Talos Rules 2017-01-24
This release adds and modifies rules in several categories.

A vulnerability in Cisco WebEx Browser Extension was recently publicly disclosed. Information about this vulnerability can be found at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex and attempts to exploit this vulnerability are covered by SIDs 41407-41409.

Talos has also added and modified multiple rules in the app-detect, blacklist, browser-firefox, browser-ie, browser-other, file-flash, file-image, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, policy-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-01-25 00:59:37 UTC

Snort Subscriber Rules Update

Date: 2017-01-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41406 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object property change use after free attempt (browser-ie.rules)
 * 1:41392 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41394 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41385 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco WebEx explicit use of web plugin (policy-other.rules)
 * 1:41396 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41387 <-> DISABLED <-> SERVER-WEBAPP ZyXEL P660HN ADSL Router logset.asp command injection attempt (server-webapp.rules)
 * 1:41391 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41386 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:41404 <-> DISABLED <-> SERVER-WEBAPP Joomla JCE multiple plugin arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:41389 <-> DISABLED <-> POLICY-OTHER Cisco Firepower Management Console rule import access detected (policy-other.rules)
 * 1:41390 <-> ENABLED <-> SERVER-WEBAPP Apache Commons Library FileUpload unauthorized Java object upload attempt (server-webapp.rules)
 * 1:41393 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41398 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41380 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41383 <-> DISABLED <-> SERVER-WEBAPP PHP ZipArchive getFromIndex and getFromName integer overflow attempt (server-webapp.rules)
 * 1:41388 <-> DISABLED <-> SERVER-WEBAPP ZyXEL P660HN ADSL Router viewlog.asp command injection attempt (server-webapp.rules)
 * 1:41382 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41381 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41397 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:41399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
 * 1:41379 <-> DISABLED <-> SERVER-OTHER Squid HTTP Vary response header denial of service attempt (server-other.rules)
 * 1:41400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
 * 1:41378 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41401 <-> DISABLED <-> SERVER-WEBAPP Billion 5200W ADSL Router adv_remotelog.asp command injection attempt (server-webapp.rules)
 * 1:41377 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41395 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:41366 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack server denial of service attempt (server-other.rules)
 * 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:41403 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Simda (blacklist.rules)
 * 1:41402 <-> DISABLED <-> SERVER-WEBAPP Billion 5200W ADSL Router tools_time.asp command injection attempt (server-webapp.rules)
 * 1:41407 <-> ENABLED <-> BROWSER-OTHER Cisco WebEx extension command execution attempt (browser-other.rules)
 * 1:41384 <-> DISABLED <-> SERVER-WEBAPP PHP ZipArchive getFromIndex and getFromName integer overflow attempt (server-webapp.rules)
 * 1:41405 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object property change use after free attempt (browser-ie.rules)
 * 1:41408 <-> ENABLED <-> BROWSER-OTHER Cisco WebEx extension command execution attempt (browser-other.rules)
 * 3:41371 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0269 attack attempt (file-other.rules)
 * 3:41373 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
 * 3:41410 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0229 attack attempt (server-webapp.rules)
 * 3:41367 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0260 attack attempt (server-other.rules)
 * 3:41372 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
 * 3:41369 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0273 attack attempt (file-other.rules)
 * 3:41370 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0269 attack attempt (file-other.rules)
 * 3:41368 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0273 attack attempt (file-other.rules)

Modified Rules:


 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
 * 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
 * 1:35676 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox PDF.js same origin policy violation attempt (browser-firefox.rules)
 * 1:35675 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox PDF.js same origin policy violation attempt (browser-firefox.rules)
 * 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
 * 1:24348 <-> DISABLED <-> SERVER-APACHE Apache mod_rpaf X-Forwarded-For header denial of service attempt (server-apache.rules)
 * 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used without HTTP 1.1 evasion attempt. (indicator-obfuscation.rules)
 * 1:34582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt (file-flash.rules)
 * 1:34583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt (file-flash.rules)
 * 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
 * 1:40941 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
 * 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
 * 1:40940 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
 * 1:21230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Betad variant outbound connection (malware-cnc.rules)
 * 1:25358 <-> ENABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:21926 <-> DISABLED <-> SERVER-WEBAPP Joomla JCE multiple plugin arbitrary PHP file execution attempt (server-webapp.rules)
 * 1:21925 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent BOT/0.1 (blacklist.rules)

