Talos Rules 2017-02-14
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, deleted, exploit-kit, file-executable, file-flash, file-other, indicator-compromise, malware-backdoor, malware-cnc, malware-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-02-14 19:53:00 UTC

Snort Subscriber Rules Update

Date: 2017-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:41641 <-> DISABLED <-> FILE-EXECUTABLE QuickHeal Internet Security malformed Mach-O file buffer overflow attempt (file-executable.rules)
 * 1:41634 <-> DISABLED <-> DELETED JZUG1wVRPVZOLCvEyoHz (deleted.rules)
 * 1:41587 <-> DISABLED <-> DELETED v6YNZkcOtoUt4lazjOZg (deleted.rules)
 * 1:41590 <-> DISABLED <-> DELETED tB8in5OHkHx3L0ni1p1I (deleted.rules)
 * 1:41581 <-> DISABLED <-> DELETED lm06mVLIekQJco8ymvCj (deleted.rules)
 * 1:41583 <-> DISABLED <-> DELETED 2104Je8NeYdUapqjyLKN (deleted.rules)
 * 1:41579 <-> DISABLED <-> DELETED tYwrGluX5dObfE6sY3GA (deleted.rules)
 * 1:41580 <-> DISABLED <-> DELETED xozrA27GE3bw8z1WGapk (deleted.rules)
 * 1:41577 <-> DISABLED <-> DELETED 9G9ad7eS9ApSYjQCeMop (deleted.rules)
 * 1:41578 <-> DISABLED <-> DELETED JnY2cb8F710UF6d9lQSp (deleted.rules)
 * 1:41574 <-> DISABLED <-> DELETED 0GQx9qNGzD5JvIgsNsLU (deleted.rules)
 * 1:41575 <-> DISABLED <-> DELETED iXbkLX1dAAlk183HBDqc (deleted.rules)
 * 1:41572 <-> DISABLED <-> DELETED Jo29KjldkTlEL6ev8eBR (deleted.rules)
 * 1:41573 <-> DISABLED <-> DELETED AaEnRMGjoABYzg5s2InU (deleted.rules)
 * 1:41569 <-> DISABLED <-> DELETED SvuhTNxfofLNh6BDRK33 (deleted.rules)
 * 1:41570 <-> DISABLED <-> DELETED j9s3YbYVyYWsbrtQ3uIs (deleted.rules)
 * 1:41567 <-> DISABLED <-> DELETED pTXs7KUhQRGhaWTgKbb7 (deleted.rules)
 * 1:41568 <-> DISABLED <-> DELETED kF3nigJ4JNVVk6rUu4Y3 (deleted.rules)
 * 1:41564 <-> DISABLED <-> DELETED gTgCA88UF8renb5O9NNQ (deleted.rules)
 * 1:41565 <-> DISABLED <-> DELETED j1CGK1PYbr0q4ETiGl8i (deleted.rules)
 * 1:41562 <-> DISABLED <-> DELETED OAFbssmWYTUcAmr92XiO (deleted.rules)
 * 1:41563 <-> DISABLED <-> DELETED fK4NDvjETaezKM19vsBD (deleted.rules)
 * 1:41559 <-> DISABLED <-> DELETED vLuzJQZoy0uX2rfCGyX7 (deleted.rules)
 * 1:41560 <-> DISABLED <-> DELETED 2xy4LeeaJZxrNUR2Zrjn (deleted.rules)
 * 1:41557 <-> DISABLED <-> DELETED nsW9dVJiXbmLiVxuruv3 (deleted.rules)
 * 1:41558 <-> DISABLED <-> DELETED 0dSWPnm7dz6Fcf70zGIL (deleted.rules)
 * 1:41554 <-> DISABLED <-> DELETED oeXHcWOaoDqO97LWE3im (deleted.rules)
 * 1:41555 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use asm memory corruption attempt (browser-ie.rules)
 * 1:41553 <-> DISABLED <-> DELETED n0AKi5Jy0HRovEdANpIJ (deleted.rules)
 * 1:41550 <-> DISABLED <-> DELETED 9PiGK20daqQ4NG2yUmHJ (deleted.rules)
 * 1:41552 <-> DISABLED <-> DELETED j0lVhTQQnlFPNV8WbXjw (deleted.rules)
 * 1:41549 <-> DISABLED <-> DELETED 3KS9XNn1eqWy808Nag8X (deleted.rules)
 * 1:41624 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MessageChannel type confusion attempt (file-flash.rules)
 * 1:41606 <-> DISABLED <-> DELETED DyPtd537A4oTXII67lLY (deleted.rules)
 * 1:41608 <-> DISABLED <-> DELETED DlljTt5vFr4wpoNJnBJD (deleted.rules)
 * 1:41607 <-> DISABLED <-> DELETED rAZFmWHsPbKcUty7MgrA (deleted.rules)
 * 1:41610 <-> DISABLED <-> DELETED kOVvZrK2dixrCRdcdldP (deleted.rules)
 * 1:41612 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder luminance adjustment out of bounds memory access attempt (file-other.rules)
 * 1:41611 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder luminance adjustment out of bounds memory access attempt (file-other.rules)
 * 1:41613 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41615 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41616 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41640 <-> DISABLED <-> FILE-EXECUTABLE QuickHeal Internet Security malformed Mach-O file buffer overflow attempt (file-executable.rules)
 * 1:41584 <-> DISABLED <-> DELETED xQLvvhaNbAQnF8Jikc0m (deleted.rules)
 * 1:41623 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MessageChannel type confusion attempt (file-flash.rules)
 * 1:41604 <-> DISABLED <-> FILE-FLASH Adobe Flash player BitmapData class use after free attempt (file-flash.rules)
 * 1:41603 <-> DISABLED <-> FILE-FLASH Adobe Flash player BitmapData class use after free attempt (file-flash.rules)
 * 1:41602 <-> DISABLED <-> DELETED aw5zsD18HZVNLa9fNWB7 (deleted.rules)
 * 1:41551 <-> DISABLED <-> DELETED qS9HxX8E8ZuwjJmc2QYy (deleted.rules)
 * 1:41609 <-> DISABLED <-> DELETED Vehj0FCBGiPlqED8fNo1 (deleted.rules)
 * 1:41556 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use asm memory corruption attempt (browser-ie.rules)
 * 1:41561 <-> DISABLED <-> DELETED WEJm6bj4v3duVaDCRGYl (deleted.rules)
 * 1:41566 <-> DISABLED <-> DELETED eh2wYUkuI278GyheZZwI (deleted.rules)
 * 1:41571 <-> DISABLED <-> DELETED HIFsM6I1zeAoJJ5Yf5li (deleted.rules)
 * 1:41614 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41576 <-> DISABLED <-> DELETED l77NiJB8YylQIdXeb6CM (deleted.rules)
 * 1:41582 <-> DISABLED <-> DELETED A9MKNbvdALHvn3CdLpqv (deleted.rules)
 * 1:41617 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41618 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41619 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addEventListener use after free attempt (file-flash.rules)
 * 1:41620 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addEventListener use after free attempt (file-flash.rules)
