Talos Rules 2018-01-04
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-other, browser-plugins, file-flash, file-image, file-java, file-multimedia, file-other, indicator-compromise, malware-cnc, policy-other, server-apache, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-01-04 14:58:04 UTC

Snort Subscriber Rules Update

Date: 2018-01-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45356 <-> DISABLED <-> FILE-FLASH Adobe Flash Player null pointer dereference attempt (file-flash.rules)
 * 1:45352 <-> ENABLED <-> MALWARE-CNC PowerShell Empire HTTP listener response (malware-cnc.rules)
 * 1:45348 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithClassLoaders method call attempt (file-java.rules)
 * 1:45308 <-> DISABLED <-> SERVER-WEBAPP Axis Communications CGI Parser information disclosure attempt (server-webapp.rules)
 * 1:45276 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45277 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45278 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45279 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45280 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45275 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45282 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45283 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45284 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45285 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45286 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45287 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45288 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45350 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithClassLoaders method call attempt (file-java.rules)
 * 1:45354 <-> DISABLED <-> BROWSER-OTHER Apple Safari javascript mutlibyte character escaping denial of service attempt (browser-other.rules)
 * 1:45289 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45290 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45269 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execusion attempt (server-other.rules)
 * 1:45268 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:45291 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45292 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45293 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45294 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45295 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45296 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45297 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45345 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45281 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45346 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
 * 1:45274 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45273 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45272 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45271 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45298 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45270 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45349 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithPrivilege method call attempt (file-java.rules)
 * 1:45347 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
 * 1:45353 <-> DISABLED <-> SERVER-APACHE Sling framework information disclosure attempt (server-apache.rules)
 * 1:45351 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithPrivilege method call attempt (file-java.rules)
 * 1:45355 <-> DISABLED <-> BROWSER-OTHER Apple Safari javascript mutlibyte character escaping denial of service attempt (browser-other.rules)
 * 1:45299 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45300 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45301 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:45303 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:45304 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
 * 1:45305 <-> DISABLED <-> FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt (file-image.rules)
 * 1:45306 <-> DISABLED <-> FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt (file-image.rules)
 * 1:45307 <-> DISABLED <-> SERVER-APACHE Apache SSI error page cross-site scripting attempt (server-apache.rules)
 * 1:45343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45309 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter Matrix use after free attempt (file-flash.rules)
 * 1:45310 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter Matrix use after free attempt (file-flash.rules)
 * 1:45311 <-> DISABLED <-> POLICY-OTHER Vicon Security and Infinova IP cameras IP filer state change (policy-other.rules)
 * 1:45312 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
 * 1:45313 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
 * 1:45314 <-> ENABLED <-> SERVER-WEBAPP Beijing Hanbang Hanbanggaoke IP camera admin password change attempt (server-webapp.rules)
 * 1:45315 <-> DISABLED <-> FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-other.rules)
 * 1:45316 <-> DISABLED <-> FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-other.rules)
 * 1:45317 <-> DISABLED <-> SERVER-WEBAPP Chipmunk Guestbook cross site scripting attempt (server-webapp.rules)
 * 1:45318 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler SD-WAN command injection attempt (server-webapp.rules)
 * 1:45319 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler SD-WAN command injection attempt (server-webapp.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:45321 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR firmware version query attempt (server-webapp.rules)
 * 1:45322 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR channel information query attempt (server-webapp.rules)
 * 1:45342 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45323 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR email configuration download attempt (server-webapp.rules)
 * 1:45324 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user password hash query attempt (server-webapp.rules)
 * 1:45325 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR DDNS configuration download attempt (server-webapp.rules)
 * 1:45326 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user group information query attempt (server-webapp.rules)
 * 1:45327 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR NAS configuration download attempt (server-webapp.rules)
 * 1:45328 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR admin password reset attempt (server-webapp.rules)
 * 1:45265 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:45339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45267 <-> DISABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (policy-other.rules)
 * 1:45336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45266 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:45329 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR clear logs request attempt (server-webapp.rules)
 * 1:45330 <-> DISABLED <-> SERVER-WEBAPP raSMP User-Agent XSS injection attempt (server-webapp.rules)
 * 1:45340 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45333 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45264 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple server side template injection attempt (server-webapp.rules)
 * 1:45344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45263 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple server side template injection attempt (server-webapp.rules)

Modified Rules:


 * 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:45260 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Triton Triton ICS malware upload attempt (malware-cnc.rules)
 * 1:38390 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
 * 1:38391 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
 * 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:32896 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32897 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
 * 1:32895 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:28208 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
 * 1:32894 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27944 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
 * 1:18970 <-> DISABLED <-> FILE-FLASH Adobe Flash Player null pointer dereference attempt (file-flash.rules)
 * 1:25778 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG use after free attempt (browser-ie.rules)
 * 1:27943 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
 * 1:17117 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-multimedia.rules)
 * 1:28207 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
 * 1:44562 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:44563 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:44561 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)

