Talos has added and modified multiple rules in the app-detect, browser-firefox, browser-ie, browser-plugins, browser-webkit, exploit-kit, file-executable, file-flash, file-identify, file-image, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, indicator-scan, indicator-shellcode, malware-backdoor, malware-cnc, malware-other, netbios, os-mobile, os-other, os-solaris, os-windows, policy-other, policy-social, policy-spam, protocol-ftp, protocol-imap, protocol-other, protocol-pop, protocol-rpc, protocol-scada, protocol-snmp, protocol-telnet, protocol-voip, pua-adware, server-apache, server-iis, server-mail, server-mysql, server-oracle, server-other and sql rule sets to provide coverage for emerging threats from these technologies.
SRU-03-27-001 includes over 1300 updated rules. The bulk of these updates simply add references for the MITRE ATT&ACK framework. The MITRE ATT&CK Framework is described in this wiki (https://attack.mitre.org) which provides a thorough overview of all known attack techniques which are currently or have been employed by adversaries in the wild. Each documented technique is accompanied by explanations, examples, detection recommendations, and the related actor(s) that have employed the technique. Talos has added these additional references in the SIDs provide attack context information for our customers, and to support integration with other systems or reporting requirements.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49598 <-> DISABLED <-> SERVER-WEBAPP Fiberhome AN5506-04-F RP2669 cross site scripting attempt (server-webapp.rules) * 1:49577 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49576 <-> DISABLED <-> FILE-IMAGE SketchUp BMP RLE8 parsing buffer overflow attempt (file-image.rules) * 1:49575 <-> DISABLED <-> FILE-IMAGE SketchUp BMP RLE8 parsing buffer overflow attempt (file-image.rules) * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules) * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules) * 1:49597 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GlobeImposter malicious executable download attempt (malware-cnc.rules) * 1:49596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GlobeImposter malicious executable download attempt (malware-cnc.rules) * 1:49595 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49594 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49593 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49587 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules) * 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules) * 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules) * 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules) * 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules) * 1:49582 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49581 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49580 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49579 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49578 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49605 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt (server-webapp.rules) * 1:49604 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt (server-webapp.rules) * 1:49603 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt (server-webapp.rules) * 1:49602 <-> DISABLED <-> SERVER-OTHER Century Star SCADA directory traversal attempt (server-other.rules) * 1:49601 <-> DISABLED <-> SERVER-OTHER Century Star SCADA directory traversal attempt (server-other.rules) * 1:49600 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt detected (file-pdf.rules) * 1:49599 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt detected (file-pdf.rules) * 3:49588 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui debugBundle command injection attempt (server-webapp.rules) * 3:49589 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui debugBundle command injection attempt (server-webapp.rules) * 3:49590 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui debugBundle command injection attempt (server-webapp.rules) * 3:49591 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui directory traversal attempt (server-webapp.rules) * 3:49606 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP calling display name denial of service attempt (protocol-voip.rules) * 3:49607 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP calling display name denial of service attempt (protocol-voip.rules) * 3:49608 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui execPython access attempt (server-webapp.rules) * 3:49609 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui cdp resource command injection attempt (server-webapp.rules) * 3:49610 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui dhcp resource command injection attempt (server-webapp.rules) * 3:49611 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui information disclosure attempt (server-webapp.rules) * 3:49612 <-> ENABLED <-> POLICY-OTHER Cisco Virtual Switching System standby interested message detected (policy-other.rules) * 3:49613 <-> ENABLED <-> POLICY-OTHER Cisco Virtual Switching System master request message detected (policy-other.rules) * 3:49614 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui rathrottler command injection attempt (server-webapp.rules) * 3:49615 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui rathrottler command injection attempt (server-webapp.rules) * 3:49616 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui rathrottler command injection attempt (server-webapp.rules)
* 1:18439 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (file-pdf.rules) * 1:10098 <-> DISABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - get system info (malware-other.rules) * 1:10097 <-> ENABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection (malware-other.rules) * 1:10096 <-> DISABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - keylog (malware-other.rules) * 1:10089 <-> DISABLED <-> MALWARE-OTHER Keylogger beyond Keylogger runtime detection - log sent by ftp (malware-other.rules) * 1:10088 <-> DISABLED <-> MALWARE-OTHER Keylogger beyond Keylogger runtime detection - log sent by smtp (malware-other.rules) * 1:12159 <-> DISABLED <-> MALWARE-BACKDOOR optix pro v1.32 runtime detection - keylogging (malware-backdoor.rules) * 1:1133 <-> DISABLED <-> INDICATOR-SCAN cybercop os probe (indicator-scan.rules) * 1:11311 <-> DISABLED <-> MALWARE-OTHER Keylogger pcsentinelsoftware Keylogger runtime detection - upload infor (malware-other.rules) * 1:11309 <-> DISABLED <-> MALWARE-OTHER Keylogger sskc v2.0 runtime detection (malware-other.rules) * 1:11307 <-> DISABLED <-> MALWARE-OTHER Keylogger computer monitor Keylogger runtime detection (malware-other.rules) * 1:1129 <-> DISABLED <-> SERVER-WEBAPP .htaccess access (server-webapp.rules) * 1:11250 <-> DISABLED <-> BROWSER-PLUGINS Sony Rootkit Uninstaller ActiveX clsid access (browser-plugins.rules) * 1:1122 <-> DISABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules) * 1:1101 <-> DISABLED <-> INDICATOR-SCAN Webtrends HTTP probe (indicator-scan.rules) * 1:1100 <-> DISABLED <-> INDICATOR-SCAN L3retriever HTTP Probe (indicator-scan.rules) * 1:1090 <-> DISABLED <-> SERVER-WEBAPP Allaire Pro Web Shell attempt (server-webapp.rules) * 1:10464 <-> DISABLED <-> PROTOCOL-TELNET kerberos login environment variable authentication bypass attempt (protocol-telnet.rules) * 1:10457 <-> DISABLED <-> MALWARE-BACKDOOR [x]-ztoo 1.0 runtime detection - start keylogger (malware-backdoor.rules) * 1:10440 <-> DISABLED <-> MALWARE-OTHER Keylogger pc black box runtime detection (malware-other.rules) * 1:10436 <-> DISABLED <-> MALWARE-OTHER Keylogger keyspy runtime detection (malware-other.rules) * 1:10183 <-> DISABLED <-> MALWARE-OTHER Keylogger activity Keylogger runtime detection (malware-other.rules) * 1:10181 <-> DISABLED <-> MALWARE-OTHER Keylogger systemsleuth runtime detection (malware-other.rules) * 1:10167 <-> DISABLED <-> MALWARE-OTHER Keylogger radar spy 1.0 runtime detection - send html log (malware-other.rules) * 1:10165 <-> DISABLED <-> MALWARE-OTHER Keylogger mybr Keylogger runtime detection (malware-other.rules) * 1:10123 <-> DISABLED <-> PROTOCOL-VOIP PA168 chipset based IP phone default password attempt (protocol-voip.rules) * 1:10100 <-> DISABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - open website (malware-other.rules) * 1:10099 <-> ENABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection (malware-other.rules) * 1:12141 <-> DISABLED <-> MALWARE-OTHER Keylogger logit v1.0 runtime detection (malware-other.rules) * 1:12137 <-> DISABLED <-> MALWARE-OTHER Keylogger Keylogger king home 2.3 runtime detection (malware-other.rules) * 1:12136 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - fun (malware-other.rules) * 1:12135 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - fun (malware-other.rules) * 1:12134 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - open url (malware-other.rules) * 1:12133 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - open url (malware-other.rules) * 1:12132 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - keylogging (malware-other.rules) * 1:12131 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - keylogging (malware-other.rules) * 1:12130 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - get sys info (malware-other.rules) * 1:12129 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - get sys info (malware-other.rules) * 1:12128 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - init connection (malware-other.rules) * 1:12080 <-> DISABLED <-> OS-SOLARIS Oracle Solaris printd arbitrary file deletion vulnerability (os-solaris.rules) * 1:12075 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (protocol-rpc.rules) * 1:12049 <-> DISABLED <-> MALWARE-OTHER Keylogger apophis spy 1.0 runtime detection (malware-other.rules) * 1:12048 <-> DISABLED <-> MALWARE-OTHER Keylogger computer Keylogger runtime detection (malware-other.rules) * 1:12046 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind RPC Library unix authentication buffer overflow attempt (protocol-rpc.rules) * 1:12187 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 tcp rename_principal attempt (protocol-rpc.rules) * 1:12185 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 tcp request (protocol-rpc.rules) * 1:12186 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp request (protocol-rpc.rules) * 1:12188 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp rename_principal attempt (protocol-rpc.rules) * 1:12226 <-> DISABLED <-> MALWARE-OTHER Keylogger overspy runtime detection (malware-other.rules) * 1:12243 <-> DISABLED <-> MALWARE-BACKDOOR hotmail hacker log edition 5.0 runtime detection - init connection (malware-backdoor.rules) * 1:12372 <-> DISABLED <-> MALWARE-OTHER Keylogger mg-shadow 2.0 runtime detection (malware-other.rules) * 1:12379 <-> DISABLED <-> MALWARE-OTHER Keylogger PaqKeylogger 5.1 runtime detection - ftp (malware-other.rules) * 1:12424 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc RPCSEC_GSS buffer overflow attempt (protocol-rpc.rules) * 1:12480 <-> ENABLED <-> MALWARE-OTHER Keylogger inside website logger 2.4 runtime detection (malware-other.rules) * 1:12625 <-> DISABLED <-> MALWARE-OTHER Keylogger windows family safety 2.0 runtime detection (malware-other.rules) * 1:12698 <-> DISABLED <-> MALWARE-OTHER Keylogger net vizo 5.2 runtime detection (malware-other.rules) * 1:12708 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt (protocol-rpc.rules) * 1:12758 <-> ENABLED <-> MALWARE-OTHER Keylogger/RAT digi watcher 2.32 runtime detection (malware-other.rules) * 1:12759 <-> DISABLED <-> MALWARE-OTHER Keylogger/RAT digi watcher 2.32 runtime detection (malware-other.rules) * 1:12760 <-> ENABLED <-> MALWARE-OTHER Keylogger powered Keylogger 2.2 runtime detection (malware-other.rules) * 1:12761 <-> DISABLED <-> MALWARE-OTHER Keylogger powered Keylogger 2.2 runtime detection (malware-other.rules) * 1:12770 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows obfuscated RDS.Dataspace ActiveX exploit attempt (browser-plugins.rules) * 1:12771 <-> DISABLED <-> BROWSER-PLUGINS obfuscated BaoFeng Storm MPS.dll ActiveX exploit attempt (browser-plugins.rules) * 1:12772 <-> DISABLED <-> BROWSER-PLUGINS obfuscated PPStream PowerPlayer ActiveX exploit attempt (browser-plugins.rules) * 1:12773 <-> DISABLED <-> BROWSER-PLUGINS obfuscated Xunlei Thunder PPLAYER.DLL ActiveX exploit attempt (browser-plugins.rules) * 1:12774 <-> DISABLED <-> BROWSER-PLUGINS obfuscated GlobalLink ConnectAndEnterRoom ActiveX exploit attempt (browser-plugins.rules) * 1:12775 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer obfuscated Ierpplug.dll ActiveX exploit attempt (browser-plugins.rules) * 1:12792 <-> ENABLED <-> MALWARE-OTHER Keylogger spy lantern Keylogger pro 6.0 runtime detection (malware-other.rules) * 1:12793 <-> DISABLED <-> MALWARE-OTHER Keylogger spy lantern Keylogger pro 6.0 runtime detection (malware-other.rules) * 1:13223 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (protocol-rpc.rules) * 1:13236 <-> ENABLED <-> MALWARE-OTHER Keylogger active Keylogger 3.9.2 runtime detection (malware-other.rules) * 1:13237 <-> DISABLED <-> MALWARE-OTHER Keylogger active Keylogger 3.9.2 runtime detection (malware-other.rules) * 1:13243 <-> ENABLED <-> MALWARE-OTHER Keylogger computer monitor 1.1 by lastcomfort runtime detection (malware-other.rules) * 1:13244 <-> DISABLED <-> MALWARE-OTHER Keylogger computer monitor 1.1 by lastcomfort runtime detection (malware-other.rules) * 1:13278 <-> ENABLED <-> MALWARE-OTHER Keylogger advanced spy 4.0 runtime detection (malware-other.rules) * 1:13279 <-> DISABLED <-> MALWARE-OTHER Keylogger advanced spy 4.0 runtime detection (malware-other.rules) * 1:13280 <-> ENABLED <-> MALWARE-OTHER Keylogger email spy monitor 6.9 runtime detection (malware-other.rules) * 1:13281 <-> DISABLED <-> MALWARE-OTHER Keylogger email spy monitor 6.9 runtime detection (malware-other.rules) * 1:17265 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin access control bypass attempt (browser-firefox.rules) * 1:13346 <-> ENABLED <-> PUA-ADWARE Snoopware remote desktop inspector outbound connection - init connection (pua-adware.rules) * 1:13347 <-> DISABLED <-> PUA-ADWARE Snoopware remote desktop inspector runtime detection - init connection (pua-adware.rules) * 1:13479 <-> ENABLED <-> MALWARE-OTHER Keylogger findnot guarddog 4.0 runtime detection (malware-other.rules) * 1:13480 <-> DISABLED <-> MALWARE-OTHER Keylogger findnot guarddog 4.0 runtime detection (malware-other.rules) * 1:13494 <-> DISABLED <-> MALWARE-OTHER Keylogger smart pc Keylogger runtime detection (malware-other.rules) * 1:13507 <-> DISABLED <-> MALWARE-CNC evilotus 1.3.2 variant outbound connection (malware-cnc.rules) * 1:13551 <-> DISABLED <-> SERVER-ORACLE Oracle XDB.XDB_PITRIG_PKG sql injection attempt (server-oracle.rules) * 1:13567 <-> DISABLED <-> MALWARE-OTHER Keylogger msn spy monitor runtime detection (malware-other.rules) * 1:13568 <-> DISABLED <-> MALWARE-OTHER Keylogger sys keylog 1.3 advanced runtime detection (malware-other.rules) * 1:13625 <-> DISABLED <-> MALWARE-CNC MBR rootkit HTTP POST activity detected (malware-cnc.rules) * 1:13642 <-> DISABLED <-> MALWARE-OTHER Keylogger easy Keylogger runtime detection (malware-other.rules) * 1:13651 <-> DISABLED <-> MALWARE-OTHER Keylogger family cyber alert runtime detection - smtp traffic for recorded activities (malware-other.rules) * 1:13652 <-> DISABLED <-> PUA-ADWARE Keylogger all in one Keylogger runtime detection (pua-adware.rules) * 1:13767 <-> ENABLED <-> MALWARE-OTHER Keylogger cyber sitter runtime detection (malware-other.rules) * 1:13768 <-> DISABLED <-> MALWARE-OTHER Keylogger cyber sitter runtime detection (malware-other.rules) * 1:13778 <-> DISABLED <-> MALWARE-OTHER Keylogger kgb employee monitor runtime detection (malware-other.rules) * 1:13791 <-> DISABLED <-> INDICATOR-OBFUSCATION oversized cast statement - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:13812 <-> DISABLED <-> MALWARE-OTHER Keylogger refog Keylogger runtime detection (malware-other.rules) * 1:13987 <-> DISABLED <-> INDICATOR-OBFUSCATION oversized convert statement - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:13988 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to ascii function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:13989 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules) * 1:14008 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to concat function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:14039 <-> DISABLED <-> FILE-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt (file-other.rules) * 1:14040 <-> DISABLED <-> SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt (server-other.rules) * 1:14041 <-> DISABLED <-> SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt - 2 (server-other.rules) * 1:14065 <-> DISABLED <-> MALWARE-OTHER Keylogger emptybase j runtime detection (malware-other.rules) * 1:14074 <-> DISABLED <-> MALWARE-OTHER Keylogger spybosspro 4.2 runtime detection (malware-other.rules) * 1:14075 <-> DISABLED <-> MALWARE-OTHER Keylogger ultimate Keylogger pro runtime detection (malware-other.rules) * 1:17273 <-> DISABLED <-> SERVER-OTHER MIT Kerberos V5 KDC krb5_unparse_name overflow attempt (server-other.rules) * 1:1434 <-> DISABLED <-> SERVER-WEBAPP .bash_history access (server-webapp.rules) * 1:15169 <-> DISABLED <-> POLICY-SOCIAL XBOX Live Kerberos authentication request (policy-social.rules) * 1:15362 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (indicator-obfuscation.rules) * 1:15363 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential obfuscated javascript eval unescape attack attempt (indicator-obfuscation.rules) * 1:15414 <-> DISABLED <-> PROTOCOL-SCADA OMRON-FINS program area protect clear brute force attempt (protocol-scada.rules) * 1:15424 <-> DISABLED <-> SERVER-WEBAPP phpBB mod shoutbox sql injection attempt (server-webapp.rules) * 1:15425 <-> DISABLED <-> SERVER-WEBAPP phpBB mod tag board sql injection attempt (server-webapp.rules) * 1:15431 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt (browser-firefox.rules) * 1:15514 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt (server-other.rules) * 1:15584 <-> DISABLED <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules) * 1:15697 <-> DISABLED <-> INDICATOR-OBFUSCATION rename of javascript unescape function detected (indicator-obfuscation.rules) * 1:15701 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 2000 domain authentication bypass attempt (os-windows.rules) * 1:15850 <-> DISABLED <-> OS-WINDOWS Remote Desktop orderType remote code execution attempt (os-windows.rules) * 1:15861 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access (browser-plugins.rules) * 1:15863 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX function call access (browser-plugins.rules) * 1:15874 <-> DISABLED <-> SQL union select - possible sql injection attempt - POST parameter (sql.rules) * 1:16125 <-> DISABLED <-> MALWARE-OTHER Keylogger spyyahoo v2.2 runtime detection (malware-other.rules) * 1:16129 <-> DISABLED <-> MALWARE-OTHER Keylogger kamyab Keylogger v.3 runtime detection (malware-other.rules) * 1:16130 <-> DISABLED <-> MALWARE-OTHER Keylogger lord spy pro 1.4 runtime detection (malware-other.rules) * 1:16137 <-> DISABLED <-> MALWARE-OTHER Keylogger cheat monitor runtime detection (malware-other.rules) * 1:16207 <-> DISABLED <-> SERVER-WEBAPP MIT Kerberos V% KAdminD klog_vsyslog server overflow attempt (server-webapp.rules) * 1:16268 <-> ENABLED <-> MALWARE-CNC Win.Trojan.tdss.1.gen install-time detection - yournewsblog.net (malware-cnc.rules) * 1:16269 <-> ENABLED <-> MALWARE-CNC Win.Trojan.tdss.1.gen install-time detection - findzproportal1.com (malware-cnc.rules) * 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules) * 1:16350 <-> DISABLED <-> SERVER-OTHER ntp mode 7 denial of service attempt (server-other.rules) * 1:16354 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader start-of-file alternate header obfuscation (file-pdf.rules) * 1:1638 <-> DISABLED <-> INDICATOR-SCAN SSH Version map attempt (indicator-scan.rules) * 1:16390 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader alternate file magic obfuscation (file-pdf.rules) * 1:16455 <-> DISABLED <-> MALWARE-OTHER Keylogger egyspy keylogger 1.13 runtime detection (malware-other.rules) * 1:16524 <-> DISABLED <-> PROTOCOL-FTP ProFTPD username sql injection attempt (protocol-ftp.rules) * 1:16573 <-> DISABLED <-> BROWSER-PLUGINS obfuscated ActiveX object instantiation via unescape (browser-plugins.rules) * 1:16574 <-> DISABLED <-> BROWSER-PLUGINS obfuscated ActiveX object instantiation via fromCharCode (browser-plugins.rules) * 1:16742 <-> ENABLED <-> FILE-IDENTIFY remote desktop configuration file download request (file-identify.rules) * 1:16743 <-> DISABLED <-> FILE-OTHER Cain & Abel Remote Desktop Protocol file handling buffer overflow attempt (file-other.rules) * 1:17044 <-> ENABLED <-> SQL WinCC DB default password security bypass attempt (sql.rules) * 1:17111 <-> DISABLED <-> INDICATOR-OBFUSCATION known JavaScript obfuscation routine (indicator-obfuscation.rules) * 1:17153 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1 (browser-firefox.rules) * 1:17154 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 (browser-firefox.rules) * 1:17243 <-> DISABLED <-> SERVER-OTHER MIT Kerberos V5 krb5_recvauth double free attempt (server-other.rules) * 1:17274 <-> DISABLED <-> SERVER-OTHER MIT Kerberos V5 KDC krb5_unparse_name overflow attempt (server-other.rules) * 1:17291 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded uri data object found (indicator-obfuscation.rules) * 1:17353 <-> DISABLED <-> OS-SOLARIS Oracle Solaris printd Daemon Arbitrary File Deletion attempt (os-solaris.rules) * 1:17386 <-> DISABLED <-> SERVER-WEBAPP Lighttpd mod_fastcgi Extension CGI Variable Overwriting Vulnerability attempt (server-webapp.rules) * 1:17400 <-> DISABLED <-> INDICATOR-OBFUSCATION rename of javascript unescape function detected (indicator-obfuscation.rules) * 1:17444 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt (browser-firefox.rules) * 1:17571 <-> DISABLED <-> BROWSER-PLUGINS obfuscated instantiation of ActiveX object - likely malicious (browser-plugins.rules) * 1:18070 <-> DISABLED <-> FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt (file-office.rules) * 1:18071 <-> DISABLED <-> FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt (file-office.rules) * 1:18132 <-> DISABLED <-> INDICATOR-OBFUSCATION malware-associated JavaScript obfuscation function (indicator-obfuscation.rules) * 1:1817 <-> DISABLED <-> SERVER-IIS MS Site Server default login attempt (server-iis.rules) * 1:18179 <-> DISABLED <-> INDICATOR-SCAN Proxyfire.net anonymous proxy scan (indicator-scan.rules) * 1:18204 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (os-windows.rules) * 1:18205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book msoeres32.dll dll-load exploit attempt (os-windows.rules) * 1:18208 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdist.dll dll-load exploit attempt (os-windows.rules) * 1:18209 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdist.dll dll-load exploit attempt (os-windows.rules) * 1:18210 <-> DISABLED <-> OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt (os-windows.rules) * 1:18211 <-> DISABLED <-> OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt (os-windows.rules) * 1:18222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:18223 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (os-windows.rules) * 1:18224 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:18225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:18226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (os-windows.rules) * 1:18227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:18239 <-> DISABLED <-> INDICATOR-OBFUSCATION known malicious JavaScript decryption routine (indicator-obfuscation.rules) * 1:18241 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:18242 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access (browser-plugins.rules) * 1:18245 <-> DISABLED <-> BROWSER-PLUGINS Oracle Java browser plugin docbase overflow attempt (browser-plugins.rules) * 1:18277 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool fveapi.dll dll-load exploit attempt (os-windows.rules) * 1:18329 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access (browser-plugins.rules) * 1:18408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt (os-windows.rules) * 1:18413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt (os-windows.rules) * 1:18414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt (os-windows.rules) * 1:18426 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin sqlite.dll dll-load exploit attempt (file-other.rules) * 1:18431 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin sqlite.dll dll-load exploit attempt (file-pdf.rules) * 1:18432 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader d3dref9.dll dll-load exploit attempt (file-pdf.rules) * 1:18433 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader d3dref9.dll dll-load exploit attempt (file-other.rules) * 1:18434 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (file-other.rules) * 1:18435 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin agm.dll dll-load exploit attempt (file-other.rules) * 1:18436 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin bibutils.dll dll-load exploit attempt (file-other.rules) * 1:18437 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin cooltype.dll dll-load exploit attempt (file-other.rules) * 1:18438 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt (file-other.rules) * 1:18440 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin agm.dll dll-load exploit attempt (file-pdf.rules) * 1:18441 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin bibutils.dll dll-load exploit attempt (file-pdf.rules) * 1:18442 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin cooltype.dll dll-load exploit attempt (file-pdf.rules) * 1:18443 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt (file-pdf.rules) * 1:18445 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player nvapi.dll dll-load exploit attempt (file-flash.rules) * 1:18446 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player nvapi.dll dll-load exploit attempt (file-flash.rules) * 1:18488 <-> DISABLED <-> FILE-OTHER Adobe Photoshop wintab32.dll dll-load exploit attempt (file-other.rules) * 1:18493 <-> DISABLED <-> INDICATOR-OBFUSCATION generic PHP code obfuscation attempt (indicator-obfuscation.rules) * 1:18494 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules) * 1:18495 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules) * 1:18496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension ehtrace.dll dll-load exploit attempt (os-windows.rules) * 1:18499 <-> DISABLED <-> OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt (os-windows.rules) * 1:18500 <-> DISABLED <-> OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt (os-windows.rules) * 1:18529 <-> DISABLED <-> FILE-OTHER Adobe Premiere Pro ibfs32.dll dll-load exploit attempt (file-other.rules) * 1:18530 <-> DISABLED <-> FILE-OTHER Adobe Premier Pro ibfs32.dll dll-load exploit attempt (file-other.rules) * 1:18531 <-> DISABLED <-> SERVER-OTHER Multiple Vendors iacenc.dll dll-load exploit attempt (server-other.rules) * 1:18533 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC authentication denial of service attempt (server-other.rules) * 1:18534 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC authentication denial of service attempt (server-other.rules) * 1:18556 <-> DISABLED <-> SERVER-WEBAPP Symantec IM manager IMAdminReportTrendFormRun.asp sql injection attempt (server-webapp.rules) * 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules) * 1:1860 <-> DISABLED <-> SERVER-WEBAPP Linksys router default password login attempt (server-webapp.rules) * 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules) * 1:18619 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc40.dll dll-load exploit attempt (os-windows.rules) * 1:18620 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc42.dll dll-load exploit attempt (os-windows.rules) * 1:18621 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc80.dll dll-load exploit attempt (os-windows.rules) * 1:18622 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc90.dll dll-load exploit attempt (os-windows.rules) * 1:18623 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc100.dll dll-load exploit attempt (os-windows.rules) * 1:18625 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc40.dll dll-load exploit attempt (os-windows.rules) * 1:18626 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc42.dll dll-load exploit attempt (os-windows.rules) * 1:18627 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc80.dll dll-load exploit attempt (os-windows.rules) * 1:18628 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc90.dll dll-load exploit attempt (os-windows.rules) * 1:18629 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc100.dll dll-load exploit attempt (os-windows.rules) * 1:18717 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banker.QO variant outbound connection (malware-cnc.rules) * 1:18782 <-> DISABLED <-> MALWARE-CNC URI Request for known malicious URI - Chinese Rootkit.Win32.Fisp.a (malware-cnc.rules) * 1:18818 <-> DISABLED <-> FILE-IDENTIFY .chm attachment file type blocked by Outlook detected (file-identify.rules) * 1:18822 <-> DISABLED <-> FILE-IDENTIFY .cpl attachment file type blocked by Outlook detected (file-identify.rules) * 1:18831 <-> DISABLED <-> FILE-IDENTIFY .hta attachment file type blocked by Outlook detected (file-identify.rules) * 1:18901 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC Ticket validation double free memory corruption attempt (server-other.rules) * 1:18932 <-> DISABLED <-> SERVER-WEBAPP Jboss default configuration unauthorized application add attempt (server-webapp.rules) * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules) * 1:19036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules) * 1:19037 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules) * 1:19074 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript uuencoded noop sled attempt (indicator-obfuscation.rules) * 1:19075 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript uuencoded eval statement (indicator-obfuscation.rules) * 1:19079 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getElementById object corruption (browser-ie.rules) * 1:19081 <-> DISABLED <-> INDICATOR-OBFUSCATION known suspicious decryption routine (indicator-obfuscation.rules) * 1:19106 <-> DISABLED <-> MALWARE-OTHER Keylogger Ardamax keylogger runtime detection - http (malware-other.rules) * 1:19122 <-> DISABLED <-> POLICY-SPAM appledownload.com known spam email attempt (policy-spam.rules) * 1:1917 <-> DISABLED <-> INDICATOR-SCAN UPnP service discover attempt (indicator-scan.rules) * 1:19171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt (browser-ie.rules) * 1:19172 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt (browser-ie.rules) * 1:19311 <-> DISABLED <-> PUA-ADWARE Keylogger aspy v2.12 runtime detection (pua-adware.rules) * 1:19314 <-> DISABLED <-> OS-WINDOWS Groove GroovePerfmon.dll dll-load exploit attempt (os-windows.rules) * 1:19315 <-> DISABLED <-> OS-WINDOWS Microsoft Groove GroovePerfmon.dll dll-load exploit attempt (os-windows.rules) * 1:19318 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC UDP default U dun goofed attack (malware-other.rules) * 1:19319 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules) * 1:19324 <-> ENABLED <-> MALWARE-OTHER Keylogger WL-Keylogger inbound connection (malware-other.rules) * 1:19325 <-> DISABLED <-> MALWARE-OTHER Keylogger WL-Keylogger outbound connection (malware-other.rules) * 1:19392 <-> ENABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (malware-other.rules) * 1:19393 <-> DISABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (malware-other.rules) * 1:19437 <-> DISABLED <-> INDICATOR-OBFUSCATION select concat statement - possible sql injection (indicator-obfuscation.rules) * 1:19438 <-> ENABLED <-> SQL url ending in comment characters - possible sql injection attempt (sql.rules) * 1:19439 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:19440 <-> ENABLED <-> SQL 1 = 0 - possible sql injection attempt (sql.rules) * 1:19465 <-> DISABLED <-> OS-WINDOWS Visio mfc71 dll-load attempt (os-windows.rules) * 1:19466 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio mfc71 dll-load exploit attempt (file-office.rules) * 1:19551 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (malware-other.rules) * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules) * 1:19567 <-> DISABLED <-> PUA-ADWARE W32.Ackantta.C.mm mass-mailer outbound connection (pua-adware.rules) * 1:19568 <-> DISABLED <-> MALWARE-CNC Trojan-Spy.Win32.PerfectKeylogger variant outbound connection (malware-cnc.rules) * 1:19617 <-> DISABLED <-> FILE-OTHER Adobe Audition assist.dll dll-load exploit attempt (file-other.rules) * 1:19619 <-> DISABLED <-> FILE-OTHER Adobe Audition assist.dll dll-load exploit attempt (file-other.rules) * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules) * 1:19665 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - GET request (os-windows.rules) * 1:19671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (browser-ie.rules) * 1:19673 <-> DISABLED <-> OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt (os-windows.rules) * 1:19674 <-> DISABLED <-> OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt (os-windows.rules) * 1:19706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent.cer variant outbound connection (malware-cnc.rules) * 1:19741 <-> DISABLED <-> MALWARE-OTHER PWS.Win32.Scofted keylogger runtime detection (malware-other.rules) * 1:19779 <-> DISABLED <-> INDICATOR-SCAN sqlmap SQL injection scan attempt (indicator-scan.rules) * 1:19867 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized javascript encodings detected (indicator-obfuscation.rules) * 1:19868 <-> DISABLED <-> INDICATOR-OBFUSCATION hidden 1x1 div tag - potential malware obfuscation (indicator-obfuscation.rules) * 1:19884 <-> DISABLED <-> INDICATOR-OBFUSCATION String.fromCharCode with multiple encoding types detected (indicator-obfuscation.rules) * 1:19887 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:19888 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:19889 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded data object found (indicator-obfuscation.rules) * 1:19899 <-> ENABLED <-> MALWARE-OTHER Tong Keylogger outbound connectiooutbound connection (malware-other.rules) * 1:19900 <-> DISABLED <-> MALWARE-OTHER Tong Keylogger outbound connection (malware-other.rules) * 1:19901 <-> DISABLED <-> MALWARE-OTHER Tong Keylogger outbound connection (malware-other.rules) * 1:19925 <-> DISABLED <-> BROWSER-PLUGINS Novell iPrint ActiveX client browser plugin call-back-url buffer overflow attempt (browser-plugins.rules) * 1:19927 <-> DISABLED <-> MALWARE-BACKDOOR BRX Rat 0.02 inbound connection (malware-backdoor.rules) * 1:19933 <-> DISABLED <-> INDICATOR-SCAN DirBuster brute forcing tool detected (indicator-scan.rules) * 1:20047 <-> DISABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:20098 <-> DISABLED <-> MALWARE-CNC Win.Trojan.KeyLogger.wav variant outbound connection (malware-cnc.rules) * 1:20118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows shell extensions deskpan.dll dll-load exploit attempt (os-windows.rules) * 1:20119 <-> DISABLED <-> OS-WINDOWS Microsoft Windows shell extensions deskpan.dll dll-load exploit attempt (os-windows.rules) * 1:20137 <-> DISABLED <-> INDICATOR-OBFUSCATION Possible generic javascript heap spray attempt (indicator-obfuscation.rules) * 1:20158 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish Server default credentials login attempt (server-webapp.rules) * 1:20175 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access (browser-plugins.rules) * 1:20212 <-> DISABLED <-> SERVER-OTHER SSL CBC encryption mode weakness brute force attempt (server-other.rules) * 1:20253 <-> DISABLED <-> OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt (os-windows.rules) * 1:20254 <-> DISABLED <-> OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt (os-windows.rules) * 1:20274 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP NetShareEnumAll request (netbios.rules) * 1:20276 <-> DISABLED <-> INDICATOR-OBFUSCATION standard ASCII encoded with UTF-8 possible evasion detected (indicator-obfuscation.rules) * 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules) * 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules) * 1:20593 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt (browser-webkit.rules) * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:20691 <-> DISABLED <-> POLICY-OTHER Cisco Network Registrar default credentials authentication attempt (policy-other.rules) * 1:20692 <-> DISABLED <-> POLICY-OTHER Cisco network registrar default credentials authentication attempt (policy-other.rules) * 1:20700 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp7x32.dll dll-load exploit attempt (file-office.rules) * 1:20701 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp4x322.dll dll-load exploit attempt (file-office.rules) * 1:20702 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp7x32.dll dll-load exploit attempt (file-office.rules) * 1:20703 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp4x322.dll dll-load exploit attempt (file-office.rules) * 1:20995 <-> DISABLED <-> POLICY-OTHER HP SiteScope integrationViewer default credentials policy-bypass attempt (policy-other.rules) * 1:20996 <-> DISABLED <-> POLICY-OTHER HP SiteScope integrationViewer default credentials policy-bypass attempt (policy-other.rules) * 1:21037 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized javascript encodings detected (indicator-obfuscation.rules) * 1:21038 <-> DISABLED <-> INDICATOR-OBFUSCATION String.fromCharCode with multiple encoding types detected (indicator-obfuscation.rules) * 1:21039 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:21040 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:21088 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote desktop denial of service attempt (os-windows.rules) * 1:21089 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote desktop oversized cookie attempt (os-windows.rules) * 1:21108 <-> DISABLED <-> EXPLOIT-KIT unknown exploit kit obfuscated landing page (exploit-kit.rules) * 1:21117 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell (indicator-compromise.rules) * 1:21118 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell security information display (indicator-compromise.rules) * 1:21119 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell interactive file system information display (indicator-compromise.rules) * 1:21120 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell interactive console display (indicator-compromise.rules) * 1:21121 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell interactive SQL display (indicator-compromise.rules) * 1:21129 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell (indicator-compromise.rules) * 1:21130 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell enumeration page (indicator-compromise.rules) * 1:21131 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell domain lookup page (indicator-compromise.rules) * 1:21132 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell sql interaction page (indicator-compromise.rules) * 1:21133 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell encoder page (indicator-compromise.rules) * 1:21134 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell security information page (indicator-compromise.rules) * 1:21135 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell password cracking page (indicator-compromise.rules) * 1:21136 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell security bypass page (indicator-compromise.rules) * 1:21137 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell tools page (indicator-compromise.rules) * 1:21138 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell database parsing page (indicator-compromise.rules) * 1:21139 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell spread shell page (indicator-compromise.rules) * 1:21140 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell kill shell page (indicator-compromise.rules) * 1:21232 <-> DISABLED <-> SERVER-OTHER Remote Desktop Protocol brute force attempt (server-other.rules) * 1:21282 <-> ENABLED <-> FILE-IDENTIFY XSL file download request (file-identify.rules) * 1:21283 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules) * 1:21284 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules) * 1:21285 <-> ENABLED <-> FILE-IDENTIFY XSLT file download request (file-identify.rules) * 1:21286 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules) * 1:21287 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules) * 1:21289 <-> DISABLED <-> OS-WINDOWS Microsoft Color Control Panel STI.dll dll-load exploit attempt (os-windows.rules) * 1:21290 <-> DISABLED <-> OS-WINDOWS Microsoft Color Control Panel STI.dll dll-load exploit attempt (os-windows.rules) * 1:213 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit attempt (malware-backdoor.rules) * 1:21310 <-> DISABLED <-> OS-WINDOWS Microsoft product fputlsat.dll dll-load exploit attempt (os-windows.rules) * 1:21318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FakeAV TDSS/PurpleHaze variant outbound connection - base64 encoded (malware-cnc.rules) * 1:21322 <-> DISABLED <-> FILE-OTHER Multiple products version.dll dll-load exploit attempt (file-other.rules) * 1:21323 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player atl.dll dll-load exploit attempt (file-flash.rules) * 1:21324 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player uxtheme.dll dll-load exploit attempt (file-flash.rules) * 1:21377 <-> DISABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager sql injection attempt (server-webapp.rules) * 1:214 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x (malware-backdoor.rules) * 1:21442 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - base64 encoded (malware-cnc.rules) * 1:2145 <-> DISABLED <-> SERVER-WEBAPP TextPortal admin.php default password admin attempt (server-webapp.rules) * 1:2146 <-> DISABLED <-> SERVER-WEBAPP TextPortal admin.php default password 12345 attempt (server-webapp.rules) * 1:21478 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules) * 1:21479 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules) * 1:21489 <-> DISABLED <-> FILE-OTHER Microsoft Windows chm file malware related exploit (file-other.rules) * 1:215 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit attempt (malware-backdoor.rules) * 1:21519 <-> DISABLED <-> INDICATOR-OBFUSCATION Dadongs obfuscated javascript (indicator-obfuscation.rules) * 1:21550 <-> ENABLED <-> MALWARE-BACKDOOR ToolsPack PHP Backdoor access (malware-backdoor.rules) * 1:21567 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design wintab32.dll dll-load exploit attempt (os-windows.rules) * 1:21577 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - charcode (indicator-obfuscation.rules) * 1:21578 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - eval (indicator-obfuscation.rules) * 1:21579 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:21580 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:21582 <-> DISABLED <-> FILE-PDF PDF obfuscation attempt (file-pdf.rules) * 1:216 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit satori attempt (malware-backdoor.rules) * 1:21637 <-> DISABLED <-> POLICY-SPAM local user attempted to fill out paypal phishing form (policy-spam.rules) * 1:2176 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder access (os-windows.rules) * 1:2177 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder unicode access (os-windows.rules) * 1:21778 <-> DISABLED <-> SQL parameter ending in comment characters - possible sql injection attempt - POST (sql.rules) * 1:21779 <-> DISABLED <-> SQL parameter ending in encoded comment characters - possible sql injection attempt - POST (sql.rules) * 1:21780 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded waitfor delay function in POST - possible sql injection attempt (indicator-obfuscation.rules) * 1:21781 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded union select function in POST - possible sql injection attempt (indicator-obfuscation.rules) * 1:21782 <-> DISABLED <-> INDICATOR-OBFUSCATION script tag in POST parameters - likely cross-site scripting (indicator-obfuscation.rules) * 1:21783 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting (indicator-obfuscation.rules) * 1:21784 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting (indicator-obfuscation.rules) * 1:21785 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript escape function in POST parameters - likely javascript injection (indicator-obfuscation.rules) * 1:21786 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection (indicator-obfuscation.rules) * 1:21787 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection (indicator-obfuscation.rules) * 1:21938 <-> DISABLED <-> PROTOCOL-TELNET RuggedCom default backdoor login attempt (protocol-telnet.rules) * 1:21947 <-> DISABLED <-> MALWARE-CNC Win.Trojan.VicSpy.A variant outbound connection (malware-cnc.rules) * 1:22033 <-> ENABLED <-> MALWARE-CNC Apple OSX Flashback malware variant outbound connection (malware-cnc.rules) * 1:22034 <-> ENABLED <-> MALWARE-CNC Apple OSX Flashback malware variant outbound connection (malware-cnc.rules) * 1:22053 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Insomnia variant inbound connection - post infection (malware-cnc.rules) * 1:22061 <-> ENABLED <-> MALWARE-OTHER Alureon - Malicious IFRAME load attempt (malware-other.rules) * 1:22071 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - eval (indicator-obfuscation.rules) * 1:22072 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:22073 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - unescape (indicator-obfuscation.rules) * 1:22074 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - charCode (indicator-obfuscation.rules) * 1:2230 <-> DISABLED <-> SERVER-WEBAPP NetGear router default password login attempt admin/password (server-webapp.rules) * 1:2273 <-> DISABLED <-> PROTOCOL-IMAP login brute force attempt (protocol-imap.rules) * 1:2274 <-> DISABLED <-> PROTOCOL-POP login brute force attempt (protocol-pop.rules) * 1:2275 <-> DISABLED <-> SERVER-MAIL AUTH LOGON brute force attempt (server-mail.rules) * 1:22969 <-> ENABLED <-> FILE-IDENTIFY remote desktop configuration file attachment detected (file-identify.rules) * 1:22970 <-> ENABLED <-> FILE-IDENTIFY remote desktop configuration file attachment detected (file-identify.rules) * 1:23018 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules) * 1:23085 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - join (indicator-obfuscation.rules) * 1:23086 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - push (indicator-obfuscation.rules) * 1:23087 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - xval (indicator-obfuscation.rules) * 1:23088 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - qweqwe (indicator-obfuscation.rules) * 1:23089 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript strings - obfuscation pattern (indicator-obfuscation.rules) * 1:23113 <-> DISABLED <-> INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious (indicator-obfuscation.rules) * 1:23114 <-> DISABLED <-> INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious (indicator-obfuscation.rules) * 1:23160 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:23161 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - eval (indicator-obfuscation.rules) * 1:23164 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online ncrypt.dll dll-load exploit attempt (server-other.rules) * 1:23165 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online wlanapi.dll dll-load exploit attempt (server-other.rules) * 1:23226 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript error suppression routine (indicator-obfuscation.rules) * 1:233 <-> DISABLED <-> MALWARE-OTHER Trin00 Attacker to Master default startup password (malware-other.rules) * 1:23316 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word imeshare.dll dll-load exploit attempt (file-office.rules) * 1:2334 <-> DISABLED <-> PROTOCOL-FTP Yak! FTP server default account login attempt (protocol-ftp.rules) * 1:234 <-> DISABLED <-> MALWARE-OTHER Trin00 Attacker to Master default password (malware-other.rules) * 1:23481 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in setTimeout call (indicator-obfuscation.rules) * 1:23482 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in addEventListener call (indicator-obfuscation.rules) * 1:235 <-> DISABLED <-> MALWARE-OTHER Trin00 Attacker to Master default mdie password (malware-other.rules) * 1:23601 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan default agent string (indicator-scan.rules) * 1:23602 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan Firefox agent string (indicator-scan.rules) * 1:23603 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan MSIE agent string (indicator-scan.rules) * 1:23604 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan iPhone agent string (indicator-scan.rules) * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:23620 <-> ENABLED <-> MALWARE-OTHER Malvertising network attempted redirect (malware-other.rules) * 1:23621 <-> DISABLED <-> INDICATOR-OBFUSCATION known packer routine with secondary obfuscation (indicator-obfuscation.rules) * 1:23636 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder (indicator-obfuscation.rules) * 1:237 <-> DISABLED <-> MALWARE-OTHER Trin00 Master to Daemon default password attempt (malware-other.rules) * 1:23757 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules) * 1:23780 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Begfanit.A outbound connection (malware-cnc.rules) * 1:23829 <-> DISABLED <-> INDICATOR-COMPROMISE Loaderz Web Shell (indicator-compromise.rules) * 1:23830 <-> DISABLED <-> INDICATOR-COMPROMISE Alsa3ek Web Shell (indicator-compromise.rules) * 1:23831 <-> DISABLED <-> INDICATOR-OBFUSCATION non-alphanumeric javascript detected (indicator-obfuscation.rules) * 1:23832 <-> DISABLED <-> INDICATOR-OBFUSCATION non-alphanumeric javascript detected (indicator-obfuscation.rules) * 1:23934 <-> DISABLED <-> SERVER-WEBAPP Symantec Web Gateway blocked.php blind sql injection attempt (server-webapp.rules) * 1:23947 <-> DISABLED <-> SQL IBM System Storage DS storage manager profiler sql injection attempt (sql.rules) * 1:23985 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime plugin SetLanguage buffer overflow attempt (browser-plugins.rules) * 1:23986 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime plugin SetLanguage buffer overflow attempt (browser-plugins.rules) * 1:24008 <-> DISABLED <-> POLICY-OTHER use of psexec remote administration tool (policy-other.rules) * 1:2406 <-> DISABLED <-> PROTOCOL-TELNET APC SmartSlot default admin account attempt (protocol-telnet.rules) * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules) * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules) * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules) * 1:24096 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules) * 1:24097 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules) * 1:24098 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules) * 1:24167 <-> DISABLED <-> INDICATOR-OBFUSCATION document write of unescaped value with remote script (indicator-obfuscation.rules) * 1:24168 <-> DISABLED <-> INDICATOR-OBFUSCATION hidden iframe - potential include of malicious content (indicator-obfuscation.rules) * 1:24243 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - base64 encoded (malware-cnc.rules) * 1:24306 <-> DISABLED <-> SERVER-APACHE HP Operations Dashboard Apache Tomcat default admin account access attempt (server-apache.rules) * 1:24360 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Kerberos NULL session denial of service attempt (os-windows.rules) * 1:24368 <-> ENABLED <-> MALWARE-CNC Lizamoon sql injection campaign phone-home (malware-cnc.rules) * 1:24369 <-> DISABLED <-> MALWARE-CNC Lizamoon sql injection campaign ur.php response detected (malware-cnc.rules) * 1:24372 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:24426 <-> DISABLED <-> MALWARE-OTHER Java.Trojan.Jacksbot class download (malware-other.rules) * 1:24435 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt (server-webapp.rules) * 1:24436 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt (server-webapp.rules) * 1:24517 <-> DISABLED <-> SERVER-WEBAPP F5 Networks FirePass my.activation.php3 state parameter sql injection attempt (server-webapp.rules) * 1:24629 <-> DISABLED <-> SERVER-WEBAPP Oracle Fusion Middleware WebCenter selectedLocale parameter sql injection attempt (server-webapp.rules) * 1:24704 <-> DISABLED <-> SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt (server-webapp.rules) * 1:24705 <-> DISABLED <-> SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt (server-webapp.rules) * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice arbitrary file deletion attempt (server-webapp.rules) * 1:24801 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager Express asset.getmimetype sql injection attempt (server-webapp.rules) * 1:24814 <-> DISABLED <-> PROTOCOL-SNMP Samsung printer default community string (protocol-snmp.rules) * 1:25010 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Perflog variant outbound connection (malware-cnc.rules) * 1:25060 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveX multiple adjacent object tags (indicator-obfuscation.rules) * 1:25106 <-> DISABLED <-> MALWARE-BACKDOOR UnrealIRCd backdoor command execution attempt (malware-backdoor.rules) * 1:25391 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit obfuscated payload download (exploit-kit.rules) * 1:25451 <-> ENABLED <-> INDICATOR-OBFUSCATION GIF header followed by PDF header (indicator-obfuscation.rules) * 1:25452 <-> ENABLED <-> INDICATOR-OBFUSCATION PNG header followed by PDF header (indicator-obfuscation.rules) * 1:25453 <-> ENABLED <-> INDICATOR-OBFUSCATION JPEG header followed by PDF header (indicator-obfuscation.rules) * 1:25454 <-> ENABLED <-> INDICATOR-OBFUSCATION DOC header followed by PDF header (indicator-obfuscation.rules) * 1:25455 <-> ENABLED <-> INDICATOR-OBFUSCATION GIF header followed by PDF header (indicator-obfuscation.rules) * 1:25456 <-> ENABLED <-> INDICATOR-OBFUSCATION PNG header followed by PDF header (indicator-obfuscation.rules) * 1:25457 <-> ENABLED <-> INDICATOR-OBFUSCATION JPEG header followed by PDF header (indicator-obfuscation.rules) * 1:25458 <-> ENABLED <-> INDICATOR-OBFUSCATION DOC header followed by PDF header (indicator-obfuscation.rules) * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:25503 <-> ENABLED <-> MALWARE-CNC Necurs Rootkit sba.cgi (malware-cnc.rules) * 1:25504 <-> ENABLED <-> MALWARE-CNC Necurs Rootkit op.cgi (malware-cnc.rules) * 1:25562 <-> DISABLED <-> FILE-JAVA Oracle Java obfuscated jar file download attempt (file-java.rules) * 1:25567 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - POST request (os-windows.rules) * 1:25577 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST (malware-cnc.rules) * 1:25578 <-> ENABLED <-> MALWARE-OTHER Fake postal receipt HTTP Response phishing attack (malware-other.rules) * 1:25579 <-> ENABLED <-> MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack (malware-other.rules) * 1:25580 <-> ENABLED <-> MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack (malware-other.rules) * 1:25592 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated document command - used in IFRAMEr tool injection (indicator-obfuscation.rules) * 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules) * 1:25783 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:2579 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow TCP (server-other.rules) * 1:25907 <-> DISABLED <-> SERVER-WEBAPP PHPmyadmin brute force login attempt - User-Agent User-Agent (server-webapp.rules) * 1:25983 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (indicator-obfuscation.rules) * 1:26040 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt (exploit-kit.rules) * 1:26070 <-> ENABLED <-> FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt (file-executable.rules) * 1:26071 <-> ENABLED <-> FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt (file-executable.rules) * 1:26092 <-> ENABLED <-> INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages (indicator-obfuscation.rules) * 1:26101 <-> ENABLED <-> INDICATOR-OBFUSCATION String.fromCharCode concatenation (indicator-obfuscation.rules) * 1:26261 <-> ENABLED <-> MALWARE-OTHER Fake postal receipt HTTP Response phishing attack (malware-other.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules) * 1:26349 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit obfuscated portable executable (exploit-kit.rules) * 1:26352 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits (indicator-obfuscation.rules) * 1:26440 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected (indicator-obfuscation.rules) * 1:26441 <-> ENABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected (indicator-obfuscation.rules) * 1:26451 <-> DISABLED <-> INDICATOR-OBFUSCATION g01pack Javascript substr function wrapper attempt (indicator-obfuscation.rules) * 1:26565 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules) * 1:26566 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules) * 1:26567 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules) * 1:26568 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules) * 1:26592 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt (browser-webkit.rules) * 1:26595 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript hex character extraction routine detected (indicator-obfuscation.rules) * 1:26596 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript fromCharCode xor decryption routine detected (indicator-obfuscation.rules) * 1:26615 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript substr rename attempt (indicator-obfuscation.rules) * 1:26616 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript indexOf rename attempt (indicator-obfuscation.rules) * 1:26619 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious (indicator-obfuscation.rules) * 1:26620 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious (indicator-obfuscation.rules) * 1:26639 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value (browser-ie.rules) * 1:26640 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value (browser-ie.rules) * 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules) * 1:26660 <-> ENABLED <-> MALWARE-OTHER Fake delivery information phishing attack (malware-other.rules) * 1:26689 <-> DISABLED <-> OS-MOBILE Android Denofow phone information exfiltration (os-mobile.rules) * 1:26693 <-> DISABLED <-> OS-MOBILE Android Antammi device information exfiltration (os-mobile.rules) * 1:26705 <-> DISABLED <-> OS-MOBILE Android Ewalls device information exfiltration (os-mobile.rules) * 1:26759 <-> DISABLED <-> SERVER-OTHER MIT Kerberos libkdb_ldap principal name handling denial of service attempt (server-other.rules) * 1:26769 <-> DISABLED <-> SERVER-OTHER MIT Kerberos kpasswd process_chpw_request denial of service attempt (server-other.rules) * 1:26774 <-> ENABLED <-> MALWARE-CNC Win.Worm.Luder variant outbound connection (malware-cnc.rules) * 1:26803 <-> ENABLED <-> MALWARE-OTHER DNS data exfiltration attempt (malware-other.rules) * 1:27073 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules) * 1:27074 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules) * 1:27119 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple plugin version detection attempt (indicator-obfuscation.rules) * 1:27193 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:27194 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:27195 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules) * 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules) * 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules) * 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules) * 1:27258 <-> DISABLED <-> INDICATOR-OBFUSCATION eval large block of fromCharCode (indicator-obfuscation.rules) * 1:27259 <-> DISABLED <-> INDICATOR-OBFUSCATION eval large block of fromCharCode (indicator-obfuscation.rules) * 1:27272 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:27286 <-> DISABLED <-> SERVER-WEBAPP DuWare DuClassmate default.asp iCity sql injection attempt (server-webapp.rules) * 1:27287 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:27288 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:27538 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name (malware-other.rules) * 1:27592 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:27593 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split (indicator-obfuscation.rules) * 1:27729 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /Silic.jsp (indicator-compromise.rules) * 1:27730 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /css3.jsp (indicator-compromise.rules) * 1:27731 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /inback.jsp (indicator-compromise.rules) * 1:27732 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /jspspy.jsp (indicator-compromise.rules) * 1:27735 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool usage (indicator-obfuscation.rules) * 1:27736 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:27756 <-> DISABLED <-> SERVER-WEBAPP RedHat Piranha Virtual Server Package default passwd and arbitrary command execution attempt (server-webapp.rules) * 1:27774 <-> ENABLED <-> MALWARE-CNC RDN Banker Data Exfiltration (malware-cnc.rules) * 1:27919 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration (malware-cnc.rules) * 1:27920 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:27956 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (malware-other.rules) * 1:27957 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (malware-other.rules) * 1:27958 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (malware-other.rules) * 1:27959 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (malware-other.rules) * 1:27960 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (malware-other.rules) * 1:27961 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (malware-other.rules) * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:27967 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:28002 <-> DISABLED <-> INDICATOR-SCAN UPnP WANPPPConnection (indicator-scan.rules) * 1:28003 <-> DISABLED <-> INDICATOR-SCAN UPnP WANIPConnection (indicator-scan.rules) * 1:28023 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28024 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28025 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28149 <-> DISABLED <-> SERVER-OTHER Quest Software Big Brother attempted arbitrary file deletion (server-other.rules) * 1:28255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz Potential phishing URL (malware-cnc.rules) * 1:28278 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager express user.updateUserValue sql injection attempt (server-webapp.rules) * 1:28301 <-> DISABLED <-> INDICATOR-SCAN User-Agent known malicious user-agent Masscan (indicator-scan.rules) * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:28344 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to chr function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:28345 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28346 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28349 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:28350 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:28351 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:28399 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Tsunami outbound connection (malware-cnc.rules) * 1:28420 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28421 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28422 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28552 <-> DISABLED <-> INDICATOR-SCAN inbound probing for IPTUX messenger port (indicator-scan.rules) * 1:28609 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit obfuscated exploit payload download (exploit-kit.rules) * 1:28629 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:28630 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:28811 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28812 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28831 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro d2d1.dll dll-load exploit attempt (file-other.rules) * 1:28833 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt (file-other.rules) * 1:28834 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt (file-other.rules) * 1:28835 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt (file-other.rules) * 1:28836 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wintab32.dll dll-load exploit attempt (file-other.rules) * 1:28837 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro d2d1.dll dll-load exploit attempt (file-other.rules) * 1:28839 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt (file-other.rules) * 1:28840 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt (file-other.rules) * 1:28841 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt (file-other.rules) * 1:28842 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wintab32.dll dll-load exploit attempt (file-other.rules) * 1:28908 <-> DISABLED <-> SERVER-OTHER Nagios core config manager tfpassword sql injection attempt (server-other.rules) * 1:28931 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHM file load attempt (browser-ie.rules) * 1:28932 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHM file load attempt (browser-ie.rules) * 1:28941 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28976 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent.DF - Data Exfiltration (malware-cnc.rules) * 1:28978 <-> DISABLED <-> FILE-OTHER CHM LZX compression reset interval anti-virus evasion attempt (file-other.rules) * 1:28979 <-> DISABLED <-> FILE-OTHER CHM LZX compression reset interval anti-virus evasion attempt (file-other.rules) * 1:28991 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Qakbot FTP data exfiltration (malware-cnc.rules) * 1:29031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant inbound connection (malware-cnc.rules) * 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules) * 1:29190 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in Nuclear exploit kit (indicator-obfuscation.rules) * 1:29213 <-> ENABLED <-> INDICATOR-OBFUSCATION potential math library debugging (indicator-obfuscation.rules) * 1:29261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (malware-cnc.rules) * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules) * 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules) * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules) * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules) * 1:29393 <-> DISABLED <-> SERVER-OTHER ntp monlist denial of service attempt (server-other.rules) * 1:29394 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit QuickTime plugin content-type http header buffer overflow attempt (browser-webkit.rules) * 1:29396 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip receipt filename download with .exe name within .zip the same (policy-spam.rules) * 1:29397 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip shipping filename download with .exe name within .zip the same (policy-spam.rules) * 1:29398 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip voicemail filename download with .exe name within .zip the same (policy-spam.rules) * 1:29399 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip statement filename download with .exe name within .zip the same (policy-spam.rules) * 1:29462 <-> ENABLED <-> INDICATOR-SCAN User-Agent known malicious user-agent The Mole (indicator-scan.rules) * 1:29509 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple character encodings detected (indicator-obfuscation.rules) * 1:29510 <-> ENABLED <-> INDICATOR-OBFUSCATION Multiple character encodings detected (indicator-obfuscation.rules) * 1:29519 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join (indicator-obfuscation.rules) * 1:29580 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVG data processing obfuscated memory corruption attempt (browser-firefox.rules) * 1:29608 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO showRegisteredTypeDetails.do sql injection attempt (server-webapp.rules) * 1:29609 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO DisplayMSAPropsDetail.do sql injection attempt (server-webapp.rules) * 1:29615 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keylogger outbound connection (malware-cnc.rules) * 1:29616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keylogger inbound connection (malware-cnc.rules) * 1:29620 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop malformed PNG detected tRNS overflow attempt (file-image.rules) * 1:29680 <-> DISABLED <-> BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt (browser-plugins.rules) * 1:29681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt (browser-plugins.rules) * 1:29745 <-> DISABLED <-> INDICATOR-OBFUSCATION Alternating character encodings - JS variable (indicator-obfuscation.rules) * 1:29756 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager express user.updateUserValue sql injection attempt (server-webapp.rules) * 1:29789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Careto plugin download (malware-cnc.rules) * 1:29790 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Careto plugin download (malware-cnc.rules) * 1:29791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Careto plugin download (malware-cnc.rules) * 1:29807 <-> DISABLED <-> INDICATOR-OBFUSCATION Alternating character encodings - JS array (indicator-obfuscation.rules) * 1:29813 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized HTML number encodings detected in clsid access attempt (indicator-obfuscation.rules) * 1:29869 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Napolar phishing attack (malware-cnc.rules) * 1:29886 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Crypi.A outbound keylogger traffic (malware-cnc.rules) * 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules) * 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (exploit-kit.rules) * 1:30040 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:30041 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:30281 <-> DISABLED <-> POLICY-OTHER use of psexec remote administration tool SMBv2 (policy-other.rules) * 1:30327 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple binary tags in close proximity - potentially malicious (indicator-obfuscation.rules) * 1:30328 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple binary tags in close proximity - potentially malicious (indicator-obfuscation.rules) * 1:30392 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload cmd_windows_reverse_powershell (indicator-shellcode.rules) * 1:30567 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt (malware-other.rules) * 1:30568 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt (malware-other.rules) * 1:30569 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent Funeral ceremony phishing attempt (malware-other.rules) * 1:30982 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Karnos variant outbound connection (malware-cnc.rules) * 1:31070 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs outbound connection (malware-cnc.rules) * 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules) * 1:31301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (browser-ie.rules) * 1:31303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadeki variant outbound connection (malware-cnc.rules) * 1:31411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31412 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31415 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31416 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:3152 <-> DISABLED <-> SQL sa brute force failed login attempt (sql.rules) * 1:31556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke HTTP data exfiltration attempt (malware-cnc.rules) * 1:31564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke FTP data exfiltration (malware-cnc.rules) * 1:31711 <-> DISABLED <-> INDICATOR-COMPROMISE Keylog string over FTP detected (indicator-compromise.rules) * 1:31764 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules) * 1:31765 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules) * 1:31806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nighthunter data exfiltration attempt (malware-cnc.rules) * 1:31807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nighthunter data exfiltration attempt (malware-cnc.rules) * 1:31830 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules) * 1:31831 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules) * 1:31846 <-> DISABLED <-> POLICY-OTHER HP Universal CMDB default credentials authentication attempt (policy-other.rules) * 1:31857 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules) * 1:31858 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules) * 1:31859 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (exploit-kit.rules) * 1:31874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt (os-windows.rules) * 1:32001 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules) * 1:32008 <-> ENABLED <-> MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack (malware-other.rules) * 1:32068 <-> DISABLED <-> POLICY-OTHER SolarWinds Log and Event Manager default credentials authentication attempt (policy-other.rules) * 1:32102 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules) * 1:32103 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules) * 1:32104 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules) * 1:32105 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules) * 1:32204 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules) * 1:32205 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules) * 1:32312 <-> DISABLED <-> MALWARE-CNC FrameworkPOS data exfiltration through DNS - beacon message (malware-cnc.rules) * 1:32355 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript variable obfuscation (indicator-obfuscation.rules) * 1:32501 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (file-other.rules) * 1:32502 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (file-other.rules) * 1:32526 <-> DISABLED <-> POLICY-OTHER Visual Mining NetCharts default credentials authentication attempt (policy-other.rules) * 1:32602 <-> DISABLED <-> POLICY-OTHER ManageEngine Eventlog Analyzer credential disclosure attempt (policy-other.rules) * 1:3273 <-> DISABLED <-> SQL sa brute force failed login unicode attempt (sql.rules) * 1:32740 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:32741 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:32755 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (server-other.rules) * 1:32756 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (server-other.rules) * 1:32757 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (server-other.rules) * 1:32758 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (server-other.rules) * 1:32759 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (server-other.rules) * 1:32760 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (server-other.rules) * 1:32771 <-> DISABLED <-> MALWARE-OTHER Adobe Invoice email scam phishing attempt (malware-other.rules) * 1:32772 <-> DISABLED <-> MALWARE-OTHER Adobe License Key email scam phishing attempt (malware-other.rules) * 1:32804 <-> ENABLED <-> EXPLOIT-KIT known malicious javascript packer detected (exploit-kit.