Talos Rules 2017-01-17
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, deleted, exploit-kit, file-executable, file-flash, file-image, file-other, file-pdf, indicator-shellcode, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-01-17 21:43:49 UTC

Snort Subscriber Rules Update

Date: 2017-01-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41293 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
 * 1:41294 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
 * 1:41292 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 PassiveX stage (indicator-shellcode.rules)
 * 1:41291 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 EMET disable (indicator-shellcode.rules)
 * 1:41305 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41229 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 shell (indicator-shellcode.rules)
 * 1:41230 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 shell toupper (indicator-shellcode.rules)
 * 1:38325 <-> ENABLED <-> DELETED a692bcbd-da6a-4950-9f36-e1cdd8918175 (deleted.rules)
 * 1:38326 <-> ENABLED <-> DELETED c0bdc889-edb1-4feb-9347-0f1b75d18b4b (deleted.rules)
 * 1:41226 <-> DISABLED <-> INDICATOR-SHELLCODE AIX /bin/sh (indicator-shellcode.rules)
 * 1:41320 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt (file-pdf.rules)
 * 1:41314 <-> DISABLED <-> EXPLOIT-KIT Rig exploit kit landing page detected (exploit-kit.rules)
 * 1:41315 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
 * 1:41316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
 * 1:41317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
 * 1:41290 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 download execute (indicator-shellcode.rules)
 * 1:41288 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 reverse connect shell (indicator-shellcode.rules)
 * 1:41289 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 add user (indicator-shellcode.rules)
 * 1:41286 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 bind shell (indicator-shellcode.rules)
 * 1:41287 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 FindSock shell (indicator-shellcode.rules)
 * 1:41284 <-> DISABLED <-> INDICATOR-SHELLCODE OpenBSD x86 bind shell (indicator-shellcode.rules)
 * 1:41285 <-> DISABLED <-> INDICATOR-SHELLCODE SCO OpenServer x86 shell (indicator-shellcode.rules)
 * 1:41282 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
 * 1:41283 <-> DISABLED <-> INDICATOR-SHELLCODE OpenBSD x86 add user (indicator-shellcode.rules)
 * 1:41281 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
 * 1:41279 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:41280 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
 * 1:41277 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - solaris/linux (indicator-shellcode.rules)
 * 1:41278 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - solaris/linux/irix (indicator-shellcode.rules)
 * 1:41275 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - linux x86/ppc (indicator-shellcode.rules)
 * 1:41276 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - osx x86/ppc (indicator-shellcode.rules)
 * 1:41273 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC shell setuid (indicator-shellcode.rules)
 * 1:41274 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC Xterm execution (indicator-shellcode.rules)
 * 1:41271 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse stage null free (indicator-shellcode.rules)
 * 1:41272 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC shell (indicator-shellcode.rules)
 * 1:41270 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse stage (indicator-shellcode.rules)
 * 1:41264 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 reverse connect UDP shell (indicator-shellcode.rules)
 * 1:41262 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 execute (indicator-shellcode.rules)
 * 1:41263 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 FindSock shell (indicator-shellcode.rules)
 * 1:41260 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC reverse connect shell (indicator-shellcode.rules)
 * 1:41261 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC reverse connect shell (indicator-shellcode.rules)
 * 1:41258 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC bind shell (indicator-shellcode.rules)
 * 1:41259 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC FindSock shell (indicator-shellcode.rules)
 * 1:41256 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC shell (indicator-shellcode.rules)
 * 1:41257 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC bind shell (indicator-shellcode.rules)
 * 1:41255 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC shell (indicator-shellcode.rules)
 * 1:41253 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC read execute (indicator-shellcode.rules)
 * 1:41254 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC reverse connect shell (indicator-shellcode.rules)
 * 1:41251 <-> DISABLED <-> INDICATOR-SHELLCODE IRIX MIPS shell (indicator-shellcode.rules)
 * 1:41252 <-> DISABLED <-> INDICATOR-SHELLCODE Linux MIPS shell (indicator-shellcode.rules)
 * 1:41250 <-> DISABLED <-> INDICATOR-SHELLCODE HP-UX PA-RISC shell (indicator-shellcode.rules)
 * 1:41249 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell (indicator-shellcode.rules)
 * 1:41233 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 bind stage (indicator-shellcode.rules)
 * 1:41234 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 chroot (indicator-shellcode.rules)
 * 1:41323 <-> DISABLED <-> FILE-PDF Adobe Reader JPEG 2000 COD marker use after free attempt (file-pdf.rules)
 * 1:41322 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro zoom caching use after free attempt (file-pdf.rules)
 * 1:41321 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro zoom caching use after free attempt (file-pdf.rules)
 * 1:41235 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 execute (indicator-shellcode.rules)
 * 1:41227 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 bind stage (indicator-shellcode.rules)
 * 1:41236 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 FindRecv stage (indicator-shellcode.rules)
 * 1:41237 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 FindSock shell (indicator-shellcode.rules)
 * 1:41238 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 mail passwd (indicator-shellcode.rules)
 * 1:41326 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA Engine use after free attempt (file-pdf.rules)
 * 1:41239 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:41240 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:41241 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse stage (indicator-shellcode.rules)
 * 1:41243 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell (indicator-shellcode.rules)
 * 1:41242 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 setuid shell (indicator-shellcode.rules)
 * 1:41244 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell - evade (indicator-shellcode.rules)
 * 1:41245 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell - evade (indicator-shellcode.rules)
 * 1:41246 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 kldload (indicator-shellcode.rules)
 * 1:41247 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell - chown/chmod/exec (indicator-shellcode.rules)
 * 1:41248 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell (indicator-shellcode.rules)
 * 1:41228 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 reverse connect stage (indicator-shellcode.rules)
 * 1:41232 <-> DISABLED <-> INDICATOR-SHELLCODE BSD SPARC bind shell (indicator-shellcode.rules)
 * 1:41324 <-> DISABLED <-> FILE-PDF Adobe Reader JPEG 2000 COD marker use after free attempt (file-pdf.rules)
 * 1:41265 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC add user (indicator-shellcode.rules)
 * 1:41266 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC create setuid (indicator-shellcode.rules)
 * 1:41267 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC INETD backdoor (indicator-shellcode.rules)
 * 1:41268 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reboot (indicator-shellcode.rules)
 * 1:41269 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse shell (indicator-shellcode.rules)
 * 1:41319 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt (file-pdf.rules)
 * 1:41318 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Visbot (blacklist.rules)
 * 1:41231 <-> DISABLED <-> INDICATOR-SHELLCODE BSD PPC shell (indicator-shellcode.rules)
 * 1:41296 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
 * 1:41295 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
 * 1:41301 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41304 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41298 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41299 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41302 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41300 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41297 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
 * 1:41303 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41325 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA Engine use after free attempt (file-pdf.rules)
 * 3:41311 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0223 attack attempt (file-image.rules)
 * 3:41328 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0271 attack attempt (file-pdf.rules)
 * 3:41306 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0256 attack attempt (file-executable.rules)
 * 3:41307 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0256 attack attempt (file-executable.rules)
 * 3:41224 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0243 attack attempt (file-pdf.rules)
 * 3:41308 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0247 attack attempt (file-other.rules)
 * 3:41225 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0243 attack attempt (file-pdf.rules)
 * 3:41310 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0223 attack attempt (file-image.rules)
 * 3:40880 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0237 attack attempt (server-webapp.rules)
 * 3:41313 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0246 attack attempt (file-executable.rules)
 * 3:41312 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0246 attack attempt (file-executable.rules)
 * 3:41309 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0247 attack attempt (file-other.rules)
 * 3:41327 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0271 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:41182 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41183 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41184 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41194 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
 * 1:41202 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41203 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:41142 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
 * 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:41181 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41155 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
 * 1:41154 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
 * 1:41149 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41144 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40753 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:41193 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
 * 1:41148 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41146 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41145 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41143 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
 * 1:41147 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
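The lists above follow the `gid:sid <-> Default rule state <-> Message (rule group)` format stated at the top of this changelog. The following Python script is an added example, not part of the Talos release notes: it parses lines in that format, counts what a release changes per rule group and default state, lists the SIDs that ship DISABLED in rule groups you care about as PulledPork-style `gid:sid` entries, and compares two per-version lists (such as the 2976 and 2983 blocks) by (gid, sid). The sample input is constructed from a few lines in the same shape as the lists above; the policy groups and the helper names (`parse_changelog`, `enable_candidates`, `compare_releases`) are this example's own. Entries with gid 3 are shared-object (SO) rules that only load with the precompiled SO bundle for your Snort build, which is why they are skipped by default.

```python
import re
from collections import Counter

# One changelog entry: gid:sid <-> Default rule state <-> Message (rule group)
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Constructed sample input in the same shape as the release notes (not the full list).
SAMPLE = """\
New Rules:

 * 1:41320 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt (file-pdf.rules)
 * 1:41323 <-> DISABLED <-> FILE-PDF Adobe Reader JPEG 2000 COD marker use after free attempt (file-pdf.rules)
 * 1:41291 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 EMET disable (indicator-shellcode.rules)
 * 1:41315 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
 * 3:41328 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0271 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:40753 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:41202 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
"""


def parse_changelog(text):
    """Return one dict per rule line, tagged with the section it came from ('new' or 'modified')."""
    section = None
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if m is None or section is None:
            continue  # blank lines, headers, or text that does not follow the format
        rules.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": m["msg"],
            "group": m["group"],
            "section": section,
        })
    return rules


def summarize(rules):
    """Count entries per (section, rule group, default state) to see what a release really changes."""
    return dict(Counter((r["section"], r["group"], r["state"]) for r in rules))


def enable_candidates(rules, groups, include_so=False):
    """SIDs that ship DISABLED in the given rule groups, as PulledPork-style 'gid:sid' strings.

    gid 3 entries are shared-object rules and only load with the SO bundle built for your
    Snort version, so they are left out unless include_so is set.
    """
    picked = []
    for r in rules:
        if r["state"] != "DISABLED" or r["group"] not in groups:
            continue
        if r["gid"] == 3 and not include_so:
            continue
        picked.append((r["gid"], r["sid"]))
    return [f"{gid}:{sid}" for gid, sid in sorted(picked)]


def sid_set(rules, section=None):
    """Set of (gid, sid) pairs, optionally restricted to the 'new' or 'modified' section."""
    return {(r["gid"], r["sid"]) for r in rules if section is None or r["section"] == section}


def compare_releases(text_a, text_b):
    """Compare two per-version changelog blocks by (gid, sid), ignoring list order."""
    a = sid_set(parse_changelog(text_a))
    b = sid_set(parse_changelog(text_b))
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    for key, n in sorted(summarize(parsed).items()):
        print(key, n)
    # Policy groups are this example's assumption: file-format rules we want on for a mail gateway.
    print(enable_candidates(parsed, {"file-pdf.rules", "file-image.rules"}))
```

To run this against a real release, read the saved changelog into a string and pass it to `parse_changelog`; the order of entries in each per-version block differs, so `compare_releases` works on (gid, sid) sets rather than line positions. Review the messages before feeding `enable_candidates` output into a PulledPork `enablesid.conf`: rules that ship DISABLED (the INDICATOR-SHELLCODE set, for example) do so for performance or false-positive reasons that depend on your traffic.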

2017-01-17 21:43:49 UTC

Snort Subscriber Rules Update

Date: 2017-01-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41295 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
 * 1:41268 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reboot (indicator-shellcode.rules)
 * 1:41266 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC create setuid (indicator-shellcode.rules)
 * 1:41267 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC INETD backdoor (indicator-shellcode.rules)
 * 1:41264 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 reverse connect UDP shell (indicator-shellcode.rules)
 * 1:41265 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC add user (indicator-shellcode.rules)
 * 1:41244 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell - evade (indicator-shellcode.rules)
 * 1:41242 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 setuid shell (indicator-shellcode.rules)
 * 1:41243 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell (indicator-shellcode.rules)
 * 1:41240 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:41235 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 execute (indicator-shellcode.rules)
 * 1:41238 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 mail passwd (indicator-shellcode.rules)
 * 1:41239 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:41236 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 FindRecv stage (indicator-shellcode.rules)
 * 1:41237 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 FindSock shell (indicator-shellcode.rules)
 * 1:41231 <-> DISABLED <-> INDICATOR-SHELLCODE BSD PPC shell (indicator-shellcode.rules)
 * 1:41226 <-> DISABLED <-> INDICATOR-SHELLCODE AIX /bin/sh (indicator-shellcode.rules)
 * 1:41228 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 reverse connect stage (indicator-shellcode.rules)
 * 1:41229 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 shell (indicator-shellcode.rules)
 * 1:41230 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 shell toupper (indicator-shellcode.rules)
 * 1:38326 <-> ENABLED <-> DELETED c0bdc889-edb1-4feb-9347-0f1b75d18b4b (deleted.rules)
 * 1:38325 <-> ENABLED <-> DELETED a692bcbd-da6a-4950-9f36-e1cdd8918175 (deleted.rules)
 * 1:41234 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 chroot (indicator-shellcode.rules)
 * 1:41233 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 bind stage (indicator-shellcode.rules)
 * 1:41241 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse stage (indicator-shellcode.rules)
 * 1:41245 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell - evade (indicator-shellcode.rules)
 * 1:41246 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 kldload (indicator-shellcode.rules)
 * 1:41247 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell - chown/chmod/exec (indicator-shellcode.rules)
 * 1:41248 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell (indicator-shellcode.rules)
 * 1:41249 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell (indicator-shellcode.rules)
 * 1:41250 <-> DISABLED <-> INDICATOR-SHELLCODE HP-UX PA-RISC shell (indicator-shellcode.rules)
 * 1:41251 <-> DISABLED <-> INDICATOR-SHELLCODE IRIX MIPS shell (indicator-shellcode.rules)
 * 1:41252 <-> DISABLED <-> INDICATOR-SHELLCODE Linux MIPS shell (indicator-shellcode.rules)
 * 1:41253 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC read execute (indicator-shellcode.rules)
 * 1:41254 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC reverse connect shell (indicator-shellcode.rules)
 * 1:41255 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC shell (indicator-shellcode.rules)
 * 1:41256 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC shell (indicator-shellcode.rules)
 * 1:41257 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC bind shell (indicator-shellcode.rules)
 * 1:41258 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC bind shell (indicator-shellcode.rules)
 * 1:41259 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC FindSock shell (indicator-shellcode.rules)
 * 1:41260 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC reverse connect shell (indicator-shellcode.rules)
 * 1:41261 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC reverse connect shell (indicator-shellcode.rules)
 * 1:41262 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 execute (indicator-shellcode.rules)
 * 1:41263 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 FindSock shell (indicator-shellcode.rules)
 * 1:41269 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse shell (indicator-shellcode.rules)
 * 1:41270 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse stage (indicator-shellcode.rules)
 * 1:41271 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse stage null free (indicator-shellcode.rules)
 * 1:41272 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC shell (indicator-shellcode.rules)
 * 1:41273 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC shell setuid (indicator-shellcode.rules)
 * 1:41274 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC Xterm execution (indicator-shellcode.rules)
 * 1:41275 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - linux x86/ppc (indicator-shellcode.rules)
 * 1:41276 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - osx x86/ppc (indicator-shellcode.rules)
 * 1:41277 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - solaris/linux (indicator-shellcode.rules)
 * 1:41278 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - solaris/linux/irix (indicator-shellcode.rules)
 * 1:41279 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:41280 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
 * 1:41281 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
 * 1:41282 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
 * 1:41283 <-> DISABLED <-> INDICATOR-SHELLCODE OpenBSD x86 add user (indicator-shellcode.rules)
 * 1:41284 <-> DISABLED <-> INDICATOR-SHELLCODE OpenBSD x86 bind shell (indicator-shellcode.rules)
 * 1:41285 <-> DISABLED <-> INDICATOR-SHELLCODE SCO OpenServer x86 shell (indicator-shellcode.rules)
 * 1:41286 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 bind shell (indicator-shellcode.rules)
 * 1:41287 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 FindSock shell (indicator-shellcode.rules)
 * 1:41288 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 reverse connect shell (indicator-shellcode.rules)
 * 1:41289 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 add user (indicator-shellcode.rules)
 * 1:41290 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 download execute (indicator-shellcode.rules)
 * 1:41291 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 EMET disable (indicator-shellcode.rules)
 * 1:41292 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 PassiveX stage (indicator-shellcode.rules)
 * 1:41293 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
 * 1:41326 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA Engine use after free attempt (file-pdf.rules)
 * 1:41325 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA Engine use after free attempt (file-pdf.rules)
 * 1:41324 <-> DISABLED <-> FILE-PDF Adobe Reader JPEG 2000 COD marker use after free attempt (file-pdf.rules)
 * 1:41323 <-> DISABLED <-> FILE-PDF Adobe Reader JPEG 2000 COD marker use after free attempt (file-pdf.rules)
 * 1:41322 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro zoom caching use after free attempt (file-pdf.rules)
 * 1:41321 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro zoom caching use after free attempt (file-pdf.rules)
 * 1:41320 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt (file-pdf.rules)
 * 1:41319 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt (file-pdf.rules)
 * 1:41318 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Visbot (blacklist.rules)
 * 1:41317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
 * 1:41316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
 * 1:41315 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
 * 1:41314 <-> DISABLED <-> EXPLOIT-KIT Rig exploit kit landing page detected (exploit-kit.rules)
 * 1:41305 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41304 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41303 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41302 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41301 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41227 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 bind stage (indicator-shellcode.rules)
 * 1:41232 <-> DISABLED <-> INDICATOR-SHELLCODE BSD SPARC bind shell (indicator-shellcode.rules)
 * 1:41300 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41298 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41299 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41297 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
 * 1:41294 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
 * 1:41296 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
 * 3:41309 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0247 attack attempt (file-other.rules)
 * 3:41312 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0246 attack attempt (file-executable.rules)
 * 3:41313 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0246 attack attempt (file-executable.rules)
 * 3:41310 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0223 attack attempt (file-image.rules)
 * 3:41311 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0223 attack attempt (file-image.rules)
 * 3:41308 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0247 attack attempt (file-other.rules)
 * 3:41306 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0256 attack attempt (file-executable.rules)
 * 3:41307 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0256 attack attempt (file-executable.rules)
 * 3:41225 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0243 attack attempt (file-pdf.rules)
 * 3:40880 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0237 attack attempt (server-webapp.rules)
 * 3:41224 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0243 attack attempt (file-pdf.rules)
 * 3:41327 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0271 attack attempt (file-pdf.rules)
 * 3:41328 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0271 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:41034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:41181 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41155 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
 * 1:41154 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
 * 1:41149 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41144 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41193 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
 * 1:41182 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41183 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41184 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41194 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
 * 1:41202 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41203 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:41142 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
 * 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:40753 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:41148 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41146 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41143 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
 * 1:41147 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41145 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)

2017-01-17 21:43:49 UTC

Snort Subscriber Rules Update

Date: 2017-01-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41326 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA Engine use after free attempt (file-pdf.rules)
 * 1:41325 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA Engine use after free attempt (file-pdf.rules)
 * 1:41324 <-> DISABLED <-> FILE-PDF Adobe Reader JPEG 2000 COD marker use after free attempt (file-pdf.rules)
 * 1:41323 <-> DISABLED <-> FILE-PDF Adobe Reader JPEG 2000 COD marker use after free attempt (file-pdf.rules)
 * 1:41322 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro zoom caching use after free attempt (file-pdf.rules)
 * 1:41321 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro zoom caching use after free attempt (file-pdf.rules)
 * 1:41320 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt (file-pdf.rules)
 * 1:41319 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt (file-pdf.rules)
 * 1:41318 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Visbot (blacklist.rules)
 * 1:41317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
 * 1:41316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
 * 1:41315 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
 * 1:41314 <-> DISABLED <-> EXPLOIT-KIT Rig exploit kit landing page detected (exploit-kit.rules)
 * 1:41305 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41304 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41303 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41302 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41301 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41300 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41299 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41298 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
 * 1:41297 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
 * 1:41296 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
 * 1:41295 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
 * 1:41294 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
 * 1:41293 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
 * 1:41292 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 PassiveX stage (indicator-shellcode.rules)
 * 1:41291 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 EMET disable (indicator-shellcode.rules)
 * 1:41290 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 download execute (indicator-shellcode.rules)
 * 1:41289 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 add user (indicator-shellcode.rules)
 * 1:41288 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 reverse connect shell (indicator-shellcode.rules)
 * 1:41287 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 FindSock shell (indicator-shellcode.rules)
 * 1:41286 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 bind shell (indicator-shellcode.rules)
 * 1:41285 <-> DISABLED <-> INDICATOR-SHELLCODE SCO OpenServer x86 shell (indicator-shellcode.rules)
 * 1:41284 <-> DISABLED <-> INDICATOR-SHELLCODE OpenBSD x86 bind shell (indicator-shellcode.rules)
 * 1:41283 <-> DISABLED <-> INDICATOR-SHELLCODE OpenBSD x86 add user (indicator-shellcode.rules)
 * 1:41282 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
 * 1:41281 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
 * 1:41280 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
 * 1:41279 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:41278 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - solaris/linux/irix (indicator-shellcode.rules)
 * 1:41277 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - solaris/linux (indicator-shellcode.rules)
 * 1:41276 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - osx x86/ppc (indicator-shellcode.rules)
 * 1:41275 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - linux x86/ppc (indicator-shellcode.rules)
 * 1:41274 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC Xterm execution (indicator-shellcode.rules)
 * 1:41273 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC shell setuid (indicator-shellcode.rules)
 * 1:41272 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC shell (indicator-shellcode.rules)
 * 1:41271 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse stage null free (indicator-shellcode.rules)
 * 1:41270 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse stage (indicator-shellcode.rules)
 * 1:41269 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse shell (indicator-shellcode.rules)
 * 1:41268 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reboot (indicator-shellcode.rules)
 * 1:41267 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC INETD backdoor (indicator-shellcode.rules)
 * 1:41266 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC create setuid (indicator-shellcode.rules)
 * 1:41265 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC add user (indicator-shellcode.rules)
 * 1:41264 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 reverse connect UDP shell (indicator-shellcode.rules)
 * 1:41263 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 FindSock shell (indicator-shellcode.rules)
 * 1:41262 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 execute (indicator-shellcode.rules)
 * 1:41261 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC reverse connect shell (indicator-shellcode.rules)
 * 1:41260 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC reverse connect shell (indicator-shellcode.rules)
 * 1:41259 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC FindSock shell (indicator-shellcode.rules)
 * 1:41258 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC bind shell (indicator-shellcode.rules)
 * 1:41257 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC bind shell (indicator-shellcode.rules)
 * 1:41256 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC shell (indicator-shellcode.rules)
 * 1:41255 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC shell (indicator-shellcode.rules)
 * 1:41254 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC reverse connect shell (indicator-shellcode.rules)
 * 1:41253 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC read execute (indicator-shellcode.rules)
 * 1:41252 <-> DISABLED <-> INDICATOR-SHELLCODE Linux MIPS shell (indicator-shellcode.rules)
 * 1:41251 <-> DISABLED <-> INDICATOR-SHELLCODE IRIX MIPS shell (indicator-shellcode.rules)
 * 1:41250 <-> DISABLED <-> INDICATOR-SHELLCODE HP-UX PA-RISC shell (indicator-shellcode.rules)
 * 1:41249 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell (indicator-shellcode.rules)
 * 1:41248 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell (indicator-shellcode.rules)
 * 1:41247 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell - chown/chmod/exec (indicator-shellcode.rules)
 * 1:41246 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 kldload (indicator-shellcode.rules)
 * 1:41245 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell - evade (indicator-shellcode.rules)
 * 1:41244 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell - evade (indicator-shellcode.rules)
 * 1:41243 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell (indicator-shellcode.rules)
 * 1:41242 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 setuid shell (indicator-shellcode.rules)
 * 1:41241 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse stage (indicator-shellcode.rules)
 * 1:41240 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:41239 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:41238 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 mail passwd (indicator-shellcode.rules)
 * 1:41237 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 FindSock shell (indicator-shellcode.rules)
 * 1:41236 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 FindRecv stage (indicator-shellcode.rules)
 * 1:41235 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 execute (indicator-shellcode.rules)
 * 1:41234 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 chroot (indicator-shellcode.rules)
 * 1:41233 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 bind stage (indicator-shellcode.rules)
 * 1:41232 <-> DISABLED <-> INDICATOR-SHELLCODE BSD SPARC bind shell (indicator-shellcode.rules)
 * 1:41231 <-> DISABLED <-> INDICATOR-SHELLCODE BSD PPC shell (indicator-shellcode.rules)
 * 1:41230 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 shell toupper (indicator-shellcode.rules)
 * 1:41229 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 shell (indicator-shellcode.rules)
 * 1:41228 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 reverse connect stage (indicator-shellcode.rules)
 * 1:41227 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 bind stage (indicator-shellcode.rules)
 * 1:41226 <-> DISABLED <-> INDICATOR-SHELLCODE AIX /bin/sh (indicator-shellcode.rules)
 * 1:38326 <-> ENABLED <-> DELETED c0bdc889-edb1-4feb-9347-0f1b75d18b4b (deleted.rules)
 * 1:38325 <-> ENABLED <-> DELETED a692bcbd-da6a-4950-9f36-e1cdd8918175 (deleted.rules)
 * 3:40880 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0237 attack attempt (server-webapp.rules)
 * 3:41224 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0243 attack attempt (file-pdf.rules)
 * 3:41225 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0243 attack attempt (file-pdf.rules)
 * 3:41306 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0256 attack attempt (file-executable.rules)
 * 3:41307 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0256 attack attempt (file-executable.rules)
 * 3:41308 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0247 attack attempt (file-other.rules)
 * 3:41309 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0247 attack attempt (file-other.rules)
 * 3:41310 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0223 attack attempt (file-image.rules)
 * 3:41311 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0223 attack attempt (file-image.rules)
 * 3:41312 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0246 attack attempt (file-executable.rules)
 * 3:41313 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0246 attack attempt (file-executable.rules)
 * 3:41327 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0271 attack attempt (file-pdf.rules)
 * 3:41328 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0271 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:41142 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
 * 1:41181 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41155 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
 * 1:41154 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
 * 1:41149 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41144 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41143 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
 * 1:41148 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41146 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41182 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41183 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41193 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
 * 1:41184 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41194 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
 * 1:41202 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41203 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40753 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:41147 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
 * 1:41145 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)