2018-01-04 14:58:04 UTC

Snort Subscriber Rules Update

Date: 2018-01-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45266 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:45276 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45277 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45278 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45279 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45280 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45275 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45282 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45283 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45284 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45285 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45286 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45287 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45288 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45289 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45290 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45291 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45292 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45293 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45294 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45295 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45296 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45297 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45298 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45299 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45300 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45354 <-> DISABLED <-> BROWSER-OTHER Apple Safari javascript mutlibyte character escaping denial of service attempt (browser-other.rules)
 * 1:45355 <-> DISABLED <-> BROWSER-OTHER Apple Safari javascript mutlibyte character escaping denial of service attempt (browser-other.rules)
 * 1:45353 <-> DISABLED <-> SERVER-APACHE Sling framework information disclosure attempt (server-apache.rules)
 * 1:45351 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithPrivilege method call attempt (file-java.rules)
 * 1:45352 <-> ENABLED <-> MALWARE-CNC PowerShell Empire HTTP listener response (malware-cnc.rules)
 * 1:45349 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithPrivilege method call attempt (file-java.rules)
 * 1:45350 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithClassLoaders method call attempt (file-java.rules)
 * 1:45347 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
 * 1:45348 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithClassLoaders method call attempt (file-java.rules)
 * 1:45346 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
 * 1:45345 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45301 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45340 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45268 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:45269 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execusion attempt (server-other.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:45303 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:45304 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
 * 1:45305 <-> DISABLED <-> FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt (file-image.rules)
 * 1:45306 <-> DISABLED <-> FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt (file-image.rules)
 * 1:45307 <-> DISABLED <-> SERVER-APACHE Apache SSI error page cross-site scripting attempt (server-apache.rules)
 * 1:45308 <-> DISABLED <-> SERVER-WEBAPP Axis Communications CGI Parser information disclosure attempt (server-webapp.rules)
 * 1:45281 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45309 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter Matrix use after free attempt (file-flash.rules)
 * 1:45310 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter Matrix use after free attempt (file-flash.rules)
 * 1:45341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45311 <-> DISABLED <-> POLICY-OTHER Vicon Security and Infinova IP cameras IP filer state change (policy-other.rules)
 * 1:45274 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45273 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45272 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45271 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45270 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45342 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45312 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
 * 1:45313 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
 * 1:45314 <-> ENABLED <-> SERVER-WEBAPP Beijing Hanbang Hanbanggaoke IP camera admin password change attempt (server-webapp.rules)
 * 1:45315 <-> DISABLED <-> FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-other.rules)
 * 1:45316 <-> DISABLED <-> FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-other.rules)
 * 1:45317 <-> DISABLED <-> SERVER-WEBAPP Chipmunk Guestbook cross site scripting attempt (server-webapp.rules)
 * 1:45318 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler SD-WAN command injection attempt (server-webapp.rules)
 * 1:45319 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler SD-WAN command injection attempt (server-webapp.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:45321 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR firmware version query attempt (server-webapp.rules)
 * 1:45322 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR channel information query attempt (server-webapp.rules)
 * 1:45323 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR email configuration download attempt (server-webapp.rules)
 * 1:45324 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user password hash query attempt (server-webapp.rules)
 * 1:45325 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR DDNS configuration download attempt (server-webapp.rules)
 * 1:45326 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user group information query attempt (server-webapp.rules)
 * 1:45327 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR NAS configuration download attempt (server-webapp.rules)
 * 1:45328 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR admin password reset attempt (server-webapp.rules)
 * 1:45329 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR clear logs request attempt (server-webapp.rules)
 * 1:45330 <-> DISABLED <-> SERVER-WEBAPP raSMP User-Agent XSS injection attempt (server-webapp.rules)
 * 1:45331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45333 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45356 <-> DISABLED <-> FILE-FLASH Adobe Flash Player null pointer dereference attempt (file-flash.rules)
 * 1:45343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45264 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple server side template injection attempt (server-webapp.rules)
 * 1:45335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45267 <-> DISABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (policy-other.rules)
 * 1:45263 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple server side template injection attempt (server-webapp.rules)
 * 1:45337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45265 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:45336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:45260 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Triton Triton ICS malware upload attempt (malware-cnc.rules)
 * 1:44562 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:44563 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:38391 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
 * 1:44561 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:38390 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
 * 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:32897 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
 * 1:32896 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32895 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:28208 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
 * 1:32894 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27944 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
 * 1:28207 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
 * 1:27943 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
 * 1:17117 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-multimedia.rules)
 * 1:18970 <-> DISABLED <-> FILE-FLASH Adobe Flash Player null pointer dereference attempt (file-flash.rules)
 * 1:25778 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG use after free attempt (browser-ie.rules)

