Talos Rules 2018-12-27
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-image, file-other, file-pdf, indicator-compromise, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-12-27 21:49:42 UTC

Snort Subscriber Rules Update

Date: 2018-12-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48744 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TEW-673GRU apply.cgi start_arpping command injection attempt (server-webapp.rules)
 * 1:48745 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
 * 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
 * 1:48715 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Ramnit payload drop attempt (malware-other.rules)
 * 1:48717 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
 * 1:48718 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Occamy inbound payload attempt (malware-other.rules)
 * 1:48719 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
 * 1:48721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48734 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zekapab variant outbound connection (malware-cnc.rules)
 * 1:48733 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48738 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
 * 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48742 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
 * 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (server-webapp.rules)
 * 1:48741 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
 * 1:48711 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48746 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:48712 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48716 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
 * 1:48720 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
 * 1:48743 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
 * 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48739 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
 * 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48709 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
 * 1:48707 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
 * 1:48708 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
 * 1:48705 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48710 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
 * 1:48703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48706 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)

Modified Rules:


 * 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
 * 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
 * 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns query (indicator-compromise.rules)
 * 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
 * 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
 * 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
 * 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
 * 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (server-other.rules)
 * 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
 * 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
 * 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
 * 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
 * 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
 * 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
 * 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
 * 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns query (indicator-compromise.rules)
 * 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
 * 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
 * 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
 * 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
 * 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
 * 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
 * 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
 * 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
 * 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
 * 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
 * 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
 * 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
 * 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
 * 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
 * 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
 * 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
 * 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
 * 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
 * 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
 * 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
 * 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
 * 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
 * 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns query (indicator-compromise.rules)
 * 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns query (indicator-compromise.rules)
 * 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
 * 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)

2018-12-27 21:49:42 UTC

Snort Subscriber Rules Update

Date: 2018-12-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48745 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:48711 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48706 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48707 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
 * 1:48720 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
 * 1:48710 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
 * 1:48708 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
 * 1:48705 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48709 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
 * 1:48704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48719 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
 * 1:48716 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
 * 1:48717 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
 * 1:48722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48715 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Ramnit payload drop attempt (malware-other.rules)
 * 1:48712 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
 * 1:48718 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Occamy inbound payload attempt (malware-other.rules)
 * 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
 * 1:48743 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
 * 1:48739 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
 * 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (server-webapp.rules)
 * 1:48742 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
 * 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48741 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
 * 1:48738 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
 * 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zekapab variant outbound connection (malware-cnc.rules)
 * 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48734 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48733 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48746 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:48744 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TEW-673GRU apply.cgi start_arpping command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
 * 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
 * 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
 * 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
 * 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns query (indicator-compromise.rules)
 * 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
 * 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
 * 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
 * 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (server-other.rules)
 * 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
 * 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
 * 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
 * 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns query (indicator-compromise.rules)
 * 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
 * 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
 * 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
 * 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
 * 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
 * 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
 * 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
 * 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
 * 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
 * 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
 * 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
 * 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
 * 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
 * 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
 * 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
 * 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
 * 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
 * 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
 * 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns query (indicator-compromise.rules)
 * 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns query (indicator-compromise.rules)
 * 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
 * 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
 * 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
 * 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
 * 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
 * 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
 * 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
 * 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
 * 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)

