VRT Rules 2015-03-10
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS15-018: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33287 through 33288, 33707 through 33710, 33718 through 33721, 33726 through 33727, 33730 through 33731, 33736 through 33739, 33741 through 33744, and 33763 through 33764.

Microsoft Security Bulletin MS15-020: A coding deficiency exists in Microsoft Windows Shell that may lead to remote code execution.

A previously released rule will detect attacks targeting these vulnerabilities and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 17042.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 33775 through 33776.

Microsoft Security Bulletin MS15-021: A coding deficiency exists in the Adobe Font Driver that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33711 through 33714, 33722 through 33725, 33728 through 33729, and 33732 through 33733.

Microsoft Security Bulletin MS15-022: A coding deficiency exists in Microsoft Office that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33705 through 33706, 33715 through 33716, 33734 through 33735, and 33808 through 33809.

Microsoft Security Bulletin MS15-023: A coding deficiency exists in a Microsoft Kernel Mode driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33765 through 33770.

Microsoft Security Bulletin MS15-024: A coding deficiency exists in Microsoft PNG image processing that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33760 through 33761.

Microsoft Security Bulletin MS15-025: A coding deficiency exists in the Microsoft Windows Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33773 through 33774.

Microsoft Security Bulletin MS15-026: A coding deficiency exists in Microsoft Exchange Server that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33762, 33807, and 33810 through 33811.

Microsoft Security Bulletin MS15-027: A coding deficiency exists in Microsoft Netlogon that may allow spoofing attacks.

A previously released rule will detect attacks targeting this vulnerability and has been updated with the appropriate reference information. It is included in this release and is identified with GID 3, SID 15453.

Microsoft Security Bulletin MS15-028: A coding deficiency exists in the Microsoft Task Scheduler that may allow a security feature bypass.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 33717.

Microsoft Security Bulletin MS15-029: A coding deficiency exists in a Microsoft graphics component that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33771 through 33772.

Microsoft Security Bulletin MS15-030: A coding deficiency exists in Microsoft Remote Desktop Protocol that may lead to a Denial of Service (DoS).

A previously released rule will detect attacks targeting these vulnerabilities and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 21232.

Microsoft Security Bulletin MS15-031: A coding deficiency exists in Microsoft Schannel that may allow a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33777 through 33806.

Talos has added and modified multiple rules in the blacklist, browser-ie, file-image, file-office, file-other, malware-cnc, malware-other, os-windows, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-03-10 19:40:03 UTC