2018-01-04 14:58:04 UTC

Snort Subscriber Rules Update

Date: 2018-01-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45333 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45329 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR clear logs request attempt (server-webapp.rules)
 * 1:45330 <-> DISABLED <-> SERVER-WEBAPP raSMP User-Agent XSS injection attempt (server-webapp.rules)
 * 1:45327 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR NAS configuration download attempt (server-webapp.rules)
 * 1:45328 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR admin password reset attempt (server-webapp.rules)
 * 1:45325 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR DDNS configuration download attempt (server-webapp.rules)
 * 1:45326 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user group information query attempt (server-webapp.rules)
 * 1:45323 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR email configuration download attempt (server-webapp.rules)
 * 1:45324 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user password hash query attempt (server-webapp.rules)
 * 1:45321 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR firmware version query attempt (server-webapp.rules)
 * 1:45322 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR channel information query attempt (server-webapp.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:45318 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler SD-WAN command injection attempt (server-webapp.rules)
 * 1:45319 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler SD-WAN command injection attempt (server-webapp.rules)
 * 1:45316 <-> DISABLED <-> FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-other.rules)
 * 1:45317 <-> DISABLED <-> SERVER-WEBAPP Chipmunk Guestbook cross site scripting attempt (server-webapp.rules)
 * 1:45314 <-> ENABLED <-> SERVER-WEBAPP Beijing Hanbang Hanbanggaoke IP camera admin password change attempt (server-webapp.rules)
 * 1:45315 <-> DISABLED <-> FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-other.rules)
 * 1:45313 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
 * 1:45311 <-> DISABLED <-> POLICY-OTHER Vicon Security and Infinova IP cameras IP filer state change (policy-other.rules)
 * 1:45312 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
 * 1:45309 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter Matrix use after free attempt (file-flash.rules)
 * 1:45310 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter Matrix use after free attempt (file-flash.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:45300 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45301 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45298 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45299 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45296 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45297 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45294 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45295 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45292 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45293 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45291 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45290 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45289 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45287 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45288 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45285 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45286 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45283 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45284 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45281 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45282 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45279 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45280 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45277 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45278 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45275 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45276 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45266 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:45264 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple server side template injection attempt (server-webapp.rules)
 * 1:45265 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:45267 <-> DISABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (policy-other.rules)
 * 1:45268 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:45269 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execution attempt (server-other.rules)
 * 1:45270 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45271 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45272 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45273 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45274 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45303 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:45304 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
 * 1:45305 <-> DISABLED <-> FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt (file-image.rules)
 * 1:45306 <-> DISABLED <-> FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt (file-image.rules)
 * 1:45307 <-> DISABLED <-> SERVER-APACHE Apache SSI error page cross-site scripting attempt (server-apache.rules)
 * 1:45308 <-> DISABLED <-> SERVER-WEBAPP Axis Communications CGI Parser information disclosure attempt (server-webapp.rules)
 * 1:45356 <-> DISABLED <-> FILE-FLASH Adobe Flash Player null pointer dereference attempt (file-flash.rules)
 * 1:45263 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple server side template injection attempt (server-webapp.rules)
 * 1:45355 <-> DISABLED <-> BROWSER-OTHER Apple Safari javascript multibyte character escaping denial of service attempt (browser-other.rules)
 * 1:45354 <-> DISABLED <-> BROWSER-OTHER Apple Safari javascript multibyte character escaping denial of service attempt (browser-other.rules)
 * 1:45353 <-> DISABLED <-> SERVER-APACHE Sling framework information disclosure attempt (server-apache.rules)
 * 1:45352 <-> ENABLED <-> MALWARE-CNC PowerShell Empire HTTP listener response (malware-cnc.rules)
 * 1:45351 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithPrivilege method call attempt (file-java.rules)
 * 1:45350 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithClassLoaders method call attempt (file-java.rules)
 * 1:45349 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithPrivilege method call attempt (file-java.rules)
 * 1:45348 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithClassLoaders method call attempt (file-java.rules)
 * 1:45347 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
 * 1:45346 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
 * 1:45345 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45342 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45340 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:45260 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Triton Triton ICS malware upload attempt (malware-cnc.rules)
 * 1:44562 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:44563 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:38391 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
 * 1:44561 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:38390 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
 * 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
 * 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:32896 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32897 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:32895 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:28208 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
 * 1:32894 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27944 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
 * 1:28207 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
 * 1:25778 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG use after free attempt (browser-ie.rules)
 * 1:27943 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
 * 1:17117 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-multimedia.rules)
 * 1:18970 <-> DISABLED <-> FILE-FLASH Adobe Flash Player null pointer dereference attempt (file-flash.rules)