 * 1:41621 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed FLV heap overflow attempt (file-flash.rules)
 * 1:41601 <-> DISABLED <-> DELETED QFHU2S6OJHLagIz6pOvI (deleted.rules)
 * 1:41599 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPeerHolder use after free attempt (browser-ie.rules)
 * 1:41600 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPeerHolder use after free attempt (browser-ie.rules)
 * 1:41597 <-> DISABLED <-> DELETED bpYVBffSltC9snfZm375 (deleted.rules)
 * 1:41598 <-> DISABLED <-> DELETED tlGo6aXOokNuyU1LDLf2 (deleted.rules)
 * 1:41595 <-> DISABLED <-> DELETED YCkW8nqU9F5eK8z8YSbn (deleted.rules)
 * 1:41596 <-> DISABLED <-> DELETED 92rMZYmep1qp65DS5D1V (deleted.rules)
 * 1:41593 <-> DISABLED <-> DELETED 7ZUEraI3djmWkEg1YJQz (deleted.rules)
 * 1:41594 <-> DISABLED <-> DELETED QB7rs3Z2BDil1quuJNKT (deleted.rules)
 * 1:41591 <-> DISABLED <-> DELETED SZEKQhOGrioANnhLEW71 (deleted.rules)
 * 1:41592 <-> DISABLED <-> DELETED 0POZmpuYEnQ8DWiFvIqZ (deleted.rules)
 * 1:41588 <-> DISABLED <-> DELETED 2rR4CIpZQ1oZBLU01E4M (deleted.rules)
 * 1:41589 <-> DISABLED <-> DELETED BKyoksClYkHqRyMDLret (deleted.rules)
 * 1:41622 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed FLV heap overflow attempt (file-flash.rules)
 * 1:41633 <-> DISABLED <-> DELETED sxNxlO0jW0maiNpR7aM4 (deleted.rules)
 * 1:41625 <-> DISABLED <-> DELETED 1Yn0o2sUhWRHdpZIYQCe (deleted.rules)
 * 1:41626 <-> DISABLED <-> DELETED A8bNNfsFmpiJzXVSVbt6 (deleted.rules)
 * 1:41629 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK EventDispatch removeEventListener use after free attempt (file-flash.rules)
 * 1:41627 <-> ENABLED <-> FILE-FLASH Adobe Flash Player garbage collection use after free attempt (file-flash.rules)
 * 1:41630 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK EventDispatch removeEventListener use after free attempt (file-flash.rules)
 * 1:41628 <-> ENABLED <-> FILE-FLASH Adobe Flash Player garbage collection use after free attempt (file-flash.rules)
 * 1:41632 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 h264 decompression routine out of bounds read attempt (file-other.rules)
 * 1:41631 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 h264 decompression routine out of bounds read attempt (file-other.rules)
 * 1:41585 <-> DISABLED <-> DELETED xePvFEaRV1KmQNOzRGXH (deleted.rules)
 * 1:41586 <-> DISABLED <-> DELETED GXtNgBGUZsao7PElnBoI (deleted.rules)
 * 1:41637 <-> DISABLED <-> INDICATOR-COMPROMISE Writable SQL directories discovery attempt (indicator-compromise.rules)
 * 1:41635 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)
 * 1:41638 <-> DISABLED <-> SERVER-WEBAPP Wordpress NextGEN gallery directory traversal attempt (server-webapp.rules)
 * 1:41636 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)
 * 1:41639 <-> DISABLED <-> SERVER-WEBAPP Wordpress NextGEN gallery directory traversal attempt (server-webapp.rules)
 * 1:41642 <-> DISABLED <-> SERVER-WEBAPP TP-LINK AC750 ping diagnostic command injection attempt (server-webapp.rules)
 * 1:41605 <-> DISABLED <-> DELETED ILkVCsobqFaujNaEjEQV (deleted.rules)

Modified Rules:
 * 1:41122 <-> ENABLED <-> BLACKLIST DNS request for known malware domain editprod.waterfilter.in.ua (blacklist.rules)
 * 1:39220 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:38681 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Tooka POST attempt (malware-cnc.rules)
 * 1:39219 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
 * 1:38729 <-> ENABLED <-> SERVER-OTHER Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 inbound admin attempt (server-other.rules)
 * 1:38607 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection (malware-cnc.rules)
 * 1:38610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Godzilla downloader successful base64 binary download (malware-cnc.rules)
 * 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
 * 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
 * 1:37091 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt (file-flash.rules)
 * 1:37679 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
 * 1:37680 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
 * 1:37076 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37089 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt (file-flash.rules)
 * 1:37090 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt (file-flash.rules)
 * 1:37088 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt (file-flash.rules)
 * 1:37075 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37072 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37073 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37074 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37071 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:34842 <-> DISABLED <-> MALWARE-CNC Win.Trojan.DownExecute outbound connection (malware-cnc.rules)
 * 1:35783 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Jiripbot variant outbound connection (malware-cnc.rules)
 * 1:33756 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.CTB-Locker outbound connection (malware-cnc.rules)
 * 1:35035 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Taleretzbj outbound connection (malware-cnc.rules)
 * 1:33812 <-> ENABLED <-> SERVER-WEBAPP Seagate NAS remote code execution attempt (server-webapp.rules)