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:32890 <-> DISABLED <-> SERVER-OTHER ntpd configure buffer overflow attempt (server-other.rules) * 1:32945 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (file-identify.rules) * 1:32946 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (file-identify.rules) * 1:32947 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file download request (file-identify.rules) * 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules) * 1:32949 <-> DISABLED <-> MALWARE-OTHER Download of executable screensaver file (malware-other.rules) * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules) * 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules) * 1:33221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules) * 1:33222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules) * 1:33223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules) * 1:33547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Turla outbound connection (malware-cnc.rules) * 1:33566 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt (browser-firefox.rules) * 1:33656 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak data exfiltration attempt (malware-cnc.rules) * 1:33857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PwnPOS data exfiltration attempt (malware-cnc.rules) * 1:33886 <-> ENABLED <-> MALWARE-CNC WIn.Trojan.HawkEye keylogger variant outbound connection (malware-cnc.rules) * 1:33939 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (malware-other.rules) * 1:33940 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (malware-other.rules) * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:33983 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit obfuscated file download (exploit-kit.rules) * 1:34037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound connection (malware-cnc.rules) * 1:34112 <-> DISABLED <-> SERVER-OTHER NTP mode 6 REQ_NONCE denial of service attempt (server-other.rules) * 1:34114 <-> DISABLED <-> SERVER-OTHER NTP mode 6 UNSETTRAP denial of service attempt (server-other.rules) * 1:34118 <-> DISABLED <-> INDICATOR-OBFUSCATION known malicious javascript packer detected (indicator-obfuscation.rules) * 1:34226 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple AV products evasion attempt (indicator-obfuscation.rules) * 1:34227 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple AV products evasion attempt (indicator-obfuscation.rules) * 1:34295 <-> DISABLED <-> SQL Lblog possible sql injection attempt - GET parameter (sql.rules) * 1:34345 <-> DISABLED <-> POLICY-OTHER Red Hat OpenStack default password login attempt (policy-other.rules) * 1:34446 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Odlanor information exfiltration attempt (malware-cnc.rules) * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules) * 1:34709 <-> DISABLED <-> SERVER-OTHER MIT Kerberos MIT Kerberos 5 krb5_read_message denial of service attempt (server-other.rules) * 1:34890 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro u32ZLib.dll dll-load exploit attempt (file-other.rules) * 1:34891 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro u32Zlib.dll dll-load exploit attempt (file-other.rules) * 1:34892 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro quserex.dll dll-load exploit attempt (file-other.rules) * 1:34893 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro quserex.dll dll-load exploit attempt (file-other.rules) * 1:34894 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro FxManagedCommands dll-load exploit attempt (file-other.rules) * 1:34895 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro FxManagedCommands dll-load exploit attempt (file-other.rules) * 1:34896 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro TD_Mgd_3.08_9.dll dll-load exploit attempt (file-other.rules) * 1:34897 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro TD_Mgd_3.08_9.dll dll-load exploit attempt (file-other.rules) * 1:34898 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wacommt.dll dll-load exploit attempt (file-other.rules) * 1:34899 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wacommt.dll dll-load exploit attempt (file-other.rules) * 1:34900 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro igfxcmrt32.dll dll-load exploit attempt (file-other.rules) * 1:34901 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro igfxcmrt32.dll dll-load exploit attempt (file-other.rules) * 1:34902 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt (file-other.rules) * 1:34903 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro MSPStyleLib.dll dll-load exploit attempt (file-other.rules) * 1:34904 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro MSPStyleLib.dll dll-load exploit attempt (file-other.rules) * 1:34905 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uFioUtil.dll dll-load exploit attempt (file-other.rules) * 1:34906 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uFioUtil.dll dll-load exploit attempt (file-other.rules) * 1:34907 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uhDSPlay.dll dll-load exploit attempt (file-other.rules) * 1:34908 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uhDSPlay.dll dll-load exploit attempt (file-other.rules) * 1:34909 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt (file-other.rules) * 1:34910 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt (file-other.rules) * 1:34911 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll.dll dll-load exploit attempt (file-other.rules) * 1:34912 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll.dll dll-load exploit attempt (file-other.rules) * 1:34913 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll_SSE3.dll dll-load exploit attempt (file-other.rules) * 1:34914 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll_SSE3.dll dll-load exploit attempt (file-other.rules) * 1:34915 <-> DISABLED <-> NETBIOS SMB Corel PaintShop Pro quserex.dll dll-load exploit attempt (netbios.rules) * 1:34916 <-> DISABLED <-> NETBIOS SMB Corel PaintShop Pro u32zlib.dll dll-load exploit attempt (netbios.rules) * 1:34944 <-> DISABLED <-> POLICY-OTHER Arcserve Unified Data Protection Management credential disclosure attempt (policy-other.rules) * 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection (malware-cnc.rules) * 1:35029 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.Lotronc variant outbound connection (malware-cnc.rules) * 1:35109 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules) * 1:35110 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules) * 1:35111 <-> DISABLED <-> SERVER-OTHER OpenSSL anomalous x509 certificate with default org name and certificate chain detected (server-other.rules) * 1:35118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules) * 1:35143 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer msostyle.dll dll-load exploit attempt (file-office.rules) * 1:35168 <-> DISABLED <-> FILE-OFFICE Microsoft Office rapi.dll dll-load exploit attempt (file-office.rules) * 1:3519 <-> DISABLED <-> SERVER-MYSQL MaxDB WebSQL wppassword buffer overflow default port (server-mysql.rules) * 1:35215 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode atlthunk.dll dll-load exploit attempt (browser-ie.rules) * 1:35317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Directate outbound connection (malware-cnc.rules) * 1:3542 <-> DISABLED <-> SQL SA brute force login attempt (sql.rules) * 1:3543 <-> DISABLED <-> SQL SA brute force login attempt TDS v7/8 (sql.rules) * 1:35471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Baisogu outbound connection (malware-cnc.rules) * 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules) * 1:3552 <-> DISABLED <-> OS-WINDOWS Microsoft Windows OLE32 MSHTA masquerade attempt (os-windows.rules) * 1:35527 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules) * 1:35528 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules) * 1:35737 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules) * 1:35738 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules) * 1:35769 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike inbound connection (malware-backdoor.rules) * 1:35770 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike outbound connection (malware-backdoor.rules) * 1:35831 <-> DISABLED <-> SERVER-OTHER multiple vendors NTP daemon integer overflow attempt (server-other.rules) * 1:35886 <-> DISABLED <-> POLICY-OTHER Kaskad SCADA default username and password attempt (policy-other.rules) * 1:36036 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (indicator-obfuscation.rules) * 1:36054 <-> ENABLED <-> MALWARE-CNC Ios.Backdoor.SYNful inbound connection (malware-cnc.rules) * 1:36070 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join attempt (indicator-obfuscation.rules) * 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules) * 1:36198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant certificate (malware-cnc.rules) * 1:36201 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (exploit-kit.rules) * 1:36250 <-> DISABLED <-> SERVER-OTHER ntpd keyfile buffer overflow attempt (server-other.rules) * 1:36251 <-> DISABLED <-> SERVER-OTHER ntpq atoascii memory corruption attempt (server-other.rules) * 1:36252 <-> DISABLED <-> SERVER-OTHER ntpd remote configuration denial of service attempt (server-other.rules) * 1:36253 <-> DISABLED <-> SERVER-OTHER ntpd saveconfig directory traversal attempt (server-other.rules) * 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules) * 1:36304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinPlock variant outbound connection (malware-cnc.rules) * 1:36338 <-> ENABLED <-> MALWARE-OTHER Apple iTunes Connect HTTP response phishing attempt (malware-other.rules) * 1:36375 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Management Framework Endpoint default HTTP password authentication attempt (server-other.rules) * 1:36407 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:36408 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:36409 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:36410 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:36536 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK packet flood attempt (server-other.rules) * 1:36585 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari user assisted applescript code execution attempt (browser-webkit.rules) * 1:36596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules) * 1:36601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules) * 1:36602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules) * 1:36603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules) * 1:36632 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules) * 1:36633 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules) * 1:36666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tentobr outbound connection (malware-cnc.rules) * 1:3679 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Products IFRAME src javascript code execution (indicator-obfuscation.rules) * 1:36804 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdistsvc.dll dll-load exploit attempt (os-windows.rules) * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules) * 1:36815 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected (server-other.rules) * 1:36816 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected (server-other.rules) * 1:36824 <-> DISABLED <-> EXPLOIT-KIT Known exploit kit obfuscation routine detected (exploit-kit.rules) * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules) * 1:36931 <-> ENABLED <-> FILE-OFFICE Microsoft Office wuaext.dll dll-load exploit attempt (file-office.rules) * 1:36994 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:36996 <-> ENABLED <-> FILE-OFFICE Microsoft Office spframe.dll dll-load exploit attempt (file-office.rules) * 1:36999 <-> ENABLED <-> FILE-OFFICE Microsoft Office elsext.dll dll-load exploit attempt (file-office.rules) * 1:37000 <-> ENABLED <-> FILE-OFFICE Microsoft Office nwdblib.dll dll-load exploit attempt (file-office.rules) * 1:37130 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules) * 1:37132 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules) * 1:37243 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules) * 1:37244 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules) * 1:37245 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:37257 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mapi32x.dll dll-load exploit attempt (browser-ie.rules) * 1:37262 <-> ENABLED <-> FILE-OFFICE Microsoft Office mfplat.dll dll-load exploit attempt (file-office.rules) * 1:37264 <-> ENABLED <-> FILE-OFFICE Microsoft Office api-ms-win-core-winrt-l1-1-0.dll dll-load exploit attempt (file-office.rules) * 1:37275 <-> ENABLED <-> OS-WINDOWS Microsoft Windows feclient.dll dll-load exploit attempt (os-windows.rules) * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules) * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules) * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules) * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules) * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules) * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules) * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:37312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules) * 1:37313 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules) * 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules) * 1:37378 <-> DISABLED <-> SERVER-WEBAPP ABB default password login attempt (server-webapp.rules) * 1:37379 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules) * 1:37380 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules) * 1:37381 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules) * 1:37382 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules) * 1:37383 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules) * 1:37384 <-> DISABLED <-> SERVER-WEBAPP Emerson default password login attempt (server-webapp.rules) * 1:37385 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules) * 1:37386 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules) * 1:37387 <-> DISABLED <-> SERVER-WEBAPP Moxa default password login attempt (server-webapp.rules) * 1:37388 <-> DISABLED <-> SERVER-WEBAPP NOVUS AUTOMATION default password login attempt (server-webapp.rules) * 1:37389 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules) * 1:37390 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules) * 1:37391 <-> DISABLED <-> SERVER-WEBAPP Samsung default password login attempt (server-webapp.rules) * 1:37392 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules) * 1:37393 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules) * 1:37394 <-> DISABLED <-> SERVER-WEBAPP Wago default password login attempt (server-webapp.rules) * 1:37395 <-> DISABLED <-> SERVER-WEBAPP Westermo default password login attempt (server-webapp.rules) * 1:37396 <-> DISABLED <-> SERVER-WEBAPP eWON default password login attempt (server-webapp.rules) * 1:37416 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules) * 1:37421 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules) * 1:37525 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (server-other.rules) * 1:37526 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (server-other.rules) * 1:37555 <-> ENABLED <-> FILE-OFFICE Microsoft Office msdaora.dll dll-load exploit attempt (file-office.rules) * 1:37556 <-> ENABLED <-> FILE-OFFICE Microsoft Office phoneinfo.dll dll-load exploit attempt (file-office.rules) * 1:37588 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word BCSRuntime.dll dll-load exploit attempt (file-office.rules) * 1:37589 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word OLMAPI32.dll dll-load exploit attempt (file-office.rules) * 1:37655 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules) * 1:37656 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules) * 1:37728 <-> DISABLED <-> INDICATOR-OBFUSCATION SWF with large DefineBinaryData tag (indicator-obfuscation.rules) * 1:37729 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (indicator-obfuscation.rules) * 1:37841 <-> DISABLED <-> SERVER-OTHER ntpd reference clock impersonation attempt (server-other.rules) * 1:37842 <-> DISABLED <-> SERVER-OTHER ntpd reference clock impersonation attempt (server-other.rules) * 1:37843 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK possible DoS attempt (server-other.rules) * 1:37891 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (indicator-obfuscation.rules) * 1:37892 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (indicator-obfuscation.rules) * 1:37903 <-> DISABLED <-> INDICATOR-OBFUSCATION fromCharcode known obfuscation attempt (indicator-obfuscation.rules) * 1:37904 <-> DISABLED <-> INDICATOR-OBFUSCATION fromCharcode known obfuscation attempt (indicator-obfuscation.rules) * 1:37905 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript charset concatentation attempt (indicator-obfuscation.rules) * 1:37906 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript known obfuscation method attempt (indicator-obfuscation.rules) * 1:37907 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript unicode escape variable name attempt (indicator-obfuscation.rules) * 1:37908 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript with hex variable names (indicator-obfuscation.rules) * 1:37909 <-> DISABLED <-> INDICATOR-OBFUSCATION known javascript packer detected (indicator-obfuscation.rules) * 1:37948 <-> DISABLED <-> INDICATOR-OBFUSCATION known malicious JavaScript decryption routine (indicator-obfuscation.rules) * 1:37949 <-> DISABLED <-> INDICATOR-OBFUSCATION download of heavily compressed PDF attempt (indicator-obfuscation.rules) * 1:37950 <-> DISABLED <-> INDICATOR-OBFUSCATION email of heavily compressed PDF attempt (indicator-obfuscation.rules) * 1:37971 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:37972 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:38104 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation double unescape (indicator-obfuscation.rules) * 1:38105 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation double unescape (indicator-obfuscation.rules) * 1:38172 <-> DISABLED <-> FILE-OTHER Adobe Acrobat updaternotifications.dll dll-load exploit attempt (file-other.rules) * 1:3819 <-> ENABLED <-> FILE-IDENTIFY CHM file download request (file-identify.rules) * 1:3820 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules) * 1:38249 <-> DISABLED <-> SERVER-WEBAPP Samsung Data Manager default password login attempt (server-webapp.rules) * 1:38250 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded ActiveX object instantiation detected (indicator-obfuscation.rules) * 1:38251 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded script language declaration detected (indicator-obfuscation.rules) * 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules) * 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt (indicator-obfuscation.rules) * 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules) * 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Encodings header evasion attempt (indicator-obfuscation.rules) * 1:38368 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP illegal chars after encoding type evasion attempt (indicator-obfuscation.rules) * 1:38369 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header whitespace evasion attempt (indicator-obfuscation.rules) * 1:38385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38387 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38388 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger geolocation check (malware-cnc.rules) * 1:38394 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip invalid extra field evasion attempt (indicator-obfuscation.rules) * 1:38417 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules) * 1:38418 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules) * 1:38419 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules) * 1:38420 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules) * 1:38469 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (os-windows.rules) * 1:38470 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (os-windows.rules) * 1:38510 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant exfiltration attempt (malware-cnc.rules) * 1:38541 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules) * 1:38557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules) * 1:38558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules) * 1:38559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes (malware-cnc.rules) * 1:38560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot (malware-cnc.rules) * 1:38561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt (malware-cnc.rules) * 1:38562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt (malware-cnc.rules) * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules) * 1:38564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt (malware-cnc.rules) * 1:38565 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper initial download attempt (malware-cnc.rules) * 1:38566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt (malware-cnc.rules) * 1:38595 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP version evasion attempt (indicator-obfuscation.rules) * 1:38596 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules) * 1:38597 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules) * 1:38598 <-> DISABLED <-> INDICATOR-OBFUSCATION invalid HTTP header evasion attempt (indicator-obfuscation.rules) * 1:38599 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt (indicator-obfuscation.rules) * 1:38600 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules) * 1:38601 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt (indicator-obfuscation.rules) * 1:38602 <-> DISABLED <-> INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt (indicator-obfuscation.rules) * 1:38614 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules) * 1:38615 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules) * 1:38616 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules) * 1:38617 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules) * 1:38618 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules) * 1:38637 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules) * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules) * 1:38642 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 301 response evasion attempt (indicator-obfuscation.rules) * 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules) * 1:38667 <-> DISABLED <-> INDICATOR-OBFUSCATION Mixed case encoding type evasion attempt (indicator-obfuscation.rules) * 1:38677 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules) * 1:38678 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules) * 1:38679 <-> DISABLED <-> INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt (indicator-obfuscation.rules) * 1:38724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renegin outbound GET attempt (malware-cnc.rules) * 1:38734 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header value without key evasion attempt (indicator-obfuscation.rules) * 1:38873 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MSIMG32.dll dll-load exploit attempt (file-flash.rules) * 1:38876 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (exploit-kit.rules) * 1:38890 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts exfiltration attempt (malware-cnc.rules) * 1:38898 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules) * 1:38922 <-> DISABLED <-> INDICATOR-OBFUSCATION Brotli encoding evasion attempt (indicator-obfuscation.rules) * 1:38950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt (malware-cnc.rules) * 1:39130 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (exploit-kit.rules) * 1:39293 <-> DISABLED <-> FILE-FLASH Adobe Flash Player apphelp.dll dll-load exploit attempt (file-flash.rules) * 1:39294 <-> DISABLED <-> FILE-FLASH Adobe Flash Player dbghelp.dll dll-load exploit attempt (file-flash.rules) * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules) * 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (indicator-obfuscation.rules) * 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (indicator-obfuscation.rules) * 1:39341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS credit card data exfiltration (malware-cnc.rules) * 1:39343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS keylog exfiltration (malware-cnc.rules) * 1:39409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant initial outbound connection (malware-cnc.rules) * 1:39410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant exfiltration outbound connection (malware-cnc.rules) * 1:39488 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (indicator-obfuscation.rules) * 1:39489 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (indicator-obfuscation.rules) * 1:39490 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (indicator-obfuscation.rules) * 1:39532 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSL multi-dimensional array memory corruption attempt (file-pdf.rules) * 1:39533 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSL multi-dimensional array memory corruption attempt (file-pdf.rules) * 1:39642 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server credential disclosure attempt (server-webapp.rules) * 1:39734 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Xtrat outbound connection detected (malware-other.rules) * 1:39755 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Retefe variant malicious certificate installation page (malware-other.rules) * 1:39756 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Retefe variant malicious certificate installation page (malware-other.rules) * 1:39870 <-> DISABLED <-> INDICATOR-COMPROMISE Oracle E-Business Suite arbitrary node deletion (indicator-compromise.rules) * 1:39911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules) * 1:39930 <-> ENABLED <-> SERVER-WEBAPP Siemens IP-Camera credential disclosure attempt (server-webapp.rules) * 1:40079 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio visdlgu.dll dll-load exploit attempt (file-office.rules) * 1:40094 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (indicator-scan.rules) * 1:40095 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (indicator-scan.rules) * 1:40220 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt (server-other.rules) * 1:40238 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.AgentTesla variant outbound connection (malware-cnc.rules) * 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used without HTTP 1.1 evasion attempt. (indicator-obfuscation.rules) * 1:40316 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:40317 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:40318 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:40319 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:40320 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:40321 <-> DISABLED <-> SERVER-APACHE Apache Tomcat credential disclosure attempt (server-apache.rules) * 1:40322 <-> DISABLED <-> SERVER-OTHER CA weblogic default credential login attempt (server-other.rules) * 1:40324 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion default credential login attempt (server-other.rules) * 1:40325 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion default credential login attempt (server-other.rules) * 1:40331 <-> DISABLED <-> SERVER-WEBAPP JBoss default credential login attempt (server-webapp.rules) * 1:40359 <-> ENABLED <-> SERVER-APACHE Apache Struts xslt.location local file inclusion attempt (server-apache.rules) * 1:40436 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt (file-pdf.rules) * 1:40437 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt (file-pdf.rules) * 1:40450 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Agent file download attempt (malware-cnc.rules) * 1:40493 <-> DISABLED <-> SERVER-WEBAPP Ektron ServerControlWS.asmx XSL transform code injection attempt (server-webapp.rules) * 1:40505 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40506 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40507 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40508 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40509 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40510 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40511 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40512 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40513 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40514 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:4060 <-> DISABLED <-> APP-DETECT remote desktop protocol attempted administrator connection request (app-detect.rules) * 1:40755 <-> DISABLED <-> FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt (file-flash.rules) * 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules) * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules) * 1:40855 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40856 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40857 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40858 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40859 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40860 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40861 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40862 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40863 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40864 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40897 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40904 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules) * 1:40905 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules) * 1:40911 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Sednit variant outbound connection (malware-cnc.rules) * 1:41084 <-> DISABLED <-> EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected (exploit-kit.rules) * 1:41092 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit landing page obfuscation detected (exploit-kit.rules) * 1:41163 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (file-pdf.rules) * 1:41164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (file-pdf.rules) * 1:41193 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules) * 1:41194 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules) * 1:41204 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (file-pdf.rules) * 1:41205 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (file-pdf.rules) * 1:4126 <-> DISABLED <-> SERVER-OTHER Veritas Backup Exec root connection attempt using default password hash (server-other.rules) * 1:41308 <-> DISABLED <-> FILE-OTHER Dell Precision Optimizer dll-load exploit attempt (file-other.rules) * 1:41309 <-> DISABLED <-> FILE-OTHER Dell Precision Optimizer dll-load exploit attempt (file-other.rules) * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules) * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection (malware-cnc.rules) * 1:41435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules) * 1:41440 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules) * 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules) * 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules) * 1:41446 <-> ENABLED <-> SERVER-WEBAPP Cisco Meraki default admin credentials attempt (server-webapp.rules) * 1:41456 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Elite Keylogger (malware-cnc.rules) * 1:41457 <-> DISABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Elite Keylogger (malware-cnc.rules) * 1:41458 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:41459 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:41460 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:41461 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:41564 <-> DISABLED <-> FILE-OFFICE Microsoft Office imjp12k.dll dll-load exploit attempt (file-office.rules) * 1:41712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Houdini backdoor file download request (malware-cnc.rules) * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt attempt (indicator-obfuscation.rules) * 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules) * 1:41817 <-> DISABLED <-> SERVER-WEBAPP generic SQL select statement possible sql injection (server-webapp.rules) * 1:41823 <-> DISABLED <-> SERVER-OTHER Nagios Core privilege escalation attempt (server-other.rules) * 1:41824 <-> DISABLED <-> SERVER-OTHER Nagios Core privilege escalation attempt (server-other.rules) * 1:41917 <-> ENABLED <-> SERVER-WEBAPP Carel PlantVisorPRO default login attempt (server-webapp.rules) * 1:41920 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux authentication token brute force attempt (server-webapp.rules) * 1:41925 <-> DISABLED <-> FILE-OTHER Notepad++ scilexer.dll dll-load exploit attempt (file-other.rules) * 1:42017 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded HTTP response with no Content-Length or chunked Transfer-Encoding header (indicator-obfuscation.rules) * 1:42066 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin arbitrary file deletion attempt (server-webapp.rules) * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules) * 1:42111 <-> DISABLED <-> INDICATOR-OBFUSCATION Base64 encoded String.fromCharCode (indicator-obfuscation.rules) * 1:42133 <-> DISABLED <-> SERVER-APACHE Apache mod_session_crypto padding oracle brute force attempt (server-apache.rules) * 1:42163 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (file-other.rules) * 1:42164 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (file-other.rules) * 1:42185 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (os-windows.rules) * 1:42186 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (os-windows.rules) * 1:42197 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:42198 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:42227 <-> DISABLED <-> SERVER-OTHER NTP Config Unpeer denial of service attempt (server-other.rules) * 1:42235 <-> DISABLED <-> SERVER-OTHER NTP malformed config request denial of service attempt (server-other.rules) * 1:42280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules) * 1:42289 <-> DISABLED <-> INDICATOR-SCAN PHP info leak attempt (indicator-scan.rules) * 1:42292 <-> DISABLED <-> INDICATOR-COMPROMISE malicious javascript obfuscation detected (indicator-compromise.rules) * 1:42300 <-> DISABLED <-> SERVER-WEBAPP SensorIP2 default credentials enumeration attempt (server-webapp.rules) * 1:42304 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules) * 1:42305 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules) * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules) * 1:42340 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (os-windows.rules) * 1:4236 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer WMI ASDI Extension ActiveX object access (browser-plugins.rules) * 1:42395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oddjob outbound connection (malware-cnc.rules) * 1:42451 <-> DISABLED <-> SERVER-WEBAPP MCA Sistemas ScadaBR index.php brute force login attempt (server-webapp.rules) * 1:42785 <-> DISABLED <-> INDICATOR-SCAN DNS version.bind string information disclosure attempt (indicator-scan.rules) * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:42863 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:42864 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:42870 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42871 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42872 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42873 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42874 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42875 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42876 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42877 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42887 <-> ENABLED <-> SERVER-OTHER ntpq flagstr buffer overflow attempt (server-other.rules) * 1:42890 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules) * 1:42925 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules) * 1:42926 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules) * 1:42946 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped valueOf function name obfuscation attempt (indicator-obfuscation.rules) * 1:42947 <-> ENABLED <-> INDICATOR-OBFUSCATION Dridex String.prototype function definition obfuscation attempt (indicator-obfuscation.rules) * 1:42948 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped split function name obfuscation attempt (indicator-obfuscation.rules) * 1:42949 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded document class name obfuscation attempt (indicator-obfuscation.rules) * 1:42950 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded vbscript tag obfuscation attempt (indicator-obfuscation.rules) * 1:43002 <-> ENABLED <-> PROTOCOL-OTHER NETBIOS SMB IPC share access attempt (protocol-other.rules) * 1:43003 <-> ENABLED <-> PROTOCOL-OTHER NETBIOS SMB IPC share access attempt (protocol-other.rules) * 1:43073 <-> DISABLED <-> SQL SysAid potential default credential login attempt (sql.rules) * 1:43113 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric IGSS dashboard deletion attempt (server-webapp.rules) * 1:43127 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration enumeration attempt (policy-other.rules) * 1:43128 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration overwrite attempt (policy-other.rules) * 1:43179 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules) * 1:43180 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules) * 1:43216 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP payload not fully gzip compressed attempt (indicator-obfuscation.rules) * 1:43256 <-> ENABLED <-> INDICATOR-OBFUSCATION Rig EK fromCharCode offset 33 obfuscated getElementsByTagName call (indicator-obfuscation.rules) * 1:43287 <-> DISABLED <-> SERVER-WEBAPP /etc/inetd.conf file access attempt (server-webapp.rules) * 1:43288 <-> DISABLED <-> SERVER-WEBAPP /etc/motd file access attempt (server-webapp.rules) * 1:43289 <-> DISABLED <-> SERVER-WEBAPP /etc/shadow file access attempt (server-webapp.rules) * 1:43370 <-> DISABLED <-> NETBIOS DCERPC possible wmi remote process launch (netbios.rules) * 1:43672 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt (browser-firefox.rules) * 1:43673 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt (browser-firefox.rules) * 1:43707 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated vbscript detected (indicator-obfuscation.rules) * 1:43708 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated vbscript detected (indicator-obfuscation.rules) * 1:43802 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:43803 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:43804 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:43805 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:43836 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file packed with SecureSwf obfuscator (indicator-obfuscation.rules) * 1:43837 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript regex (indicator-obfuscation.rules) * 1:43989 <-> DISABLED <-> INDICATOR-OBFUSCATION newlines embedded in rtf header (indicator-obfuscation.rules) * 1:43990 <-> DISABLED <-> INDICATOR-OBFUSCATION RTF obfuscation string (indicator-obfuscation.rules) * 1:44172 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious dynamic http link creation attempt (indicator-obfuscation.rules) * 1:44235 <-> ENABLED <-> INDICATOR-OBFUSCATION FOPO obfuscated PHP file upload attempt (indicator-obfuscation.rules) * 1:44388 <-> ENABLED <-> SERVER-WEBAPP Multiple routers getcfg.php credential disclosure attempt (server-webapp.rules) * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules) * 1:44475 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Handshake spoof runtime detection (malware-other.rules) * 1:44559 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules) * 1:44560 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules) * 1:44561 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:44562 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:44563 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:44599 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules) * 1:44600 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules) * 1:44601 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules) * 1:44615 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious javascript deobfuscation calls attempt (indicator-obfuscation.rules) * 1:44623 <-> DISABLED <-> POLICY-OTHER EMC Autostart default domain login attempt (policy-other.rules) * 1:44646 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SVCCTL remote service attempt (malware-other.rules) * 1:44651 <-> DISABLED <-> NETBIOS SMB NTLMSSP authentication brute force attempt (netbios.rules) * 1:44692 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (indicator-obfuscation.rules) * 1:44693 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (indicator-obfuscation.rules) * 1:44697 <-> DISABLED <-> MALWARE-CNC SquirrelMail directory traversal attempt (malware-cnc.rules) * 1:44702 <-> DISABLED <-> POLICY-OTHER Inedo BuildMaster web server login with default credentials attempt (policy-other.rules) * 1:44756 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules) * 1:45005 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules) * 1:45006 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules) * 1:45012 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules) * 1:45068 <-> DISABLED <-> SERVER-OTHER Oracle Identity Manager default login attempt (server-other.rules) * 1:45136 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit PowerShell CLI Download and Run attempt (indicator-compromise.rules) * 1:45137 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit run hidden powershell attempt (indicator-compromise.rules) * 1:45173 <-> DISABLED <-> BROWSER-FIREFOX Mozilla download directory file deletion attempt (browser-firefox.rules) * 1:45174 <-> DISABLED <-> BROWSER-FIREFOX Mozilla download directory file deletion attempt (browser-firefox.rules) * 1:45352 <-> ENABLED <-> MALWARE-CNC PowerShell Empire HTTP listener response (malware-cnc.rules) * 1:45370 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules) * 1:45371 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules) * 1:45418 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules) * 1:45419 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules) * 1:45454 <-> DISABLED <-> SERVER-WEBAPP PostfixAdmin protected alias deletion attempt (server-webapp.rules) * 1:45469 <-> ENABLED <-> MALWARE-CNC SambaCry ransomware download attempt (malware-cnc.rules) * 1:45470 <-> ENABLED <-> MALWARE-CNC SambaCry ransomware download attempt (malware-cnc.rules) * 1:45483 <-> ENABLED <-> MALWARE-CNC Pdf.Phishing.Agent variant outbound connection detected (malware-cnc.rules) * 1:45518 <-> DISABLED <-> POLICY-OTHER Remote Desktop weak 40-bit RC4 encryption use attempt (policy-other.rules) * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules) * 1:45904 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules) * 1:45905 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules) * 1:45915 <-> DISABLED <-> INDICATOR-COMPROMISE PHP obfuscated eval command execution attempt (indicator-compromise.rules) * 1:45927 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules) * 1:45928 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules) * 1:45967 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules) * 1:45968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules) * 1:45980 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection (malware-cnc.rules) * 1:46026 <-> DISABLED <-> SERVER-WEBAPP EventManager page.php sql injection attempt SQL injection attempt (server-webapp.rules) * 1:46027 <-> DISABLED <-> SERVER-WEBAPP EventManager page.php sql injection attempt SQL injection attempt (server-webapp.rules) * 1:46065 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sigma outbound connection (malware-cnc.rules) * 1:46067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection (malware-cnc.rules) * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules) * 1:46368 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell upload attempt (malware-backdoor.rules) * 1:46369 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules) * 1:46381 <-> DISABLED <-> INDICATOR-COMPROMISE Potential data exfiltration through Google form submission (indicator-compromise.rules) * 1:46387 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt (server-other.rules) * 1:46482 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules) * 1:46675 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46678 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46682 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46683 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46684 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46685 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46879 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules) * 1:47052 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt (server-other.rules) * 1:47070 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:47115 <-> DISABLED <-> SERVER-MAIL Zerofont phishing attempt (server-mail.rules) * 1:47116 <-> DISABLED <-> SERVER-MAIL Zerofont phishing attempt (server-mail.rules) * 1:47137 <-> DISABLED <-> SERVER-WEBAPP HP VAN SDN Controller default token authentication attempt (server-webapp.rules) * 1:47138 <-> DISABLED <-> SERVER-WEBAPP HP VAN SDN Controller default credentials authentication attempt (server-webapp.rules) * 1:47371 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules) * 1:47372 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules) * 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (malware-cnc.rules) * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules) * 1:47422 <-> DISABLED <-> FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt (file-other.rules) * 1:47461 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules) * 1:47462 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules) * 1:47585 <-> DISABLED <-> SERVER-OTHER ntpq decode array buffer overflow attempt (server-other.rules) * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules) * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules) * 1:47866 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules) * 1:47867 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules) * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules) * 1:48144 <-> DISABLED <-> FILE-OTHER McAfee True Key dll-load exploit attempt (file-other.rules) * 1:48145 <-> DISABLED <-> FILE-OTHER McAfee True Key dll-load exploit attempt (file-other.rules) * 1:48231 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (server-webapp.rules) * 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules) * 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules) * 1:48288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (malware-cnc.rules) * 1:48508 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules) * 1:48531 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules) * 1:48532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules) * 1:48573 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary file deletion attempt (server-webapp.rules) * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules) * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules) * 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (server-webapp.rules) * 1:48861 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:48862 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:48863 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:48864 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:48894 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules) * 1:48895 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules) * 1:49051 <-> DISABLED <-> SERVER-OTHER Ewon router default credential login attempt (server-other.rules) * 1:49052 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:49053 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:49054 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:49055 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:49056 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:49057 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:49058 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:49059 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:49060 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:49061 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:49062 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:49063 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:49064 <-> DISABLED <-> SERVER-OTHER Westermo router default credential login attempt (server-other.rules) * 1:4916 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript onload document.write obfuscation overflow attempt (browser-ie.rules) * 1:4917 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript onload prompt obfuscation overflow attempt (browser-ie.rules) * 1:49289 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:49290 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:49291 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:49292 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:4984 <-> DISABLED <-> SQL sa brute force failed login unicode attempt (sql.rules) * 1:5742 <-> DISABLED <-> MALWARE-OTHER Keylogger activitylogger runtime detection (malware-other.rules) * 1:5759 <-> DISABLED <-> MALWARE-OTHER Keylogger fearlesskeyspy runtime detection (malware-other.rules) * 1:5777 <-> DISABLED <-> MALWARE-OTHER Keylogger gurl watcher runtime detection (malware-other.rules) * 1:5778 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwpe windows activity logs (malware-other.rules) * 1:5779 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwpe shell file logs (malware-other.rules) * 1:5780 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwpe word filtered echelon log (malware-other.rules) * 1:5781 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae windows activity logs (malware-other.rules) * 1:5782 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae word filtered echelon log (malware-other.rules) * 1:5783 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae keystrokes log (malware-other.rules) * 1:5784 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae urls browsed log (malware-other.rules) * 1:5790 <-> DISABLED <-> MALWARE-OTHER Keylogger pc actmon pro runtime detection - smtp (malware-other.rules) * 1:5880 <-> ENABLED <-> MALWARE-OTHER Keylogger spyagent runtime detect - smtp delivery (malware-other.rules) * 1:5881 <-> ENABLED <-> MALWARE-OTHER Keylogger spyagent runtime detect - ftp delivery (malware-other.rules) * 1:5882 <-> ENABLED <-> MALWARE-OTHER Keylogger spyagent runtime detect - alert notification (malware-other.rules) * 1:6040 <-> ENABLED <-> MALWARE-BACKDOOR fade 1.0 runtime detection - enable keylogger (malware-backdoor.rules) * 1:6041 <-> DISABLED <-> MALWARE-BACKDOOR fade 1.0 runtime detection - enable keylogger (malware-backdoor.rules) * 1:613 <-> DISABLED <-> INDICATOR-SCAN myscan (indicator-scan.rules) * 1:6143 <-> DISABLED <-> MALWARE-BACKDOOR dark connection inside v1.2 runtime detection (malware-backdoor.rules) * 1:6159 <-> DISABLED <-> MALWARE-BACKDOOR delirium of disorder runtime detection - enable keylogger (malware-backdoor.rules) * 1:616 <-> DISABLED <-> INDICATOR-SCAN ident version request (indicator-scan.rules) * 1:6160 <-> DISABLED <-> MALWARE-BACKDOOR delirium of disorder runtime detection - stop keylogger (malware-backdoor.rules) * 1:619 <-> DISABLED <-> INDICATOR-SCAN cybercop os probe (indicator-scan.rules) * 1:6190 <-> DISABLED <-> MALWARE-OTHER Keylogger eblaster 5.0 runtime detection (malware-other.rules) * 1:6207 <-> DISABLED <-> MALWARE-OTHER Keylogger winsession runtime detection - smtp (malware-other.rules) * 1:6208 <-> DISABLED <-> MALWARE-OTHER Keylogger winsession runtime detection - ftp (malware-other.rules) * 1:622 <-> DISABLED <-> INDICATOR-SCAN ipEye SYN scan (indicator-scan.rules) * 1:6220 <-> DISABLED <-> MALWARE-OTHER Keylogger boss everyware runtime detection (malware-other.rules) * 1:6221 <-> DISABLED <-> MALWARE-OTHER Keylogger computerspy runtime detection (malware-other.rules) * 1:626 <-> DISABLED <-> INDICATOR-SCAN cybercop os PA12 attempt (indicator-scan.rules) * 1:627 <-> DISABLED <-> INDICATOR-SCAN cybercop os SFU12 probe (indicator-scan.rules) * 1:630 <-> DISABLED <-> INDICATOR-SCAN synscan portscan (indicator-scan.rules) * 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules) * 1:6340 <-> DISABLED <-> MALWARE-OTHER Keylogger handy keylogger runtime detection (malware-other.rules) * 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules) * 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules) * 1:6365 <-> DISABLED <-> MALWARE-OTHER Sony rootkit runtime detection (malware-other.rules) * 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules) * 1:6383 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - tcp connection setup (malware-other.rules) * 1:6384 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent discover broadcast (malware-other.rules) * 1:6385 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent status monitoring (malware-other.rules) * 1:6386 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent up notification (malware-other.rules) * 1:6489 <-> DISABLED <-> PUA-ADWARE Hijacker analyze IE outbound connection - default page hijacker (pua-adware.rules) * 1:7099 <-> ENABLED <-> MALWARE-BACKDOOR remote hack 1.5 runtime detection - start keylogger (malware-backdoor.rules) * 1:7141 <-> DISABLED <-> PUA-ADWARE Adware pay-per-click runtime detection - update (pua-adware.rules) * 1:7154 <-> DISABLED <-> MALWARE-OTHER Keylogger active keylogger home runtime detection (malware-other.rules) * 1:7156 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - email delivery (malware-other.rules) * 1:7157 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - remote conn client-to-server (malware-other.rules) * 1:7158 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - remote conn server-to-client (malware-other.rules) * 1:7159 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - upload file client-to-server (malware-other.rules) * 1:7160 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - upload file server-to-client (malware-other.rules) * 1:7161 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file client-to-server (malware-other.rules) * 1:7162 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client (malware-other.rules) * 1:7163 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - execute file client-to-server (malware-other.rules) * 1:7164 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - execute file server-to-client (malware-other.rules) * 1:7165 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 1 (malware-other.rules) * 1:7166 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 2 (malware-other.rules) * 1:7167 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 3 (malware-other.rules) * 1:7168 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 4 (malware-other.rules) * 1:7169 <-> DISABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange (malware-other.rules) * 1:7175 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - log retrieve (malware-other.rules) * 1:7176 <-> DISABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - log retrieve (malware-other.rules) * 1:7177 <-> DISABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - info send through email (malware-other.rules) * 1:7178 <-> ENABLED <-> MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection (malware-other.rules) * 1:7179 <-> ENABLED <-> MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection (malware-other.rules) * 1:7180 <-> DISABLED <-> MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection (malware-other.rules) * 1:7184 <-> DISABLED <-> MALWARE-OTHER Keylogger 007 spy software runtime detection - smtp (malware-other.rules) * 1:7185 <-> DISABLED <-> MALWARE-OTHER Keylogger 007 spy software runtime detection - ftp (malware-other.rules) * 1:7186 <-> DISABLED <-> MALWARE-OTHER Keylogger kgb Keylogger runtime detection (malware-other.rules) * 1:7504 <-> DISABLED <-> MALWARE-OTHER Keylogger actualspy runtime detection - ftp-data (malware-other.rules) * 1:7505 <-> DISABLED <-> MALWARE-OTHER Keylogger actualspy runtime detection - smtp (malware-other.rules) * 1:7512 <-> ENABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - init connection - flowbit set (malware-other.rules) * 1:7513 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - init connection (malware-other.rules) * 1:7514 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - send out info to server periodically (malware-other.rules) * 1:7515 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - remote monitoring (malware-other.rules) * 1:7539 <-> DISABLED <-> MALWARE-OTHER Keylogger eye spy pro 1.0 runtime detection (malware-other.rules) * 1:7541 <-> DISABLED <-> MALWARE-OTHER Keylogger starlogger runtime detection (malware-other.rules) * 1:7544 <-> ENABLED <-> MALWARE-OTHER Keylogger PerfectKeylogger runtime detection - flowbit set 1 (malware-other.rules) * 1:7545 <-> ENABLED <-> MALWARE-OTHER Keylogger PerfectKeylogger runtime detection - flowbit set 2 (malware-other.rules) * 1:7546 <-> DISABLED <-> MALWARE-OTHER Keylogger PerfectKeylogger runtime detection (malware-other.rules) * 1:7547 <-> DISABLED <-> MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection - agent status monitoring (malware-other.rules) * 1:7548 <-> DISABLED <-> MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection - agent up notification (malware-other.rules) * 1:7549 <-> DISABLED <-> MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection (malware-other.rules) * 1:7551 <-> DISABLED <-> MALWARE-OTHER Keylogger ardamax keylogger runtime detection - smtp (malware-other.rules) * 1:7552 <-> DISABLED <-> MALWARE-OTHER Keylogger ardamax keylogger runtime detection - ftp (malware-other.rules) * 1:7564 <-> DISABLED <-> PUA-ADWARE Hijacker startnow outbound connection (pua-adware.rules) * 1:7574 <-> DISABLED <-> MALWARE-OTHER Keylogger proagent 2.0 runtime detection (malware-other.rules) * 1:7591 <-> ENABLED <-> MALWARE-OTHER Keylogger keylogger pro runtime detection - flowbit set (malware-other.rules) * 1:7592 <-> DISABLED <-> MALWARE-OTHER Keylogger keylogger pro runtime detection (malware-other.rules) * 1:7596 <-> ENABLED <-> MALWARE-OTHER Keylogger spy lantern keylogger runtime detection - flowbit set (malware-other.rules) * 1:7597 <-> DISABLED <-> MALWARE-OTHER Keylogger spy lantern keylogger runtime detection (malware-other.rules) * 1:7772 <-> ENABLED <-> MALWARE-BACKDOOR messiah 4.0 runtime detection - enable keylogger - flowbit set (malware-backdoor.rules) * 1:7773 <-> DISABLED <-> MALWARE-BACKDOOR messiah 4.0 runtime detection - enable keylogger (malware-backdoor.rules) * 1:7806 <-> DISABLED <-> MALWARE-BACKDOOR fatal wound 1.0 runtime detection - initial connection (malware-backdoor.rules) * 1:7807 <-> DISABLED <-> MALWARE-BACKDOOR fatal wound 1.0 runtime detection - execute file (malware-backdoor.rules) * 1:7808 <-> ENABLED <-> MALWARE-BACKDOOR fatal wound 1.0 runtime detection - upload (malware-backdoor.rules) * 1:7837 <-> DISABLED <-> MALWARE-OTHER Keylogger spyoutside runtime detection - email delivery (malware-other.rules) * 1:7845 <-> ENABLED <-> MALWARE-OTHER Keylogger clogger 1.0 runtime detection (malware-other.rules) * 1:7846 <-> ENABLED <-> MALWARE-OTHER Keylogger clogger 1.0 runtime detection (malware-other.rules) * 1:7847 <-> DISABLED <-> MALWARE-OTHER Keylogger clogger 1.0 runtime detection - send log through email (malware-other.rules) * 1:7857 <-> DISABLED <-> MALWARE-OTHER Keylogger EliteKeylogger runtime detection (malware-other.rules) * 1:8059 <-> DISABLED <-> SERVER-ORACLE SYS.KUPW-WORKER sql injection attempt (server-oracle.rules) * 1:8081 <-> DISABLED <-> INDICATOR-SCAN UPnP service discover attempt (indicator-scan.rules) * 1:809 <-> DISABLED <-> SERVER-WEBAPP whois_raw.cgi arbitrary command execution attempt (server-webapp.rules) * 1:8355 <-> ENABLED <-> MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection (malware-other.rules) * 1:8356 <-> ENABLED <-> MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send log out through email (malware-other.rules) * 1:8357 <-> ENABLED <-> MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send alert out through email (malware-other.rules) * 1:8465 <-> ENABLED <-> MALWARE-OTHER Keylogger netobserve runtime detection - email notification (malware-other.rules) * 1:8466 <-> DISABLED <-> MALWARE-OTHER Keylogger netobserve runtime detection - email notification (malware-other.rules) * 1:8467 <-> DISABLED <-> MALWARE-OTHER Keylogger netobserve runtime detection - remote login response (malware-other.rules) * 1:8544 <-> DISABLED <-> MALWARE-OTHER Keylogger nicespy runtime detection - smtp (malware-other.rules) * 1:9647 <-> DISABLED <-> MALWARE-OTHER Keylogger system surveillance pro runtime detection (malware-other.rules) * 1:9648 <-> DISABLED <-> MALWARE-OTHER Keylogger emailspypro runtime detection (malware-other.rules) * 1:9649 <-> ENABLED <-> MALWARE-OTHER Keylogger ghost Keylogger runtime detection - flowbit set (malware-other.rules) * 1:9650 <-> DISABLED <-> MALWARE-OTHER Keylogger ghost Keylogger runtime detection (malware-other.rules) * 1:9827 <-> DISABLED <-> MALWARE-OTHER Keylogger paq keylog runtime detection - smtp (malware-other.rules) * 1:9828 <-> DISABLED <-> MALWARE-OTHER Keylogger paq keylog runtime detection - ftp (malware-other.rules) * 1:9830 <-> DISABLED <-> MALWARE-OTHER Keylogger supreme spy runtime detection (malware-other.rules) * 3:49362 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0787 attack attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules) * 1:49603 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt (server-webapp.rules) * 1:49597 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GlobeImposter malicious executable download attempt (malware-cnc.rules) * 1:49575 <-> DISABLED <-> FILE-IMAGE SketchUp BMP RLE8 parsing buffer overflow attempt (file-image.rules) * 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules) * 1:49578 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GlobeImposter malicious executable download attempt (malware-cnc.rules) * 1:49599 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt detected (file-pdf.rules) * 1:49592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49581 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49580 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49593 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules) * 1:49576 <-> DISABLED <-> FILE-IMAGE SketchUp BMP RLE8 parsing buffer overflow attempt (file-image.rules) * 1:49577 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49604 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt (server-webapp.rules) * 1:49594 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49600 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt detected (file-pdf.rules) * 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules) * 1:49601 <-> DISABLED <-> SERVER-OTHER Century Star SCADA directory traversal attempt (server-other.rules) * 1:49587 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules) * 1:49579 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49595 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49582 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49605 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt (server-webapp.rules) * 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules) * 1:49602 <-> DISABLED <-> SERVER-OTHER Century Star SCADA directory traversal attempt (server-other.rules) * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules) * 1:49598 <-> DISABLED <-> SERVER-WEBAPP Fiberhome AN5506-04-F RP2669 cross site scripting attempt (server-webapp.rules) * 3:49609 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui cdp resource command injection attempt (server-webapp.rules) * 3:49608 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui execPython access attempt (server-webapp.rules) * 3:49613 <-> ENABLED <-> POLICY-OTHER Cisco Virtual Switching System master request message detected (policy-other.rules) * 3:49614 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui rathrottler command injection attempt (server-webapp.rules) * 3:49615 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui rathrottler command injection attempt (server-webapp.rules) * 3:49607 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP calling display name denial of service attempt (protocol-voip.rules) * 3:49590 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui debugBundle command injection attempt (server-webapp.rules) * 3:49588 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui debugBundle command injection attempt (server-webapp.rules) * 3:49612 <-> ENABLED <-> POLICY-OTHER Cisco Virtual Switching System standby interested message detected (policy-other.rules) * 3:49616 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui rathrottler command injection attempt (server-webapp.rules) * 3:49610 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui dhcp resource command injection attempt (server-webapp.rules) * 3:49589 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui debugBundle command injection attempt (server-webapp.rules) * 3:49591 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui directory traversal attempt (server-webapp.rules) * 3:49611 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui information disclosure attempt (server-webapp.rules) * 3:49606 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP calling display name denial of service attempt (protocol-voip.rules)
* 1:41164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (file-pdf.rules) * 1:10088 <-> DISABLED <-> MALWARE-OTHER Keylogger beyond Keylogger runtime detection - log sent by smtp (malware-other.rules) * 1:10089 <-> DISABLED <-> MALWARE-OTHER Keylogger beyond Keylogger runtime detection - log sent by ftp (malware-other.rules) * 1:10096 <-> DISABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - keylog (malware-other.rules) * 1:10097 <-> ENABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection (malware-other.rules) * 1:10098 <-> DISABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - get system info (malware-other.rules) * 1:10099 <-> ENABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection (malware-other.rules) * 1:10100 <-> DISABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - open website (malware-other.rules) * 1:10123 <-> DISABLED <-> PROTOCOL-VOIP PA168 chipset based IP phone default password attempt (protocol-voip.rules) * 1:10165 <-> DISABLED <-> MALWARE-OTHER Keylogger mybr Keylogger runtime detection (malware-other.rules) * 1:10167 <-> DISABLED <-> MALWARE-OTHER Keylogger radar spy 1.0 runtime detection - send html log (malware-other.rules) * 1:10181 <-> DISABLED <-> MALWARE-OTHER Keylogger systemsleuth runtime detection (malware-other.rules) * 1:10183 <-> DISABLED <-> MALWARE-OTHER Keylogger activity Keylogger runtime detection (malware-other.rules) * 1:10436 <-> DISABLED <-> MALWARE-OTHER Keylogger keyspy runtime detection (malware-other.rules) * 1:10440 <-> DISABLED <-> MALWARE-OTHER Keylogger pc black box runtime detection (malware-other.rules) * 1:10457 <-> DISABLED <-> MALWARE-BACKDOOR [x]-ztoo 1.0 runtime detection - start keylogger (malware-backdoor.rules) * 1:10464 <-> DISABLED <-> PROTOCOL-TELNET kerberos login environment variable authentication bypass attempt (protocol-telnet.rules) * 1:1090 <-> DISABLED <-> SERVER-WEBAPP Allaire Pro Web Shell attempt (server-webapp.rules) * 1:1100 <-> DISABLED <-> INDICATOR-SCAN L3retriever HTTP Probe (indicator-scan.rules) * 1:1101 <-> DISABLED <-> INDICATOR-SCAN Webtrends HTTP probe (indicator-scan.rules) * 1:1122 <-> DISABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules) * 1:11250 <-> DISABLED <-> BROWSER-PLUGINS Sony Rootkit Uninstaller ActiveX clsid access (browser-plugins.rules) * 1:1129 <-> DISABLED <-> SERVER-WEBAPP .htaccess access (server-webapp.rules) * 1:11307 <-> DISABLED <-> MALWARE-OTHER Keylogger computer monitor Keylogger runtime detection (malware-other.rules) * 1:11309 <-> DISABLED <-> MALWARE-OTHER Keylogger sskc v2.0 runtime detection (malware-other.rules) * 1:11311 <-> DISABLED <-> MALWARE-OTHER Keylogger pcsentinelsoftware Keylogger runtime detection - upload infor (malware-other.rules) * 1:1133 <-> DISABLED <-> INDICATOR-SCAN cybercop os probe (indicator-scan.rules) * 1:12046 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind RPC Library unix authentication buffer overflow attempt (protocol-rpc.rules) * 1:12048 <-> DISABLED <-> MALWARE-OTHER Keylogger computer Keylogger runtime detection (malware-other.rules) * 1:12049 <-> DISABLED <-> MALWARE-OTHER Keylogger apophis spy 1.0 runtime detection (malware-other.rules) * 1:12075 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (protocol-rpc.rules) * 1:12080 <-> DISABLED <-> OS-SOLARIS Oracle Solaris printd arbitrary file deletion vulnerability (os-solaris.rules) * 1:12128 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - init connection (malware-other.rules) * 1:12129 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - get sys info (malware-other.rules) * 1:12130 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - get sys info (malware-other.rules) * 1:12131 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - keylogging (malware-other.rules) * 1:12132 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - keylogging (malware-other.rules) * 1:12133 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - open url (malware-other.rules) * 1:12134 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - open url (malware-other.rules) * 1:12135 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - fun (malware-other.rules) * 1:12136 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - fun (malware-other.rules) * 1:12137 <-> DISABLED <-> MALWARE-OTHER Keylogger Keylogger king home 2.3 runtime detection (malware-other.rules) * 1:12141 <-> DISABLED <-> MALWARE-OTHER Keylogger logit v1.0 runtime detection (malware-other.rules) * 1:12159 <-> DISABLED <-> MALWARE-BACKDOOR optix pro v1.32 runtime detection - keylogging (malware-backdoor.rules) * 1:12185 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 tcp request (protocol-rpc.rules) * 1:12186 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp request (protocol-rpc.rules) * 1:12187 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 tcp rename_principal attempt (protocol-rpc.rules) * 1:12188 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp rename_principal attempt (protocol-rpc.rules) * 1:12226 <-> DISABLED <-> MALWARE-OTHER Keylogger overspy runtime detection (malware-other.rules) * 1:12243 <-> DISABLED <-> MALWARE-BACKDOOR hotmail hacker log edition 5.0 runtime detection - init connection (malware-backdoor.rules) * 1:12372 <-> DISABLED <-> MALWARE-OTHER Keylogger mg-shadow 2.0 runtime detection (malware-other.rules) * 1:12379 <-> DISABLED <-> MALWARE-OTHER Keylogger PaqKeylogger 5.1 runtime detection - ftp (malware-other.rules) * 1:12424 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc RPCSEC_GSS buffer overflow attempt (protocol-rpc.rules) * 1:12480 <-> ENABLED <-> MALWARE-OTHER Keylogger inside website logger 2.4 runtime detection (malware-other.rules) * 1:12625 <-> DISABLED <-> MALWARE-OTHER Keylogger windows family safety 2.0 runtime detection (malware-other.rules) * 1:12698 <-> DISABLED <-> MALWARE-OTHER Keylogger net vizo 5.2 runtime detection (malware-other.rules) * 1:12708 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt (protocol-rpc.rules) * 1:12758 <-> ENABLED <-> MALWARE-OTHER Keylogger/RAT digi watcher 2.32 runtime detection (malware-other.rules) * 1:12759 <-> DISABLED <-> MALWARE-OTHER Keylogger/RAT digi watcher 2.32 runtime detection (malware-other.rules) * 1:12760 <-> ENABLED <-> MALWARE-OTHER Keylogger powered Keylogger 2.2 runtime detection (malware-other.rules) * 1:12761 <-> DISABLED <-> MALWARE-OTHER Keylogger powered Keylogger 2.2 runtime detection (malware-other.rules) * 1:12770 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows obfuscated RDS.Dataspace ActiveX exploit attempt (browser-plugins.rules) * 1:12771 <-> DISABLED <-> BROWSER-PLUGINS obfuscated BaoFeng Storm MPS.dll ActiveX exploit attempt (browser-plugins.rules) * 1:12772 <-> DISABLED <-> BROWSER-PLUGINS obfuscated PPStream PowerPlayer ActiveX exploit attempt (browser-plugins.rules) * 1:12773 <-> DISABLED <-> BROWSER-PLUGINS obfuscated Xunlei Thunder PPLAYER.DLL ActiveX exploit attempt (browser-plugins.rules) * 1:12774 <-> DISABLED <-> BROWSER-PLUGINS obfuscated GlobalLink ConnectAndEnterRoom ActiveX exploit attempt (browser-plugins.rules) * 1:12775 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer obfuscated Ierpplug.dll ActiveX exploit attempt (browser-plugins.rules) * 1:12792 <-> ENABLED <-> MALWARE-OTHER Keylogger spy lantern Keylogger pro 6.0 runtime detection (malware-other.rules) * 1:12793 <-> DISABLED <-> MALWARE-OTHER Keylogger spy lantern Keylogger pro 6.0 runtime detection (malware-other.rules) * 1:13223 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (protocol-rpc.rules) * 1:13236 <-> ENABLED <-> MALWARE-OTHER Keylogger active Keylogger 3.9.2 runtime detection (malware-other.rules) * 1:13237 <-> DISABLED <-> MALWARE-OTHER Keylogger active Keylogger 3.9.2 runtime detection (malware-other.rules) * 1:13243 <-> ENABLED <-> MALWARE-OTHER Keylogger computer monitor 1.1 by lastcomfort runtime detection (malware-other.rules) * 1:13244 <-> DISABLED <-> MALWARE-OTHER Keylogger computer monitor 1.1 by lastcomfort runtime detection (malware-other.rules) * 1:13278 <-> ENABLED <-> MALWARE-OTHER Keylogger advanced spy 4.0 runtime detection (malware-other.rules) * 1:13279 <-> DISABLED <-> MALWARE-OTHER Keylogger advanced spy 4.0 runtime detection (malware-other.rules) * 1:13280 <-> ENABLED <-> MALWARE-OTHER Keylogger email spy monitor 6.9 runtime detection (malware-other.rules) * 1:13281 <-> DISABLED <-> MALWARE-OTHER Keylogger email spy monitor 6.9 runtime detection (malware-other.rules) * 1:13346 <-> ENABLED <-> PUA-ADWARE Snoopware remote desktop inspector outbound connection - init connection (pua-adware.rules) * 1:13347 <-> DISABLED <-> PUA-ADWARE Snoopware remote desktop inspector runtime detection - init connection (pua-adware.rules) * 1:13479 <-> ENABLED <-> MALWARE-OTHER Keylogger findnot guarddog 4.0 runtime detection (malware-other.rules) * 1:13480 <-> DISABLED <-> MALWARE-OTHER Keylogger findnot guarddog 4.0 runtime detection (malware-other.rules) * 1:13494 <-> DISABLED <-> MALWARE-OTHER Keylogger smart pc Keylogger runtime detection (malware-other.rules) * 1:13507 <-> DISABLED <-> MALWARE-CNC evilotus 1.3.2 variant outbound connection (malware-cnc.rules) * 1:13551 <-> DISABLED <-> SERVER-ORACLE Oracle XDB.XDB_PITRIG_PKG sql injection attempt (server-oracle.rules) * 1:13567 <-> DISABLED <-> MALWARE-OTHER Keylogger msn spy monitor runtime detection (malware-other.rules) * 1:13568 <-> DISABLED <-> MALWARE-OTHER Keylogger sys keylog 1.3 advanced runtime detection (malware-other.rules) * 1:13625 <-> DISABLED <-> MALWARE-CNC MBR rootkit HTTP POST activity detected (malware-cnc.rules) * 1:13642 <-> DISABLED <-> MALWARE-OTHER Keylogger easy Keylogger runtime detection (malware-other.rules) * 1:13651 <-> DISABLED <-> MALWARE-OTHER Keylogger family cyber alert runtime detection - smtp traffic for recorded activities (malware-other.rules) * 1:13652 <-> DISABLED <-> PUA-ADWARE Keylogger all in one Keylogger runtime detection (pua-adware.rules) * 1:13767 <-> ENABLED <-> MALWARE-OTHER Keylogger cyber sitter runtime detection (malware-other.rules) * 1:13768 <-> DISABLED <-> MALWARE-OTHER Keylogger cyber sitter runtime detection (malware-other.rules) * 1:13778 <-> DISABLED <-> MALWARE-OTHER Keylogger kgb employee monitor runtime detection (malware-other.rules) * 1:13791 <-> DISABLED <-> INDICATOR-OBFUSCATION oversized cast statement - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:13812 <-> DISABLED <-> MALWARE-OTHER Keylogger refog Keylogger runtime detection (malware-other.rules) * 1:13987 <-> DISABLED <-> INDICATOR-OBFUSCATION oversized convert statement - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:13988 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to ascii function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:13989 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules) * 1:14008 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to concat function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:14039 <-> DISABLED <-> FILE-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt (file-other.rules) * 1:14040 <-> DISABLED <-> SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt (server-other.rules) * 1:14041 <-> DISABLED <-> SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt - 2 (server-other.rules) * 1:14065 <-> DISABLED <-> MALWARE-OTHER Keylogger emptybase j runtime detection (malware-other.rules) * 1:14074 <-> DISABLED <-> MALWARE-OTHER Keylogger spybosspro 4.2 runtime detection (malware-other.rules) * 1:14075 <-> DISABLED <-> MALWARE-OTHER Keylogger ultimate Keylogger pro runtime detection (malware-other.rules) * 1:1434 <-> DISABLED <-> SERVER-WEBAPP .bash_history access (server-webapp.rules) * 1:15169 <-> DISABLED <-> POLICY-SOCIAL XBOX Live Kerberos authentication request (policy-social.rules) * 1:15362 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (indicator-obfuscation.rules) * 1:15363 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential obfuscated javascript eval unescape attack attempt (indicator-obfuscation.rules) * 1:15414 <-> DISABLED <-> PROTOCOL-SCADA OMRON-FINS program area protect clear brute force attempt (protocol-scada.rules) * 1:15424 <-> DISABLED <-> SERVER-WEBAPP phpBB mod shoutbox sql injection attempt (server-webapp.rules) * 1:15425 <-> DISABLED <-> SERVER-WEBAPP phpBB mod tag board sql injection attempt (server-webapp.rules) * 1:15431 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt (browser-firefox.rules) * 1:15514 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt (server-other.rules) * 1:15584 <-> DISABLED <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules) * 1:15697 <-> DISABLED <-> INDICATOR-OBFUSCATION rename of javascript unescape function detected (indicator-obfuscation.rules) * 1:15701 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 2000 domain authentication bypass attempt (os-windows.rules) * 1:15850 <-> DISABLED <-> OS-WINDOWS Remote Desktop orderType remote code execution attempt (os-windows.rules) * 1:15861 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access (browser-plugins.rules) * 1:15863 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX function call access (browser-plugins.rules) * 1:15874 <-> DISABLED <-> SQL union select - possible sql injection attempt - POST parameter (sql.rules) * 1:16125 <-> DISABLED <-> MALWARE-OTHER Keylogger spyyahoo v2.2 runtime detection (malware-other.rules) * 1:16129 <-> DISABLED <-> MALWARE-OTHER Keylogger kamyab Keylogger v.3 runtime detection (malware-other.rules) * 1:16130 <-> DISABLED <-> MALWARE-OTHER Keylogger lord spy pro 1.4 runtime detection (malware-other.rules) * 1:16137 <-> DISABLED <-> MALWARE-OTHER Keylogger cheat monitor runtime detection (malware-other.rules) * 1:16207 <-> DISABLED <-> SERVER-WEBAPP MIT Kerberos V% KAdminD klog_vsyslog server overflow attempt (server-webapp.rules) * 1:16268 <-> ENABLED <-> MALWARE-CNC Win.Trojan.tdss.1.gen install-time detection - yournewsblog.net (malware-cnc.rules) * 1:16269 <-> ENABLED <-> MALWARE-CNC Win.Trojan.tdss.1.gen install-time detection - findzproportal1.com (malware-cnc.rules) * 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules) * 1:16350 <-> DISABLED <-> SERVER-OTHER ntp mode 7 denial of service attempt (server-other.rules) * 1:16354 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader start-of-file alternate header obfuscation (file-pdf.rules) * 1:1638 <-> DISABLED <-> INDICATOR-SCAN SSH Version map attempt (indicator-scan.rules) * 1:16390 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader alternate file magic obfuscation (file-pdf.rules) * 1:16455 <-> DISABLED <-> MALWARE-OTHER Keylogger egyspy keylogger 1.13 runtime detection (malware-other.rules) * 1:16524 <-> DISABLED <-> PROTOCOL-FTP ProFTPD username sql injection attempt (protocol-ftp.rules) * 1:16573 <-> DISABLED <-> BROWSER-PLUGINS obfuscated ActiveX object instantiation via unescape (browser-plugins.rules) * 1:16574 <-> DISABLED <-> BROWSER-PLUGINS obfuscated ActiveX object instantiation via fromCharCode (browser-plugins.rules) * 1:16742 <-> ENABLED <-> FILE-IDENTIFY remote desktop configuration file download request (file-identify.rules) * 1:16743 <-> DISABLED <-> FILE-OTHER Cain & Abel Remote Desktop Protocol file handling buffer overflow attempt (file-other.rules) * 1:17044 <-> ENABLED <-> SQL WinCC DB default password security bypass attempt (sql.rules) * 1:17111 <-> DISABLED <-> INDICATOR-OBFUSCATION known JavaScript obfuscation routine (indicator-obfuscation.rules) * 1:17153 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1 (browser-firefox.rules) * 1:17154 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 (browser-firefox.rules) * 1:17243 <-> DISABLED <-> SERVER-OTHER MIT Kerberos V5 krb5_recvauth double free attempt (server-other.rules) * 1:17265 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin access control bypass attempt (browser-firefox.rules) * 1:17273 <-> DISABLED <-> SERVER-OTHER MIT Kerberos V5 KDC krb5_unparse_name overflow attempt (server-other.rules) * 1:17274 <-> DISABLED <-> SERVER-OTHER MIT Kerberos V5 KDC krb5_unparse_name overflow attempt (server-other.rules) * 1:17291 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded uri data object found (indicator-obfuscation.rules) * 1:17353 <-> DISABLED <-> OS-SOLARIS Oracle Solaris printd Daemon Arbitrary File Deletion attempt (os-solaris.rules) * 1:17386 <-> DISABLED <-> SERVER-WEBAPP Lighttpd mod_fastcgi Extension CGI Variable Overwriting Vulnerability attempt (server-webapp.rules) * 1:17400 <-> DISABLED <-> INDICATOR-OBFUSCATION rename of javascript unescape function detected (indicator-obfuscation.rules) * 1:17444 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt (browser-firefox.rules) * 1:17571 <-> DISABLED <-> BROWSER-PLUGINS obfuscated instantiation of ActiveX object - likely malicious (browser-plugins.rules) * 1:18070 <-> DISABLED <-> FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt (file-office.rules) * 1:18071 <-> DISABLED <-> FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt (file-office.rules) * 1:18132 <-> DISABLED <-> INDICATOR-OBFUSCATION malware-associated JavaScript obfuscation function (indicator-obfuscation.rules) * 1:1817 <-> DISABLED <-> SERVER-IIS MS Site Server default login attempt (server-iis.rules) * 1:18179 <-> DISABLED <-> INDICATOR-SCAN Proxyfire.net anonymous proxy scan (indicator-scan.rules) * 1:18204 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (os-windows.rules) * 1:18205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book msoeres32.dll dll-load exploit attempt (os-windows.rules) * 1:18208 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdist.dll dll-load exploit attempt (os-windows.rules) * 1:18209 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdist.dll dll-load exploit attempt (os-windows.rules) * 1:18210 <-> DISABLED <-> OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt (os-windows.rules) * 1:18211 <-> DISABLED <-> OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt (os-windows.rules) * 1:18222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:18223 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (os-windows.rules) * 1:18224 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:18225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:18226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (os-windows.rules) * 1:18227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:18239 <-> DISABLED <-> INDICATOR-OBFUSCATION known malicious JavaScript decryption routine (indicator-obfuscation.rules) * 1:18241 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:18242 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access (browser-plugins.rules) * 1:18245 <-> DISABLED <-> BROWSER-PLUGINS Oracle Java browser plugin docbase overflow attempt (browser-plugins.rules) * 1:18277 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool fveapi.dll dll-load exploit attempt (os-windows.rules) * 1:18329 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access (browser-plugins.rules) * 1:18408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt (os-windows.rules) * 1:18413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt (os-windows.rules) * 1:18414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt (os-windows.rules) * 1:18426 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin sqlite.dll dll-load exploit attempt (file-other.rules) * 1:18431 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin sqlite.dll dll-load exploit attempt (file-pdf.rules) * 1:18432 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader d3dref9.dll dll-load exploit attempt (file-pdf.rules) * 1:18433 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader d3dref9.dll dll-load exploit attempt (file-other.rules) * 1:18434 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (file-other.rules) * 1:18435 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin agm.dll dll-load exploit attempt (file-other.rules) * 1:18436 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin bibutils.dll dll-load exploit attempt (file-other.rules) * 1:18437 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin cooltype.dll dll-load exploit attempt (file-other.rules) * 1:18438 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt (file-other.rules) * 1:18439 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (file-pdf.rules) * 1:18440 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin agm.dll dll-load exploit attempt (file-pdf.rules) * 1:18441 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin bibutils.dll dll-load exploit attempt (file-pdf.rules) * 1:18442 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin cooltype.dll dll-load exploit attempt (file-pdf.rules) * 1:18443 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt (file-pdf.rules) * 1:18445 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player nvapi.dll dll-load exploit attempt (file-flash.rules) * 1:18446 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player nvapi.dll dll-load exploit attempt (file-flash.rules) * 1:18488 <-> DISABLED <-> FILE-OTHER Adobe Photoshop wintab32.dll dll-load exploit attempt (file-other.rules) * 1:18493 <-> DISABLED <-> INDICATOR-OBFUSCATION generic PHP code obfuscation attempt (indicator-obfuscation.rules) * 1:18494 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules) * 1:18495 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules) * 1:18496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension ehtrace.dll dll-load exploit attempt (os-windows.rules) * 1:18499 <-> DISABLED <-> OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt (os-windows.rules) * 1:18500 <-> DISABLED <-> OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt (os-windows.rules) * 1:18529 <-> DISABLED <-> FILE-OTHER Adobe Premiere Pro ibfs32.dll dll-load exploit attempt (file-other.rules) * 1:18530 <-> DISABLED <-> FILE-OTHER Adobe Premier Pro ibfs32.dll dll-load exploit attempt (file-other.rules) * 1:18531 <-> DISABLED <-> SERVER-OTHER Multiple Vendors iacenc.dll dll-load exploit attempt (server-other.rules) * 1:18533 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC authentication denial of service attempt (server-other.rules) * 1:18534 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC authentication denial of service attempt (server-other.rules) * 1:18556 <-> DISABLED <-> SERVER-WEBAPP Symantec IM manager IMAdminReportTrendFormRun.asp sql injection attempt (server-webapp.rules) * 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules) * 1:1860 <-> DISABLED <-> SERVER-WEBAPP Linksys router default password login attempt (server-webapp.rules) * 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules) * 1:18619 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc40.dll dll-load exploit attempt (os-windows.rules) * 1:18620 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc42.dll dll-load exploit attempt (os-windows.rules) * 1:18621 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc80.dll dll-load exploit attempt (os-windows.rules) * 1:18622 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc90.dll dll-load exploit attempt (os-windows.rules) * 1:18623 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc100.dll dll-load exploit attempt (os-windows.rules) * 1:18625 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc40.dll dll-load exploit attempt (os-windows.rules) * 1:18626 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc42.dll dll-load exploit attempt (os-windows.rules) * 1:18627 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc80.dll dll-load exploit attempt (os-windows.rules) * 1:18628 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc90.dll dll-load exploit attempt (os-windows.rules) * 1:18629 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc100.dll dll-load exploit attempt (os-windows.rules) * 1:18717 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banker.QO variant outbound connection (malware-cnc.rules) * 1:18782 <-> DISABLED <-> MALWARE-CNC URI Request for known malicious URI - Chinese Rootkit.Win32.Fisp.a (malware-cnc.rules) * 1:18818 <-> DISABLED <-> FILE-IDENTIFY .chm attachment file type blocked by Outlook detected (file-identify.rules) * 1:18822 <-> DISABLED <-> FILE-IDENTIFY .cpl attachment file type blocked by Outlook detected (file-identify.rules) * 1:18831 <-> DISABLED <-> FILE-IDENTIFY .hta attachment file type blocked by Outlook detected (file-identify.rules) * 1:18901 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC Ticket validation double free memory corruption attempt (server-other.rules) * 1:18932 <-> DISABLED <-> SERVER-WEBAPP Jboss default configuration unauthorized application add attempt (server-webapp.rules) * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules) * 1:19036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules) * 1:19037 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules) * 1:19074 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript uuencoded noop sled attempt (indicator-obfuscation.rules) * 1:19075 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript uuencoded eval statement (indicator-obfuscation.rules) * 1:19079 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getElementById object corruption (browser-ie.rules) * 1:19081 <-> DISABLED <-> INDICATOR-OBFUSCATION known suspicious decryption routine (indicator-obfuscation.rules) * 1:19106 <-> DISABLED <-> MALWARE-OTHER Keylogger Ardamax keylogger runtime detection - http (malware-other.rules) * 1:19122 <-> DISABLED <-> POLICY-SPAM appledownload.com known spam email attempt (policy-spam.rules) * 1:1917 <-> DISABLED <-> INDICATOR-SCAN UPnP service discover attempt (indicator-scan.rules) * 1:19171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt (browser-ie.rules) * 1:19172 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt (browser-ie.rules) * 1:19311 <-> DISABLED <-> PUA-ADWARE Keylogger aspy v2.12 runtime detection (pua-adware.rules) * 1:19314 <-> DISABLED <-> OS-WINDOWS Groove GroovePerfmon.dll dll-load exploit attempt (os-windows.rules) * 1:19315 <-> DISABLED <-> OS-WINDOWS Microsoft Groove GroovePerfmon.dll dll-load exploit attempt (os-windows.rules) * 1:19318 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC UDP default U dun goofed attack (malware-other.rules) * 1:19319 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules) * 1:19324 <-> ENABLED <-> MALWARE-OTHER Keylogger WL-Keylogger inbound connection (malware-other.rules) * 1:19325 <-> DISABLED <-> MALWARE-OTHER Keylogger WL-Keylogger outbound connection (malware-other.rules) * 1:19392 <-> ENABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (malware-other.rules) * 1:19393 <-> DISABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (malware-other.rules) * 1:19437 <-> DISABLED <-> INDICATOR-OBFUSCATION select concat statement - possible sql injection (indicator-obfuscation.rules) * 1:19438 <-> ENABLED <-> SQL url ending in comment characters - possible sql injection attempt (sql.rules) * 1:19439 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:19440 <-> ENABLED <-> SQL 1 = 0 - possible sql injection attempt (sql.rules) * 1:19465 <-> DISABLED <-> OS-WINDOWS Visio mfc71 dll-load attempt (os-windows.rules) * 1:19466 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio mfc71 dll-load exploit attempt (file-office.rules) * 1:19551 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (malware-other.rules) * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules) * 1:19567 <-> DISABLED <-> PUA-ADWARE W32.Ackantta.C.mm mass-mailer outbound connection (pua-adware.rules) * 1:19568 <-> DISABLED <-> MALWARE-CNC Trojan-Spy.Win32.PerfectKeylogger variant outbound connection (malware-cnc.rules) * 1:19617 <-> DISABLED <-> FILE-OTHER Adobe Audition assist.dll dll-load exploit attempt (file-other.rules) * 1:19619 <-> DISABLED <-> FILE-OTHER Adobe Audition assist.dll dll-load exploit attempt (file-other.rules) * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules) * 1:19665 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - GET request (os-windows.rules) * 1:19671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (browser-ie.rules) * 1:19673 <-> DISABLED <-> OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt (os-windows.rules) * 1:19674 <-> DISABLED <-> OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt (os-windows.rules) * 1:19706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent.cer variant outbound connection (malware-cnc.rules) * 1:19741 <-> DISABLED <-> MALWARE-OTHER PWS.Win32.Scofted keylogger runtime detection (malware-other.rules) * 1:19779 <-> DISABLED <-> INDICATOR-SCAN sqlmap SQL injection scan attempt (indicator-scan.rules) * 1:19867 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized javascript encodings detected (indicator-obfuscation.rules) * 1:19868 <-> DISABLED <-> INDICATOR-OBFUSCATION hidden 1x1 div tag - potential malware obfuscation (indicator-obfuscation.rules) * 1:19884 <-> DISABLED <-> INDICATOR-OBFUSCATION String.fromCharCode with multiple encoding types detected (indicator-obfuscation.rules) * 1:19887 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:19888 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:19889 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded data object found (indicator-obfuscation.rules) * 1:19899 <-> ENABLED <-> MALWARE-OTHER Tong Keylogger outbound connectiooutbound connection (malware-other.rules) * 1:19900 <-> DISABLED <-> MALWARE-OTHER Tong Keylogger outbound connection (malware-other.rules) * 1:19901 <-> DISABLED <-> MALWARE-OTHER Tong Keylogger outbound connection (malware-other.rules) * 1:19925 <-> DISABLED <-> BROWSER-PLUGINS Novell iPrint ActiveX client browser plugin call-back-url buffer overflow attempt (browser-plugins.rules) * 1:19927 <-> DISABLED <-> MALWARE-BACKDOOR BRX Rat 0.02 inbound connection (malware-backdoor.rules) * 1:19933 <-> DISABLED <-> INDICATOR-SCAN DirBuster brute forcing tool detected (indicator-scan.rules) * 1:20047 <-> DISABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:20098 <-> DISABLED <-> MALWARE-CNC Win.Trojan.KeyLogger.wav variant outbound connection (malware-cnc.rules) * 1:20118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows shell extensions deskpan.dll dll-load exploit attempt (os-windows.rules) * 1:20119 <-> DISABLED <-> OS-WINDOWS Microsoft Windows shell extensions deskpan.dll dll-load exploit attempt (os-windows.rules) * 1:20137 <-> DISABLED <-> INDICATOR-OBFUSCATION Possible generic javascript heap spray attempt (indicator-obfuscation.rules) * 1:20158 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish Server default credentials login attempt (server-webapp.rules) * 1:20175 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access (browser-plugins.rules) * 1:20212 <-> DISABLED <-> SERVER-OTHER SSL CBC encryption mode weakness brute force attempt (server-other.rules) * 1:20253 <-> DISABLED <-> OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt (os-windows.rules) * 1:20254 <-> DISABLED <-> OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt (os-windows.rules) * 1:20274 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP NetShareEnumAll request (netbios.rules) * 1:20276 <-> DISABLED <-> INDICATOR-OBFUSCATION standard ASCII encoded with UTF-8 possible evasion detected (indicator-obfuscation.rules) * 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules) * 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules) * 1:20593 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt (browser-webkit.rules) * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:20691 <-> DISABLED <-> POLICY-OTHER Cisco Network Registrar default credentials authentication attempt (policy-other.rules) * 1:20692 <-> DISABLED <-> POLICY-OTHER Cisco network registrar default credentials authentication attempt (policy-other.rules) * 1:20700 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp7x32.dll dll-load exploit attempt (file-office.rules) * 1:20701 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp4x322.dll dll-load exploit attempt (file-office.rules) * 1:20702 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp7x32.dll dll-load exploit attempt (file-office.rules) * 1:20703 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp4x322.dll dll-load exploit attempt (file-office.rules) * 1:20995 <-> DISABLED <-> POLICY-OTHER HP SiteScope integrationViewer default credentials policy-bypass attempt (policy-other.rules) * 1:20996 <-> DISABLED <-> POLICY-OTHER HP SiteScope integrationViewer default credentials policy-bypass attempt (policy-other.rules) * 1:21037 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized javascript encodings detected (indicator-obfuscation.rules) * 1:21038 <-> DISABLED <-> INDICATOR-OBFUSCATION String.fromCharCode with multiple encoding types detected (indicator-obfuscation.rules) * 1:21039 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:21040 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:21088 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote desktop denial of service attempt (os-windows.rules) * 1:21089 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote desktop oversized cookie attempt (os-windows.rules) * 1:21108 <-> DISABLED <-> EXPLOIT-KIT unknown exploit kit obfuscated landing page (exploit-kit.rules) * 1:21117 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell (indicator-compromise.rules) * 1:21118 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell security information display (indicator-compromise.rules) * 1:21119 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell interactive file system information display (indicator-compromise.rules) * 