Talos Rules 2017-05-25
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-executable, file-flash, file-image, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, policy-other, protocol-other, protocol-scada, protocol-snmp, server-apache, server-oracle, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-05-25 07:16:09 UTC

Snort Subscriber Rules Update

Date: 2017-05-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42984 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:35688 <-> ENABLED <-> PROTOCOL-OTHER MiniUPNP rootdesc.xml file request (protocol-other.rules)
 * 1:42981 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42985 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42986 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42987 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42988 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42989 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42990 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42991 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42992 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42993 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk arbitrary file upload attempt (server-webapp.rules)
 * 1:42994 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk arbitrary file upload attempt (server-webapp.rules)
 * 1:42995 <-> DISABLED <-> PROTOCOL-SCADA Weintek EB Pro denial of service attempt (protocol-scada.rules)
 * 1:42996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection attempt (malware-cnc.rules)
 * 1:42997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection attempt (malware-cnc.rules)
 * 1:42999 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (server-webapp.rules)
 * 1:43002 <-> ENABLED <-> PROTOCOL-OTHER NETBIOS SMB IPC share access attempt (protocol-other.rules)
 * 1:43003 <-> ENABLED <-> PROTOCOL-OTHER NETBIOS SMB IPC share access attempt (protocol-other.rules)
 * 1:43004 <-> ENABLED <-> SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt (server-samba.rules)
 * 1:42980 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42977 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42978 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:40907 <-> DISABLED <-> PROTOCOL-OTHER TP-Link TDDP Get_config configuration leak attempt (protocol-other.rules)
 * 1:37028 <-> DISABLED <-> PROTOCOL-OTHER Websocket upgrade request without a client key detected (protocol-other.rules)
 * 1:35690 <-> ENABLED <-> PROTOCOL-OTHER MiniUPNP rootdesc.xml buffer overflow attempt (protocol-other.rules)
 * 1:42982 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:35689 <-> DISABLED <-> PROTOCOL-OTHER MiniUPNP rootdesc.xml buffer overflow attempt (protocol-other.rules)
 * 1:42976 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:40866 <-> DISABLED <-> PROTOCOL-OTHER TP-Link TDDP SET_CONFIG type buffer overflow attempt (protocol-other.rules)
 * 1:42979 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42983 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 3:42974 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2017-0340 attack attempt (protocol-other.rules)
 * 3:42975 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2017-0341 attack attempt (protocol-other.rules)
 * 3:42998 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2017-0339 attack attempt (protocol-other.rules)
 * 3:43000 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0342 attack attempt (file-other.rules)
 * 3:43001 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0342 attack attempt (file-other.rules)
 * 3:42973 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2017-0338 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38881 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38882 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38883 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38884 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39066 <-> ENABLED <-> SERVER-OTHER Magento unauthenticated arbitrary file write attempt (server-other.rules)
 * 1:39148 <-> ENABLED <-> FILE-OFFICE Document Foundation LibreOffice RTF stylesheet use after free attempt (file-office.rules)
 * 1:39149 <-> ENABLED <-> FILE-OFFICE Document Foundation LibreOffice RTF stylesheet use after free attempt (file-office.rules)
 * 1:40715 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:40729 <-> DISABLED <-> FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt (file-other.rules)
 * 1:40730 <-> DISABLED <-> FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt (file-other.rules)
 * 1:40713 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:40970 <-> DISABLED <-> BROWSER-IE Microsoft Edge Object.defineProperty type confusion attempt (browser-ie.rules)
 * 1:39234 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer tagged integer type confusion attempt (browser-ie.rules)
 * 1:39235 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer tagged integer type confusion attempt (browser-ie.rules)
 * 1:39242 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39243 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39326 <-> DISABLED <-> SERVER-APACHE Apache Continuum saveInstallation.action command injection attempt (server-apache.rules)
 * 1:39398 <-> ENABLED <-> SERVER-WEBAPP Symantec SEPM management console cross site scripting attempt (server-webapp.rules)
 * 1:39473 <-> DISABLED <-> SERVER-WEBAPP Shopware getTemplateName directory traversal attempt (server-webapp.rules)
 * 1:39645 <-> ENABLED <-> SERVER-WEBAPP Drupal Coder Module insecure remote file deserialization attempt (server-webapp.rules)
 * 1:39703 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:39704 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:39725 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
 * 1:39726 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
 * 1:39727 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Rectangle constructor use after free attempt (file-flash.rules)
 * 1:39728 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Rectangle constructor use after free attempt (file-flash.rules)
