Talos Rules 2017-04-25
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-identify, file-image, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-04-26 01:24:30 UTC

Snort Subscriber Rules Update

Date: 2017-04-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42363 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
 * 1:42323 <-> DISABLED <-> SERVER-WEBAPP IOServer OPC Server directory traversal exploitation attempt (server-webapp.rules)
 * 1:42374 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
 * 1:42318 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
 * 1:42373 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42375 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42368 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
 * 1:42370 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
 * 1:42317 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
 * 1:42369 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
 * 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:42367 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
 * 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:42371 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
 * 1:42324 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt (file-image.rules)
 * 1:42325 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt (file-image.rules)
 * 1:42326 <-> ENABLED <-> SERVER-OTHER Zabbix Server Trapper code execution attempt (server-other.rules)
 * 1:42327 <-> DISABLED <-> SERVER-WEBAPP Cpanel cgiemail format string code execution attempt (server-webapp.rules)
 * 1:42328 <-> DISABLED <-> SERVER-WEBAPP Cpanel cgiemail format string code execution attempt (server-webapp.rules)
 * 1:42329 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant successful ping response (malware-cnc.rules)
 * 1:42330 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant successful injection response (malware-cnc.rules)
 * 1:42333 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
 * 1:42334 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
 * 1:42335 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
 * 1:42336 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance logoff.cgi directory traversal attempt (server-webapp.rules)
 * 1:42337 <-> DISABLED <-> INDICATOR-COMPROMISE Zabbix Proxy configuration containing script detected (indicator-compromise.rules)
 * 1:42338 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request information leak attempt (os-windows.rules)
 * 1:42339 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory (os-windows.rules)
 * 1:42340 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (os-windows.rules)
 * 1:42341 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42342 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42343 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42344 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42345 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
 * 1:42346 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
 * 1:42347 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
 * 1:42348 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QQPass variant outbound connection attempt (malware-cnc.rules)
 * 1:42349 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
 * 1:42372 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42350 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
 * 1:42351 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
 * 1:42354 <-> DISABLED <-> SERVER-WEBAPP Squirrelmail sendmail delivery parameter injection attempt (server-webapp.rules)
 * 1:42355 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42356 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42357 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42358 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42359 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42376 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42360 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42361 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42362 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42366 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
 * 1:42364 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
 * 1:42365 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
 * 3:42314 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0322 attack attempt (file-pdf.rules)
 * 3:42352 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0319 attack attempt (file-pdf.rules)
 * 3:42322 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0324 attack attempt (file-other.rules)
 * 3:42353 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0319 attack attempt (file-pdf.rules)
 * 3:42320 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0321 attack attempt (file-pdf.rules)
 * 3:42319 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0321 attack attempt (file-pdf.rules)
 * 3:42321 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0324 attack attempt (file-other.rules)
 * 3:42313 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0322 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:42256 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous user session setup request detected (os-windows.rules)

