131 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Acroform engine memory corruption attempt (file-pdf.rules)
 * 1:39132 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Acroform engine memory corruption attempt (file-pdf.rules)
 * 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:39318 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShimOpportunityGenerator out of bounds memory access attempt (file-flash.rules)
 * 1:39319 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShimOpportunityGenerator out of bounds memory access attempt (file-flash.rules)
 * 1:39656 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG handling memory corruption attempt (file-flash.rules)
 * 1:39657 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG handling memory corruption attempt (file-flash.rules)
 * 1:39658 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
 * 1:39659 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
 * 1:39703 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:39704 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:40431 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XML Java used in app.setTimeOut (file-pdf.rules)
 * 1:40759 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LSASS GSS-API DER decoding null pointer dereference attempt (os-windows.rules)
 * 3:40935 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0217 attack attempt (file-executable.rules)
 * 3:40934 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0217 attack attempt (file-executable.rules)
 * 3:38323 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:38324 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)