Talos Rules 2018-05-15
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-image, file-other, file-pdf, indicator-compromise, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-05-15 16:42:15 UTC

Snort Subscriber Rules Update

Date: 2018-05-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46644 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules)
 * 1:46638 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules)
 * 1:46641 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules)
 * 1:46640 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules)
 * 1:46639 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules)
 * 1:46643 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules)
 * 1:46642 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules)
 * 1:46666 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules)
 * 1:46665 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules)
 * 1:46664 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound freegeoip.net geo-IP location connection attempt (indicator-compromise.rules)
 * 1:46663 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound telize.com geo-IP location connection attempt (indicator-compromise.rules)
 * 1:46662 <-> ENABLED <-> EXPLOIT-KIT FakeFlash update attempt (exploit-kit.rules)
 * 1:46660 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules)
 * 1:46659 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules)
 * 1:46658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules)
 * 1:46657 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules)
 * 1:46656 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules)
 * 1:46655 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules)
 * 1:46654 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules)
 * 1:46653 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules)
 * 1:46652 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules)
 * 1:46651 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules)
 * 1:46650 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules)
 * 1:46649 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules)
 * 1:46648 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules)
 * 1:46647 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules)
 * 1:46646 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules)
 * 1:46645 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules)
 * 1:46683 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46682 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46681 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules)
 * 1:46680 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules)
 * 1:46679 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules)
 * 1:46678 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46675 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46674 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46673 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46672 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46671 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46670 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46669 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46668 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46667 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:46702 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules)
 * 1:46701 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules)
 * 1:46700 <-> ENABLED <-> MALWARE-CNC Osx.Downloader.Crossrider outbound download request (malware-cnc.rules)
 * 1:46699 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules)
 * 1:46698 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules)
 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46695 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules)
 * 1:46694 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules)
 * 1:46693 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules)
 * 1:46692 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules)
 * 1:46691 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules)
 * 1:46690 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules)
 * 1:46689 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules)
 * 1:46688 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules)
 * 1:46687 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules)
 * 1:46686 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules)
 * 1:46685 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46684 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46720 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46719 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46718 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46717 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46716 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules)
 * 1:46715 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules)
 * 1:46714 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46713 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46712 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules)
 * 1:46711 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules)
 * 1:46710 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
 * 1:46709 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
 * 1:46708 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules)
 * 1:46707 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules)
 * 1:46706 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules)
 * 1:46705 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules)
 * 1:46721 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules)
 * 1:46723 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:46722 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules)
 * 1:46728 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules)
 * 1:46727 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules)
 * 1:46726 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules)
 * 1:46725 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules)
 * 1:46724 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:46732 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules)
 * 1:46731 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules)
 * 1:46730 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules)
 * 1:46729 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules)
 * 1:46733 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 1:46734 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 3:46661 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0594 attack attempt (policy-other.rules)

Modified Rules:


 * 1:20021 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules)
 * 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules)
 * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules)
 * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules)
 * 1:45040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules)
 * 1:45041 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules)
 * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
 * 1:25042 <-> DISABLED <-> EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (exploit-kit.rules)
 * 3:44166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0428 attack attempt (server-webapp.rules)
 * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)