 * 1:33880 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Casper outbound connection (malware-cnc.rules)
 * 1:33166 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33757 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.CTB-Locker outbound connection (malware-cnc.rules)
 * 1:33168 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33169 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:32555 <-> ENABLED <-> EXPLOIT-KIT Hellspawn exploit kit outbound Oracle Java jar request (exploit-kit.rules)
 * 1:33167 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:32623 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection (malware-cnc.rules)
 * 1:32753 <-> ENABLED <-> SERVER-WEBAPP FreePBX Framework Asterisk recording interface PHP unserialize code execution attempt (server-webapp.rules)
 * 1:29863 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Pirminay variant outbound connection (malware-cnc.rules)
 * 1:32622 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection (malware-cnc.rules)
 * 1:31896 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection (malware-cnc.rules)
 * 1:31944 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Tavdig outbound connection (malware-cnc.rules)
 * 1:28516 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:31682 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Badur download attempt (malware-cnc.rules)
 * 1:28985 <-> DISABLED <-> MALWARE-CNC Win.Worm.Steckt IRCbot executable download (malware-cnc.rules)
 * 1:28879 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Tavdig variant outbound connection (malware-cnc.rules)
 * 1:28509 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28517 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28511 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28515 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:27601 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Noobot variant connection (malware-cnc.rules)
 * 1:28510 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28305 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mecifg variant outbound connection (malware-cnc.rules)
 * 1:28315 <-> DISABLED <-> FILE-OTHER Microsoft Office Image filter BMP overflow attempt (file-other.rules)
 * 1:24285 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Nomno variant outbound connection (malware-cnc.rules)
 * 1:27804 <-> DISABLED <-> MALWARE-CNC Win.Trojan.PRISM variant outbound connection (malware-cnc.rules)
 * 1:26777 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kazy variant outbound connection (malware-cnc.rules)
 * 1:27057 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dalbot variant outbound connection (malware-cnc.rules)
 * 1:26529 <-> DISABLED <-> MALWARE-BACKDOOR Unix.Backdoor.Cdorked backdoor command attempt (malware-backdoor.rules)
 * 1:21074 <-> DISABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - CookieInterceptor (server-apache.rules)
 * 1:21555 <-> DISABLED <-> MALWARE-OTHER Horde javascript.php href backdoor (malware-other.rules)
 * 3:36228 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0060 attack attempt (file-other.rules)
 * 3:36225 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0060 attack attempt (file-other.rules)
 * 3:36226 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0060 attack attempt (file-other.rules)
 * 3:41221 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0234 attack attempt (server-webapp.rules)
 * 3:41467 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0276 TALOS-2017-0277 attack attempt (server-other.rules)
 * 3:36227 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0060 attack attempt (file-other.rules)

2017-02-14 19:53:00 UTC

Snort Subscriber Rules Update

Date: 2017-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:41633 <-> DISABLED <-> DELETED sxNxlO0jW0maiNpR7aM4 (deleted.rules)
 * 1:41632 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 h264 decompression routine out of bounds read attempt (file-other.rules)
 * 1:41630 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK EventDispatch removeEventListener use after free attempt (file-flash.rules)
 * 1:41628 <-> ENABLED <-> FILE-FLASH Adobe Flash Player garbage collection use after free attempt (file-flash.rules)
 * 1:41629 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK EventDispatch removeEventListener use after free attempt (file-flash.rules)
 * 1:41626 <-> DISABLED <-> DELETED A8bNNfsFmpiJzXVSVbt6 (deleted.rules)
 * 1:41627 <-> ENABLED <-> FILE-FLASH Adobe Flash Player garbage collection use after free attempt (file-flash.rules)
 * 1:41624 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MessageChannel type confusion attempt (file-flash.rules)
 * 1:41625 <-> DISABLED <-> DELETED 1Yn0o2sUhWRHdpZIYQCe (deleted.rules)
 * 1:41622 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed FLV heap overflow attempt (file-flash.rules)
 * 1:41623 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MessageChannel type confusion attempt (file-flash.rules)
 * 1:41620 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addEventListener use after free attempt (file-flash.rules)
 * 1:41621 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed FLV heap overflow attempt (file-flash.rules)