1:21120 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell interactive console display (indicator-compromise.rules) * 1:21121 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell interactive SQL display (indicator-compromise.rules) * 1:21129 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell (indicator-compromise.rules) * 1:21130 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell enumeration page (indicator-compromise.rules) * 1:21131 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell domain lookup page (indicator-compromise.rules) * 1:21132 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell sql interaction page (indicator-compromise.rules) * 1:21133 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell encoder page (indicator-compromise.rules) * 1:21134 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell security information page (indicator-compromise.rules) * 1:21135 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell password cracking page (indicator-compromise.rules) * 1:21136 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell security bypass page (indicator-compromise.rules) * 1:21137 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell tools page (indicator-compromise.rules) * 1:21138 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell database parsing page (indicator-compromise.rules) * 1:21139 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell spread shell page (indicator-compromise.rules) * 1:21140 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell kill shell page (indicator-compromise.rules) * 1:21232 <-> DISABLED <-> SERVER-OTHER Remote Desktop Protocol brute force attempt (server-other.rules) * 1:21282 <-> ENABLED <-> FILE-IDENTIFY XSL file download request (file-identify.rules) * 1:21283 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules) * 1:21284 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules) * 1:21285 <-> ENABLED <-> FILE-IDENTIFY XSLT file download request (file-identify.rules) * 1:21286 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules) * 1:21287 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules) * 1:21289 <-> DISABLED <-> OS-WINDOWS Microsoft Color Control Panel STI.dll dll-load exploit attempt (os-windows.rules) * 1:21290 <-> DISABLED <-> OS-WINDOWS Microsoft Color Control Panel STI.dll dll-load exploit attempt (os-windows.rules) * 1:213 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit attempt (malware-backdoor.rules) * 1:21310 <-> DISABLED <-> OS-WINDOWS Microsoft product fputlsat.dll dll-load exploit attempt (os-windows.rules) * 1:21318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FakeAV TDSS/PurpleHaze variant outbound connection - base64 encoded (malware-cnc.rules) * 1:21322 <-> DISABLED <-> FILE-OTHER Multiple products version.dll dll-load exploit attempt (file-other.rules) * 1:21323 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player atl.dll dll-load exploit attempt (file-flash.rules) * 1:21324 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player uxtheme.dll dll-load exploit attempt (file-flash.rules) * 1:21377 <-> DISABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager sql injection attempt (server-webapp.rules) * 1:214 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x (malware-backdoor.rules) * 1:21442 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - base64 encoded (malware-cnc.rules) * 1:2145 <-> DISABLED <-> SERVER-WEBAPP TextPortal admin.php default password admin attempt (server-webapp.rules) * 1:2146 <-> DISABLED <-> SERVER-WEBAPP TextPortal admin.php default password 12345 attempt (server-webapp.rules) * 1:21478 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules) * 1:21479 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules) * 1:21489 <-> DISABLED <-> FILE-OTHER Microsoft Windows chm file malware related exploit (file-other.rules) * 1:215 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit attempt (malware-backdoor.rules) * 1:21519 <-> DISABLED <-> INDICATOR-OBFUSCATION Dadongs obfuscated javascript (indicator-obfuscation.rules) * 1:21550 <-> ENABLED <-> MALWARE-BACKDOOR ToolsPack PHP Backdoor access (malware-backdoor.rules) * 1:21567 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design wintab32.dll dll-load exploit attempt (os-windows.rules) * 1:21577 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - charcode (indicator-obfuscation.rules) * 1:21578 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - eval (indicator-obfuscation.rules) * 1:21579 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:21580 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:21582 <-> DISABLED <-> FILE-PDF PDF obfuscation attempt (file-pdf.rules) * 1:216 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit satori attempt (malware-backdoor.rules) * 1:21637 <-> DISABLED <-> POLICY-SPAM local user attempted to fill out paypal phishing form (policy-spam.rules) * 1:2176 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder access (os-windows.rules) * 1:2177 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder unicode access (os-windows.rules) * 1:21778 <-> DISABLED <-> SQL parameter ending in comment characters - possible sql injection attempt - POST (sql.rules) * 1:21779 <-> DISABLED <-> SQL parameter ending in encoded comment characters - possible sql injection attempt - POST (sql.rules) * 1:21780 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded waitfor delay function in POST - possible sql injection attempt (indicator-obfuscation.rules) * 1:21781 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded union select function in POST - possible sql injection attempt (indicator-obfuscation.rules) * 1:21782 <-> DISABLED <-> INDICATOR-OBFUSCATION script tag in POST parameters - likely cross-site scripting (indicator-obfuscation.rules) * 1:21783 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting (indicator-obfuscation.rules) * 1:21784 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting (indicator-obfuscation.rules) * 1:21785 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript escape function in POST parameters - likely javascript injection (indicator-obfuscation.rules) * 1:21786 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection (indicator-obfuscation.rules) * 1:21787 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection (indicator-obfuscation.rules) * 1:21938 <-> DISABLED <-> PROTOCOL-TELNET RuggedCom default backdoor login attempt (protocol-telnet.rules) * 1:21947 <-> DISABLED <-> MALWARE-CNC Win.Trojan.VicSpy.A variant outbound connection (malware-cnc.rules) * 1:22033 <-> ENABLED <-> MALWARE-CNC Apple OSX Flashback malware variant outbound connection (malware-cnc.rules) * 1:22034 <-> ENABLED <-> MALWARE-CNC Apple OSX Flashback malware variant outbound connection (malware-cnc.rules) * 1:22053 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Insomnia variant inbound connection - post infection (malware-cnc.rules) * 1:22061 <-> ENABLED <-> MALWARE-OTHER Alureon - Malicious IFRAME load attempt (malware-other.rules) * 1:22071 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - eval (indicator-obfuscation.rules) * 1:22072 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:22073 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - unescape (indicator-obfuscation.rules) * 1:22074 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - charCode (indicator-obfuscation.rules) * 1:2230 <-> DISABLED <-> SERVER-WEBAPP NetGear router default password login attempt admin/password (server-webapp.rules) * 1:2273 <-> DISABLED <-> PROTOCOL-IMAP login brute force attempt (protocol-imap.rules) * 1:2274 <-> DISABLED <-> PROTOCOL-POP login brute force attempt (protocol-pop.rules) * 1:2275 <-> DISABLED <-> SERVER-MAIL AUTH LOGON brute force attempt (server-mail.rules) * 1:22969 <-> ENABLED <-> FILE-IDENTIFY remote desktop configuration file attachment detected (file-identify.rules) * 1:22970 <-> ENABLED <-> FILE-IDENTIFY remote desktop configuration file attachment detected (file-identify.rules) * 1:23018 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules) * 1:23085 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - join (indicator-obfuscation.rules) * 1:23086 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - push (indicator-obfuscation.rules) * 1:23087 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - xval (indicator-obfuscation.rules) * 1:23088 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - qweqwe (indicator-obfuscation.rules) * 1:23089 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript strings - obfuscation pattern (indicator-obfuscation.rules) * 1:23113 <-> DISABLED <-> INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious (indicator-obfuscation.rules) * 1:23114 <-> DISABLED <-> INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious (indicator-obfuscation.rules) * 1:23160 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:23161 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - eval (indicator-obfuscation.rules) * 1:23164 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online ncrypt.dll dll-load exploit attempt (server-other.rules) * 1:23165 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online wlanapi.dll dll-load exploit attempt (server-other.rules) * 1:23226 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript error suppression routine (indicator-obfuscation.rules) * 1:233 <-> DISABLED <-> MALWARE-OTHER Trin00 Attacker to Master default startup password (malware-other.rules) * 1:23316 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word imeshare.dll dll-load exploit attempt (file-office.rules) * 1:2334 <-> DISABLED <-> PROTOCOL-FTP Yak! FTP server default account login attempt (protocol-ftp.rules) * 1:234 <-> DISABLED <-> MALWARE-OTHER Trin00 Attacker to Master default password (malware-other.rules) * 1:23481 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in setTimeout call (indicator-obfuscation.rules) * 1:23482 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in addEventListener call (indicator-obfuscation.rules) * 1:235 <-> DISABLED <-> MALWARE-OTHER Trin00 Attacker to Master default mdie password (malware-other.rules) * 1:23601 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan default agent string (indicator-scan.rules) * 1:23602 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan Firefox agent string (indicator-scan.rules) * 1:23603 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan MSIE agent string (indicator-scan.rules) * 1:23604 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan iPhone agent string (indicator-scan.rules) * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:23620 <-> ENABLED <-> MALWARE-OTHER Malvertising network attempted redirect (malware-other.rules) * 1:23621 <-> DISABLED <-> INDICATOR-OBFUSCATION known packer routine with secondary obfuscation (indicator-obfuscation.rules) * 1:23636 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder (indicator-obfuscation.rules) * 1:237 <-> DISABLED <-> MALWARE-OTHER Trin00 Master to Daemon default password attempt (malware-other.rules) * 1:23757 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules) * 1:23780 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Begfanit.A outbound connection (malware-cnc.rules) * 1:23829 <-> DISABLED <-> INDICATOR-COMPROMISE Loaderz Web Shell (indicator-compromise.rules) * 1:23830 <-> DISABLED <-> INDICATOR-COMPROMISE Alsa3ek Web Shell (indicator-compromise.rules) * 1:23831 <-> DISABLED <-> INDICATOR-OBFUSCATION non-alphanumeric javascript detected (indicator-obfuscation.rules) * 1:23832 <-> DISABLED <-> INDICATOR-OBFUSCATION non-alphanumeric javascript detected (indicator-obfuscation.rules) * 1:23934 <-> DISABLED <-> SERVER-WEBAPP Symantec Web Gateway blocked.php blind sql injection attempt (server-webapp.rules) * 1:23947 <-> DISABLED <-> SQL IBM System Storage DS storage manager profiler sql injection attempt (sql.rules) * 1:23985 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime plugin SetLanguage buffer overflow attempt (browser-plugins.rules) * 1:23986 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime plugin SetLanguage buffer overflow attempt (browser-plugins.rules) * 1:24008 <-> DISABLED <-> POLICY-OTHER use of psexec remote administration tool (policy-other.rules) * 1:2406 <-> DISABLED <-> PROTOCOL-TELNET APC SmartSlot default admin account attempt (protocol-telnet.rules) * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules) * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules) * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules) * 1:24096 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules) * 1:24097 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules) * 1:24098 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules) * 1:24167 <-> DISABLED <-> INDICATOR-OBFUSCATION document write of unescaped value with remote script (indicator-obfuscation.rules) * 1:24168 <-> DISABLED <-> INDICATOR-OBFUSCATION hidden iframe - potential include of malicious content (indicator-obfuscation.rules) * 1:24243 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - base64 encoded (malware-cnc.rules) * 1:24306 <-> DISABLED <-> SERVER-APACHE HP Operations Dashboard Apache Tomcat default admin account access attempt (server-apache.rules) * 1:24360 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Kerberos NULL session denial of service attempt (os-windows.rules) * 1:24368 <-> ENABLED <-> MALWARE-CNC Lizamoon sql injection campaign phone-home (malware-cnc.rules) * 1:24369 <-> DISABLED <-> MALWARE-CNC Lizamoon sql injection campaign ur.php response detected (malware-cnc.rules) * 1:24372 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:24426 <-> DISABLED <-> MALWARE-OTHER Java.Trojan.Jacksbot class download (malware-other.rules) * 1:24435 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt (server-webapp.rules) * 1:24436 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt (server-webapp.rules) * 1:24517 <-> DISABLED <-> SERVER-WEBAPP F5 Networks FirePass my.activation.php3 state parameter sql injection attempt (server-webapp.rules) * 1:24629 <-> DISABLED <-> SERVER-WEBAPP Oracle Fusion Middleware WebCenter selectedLocale parameter sql injection attempt (server-webapp.rules) * 1:24704 <-> DISABLED <-> SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt (server-webapp.rules) * 1:24705 <-> DISABLED <-> SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt (server-webapp.rules) * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice arbitrary file deletion attempt (server-webapp.rules) * 1:24801 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager Express asset.getmimetype sql injection attempt (server-webapp.rules) * 1:24814 <-> DISABLED <-> PROTOCOL-SNMP Samsung printer default community string (protocol-snmp.rules) * 1:25010 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Perflog variant outbound connection (malware-cnc.rules) * 1:25060 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveX multiple adjacent object tags (indicator-obfuscation.rules) * 1:25106 <-> DISABLED <-> MALWARE-BACKDOOR UnrealIRCd backdoor command execution attempt (malware-backdoor.rules) * 1:25391 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit obfuscated payload download (exploit-kit.rules) * 1:25451 <-> ENABLED <-> INDICATOR-OBFUSCATION GIF header followed by PDF header (indicator-obfuscation.rules) * 1:25452 <-> ENABLED <-> INDICATOR-OBFUSCATION PNG header followed by PDF header (indicator-obfuscation.rules) * 1:25453 <-> ENABLED <-> INDICATOR-OBFUSCATION JPEG header followed by PDF header (indicator-obfuscation.rules) * 1:25454 <-> ENABLED <-> INDICATOR-OBFUSCATION DOC header followed by PDF header (indicator-obfuscation.rules) * 1:25455 <-> ENABLED <-> INDICATOR-OBFUSCATION GIF header followed by PDF header (indicator-obfuscation.rules) * 1:25456 <-> ENABLED <-> INDICATOR-OBFUSCATION PNG header followed by PDF header (indicator-obfuscation.rules) * 1:25457 <-> ENABLED <-> INDICATOR-OBFUSCATION JPEG header followed by PDF header (indicator-obfuscation.rules) * 1:25458 <-> ENABLED <-> INDICATOR-OBFUSCATION DOC header followed by PDF header (indicator-obfuscation.rules) * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:25503 <-> ENABLED <-> MALWARE-CNC Necurs Rootkit sba.cgi (malware-cnc.rules) * 1:25504 <-> ENABLED <-> MALWARE-CNC Necurs Rootkit op.cgi (malware-cnc.rules) * 1:25562 <-> DISABLED <-> FILE-JAVA Oracle Java obfuscated jar file download attempt (file-java.rules) * 1:25567 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - POST request (os-windows.rules) * 1:25577 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST (malware-cnc.rules) * 1:25578 <-> ENABLED <-> MALWARE-OTHER Fake postal receipt HTTP Response phishing attack (malware-other.rules) * 1:25579 <-> ENABLED <-> MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack (malware-other.rules) * 1:25580 <-> ENABLED <-> MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack (malware-other.rules) * 1:25592 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated document command - used in IFRAMEr tool injection (indicator-obfuscation.rules) * 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules) * 1:25783 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:2579 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow TCP (server-other.rules) * 1:25907 <-> DISABLED <-> SERVER-WEBAPP PHPmyadmin brute force login attempt - User-Agent User-Agent (server-webapp.rules) * 1:25983 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (indicator-obfuscation.rules) * 1:26040 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt (exploit-kit.rules) * 1:26070 <-> ENABLED <-> FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt (file-executable.rules) * 1:26071 <-> ENABLED <-> FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt (file-executable.rules) * 1:26092 <-> ENABLED <-> INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages (indicator-obfuscation.rules) * 1:26101 <-> ENABLED <-> INDICATOR-OBFUSCATION String.fromCharCode concatenation (indicator-obfuscation.rules) * 1:26261 <-> ENABLED <-> MALWARE-OTHER Fake postal receipt HTTP Response phishing attack (malware-other.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules) * 1:26349 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit obfuscated portable executable (exploit-kit.rules) * 1:26352 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits (indicator-obfuscation.rules) * 1:26440 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected (indicator-obfuscation.rules) * 1:26441 <-> ENABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected (indicator-obfuscation.rules) * 1:26451 <-> DISABLED <-> INDICATOR-OBFUSCATION g01pack Javascript substr function wrapper attempt (indicator-obfuscation.rules) * 1:26565 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules) * 1:26566 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules) * 1:26567 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules) * 1:26568 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules) * 1:26592 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt (browser-webkit.rules) * 1:26595 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript hex character extraction routine detected (indicator-obfuscation.rules) * 1:26596 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript fromCharCode xor decryption routine detected (indicator-obfuscation.rules) * 1:26615 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript substr rename attempt (indicator-obfuscation.rules) * 1:26616 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript indexOf rename attempt (indicator-obfuscation.rules) * 1:26619 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious (indicator-obfuscation.rules) * 1:26620 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious (indicator-obfuscation.rules) * 1:26639 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value (browser-ie.rules) * 1:26640 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value (browser-ie.rules) * 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules) * 1:26660 <-> ENABLED <-> MALWARE-OTHER Fake delivery information phishing attack (malware-other.rules) * 1:26689 <-> DISABLED <-> OS-MOBILE Android Denofow phone information exfiltration (os-mobile.rules) * 1:26693 <-> DISABLED <-> OS-MOBILE Android Antammi device information exfiltration (os-mobile.rules) * 1:26705 <-> DISABLED <-> OS-MOBILE Android Ewalls device information exfiltration (os-mobile.rules) * 1:26759 <-> DISABLED <-> SERVER-OTHER MIT Kerberos libkdb_ldap principal name handling denial of service attempt (server-other.rules) * 1:26769 <-> DISABLED <-> SERVER-OTHER MIT Kerberos kpasswd process_chpw_request denial of service attempt (server-other.rules) * 1:26774 <-> ENABLED <-> MALWARE-CNC Win.Worm.Luder variant outbound connection (malware-cnc.rules) * 1:26803 <-> ENABLED <-> MALWARE-OTHER DNS data exfiltration attempt (malware-other.rules) * 1:27073 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules) * 1:27074 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules) * 1:27119 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple plugin version detection attempt (indicator-obfuscation.rules) * 1:27193 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:27194 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:27195 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules) * 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules) * 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules) * 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules) * 1:27258 <-> DISABLED <-> INDICATOR-OBFUSCATION eval large block of fromCharCode (indicator-obfuscation.rules) * 1:27259 <-> DISABLED <-> INDICATOR-OBFUSCATION eval large block of fromCharCode (indicator-obfuscation.rules) * 1:27272 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:27286 <-> DISABLED <-> SERVER-WEBAPP DuWare DuClassmate default.asp iCity sql injection attempt (server-webapp.rules) * 1:27287 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:27288 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:27538 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name (malware-other.rules) * 1:27592 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:27593 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split (indicator-obfuscation.rules) * 1:27729 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /Silic.jsp (indicator-compromise.rules) * 1:27730 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /css3.jsp (indicator-compromise.rules) * 1:27731 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /inback.jsp (indicator-compromise.rules) * 1:27732 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /jspspy.jsp (indicator-compromise.rules) * 1:27735 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool usage (indicator-obfuscation.rules) * 1:27736 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:27756 <-> DISABLED <-> SERVER-WEBAPP RedHat Piranha Virtual Server Package default passwd and arbitrary command execution attempt (server-webapp.rules) * 1:27774 <-> ENABLED <-> MALWARE-CNC RDN Banker Data Exfiltration (malware-cnc.rules) * 1:27919 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration (malware-cnc.rules) * 1:27920 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:27956 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (malware-other.rules) * 1:27957 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (malware-other.rules) * 1:27958 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (malware-other.rules) * 1:27959 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (malware-other.rules) * 1:27960 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (malware-other.rules) * 1:27961 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (malware-other.rules) * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:27967 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:28002 <-> DISABLED <-> INDICATOR-SCAN UPnP WANPPPConnection (indicator-scan.rules) * 1:28003 <-> DISABLED <-> INDICATOR-SCAN UPnP WANIPConnection (indicator-scan.rules) * 1:28023 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28024 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28025 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28149 <-> DISABLED <-> SERVER-OTHER Quest Software Big Brother attempted arbitrary file deletion (server-other.rules) * 1:28255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz Potential phishing URL (malware-cnc.rules) * 1:28278 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager express user.updateUserValue sql injection attempt (server-webapp.rules) * 1:28301 <-> DISABLED <-> INDICATOR-SCAN User-Agent known malicious user-agent Masscan (indicator-scan.rules) * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:28344 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to chr function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:28345 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28346 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28349 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:28350 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:28351 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:28399 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Tsunami outbound connection (malware-cnc.rules) * 1:28420 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28421 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28422 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28552 <-> DISABLED <-> INDICATOR-SCAN inbound probing for IPTUX messenger port (indicator-scan.rules) * 1:28609 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit obfuscated exploit payload download (exploit-kit.rules) * 1:28629 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:28630 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:28811 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28812 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28831 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro d2d1.dll dll-load exploit attempt (file-other.rules) * 1:28833 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt (file-other.rules) * 1:28834 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt (file-other.rules) * 1:28835 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt (file-other.rules) * 1:28836 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wintab32.dll dll-load exploit attempt (file-other.rules) * 1:28837 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro d2d1.dll dll-load exploit attempt (file-other.rules) * 1:28839 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt (file-other.rules) * 1:28840 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt (file-other.rules) * 1:28841 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt (file-other.rules) * 1:28842 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wintab32.dll dll-load exploit attempt (file-other.rules) * 1:28908 <-> DISABLED <-> SERVER-OTHER Nagios core config manager tfpassword sql injection attempt (server-other.rules) * 1:28931 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHM file load attempt (browser-ie.rules) * 1:28932 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHM file load attempt (browser-ie.rules) * 1:28941 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28976 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent.DF - Data Exfiltration (malware-cnc.rules) * 1:28978 <-> DISABLED <-> FILE-OTHER CHM LZX compression reset interval anti-virus evasion attempt (file-other.rules) * 1:28979 <-> DISABLED <-> FILE-OTHER CHM LZX compression reset interval anti-virus evasion attempt (file-other.rules) * 1:28991 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Qakbot FTP data exfiltration (malware-cnc.rules) * 1:29031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant inbound connection (malware-cnc.rules) * 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules) * 1:29190 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in Nuclear exploit kit (indicator-obfuscation.rules) * 1:29213 <-> ENABLED <-> INDICATOR-OBFUSCATION potential math library debugging (indicator-obfuscation.rules) * 1:29261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (malware-cnc.rules) * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules) * 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules) * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules) * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules) * 1:29393 <-> DISABLED <-> SERVER-OTHER ntp monlist denial of service attempt (server-other.rules) * 1:29394 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit QuickTime plugin content-type http header buffer overflow attempt (browser-webkit.rules) * 1:29396 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip receipt filename download with .exe name within .zip the same (policy-spam.rules) * 1:29397 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip shipping filename download with .exe name within .zip the same (policy-spam.rules) * 1:29398 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip voicemail filename download with .exe name within .zip the same (policy-spam.rules) * 1:29399 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip statement filename download with .exe name within .zip the same (policy-spam.rules) * 1:29462 <-> ENABLED <-> INDICATOR-SCAN User-Agent known malicious user-agent The Mole (indicator-scan.rules) * 1:29509 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple character encodings detected (indicator-obfuscation.rules) * 1:29510 <-> ENABLED <-> INDICATOR-OBFUSCATION Multiple character encodings detected (indicator-obfuscation.rules) * 1:29519 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join (indicator-obfuscation.rules) * 1:29580 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVG data processing obfuscated memory corruption attempt (browser-firefox.rules) * 1:29608 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO showRegisteredTypeDetails.do sql injection attempt (server-webapp.rules) * 1:29609 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO DisplayMSAPropsDetail.do sql injection attempt (server-webapp.rules) * 1:29615 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keylogger outbound connection (malware-cnc.rules) * 1:29616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keylogger inbound connection (malware-cnc.rules) * 1:29620 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop malformed PNG detected tRNS overflow attempt (file-image.rules) * 1:29680 <-> DISABLED <-> BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt (browser-plugins.rules) * 1:29681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt (browser-plugins.rules) * 1:29745 <-> DISABLED <-> INDICATOR-OBFUSCATION Alternating character encodings - JS variable (indicator-obfuscation.rules) * 1:29756 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager express user.updateUserValue sql injection attempt (server-webapp.rules) * 1:29789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Careto plugin download (malware-cnc.rules) * 1:29790 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Careto plugin download (malware-cnc.rules) * 1:29791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Careto plugin download (malware-cnc.rules) * 1:29807 <-> DISABLED <-> INDICATOR-OBFUSCATION Alternating character encodings - JS array (indicator-obfuscation.rules) * 1:29813 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized HTML number encodings detected in clsid access attempt (indicator-obfuscation.rules) * 1:29869 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Napolar phishing attack (malware-cnc.rules) * 1:29886 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Crypi.A outbound keylogger traffic (malware-cnc.rules) * 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules) * 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (exploit-kit.rules) * 1:30040 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:30041 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:30281 <-> DISABLED <-> POLICY-OTHER use of psexec remote administration tool SMBv2 (policy-other.rules) * 1:30327 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple binary tags in close proximity - potentially malicious (indicator-obfuscation.rules) * 1:30328 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple binary tags in close proximity - potentially malicious (indicator-obfuscation.rules) * 1:30392 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload cmd_windows_reverse_powershell (indicator-shellcode.rules) * 1:30567 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt (malware-other.rules) * 1:30568 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt (malware-other.rules) * 1:30569 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent Funeral ceremony phishing attempt (malware-other.rules) * 1:30982 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Karnos variant outbound connection (malware-cnc.rules) * 1:31070 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs outbound connection (malware-cnc.rules) * 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules) * 1:31301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (browser-ie.rules) * 1:31303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadeki variant outbound connection (malware-cnc.rules) * 1:31411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31412 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31415 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31416 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:3152 <-> DISABLED <-> SQL sa brute force failed login attempt (sql.rules) * 1:31556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke HTTP data exfiltration attempt (malware-cnc.rules) * 1:31564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke FTP data exfiltration (malware-cnc.rules) * 1:31711 <-> DISABLED <-> INDICATOR-COMPROMISE Keylog string over FTP detected (indicator-compromise.rules) * 1:31764 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules) * 1:31765 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules) * 1:31806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nighthunter data exfiltration attempt (malware-cnc.rules) * 1:31807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nighthunter data exfiltration attempt (malware-cnc.rules) * 1:31830 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules) * 1:31831 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules) * 1:31846 <-> DISABLED <-> POLICY-OTHER HP Universal CMDB default credentials authentication attempt (policy-other.rules) * 1:31857 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules) * 1:31858 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules) * 1:31859 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (exploit-kit.rules) * 1:31874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt (os-windows.rules) * 1:32001 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules) * 1:32008 <-> ENABLED <-> MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack (malware-other.rules) * 1:32068 <-> DISABLED <-> POLICY-OTHER SolarWinds Log and Event Manager default credentials authentication attempt (policy-other.rules) * 1:32102 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules) * 1:32103 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules) * 1:32104 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules) * 1:32105 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules) * 1:32204 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules) * 1:32205 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules) * 1:32312 <-> DISABLED <-> MALWARE-CNC FrameworkPOS data exfiltration through DNS - beacon message (malware-cnc.rules) * 1:32355 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript variable obfuscation (indicator-obfuscation.rules) * 1:32501 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (file-other.rules) * 1:32502 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (file-other.rules) * 1:32526 <-> DISABLED <-> POLICY-OTHER Visual Mining NetCharts default credentials authentication attempt (policy-other.rules) * 1:32602 <-> DISABLED <-> POLICY-OTHER ManageEngine Eventlog Analyzer credential disclosure attempt (policy-other.rules) * 1:3273 <-> DISABLED <-> SQL sa brute force failed login unicode attempt (sql.rules) * 1:32740 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:32741 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:32755 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (server-other.rules) * 1:32756 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (server-other.rules) * 1:32757 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (server-other.rules) * 1:32758 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (server-other.rules) * 1:32759 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (server-other.rules) * 1:32760 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (server-other.rules) * 1:32771 <-> DISABLED <-> MALWARE-OTHER Adobe Invoice email scam phishing attempt (malware-other.rules) * 1:32772 <-> DISABLED <-> MALWARE-OTHER Adobe License Key email scam phishing attempt (malware-other.rules) * 1:32804 <-> ENABLED <-> EXPLOIT-KIT known malicious javascript packer detected (exploit-kit.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:32890 <-> DISABLED <-> SERVER-OTHER ntpd configure buffer overflow attempt (server-other.rules) * 1:32945 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (file-identify.rules) * 1:32946 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (file-identify.rules) * 1:32947 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file download request (file-identify.rules) * 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules) * 1:32949 <-> DISABLED <-> MALWARE-OTHER Download of executable screensaver file (malware-other.rules) * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules) * 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules) * 1:33221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules) * 1:33222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules) * 1:33223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules) * 1:33547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Turla outbound connection (malware-cnc.rules) * 1:33566 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt (browser-firefox.rules) * 1:33656 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak data exfiltration attempt (malware-cnc.rules) * 1:33857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PwnPOS data exfiltration attempt (malware-cnc.rules) * 1:33886 <-> ENABLED <-> MALWARE-CNC WIn.Trojan.HawkEye keylogger variant outbound connection (malware-cnc.rules) * 1:33939 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (malware-other.rules) * 1:33940 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (malware-other.rules) * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:33983 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit obfuscated file download (exploit-kit.rules) * 1:34037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound connection (malware-cnc.rules) * 1:34112 <-> DISABLED <-> SERVER-OTHER NTP mode 6 REQ_NONCE denial of service attempt (server-other.rules) * 1:34114 <-> DISABLED <-> SERVER-OTHER NTP mode 6 UNSETTRAP denial of service attempt (server-other.rules) * 1:34118 <-> DISABLED <-> INDICATOR-OBFUSCATION known malicious javascript packer detected (indicator-obfuscation.rules) * 1:34226 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple AV products evasion attempt (indicator-obfuscation.rules) * 1:34227 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple AV products evasion attempt (indicator-obfuscation.rules) * 1:34295 <-> DISABLED <-> SQL Lblog possible sql injection attempt - GET parameter (sql.rules) * 1:34345 <-> DISABLED <-> POLICY-OTHER Red Hat OpenStack default password login attempt (policy-other.rules) * 1:34446 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Odlanor information exfiltration attempt (malware-cnc.rules) * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules) * 1:34709 <-> DISABLED <-> SERVER-OTHER MIT Kerberos MIT Kerberos 5 krb5_read_message denial of service attempt (server-other.rules) * 1:34890 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro u32ZLib.dll dll-load exploit attempt (file-other.rules) * 1:34891 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro u32Zlib.dll dll-load exploit attempt (file-other.rules) * 1:34892 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro quserex.dll dll-load exploit attempt (file-other.rules) * 1:34893 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro quserex.dll dll-load exploit attempt (file-other.rules) * 1:34894 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro FxManagedCommands dll-load exploit attempt (file-other.rules) * 1:34895 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro FxManagedCommands dll-load exploit attempt (file-other.rules) * 1:34896 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro TD_Mgd_3.08_9.dll dll-load exploit attempt (file-other.rules) * 1:34897 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro TD_Mgd_3.08_9.dll dll-load exploit attempt (file-other.rules) * 1:34898 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wacommt.dll dll-load exploit attempt (file-other.rules) * 1:34899 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wacommt.dll dll-load exploit attempt (file-other.rules) * 1:34900 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro igfxcmrt32.dll dll-load exploit attempt (file-other.rules) * 1:34901 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro igfxcmrt32.dll dll-load exploit attempt (file-other.rules) * 1:34902 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt (file-other.rules) * 1:34903 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro MSPStyleLib.dll dll-load exploit attempt (file-other.rules) * 1:34904 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro MSPStyleLib.dll dll-load exploit attempt (file-other.rules) * 1:34905 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uFioUtil.dll dll-load exploit attempt (file-other.rules) * 1:34906 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uFioUtil.dll dll-load exploit attempt (file-other.rules) * 1:34907 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uhDSPlay.dll dll-load exploit attempt (file-other.rules) * 1:34908 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uhDSPlay.dll dll-load exploit attempt (file-other.rules) * 1:34909 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt (file-other.rules) * 1:34910 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt (file-other.rules) * 1:34911 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll.dll dll-load exploit attempt (file-other.rules) * 1:34912 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll.dll dll-load exploit attempt (file-other.rules) * 1:34913 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll_SSE3.dll dll-load exploit attempt (file-other.rules) * 1:34914 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll_SSE3.dll dll-load exploit attempt (file-other.rules) * 1:34915 <-> DISABLED <-> NETBIOS SMB Corel PaintShop Pro quserex.dll dll-load exploit attempt (netbios.rules) * 1:34916 <-> DISABLED <-> NETBIOS SMB Corel PaintShop Pro u32zlib.dll dll-load exploit attempt (netbios.rules) * 1:34944 <-> DISABLED <-> POLICY-OTHER Arcserve Unified Data Protection Management credential disclosure attempt (policy-other.rules) * 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection (malware-cnc.rules) * 1:35029 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.Lotronc variant outbound connection (malware-cnc.rules) * 1:35109 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules) * 1:35110 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules) * 1:35111 <-> DISABLED <-> SERVER-OTHER OpenSSL anomalous x509 certificate with default org name and certificate chain detected (server-other.rules) * 1:35118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules) * 1:35143 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer msostyle.dll dll-load exploit attempt (file-office.rules) * 1:35168 <-> DISABLED <-> FILE-OFFICE Microsoft Office rapi.dll dll-load exploit attempt (file-office.rules) * 1:3519 <-> DISABLED <-> SERVER-MYSQL MaxDB WebSQL wppassword buffer overflow default port (server-mysql.rules) * 1:35215 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode atlthunk.dll dll-load exploit attempt (browser-ie.rules) * 1:35317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Directate outbound connection (malware-cnc.rules) * 1:3542 <-> DISABLED <-> SQL SA brute force login attempt (sql.rules) * 1:3543 <-> DISABLED <-> SQL SA brute force login attempt TDS v7/8 (sql.rules) * 1:35471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Baisogu outbound connection (malware-cnc.rules) * 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules) * 1:3552 <-> DISABLED <-> OS-WINDOWS Microsoft Windows OLE32 MSHTA masquerade attempt (os-windows.rules) * 1:35527 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules) * 1:35528 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules) * 1:35737 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules) * 1:35738 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules) * 1:35769 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike inbound connection (malware-backdoor.rules) * 1:35770 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike outbound connection (malware-backdoor.rules) * 1:35831 <-> DISABLED <-> SERVER-OTHER multiple vendors NTP daemon integer overflow attempt (server-other.rules) * 1:35886 <-> DISABLED <-> POLICY-OTHER Kaskad SCADA default username and password attempt (policy-other.rules) * 1:36036 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (indicator-obfuscation.rules) * 1:36054 <-> ENABLED <-> MALWARE-CNC Ios.Backdoor.SYNful inbound connection (malware-cnc.rules) * 1:36070 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join attempt (indicator-obfuscation.rules) * 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules) * 1:36198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant certificate (malware-cnc.rules) * 1:36201 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (exploit-kit.rules) * 1:36250 <-> DISABLED <-> SERVER-OTHER ntpd keyfile buffer overflow attempt (server-other.rules) * 1:36251 <-> DISABLED <-> SERVER-OTHER ntpq atoascii memory corruption attempt (server-other.rules) * 1:36252 <-> DISABLED <-> SERVER-OTHER ntpd remote configuration denial of service attempt (server-other.rules) * 1:36253 <-> DISABLED <-> SERVER-OTHER ntpd saveconfig directory traversal attempt (server-other.rules) * 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules) * 1:36304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinPlock variant outbound connection (malware-cnc.rules) * 1:36338 <-> ENABLED <-> MALWARE-OTHER Apple iTunes Connect HTTP response phishing attempt (malware-other.rules) * 1:36375 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Management Framework Endpoint default HTTP password authentication attempt (server-other.rules) * 1:36407 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:36408 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:36409 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:36410 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:36536 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK packet flood attempt (server-other.rules) * 1:36585 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari user assisted applescript code execution attempt (browser-webkit.rules) * 1:36596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules) * 1:36601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules) * 1:36602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules) * 1:36603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules) * 1:36632 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules) * 1:36633 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules) * 1:36666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tentobr outbound connection (malware-cnc.rules) * 1:3679 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Products IFRAME src javascript code execution (indicator-obfuscation.rules) * 1:36804 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdistsvc.dll dll-load exploit attempt (os-windows.rules) * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules) * 1:36815 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected (server-other.rules) * 1:36816 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected (server-other.rules) * 1:36824 <-> DISABLED <-> EXPLOIT-KIT Known exploit kit obfuscation routine detected (exploit-kit.rules) * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules) * 1:36931 <-> ENABLED <-> FILE-OFFICE Microsoft Office wuaext.dll dll-load exploit attempt (file-office.rules) * 1:36994 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:36996 <-> ENABLED <-> FILE-OFFICE Microsoft Office spframe.dll dll-load exploit attempt (file-office.rules) * 1:36999 <-> ENABLED <-> FILE-OFFICE Microsoft Office elsext.dll dll-load exploit attempt (file-office.rules) * 1:37000 <-> ENABLED <-> FILE-OFFICE Microsoft Office nwdblib.dll dll-load exploit attempt (file-office.rules) * 1:37130 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules) * 1:37132 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules) * 1:37243 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules) * 1:37244 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules) * 1:37245 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:37257 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mapi32x.dll dll-load exploit attempt (browser-ie.rules) * 1:37262 <-> ENABLED <-> FILE-OFFICE Microsoft Office mfplat.dll dll-load exploit attempt (file-office.rules) * 1:37264 <-> ENABLED <-> FILE-OFFICE Microsoft Office api-ms-win-core-winrt-l1-1-0.dll dll-load exploit attempt (file-office.rules) * 1:37275 <-> ENABLED <-> OS-WINDOWS Microsoft Windows feclient.dll dll-load exploit attempt (os-windows.rules) * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules) * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules) * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules) * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules) * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules) * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules) * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:37312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules) * 1:37313 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules) * 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules) * 1:37378 <-> DISABLED <-> SERVER-WEBAPP ABB default password login attempt (server-webapp.rules) * 1:37379 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules) * 1:37380 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules) * 1:37381 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules) * 1:37382 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules) * 1:37383 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules) * 1:37384 <-> DISABLED <-> SERVER-WEBAPP Emerson default password login attempt (server-webapp.rules) * 1:37385 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules) * 1:37386 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules) * 1:37387 <-> DISABLED <-> SERVER-WEBAPP Moxa default password login attempt (server-webapp.rules) * 1:37388 <-> DISABLED <-> SERVER-WEBAPP NOVUS AUTOMATION default password login attempt (server-webapp.rules) * 1:37389 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules) * 1:37390 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules) * 1:37391 <-> DISABLED <-> SERVER-WEBAPP Samsung default password login attempt (server-webapp.rules) * 1:37392 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules) * 1:37393 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules) * 1:37394 <-> DISABLED <-> SERVER-WEBAPP Wago default password login attempt (server-webapp.rules) * 1:37395 <-> DISABLED <-> SERVER-WEBAPP Westermo default password login attempt (server-webapp.rules) * 1:37396 <-> DISABLED <-> SERVER-WEBAPP eWON default password login attempt (server-webapp.rules) * 1:37416 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules) * 1:37421 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules) * 1:37525 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (server-other.rules) * 1:37526 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (server-other.rules) * 1:37555 <-> ENABLED <-> FILE-OFFICE Microsoft Office msdaora.dll dll-load exploit attempt (file-office.rules) * 1:37556 <-> ENABLED <-> FILE-OFFICE Microsoft Office phoneinfo.dll dll-load exploit attempt (file-office.rules) * 1:37588 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word BCSRuntime.dll dll-load exploit attempt (file-office.rules) * 1:37589 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word OLMAPI32.dll dll-load exploit attempt (file-office.rules) * 1:37655 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules) * 1:37656 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules) * 1:37728 <-> DISABLED <-> INDICATOR-OBFUSCATION SWF with large DefineBinaryData tag (indicator-obfuscation.rules) * 1:37729 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (indicator-obfuscation.rules) * 1:37841 <-> DISABLED <-> SERVER-OTHER ntpd reference clock impersonation attempt (server-other.rules) * 1:37842 <-> DISABLED <-> SERVER-OTHER ntpd reference clock impersonation attempt (server-other.rules) * 1:37843 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK possible DoS attempt (server-other.rules) * 1:37891 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (indicator-obfuscation.rules) * 1:37892 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (indicator-obfuscation.rules) * 1:37903 <-> DISABLED <-> INDICATOR-OBFUSCATION fromCharcode known obfuscation attempt (indicator-obfuscation.rules) * 1:37904 <-> DISABLED <-> INDICATOR-OBFUSCATION fromCharcode known obfuscation attempt (indicator-obfuscation.rules) * 1:37905 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript charset concatentation attempt (indicator-obfuscation.rules) * 1:37906 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript known obfuscation method attempt (indicator-obfuscation.rules) * 1:37907 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript unicode escape variable name attempt (indicator-obfuscation.rules) * 1:37908 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript with hex variable names (indicator-obfuscation.rules) * 1:37909 <-> DISABLED <-> INDICATOR-OBFUSCATION known javascript packer detected (indicator-obfuscation.rules) * 1:37948 <-> DISABLED <-> INDICATOR-OBFUSCATION known malicious JavaScript decryption routine (indicator-obfuscation.rules) * 1:37949 <-> DISABLED <-> INDICATOR-OBFUSCATION download of heavily compressed PDF attempt (indicator-obfuscation.rules) * 1:37950 <-> DISABLED <-> INDICATOR-OBFUSCATION email of heavily compressed PDF attempt (indicator-obfuscation.rules) * 1:37971 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:37972 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:38104 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation double unescape (indicator-obfuscation.rules) * 1:38105 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation double unescape (indicator-obfuscation.rules) * 1:38172 <-> DISABLED <-> FILE-OTHER Adobe Acrobat updaternotifications.dll dll-load exploit attempt (file-other.rules) * 1:3819 <-> ENABLED <-> FILE-IDENTIFY CHM file download request (file-identify.rules) * 1:3820 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules) * 1:38249 <-> DISABLED <-> SERVER-WEBAPP Samsung Data Manager default password login attempt (server-webapp.rules) * 1:38250 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded ActiveX object instantiation detected (indicator-obfuscation.rules) * 1:38251 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded script language declaration detected (indicator-obfuscation.rules) * 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules) * 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt (indicator-obfuscation.rules) * 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules) * 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Encodings header evasion attempt (indicator-obfuscation.rules) * 1:38368 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP illegal chars after encoding type evasion attempt (indicator-obfuscation.rules) * 1:38369 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header whitespace evasion attempt (indicator-obfuscation.rules) * 1:38385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38387 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38388 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger geolocation check (malware-cnc.rules) * 1:38394 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip invalid extra field evasion attempt (indicator-obfuscation.rules) * 1:38417 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules) * 1:38418 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules) * 1:38419 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules) * 1:38420 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules) * 1:38469 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (os-windows.rules) * 1:38470 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (os-windows.rules) * 1:38510 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant exfiltration attempt (malware-cnc.rules) * 1:38541 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules) * 1:38557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules) * 1:38558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules) * 1:38559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes (malware-cnc.rules) * 1:38560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot (malware-cnc.rules) * 1:38561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt (malware-cnc.rules) * 1:38562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt (malware-cnc.rules) * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules) * 1:38564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt (malware-cnc.rules) * 1:38565 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper initial download attempt (malware-cnc.rules) * 1:38566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt (malware-cnc.rules) * 1:38595 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP version evasion attempt (indicator-obfuscation.rules) * 1:38596 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules) * 1:38597 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules) * 1:38598 <-> DISABLED <-> INDICATOR-OBFUSCATION invalid HTTP header evasion attempt (indicator-obfuscation.rules) * 1:38599 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt (indicator-obfuscation.rules) * 1:38600 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules) * 1:38601 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt (indicator-obfuscation.rules) * 1:38602 <-> DISABLED <-> INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt (indicator-obfuscation.rules) * 1:38614 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules) * 1:38615 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules) * 1:38616 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules) * 1:38617 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules) * 1:38618 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules) * 1:38637 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules) * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules) * 1:38642 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 301 response evasion attempt (indicator-obfuscation.rules) * 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules) * 1:38667 <-> DISABLED <-> INDICATOR-OBFUSCATION Mixed case encoding type evasion attempt (indicator-obfuscation.rules) * 1:38677 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules) * 1:38678 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules) * 1:38679 <-> DISABLED <-> INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt (indicator-obfuscation.rules) * 1:38724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renegin outbound GET attempt (malware-cnc.rules) * 1:38734 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header value without key evasion attempt (indicator-obfuscation.rules) * 1:38873 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MSIMG32.dll dll-load exploit attempt (file-flash.rules) * 1:38876 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (exploit-kit.rules) * 1:38890 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts exfiltration attempt (malware-cnc.rules) * 1:38898 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules) * 1:38922 <-> DISABLED <-> INDICATOR-OBFUSCATION Brotli encoding evasion attempt (indicator-obfuscation.rules) * 1:38950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt (malware-cnc.rules) * 1:39130 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (exploit-kit.rules) * 1:39293 <-> DISABLED <-> FILE-FLASH Adobe Flash Player apphelp.dll dll-load exploit attempt (file-flash.rules) * 1:39294 <-> DISABLED <-> FILE-FLASH Adobe Flash Player dbghelp.dll dll-load exploit attempt (file-flash.rules) * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules) * 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (indicator-obfuscation.rules) * 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (indicator-obfuscation.rules) * 1:39341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS credit card data exfiltration (malware-cnc.rules) * 1:39343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS keylog exfiltration (malware-cnc.rules) * 1:39409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant initial outbound connection (malware-cnc.rules) * 1:39410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant exfiltration outbound connection (malware-cnc.rules) * 1:39488 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (indicator-obfuscation.rules) * 1:39489 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (indicator-obfuscation.rules) * 1:39490 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (indicator-obfuscation.rules) * 1:39532 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSL multi-dimensional array memory corruption attempt (file-pdf.rules) * 1:39533 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSL multi-dimensional array memory corruption attempt (file-pdf.rules) * 1:39642 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server credential disclosure attempt (server-webapp.rules) * 1:39734 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Xtrat outbound connection detected (malware-other.rules) * 1:39755 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Retefe variant malicious certificate installation page (malware-other.rules) * 1:39756 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Retefe variant malicious certificate installation page (malware-other.rules) * 1:39870 <-> DISABLED <-> INDICATOR-COMPROMISE Oracle E-Business Suite arbitrary node deletion (indicator-compromise.rules) * 1:39911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules) * 1:39930 <-> ENABLED <-> SERVER-WEBAPP Siemens IP-Camera credential disclosure attempt (server-webapp.rules) * 1:40079 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio visdlgu.dll dll-load exploit attempt (file-office.rules) * 1:40094 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (indicator-scan.rules) * 1:40095 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (indicator-scan.rules) * 1:40220 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt (server-other.rules) * 1:40238 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.AgentTesla variant outbound connection (malware-cnc.rules) * 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used without HTTP 1.1 evasion attempt. (indicator-obfuscation.rules) * 1:40316 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:40317 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:40318 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:40319 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:40320 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:40321 <-> DISABLED <-> SERVER-APACHE Apache Tomcat credential disclosure attempt (server-apache.rules) * 1:40322 <-> DISABLED <-> SERVER-OTHER CA weblogic default credential login attempt (server-other.rules) * 1:40324 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion default credential login attempt (server-other.rules) * 1:40325 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion default credential login attempt (server-other.rules) * 1:40331 <-> DISABLED <-> SERVER-WEBAPP JBoss default credential login attempt (server-webapp.rules) * 1:40359 <-> ENABLED <-> SERVER-APACHE Apache Struts xslt.location local file inclusion attempt (server-apache.rules) * 1:40436 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt (file-pdf.rules) * 1:40437 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt (file-pdf.rules) * 1:40450 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Agent file download attempt (malware-cnc.rules) * 1:40493 <-> DISABLED <-> SERVER-WEBAPP Ektron ServerControlWS.asmx XSL transform code injection attempt (server-webapp.rules) * 1:40505 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40506 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40507 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40508 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40509 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40510 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40511 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40512 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40513 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40514 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:4060 <-> DISABLED <-> APP-DETECT remote desktop protocol attempted administrator connection request (app-detect.rules) * 1:40755 <-> DISABLED <-> FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt (file-flash.rules) * 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules) * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules) * 1:40855 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40856 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40857 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40858 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40859 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40860 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40861 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40862 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40863 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40864 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40897 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40904 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules) * 1:40905 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules) * 1:40911 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Sednit variant outbound connection (malware-cnc.rules) * 1:41084 <-> DISABLED <-> EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected (exploit-kit.rules) * 1:41092 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit landing page obfuscation detected (exploit-kit.rules) * 1:41193 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules) * 1:41194 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules) * 1:41204 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (file-pdf.rules) * 1:41205 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (file-pdf.rules) * 1:4126 <-> DISABLED <-> SERVER-OTHER Veritas Backup Exec root connection attempt using default password hash (server-other.rules) * 1:41308 <-> DISABLED <-> FILE-OTHER Dell Precision Optimizer dll-load exploit attempt (file-other.rules) * 1:41309 <-> DISABLED <-> FILE-OTHER Dell Precision Optimizer dll-load exploit attempt (file-other.rules) * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules) * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection (malware-cnc.rules) * 1:41435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules) * 1:41440 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules) * 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules) * 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules) * 1:41446 <-> ENABLED <-> SERVER-WEBAPP Cisco Meraki default admin credentials attempt (server-webapp.rules) * 1:41456 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Elite Keylogger (malware-cnc.rules) * 1:41457 <-> DISABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Elite Keylogger (malware-cnc.rules) * 1:41458 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:41459 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:41460 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:41461 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:41564 <-> DISABLED <-> FILE-OFFICE Microsoft Office imjp12k.dll dll-load exploit attempt (file-office.rules) * 1:41712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Houdini backdoor file download request (malware-cnc.rules) * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt attempt (indicator-obfuscation.rules) * 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules) * 1:41817 <-> DISABLED <-> SERVER-WEBAPP generic SQL select statement possible sql injection (server-webapp.rules) * 1:41823 <-> DISABLED <-> SERVER-OTHER Nagios Core privilege escalation attempt (server-other.rules) * 1:41824 <-> DISABLED <-> SERVER-OTHER Nagios Core privilege escalation attempt (server-other.rules) * 1:41917 <-> ENABLED <-> SERVER-WEBAPP Carel PlantVisorPRO default login attempt (server-webapp.rules) * 1:41920 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux authentication token brute force attempt (server-webapp.rules) * 1:41925 <-> DISABLED <-> FILE-OTHER Notepad++ scilexer.dll dll-load exploit attempt (file-other.rules) * 1:42017 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded HTTP response with no Content-Length or chunked Transfer-Encoding header (indicator-obfuscation.rules) * 1:42066 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin arbitrary file deletion attempt (server-webapp.rules) * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules) * 1:42111 <-> DISABLED <-> INDICATOR-OBFUSCATION Base64 encoded String.fromCharCode (indicator-obfuscation.rules) * 1:42133 <-> DISABLED <-> SERVER-APACHE Apache mod_session_crypto padding oracle brute force attempt (server-apache.rules) * 1:42163 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (file-other.rules) * 1:42164 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (file-other.rules) * 1:42185 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (os-windows.rules) * 1:42186 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (os-windows.rules) * 1:42197 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:42198 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:42227 <-> DISABLED <-> SERVER-OTHER NTP Config Unpeer denial of service attempt (server-other.rules) * 1:42235 <-> DISABLED <-> SERVER-OTHER NTP malformed config request denial of service attempt (server-other.rules) * 1:42280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules) * 1:42289 <-> DISABLED <-> INDICATOR-SCAN PHP info leak attempt (indicator-scan.rules) * 1:42292 <-> DISABLED <-> INDICATOR-COMPROMISE malicious javascript obfuscation detected (indicator-compromise.rules) * 1:42300 <-> DISABLED <-> SERVER-WEBAPP SensorIP2 default credentials enumeration attempt (server-webapp.rules) * 1:42304 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules) * 1:42305 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules) * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules) * 1:42340 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (os-windows.rules) * 1:4236 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer WMI ASDI Extension ActiveX object access (browser-plugins.rules) * 1:42395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oddjob outbound connection (malware-cnc.rules) * 1:42451 <-> DISABLED <-> SERVER-WEBAPP MCA Sistemas ScadaBR index.php brute force login attempt (server-webapp.rules) * 1:42785 <-> DISABLED <-> INDICATOR-SCAN DNS version.bind string information disclosure attempt (indicator-scan.rules) * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:42863 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:42864 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:42870 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42871 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42872 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42873 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42874 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42875 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42876 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42877 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42887 <-> ENABLED <-> SERVER-OTHER ntpq flagstr buffer overflow attempt (server-other.rules) * 1:42890 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules) * 1:42925 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules) * 1:42926 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules) * 1:42946 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped valueOf function name obfuscation attempt (indicator-obfuscation.rules) * 1:42947 <-> ENABLED <-> INDICATOR-OBFUSCATION Dridex String.prototype function definition obfuscation attempt (indicator-obfuscation.rules) * 1:42948 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped split function name obfuscation attempt (indicator-obfuscation.rules) * 1:42949 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded document class name obfuscation attempt (indicator-obfuscation.rules) * 1:42950 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded vbscript tag obfuscation attempt (indicator-obfuscation.rules) * 1:43002 <-> ENABLED <-> PROTOCOL-OTHER NETBIOS SMB IPC share access attempt (protocol-other.rules) * 1:43003 <-> ENABLED <-> PROTOCOL-OTHER NETBIOS SMB IPC share access attempt (protocol-other.rules) * 1:43073 <-> DISABLED <-> SQL SysAid potential default credential login attempt (sql.rules) * 1:43113 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric IGSS dashboard deletion attempt (server-webapp.rules) * 1:43127 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration enumeration attempt (policy-other.rules) * 1:43128 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration overwrite attempt (policy-other.rules) * 1:43179 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules) * 1:43180 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules) * 1:43216 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP payload not fully gzip compressed attempt (indicator-obfuscation.rules) * 1:43256 <-> ENABLED <-> INDICATOR-OBFUSCATION Rig EK fromCharCode offset 33 obfuscated getElementsByTagName call (indicator-obfuscation.rules) * 1:43287 <-> DISABLED <-> SERVER-WEBAPP /etc/inetd.conf file access attempt (server-webapp.rules) * 1:43288 <-> DISABLED <-> SERVER-WEBAPP /etc/motd file access attempt (server-webapp.rules) * 1:43289 <-> DISABLED <-> SERVER-WEBAPP /etc/shadow file access attempt (server-webapp.rules) * 1:43370 <-> DISABLED <-> NETBIOS DCERPC possible wmi remote process launch (netbios.rules) * 1:43672 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt (browser-firefox.rules) * 1:43673 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt (browser-firefox.rules) * 1:43707 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated vbscript detected (indicator-obfuscation.rules) * 1:43708 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated vbscript detected (indicator-obfuscation.rules) * 1:43802 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:43803 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:43804 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:43805 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:43836 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file packed with SecureSwf obfuscator (indicator-obfuscation.rules) * 1:43837 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript regex (indicator-obfuscation.rules) * 1:43989 <-> DISABLED <-> INDICATOR-OBFUSCATION newlines embedded in rtf header (indicator-obfuscation.rules) * 1:43990 <-> DISABLED <-> INDICATOR-OBFUSCATION RTF obfuscation string (indicator-obfuscation.rules) * 1:44172 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious dynamic http link creation attempt (indicator-obfuscation.rules) * 1:44235 <-> ENABLED <-> INDICATOR-OBFUSCATION FOPO obfuscated PHP file upload attempt (indicator-obfuscation.rules) * 1:44388 <-> ENABLED <-> SERVER-WEBAPP Multiple routers getcfg.php credential disclosure attempt (server-webapp.rules) * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules) * 1:44475 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Handshake spoof runtime detection (malware-other.rules) * 1:44559 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules) * 1:44560 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules) * 1:44561 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:44562 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:44563 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:44599 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules) * 1:44600 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules) * 1:44601 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules) * 1:44615 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious javascript deobfuscation calls attempt (indicator-obfuscation.rules) * 1:44623 <-> DISABLED <-> POLICY-OTHER EMC Autostart default domain login attempt (policy-other.rules) * 1:44646 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SVCCTL remote service attempt (malware-other.rules) * 1:44651 <-> DISABLED <-> NETBIOS SMB NTLMSSP authentication brute force attempt (netbios.rules) * 1:44692 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (indicator-obfuscation.rules) * 1:44693 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (indicator-obfuscation.rules) * 1:44697 <-> DISABLED <-> MALWARE-CNC SquirrelMail directory traversal attempt (malware-cnc.rules) * 1:44702 <-> DISABLED <-> POLICY-OTHER Inedo BuildMaster web server login with default credentials attempt (policy-other.rules) * 1:44756 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules) * 1:45005 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules) * 1:45006 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules) * 1:45012 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules) * 1:45068 <-> DISABLED <-> SERVER-OTHER Oracle Identity Manager default login attempt (server-other.rules) * 1:45136 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit PowerShell CLI Download and Run attempt (indicator-compromise.rules) * 1:45137 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit run hidden powershell attempt (indicator-compromise.rules) * 1:45173 <-> DISABLED <-> BROWSER-FIREFOX Mozilla download directory file deletion attempt (browser-firefox.rules) * 1:45174 <-> DISABLED <-> BROWSER-FIREFOX Mozilla download directory file deletion attempt (browser-firefox.rules) * 1:45352 <-> ENABLED <-> MALWARE-CNC PowerShell Empire HTTP listener response (malware-cnc.rules) * 1:45370 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules) * 1:45371 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules) * 1:45418 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules) * 1:45419 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules) * 1:45454 <-> DISABLED <-> SERVER-WEBAPP PostfixAdmin protected alias deletion attempt (server-webapp.rules) * 1:45469 <-> ENABLED <-> MALWARE-CNC SambaCry ransomware download attempt (malware-cnc.rules) * 1:45470 <-> ENABLED <-> MALWARE-CNC SambaCry ransomware download attempt (malware-cnc.rules) * 1:45483 <-> ENABLED <-> MALWARE-CNC Pdf.Phishing.Agent variant outbound connection detected (malware-cnc.rules) * 1:45518 <-> DISABLED <-> POLICY-OTHER Remote Desktop weak 40-bit RC4 encryption use attempt (policy-other.rules) * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules) * 1:45904 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules) * 1:45905 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules) * 1:45915 <-> DISABLED <-> INDICATOR-COMPROMISE PHP obfuscated eval command execution attempt (indicator-compromise.rules) * 1:45927 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules) * 1:45928 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules) * 1:45967 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules) * 1:45968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules) * 1:45980 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection (malware-cnc.rules) * 1:46026 <-> DISABLED <-> SERVER-WEBAPP EventManager page.php sql injection attempt SQL injection attempt (server-webapp.rules) * 1:46027 <-> DISABLED <-> SERVER-WEBAPP EventManager page.php sql injection attempt SQL injection attempt (server-webapp.rules) * 1:46065 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sigma outbound connection (malware-cnc.rules) * 1:46067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection (malware-cnc.rules) * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules) * 1:46368 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell upload attempt (malware-backdoor.rules) * 1:46369 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules) * 1:46381 <-> DISABLED <-> INDICATOR-COMPROMISE Potential data exfiltration through Google form submission (indicator-compromise.rules) * 1:46387 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt (server-other.rules) * 1:46482 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules) * 1:46675 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46678 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46682 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46683 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46684 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46685 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46879 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules) * 1:47052 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt (server-other.rules) * 1:47070 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:47115 <-> DISABLED <-> SERVER-MAIL Zerofont phishing attempt (server-mail.rules) * 1:47116 <-> DISABLED <-> SERVER-MAIL Zerofont phishing attempt (server-mail.rules) * 1:47137 <-> DISABLED <-> SERVER-WEBAPP HP VAN SDN Controller default token authentication attempt (server-webapp.rules) * 1:47138 <-> DISABLED <-> SERVER-WEBAPP HP VAN SDN Controller default credentials authentication attempt (server-webapp.rules) * 1:47371 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules) * 1:47372 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules) * 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (malware-cnc.rules) * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules) * 1:47422 <-> DISABLED <-> FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt (file-other.rules) * 1:47461 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules) * 1:47462 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules) * 1:47585 <-> DISABLED <-> SERVER-OTHER ntpq decode array buffer overflow attempt (server-other.rules) * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules) * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules) * 1:47866 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules) * 1:47867 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules) * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules) * 1:48144 <-> DISABLED <-> FILE-OTHER McAfee True Key dll-load exploit attempt (file-other.rules) * 1:48145 <-> DISABLED <-> FILE-OTHER McAfee True Key dll-load exploit attempt (file-other.rules) * 1:48231 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (server-webapp.rules) * 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules) * 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules) * 1:48288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (malware-cnc.rules) * 1:48508 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules) * 1:48531 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules) * 1:48532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules) * 1:48573 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary file deletion attempt (server-webapp.rules) * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules) * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules) * 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (server-webapp.rules) * 1:48861 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:48862 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:48863 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:48864 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:48894 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules) * 1:48895 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules) * 1:49051 <-> DISABLED <-> SERVER-OTHER Ewon router default credential login attempt (server-other.rules) * 1:49052 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:49053 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:49054 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:49055 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:49056 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:49057 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:49058 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:49059 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:49060 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:49061 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:49062 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:49063 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:49064 <-> DISABLED <-> SERVER-OTHER Westermo router default credential login attempt (server-other.rules) * 1:4916 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript onload document.write obfuscation overflow attempt (browser-ie.rules) * 1:4917 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript onload prompt obfuscation overflow attempt (browser-ie.rules) * 1:49289 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:49290 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:49291 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:49292 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:4984 <-> DISABLED <-> SQL sa brute force failed login unicode attempt (sql.rules) * 1:5742 <-> DISABLED <-> MALWARE-OTHER Keylogger activitylogger runtime detection (malware-other.rules) * 1:5759 <-> DISABLED <-> MALWARE-OTHER Keylogger fearlesskeyspy runtime detection (malware-other.rules) * 1:5777 <-> DISABLED <-> MALWARE-OTHER Keylogger gurl watcher runtime detection (malware-other.rules) * 1:5778 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwpe windows activity logs (malware-other.rules) * 1:5779 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwpe shell file logs (malware-other.rules) * 1:5780 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwpe word filtered echelon log (malware-other.rules) * 1:5781 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae windows activity logs (malware-other.rules) * 1:5782 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae word filtered echelon log (malware-other.rules) * 1:5783 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae keystrokes log (malware-other.rules) * 1:5784 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae urls browsed log (malware-other.rules) * 1:5790 <-> DISABLED <-> MALWARE-OTHER Keylogger pc actmon pro runtime detection - smtp (malware-other.rules) * 