2018-05-15 16:42:15 UTC

Snort Subscriber Rules Update

Date: 2018-05-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46711 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules)
 * 1:46712 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules)
 * 1:46638 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules)
 * 1:46639 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules)
 * 1:46640 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules)
 * 1:46641 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules)
 * 1:46642 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules)
 * 1:46643 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules)
 * 1:46644 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules)
 * 1:46645 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules)
 * 1:46646 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules)
 * 1:46647 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules)
 * 1:46648 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules)
 * 1:46649 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules)
 * 1:46650 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules)
 * 1:46651 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules)
 * 1:46652 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules)
 * 1:46653 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules)
 * 1:46654 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules)
 * 1:46655 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules)
 * 1:46656 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules)
 * 1:46657 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules)
 * 1:46658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules)
 * 1:46659 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules)
 * 1:46660 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules)
 * 1:46662 <-> ENABLED <-> EXPLOIT-KIT FakeFlash update attempt (exploit-kit.rules)
 * 1:46663 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound telize.com geo-IP location connection attempt (indicator-compromise.rules)
 * 1:46664 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound freegeoip.net geo-IP location connection attempt (indicator-compromise.rules)
 * 1:46665 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules)
 * 1:46666 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules)
 * 1:46667 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46668 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46669 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46670 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46671 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46672 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46673 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46674 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46675 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46678 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46679 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules)
 * 1:46680 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules)
 * 1:46681 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules)
 * 1:46682 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46683 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46684 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46685 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46686 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules)
 * 1:46687 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules)
 * 1:46688 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules)
 * 1:46689 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules)
 * 1:46690 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules)
 * 1:46691 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules)
 * 1:46692 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules)
 * 1:46693 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules)
 * 1:46694 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules)
 * 1:46695 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46698 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules)
 * 1:46699 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules)
 * 1:46700 <-> ENABLED <-> MALWARE-CNC Osx.Downloader.Crossrider outbound download request (malware-cnc.rules)
 * 1:46701 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules)
 * 1:46702 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules)
 * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:46705 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules)
 * 1:46706 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules)
 * 1:46707 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules)
 * 1:46708 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules)
 * 1:46709 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
 * 1:46713 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46714 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46715 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules)
 * 1:46718 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46717 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46716 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules)
 * 1:46734 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 1:46733 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 1:46732 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules)
 * 1:46731 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules)
 * 1:46730 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules)
 * 1:46729 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules)
 * 1:46728 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules)
 * 1:46727 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules)
 * 1:46726 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules)
 * 1:46725 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules)
 * 1:46724 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:46723 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:46722 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules)
 * 1:46721 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules)
 * 1:46720 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46719 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46710 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
 * 3:46661 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0594 attack attempt (policy-other.rules)

Modified Rules:


 * 1:25042 <-> DISABLED <-> EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (exploit-kit.rules)
 * 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules)
 * 1:45040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules)
 * 1:45041 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules)
 * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
 * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules)
 * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules)
 * 1:20021 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules)
 * 3:44166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0428 attack attempt (server-webapp.rules)
 * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)

2018-05-15 16:42:15 UTC

Snort Subscriber Rules Update

Date: 2018-05-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46714 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
 * 1:46713 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
 * 1:46729 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (snort3-file-other.rules)
 * 1:46728 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (snort3-file-other.rules)
 * 1:46727 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (snort3-file-other.rules)
 * 1:46726 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (snort3-file-image.rules)
 * 1:46725 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (snort3-file-image.rules)
 * 1:46724 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (snort3-file-pdf.rules)
 * 1:46723 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (snort3-file-pdf.rules)
 * 1:46722 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (snort3-file-pdf.rules)
 * 1:46721 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (snort3-file-pdf.rules)
 * 1:46720 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (snort3-file-image.rules)
 * 1:46719 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (snort3-file-image.rules)
 * 1:46718 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (snort3-file-image.rules)
 * 1:46716 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (snort3-file-pdf.rules)
 * 1:46717 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (snort3-file-image.rules)
 * 1:46715 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (snort3-file-pdf.rules)
 * 1:46732 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (snort3-file-pdf.rules)
 * 1:46731 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (snort3-file-pdf.rules)
 * 1:46730 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (snort3-file-other.rules)
 * 1:46734 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (snort3-file-other.rules)
 * 1:46733 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (snort3-file-other.rules)
 * 1:46638 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (snort3-file-pdf.rules)
 * 1:46639 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (snort3-file-pdf.rules)
 * 1:46640 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (snort3-indicator-compromise.rules)
 * 1:46641 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (snort3-indicator-compromise.rules)
 * 1:46642 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (snort3-malware-cnc.rules)
 * 1:46643 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (snort3-file-other.rules)
 * 1:46644 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (snort3-file-other.rules)
 * 1:46647 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (snort3-file-other.rules)
 * 1:46648 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (snort3-file-other.rules)
 * 1:46649 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (snort3-file-pdf.rules)
 * 1:46650 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (snort3-file-pdf.rules)
 * 1:46651 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (snort3-file-other.rules)
 * 1:46652 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (snort3-file-other.rules)
 * 1:46653 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (snort3-file-pdf.rules)
 * 1:46654 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (snort3-file-pdf.rules)
 * 1:46655 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (snort3-file-other.rules)
 * 1:46656 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (snort3-file-other.rules)
 * 1:46657 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (snort3-file-pdf.rules)
 * 1:46658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (snort3-file-pdf.rules)
 * 1:46659 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (snort3-file-other.rules)
 * 1:46660 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (snort3-file-other.rules)
 * 1:46662 <-> ENABLED <-> EXPLOIT-KIT FakeFlash update attempt (snort3-exploit-kit.rules)
 * 1:46663 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound telize.com geo-IP location connection attempt (snort3-indicator-compromise.rules)
 * 1:46664 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound freegeoip.net geo-IP location connection attempt (snort3-indicator-compromise.rules)
 * 1:46665 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:46666 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:46667 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules)
 * 1:46668 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules)
 * 1:46669 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules)
 * 1:46670 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules)
 * 1:46671 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules)
 * 1:46672 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules)
 * 1:46673 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules)
 * 1:46674 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules)
 * 1:46675 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules)
 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules)
 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules)
 * 1:46678 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules)
 * 1:46679 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (snort3-indicator-compromise.rules)
 * 1:46680 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (snort3-file-pdf.rules)
 * 1:46681 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (snort3-file-pdf.rules)
 * 1:46682 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (snort3-server-mail.rules)
 * 1:46683 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (snort3-server-mail.rules)
 * 1:46684 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (snort3-server-mail.rules)
 * 1:46685 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (snort3-server-mail.rules)
 * 1:46686 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (snort3-file-pdf.rules)
 * 1:46687 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (snort3-file-pdf.rules)
 * 1:46688 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (snort3-file-image.rules)
 * 1:46689 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (snort3-file-image.rules)
 * 1:46690 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (snort3-file-other.rules)
 * 1:46691 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (snort3-file-other.rules)
 * 1:46692 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (snort3-file-image.rules)
 * 1:46693 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (snort3-file-image.rules)
 * 1:46694 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (snort3-file-other.rules)
 * 1:46695 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (snort3-file-other.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (snort3-file-pdf.rules)
 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (snort3-file-pdf.rules)
 * 1:46698 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (snort3-file-other.rules)
 * 1:46699 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (snort3-file-other.rules)
 * 1:46700 <-> ENABLED <-> MALWARE-CNC Osx.Downloader.Crossrider outbound download request (snort3-malware-cnc.rules)
 * 1:46701 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (snort3-file-image.rules)
 * 1:46702 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (snort3-file-image.rules)
 * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (snort3-file-other.rules)
 * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (snort3-file-other.rules)
 * 1:46705 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (snort3-file-pdf.rules)
 * 1:46706 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (snort3-file-pdf.rules)
 * 1:46707 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (snort3-file-other.rules)
 * 1:46708 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (snort3-file-other.rules)
 * 1:46709 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (snort3-file-other.rules)
 * 1:46710 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (snort3-file-other.rules)
 * 1:46711 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (snort3-file-other.rules)
 * 1:46646 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (snort3-file-pdf.rules)
 * 1:46645 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (snort3-file-pdf.rules)
 * 1:46712 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (snort3-file-other.rules)