Sourcefire VRT Rules Update

Date: 2015-03-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33784 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33785 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33782 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33783 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33780 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33781 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33779 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33778 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33776 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds array access attempt (browser-ie.rules)
 * 1:33777 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33774 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt (os-windows.rules)
 * 1:33775 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds array access attempt (browser-ie.rules)
 * 1:33772 <-> ENABLED <-> FILE-OTHER Microsoft Windows jxr information disclosure attempt (file-other.rules)
 * 1:33773 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt (os-windows.rules)
 * 1:33771 <-> ENABLED <-> FILE-OTHER Microsoft Windows jxr information disclosure attempt (file-other.rules)
 * 1:33770 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:33769 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:33767 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserFnINOUTNCCALCSIZE kernel memory leak attempt (os-windows.rules)
 * 1:33768 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserFnINOUTNCCALCSIZE kernel memory leak attempt (os-windows.rules)
 * 1:33765 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetClipboardAccessToken privilege escalation attempt (os-windows.rules)
 * 1:33766 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetClipboardAccessToken privilege escalation attempt (os-windows.rules)
 * 1:33763 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CInputContext object use after free attempt (browser-ie.rules)
 * 1:33764 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CInputContext object use after free attempt (browser-ie.rules)
 * 1:33761 <-> ENABLED <-> FILE-IMAGE Microsoft Internet Explorer PNG tRNS chuck size 1 information disclosure attempt (file-image.rules)
 * 1:33762 <-> ENABLED <-> SERVER-WEBAPP Microsoft Outlook WebAccess msgParam cross site scripting attempt (server-webapp.rules)
 * 1:33759 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.CTB-Locker download attempt (malware-other.rules)
 * 1:33760 <-> ENABLED <-> FILE-IMAGE Microsoft Internet Explorer PNG tRNS chuck size 1 information disclosure attempt (file-image.rules)
 * 1:33757 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.CTB-Locker outbound communication (malware-cnc.rules)
 * 1:33758 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.CTB-Locker download attempt (malware-other.rules)
 * 1:33755 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33756 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.CTB-Locker outbound communication (malware-cnc.rules)
 * 1:33754 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33752 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33753 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33750 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33751 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33748 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33749 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33746 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33747 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33744 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer table cell out-of-bounds access attempt (browser-ie.rules)
 * 1:33745 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33742 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use-after-free attempt (browser-ie.rules)
 * 1:33743 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer table cell out-of-bounds access attempt (browser-ie.rules)
 * 1:33741 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use-after-free attempt (browser-ie.rules)
 * 1:33740 <-> DISABLED <-> FILE-IMAGE Microsoft emf file download request (file-image.rules)
 * 1:33738 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CInputContext object use after free attempt (browser-ie.rules)
 * 1:33739 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CInputContext object use after free attempt (browser-ie.rules)
 * 1:33736 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use after free attempt (browser-ie.rules)
 * 1:33737 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use after free attempt (browser-ie.rules)
 * 1:33734 <-> DISABLED <-> FILE-OFFICE Microsoft Office ADODB.RecordSet code execution attempt (file-office.rules)
 * 1:33735 <-> DISABLED <-> FILE-OFFICE Microsoft Office ADODB.RecordSet code execution attempt (file-office.rules)
 * 1:33733 <-> ENABLED <-> FILE-OTHER Microsoft OpenType font atlmfd.dll uninitialized memory read attempt (file-other.rules)
 * 1:33732 <-> ENABLED <-> FILE-OTHER Microsoft OpenType font atlmfd.dll uninitialized memory read attempt (file-other.rules)
 * 1:33731 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds array access attempt (browser-ie.rules)
 * 1:33729 <-> ENABLED <-> OS-WINDOWS ATLMFD.DLL improperly terminated encrypted charstrings in type 1 font attempt (os-windows.rules)
 * 1:33730 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds array access attempt (browser-ie.rules)
 * 1:33727 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt (browser-ie.rules)
 * 1:33728 <-> ENABLED <-> OS-WINDOWS ATLMFD.DLL improperly terminated encrypted charstrings in type 1 font attempt (os-windows.rules)
 * 1:33725 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font blend operator negative operand code execution attempt (file-other.rules)
 * 1:33726 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt (browser-ie.rules)
 * 1:33723 <-> ENABLED <-> FILE-OTHER Type 1 font memory out-of-bounds read attempt (file-other.rules)
 * 1:33724 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font blend operator negative operand code execution attempt (file-other.rules)
 * 1:33721 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 sandbox bypass attempt (browser-ie.rules)
 * 1:33722 <-> ENABLED <-> FILE-OTHER Type 1 font memory out-of-bounds read attempt (file-other.rules)
 * 1:33719 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode interpreted as CGeneratedTreeNode remote code execution attempt (browser-ie.rules)
 * 1:33720 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 sandbox bypass attempt (browser-ie.rules)
 * 1:33717 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler access control bypass attempt (os-windows.rules)
 * 1:33718 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode interpreted as CGeneratedTreeNode remote code execution attempt (browser-ie.rules)
 * 1:33716 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incorrect schema property remote code execution attempt (file-office.rules)
 * 1:33714 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
 * 1:33715 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incorrect schema property remote code execution attempt (file-office.rules)
 * 1:33712 <-> ENABLED <-> OS-WINDOWS Type one font out of bounds memory access attempt (os-windows.rules)
 * 1:33713 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
 * 1:33710 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript array element use after free attempt (browser-ie.rules)
 * 1:33711 <-> ENABLED <-> OS-WINDOWS Type one font out of bounds memory access attempt (os-windows.rules)
 * 1:33708 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:33709 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript array element use after free attempt (browser-ie.rules)
 * 1:33705 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:33706 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:33707 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:33811 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange UM Management user stored XSS attempt (server-mail.rules)
 * 1:33810 <-> ENABLED <-> SERVER-OTHER Microsoft Exchange Server custom DLP policy name cross-site scripting attempt (server-other.rules)
 * 1:33809 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint user display name XSS attempt (server-other.rules)
 * 1:33808 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint Server Newsfeed XSS attempt (server-other.rules)
 * 1:33807 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange OWA X-OWA-CANARY command injection attempt (server-mail.rules)
 * 1:33806 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33805 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33804 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33803 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33802 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33801 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33800 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33799 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33798 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33797 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33796 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33795 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33794 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33793 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33792 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33791 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33790 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33789 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33788 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33787 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33786 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)