1:5880 <-> ENABLED <-> MALWARE-OTHER Keylogger spyagent runtime detect - smtp delivery (malware-other.rules) * 1:5881 <-> ENABLED <-> MALWARE-OTHER Keylogger spyagent runtime detect - ftp delivery (malware-other.rules) * 1:5882 <-> ENABLED <-> MALWARE-OTHER Keylogger spyagent runtime detect - alert notification (malware-other.rules) * 1:6040 <-> ENABLED <-> MALWARE-BACKDOOR fade 1.0 runtime detection - enable keylogger (malware-backdoor.rules) * 1:6041 <-> DISABLED <-> MALWARE-BACKDOOR fade 1.0 runtime detection - enable keylogger (malware-backdoor.rules) * 1:613 <-> DISABLED <-> INDICATOR-SCAN myscan (indicator-scan.rules) * 1:6143 <-> DISABLED <-> MALWARE-BACKDOOR dark connection inside v1.2 runtime detection (malware-backdoor.rules) * 1:6159 <-> DISABLED <-> MALWARE-BACKDOOR delirium of disorder runtime detection - enable keylogger (malware-backdoor.rules) * 1:616 <-> DISABLED <-> INDICATOR-SCAN ident version request (indicator-scan.rules) * 1:6160 <-> DISABLED <-> MALWARE-BACKDOOR delirium of disorder runtime detection - stop keylogger (malware-backdoor.rules) * 1:619 <-> DISABLED <-> INDICATOR-SCAN cybercop os probe (indicator-scan.rules) * 1:6190 <-> DISABLED <-> MALWARE-OTHER Keylogger eblaster 5.0 runtime detection (malware-other.rules) * 1:6207 <-> DISABLED <-> MALWARE-OTHER Keylogger winsession runtime detection - smtp (malware-other.rules) * 1:6208 <-> DISABLED <-> MALWARE-OTHER Keylogger winsession runtime detection - ftp (malware-other.rules) * 1:622 <-> DISABLED <-> INDICATOR-SCAN ipEye SYN scan (indicator-scan.rules) * 1:6220 <-> DISABLED <-> MALWARE-OTHER Keylogger boss everyware runtime detection (malware-other.rules) * 1:6221 <-> DISABLED <-> MALWARE-OTHER Keylogger computerspy runtime detection (malware-other.rules) * 1:626 <-> DISABLED <-> INDICATOR-SCAN cybercop os PA12 attempt (indicator-scan.rules) * 1:627 <-> DISABLED <-> INDICATOR-SCAN cybercop os SFU12 probe (indicator-scan.rules) * 1:630 <-> DISABLED <-> INDICATOR-SCAN synscan portscan (indicator-scan.rules) * 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules) * 1:6340 <-> DISABLED <-> MALWARE-OTHER Keylogger handy keylogger runtime detection (malware-other.rules) * 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules) * 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules) * 1:6365 <-> DISABLED <-> MALWARE-OTHER Sony rootkit runtime detection (malware-other.rules) * 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules) * 1:6383 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - tcp connection setup (malware-other.rules) * 1:6384 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent discover broadcast (malware-other.rules) * 1:6385 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent status monitoring (malware-other.rules) * 1:6386 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent up notification (malware-other.rules) * 1:6489 <-> DISABLED <-> PUA-ADWARE Hijacker analyze IE outbound connection - default page hijacker (pua-adware.rules) * 1:7099 <-> ENABLED <-> MALWARE-BACKDOOR remote hack 1.5 runtime detection - start keylogger (malware-backdoor.rules) * 1:7141 <-> DISABLED <-> PUA-ADWARE Adware pay-per-click runtime detection - update (pua-adware.rules) * 1:7154 <-> DISABLED <-> MALWARE-OTHER Keylogger active keylogger home runtime detection (malware-other.rules) * 1:7156 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - email delivery (malware-other.rules) * 1:7157 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - remote conn client-to-server (malware-other.rules) * 1:7158 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - remote conn server-to-client (malware-other.rules) * 1:7159 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - upload file client-to-server (malware-other.rules) * 1:7160 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - upload file server-to-client (malware-other.rules) * 1:7161 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file client-to-server (malware-other.rules) * 1:7162 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client (malware-other.rules) * 1:7163 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - execute file client-to-server (malware-other.rules) * 1:7164 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - execute file server-to-client (malware-other.rules) * 1:7165 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 1 (malware-other.rules) * 1:7166 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 2 (malware-other.rules) * 1:7167 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 3 (malware-other.rules) * 1:7168 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 4 (malware-other.rules) * 1:7169 <-> DISABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange (malware-other.rules) * 1:7175 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - log retrieve (malware-other.rules) * 1:7176 <-> DISABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - log retrieve (malware-other.rules) * 1:7177 <-> DISABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - info send through email (malware-other.rules) * 1:7178 <-> ENABLED <-> MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection (malware-other.rules) * 1:7179 <-> ENABLED <-> MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection (malware-other.rules) * 1:7180 <-> DISABLED <-> MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection (malware-other.rules) * 1:7184 <-> DISABLED <-> MALWARE-OTHER Keylogger 007 spy software runtime detection - smtp (malware-other.rules) * 1:7185 <-> DISABLED <-> MALWARE-OTHER Keylogger 007 spy software runtime detection - ftp (malware-other.rules) * 1:7186 <-> DISABLED <-> MALWARE-OTHER Keylogger kgb Keylogger runtime detection (malware-other.rules) * 1:7504 <-> DISABLED <-> MALWARE-OTHER Keylogger actualspy runtime detection - ftp-data (malware-other.rules) * 1:7505 <-> DISABLED <-> MALWARE-OTHER Keylogger actualspy runtime detection - smtp (malware-other.rules) * 1:7512 <-> ENABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - init connection - flowbit set (malware-other.rules) * 1:7513 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - init connection (malware-other.rules) * 1:7514 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - send out info to server periodically (malware-other.rules) * 1:7515 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - remote monitoring (malware-other.rules) * 1:7539 <-> DISABLED <-> MALWARE-OTHER Keylogger eye spy pro 1.0 runtime detection (malware-other.rules) * 1:7541 <-> DISABLED <-> MALWARE-OTHER Keylogger starlogger runtime detection (malware-other.rules) * 1:7544 <-> ENABLED <-> MALWARE-OTHER Keylogger PerfectKeylogger runtime detection - flowbit set 1 (malware-other.rules) * 1:7545 <-> ENABLED <-> MALWARE-OTHER Keylogger PerfectKeylogger runtime detection - flowbit set 2 (malware-other.rules) * 1:7546 <-> DISABLED <-> MALWARE-OTHER Keylogger PerfectKeylogger runtime detection (malware-other.rules) * 1:7547 <-> DISABLED <-> MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection - agent status monitoring (malware-other.rules) * 1:7548 <-> DISABLED <-> MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection - agent up notification (malware-other.rules) * 1:7549 <-> DISABLED <-> MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection (malware-other.rules) * 1:7551 <-> DISABLED <-> MALWARE-OTHER Keylogger ardamax keylogger runtime detection - smtp (malware-other.rules) * 1:7552 <-> DISABLED <-> MALWARE-OTHER Keylogger ardamax keylogger runtime detection - ftp (malware-other.rules) * 1:7564 <-> DISABLED <-> PUA-ADWARE Hijacker startnow outbound connection (pua-adware.rules) * 1:7574 <-> DISABLED <-> MALWARE-OTHER Keylogger proagent 2.0 runtime detection (malware-other.rules) * 1:7591 <-> ENABLED <-> MALWARE-OTHER Keylogger keylogger pro runtime detection - flowbit set (malware-other.rules) * 1:7592 <-> DISABLED <-> MALWARE-OTHER Keylogger keylogger pro runtime detection (malware-other.rules) * 1:7596 <-> ENABLED <-> MALWARE-OTHER Keylogger spy lantern keylogger runtime detection - flowbit set (malware-other.rules) * 1:7597 <-> DISABLED <-> MALWARE-OTHER Keylogger spy lantern keylogger runtime detection (malware-other.rules) * 1:7772 <-> ENABLED <-> MALWARE-BACKDOOR messiah 4.0 runtime detection - enable keylogger - flowbit set (malware-backdoor.rules) * 1:7773 <-> DISABLED <-> MALWARE-BACKDOOR messiah 4.0 runtime detection - enable keylogger (malware-backdoor.rules) * 1:7806 <-> DISABLED <-> MALWARE-BACKDOOR fatal wound 1.0 runtime detection - initial connection (malware-backdoor.rules) * 1:7807 <-> DISABLED <-> MALWARE-BACKDOOR fatal wound 1.0 runtime detection - execute file (malware-backdoor.rules) * 1:7808 <-> ENABLED <-> MALWARE-BACKDOOR fatal wound 1.0 runtime detection - upload (malware-backdoor.rules) * 1:7837 <-> DISABLED <-> MALWARE-OTHER Keylogger spyoutside runtime detection - email delivery (malware-other.rules) * 1:7845 <-> ENABLED <-> MALWARE-OTHER Keylogger clogger 1.0 runtime detection (malware-other.rules) * 1:7846 <-> ENABLED <-> MALWARE-OTHER Keylogger clogger 1.0 runtime detection (malware-other.rules) * 1:7847 <-> DISABLED <-> MALWARE-OTHER Keylogger clogger 1.0 runtime detection - send log through email (malware-other.rules) * 1:7857 <-> DISABLED <-> MALWARE-OTHER Keylogger EliteKeylogger runtime detection (malware-other.rules) * 1:8059 <-> DISABLED <-> SERVER-ORACLE SYS.KUPW-WORKER sql injection attempt (server-oracle.rules) * 1:8081 <-> DISABLED <-> INDICATOR-SCAN UPnP service discover attempt (indicator-scan.rules) * 1:809 <-> DISABLED <-> SERVER-WEBAPP whois_raw.cgi arbitrary command execution attempt (server-webapp.rules) * 1:8355 <-> ENABLED <-> MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection (malware-other.rules) * 1:8356 <-> ENABLED <-> MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send log out through email (malware-other.rules) * 1:8357 <-> ENABLED <-> MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send alert out through email (malware-other.rules) * 1:8465 <-> ENABLED <-> MALWARE-OTHER Keylogger netobserve runtime detection - email notification (malware-other.rules) * 1:8466 <-> DISABLED <-> MALWARE-OTHER Keylogger netobserve runtime detection - email notification (malware-other.rules) * 1:8467 <-> DISABLED <-> MALWARE-OTHER Keylogger netobserve runtime detection - remote login response (malware-other.rules) * 1:8544 <-> DISABLED <-> MALWARE-OTHER Keylogger nicespy runtime detection - smtp (malware-other.rules) * 1:9647 <-> DISABLED <-> MALWARE-OTHER Keylogger system surveillance pro runtime detection (malware-other.rules) * 1:9648 <-> DISABLED <-> MALWARE-OTHER Keylogger emailspypro runtime detection (malware-other.rules) * 1:9649 <-> ENABLED <-> MALWARE-OTHER Keylogger ghost Keylogger runtime detection - flowbit set (malware-other.rules) * 1:9650 <-> DISABLED <-> MALWARE-OTHER Keylogger ghost Keylogger runtime detection (malware-other.rules) * 1:9827 <-> DISABLED <-> MALWARE-OTHER Keylogger paq keylog runtime detection - smtp (malware-other.rules) * 1:9828 <-> DISABLED <-> MALWARE-OTHER Keylogger paq keylog runtime detection - ftp (malware-other.rules) * 1:9830 <-> DISABLED <-> MALWARE-OTHER Keylogger supreme spy runtime detection (malware-other.rules) * 1:41163 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (file-pdf.rules) * 3:49362 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0787 attack attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (snort3-file-flash.rules) * 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (snort3-file-flash.rules) * 1:49580 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (snort3-server-webapp.rules) * 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (snort3-file-flash.rules) * 1:49594 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (snort3-malware-cnc.rules) * 1:49595 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (snort3-malware-cnc.rules) * 1:49603 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt (snort3-server-webapp.rules) * 1:49599 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt detected (snort3-file-pdf.rules) * 1:49587 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (snort3-server-webapp.rules) * 1:49592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (snort3-malware-cnc.rules) * 1:49575 <-> DISABLED <-> FILE-IMAGE SketchUp BMP RLE8 parsing buffer overflow attempt (snort3-file-image.rules) * 1:49579 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (snort3-server-webapp.rules) * 1:49578 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (snort3-server-webapp.rules) * 1:49581 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (snort3-server-webapp.rules) * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (snort3-file-multimedia.rules) * 1:49598 <-> DISABLED <-> SERVER-WEBAPP Fiberhome AN5506-04-F RP2669 cross site scripting attempt (snort3-server-webapp.rules) * 1:49604 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt (snort3-server-webapp.rules) * 1:49597 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GlobeImposter malicious executable download attempt (snort3-malware-cnc.rules) * 1:49596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GlobeImposter malicious executable download attempt (snort3-malware-cnc.rules) * 1:49600 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt detected (snort3-file-pdf.rules) * 1:49576 <-> DISABLED <-> FILE-IMAGE SketchUp BMP RLE8 parsing buffer overflow attempt (snort3-file-image.rules) * 1:49601 <-> DISABLED <-> SERVER-OTHER Century Star SCADA directory traversal attempt (snort3-server-other.rules) * 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (snort3-file-flash.rules) * 1:49577 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (snort3-server-webapp.rules) * 1:49582 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (snort3-server-webapp.rules) * 1:49605 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt (snort3-server-webapp.rules) * 1:49593 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (snort3-malware-cnc.rules) * 1:49602 <-> DISABLED <-> SERVER-OTHER Century Star SCADA directory traversal attempt (snort3-server-other.rules) * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (snort3-file-multimedia.rules)
* 1:6160 <-> DISABLED <-> MALWARE-BACKDOOR delirium of disorder runtime detection - stop keylogger (snort3-malware-backdoor.rules) * 1:616 <-> DISABLED <-> INDICATOR-SCAN ident version request (snort3-indicator-scan.rules) * 1:6159 <-> DISABLED <-> MALWARE-BACKDOOR delirium of disorder runtime detection - enable keylogger (snort3-malware-backdoor.rules) * 1:42280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (snort3-file-other.rules) * 1:619 <-> DISABLED <-> INDICATOR-SCAN cybercop os probe (snort3-indicator-scan.rules) * 1:6190 <-> DISABLED <-> MALWARE-OTHER Keylogger eblaster 5.0 runtime detection (snort3-malware-other.rules) * 1:6207 <-> DISABLED <-> MALWARE-OTHER Keylogger winsession runtime detection - smtp (snort3-malware-other.rules) * 1:622 <-> DISABLED <-> INDICATOR-SCAN ipEye SYN scan (snort3-indicator-scan.rules) * 1:6208 <-> DISABLED <-> MALWARE-OTHER Keylogger winsession runtime detection - ftp (snort3-malware-other.rules) * 1:627 <-> DISABLED <-> INDICATOR-SCAN cybercop os SFU12 probe (snort3-indicator-scan.rules) * 1:626 <-> DISABLED <-> INDICATOR-SCAN cybercop os PA12 attempt (snort3-indicator-scan.rules) * 1:6221 <-> DISABLED <-> MALWARE-OTHER Keylogger computerspy runtime detection (snort3-malware-other.rules) * 1:6220 <-> DISABLED <-> MALWARE-OTHER Keylogger boss everyware runtime detection (snort3-malware-other.rules) * 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (snort3-indicator-scan.rules) * 1:6365 <-> DISABLED <-> MALWARE-OTHER Sony rootkit runtime detection (snort3-malware-other.rules) * 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (snort3-indicator-scan.rules) * 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (snort3-indicator-scan.rules) * 1:6340 <-> DISABLED <-> MALWARE-OTHER Keylogger handy keylogger runtime detection (snort3-malware-other.rules) * 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (snort3-indicator-scan.rules) * 1:630 <-> DISABLED <-> INDICATOR-SCAN synscan portscan (snort3-indicator-scan.rules) * 1:7163 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - execute file client-to-server (snort3-malware-other.rules) * 1:7162 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client (snort3-malware-other.rules) * 1:7161 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file client-to-server (snort3-malware-other.rules) * 1:7160 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - upload file server-to-client (snort3-malware-other.rules) * 1:7159 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - upload file client-to-server (snort3-malware-other.rules) * 1:7158 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - remote conn server-to-client (snort3-malware-other.rules) * 1:7157 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - remote conn client-to-server (snort3-malware-other.rules) * 1:7156 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - email delivery (snort3-malware-other.rules) * 1:7154 <-> DISABLED <-> MALWARE-OTHER Keylogger active keylogger home runtime detection (snort3-malware-other.rules) * 1:7141 <-> DISABLED <-> PUA-ADWARE Adware pay-per-click runtime detection - update (snort3-pua-adware.rules) * 1:7099 <-> ENABLED <-> MALWARE-BACKDOOR remote hack 1.5 runtime detection - start keylogger (snort3-malware-backdoor.rules) * 1:6489 <-> DISABLED <-> PUA-ADWARE Hijacker analyze IE outbound connection - default page hijacker (snort3-pua-adware.rules) * 1:6386 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent up notification (snort3-malware-other.rules) * 1:6385 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent status monitoring (snort3-malware-other.rules) * 1:6384 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent discover broadcast (snort3-malware-other.rules) * 1:6383 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - tcp connection setup (snort3-malware-other.rules) * 1:7164 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - execute file server-to-client (snort3-malware-other.rules) * 1:7165 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 1 (snort3-malware-other.rules) * 1:7541 <-> DISABLED <-> MALWARE-OTHER Keylogger starlogger runtime detection (snort3-malware-other.rules) * 1:7539 <-> DISABLED <-> MALWARE-OTHER Keylogger eye spy pro 1.0 runtime detection (snort3-malware-other.rules) * 1:7515 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - remote monitoring (snort3-malware-other.rules) * 1:7514 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - send out info to server periodically (snort3-malware-other.rules) * 1:7513 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - init connection (snort3-malware-other.rules) * 1:7512 <-> ENABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - init connection - flowbit set (snort3-malware-other.rules) * 1:7505 <-> DISABLED <-> MALWARE-OTHER Keylogger actualspy runtime detection - smtp (snort3-malware-other.rules) * 1:7504 <-> DISABLED <-> MALWARE-OTHER Keylogger actualspy runtime detection - ftp-data (snort3-malware-other.rules) * 1:7186 <-> DISABLED <-> MALWARE-OTHER Keylogger kgb Keylogger runtime detection (snort3-malware-other.rules) * 1:7185 <-> DISABLED <-> MALWARE-OTHER Keylogger 007 spy software runtime detection - ftp (snort3-malware-other.rules) * 1:7184 <-> DISABLED <-> MALWARE-OTHER Keylogger 007 spy software runtime detection - smtp (snort3-malware-other.rules) * 1:41440 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (snort3-malware-other.rules) * 1:41435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (snort3-malware-cnc.rules) * 1:42111 <-> DISABLED <-> INDICATOR-OBFUSCATION Base64 encoded String.fromCharCode (snort3-indicator-obfuscation.rules) * 1:41925 <-> DISABLED <-> FILE-OTHER Notepad++ scilexer.dll dll-load exploit attempt (snort3-file-other.rules) * 1:42017 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded HTTP response with no Content-Length or chunked Transfer-Encoding header (snort3-indicator-obfuscation.rules) * 1:42066 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin arbitrary file deletion attempt (snort3-server-webapp.rules) * 1:42185 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (snort3-os-windows.rules) * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (snort3-policy-other.rules) * 1:41460 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (snort3-malware-cnc.rules) * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules) * 1:41459 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (snort3-malware-cnc.rules) * 1:41457 <-> DISABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Elite Keylogger (snort3-malware-cnc.rules) * 1:41458 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (snort3-malware-cnc.rules) * 1:41446 <-> ENABLED <-> SERVER-WEBAPP Cisco Meraki default admin credentials attempt (snort3-server-webapp.rules) * 1:41456 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Elite Keylogger (snort3-malware-cnc.rules) * 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (snort3-malware-cnc.rules) * 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (snort3-malware-cnc.rules) * 1:4236 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer WMI ASDI Extension ActiveX object access (snort3-browser-plugins.rules) * 1:42340 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (snort3-os-windows.rules) * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (snort3-malware-cnc.rules) * 1:42305 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (snort3-file-other.rules) * 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (snort3-indicator-scan.rules) * 1:42133 <-> DISABLED <-> SERVER-APACHE Apache mod_session_crypto padding oracle brute force attempt (snort3-server-apache.rules) * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules) * 1:42163 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (snort3-file-other.rules) * 1:42785 <-> DISABLED <-> INDICATOR-SCAN DNS version.bind string information disclosure attempt (snort3-indicator-scan.rules) * 1:42164 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (snort3-file-other.rules) * 1:42451 <-> DISABLED <-> SERVER-WEBAPP MCA Sistemas ScadaBR index.php brute force login attempt (snort3-server-webapp.rules) * 1:41817 <-> DISABLED <-> SERVER-WEBAPP generic SQL select statement possible sql injection (snort3-server-webapp.rules) * 1:41824 <-> DISABLED <-> SERVER-OTHER Nagios Core privilege escalation attempt (snort3-server-other.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (snort3-app-detect.rules) * 1:41917 <-> ENABLED <-> SERVER-WEBAPP Carel PlantVisorPRO default login attempt (snort3-server-webapp.rules) * 1:42395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oddjob outbound connection (snort3-malware-cnc.rules) * 1:42872 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (snort3-file-pdf.rules) * 1:42871 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (snort3-file-pdf.rules) * 1:42870 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (snort3-file-pdf.rules) * 1:42864 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (snort3-file-office.rules) * 1:42863 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (snort3-file-office.rules) * 1:42304 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (snort3-file-other.rules) * 1:42300 <-> DISABLED <-> SERVER-WEBAPP SensorIP2 default credentials enumeration attempt (snort3-server-webapp.rules) * 1:42292 <-> DISABLED <-> INDICATOR-COMPROMISE malicious javascript obfuscation detected (snort3-indicator-compromise.rules) * 1:42289 <-> DISABLED <-> INDICATOR-SCAN PHP info leak attempt (snort3-indicator-scan.rules) * 1:42186 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (snort3-os-windows.rules) * 1:42197 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (snort3-file-office.rules) * 1:42198 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (snort3-file-office.rules) * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules) * 1:42227 <-> DISABLED <-> SERVER-OTHER NTP Config Unpeer denial of service attempt (snort3-server-other.rules) * 1:41823 <-> DISABLED <-> SERVER-OTHER Nagios Core privilege escalation attempt (snort3-server-other.rules) * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules) * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt attempt (snort3-indicator-obfuscation.rules) * 1:41712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Houdini backdoor file download request (snort3-malware-cnc.rules) * 1:43003 <-> ENABLED <-> PROTOCOL-OTHER NETBIOS SMB IPC share access attempt (snort3-protocol-other.rules) * 1:43002 <-> ENABLED <-> PROTOCOL-OTHER NETBIOS SMB IPC share access attempt (snort3-protocol-other.rules) * 1:42950 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded vbscript tag obfuscation attempt (snort3-indicator-obfuscation.rules) * 1:42949 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded document class name obfuscation attempt (snort3-indicator-obfuscation.rules) * 1:42948 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped split function name obfuscation attempt (snort3-indicator-obfuscation.rules) * 1:42947 <-> ENABLED <-> INDICATOR-OBFUSCATION Dridex String.prototype function definition obfuscation attempt (snort3-indicator-obfuscation.rules) * 1:42946 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped valueOf function name obfuscation attempt (snort3-indicator-obfuscation.rules) * 1:42926 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (snort3-malware-cnc.rules) * 1:42925 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (snort3-malware-cnc.rules) * 1:42890 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (snort3-file-other.rules) * 1:42887 <-> ENABLED <-> SERVER-OTHER ntpq flagstr buffer overflow attempt (snort3-server-other.rules) * 1:42877 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (snort3-file-pdf.rules) * 1:42876 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (snort3-file-pdf.rules) * 1:42875 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (snort3-file-pdf.rules) * 1:42874 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (snort3-file-pdf.rules) * 1:42873 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (snort3-file-pdf.rules) * 1:43113 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric IGSS dashboard deletion attempt (snort3-server-webapp.rules) * 1:43073 <-> DISABLED <-> SQL SysAid potential default credential login attempt (snort3-sql.rules) * 1:41564 <-> DISABLED <-> FILE-OFFICE Microsoft Office imjp12k.dll dll-load exploit attempt (snort3-file-office.rules) * 1:43179 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (snort3-file-office.rules) * 1:43128 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration overwrite attempt (snort3-policy-other.rules) * 1:43127 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration enumeration attempt (snort3-policy-other.rules) * 1:43216 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP payload not fully gzip compressed attempt (snort3-indicator-obfuscation.rules) * 1:43180 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (snort3-file-office.rules) * 1:41920 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux authentication token brute force attempt (snort3-server-webapp.rules) * 1:44235 <-> ENABLED <-> INDICATOR-OBFUSCATION FOPO obfuscated PHP file upload attempt (snort3-indicator-obfuscation.rules) * 1:44172 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious dynamic http link creation attempt (snort3-indicator-obfuscation.rules) * 1:43990 <-> DISABLED <-> INDICATOR-OBFUSCATION RTF obfuscation string (snort3-indicator-obfuscation.rules) * 1:43989 <-> DISABLED <-> INDICATOR-OBFUSCATION newlines embedded in rtf header (snort3-indicator-obfuscation.rules) * 1:43837 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript regex (snort3-indicator-obfuscation.rules) * 1:43836 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file packed with SecureSwf obfuscator (snort3-indicator-obfuscation.rules) * 1:43805 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (snort3-file-office.rules) * 1:43804 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (snort3-file-office.rules) * 1:43803 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (snort3-file-office.rules) * 1:43802 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (snort3-file-office.rules) * 1:43708 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated vbscript detected (snort3-indicator-obfuscation.rules) * 1:43707 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated vbscript detected (snort3-indicator-obfuscation.rules) * 1:43673 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt (snort3-browser-firefox.rules) * 1:43672 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt (snort3-browser-firefox.rules) * 1:43370 <-> DISABLED <-> NETBIOS DCERPC possible wmi remote process launch (snort3-netbios.rules) * 1:43289 <-> DISABLED <-> SERVER-WEBAPP /etc/shadow file access attempt (snort3-server-webapp.rules) * 1:43288 <-> DISABLED <-> SERVER-WEBAPP /etc/motd file access attempt (snort3-server-webapp.rules) * 1:43287 <-> DISABLED <-> SERVER-WEBAPP /etc/inetd.conf file access attempt (snort3-server-webapp.rules) * 1:43256 <-> ENABLED <-> INDICATOR-OBFUSCATION Rig EK fromCharCode offset 33 obfuscated getElementsByTagName call (snort3-indicator-obfuscation.rules) * 1:41461 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (snort3-malware-cnc.rules) * 1:42235 <-> DISABLED <-> SERVER-OTHER NTP malformed config request denial of service attempt (snort3-server-other.rules) * 1:44692 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (snort3-indicator-obfuscation.rules) * 1:44651 <-> DISABLED <-> NETBIOS SMB NTLMSSP authentication brute force attempt (snort3-netbios.rules) * 1:44646 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SVCCTL remote service attempt (snort3-malware-other.rules) * 1:44623 <-> DISABLED <-> POLICY-OTHER EMC Autostart default domain login attempt (snort3-policy-other.rules) * 1:44615 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious javascript deobfuscation calls attempt (snort3-indicator-obfuscation.rules) * 1:44601 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (snort3-file-office.rules) * 1:44600 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (snort3-file-office.rules) * 1:44599 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (snort3-file-office.rules) * 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (snort3-malware-cnc.rules) * 1:44563 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (snort3-malware-cnc.rules) * 1:44562 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (snort3-malware-cnc.rules) * 1:44561 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (snort3-malware-cnc.rules) * 1:44560 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (snort3-malware-cnc.rules) * 1:44559 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (snort3-malware-cnc.rules) * 1:44475 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Handshake spoof runtime detection (snort3-malware-other.rules) * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (snort3-malware-other.rules) * 1:44388 <-> ENABLED <-> SERVER-WEBAPP Multiple routers getcfg.php credential disclosure attempt (snort3-server-webapp.rules) * 1:45483 <-> ENABLED <-> MALWARE-CNC Pdf.Phishing.Agent variant outbound connection detected (snort3-malware-cnc.rules) * 1:45470 <-> ENABLED <-> MALWARE-CNC SambaCry ransomware download attempt (snort3-malware-cnc.rules) * 1:45469 <-> ENABLED <-> MALWARE-CNC SambaCry ransomware download attempt (snort3-malware-cnc.rules) * 1:45454 <-> DISABLED <-> SERVER-WEBAPP PostfixAdmin protected alias deletion attempt (snort3-server-webapp.rules) * 1:45419 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (snort3-os-other.rules) * 1:45418 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (snort3-os-other.rules) * 1:45371 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (snort3-file-office.rules) * 1:45370 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (snort3-file-office.rules) * 1:45352 <-> ENABLED <-> MALWARE-CNC PowerShell Empire HTTP listener response (snort3-malware-cnc.rules) * 1:45174 <-> DISABLED <-> BROWSER-FIREFOX Mozilla download directory file deletion attempt (snort3-browser-firefox.rules) * 1:45173 <-> DISABLED <-> BROWSER-FIREFOX Mozilla download directory file deletion attempt (snort3-browser-firefox.rules) * 1:45137 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit run hidden powershell attempt (snort3-indicator-compromise.rules) * 1:45136 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit PowerShell CLI Download and Run attempt (snort3-indicator-compromise.rules) * 1:45068 <-> DISABLED <-> SERVER-OTHER Oracle Identity Manager default login attempt (snort3-server-other.rules) * 1:45012 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (snort3-file-other.rules) * 1:45006 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (snort3-file-other.rules) * 1:45005 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (snort3-file-other.rules) * 1:44756 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (snort3-server-other.rules) * 1:44702 <-> DISABLED <-> POLICY-OTHER Inedo BuildMaster web server login with default credentials attempt (snort3-policy-other.rules) * 1:44697 <-> DISABLED <-> MALWARE-CNC SquirrelMail directory traversal attempt (snort3-malware-cnc.rules) * 1:44693 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (snort3-indicator-obfuscation.rules) * 1:46368 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell upload attempt (snort3-malware-backdoor.rules) * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (snort3-malware-cnc.rules) * 1:46067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection (snort3-malware-cnc.rules) * 1:46065 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sigma outbound connection (snort3-malware-cnc.rules) * 1:46027 <-> DISABLED <-> SERVER-WEBAPP EventManager page.php sql injection attempt SQL injection attempt (snort3-server-webapp.rules) * 1:46026 <-> DISABLED <-> SERVER-WEBAPP EventManager page.php sql injection attempt SQL injection attempt (snort3-server-webapp.rules) * 1:45980 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection (snort3-malware-cnc.rules) * 1:45968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (snort3-malware-cnc.rules) * 1:45967 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (snort3-malware-cnc.rules) * 1:45928 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (snort3-file-other.rules) * 1:45927 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (snort3-file-other.rules) * 1:45915 <-> DISABLED <-> INDICATOR-COMPROMISE PHP obfuscated eval command execution attempt (snort3-indicator-compromise.rules) * 1:45905 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (snort3-malware-backdoor.rules) * 1:45904 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (snort3-malware-backdoor.rules) * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (snort3-server-other.rules) * 1:45518 <-> DISABLED <-> POLICY-OTHER Remote Desktop weak 40-bit RC4 encryption use attempt (snort3-policy-other.rules) * 1:46369 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (snort3-malware-backdoor.rules) * 1:46387 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt (snort3-server-other.rules) * 1:46381 <-> DISABLED <-> INDICATOR-COMPROMISE Potential data exfiltration through Google form submission (snort3-indicator-compromise.rules) * 1:46678 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules) * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules) * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules) * 1:46675 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules) * 1:46482 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (snort3-malware-cnc.rules) * 1:46685 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (snort3-server-mail.rules) * 1:46684 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (snort3-server-mail.rules) * 1:46683 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (snort3-server-mail.rules) * 1:46682 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (snort3-server-mail.rules) * 1:46879 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (snort3-server-other.rules) * 1:47138 <-> DISABLED <-> SERVER-WEBAPP HP VAN SDN Controller default credentials authentication attempt (snort3-server-webapp.rules) * 1:47137 <-> DISABLED <-> SERVER-WEBAPP HP VAN SDN Controller default token authentication attempt (snort3-server-webapp.rules) * 1:47116 <-> DISABLED <-> SERVER-MAIL Zerofont phishing attempt (snort3-server-mail.rules) * 1:47115 <-> DISABLED <-> SERVER-MAIL Zerofont phishing attempt (snort3-server-mail.rules) * 1:47070 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (snort3-policy-other.rules) * 1:47052 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt (snort3-server-other.rules) * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (snort3-indicator-compromise.rules) * 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (snort3-malware-cnc.rules) * 1:47372 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (snort3-file-pdf.rules) * 1:47371 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (snort3-file-pdf.rules) * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (snort3-file-other.rules) * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (snort3-file-other.rules) * 1:48573 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary file deletion attempt (snort3-server-webapp.rules) * 1:48532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (snort3-browser-ie.rules) * 1:48531 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (snort3-browser-ie.rules) * 1:48508 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (snort3-malware-cnc.rules) * 1:48288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (snort3-malware-cnc.rules) * 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (snort3-os-windows.rules) * 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (snort3-os-windows.rules) * 1:48231 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (snort3-server-webapp.rules) * 1:48145 <-> DISABLED <-> FILE-OTHER McAfee True Key dll-load exploit attempt (snort3-file-other.rules) * 1:48144 <-> DISABLED <-> FILE-OTHER McAfee True Key dll-load exploit attempt (snort3-file-other.rules) * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (snort3-server-other.rules) * 1:47867 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (snort3-malware-other.rules) * 1:47866 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (snort3-malware-other.rules) * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (snort3-malware-other.rules) * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (snort3-malware-other.rules) * 1:47585 <-> DISABLED <-> SERVER-OTHER ntpq decode array buffer overflow attempt (snort3-server-other.rules) * 1:47462 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (snort3-browser-plugins.rules) * 1:47461 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (snort3-browser-plugins.rules) * 1:47422 <-> DISABLED <-> FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt (snort3-file-other.rules) * 1:49060 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (snort3-server-other.rules) * 1:49059 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (snort3-server-other.rules) * 1:49058 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (snort3-server-other.rules) * 1:49057 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (snort3-server-other.rules) * 1:49056 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (snort3-server-other.rules) * 1:49055 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (snort3-server-other.rules) * 1:49054 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (snort3-server-other.rules) * 1:49053 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (snort3-server-other.rules) * 1:49052 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (snort3-server-other.rules) * 1:49051 <-> DISABLED <-> SERVER-OTHER Ewon router default credential login attempt (snort3-server-other.rules) * 1:48895 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (snort3-policy-spam.rules) * 1:48894 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (snort3-policy-spam.rules) * 1:48864 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (snort3-indicator-obfuscation.rules) * 1:48863 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (snort3-indicator-obfuscation.rules) * 1:48862 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (snort3-indicator-obfuscation.rules) * 1:48861 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (snort3-indicator-obfuscation.rules) * 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (snort3-server-webapp.rules) * 1:49289 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (snort3-file-other.rules) * 1:49061 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (snort3-server-other.rules) * 1:4917 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript onload prompt obfuscation overflow attempt (snort3-browser-ie.rules) * 1:4916 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript onload document.write obfuscation overflow attempt (snort3-browser-ie.rules) * 1:49064 <-> DISABLED <-> SERVER-OTHER Westermo router default credential login attempt (snort3-server-other.rules) * 1:49063 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (snort3-server-other.rules) * 1:49062 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (snort3-server-other.rules) * 1:5781 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae windows activity logs (snort3-malware-other.rules) * 1:5759 <-> DISABLED <-> MALWARE-OTHER Keylogger fearlesskeyspy runtime detection (snort3-malware-other.rules) * 1:5742 <-> DISABLED <-> MALWARE-OTHER Keylogger activitylogger runtime detection (snort3-malware-other.rules) * 1:4984 <-> DISABLED <-> SQL sa brute force failed login unicode attempt (snort3-sql.rules) * 1:49292 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (snort3-file-other.rules) * 1:49291 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (snort3-file-other.rules) * 1:49290 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (snort3-file-other.rules) * 1:5780 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwpe word filtered echelon log (snort3-malware-other.rules) * 1:5779 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwpe shell file logs (snort3-malware-other.rules) * 1:5778 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwpe windows activity logs (snort3-malware-other.rules) * 1:5777 <-> DISABLED <-> MALWARE-OTHER Keylogger gurl watcher runtime detection (snort3-malware-other.rules) * 1:6143 <-> DISABLED <-> MALWARE-BACKDOOR dark connection inside v1.2 runtime detection (snort3-malware-backdoor.rules) * 1:613 <-> DISABLED <-> INDICATOR-SCAN myscan (snort3-indicator-scan.rules) * 1:6041 <-> DISABLED <-> MALWARE-BACKDOOR fade 1.0 runtime detection - enable keylogger (snort3-malware-backdoor.rules) * 1:6040 <-> ENABLED <-> MALWARE-BACKDOOR fade 1.0 runtime detection - enable keylogger (snort3-malware-backdoor.rules) * 1:5882 <-> ENABLED <-> MALWARE-OTHER Keylogger spyagent runtime detect - alert notification (snort3-malware-other.rules) * 1:5881 <-> ENABLED <-> MALWARE-OTHER Keylogger spyagent runtime detect - ftp delivery (snort3-malware-other.rules) * 1:5880 <-> ENABLED <-> MALWARE-OTHER Keylogger spyagent runtime detect - smtp delivery (snort3-malware-other.rules) * 1:5790 <-> DISABLED <-> MALWARE-OTHER Keylogger pc actmon pro runtime detection - smtp (snort3-malware-other.rules) * 1:5784 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae urls browsed log (snort3-malware-other.rules) * 1:5783 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae keystrokes log (snort3-malware-other.rules) * 1:5782 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae word filtered echelon log (snort3-malware-other.rules) * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection (snort3-malware-cnc.rules) * 1:7180 <-> DISABLED <-> MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection (snort3-malware-other.rules) * 1:7179 <-> ENABLED <-> MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection (snort3-malware-other.rules) * 1:7178 <-> ENABLED <-> MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection (snort3-malware-other.rules) * 1:7177 <-> DISABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - info send through email (snort3-malware-other.rules) * 1:7176 <-> DISABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - log retrieve (snort3-malware-other.rules) * 1:7175 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - log retrieve (snort3-malware-other.rules) * 1:7169 <-> DISABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange (snort3-malware-other.rules) * 1:7168 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 4 (snort3-malware-other.rules) * 1:7167 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 3 (snort3-malware-other.rules) * 1:7166 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 2 (snort3-malware-other.rules) * 1:7773 <-> DISABLED <-> MALWARE-BACKDOOR messiah 4.0 runtime detection - enable keylogger (snort3-malware-backdoor.rules) * 1:7772 <-> ENABLED <-> MALWARE-BACKDOOR messiah 4.0 runtime detection - enable keylogger - flowbit set (snort3-malware-backdoor.rules) * 1:7597 <-> DISABLED <-> MALWARE-OTHER Keylogger spy lantern keylogger runtime detection (snort3-malware-other.rules) * 1:7596 <-> ENABLED <-> MALWARE-OTHER Keylogger spy lantern keylogger runtime detection - flowbit set (snort3-malware-other.rules) * 1:7592 <-> DISABLED <-> MALWARE-OTHER Keylogger keylogger pro runtime detection (snort3-malware-other.rules) * 1:7591 <-> ENABLED <-> MALWARE-OTHER Keylogger keylogger pro runtime detection - flowbit set (snort3-malware-other.rules) * 1:7574 <-> DISABLED <-> MALWARE-OTHER Keylogger proagent 2.0 runtime detection (snort3-malware-other.rules) * 1:7564 <-> DISABLED <-> PUA-ADWARE Hijacker startnow outbound connection (snort3-pua-adware.rules) * 1:7552 <-> DISABLED <-> MALWARE-OTHER Keylogger ardamax keylogger runtime detection - ftp (snort3-malware-other.rules) * 1:7551 <-> DISABLED <-> MALWARE-OTHER Keylogger ardamax keylogger runtime detection - smtp (snort3-malware-other.rules) * 1:7549 <-> DISABLED <-> MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection (snort3-malware-other.rules) * 1:7548 <-> DISABLED <-> MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection - agent up notification (snort3-malware-other.rules) * 1:7547 <-> DISABLED <-> MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection - agent status monitoring (snort3-malware-other.rules) * 1:7546 <-> DISABLED <-> MALWARE-OTHER Keylogger PerfectKeylogger runtime detection (snort3-malware-other.rules) * 1:7545 <-> ENABLED <-> MALWARE-OTHER Keylogger PerfectKeylogger runtime detection - flowbit set 2 (snort3-malware-other.rules) * 1:7544 <-> ENABLED <-> MALWARE-OTHER Keylogger PerfectKeylogger runtime detection - flowbit set 1 (snort3-malware-other.rules) * 1:7806 <-> DISABLED <-> MALWARE-BACKDOOR fatal wound 1.0 runtime detection - initial connection (snort3-malware-backdoor.rules) * 1:9650 <-> DISABLED <-> MALWARE-OTHER Keylogger ghost Keylogger runtime detection (snort3-malware-other.rules) * 1:9649 <-> ENABLED <-> MALWARE-OTHER Keylogger ghost Keylogger runtime detection - flowbit set (snort3-malware-other.rules) * 1:9648 <-> DISABLED <-> MALWARE-OTHER Keylogger emailspypro runtime detection (snort3-malware-other.rules) * 1:9647 <-> DISABLED <-> MALWARE-OTHER Keylogger system surveillance pro runtime detection (snort3-malware-other.rules) * 1:8544 <-> DISABLED <-> MALWARE-OTHER Keylogger nicespy runtime detection - smtp (snort3-malware-other.rules) * 1:8467 <-> DISABLED <-> MALWARE-OTHER Keylogger netobserve runtime detection - remote login response (snort3-malware-other.rules) * 1:8466 <-> DISABLED <-> MALWARE-OTHER Keylogger netobserve runtime detection - email notification (snort3-malware-other.rules) * 1:8465 <-> ENABLED <-> MALWARE-OTHER Keylogger netobserve runtime detection - email notification (snort3-malware-other.rules) * 1:8357 <-> ENABLED <-> MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send alert out through email (snort3-malware-other.rules) * 1:8356 <-> ENABLED <-> MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send log out through email (snort3-malware-other.rules) * 1:8355 <-> ENABLED <-> MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection (snort3-malware-other.rules) * 1:809 <-> DISABLED <-> SERVER-WEBAPP whois_raw.cgi arbitrary command execution attempt (snort3-server-webapp.rules) * 1:8081 <-> DISABLED <-> INDICATOR-SCAN UPnP service discover attempt (snort3-indicator-scan.rules) * 1:8059 <-> DISABLED <-> SERVER-ORACLE SYS.KUPW-WORKER sql injection attempt (snort3-server-oracle.rules) * 1:7857 <-> DISABLED <-> MALWARE-OTHER Keylogger EliteKeylogger runtime detection (snort3-malware-other.rules) * 1:7847 <-> DISABLED <-> MALWARE-OTHER Keylogger clogger 1.0 runtime detection - send log through email (snort3-malware-other.rules) * 1:7846 <-> ENABLED <-> MALWARE-OTHER Keylogger clogger 1.0 runtime detection (snort3-malware-other.rules) * 1:7845 <-> ENABLED <-> MALWARE-OTHER Keylogger clogger 1.0 runtime detection (snort3-malware-other.rules) * 1:7837 <-> DISABLED <-> MALWARE-OTHER Keylogger spyoutside runtime detection - email delivery (snort3-malware-other.rules) * 1:7808 <-> ENABLED <-> MALWARE-BACKDOOR fatal wound 1.0 runtime detection - upload (snort3-malware-backdoor.rules) * 1:7807 <-> DISABLED <-> MALWARE-BACKDOOR fatal wound 1.0 runtime detection - execute file (snort3-malware-backdoor.rules) * 1:9830 <-> DISABLED <-> MALWARE-OTHER Keylogger supreme spy runtime detection (snort3-malware-other.rules) * 1:9828 <-> DISABLED <-> MALWARE-OTHER Keylogger paq keylog runtime detection - ftp (snort3-malware-other.rules) * 1:9827 <-> DISABLED <-> MALWARE-OTHER Keylogger paq keylog runtime detection - smtp (snort3-malware-other.rules) * 1:10097 <-> ENABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection (snort3-malware-other.rules) * 1:10123 <-> DISABLED <-> PROTOCOL-VOIP PA168 chipset based IP phone default password attempt (snort3-protocol-voip.rules) * 1:10167 <-> DISABLED <-> MALWARE-OTHER Keylogger radar spy 1.0 runtime detection - send html log (snort3-malware-other.rules) * 1:10183 <-> DISABLED <-> MALWARE-OTHER Keylogger activity Keylogger runtime detection (snort3-malware-other.rules) * 1:10464 <-> DISABLED <-> PROTOCOL-TELNET kerberos login environment variable authentication bypass attempt (snort3-protocol-telnet.rules) * 1:1090 <-> DISABLED <-> SERVER-WEBAPP Allaire Pro Web Shell attempt (snort3-server-webapp.rules) * 1:1100 <-> DISABLED <-> INDICATOR-SCAN L3retriever HTTP Probe (snort3-indicator-scan.rules) * 1:1129 <-> DISABLED <-> SERVER-WEBAPP .htaccess access (snort3-server-webapp.rules) * 1:12046 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind RPC Library unix authentication buffer overflow attempt (snort3-protocol-rpc.rules) * 1:12048 <-> DISABLED <-> MALWARE-OTHER Keylogger computer Keylogger runtime detection (snort3-malware-other.rules) * 1:12075 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (snort3-protocol-rpc.rules) * 1:12128 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - init connection (snort3-malware-other.rules) * 1:12130 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - get sys info (snort3-malware-other.rules) * 1:12133 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - open url (snort3-malware-other.rules) * 1:12134 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - open url (snort3-malware-other.rules) * 1:12135 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - fun (snort3-malware-other.rules) * 1:12159 <-> DISABLED <-> MALWARE-BACKDOOR optix pro v1.32 runtime detection - keylogging (snort3-malware-backdoor.rules) * 1:12185 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 tcp request (snort3-protocol-rpc.rules) * 1:12187 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 tcp rename_principal attempt (snort3-protocol-rpc.rules) * 1:12188 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp rename_principal attempt (snort3-protocol-rpc.rules) * 1:12243 <-> DISABLED <-> MALWARE-BACKDOOR hotmail hacker log edition 5.0 runtime detection - init connection (snort3-malware-backdoor.rules) * 1:12372 <-> DISABLED <-> MALWARE-OTHER Keylogger mg-shadow 2.0 runtime detection (snort3-malware-other.rules) * 1:12424 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc RPCSEC_GSS buffer overflow attempt (snort3-protocol-rpc.rules) * 1:12480 <-> ENABLED <-> MALWARE-OTHER Keylogger inside website logger 2.4 runtime detection (snort3-malware-other.rules) * 1:12625 <-> DISABLED <-> MALWARE-OTHER Keylogger windows family safety 2.0 runtime detection (snort3-malware-other.rules) * 1:12698 <-> DISABLED <-> MALWARE-OTHER Keylogger net vizo 5.2 runtime detection (snort3-malware-other.rules) * 1:12759 <-> DISABLED <-> MALWARE-OTHER Keylogger/RAT digi watcher 2.32 runtime detection (snort3-malware-other.rules) * 1:12760 <-> ENABLED <-> MALWARE-OTHER Keylogger powered Keylogger 2.2 runtime detection (snort3-malware-other.rules) * 1:12761 <-> DISABLED <-> MALWARE-OTHER Keylogger powered Keylogger 2.2 runtime detection (snort3-malware-other.rules) * 1:12770 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows obfuscated RDS.Dataspace ActiveX exploit attempt (snort3-browser-plugins.rules) * 1:12771 <-> DISABLED <-> BROWSER-PLUGINS obfuscated BaoFeng Storm MPS.dll ActiveX exploit attempt (snort3-browser-plugins.rules) * 1:12772 <-> DISABLED <-> BROWSER-PLUGINS obfuscated PPStream PowerPlayer ActiveX exploit attempt (snort3-browser-plugins.rules) * 1:12793 <-> DISABLED <-> MALWARE-OTHER Keylogger spy lantern Keylogger pro 6.0 runtime detection (snort3-malware-other.rules) * 1:13243 <-> ENABLED <-> MALWARE-OTHER Keylogger computer monitor 1.1 by lastcomfort runtime detection (snort3-malware-other.rules) * 1:13278 <-> ENABLED <-> MALWARE-OTHER Keylogger advanced spy 4.0 runtime detection (snort3-malware-other.rules) * 1:13280 <-> ENABLED <-> MALWARE-OTHER Keylogger email spy monitor 6.9 runtime detection (snort3-malware-other.rules) * 1:13479 <-> ENABLED <-> MALWARE-OTHER Keylogger findnot guarddog 4.0 runtime detection (snort3-malware-other.rules) * 1:13480 <-> DISABLED <-> MALWARE-OTHER Keylogger findnot guarddog 4.0 runtime detection (snort3-malware-other.rules) * 1:13494 <-> DISABLED <-> MALWARE-OTHER Keylogger smart pc Keylogger runtime detection (snort3-malware-other.rules) * 1:13568 <-> DISABLED <-> MALWARE-OTHER Keylogger sys keylog 1.3 advanced runtime detection (snort3-malware-other.rules) * 1:13767 <-> ENABLED <-> MALWARE-OTHER Keylogger cyber sitter runtime detection (snort3-malware-other.rules) * 1:13768 <-> DISABLED <-> MALWARE-OTHER Keylogger cyber sitter runtime detection (snort3-malware-other.rules) * 1:13791 <-> DISABLED <-> INDICATOR-OBFUSCATION oversized cast statement - possible sql injection obfuscation (snort3-indicator-obfuscation.rules) * 1:13987 <-> DISABLED <-> INDICATOR-OBFUSCATION oversized convert statement - possible sql injection obfuscation (snort3-indicator-obfuscation.rules) * 1:13989 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation (snort3-indicator-obfuscation.rules) * 1:14039 <-> DISABLED <-> FILE-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt (snort3-file-other.rules) * 1:14040 <-> DISABLED <-> SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt (snort3-server-other.rules) * 1:14041 <-> DISABLED <-> SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt - 2 (snort3-server-other.rules) * 1:1434 <-> DISABLED <-> SERVER-WEBAPP .bash_history access (snort3-server-webapp.rules) * 1:15169 <-> DISABLED <-> POLICY-SOCIAL XBOX Live Kerberos authentication request (snort3-policy-social.rules) * 1:15363 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential obfuscated javascript eval unescape attack attempt (snort3-indicator-obfuscation.rules) * 1:15414 <-> DISABLED <-> PROTOCOL-SCADA OMRON-FINS program area protect clear brute force attempt (snort3-protocol-scada.rules) * 1:15425 <-> DISABLED <-> SERVER-WEBAPP phpBB mod tag board sql injection attempt (snort3-server-webapp.rules) * 1:15431 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt (snort3-browser-firefox.rules) * 1:15584 <-> DISABLED <-> SQL char and sysobjects - possible sql injection recon attempt (snort3-sql.rules) * 1:15697 <-> DISABLED <-> INDICATOR-OBFUSCATION rename of javascript unescape function detected (snort3-indicator-obfuscation.rules) * 1:15701 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 2000 domain authentication bypass attempt (snort3-os-windows.rules) * 1:15850 <-> DISABLED <-> OS-WINDOWS Remote Desktop orderType remote code execution attempt (snort3-os-windows.rules) * 1:15874 <-> DISABLED <-> SQL union select - possible sql injection attempt - POST parameter (snort3-sql.rules) * 1:16125 <-> DISABLED <-> MALWARE-OTHER Keylogger spyyahoo v2.2 runtime detection (snort3-malware-other.rules) * 1:16129 <-> DISABLED <-> MALWARE-OTHER Keylogger kamyab Keylogger v.3 runtime detection (snort3-malware-other.rules) * 1:16130 <-> DISABLED <-> MALWARE-OTHER Keylogger lord spy pro 1.4 runtime detection (snort3-malware-other.rules) * 1:16137 <-> DISABLED <-> MALWARE-OTHER Keylogger cheat monitor runtime detection (snort3-malware-other.rules) * 1:16207 <-> DISABLED <-> SERVER-WEBAPP MIT Kerberos V% KAdminD klog_vsyslog server overflow attempt (snort3-server-webapp.rules) * 1:16354 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader start-of-file alternate header obfuscation (snort3-file-pdf.rules) * 1:16524 <-> DISABLED <-> PROTOCOL-FTP ProFTPD username sql injection attempt (snort3-protocol-ftp.rules) * 1:16574 <-> DISABLED <-> BROWSER-PLUGINS obfuscated ActiveX object instantiation via fromCharCode (snort3-browser-plugins.rules) * 1:16743 <-> DISABLED <-> FILE-OTHER Cain & Abel Remote Desktop Protocol file handling buffer overflow attempt (snort3-file-other.rules) * 1:17154 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 (snort3-browser-firefox.rules) * 1:17243 <-> DISABLED <-> SERVER-OTHER MIT Kerberos V5 krb5_recvauth double free attempt (snort3-server-other.rules) * 1:17265 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin access control bypass attempt (snort3-browser-firefox.rules) * 1:17353 <-> DISABLED <-> OS-SOLARIS Oracle Solaris printd Daemon Arbitrary File Deletion attempt (snort3-os-solaris.rules) * 1:18070 <-> DISABLED <-> FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt (snort3-file-office.rules) * 1:18071 <-> DISABLED <-> FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt (snort3-file-office.rules) * 1:1817 <-> DISABLED <-> SERVER-IIS MS Site Server default login attempt (snort3-server-iis.rules) * 1:18204 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18208 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdist.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18211 <-> DISABLED <-> OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt (snort3-os-windows.rules) * 1:18222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18223 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18239 <-> DISABLED <-> INDICATOR-OBFUSCATION known malicious JavaScript decryption routine (snort3-indicator-obfuscation.rules) * 1:18242 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access (snort3-browser-plugins.rules) * 1:18245 <-> DISABLED <-> BROWSER-PLUGINS Oracle Java browser plugin docbase overflow attempt (snort3-browser-plugins.rules) * 1:18329 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access (snort3-browser-plugins.rules) * 1:18408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt (snort3-os-windows.rules) * 1:18414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt (snort3-os-windows.rules) * 1:18426 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin sqlite.dll dll-load exploit attempt (snort3-file-other.rules) * 1:18431 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin sqlite.dll dll-load exploit attempt (snort3-file-pdf.rules) * 1:18432 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader d3dref9.dll dll-load exploit attempt (snort3-file-pdf.rules) * 1:18435 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin agm.dll dll-load exploit attempt (snort3-file-other.rules) * 1:18436 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin bibutils.dll dll-load exploit attempt (snort3-file-other.rules) * 1:18437 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin cooltype.dll dll-load exploit attempt (snort3-file-other.rules) * 1:18438 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt (snort3-file-other.rules) * 1:18439 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (snort3-file-pdf.rules) * 1:18440 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin agm.dll dll-load exploit attempt (snort3-file-pdf.rules) * 1:18446 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player nvapi.dll dll-load exploit attempt (snort3-file-flash.rules) * 1:18495 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18499 <-> DISABLED <-> OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18529 <-> DISABLED <-> FILE-OTHER Adobe Premiere Pro ibfs32.dll dll-load exploit attempt (snort3-file-other.rules) * 1:18534 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC authentication denial of service attempt (snort3-server-other.rules) * 1:18556 <-> DISABLED <-> SERVER-WEBAPP Symantec IM manager IMAdminReportTrendFormRun.asp sql injection attempt (snort3-server-webapp.rules) * 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (snort3-server-webapp.rules) * 1:18620 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc42.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18626 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc42.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18627 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc80.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18629 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc100.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18782 <-> DISABLED <-> MALWARE-CNC URI Request for known malicious URI - Chinese Rootkit.Win32.Fisp.a (snort3-malware-cnc.rules) * 1:18822 <-> DISABLED <-> FILE-IDENTIFY .cpl attachment file type blocked by Outlook detected (snort3-file-identify.rules) * 1:18932 <-> DISABLED <-> SERVER-WEBAPP Jboss default configuration unauthorized application add attempt (snort3-server-webapp.rules) * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (snort3-policy-other.rules) * 1:19036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (snort3-malware-cnc.rules) * 1:19079 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getElementById object corruption (snort3-browser-ie.rules) * 1:19081 <-> DISABLED <-> INDICATOR-OBFUSCATION known suspicious decryption routine (snort3-indicator-obfuscation.rules) * 1:19122 <-> DISABLED <-> POLICY-SPAM appledownload.com known spam email attempt (snort3-policy-spam.rules) * 1:1917 <-> DISABLED <-> INDICATOR-SCAN UPnP service discover attempt (snort3-indicator-scan.rules) * 1:19172 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt (snort3-browser-ie.rules) * 1:19311 <-> DISABLED <-> PUA-ADWARE Keylogger aspy v2.12 runtime detection (snort3-pua-adware.rules) * 1:19315 <-> DISABLED <-> OS-WINDOWS Microsoft Groove GroovePerfmon.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:19318 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC UDP default U dun goofed attack (snort3-malware-other.rules) * 1:19319 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (snort3-malware-other.rules) * 1:19324 <-> ENABLED <-> MALWARE-OTHER Keylogger WL-Keylogger inbound connection (snort3-malware-other.rules) * 1:19393 <-> DISABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (snort3-malware-other.rules) * 1:19437 <-> DISABLED <-> INDICATOR-OBFUSCATION select concat statement - possible sql injection (snort3-indicator-obfuscation.rules) * 1:19438 <-> ENABLED <-> SQL url ending in comment characters - possible sql injection attempt (snort3-sql.rules) * 1:19439 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (snort3-sql.rules) * 1:19440 <-> ENABLED <-> SQL 1 = 0 - possible sql injection attempt (snort3-sql.rules) * 1:19465 <-> DISABLED <-> OS-WINDOWS Visio mfc71 dll-load attempt (snort3-os-windows.rules) * 1:19568 <-> DISABLED <-> MALWARE-CNC Trojan-Spy.Win32.PerfectKeylogger variant outbound connection (snort3-malware-cnc.rules) * 1:19665 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - GET request (snort3-os-windows.rules) * 1:19673 <-> DISABLED <-> OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:19706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent.cer variant outbound connection (snort3-malware-cnc.rules) * 1:19868 <-> DISABLED <-> INDICATOR-OBFUSCATION hidden 1x1 div tag - potential malware obfuscation (snort3-indicator-obfuscation.rules) * 1:19884 <-> DISABLED <-> INDICATOR-OBFUSCATION String.fromCharCode with multiple encoding types detected (snort3-indicator-obfuscation.rules) * 1:19887 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (snort3-indicator-obfuscation.rules) * 1:19900 <-> DISABLED <-> MALWARE-OTHER Tong Keylogger outbound connection (snort3-malware-other.rules) * 1:20047 <-> DISABLED <-> SQL 1 = 1 - possible sql injection attempt (snort3-sql.rules) * 1:20098 <-> DISABLED <-> MALWARE-CNC Win.Trojan.KeyLogger.wav variant outbound connection (snort3-malware-cnc.rules) * 1:20119 <-> DISABLED <-> OS-WINDOWS Microsoft Windows shell extensions deskpan.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:20158 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish Server default credentials login attempt (snort3-server-webapp.rules) * 1:20212 <-> DISABLED <-> SERVER-OTHER SSL CBC encryption mode weakness brute force attempt (snort3-server-other.rules) * 1:20274 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP NetShareEnumAll request (snort3-netbios.rules) * 1:20276 <-> DISABLED <-> INDICATOR-OBFUSCATION standard ASCII encoded with UTF-8 possible evasion detected (snort3-indicator-obfuscation.rules) * 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (snort3-indicator-scan.rules) * 1:20691 <-> DISABLED <-> POLICY-OTHER Cisco Network Registrar default credentials authentication attempt (snort3-policy-other.rules) * 1:20692 <-> DISABLED <-> POLICY-OTHER Cisco network registrar default credentials authentication attempt (snort3-policy-other.rules) * 1:20701 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp4x322.dll dll-load exploit attempt (snort3-file-office.rules) * 1:20702 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp7x32.dll dll-load exploit attempt (snort3-file-office.rules) * 1:20995 <-> DISABLED <-> POLICY-OTHER HP SiteScope integrationViewer default credentials policy-bypass attempt (snort3-policy-other.rules) * 1:20996 <-> DISABLED <-> POLICY-OTHER HP SiteScope integrationViewer default credentials policy-bypass attempt (snort3-policy-other.rules) * 1:21038 <-> DISABLED <-> INDICATOR-OBFUSCATION String.fromCharCode with multiple encoding types detected (snort3-indicator-obfuscation.rules) * 1:21039 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (snort3-indicator-obfuscation.rules) * 1:21040 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (snort3-indicator-obfuscation.rules) * 1:21088 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote desktop denial of service attempt (snort3-os-windows.rules) * 1:21117 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell (snort3-indicator-compromise.rules) * 1:21118 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell security information display (snort3-indicator-compromise.rules) * 1:21119 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell interactive file system information display (snort3-indicator-compromise.rules) * 1:21120 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell interactive console display (snort3-indicator-compromise.rules) * 1:21121 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell interactive SQL display (snort3-indicator-compromise.rules) * 1:21129 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell (snort3-indicator-compromise.rules) * 1:21134 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell security information page (snort3-indicator-compromise.rules) * 1:21138 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell database parsing page (snort3-indicator-compromise.rules) * 1:21140 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell kill shell page (snort3-indicator-compromise.rules) * 1:21282 <-> ENABLED <-> FILE-IDENTIFY XSL file download request (snort3-file-identify.rules) * 1:21286 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (snort3-file-identify.rules) * 1:21287 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (snort3-file-identify.rules) * 1:21289 <-> DISABLED <-> OS-WINDOWS Microsoft Color Control Panel STI.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:21318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FakeAV TDSS/PurpleHaze variant outbound connection - base64 encoded (snort3-malware-cnc.rules) * 1:214 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x (snort3-malware-backdoor.rules) * 1:21442 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - base64 encoded (snort3-malware-cnc.rules) * 1:2146 <-> DISABLED <-> SERVER-WEBAPP TextPortal admin.php default password 12345 attempt (snort3-server-webapp.rules) * 1:21479 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (snort3-file-identify.rules) * 1:215 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit attempt (snort3-malware-backdoor.rules) * 1:21567 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design wintab32.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:21577 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - charcode (snort3-indicator-obfuscation.rules) * 1:21578 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - eval (snort3-indicator-obfuscation.rules) * 1:216 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit satori attempt (snort3-malware-backdoor.rules) * 1:21637 <-> DISABLED <-> POLICY-SPAM local user attempted to fill out paypal phishing form (snort3-policy-spam.rules) * 1:2177 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder unicode access (snort3-os-windows.rules) * 1:21778 <-> DISABLED <-> SQL parameter ending in comment characters - possible sql injection attempt - POST (snort3-sql.rules) * 1:21780 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded waitfor delay function in POST - possible sql injection attempt (snort3-indicator-obfuscation.rules) * 1:21781 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded union select function in POST - possible sql injection attempt (snort3-indicator-obfuscation.rules) * 1:21783 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting (snort3-indicator-obfuscation.rules) * 1:21784 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting (snort3-indicator-obfuscation.rules) * 1:21785 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript escape function in POST parameters - likely javascript injection (snort3-indicator-obfuscation.rules) * 1:21786 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection (snort3-indicator-obfuscation.rules) * 1:21947 <-> DISABLED <-> MALWARE-CNC Win.Trojan.VicSpy.A variant outbound connection (snort3-malware-cnc.rules) * 1:22033 <-> ENABLED <-> MALWARE-CNC Apple OSX Flashback malware variant outbound connection (snort3-malware-cnc.rules) * 1:22034 <-> ENABLED <-> MALWARE-CNC Apple OSX Flashback malware variant outbound connection (snort3-malware-cnc.rules) * 1:22053 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Insomnia variant inbound connection - post infection (snort3-malware-cnc.rules) * 1:22061 <-> ENABLED <-> MALWARE-OTHER Alureon - Malicious IFRAME load attempt (snort3-malware-other.rules) * 1:22071 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - eval (snort3-indicator-obfuscation.rules) * 1:2273 <-> DISABLED <-> PROTOCOL-IMAP login brute force attempt (snort3-protocol-imap.rules) * 1:22970 <-> ENABLED <-> FILE-IDENTIFY remote desktop configuration file attachment detected (snort3-file-identify.rules) * 1:23085 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - join (snort3-indicator-obfuscation.rules) * 1:23087 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - xval (snort3-indicator-obfuscation.rules) * 1:23114 <-> DISABLED <-> INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious (snort3-indicator-obfuscation.rules) * 1:23160 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode (snort3-indicator-obfuscation.rules) * 1:23161 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - eval (snort3-indicator-obfuscation.rules) * 1:233 <-> DISABLED <-> MALWARE-OTHER Trin00 Attacker to Master default startup password (snort3-malware-other.rules) * 1:23482 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in addEventListener call (snort3-indicator-obfuscation.rules) * 1:235 <-> DISABLED <-> MALWARE-OTHER Trin00 Attacker to Master default mdie password (snort3-malware-other.rules) * 1:23602 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan Firefox agent string (snort3-indicator-scan.rules) * 1:23604 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan iPhone agent string (snort3-indicator-scan.rules) * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (snort3-file-pdf.rules) * 1:23636 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder (snort3-indicator-obfuscation.rules) * 1:237 <-> DISABLED <-> MALWARE-OTHER Trin00 Master to Daemon default password attempt (snort3-malware-other.rules) * 1:23757 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (snort3-file-identify.rules) * 1:23831 <-> DISABLED <-> INDICATOR-OBFUSCATION non-alphanumeric javascript detected (snort3-indicator-obfuscation.rules) * 1:23832 <-> DISABLED <-> INDICATOR-OBFUSCATION non-alphanumeric javascript detected (snort3-indicator-obfuscation.rules) * 1:23947 <-> DISABLED <-> SQL IBM System Storage DS storage manager profiler sql injection attempt (snort3-sql.rules) * 1:23985 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime plugin SetLanguage buffer overflow attempt (snort3-browser-plugins.rules) * 1:24008 <-> DISABLED <-> POLICY-OTHER use of psexec remote administration tool (snort3-policy-other.rules) * 1:2406 <-> DISABLED <-> PROTOCOL-TELNET APC SmartSlot default admin account attempt (snort3-protocol-telnet.rules) * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (snort3-app-detect.rules) * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (snort3-app-detect.rules) * 1:24096 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (snort3-app-detect.rules) * 1:24097 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (snort3-app-detect.rules) * 1:24168 <-> DISABLED <-> INDICATOR-OBFUSCATION hidden iframe - potential include of malicious content (snort3-indicator-obfuscation.rules) * 1:24243 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - base64 encoded (snort3-malware-cnc.rules) * 1:24306 <-> DISABLED <-> SERVER-APACHE HP Operations Dashboard Apache Tomcat default admin account access attempt (snort3-server-apache.rules) * 1:24360 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Kerberos NULL session denial of service attempt (snort3-os-windows.rules) * 1:24368 <-> ENABLED <-> MALWARE-CNC Lizamoon sql injection campaign phone-home (snort3-malware-cnc.rules) * 1:24369 <-> DISABLED <-> MALWARE-CNC Lizamoon sql injection campaign ur.php response detected (snort3-malware-cnc.rules) * 1:24517 <-> DISABLED <-> SERVER-WEBAPP F5 Networks FirePass my.activation.php3 state parameter sql injection attempt (snort3-server-webapp.rules) * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice arbitrary file deletion attempt (snort3-server-webapp.rules) * 1:24814 <-> DISABLED <-> PROTOCOL-SNMP Samsung printer default community string (snort3-protocol-snmp.rules) * 1:25060 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveX multiple adjacent object tags (snort3-indicator-obfuscation.rules) * 1:25452 <-> ENABLED <-> INDICATOR-OBFUSCATION PNG header followed by PDF header (snort3-indicator-obfuscation.rules) * 1:25453 <-> ENABLED <-> INDICATOR-OBFUSCATION JPEG header followed by PDF header (snort3-indicator-obfuscation.rules) * 1:25454 <-> ENABLED <-> INDICATOR-OBFUSCATION DOC header followed by PDF header (snort3-indicator-obfuscation.rules) * 1:25458 <-> ENABLED <-> INDICATOR-OBFUSCATION DOC header followed by PDF header (snort3-indicator-obfuscation.rules) * 1:25567 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - POST request (snort3-os-windows.rules) * 1:25577 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST (snort3-malware-cnc.rules) * 1:25579 <-> ENABLED <-> MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack (snort3-malware-other.rules) * 1:25592 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated document command - used in IFRAMEr tool injection (snort3-indicator-obfuscation.rules) * 1:25783 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation (snort3-indicator-obfuscation.rules) * 1:25983 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (snort3-indicator-obfuscation.rules) * 1:26040 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt (snort3-exploit-kit.rules) * 1:26070 <-> ENABLED <-> FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt (snort3-file-executable.rules) * 1:26261 <-> ENABLED <-> MALWARE-OTHER Fake postal receipt HTTP Response phishing attack (snort3-malware-other.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (snort3-app-detect.rules) * 1:26349 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit obfuscated portable executable (snort3-exploit-kit.rules) * 1:26352 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits (snort3-indicator-obfuscation.rules) * 1:26441 <-> ENABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected (snort3-indicator-obfuscation.rules) * 1:26451 <-> DISABLED <-> INDICATOR-OBFUSCATION g01pack Javascript substr function wrapper attempt (snort3-indicator-obfuscation.rules) * 1:26566 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (snort3-indicator-obfuscation.rules) * 1:26567 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (snort3-indicator-obfuscation.rules) * 1:26568 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (snort3-indicator-obfuscation.rules) * 1:26592 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt (snort3-browser-webkit.rules) * 1:26615 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript substr rename attempt (snort3-indicator-obfuscation.rules) * 1:26616 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript indexOf rename attempt (snort3-indicator-obfuscation.rules) * 1:26619 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious (snort3-indicator-obfuscation.rules) * 1:26620 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious (snort3-indicator-obfuscation.rules) * 1:26639 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value (snort3-browser-ie.rules) * 1:26640 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value (snort3-browser-ie.rules) * 1:26705 <-> DISABLED <-> OS-MOBILE Android Ewalls device information exfiltration (snort3-os-mobile.rules) * 1:26803 <-> ENABLED <-> MALWARE-OTHER DNS data exfiltration attempt (snort3-malware-other.rules) * 1:27074 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (snort3-indicator-obfuscation.rules) * 1:27193 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (snort3-server-other.rules) * 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (snort3-server-other.rules) * 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (snort3-server-other.rules) * 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (snort3-server-other.rules) * 1:27286 <-> DISABLED <-> SERVER-WEBAPP DuWare DuClassmate default.asp iCity sql injection attempt (snort3-server-webapp.rules) * 1:27593 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split (snort3-indicator-obfuscation.rules) * 1:27729 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /Silic.jsp (snort3-indicator-compromise.rules) * 1:27731 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /inback.jsp (snort3-indicator-compromise.rules) * 1:27735 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool usage (snort3-indicator-obfuscation.rules) * 1:27756 <-> DISABLED <-> SERVER-WEBAPP RedHat Piranha Virtual Server Package default passwd and arbitrary command execution attempt (snort3-server-webapp.rules) * 1:27920 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (snort3-indicator-obfuscation.rules) * 1:27956 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (snort3-malware-other.rules) * 1:27957 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (snort3-malware-other.rules) * 1:27961 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (snort3-malware-other.rules) * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules) * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules) * 1:28002 <-> DISABLED <-> INDICATOR-SCAN UPnP WANPPPConnection (snort3-indicator-scan.rules) * 1:28023 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool attack (snort3-indicator-obfuscation.rules) * 1:28024 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (snort3-indicator-obfuscation.rules) * 1:28149 <-> DISABLED <-> SERVER-OTHER Quest Software Big Brother attempted arbitrary file deletion (snort3-server-other.rules) * 1:28255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz Potential phishing URL (snort3-malware-cnc.rules) * 1:28278 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager express user.updateUserValue sql injection attempt (snort3-server-webapp.rules) * 1:28301 <-> DISABLED <-> INDICATOR-SCAN User-Agent known malicious user-agent Masscan (snort3-indicator-scan.rules) * 1:28345 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (snort3-indicator-obfuscation.rules) * 1:28346 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (snort3-indicator-obfuscation.rules) * 1:28349 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (snort3-browser-plugins.rules) * 1:28350 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (snort3-browser-plugins.rules) * 1:28351 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (snort3-browser-plugins.rules) * 1:28399 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Tsunami outbound connection (snort3-malware-cnc.rules) * 1:28609 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit obfuscated exploit payload download (snort3-exploit-kit.rules) * 1:28812 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (snort3-indicator-obfuscation.rules) * 1:28833 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt (snort3-file-other.rules) * 1:28835 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt (snort3-file-other.rules) * 1:28840 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt (snort3-file-other.rules) * 1:28841 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt (snort3-file-other.rules) * 1:28842 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wintab32.dll dll-load exploit attempt (snort3-file-other.rules) * 1:28941 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (snort3-indicator-obfuscation.rules) * 1:29031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant inbound connection (snort3-malware-cnc.rules) * 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (snort3-malware-backdoor.rules) * 1:29213 <-> ENABLED <-> INDICATOR-OBFUSCATION potential math library debugging (snort3-indicator-obfuscation.rules) * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (snort3-app-detect.rules) * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (snort3-app-detect.rules) * 1:29394 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit QuickTime plugin content-type http header buffer overflow attempt (snort3-browser-webkit.rules) * 1:29396 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip receipt filename download with .exe name within .zip the same (snort3-policy-spam.rules) * 1:29397 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip shipping filename download with .exe name within .zip the same (snort3-policy-spam.rules) * 1:29509 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple character encodings detected (snort3-indicator-obfuscation.rules) * 1:29510 <-> ENABLED <-> INDICATOR-OBFUSCATION Multiple character encodings detected (snort3-indicator-obfuscation.rules) * 1:29580 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVG data processing obfuscated memory corruption attempt (snort3-browser-firefox.rules) * 1:29608 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO showRegisteredTypeDetails.do sql injection attempt (snort3-server-webapp.rules) * 1:29615 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keylogger outbound connection (snort3-malware-cnc.rules) * 1:29616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keylogger inbound connection (snort3-malware-cnc.rules) * 1:29680 <-> DISABLED <-> BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt (snort3-browser-plugins.rules) * 1:29681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt (snort3-browser-plugins.rules) * 1:29745 <-> DISABLED <-> INDICATOR-OBFUSCATION Alternating character encodings - JS variable (snort3-indicator-obfuscation.rules) * 1:29756 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager express user.updateUserValue sql injection attempt (snort3-server-webapp.rules) * 1:29791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Careto plugin download (snort3-malware-cnc.rules) * 1:29807 <-> DISABLED <-> INDICATOR-OBFUSCATION Alternating character encodings - JS array (snort3-indicator-obfuscation.rules) * 1:29813 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized HTML number encodings detected in clsid access attempt (snort3-indicator-obfuscation.rules) * 1:29869 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Napolar phishing attack (snort3-malware-cnc.rules) * 1:29886 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Crypi.A outbound keylogger traffic (snort3-malware-cnc.rules) * 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (snort3-malware-other.rules) * 1:30327 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple binary tags in close proximity - potentially malicious (snort3-indicator-obfuscation.rules) * 1:30568 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt (snort3-malware-other.rules) * 1:30982 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Karnos variant outbound connection (snort3-malware-cnc.rules) * 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (snort3-server-webapp.rules) * 1:31412 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:31413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:31414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:31556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke HTTP data exfiltration attempt (snort3-malware-cnc.rules) * 1:31806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nighthunter data exfiltration attempt (snort3-malware-cnc.rules) * 1:31807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nighthunter data exfiltration attempt (snort3-malware-cnc.rules) * 1:31831 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (snort3-policy-other.rules) * 1:31857 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (snort3-exploit-kit.rules) * 1:31859 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (snort3-exploit-kit.rules) * 1:32008 <-> ENABLED <-> MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack (snort3-malware-other.rules) * 1:32068 <-> DISABLED <-> POLICY-OTHER SolarWinds Log and Event Manager default credentials authentication attempt (snort3-policy-other.rules) * 1:32102 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (snort3-browser-plugins.rules) * 1:32204 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (snort3-server-other.rules) * 1:32205 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (snort3-server-other.rules) * 1:32355 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript variable obfuscation (snort3-indicator-obfuscation.rules) * 1:32501 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (snort3-file-other.rules) * 1:32526 <-> DISABLED <-> POLICY-OTHER Visual Mining NetCharts default credentials authentication attempt (snort3-policy-other.rules) * 1:32602 <-> DISABLED <-> POLICY-OTHER ManageEngine Eventlog Analyzer credential disclosure attempt (snort3-policy-other.rules) * 1:32740 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (snort3-policy-other.rules) * 1:32741 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (snort3-policy-other.rules) * 1:32755 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (snort3-server-other.rules) * 1:32756 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (snort3-server-other.rules) * 1:32759 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (snort3-server-other.rules) * 1:32760 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (snort3-server-other.rules) * 1:32771 <-> DISABLED <-> MALWARE-OTHER Adobe Invoice email scam phishing attempt (snort3-malware-other.rules) * 1:32772 <-> DISABLED <-> MALWARE-OTHER Adobe License Key email scam phishing attempt (snort3-malware-other.rules) * 1:32804 <-> ENABLED <-> EXPLOIT-KIT known malicious javascript packer detected (snort3-exploit-kit.