Modified Rules:


 * 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (snort3-malware-cnc.rules)
 * 1:20021 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (snort3-malware-cnc.rules)
 * 1:25042 <-> DISABLED <-> EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (snort3-exploit-kit.rules)
 * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (snort3-file-other.rules)
 * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (snort3-file-other.rules)
 * 1:45040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (snort3-file-pdf.rules)
 * 1:45041 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (snort3-file-pdf.rules)
 * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (snort3-malware-cnc.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (snort3-server-webapp.rules)
 * 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (snort3-server-mail.rules)

2018-05-15 16:42:15 UTC

Snort Subscriber Rules Update

Date: 2018-05-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46715 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules)
 * 1:46716 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules)
 * 1:46718 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46713 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46717 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46714 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46710 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
 * 1:46638 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules)
 * 1:46712 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules)
 * 1:46729 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules)
 * 1:46728 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules)
 * 1:46721 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules)
 * 1:46730 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules)
 * 1:46724 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:46711 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules)
 * 1:46720 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46719 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46726 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules)
 * 1:46723 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:46722 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules)
 * 1:46639 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules)
 * 1:46640 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules)
 * 1:46641 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules)
 * 1:46644 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules)
 * 1:46645 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules)
 * 1:46646 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules)
 * 1:46647 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules)
 * 1:46648 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules)
 * 1:46649 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules)
 * 1:46650 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules)
 * 1:46651 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules)
 * 1:46652 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules)
 * 1:46653 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules)
 * 1:46654 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules)
 * 1:46655 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules)
 * 1:46656 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules)
 * 1:46657 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules)
 * 1:46658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules)
 * 1:46659 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules)
 * 1:46660 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules)
 * 1:46662 <-> ENABLED <-> EXPLOIT-KIT FakeFlash update attempt (exploit-kit.rules)
 * 1:46663 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound telize.com geo-IP location connection attempt (indicator-compromise.rules)
 * 1:46664 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound freegeoip.net geo-IP location connection attempt (indicator-compromise.rules)
 * 1:46665 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules)
 * 1:46666 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules)
 * 1:46667 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46668 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46669 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46670 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46671 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46672 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46673 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46674 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46675 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46678 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46679 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules)
 * 1:46680 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules)
 * 1:46681 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules)
 * 1:46682 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46683 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46684 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46685 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46686 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules)
 * 1:46687 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules)
 * 1:46688 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules)
 * 1:46689 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules)
 * 1:46690 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules)
 * 1:46691 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules)
 * 1:46692 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules)
 * 1:46693 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules)
 * 1:46694 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules)
 * 1:46695 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46698 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules)
 * 1:46699 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules)
 * 1:46700 <-> ENABLED <-> MALWARE-CNC Osx.Downloader.Crossrider outbound download request (malware-cnc.rules)
 * 1:46701 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules)
 * 1:46702 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules)
 * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:46705 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules)
 * 1:46706 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules)
 * 1:46709 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
 * 1:46643 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules)
 * 1:46642 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules)
 * 1:46734 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 1:46725 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules)
 * 1:46733 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 1:46732 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules)
 * 1:46727 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules)
 * 1:46731 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules)
 * 1:46707 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules)
 * 1:46708 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules)
 * 3:46661 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0594 attack attempt (policy-other.rules)