Modified Rules:


 * 1:17042 <-> DISABLED <-> FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt (file-other.rules)
 * 1:18353 <-> ENABLED <-> BLACKLIST User-Agent request for known PUA user agent - SelectRebates (blacklist.rules)
 * 1:21232 <-> DISABLED <-> SERVER-OTHER Remote Desktop Protocol brute force attempt (server-other.rules)
 * 1:32564 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32565 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33685 <-> DISABLED <-> SERVER-OTHER PHPMoAdmin remote code execution attempt (server-other.rules)
 * 3:15009 <-> ENABLED <-> OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected (os-windows.rules)
 * 3:15124 <-> ENABLED <-> OS-WINDOWS Web-based NTLM replay attack attempt (os-windows.rules)
 * 3:15453 <-> ENABLED <-> OS-WINDOWS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (os-windows.rules)
 * 3:15847 <-> ENABLED <-> OS-WINDOWS Telnet-based NTLM replay attack attempt (os-windows.rules)

2015-03-10 19:40:03 UTC

Sourcefire VRT Rules Update

Date: 2015-03-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33737 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use after free attempt (browser-ie.rules)
 * 1:33799 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33801 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33802 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33804 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33803 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33805 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33806 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33807 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange OWA X-OWA-CANARY command injection attempt (server-mail.rules)
 * 1:33738 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CInputContext object use after free attempt (browser-ie.rules)
 * 1:33705 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:33797 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33796 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33809 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint user display name XSS attempt (server-other.rules)
 * 1:33808 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint Server Newsfeed XSS attempt (server-other.rules)
 * 1:33810 <-> ENABLED <-> SERVER-OTHER Microsoft Exchange Server custom DLP policy name cross-site scripting attempt (server-other.rules)
 * 1:33811 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange UM Management user stored XSS attempt (server-mail.rules)
 * 1:33758 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.CTB-Locker download attempt (malware-other.rules)
 * 1:33759 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.CTB-Locker download attempt (malware-other.rules)
 * 1:33798 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33760 <-> ENABLED <-> FILE-IMAGE Microsoft Internet Explorer PNG tRNS chuck size 1 information disclosure attempt (file-image.rules)
 * 1:33756 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.CTB-Locker outbound communication (malware-cnc.rules)
 * 1:33757 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.CTB-Locker outbound communication (malware-cnc.rules)
 * 1:33754 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33755 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33752 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33753 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33750 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33751 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33749 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33747 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33748 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33745 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33746 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication attempt (malware-cnc.rules)
 * 1:33743 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer table cell out-of-bounds access attempt (browser-ie.rules)
 * 1:33744 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer table cell out-of-bounds access attempt (browser-ie.rules)
 * 1:33741 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use-after-free attempt (browser-ie.rules)
 * 1:33742 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use-after-free attempt (browser-ie.rules)
 * 1:33739 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CInputContext object use after free attempt (browser-ie.rules)
 * 1:33740 <-> DISABLED <-> FILE-IMAGE Microsoft emf file download request (file-image.rules)
 * 1:33735 <-> DISABLED <-> FILE-OFFICE Microsoft Office ADODB.RecordSet code execution attempt (file-office.rules)
 * 1:33736 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use after free attempt (browser-ie.rules)
 * 1:33734 <-> DISABLED <-> FILE-OFFICE Microsoft Office ADODB.RecordSet code execution attempt (file-office.rules)
 * 1:33733 <-> ENABLED <-> FILE-OTHER Microsoft OpenType font atlmfd.dll uninitialized memory read attempt (file-other.rules)
 * 1:33732 <-> ENABLED <-> FILE-OTHER Microsoft OpenType font atlmfd.dll uninitialized memory read attempt (file-other.rules)
 * 1:33730 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds array access attempt (browser-ie.rules)
 * 1:33731 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds array access attempt (browser-ie.rules)
 * 1:33728 <-> ENABLED <-> OS-WINDOWS ATLMFD.DLL improperly terminated encrypted charstrings in type 1 font attempt (os-windows.rules)
 * 1:33729 <-> ENABLED <-> OS-WINDOWS ATLMFD.DLL improperly terminated encrypted charstrings in type 1 font attempt (os-windows.rules)
 * 1:33726 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt (browser-ie.rules)
 * 1:33727 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt (browser-ie.rules)
 * 1:33725 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font blend operator negative operand code execution attempt (file-other.rules)