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (snort3-app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (snort3-app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (snort3-app-detect.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (snort3-app-detect.rules) * 1:32890 <-> DISABLED <-> SERVER-OTHER ntpd configure buffer overflow attempt (snort3-server-other.rules) * 1:32945 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (snort3-file-identify.rules) * 1:32946 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (snort3-file-identify.rules) * 1:32947 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file download request (snort3-file-identify.rules) * 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (snort3-indicator-compromise.rules) * 1:32949 <-> DISABLED <-> MALWARE-OTHER Download of executable screensaver file (snort3-malware-other.rules) * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (snort3-malware-cnc.rules) * 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (snort3-malware-cnc.rules) * 1:33221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (snort3-malware-cnc.rules) * 1:33222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (snort3-malware-cnc.rules) * 1:33223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (snort3-malware-cnc.rules) * 1:33547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Turla outbound connection (snort3-malware-cnc.rules) * 1:33566 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt (snort3-browser-firefox.rules) * 1:33656 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak data exfiltration attempt (snort3-malware-cnc.rules) * 1:33857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PwnPOS data exfiltration attempt (snort3-malware-cnc.rules) * 1:33886 <-> ENABLED <-> MALWARE-CNC WIn.Trojan.HawkEye keylogger variant outbound connection (snort3-malware-cnc.rules) * 1:33939 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (snort3-malware-other.rules) * 1:33940 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (snort3-malware-other.rules) * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (snort3-malware-other.rules) * 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (snort3-malware-other.rules) * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (snort3-malware-other.rules) * 1:33983 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit obfuscated file download (snort3-exploit-kit.rules) * 1:34037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound connection (snort3-malware-cnc.rules) * 1:34112 <-> DISABLED <-> SERVER-OTHER NTP mode 6 REQ_NONCE denial of service attempt (snort3-server-other.rules) * 1:34114 <-> DISABLED <-> SERVER-OTHER NTP mode 6 UNSETTRAP denial of service attempt (snort3-server-other.rules) * 1:34118 <-> DISABLED <-> INDICATOR-OBFUSCATION known malicious javascript packer detected (snort3-indicator-obfuscation.rules) * 1:34226 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple AV products evasion attempt (snort3-indicator-obfuscation.rules) * 1:34227 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple AV products evasion attempt (snort3-indicator-obfuscation.rules) * 1:34295 <-> DISABLED <-> SQL Lblog possible sql injection attempt - GET parameter (snort3-sql.rules) * 1:34345 <-> DISABLED <-> POLICY-OTHER Red Hat OpenStack default password login attempt (snort3-policy-other.rules) * 1:34446 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Odlanor information exfiltration attempt (snort3-malware-cnc.rules) * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (snort3-app-detect.rules) * 1:34709 <-> DISABLED <-> SERVER-OTHER MIT Kerberos MIT Kerberos 5 krb5_read_message denial of service attempt (snort3-server-other.rules) * 1:34890 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro u32ZLib.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34891 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro u32Zlib.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34892 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro quserex.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34893 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro quserex.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34894 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro FxManagedCommands dll-load exploit attempt (snort3-file-other.rules) * 1:34895 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro FxManagedCommands dll-load exploit attempt (snort3-file-other.rules) * 1:34896 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro TD_Mgd_3.08_9.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34897 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro TD_Mgd_3.08_9.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34898 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wacommt.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34899 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wacommt.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34900 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro igfxcmrt32.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34901 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro igfxcmrt32.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34902 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34903 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro MSPStyleLib.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34904 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro MSPStyleLib.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34905 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uFioUtil.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34906 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uFioUtil.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34907 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uhDSPlay.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34908 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uhDSPlay.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34909 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34910 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34911 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34912 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34913 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll_SSE3.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34914 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll_SSE3.dll dll-load exploit attempt (snort3-file-other.rules) * 1:34915 <-> DISABLED <-> NETBIOS SMB Corel PaintShop Pro quserex.dll dll-load exploit attempt (snort3-netbios.rules) * 1:34916 <-> DISABLED <-> NETBIOS SMB Corel PaintShop Pro u32zlib.dll dll-load exploit attempt (snort3-netbios.rules) * 1:34944 <-> DISABLED <-> POLICY-OTHER Arcserve Unified Data Protection Management credential disclosure attempt (snort3-policy-other.rules) * 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection (snort3-malware-cnc.rules) * 1:35029 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.Lotronc variant outbound connection (snort3-malware-cnc.rules) * 1:35109 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (snort3-exploit-kit.rules) * 1:35110 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (snort3-exploit-kit.rules) * 1:35111 <-> DISABLED <-> SERVER-OTHER OpenSSL anomalous x509 certificate with default org name and certificate chain detected (snort3-server-other.rules) * 1:35118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (snort3-os-windows.rules) * 1:35143 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer msostyle.dll dll-load exploit attempt (snort3-file-office.rules) * 1:35168 <-> DISABLED <-> FILE-OFFICE Microsoft Office rapi.dll dll-load exploit attempt (snort3-file-office.rules) * 1:3519 <-> DISABLED <-> SERVER-MYSQL MaxDB WebSQL wppassword buffer overflow default port (snort3-server-mysql.rules) * 1:35215 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode atlthunk.dll dll-load exploit attempt (snort3-browser-ie.rules) * 1:35317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Directate outbound connection (snort3-malware-cnc.rules) * 1:3542 <-> DISABLED <-> SQL SA brute force login attempt (snort3-sql.rules) * 1:3543 <-> DISABLED <-> SQL SA brute force login attempt TDS v7/8 (snort3-sql.rules) * 1:35471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Baisogu outbound connection (snort3-malware-cnc.rules) * 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (snort3-file-identify.rules) * 1:3552 <-> DISABLED <-> OS-WINDOWS Microsoft Windows OLE32 MSHTA masquerade attempt (snort3-os-windows.rules) * 1:35527 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (snort3-policy-other.rules) * 1:35528 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (snort3-policy-other.rules) * 1:35737 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (snort3-indicator-obfuscation.rules) * 1:35738 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (snort3-indicator-obfuscation.rules) * 1:35769 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike inbound connection (snort3-malware-backdoor.rules) * 1:35770 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike outbound connection (snort3-malware-backdoor.rules) * 1:35831 <-> DISABLED <-> SERVER-OTHER multiple vendors NTP daemon integer overflow attempt (snort3-server-other.rules) * 1:35886 <-> DISABLED <-> POLICY-OTHER Kaskad SCADA default username and password attempt (snort3-policy-other.rules) * 1:36036 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (snort3-indicator-obfuscation.rules) * 1:36054 <-> ENABLED <-> MALWARE-CNC Ios.Backdoor.SYNful inbound connection (snort3-malware-cnc.rules) * 1:36070 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join attempt (snort3-indicator-obfuscation.rules) * 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (snort3-server-webapp.rules) * 1:36198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant certificate (snort3-malware-cnc.rules) * 1:36201 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (snort3-exploit-kit.rules) * 1:36250 <-> DISABLED <-> SERVER-OTHER ntpd keyfile buffer overflow attempt (snort3-server-other.rules) * 1:36251 <-> DISABLED <-> SERVER-OTHER ntpq atoascii memory corruption attempt (snort3-server-other.rules) * 1:36252 <-> DISABLED <-> SERVER-OTHER ntpd remote configuration denial of service attempt (snort3-server-other.rules) * 1:36253 <-> DISABLED <-> SERVER-OTHER ntpd saveconfig directory traversal attempt (snort3-server-other.rules) * 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (snort3-policy-other.rules) * 1:36304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinPlock variant outbound connection (snort3-malware-cnc.rules) * 1:36338 <-> ENABLED <-> MALWARE-OTHER Apple iTunes Connect HTTP response phishing attempt (snort3-malware-other.rules) * 1:36375 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Management Framework Endpoint default HTTP password authentication attempt (snort3-server-other.rules) * 1:36407 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (snort3-os-windows.rules) * 1:36408 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (snort3-os-windows.rules) * 1:36409 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (snort3-os-windows.rules) * 1:36410 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (snort3-os-windows.rules) * 1:36536 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK packet flood attempt (snort3-server-other.rules) * 1:36585 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari user assisted applescript code execution attempt (snort3-browser-webkit.rules) * 1:36596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (snort3-os-windows.rules) * 1:36601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (snort3-malware-cnc.rules) * 1:36602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (snort3-malware-cnc.rules) * 1:36603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (snort3-malware-cnc.rules) * 1:36632 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (snort3-server-other.rules) * 1:36633 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (snort3-server-other.rules) * 1:36666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tentobr outbound connection (snort3-malware-cnc.rules) * 1:3679 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Products IFRAME src javascript code execution (snort3-indicator-obfuscation.rules) * 1:36804 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdistsvc.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (snort3-server-other.rules) * 1:36815 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected (snort3-server-other.rules) * 1:36816 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected (snort3-server-other.rules) * 1:36824 <-> DISABLED <-> EXPLOIT-KIT Known exploit kit obfuscation routine detected (snort3-exploit-kit.rules) * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (snort3-browser-ie.rules) * 1:36931 <-> ENABLED <-> FILE-OFFICE Microsoft Office wuaext.dll dll-load exploit attempt (snort3-file-office.rules) * 1:36994 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (snort3-file-office.rules) * 1:36996 <-> ENABLED <-> FILE-OFFICE Microsoft Office spframe.dll dll-load exploit attempt (snort3-file-office.rules) * 1:36999 <-> ENABLED <-> FILE-OFFICE Microsoft Office elsext.dll dll-load exploit attempt (snort3-file-office.rules) * 1:37000 <-> ENABLED <-> FILE-OFFICE Microsoft Office nwdblib.dll dll-load exploit attempt (snort3-file-office.rules) * 1:37130 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (snort3-file-identify.rules) * 1:37132 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (snort3-file-identify.rules) * 1:37243 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (snort3-indicator-compromise.rules) * 1:37244 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (snort3-indicator-compromise.rules) * 1:37245 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules) * 1:37257 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mapi32x.dll dll-load exploit attempt (snort3-browser-ie.rules) * 1:37262 <-> ENABLED <-> FILE-OFFICE Microsoft Office mfplat.dll dll-load exploit attempt (snort3-file-office.rules) * 1:37264 <-> ENABLED <-> FILE-OFFICE Microsoft Office api-ms-win-core-winrt-l1-1-0.dll dll-load exploit attempt (snort3-file-office.rules) * 1:37275 <-> ENABLED <-> OS-WINDOWS Microsoft Windows feclient.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (snort3-app-detect.rules) * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (snort3-app-detect.rules) * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (snort3-app-detect.rules) * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (snort3-app-detect.rules) * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (snort3-app-detect.rules) * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (snort3-app-detect.rules) * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (snort3-app-detect.rules) * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (snort3-app-detect.rules) * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (snort3-app-detect.rules) * 1:37312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (snort3-file-pdf.rules) * 1:37313 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (snort3-file-pdf.rules) * 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (snort3-file-office.rules) * 1:37378 <-> DISABLED <-> SERVER-WEBAPP ABB default password login attempt (snort3-server-webapp.rules) * 1:37379 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (snort3-server-webapp.rules) * 1:37380 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (snort3-server-webapp.rules) * 1:37381 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (snort3-server-webapp.rules) * 1:37382 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (snort3-server-webapp.rules) * 1:37383 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (snort3-server-webapp.rules) * 1:37384 <-> DISABLED <-> SERVER-WEBAPP Emerson default password login attempt (snort3-server-webapp.rules) * 1:37385 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (snort3-server-webapp.rules) * 1:37386 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (snort3-server-webapp.rules) * 1:37387 <-> DISABLED <-> SERVER-WEBAPP Moxa default password login attempt (snort3-server-webapp.rules) * 1:37388 <-> DISABLED <-> SERVER-WEBAPP NOVUS AUTOMATION default password login attempt (snort3-server-webapp.rules) * 1:37389 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (snort3-server-webapp.rules) * 1:37390 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (snort3-server-webapp.rules) * 1:37391 <-> DISABLED <-> SERVER-WEBAPP Samsung default password login attempt (snort3-server-webapp.rules) * 1:37392 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (snort3-server-webapp.rules) * 1:37393 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (snort3-server-webapp.rules) * 1:37394 <-> DISABLED <-> SERVER-WEBAPP Wago default password login attempt (snort3-server-webapp.rules) * 1:37395 <-> DISABLED <-> SERVER-WEBAPP Westermo default password login attempt (snort3-server-webapp.rules) * 1:37396 <-> DISABLED <-> SERVER-WEBAPP eWON default password login attempt (snort3-server-webapp.rules) * 1:37416 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (snort3-malware-backdoor.rules) * 1:37421 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (snort3-malware-backdoor.rules) * 1:37525 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (snort3-server-other.rules) * 1:37526 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (snort3-server-other.rules) * 1:37555 <-> ENABLED <-> FILE-OFFICE Microsoft Office msdaora.dll dll-load exploit attempt (snort3-file-office.rules) * 1:37556 <-> ENABLED <-> FILE-OFFICE Microsoft Office phoneinfo.dll dll-load exploit attempt (snort3-file-office.rules) * 1:37588 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word BCSRuntime.dll dll-load exploit attempt (snort3-file-office.rules) * 1:37589 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word OLMAPI32.dll dll-load exploit attempt (snort3-file-office.rules) * 1:37655 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (snort3-os-windows.rules) * 1:37656 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (snort3-os-windows.rules) * 1:37728 <-> DISABLED <-> INDICATOR-OBFUSCATION SWF with large DefineBinaryData tag (snort3-indicator-obfuscation.rules) * 1:37729 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (snort3-indicator-obfuscation.rules) * 1:37841 <-> DISABLED <-> SERVER-OTHER ntpd reference clock impersonation attempt (snort3-server-other.rules) * 1:37842 <-> DISABLED <-> SERVER-OTHER ntpd reference clock impersonation attempt (snort3-server-other.rules) * 1:37843 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK possible DoS attempt (snort3-server-other.rules) * 1:37891 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (snort3-indicator-obfuscation.rules) * 1:37892 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (snort3-indicator-obfuscation.rules) * 1:37903 <-> DISABLED <-> INDICATOR-OBFUSCATION fromCharcode known obfuscation attempt (snort3-indicator-obfuscation.rules) * 1:37904 <-> DISABLED <-> INDICATOR-OBFUSCATION fromCharcode known obfuscation attempt (snort3-indicator-obfuscation.rules) * 1:37905 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript charset concatentation attempt (snort3-indicator-obfuscation.rules) * 1:37906 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript known obfuscation method attempt (snort3-indicator-obfuscation.rules) * 1:37907 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript unicode escape variable name attempt (snort3-indicator-obfuscation.rules) * 1:37908 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript with hex variable names (snort3-indicator-obfuscation.rules) * 1:37909 <-> DISABLED <-> INDICATOR-OBFUSCATION known javascript packer detected (snort3-indicator-obfuscation.rules) * 1:37948 <-> DISABLED <-> INDICATOR-OBFUSCATION known malicious JavaScript decryption routine (snort3-indicator-obfuscation.rules) * 1:37949 <-> DISABLED <-> INDICATOR-OBFUSCATION download of heavily compressed PDF attempt (snort3-indicator-obfuscation.rules) * 1:37950 <-> DISABLED <-> INDICATOR-OBFUSCATION email of heavily compressed PDF attempt (snort3-indicator-obfuscation.rules) * 1:37971 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (snort3-indicator-obfuscation.rules) * 1:37972 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (snort3-indicator-obfuscation.rules) * 1:38104 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation double unescape (snort3-indicator-obfuscation.rules) * 1:38105 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation double unescape (snort3-indicator-obfuscation.rules) * 1:38172 <-> DISABLED <-> FILE-OTHER Adobe Acrobat updaternotifications.dll dll-load exploit attempt (snort3-file-other.rules) * 1:3819 <-> ENABLED <-> FILE-IDENTIFY CHM file download request (snort3-file-identify.rules) * 1:3820 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (snort3-file-identify.rules) * 1:38249 <-> DISABLED <-> SERVER-WEBAPP Samsung Data Manager default password login attempt (snort3-server-webapp.rules) * 1:38250 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded ActiveX object instantiation detected (snort3-indicator-obfuscation.rules) * 1:38251 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded script language declaration detected (snort3-indicator-obfuscation.rules) * 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (snort3-malware-cnc.rules) * 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (snort3-malware-cnc.rules) * 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (snort3-malware-cnc.rules) * 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (snort3-indicator-obfuscation.rules) * 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt (snort3-indicator-obfuscation.rules) * 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (snort3-indicator-obfuscation.rules) * 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Encodings header evasion attempt (snort3-indicator-obfuscation.rules) * 1:38368 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP illegal chars after encoding type evasion attempt (snort3-indicator-obfuscation.rules) * 1:38369 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header whitespace evasion attempt (snort3-indicator-obfuscation.rules) * 1:38385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (snort3-malware-cnc.rules) * 1:38386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (snort3-malware-cnc.rules) * 1:38387 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (snort3-malware-cnc.rules) * 1:38388 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger geolocation check (snort3-malware-cnc.rules) * 1:38394 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip invalid extra field evasion attempt (snort3-indicator-obfuscation.rules) * 1:38417 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (snort3-file-flash.rules) * 1:38418 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (snort3-file-flash.rules) * 1:38419 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (snort3-file-flash.rules) * 1:38420 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (snort3-file-flash.rules) * 1:38469 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (snort3-os-windows.rules) * 1:38470 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (snort3-os-windows.rules) * 1:38510 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant exfiltration attempt (snort3-malware-cnc.rules) * 1:38541 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (snort3-indicator-obfuscation.rules) * 1:38557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (snort3-malware-cnc.rules) * 1:38558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (snort3-malware-cnc.rules) * 1:38559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes (snort3-malware-cnc.rules) * 1:38560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot (snort3-malware-cnc.rules) * 1:38561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt (snort3-malware-cnc.rules) * 1:38562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt (snort3-malware-cnc.rules) * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (snort3-malware-cnc.rules) * 1:38564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt (snort3-malware-cnc.rules) * 1:38565 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper initial download attempt (snort3-malware-cnc.rules) * 1:38566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt (snort3-malware-cnc.rules) * 1:38595 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP version evasion attempt (snort3-indicator-obfuscation.rules) * 1:38596 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (snort3-indicator-obfuscation.rules) * 1:38597 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (snort3-indicator-obfuscation.rules) * 1:38598 <-> DISABLED <-> INDICATOR-OBFUSCATION invalid HTTP header evasion attempt (snort3-indicator-obfuscation.rules) * 1:38599 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt (snort3-indicator-obfuscation.rules) * 1:38600 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (snort3-indicator-obfuscation.rules) * 1:38601 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt (snort3-indicator-obfuscation.rules) * 1:38602 <-> DISABLED <-> INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt (snort3-indicator-obfuscation.rules) * 1:38614 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (snort3-indicator-obfuscation.rules) * 1:38615 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (snort3-indicator-obfuscation.rules) * 1:38616 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (snort3-indicator-obfuscation.rules) * 1:38617 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (snort3-indicator-obfuscation.rules) * 1:38618 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (snort3-indicator-obfuscation.rules) * 1:38637 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (snort3-indicator-obfuscation.rules) * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (snort3-indicator-obfuscation.rules) * 1:38642 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 301 response evasion attempt (snort3-indicator-obfuscation.rules) * 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (snort3-indicator-obfuscation.rules) * 1:38667 <-> DISABLED <-> INDICATOR-OBFUSCATION Mixed case encoding type evasion attempt (snort3-indicator-obfuscation.rules) * 1:38677 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (snort3-indicator-obfuscation.rules) * 1:38678 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (snort3-indicator-obfuscation.rules) * 1:38679 <-> DISABLED <-> INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt (snort3-indicator-obfuscation.rules) * 1:38724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renegin outbound GET attempt (snort3-malware-cnc.rules) * 1:38734 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header value without key evasion attempt (snort3-indicator-obfuscation.rules) * 1:38873 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MSIMG32.dll dll-load exploit attempt (snort3-file-flash.rules) * 1:38876 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (snort3-exploit-kit.rules) * 1:38890 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts exfiltration attempt (snort3-malware-cnc.rules) * 1:38898 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (snort3-file-other.rules) * 1:38922 <-> DISABLED <-> INDICATOR-OBFUSCATION Brotli encoding evasion attempt (snort3-indicator-obfuscation.rules) * 1:38950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt (snort3-malware-cnc.rules) * 1:39130 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (snort3-exploit-kit.rules) * 1:39293 <-> DISABLED <-> FILE-FLASH Adobe Flash Player apphelp.dll dll-load exploit attempt (snort3-file-flash.rules) * 1:39294 <-> DISABLED <-> FILE-FLASH Adobe Flash Player dbghelp.dll dll-load exploit attempt (snort3-file-flash.rules) * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (snort3-indicator-obfuscation.rules) * 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (snort3-indicator-obfuscation.rules) * 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (snort3-indicator-obfuscation.rules) * 1:39341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS credit card data exfiltration (snort3-malware-cnc.rules) * 1:39343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS keylog exfiltration (snort3-malware-cnc.rules) * 1:39409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant initial outbound connection (snort3-malware-cnc.rules) * 1:39410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant exfiltration outbound connection (snort3-malware-cnc.rules) * 1:39488 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (snort3-indicator-obfuscation.rules) * 1:39489 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (snort3-indicator-obfuscation.rules) * 1:39490 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (snort3-indicator-obfuscation.rules) * 1:39532 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSL multi-dimensional array memory corruption attempt (snort3-file-pdf.rules) * 1:39533 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSL multi-dimensional array memory corruption attempt (snort3-file-pdf.rules) * 1:39642 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server credential disclosure attempt (snort3-server-webapp.rules) * 1:39734 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Xtrat outbound connection detected (snort3-malware-other.rules) * 1:39755 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Retefe variant malicious certificate installation page (snort3-malware-other.rules) * 1:39756 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Retefe variant malicious certificate installation page (snort3-malware-other.rules) * 1:39870 <-> DISABLED <-> INDICATOR-COMPROMISE Oracle E-Business Suite arbitrary node deletion (snort3-indicator-compromise.rules) * 1:39911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (snort3-malware-cnc.rules) * 1:39930 <-> ENABLED <-> SERVER-WEBAPP Siemens IP-Camera credential disclosure attempt (snort3-server-webapp.rules) * 1:40079 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio visdlgu.dll dll-load exploit attempt (snort3-file-office.rules) * 1:40094 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (snort3-indicator-scan.rules) * 1:40095 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (snort3-indicator-scan.rules) * 1:40220 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt (snort3-server-other.rules) * 1:40238 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.AgentTesla variant outbound connection (snort3-malware-cnc.rules) * 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used without HTTP 1.1 evasion attempt. (snort3-indicator-obfuscation.rules) * 1:40316 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (snort3-server-apache.rules) * 1:40317 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (snort3-server-apache.rules) * 1:40318 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (snort3-server-apache.rules) * 1:40319 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (snort3-server-apache.rules) * 1:40320 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (snort3-server-apache.rules) * 1:40321 <-> DISABLED <-> SERVER-APACHE Apache Tomcat credential disclosure attempt (snort3-server-apache.rules) * 1:40322 <-> DISABLED <-> SERVER-OTHER CA weblogic default credential login attempt (snort3-server-other.rules) * 1:40324 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion default credential login attempt (snort3-server-other.rules) * 1:40325 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion default credential login attempt (snort3-server-other.rules) * 1:40331 <-> DISABLED <-> SERVER-WEBAPP JBoss default credential login attempt (snort3-server-webapp.rules) * 1:40359 <-> ENABLED <-> SERVER-APACHE Apache Struts xslt.location local file inclusion attempt (snort3-server-apache.rules) * 1:40436 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt (snort3-file-pdf.rules) * 1:40437 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt (snort3-file-pdf.rules) * 1:40450 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Agent file download attempt (snort3-malware-cnc.rules) * 1:40493 <-> DISABLED <-> SERVER-WEBAPP Ektron ServerControlWS.asmx XSL transform code injection attempt (snort3-server-webapp.rules) * 1:40505 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (snort3-file-pdf.rules) * 1:40506 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (snort3-file-pdf.rules) * 1:40507 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (snort3-file-pdf.rules) * 1:40508 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (snort3-file-pdf.rules) * 1:40509 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (snort3-file-pdf.rules) * 1:40510 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (snort3-file-pdf.rules) * 1:40511 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (snort3-file-pdf.rules) * 1:40512 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (snort3-file-pdf.rules) * 1:40513 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (snort3-file-pdf.rules) * 1:40514 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (snort3-file-pdf.rules) * 1:4060 <-> DISABLED <-> APP-DETECT remote desktop protocol attempted administrator connection request (snort3-app-detect.rules) * 1:40755 <-> DISABLED <-> FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt (snort3-file-flash.rules) * 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (snort3-server-other.rules) * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (snort3-malware-cnc.rules) * 1:40855 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (snort3-server-other.rules) * 1:40856 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (snort3-server-other.rules) * 1:40857 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (snort3-server-other.rules) * 1:40858 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (snort3-server-other.rules) * 1:40859 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (snort3-server-other.rules) * 1:40860 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (snort3-server-other.rules) * 1:40861 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (snort3-server-other.rules) * 1:40862 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (snort3-server-other.rules) * 1:40863 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (snort3-server-other.rules) * 1:40864 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (snort3-server-other.rules) * 1:40897 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (snort3-server-other.rules) * 1:40904 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (snort3-server-webapp.rules) * 1:40905 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (snort3-server-webapp.rules) * 1:40911 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Sednit variant outbound connection (snort3-malware-cnc.rules) * 1:41084 <-> DISABLED <-> EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected (snort3-exploit-kit.rules) * 1:41092 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit landing page obfuscation detected (snort3-exploit-kit.rules) * 1:41163 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (snort3-file-pdf.rules) * 1:41164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (snort3-file-pdf.rules) * 1:41193 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (snort3-file-pdf.rules) * 1:41194 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (snort3-file-pdf.rules) * 1:41204 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (snort3-file-pdf.rules) * 1:41205 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (snort3-file-pdf.rules) * 1:4126 <-> DISABLED <-> SERVER-OTHER Veritas Backup Exec root connection attempt using default password hash (snort3-server-other.rules) * 1:41308 <-> DISABLED <-> FILE-OTHER Dell Precision Optimizer dll-load exploit attempt (snort3-file-other.rules) * 1:41309 <-> DISABLED <-> FILE-OTHER Dell Precision Optimizer dll-load exploit attempt (snort3-file-other.rules) * 1:10088 <-> DISABLED <-> MALWARE-OTHER Keylogger beyond Keylogger runtime detection - log sent by smtp (snort3-malware-other.rules) * 1:10089 <-> DISABLED <-> MALWARE-OTHER Keylogger beyond Keylogger runtime detection - log sent by ftp (snort3-malware-other.rules) * 1:10096 <-> DISABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - keylog (snort3-malware-other.rules) * 1:10098 <-> DISABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - get system info (snort3-malware-other.rules) * 1:10099 <-> ENABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection (snort3-malware-other.rules) * 1:10100 <-> DISABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - open website (snort3-malware-other.rules) * 1:10165 <-> DISABLED <-> MALWARE-OTHER Keylogger mybr Keylogger runtime detection (snort3-malware-other.rules) * 1:10181 <-> DISABLED <-> MALWARE-OTHER Keylogger systemsleuth runtime detection (snort3-malware-other.rules) * 1:10436 <-> DISABLED <-> MALWARE-OTHER Keylogger keyspy runtime detection (snort3-malware-other.rules) * 1:10440 <-> DISABLED <-> MALWARE-OTHER Keylogger pc black box runtime detection (snort3-malware-other.rules) * 1:10457 <-> DISABLED <-> MALWARE-BACKDOOR [x]-ztoo 1.0 runtime detection - start keylogger (snort3-malware-backdoor.rules) * 1:1101 <-> DISABLED <-> INDICATOR-SCAN Webtrends HTTP probe (snort3-indicator-scan.rules) * 1:1122 <-> DISABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (snort3-server-webapp.rules) * 1:11250 <-> DISABLED <-> BROWSER-PLUGINS Sony Rootkit Uninstaller ActiveX clsid access (snort3-browser-plugins.rules) * 1:11307 <-> DISABLED <-> MALWARE-OTHER Keylogger computer monitor Keylogger runtime detection (snort3-malware-other.rules) * 1:11309 <-> DISABLED <-> MALWARE-OTHER Keylogger sskc v2.0 runtime detection (snort3-malware-other.rules) * 1:11311 <-> DISABLED <-> MALWARE-OTHER Keylogger pcsentinelsoftware Keylogger runtime detection - upload infor (snort3-malware-other.rules) * 1:1133 <-> DISABLED <-> INDICATOR-SCAN cybercop os probe (snort3-indicator-scan.rules) * 1:12049 <-> DISABLED <-> MALWARE-OTHER Keylogger apophis spy 1.0 runtime detection (snort3-malware-other.rules) * 1:12080 <-> DISABLED <-> OS-SOLARIS Oracle Solaris printd arbitrary file deletion vulnerability (snort3-os-solaris.rules) * 1:12129 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - get sys info (snort3-malware-other.rules) * 1:12131 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - keylogging (snort3-malware-other.rules) * 1:12132 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - keylogging (snort3-malware-other.rules) * 1:12136 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - fun (snort3-malware-other.rules) * 1:12137 <-> DISABLED <-> MALWARE-OTHER Keylogger Keylogger king home 2.3 runtime detection (snort3-malware-other.rules) * 1:12141 <-> DISABLED <-> MALWARE-OTHER Keylogger logit v1.0 runtime detection (snort3-malware-other.rules) * 1:12186 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp request (snort3-protocol-rpc.rules) * 1:12226 <-> DISABLED <-> MALWARE-OTHER Keylogger overspy runtime detection (snort3-malware-other.rules) * 1:12379 <-> DISABLED <-> MALWARE-OTHER Keylogger PaqKeylogger 5.1 runtime detection - ftp (snort3-malware-other.rules) * 1:12708 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt (snort3-protocol-rpc.rules) * 1:12758 <-> ENABLED <-> MALWARE-OTHER Keylogger/RAT digi watcher 2.32 runtime detection (snort3-malware-other.rules) * 1:12773 <-> DISABLED <-> BROWSER-PLUGINS obfuscated Xunlei Thunder PPLAYER.DLL ActiveX exploit attempt (snort3-browser-plugins.rules) * 1:12774 <-> DISABLED <-> BROWSER-PLUGINS obfuscated GlobalLink ConnectAndEnterRoom ActiveX exploit attempt (snort3-browser-plugins.rules) * 1:12775 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer obfuscated Ierpplug.dll ActiveX exploit attempt (snort3-browser-plugins.rules) * 1:12792 <-> ENABLED <-> MALWARE-OTHER Keylogger spy lantern Keylogger pro 6.0 runtime detection (snort3-malware-other.rules) * 1:13223 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (snort3-protocol-rpc.rules) * 1:13236 <-> ENABLED <-> MALWARE-OTHER Keylogger active Keylogger 3.9.2 runtime detection (snort3-malware-other.rules) * 1:13237 <-> DISABLED <-> MALWARE-OTHER Keylogger active Keylogger 3.9.2 runtime detection (snort3-malware-other.rules) * 1:13244 <-> DISABLED <-> MALWARE-OTHER Keylogger computer monitor 1.1 by lastcomfort runtime detection (snort3-malware-other.rules) * 1:13279 <-> DISABLED <-> MALWARE-OTHER Keylogger advanced spy 4.0 runtime detection (snort3-malware-other.rules) * 1:13281 <-> DISABLED <-> MALWARE-OTHER Keylogger email spy monitor 6.9 runtime detection (snort3-malware-other.rules) * 1:13346 <-> ENABLED <-> PUA-ADWARE Snoopware remote desktop inspector outbound connection - init connection (snort3-pua-adware.rules) * 1:13347 <-> DISABLED <-> PUA-ADWARE Snoopware remote desktop inspector runtime detection - init connection (snort3-pua-adware.rules) * 1:13507 <-> DISABLED <-> MALWARE-CNC evilotus 1.3.2 variant outbound connection (snort3-malware-cnc.rules) * 1:13551 <-> DISABLED <-> SERVER-ORACLE Oracle XDB.XDB_PITRIG_PKG sql injection attempt (snort3-server-oracle.rules) * 1:13567 <-> DISABLED <-> MALWARE-OTHER Keylogger msn spy monitor runtime detection (snort3-malware-other.rules) * 1:13625 <-> DISABLED <-> MALWARE-CNC MBR rootkit HTTP POST activity detected (snort3-malware-cnc.rules) * 1:13642 <-> DISABLED <-> MALWARE-OTHER Keylogger easy Keylogger runtime detection (snort3-malware-other.rules) * 1:13651 <-> DISABLED <-> MALWARE-OTHER Keylogger family cyber alert runtime detection - smtp traffic for recorded activities (snort3-malware-other.rules) * 1:13652 <-> DISABLED <-> PUA-ADWARE Keylogger all in one Keylogger runtime detection (snort3-pua-adware.rules) * 1:13778 <-> DISABLED <-> MALWARE-OTHER Keylogger kgb employee monitor runtime detection (snort3-malware-other.rules) * 1:13812 <-> DISABLED <-> MALWARE-OTHER Keylogger refog Keylogger runtime detection (snort3-malware-other.rules) * 1:13988 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to ascii function - possible sql injection obfuscation (snort3-indicator-obfuscation.rules) * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (snort3-sql.rules) * 1:14008 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to concat function - possible sql injection obfuscation (snort3-indicator-obfuscation.rules) * 1:14065 <-> DISABLED <-> MALWARE-OTHER Keylogger emptybase j runtime detection (snort3-malware-other.rules) * 1:14074 <-> DISABLED <-> MALWARE-OTHER Keylogger spybosspro 4.2 runtime detection (snort3-malware-other.rules) * 1:14075 <-> DISABLED <-> MALWARE-OTHER Keylogger ultimate Keylogger pro runtime detection (snort3-malware-other.rules) * 1:15362 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (snort3-indicator-obfuscation.rules) * 1:15424 <-> DISABLED <-> SERVER-WEBAPP phpBB mod shoutbox sql injection attempt (snort3-server-webapp.rules) * 1:15514 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt (snort3-server-other.rules) * 1:15861 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access (snort3-browser-plugins.rules) * 1:15863 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX function call access (snort3-browser-plugins.rules) * 1:16268 <-> ENABLED <-> MALWARE-CNC Win.Trojan.tdss.1.gen install-time detection - yournewsblog.net (snort3-malware-cnc.rules) * 1:16269 <-> ENABLED <-> MALWARE-CNC Win.Trojan.tdss.1.gen install-time detection - findzproportal1.com (snort3-malware-cnc.rules) * 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (snort3-browser-ie.rules) * 1:16350 <-> DISABLED <-> SERVER-OTHER ntp mode 7 denial of service attempt (snort3-server-other.rules) * 1:1638 <-> DISABLED <-> INDICATOR-SCAN SSH Version map attempt (snort3-indicator-scan.rules) * 1:16390 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader alternate file magic obfuscation (snort3-file-pdf.rules) * 1:16455 <-> DISABLED <-> MALWARE-OTHER Keylogger egyspy keylogger 1.13 runtime detection (snort3-malware-other.rules) * 1:16573 <-> DISABLED <-> BROWSER-PLUGINS obfuscated ActiveX object instantiation via unescape (snort3-browser-plugins.rules) * 1:16742 <-> ENABLED <-> FILE-IDENTIFY remote desktop configuration file download request (snort3-file-identify.rules) * 1:17044 <-> ENABLED <-> SQL WinCC DB default password security bypass attempt (snort3-sql.rules) * 1:17111 <-> DISABLED <-> INDICATOR-OBFUSCATION known JavaScript obfuscation routine (snort3-indicator-obfuscation.rules) * 1:17153 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1 (snort3-browser-firefox.rules) * 1:17273 <-> DISABLED <-> SERVER-OTHER MIT Kerberos V5 KDC krb5_unparse_name overflow attempt (snort3-server-other.rules) * 1:17274 <-> DISABLED <-> SERVER-OTHER MIT Kerberos V5 KDC krb5_unparse_name overflow attempt (snort3-server-other.rules) * 1:17291 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded uri data object found (snort3-indicator-obfuscation.rules) * 1:17386 <-> DISABLED <-> SERVER-WEBAPP Lighttpd mod_fastcgi Extension CGI Variable Overwriting Vulnerability attempt (snort3-server-webapp.rules) * 1:17400 <-> DISABLED <-> INDICATOR-OBFUSCATION rename of javascript unescape function detected (snort3-indicator-obfuscation.rules) * 1:17444 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt (snort3-browser-firefox.rules) * 1:17571 <-> DISABLED <-> BROWSER-PLUGINS obfuscated instantiation of ActiveX object - likely malicious (snort3-browser-plugins.rules) * 1:18132 <-> DISABLED <-> INDICATOR-OBFUSCATION malware-associated JavaScript obfuscation function (snort3-indicator-obfuscation.rules) * 1:18179 <-> DISABLED <-> INDICATOR-SCAN Proxyfire.net anonymous proxy scan (snort3-indicator-scan.rules) * 1:18205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book msoeres32.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18209 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdist.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18210 <-> DISABLED <-> OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt (snort3-os-windows.rules) * 1:18224 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18241 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (snort3-browser-plugins.rules) * 1:18277 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool fveapi.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt (snort3-os-windows.rules) * 1:18433 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader d3dref9.dll dll-load exploit attempt (snort3-file-other.rules) * 1:18434 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (snort3-file-other.rules) * 1:18441 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin bibutils.dll dll-load exploit attempt (snort3-file-pdf.rules) * 1:18442 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin cooltype.dll dll-load exploit attempt (snort3-file-pdf.rules) * 1:18443 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt (snort3-file-pdf.rules) * 1:18445 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player nvapi.dll dll-load exploit attempt (snort3-file-flash.rules) * 1:18488 <-> DISABLED <-> FILE-OTHER Adobe Photoshop wintab32.dll dll-load exploit attempt (snort3-file-other.rules) * 1:18493 <-> DISABLED <-> INDICATOR-OBFUSCATION generic PHP code obfuscation attempt (snort3-indicator-obfuscation.rules) * 1:18494 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension ehtrace.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18500 <-> DISABLED <-> OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18530 <-> DISABLED <-> FILE-OTHER Adobe Premier Pro ibfs32.dll dll-load exploit attempt (snort3-file-other.rules) * 1:18531 <-> DISABLED <-> SERVER-OTHER Multiple Vendors iacenc.dll dll-load exploit attempt (snort3-server-other.rules) * 1:18533 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC authentication denial of service attempt (snort3-server-other.rules) * 1:1860 <-> DISABLED <-> SERVER-WEBAPP Linksys router default password login attempt (snort3-server-webapp.rules) * 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (snort3-server-webapp.rules) * 1:18619 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc40.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18621 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc80.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18622 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc90.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18623 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc100.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18625 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc40.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18628 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc90.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:18717 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banker.QO variant outbound connection (snort3-malware-cnc.rules) * 1:18818 <-> DISABLED <-> FILE-IDENTIFY .chm attachment file type blocked by Outlook detected (snort3-file-identify.rules) * 1:18831 <-> DISABLED <-> FILE-IDENTIFY .hta attachment file type blocked by Outlook detected (snort3-file-identify.rules) * 1:18901 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC Ticket validation double free memory corruption attempt (snort3-server-other.rules) * 1:19037 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (snort3-malware-cnc.rules) * 1:19074 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript uuencoded noop sled attempt (snort3-indicator-obfuscation.rules) * 1:19075 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript uuencoded eval statement (snort3-indicator-obfuscation.rules) * 1:19106 <-> DISABLED <-> MALWARE-OTHER Keylogger Ardamax keylogger runtime detection - http (snort3-malware-other.rules) * 1:19171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt (snort3-browser-ie.rules) * 1:19314 <-> DISABLED <-> OS-WINDOWS Groove GroovePerfmon.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:19325 <-> DISABLED <-> MALWARE-OTHER Keylogger WL-Keylogger outbound connection (snort3-malware-other.rules) * 1:19392 <-> ENABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (snort3-malware-other.rules) * 1:19466 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio mfc71 dll-load exploit attempt (snort3-file-office.rules) * 1:19551 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (snort3-malware-other.rules) * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (snort3-indicator-scan.rules) * 1:19567 <-> DISABLED <-> PUA-ADWARE W32.Ackantta.C.mm mass-mailer outbound connection (snort3-pua-adware.rules) * 1:19617 <-> DISABLED <-> FILE-OTHER Adobe Audition assist.dll dll-load exploit attempt (snort3-file-other.rules) * 1:19619 <-> DISABLED <-> FILE-OTHER Adobe Audition assist.dll dll-load exploit attempt (snort3-file-other.rules) * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (snort3-file-other.rules) * 1:19671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (snort3-browser-ie.rules) * 1:19674 <-> DISABLED <-> OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:19741 <-> DISABLED <-> MALWARE-OTHER PWS.Win32.Scofted keylogger runtime detection (snort3-malware-other.rules) * 1:19779 <-> DISABLED <-> INDICATOR-SCAN sqlmap SQL injection scan attempt (snort3-indicator-scan.rules) * 1:19867 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized javascript encodings detected (snort3-indicator-obfuscation.rules) * 1:19888 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (snort3-indicator-obfuscation.rules) * 1:19889 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded data object found (snort3-indicator-obfuscation.rules) * 1:19899 <-> ENABLED <-> MALWARE-OTHER Tong Keylogger outbound connectiooutbound connection (snort3-malware-other.rules) * 1:19901 <-> DISABLED <-> MALWARE-OTHER Tong Keylogger outbound connection (snort3-malware-other.rules) * 1:19925 <-> DISABLED <-> BROWSER-PLUGINS Novell iPrint ActiveX client browser plugin call-back-url buffer overflow attempt (snort3-browser-plugins.rules) * 1:19927 <-> DISABLED <-> MALWARE-BACKDOOR BRX Rat 0.02 inbound connection (snort3-malware-backdoor.rules) * 1:19933 <-> DISABLED <-> INDICATOR-SCAN DirBuster brute forcing tool detected (snort3-indicator-scan.rules) * 1:20118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows shell extensions deskpan.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:20137 <-> DISABLED <-> INDICATOR-OBFUSCATION Possible generic javascript heap spray attempt (snort3-indicator-obfuscation.rules) * 1:20175 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access (snort3-browser-plugins.rules) * 1:20253 <-> DISABLED <-> OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:20254 <-> DISABLED <-> OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (snort3-indicator-scan.rules) * 1:20593 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt (snort3-browser-webkit.rules) * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (snort3-server-other.rules) * 1:20700 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp7x32.dll dll-load exploit attempt (snort3-file-office.rules) * 1:20703 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp4x322.dll dll-load exploit attempt (snort3-file-office.rules) * 1:21037 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized javascript encodings detected (snort3-indicator-obfuscation.rules) * 1:21089 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote desktop oversized cookie attempt (snort3-os-windows.rules) * 1:21108 <-> DISABLED <-> EXPLOIT-KIT unknown exploit kit obfuscated landing page (snort3-exploit-kit.rules) * 1:21130 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell enumeration page (snort3-indicator-compromise.rules) * 1:21131 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell domain lookup page (snort3-indicator-compromise.rules) * 1:21132 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell sql interaction page (snort3-indicator-compromise.rules) * 1:21133 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell encoder page (snort3-indicator-compromise.rules) * 1:21135 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell password cracking page (snort3-indicator-compromise.rules) * 1:21136 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell security bypass page (snort3-indicator-compromise.rules) * 1:21137 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell tools page (snort3-indicator-compromise.rules) * 1:21139 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell spread shell page (snort3-indicator-compromise.rules) * 1:21232 <-> DISABLED <-> SERVER-OTHER Remote Desktop Protocol brute force attempt (snort3-server-other.rules) * 1:21283 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (snort3-file-identify.rules) * 1:21284 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (snort3-file-identify.rules) * 1:21285 <-> ENABLED <-> FILE-IDENTIFY XSLT file download request (snort3-file-identify.rules) * 1:21290 <-> DISABLED <-> OS-WINDOWS Microsoft Color Control Panel STI.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:213 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit attempt (snort3-malware-backdoor.rules) * 1:21310 <-> DISABLED <-> OS-WINDOWS Microsoft product fputlsat.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:21322 <-> DISABLED <-> FILE-OTHER Multiple products version.dll dll-load exploit attempt (snort3-file-other.rules) * 1:21323 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player atl.dll dll-load exploit attempt (snort3-file-flash.rules) * 1:21324 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player uxtheme.dll dll-load exploit attempt (snort3-file-flash.rules) * 1:21377 <-> DISABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager sql injection attempt (snort3-server-webapp.rules) * 1:2145 <-> DISABLED <-> SERVER-WEBAPP TextPortal admin.php default password admin attempt (snort3-server-webapp.rules) * 1:21478 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (snort3-file-identify.rules) * 1:21489 <-> DISABLED <-> FILE-OTHER Microsoft Windows chm file malware related exploit (snort3-file-other.rules) * 1:21519 <-> DISABLED <-> INDICATOR-OBFUSCATION Dadongs obfuscated javascript (snort3-indicator-obfuscation.rules) * 1:21550 <-> ENABLED <-> MALWARE-BACKDOOR ToolsPack PHP Backdoor access (snort3-malware-backdoor.rules) * 1:21579 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode (snort3-indicator-obfuscation.rules) * 1:21580 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode (snort3-indicator-obfuscation.rules) * 1:21582 <-> DISABLED <-> FILE-PDF PDF obfuscation attempt (snort3-file-pdf.rules) * 1:2176 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder access (snort3-os-windows.rules) * 1:21779 <-> DISABLED <-> SQL parameter ending in encoded comment characters - possible sql injection attempt - POST (snort3-sql.rules) * 1:21782 <-> DISABLED <-> INDICATOR-OBFUSCATION script tag in POST parameters - likely cross-site scripting (snort3-indicator-obfuscation.rules) * 1:21787 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection (snort3-indicator-obfuscation.rules) * 1:21938 <-> DISABLED <-> PROTOCOL-TELNET RuggedCom default backdoor login attempt (snort3-protocol-telnet.rules) * 1:22072 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - fromCharCode (snort3-indicator-obfuscation.rules) * 1:22073 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - unescape (snort3-indicator-obfuscation.rules) * 1:22074 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - charCode (snort3-indicator-obfuscation.rules) * 1:2230 <-> DISABLED <-> SERVER-WEBAPP NetGear router default password login attempt admin/password (snort3-server-webapp.rules) * 1:2274 <-> DISABLED <-> PROTOCOL-POP login brute force attempt (snort3-protocol-pop.rules) * 1:2275 <-> DISABLED <-> SERVER-MAIL AUTH LOGON brute force attempt (snort3-server-mail.rules) * 1:22969 <-> ENABLED <-> FILE-IDENTIFY remote desktop configuration file attachment detected (snort3-file-identify.rules) * 1:23018 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (snort3-indicator-obfuscation.rules) * 1:23086 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - push (snort3-indicator-obfuscation.rules) * 1:23088 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - qweqwe (snort3-indicator-obfuscation.rules) * 1:23089 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript strings - obfuscation pattern (snort3-indicator-obfuscation.rules) * 1:23113 <-> DISABLED <-> INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious (snort3-indicator-obfuscation.rules) * 1:23164 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online ncrypt.dll dll-load exploit attempt (snort3-server-other.rules) * 1:23165 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online wlanapi.dll dll-load exploit attempt (snort3-server-other.rules) * 1:23226 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript error suppression routine (snort3-indicator-obfuscation.rules) * 1:23316 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word imeshare.dll dll-load exploit attempt (snort3-file-office.rules) * 1:2334 <-> DISABLED <-> PROTOCOL-FTP Yak! FTP server default account login attempt (snort3-protocol-ftp.rules) * 1:234 <-> DISABLED <-> MALWARE-OTHER Trin00 Attacker to Master default password (snort3-malware-other.rules) * 1:23481 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in setTimeout call (snort3-indicator-obfuscation.rules) * 1:23601 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan default agent string (snort3-indicator-scan.rules) * 1:23603 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan MSIE agent string (snort3-indicator-scan.rules) * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (snort3-file-pdf.rules) * 1:23620 <-> ENABLED <-> MALWARE-OTHER Malvertising network attempted redirect (snort3-malware-other.rules) * 1:23621 <-> DISABLED <-> INDICATOR-OBFUSCATION known packer routine with secondary obfuscation (snort3-indicator-obfuscation.rules) * 1:23780 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Begfanit.A outbound connection (snort3-malware-cnc.rules) * 1:23829 <-> DISABLED <-> INDICATOR-COMPROMISE Loaderz Web Shell (snort3-indicator-compromise.rules) * 1:23830 <-> DISABLED <-> INDICATOR-COMPROMISE Alsa3ek Web Shell (snort3-indicator-compromise.rules) * 1:23934 <-> DISABLED <-> SERVER-WEBAPP Symantec Web Gateway blocked.php blind sql injection attempt (snort3-server-webapp.rules) * 1:23986 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime plugin SetLanguage buffer overflow attempt (snort3-browser-plugins.rules) * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (snort3-file-other.rules) * 1:24098 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (snort3-app-detect.rules) * 1:24167 <-> DISABLED <-> INDICATOR-OBFUSCATION document write of unescaped value with remote script (snort3-indicator-obfuscation.rules) * 1:24372 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (snort3-server-other.rules) * 1:24426 <-> DISABLED <-> MALWARE-OTHER Java.Trojan.Jacksbot class download (snort3-malware-other.rules) * 1:24435 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt (snort3-server-webapp.rules) * 1:24436 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt (snort3-server-webapp.rules) * 1:24629 <-> DISABLED <-> SERVER-WEBAPP Oracle Fusion Middleware WebCenter selectedLocale parameter sql injection attempt (snort3-server-webapp.rules) * 1:24704 <-> DISABLED <-> SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt (snort3-server-webapp.rules) * 1:24705 <-> DISABLED <-> SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt (snort3-server-webapp.rules) * 1:24801 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager Express asset.getmimetype sql injection attempt (snort3-server-webapp.rules) * 1:25010 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Perflog variant outbound connection (snort3-malware-cnc.rules) * 1:25106 <-> DISABLED <-> MALWARE-BACKDOOR UnrealIRCd backdoor command execution attempt (snort3-malware-backdoor.rules) * 1:25391 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit obfuscated payload download (snort3-exploit-kit.rules) * 1:25451 <-> ENABLED <-> INDICATOR-OBFUSCATION GIF header followed by PDF header (snort3-indicator-obfuscation.rules) * 1:25455 <-> ENABLED <-> INDICATOR-OBFUSCATION GIF header followed by PDF header (snort3-indicator-obfuscation.rules) * 1:25456 <-> ENABLED <-> INDICATOR-OBFUSCATION PNG header followed by PDF header (snort3-indicator-obfuscation.rules) * 1:25457 <-> ENABLED <-> INDICATOR-OBFUSCATION JPEG header followed by PDF header (snort3-indicator-obfuscation.rules) * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (snort3-file-pdf.rules) * 1:25503 <-> ENABLED <-> MALWARE-CNC Necurs Rootkit sba.cgi (snort3-malware-cnc.rules) * 1:25504 <-> ENABLED <-> MALWARE-CNC Necurs Rootkit op.cgi (snort3-malware-cnc.rules) * 1:25562 <-> DISABLED <-> FILE-JAVA Oracle Java obfuscated jar file download attempt (snort3-file-java.rules) * 1:25578 <-> ENABLED <-> MALWARE-OTHER Fake postal receipt HTTP Response phishing attack (snort3-malware-other.rules) * 1:25580 <-> ENABLED <-> MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack (snort3-malware-other.rules) * 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (snort3-server-other.rules) * 1:2579 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow TCP (snort3-server-other.rules) * 1:25907 <-> DISABLED <-> SERVER-WEBAPP PHPmyadmin brute force login attempt - User-Agent User-Agent (snort3-server-webapp.rules) * 1:26071 <-> ENABLED <-> FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt (snort3-file-executable.rules) * 1:26092 <-> ENABLED <-> INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages (snort3-indicator-obfuscation.rules) * 1:26101 <-> ENABLED <-> INDICATOR-OBFUSCATION String.fromCharCode concatenation (snort3-indicator-obfuscation.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (snort3-app-detect.rules) * 1:26440 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected (snort3-indicator-obfuscation.rules) * 1:26565 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (snort3-indicator-obfuscation.rules) * 1:26595 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript hex character extraction routine detected (snort3-indicator-obfuscation.rules) * 1:26596 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript fromCharCode xor decryption routine detected (snort3-indicator-obfuscation.rules) * 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (snort3-server-other.rules) * 1:26660 <-> ENABLED <-> MALWARE-OTHER Fake delivery information phishing attack (snort3-malware-other.rules) * 1:26689 <-> DISABLED <-> OS-MOBILE Android Denofow phone information exfiltration (snort3-os-mobile.rules) * 1:26693 <-> DISABLED <-> OS-MOBILE Android Antammi device information exfiltration (snort3-os-mobile.rules) * 1:26759 <-> DISABLED <-> SERVER-OTHER MIT Kerberos libkdb_ldap principal name handling denial of service attempt (snort3-server-other.rules) * 1:26769 <-> DISABLED <-> SERVER-OTHER MIT Kerberos kpasswd process_chpw_request denial of service attempt (snort3-server-other.rules) * 1:26774 <-> ENABLED <-> MALWARE-CNC Win.Worm.Luder variant outbound connection (snort3-malware-cnc.rules) * 1:27073 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (snort3-indicator-obfuscation.rules) * 1:27119 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple plugin version detection attempt (snort3-indicator-obfuscation.rules) * 1:27194 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (snort3-server-other.rules) * 1:27195 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (snort3-server-other.rules) * 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (snort3-server-other.rules) * 1:27258 <-> DISABLED <-> INDICATOR-OBFUSCATION eval large block of fromCharCode (snort3-indicator-obfuscation.rules) * 1:27259 <-> DISABLED <-> INDICATOR-OBFUSCATION eval large block of fromCharCode (snort3-indicator-obfuscation.rules) * 1:27272 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode (snort3-indicator-obfuscation.rules) * 1:27287 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (snort3-sql.rules) * 1:27288 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (snort3-sql.rules) * 1:27538 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name (snort3-malware-other.rules) * 1:27592 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (snort3-indicator-obfuscation.rules) * 1:27730 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /css3.jsp (snort3-indicator-compromise.rules) * 1:27732 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /jspspy.jsp (snort3-indicator-compromise.rules) * 1:27736 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (snort3-indicator-obfuscation.rules) * 1:27774 <-> ENABLED <-> MALWARE-CNC RDN Banker Data Exfiltration (snort3-malware-cnc.rules) * 1:27919 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration (snort3-malware-cnc.rules) * 1:27958 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (snort3-malware-other.rules) * 1:27959 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (snort3-malware-other.rules) * 1:27960 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (snort3-malware-other.rules) * 1:27967 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules) * 1:28003 <-> DISABLED <-> INDICATOR-SCAN UPnP WANIPConnection (snort3-indicator-scan.rules) * 1:28025 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (snort3-indicator-obfuscation.rules) * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules) * 1:28344 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to chr function - possible sql injection obfuscation (snort3-indicator-obfuscation.rules) * 1:28420 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool attack (snort3-indicator-obfuscation.rules) * 1:28421 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool attack (snort3-indicator-obfuscation.rules) * 1:28422 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (snort3-indicator-obfuscation.rules) * 1:28552 <-> DISABLED <-> INDICATOR-SCAN inbound probing for IPTUX messenger port (snort3-indicator-scan.rules) * 1:28629 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (snort3-indicator-obfuscation.rules) * 1:28630 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (snort3-indicator-obfuscation.rules) * 1:28811 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (snort3-indicator-obfuscation.rules) * 1:28831 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro d2d1.dll dll-load exploit attempt (snort3-file-other.rules) * 1:28834 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt (snort3-file-other.rules) * 1:28836 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wintab32.dll dll-load exploit attempt (snort3-file-other.rules) * 1:28837 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro d2d1.dll dll-load exploit attempt (snort3-file-other.rules) * 1:28839 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt (snort3-file-other.rules) * 1:28908 <-> DISABLED <-> SERVER-OTHER Nagios core config manager tfpassword sql injection attempt (snort3-server-other.rules) * 1:28931 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHM file load attempt (snort3-browser-ie.rules) * 1:28932 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHM file load attempt (snort3-browser-ie.rules) * 1:28976 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent.DF - Data Exfiltration (snort3-malware-cnc.rules) * 1:28978 <-> DISABLED <-> FILE-OTHER CHM LZX compression reset interval anti-virus evasion attempt (snort3-file-other.rules) * 1:28979 <-> DISABLED <-> FILE-OTHER CHM LZX compression reset interval anti-virus evasion attempt (snort3-file-other.rules) * 1:28991 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Qakbot FTP data exfiltration (snort3-malware-cnc.rules) * 1:29190 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in Nuclear exploit kit (snort3-indicator-obfuscation.rules) * 1:29261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (snort3-malware-cnc.rules) * 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (snort3-malware-cnc.rules) * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (snort3-app-detect.rules) * 1:29393 <-> DISABLED <-> SERVER-OTHER ntp monlist denial of service attempt (snort3-server-other.rules) * 1:29398 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip voicemail filename download with .exe name within .zip the same (snort3-policy-spam.rules) * 1:29399 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip statement filename download with .exe name within .zip the same (snort3-policy-spam.rules) * 1:29462 <-> ENABLED <-> INDICATOR-SCAN User-Agent known malicious user-agent The Mole (snort3-indicator-scan.rules) * 1:29519 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join (snort3-indicator-obfuscation.rules) * 1:29609 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO DisplayMSAPropsDetail.do sql injection attempt (snort3-server-webapp.rules) * 1:29620 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop malformed PNG detected tRNS overflow attempt (snort3-file-image.rules) * 1:29789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Careto plugin download (snort3-malware-cnc.rules) * 1:29790 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Careto plugin download (snort3-malware-cnc.rules) * 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (snort3-exploit-kit.rules) * 1:30040 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (snort3-sql.rules) * 1:30041 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (snort3-sql.rules) * 1:30281 <-> DISABLED <-> POLICY-OTHER use of psexec remote administration tool SMBv2 (snort3-policy-other.rules) * 1:30328 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple binary tags in close proximity - potentially malicious (snort3-indicator-obfuscation.rules) * 1:30392 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload cmd_windows_reverse_powershell (snort3-indicator-shellcode.rules) * 1:30567 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt (snort3-malware-other.rules) * 1:30569 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent Funeral ceremony phishing attempt (snort3-malware-other.rules) * 1:31070 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs outbound connection (snort3-malware-cnc.rules) * 1:31301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (snort3-browser-ie.rules) * 1:31303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadeki variant outbound connection (snort3-malware-cnc.rules) * 1:31411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:31415 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:31416 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (snort3-os-windows.rules) * 1:3152 <-> DISABLED <-> SQL sa brute force failed login attempt (snort3-sql.rules) * 1:31564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke FTP data exfiltration (snort3-malware-cnc.rules) * 1:31711 <-> DISABLED <-> INDICATOR-COMPROMISE Keylog string over FTP detected (snort3-indicator-compromise.rules) * 1:31764 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (snort3-server-other.rules) * 1:31765 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (snort3-server-other.rules) * 1:31830 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (snort3-policy-other.rules) * 1:31846 <-> DISABLED <-> POLICY-OTHER HP Universal CMDB default credentials authentication attempt (snort3-policy-other.rules) * 1:31858 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (snort3-exploit-kit.rules) * 1:31874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt (snort3-os-windows.rules) * 1:32001 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (snort3-malware-cnc.rules) * 1:32103 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (snort3-browser-plugins.rules) * 1:32104 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (snort3-browser-plugins.rules) * 1:32105 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (snort3-browser-plugins.rules) * 1:32312 <-> DISABLED <-> MALWARE-CNC FrameworkPOS data exfiltration through DNS - beacon message (snort3-malware-cnc.rules) * 1:32502 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (snort3-file-other.rules) * 1:3273 <-> DISABLED <-> SQL sa brute force failed login unicode attempt (snort3-sql.rules) * 1:32757 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (snort3-server-other.rules) * 1:32758 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (snort3-server-other.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (snort3-app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (snort3-app-detect.rules) * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (snort3-server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49576 <-> DISABLED <-> FILE-IMAGE SketchUp BMP RLE8 parsing buffer overflow attempt (file-image.rules) * 1:49582 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49598 <-> DISABLED <-> SERVER-WEBAPP Fiberhome AN5506-04-F RP2669 cross site scripting attempt (server-webapp.rules) * 1:49587 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules) * 1:49594 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49599 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt detected (file-pdf.rules) * 1:49605 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt (server-webapp.rules) * 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules) * 1:49600 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt detected (file-pdf.rules) * 1:49604 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt (server-webapp.rules) * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules) * 1:49597 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GlobeImposter malicious executable download attempt (malware-cnc.rules) * 1:49593 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49581 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49595 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49575 <-> DISABLED <-> FILE-IMAGE SketchUp BMP RLE8 parsing buffer overflow attempt (file-image.rules) * 1:49601 <-> DISABLED <-> SERVER-OTHER Century Star SCADA directory traversal attempt (server-other.rules) * 1:49602 <-> DISABLED <-> SERVER-OTHER Century Star SCADA directory traversal attempt (server-other.rules) * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules) * 1:49578 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules) * 1:49579 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49577 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49603 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt (server-webapp.rules) * 1:49596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GlobeImposter malicious executable download attempt (malware-cnc.rules) * 1:49592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules) * 1:49580 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules) * 3:49613 <-> ENABLED <-> POLICY-OTHER Cisco Virtual Switching System master request message detected (policy-other.rules) * 3:49616 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui rathrottler command injection attempt (server-webapp.rules) * 3:49608 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui execPython access attempt (server-webapp.rules) * 3:49609 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui cdp resource command injection attempt (server-webapp.rules) * 3:49588 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui debugBundle command injection attempt (server-webapp.rules) * 3:49591 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui directory traversal attempt (server-webapp.rules) * 3:49615 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui rathrottler command injection attempt (server-webapp.rules) * 3:49607 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP calling display name denial of service attempt (protocol-voip.rules) * 3:49612 <-> ENABLED <-> POLICY-OTHER Cisco Virtual Switching System standby interested message detected (policy-other.rules) * 3:49590 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui debugBundle command injection attempt (server-webapp.rules) * 3:49606 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP calling display name denial of service attempt (protocol-voip.rules) * 3:49611 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui information disclosure attempt (server-webapp.rules) * 3:49589 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui debugBundle command injection attempt (server-webapp.rules) * 3:49614 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui rathrottler command injection attempt (server-webapp.rules) * 3:49610 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui dhcp resource command injection attempt (server-webapp.rules)