 * 1:41618 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41619 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addEventListener use after free attempt (file-flash.rules)
 * 1:41616 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41617 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41599 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPeerHolder use after free attempt (browser-ie.rules)
 * 1:41600 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPeerHolder use after free attempt (browser-ie.rules)
 * 1:41598 <-> DISABLED <-> DELETED tlGo6aXOokNuyU1LDLf2 (deleted.rules)
 * 1:41596 <-> DISABLED <-> DELETED 92rMZYmep1qp65DS5D1V (deleted.rules)
 * 1:41597 <-> DISABLED <-> DELETED bpYVBffSltC9snfZm375 (deleted.rules)
 * 1:41594 <-> DISABLED <-> DELETED QB7rs3Z2BDil1quuJNKT (deleted.rules)
 * 1:41595 <-> DISABLED <-> DELETED YCkW8nqU9F5eK8z8YSbn (deleted.rules)
 * 1:41593 <-> DISABLED <-> DELETED 7ZUEraI3djmWkEg1YJQz (deleted.rules)
 * 1:41591 <-> DISABLED <-> DELETED SZEKQhOGrioANnhLEW71 (deleted.rules)
 * 1:41592 <-> DISABLED <-> DELETED 0POZmpuYEnQ8DWiFvIqZ (deleted.rules)
 * 1:41590 <-> DISABLED <-> DELETED tB8in5OHkHx3L0ni1p1I (deleted.rules)
 * 1:41583 <-> DISABLED <-> DELETED 2104Je8NeYdUapqjyLKN (deleted.rules)
 * 1:41584 <-> DISABLED <-> DELETED xQLvvhaNbAQnF8Jikc0m (deleted.rules)
 * 1:41586 <-> DISABLED <-> DELETED GXtNgBGUZsao7PElnBoI (deleted.rules)
 * 1:41601 <-> DISABLED <-> DELETED QFHU2S6OJHLagIz6pOvI (deleted.rules)
 * 1:41582 <-> DISABLED <-> DELETED A9MKNbvdALHvn3CdLpqv (deleted.rules)
 * 1:41581 <-> DISABLED <-> DELETED lm06mVLIekQJco8ymvCj (deleted.rules)
 * 1:41579 <-> DISABLED <-> DELETED tYwrGluX5dObfE6sY3GA (deleted.rules)
 * 1:41602 <-> DISABLED <-> DELETED aw5zsD18HZVNLa9fNWB7 (deleted.rules)
 * 1:41580 <-> DISABLED <-> DELETED xozrA27GE3bw8z1WGapk (deleted.rules)
 * 1:41577 <-> DISABLED <-> DELETED 9G9ad7eS9ApSYjQCeMop (deleted.rules)
 * 1:41578 <-> DISABLED <-> DELETED JnY2cb8F710UF6d9lQSp (deleted.rules)
 * 1:41575 <-> DISABLED <-> DELETED iXbkLX1dAAlk183HBDqc (deleted.rules)
 * 1:41603 <-> DISABLED <-> FILE-FLASH Adobe Flash player BitmapData class use after free attempt (file-flash.rules)
 * 1:41576 <-> DISABLED <-> DELETED l77NiJB8YylQIdXeb6CM (deleted.rules)
 * 1:41574 <-> DISABLED <-> DELETED 0GQx9qNGzD5JvIgsNsLU (deleted.rules)
 * 1:41572 <-> DISABLED <-> DELETED Jo29KjldkTlEL6ev8eBR (deleted.rules)
 * 1:41573 <-> DISABLED <-> DELETED AaEnRMGjoABYzg5s2InU (deleted.rules)
 * 1:41604 <-> DISABLED <-> FILE-FLASH Adobe Flash player BitmapData class use after free attempt (file-flash.rules)
 * 1:41570 <-> DISABLED <-> DELETED j9s3YbYVyYWsbrtQ3uIs (deleted.rules)
 * 1:41571 <-> DISABLED <-> DELETED HIFsM6I1zeAoJJ5Yf5li (deleted.rules)
 * 1:41568 <-> DISABLED <-> DELETED kF3nigJ4JNVVk6rUu4Y3 (deleted.rules)
 * 1:41569 <-> DISABLED <-> DELETED SvuhTNxfofLNh6BDRK33 (deleted.rules)
 * 1:41605 <-> DISABLED <-> DELETED ILkVCsobqFaujNaEjEQV (deleted.rules)
 * 1:41566 <-> DISABLED <-> DELETED eh2wYUkuI278GyheZZwI (deleted.rules)
 * 1:41567 <-> DISABLED <-> DELETED pTXs7KUhQRGhaWTgKbb7 (deleted.rules)
 * 1:41564 <-> DISABLED <-> DELETED gTgCA88UF8renb5O9NNQ (deleted.rules)
 * 1:41565 <-> DISABLED <-> DELETED j1CGK1PYbr0q4ETiGl8i (deleted.rules)
 * 1:41606 <-> DISABLED <-> DELETED DyPtd537A4oTXII67lLY (deleted.rules)
 * 1:41562 <-> DISABLED <-> DELETED OAFbssmWYTUcAmr92XiO (deleted.rules)
 * 1:41563 <-> DISABLED <-> DELETED fK4NDvjETaezKM19vsBD (deleted.rules)
 * 1:41560 <-> DISABLED <-> DELETED 2xy4LeeaJZxrNUR2Zrjn (deleted.rules)
 * 1:41561 <-> DISABLED <-> DELETED WEJm6bj4v3duVaDCRGYl (deleted.rules)
 * 1:41607 <-> DISABLED <-> DELETED rAZFmWHsPbKcUty7MgrA (deleted.rules)
 * 1:41558 <-> DISABLED <-> DELETED 0dSWPnm7dz6Fcf70zGIL (deleted.rules)
 * 1:41559 <-> DISABLED <-> DELETED vLuzJQZoy0uX2rfCGyX7 (deleted.rules)
 * 1:41556 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use asm memory corruption attempt (browser-ie.rules)
 * 1:41557 <-> DISABLED <-> DELETED nsW9dVJiXbmLiVxuruv3 (deleted.rules)
 * 1:41608 <-> DISABLED <-> DELETED DlljTt5vFr4wpoNJnBJD (deleted.rules)
 * 1:41554 <-> DISABLED <-> DELETED oeXHcWOaoDqO97LWE3im (deleted.rules)
 * 1:41555 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use asm memory corruption attempt (browser-ie.rules)
 * 1:41552 <-> DISABLED <-> DELETED j0lVhTQQnlFPNV8WbXjw (deleted.rules)
 * 1:41553 <-> DISABLED <-> DELETED n0AKi5Jy0HRovEdANpIJ (deleted.rules)
 * 1:41550 <-> DISABLED <-> DELETED 9PiGK20daqQ4NG2yUmHJ (deleted.rules)
 * 1:41609 <-> DISABLED <-> DELETED Vehj0FCBGiPlqED8fNo1 (deleted.rules)
 * 1:41551 <-> DISABLED <-> DELETED qS9HxX8E8ZuwjJmc2QYy (deleted.rules)
 * 1:41549 <-> DISABLED <-> DELETED 3KS9XNn1eqWy808Nag8X (deleted.rules)
 * 1:41610 <-> DISABLED <-> DELETED kOVvZrK2dixrCRdcdldP (deleted.rules)
 * 1:41611 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder luminance adjustment out of bounds memory access attempt (file-other.rules)
 * 1:41612 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder luminance adjustment out of bounds memory access attempt (file-other.rules)
 * 1:41613 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41614 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41615 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41631 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 h264 decompression routine out of bounds read attempt (file-other.rules)