2017-01-25 00:59:37 UTC

Snort Subscriber Rules Update

Date: 2017-01-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41384 <-> DISABLED <-> SERVER-WEBAPP PHP ZipArchive getFromIndex and getFromName integer overflow attempt (server-webapp.rules)
 * 1:41388 <-> DISABLED <-> SERVER-WEBAPP ZyXEL P660HN ADSL Router viewlog.asp command injection attempt (server-webapp.rules)
 * 1:41383 <-> DISABLED <-> SERVER-WEBAPP PHP ZipArchive getFromIndex and getFromName integer overflow attempt (server-webapp.rules)
 * 1:41386 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:41385 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:41389 <-> DISABLED <-> POLICY-OTHER Cisco Firepower Management Console rule import access detected (policy-other.rules)
 * 1:41387 <-> DISABLED <-> SERVER-WEBAPP ZyXEL P660HN ADSL Router logset.asp command injection attempt (server-webapp.rules)
 * 1:41393 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41366 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack server denial of service attempt (server-other.rules)
 * 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:41394 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:41377 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41378 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41379 <-> DISABLED <-> SERVER-OTHER Squid HTTP Vary response header denial of service attempt (server-other.rules)
 * 1:41395 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41380 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41381 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41391 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41382 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41390 <-> ENABLED <-> SERVER-WEBAPP Apache Commons Library FileUpload unauthorized Java object upload attempt (server-webapp.rules)
 * 1:41397 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41398 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
 * 1:41400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
 * 1:41401 <-> DISABLED <-> SERVER-WEBAPP Billion 5200W ADSL Router adv_remotelog.asp command injection attempt (server-webapp.rules)
 * 1:41396 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41402 <-> DISABLED <-> SERVER-WEBAPP Billion 5200W ADSL Router tools_time.asp command injection attempt (server-webapp.rules)
 * 1:41403 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Simda (blacklist.rules)
 * 1:41404 <-> DISABLED <-> SERVER-WEBAPP Joomla JCE multiple plugin arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco WebEx explicit use of web plugin (policy-other.rules)
 * 1:41408 <-> ENABLED <-> BROWSER-OTHER Cisco WebEx extension command execution attempt (browser-other.rules)
 * 1:41392 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41407 <-> ENABLED <-> BROWSER-OTHER Cisco WebEx extension command execution attempt (browser-other.rules)
 * 1:41406 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object property change use after free attempt (browser-ie.rules)
 * 1:41405 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object property change use after free attempt (browser-ie.rules)
 * 3:41410 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0229 attack attempt (server-webapp.rules)
 * 3:41372 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
 * 3:41373 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
 * 3:41370 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0269 attack attempt (file-other.rules)
 * 3:41371 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0269 attack attempt (file-other.rules)
 * 3:41368 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0273 attack attempt (file-other.rules)
 * 3:41369 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0273 attack attempt (file-other.rules)
 * 3:41367 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0260 attack attempt (server-other.rules)

Modified Rules:


 * 1:24348 <-> DISABLED <-> SERVER-APACHE Apache mod_rpaf X-Forwarded-For header denial of service attempt (server-apache.rules)
 * 1:34583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt (file-flash.rules)
 * 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
 * 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used without HTTP 1.1 evasion attempt. (indicator-obfuscation.rules)
 * 1:35675 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox PDF.js same origin policy violation attempt (browser-firefox.rules)
 * 1:35676 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox PDF.js same origin policy violation attempt (browser-firefox.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:34582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt (file-flash.rules)
 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
 * 1:40940 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
 * 1:25358 <-> ENABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:21926 <-> DISABLED <-> SERVER-WEBAPP Joomla JCE multiple plugin arbitrary PHP file execution attempt (server-webapp.rules)
 * 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
 * 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
 * 1:40941 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
 * 1:21230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Betad variant outbound connection (malware-cnc.rules)
 * 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
 * 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
 * 1:21925 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent BOT/0.1 (blacklist.rules)