Modified Rules:


 * 1:20021 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules)
 * 1:25042 <-> DISABLED <-> EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (exploit-kit.rules)
 * 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules)
 * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules)
 * 1:45041 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules)
 * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:45040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules)
 * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules)
 * 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
 * 3:44166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0428 attack attempt (server-webapp.rules)
 * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)

2018-05-15 16:42:16 UTC

Snort Subscriber Rules Update

Date: 2018-05-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46685 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46717 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46719 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46714 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46723 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:46722 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules)
 * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:46716 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules)
 * 1:46712 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules)
 * 1:46701 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules)
 * 1:46713 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46715 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules)
 * 1:46730 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules)
 * 1:46720 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46707 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules)
 * 1:46638 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules)
 * 1:46705 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules)
 * 1:46706 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules)
 * 1:46729 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules)
 * 1:46721 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules)
 * 1:46726 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules)
 * 1:46639 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules)
 * 1:46640 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules)
 * 1:46642 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules)
 * 1:46646 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules)
 * 1:46647 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules)
 * 1:46648 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules)
 * 1:46649 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules)
 * 1:46650 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules)
 * 1:46651 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules)
 * 1:46652 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules)
 * 1:46653 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules)
 * 1:46654 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules)
 * 1:46655 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules)
 * 1:46656 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules)
 * 1:46657 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules)
 * 1:46658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules)
 * 1:46659 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules)
 * 1:46660 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules)
 * 1:46662 <-> ENABLED <-> EXPLOIT-KIT FakeFlash update attempt (exploit-kit.rules)
 * 1:46663 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound telize.com geo-IP location connection attempt (indicator-compromise.rules)
 * 1:46664 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound freegeoip.net geo-IP location connection attempt (indicator-compromise.rules)
 * 1:46665 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules)
 * 1:46666 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules)
 * 1:46668 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46669 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46670 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46671 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46672 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46673 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46667 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46674 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules)
 * 1:46675 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46678 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46681 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules)
 * 1:46680 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules)
 * 1:46679 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules)
 * 1:46711 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules)
 * 1:46683 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46684 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46682 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules)
 * 1:46686 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules)
 * 1:46687 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules)
 * 1:46688 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules)
 * 1:46689 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules)
 * 1:46690 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules)
 * 1:46691 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules)
 * 1:46692 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules)
 * 1:46693 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules)
 * 1:46694 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules)
 * 1:46695 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46698 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules)
 * 1:46699 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules)
 * 1:46700 <-> ENABLED <-> MALWARE-CNC Osx.Downloader.Crossrider outbound download request (malware-cnc.rules)
 * 1:46643 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules)
 * 1:46645 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules)
 * 1:46644 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules)
 * 1:46641 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules)
 * 1:46702 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules)
 * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:46732 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules)
 * 1:46728 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules)
 * 1:46725 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules)
 * 1:46724 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:46710 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
 * 1:46709 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
 * 1:46708 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules)
 * 1:46734 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 1:46727 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules)
 * 1:46718 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules)
 * 1:46733 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 1:46731 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules)
 * 3:46661 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0594 attack attempt (policy-other.rules)

Modified Rules:


 * 1:20021 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules)
 * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules)
 * 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules)
 * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules)
 * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
 * 1:45041 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules)
 * 1:25042 <-> DISABLED <-> EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (exploit-kit.rules)
 * 1:45040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
 * 3:44166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0428 attack attempt (server-webapp.rules)
 * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)