 * 1:39812 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:39813 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:39835 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:39836 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:39956 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:40039 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
 * 1:40040 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
 * 1:40129 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server lsass.exe memory corruption attempt (os-windows.rules)
 * 1:40185 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server .jsp file retrieval attempt (server-webapp.rules)
 * 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:40383 <-> ENABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 1:40384 <-> ENABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 1:40468 <-> DISABLED <-> SERVER-OTHER Memcached append opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40469 <-> DISABLED <-> SERVER-OTHER Memcached append opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40470 <-> DISABLED <-> SERVER-OTHER Memcached prepend opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40471 <-> DISABLED <-> SERVER-OTHER Memcached prepend opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40472 <-> DISABLED <-> SERVER-OTHER Memcached appendq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40473 <-> DISABLED <-> SERVER-OTHER Memcached appendq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:18500 <-> DISABLED <-> OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt (os-windows.rules)
 * 1:40474 <-> DISABLED <-> SERVER-OTHER Memcached prependq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40475 <-> DISABLED <-> SERVER-OTHER Memcached prependq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40476 <-> DISABLED <-> SERVER-OTHER Memcached set opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40477 <-> DISABLED <-> SERVER-OTHER Memcached setq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40478 <-> DISABLED <-> SERVER-OTHER Memcached add opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40479 <-> DISABLED <-> SERVER-OTHER Memcached addq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40982 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer malformed ico integer overflow attempt (file-other.rules)
 * 1:40983 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer malformed ico integer overflow attempt (file-other.rules)
 * 1:40714 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:40480 <-> DISABLED <-> SERVER-OTHER Memcached replace opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40716 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:40481 <-> DISABLED <-> SERVER-OTHER Memcached replaceq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:41038 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA testConfiguration command injection attempt (server-webapp.rules)
 * 1:41039 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA wmi_domain_controllers command injection attempt (server-webapp.rules)
 * 1:41060 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 List directory (protocol-scada.rules)
 * 1:40482 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:41181 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41182 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41183 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41202 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:40483 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:41184 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41203 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41206 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server index name buffer overflow attempt (server-other.rules)
 * 1:40647 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
 * 1:41216 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server si_prop stack buffer overflow attempt (server-other.rules)
 * 1:41790 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
 * 1:41906 <-> DISABLED <-> POLICY-OTHER HTTP redirect to FTP server attempt (policy-other.rules)
 * 1:40648 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
 * 1:42040 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:42041 <-> ENABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:42117 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:42118 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:40649 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:42956 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
 * 1:42957 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
 * 1:40650 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:41036 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA ManagePatches servlet command injection attempt (server-webapp.rules)
 * 1:40704 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:41037 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA domains command injection attempt (server-webapp.rules)
 * 1:40662 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:40703 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:40969 <-> DISABLED <-> BROWSER-IE Microsoft Edge Object.defineProperty type confusion attempt (browser-ie.rules)
 * 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:26947 <-> DISABLED <-> EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download (exploit-kit.rules)
 * 1:36759 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36760 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:27875 <-> DISABLED <-> EXPLOIT-KIT Javascript obfuscation technique - has been observed in Rmayana/DotkaChef/DotCache exploit kit (exploit-kit.rules)
 * 1:26948 <-> DISABLED <-> EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download (exploit-kit.rules)
 * 1:37078 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)
 * 1:37077 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:18499 <-> DISABLED <-> OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt (os-windows.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 3:39379 <-> ENABLED <-> FILE-EXECUTABLE Norton Antivirus ASPack heap corruption attempt (file-executable.rules)
 * 3:39885 <-> ENABLED <-> PROTOCOL-SNMP Cisco ASA SNMP OID parsing stack buffer overflow attempt (protocol-snmp.rules)