2017-01-25 00:59:37 UTC

Snort Subscriber Rules Update

Date: 2017-01-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco WebEx explicit use of web plugin (policy-other.rules)
 * 1:41408 <-> ENABLED <-> BROWSER-OTHER Cisco WebEx extension command execution attempt (browser-other.rules)
 * 1:41407 <-> ENABLED <-> BROWSER-OTHER Cisco WebEx extension command execution attempt (browser-other.rules)
 * 1:41406 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object property change use after free attempt (browser-ie.rules)
 * 1:41405 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object property change use after free attempt (browser-ie.rules)
 * 1:41404 <-> DISABLED <-> SERVER-WEBAPP Joomla JCE multiple plugin arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:41403 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Simda (blacklist.rules)
 * 1:41402 <-> DISABLED <-> SERVER-WEBAPP Billion 5200W ADSL Router tools_time.asp command injection attempt (server-webapp.rules)
 * 1:41401 <-> DISABLED <-> SERVER-WEBAPP Billion 5200W ADSL Router adv_remotelog.asp command injection attempt (server-webapp.rules)
 * 1:41400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
 * 1:41399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
 * 1:41398 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41397 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41396 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41395 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41394 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41393 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41392 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41391 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt (file-image.rules)
 * 1:41390 <-> ENABLED <-> SERVER-WEBAPP Apache Commons Library FileUpload unauthorized Java object upload attempt (server-webapp.rules)
 * 1:41389 <-> DISABLED <-> POLICY-OTHER Cisco Firepower Management Console rule import access detected (policy-other.rules)
 * 1:41388 <-> DISABLED <-> SERVER-WEBAPP ZyXEL P660HN ADSL Router viewlog.asp command injection attempt (server-webapp.rules)
 * 1:41387 <-> DISABLED <-> SERVER-WEBAPP ZyXEL P660HN ADSL Router logset.asp command injection attempt (server-webapp.rules)
 * 1:41386 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:41385 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:41384 <-> DISABLED <-> SERVER-WEBAPP PHP ZipArchive getFromIndex and getFromName integer overflow attempt (server-webapp.rules)
 * 1:41383 <-> DISABLED <-> SERVER-WEBAPP PHP ZipArchive getFromIndex and getFromName integer overflow attempt (server-webapp.rules)
 * 1:41382 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41381 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41380 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41379 <-> DISABLED <-> SERVER-OTHER Squid HTTP Vary response header denial of service attempt (server-other.rules)
 * 1:41378 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41377 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:41366 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack server denial of service attempt (server-other.rules)
 * 3:41410 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0229 attack attempt (server-webapp.rules)
 * 3:41372 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
 * 3:41373 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
 * 3:41370 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0269 attack attempt (file-other.rules)
 * 3:41371 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0269 attack attempt (file-other.rules)
 * 3:41368 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0273 attack attempt (file-other.rules)
 * 3:41369 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0273 attack attempt (file-other.rules)
 * 3:41367 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0260 attack attempt (server-other.rules)

Modified Rules:


 * 1:21926 <-> DISABLED <-> SERVER-WEBAPP Joomla JCE multiple plugin arbitrary PHP file execution attempt (server-webapp.rules)
 * 1:21925 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent BOT/0.1 (blacklist.rules)
 * 1:25358 <-> ENABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
 * 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
 * 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:34582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt (file-flash.rules)
 * 1:34583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt (file-flash.rules)
 * 1:35675 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox PDF.js same origin policy violation attempt (browser-firefox.rules)
 * 1:35676 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox PDF.js same origin policy violation attempt (browser-firefox.rules)
 * 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
 * 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used without HTTP 1.1 evasion attempt. (indicator-obfuscation.rules)
 * 1:40940 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
 * 1:40941 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
 * 1:21230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Betad variant outbound connection (malware-cnc.rules)
 * 1:24348 <-> DISABLED <-> SERVER-APACHE Apache mod_rpaf X-Forwarded-For header denial of service attempt (server-apache.rules)
 * 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)