 * 1:41588 <-> DISABLED <-> DELETED 2rR4CIpZQ1oZBLU01E4M (deleted.rules)
 * 1:41587 <-> DISABLED <-> DELETED v6YNZkcOtoUt4lazjOZg (deleted.rules)
 * 1:41642 <-> DISABLED <-> SERVER-WEBAPP TP-LINK AC750 ping diagnostic command injection attempt (server-webapp.rules)
 * 1:41641 <-> DISABLED <-> FILE-EXECUTABLE QuickHeal Internet Security malformed Mach-O file buffer overflow attempt (file-executable.rules)
 * 1:41639 <-> DISABLED <-> SERVER-WEBAPP Wordpress NextGEN gallery directory traversal attempt (server-webapp.rules)
 * 1:41589 <-> DISABLED <-> DELETED BKyoksClYkHqRyMDLret (deleted.rules)
 * 1:41640 <-> DISABLED <-> FILE-EXECUTABLE QuickHeal Internet Security malformed Mach-O file buffer overflow attempt (file-executable.rules)
 * 1:41638 <-> DISABLED <-> SERVER-WEBAPP Wordpress NextGEN gallery directory traversal attempt (server-webapp.rules)
 * 1:41637 <-> DISABLED <-> INDICATOR-COMPROMISE Writable SQL directories discovery attempt (indicator-compromise.rules)
 * 1:41636 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)
 * 1:41585 <-> DISABLED <-> DELETED xePvFEaRV1KmQNOzRGXH (deleted.rules)
 * 1:41634 <-> DISABLED <-> DELETED JZUG1wVRPVZOLCvEyoHz (deleted.rules)
 * 1:41635 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)

Modified Rules:
 * 1:21074 <-> DISABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - CookieInterceptor (server-apache.rules)
 * 1:21555 <-> DISABLED <-> MALWARE-OTHER Horde javascript.php href backdoor (malware-other.rules)
 * 1:24285 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Nomno variant outbound connection (malware-cnc.rules)
 * 1:26529 <-> DISABLED <-> MALWARE-BACKDOOR Unix.Backdoor.Cdorked backdoor command attempt (malware-backdoor.rules)
 * 1:26777 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kazy variant outbound connection (malware-cnc.rules)
 * 1:27057 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dalbot variant outbound connection (malware-cnc.rules)
 * 1:27601 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Noobot variant connection (malware-cnc.rules)
 * 1:27804 <-> DISABLED <-> MALWARE-CNC Win.Trojan.PRISM variant outbound connection (malware-cnc.rules)
 * 1:28305 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mecifg variant outbound connection (malware-cnc.rules)
 * 1:28315 <-> DISABLED <-> FILE-OTHER Microsoft Office Image filter BMP overflow attempt (file-other.rules)
 * 1:28509 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28510 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28511 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28515 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28516 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28517 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28879 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Tavdig variant outbound connection (malware-cnc.rules)
 * 1:28985 <-> DISABLED <-> MALWARE-CNC Win.Worm.Steckt IRCbot executable download (malware-cnc.rules)
 * 1:29863 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Pirminay variant outbound connection (malware-cnc.rules)
 * 1:31682 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Badur download attempt (malware-cnc.rules)
 * 1:31896 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection (malware-cnc.rules)
 * 1:31944 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Tavdig outbound connection (malware-cnc.rules)
 * 1:32555 <-> ENABLED <-> EXPLOIT-KIT Hellspawn exploit kit outbound Oracle Java jar request (exploit-kit.rules)
 * 1:32622 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection (malware-cnc.rules)
 * 1:32623 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection (malware-cnc.rules)
 * 1:32753 <-> ENABLED <-> SERVER-WEBAPP FreePBX Framework Asterisk recording interface PHP unserialize code execution attempt (server-webapp.rules)
 * 1:33166 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33167 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33168 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33169 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33756 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.CTB-Locker outbound connection (malware-cnc.rules)
 * 1:33757 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.CTB-Locker outbound connection (malware-cnc.rules)
 * 1:33812 <-> ENABLED <-> SERVER-WEBAPP Seagate NAS remote code execution attempt (server-webapp.rules)
 * 1:33880 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Casper outbound connection (malware-cnc.rules)
 * 1:34842 <-> DISABLED <-> MALWARE-CNC Win.Trojan.DownExecute outbound connection (malware-cnc.rules)
 * 1:35035 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Taleretzbj outbound connection (malware-cnc.rules)
 * 1:35783 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Jiripbot variant outbound connection (malware-cnc.rules)
 * 1:37071 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37072 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37073 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37074 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37075 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37076 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37088 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt (file-flash.rules)
 * 1:37089 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt (file-flash.rules)