* 1:42863 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:45136 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit PowerShell CLI Download and Run attempt (indicator-compromise.rules) * 1:6160 <-> DISABLED <-> MALWARE-BACKDOOR delirium of disorder runtime detection - stop keylogger (malware-backdoor.rules) * 1:44172 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious dynamic http link creation attempt (indicator-obfuscation.rules) * 1:41204 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (file-pdf.rules) * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules) * 1:7544 <-> ENABLED <-> MALWARE-OTHER Keylogger PerfectKeylogger runtime detection - flowbit set 1 (malware-other.rules) * 1:41823 <-> DISABLED <-> SERVER-OTHER Nagios Core privilege escalation attempt (server-other.rules) * 1:44615 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious javascript deobfuscation calls attempt (indicator-obfuscation.rules) * 1:45012 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules) * 1:42280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules) * 1:4916 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript onload document.write obfuscation overflow attempt (browser-ie.rules) * 1:46368 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell upload attempt (malware-backdoor.rules) * 1:43128 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration overwrite attempt (policy-other.rules) * 1:5782 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae word filtered echelon log (malware-other.rules) * 1:5742 <-> DISABLED <-> MALWARE-OTHER Keylogger activitylogger runtime detection (malware-other.rules) * 1:6385 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent status monitoring (malware-other.rules) * 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:42948 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped split function name obfuscation attempt (indicator-obfuscation.rules) * 1:7161 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file client-to-server (malware-other.rules) * 1:42186 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (os-windows.rules) * 1:622 <-> DISABLED <-> INDICATOR-SCAN ipEye SYN scan (indicator-scan.rules) * 1:7166 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 2 (malware-other.rules) * 1:43805 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:41205 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (file-pdf.rules) * 1:43672 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt (browser-firefox.rules) * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules) * 1:5882 <-> ENABLED <-> MALWARE-OTHER Keylogger spyagent runtime detect - alert notification (malware-other.rules) * 1:49053 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:43836 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file packed with SecureSwf obfuscator (indicator-obfuscation.rules) * 1:47070 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:43289 <-> DISABLED <-> SERVER-WEBAPP /etc/shadow file access attempt (server-webapp.rules) * 1:45980 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection (malware-cnc.rules) * 1:5779 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwpe shell file logs (malware-other.rules) * 1:42164 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (file-other.rules) * 1:46678 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:45905 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules) * 1:45968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules) * 1:42870 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42864 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:45174 <-> DISABLED <-> BROWSER-FIREFOX Mozilla download directory file deletion attempt (browser-firefox.rules) * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt attempt (indicator-obfuscation.rules) * 1:42289 <-> DISABLED <-> INDICATOR-SCAN PHP info leak attempt (indicator-scan.rules) * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules) * 1:7177 <-> DISABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - info send through email (malware-other.rules) * 1:4126 <-> DISABLED <-> SERVER-OTHER Veritas Backup Exec root connection attempt using default password hash (server-other.rules) * 1:46067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection (malware-cnc.rules) * 1:41308 <-> DISABLED <-> FILE-OTHER Dell Precision Optimizer dll-load exploit attempt (file-other.rules) * 1:44651 <-> DISABLED <-> NETBIOS SMB NTLMSSP authentication brute force attempt (netbios.rules) * 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules) * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules) * 1:42451 <-> DISABLED <-> SERVER-WEBAPP MCA Sistemas ScadaBR index.php brute force login attempt (server-webapp.rules) * 1:44559 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules) * 1:44475 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Handshake spoof runtime detection (malware-other.rules) * 1:42340 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (os-windows.rules) * 1:7159 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - upload file client-to-server (malware-other.rules) * 1:47866 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules) * 1:48532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules) * 1:44693 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (indicator-obfuscation.rules) * 1:7837 <-> DISABLED <-> MALWARE-OTHER Keylogger spyoutside runtime detection - email delivery (malware-other.rules) * 1:7806 <-> DISABLED <-> MALWARE-BACKDOOR fatal wound 1.0 runtime detection - initial connection (malware-backdoor.rules) * 1:7808 <-> ENABLED <-> MALWARE-BACKDOOR fatal wound 1.0 runtime detection - upload (malware-backdoor.rules) * 1:8467 <-> DISABLED <-> MALWARE-OTHER Keylogger netobserve runtime detection - remote login response (malware-other.rules) * 1:8465 <-> ENABLED <-> MALWARE-OTHER Keylogger netobserve runtime detection - email notification (malware-other.rules) * 1:9647 <-> DISABLED <-> MALWARE-OTHER Keylogger system surveillance pro runtime detection (malware-other.rules) * 1:9648 <-> DISABLED <-> MALWARE-OTHER Keylogger emailspypro runtime detection (malware-other.rules) * 1:7857 <-> DISABLED <-> MALWARE-OTHER Keylogger EliteKeylogger runtime detection (malware-other.rules) * 1:7772 <-> ENABLED <-> MALWARE-BACKDOOR messiah 4.0 runtime detection - enable keylogger - flowbit set (malware-backdoor.rules) * 1:9649 <-> ENABLED <-> MALWARE-OTHER Keylogger ghost Keylogger runtime detection - flowbit set (malware-other.rules) * 1:9650 <-> DISABLED <-> MALWARE-OTHER Keylogger ghost Keylogger runtime detection (malware-other.rules) * 1:9827 <-> DISABLED <-> MALWARE-OTHER Keylogger paq keylog runtime detection - smtp (malware-other.rules) * 1:9828 <-> DISABLED <-> MALWARE-OTHER Keylogger paq keylog runtime detection - ftp (malware-other.rules) * 1:9830 <-> DISABLED <-> MALWARE-OTHER Keylogger supreme spy runtime detection (malware-other.rules) * 1:40905 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules) * 1:6207 <-> DISABLED <-> MALWARE-OTHER Keylogger winsession runtime detection - smtp (malware-other.rules) * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules) * 1:46682 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:45006 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules) * 1:7546 <-> DISABLED <-> MALWARE-OTHER Keylogger PerfectKeylogger runtime detection (malware-other.rules) * 1:41309 <-> DISABLED <-> FILE-OTHER Dell Precision Optimizer dll-load exploit attempt (file-other.rules) * 1:7168 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 4 (malware-other.rules) * 1:7505 <-> DISABLED <-> MALWARE-OTHER Keylogger actualspy runtime detection - smtp (malware-other.rules) * 1:613 <-> DISABLED <-> INDICATOR-SCAN myscan (indicator-scan.rules) * 1:42949 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded document class name obfuscation attempt (indicator-obfuscation.rules) * 1:4984 <-> DISABLED <-> SQL sa brute force failed login unicode attempt (sql.rules) * 1:46065 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sigma outbound connection (malware-cnc.rules) * 1:44601 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules) * 1:41712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Houdini backdoor file download request (malware-cnc.rules) * 1:6221 <-> DISABLED <-> MALWARE-OTHER Keylogger computerspy runtime detection (malware-other.rules) * 1:7169 <-> DISABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange (malware-other.rules) * 1:45470 <-> ENABLED <-> MALWARE-CNC SambaCry ransomware download attempt (malware-cnc.rules) * 1:41458 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:43673 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt (browser-firefox.rules) * 1:42926 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules) * 1:48862 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:7186 <-> DISABLED <-> MALWARE-OTHER Keylogger kgb Keylogger runtime detection (malware-other.rules) * 1:7160 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - upload file server-to-client (malware-other.rules) * 1:47371 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules) * 1:6040 <-> ENABLED <-> MALWARE-BACKDOOR fade 1.0 runtime detection - enable keylogger (malware-backdoor.rules) * 1:7512 <-> ENABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - init connection - flowbit set (malware-other.rules) * 1:44692 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (indicator-obfuscation.rules) * 1:43003 <-> ENABLED <-> PROTOCOL-OTHER NETBIOS SMB IPC share access attempt (protocol-other.rules) * 1:42871 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:6365 <-> DISABLED <-> MALWARE-OTHER Sony rootkit runtime detection (malware-other.rules) * 1:44235 <-> ENABLED <-> INDICATOR-OBFUSCATION FOPO obfuscated PHP file upload attempt (indicator-obfuscation.rules) * 1:43256 <-> ENABLED <-> INDICATOR-OBFUSCATION Rig EK fromCharCode offset 33 obfuscated getElementsByTagName call (indicator-obfuscation.rules) * 1:46482 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules) * 1:44599 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules) * 1:42395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oddjob outbound connection (malware-cnc.rules) * 1:7504 <-> DISABLED <-> MALWARE-OTHER Keylogger actualspy runtime detection - ftp-data (malware-other.rules) * 1:616 <-> DISABLED <-> INDICATOR-SCAN ident version request (indicator-scan.rules) * 1:7541 <-> DISABLED <-> MALWARE-OTHER Keylogger starlogger runtime detection (malware-other.rules) * 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (server-webapp.rules) * 1:7099 <-> ENABLED <-> MALWARE-BACKDOOR remote hack 1.5 runtime detection - start keylogger (malware-backdoor.rules) * 1:42950 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded vbscript tag obfuscation attempt (indicator-obfuscation.rules) * 1:49290 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:45927 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules) * 1:7515 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - remote monitoring (malware-other.rules) * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules) * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules) * 1:49292 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:42227 <-> DISABLED <-> SERVER-OTHER NTP Config Unpeer denial of service attempt (server-other.rules) * 1:45137 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit run hidden powershell attempt (indicator-compromise.rules) * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:5783 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae keystrokes log (malware-other.rules) * 1:42947 <-> ENABLED <-> INDICATOR-OBFUSCATION Dridex String.prototype function definition obfuscation attempt (indicator-obfuscation.rules) * 1:41817 <-> DISABLED <-> SERVER-WEBAPP generic SQL select statement possible sql injection (server-webapp.rules) * 1:49052 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:43989 <-> DISABLED <-> INDICATOR-OBFUSCATION newlines embedded in rtf header (indicator-obfuscation.rules) * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection (malware-cnc.rules) * 1:42292 <-> DISABLED <-> INDICATOR-COMPROMISE malicious javascript obfuscation detected (indicator-compromise.rules) * 1:45928 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules) * 1:42185 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (os-windows.rules) * 1:4917 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript onload prompt obfuscation overflow attempt (browser-ie.rules) * 1:7176 <-> DISABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - log retrieve (malware-other.rules) * 1:7551 <-> DISABLED <-> MALWARE-OTHER Keylogger ardamax keylogger runtime detection - smtp (malware-other.rules) * 1:7847 <-> DISABLED <-> MALWARE-OTHER Keylogger clogger 1.0 runtime detection - send log through email (malware-other.rules) * 1:7773 <-> DISABLED <-> MALWARE-BACKDOOR messiah 4.0 runtime detection - enable keylogger (malware-backdoor.rules) * 1:8544 <-> DISABLED <-> MALWARE-OTHER Keylogger nicespy runtime detection - smtp (malware-other.rules) * 1:7845 <-> ENABLED <-> MALWARE-OTHER Keylogger clogger 1.0 runtime detection (malware-other.rules) * 1:7846 <-> ENABLED <-> MALWARE-OTHER Keylogger clogger 1.0 runtime detection (malware-other.rules) * 1:8466 <-> DISABLED <-> MALWARE-OTHER Keylogger netobserve runtime detection - email notification (malware-other.rules) * 1:8356 <-> ENABLED <-> MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send log out through email (malware-other.rules) * 1:8357 <-> ENABLED <-> MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send alert out through email (malware-other.rules) * 1:809 <-> DISABLED <-> SERVER-WEBAPP whois_raw.cgi arbitrary command execution attempt (server-webapp.rules) * 1:8081 <-> DISABLED <-> INDICATOR-SCAN UPnP service discover attempt (indicator-scan.rules) * 1:8059 <-> DISABLED <-> SERVER-ORACLE SYS.KUPW-WORKER sql injection attempt (server-oracle.rules) * 1:7807 <-> DISABLED <-> MALWARE-BACKDOOR fatal wound 1.0 runtime detection - execute file (malware-backdoor.rules) * 1:7597 <-> DISABLED <-> MALWARE-OTHER Keylogger spy lantern keylogger runtime detection (malware-other.rules) * 1:7574 <-> DISABLED <-> MALWARE-OTHER Keylogger proagent 2.0 runtime detection (malware-other.rules) * 1:7564 <-> DISABLED <-> PUA-ADWARE Hijacker startnow outbound connection (pua-adware.rules) * 1:7596 <-> ENABLED <-> MALWARE-OTHER Keylogger spy lantern keylogger runtime detection - flowbit set (malware-other.rules) * 1:7591 <-> ENABLED <-> MALWARE-OTHER Keylogger keylogger pro runtime detection - flowbit set (malware-other.rules) * 1:7552 <-> DISABLED <-> MALWARE-OTHER Keylogger ardamax keylogger runtime detection - ftp (malware-other.rules) * 1:7592 <-> DISABLED <-> MALWARE-OTHER Keylogger keylogger pro runtime detection (malware-other.rules) * 1:8355 <-> ENABLED <-> MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection (malware-other.rules) * 1:43073 <-> DISABLED <-> SQL SysAid potential default credential login attempt (sql.rules) * 1:42198 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:5784 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae urls browsed log (malware-other.rules) * 1:6489 <-> DISABLED <-> PUA-ADWARE Hijacker analyze IE outbound connection - default page hijacker (pua-adware.rules) * 1:45967 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules) * 1:7167 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 3 (malware-other.rules) * 1:7539 <-> DISABLED <-> MALWARE-OTHER Keylogger eye spy pro 1.0 runtime detection (malware-other.rules) * 1:42876 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:47372 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules) * 1:5781 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae windows activity logs (malware-other.rules) * 1:46675 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:47137 <-> DISABLED <-> SERVER-WEBAPP HP VAN SDN Controller default token authentication attempt (server-webapp.rules) * 1:45068 <-> DISABLED <-> SERVER-OTHER Oracle Identity Manager default login attempt (server-other.rules) * 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules) * 1:6340 <-> DISABLED <-> MALWARE-OTHER Keylogger handy keylogger runtime detection (malware-other.rules) * 1:5790 <-> DISABLED <-> MALWARE-OTHER Keylogger pc actmon pro runtime detection - smtp (malware-other.rules) * 1:7547 <-> DISABLED <-> MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection - agent status monitoring (malware-other.rules) * 1:627 <-> DISABLED <-> INDICATOR-SCAN cybercop os SFU12 probe (indicator-scan.rules) * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules) * 1:6383 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - tcp connection setup (malware-other.rules) * 1:43837 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript regex (indicator-obfuscation.rules) * 1:43802 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:6220 <-> DISABLED <-> MALWARE-OTHER Keylogger boss everyware runtime detection (malware-other.rules) * 1:45173 <-> DISABLED <-> BROWSER-FIREFOX Mozilla download directory file deletion attempt (browser-firefox.rules) * 1:43287 <-> DISABLED <-> SERVER-WEBAPP /etc/inetd.conf file access attempt (server-webapp.rules) * 1:5777 <-> DISABLED <-> MALWARE-OTHER Keylogger gurl watcher runtime detection (malware-other.rules) * 1:41920 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux authentication token brute force attempt (server-webapp.rules) * 1:7513 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - init connection (malware-other.rules) * 1:6159 <-> DISABLED <-> MALWARE-BACKDOOR delirium of disorder runtime detection - enable keylogger (malware-backdoor.rules) * 1:7514 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - send out info to server periodically (malware-other.rules) * 1:41435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules) * 1:42946 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped valueOf function name obfuscation attempt (indicator-obfuscation.rules) * 1:43803 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:7545 <-> ENABLED <-> MALWARE-OTHER Keylogger PerfectKeylogger runtime detection - flowbit set 2 (malware-other.rules) * 1:43288 <-> DISABLED <-> SERVER-WEBAPP /etc/motd file access attempt (server-webapp.rules) * 1:6041 <-> DISABLED <-> MALWARE-BACKDOOR fade 1.0 runtime detection - enable keylogger (malware-backdoor.rules) * 1:42197 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:45418 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules) * 1:7158 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - remote conn server-to-client (malware-other.rules) * 1:49063 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:45371 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules) * 1:42925 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules) * 1:47461 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules) * 1:49051 <-> DISABLED <-> SERVER-OTHER Ewon router default credential login attempt (server-other.rules) * 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules) * 1:41440 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules) * 1:43113 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric IGSS dashboard deletion attempt (server-webapp.rules) * 1:7175 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - log retrieve (malware-other.rules) * 1:49058 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:7162 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client (malware-other.rules) * 1:48863 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:49057 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules) * 1:45005 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules) * 1:42873 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:44623 <-> DISABLED <-> POLICY-OTHER EMC Autostart default domain login attempt (policy-other.rules) * 1:5881 <-> ENABLED <-> MALWARE-OTHER Keylogger spyagent runtime detect - ftp delivery (malware-other.rules) * 1:49055 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:46369 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules) * 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules) * 1:48895 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules) * 1:42235 <-> DISABLED <-> SERVER-OTHER NTP malformed config request denial of service attempt (server-other.rules) * 1:44563 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:42133 <-> DISABLED <-> SERVER-APACHE Apache mod_session_crypto padding oracle brute force attempt (server-apache.rules) * 1:45483 <-> ENABLED <-> MALWARE-CNC Pdf.Phishing.Agent variant outbound connection detected (malware-cnc.rules) * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules) * 1:43216 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP payload not fully gzip compressed attempt (indicator-obfuscation.rules) * 1:5780 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwpe word filtered echelon log (malware-other.rules) * 1:46879 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules) * 1:49289 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:45352 <-> ENABLED <-> MALWARE-CNC PowerShell Empire HTTP listener response (malware-cnc.rules) * 1:7156 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - email delivery (malware-other.rules) * 1:42163 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (file-other.rules) * 1:43127 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration enumeration attempt (policy-other.rules) * 1:44646 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SVCCTL remote service attempt (malware-other.rules) * 1:6384 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent discover broadcast (malware-other.rules) * 1:47867 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules) * 1:41457 <-> DISABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Elite Keylogger (malware-cnc.rules) * 1:619 <-> DISABLED <-> INDICATOR-SCAN cybercop os probe (indicator-scan.rules) * 1:49061 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:49064 <-> DISABLED <-> SERVER-OTHER Westermo router default credential login attempt (server-other.rules) * 1:5880 <-> ENABLED <-> MALWARE-OTHER Keylogger spyagent runtime detect - smtp delivery (malware-other.rules) * 1:42304 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules) * 1:4236 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer WMI ASDI Extension ActiveX object access (browser-plugins.rules) * 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules) * 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (malware-cnc.rules) * 1:46387 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt (server-other.rules) * 1:49059 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:41459 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:7178 <-> ENABLED <-> MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection (malware-other.rules) * 1:44756 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules) * 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules) * 1:7141 <-> DISABLED <-> PUA-ADWARE Adware pay-per-click runtime detection - update (pua-adware.rules) * 1:41460 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:45904 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules) * 1:44697 <-> DISABLED <-> MALWARE-CNC SquirrelMail directory traversal attempt (malware-cnc.rules) * 1:46684 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:47116 <-> DISABLED <-> SERVER-MAIL Zerofont phishing attempt (server-mail.rules) * 1:6386 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent up notification (malware-other.rules) * 1:43370 <-> DISABLED <-> NETBIOS DCERPC possible wmi remote process launch (netbios.rules) * 1:42887 <-> ENABLED <-> SERVER-OTHER ntpq flagstr buffer overflow attempt (server-other.rules) * 1:48531 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules) * 1:42305 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules) * 1:7185 <-> DISABLED <-> MALWARE-OTHER Keylogger 007 spy software runtime detection - ftp (malware-other.rules) * 1:44561 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:46685 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:49056 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:46027 <-> DISABLED <-> SERVER-WEBAPP EventManager page.php sql injection attempt SQL injection attempt (server-webapp.rules) * 1:48894 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules) * 1:45419 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules) * 1:48864 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules) * 1:43804 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:6208 <-> DISABLED <-> MALWARE-OTHER Keylogger winsession runtime detection - ftp (malware-other.rules) * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules) * 1:42300 <-> DISABLED <-> SERVER-WEBAPP SensorIP2 default credentials enumeration attempt (server-webapp.rules) * 1:41925 <-> DISABLED <-> FILE-OTHER Notepad++ scilexer.dll dll-load exploit attempt (file-other.rules) * 1:7180 <-> DISABLED <-> MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection (malware-other.rules) * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:41446 <-> ENABLED <-> SERVER-WEBAPP Cisco Meraki default admin credentials attempt (server-webapp.rules) * 1:7163 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - execute file client-to-server (malware-other.rules) * 1:44560 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules) * 1:42785 <-> DISABLED <-> INDICATOR-SCAN DNS version.bind string information disclosure attempt (indicator-scan.rules) * 1:7164 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - execute file server-to-client (malware-other.rules) * 1:48231 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (server-webapp.rules) * 1:48861 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:45454 <-> DISABLED <-> SERVER-WEBAPP PostfixAdmin protected alias deletion attempt (server-webapp.rules) * 1:7154 <-> DISABLED <-> MALWARE-OTHER Keylogger active keylogger home runtime detection (malware-other.rules) * 1:48145 <-> DISABLED <-> FILE-OTHER McAfee True Key dll-load exploit attempt (file-other.rules) * 1:49062 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:47052 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt (server-other.rules) * 1:44562 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:45518 <-> DISABLED <-> POLICY-OTHER Remote Desktop weak 40-bit RC4 encryption use attempt (policy-other.rules) * 1:41824 <-> DISABLED <-> SERVER-OTHER Nagios Core privilege escalation attempt (server-other.rules) * 1:42017 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded HTTP response with no Content-Length or chunked Transfer-Encoding header (indicator-obfuscation.rules) * 1:48288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (malware-cnc.rules) * 1:48508 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules) * 1:42877 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:49291 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:45370 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules) * 1:41456 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Elite Keylogger (malware-cnc.rules) * 1:47462 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules) * 1:44702 <-> DISABLED <-> POLICY-OTHER Inedo BuildMaster web server login with default credentials attempt (policy-other.rules) * 1:6143 <-> DISABLED <-> MALWARE-BACKDOOR dark connection inside v1.2 runtime detection (malware-backdoor.rules) * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:47138 <-> DISABLED <-> SERVER-WEBAPP HP VAN SDN Controller default credentials authentication attempt (server-webapp.rules) * 1:41461 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:626 <-> DISABLED <-> INDICATOR-SCAN cybercop os PA12 attempt (indicator-scan.rules) * 1:45469 <-> ENABLED <-> MALWARE-CNC SambaCry ransomware download attempt (malware-cnc.rules) * 1:43707 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated vbscript detected (indicator-obfuscation.rules) * 1:6190 <-> DISABLED <-> MALWARE-OTHER Keylogger eblaster 5.0 runtime detection (malware-other.rules) * 1:45915 <-> DISABLED <-> INDICATOR-COMPROMISE PHP obfuscated eval command execution attempt (indicator-compromise.rules) * 1:43179 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules) * 1:46026 <-> DISABLED <-> SERVER-WEBAPP EventManager page.php sql injection attempt SQL injection attempt (server-webapp.rules) * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules) * 1:7549 <-> DISABLED <-> MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection (malware-other.rules) * 1:48573 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary file deletion attempt (server-webapp.rules) * 1:47115 <-> DISABLED <-> SERVER-MAIL Zerofont phishing attempt (server-mail.rules) * 1:43002 <-> ENABLED <-> PROTOCOL-OTHER NETBIOS SMB IPC share access attempt (protocol-other.rules) * 1:7184 <-> DISABLED <-> MALWARE-OTHER Keylogger 007 spy software runtime detection - smtp (malware-other.rules) * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:49060 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:43708 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated vbscript detected (indicator-obfuscation.rules) * 1:42066 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin arbitrary file deletion attempt (server-webapp.rules) * 1:46683 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:7179 <-> ENABLED <-> MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection (malware-other.rules) * 1:42875 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:7157 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - remote conn client-to-server (malware-other.rules) * 1:5759 <-> DISABLED <-> MALWARE-OTHER Keylogger fearlesskeyspy runtime detection (malware-other.rules) * 1:42890 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules) * 1:49054 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:42872 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules) * 1:43180 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules) * 1:41917 <-> ENABLED <-> SERVER-WEBAPP Carel PlantVisorPRO default login attempt (server-webapp.rules) * 1:44388 <-> ENABLED <-> SERVER-WEBAPP Multiple routers getcfg.php credential disclosure attempt (server-webapp.rules) * 1:43990 <-> DISABLED <-> INDICATOR-OBFUSCATION RTF obfuscation string (indicator-obfuscation.rules) * 1:630 <-> DISABLED <-> INDICATOR-SCAN synscan portscan (indicator-scan.rules) * 1:7548 <-> DISABLED <-> MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection - agent up notification (malware-other.rules) * 1:47585 <-> DISABLED <-> SERVER-OTHER ntpq decode array buffer overflow attempt (server-other.rules) * 1:47422 <-> DISABLED <-> FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt (file-other.rules) * 1:48144 <-> DISABLED <-> FILE-OTHER McAfee True Key dll-load exploit attempt (file-other.rules) * 1:46381 <-> DISABLED <-> INDICATOR-COMPROMISE Potential data exfiltration through Google form submission (indicator-compromise.rules) * 1:42874 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules) * 1:41564 <-> DISABLED <-> FILE-OFFICE Microsoft Office imjp12k.dll dll-load exploit attempt (file-office.rules) * 1:44600 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules) * 1:42111 <-> DISABLED <-> INDICATOR-OBFUSCATION Base64 encoded String.fromCharCode (indicator-obfuscation.rules) * 1:5778 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwpe windows activity logs (malware-other.rules) * 1:7165 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 1 (malware-other.rules) * 1:40897 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40904 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules) * 1:41194 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules) * 1:41193 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules) * 1:41164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (file-pdf.rules) * 1:41163 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (file-pdf.rules) * 1:41092 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit landing page obfuscation detected (exploit-kit.rules) * 1:41084 <-> DISABLED <-> EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected (exploit-kit.rules) * 1:40911 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Sednit variant outbound connection (malware-cnc.rules) * 1:32355 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript variable obfuscation (indicator-obfuscation.rules) * 1:32501 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (file-other.rules) * 1:32741 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:32757 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (server-other.rules) * 1:32758 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (server-other.rules) * 1:32760 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (server-other.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:10088 <-> DISABLED <-> MALWARE-OTHER Keylogger beyond Keylogger runtime detection - log sent by smtp (malware-other.rules) * 1:10089 <-> DISABLED <-> MALWARE-OTHER Keylogger beyond Keylogger runtime detection - log sent by ftp (malware-other.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:32890 <-> DISABLED <-> SERVER-OTHER ntpd configure buffer overflow attempt (server-other.rules) * 1:10098 <-> DISABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - get system info (malware-other.rules) * 1:32947 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file download request (file-identify.rules) * 1:10123 <-> DISABLED <-> PROTOCOL-VOIP PA168 chipset based IP phone default password attempt (protocol-voip.rules) * 1:10181 <-> DISABLED <-> MALWARE-OTHER Keylogger systemsleuth runtime detection (malware-other.rules) * 1:10183 <-> DISABLED <-> MALWARE-OTHER Keylogger activity Keylogger runtime detection (malware-other.rules) * 1:32949 <-> DISABLED <-> MALWARE-OTHER Download of executable screensaver file (malware-other.rules) * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules) * 1:10436 <-> DISABLED <-> MALWARE-OTHER Keylogger keyspy runtime detection (malware-other.rules) * 1:10457 <-> DISABLED <-> MALWARE-BACKDOOR [x]-ztoo 1.0 runtime detection - start keylogger (malware-backdoor.rules) * 1:10464 <-> DISABLED <-> PROTOCOL-TELNET kerberos login environment variable authentication bypass attempt (protocol-telnet.rules) * 1:1090 <-> DISABLED <-> SERVER-WEBAPP Allaire Pro Web Shell attempt (server-webapp.rules) * 1:1100 <-> DISABLED <-> INDICATOR-SCAN L3retriever HTTP Probe (indicator-scan.rules) * 1:33221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules) * 1:33222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules) * 1:1101 <-> DISABLED <-> INDICATOR-SCAN Webtrends HTTP probe (indicator-scan.rules) * 1:11250 <-> DISABLED <-> BROWSER-PLUGINS Sony Rootkit Uninstaller ActiveX clsid access (browser-plugins.rules) * 1:33886 <-> ENABLED <-> MALWARE-CNC WIn.Trojan.HawkEye keylogger variant outbound connection (malware-cnc.rules) * 1:1129 <-> DISABLED <-> SERVER-WEBAPP .htaccess access (server-webapp.rules) * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:11311 <-> DISABLED <-> MALWARE-OTHER Keylogger pcsentinelsoftware Keylogger runtime detection - upload infor (malware-other.rules) * 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:33983 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit obfuscated file download (exploit-kit.rules) * 1:1133 <-> DISABLED <-> INDICATOR-SCAN cybercop os probe (indicator-scan.rules) * 1:12046 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind RPC Library unix authentication buffer overflow attempt (protocol-rpc.rules) * 1:12048 <-> DISABLED <-> MALWARE-OTHER Keylogger computer Keylogger runtime detection (malware-other.rules) * 1:12049 <-> DISABLED <-> MALWARE-OTHER Keylogger apophis spy 1.0 runtime detection (malware-other.rules) * 1:34345 <-> DISABLED <-> POLICY-OTHER Red Hat OpenStack default password login attempt (policy-other.rules) * 1:12128 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - init connection (malware-other.rules) * 1:12129 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - get sys info (malware-other.rules) * 1:12130 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - get sys info (malware-other.rules) * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules) * 1:34709 <-> DISABLED <-> SERVER-OTHER MIT Kerberos MIT Kerberos 5 krb5_read_message denial of service attempt (server-other.rules) * 1:12133 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - open url (malware-other.rules) * 1:34892 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro quserex.dll dll-load exploit attempt (file-other.rules) * 1:12136 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - fun (malware-other.rules) * 1:12159 <-> DISABLED <-> MALWARE-BACKDOOR optix pro v1.32 runtime detection - keylogging (malware-backdoor.rules) * 1:12185 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 tcp request (protocol-rpc.rules) * 1:34894 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro FxManagedCommands dll-load exploit attempt (file-other.rules) * 1:34895 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro FxManagedCommands dll-load exploit attempt (file-other.rules) * 1:12186 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp request (protocol-rpc.rules) * 1:12188 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp rename_principal attempt (protocol-rpc.rules) * 1:12226 <-> DISABLED <-> MALWARE-OTHER Keylogger overspy runtime detection (malware-other.rules) * 1:12243 <-> DISABLED <-> MALWARE-BACKDOOR hotmail hacker log edition 5.0 runtime detection - init connection (malware-backdoor.rules) * 1:12372 <-> DISABLED <-> MALWARE-OTHER Keylogger mg-shadow 2.0 runtime detection (malware-other.rules) * 1:34897 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro TD_Mgd_3.08_9.dll dll-load exploit attempt (file-other.rules) * 1:34898 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wacommt.dll dll-load exploit attempt (file-other.rules) * 1:12379 <-> DISABLED <-> MALWARE-OTHER Keylogger PaqKeylogger 5.1 runtime detection - ftp (malware-other.rules) * 1:12480 <-> ENABLED <-> MALWARE-OTHER Keylogger inside website logger 2.4 runtime detection (malware-other.rules) * 1:34904 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro MSPStyleLib.dll dll-load exploit attempt (file-other.rules) * 1:12625 <-> DISABLED <-> MALWARE-OTHER Keylogger windows family safety 2.0 runtime detection (malware-other.rules) * 1:34907 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uhDSPlay.dll dll-load exploit attempt (file-other.rules) * 1:12758 <-> ENABLED <-> MALWARE-OTHER Keylogger/RAT digi watcher 2.32 runtime detection (malware-other.rules) * 1:34908 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uhDSPlay.dll dll-load exploit attempt (file-other.rules) * 1:34910 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt (file-other.rules) * 1:12759 <-> DISABLED <-> MALWARE-OTHER Keylogger/RAT digi watcher 2.32 runtime detection (malware-other.rules) * 1:12760 <-> ENABLED <-> MALWARE-OTHER Keylogger powered Keylogger 2.2 runtime detection (malware-other.rules) * 1:12761 <-> DISABLED <-> MALWARE-OTHER Keylogger powered Keylogger 2.2 runtime detection (malware-other.rules) * 1:12770 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows obfuscated RDS.Dataspace ActiveX exploit attempt (browser-plugins.rules) * 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection (malware-cnc.rules) * 1:12773 <-> DISABLED <-> BROWSER-PLUGINS obfuscated Xunlei Thunder PPLAYER.DLL ActiveX exploit attempt (browser-plugins.rules) * 1:12774 <-> DISABLED <-> BROWSER-PLUGINS obfuscated GlobalLink ConnectAndEnterRoom ActiveX exploit attempt (browser-plugins.rules) * 1:12775 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer obfuscated Ierpplug.dll ActiveX exploit attempt (browser-plugins.rules) * 1:35109 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules) * 1:35110 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules) * 1:13223 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (protocol-rpc.rules) * 1:35143 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer msostyle.dll dll-load exploit attempt (file-office.rules) * 1:13243 <-> ENABLED <-> MALWARE-OTHER Keylogger computer monitor 1.1 by lastcomfort runtime detection (malware-other.rules) * 1:13279 <-> DISABLED <-> MALWARE-OTHER Keylogger advanced spy 4.0 runtime detection (malware-other.rules) * 1:13280 <-> ENABLED <-> MALWARE-OTHER Keylogger email spy monitor 6.9 runtime detection (malware-other.rules) * 1:3519 <-> DISABLED <-> SERVER-MYSQL MaxDB WebSQL wppassword buffer overflow default port (server-mysql.rules) * 1:35215 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode atlthunk.dll dll-load exploit attempt (browser-ie.rules) * 1:13281 <-> DISABLED <-> MALWARE-OTHER Keylogger email spy monitor 6.9 runtime detection (malware-other.rules) * 1:13347 <-> DISABLED <-> PUA-ADWARE Snoopware remote desktop inspector runtime detection - init connection (pua-adware.rules) * 1:13479 <-> ENABLED <-> MALWARE-OTHER Keylogger findnot guarddog 4.0 runtime detection (malware-other.rules) * 1:13480 <-> DISABLED <-> MALWARE-OTHER Keylogger findnot guarddog 4.0 runtime detection (malware-other.rules) * 1:13494 <-> DISABLED <-> MALWARE-OTHER Keylogger smart pc Keylogger runtime detection (malware-other.rules) * 1:3542 <-> DISABLED <-> SQL SA brute force login attempt (sql.rules) * 1:3543 <-> DISABLED <-> SQL SA brute force login attempt TDS v7/8 (sql.rules) * 1:13507 <-> DISABLED <-> MALWARE-CNC evilotus 1.3.2 variant outbound connection (malware-cnc.rules) * 1:13567 <-> DISABLED <-> MALWARE-OTHER Keylogger msn spy monitor runtime detection (malware-other.rules) * 1:35737 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules) * 1:13568 <-> DISABLED <-> MALWARE-OTHER Keylogger sys keylog 1.3 advanced runtime detection (malware-other.rules) * 1:35770 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike outbound connection (malware-backdoor.rules) * 1:13651 <-> DISABLED <-> MALWARE-OTHER Keylogger family cyber alert runtime detection - smtp traffic for recorded activities (malware-other.rules) * 1:35831 <-> DISABLED <-> SERVER-OTHER multiple vendors NTP daemon integer overflow attempt (server-other.rules) * 1:36036 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (indicator-obfuscation.rules) * 1:13652 <-> DISABLED <-> PUA-ADWARE Keylogger all in one Keylogger runtime detection (pua-adware.rules) * 1:13767 <-> ENABLED <-> MALWARE-OTHER Keylogger cyber sitter runtime detection (malware-other.rules) * 1:13768 <-> DISABLED <-> MALWARE-OTHER Keylogger cyber sitter runtime detection (malware-other.rules) * 1:13778 <-> DISABLED <-> MALWARE-OTHER Keylogger kgb employee monitor runtime detection (malware-other.rules) * 1:36252 <-> DISABLED <-> SERVER-OTHER ntpd remote configuration denial of service attempt (server-other.rules) * 1:13987 <-> DISABLED <-> INDICATOR-OBFUSCATION oversized convert statement - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:13988 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to ascii function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:13989 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules) * 1:36304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinPlock variant outbound connection (malware-cnc.rules) * 1:14039 <-> DISABLED <-> FILE-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt (file-other.rules) * 1:36407 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:14065 <-> DISABLED <-> MALWARE-OTHER Keylogger emptybase j runtime detection (malware-other.rules) * 1:1434 <-> DISABLED <-> SERVER-WEBAPP .bash_history access (server-webapp.rules) * 1:15169 <-> DISABLED <-> POLICY-SOCIAL XBOX Live Kerberos authentication request (policy-social.rules) * 1:36409 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:36410 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:15362 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (indicator-obfuscation.rules) * 1:15414 <-> DISABLED <-> PROTOCOL-SCADA OMRON-FINS program area protect clear brute force attempt (protocol-scada.rules) * 1:15424 <-> DISABLED <-> SERVER-WEBAPP phpBB mod shoutbox sql injection attempt (server-webapp.rules) * 1:15425 <-> DISABLED <-> SERVER-WEBAPP phpBB mod tag board sql injection attempt (server-webapp.rules) * 1:15431 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt (browser-firefox.rules) * 1:36585 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari user assisted applescript code execution attempt (browser-webkit.rules) * 1:36596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules) * 1:15514 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt (server-other.rules) * 1:15697 <-> DISABLED <-> INDICATOR-OBFUSCATION rename of javascript unescape function detected (indicator-obfuscation.rules) * 1:36666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tentobr outbound connection (malware-cnc.rules) * 1:15701 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 2000 domain authentication bypass attempt (os-windows.rules) * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules) * 1:15863 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX function call access (browser-plugins.rules) * 1:36815 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected (server-other.rules) * 1:36824 <-> DISABLED <-> EXPLOIT-KIT Known exploit kit obfuscation routine detected (exploit-kit.rules) * 1:15874 <-> DISABLED <-> SQL union select - possible sql injection attempt - POST parameter (sql.rules) * 1:16125 <-> DISABLED <-> MALWARE-OTHER Keylogger spyyahoo v2.2 runtime detection (malware-other.rules) * 1:16129 <-> DISABLED <-> MALWARE-OTHER Keylogger kamyab Keylogger v.3 runtime detection (malware-other.rules) * 1:16130 <-> DISABLED <-> MALWARE-OTHER Keylogger lord spy pro 1.4 runtime detection (malware-other.rules) * 1:37132 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules) * 1:16268 <-> ENABLED <-> MALWARE-CNC Win.Trojan.tdss.1.gen install-time detection - yournewsblog.net (malware-cnc.rules) * 1:16269 <-> ENABLED <-> MALWARE-CNC Win.Trojan.tdss.1.gen install-time detection - findzproportal1.com (malware-cnc.rules) * 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules) * 1:37244 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules) * 1:37245 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:1638 <-> DISABLED <-> INDICATOR-SCAN SSH Version map attempt (indicator-scan.rules) * 1:37264 <-> ENABLED <-> FILE-OFFICE Microsoft Office api-ms-win-core-winrt-l1-1-0.dll dll-load exploit attempt (file-office.rules) * 1:16524 <-> DISABLED <-> PROTOCOL-FTP ProFTPD username sql injection attempt (protocol-ftp.rules) * 1:16742 <-> ENABLED <-> FILE-IDENTIFY remote desktop configuration file download request (file-identify.rules) * 1:16743 <-> DISABLED <-> FILE-OTHER Cain & Abel Remote Desktop Protocol file handling buffer overflow attempt (file-other.rules) * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules) * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules) * 1:17044 <-> ENABLED <-> SQL WinCC DB default password security bypass attempt (sql.rules) * 1:17153 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1 (browser-firefox.rules) * 1:17154 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 (browser-firefox.rules) * 1:17243 <-> DISABLED <-> SERVER-OTHER MIT Kerberos V5 krb5_recvauth double free attempt (server-other.rules) * 1:17265 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin access control bypass attempt (browser-firefox.rules) * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules) * 1:17273 <-> DISABLED <-> SERVER-OTHER MIT Kerberos V5 KDC krb5_unparse_name overflow attempt (server-other.rules) * 1:17291 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded uri data object found (indicator-obfuscation.rules) * 1:37313 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules) * 1:17353 <-> DISABLED <-> OS-SOLARIS Oracle Solaris printd Daemon Arbitrary File Deletion attempt (os-solaris.rules) * 1:37379 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules) * 1:17444 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt (browser-firefox.rules) * 1:37380 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules) * 1:37382 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules) * 1:17571 <-> DISABLED <-> BROWSER-PLUGINS obfuscated instantiation of ActiveX object - likely malicious (browser-plugins.rules) * 1:18070 <-> DISABLED <-> FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt (file-office.rules) * 1:18071 <-> DISABLED <-> FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt (file-office.rules) * 1:18132 <-> DISABLED <-> INDICATOR-OBFUSCATION malware-associated JavaScript obfuscation function (indicator-obfuscation.rules) * 1:37390 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules) * 1:18204 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (os-windows.rules) * 1:18205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book msoeres32.dll dll-load exploit attempt (os-windows.rules) * 1:18208 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdist.dll dll-load exploit attempt (os-windows.rules) * 1:37392 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules) * 1:37393 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules) * 1:18211 <-> DISABLED <-> OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt (os-windows.rules) * 1:37396 <-> DISABLED <-> SERVER-WEBAPP eWON default password login attempt (server-webapp.rules) * 1:18224 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:18227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:18239 <-> DISABLED <-> INDICATOR-OBFUSCATION known malicious JavaScript decryption routine (indicator-obfuscation.rules) * 1:37421 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules) * 1:37525 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (server-other.rules) * 1:18241 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:18245 <-> DISABLED <-> BROWSER-PLUGINS Oracle Java browser plugin docbase overflow attempt (browser-plugins.rules) * 1:18277 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool fveapi.dll dll-load exploit attempt (os-windows.rules) * 1:18329 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access (browser-plugins.rules) * 1:18408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt (os-windows.rules) * 1:37555 <-> ENABLED <-> FILE-OFFICE Microsoft Office msdaora.dll dll-load exploit attempt (file-office.rules) * 1:37556 <-> ENABLED <-> FILE-OFFICE Microsoft Office phoneinfo.dll dll-load exploit attempt (file-office.rules) * 1:18413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt (os-windows.rules) * 1:18426 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin sqlite.dll dll-load exploit attempt (file-other.rules) * 1:37729 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (indicator-obfuscation.rules) * 1:18431 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin sqlite.dll dll-load exploit attempt (file-pdf.rules) * 1:37843 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK possible DoS attempt (server-other.rules) * 1:18434 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (file-other.rules) * 1:37891 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (indicator-obfuscation.rules) * 1:37903 <-> DISABLED <-> INDICATOR-OBFUSCATION fromCharcode known obfuscation attempt (indicator-obfuscation.rules) * 1:18435 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin agm.dll dll-load exploit attempt (file-other.rules) * 1:18436 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin bibutils.dll dll-load exploit attempt (file-other.rules) * 1:18437 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin cooltype.dll dll-load exploit attempt (file-other.rules) * 1:18438 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt (file-other.rules) * 1:37949 <-> DISABLED <-> INDICATOR-OBFUSCATION download of heavily compressed PDF attempt (indicator-obfuscation.rules) * 1:18441 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin bibutils.dll dll-load exploit attempt (file-pdf.rules) * 1:18442 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin cooltype.dll dll-load exploit attempt (file-pdf.rules) * 1:18443 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt (file-pdf.rules) * 1:37971 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:37972 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:18488 <-> DISABLED <-> FILE-OTHER Adobe Photoshop wintab32.dll dll-load exploit attempt (file-other.rules) * 1:38172 <-> DISABLED <-> FILE-OTHER Adobe Acrobat updaternotifications.dll dll-load exploit attempt (file-other.rules) * 1:18495 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules) * 1:18500 <-> DISABLED <-> OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt (os-windows.rules) * 1:18529 <-> DISABLED <-> FILE-OTHER Adobe Premiere Pro ibfs32.dll dll-load exploit attempt (file-other.rules) * 1:3820 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules) * 1:38249 <-> DISABLED <-> SERVER-WEBAPP Samsung Data Manager default password login attempt (server-webapp.rules) * 1:18530 <-> DISABLED <-> FILE-OTHER Adobe Premier Pro ibfs32.dll dll-load exploit attempt (file-other.rules) * 1:18533 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC authentication denial of service attempt (server-other.rules) * 1:18534 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC authentication denial of service attempt (server-other.rules) * 1:18556 <-> DISABLED <-> SERVER-WEBAPP Symantec IM manager IMAdminReportTrendFormRun.asp sql injection attempt (server-webapp.rules) * 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules) * 1:38251 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded script language declaration detected (indicator-obfuscation.rules) * 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:1860 <-> DISABLED <-> SERVER-WEBAPP Linksys router default password login attempt (server-webapp.rules) * 1:18619 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc40.dll dll-load exploit attempt (os-windows.rules) * 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Encodings header evasion attempt (indicator-obfuscation.rules) * 1:18620 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc42.dll dll-load exploit attempt (os-windows.rules) * 1:38385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:18623 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc100.dll dll-load exploit attempt (os-windows.rules) * 1:38386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38388 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger geolocation check (malware-cnc.rules) * 1:18625 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc40.dll dll-load exploit attempt (os-windows.rules) * 1:18626 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc42.dll dll-load exploit attempt (os-windows.rules) * 1:18627 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc80.dll dll-load exploit attempt (os-windows.rules) * 1:18628 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc90.dll dll-load exploit attempt (os-windows.rules) * 1:38510 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant exfiltration attempt (malware-cnc.rules) * 1:18782 <-> DISABLED <-> MALWARE-CNC URI Request for known malicious URI - Chinese Rootkit.Win32.Fisp.a (malware-cnc.rules) * 1:18818 <-> DISABLED <-> FILE-IDENTIFY .chm attachment file type blocked by Outlook detected (file-identify.rules) * 1:18822 <-> DISABLED <-> FILE-IDENTIFY .cpl attachment file type blocked by Outlook detected (file-identify.rules) * 1:38557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules) * 1:38558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules) * 1:18932 <-> DISABLED <-> SERVER-WEBAPP Jboss default configuration unauthorized application add attempt (server-webapp.rules) * 1:38561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt (malware-cnc.rules) * 1:19037 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules) * 1:19079 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getElementById object corruption (browser-ie.rules) * 1:19081 <-> DISABLED <-> INDICATOR-OBFUSCATION known suspicious decryption routine (indicator-obfuscation.rules) * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules) * 1:38564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt (malware-cnc.rules) * 1:19106 <-> DISABLED <-> MALWARE-OTHER Keylogger Ardamax keylogger runtime detection - http (malware-other.rules) * 1:1917 <-> DISABLED <-> INDICATOR-SCAN UPnP service discover attempt (indicator-scan.rules) * 1:19171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt (browser-ie.rules) * 1:19172 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt (browser-ie.rules) * 1:19311 <-> DISABLED <-> PUA-ADWARE Keylogger aspy v2.12 runtime detection (pua-adware.rules) * 1:38566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt (malware-cnc.rules) * 1:38595 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP version evasion attempt (indicator-obfuscation.rules) * 1:19314 <-> DISABLED <-> OS-WINDOWS Groove GroovePerfmon.dll dll-load exploit attempt (os-windows.rules) * 1:19318 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC UDP default U dun goofed attack (malware-other.rules) * 1:38601 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt (indicator-obfuscation.rules) * 1:19319 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules) * 1:38615 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules) * 1:19392 <-> ENABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (malware-other.rules) * 1:38616 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules) * 1:38618 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules) * 1:19393 <-> DISABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (malware-other.rules) * 1:19437 <-> DISABLED <-> INDICATOR-OBFUSCATION select concat statement - possible sql injection (indicator-obfuscation.rules) * 1:19438 <-> ENABLED <-> SQL url ending in comment characters - possible sql injection attempt (sql.rules) * 1:19439 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:38679 <-> DISABLED <-> INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt (indicator-obfuscation.rules) * 1:19466 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio mfc71 dll-load exploit attempt (file-office.rules) * 1:19551 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (malware-other.rules) * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules) * 1:38734 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header value without key evasion attempt (indicator-obfuscation.rules) * 1:38873 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MSIMG32.dll dll-load exploit attempt (file-flash.rules) * 1:19617 <-> DISABLED <-> FILE-OTHER Adobe Audition assist.dll dll-load exploit attempt (file-other.rules) * 1:38898 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules) * 1:19665 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - GET request (os-windows.rules) * 1:19674 <-> DISABLED <-> OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt (os-windows.rules) * 1:19706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent.cer variant outbound connection (malware-cnc.rules) * 1:38950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt (malware-cnc.rules) * 1:39130 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (exploit-kit.rules) * 1:19741 <-> DISABLED <-> MALWARE-OTHER PWS.Win32.Scofted keylogger runtime detection (malware-other.rules) * 1:19867 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized javascript encodings detected (indicator-obfuscation.rules) * 1:19868 <-> DISABLED <-> INDICATOR-OBFUSCATION hidden 1x1 div tag - potential malware obfuscation (indicator-obfuscation.rules) * 1:19884 <-> DISABLED <-> INDICATOR-OBFUSCATION String.fromCharCode with multiple encoding types detected (indicator-obfuscation.rules) * 1:19887 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:39294 <-> DISABLED <-> FILE-FLASH Adobe Flash Player dbghelp.dll dll-load exploit attempt (file-flash.rules) * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules) * 1:19888 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:19899 <-> ENABLED <-> MALWARE-OTHER Tong Keylogger outbound connectiooutbound connection (malware-other.rules) * 1:39410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant exfiltration outbound connection (malware-cnc.rules) * 1:19900 <-> DISABLED <-> MALWARE-OTHER Tong Keylogger outbound connection (malware-other.rules) * 1:39490 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (indicator-obfuscation.rules) * 1:19927 <-> DISABLED <-> MALWARE-BACKDOOR BRX Rat 0.02 inbound connection (malware-backdoor.rules) * 1:39532 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSL multi-dimensional array memory corruption attempt (file-pdf.rules) * 1:39642 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server credential disclosure attempt (server-webapp.rules) * 1:19933 <-> DISABLED <-> INDICATOR-SCAN DirBuster brute forcing tool detected (indicator-scan.rules) * 1:20047 <-> DISABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:20098 <-> DISABLED <-> MALWARE-CNC Win.Trojan.KeyLogger.wav variant outbound connection (malware-cnc.rules) * 1:20118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows shell extensions deskpan.dll dll-load exploit attempt (os-windows.rules) * 1:40094 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (indicator-scan.rules) * 1:20158 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish Server default credentials login attempt (server-webapp.rules) * 1:20175 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access (browser-plugins.rules) * 1:20212 <-> DISABLED <-> SERVER-OTHER SSL CBC encryption mode weakness brute force attempt (server-other.rules) * 1:40220 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt (server-other.rules) * 1:40238 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.AgentTesla variant outbound connection (malware-cnc.rules) * 1:20274 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP NetShareEnumAll request (netbios.rules) * 1:40317 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules) * 1:20691 <-> DISABLED <-> POLICY-OTHER Cisco Network Registrar default credentials authentication attempt (policy-other.rules) * 1:20692 <-> DISABLED <-> POLICY-OTHER Cisco network registrar default credentials authentication attempt (policy-other.rules) * 1:40319 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:40320 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:20700 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp7x32.dll dll-load exploit attempt (file-office.rules) * 1:20702 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp7x32.dll dll-load exploit attempt (file-office.rules) * 1:20703 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp4x322.dll dll-load exploit attempt (file-office.rules) * 1:20995 <-> DISABLED <-> POLICY-OTHER HP SiteScope integrationViewer default credentials policy-bypass attempt (policy-other.rules) * 1:20996 <-> DISABLED <-> POLICY-OTHER HP SiteScope integrationViewer default credentials policy-bypass attempt (policy-other.rules) * 1:40322 <-> DISABLED <-> SERVER-OTHER CA weblogic default credential login attempt (server-other.rules) * 1:40324 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion default credential login attempt (server-other.rules) * 1:21037 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized javascript encodings detected (indicator-obfuscation.rules) * 1:21039 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:40450 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Agent file download attempt (malware-cnc.rules) * 1:21040 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:40506 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:21108 <-> DISABLED <-> EXPLOIT-KIT unknown exploit kit obfuscated landing page (exploit-kit.rules) * 1:40507 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40509 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:21117 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell (indicator-compromise.rules) * 1:21118 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell security information display (indicator-compromise.rules) * 1:21119 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell interactive file system information display (indicator-compromise.rules) * 1:21120 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell interactive console display (indicator-compromise.rules) * 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules) * 1:21130 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell enumeration page (indicator-compromise.rules) * 1:21131 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell domain lookup page (indicator-compromise.rules) * 1:21132 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell sql interaction page (indicator-compromise.rules) * 1:40855 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40856 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:21135 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell password cracking page (indicator-compromise.rules) * 1:40859 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:21138 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell database parsing page (indicator-compromise.rules) * 1:21232 <-> DISABLED <-> SERVER-OTHER Remote Desktop Protocol brute force attempt (server-other.rules) * 1:21282 <-> ENABLED <-> FILE-IDENTIFY XSL file download request (file-identify.rules) * 1:40861 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40862 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:21283 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules) * 1:21285 <-> ENABLED <-> FILE-IDENTIFY XSLT file download request (file-identify.rules) * 1:21286 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules) * 1:21287 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules) * 1:21289 <-> DISABLED <-> OS-WINDOWS Microsoft Color Control Panel STI.dll dll-load exploit attempt (os-windows.rules) * 1:213 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit attempt (malware-backdoor.rules) * 1:21377 <-> DISABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager sql injection attempt (server-webapp.rules) * 1:214 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x (malware-backdoor.rules) * 1:21442 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - base64 encoded (malware-cnc.rules) * 1:21478 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules) * 1:215 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit attempt (malware-backdoor.rules) * 1:21519 <-> DISABLED <-> INDICATOR-OBFUSCATION Dadongs obfuscated javascript (indicator-obfuscation.rules) * 1:21567 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design wintab32.dll dll-load exploit attempt (os-windows.rules) * 1:21577 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - charcode (indicator-obfuscation.rules) * 1:216 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit satori attempt (malware-backdoor.rules) * 1:21637 <-> DISABLED <-> POLICY-SPAM local user attempted to fill out paypal phishing form (policy-spam.rules) * 1:2177 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder unicode access (os-windows.rules) * 1:21782 <-> DISABLED <-> INDICATOR-OBFUSCATION script tag in POST parameters - likely cross-site scripting (indicator-obfuscation.rules) * 1:21784 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting (indicator-obfuscation.rules) * 1:21785 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript escape function in POST parameters - likely javascript injection (indicator-obfuscation.rules) * 1:21786 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection (indicator-obfuscation.rules) * 1:21787 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection (indicator-obfuscation.rules) * 1:21938 <-> DISABLED <-> PROTOCOL-TELNET RuggedCom default backdoor login attempt (protocol-telnet.rules) * 1:22061 <-> ENABLED <-> MALWARE-OTHER Alureon - Malicious IFRAME load attempt (malware-other.rules) * 1:22072 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:22074 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - charCode (indicator-obfuscation.rules) * 1:2275 <-> DISABLED <-> SERVER-MAIL AUTH LOGON brute force attempt (server-mail.rules) * 1:22969 <-> ENABLED <-> FILE-IDENTIFY remote desktop configuration file attachment detected (file-identify.rules) * 1:22970 <-> ENABLED <-> FILE-IDENTIFY remote desktop configuration file attachment detected (file-identify.rules) * 1:23018 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules) * 1:23085 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - join (indicator-obfuscation.rules) * 1:23087 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - xval (indicator-obfuscation.rules) * 1:23088 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - qweqwe (indicator-obfuscation.rules) * 1:23089 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript strings - obfuscation pattern (indicator-obfuscation.rules) * 1:23113 <-> DISABLED <-> INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious (indicator-obfuscation.rules) * 1:23160 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:23161 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - eval (indicator-obfuscation.rules) * 1:23165 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online wlanapi.dll dll-load exploit attempt (server-other.rules) * 1:23481 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in setTimeout call (indicator-obfuscation.rules) * 1:23482 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in addEventListener call (indicator-obfuscation.rules) * 1:235 <-> DISABLED <-> MALWARE-OTHER Trin00 Attacker to Master default mdie password (malware-other.rules) * 1:23603 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan MSIE agent string (indicator-scan.rules) * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:23620 <-> ENABLED <-> MALWARE-OTHER Malvertising network attempted redirect (malware-other.rules) * 1:23636 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder (indicator-obfuscation.rules) * 1:237 <-> DISABLED <-> MALWARE-OTHER Trin00 Master to Daemon default password attempt (malware-other.rules) * 1:23831 <-> DISABLED <-> INDICATOR-OBFUSCATION non-alphanumeric javascript detected (indicator-obfuscation.rules) * 1:23832 <-> DISABLED <-> INDICATOR-OBFUSCATION non-alphanumeric javascript detected (indicator-obfuscation.rules) * 1:23947 <-> DISABLED <-> SQL IBM System Storage DS storage manager profiler sql injection attempt (sql.rules) * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules) * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules) * 1:24096 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules) * 1:24097 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules) * 1:24098 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules) * 1:24167 <-> DISABLED <-> INDICATOR-OBFUSCATION document write of unescaped value with remote script (indicator-obfuscation.rules) * 1:24368 <-> ENABLED <-> MALWARE-CNC Lizamoon sql injection campaign phone-home (malware-cnc.rules) * 1:24372 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:24435 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt (server-webapp.rules) * 1:24704 <-> DISABLED <-> SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt (server-webapp.rules) * 1:24705 <-> DISABLED <-> SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt (server-webapp.rules) * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice arbitrary file deletion attempt (server-webapp.rules) * 1:24801 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager Express asset.getmimetype sql injection attempt (server-webapp.rules) * 1:24814 <-> DISABLED <-> PROTOCOL-SNMP Samsung printer default community string (protocol-snmp.rules) * 1:25060 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveX multiple adjacent object tags (indicator-obfuscation.rules) * 1:25106 <-> DISABLED <-> MALWARE-BACKDOOR UnrealIRCd backdoor command execution attempt (malware-backdoor.rules) * 1:25391 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit obfuscated payload download (exploit-kit.rules) * 1:25451 <-> ENABLED <-> INDICATOR-OBFUSCATION GIF header followed by PDF header (indicator-obfuscation.rules) * 1:25453 <-> ENABLED <-> INDICATOR-OBFUSCATION JPEG header followed by PDF header (indicator-obfuscation.rules) * 1:25454 <-> ENABLED <-> INDICATOR-OBFUSCATION DOC header followed by PDF header (indicator-obfuscation.rules) * 1:25456 <-> ENABLED <-> INDICATOR-OBFUSCATION PNG header followed by PDF header (indicator-obfuscation.rules) * 1:25562 <-> DISABLED <-> FILE-JAVA Oracle Java obfuscated jar file download attempt (file-java.rules) * 1:25567 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - POST request (os-windows.rules) * 1:25577 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST (malware-cnc.rules) * 1:25580 <-> ENABLED <-> MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack (malware-other.rules) * 1:25783 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:2579 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow TCP (server-other.rules) * 1:25983 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (indicator-obfuscation.rules) * 1:26040 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt (exploit-kit.rules) * 1:26261 <-> ENABLED <-> MALWARE-OTHER Fake postal receipt HTTP Response phishing attack (malware-other.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules) * 1:26349 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit obfuscated portable executable (exploit-kit.rules) * 1:26565 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules) * 1:26567 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules) * 1:26568 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules) * 1:26592 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt (browser-webkit.rules) * 1:26595 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript hex character extraction routine detected (indicator-obfuscation.rules) * 1:26596 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript fromCharCode xor decryption routine detected (indicator-obfuscation.rules) * 1:26639 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value (browser-ie.rules) * 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules) * 1:26689 <-> DISABLED <-> OS-MOBILE Android Denofow phone information exfiltration (os-mobile.rules) * 1:26769 <-> DISABLED <-> SERVER-OTHER MIT Kerberos kpasswd process_chpw_request denial of service attempt (server-other.rules) * 1:26774 <-> ENABLED <-> MALWARE-CNC Win.Worm.Luder variant outbound connection (malware-cnc.rules) * 1:26803 <-> ENABLED <-> MALWARE-OTHER DNS data exfiltration attempt (malware-other.rules) * 1:27073 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules) * 1:27074 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules) * 1:27193 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:27194 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:27195 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules) * 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules) * 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules) * 1:27259 <-> DISABLED <-> INDICATOR-OBFUSCATION eval large block of fromCharCode (indicator-obfuscation.rules) * 1:27592 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:27593 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split (indicator-obfuscation.rules) * 1:27729 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /Silic.jsp (indicator-compromise.rules) * 1:27732 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /jspspy.jsp (indicator-compromise.rules) * 1:27756 <-> DISABLED <-> SERVER-WEBAPP RedHat Piranha Virtual Server Package default passwd and arbitrary command execution attempt (server-webapp.rules) * 1:27774 <-> ENABLED <-> MALWARE-CNC RDN Banker Data Exfiltration (malware-cnc.rules) * 1:27920 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:27956 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (malware-other.rules) * 1:27961 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (malware-other.rules) * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:28025 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz Potential phishing URL (malware-cnc.rules) * 1:28278 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager express user.updateUserValue sql injection attempt (server-webapp.rules) * 1:28301 <-> DISABLED <-> INDICATOR-SCAN User-Agent known malicious user-agent Masscan (indicator-scan.rules) * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:28344 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to chr function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:28351 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:28420 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28422 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28630 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:28811 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28812 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28831 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro d2d1.dll dll-load exploit attempt (file-other.rules) * 1:28833 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt (file-other.rules) * 1:28835 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt (file-other.rules) * 1:28836 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wintab32.dll dll-load exploit attempt (file-other.rules) * 1:28837 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro d2d1.dll dll-load exploit attempt (file-other.rules) * 1:28839 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt (file-other.rules) * 1:28841 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt (file-other.rules) * 1:28842 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wintab32.dll dll-load exploit attempt (file-other.rules) * 1:28931 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHM file load attempt (browser-ie.rules) * 1:28991 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Qakbot FTP data exfiltration (malware-cnc.rules) * 1:29031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant inbound connection (malware-cnc.rules) * 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules) * 1:29261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (malware-cnc.rules) * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules) * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules) * 1:29394 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit QuickTime plugin content-type http header buffer overflow attempt (browser-webkit.rules) * 1:29396 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip receipt filename download with .exe name within .zip the same (policy-spam.rules) * 1:29509 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple character encodings detected (indicator-obfuscation.rules) * 1:29510 <-> ENABLED <-> INDICATOR-OBFUSCATION Multiple character encodings detected (indicator-obfuscation.rules) * 1:29580 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVG data processing obfuscated memory corruption attempt (browser-firefox.rules) * 1:29620 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop malformed PNG detected tRNS overflow attempt (file-image.rules) * 1:29681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt (browser-plugins.rules) * 1:29745 <-> DISABLED <-> INDICATOR-OBFUSCATION Alternating character encodings - JS variable (indicator-obfuscation.rules) * 1:29756 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager express user.updateUserValue sql injection attempt (server-webapp.rules) * 1:29789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Careto plugin download (malware-cnc.rules) * 1:29790 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Careto plugin download (malware-cnc.rules) * 1:29886 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Crypi.A outbound keylogger traffic (malware-cnc.rules) * 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (exploit-kit.rules) * 1:30041 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:30392 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload cmd_windows_reverse_powershell (indicator-shellcode.rules) * 1:30567 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt (malware-other.rules) * 1:30568 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt (malware-other.rules) * 1:30569 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent Funeral ceremony phishing attempt (malware-other.rules) * 1:30982 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Karnos variant outbound connection (malware-cnc.rules) * 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules) * 1:31301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (browser-ie.rules) * 1:31303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadeki variant outbound connection (malware-cnc.rules) * 1:31411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31416 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31765 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules) * 1:31806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nighthunter data exfiltration attempt (malware-cnc.rules) * 1:31807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nighthunter data exfiltration attempt (malware-cnc.rules) * 1:31846 <-> DISABLED <-> POLICY-OTHER HP Universal CMDB default credentials authentication attempt (policy-other.rules) * 1:31859 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (exploit-kit.rules) * 1:31874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt (os-windows.rules) * 1:32008 <-> ENABLED <-> MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack (malware-other.rules) * 1:32068 <-> DISABLED <-> POLICY-OTHER SolarWinds Log and Event Manager default credentials authentication attempt (policy-other.rules) * 1:32204 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules) * 1:32205 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules) * 1:40864 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:32502 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (file-other.rules) * 1:32526 <-> DISABLED <-> POLICY-OTHER Visual Mining NetCharts default credentials authentication attempt (policy-other.rules) * 1:32602 <-> DISABLED <-> POLICY-OTHER ManageEngine Eventlog Analyzer credential disclosure attempt (policy-other.rules) * 1:3273 <-> DISABLED <-> SQL sa brute force failed login unicode attempt (sql.rules) * 1:32740 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:32755 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (server-other.rules) * 1:32756 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (server-other.rules) * 1:32759 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (server-other.rules) * 1:32771 <-> DISABLED <-> MALWARE-OTHER Adobe Invoice email scam phishing attempt (malware-other.rules) * 1:32772 <-> DISABLED <-> MALWARE-OTHER Adobe License Key email scam phishing attempt (malware-other.rules) * 1:32804 <-> ENABLED <-> EXPLOIT-KIT known malicious javascript packer detected (exploit-kit.