2018-12-27 21:49:42 UTC

Snort Subscriber Rules Update

Date: 2018-12-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48744 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TEW-673GRU apply.cgi start_arpping command injection attempt (snort3-server-webapp.rules)
 * 1:48745 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48711 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
 * 1:48746 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48710 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48707 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (snort3-file-pdf.rules)
 * 1:48706 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
 * 1:48709 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
 * 1:48708 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (snort3-file-pdf.rules)
 * 1:48705 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
 * 1:48704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
 * 1:48741 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (snort3-malware-other.rules)
 * 1:48743 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (snort3-malware-other.rules)
 * 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (snort3-server-webapp.rules)
 * 1:48742 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (snort3-malware-other.rules)
 * 1:48739 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (snort3-file-pdf.rules)
 * 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (snort3-server-webapp.rules)
 * 1:48733 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:48738 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (snort3-file-pdf.rules)
 * 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (snort3-server-webapp.rules)
 * 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (snort3-server-webapp.rules)
 * 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
 * 1:48734 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
 * 1:48732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zekapab variant outbound connection (snort3-malware-cnc.rules)
 * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
 * 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
 * 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
 * 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
 * 1:48721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
 * 1:48723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48717 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (snort3-malware-other.rules)
 * 1:48722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48719 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (snort3-malware-other.rules)
 * 1:48720 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (snort3-malware-other.rules)
 * 1:48718 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Occamy inbound payload attempt (snort3-malware-other.rules)
 * 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (snort3-indicator-compromise.rules)
 * 1:48716 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (snort3-malware-other.rules)
 * 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (snort3-indicator-compromise.rules)
 * 1:48715 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Ramnit payload drop attempt (snort3-malware-other.rules)
 * 1:48712 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)

Modified Rules:


 * 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (snort3-indicator-compromise.rules)
 * 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns query (snort3-indicator-compromise.rules)
 * 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (snort3-indicator-compromise.rules)
 * 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (snort3-indicator-compromise.rules)
 * 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (snort3-indicator-compromise.rules)
 * 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (snort3-indicator-compromise.rules)
 * 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns query (snort3-indicator-compromise.rules)
 * 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (snort3-indicator-compromise.rules)
 * 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (snort3-indicator-compromise.rules)
 * 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (snort3-indicator-compromise.rules)
 * 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (snort3-indicator-compromise.rules)
 * 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (snort3-indicator-compromise.rules)
 * 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (snort3-indicator-compromise.rules)
 * 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (snort3-indicator-compromise.rules)
 * 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (snort3-indicator-compromise.rules)
 * 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (snort3-indicator-compromise.rules)
 * 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (snort3-indicator-compromise.rules)
 * 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (snort3-server-other.rules)
 * 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (snort3-file-image.rules)
 * 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (snort3-file-image.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (snort3-indicator-compromise.rules)
 * 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (snort3-indicator-compromise.rules)
 * 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (snort3-indicator-compromise.rules)
 * 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (snort3-indicator-compromise.rules)
 * 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (snort3-indicator-compromise.rules)
 * 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (snort3-indicator-compromise.rules)
 * 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (snort3-indicator-compromise.rules)
 * 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (snort3-indicator-compromise.rules)
 * 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (snort3-indicator-compromise.rules)
 * 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (snort3-indicator-compromise.rules)
 * 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (snort3-indicator-compromise.rules)
 * 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (snort3-indicator-compromise.rules)
 * 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (snort3-indicator-compromise.rules)
 * 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (snort3-indicator-compromise.rules)
 * 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (snort3-indicator-compromise.rules)
 * 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (snort3-indicator-compromise.rules)
 * 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (snort3-indicator-compromise.rules)
 * 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (snort3-indicator-compromise.rules)
 * 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (snort3-indicator-compromise.rules)
 * 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (snort3-indicator-compromise.rules)
 * 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (snort3-indicator-compromise.rules)
 * 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns query (snort3-indicator-compromise.rules)
 * 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns query (snort3-indicator-compromise.rules)
 * 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (snort3-indicator-compromise.rules)
 * 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (snort3-indicator-compromise.rules)
 * 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)

2018-12-27 21:49:42 UTC

Snort Subscriber Rules Update

Date: 2018-12-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48744 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TEW-673GRU apply.cgi start_arpping command injection attempt (server-webapp.rules)
 * 1:48745 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:48705 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48712 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48746 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:48711 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48709 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
 * 1:48710 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
 * 1:48707 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
 * 1:48708 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
 * 1:48706 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
 * 1:48716 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
 * 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
 * 1:48715 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Ramnit payload drop attempt (malware-other.rules)
 * 1:48738 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
 * 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48733 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48734 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zekapab variant outbound connection (malware-cnc.rules)
 * 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48719 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
 * 1:48720 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
 * 1:48717 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
 * 1:48718 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Occamy inbound payload attempt (malware-other.rules)
 * 1:48743 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
 * 1:48741 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
 * 1:48742 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
 * 1:48739 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
 * 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (server-webapp.rules)