 * 1:37090 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt (file-flash.rules)
 * 1:37091 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt (file-flash.rules)
 * 1:37679 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
 * 1:37680 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
 * 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
 * 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
 * 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
 * 1:38607 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection (malware-cnc.rules)
 * 1:38610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Godzilla downloader successful base64 binary download (malware-cnc.rules)
 * 1:38681 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Tooka POST attempt (malware-cnc.rules)
 * 1:38729 <-> ENABLED <-> SERVER-OTHER Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 inbound admin attempt (server-other.rules)
 * 1:39219 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:39220 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:41122 <-> ENABLED <-> BLACKLIST DNS request for known malware domain editprod.waterfilter.in.ua (blacklist.rules)
 * 3:41221 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0234 attack attempt (server-webapp.rules)
 * 3:41467 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0276 TALOS-2017-0277 attack attempt (server-other.rules)
 * 3:36227 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0060 attack attempt (file-other.rules)
 * 3:36228 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0060 attack attempt (file-other.rules)
 * 3:36225 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0060 attack attempt (file-other.rules)
 * 3:36226 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0060 attack attempt (file-other.rules)

2017-02-14 19:53:00 UTC

Snort Subscriber Rules Update

Date: 2017-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41642 <-> DISABLED <-> SERVER-WEBAPP TP-LINK AC750 ping diagnostic command injection attempt (server-webapp.rules)
 * 1:41641 <-> DISABLED <-> FILE-EXECUTABLE QuickHeal Internet Security malformed Mach-O file buffer overflow attempt (file-executable.rules)
 * 1:41640 <-> DISABLED <-> FILE-EXECUTABLE QuickHeal Internet Security malformed Mach-O file buffer overflow attempt (file-executable.rules)
 * 1:41639 <-> DISABLED <-> SERVER-WEBAPP Wordpress NextGEN gallery directory traversal attempt (server-webapp.rules)
 * 1:41638 <-> DISABLED <-> SERVER-WEBAPP Wordpress NextGEN gallery directory traversal attempt (server-webapp.rules)
 * 1:41637 <-> DISABLED <-> INDICATOR-COMPROMISE Writable SQL directories discovery attempt (indicator-compromise.rules)
 * 1:41636 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)
 * 1:41635 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)
 * 1:41634 <-> DISABLED <-> DELETED JZUG1wVRPVZOLCvEyoHz (deleted.rules)
 * 1:41633 <-> DISABLED <-> DELETED sxNxlO0jW0maiNpR7aM4 (deleted.rules)
 * 1:41632 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 h264 decompression routine out of bounds read attempt (file-other.rules)
 * 1:41631 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 h264 decompression routine out of bounds read attempt (file-other.rules)
 * 1:41630 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK EventDispatch removeEventListener use after free attempt (file-flash.rules)
 * 1:41629 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK EventDispatch removeEventListener use after free attempt (file-flash.rules)
 * 1:41628 <-> ENABLED <-> FILE-FLASH Adobe Flash Player garbage collection use after free attempt (file-flash.rules)
 * 1:41627 <-> ENABLED <-> FILE-FLASH Adobe Flash Player garbage collection use after free attempt (file-flash.rules)
 * 1:41626 <-> DISABLED <-> DELETED A8bNNfsFmpiJzXVSVbt6 (deleted.rules)
 * 1:41625 <-> DISABLED <-> DELETED 1Yn0o2sUhWRHdpZIYQCe (deleted.rules)
 * 1:41624 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MessageChannel type confusion attempt (file-flash.rules)
 * 1:41623 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MessageChannel type confusion attempt (file-flash.rules)
 * 1:41622 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed FLV heap overflow attempt (file-flash.rules)
 * 1:41621 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed FLV heap overflow attempt (file-flash.rules)
 * 1:41620 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addEventListener use after free attempt (file-flash.rules)
 * 1:41619 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addEventListener use after free attempt (file-flash.rules)
 * 1:41618 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41617 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41616 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41615 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41614 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41613 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41612 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder luminance adjustment out of bounds memory access attempt (file-other.rules)
 * 1:41611 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder luminance adjustment out of bounds memory access attempt (file-other.rules)
 * 1:41610 <-> DISABLED <-> DELETED kOVvZrK2dixrCRdcdldP (deleted.rules)
