Talos Rules 2018-05-03
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-multimedia, file-other, file-pdf, malware-cnc, os-windows, policy-other, protocol-imap, pua-adware, server-apache, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-05-03 18:57:11 UTC

Snort Subscriber Rules Update

Date: 2018-05-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46486 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
 * 1:46485 <-> DISABLED <-> SERVER-WEBAPP TwonkyMedia server directory listing attempt (server-webapp.rules)
 * 1:46484 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers DELETE command buffer overflow attempt (server-mail.rules)
 * 1:46483 <-> DISABLED <-> SERVER-WEBAPP Wordpress VideoWhisper Live Streaming Integration plugin double extension file upload attempt (server-webapp.rules)
 * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
 * 1:46481 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
 * 1:46480 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
 * 1:46479 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 1:46478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 1:46477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 1:46476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 1:46475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger get module list outbound request (malware-cnc.rules)
 * 1:46474 <-> ENABLED <-> SERVER-OTHER Quest Appliance NetVault Backup buffer overflow attempt (server-other.rules)
 * 1:46473 <-> ENABLED <-> SERVER-OTHER Spring Data Commons remote code execution attempt (server-other.rules)
 * 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:46488 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy download attempt (malware-cnc.rules)
 * 1:46487 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy heartbeat (malware-cnc.rules)
 * 1:46495 <-> DISABLED <-> SERVER-OTHER HTTP request smuggling attempt (server-other.rules)
 * 1:46491 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:46490 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:46502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
 * 1:46501 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
 * 1:46505 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46504 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
 * 1:46503 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
 * 1:46507 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46506 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46508 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46529 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
 * 1:46528 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
 * 1:46527 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
 * 1:46526 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
 * 1:46525 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
 * 1:46524 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
 * 1:46522 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
 * 1:46521 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
 * 1:46520 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
 * 1:46519 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
 * 1:46518 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
 * 1:46517 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46516 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46515 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46514 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46513 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46512 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46511 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46510 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46509 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API command injection attempt (server-webapp.rules)
 * 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
 * 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
 * 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
 * 3:46496 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46497 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46498 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46499 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46500 <-> ENABLED <-> POLICY-OTHER Docker API ContainerCreate request detected (policy-other.rules)
 * 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)

Modified Rules:


 * 1:44531 <-> ENABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (server-apache.rules)
 * 1:45265 <-> ENABLED <-> POLICY-OTHER cryptomining javascript client detected (policy-other.rules)
 * 1:3072 <-> DISABLED <-> PROTOCOL-IMAP STATUS overflow attempt (protocol-imap.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:3066 <-> DISABLED <-> PROTOCOL-IMAP APPEND overflow attempt (protocol-imap.rules)
 * 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:44341 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
 * 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string (malware-cnc.rules)
 * 1:17239 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers CREATE command buffer overflow attempt (server-mail.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:40123 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:44340 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
 * 1:40124 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:10011 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers APPEND command buffer overflow attempt (server-mail.rules)
 * 1:37375 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers EXAMINE command buffer overflow attempt (server-mail.rules)

2018-05-03 18:57:11 UTC

Snort Subscriber Rules Update

Date: 2018-05-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 1:46480 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
 * 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:46473 <-> ENABLED <-> SERVER-OTHER Spring Data Commons remote code execution attempt (server-other.rules)
 * 1:46495 <-> DISABLED <-> SERVER-OTHER HTTP request smuggling attempt (server-other.rules)
 * 1:46475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger get module list outbound request (malware-cnc.rules)
 * 1:46485 <-> DISABLED <-> SERVER-WEBAPP TwonkyMedia server directory listing attempt (server-webapp.rules)
 * 1:46486 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
 * 1:46481 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
 * 1:46487 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy heartbeat (malware-cnc.rules)
 * 1:46488 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy download attempt (malware-cnc.rules)
 * 1:46501 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:46476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
 * 1:46491 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:46503 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
 * 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46479 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
 * 1:46478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 1:46518 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
 * 1:46519 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
 * 1:46520 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
 * 1:46521 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
 * 1:46529 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
 * 1:46528 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
 * 1:46527 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
 * 1:46526 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
 * 1:46525 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
 * 1:46524 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
 * 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:46515 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46474 <-> ENABLED <-> SERVER-OTHER Quest Appliance NetVault Backup buffer overflow attempt (server-other.rules)
 * 1:46514 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46512 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46513 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46510 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46511 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46508 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46509 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API command injection attempt (server-webapp.rules)
 * 1:46506 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46507 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46504 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
 * 1:46505 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46483 <-> DISABLED <-> SERVER-WEBAPP Wordpress VideoWhisper Live Streaming Integration plugin double extension file upload attempt (server-webapp.rules)
 * 1:46484 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers DELETE command buffer overflow attempt (server-mail.rules)
 * 1:46517 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46516 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46522 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
 * 1:46490 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
 * 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
 * 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
 * 3:46496 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46497 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46498 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46499 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46500 <-> ENABLED <-> POLICY-OTHER Docker API ContainerCreate request detected (policy-other.rules)
 * 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)

Modified Rules:


 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:3066 <-> DISABLED <-> PROTOCOL-IMAP APPEND overflow attempt (protocol-imap.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:44341 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
 * 1:3072 <-> DISABLED <-> PROTOCOL-IMAP STATUS overflow attempt (protocol-imap.rules)
 * 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:17239 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers CREATE command buffer overflow attempt (server-mail.rules)
 * 1:40124 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:40123 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:44340 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
 * 1:10011 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers APPEND command buffer overflow attempt (server-mail.rules)
 * 1:37375 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers EXAMINE command buffer overflow attempt (server-mail.rules)
 * 1:45265 <-> ENABLED <-> POLICY-OTHER cryptomining javascript client detected (policy-other.rules)
 * 1:44531 <-> ENABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (server-apache.rules)
 * 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string (malware-cnc.rules)

2018-05-03 18:57:11 UTC

Snort Subscriber Rules Update

Date: 2018-05-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46527 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (snort3-server-webapp.rules)
 * 1:46528 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (snort3-server-webapp.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (snort3-server-webapp.rules)
 * 1:46529 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (snort3-server-webapp.rules)
 * 1:46502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (snort3-malware-cnc.rules)
 * 1:46481 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (snort3-file-multimedia.rules)
 * 1:46479 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (snort3-malware-cnc.rules)
 * 1:46477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (snort3-malware-cnc.rules)
 * 1:46478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (snort3-malware-cnc.rules)
 * 1:46480 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (snort3-file-multimedia.rules)
 * 1:46476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (snort3-malware-cnc.rules)
 * 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
 * 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (snort3-browser-ie.rules)
 * 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (snort3-browser-ie.rules)
 * 1:46475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger get module list outbound request (snort3-malware-cnc.rules)
 * 1:46474 <-> ENABLED <-> SERVER-OTHER Quest Appliance NetVault Backup buffer overflow attempt (snort3-server-other.rules)
 * 1:46473 <-> ENABLED <-> SERVER-OTHER Spring Data Commons remote code execution attempt (snort3-server-other.rules)
 * 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
 * 1:46490 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (snort3-file-pdf.rules)
 * 1:46491 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (snort3-file-pdf.rules)
 * 1:46524 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (snort3-server-webapp.rules)
 * 1:46495 <-> DISABLED <-> SERVER-OTHER HTTP request smuggling attempt (snort3-server-other.rules)
 * 1:46501 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (snort3-malware-cnc.rules)
 * 1:46504 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (snort3-os-windows.rules)
 * 1:46505 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (snort3-browser-ie.rules)
 * 1:46507 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (snort3-browser-ie.rules)
 * 1:46503 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (snort3-os-windows.rules)
 * 1:46521 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (snort3-server-webapp.rules)
 * 1:46522 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (snort3-server-webapp.rules)
 * 1:46519 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (snort3-server-webapp.rules)
 * 1:46520 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (snort3-server-webapp.rules)
 * 1:46517 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)
 * 1:46518 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (snort3-server-webapp.rules)
 * 1:46515 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)
 * 1:46516 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)
 * 1:46513 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)
 * 1:46514 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)
 * 1:46512 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)
 * 1:46510 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)
 * 1:46526 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (snort3-server-webapp.rules)
 * 1:46525 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (snort3-server-webapp.rules)
 * 1:46506 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (snort3-browser-ie.rules)
 * 1:46485 <-> DISABLED <-> SERVER-WEBAPP TwonkyMedia server directory listing attempt (snort3-server-webapp.rules)
 * 1:46487 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy heartbeat (snort3-malware-cnc.rules)
 * 1:46486 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (snort3-pua-adware.rules)
 * 1:46488 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy download attempt (snort3-malware-cnc.rules)
 * 1:46508 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (snort3-browser-ie.rules)
 * 1:46483 <-> DISABLED <-> SERVER-WEBAPP Wordpress VideoWhisper Live Streaming Integration plugin double extension file upload attempt (snort3-server-webapp.rules)
 * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (snort3-malware-cnc.rules)
 * 1:46509 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API command injection attempt (snort3-server-webapp.rules)
 * 1:46484 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers DELETE command buffer overflow attempt (snort3-server-mail.rules)
 * 1:46511 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:40123 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (snort3-browser-ie.rules)
 * 1:44341 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (snort3-browser-ie.rules)
 * 1:40124 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (snort3-browser-ie.rules)
 * 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (snort3-browser-ie.rules)
 * 1:37375 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers EXAMINE command buffer overflow attempt (snort3-server-mail.rules)
 * 1:3066 <-> DISABLED <-> PROTOCOL-IMAP APPEND overflow attempt (snort3-protocol-imap.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (snort3-server-other.rules)
 * 1:17239 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers CREATE command buffer overflow attempt (snort3-server-mail.rules)
 * 1:3072 <-> DISABLED <-> PROTOCOL-IMAP STATUS overflow attempt (snort3-protocol-imap.rules)
 * 1:10011 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers APPEND command buffer overflow attempt (snort3-server-mail.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (snort3-server-webapp.rules)
 * 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string (snort3-malware-cnc.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (snort3-malware-cnc.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
 * 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:44531 <-> ENABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (snort3-server-apache.rules)
 * 1:45265 <-> ENABLED <-> POLICY-OTHER cryptomining javascript client detected (snort3-policy-other.rules)
 * 1:44340 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (snort3-browser-ie.rules)

2018-05-03 18:57:11 UTC

Snort Subscriber Rules Update

Date: 2018-05-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46519 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
 * 1:46480 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
 * 1:46518 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
 * 1:46527 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
 * 1:46517 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46528 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
 * 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:46481 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
 * 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
 * 1:46483 <-> DISABLED <-> SERVER-WEBAPP Wordpress VideoWhisper Live Streaming Integration plugin double extension file upload attempt (server-webapp.rules)
 * 1:46484 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers DELETE command buffer overflow attempt (server-mail.rules)
 * 1:46487 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy heartbeat (malware-cnc.rules)
 * 1:46510 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46488 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy download attempt (malware-cnc.rules)
 * 1:46529 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
 * 1:46485 <-> DISABLED <-> SERVER-WEBAPP TwonkyMedia server directory listing attempt (server-webapp.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:46490 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:46520 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
 * 1:46521 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
 * 1:46522 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
 * 1:46524 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
 * 1:46525 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
 * 1:46526 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
 * 1:46509 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API command injection attempt (server-webapp.rules)
 * 1:46507 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 1:46508 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46513 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46514 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46512 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46511 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger get module list outbound request (malware-cnc.rules)
 * 1:46486 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
 * 1:46473 <-> ENABLED <-> SERVER-OTHER Spring Data Commons remote code execution attempt (server-other.rules)
 * 1:46516 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 1:46506 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46474 <-> ENABLED <-> SERVER-OTHER Quest Appliance NetVault Backup buffer overflow attempt (server-other.rules)
 * 1:46505 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46503 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
 * 1:46504 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
 * 1:46501 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
 * 1:46502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
 * 1:46491 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:46495 <-> DISABLED <-> SERVER-OTHER HTTP request smuggling attempt (server-other.rules)
 * 1:46478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 1:46479 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46515 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
 * 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
 * 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
 * 3:46496 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46497 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46498 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46499 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46500 <-> ENABLED <-> POLICY-OTHER Docker API ContainerCreate request detected (policy-other.rules)
 * 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)

Modified Rules:


 * 1:3066 <-> DISABLED <-> PROTOCOL-IMAP APPEND overflow attempt (protocol-imap.rules)
 * 1:3072 <-> DISABLED <-> PROTOCOL-IMAP STATUS overflow attempt (protocol-imap.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:44341 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
 * 1:17239 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers CREATE command buffer overflow attempt (server-mail.rules)
 * 1:44531 <-> ENABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (server-apache.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string (malware-cnc.rules)
 * 1:45265 <-> ENABLED <-> POLICY-OTHER cryptomining javascript client detected (policy-other.rules)
 * 1:10011 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers APPEND command buffer overflow attempt (server-mail.rules)
 * 1:37375 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers EXAMINE command buffer overflow attempt (server-mail.rules)
 * 1:40124 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:44340 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
 * 1:40123 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)

2018-05-03 18:57:11 UTC

Snort Subscriber Rules Update

Date: 2018-05-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
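The one-line-per-rule format above is easy to post-process when triaging a release. The following Python is an added example (not Talos tooling; the regular expression, function names and the two short sample packs are this edit's own, with the sample lines taken from this release's format): it parses a changelog block into structured records, flags new rules that ship DISABLED so they can be reviewed for enabling, counts rules per category, and diffs the new-rule sets of two rule-pack builds such as the per-Snort-version lists on this page. gid 1 entries are text rules and gid 3 entries are shared-object rules.

```python
"""Parse Talos/Snort changelog entries of the form
   ' * gid:sid <-> STATE <-> Message (group.rules)'
and report what a rule-pack update changes. Added example, not Talos tooling."""
import re
from collections import Counter

# Regex for one changelog line (this example's own). Tolerates stray
# whitespace before the '(group.rules)' suffix.
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[A-Za-z0-9_.-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Return {'new': [...], 'modified': [...]}; each rule is a dict.
    Lines before the first 'New Rules:'/'Modified Rules:' header are ignored."""
    rules = {"new": [], "modified": []}
    section = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(raw)
        if section is None or m is None:
            continue
        gid = int(m["gid"])
        rules[section].append({
            "gid": gid,
            "sid": int(m["sid"]),
            "enabled": m["state"] == "ENABLED",
            "msg": m["msg"],
            "group": m["group"],
            # Message prefix ("SERVER-WEBAPP", "MALWARE-CNC", ...) is the class
            "category": m["msg"].split(" ", 1)[0],
            # gid 3 = shared-object (SO) rule, gid 1 = text rule
            "shared_object": gid == 3,
        })
    return rules


def disabled_new_rules(parsed):
    """New rules shipped DISABLED: the ones that need a policy decision."""
    return sorted((r["gid"], r["sid"], r["msg"]) for r in parsed["new"] if not r["enabled"])


def category_counts(parsed, section="new"):
    """How many rules of each category the section carries."""
    return Counter(r["category"] for r in parsed[section])


def diff_packs(pack_a, pack_b):
    """(gid, sid) pairs present in one pack's 'new' list but not the other's."""
    a = {(r["gid"], r["sid"]) for r in pack_a["new"]}
    b = {(r["gid"], r["sid"]) for r in pack_b["new"]}
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}


# Constructed sample: a short excerpt in the page's format, standing in for
# one rule-pack build. PACK_B is the same excerpt with one extra new rule.
PACK_A = """\
New Rules:

 * 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46487 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy heartbeat (malware-cnc.rules)
 * 3:46500 <-> ENABLED <-> POLICY-OTHER Docker API ContainerCreate request detected (policy-other.rules)

Modified Rules:

 * 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string  (malware-cnc.rules)
"""

PACK_B = PACK_A.replace(
    "Modified Rules:",
    " * 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)\n\nModified Rules:",
    1,
)

if __name__ == "__main__":
    a, b = parse_changelog(PACK_A), parse_changelog(PACK_B)
    for gid, sid, msg in disabled_new_rules(b):
        print(f"{gid}:{sid} DISABLED  {msg}")
    print(dict(category_counts(b)))
    print(diff_packs(a, b))
```

Feed the tool a whole changelog block (everything from "New Rules:" through the end of "Modified Rules:") and review the DISABLED output against local policy; a rule that Talos ships off by default, such as a SERVER-WEBAPP rule for a product you run, is a candidate to enable, while the per-version diff shows which SIDs exist only in one rule-pack build.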

New Rules:


 * 1:46474 <-> ENABLED <-> SERVER-OTHER Quest Appliance NetVault Backup buffer overflow attempt (server-other.rules)
 * 1:46495 <-> DISABLED <-> SERVER-OTHER HTTP request smuggling attempt (server-other.rules)
 * 1:46486 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
 * 1:46491 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:46487 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy heartbeat (malware-cnc.rules)
 * 1:46481 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
 * 1:46476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46488 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy download attempt (malware-cnc.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:46480 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
 * 1:46503 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
 * 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46479 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 1:46524 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
 * 1:46525 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
 * 1:46526 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
 * 1:46507 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46473 <-> ENABLED <-> SERVER-OTHER Spring Data Commons remote code execution attempt (server-other.rules)
 * 1:46502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
 * 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:46478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 1:46529 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
 * 1:46501 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
 * 1:46506 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46504 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
 * 1:46505 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46483 <-> DISABLED <-> SERVER-WEBAPP Wordpress VideoWhisper Live Streaming Integration plugin double extension file upload attempt (server-webapp.rules)
 * 1:46484 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers DELETE command buffer overflow attempt (server-mail.rules)
 * 1:46475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger get module list outbound request (malware-cnc.rules)
 * 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:46528 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
 * 1:46522 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
 * 1:46490 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:46517 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46514 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46515 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46516 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46513 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46510 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46511 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46512 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
 * 1:46509 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API command injection attempt (server-webapp.rules)
 * 1:46485 <-> DISABLED <-> SERVER-WEBAPP TwonkyMedia server directory listing attempt (server-webapp.rules)
 * 1:46527 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
 * 1:46508 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
 * 1:46518 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
 * 1:46519 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
 * 1:46520 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
 * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
 * 1:46521 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
 * 1:46477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
 * 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
 * 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
 * 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
 * 3:46496 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46497 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46498 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46499 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
 * 3:46500 <-> ENABLED <-> POLICY-OTHER Docker API ContainerCreate request detected (policy-other.rules)
 * 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)

Modified Rules:


 * 1:44531 <-> ENABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (server-apache.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:40124 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:44340 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
 * 1:40123 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:37375 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers EXAMINE command buffer overflow attempt (server-mail.rules)
 * 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:44341 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
 * 1:3072 <-> DISABLED <-> PROTOCOL-IMAP STATUS overflow attempt (protocol-imap.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:17239 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers CREATE command buffer overflow attempt (server-mail.rules)
 * 1:45265 <-> ENABLED <-> POLICY-OTHER cryptomining javascript client detected (policy-other.rules)
 * 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:3066 <-> DISABLED <-> PROTOCOL-IMAP APPEND overflow attempt (protocol-imap.rules)
 * 1:10011 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers APPEND command buffer overflow attempt (server-mail.rules)
 * 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string (malware-cnc.rules)