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:32945 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (file-identify.rules) * 1:10096 <-> DISABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - keylog (malware-other.rules) * 1:10097 <-> ENABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection (malware-other.rules) * 1:32946 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (file-identify.rules) * 1:10099 <-> ENABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection (malware-other.rules) * 1:10100 <-> DISABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - open website (malware-other.rules) * 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules) * 1:10165 <-> DISABLED <-> MALWARE-OTHER Keylogger mybr Keylogger runtime detection (malware-other.rules) * 1:10167 <-> DISABLED <-> MALWARE-OTHER Keylogger radar spy 1.0 runtime detection - send html log (malware-other.rules) * 1:10440 <-> DISABLED <-> MALWARE-OTHER Keylogger pc black box runtime detection (malware-other.rules) * 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules) * 1:33223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules) * 1:33547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Turla outbound connection (malware-cnc.rules) * 1:33566 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt (browser-firefox.rules) * 1:33656 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak data exfiltration attempt (malware-cnc.rules) * 1:1122 <-> DISABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules) * 1:33857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PwnPOS data exfiltration attempt (malware-cnc.rules) * 1:33939 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (malware-other.rules) * 1:33940 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (malware-other.rules) * 1:11307 <-> DISABLED <-> MALWARE-OTHER Keylogger computer monitor Keylogger runtime detection (malware-other.rules) * 1:11309 <-> DISABLED <-> MALWARE-OTHER Keylogger sskc v2.0 runtime detection (malware-other.rules) * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:34037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound connection (malware-cnc.rules) * 1:34112 <-> DISABLED <-> SERVER-OTHER NTP mode 6 REQ_NONCE denial of service attempt (server-other.rules) * 1:34114 <-> DISABLED <-> SERVER-OTHER NTP mode 6 UNSETTRAP denial of service attempt (server-other.rules) * 1:34118 <-> DISABLED <-> INDICATOR-OBFUSCATION known malicious javascript packer detected (indicator-obfuscation.rules) * 1:34226 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple AV products evasion attempt (indicator-obfuscation.rules) * 1:34227 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple AV products evasion attempt (indicator-obfuscation.rules) * 1:12075 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (protocol-rpc.rules) * 1:34295 <-> DISABLED <-> SQL Lblog possible sql injection attempt - GET parameter (sql.rules) * 1:12080 <-> DISABLED <-> OS-SOLARIS Oracle Solaris printd arbitrary file deletion vulnerability (os-solaris.rules) * 1:34446 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Odlanor information exfiltration attempt (malware-cnc.rules) * 1:34890 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro u32ZLib.dll dll-load exploit attempt (file-other.rules) * 1:12131 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - keylogging (malware-other.rules) * 1:12132 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - keylogging (malware-other.rules) * 1:34891 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro u32Zlib.dll dll-load exploit attempt (file-other.rules) * 1:12134 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - open url (malware-other.rules) * 1:12135 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - fun (malware-other.rules) * 1:34893 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro quserex.dll dll-load exploit attempt (file-other.rules) * 1:12137 <-> DISABLED <-> MALWARE-OTHER Keylogger Keylogger king home 2.3 runtime detection (malware-other.rules) * 1:12141 <-> DISABLED <-> MALWARE-OTHER Keylogger logit v1.0 runtime detection (malware-other.rules) * 1:12187 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 tcp rename_principal attempt (protocol-rpc.rules) * 1:34896 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro TD_Mgd_3.08_9.dll dll-load exploit attempt (file-other.rules) * 1:34899 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wacommt.dll dll-load exploit attempt (file-other.rules) * 1:34900 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro igfxcmrt32.dll dll-load exploit attempt (file-other.rules) * 1:34901 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro igfxcmrt32.dll dll-load exploit attempt (file-other.rules) * 1:34902 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt (file-other.rules) * 1:12424 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc RPCSEC_GSS buffer overflow attempt (protocol-rpc.rules) * 1:34903 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro MSPStyleLib.dll dll-load exploit attempt (file-other.rules) * 1:34905 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uFioUtil.dll dll-load exploit attempt (file-other.rules) * 1:34906 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uFioUtil.dll dll-load exploit attempt (file-other.rules) * 1:12698 <-> DISABLED <-> MALWARE-OTHER Keylogger net vizo 5.2 runtime detection (malware-other.rules) * 1:12708 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt (protocol-rpc.rules) * 1:34909 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt (file-other.rules) * 1:34911 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll.dll dll-load exploit attempt (file-other.rules) * 1:34912 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll.dll dll-load exploit attempt (file-other.rules) * 1:34913 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll_SSE3.dll dll-load exploit attempt (file-other.rules) * 1:34914 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll_SSE3.dll dll-load exploit attempt (file-other.rules) * 1:34915 <-> DISABLED <-> NETBIOS SMB Corel PaintShop Pro quserex.dll dll-load exploit attempt (netbios.rules) * 1:34916 <-> DISABLED <-> NETBIOS SMB Corel PaintShop Pro u32zlib.dll dll-load exploit attempt (netbios.rules) * 1:12771 <-> DISABLED <-> BROWSER-PLUGINS obfuscated BaoFeng Storm MPS.dll ActiveX exploit attempt (browser-plugins.rules) * 1:34944 <-> DISABLED <-> POLICY-OTHER Arcserve Unified Data Protection Management credential disclosure attempt (policy-other.rules) * 1:12772 <-> DISABLED <-> BROWSER-PLUGINS obfuscated PPStream PowerPlayer ActiveX exploit attempt (browser-plugins.rules) * 1:35029 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.Lotronc variant outbound connection (malware-cnc.rules) * 1:35111 <-> DISABLED <-> SERVER-OTHER OpenSSL anomalous x509 certificate with default org name and certificate chain detected (server-other.rules) * 1:12792 <-> ENABLED <-> MALWARE-OTHER Keylogger spy lantern Keylogger pro 6.0 runtime detection (malware-other.rules) * 1:12793 <-> DISABLED <-> MALWARE-OTHER Keylogger spy lantern Keylogger pro 6.0 runtime detection (malware-other.rules) * 1:35118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules) * 1:13236 <-> ENABLED <-> MALWARE-OTHER Keylogger active Keylogger 3.9.2 runtime detection (malware-other.rules) * 1:13237 <-> DISABLED <-> MALWARE-OTHER Keylogger active Keylogger 3.9.2 runtime detection (malware-other.rules) * 1:35168 <-> DISABLED <-> FILE-OFFICE Microsoft Office rapi.dll dll-load exploit attempt (file-office.rules) * 1:13244 <-> DISABLED <-> MALWARE-OTHER Keylogger computer monitor 1.1 by lastcomfort runtime detection (malware-other.rules) * 1:13278 <-> ENABLED <-> MALWARE-OTHER Keylogger advanced spy 4.0 runtime detection (malware-other.rules) * 1:13346 <-> ENABLED <-> PUA-ADWARE Snoopware remote desktop inspector outbound connection - init connection (pua-adware.rules) * 1:35317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Directate outbound connection (malware-cnc.rules) * 1:35471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Baisogu outbound connection (malware-cnc.rules) * 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules) * 1:3552 <-> DISABLED <-> OS-WINDOWS Microsoft Windows OLE32 MSHTA masquerade attempt (os-windows.rules) * 1:35527 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules) * 1:13551 <-> DISABLED <-> SERVER-ORACLE Oracle XDB.XDB_PITRIG_PKG sql injection attempt (server-oracle.rules) * 1:35528 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules) * 1:35738 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules) * 1:35769 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike inbound connection (malware-backdoor.rules) * 1:13625 <-> DISABLED <-> MALWARE-CNC MBR rootkit HTTP POST activity detected (malware-cnc.rules) * 1:13642 <-> DISABLED <-> MALWARE-OTHER Keylogger easy Keylogger runtime detection (malware-other.rules) * 1:35886 <-> DISABLED <-> POLICY-OTHER Kaskad SCADA default username and password attempt (policy-other.rules) * 1:36054 <-> ENABLED <-> MALWARE-CNC Ios.Backdoor.SYNful inbound connection (malware-cnc.rules) * 1:36070 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join attempt (indicator-obfuscation.rules) * 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules) * 1:36198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant certificate (malware-cnc.rules) * 1:36201 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (exploit-kit.rules) * 1:36250 <-> DISABLED <-> SERVER-OTHER ntpd keyfile buffer overflow attempt (server-other.rules) * 1:13791 <-> DISABLED <-> INDICATOR-OBFUSCATION oversized cast statement - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:36251 <-> DISABLED <-> SERVER-OTHER ntpq atoascii memory corruption attempt (server-other.rules) * 1:13812 <-> DISABLED <-> MALWARE-OTHER Keylogger refog Keylogger runtime detection (malware-other.rules) * 1:36253 <-> DISABLED <-> SERVER-OTHER ntpd saveconfig directory traversal attempt (server-other.rules) * 1:36338 <-> ENABLED <-> MALWARE-OTHER Apple iTunes Connect HTTP response phishing attempt (malware-other.rules) * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules) * 1:14008 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to concat function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:36375 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Management Framework Endpoint default HTTP password authentication attempt (server-other.rules) * 1:14040 <-> DISABLED <-> SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt (server-other.rules) * 1:14041 <-> DISABLED <-> SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt - 2 (server-other.rules) * 1:36408 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:14074 <-> DISABLED <-> MALWARE-OTHER Keylogger spybosspro 4.2 runtime detection (malware-other.rules) * 1:14075 <-> DISABLED <-> MALWARE-OTHER Keylogger ultimate Keylogger pro runtime detection (malware-other.rules) * 1:15363 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential obfuscated javascript eval unescape attack attempt (indicator-obfuscation.rules) * 1:36536 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK packet flood attempt (server-other.rules) * 1:36601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules) * 1:36602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules) * 1:36603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules) * 1:36632 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules) * 1:15584 <-> DISABLED <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules) * 1:36633 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules) * 1:3679 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Products IFRAME src javascript code execution (indicator-obfuscation.rules) * 1:36804 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdistsvc.dll dll-load exploit attempt (os-windows.rules) * 1:15850 <-> DISABLED <-> OS-WINDOWS Remote Desktop orderType remote code execution attempt (os-windows.rules) * 1:15861 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access (browser-plugins.rules) * 1:36816 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected (server-other.rules) * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules) * 1:36931 <-> ENABLED <-> FILE-OFFICE Microsoft Office wuaext.dll dll-load exploit attempt (file-office.rules) * 1:36994 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:36996 <-> ENABLED <-> FILE-OFFICE Microsoft Office spframe.dll dll-load exploit attempt (file-office.rules) * 1:36999 <-> ENABLED <-> FILE-OFFICE Microsoft Office elsext.dll dll-load exploit attempt (file-office.rules) * 1:37000 <-> ENABLED <-> FILE-OFFICE Microsoft Office nwdblib.dll dll-load exploit attempt (file-office.rules) * 1:16137 <-> DISABLED <-> MALWARE-OTHER Keylogger cheat monitor runtime detection (malware-other.rules) * 1:37130 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules) * 1:16207 <-> DISABLED <-> SERVER-WEBAPP MIT Kerberos V% KAdminD klog_vsyslog server overflow attempt (server-webapp.rules) * 1:37243 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules) * 1:37257 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mapi32x.dll dll-load exploit attempt (browser-ie.rules) * 1:16350 <-> DISABLED <-> SERVER-OTHER ntp mode 7 denial of service attempt (server-other.rules) * 1:16354 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader start-of-file alternate header obfuscation (file-pdf.rules) * 1:37262 <-> ENABLED <-> FILE-OFFICE Microsoft Office mfplat.dll dll-load exploit attempt (file-office.rules) * 1:16390 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader alternate file magic obfuscation (file-pdf.rules) * 1:16455 <-> DISABLED <-> MALWARE-OTHER Keylogger egyspy keylogger 1.13 runtime detection (malware-other.rules) * 1:37275 <-> ENABLED <-> OS-WINDOWS Microsoft Windows feclient.dll dll-load exploit attempt (os-windows.rules) * 1:16573 <-> DISABLED <-> BROWSER-PLUGINS obfuscated ActiveX object instantiation via unescape (browser-plugins.rules) * 1:16574 <-> DISABLED <-> BROWSER-PLUGINS obfuscated ActiveX object instantiation via fromCharCode (browser-plugins.rules) * 1:17111 <-> DISABLED <-> INDICATOR-OBFUSCATION known JavaScript obfuscation routine (indicator-obfuscation.rules) * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules) * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules) * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules) * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:17274 <-> DISABLED <-> SERVER-OTHER MIT Kerberos V5 KDC krb5_unparse_name overflow attempt (server-other.rules) * 1:37312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules) * 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules) * 1:37378 <-> DISABLED <-> SERVER-WEBAPP ABB default password login attempt (server-webapp.rules) * 1:17386 <-> DISABLED <-> SERVER-WEBAPP Lighttpd mod_fastcgi Extension CGI Variable Overwriting Vulnerability attempt (server-webapp.rules) * 1:17400 <-> DISABLED <-> INDICATOR-OBFUSCATION rename of javascript unescape function detected (indicator-obfuscation.rules) * 1:37381 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules) * 1:37383 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules) * 1:37384 <-> DISABLED <-> SERVER-WEBAPP Emerson default password login attempt (server-webapp.rules) * 1:37385 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules) * 1:37386 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules) * 1:37387 <-> DISABLED <-> SERVER-WEBAPP Moxa default password login attempt (server-webapp.rules) * 1:37388 <-> DISABLED <-> SERVER-WEBAPP NOVUS AUTOMATION default password login attempt (server-webapp.rules) * 1:1817 <-> DISABLED <-> SERVER-IIS MS Site Server default login attempt (server-iis.rules) * 1:37389 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules) * 1:18179 <-> DISABLED <-> INDICATOR-SCAN Proxyfire.net anonymous proxy scan (indicator-scan.rules) * 1:37391 <-> DISABLED <-> SERVER-WEBAPP Samsung default password login attempt (server-webapp.rules) * 1:37394 <-> DISABLED <-> SERVER-WEBAPP Wago default password login attempt (server-webapp.rules) * 1:18209 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdist.dll dll-load exploit attempt (os-windows.rules) * 1:18210 <-> DISABLED <-> OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt (os-windows.rules) * 1:37395 <-> DISABLED <-> SERVER-WEBAPP Westermo default password login attempt (server-webapp.rules) * 1:18222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:18223 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (os-windows.rules) * 1:37416 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules) * 1:18225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:18226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (os-windows.rules) * 1:18242 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access (browser-plugins.rules) * 1:37526 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (server-other.rules) * 1:37588 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word BCSRuntime.dll dll-load exploit attempt (file-office.rules) * 1:37589 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word OLMAPI32.dll dll-load exploit attempt (file-office.rules) * 1:37655 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules) * 1:37656 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules) * 1:18414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt (os-windows.rules) * 1:37728 <-> DISABLED <-> INDICATOR-OBFUSCATION SWF with large DefineBinaryData tag (indicator-obfuscation.rules) * 1:37841 <-> DISABLED <-> SERVER-OTHER ntpd reference clock impersonation attempt (server-other.rules) * 1:37842 <-> DISABLED <-> SERVER-OTHER ntpd reference clock impersonation attempt (server-other.rules) * 1:18432 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader d3dref9.dll dll-load exploit attempt (file-pdf.rules) * 1:18433 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader d3dref9.dll dll-load exploit attempt (file-other.rules) * 1:37892 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (indicator-obfuscation.rules) * 1:37904 <-> DISABLED <-> INDICATOR-OBFUSCATION fromCharcode known obfuscation attempt (indicator-obfuscation.rules) * 1:37905 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript charset concatentation attempt (indicator-obfuscation.rules) * 1:37906 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript known obfuscation method attempt (indicator-obfuscation.rules) * 1:37907 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript unicode escape variable name attempt (indicator-obfuscation.rules) * 1:37908 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript with hex variable names (indicator-obfuscation.rules) * 1:37909 <-> DISABLED <-> INDICATOR-OBFUSCATION known javascript packer detected (indicator-obfuscation.rules) * 1:18439 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (file-pdf.rules) * 1:37948 <-> DISABLED <-> INDICATOR-OBFUSCATION known malicious JavaScript decryption routine (indicator-obfuscation.rules) * 1:18440 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin agm.dll dll-load exploit attempt (file-pdf.rules) * 1:37950 <-> DISABLED <-> INDICATOR-OBFUSCATION email of heavily compressed PDF attempt (indicator-obfuscation.rules) * 1:38104 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation double unescape (indicator-obfuscation.rules) * 1:18445 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player nvapi.dll dll-load exploit attempt (file-flash.rules) * 1:18446 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player nvapi.dll dll-load exploit attempt (file-flash.rules) * 1:38105 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation double unescape (indicator-obfuscation.rules) * 1:18493 <-> DISABLED <-> INDICATOR-OBFUSCATION generic PHP code obfuscation attempt (indicator-obfuscation.rules) * 1:18494 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules) * 1:3819 <-> ENABLED <-> FILE-IDENTIFY CHM file download request (file-identify.rules) * 1:18496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension ehtrace.dll dll-load exploit attempt (os-windows.rules) * 1:18499 <-> DISABLED <-> OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt (os-windows.rules) * 1:18531 <-> DISABLED <-> SERVER-OTHER Multiple Vendors iacenc.dll dll-load exploit attempt (server-other.rules) * 1:38250 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded ActiveX object instantiation detected (indicator-obfuscation.rules) * 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules) * 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt (indicator-obfuscation.rules) * 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules) * 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules) * 1:38368 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP illegal chars after encoding type evasion attempt (indicator-obfuscation.rules) * 1:38369 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header whitespace evasion attempt (indicator-obfuscation.rules) * 1:18621 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc80.dll dll-load exploit attempt (os-windows.rules) * 1:18622 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc90.dll dll-load exploit attempt (os-windows.rules) * 1:38387 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38394 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip invalid extra field evasion attempt (indicator-obfuscation.rules) * 1:38417 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules) * 1:38418 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules) * 1:38419 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules) * 1:38420 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules) * 1:38469 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (os-windows.rules) * 1:18629 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc100.dll dll-load exploit attempt (os-windows.rules) * 1:38470 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (os-windows.rules) * 1:18717 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banker.QO variant outbound connection (malware-cnc.rules) * 1:38541 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules) * 1:38559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes (malware-cnc.rules) * 1:18831 <-> DISABLED <-> FILE-IDENTIFY .hta attachment file type blocked by Outlook detected (file-identify.rules) * 1:18901 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC Ticket validation double free memory corruption attempt (server-other.rules) * 1:38560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot (malware-cnc.rules) * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules) * 1:19036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules) * 1:38562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt (malware-cnc.rules) * 1:19074 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript uuencoded noop sled attempt (indicator-obfuscation.rules) * 1:19075 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript uuencoded eval statement (indicator-obfuscation.rules) * 1:19122 <-> DISABLED <-> POLICY-SPAM appledownload.com known spam email attempt (policy-spam.rules) * 1:38565 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper initial download attempt (malware-cnc.rules) * 1:38596 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules) * 1:38597 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules) * 1:38598 <-> DISABLED <-> INDICATOR-OBFUSCATION invalid HTTP header evasion attempt (indicator-obfuscation.rules) * 1:38599 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt (indicator-obfuscation.rules) * 1:19315 <-> DISABLED <-> OS-WINDOWS Microsoft Groove GroovePerfmon.dll dll-load exploit attempt (os-windows.rules) * 1:38600 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules) * 1:38602 <-> DISABLED <-> INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt (indicator-obfuscation.rules) * 1:38614 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules) * 1:19324 <-> ENABLED <-> MALWARE-OTHER Keylogger WL-Keylogger inbound connection (malware-other.rules) * 1:19325 <-> DISABLED <-> MALWARE-OTHER Keylogger WL-Keylogger outbound connection (malware-other.rules) * 1:38617 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules) * 1:38637 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules) * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules) * 1:38642 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 301 response evasion attempt (indicator-obfuscation.rules) * 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules) * 1:38667 <-> DISABLED <-> INDICATOR-OBFUSCATION Mixed case encoding type evasion attempt (indicator-obfuscation.rules) * 1:38677 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules) * 1:19440 <-> ENABLED <-> SQL 1 = 0 - possible sql injection attempt (sql.rules) * 1:38678 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules) * 1:19465 <-> DISABLED <-> OS-WINDOWS Visio mfc71 dll-load attempt (os-windows.rules) * 1:38724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renegin outbound GET attempt (malware-cnc.rules) * 1:38876 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (exploit-kit.rules) * 1:19567 <-> DISABLED <-> PUA-ADWARE W32.Ackantta.C.mm mass-mailer outbound connection (pua-adware.rules) * 1:19568 <-> DISABLED <-> MALWARE-CNC Trojan-Spy.Win32.PerfectKeylogger variant outbound connection (malware-cnc.rules) * 1:38890 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts exfiltration attempt (malware-cnc.rules) * 1:19619 <-> DISABLED <-> FILE-OTHER Adobe Audition assist.dll dll-load exploit attempt (file-other.rules) * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules) * 1:38922 <-> DISABLED <-> INDICATOR-OBFUSCATION Brotli encoding evasion attempt (indicator-obfuscation.rules) * 1:19671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (browser-ie.rules) * 1:19673 <-> DISABLED <-> OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt (os-windows.rules) * 1:19779 <-> DISABLED <-> INDICATOR-SCAN sqlmap SQL injection scan attempt (indicator-scan.rules) * 1:39293 <-> DISABLED <-> FILE-FLASH Adobe Flash Player apphelp.dll dll-load exploit attempt (file-flash.rules) * 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (indicator-obfuscation.rules) * 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (indicator-obfuscation.rules) * 1:39341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS credit card data exfiltration (malware-cnc.rules) * 1:39343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS keylog exfiltration (malware-cnc.rules) * 1:19889 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded data object found (indicator-obfuscation.rules) * 1:39409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant initial outbound connection (malware-cnc.rules) * 1:39488 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (indicator-obfuscation.rules) * 1:39489 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (indicator-obfuscation.rules) * 1:19901 <-> DISABLED <-> MALWARE-OTHER Tong Keylogger outbound connection (malware-other.rules) * 1:19925 <-> DISABLED <-> BROWSER-PLUGINS Novell iPrint ActiveX client browser plugin call-back-url buffer overflow attempt (browser-plugins.rules) * 1:39533 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSL multi-dimensional array memory corruption attempt (file-pdf.rules) * 1:39734 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Xtrat outbound connection detected (malware-other.rules) * 1:39755 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Retefe variant malicious certificate installation page (malware-other.rules) * 1:39756 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Retefe variant malicious certificate installation page (malware-other.rules) * 1:39870 <-> DISABLED <-> INDICATOR-COMPROMISE Oracle E-Business Suite arbitrary node deletion (indicator-compromise.rules) * 1:39911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules) * 1:39930 <-> ENABLED <-> SERVER-WEBAPP Siemens IP-Camera credential disclosure attempt (server-webapp.rules) * 1:20119 <-> DISABLED <-> OS-WINDOWS Microsoft Windows shell extensions deskpan.dll dll-load exploit attempt (os-windows.rules) * 1:40079 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio visdlgu.dll dll-load exploit attempt (file-office.rules) * 1:20137 <-> DISABLED <-> INDICATOR-OBFUSCATION Possible generic javascript heap spray attempt (indicator-obfuscation.rules) * 1:40095 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (indicator-scan.rules) * 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used without HTTP 1.1 evasion attempt. (indicator-obfuscation.rules) * 1:20253 <-> DISABLED <-> OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt (os-windows.rules) * 1:20254 <-> DISABLED <-> OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt (os-windows.rules) * 1:40316 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:20276 <-> DISABLED <-> INDICATOR-OBFUSCATION standard ASCII encoded with UTF-8 possible evasion detected (indicator-obfuscation.rules) * 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules) * 1:40318 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:20593 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt (browser-webkit.rules) * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:20701 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp4x322.dll dll-load exploit attempt (file-office.rules) * 1:40321 <-> DISABLED <-> SERVER-APACHE Apache Tomcat credential disclosure attempt (server-apache.rules) * 1:40325 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion default credential login attempt (server-other.rules) * 1:40331 <-> DISABLED <-> SERVER-WEBAPP JBoss default credential login attempt (server-webapp.rules) * 1:40359 <-> ENABLED <-> SERVER-APACHE Apache Struts xslt.location local file inclusion attempt (server-apache.rules) * 1:40436 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt (file-pdf.rules) * 1:21038 <-> DISABLED <-> INDICATOR-OBFUSCATION String.fromCharCode with multiple encoding types detected (indicator-obfuscation.rules) * 1:40437 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt (file-pdf.rules) * 1:40493 <-> DISABLED <-> SERVER-WEBAPP Ektron ServerControlWS.asmx XSL transform code injection attempt (server-webapp.rules) * 1:40505 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:21088 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote desktop denial of service attempt (os-windows.rules) * 1:21089 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote desktop oversized cookie attempt (os-windows.rules) * 1:40508 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40510 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40511 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40512 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40513 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40514 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:4060 <-> DISABLED <-> APP-DETECT remote desktop protocol attempted administrator connection request (app-detect.rules) * 1:21121 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell interactive SQL display (indicator-compromise.rules) * 1:40755 <-> DISABLED <-> FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt (file-flash.rules) * 1:21129 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell (indicator-compromise.rules) * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules) * 1:40857 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:21133 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell encoder page (indicator-compromise.rules) * 1:21134 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell security information page (indicator-compromise.rules) * 1:40858 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:21136 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell security bypass page (indicator-compromise.rules) * 1:21137 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell tools page (indicator-compromise.rules) * 1:40860 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:21139 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell spread shell page (indicator-compromise.rules) * 1:21140 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell kill shell page (indicator-compromise.rules) * 1:21284 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules) * 1:40863 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:21290 <-> DISABLED <-> OS-WINDOWS Microsoft Color Control Panel STI.dll dll-load exploit attempt (os-windows.rules) * 1:21310 <-> DISABLED <-> OS-WINDOWS Microsoft product fputlsat.dll dll-load exploit attempt (os-windows.rules) * 1:21318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FakeAV TDSS/PurpleHaze variant outbound connection - base64 encoded (malware-cnc.rules) * 1:21322 <-> DISABLED <-> FILE-OTHER Multiple products version.dll dll-load exploit attempt (file-other.rules) * 1:21323 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player atl.dll dll-load exploit attempt (file-flash.rules) * 1:21324 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player uxtheme.dll dll-load exploit attempt (file-flash.rules) * 1:2145 <-> DISABLED <-> SERVER-WEBAPP TextPortal admin.php default password admin attempt (server-webapp.rules) * 1:2146 <-> DISABLED <-> SERVER-WEBAPP TextPortal admin.php default password 12345 attempt (server-webapp.rules) * 1:21479 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules) * 1:21489 <-> DISABLED <-> FILE-OTHER Microsoft Windows chm file malware related exploit (file-other.rules) * 1:21550 <-> ENABLED <-> MALWARE-BACKDOOR ToolsPack PHP Backdoor access (malware-backdoor.rules) * 1:21578 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - eval (indicator-obfuscation.rules) * 1:21579 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:21580 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:21582 <-> DISABLED <-> FILE-PDF PDF obfuscation attempt (file-pdf.rules) * 1:2176 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder access (os-windows.rules) * 1:21778 <-> DISABLED <-> SQL parameter ending in comment characters - possible sql injection attempt - POST (sql.rules) * 1:21779 <-> DISABLED <-> SQL parameter ending in encoded comment characters - possible sql injection attempt - POST (sql.rules) * 1:21780 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded waitfor delay function in POST - possible sql injection attempt (indicator-obfuscation.rules) * 1:21781 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded union select function in POST - possible sql injection attempt (indicator-obfuscation.rules) * 1:21783 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting (indicator-obfuscation.rules) * 1:21947 <-> DISABLED <-> MALWARE-CNC Win.Trojan.VicSpy.A variant outbound connection (malware-cnc.rules) * 1:22033 <-> ENABLED <-> MALWARE-CNC Apple OSX Flashback malware variant outbound connection (malware-cnc.rules) * 1:22034 <-> ENABLED <-> MALWARE-CNC Apple OSX Flashback malware variant outbound connection (malware-cnc.rules) * 1:22053 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Insomnia variant inbound connection - post infection (malware-cnc.rules) * 1:22071 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - eval (indicator-obfuscation.rules) * 1:22073 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - unescape (indicator-obfuscation.rules) * 1:2230 <-> DISABLED <-> SERVER-WEBAPP NetGear router default password login attempt admin/password (server-webapp.rules) * 1:2273 <-> DISABLED <-> PROTOCOL-IMAP login brute force attempt (protocol-imap.rules) * 1:2274 <-> DISABLED <-> PROTOCOL-POP login brute force attempt (protocol-pop.rules) * 1:23086 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - push (indicator-obfuscation.rules) * 1:23114 <-> DISABLED <-> INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious (indicator-obfuscation.rules) * 1:23164 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online ncrypt.dll dll-load exploit attempt (server-other.rules) * 1:23226 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript error suppression routine (indicator-obfuscation.rules) * 1:233 <-> DISABLED <-> MALWARE-OTHER Trin00 Attacker to Master default startup password (malware-other.rules) * 1:23316 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word imeshare.dll dll-load exploit attempt (file-office.rules) * 1:2334 <-> DISABLED <-> PROTOCOL-FTP Yak! FTP server default account login attempt (protocol-ftp.rules) * 1:234 <-> DISABLED <-> MALWARE-OTHER Trin00 Attacker to Master default password (malware-other.rules) * 1:23601 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan default agent string (indicator-scan.rules) * 1:23602 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan Firefox agent string (indicator-scan.rules) * 1:23604 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan iPhone agent string (indicator-scan.rules) * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:23621 <-> DISABLED <-> INDICATOR-OBFUSCATION known packer routine with secondary obfuscation (indicator-obfuscation.rules) * 1:23757 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules) * 1:23780 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Begfanit.A outbound connection (malware-cnc.rules) * 1:23829 <-> DISABLED <-> INDICATOR-COMPROMISE Loaderz Web Shell (indicator-compromise.rules) * 1:23830 <-> DISABLED <-> INDICATOR-COMPROMISE Alsa3ek Web Shell (indicator-compromise.rules) * 1:23934 <-> DISABLED <-> SERVER-WEBAPP Symantec Web Gateway blocked.php blind sql injection attempt (server-webapp.rules) * 1:23985 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime plugin SetLanguage buffer overflow attempt (browser-plugins.rules) * 1:23986 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime plugin SetLanguage buffer overflow attempt (browser-plugins.rules) * 1:24008 <-> DISABLED <-> POLICY-OTHER use of psexec remote administration tool (policy-other.rules) * 1:2406 <-> DISABLED <-> PROTOCOL-TELNET APC SmartSlot default admin account attempt (protocol-telnet.rules) * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules) * 1:24168 <-> DISABLED <-> INDICATOR-OBFUSCATION hidden iframe - potential include of malicious content (indicator-obfuscation.rules) * 1:24243 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - base64 encoded (malware-cnc.rules) * 1:24306 <-> DISABLED <-> SERVER-APACHE HP Operations Dashboard Apache Tomcat default admin account access attempt (server-apache.rules) * 1:24360 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Kerberos NULL session denial of service attempt (os-windows.rules) * 1:24369 <-> DISABLED <-> MALWARE-CNC Lizamoon sql injection campaign ur.php response detected (malware-cnc.rules) * 1:24426 <-> DISABLED <-> MALWARE-OTHER Java.Trojan.Jacksbot class download (malware-other.rules) * 1:24436 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt (server-webapp.rules) * 1:24517 <-> DISABLED <-> SERVER-WEBAPP F5 Networks FirePass my.activation.php3 state parameter sql injection attempt (server-webapp.rules) * 1:24629 <-> DISABLED <-> SERVER-WEBAPP Oracle Fusion Middleware WebCenter selectedLocale parameter sql injection attempt (server-webapp.rules) * 1:25010 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Perflog variant outbound connection (malware-cnc.rules) * 1:25452 <-> ENABLED <-> INDICATOR-OBFUSCATION PNG header followed by PDF header (indicator-obfuscation.rules) * 1:25455 <-> ENABLED <-> INDICATOR-OBFUSCATION GIF header followed by PDF header (indicator-obfuscation.rules) * 1:25457 <-> ENABLED <-> INDICATOR-OBFUSCATION JPEG header followed by PDF header (indicator-obfuscation.rules) * 1:25458 <-> ENABLED <-> INDICATOR-OBFUSCATION DOC header followed by PDF header (indicator-obfuscation.rules) * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:25503 <-> ENABLED <-> MALWARE-CNC Necurs Rootkit sba.cgi (malware-cnc.rules) * 1:25504 <-> ENABLED <-> MALWARE-CNC Necurs Rootkit op.cgi (malware-cnc.rules) * 1:25578 <-> ENABLED <-> MALWARE-OTHER Fake postal receipt HTTP Response phishing attack (malware-other.rules) * 1:25579 <-> ENABLED <-> MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack (malware-other.rules) * 1:25592 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated document command - used in IFRAMEr tool injection (indicator-obfuscation.rules) * 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules) * 1:25907 <-> DISABLED <-> SERVER-WEBAPP PHPmyadmin brute force login attempt - User-Agent User-Agent (server-webapp.rules) * 1:26070 <-> ENABLED <-> FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt (file-executable.rules) * 1:26071 <-> ENABLED <-> FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt (file-executable.rules) * 1:26092 <-> ENABLED <-> INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages (indicator-obfuscation.rules) * 1:26101 <-> ENABLED <-> INDICATOR-OBFUSCATION String.fromCharCode concatenation (indicator-obfuscation.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules) * 1:26352 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits (indicator-obfuscation.rules) * 1:26440 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected (indicator-obfuscation.rules) * 1:26441 <-> ENABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected (indicator-obfuscation.rules) * 1:26451 <-> DISABLED <-> INDICATOR-OBFUSCATION g01pack Javascript substr function wrapper attempt (indicator-obfuscation.rules) * 1:26566 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules) * 1:26615 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript substr rename attempt (indicator-obfuscation.rules) * 1:26616 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript indexOf rename attempt (indicator-obfuscation.rules) * 1:26619 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious (indicator-obfuscation.rules) * 1:26620 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious (indicator-obfuscation.rules) * 1:26640 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value (browser-ie.rules) * 1:26660 <-> ENABLED <-> MALWARE-OTHER Fake delivery information phishing attack (malware-other.rules) * 1:26693 <-> DISABLED <-> OS-MOBILE Android Antammi device information exfiltration (os-mobile.rules) * 1:26705 <-> DISABLED <-> OS-MOBILE Android Ewalls device information exfiltration (os-mobile.rules) * 1:26759 <-> DISABLED <-> SERVER-OTHER MIT Kerberos libkdb_ldap principal name handling denial of service attempt (server-other.rules) * 1:27119 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple plugin version detection attempt (indicator-obfuscation.rules) * 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules) * 1:27258 <-> DISABLED <-> INDICATOR-OBFUSCATION eval large block of fromCharCode (indicator-obfuscation.rules) * 1:27272 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:27286 <-> DISABLED <-> SERVER-WEBAPP DuWare DuClassmate default.asp iCity sql injection attempt (server-webapp.rules) * 1:27287 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:27288 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:27538 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name (malware-other.rules) * 1:27730 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /css3.jsp (indicator-compromise.rules) * 1:27731 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /inback.jsp (indicator-compromise.rules) * 1:27735 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool usage (indicator-obfuscation.rules) * 1:27736 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:27919 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration (malware-cnc.rules) * 1:27957 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (malware-other.rules) * 1:27958 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (malware-other.rules) * 1:27959 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (malware-other.rules) * 1:27960 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (malware-other.rules) * 1:27967 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:28002 <-> DISABLED <-> INDICATOR-SCAN UPnP WANPPPConnection (indicator-scan.rules) * 1:28003 <-> DISABLED <-> INDICATOR-SCAN UPnP WANIPConnection (indicator-scan.rules) * 1:28023 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28024 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28149 <-> DISABLED <-> SERVER-OTHER Quest Software Big Brother attempted arbitrary file deletion (server-other.rules) * 1:28345 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28346 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28349 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:28350 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:28399 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Tsunami outbound connection (malware-cnc.rules) * 1:28421 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28552 <-> DISABLED <-> INDICATOR-SCAN inbound probing for IPTUX messenger port (indicator-scan.rules) * 1:28609 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit obfuscated exploit payload download (exploit-kit.rules) * 1:28629 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:28834 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt (file-other.rules) * 1:28840 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt (file-other.rules) * 1:28908 <-> DISABLED <-> SERVER-OTHER Nagios core config manager tfpassword sql injection attempt (server-other.rules) * 1:28932 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHM file load attempt (browser-ie.rules) * 1:28941 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28976 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent.DF - Data Exfiltration (malware-cnc.rules) * 1:28978 <-> DISABLED <-> FILE-OTHER CHM LZX compression reset interval anti-virus evasion attempt (file-other.rules) * 1:28979 <-> DISABLED <-> FILE-OTHER CHM LZX compression reset interval anti-virus evasion attempt (file-other.rules) * 1:29190 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in Nuclear exploit kit (indicator-obfuscation.rules) * 1:29213 <-> ENABLED <-> INDICATOR-OBFUSCATION potential math library debugging (indicator-obfuscation.rules) * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules) * 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules) * 1:29393 <-> DISABLED <-> SERVER-OTHER ntp monlist denial of service attempt (server-other.rules) * 1:29397 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip shipping filename download with .exe name within .zip the same (policy-spam.rules) * 1:29398 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip voicemail filename download with .exe name within .zip the same (policy-spam.rules) * 1:29399 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip statement filename download with .exe name within .zip the same (policy-spam.rules) * 1:29462 <-> ENABLED <-> INDICATOR-SCAN User-Agent known malicious user-agent The Mole (indicator-scan.rules) * 1:29519 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join (indicator-obfuscation.rules) * 1:29608 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO showRegisteredTypeDetails.do sql injection attempt (server-webapp.rules) * 1:29609 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO DisplayMSAPropsDetail.do sql injection attempt (server-webapp.rules) * 1:29615 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keylogger outbound connection (malware-cnc.rules) * 1:29616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keylogger inbound connection (malware-cnc.rules) * 1:29680 <-> DISABLED <-> BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt (browser-plugins.rules) * 1:29791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Careto plugin download (malware-cnc.rules) * 1:29807 <-> DISABLED <-> INDICATOR-OBFUSCATION Alternating character encodings - JS array (indicator-obfuscation.rules) * 1:29813 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized HTML number encodings detected in clsid access attempt (indicator-obfuscation.rules) * 1:29869 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Napolar phishing attack (malware-cnc.rules) * 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules) * 1:30040 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:30281 <-> DISABLED <-> POLICY-OTHER use of psexec remote administration tool SMBv2 (policy-other.rules) * 1:30327 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple binary tags in close proximity - potentially malicious (indicator-obfuscation.rules) * 1:30328 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple binary tags in close proximity - potentially malicious (indicator-obfuscation.rules) * 1:31070 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs outbound connection (malware-cnc.rules) * 1:31412 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31415 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (os-windows.rules) * 1:3152 <-> DISABLED <-> SQL sa brute force failed login attempt (sql.rules) * 1:31556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke HTTP data exfiltration attempt (malware-cnc.rules) * 1:31564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke FTP data exfiltration (malware-cnc.rules) * 1:31711 <-> DISABLED <-> INDICATOR-COMPROMISE Keylog string over FTP detected (indicator-compromise.rules) * 1:31764 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules) * 1:31830 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules) * 1:31831 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules) * 1:31857 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules) * 1:31858 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules) * 1:32001 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules) * 1:32102 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules) * 1:32103 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules) * 1:32104 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules) * 1:32105 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules) * 1:32312 <-> DISABLED <-> MALWARE-CNC FrameworkPOS data exfiltration through DNS - beacon message (malware-cnc.rules) * 3:49362 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0787 attack attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49594 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules) * 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules) * 1:49577 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49581 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49582 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49579 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49601 <-> DISABLED <-> SERVER-OTHER Century Star SCADA directory traversal attempt (server-other.rules) * 1:49587 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules) * 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules) * 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules) * 1:49605 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt (server-webapp.rules) * 1:49595 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49575 <-> DISABLED <-> FILE-IMAGE SketchUp BMP RLE8 parsing buffer overflow attempt (file-image.rules) * 1:49580 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49593 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules) * 1:49578 <-> DISABLED <-> SERVER-WEBAPP ElectronJS Exodus remote code execution attempt (server-webapp.rules) * 1:49597 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GlobeImposter malicious executable download attempt (malware-cnc.rules) * 1:49576 <-> DISABLED <-> FILE-IMAGE SketchUp BMP RLE8 parsing buffer overflow attempt (file-image.rules) * 1:49599 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt detected (file-pdf.rules) * 1:49592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt (malware-cnc.rules) * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules) * 1:49602 <-> DISABLED <-> SERVER-OTHER Century Star SCADA directory traversal attempt (server-other.rules) * 1:49600 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt detected (file-pdf.rules) * 1:49604 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt (server-webapp.rules) * 1:49596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GlobeImposter malicious executable download attempt (malware-cnc.rules) * 1:49603 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt (server-webapp.rules) * 1:49598 <-> DISABLED <-> SERVER-WEBAPP Fiberhome AN5506-04-F RP2669 cross site scripting attempt (server-webapp.rules) * 3:49610 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui dhcp resource command injection attempt (server-webapp.rules) * 3:49611 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui information disclosure attempt (server-webapp.rules) * 3:49607 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP calling display name denial of service attempt (protocol-voip.rules) * 3:49608 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui execPython access attempt (server-webapp.rules) * 3:49613 <-> ENABLED <-> POLICY-OTHER Cisco Virtual Switching System master request message detected (policy-other.rules) * 3:49590 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui debugBundle command injection attempt (server-webapp.rules) * 3:49606 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP calling display name denial of service attempt (protocol-voip.rules) * 3:49615 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui rathrottler command injection attempt (server-webapp.rules) * 3:49609 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui cdp resource command injection attempt (server-webapp.rules) * 3:49616 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui rathrottler command injection attempt (server-webapp.rules) * 3:49614 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui rathrottler command injection attempt (server-webapp.rules) * 3:49612 <-> ENABLED <-> POLICY-OTHER Cisco Virtual Switching System standby interested message detected (policy-other.rules) * 3:49588 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui debugBundle command injection attempt (server-webapp.rules) * 3:49591 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui directory traversal attempt (server-webapp.rules) * 3:49589 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui debugBundle command injection attempt (server-webapp.rules)
* 1:43370 <-> DISABLED <-> NETBIOS DCERPC possible wmi remote process launch (netbios.rules) * 1:49056 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:42395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oddjob outbound connection (malware-cnc.rules) * 1:7545 <-> ENABLED <-> MALWARE-OTHER Keylogger PerfectKeylogger runtime detection - flowbit set 2 (malware-other.rules) * 1:45928 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules) * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules) * 1:46685 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:48288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (malware-cnc.rules) * 1:7165 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 1 (malware-other.rules) * 1:43289 <-> DISABLED <-> SERVER-WEBAPP /etc/shadow file access attempt (server-webapp.rules) * 1:42864 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:6159 <-> DISABLED <-> MALWARE-BACKDOOR delirium of disorder runtime detection - enable keylogger (malware-backdoor.rules) * 1:45518 <-> DISABLED <-> POLICY-OTHER Remote Desktop weak 40-bit RC4 encryption use attempt (policy-other.rules) * 1:44756 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules) * 1:43073 <-> DISABLED <-> SQL SysAid potential default credential login attempt (sql.rules) * 1:48231 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (server-webapp.rules) * 1:48145 <-> DISABLED <-> FILE-OTHER McAfee True Key dll-load exploit attempt (file-other.rules) * 1:7162 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client (malware-other.rules) * 1:45454 <-> DISABLED <-> SERVER-WEBAPP PostfixAdmin protected alias deletion attempt (server-webapp.rules) * 1:6365 <-> DISABLED <-> MALWARE-OTHER Sony rootkit runtime detection (malware-other.rules) * 1:44475 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Handshake spoof runtime detection (malware-other.rules) * 1:45370 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules) * 1:6386 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent up notification (malware-other.rules) * 1:48573 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary file deletion attempt (server-webapp.rules) * 1:42292 <-> DISABLED <-> INDICATOR-COMPROMISE malicious javascript obfuscation detected (indicator-compromise.rules) * 1:42871 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:49291 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:42785 <-> DISABLED <-> INDICATOR-SCAN DNS version.bind string information disclosure attempt (indicator-scan.rules) * 1:41309 <-> DISABLED <-> FILE-OTHER Dell Precision Optimizer dll-load exploit attempt (file-other.rules) * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:7175 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - log retrieve (malware-other.rules) * 1:43989 <-> DISABLED <-> INDICATOR-OBFUSCATION newlines embedded in rtf header (indicator-obfuscation.rules) * 1:44692 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (indicator-obfuscation.rules) * 1:42305 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules) * 1:42300 <-> DISABLED <-> SERVER-WEBAPP SensorIP2 default credentials enumeration attempt (server-webapp.rules) * 1:42873 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:45483 <-> ENABLED <-> MALWARE-CNC Pdf.Phishing.Agent variant outbound connection detected (malware-cnc.rules) * 1:43180 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules) * 1:44651 <-> DISABLED <-> NETBIOS SMB NTLMSSP authentication brute force attempt (netbios.rules) * 1:41446 <-> ENABLED <-> SERVER-WEBAPP Cisco Meraki default admin credentials attempt (server-webapp.rules) * 1:5882 <-> ENABLED <-> MALWARE-OTHER Keylogger spyagent runtime detect - alert notification (malware-other.rules) * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:4916 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript onload document.write obfuscation overflow attempt (browser-ie.rules) * 1:41823 <-> DISABLED <-> SERVER-OTHER Nagios Core privilege escalation attempt (server-other.rules) * 1:46369 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules) * 1:7159 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - upload file client-to-server (malware-other.rules) * 1:6208 <-> DISABLED <-> MALWARE-OTHER Keylogger winsession runtime detection - ftp (malware-other.rules) * 1:45371 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules) * 1:44615 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious javascript deobfuscation calls attempt (indicator-obfuscation.rules) * 1:47070 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:7176 <-> DISABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - log retrieve (malware-other.rules) * 1:46387 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt (server-other.rules) * 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (malware-cnc.rules) * 1:42197 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:7166 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 2 (malware-other.rules) * 1:43707 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated vbscript detected (indicator-obfuscation.rules) * 1:42946 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped valueOf function name obfuscation attempt (indicator-obfuscation.rules) * 1:6160 <-> DISABLED <-> MALWARE-BACKDOOR delirium of disorder runtime detection - stop keylogger (malware-backdoor.rules) * 1:5778 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwpe windows activity logs (malware-other.rules) * 1:630 <-> DISABLED <-> INDICATOR-SCAN synscan portscan (indicator-scan.rules) * 1:48144 <-> DISABLED <-> FILE-OTHER McAfee True Key dll-load exploit attempt (file-other.rules) * 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules) * 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (server-webapp.rules) * 1:49057 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:43256 <-> ENABLED <-> INDICATOR-OBFUSCATION Rig EK fromCharCode offset 33 obfuscated getElementsByTagName call (indicator-obfuscation.rules) * 1:42164 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (file-other.rules) * 1:41925 <-> DISABLED <-> FILE-OTHER Notepad++ scilexer.dll dll-load exploit attempt (file-other.rules) * 1:42227 <-> DISABLED <-> SERVER-OTHER NTP Config Unpeer denial of service attempt (server-other.rules) * 1:7178 <-> ENABLED <-> MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection (malware-other.rules) * 1:48861 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules) * 1:45967 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules) * 1:49052 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:4236 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer WMI ASDI Extension ActiveX object access (browser-plugins.rules) * 1:45352 <-> ENABLED <-> MALWARE-CNC PowerShell Empire HTTP listener response (malware-cnc.rules) * 1:48895 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules) * 1:47866 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules) * 1:7541 <-> DISABLED <-> MALWARE-OTHER Keylogger starlogger runtime detection (malware-other.rules) * 1:622 <-> DISABLED <-> INDICATOR-SCAN ipEye SYN scan (indicator-scan.rules) * 1:47867 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules) * 1:46683 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:5782 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae word filtered echelon log (malware-other.rules) * 1:6143 <-> DISABLED <-> MALWARE-BACKDOOR dark connection inside v1.2 runtime detection (malware-backdoor.rules) * 1:42949 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded document class name obfuscation attempt (indicator-obfuscation.rules) * 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules) * 1:44600 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules) * 1:47585 <-> DISABLED <-> SERVER-OTHER ntpq decode array buffer overflow attempt (server-other.rules) * 1:6489 <-> DISABLED <-> PUA-ADWARE Hijacker analyze IE outbound connection - default page hijacker (pua-adware.rules) * 1:41461 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:45905 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules) * 1:45419 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules) * 1:42235 <-> DISABLED <-> SERVER-OTHER NTP malformed config request denial of service attempt (server-other.rules) * 1:5759 <-> DISABLED <-> MALWARE-OTHER Keylogger fearlesskeyspy runtime detection (malware-other.rules) * 1:42451 <-> DISABLED <-> SERVER-WEBAPP MCA Sistemas ScadaBR index.php brute force login attempt (server-webapp.rules) * 1:43127 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration enumeration attempt (policy-other.rules) * 1:42340 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (os-windows.rules) * 1:44388 <-> ENABLED <-> SERVER-WEBAPP Multiple routers getcfg.php credential disclosure attempt (server-webapp.rules) * 1:6385 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent status monitoring (malware-other.rules) * 1:46879 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules) * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:42280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules) * 1:45012 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules) * 1:44693 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (indicator-obfuscation.rules) * 1:42950 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded vbscript tag obfuscation attempt (indicator-obfuscation.rules) * 1:7158 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - remote conn server-to-client (malware-other.rules) * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules) * 1:627 <-> DISABLED <-> INDICATOR-SCAN cybercop os SFU12 probe (indicator-scan.rules) * 1:42186 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (os-windows.rules) * 1:49053 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:48863 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:47372 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules) * 1:49059 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:7141 <-> DISABLED <-> PUA-ADWARE Adware pay-per-click runtime detection - update (pua-adware.rules) * 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules) * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules) * 1:47137 <-> DISABLED <-> SERVER-WEBAPP HP VAN SDN Controller default token authentication attempt (server-webapp.rules) * 1:49055 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:42198 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:7169 <-> DISABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange (malware-other.rules) * 1:47138 <-> DISABLED <-> SERVER-WEBAPP HP VAN SDN Controller default credentials authentication attempt (server-webapp.rules) * 1:49060 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:6040 <-> ENABLED <-> MALWARE-BACKDOOR fade 1.0 runtime detection - enable keylogger (malware-backdoor.rules) * 1:7186 <-> DISABLED <-> MALWARE-OTHER Keylogger kgb Keylogger runtime detection (malware-other.rules) * 1:6041 <-> DISABLED <-> MALWARE-BACKDOOR fade 1.0 runtime detection - enable keylogger (malware-backdoor.rules) * 1:7504 <-> DISABLED <-> MALWARE-OTHER Keylogger actualspy runtime detection - ftp-data (malware-other.rules) * 1:41817 <-> DISABLED <-> SERVER-WEBAPP generic SQL select statement possible sql injection (server-webapp.rules) * 1:41457 <-> DISABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Elite Keylogger (malware-cnc.rules) * 1:43803 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:43672 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt (browser-firefox.rules) * 1:46682 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:44559 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules) * 1:49063 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:41440 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules) * 1:42926 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules) * 1:46065 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sigma outbound connection (malware-cnc.rules) * 1:5783 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae keystrokes log (malware-other.rules) * 1:49051 <-> DISABLED <-> SERVER-OTHER Ewon router default credential login attempt (server-other.rules) * 1:41917 <-> ENABLED <-> SERVER-WEBAPP Carel PlantVisorPRO default login attempt (server-webapp.rules) * 1:46381 <-> DISABLED <-> INDICATOR-COMPROMISE Potential data exfiltration through Google form submission (indicator-compromise.rules) * 1:49292 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules) * 1:43179 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules) * 1:42872 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:47116 <-> DISABLED <-> SERVER-MAIL Zerofont phishing attempt (server-mail.rules) * 1:45137 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit run hidden powershell attempt (indicator-compromise.rules) * 1:45173 <-> DISABLED <-> BROWSER-FIREFOX Mozilla download directory file deletion attempt (browser-firefox.rules) * 1:45174 <-> DISABLED <-> BROWSER-FIREFOX Mozilla download directory file deletion attempt (browser-firefox.rules) * 1:27193 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:44560 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules) * 1:5880 <-> ENABLED <-> MALWARE-OTHER Keylogger spyagent runtime detect - smtp delivery (malware-other.rules) * 1:42133 <-> DISABLED <-> SERVER-APACHE Apache mod_session_crypto padding oracle brute force attempt (server-apache.rules) * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt attempt (indicator-obfuscation.rules) * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules) * 1:41564 <-> DISABLED <-> FILE-OFFICE Microsoft Office imjp12k.dll dll-load exploit attempt (file-office.rules) * 1:6221 <-> DISABLED <-> MALWARE-OTHER Keylogger computerspy runtime detection (malware-other.rules) * 1:43673 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt (browser-firefox.rules) * 1:42887 <-> ENABLED <-> SERVER-OTHER ntpq flagstr buffer overflow attempt (server-other.rules) * 1:7515 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - remote monitoring (malware-other.rules) * 1:7505 <-> DISABLED <-> MALWARE-OTHER Keylogger actualspy runtime detection - smtp (malware-other.rules) * 1:41308 <-> DISABLED <-> FILE-OTHER Dell Precision Optimizer dll-load exploit attempt (file-other.rules) * 1:7544 <-> ENABLED <-> MALWARE-OTHER Keylogger PerfectKeylogger runtime detection - flowbit set 1 (malware-other.rules) * 1:5780 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwpe word filtered echelon log (malware-other.rules) * 1:48894 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules) * 1:6383 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - tcp connection setup (malware-other.rules) * 1:42863 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:7512 <-> ENABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - init connection - flowbit set (malware-other.rules) * 1:7163 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - execute file client-to-server (malware-other.rules) * 1:626 <-> DISABLED <-> INDICATOR-SCAN cybercop os PA12 attempt (indicator-scan.rules) * 1:5781 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae windows activity logs (malware-other.rules) * 1:41824 <-> DISABLED <-> SERVER-OTHER Nagios Core privilege escalation attempt (server-other.rules) * 1:6340 <-> DISABLED <-> MALWARE-OTHER Keylogger handy keylogger runtime detection (malware-other.rules) * 1:7154 <-> DISABLED <-> MALWARE-OTHER Keylogger active keylogger home runtime detection (malware-other.rules) * 1:48531 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules) * 1:48862 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:49290 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:44235 <-> ENABLED <-> INDICATOR-OBFUSCATION FOPO obfuscated PHP file upload attempt (indicator-obfuscation.rules) * 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules) * 1:42304 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules) * 1:44601 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules) * 1:44623 <-> DISABLED <-> POLICY-OTHER EMC Autostart default domain login attempt (policy-other.rules) * 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules) * 1:47462 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules) * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules) * 1:7596 <-> ENABLED <-> MALWARE-OTHER Keylogger spy lantern keylogger runtime detection - flowbit set (malware-other.rules) * 1:45927 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules) * 1:42948 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped split function name obfuscation attempt (indicator-obfuscation.rules) * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:43802 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:5742 <-> DISABLED <-> MALWARE-OTHER Keylogger activitylogger runtime detection (malware-other.rules) * 1:46482 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules) * 1:46027 <-> DISABLED <-> SERVER-WEBAPP EventManager page.php sql injection attempt SQL injection attempt (server-webapp.rules) * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:42289 <-> DISABLED <-> INDICATOR-SCAN PHP info leak attempt (indicator-scan.rules) * 1:45068 <-> DISABLED <-> SERVER-OTHER Oracle Identity Manager default login attempt (server-other.rules) * 1:42185 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (os-windows.rules) * 1:42163 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (file-other.rules) * 1:41712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Houdini backdoor file download request (malware-cnc.rules) * 1:44702 <-> DISABLED <-> POLICY-OTHER Inedo BuildMaster web server login with default credentials attempt (policy-other.rules) * 1:7179 <-> ENABLED <-> MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection (malware-other.rules) * 1:49061 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:7099 <-> ENABLED <-> MALWARE-BACKDOOR remote hack 1.5 runtime detection - start keylogger (malware-backdoor.rules) * 1:5779 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwpe shell file logs (malware-other.rules) * 1:42890 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules) * 1:41460 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:45915 <-> DISABLED <-> INDICATOR-COMPROMISE PHP obfuscated eval command execution attempt (indicator-compromise.rules) * 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules) * 1:43002 <-> ENABLED <-> PROTOCOL-OTHER NETBIOS SMB IPC share access attempt (protocol-other.rules) * 1:45904 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules) * 1:7167 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 3 (malware-other.rules) * 1:7513 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - init connection (malware-other.rules) * 1:48532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules) * 1:49289 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules) * 1:46678 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:43288 <-> DISABLED <-> SERVER-WEBAPP /etc/motd file access attempt (server-webapp.rules) * 1:41459 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:45418 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules) * 1:48864 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules) * 1:45006 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules) * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules) * 1:49064 <-> DISABLED <-> SERVER-OTHER Westermo router default credential login attempt (server-other.rules) * 1:43128 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration overwrite attempt (policy-other.rules) * 1:46368 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell upload attempt (malware-backdoor.rules) * 1:43837 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript regex (indicator-obfuscation.rules) * 1:7180 <-> DISABLED <-> MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection (malware-other.rules) * 1:44561 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:44563 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:6207 <-> DISABLED <-> MALWARE-OTHER Keylogger winsession runtime detection - smtp (malware-other.rules) * 1:42874 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:49054 <-> DISABLED <-> SERVER-OTHER Moxa router default credential login attempt (server-other.rules) * 1:6190 <-> DISABLED <-> MALWARE-OTHER Keylogger eblaster 5.0 runtime detection (malware-other.rules) * 1:616 <-> DISABLED <-> INDICATOR-SCAN ident version request (indicator-scan.rules) * 1:42876 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules) * 1:46675 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:7539 <-> DISABLED <-> MALWARE-OTHER Keylogger eye spy pro 1.0 runtime detection (malware-other.rules) * 1:44697 <-> DISABLED <-> MALWARE-CNC SquirrelMail directory traversal attempt (malware-cnc.rules) * 1:7164 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - execute file server-to-client (malware-other.rules) * 1:41435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules) * 1:41920 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux authentication token brute force attempt (server-webapp.rules) * 1:7156 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - email delivery (malware-other.rules) * 1:42017 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded HTTP response with no Content-Length or chunked Transfer-Encoding header (indicator-obfuscation.rules) * 1:48508 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules) * 1:47115 <-> DISABLED <-> SERVER-MAIL Zerofont phishing attempt (server-mail.rules) * 1:5790 <-> DISABLED <-> MALWARE-OTHER Keylogger pc actmon pro runtime detection - smtp (malware-other.rules) * 1:7185 <-> DISABLED <-> MALWARE-OTHER Keylogger 007 spy software runtime detection - ftp (malware-other.rules) * 1:47371 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules) * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules) * 1:44172 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious dynamic http link creation attempt (indicator-obfuscation.rules) * 1:46067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection (malware-cnc.rules) * 1:47422 <-> DISABLED <-> FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt (file-other.rules) * 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:43990 <-> DISABLED <-> INDICATOR-OBFUSCATION RTF obfuscation string (indicator-obfuscation.rules) * 1:42870 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:44562 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:41456 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Elite Keylogger (malware-cnc.rules) * 1:45136 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit PowerShell CLI Download and Run attempt (indicator-compromise.rules) * 1:4984 <-> DISABLED <-> SQL sa brute force failed login unicode attempt (sql.rules) * 1:7161 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file client-to-server (malware-other.rules) * 1:7160 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - upload file server-to-client (malware-other.rules) * 1:45968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules) * 1:41205 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (file-pdf.rules) * 1:5777 <-> DISABLED <-> MALWARE-OTHER Keylogger gurl watcher runtime detection (malware-other.rules) * 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules) * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules) * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules) * 1:5881 <-> ENABLED <-> MALWARE-OTHER Keylogger spyagent runtime detect - ftp delivery (malware-other.rules) * 1:42877 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules) * 1:43805 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:43113 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric IGSS dashboard deletion attempt (server-webapp.rules) * 1:6220 <-> DISABLED <-> MALWARE-OTHER Keylogger boss everyware runtime detection (malware-other.rules) * 1:42875 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules) * 1:7592 <-> DISABLED <-> MALWARE-OTHER Keylogger keylogger pro runtime detection (malware-other.rules) * 1:47052 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt (server-other.rules) * 1:7597 <-> DISABLED <-> MALWARE-OTHER Keylogger spy lantern keylogger runtime detection (malware-other.rules) * 1:7591 <-> ENABLED <-> MALWARE-OTHER Keylogger keylogger pro runtime detection - flowbit set (malware-other.rules) * 1:7552 <-> DISABLED <-> MALWARE-OTHER Keylogger ardamax keylogger runtime detection - ftp (malware-other.rules) * 1:7549 <-> DISABLED <-> MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection (malware-other.rules) * 1:7547 <-> DISABLED <-> MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection - agent status monitoring (malware-other.rules) * 1:7548 <-> DISABLED <-> MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection - agent up notification (malware-other.rules) * 1:7564 <-> DISABLED <-> PUA-ADWARE Hijacker startnow outbound connection (pua-adware.rules) * 1:7574 <-> DISABLED <-> MALWARE-OTHER Keylogger proagent 2.0 runtime detection (malware-other.rules) * 1:10096 <-> DISABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - keylog (malware-other.rules) * 1:7551 <-> DISABLED <-> MALWARE-OTHER Keylogger ardamax keylogger runtime detection - smtp (malware-other.rules) * 1:7772 <-> ENABLED <-> MALWARE-BACKDOOR messiah 4.0 runtime detection - enable keylogger - flowbit set (malware-backdoor.rules) * 1:7546 <-> DISABLED <-> MALWARE-OTHER Keylogger PerfectKeylogger runtime detection (malware-other.rules) * 1:44599 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules) * 1:43003 <-> ENABLED <-> PROTOCOL-OTHER NETBIOS SMB IPC share access attempt (protocol-other.rules) * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection (malware-cnc.rules) * 1:7157 <-> ENABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - remote conn client-to-server (malware-other.rules) * 1:42925 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules) * 1:619 <-> DISABLED <-> INDICATOR-SCAN cybercop os probe (indicator-scan.rules) * 1:43287 <-> DISABLED <-> SERVER-WEBAPP /etc/inetd.conf file access attempt (server-webapp.rules) * 1:43708 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated vbscript detected (indicator-obfuscation.rules) * 1:5784 <-> DISABLED <-> MALWARE-OTHER Keylogger runtime detection - hwae urls browsed log (malware-other.rules) * 1:49058 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:43804 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:45980 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection (malware-cnc.rules) * 1:7177 <-> DISABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - info send through email (malware-other.rules) * 1:47461 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules) * 1:7168 <-> ENABLED <-> MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 4 (malware-other.rules) * 1:42947 <-> ENABLED <-> INDICATOR-OBFUSCATION Dridex String.prototype function definition obfuscation attempt (indicator-obfuscation.rules) * 1:45005 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules) * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules) * 1:46684 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:49062 <-> DISABLED <-> SERVER-OTHER Sierra Wireless router default credential login attempt (server-other.rules) * 1:43836 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file packed with SecureSwf obfuscator (indicator-obfuscation.rules) * 1:613 <-> DISABLED <-> INDICATOR-SCAN myscan (indicator-scan.rules) * 1:45470 <-> ENABLED <-> MALWARE-CNC SambaCry ransomware download attempt (malware-cnc.rules) * 1:45469 <-> ENABLED <-> MALWARE-CNC SambaCry ransomware download attempt (malware-cnc.rules) * 1:41458 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules) * 1:43216 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP payload not fully gzip compressed attempt (indicator-obfuscation.rules) * 1:7184 <-> DISABLED <-> MALWARE-OTHER Keylogger 007 spy software runtime detection - smtp (malware-other.rules) * 1:7514 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - send out info to server periodically (malware-other.rules) * 1:6384 <-> DISABLED <-> MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent discover broadcast (malware-other.rules) * 1:42066 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin arbitrary file deletion attempt (server-webapp.rules) * 1:4126 <-> DISABLED <-> SERVER-OTHER Veritas Backup Exec root connection attempt using default password hash (server-other.rules) * 1:46026 <-> DISABLED <-> SERVER-WEBAPP EventManager page.php sql injection attempt SQL injection attempt (server-webapp.rules) * 1:4917 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript onload prompt obfuscation overflow attempt (browser-ie.rules) * 1:42111 <-> DISABLED <-> INDICATOR-OBFUSCATION Base64 encoded String.fromCharCode (indicator-obfuscation.rules) * 1:44646 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SVCCTL remote service attempt (malware-other.rules) * 1:10097 <-> ENABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection (malware-other.rules) * 1:10098 <-> DISABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - get system info (malware-other.rules) * 1:10099 <-> ENABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection (malware-other.rules) * 1:10100 <-> DISABLED <-> MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - open website (malware-other.rules) * 1:10123 <-> DISABLED <-> PROTOCOL-VOIP PA168 chipset based IP phone default password attempt (protocol-voip.rules) * 1:10165 <-> DISABLED <-> MALWARE-OTHER Keylogger mybr Keylogger runtime detection (malware-other.rules) * 1:10089 <-> DISABLED <-> MALWARE-OTHER Keylogger beyond Keylogger runtime detection - log sent by ftp (malware-other.rules) * 1:10088 <-> DISABLED <-> MALWARE-OTHER Keylogger beyond Keylogger runtime detection - log sent by smtp (malware-other.rules) * 1:41204 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (file-pdf.rules) * 1:41164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (file-pdf.rules) * 1:41194 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules) * 1:41193 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules) * 1:7837 <-> DISABLED <-> MALWARE-OTHER Keylogger spyoutside runtime detection - email delivery (malware-other.rules) * 1:7845 <-> ENABLED <-> MALWARE-OTHER Keylogger clogger 1.0 runtime detection (malware-other.rules) * 1:7846 <-> ENABLED <-> MALWARE-OTHER Keylogger clogger 1.0 runtime detection (malware-other.rules) * 1:7807 <-> DISABLED <-> MALWARE-BACKDOOR fatal wound 1.0 runtime detection - execute file (malware-backdoor.rules) * 1:7808 <-> ENABLED <-> MALWARE-BACKDOOR fatal wound 1.0 runtime detection - upload (malware-backdoor.rules) * 1:7773 <-> DISABLED <-> MALWARE-BACKDOOR messiah 4.0 runtime detection - enable keylogger (malware-backdoor.rules) * 1:7847 <-> DISABLED <-> MALWARE-OTHER Keylogger clogger 1.0 runtime detection - send log through email (malware-other.rules) * 1:7857 <-> DISABLED <-> MALWARE-OTHER Keylogger EliteKeylogger runtime detection (malware-other.rules) * 1:8059 <-> DISABLED <-> SERVER-ORACLE SYS.KUPW-WORKER sql injection attempt (server-oracle.rules) * 1:8081 <-> DISABLED <-> INDICATOR-SCAN UPnP service discover attempt (indicator-scan.rules) * 1:809 <-> DISABLED <-> SERVER-WEBAPP whois_raw.cgi arbitrary command execution attempt (server-webapp.rules) * 1:8355 <-> ENABLED <-> MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection (malware-other.rules) * 1:8356 <-> ENABLED <-> MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send log out through email (malware-other.rules) * 1:8357 <-> ENABLED <-> MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send alert out through email (malware-other.rules) * 1:8465 <-> ENABLED <-> MALWARE-OTHER Keylogger netobserve runtime detection - email notification (malware-other.rules) * 1:8466 <-> DISABLED <-> MALWARE-OTHER Keylogger netobserve runtime detection - email notification (malware-other.rules) * 1:8467 <-> DISABLED <-> MALWARE-OTHER Keylogger netobserve runtime detection - remote login response (malware-other.rules) * 1:8544 <-> DISABLED <-> MALWARE-OTHER Keylogger nicespy runtime detection - smtp (malware-other.rules) * 1:9647 <-> DISABLED <-> MALWARE-OTHER Keylogger system surveillance pro runtime detection (malware-other.rules) * 1:9830 <-> DISABLED <-> MALWARE-OTHER Keylogger supreme spy runtime detection (malware-other.rules) * 1:1100 <-> DISABLED <-> INDICATOR-SCAN L3retriever HTTP Probe (indicator-scan.rules) * 1:27731 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /inback.jsp (indicator-compromise.rules) * 1:27732 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /jspspy.jsp (indicator-compromise.rules) * 1:27736 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:11307 <-> DISABLED <-> MALWARE-OTHER Keylogger computer monitor Keylogger runtime detection (malware-other.rules) * 1:11311 <-> DISABLED <-> MALWARE-OTHER Keylogger pcsentinelsoftware Keylogger runtime detection - upload infor (malware-other.rules) * 1:12048 <-> DISABLED <-> MALWARE-OTHER Keylogger computer Keylogger runtime detection (malware-other.rules) * 1:12075 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (protocol-rpc.rules) * 1:12080 <-> DISABLED <-> OS-SOLARIS Oracle Solaris printd arbitrary file deletion vulnerability (os-solaris.rules) * 1:12131 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - keylogging (malware-other.rules) * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:12132 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - keylogging (malware-other.rules) * 1:12134 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - open url (malware-other.rules) * 1:28003 <-> DISABLED <-> INDICATOR-SCAN UPnP WANIPConnection (indicator-scan.rules) * 1:12159 <-> DISABLED <-> MALWARE-BACKDOOR optix pro v1.32 runtime detection - keylogging (malware-backdoor.rules) * 1:12186 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp request (protocol-rpc.rules) * 1:28344 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to chr function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:12226 <-> DISABLED <-> MALWARE-OTHER Keylogger overspy runtime detection (malware-other.rules) * 1:28421 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28422 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:12708 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt (protocol-rpc.rules) * 1:28630 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:13236 <-> ENABLED <-> MALWARE-OTHER Keylogger active Keylogger 3.9.2 runtime detection (malware-other.rules) * 1:28841 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt (file-other.rules) * 1:13279 <-> DISABLED <-> MALWARE-OTHER Keylogger advanced spy 4.0 runtime detection (malware-other.rules) * 1:13280 <-> ENABLED <-> MALWARE-OTHER Keylogger email spy monitor 6.9 runtime detection (malware-other.rules) * 1:13281 <-> DISABLED <-> MALWARE-OTHER Keylogger email spy monitor 6.9 runtime detection (malware-other.rules) * 1:13346 <-> ENABLED <-> PUA-ADWARE Snoopware remote desktop inspector outbound connection - init connection (pua-adware.rules) * 1:13494 <-> DISABLED <-> MALWARE-OTHER Keylogger smart pc Keylogger runtime detection (malware-other.rules) * 1:29213 <-> ENABLED <-> INDICATOR-OBFUSCATION potential math library debugging (indicator-obfuscation.rules) * 1:29261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (malware-cnc.rules) * 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules) * 1:13625 <-> DISABLED <-> MALWARE-CNC MBR rootkit HTTP POST activity detected (malware-cnc.rules) * 1:13651 <-> DISABLED <-> MALWARE-OTHER Keylogger family cyber alert runtime detection - smtp traffic for recorded activities (malware-other.rules) * 1:13768 <-> DISABLED <-> MALWARE-OTHER Keylogger cyber sitter runtime detection (malware-other.rules) * 1:13791 <-> DISABLED <-> INDICATOR-OBFUSCATION oversized cast statement - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:13812 <-> DISABLED <-> MALWARE-OTHER Keylogger refog Keylogger runtime detection (malware-other.rules) * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules) * 1:29510 <-> ENABLED <-> INDICATOR-OBFUSCATION Multiple character encodings detected (indicator-obfuscation.rules) * 1:14008 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to concat function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:14040 <-> DISABLED <-> SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt (server-other.rules) * 1:29609 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO DisplayMSAPropsDetail.do sql injection attempt (server-webapp.rules) * 1:1434 <-> DISABLED <-> SERVER-WEBAPP .bash_history access (server-webapp.rules) * 1:15362 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (indicator-obfuscation.rules) * 1:29790 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Careto plugin download (malware-cnc.rules) * 1:15424 <-> DISABLED <-> SERVER-WEBAPP phpBB mod shoutbox sql injection attempt (server-webapp.rules) * 1:30040 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:30041 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:15861 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access (browser-plugins.rules) * 1:30392 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload cmd_windows_reverse_powershell (indicator-shellcode.rules) * 1:16390 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader alternate file magic obfuscation (file-pdf.rules) * 1:31413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:16742 <-> ENABLED <-> FILE-IDENTIFY remote desktop configuration file download request (file-identify.rules) * 1:16743 <-> DISABLED <-> FILE-OTHER Cain & Abel Remote Desktop Protocol file handling buffer overflow attempt (file-other.rules) * 1:17044 <-> ENABLED <-> SQL WinCC DB default password security bypass attempt (sql.rules) * 1:17111 <-> DISABLED <-> INDICATOR-OBFUSCATION known JavaScript obfuscation routine (indicator-obfuscation.rules) * 1:17265 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin access control bypass attempt (browser-firefox.rules) * 1:31831 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules) * 1:31846 <-> DISABLED <-> POLICY-OTHER HP Universal CMDB default credentials authentication attempt (policy-other.rules) * 1:31858 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules) * 1:17386 <-> DISABLED <-> SERVER-WEBAPP Lighttpd mod_fastcgi Extension CGI Variable Overwriting Vulnerability attempt (server-webapp.rules) * 1:17444 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt (browser-firefox.rules) * 1:18071 <-> DISABLED <-> FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt (file-office.rules) * 1:1817 <-> DISABLED <-> SERVER-IIS MS Site Server default login attempt (server-iis.rules) * 1:18179 <-> DISABLED <-> INDICATOR-SCAN Proxyfire.net anonymous proxy scan (indicator-scan.rules) * 1:18209 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdist.dll dll-load exploit attempt (os-windows.rules) * 1:32205 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules) * 1:18210 <-> DISABLED <-> OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt (os-windows.rules) * 1:18222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:32502 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (file-other.rules) * 1:18227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:18241 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:32758 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (server-other.rules) * 1:18277 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool fveapi.dll dll-load exploit attempt (os-windows.