 * 1:33724 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font blend operator negative operand code execution attempt (file-other.rules)
 * 1:33722 <-> ENABLED <-> FILE-OTHER Type 1 font memory out-of-bounds read attempt (file-other.rules)
 * 1:33723 <-> ENABLED <-> FILE-OTHER Type 1 font memory out-of-bounds read attempt (file-other.rules)
 * 1:33720 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 sandbox bypass attempt (browser-ie.rules)
 * 1:33721 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 sandbox bypass attempt (browser-ie.rules)
 * 1:33718 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode interpreted as CGeneratedTreeNode remote code execution attempt (browser-ie.rules)
 * 1:33719 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode interpreted as CGeneratedTreeNode remote code execution attempt (browser-ie.rules)
 * 1:33716 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incorrect schema property remote code execution attempt (file-office.rules)
 * 1:33717 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler access control bypass attempt (os-windows.rules)
 * 1:33714 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
 * 1:33715 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incorrect schema property remote code execution attempt (file-office.rules)
 * 1:33712 <-> ENABLED <-> OS-WINDOWS Type one font out of bounds memory access attempt (os-windows.rules)
 * 1:33713 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
 * 1:33711 <-> ENABLED <-> OS-WINDOWS Type one font out of bounds memory access attempt (os-windows.rules)
 * 1:33709 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript array element use after free attempt (browser-ie.rules)
 * 1:33710 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript array element use after free attempt (browser-ie.rules)
 * 1:33708 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:33707 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:33706 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:33761 <-> ENABLED <-> FILE-IMAGE Microsoft Internet Explorer PNG tRNS chuck size 1 information disclosure attempt (file-image.rules)
 * 1:33762 <-> ENABLED <-> SERVER-WEBAPP Microsoft Outlook WebAccess msgParam cross site scripting attempt (server-webapp.rules)
 * 1:33763 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CInputContext object use after free attempt (browser-ie.rules)
 * 1:33764 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CInputContext object use after free attempt (browser-ie.rules)
 * 1:33765 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetClipboardAccessToken privilege escalation attempt (os-windows.rules)
 * 1:33766 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetClipboardAccessToken privilege escalation attempt (os-windows.rules)
 * 1:33767 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserFnINOUTNCCALCSIZE kernel memory leak attempt (os-windows.rules)
 * 1:33768 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserFnINOUTNCCALCSIZE kernel memory leak attempt (os-windows.rules)
 * 1:33769 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:33770 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:33771 <-> ENABLED <-> FILE-OTHER Microsoft Windows jxr information disclosure attempt (file-other.rules)
 * 1:33772 <-> ENABLED <-> FILE-OTHER Microsoft Windows jxr information disclosure attempt (file-other.rules)
 * 1:33773 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt (os-windows.rules)
 * 1:33774 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt (os-windows.rules)
 * 1:33775 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds array access attempt (browser-ie.rules)
 * 1:33776 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds array access attempt (browser-ie.rules)
 * 1:33777 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33778 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33779 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33780 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33781 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33782 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33800 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33784 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33783 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33785 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33792 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33787 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33789 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33791 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33793 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33794 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33790 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33795 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33788 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33786 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)

Modified Rules:


 * 1:17042 <-> DISABLED <-> FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt (file-other.rules)
 * 1:18353 <-> ENABLED <-> BLACKLIST User-Agent request for known PUA user agent - SelectRebates (blacklist.rules)
 * 1:21232 <-> DISABLED <-> SERVER-OTHER Remote Desktop Protocol brute force attempt (server-other.rules)
 * 1:32564 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32565 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33685 <-> DISABLED <-> SERVER-OTHER PHPMoAdmin remote code execution attempt (server-other.rules)
 * 3:15009 <-> ENABLED <-> OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected (os-windows.rules)
 * 3:15124 <-> ENABLED <-> OS-WINDOWS Web-based NTLM replay attack attempt (os-windows.rules)
 * 3:15453 <-> ENABLED <-> OS-WINDOWS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (os-windows.rules)
 * 3:15847 <-> ENABLED <-> OS-WINDOWS Telnet-based NTLM replay attack attempt (os-windows.rules)