2017-05-25 07:16:09 UTC

Snort Subscriber Rules Update

Date: 2017-05-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43004 <-> ENABLED <-> SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt (server-samba.rules)
 * 1:43003 <-> ENABLED <-> PROTOCOL-OTHER NETBIOS SMB IPC share access attempt (protocol-other.rules)
 * 1:43002 <-> ENABLED <-> PROTOCOL-OTHER NETBIOS SMB IPC share access attempt (protocol-other.rules)
 * 1:42999 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (server-webapp.rules)
 * 1:42997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection attempt (malware-cnc.rules)
 * 1:42996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection attempt (malware-cnc.rules)
 * 1:42995 <-> DISABLED <-> PROTOCOL-SCADA Weintek EB Pro denial of service attempt (protocol-scada.rules)
 * 1:42994 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk arbitrary file upload attempt (server-webapp.rules)
 * 1:42993 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk arbitrary file upload attempt (server-webapp.rules)
 * 1:42992 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42991 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42990 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42989 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42988 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42987 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42986 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42985 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42984 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42983 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42982 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42981 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42980 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42979 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42978 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42977 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:42976 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server SYS.KUPV SQL injection attempt (server-oracle.rules)
 * 1:40907 <-> DISABLED <-> PROTOCOL-OTHER TP-Link TDDP Get_config configuration leak attempt (protocol-other.rules)
 * 1:40866 <-> DISABLED <-> PROTOCOL-OTHER TP-Link TDDP SET_CONFIG type buffer overflow attempt (protocol-other.rules)
 * 1:37028 <-> DISABLED <-> PROTOCOL-OTHER Websocket upgrade request without a client key detected (protocol-other.rules)
 * 1:35690 <-> ENABLED <-> PROTOCOL-OTHER MiniUPNP rootdesc.xml buffer overflow attempt (protocol-other.rules)
 * 1:35689 <-> DISABLED <-> PROTOCOL-OTHER MiniUPNP rootdesc.xml buffer overflow attempt (protocol-other.rules)
 * 1:35688 <-> ENABLED <-> PROTOCOL-OTHER MiniUPNP rootdesc.xml file request (protocol-other.rules)
 * 3:42973 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2017-0338 attack attempt (protocol-other.rules)
 * 3:42974 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2017-0340 attack attempt (protocol-other.rules)
 * 3:42975 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2017-0341 attack attempt (protocol-other.rules)
 * 3:42998 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2017-0339 attack attempt (protocol-other.rules)
 * 3:43000 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0342 attack attempt (file-other.rules)
 * 3:43001 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0342 attack attempt (file-other.rules)

Modified Rules:


 * 1:42957 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
 * 1:42956 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
 * 1:42118 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:42117 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:42041 <-> ENABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:42040 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:41906 <-> DISABLED <-> POLICY-OTHER HTTP redirect to FTP server attempt (policy-other.rules)
 * 1:41790 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
 * 1:41216 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server si_prop stack buffer overflow attempt (server-other.rules)
 * 1:41206 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server index name buffer overflow attempt (server-other.rules)
 * 1:41203 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41202 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41184 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41183 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41182 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41181 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
 * 1:41060 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 List directory (protocol-scada.rules)
 * 1:41039 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA wmi_domain_controllers command injection attempt (server-webapp.rules)
 * 1:41038 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA testConfiguration command injection attempt (server-webapp.rules)
 * 1:41037 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA domains command injection attempt (server-webapp.rules)
 * 1:41036 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA ManagePatches servlet command injection attempt (server-webapp.rules)
 * 1:40983 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer malformed ico integer overflow attempt (file-other.rules)
 * 1:40982 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer malformed ico integer overflow attempt (file-other.rules)
 * 1:40970 <-> DISABLED <-> BROWSER-IE Microsoft Edge Object.defineProperty type confusion attempt (browser-ie.rules)
 * 1:40969 <-> DISABLED <-> BROWSER-IE Microsoft Edge Object.defineProperty type confusion attempt (browser-ie.rules)
 * 1:40730 <-> DISABLED <-> FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt (file-other.rules)
 * 1:40729 <-> DISABLED <-> FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt (file-other.rules)
 * 1:40716 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:40715 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:40714 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:40713 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:40704 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:40703 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:40662 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:40650 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:40649 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:40648 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
 * 1:40647 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
 * 1:40483 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40482 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40481 <-> DISABLED <-> SERVER-OTHER Memcached replaceq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40480 <-> DISABLED <-> SERVER-OTHER Memcached replace opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40479 <-> DISABLED <-> SERVER-OTHER Memcached addq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40478 <-> DISABLED <-> SERVER-OTHER Memcached add opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40477 <-> DISABLED <-> SERVER-OTHER Memcached setq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40476 <-> DISABLED <-> SERVER-OTHER Memcached set opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40475 <-> DISABLED <-> SERVER-OTHER Memcached prependq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40474 <-> DISABLED <-> SERVER-OTHER Memcached prependq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40473 <-> DISABLED <-> SERVER-OTHER Memcached appendq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40472 <-> DISABLED <-> SERVER-OTHER Memcached appendq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40471 <-> DISABLED <-> SERVER-OTHER Memcached prepend opcode request heap buffer overflow attempt (server-other.rules)
 * 1:18500 <-> DISABLED <-> OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt (os-windows.rules)
 * 1:18499 <-> DISABLED <-> OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt (os-windows.rules)
 * 1:40470 <-> DISABLED <-> SERVER-OTHER Memcached prepend opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40469 <-> DISABLED <-> SERVER-OTHER Memcached append opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40468 <-> DISABLED <-> SERVER-OTHER Memcached append opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40384 <-> ENABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 1:40383 <-> ENABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:40185 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server .jsp file retrieval attempt (server-webapp.rules)
 * 1:40129 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server lsass.exe memory corruption attempt (os-windows.rules)
 * 1:40040 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
 * 1:40039 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
 * 1:39956 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:39836 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:39835 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:39813 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:39812 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:39728 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Rectangle constructor use after free attempt (file-flash.rules)
 * 1:39727 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Rectangle constructor use after free attempt (file-flash.rules)
 * 1:39726 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
 * 1:39725 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
 * 1:39704 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:39703 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:39645 <-> ENABLED <-> SERVER-WEBAPP Drupal Coder Module insecure remote file deserialization attempt (server-webapp.rules)
 * 1:39473 <-> DISABLED <-> SERVER-WEBAPP Shopware getTemplateName directory traversal attempt (server-webapp.rules)
 * 1:39398 <-> ENABLED <-> SERVER-WEBAPP Symantec SEPM management console cross site scripting attempt (server-webapp.rules)
 * 1:39326 <-> DISABLED <-> SERVER-APACHE Apache Continuum saveInstallation.action command injection attempt (server-apache.rules)
 * 1:39243 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39242 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39235 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer tagged integer type confusion attempt (browser-ie.rules)
 * 1:39234 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer tagged integer type confusion attempt (browser-ie.rules)
 * 1:39149 <-> ENABLED <-> FILE-OFFICE Document Foundation LibreOffice RTF stylesheet use after free attempt (file-office.rules)
 * 1:39148 <-> ENABLED <-> FILE-OFFICE Document Foundation LibreOffice RTF stylesheet use after free attempt (file-office.rules)
 * 1:39066 <-> ENABLED <-> SERVER-OTHER Magento unauthenticated arbitrary file write attempt (server-other.rules)
 * 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38883 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38884 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38882 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38881 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:37078 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)
 * 1:37077 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)
 * 1:36760 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:27875 <-> DISABLED <-> EXPLOIT-KIT Javascript obfuscation technique - has been observed in Rmayana/DotkaChef/DotCache exploit kit (exploit-kit.rules)
 * 1:26948 <-> DISABLED <-> EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download (exploit-kit.rules)
 * 1:36759 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:26947 <-> DISABLED <-> EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download (exploit-kit.rules)
 * 3:39379 <-> ENABLED <-> FILE-EXECUTABLE Norton Antivirus ASPack heap corruption attempt (file-executable.rules)
 * 3:39885 <-> ENABLED <-> PROTOCOL-SNMP Cisco ASA SNMP OID parsing stack buffer overflow attempt (protocol-snmp.rules)