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:18433 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader d3dref9.dll dll-load exploit attempt (file-other.rules) * 1:32890 <-> DISABLED <-> SERVER-OTHER ntpd configure buffer overflow attempt (server-other.rules) * 1:18493 <-> DISABLED <-> INDICATOR-OBFUSCATION generic PHP code obfuscation attempt (indicator-obfuscation.rules) * 1:33547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Turla outbound connection (malware-cnc.rules) * 1:18500 <-> DISABLED <-> OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt (os-windows.rules) * 1:18529 <-> DISABLED <-> FILE-OTHER Adobe Premiere Pro ibfs32.dll dll-load exploit attempt (file-other.rules) * 1:18530 <-> DISABLED <-> FILE-OTHER Adobe Premier Pro ibfs32.dll dll-load exploit attempt (file-other.rules) * 1:18531 <-> DISABLED <-> SERVER-OTHER Multiple Vendors iacenc.dll dll-load exploit attempt (server-other.rules) * 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules) * 1:34114 <-> DISABLED <-> SERVER-OTHER NTP mode 6 UNSETTRAP denial of service attempt (server-other.rules) * 1:34118 <-> DISABLED <-> INDICATOR-OBFUSCATION known malicious javascript packer detected (indicator-obfuscation.rules) * 1:34227 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple AV products evasion attempt (indicator-obfuscation.rules) * 1:18621 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc80.dll dll-load exploit attempt (os-windows.rules) * 1:18623 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc100.dll dll-load exploit attempt (os-windows.rules) * 1:18627 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc80.dll dll-load exploit attempt (os-windows.rules) * 1:18629 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc100.dll dll-load exploit attempt (os-windows.rules) * 1:18717 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banker.QO variant outbound connection (malware-cnc.rules) * 1:18831 <-> DISABLED <-> FILE-IDENTIFY .hta attachment file type blocked by Outlook detected (file-identify.rules) * 1:34895 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro FxManagedCommands dll-load exploit attempt (file-other.rules) * 1:18901 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC Ticket validation double free memory corruption attempt (server-other.rules) * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules) * 1:34899 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wacommt.dll dll-load exploit attempt (file-other.rules) * 1:19079 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getElementById object corruption (browser-ie.rules) * 1:19106 <-> DISABLED <-> MALWARE-OTHER Keylogger Ardamax keylogger runtime detection - http (malware-other.rules) * 1:34908 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uhDSPlay.dll dll-load exploit attempt (file-other.rules) * 1:19171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt (browser-ie.rules) * 1:34916 <-> DISABLED <-> NETBIOS SMB Corel PaintShop Pro u32zlib.dll dll-load exploit attempt (netbios.rules) * 1:34944 <-> DISABLED <-> POLICY-OTHER Arcserve Unified Data Protection Management credential disclosure attempt (policy-other.rules) * 1:19325 <-> DISABLED <-> MALWARE-OTHER Keylogger WL-Keylogger outbound connection (malware-other.rules) * 1:35110 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules) * 1:19619 <-> DISABLED <-> FILE-OTHER Adobe Audition assist.dll dll-load exploit attempt (file-other.rules) * 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules) * 1:19674 <-> DISABLED <-> OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt (os-windows.rules) * 1:19706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent.cer variant outbound connection (malware-cnc.rules) * 1:19741 <-> DISABLED <-> MALWARE-OTHER PWS.Win32.Scofted keylogger runtime detection (malware-other.rules) * 1:19779 <-> DISABLED <-> INDICATOR-SCAN sqlmap SQL injection scan attempt (indicator-scan.rules) * 1:19887 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules) * 1:36198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant certificate (malware-cnc.rules) * 1:36250 <-> DISABLED <-> SERVER-OTHER ntpd keyfile buffer overflow attempt (server-other.rules) * 1:19901 <-> DISABLED <-> MALWARE-OTHER Tong Keylogger outbound connection (malware-other.rules) * 1:19927 <-> DISABLED <-> MALWARE-BACKDOOR BRX Rat 0.02 inbound connection (malware-backdoor.rules) * 1:20098 <-> DISABLED <-> MALWARE-CNC Win.Trojan.KeyLogger.wav variant outbound connection (malware-cnc.rules) * 1:20119 <-> DISABLED <-> OS-WINDOWS Microsoft Windows shell extensions deskpan.dll dll-load exploit attempt (os-windows.rules) * 1:20137 <-> DISABLED <-> INDICATOR-OBFUSCATION Possible generic javascript heap spray attempt (indicator-obfuscation.rules) * 1:20253 <-> DISABLED <-> OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt (os-windows.rules) * 1:36410 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:20254 <-> DISABLED <-> OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt (os-windows.rules) * 1:20276 <-> DISABLED <-> INDICATOR-OBFUSCATION standard ASCII encoded with UTF-8 possible evasion detected (indicator-obfuscation.rules) * 1:36601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules) * 1:20691 <-> DISABLED <-> POLICY-OTHER Cisco Network Registrar default credentials authentication attempt (policy-other.rules) * 1:20700 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp7x32.dll dll-load exploit attempt (file-office.rules) * 1:36815 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected (server-other.rules) * 1:20703 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp4x322.dll dll-load exploit attempt (file-office.rules) * 1:37000 <-> ENABLED <-> FILE-OFFICE Microsoft Office nwdblib.dll dll-load exploit attempt (file-office.rules) * 1:37130 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules) * 1:21089 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote desktop oversized cookie attempt (os-windows.rules) * 1:37245 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:21136 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell security bypass page (indicator-compromise.rules) * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules) * 1:21232 <-> DISABLED <-> SERVER-OTHER Remote Desktop Protocol brute force attempt (server-other.rules) * 1:21282 <-> ENABLED <-> FILE-IDENTIFY XSL file download request (file-identify.rules) * 1:21283 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules) * 1:21284 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules) * 1:21289 <-> DISABLED <-> OS-WINDOWS Microsoft Color Control Panel STI.dll dll-load exploit attempt (os-windows.rules) * 1:37385 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules) * 1:37386 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules) * 1:37388 <-> DISABLED <-> SERVER-WEBAPP NOVUS AUTOMATION default password login attempt (server-webapp.rules) * 1:21322 <-> DISABLED <-> FILE-OTHER Multiple products version.dll dll-load exploit attempt (file-other.rules) * 1:21324 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player uxtheme.dll dll-load exploit attempt (file-flash.rules) * 1:21442 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - base64 encoded (malware-cnc.rules) * 1:2146 <-> DISABLED <-> SERVER-WEBAPP TextPortal admin.php default password 12345 attempt (server-webapp.rules) * 1:21478 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules) * 1:37395 <-> DISABLED <-> SERVER-WEBAPP Westermo default password login attempt (server-webapp.rules) * 1:21489 <-> DISABLED <-> FILE-OTHER Microsoft Windows chm file malware related exploit (file-other.rules) * 1:37396 <-> DISABLED <-> SERVER-WEBAPP eWON default password login attempt (server-webapp.rules) * 1:37416 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules) * 1:37421 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules) * 1:215 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit attempt (malware-backdoor.rules) * 1:21550 <-> ENABLED <-> MALWARE-BACKDOOR ToolsPack PHP Backdoor access (malware-backdoor.rules) * 1:37556 <-> ENABLED <-> FILE-OFFICE Microsoft Office phoneinfo.dll dll-load exploit attempt (file-office.rules) * 1:37588 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word BCSRuntime.dll dll-load exploit attempt (file-office.rules) * 1:21580 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:37656 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules) * 1:21582 <-> DISABLED <-> FILE-PDF PDF obfuscation attempt (file-pdf.rules) * 1:21637 <-> DISABLED <-> POLICY-SPAM local user attempted to fill out paypal phishing form (policy-spam.rules) * 1:21778 <-> DISABLED <-> SQL parameter ending in comment characters - possible sql injection attempt - POST (sql.rules) * 1:21780 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded waitfor delay function in POST - possible sql injection attempt (indicator-obfuscation.rules) * 1:37905 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript charset concatentation attempt (indicator-obfuscation.rules) * 1:37906 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript known obfuscation method attempt (indicator-obfuscation.rules) * 1:37907 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript unicode escape variable name attempt (indicator-obfuscation.rules) * 1:37908 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript with hex variable names (indicator-obfuscation.rules) * 1:21784 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting (indicator-obfuscation.rules) * 1:37949 <-> DISABLED <-> INDICATOR-OBFUSCATION download of heavily compressed PDF attempt (indicator-obfuscation.rules) * 1:37950 <-> DISABLED <-> INDICATOR-OBFUSCATION email of heavily compressed PDF attempt (indicator-obfuscation.rules) * 1:21785 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript escape function in POST parameters - likely javascript injection (indicator-obfuscation.rules) * 1:21787 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection (indicator-obfuscation.rules) * 1:22033 <-> ENABLED <-> MALWARE-CNC Apple OSX Flashback malware variant outbound connection (malware-cnc.rules) * 1:22034 <-> ENABLED <-> MALWARE-CNC Apple OSX Flashback malware variant outbound connection (malware-cnc.rules) * 1:38104 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation double unescape (indicator-obfuscation.rules) * 1:22071 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - eval (indicator-obfuscation.rules) * 1:38105 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation double unescape (indicator-obfuscation.rules) * 1:22073 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - unescape (indicator-obfuscation.rules) * 1:38172 <-> DISABLED <-> FILE-OTHER Adobe Acrobat updaternotifications.dll dll-load exploit attempt (file-other.rules) * 1:3819 <-> ENABLED <-> FILE-IDENTIFY CHM file download request (file-identify.rules) * 1:3820 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules) * 1:22074 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - charCode (indicator-obfuscation.rules) * 1:2273 <-> DISABLED <-> PROTOCOL-IMAP login brute force attempt (protocol-imap.rules) * 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:23018 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules) * 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt (indicator-obfuscation.rules) * 1:23085 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - join (indicator-obfuscation.rules) * 1:23087 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - xval (indicator-obfuscation.rules) * 1:23113 <-> DISABLED <-> INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious (indicator-obfuscation.rules) * 1:23160 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:38417 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules) * 1:38418 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules) * 1:38419 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules) * 1:38420 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules) * 1:23226 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript error suppression routine (indicator-obfuscation.rules) * 1:38510 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant exfiltration attempt (malware-cnc.rules) * 1:38541 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules) * 1:233 <-> DISABLED <-> MALWARE-OTHER Trin00 Attacker to Master default startup password (malware-other.rules) * 1:2334 <-> DISABLED <-> PROTOCOL-FTP Yak! FTP server default account login attempt (protocol-ftp.rules) * 1:23482 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in addEventListener call (indicator-obfuscation.rules) * 1:235 <-> DISABLED <-> MALWARE-OTHER Trin00 Attacker to Master default mdie password (malware-other.rules) * 1:38559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes (malware-cnc.rules) * 1:23603 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan MSIE agent string (indicator-scan.rules) * 1:38560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot (malware-cnc.rules) * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:38561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt (malware-cnc.rules) * 1:38562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt (malware-cnc.rules) * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules) * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:23621 <-> DISABLED <-> INDICATOR-OBFUSCATION known packer routine with secondary obfuscation (indicator-obfuscation.rules) * 1:38595 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP version evasion attempt (indicator-obfuscation.rules) * 1:38596 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules) * 1:23829 <-> DISABLED <-> INDICATOR-COMPROMISE Loaderz Web Shell (indicator-compromise.rules) * 1:38599 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt (indicator-obfuscation.rules) * 1:23830 <-> DISABLED <-> INDICATOR-COMPROMISE Alsa3ek Web Shell (indicator-compromise.rules) * 1:23832 <-> DISABLED <-> INDICATOR-OBFUSCATION non-alphanumeric javascript detected (indicator-obfuscation.rules) * 1:23985 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime plugin SetLanguage buffer overflow attempt (browser-plugins.rules) * 1:24008 <-> DISABLED <-> POLICY-OTHER use of psexec remote administration tool (policy-other.rules) * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules) * 1:38642 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 301 response evasion attempt (indicator-obfuscation.rules) * 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules) * 1:38667 <-> DISABLED <-> INDICATOR-OBFUSCATION Mixed case encoding type evasion attempt (indicator-obfuscation.rules) * 1:24095 <-> DISABLED <-> APP-DETECT Teamviewer installer download attempt (app-detect.rules) * 1:38679 <-> DISABLED <-> INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt (indicator-obfuscation.rules) * 1:38724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renegin outbound GET attempt (malware-cnc.rules) * 1:24096 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules) * 1:24098 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules) * 1:24243 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - base64 encoded (malware-cnc.rules) * 1:24306 <-> DISABLED <-> SERVER-APACHE HP Operations Dashboard Apache Tomcat default admin account access attempt (server-apache.rules) * 1:38876 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (exploit-kit.rules) * 1:24369 <-> DISABLED <-> MALWARE-CNC Lizamoon sql injection campaign ur.php response detected (malware-cnc.rules) * 1:38890 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts exfiltration attempt (malware-cnc.rules) * 1:24426 <-> DISABLED <-> MALWARE-OTHER Java.Trojan.Jacksbot class download (malware-other.rules) * 1:38898 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules) * 1:38922 <-> DISABLED <-> INDICATOR-OBFUSCATION Brotli encoding evasion attempt (indicator-obfuscation.rules) * 1:38950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt (malware-cnc.rules) * 1:24435 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt (server-webapp.rules) * 1:24517 <-> DISABLED <-> SERVER-WEBAPP F5 Networks FirePass my.activation.php3 state parameter sql injection attempt (server-webapp.rules) * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules) * 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (indicator-obfuscation.rules) * 1:24801 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager Express asset.getmimetype sql injection attempt (server-webapp.rules) * 1:39343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS keylog exfiltration (malware-cnc.rules) * 1:24814 <-> DISABLED <-> PROTOCOL-SNMP Samsung printer default community string (protocol-snmp.rules) * 1:25060 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveX multiple adjacent object tags (indicator-obfuscation.rules) * 1:25451 <-> ENABLED <-> INDICATOR-OBFUSCATION GIF header followed by PDF header (indicator-obfuscation.rules) * 1:25453 <-> ENABLED <-> INDICATOR-OBFUSCATION JPEG header followed by PDF header (indicator-obfuscation.rules) * 1:39755 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Retefe variant malicious certificate installation page (malware-other.rules) * 1:39756 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Retefe variant malicious certificate installation page (malware-other.rules) * 1:39870 <-> DISABLED <-> INDICATOR-COMPROMISE Oracle E-Business Suite arbitrary node deletion (indicator-compromise.rules) * 1:39911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules) * 1:25457 <-> ENABLED <-> INDICATOR-OBFUSCATION JPEG header followed by PDF header (indicator-obfuscation.rules) * 1:40094 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (indicator-scan.rules) * 1:40095 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (indicator-scan.rules) * 1:25458 <-> ENABLED <-> INDICATOR-OBFUSCATION DOC header followed by PDF header (indicator-obfuscation.rules) * 1:25503 <-> ENABLED <-> MALWARE-CNC Necurs Rootkit sba.cgi (malware-cnc.rules) * 1:25567 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - POST request (os-windows.rules) * 1:25577 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST (malware-cnc.rules) * 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used without HTTP 1.1 evasion attempt. (indicator-obfuscation.rules) * 1:25580 <-> ENABLED <-> MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack (malware-other.rules) * 1:40316 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules) * 1:40317 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:40318 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:40319 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:25783 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:25907 <-> DISABLED <-> SERVER-WEBAPP PHPmyadmin brute force login attempt - User-Agent User-Agent (server-webapp.rules) * 1:40324 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion default credential login attempt (server-other.rules) * 1:40325 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion default credential login attempt (server-other.rules) * 1:26092 <-> ENABLED <-> INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages (indicator-obfuscation.rules) * 1:40436 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt (file-pdf.rules) * 1:26101 <-> ENABLED <-> INDICATOR-OBFUSCATION String.fromCharCode concatenation (indicator-obfuscation.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules) * 1:26352 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits (indicator-obfuscation.rules) * 1:26441 <-> ENABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected (indicator-obfuscation.rules) * 1:40511 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40512 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40513 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40514 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:26567 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules) * 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules) * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules) * 1:26568 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules) * 1:26595 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript hex character extraction routine detected (indicator-obfuscation.rules) * 1:26616 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript indexOf rename attempt (indicator-obfuscation.rules) * 1:26619 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious (indicator-obfuscation.rules) * 1:40857 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:26640 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value (browser-ie.rules) * 1:40858 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:26660 <-> ENABLED <-> MALWARE-OTHER Fake delivery information phishing attack (malware-other.rules) * 1:40859 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40860 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40861 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:26689 <-> DISABLED <-> OS-MOBILE Android Denofow phone information exfiltration (os-mobile.rules) * 1:26705 <-> DISABLED <-> OS-MOBILE Android Ewalls device information exfiltration (os-mobile.rules) * 1:40897 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40904 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules) * 1:27073 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules) * 1:41084 <-> DISABLED <-> EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected (exploit-kit.rules) * 1:27074 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules) * 1:9648 <-> DISABLED <-> MALWARE-OTHER Keylogger emailspypro runtime detection (malware-other.rules) * 1:1090 <-> DISABLED <-> SERVER-WEBAPP Allaire Pro Web Shell attempt (server-webapp.rules) * 1:11250 <-> DISABLED <-> BROWSER-PLUGINS Sony Rootkit Uninstaller ActiveX clsid access (browser-plugins.rules) * 1:27919 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration (malware-cnc.rules) * 1:27920 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:27756 <-> DISABLED <-> SERVER-WEBAPP RedHat Piranha Virtual Server Package default passwd and arbitrary command execution attempt (server-webapp.rules) * 1:27956 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (malware-other.rules) * 1:11309 <-> DISABLED <-> MALWARE-OTHER Keylogger sskc v2.0 runtime detection (malware-other.rules) * 1:12128 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - init connection (malware-other.rules) * 1:12049 <-> DISABLED <-> MALWARE-OTHER Keylogger apophis spy 1.0 runtime detection (malware-other.rules) * 1:28023 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:12136 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - fun (malware-other.rules) * 1:12187 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 tcp rename_principal attempt (protocol-rpc.rules) * 1:12185 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 tcp request (protocol-rpc.rules) * 1:12243 <-> DISABLED <-> MALWARE-BACKDOOR hotmail hacker log edition 5.0 runtime detection - init connection (malware-backdoor.rules) * 1:12372 <-> DISABLED <-> MALWARE-OTHER Keylogger mg-shadow 2.0 runtime detection (malware-other.rules) * 1:28346 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28399 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Tsunami outbound connection (malware-cnc.rules) * 1:12480 <-> ENABLED <-> MALWARE-OTHER Keylogger inside website logger 2.4 runtime detection (malware-other.rules) * 1:28351 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:12698 <-> DISABLED <-> MALWARE-OTHER Keylogger net vizo 5.2 runtime detection (malware-other.rules) * 1:28609 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit obfuscated exploit payload download (exploit-kit.rules) * 1:28629 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:12758 <-> ENABLED <-> MALWARE-OTHER Keylogger/RAT digi watcher 2.32 runtime detection (malware-other.rules) * 1:12761 <-> DISABLED <-> MALWARE-OTHER Keylogger powered Keylogger 2.2 runtime detection (malware-other.rules) * 1:12771 <-> DISABLED <-> BROWSER-PLUGINS obfuscated BaoFeng Storm MPS.dll ActiveX exploit attempt (browser-plugins.rules) * 1:12772 <-> DISABLED <-> BROWSER-PLUGINS obfuscated PPStream PowerPlayer ActiveX exploit attempt (browser-plugins.rules) * 1:12773 <-> DISABLED <-> BROWSER-PLUGINS obfuscated Xunlei Thunder PPLAYER.DLL ActiveX exploit attempt (browser-plugins.rules) * 1:12770 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows obfuscated RDS.Dataspace ActiveX exploit attempt (browser-plugins.rules) * 1:28835 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt (file-other.rules) * 1:12793 <-> DISABLED <-> MALWARE-OTHER Keylogger spy lantern Keylogger pro 6.0 runtime detection (malware-other.rules) * 1:12792 <-> ENABLED <-> MALWARE-OTHER Keylogger spy lantern Keylogger pro 6.0 runtime detection (malware-other.rules) * 1:13243 <-> ENABLED <-> MALWARE-OTHER Keylogger computer monitor 1.1 by lastcomfort runtime detection (malware-other.rules) * 1:28840 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt (file-other.rules) * 1:28979 <-> DISABLED <-> FILE-OTHER CHM LZX compression reset interval anti-virus evasion attempt (file-other.rules) * 1:13479 <-> ENABLED <-> MALWARE-OTHER Keylogger findnot guarddog 4.0 runtime detection (malware-other.rules) * 1:13480 <-> DISABLED <-> MALWARE-OTHER Keylogger findnot guarddog 4.0 runtime detection (malware-other.rules) * 1:29031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant inbound connection (malware-cnc.rules) * 1:13567 <-> DISABLED <-> MALWARE-OTHER Keylogger msn spy monitor runtime detection (malware-other.rules) * 1:29393 <-> DISABLED <-> SERVER-OTHER ntp monlist denial of service attempt (server-other.rules) * 1:29394 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit QuickTime plugin content-type http header buffer overflow attempt (browser-webkit.rules) * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules) * 1:29396 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip receipt filename download with .exe name within .zip the same (policy-spam.rules) * 1:13642 <-> DISABLED <-> MALWARE-OTHER Keylogger easy Keylogger runtime detection (malware-other.rules) * 1:13987 <-> DISABLED <-> INDICATOR-OBFUSCATION oversized convert statement - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:13778 <-> DISABLED <-> MALWARE-OTHER Keylogger kgb employee monitor runtime detection (malware-other.rules) * 1:29615 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keylogger outbound connection (malware-cnc.rules) * 1:14065 <-> DISABLED <-> MALWARE-OTHER Keylogger emptybase j runtime detection (malware-other.rules) * 1:15363 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential obfuscated javascript eval unescape attack attempt (indicator-obfuscation.rules) * 1:15169 <-> DISABLED <-> POLICY-SOCIAL XBOX Live Kerberos authentication request (policy-social.rules) * 1:15425 <-> DISABLED <-> SERVER-WEBAPP phpBB mod tag board sql injection attempt (server-webapp.rules) * 1:15431 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt (browser-firefox.rules) * 1:29807 <-> DISABLED <-> INDICATOR-OBFUSCATION Alternating character encodings - JS array (indicator-obfuscation.rules) * 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules) * 1:15697 <-> DISABLED <-> INDICATOR-OBFUSCATION rename of javascript unescape function detected (indicator-obfuscation.rules) * 1:29886 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Crypi.A outbound keylogger traffic (malware-cnc.rules) * 1:15850 <-> DISABLED <-> OS-WINDOWS Remote Desktop orderType remote code execution attempt (os-windows.rules) * 1:30327 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple binary tags in close proximity - potentially malicious (indicator-obfuscation.rules) * 1:30328 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple binary tags in close proximity - potentially malicious (indicator-obfuscation.rules) * 1:15863 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX function call access (browser-plugins.rules) * 1:16129 <-> DISABLED <-> MALWARE-OTHER Keylogger kamyab Keylogger v.3 runtime detection (malware-other.rules) * 1:16137 <-> DISABLED <-> MALWARE-OTHER Keylogger cheat monitor runtime detection (malware-other.rules) * 1:16207 <-> DISABLED <-> SERVER-WEBAPP MIT Kerberos V% KAdminD klog_vsyslog server overflow attempt (server-webapp.rules) * 1:16268 <-> ENABLED <-> MALWARE-CNC Win.Trojan.tdss.1.gen install-time detection - yournewsblog.net (malware-cnc.rules) * 1:16130 <-> DISABLED <-> MALWARE-OTHER Keylogger lord spy pro 1.4 runtime detection (malware-other.rules) * 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules) * 1:16354 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader start-of-file alternate header obfuscation (file-pdf.rules) * 1:16350 <-> DISABLED <-> SERVER-OTHER ntp mode 7 denial of service attempt (server-other.rules) * 1:16524 <-> DISABLED <-> PROTOCOL-FTP ProFTPD username sql injection attempt (protocol-ftp.rules) * 1:31412 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31764 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules) * 1:17154 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 (browser-firefox.rules) * 1:17243 <-> DISABLED <-> SERVER-OTHER MIT Kerberos V5 krb5_recvauth double free attempt (server-other.rules) * 1:31806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nighthunter data exfiltration attempt (malware-cnc.rules) * 1:17291 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded uri data object found (indicator-obfuscation.rules) * 1:32001 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules) * 1:32008 <-> ENABLED <-> MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack (malware-other.rules) * 1:31859 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (exploit-kit.rules) * 1:32068 <-> DISABLED <-> POLICY-OTHER SolarWinds Log and Event Manager default credentials authentication attempt (policy-other.rules) * 1:17400 <-> DISABLED <-> INDICATOR-OBFUSCATION rename of javascript unescape function detected (indicator-obfuscation.rules) * 1:18204 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (os-windows.rules) * 1:18132 <-> DISABLED <-> INDICATOR-OBFUSCATION malware-associated JavaScript obfuscation function (indicator-obfuscation.rules) * 1:32526 <-> DISABLED <-> POLICY-OTHER Visual Mining NetCharts default credentials authentication attempt (policy-other.rules) * 1:18224 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:18242 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access (browser-plugins.rules) * 1:18239 <-> DISABLED <-> INDICATOR-OBFUSCATION known malicious JavaScript decryption routine (indicator-obfuscation.rules) * 1:18329 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access (browser-plugins.rules) * 1:18408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt (os-windows.rules) * 1:32760 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (server-other.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:18426 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin sqlite.dll dll-load exploit attempt (file-other.rules) * 1:32804 <-> ENABLED <-> EXPLOIT-KIT known malicious javascript packer detected (exploit-kit.rules) * 1:18432 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader d3dref9.dll dll-load exploit attempt (file-pdf.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:18434 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (file-other.rules) * 1:18437 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin cooltype.dll dll-load exploit attempt (file-other.rules) * 1:18439 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (file-pdf.rules) * 1:18440 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin agm.dll dll-load exploit attempt (file-pdf.rules) * 1:18441 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin bibutils.dll dll-load exploit attempt (file-pdf.rules) * 1:18438 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt (file-other.rules) * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules) * 1:18446 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player nvapi.dll dll-load exploit attempt (file-flash.rules) * 1:18445 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player nvapi.dll dll-load exploit attempt (file-flash.rules) * 1:18495 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules) * 1:33223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules) * 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:18534 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC authentication denial of service attempt (server-other.rules) * 1:18556 <-> DISABLED <-> SERVER-WEBAPP Symantec IM manager IMAdminReportTrendFormRun.asp sql injection attempt (server-webapp.rules) * 1:33983 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit obfuscated file download (exploit-kit.rules) * 1:18619 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc40.dll dll-load exploit attempt (os-windows.rules) * 1:34446 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Odlanor information exfiltration attempt (malware-cnc.rules) * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules) * 1:34295 <-> DISABLED <-> SQL Lblog possible sql injection attempt - GET parameter (sql.rules) * 1:34709 <-> DISABLED <-> SERVER-OTHER MIT Kerberos MIT Kerberos 5 krb5_read_message denial of service attempt (server-other.rules) * 1:18622 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc90.dll dll-load exploit attempt (os-windows.rules) * 1:18782 <-> DISABLED <-> MALWARE-CNC URI Request for known malicious URI - Chinese Rootkit.Win32.Fisp.a (malware-cnc.rules) * 1:18628 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc90.dll dll-load exploit attempt (os-windows.rules) * 1:34900 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro igfxcmrt32.dll dll-load exploit attempt (file-other.rules) * 1:19037 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules) * 1:19122 <-> DISABLED <-> POLICY-SPAM appledownload.com known spam email attempt (policy-spam.rules) * 1:19081 <-> DISABLED <-> INDICATOR-OBFUSCATION known suspicious decryption routine (indicator-obfuscation.rules) * 1:19172 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt (browser-ie.rules) * 1:19311 <-> DISABLED <-> PUA-ADWARE Keylogger aspy v2.12 runtime detection (pua-adware.rules) * 1:34910 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uvipl.dll dll-load exploit attempt (file-other.rules) * 1:34914 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll_SSE3.dll dll-load exploit attempt (file-other.rules) * 1:19318 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC UDP default U dun goofed attack (malware-other.rules) * 1:34913 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll_SSE3.dll dll-load exploit attempt (file-other.rules) * 1:19324 <-> ENABLED <-> MALWARE-OTHER Keylogger WL-Keylogger inbound connection (malware-other.rules) * 1:35029 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.Lotronc variant outbound connection (malware-cnc.rules) * 1:35109 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules) * 1:19392 <-> ENABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (malware-other.rules) * 1:19438 <-> ENABLED <-> SQL url ending in comment characters - possible sql injection attempt (sql.rules) * 1:19440 <-> ENABLED <-> SQL 1 = 0 - possible sql injection attempt (sql.rules) * 1:19465 <-> DISABLED <-> OS-WINDOWS Visio mfc71 dll-load attempt (os-windows.rules) * 1:19466 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio mfc71 dll-load exploit attempt (file-office.rules) * 1:19439 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:35215 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode atlthunk.dll dll-load exploit attempt (browser-ie.rules) * 1:19568 <-> DISABLED <-> MALWARE-CNC Trojan-Spy.Win32.PerfectKeylogger variant outbound connection (malware-cnc.rules) * 1:19567 <-> DISABLED <-> PUA-ADWARE W32.Ackantta.C.mm mass-mailer outbound connection (pua-adware.rules) * 1:19665 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - GET request (os-windows.rules) * 1:35471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Baisogu outbound connection (malware-cnc.rules) * 1:35831 <-> DISABLED <-> SERVER-OTHER multiple vendors NTP daemon integer overflow attempt (server-other.rules) * 1:19868 <-> DISABLED <-> INDICATOR-OBFUSCATION hidden 1x1 div tag - potential malware obfuscation (indicator-obfuscation.rules) * 1:19884 <-> DISABLED <-> INDICATOR-OBFUSCATION String.fromCharCode with multiple encoding types detected (indicator-obfuscation.rules) * 1:36036 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (indicator-obfuscation.rules) * 1:19899 <-> ENABLED <-> MALWARE-OTHER Tong Keylogger outbound connectiooutbound connection (malware-other.rules) * 1:36253 <-> DISABLED <-> SERVER-OTHER ntpd saveconfig directory traversal attempt (server-other.rules) * 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules) * 1:36251 <-> DISABLED <-> SERVER-OTHER ntpq atoascii memory corruption attempt (server-other.rules) * 1:36304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinPlock variant outbound connection (malware-cnc.rules) * 1:19925 <-> DISABLED <-> BROWSER-PLUGINS Novell iPrint ActiveX client browser plugin call-back-url buffer overflow attempt (browser-plugins.rules) * 1:20158 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish Server default credentials login attempt (server-webapp.rules) * 1:20118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows shell extensions deskpan.dll dll-load exploit attempt (os-windows.rules) * 1:36602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules) * 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules) * 1:20701 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp4x322.dll dll-load exploit attempt (file-office.rules) * 1:20692 <-> DISABLED <-> POLICY-OTHER Cisco network registrar default credentials authentication attempt (policy-other.rules) * 1:20995 <-> DISABLED <-> POLICY-OTHER HP SiteScope integrationViewer default credentials policy-bypass attempt (policy-other.rules) * 1:20996 <-> DISABLED <-> POLICY-OTHER HP SiteScope integrationViewer default credentials policy-bypass attempt (policy-other.rules) * 1:36824 <-> DISABLED <-> EXPLOIT-KIT Known exploit kit obfuscation routine detected (exploit-kit.rules) * 1:36996 <-> ENABLED <-> FILE-OFFICE Microsoft Office spframe.dll dll-load exploit attempt (file-office.rules) * 1:21039 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:36994 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules) * 1:21088 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote desktop denial of service attempt (os-windows.rules) * 1:37243 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules) * 1:37244 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules) * 1:21108 <-> DISABLED <-> EXPLOIT-KIT unknown exploit kit obfuscated landing page (exploit-kit.rules) * 1:21119 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell interactive file system information display (indicator-compromise.rules) * 1:21121 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell interactive SQL display (indicator-compromise.rules) * 1:21129 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell (indicator-compromise.rules) * 1:21130 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell enumeration page (indicator-compromise.rules) * 1:21120 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell interactive console display (indicator-compromise.rules) * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules) * 1:21134 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell security information page (indicator-compromise.rules) * 1:21133 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell encoder page (indicator-compromise.rules) * 1:21138 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell database parsing page (indicator-compromise.rules) * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules) * 1:37380 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules) * 1:21286 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules) * 1:21287 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules) * 1:37382 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules) * 1:21310 <-> DISABLED <-> OS-WINDOWS Microsoft product fputlsat.dll dll-load exploit attempt (os-windows.rules) * 1:37391 <-> DISABLED <-> SERVER-WEBAPP Samsung default password login attempt (server-webapp.rules) * 1:37392 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules) * 1:37389 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules) * 1:37393 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules) * 1:21323 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player atl.dll dll-load exploit attempt (file-flash.rules) * 1:21479 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules) * 1:2145 <-> DISABLED <-> SERVER-WEBAPP TextPortal admin.php default password admin attempt (server-webapp.rules) * 1:37525 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (server-other.rules) * 1:37526 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (server-other.rules) * 1:37555 <-> ENABLED <-> FILE-OFFICE Microsoft Office msdaora.dll dll-load exploit attempt (file-office.rules) * 1:21519 <-> DISABLED <-> INDICATOR-OBFUSCATION Dadongs obfuscated javascript (indicator-obfuscation.rules) * 1:37589 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word OLMAPI32.dll dll-load exploit attempt (file-office.rules) * 1:21577 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - charcode (indicator-obfuscation.rules) * 1:21567 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design wintab32.dll dll-load exploit attempt (os-windows.rules) * 1:37655 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules) * 1:21579 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:21578 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript obfuscation - eval (indicator-obfuscation.rules) * 1:37728 <-> DISABLED <-> INDICATOR-OBFUSCATION SWF with large DefineBinaryData tag (indicator-obfuscation.rules) * 1:37729 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (indicator-obfuscation.rules) * 1:37841 <-> DISABLED <-> SERVER-OTHER ntpd reference clock impersonation attempt (server-other.rules) * 1:216 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit satori attempt (malware-backdoor.rules) * 1:37842 <-> DISABLED <-> SERVER-OTHER ntpd reference clock impersonation attempt (server-other.rules) * 1:37891 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (indicator-obfuscation.rules) * 1:37892 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (indicator-obfuscation.rules) * 1:37903 <-> DISABLED <-> INDICATOR-OBFUSCATION fromCharcode known obfuscation attempt (indicator-obfuscation.rules) * 1:37843 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK possible DoS attempt (server-other.rules) * 1:37904 <-> DISABLED <-> INDICATOR-OBFUSCATION fromCharcode known obfuscation attempt (indicator-obfuscation.rules) * 1:2177 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder unicode access (os-windows.rules) * 1:2176 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder access (os-windows.rules) * 1:21781 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded union select function in POST - possible sql injection attempt (indicator-obfuscation.rules) * 1:21779 <-> DISABLED <-> SQL parameter ending in encoded comment characters - possible sql injection attempt - POST (sql.rules) * 1:21782 <-> DISABLED <-> INDICATOR-OBFUSCATION script tag in POST parameters - likely cross-site scripting (indicator-obfuscation.rules) * 1:21783 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting (indicator-obfuscation.rules) * 1:37948 <-> DISABLED <-> INDICATOR-OBFUSCATION known malicious JavaScript decryption routine (indicator-obfuscation.rules) * 1:37909 <-> DISABLED <-> INDICATOR-OBFUSCATION known javascript packer detected (indicator-obfuscation.rules) * 1:37971 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:21938 <-> DISABLED <-> PROTOCOL-TELNET RuggedCom default backdoor login attempt (protocol-telnet.rules) * 1:21947 <-> DISABLED <-> MALWARE-CNC Win.Trojan.VicSpy.A variant outbound connection (malware-cnc.rules) * 1:21786 <-> DISABLED <-> INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection (indicator-obfuscation.rules) * 1:22053 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Insomnia variant inbound connection - post infection (malware-cnc.rules) * 1:37972 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated script encoding detected (indicator-obfuscation.rules) * 1:22072 <-> DISABLED <-> INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:22061 <-> ENABLED <-> MALWARE-OTHER Alureon - Malicious IFRAME load attempt (malware-other.rules) * 1:38249 <-> DISABLED <-> SERVER-WEBAPP Samsung Data Manager default password login attempt (server-webapp.rules) * 1:38250 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded ActiveX object instantiation detected (indicator-obfuscation.rules) * 1:38251 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded script language declaration detected (indicator-obfuscation.rules) * 1:2230 <-> DISABLED <-> SERVER-WEBAPP NetGear router default password login attempt admin/password (server-webapp.rules) * 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:2275 <-> DISABLED <-> SERVER-MAIL AUTH LOGON brute force attempt (server-mail.rules) * 1:2274 <-> DISABLED <-> PROTOCOL-POP login brute force attempt (protocol-pop.rules) * 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules) * 1:22970 <-> ENABLED <-> FILE-IDENTIFY remote desktop configuration file attachment detected (file-identify.rules) * 1:22969 <-> ENABLED <-> FILE-IDENTIFY remote desktop configuration file attachment detected (file-identify.rules) * 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules) * 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Encodings header evasion attempt (indicator-obfuscation.rules) * 1:38368 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP illegal chars after encoding type evasion attempt (indicator-obfuscation.rules) * 1:23086 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - push (indicator-obfuscation.rules) * 1:38369 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header whitespace evasion attempt (indicator-obfuscation.rules) * 1:38386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38387 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38388 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger geolocation check (malware-cnc.rules) * 1:38385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38394 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip invalid extra field evasion attempt (indicator-obfuscation.rules) * 1:23089 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript strings - obfuscation pattern (indicator-obfuscation.rules) * 1:23088 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript string - qweqwe (indicator-obfuscation.rules) * 1:23161 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - eval (indicator-obfuscation.rules) * 1:23114 <-> DISABLED <-> INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious (indicator-obfuscation.rules) * 1:23164 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online ncrypt.dll dll-load exploit attempt (server-other.rules) * 1:23165 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online wlanapi.dll dll-load exploit attempt (server-other.rules) * 1:38470 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (os-windows.rules) * 1:38469 <-> ENABLED <-> OS-WINDOWS Microsoft Windows api-ms-win-appmodel-runtime dll-load exploit attempt (os-windows.rules) * 1:38557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules) * 1:234 <-> DISABLED <-> MALWARE-OTHER Trin00 Attacker to Master default password (malware-other.rules) * 1:23481 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in setTimeout call (indicator-obfuscation.rules) * 1:23316 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word imeshare.dll dll-load exploit attempt (file-office.rules) * 1:23601 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan default agent string (indicator-scan.rules) * 1:38558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules) * 1:23604 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan iPhone agent string (indicator-scan.rules) * 1:23602 <-> DISABLED <-> INDICATOR-SCAN Skipfish scan Firefox agent string (indicator-scan.rules) * 1:38564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt (malware-cnc.rules) * 1:38565 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper initial download attempt (malware-cnc.rules) * 1:38566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt (malware-cnc.rules) * 1:23620 <-> ENABLED <-> MALWARE-OTHER Malvertising network attempted redirect (malware-other.rules) * 1:38597 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules) * 1:237 <-> DISABLED <-> MALWARE-OTHER Trin00 Master to Daemon default password attempt (malware-other.rules) * 1:23636 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder (indicator-obfuscation.rules) * 1:38598 <-> DISABLED <-> INDICATOR-OBFUSCATION invalid HTTP header evasion attempt (indicator-obfuscation.rules) * 1:23780 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Begfanit.A outbound connection (malware-cnc.rules) * 1:23757 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules) * 1:38600 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules) * 1:38601 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt (indicator-obfuscation.rules) * 1:38602 <-> DISABLED <-> INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt (indicator-obfuscation.rules) * 1:23831 <-> DISABLED <-> INDICATOR-OBFUSCATION non-alphanumeric javascript detected (indicator-obfuscation.rules) * 1:38614 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules) * 1:38616 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules) * 1:38617 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules) * 1:38618 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules) * 1:38615 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules) * 1:38637 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules) * 1:23947 <-> DISABLED <-> SQL IBM System Storage DS storage manager profiler sql injection attempt (sql.rules) * 1:23934 <-> DISABLED <-> SERVER-WEBAPP Symantec Web Gateway blocked.php blind sql injection attempt (server-webapp.rules) * 1:2406 <-> DISABLED <-> PROTOCOL-TELNET APC SmartSlot default admin account attempt (protocol-telnet.rules) * 1:23986 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime plugin SetLanguage buffer overflow attempt (browser-plugins.rules) * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules) * 1:24094 <-> DISABLED <-> APP-DETECT Teamviewer control server ping (app-detect.rules) * 1:38678 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules) * 1:38677 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules) * 1:38734 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header value without key evasion attempt (indicator-obfuscation.rules) * 1:24167 <-> DISABLED <-> INDICATOR-OBFUSCATION document write of unescaped value with remote script (indicator-obfuscation.rules) * 1:24168 <-> DISABLED <-> INDICATOR-OBFUSCATION hidden iframe - potential include of malicious content (indicator-obfuscation.rules) * 1:24097 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules) * 1:24360 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Kerberos NULL session denial of service attempt (os-windows.rules) * 1:38873 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MSIMG32.dll dll-load exploit attempt (file-flash.rules) * 1:24372 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:24368 <-> ENABLED <-> MALWARE-CNC Lizamoon sql injection campaign phone-home (malware-cnc.rules) * 1:39130 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (exploit-kit.rules) * 1:39293 <-> DISABLED <-> FILE-FLASH Adobe Flash Player apphelp.dll dll-load exploit attempt (file-flash.rules) * 1:39294 <-> DISABLED <-> FILE-FLASH Adobe Flash Player dbghelp.dll dll-load exploit attempt (file-flash.rules) * 1:24436 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt (server-webapp.rules) * 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (indicator-obfuscation.rules) * 1:24704 <-> DISABLED <-> SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt (server-webapp.rules) * 1:24629 <-> DISABLED <-> SERVER-WEBAPP Oracle Fusion Middleware WebCenter selectedLocale parameter sql injection attempt (server-webapp.rules) * 1:39341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS credit card data exfiltration (malware-cnc.rules) * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice arbitrary file deletion attempt (server-webapp.rules) * 1:24705 <-> DISABLED <-> SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt (server-webapp.rules) * 1:39409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant initial outbound connection (malware-cnc.rules) * 1:39410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant exfiltration outbound connection (malware-cnc.rules) * 1:39488 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (indicator-obfuscation.rules) * 1:25010 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Perflog variant outbound connection (malware-cnc.rules) * 1:39489 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (indicator-obfuscation.rules) * 1:39532 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSL multi-dimensional array memory corruption attempt (file-pdf.rules) * 1:39533 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSL multi-dimensional array memory corruption attempt (file-pdf.rules) * 1:39642 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server credential disclosure attempt (server-webapp.rules) * 1:39490 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (indicator-obfuscation.rules) * 1:39734 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Xtrat outbound connection detected (malware-other.rules) * 1:25391 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit obfuscated payload download (exploit-kit.rules) * 1:25106 <-> DISABLED <-> MALWARE-BACKDOOR UnrealIRCd backdoor command execution attempt (malware-backdoor.rules) * 1:25454 <-> ENABLED <-> INDICATOR-OBFUSCATION DOC header followed by PDF header (indicator-obfuscation.rules) * 1:25452 <-> ENABLED <-> INDICATOR-OBFUSCATION PNG header followed by PDF header (indicator-obfuscation.rules) * 1:25455 <-> ENABLED <-> INDICATOR-OBFUSCATION GIF header followed by PDF header (indicator-obfuscation.rules) * 1:25456 <-> ENABLED <-> INDICATOR-OBFUSCATION PNG header followed by PDF header (indicator-obfuscation.rules) * 1:40079 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio visdlgu.dll dll-load exploit attempt (file-office.rules) * 1:39930 <-> ENABLED <-> SERVER-WEBAPP Siemens IP-Camera credential disclosure attempt (server-webapp.rules) * 1:40220 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt (server-other.rules) * 1:25504 <-> ENABLED <-> MALWARE-CNC Necurs Rootkit op.cgi (malware-cnc.rules) * 1:25562 <-> DISABLED <-> FILE-JAVA Oracle Java obfuscated jar file download attempt (file-java.rules) * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:25578 <-> ENABLED <-> MALWARE-OTHER Fake postal receipt HTTP Response phishing attack (malware-other.rules) * 1:40238 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.AgentTesla variant outbound connection (malware-cnc.rules) * 1:25592 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated document command - used in IFRAMEr tool injection (indicator-obfuscation.rules) * 1:25579 <-> ENABLED <-> MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack (malware-other.rules) * 1:40320 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules) * 1:40321 <-> DISABLED <-> SERVER-APACHE Apache Tomcat credential disclosure attempt (server-apache.rules) * 1:40322 <-> DISABLED <-> SERVER-OTHER CA weblogic default credential login attempt (server-other.rules) * 1:2579 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow TCP (server-other.rules) * 1:40331 <-> DISABLED <-> SERVER-WEBAPP JBoss default credential login attempt (server-webapp.rules) * 1:26040 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt (exploit-kit.rules) * 1:25983 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (indicator-obfuscation.rules) * 1:40359 <-> ENABLED <-> SERVER-APACHE Apache Struts xslt.location local file inclusion attempt (server-apache.rules) * 1:26071 <-> ENABLED <-> FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt (file-executable.rules) * 1:26070 <-> ENABLED <-> FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt (file-executable.rules) * 1:40437 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt (file-pdf.rules) * 1:40450 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Agent file download attempt (malware-cnc.rules) * 1:40493 <-> DISABLED <-> SERVER-WEBAPP Ektron ServerControlWS.asmx XSL transform code injection attempt (server-webapp.rules) * 1:26261 <-> ENABLED <-> MALWARE-OTHER Fake postal receipt HTTP Response phishing attack (malware-other.rules) * 1:40505 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40507 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40508 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40509 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40506 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40510 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:26349 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit obfuscated portable executable (exploit-kit.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules) * 1:26451 <-> DISABLED <-> INDICATOR-OBFUSCATION g01pack Javascript substr function wrapper attempt (indicator-obfuscation.rules) * 1:26440 <-> DISABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected (indicator-obfuscation.rules) * 1:26565 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules) * 1:26566 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules) * 1:40755 <-> DISABLED <-> FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt (file-flash.rules) * 1:4060 <-> DISABLED <-> APP-DETECT remote desktop protocol attempted administrator connection request (app-detect.rules) * 1:40855 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:26596 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript fromCharCode xor decryption routine detected (indicator-obfuscation.rules) * 1:26615 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript substr rename attempt (indicator-obfuscation.rules) * 1:26592 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt (browser-webkit.rules) * 1:26620 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious (indicator-obfuscation.rules) * 1:40856 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules) * 1:26639 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value (browser-ie.rules) * 1:40862 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40863 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:40864 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules) * 1:26693 <-> DISABLED <-> OS-MOBILE Android Antammi device information exfiltration (os-mobile.rules) * 1:40905 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules) * 1:26769 <-> DISABLED <-> SERVER-OTHER MIT Kerberos kpasswd process_chpw_request denial of service attempt (server-other.rules) * 1:26759 <-> DISABLED <-> SERVER-OTHER MIT Kerberos libkdb_ldap principal name handling denial of service attempt (server-other.rules) * 1:40911 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Sednit variant outbound connection (malware-cnc.rules) * 1:26803 <-> ENABLED <-> MALWARE-OTHER DNS data exfiltration attempt (malware-other.rules) * 1:26774 <-> ENABLED <-> MALWARE-CNC Win.Worm.Luder variant outbound connection (malware-cnc.rules) * 1:41092 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit landing page obfuscation detected (exploit-kit.rules) * 1:41163 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt (file-pdf.rules) * 1:27119 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple plugin version detection attempt (indicator-obfuscation.rules) * 1:27194 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:27195 <-> DISABLED <-> SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt (server-other.rules) * 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules) * 1:10181 <-> DISABLED <-> MALWARE-OTHER Keylogger systemsleuth runtime detection (malware-other.rules) * 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules) * 1:10183 <-> DISABLED <-> MALWARE-OTHER Keylogger activity Keylogger runtime detection (malware-other.rules) * 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules) * 1:10440 <-> DISABLED <-> MALWARE-OTHER Keylogger pc black box runtime detection (malware-other.rules) * 1:27258 <-> DISABLED <-> INDICATOR-OBFUSCATION eval large block of fromCharCode (indicator-obfuscation.rules) * 1:27287 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:27538 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name (malware-other.rules) * 1:27592 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:27288 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:1101 <-> DISABLED <-> INDICATOR-SCAN Webtrends HTTP probe (indicator-scan.rules) * 1:1129 <-> DISABLED <-> SERVER-WEBAPP .htaccess access (server-webapp.rules) * 1:27774 <-> ENABLED <-> MALWARE-CNC RDN Banker Data Exfiltration (malware-cnc.rules) * 1:27730 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /css3.jsp (indicator-compromise.rules) * 1:12129 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - get sys info (malware-other.rules) * 1:1133 <-> DISABLED <-> INDICATOR-SCAN cybercop os probe (indicator-scan.rules) * 1:27960 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (malware-other.rules) * 1:12130 <-> DISABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - get sys info (malware-other.rules) * 1:12135 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - fun (malware-other.rules) * 1:12137 <-> DISABLED <-> MALWARE-OTHER Keylogger Keylogger king home 2.3 runtime detection (malware-other.rules) * 1:28149 <-> DISABLED <-> SERVER-OTHER Quest Software Big Brother attempted arbitrary file deletion (server-other.rules) * 1:12141 <-> DISABLED <-> MALWARE-OTHER Keylogger logit v1.0 runtime detection (malware-other.rules) * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:28345 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28278 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager express user.updateUserValue sql injection attempt (server-webapp.rules) * 1:28349 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:12379 <-> DISABLED <-> MALWARE-OTHER Keylogger PaqKeylogger 5.1 runtime detection - ftp (malware-other.rules) * 1:12188 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp rename_principal attempt (protocol-rpc.rules) * 1:28420 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:12625 <-> DISABLED <-> MALWARE-OTHER Keylogger windows family safety 2.0 runtime detection (malware-other.rules) * 1:28552 <-> DISABLED <-> INDICATOR-SCAN inbound probing for IPTUX messenger port (indicator-scan.rules) * 1:12760 <-> ENABLED <-> MALWARE-OTHER Keylogger powered Keylogger 2.2 runtime detection (malware-other.rules) * 1:28811 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28812 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28831 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro d2d1.dll dll-load exploit attempt (file-other.rules) * 1:28833 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt (file-other.rules) * 1:12775 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer obfuscated Ierpplug.dll ActiveX exploit attempt (browser-plugins.rules) * 1:28836 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wintab32.dll dll-load exploit attempt (file-other.rules) * 1:13223 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (protocol-rpc.rules) * 1:28834 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt (file-other.rules) * 1:13244 <-> DISABLED <-> MALWARE-OTHER Keylogger computer monitor 1.1 by lastcomfort runtime detection (malware-other.rules) * 1:28839 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt (file-other.rules) * 1:28932 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHM file load attempt (browser-ie.rules) * 1:28976 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent.DF - Data Exfiltration (malware-cnc.rules) * 1:28978 <-> DISABLED <-> FILE-OTHER CHM LZX compression reset interval anti-virus evasion attempt (file-other.rules) * 1:28941 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:13507 <-> DISABLED <-> MALWARE-CNC evilotus 1.3.2 variant outbound connection (malware-cnc.rules) * 1:13568 <-> DISABLED <-> MALWARE-OTHER Keylogger sys keylog 1.3 advanced runtime detection (malware-other.rules) * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules) * 1:29190 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in Nuclear exploit kit (indicator-obfuscation.rules) * 1:13988 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to ascii function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:13652 <-> DISABLED <-> PUA-ADWARE Keylogger all in one Keylogger runtime detection (pua-adware.rules) * 1:29462 <-> ENABLED <-> INDICATOR-SCAN User-Agent known malicious user-agent The Mole (indicator-scan.rules) * 1:13989 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation (indicator-obfuscation.rules) * 1:14041 <-> DISABLED <-> SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt - 2 (server-other.rules) * 1:14074 <-> DISABLED <-> MALWARE-OTHER Keylogger spybosspro 4.2 runtime detection (malware-other.rules) * 1:29680 <-> DISABLED <-> BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt (browser-plugins.rules) * 1:14075 <-> DISABLED <-> MALWARE-OTHER Keylogger ultimate Keylogger pro runtime detection (malware-other.rules) * 1:29789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Careto plugin download (malware-cnc.rules) * 1:29791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Careto plugin download (malware-cnc.rules) * 1:29745 <-> DISABLED <-> INDICATOR-OBFUSCATION Alternating character encodings - JS variable (indicator-obfuscation.rules) * 1:29813 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized HTML number encodings detected in clsid access attempt (indicator-obfuscation.rules) * 1:15514 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt (server-other.rules) * 1:15414 <-> DISABLED <-> PROTOCOL-SCADA OMRON-FINS program area protect clear brute force attempt (protocol-scada.rules) * 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (exploit-kit.rules) * 1:15701 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 2000 domain authentication bypass attempt (os-windows.rules) * 1:30281 <-> DISABLED <-> POLICY-OTHER use of psexec remote administration tool SMBv2 (policy-other.rules) * 1:16125 <-> DISABLED <-> MALWARE-OTHER Keylogger spyyahoo v2.2 runtime detection (malware-other.rules) * 1:30567 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt (malware-other.rules) * 1:30568 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt (malware-other.rules) * 1:30569 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent Funeral ceremony phishing attempt (malware-other.rules) * 1:30982 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Karnos variant outbound connection (malware-cnc.rules) * 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules) * 1:31301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (browser-ie.rules) * 1:1638 <-> DISABLED <-> INDICATOR-SCAN SSH Version map attempt (indicator-scan.rules) * 1:31070 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs outbound connection (malware-cnc.rules) * 1:16573 <-> DISABLED <-> BROWSER-PLUGINS obfuscated ActiveX object instantiation via unescape (browser-plugins.rules) * 1:31411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:3152 <-> DISABLED <-> SQL sa brute force failed login attempt (sql.rules) * 1:31564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke FTP data exfiltration (malware-cnc.rules) * 1:31711 <-> DISABLED <-> INDICATOR-COMPROMISE Keylog string over FTP detected (indicator-compromise.rules) * 1:31556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke HTTP data exfiltration attempt (malware-cnc.rules) * 1:17273 <-> DISABLED <-> SERVER-OTHER MIT Kerberos V5 KDC krb5_unparse_name overflow attempt (server-other.rules) * 1:17353 <-> DISABLED <-> OS-SOLARIS Oracle Solaris printd Daemon Arbitrary File Deletion attempt (os-solaris.rules) * 1:31874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt (os-windows.rules) * 1:31830 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules) * 1:18205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book msoeres32.dll dll-load exploit attempt (os-windows.rules) * 1:17571 <-> DISABLED <-> BROWSER-PLUGINS obfuscated instantiation of ActiveX object - likely malicious (browser-plugins.rules) * 1:32105 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules) * 1:18208 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdist.dll dll-load exploit attempt (os-windows.rules) * 1:18223 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (os-windows.rules) * 1:18225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (os-windows.rules) * 1:32740 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:18226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (os-windows.rules) * 1:32757 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (server-other.rules) * 1:32759 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (server-other.rules) * 1:32755 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (server-other.rules) * 1:32771 <-> DISABLED <-> MALWARE-OTHER Adobe Invoice email scam phishing attempt (malware-other.rules) * 1:18413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WMI tracing api integer truncation attempt (os-windows.rules) * 1:18245 <-> DISABLED <-> BROWSER-PLUGINS Oracle Java browser plugin docbase overflow attempt (browser-plugins.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:18431 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin sqlite.dll dll-load exploit attempt (file-pdf.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:18436 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin bibutils.dll dll-load exploit attempt (file-other.rules) * 1:32945 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (file-identify.rules) * 1:32946 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (file-identify.rules) * 1:32947 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file download request (file-identify.rules) * 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules) * 1:18443 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt (file-pdf.rules) * 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules) * 1:18488 <-> DISABLED <-> FILE-OTHER Adobe Photoshop wintab32.dll dll-load exploit attempt (file-other.rules) * 1:32949 <-> DISABLED <-> MALWARE-OTHER Download of executable screensaver file (malware-other.rules) * 1:18496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension ehtrace.dll dll-load exploit attempt (os-windows.rules) * 1:33222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules) * 1:33886 <-> ENABLED <-> MALWARE-CNC WIn.Trojan.HawkEye keylogger variant outbound connection (malware-cnc.rules) * 1:33940 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (malware-other.rules) * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:33939 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (malware-other.rules) * 1:1860 <-> DISABLED <-> SERVER-WEBAPP Linksys router default password login attempt (server-webapp.rules) * 1:18620 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc42.dll dll-load exploit attempt (os-windows.rules) * 1:34345 <-> DISABLED <-> POLICY-OTHER Red Hat OpenStack default password login attempt (policy-other.rules) * 1:34112 <-> DISABLED <-> SERVER-OTHER NTP mode 6 REQ_NONCE denial of service attempt (server-other.rules) * 1:18818 <-> DISABLED <-> FILE-IDENTIFY .chm attachment file type blocked by Outlook detected (file-identify.rules) * 1:18625 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc40.dll dll-load exploit attempt (os-windows.rules) * 1:34893 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro quserex.dll dll-load exploit attempt (file-other.rules) * 1:18822 <-> DISABLED <-> FILE-IDENTIFY .cpl attachment file type blocked by Outlook detected (file-identify.rules) * 1:19036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules) * 1:19074 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript uuencoded noop sled attempt (indicator-obfuscation.rules) * 1:34903 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro MSPStyleLib.dll dll-load exploit attempt (file-other.rules) * 1:19075 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript uuencoded eval statement (indicator-obfuscation.rules) * 1:34907 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uhDSPlay.dll dll-load exploit attempt (file-other.rules) * 1:34909 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uipl.dll dll-load exploit attempt (file-other.rules) * 1:34905 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uFioUtil.dll dll-load exploit attempt (file-other.rules) * 1:34911 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll.dll dll-load exploit attempt (file-other.rules) * 1:19314 <-> DISABLED <-> OS-WINDOWS Groove GroovePerfmon.dll dll-load exploit attempt (os-windows.rules) * 1:1917 <-> DISABLED <-> INDICATOR-SCAN UPnP service discover attempt (indicator-scan.rules) * 1:34915 <-> DISABLED <-> NETBIOS SMB Corel PaintShop Pro quserex.dll dll-load exploit attempt (netbios.rules) * 1:19319 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules) * 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection (malware-cnc.rules) * 1:19437 <-> DISABLED <-> INDICATOR-OBFUSCATION select concat statement - possible sql injection (indicator-obfuscation.rules) * 1:35111 <-> DISABLED <-> SERVER-OTHER OpenSSL anomalous x509 certificate with default org name and certificate chain detected (server-other.rules) * 1:35118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules) * 1:35143 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer msostyle.dll dll-load exploit attempt (file-office.rules) * 1:35168 <-> DISABLED <-> FILE-OFFICE Microsoft Office rapi.dll dll-load exploit attempt (file-office.rules) * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules) * 1:35317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Directate outbound connection (malware-cnc.rules) * 1:19617 <-> DISABLED <-> FILE-OTHER Adobe Audition assist.dll dll-load exploit attempt (file-other.rules) * 1:3519 <-> DISABLED <-> SERVER-MYSQL MaxDB WebSQL wppassword buffer overflow default port (server-mysql.rules) * 1:19671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (browser-ie.rules) * 1:3543 <-> DISABLED <-> SQL SA brute force login attempt TDS v7/8 (sql.rules) * 1:35737 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules) * 1:35769 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike inbound connection (malware-backdoor.rules) * 1:35770 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike outbound connection (malware-backdoor.rules) * 1:35738 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules) * 1:19888 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:19900 <-> DISABLED <-> MALWARE-OTHER Tong Keylogger outbound connection (malware-other.rules) * 1:36252 <-> DISABLED <-> SERVER-OTHER ntpd remote configuration denial of service attempt (server-other.rules) * 1:36070 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join attempt (indicator-obfuscation.rules) * 1:20175 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access (browser-plugins.rules) * 1:19933 <-> DISABLED <-> INDICATOR-SCAN DirBuster brute forcing tool detected (indicator-scan.rules) * 1:36408 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:20212 <-> DISABLED <-> SERVER-OTHER SSL CBC encryption mode weakness brute force attempt (server-other.rules) * 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules) * 1:20593 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt (browser-webkit.rules) * 1:36633 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules) * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules) * 1:36816 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected (server-other.rules) * 1:3679 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Products IFRAME src javascript code execution (indicator-obfuscation.rules) * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules) * 1:21037 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized javascript encodings detected (indicator-obfuscation.rules) * 1:20702 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp7x32.dll dll-load exploit attempt (file-office.rules) * 1:36999 <-> ENABLED <-> FILE-OFFICE Microsoft Office elsext.dll dll-load exploit attempt (file-office.rules) * 1:21040 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules) * 1:37132 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules) * 1:21118 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell security information display (indicator-compromise.rules) * 1:37257 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mapi32x.dll dll-load exploit attempt (browser-ie.rules) * 1:37262 <-> ENABLED <-> FILE-OFFICE Microsoft Office mfplat.dll dll-load exploit attempt (file-office.rules) * 1:37264 <-> ENABLED <-> FILE-OFFICE Microsoft Office api-ms-win-core-winrt-l1-1-0.dll dll-load exploit attempt (file-office.rules) * 1:37275 <-> ENABLED <-> OS-WINDOWS Microsoft Windows feclient.dll dll-load exploit attempt (os-windows.rules) * 1:21132 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell sql interaction page (indicator-compromise.rules) * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:21135 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell password cracking page (indicator-compromise.rules) * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules) * 1:21139 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell spread shell page (indicator-compromise.rules) * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules) * 1:37313 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules) * 1:37378 <-> DISABLED <-> SERVER-WEBAPP ABB default password login attempt (server-webapp.rules) * 1:37379 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules) * 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules) * 1:21290 <-> DISABLED <-> OS-WINDOWS Microsoft Color Control Panel STI.dll dll-load exploit attempt (os-windows.rules) * 1:21318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FakeAV TDSS/PurpleHaze variant outbound connection - base64 encoded (malware-cnc.rules) * 1:37390 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules) * 1:37384 <-> DISABLED <-> SERVER-WEBAPP Emerson default password login attempt (server-webapp.rules) * 1:37394 <-> DISABLED <-> SERVER-WEBAPP Wago default password login attempt (server-webapp.rules) * 1:21377 <-> DISABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager sql injection attempt (server-webapp.rules) * 1:7806 <-> DISABLED <-> MALWARE-BACKDOOR fatal wound 1.0 runtime detection - initial connection (malware-backdoor.rules) * 1:10167 <-> DISABLED <-> MALWARE-OTHER Keylogger radar spy 1.0 runtime detection - send html log (malware-other.rules) * 1:9649 <-> ENABLED <-> MALWARE-OTHER Keylogger ghost Keylogger runtime detection - flowbit set (malware-other.rules) * 1:9650 <-> DISABLED <-> MALWARE-OTHER Keylogger ghost Keylogger runtime detection (malware-other.rules) * 1:9827 <-> DISABLED <-> MALWARE-OTHER Keylogger paq keylog runtime detection - smtp (malware-other.rules) * 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules) * 1:9828 <-> DISABLED <-> MALWARE-OTHER Keylogger paq keylog runtime detection - ftp (malware-other.rules) * 1:10436 <-> DISABLED <-> MALWARE-OTHER Keylogger keyspy runtime detection (malware-other.rules) * 1:27259 <-> DISABLED <-> INDICATOR-OBFUSCATION eval large block of fromCharCode (indicator-obfuscation.rules) * 1:10457 <-> DISABLED <-> MALWARE-BACKDOOR [x]-ztoo 1.0 runtime detection - start keylogger (malware-backdoor.rules) * 1:27272 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode (indicator-obfuscation.rules) * 1:27286 <-> DISABLED <-> SERVER-WEBAPP DuWare DuClassmate default.asp iCity sql injection attempt (server-webapp.rules) * 1:27593 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split (indicator-obfuscation.rules) * 1:10464 <-> DISABLED <-> PROTOCOL-TELNET kerberos login environment variable authentication bypass attempt (protocol-telnet.rules) * 1:27729 <-> DISABLED <-> INDICATOR-COMPROMISE request for potential web shell - /Silic.jsp (indicator-compromise.rules) * 1:1122 <-> DISABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules) * 1:27735 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool usage (indicator-obfuscation.rules) * 1:12046 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind RPC Library unix authentication buffer overflow attempt (protocol-rpc.rules) * 1:27957 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (malware-other.rules) * 1:27958 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (malware-other.rules) * 1:27959 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (malware-other.rules) * 1:27961 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (malware-other.rules) * 1:27967 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:12133 <-> ENABLED <-> MALWARE-OTHER Keylogger remotekeylog.b runtime detection - open url (malware-other.rules) * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules) * 1:28002 <-> DISABLED <-> INDICATOR-SCAN UPnP WANPPPConnection (indicator-scan.rules) * 1:28024 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28025 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz Potential phishing URL (malware-cnc.rules) * 1:28301 <-> DISABLED <-> INDICATOR-SCAN User-Agent known malicious user-agent Masscan (indicator-scan.rules) * 1:12424 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc RPCSEC_GSS buffer overflow attempt (protocol-rpc.rules) * 1:28350 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules) * 1:12759 <-> DISABLED <-> MALWARE-OTHER Keylogger/RAT digi watcher 2.32 runtime detection (malware-other.rules) * 1:12774 <-> DISABLED <-> BROWSER-PLUGINS obfuscated GlobalLink ConnectAndEnterRoom ActiveX exploit attempt (browser-plugins.rules) * 1:28837 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro d2d1.dll dll-load exploit attempt (file-other.rules) * 1:13237 <-> DISABLED <-> MALWARE-OTHER Keylogger active Keylogger 3.9.2 runtime detection (malware-other.rules) * 1:28842 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wintab32.dll dll-load exploit attempt (file-other.rules) * 1:13278 <-> ENABLED <-> MALWARE-OTHER Keylogger advanced spy 4.0 runtime detection (malware-other.rules) * 1:28908 <-> DISABLED <-> SERVER-OTHER Nagios core config manager tfpassword sql injection attempt (server-other.rules) * 1:28931 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHM file load attempt (browser-ie.rules) * 1:28991 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Qakbot FTP data exfiltration (malware-cnc.rules) * 1:13347 <-> DISABLED <-> PUA-ADWARE Snoopware remote desktop inspector runtime detection - init connection (pua-adware.rules) * 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules) * 1:13551 <-> DISABLED <-> SERVER-ORACLE Oracle XDB.XDB_PITRIG_PKG sql injection attempt (server-oracle.rules) * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules) * 1:13767 <-> ENABLED <-> MALWARE-OTHER Keylogger cyber sitter runtime detection (malware-other.rules) * 1:29397 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip shipping filename download with .exe name within .zip the same (policy-spam.rules) * 1:29398 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip voicemail filename download with .exe name within .zip the same (policy-spam.rules) * 1:29399 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - .zip statement filename download with .exe name within .zip the same (policy-spam.rules) * 1:29509 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple character encodings detected (indicator-obfuscation.rules) * 1:29519 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join (indicator-obfuscation.rules) * 1:14039 <-> DISABLED <-> FILE-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt (file-other.rules) * 1:29580 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVG data processing obfuscated memory corruption attempt (browser-firefox.rules) * 1:29608 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO showRegisteredTypeDetails.do sql injection attempt (server-webapp.rules) * 1:29616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keylogger inbound connection (malware-cnc.rules) * 1:29620 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop malformed PNG detected tRNS overflow attempt (file-image.rules) * 1:29681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt (browser-plugins.rules) * 1:29756 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager express user.updateUserValue sql injection attempt (server-webapp.rules) * 1:15584 <-> DISABLED <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules) * 1:29869 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Napolar phishing attack (malware-cnc.rules) * 1:15874 <-> DISABLED <-> SQL union select - possible sql injection attempt - POST parameter (sql.rules) * 1:16269 <-> ENABLED <-> MALWARE-CNC Win.Trojan.tdss.1.gen install-time detection - findzproportal1.com (malware-cnc.rules) * 1:31303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadeki variant outbound connection (malware-cnc.rules) * 1:16455 <-> DISABLED <-> MALWARE-OTHER Keylogger egyspy keylogger 1.13 runtime detection (malware-other.rules) * 1:31414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:16574 <-> DISABLED <-> BROWSER-PLUGINS obfuscated ActiveX object instantiation via fromCharCode (browser-plugins.rules) * 1:31415 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31416 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (os-windows.rules) * 1:31765 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules) * 1:17153 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1 (browser-firefox.rules) * 1:31807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nighthunter data exfiltration attempt (malware-cnc.rules) * 1:17274 <-> DISABLED <-> SERVER-OTHER MIT Kerberos V5 KDC krb5_unparse_name overflow attempt (server-other.rules) * 1:31857 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules) * 1:18070 <-> DISABLED <-> FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt (file-office.rules) * 1:32102 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules) * 1:32103 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules) * 1:32104 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules) * 1:32204 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules) * 1:32312 <-> DISABLED <-> MALWARE-CNC FrameworkPOS data exfiltration through DNS - beacon message (malware-cnc.rules) * 1:18211 <-> DISABLED <-> OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt (os-windows.rules) * 1:32355 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript variable obfuscation (indicator-obfuscation.rules) * 1:32501 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (file-other.rules) * 1:32602 <-> DISABLED <-> POLICY-OTHER ManageEngine Eventlog Analyzer credential disclosure attempt (policy-other.rules) * 1:3273 <-> DISABLED <-> SQL sa brute force failed login unicode attempt (sql.rules) * 1:32741 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:32756 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (server-other.rules) * 1:18414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt (os-windows.rules) * 1:32772 <-> DISABLED <-> MALWARE-OTHER Adobe License Key email scam phishing attempt (malware-other.rules) * 1:18435 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin agm.dll dll-load exploit attempt (file-other.rules) * 1:18442 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader plugin cooltype.dll dll-load exploit attempt (file-pdf.rules) * 1:33221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules) * 1:18494 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules) * 1:33566 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt (browser-firefox.rules) * 1:18499 <-> DISABLED <-> OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt (os-windows.rules) * 1:33656 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak data exfiltration attempt (malware-cnc.rules) * 1:33857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PwnPOS data exfiltration attempt (malware-cnc.rules) * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:18533 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC authentication denial of service attempt (server-other.rules) * 1:34037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound connection (malware-cnc.rules) * 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules) * 1:34226 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple AV products evasion attempt (indicator-obfuscation.rules) * 1:18626 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc42.dll dll-load exploit attempt (os-windows.rules) * 1:34890 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro u32ZLib.dll dll-load exploit attempt (file-other.rules) * 1:34891 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro u32Zlib.dll dll-load exploit attempt (file-other.rules) * 1:34892 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro quserex.dll dll-load exploit attempt (file-other.rules) * 1:34894 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro FxManagedCommands dll-load exploit attempt (file-other.rules) * 1:34896 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro TD_Mgd_3.08_9.dll dll-load exploit attempt (file-other.rules) * 1:18932 <-> DISABLED <-> SERVER-WEBAPP Jboss default configuration unauthorized application add attempt (server-webapp.rules) * 1:34897 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro TD_Mgd_3.08_9.dll dll-load exploit attempt (file-other.rules) * 1:34898 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro wacommt.dll dll-load exploit attempt (file-other.rules) * 1:34901 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro igfxcmrt32.dll dll-load exploit attempt (file-other.rules) * 1:34902 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro ipl.dll dll-load exploit attempt (file-other.rules) * 1:34904 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro MSPStyleLib.dll dll-load exploit attempt (file-other.rules) * 1:34906 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro uFioUtil.dll dll-load exploit attempt (file-other.rules) * 1:19315 <-> DISABLED <-> OS-WINDOWS Microsoft Groove GroovePerfmon.dll dll-load exploit attempt (os-windows.rules) * 1:34912 <-> DISABLED <-> FILE-OTHER Corel PaintShop Pro VC1DecDll.dll dll-load exploit attempt (file-other.rules) * 1:19393 <-> DISABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (malware-other.rules) * 1:19551 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (malware-other.rules) * 1:3542 <-> DISABLED <-> SQL SA brute force login attempt (sql.rules) * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules) * 1:3552 <-> DISABLED <-> OS-WINDOWS Microsoft Windows OLE32 MSHTA masquerade attempt (os-windows.rules) * 1:19673 <-> DISABLED <-> OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt (os-windows.rules) * 1:35527 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules) * 1:35528 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules) * 1:35886 <-> DISABLED <-> POLICY-OTHER Kaskad SCADA default username and password attempt (policy-other.rules) * 1:19867 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized javascript encodings detected (indicator-obfuscation.rules) * 1:36054 <-> ENABLED <-> MALWARE-CNC Ios.Backdoor.SYNful inbound connection (malware-cnc.rules) * 1:19889 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded data object found (indicator-obfuscation.rules) * 1:36201 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (exploit-kit.rules) * 1:20047 <-> DISABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:36338 <-> ENABLED <-> MALWARE-OTHER Apple iTunes Connect HTTP response phishing attempt (malware-other.rules) * 1:36375 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Management Framework Endpoint default HTTP password authentication attempt (server-other.rules) * 1:36407 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:36409 <-> DISABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules) * 1:36536 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK packet flood attempt (server-other.rules) * 1:20274 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP NetShareEnumAll request (netbios.rules) * 1:36585 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari user assisted applescript code execution attempt (browser-webkit.rules) * 1:36596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules) * 1:36603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules) * 1:36632 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules) * 1:36666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tentobr outbound connection (malware-cnc.rules) * 1:36804 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdistsvc.dll dll-load exploit attempt (os-windows.rules) * 1:21038 <-> DISABLED <-> INDICATOR-OBFUSCATION String.fromCharCode with multiple encoding types detected (indicator-obfuscation.rules) * 1:36931 <-> ENABLED <-> FILE-OFFICE Microsoft Office wuaext.dll dll-load exploit attempt (file-office.rules) * 1:21117 <-> DISABLED <-> INDICATOR-COMPROMISE WSO web shell (indicator-compromise.rules) * 1:21131 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell domain lookup page (indicator-compromise.rules) * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:21137 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell tools page (indicator-compromise.rules) * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules) * 1:21140 <-> DISABLED <-> INDICATOR-COMPROMISE Mulcishell web shell kill shell page (indicator-compromise.rules) * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules) * 1:37312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules) * 1:37381 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules) * 1:21285 <-> ENABLED <-> FILE-IDENTIFY XSLT file download request (file-identify.rules) * 1:37383 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules) * 1:213 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit attempt (malware-backdoor.rules) * 1:37387 <-> DISABLED <-> SERVER-WEBAPP Moxa default password login attempt (server-webapp.rules) * 1:214 <-> DISABLED <-> MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x (malware-backdoor.rules) * 3:49362 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0787 attack attempt (server-webapp.rules)