 * 1:41609 <-> DISABLED <-> DELETED Vehj0FCBGiPlqED8fNo1 (deleted.rules)
 * 1:41608 <-> DISABLED <-> DELETED DlljTt5vFr4wpoNJnBJD (deleted.rules)
 * 1:41607 <-> DISABLED <-> DELETED rAZFmWHsPbKcUty7MgrA (deleted.rules)
 * 1:41606 <-> DISABLED <-> DELETED DyPtd537A4oTXII67lLY (deleted.rules)
 * 1:41605 <-> DISABLED <-> DELETED ILkVCsobqFaujNaEjEQV (deleted.rules)
 * 1:41604 <-> DISABLED <-> FILE-FLASH Adobe Flash player BitmapData class use after free attempt (file-flash.rules)
 * 1:41603 <-> DISABLED <-> FILE-FLASH Adobe Flash player BitmapData class use after free attempt (file-flash.rules)
 * 1:41602 <-> DISABLED <-> DELETED aw5zsD18HZVNLa9fNWB7 (deleted.rules)
 * 1:41601 <-> DISABLED <-> DELETED QFHU2S6OJHLagIz6pOvI (deleted.rules)
 * 1:41600 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPeerHolder use after free attempt (browser-ie.rules)
 * 1:41599 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPeerHolder use after free attempt (browser-ie.rules)
 * 1:41598 <-> DISABLED <-> DELETED tlGo6aXOokNuyU1LDLf2 (deleted.rules)
 * 1:41597 <-> DISABLED <-> DELETED bpYVBffSltC9snfZm375 (deleted.rules)
 * 1:41596 <-> DISABLED <-> DELETED 92rMZYmep1qp65DS5D1V (deleted.rules)
 * 1:41595 <-> DISABLED <-> DELETED YCkW8nqU9F5eK8z8YSbn (deleted.rules)
 * 1:41594 <-> DISABLED <-> DELETED QB7rs3Z2BDil1quuJNKT (deleted.rules)
 * 1:41593 <-> DISABLED <-> DELETED 7ZUEraI3djmWkEg1YJQz (deleted.rules)
 * 1:41592 <-> DISABLED <-> DELETED 0POZmpuYEnQ8DWiFvIqZ (deleted.rules)
 * 1:41591 <-> DISABLED <-> DELETED SZEKQhOGrioANnhLEW71 (deleted.rules)
 * 1:41590 <-> DISABLED <-> DELETED tB8in5OHkHx3L0ni1p1I (deleted.rules)
 * 1:41589 <-> DISABLED <-> DELETED BKyoksClYkHqRyMDLret (deleted.rules)
 * 1:41588 <-> DISABLED <-> DELETED 2rR4CIpZQ1oZBLU01E4M (deleted.rules)
 * 1:41587 <-> DISABLED <-> DELETED v6YNZkcOtoUt4lazjOZg (deleted.rules)
 * 1:41586 <-> DISABLED <-> DELETED GXtNgBGUZsao7PElnBoI (deleted.rules)
 * 1:41585 <-> DISABLED <-> DELETED xePvFEaRV1KmQNOzRGXH (deleted.rules)
 * 1:41584 <-> DISABLED <-> DELETED xQLvvhaNbAQnF8Jikc0m (deleted.rules)
 * 1:41583 <-> DISABLED <-> DELETED 2104Je8NeYdUapqjyLKN (deleted.rules)
 * 1:41582 <-> DISABLED <-> DELETED A9MKNbvdALHvn3CdLpqv (deleted.rules)
 * 1:41581 <-> DISABLED <-> DELETED lm06mVLIekQJco8ymvCj (deleted.rules)
 * 1:41580 <-> DISABLED <-> DELETED xozrA27GE3bw8z1WGapk (deleted.rules)
 * 1:41579 <-> DISABLED <-> DELETED tYwrGluX5dObfE6sY3GA (deleted.rules)
 * 1:41578 <-> DISABLED <-> DELETED JnY2cb8F710UF6d9lQSp (deleted.rules)
 * 1:41577 <-> DISABLED <-> DELETED 9G9ad7eS9ApSYjQCeMop (deleted.rules)
 * 1:41576 <-> DISABLED <-> DELETED l77NiJB8YylQIdXeb6CM (deleted.rules)
 * 1:41575 <-> DISABLED <-> DELETED iXbkLX1dAAlk183HBDqc (deleted.rules)
 * 1:41574 <-> DISABLED <-> DELETED 0GQx9qNGzD5JvIgsNsLU (deleted.rules)
 * 1:41573 <-> DISABLED <-> DELETED AaEnRMGjoABYzg5s2InU (deleted.rules)
 * 1:41572 <-> DISABLED <-> DELETED Jo29KjldkTlEL6ev8eBR (deleted.rules)
 * 1:41571 <-> DISABLED <-> DELETED HIFsM6I1zeAoJJ5Yf5li (deleted.rules)
 * 1:41570 <-> DISABLED <-> DELETED j9s3YbYVyYWsbrtQ3uIs (deleted.rules)
 * 1:41569 <-> DISABLED <-> DELETED SvuhTNxfofLNh6BDRK33 (deleted.rules)
 * 1:41568 <-> DISABLED <-> DELETED kF3nigJ4JNVVk6rUu4Y3 (deleted.rules)
 * 1:41567 <-> DISABLED <-> DELETED pTXs7KUhQRGhaWTgKbb7 (deleted.rules)
 * 1:41566 <-> DISABLED <-> DELETED eh2wYUkuI278GyheZZwI (deleted.rules)
 * 1:41565 <-> DISABLED <-> DELETED j1CGK1PYbr0q4ETiGl8i (deleted.rules)
 * 1:41564 <-> DISABLED <-> DELETED gTgCA88UF8renb5O9NNQ (deleted.rules)
 * 1:41563 <-> DISABLED <-> DELETED fK4NDvjETaezKM19vsBD (deleted.rules)
 * 1:41562 <-> DISABLED <-> DELETED OAFbssmWYTUcAmr92XiO (deleted.rules)
 * 1:41561 <-> DISABLED <-> DELETED WEJm6bj4v3duVaDCRGYl (deleted.rules)
 * 1:41560 <-> DISABLED <-> DELETED 2xy4LeeaJZxrNUR2Zrjn (deleted.rules)
 * 1:41559 <-> DISABLED <-> DELETED vLuzJQZoy0uX2rfCGyX7 (deleted.rules)
 * 1:41558 <-> DISABLED <-> DELETED 0dSWPnm7dz6Fcf70zGIL (deleted.rules)
 * 1:41557 <-> DISABLED <-> DELETED nsW9dVJiXbmLiVxuruv3 (deleted.rules)
 * 1:41556 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use asm memory corruption attempt (browser-ie.rules)
 * 1:41555 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use asm memory corruption attempt (browser-ie.rules)
 * 1:41554 <-> DISABLED <-> DELETED oeXHcWOaoDqO97LWE3im (deleted.rules)
 * 1:41553 <-> DISABLED <-> DELETED n0AKi5Jy0HRovEdANpIJ (deleted.rules)
 * 1:41552 <-> DISABLED <-> DELETED j0lVhTQQnlFPNV8WbXjw (deleted.rules)
 * 1:41551 <-> DISABLED <-> DELETED qS9HxX8E8ZuwjJmc2QYy (deleted.rules)
 * 1:41550 <-> DISABLED <-> DELETED 9PiGK20daqQ4NG2yUmHJ (deleted.rules)
 * 1:41549 <-> DISABLED <-> DELETED 3KS9XNn1eqWy808Nag8X (deleted.rules)

Modified Rules:


 * 1:39220 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:41122 <-> ENABLED <-> BLACKLIST DNS request for known malware domain editprod.waterfilter.in.ua (blacklist.rules)
 * 1:38729 <-> ENABLED <-> SERVER-OTHER Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 inbound admin attempt (server-other.rules)
 * 1:39219 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:38610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Godzilla downloader successful base64 binary download (malware-cnc.rules)
 * 1:38681 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Tooka POST attempt (malware-cnc.rules)