Modified Rules:


 * 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
 * 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
 * 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
 * 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
 * 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns query (indicator-compromise.rules)
 * 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
 * 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
 * 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
 * 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
 * 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns query (indicator-compromise.rules)
 * 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
 * 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
 * 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
 * 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
 * 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
 * 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
 * 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
 * 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
 * 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (server-other.rules)
 * 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
 * 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
 * 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
 * 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
 * 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
 * 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
 * 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
 * 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
 * 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
 * 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
 * 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
 * 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
 * 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
 * 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
 * 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
 * 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
 * 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
 * 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
 * 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
 * 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
 * 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns query (indicator-compromise.rules)
 * 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns query (indicator-compromise.rules)
 * 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)

2018-12-27 21:49:42 UTC

Snort Subscriber Rules Update

Date: 2018-12-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48744 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TEW-673GRU apply.cgi start_arpping command injection attempt (server-webapp.rules)
 * 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48705 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48707 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
 * 1:48708 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
 * 1:48710 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
 * 1:48711 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48706 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48712 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48709 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
 * 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
 * 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
 * 1:48715 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Ramnit payload drop attempt (malware-other.rules)
 * 1:48717 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
 * 1:48718 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Occamy inbound payload attempt (malware-other.rules)
 * 1:48716 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
 * 1:48720 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
 * 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zekapab variant outbound connection (malware-cnc.rules)
 * 1:48733 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48734 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48746 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:48719 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
 * 1:48738 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
 * 1:48739 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
 * 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (server-webapp.rules)
 * 1:48741 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
 * 1:48742 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
 * 1:48745 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:48743 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)

Modified Rules:


 * 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
 * 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
 * 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
 * 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns query (indicator-compromise.rules)
 * 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
 * 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
 * 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
 * 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
 * 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
 * 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
 * 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
 * 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (server-other.rules)
 * 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
 * 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
 * 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
 * 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
 * 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
 * 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
 * 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
 * 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
 * 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
 * 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
 * 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
 * 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
 * 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
 * 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
 * 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
 * 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
 * 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
 * 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
 * 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
 * 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
 * 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
 * 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
 * 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
 * 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
 * 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
 * 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
 * 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns query (indicator-compromise.rules)
 * 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns query (indicator-compromise.rules)
 * 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
 * 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns query (indicator-compromise.rules)
 * 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)

2018-12-27 21:49:42 UTC

Snort Subscriber Rules Update

Date: 2018-12-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48715 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Ramnit payload drop attempt (malware-other.rules)
 * 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
 * 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
 * 1:48712 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48711 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48710 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
 * 1:48709 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
 * 1:48708 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
 * 1:48707 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
 * 1:48706 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48705 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48718 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Occamy inbound payload attempt (malware-other.rules)
 * 1:48717 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
 * 1:48716 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
 * 1:48721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48720 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
 * 1:48719 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
 * 1:48722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48746 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:48745 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:48744 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TEW-673GRU apply.cgi start_arpping command injection attempt (server-webapp.rules)
 * 1:48743 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
 * 1:48742 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
 * 1:48741 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
 * 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (server-webapp.rules)
 * 1:48739 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
 * 1:48738 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
 * 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48734 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48733 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zekapab variant outbound connection (malware-cnc.rules)
 * 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns query (indicator-compromise.rules)
 * 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
 * 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
 * 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
 * 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
 * 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
 * 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
 * 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
 * 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (server-other.rules)
 * 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
 * 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
 * 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
 * 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
 * 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
 * 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
 * 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
 * 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
 * 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
 * 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
 * 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
 * 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
 * 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
 * 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
 * 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
 * 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
 * 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
 * 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
 * 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
 * 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
 * 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
 * 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns query (indicator-compromise.rules)
 * 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns query (indicator-compromise.rules)
 * 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
 * 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
 * 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
 * 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
 * 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
 * 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
 * 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
 * 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
 * 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
 * 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns query (indicator-compromise.rules)