2017-04-26 01:24:30 UTC

Snort Subscriber Rules Update

Date: 2017-04-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42363 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
 * 1:42329 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant successful ping response (malware-cnc.rules)
 * 1:42330 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant successful injection response (malware-cnc.rules)
 * 1:42327 <-> DISABLED <-> SERVER-WEBAPP Cpanel cgiemail format string code execution attempt (server-webapp.rules)
 * 1:42328 <-> DISABLED <-> SERVER-WEBAPP Cpanel cgiemail format string code execution attempt (server-webapp.rules)
 * 1:42325 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt (file-image.rules)
 * 1:42326 <-> ENABLED <-> SERVER-OTHER Zabbix Server Trapper code execution attempt (server-other.rules)
 * 1:42323 <-> DISABLED <-> SERVER-WEBAPP IOServer OPC Server directory traversal exploitation attempt (server-webapp.rules)
 * 1:42324 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt (file-image.rules)
 * 1:42317 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
 * 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:42318 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
 * 1:42333 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
 * 1:42334 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
 * 1:42335 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
 * 1:42336 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance logoff.cgi directory traversal attempt (server-webapp.rules)
 * 1:42337 <-> DISABLED <-> INDICATOR-COMPROMISE Zabbix Proxy configuration containing script detected (indicator-compromise.rules)
 * 1:42338 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request information leak attempt (os-windows.rules)
 * 1:42339 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory (os-windows.rules)
 * 1:42340 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (os-windows.rules)
 * 1:42341 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42342 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42343 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42344 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42345 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
 * 1:42346 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
 * 1:42347 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
 * 1:42348 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QQPass variant outbound connection attempt (malware-cnc.rules)
 * 1:42349 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
 * 1:42350 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
 * 1:42351 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
 * 1:42354 <-> DISABLED <-> SERVER-WEBAPP Squirrelmail sendmail delivery parameter injection attempt (server-webapp.rules)
 * 1:42355 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42356 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42357 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42358 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42359 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42360 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42361 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42362 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42376 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42375 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42374 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42373 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42372 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42371 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
 * 1:42370 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
 * 1:42369 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
 * 1:42368 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
 * 1:42367 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
 * 1:42365 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
 * 1:42366 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
 * 1:42364 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
 * 3:42353 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0319 attack attempt (file-pdf.rules)
 * 3:42322 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0324 attack attempt (file-other.rules)
 * 3:42352 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0319 attack attempt (file-pdf.rules)
 * 3:42320 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0321 attack attempt (file-pdf.rules)
 * 3:42321 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0324 attack attempt (file-other.rules)
 * 3:42314 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0322 attack attempt (file-pdf.rules)
 * 3:42319 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0321 attack attempt (file-pdf.rules)
 * 3:42313 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0322 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:42256 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous user session setup request detected (os-windows.rules)

2017-04-26 01:24:30 UTC

Snort Subscriber Rules Update

Date: 2017-04-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42376 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42375 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42374 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42373 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42372 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42371 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
 * 1:42370 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
 * 1:42369 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
 * 1:42368 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
 * 1:42367 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
 * 1:42366 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
 * 1:42365 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
 * 1:42364 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
 * 1:42363 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
 * 1:42362 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42361 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42360 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42359 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42358 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42357 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42356 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42355 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
 * 1:42354 <-> DISABLED <-> SERVER-WEBAPP Squirrelmail sendmail delivery parameter injection attempt (server-webapp.rules)
 * 1:42351 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
 * 1:42350 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
 * 1:42349 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
 * 1:42348 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QQPass variant outbound connection attempt (malware-cnc.rules)
 * 1:42347 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
 * 1:42346 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
 * 1:42345 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
 * 1:42344 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42343 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42342 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42341 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42340 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (os-windows.rules)
 * 1:42339 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory (os-windows.rules)
 * 1:42338 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request information leak attempt (os-windows.rules)
 * 1:42337 <-> DISABLED <-> INDICATOR-COMPROMISE Zabbix Proxy configuration containing script detected (indicator-compromise.rules)
 * 1:42336 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance logoff.cgi directory traversal attempt (server-webapp.rules)
 * 1:42335 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
 * 1:42334 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
 * 1:42333 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:42330 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant successful injection response (malware-cnc.rules)
 * 1:42329 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant successful ping response (malware-cnc.rules)
 * 1:42328 <-> DISABLED <-> SERVER-WEBAPP Cpanel cgiemail format string code execution attempt (server-webapp.rules)
 * 1:42327 <-> DISABLED <-> SERVER-WEBAPP Cpanel cgiemail format string code execution attempt (server-webapp.rules)
 * 1:42326 <-> ENABLED <-> SERVER-OTHER Zabbix Server Trapper code execution attempt (server-other.rules)
 * 1:42325 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt (file-image.rules)
 * 1:42324 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt (file-image.rules)
 * 1:42323 <-> DISABLED <-> SERVER-WEBAPP IOServer OPC Server directory traversal exploitation attempt (server-webapp.rules)
 * 1:42318 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
 * 1:42317 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
 * 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 3:42313 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0322 attack attempt (file-pdf.rules)
 * 3:42314 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0322 attack attempt (file-pdf.rules)
 * 3:42319 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0321 attack attempt (file-pdf.rules)
 * 3:42320 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0321 attack attempt (file-pdf.rules)
 * 3:42321 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0324 attack attempt (file-other.rules)
 * 3:42322 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0324 attack attempt (file-other.rules)
 * 3:42352 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0319 attack attempt (file-pdf.rules)
 * 3:42353 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0319 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:42256 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous user session setup request detected (os-windows.rules)