 * 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
 * 1:38607 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection (malware-cnc.rules)
 * 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
 * 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
 * 1:37679 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
 * 1:37680 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
 * 1:37090 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt (file-flash.rules)
 * 1:37091 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt (file-flash.rules)
 * 1:37088 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt (file-flash.rules)
 * 1:37089 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJob object use-after-free attempt (file-flash.rules)
 * 1:37075 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37076 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37073 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37074 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37071 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37072 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:35035 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Taleretzbj outbound connection (malware-cnc.rules)
 * 1:35783 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Jiripbot variant outbound connection (malware-cnc.rules)
 * 1:33880 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Casper outbound connection (malware-cnc.rules)
 * 1:34842 <-> DISABLED <-> MALWARE-CNC Win.Trojan.DownExecute outbound connection (malware-cnc.rules)
 * 1:33757 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.CTB-Locker outbound connection (malware-cnc.rules)
 * 1:33812 <-> ENABLED <-> SERVER-WEBAPP Seagate NAS remote code execution attempt (server-webapp.rules)
 * 1:33169 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33756 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.CTB-Locker outbound connection (malware-cnc.rules)
 * 1:33167 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33168 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:32753 <-> ENABLED <-> SERVER-WEBAPP FreePBX Framework Asterisk recording interface PHP unserialize code execution attempt (server-webapp.rules)
 * 1:33166 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:32622 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection (malware-cnc.rules)
 * 1:32623 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection (malware-cnc.rules)
 * 1:31944 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Tavdig outbound connection (malware-cnc.rules)
 * 1:32555 <-> ENABLED <-> EXPLOIT-KIT Hellspawn exploit kit outbound Oracle Java jar request (exploit-kit.rules)
 * 1:31682 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Badur download attempt (malware-cnc.rules)
 * 1:31896 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection (malware-cnc.rules)
 * 1:28985 <-> DISABLED <-> MALWARE-CNC Win.Worm.Steckt IRCbot executable download (malware-cnc.rules)
 * 1:29863 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Pirminay variant outbound connection (malware-cnc.rules)
 * 1:28517 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28879 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Tavdig variant outbound connection (malware-cnc.rules)
 * 1:28515 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28516 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28510 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28511 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28509 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28305 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mecifg variant outbound connection (malware-cnc.rules)
 * 1:28315 <-> DISABLED <-> FILE-OTHER Microsoft Office Image filter BMP overflow attempt (file-other.rules)
 * 1:27601 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Noobot variant connection (malware-cnc.rules)
 * 1:27804 <-> DISABLED <-> MALWARE-CNC Win.Trojan.PRISM variant outbound connection (malware-cnc.rules)
 * 1:26777 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kazy variant outbound connection (malware-cnc.rules)
 * 1:27057 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dalbot variant outbound connection (malware-cnc.rules)
 * 1:26529 <-> DISABLED <-> MALWARE-BACKDOOR Unix.Backdoor.Cdorked backdoor command attempt (malware-backdoor.rules)
 * 1:21555 <-> DISABLED <-> MALWARE-OTHER Horde javascript.php href backdoor (malware-other.rules)
 * 1:24285 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Nomno variant outbound connection (malware-cnc.rules)
 * 1:21074 <-> DISABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - CookieInterceptor (server-apache.rules)
 * 3:36228 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0060 attack attempt (file-other.rules)
 * 3:41467 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0276 TALOS-2017-0277 attack attempt (server-other.rules)
 * 3:41221 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0234 attack attempt (server-webapp.rules)
 * 3:36226 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0060 attack attempt (file-other.rules)
 * 3:36227 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0060 attack attempt (file-other.rules)
 * 3:36225 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0060 attack attempt (file-other.rules)