Talos has added and modified multiple rules in the browser-ie, browser-other, browser-plugins, file-flash, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, indicator-scan, malware-cnc, malware-other, os-mobile, os-other, os-solaris, os-windows, policy-other, protocol-dns, protocol-other, protocol-scada, pua-other, server-other, server-samba and sql rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
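As an added example (my code, not from the Talos/Snort page), a small Python parser for changelog entries in this `gid:sid <-> state <-> message (rule group)` format: it collapses the line wraps seen in the pasted list, splits the run-together `* ` bullets, and then summarises default states per rule group and lists the DISABLED rules a deployment may want to turn on in its local policy. The five sample entries are copied from this changelog; the function and field names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: five entries copied from the changelog, pasted the way the
# page renders them ("* " bullets run together on one line, one entry wrapped
# across a line break mid-message).
SAMPLE = (
    "* 1:45554 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker "
    "project file heap buffer overflow attempt (file-multimedia.rules) "
    "* 1:45551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Velso ransomware download "
    "(malware-cnc.rules) * 1:45569 <-> DISABLED <-> SERVER-WEBAPP Squid host header\n"
    "cache poisoning attempt (server-webapp.rules) "
    "* 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of "
    "service attempt (server-samba.rules) "
    "* 1:19439 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)"
)

# One entry: gid:sid <-> ENABLED|DISABLED <-> CATEGORY message (group.rules).
# The Snort msg string carries the category prefix; it is split off here so
# entries can be grouped by category independently of the rules file.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<category>[A-Z][A-Z0-9-]*)\s+(?P<msg>.+?)\s+\((?P<group>[\w.-]+\.rules)\)"
)

# Split point: a "* " bullet that is immediately followed by a gid:sid token, so
# a stray "*" inside a message would not be mistaken for an entry boundary.
BULLET_RE = re.compile(r"\s*\*\s+(?=\d+:\d+\s*<->)")


@dataclass(frozen=True)
class RuleChange:
    gid: int
    sid: int
    enabled: bool      # default state shipped in the rule pack
    category: str      # e.g. SERVER-WEBAPP
    msg: str           # message without the category prefix
    group: str         # rules file, e.g. server-webapp.rules


def parse_changelog(text):
    """Parse a pasted changelog fragment into RuleChange records.

    Line wraps are collapsed first, because the page breaks entries at
    arbitrary points (even inside a message). A chunk that does not match the
    documented format raises rather than being silently dropped.
    """
    normalized = " ".join(text.split())
    entries = []
    for chunk in BULLET_RE.split(normalized):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ENTRY_RE.fullmatch(chunk)
        if m is None:
            raise ValueError(f"unparseable changelog entry: {chunk!r}")
        entries.append(RuleChange(int(m["gid"]), int(m["sid"]),
                                  m["state"] == "ENABLED", m["category"],
                                  m["msg"], m["group"]))
    return entries


def state_by_group(entries):
    """Count ENABLED/DISABLED defaults per rules file: what a stock policy
    will actually alert on after this update, and what it will not."""
    counts = {}
    for e in entries:
        c = counts.setdefault(e.group, {"enabled": 0, "disabled": 0})
        c["enabled" if e.enabled else "disabled"] += 1
    return counts


def review_candidates(entries, groups):
    """SIDs shipped DISABLED in the given rules files, sorted; these are the
    ones to consider enabling locally when the matching software is deployed."""
    return sorted(e.sid for e in entries if not e.enabled and e.group in groups)


def find_by_message(entries, needle):
    """SIDs whose message contains needle (case-insensitive), e.g. a product
    name, for checking coverage of software present in the environment."""
    needle = needle.lower()
    return sorted(e.sid for e in entries if needle in e.msg.lower())


if __name__ == "__main__":
    changes = parse_changelog(SAMPLE)
    for group, c in sorted(state_by_group(changes).items()):
        print(f"{group:24} enabled={c['enabled']} disabled={c['disabled']}")
    print("disabled server-side rules to review:",
          review_candidates(changes, {"server-webapp.rules", "server-samba.rules"}))
```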
* 1:45554 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
* 1:45551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Velso ransomware download (malware-cnc.rules)
* 1:45563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 1:45560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LockPoS outbound connection attempt (malware-cnc.rules)
* 1:45558 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
* 1:45569 <-> DISABLED <-> SERVER-WEBAPP Squid host header cache poisoning attempt (server-webapp.rules)
* 1:45550 <-> ENABLED <-> PUA-OTHER CPUMiner-Multi cryptocurrency mining pool connection attempt (pua-other.rules)
* 1:45553 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
* 1:45567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of service attempt (server-samba.rules)
* 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules)
* 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (server-webapp.rules)
* 1:45565 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif variant download attempt (malware-other.rules)
* 1:45552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Velso ransomware download (malware-cnc.rules)
* 1:45559 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
* 1:45562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LockPoS outbound connection attempt (malware-cnc.rules)
* 1:45561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LockPoS outbound connection attempt (malware-cnc.rules)
* 1:45557 <-> DISABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
* 1:45564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 1:45556 <-> DISABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
* 1:45566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45296 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45295 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45290 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45300 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45301 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45312 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
* 1:45313 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
* 1:45370 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules)
* 1:45371 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules)
* 1:45407 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi backdoor account access attempt (server-webapp.rules)
* 1:45408 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi command injection attempt (server-webapp.rules)
* 1:45409 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi command injection attempt (server-webapp.rules)
* 1:45410 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi command injection attempt (server-webapp.rules)
* 1:45418 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules)
* 1:45419 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules)
* 1:45549 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency mining pool connection attempt (pua-other.rules)
* 1:45291 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45271 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45298 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45299 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45292 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45297 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44682 <-> DISABLED <-> SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt (server-other.rules)
* 1:45293 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45129 <-> ENABLED <-> BROWSER-IE Microsoft Edge defineGetter type confusion attempt (browser-ie.rules)
* 1:44490 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules)
* 1:44006 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44385 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:43934 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:44234 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
* 1:45289 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44688 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt (server-webapp.rules)
* 1:44793 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
* 1:43904 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
* 1:44454 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi directory traversal attempt (server-webapp.rules)
* 1:44466 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
* 1:45060 <-> DISABLED <-> SERVER-WEBAPP pfSense system_groupmanager.php command injection attempt (server-webapp.rules)
* 1:44387 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:45237 <-> DISABLED <-> SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt (server-webapp.rules)
* 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
* 1:44551 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
* 1:43936 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
* 1:43938 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:44495 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules)
* 1:44386 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
* 1:45261 <-> DISABLED <-> SERVER-WEBAPP Vivotek IP Cameras remote stack buffer overflow attempt (server-webapp.rules)
* 1:45281 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44728 <-> DISABLED <-> INDICATOR-COMPROMISE Meterpreter payload download attempt (indicator-compromise.rules)
* 1:45254 <-> DISABLED <-> SERVER-OTHER Polycom HDX Series remote code execution attempt (server-other.rules)
* 1:43937 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:44087 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
* 1:44471 <-> ENABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:45128 <-> ENABLED <-> BROWSER-IE Microsoft Edge defineGetter type confusion attempt (browser-ie.rules)
* 1:43909 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:44388 <-> ENABLED <-> SERVER-WEBAPP D-Link getcfg.php credential disclosure attempt (server-webapp.rules)
* 1:44472 <-> ENABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:45279 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44497 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras information disclosure attempt (server-webapp.rules)
* 1:44433 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:43912 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:44233 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
* 1:44007 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44008 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:43908 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43993 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:44588 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
* 1:43911 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:44000 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
* 1:43941 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
* 1:45272 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
* 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:43939 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt (server-webapp.rules)
* 1:45278 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44144 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
* 1:43984 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
* 1:44054 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
* 1:43962 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
* 1:43907 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
* 1:43992 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43977 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43925 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
* 1:44587 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
* 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
* 1:44467 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
* 1:43980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:45274 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44034 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
* 1:43964 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
* 1:43961 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
* 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
* 1:45283 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44496 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules)
* 1:45282 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45214 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules)
* 1:44077 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .win dns query (indicator-compromise.rules)
* 1:43991 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:45288 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44435 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF authentication token disclosure attempt (server-webapp.rules)
* 1:45250 <-> ENABLED <-> SERVER-WEBAPP Delta IEM DIAEnergie file upload attempt (server-webapp.rules)
* 1:44582 <-> ENABLED <-> SERVER-WEBAPP Trend Micro widget system authentication bypass attempt (server-webapp.rules)
* 1:44086 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
* 1:45238 <-> DISABLED <-> SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt (server-webapp.rules)
* 1:43968 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
* 1:43967 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
* 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
* 1:43917 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
* 1:43978 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43998 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
* 1:44095 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
* 1:45277 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44875 <-> ENABLED <-> INDICATOR-COMPROMISE Malicious VBA script detected (indicator-compromise.rules)
* 1:44430 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44492 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules)
* 1:45275 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44683 <-> DISABLED <-> SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt (server-other.rules)
* 1:45136 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit PowerShell CLI Download and Run attempt (indicator-compromise.rules)
* 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
* 1:43999 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
* 1:45137 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit run hidden powershell attempt (indicator-compromise.rules)
* 1:43994 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:45294 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45286 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44232 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
* 1:45285 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44145 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
* 1:45280 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45276 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:43940 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
* 1:45270 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:44084 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
* 1:43983 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
* 1:43913 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:44491 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules)
* 1:44053 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
* 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:44076 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .trade dns query (indicator-compromise.rules)
* 1:44436 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
* 1:44300 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem authentication bypass attempt (server-webapp.rules)
* 1:44580 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
* 1:43924 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
* 1:44094 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
* 1:44033 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
* 1:43905 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
* 1:43979 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43963 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
* 1:44437 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
* 1:44465 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
* 1:44432 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44322 <-> DISABLED <-> SERVER-WEBAPP NEC Express Cluster DeleteWorkDirectory.js command injection attempt (server-webapp.rules)
* 1:44494 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules)
* 1:45215 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules)
* 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:43906 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
* 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
* 1:44687 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt (server-webapp.rules)
* 1:45240 <-> DISABLED <-> SERVER-WEBAPP OpenEMR fax_dispatch.php command injection attempt (server-webapp.rules)
* 1:45284 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45287 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44453 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi NTP service configuration command injection attempt (server-webapp.rules)
* 1:44384 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:43997 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
* 1:43910 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:44431 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
* 1:43935 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt (server-webapp.rules)
* 1:44383 <-> DISABLED <-> SERVER-WEBAPP D-Link router firmware update attempt (server-webapp.rules)
* 1:44321 <-> DISABLED <-> SERVER-WEBAPP NEC Express Cluster DeleteWorkDirectory.js command injection attempt (server-webapp.rules)
* 1:43916 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
* 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
* 1:45273 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44023 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
* 1:44579 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
* 1:43901 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43900 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:13512 <-> DISABLED <-> SQL generic sql exec injection attempt - GET parameter (sql.rules)
* 1:13514 <-> DISABLED <-> SQL generic sql update injection attempt - GET parameter (sql.rules)
* 1:15503 <-> ENABLED <-> FILE-OFFICE Download of PowerPoint 95 file (file-office.rules)
* 1:15584 <-> DISABLED <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules)
* 1:15874 <-> DISABLED <-> SQL union select - possible sql injection attempt - POST parameter (sql.rules)
* 1:15875 <-> DISABLED <-> SQL generic sql insert injection attempt - POST parameter (sql.rules)
* 1:15877 <-> DISABLED <-> SQL generic sql exec injection attempt - POST parameter (sql.rules)
* 1:16431 <-> ENABLED <-> SQL generic sql with comments injection attempt - GET parameter (sql.rules)
* 1:18683 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel file with embedded PDF object (file-office.rules)
* 1:19439 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:19440 <-> ENABLED <-> SQL 1 = 0 - possible sql injection attempt (sql.rules)
* 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
* 1:21778 <-> DISABLED <-> SQL parameter ending in comment characters - possible sql injection attempt - POST (sql.rules)
* 1:23018 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules)
* 1:23182 <-> ENABLED <-> SERVER-OTHER Joomla com_maqmahelpdesk task parameter local file inclusion attempt (server-other.rules)
* 1:24647 <-> DISABLED <-> SERVER-WEBAPP D-Link Wireless Router CAPTCHA data processing buffer overflow attempt (server-webapp.rules)
* 1:25592 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated document command - used in IFRAMEr tool injection (indicator-obfuscation.rules)
* 1:26092 <-> ENABLED <-> INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages (indicator-obfuscation.rules)
* 1:26101 <-> ENABLED <-> INDICATOR-OBFUSCATION String.fromCharCode concatenation (indicator-obfuscation.rules)
* 1:26352 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits (indicator-obfuscation.rules)
* 1:26441 <-> ENABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected (indicator-obfuscation.rules)
* 1:26829 <-> DISABLED <-> SQL generic sql update injection attempt - POST parameter (sql.rules)
* 1:26925 <-> DISABLED <-> SQL generic convert injection attempt - GET parameter (sql.rules)
* 1:26929 <-> ENABLED <-> SERVER-WEBAPP SAP ConfigServlet command execution attempt (server-webapp.rules)
* 1:27073 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules)
* 1:27074 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules)
* 1:27272 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode (indicator-obfuscation.rules)
* 1:27287 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:27288 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:27592 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:27735 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool usage (indicator-obfuscation.rules)
* 1:27736 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:27920 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28023 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28024 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28025 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28039 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .pw dns query (indicator-compromise.rules)
* 1:28284 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .nl.ai dns query (indicator-compromise.rules)
* 1:28288 <-> ENABLED <-> SERVER-WEBAPP WebTester install2.php arbitrary command execution attempt (server-webapp.rules)
* 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules)
* 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
* 1:28345 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28346 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28401 <-> DISABLED <-> OS-MOBILE Android Andr.Trojan.MobileTx APK file download attempt (os-mobile.rules)
* 1:28402 <-> DISABLED <-> OS-MOBILE Android Andr.Trojan.MobileTx APK file download attempt (os-mobile.rules)
* 1:28403 <-> DISABLED <-> OS-MOBILE Android Andr.Trojan.MobileTx information disclosure attempt (os-mobile.rules)
* 1:28408 <-> DISABLED <-> SERVER-WEBAPP ProcessMaker neoclassic skin arbitrary code execution attempt (server-webapp.rules)
* 1:28409 <-> DISABLED <-> SERVER-WEBAPP ProcessMaker neoclassic skin arbitrary code execution attempt (server-webapp.rules)
* 1:28420 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28421 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28422 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28556 <-> DISABLED <-> PROTOCOL-DNS DNS query amplification attempt (protocol-dns.rules)
* 1:28557 <-> DISABLED <-> PROTOCOL-DNS Malformed DNS query with HTTP content (protocol-dns.rules)
* 1:28806 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware download - single digit .exe file download (indicator-compromise.rules)
* 1:28811 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28812 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28893 <-> DISABLED <-> BROWSER-OTHER known revoked certificate for Tresor CA (browser-other.rules)
* 1:28941 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:29046 <-> DISABLED <-> SERVER-WEBAPP WhatsUp Gold ExportViewer.asp diretory traversal attempt (server-webapp.rules)
* 1:29090 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious test for public IP - iframe.ip138.com (indicator-compromise.rules)
* 1:29157 <-> DISABLED <-> SERVER-WEBAPP NagiosQL hostdependencies.php cross site scripting attempt (server-webapp.rules)
* 1:29158 <-> DISABLED <-> SERVER-WEBAPP NagiosQL hostdependencies.php cross site scripting attempt (server-webapp.rules)
* 1:29159 <-> DISABLED <-> SERVER-WEBAPP The Bug Genie openid_identifier cross site scripting attempt (server-webapp.rules)
* 1:29160 <-> DISABLED <-> SERVER-WEBAPP The Bug Genie openid_identifier cross site scripting attempt (server-webapp.rules)
* 1:29170 <-> DISABLED <-> SERVER-WEBAPP NetWeaver internet sales module directory traversal attempt (server-webapp.rules)
* 1:29190 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in Nuclear exploit kit (indicator-obfuscation.rules)
* 1:29346 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter cross site scripting attempt (server-webapp.rules)
* 1:29401 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000B setup.cgi parameter code execution attempt (server-webapp.rules)
* 1:29402 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000B setup.cgi parameter code execution attempt (server-webapp.rules)
* 1:29403 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN1000B setup.cgi cross site scripting attempt (server-webapp.rules)
* 1:29462 <-> ENABLED <-> INDICATOR-SCAN User-Agent known malicious user-agent The Mole (indicator-scan.rules)
* 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:29510 <-> ENABLED <-> INDICATOR-OBFUSCATION Multiple character encodings detected (indicator-obfuscation.rules)
* 1:29608 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO showRegisteredTypeDetails.do sql injection attempt (server-webapp.rules)
* 1:29609 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO DisplayMSAPropsDetail.do sql injection attempt (server-webapp.rules)
* 1:29815 <-> DISABLED <-> SERVER-WEBAPP Kloxo webcommand.php SQL injection attempt (server-webapp.rules)
* 1:29829 <-> ENABLED <-> SERVER-WEBAPP HNAP remote code execution attempt (server-webapp.rules)
* 1:29830 <-> ENABLED <-> SERVER-WEBAPP HNAP remote code execution attempt (server-webapp.rules)
* 1:29831 <-> ENABLED <-> SERVER-WEBAPP HNAP remote code execution attempt (server-webapp.rules)
* 1:29992 <-> DISABLED <-> SERVER-WEBAPP Linksys WRT120N tmUnblock.cgi TM_Block_URL parameter fprintf stack buffer overflow attempt (server-webapp.rules)
* 1:30012 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense Snort log view remote file inclusion attempt (server-webapp.rules)
* 1:30013 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense Snort log view remote file inclusion attempt (server-webapp.rules)
* 1:30033 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense webConfigurator invalid input attempt (server-webapp.rules)
* 1:30040 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:30041 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:30065 <-> ENABLED <-> INDICATOR-COMPROMISE ZenCart compromise attempt detected (indicator-compromise.rules)
* 1:30066 <-> ENABLED <-> INDICATOR-COMPROMISE ZenCart malicious redirect attempt detected (indicator-compromise.rules)
* 1:30100 <-> ENABLED <-> FILE-OTHER ftpchk3.php malicious script upload attempt (file-other.rules)
* 1:30101 <-> ENABLED <-> FILE-OTHER ftpchk3.php malicious script upload attempt (file-other.rules)
* 1:30230 <-> ENABLED <-> INDICATOR-COMPROMISE suspicious test for public IP - www.dawhois.com (indicator-compromise.rules)
* 1:30249 <-> ENABLED <-> SERVER-WEBAPP Embedded php in Exif data upload attempt (server-webapp.rules)
* 1:30274 <-> ENABLED <-> SERVER-WEBAPP LifeSize UVC remote code execution attempt (server-webapp.rules)
* 1:30769 <-> ENABLED <-> SERVER-OTHER Wordpress linenity theme LFI attempt (server-other.rules)
* 1:30880 <-> ENABLED <-> OS-MOBILE Android Andr.Trojan.Waller information disclosure attempt (os-mobile.rules)
* 1:30905 <-> DISABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
* 1:30908 <-> DISABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
* 1:30928 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver dir content listing attempt (server-other.rules)
* 1:30958 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)
* 1:30959 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)
* 1:30996 <-> ENABLED <-> SERVER-OTHER CMSimple remote file inclusion attempt (server-other.rules)
* 1:30997 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file (indicator-compromise.rules)
* 1:30998 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file (indicator-compromise.rules)
* 1:30999 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file (indicator-compromise.rules)
* 1:31000 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file (indicator-compromise.rules)
* 1:31001 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file (indicator-compromise.rules)
* 1:31094 <-> ENABLED <-> SERVER-WEBAPP Web Terria remote command execution attempt (server-webapp.rules)
* 1:31161 <-> ENABLED <-> SERVER-OTHER AuraCMS LFI attempt (server-other.rules)
* 1:31214 <-> ENABLED <-> INDICATOR-COMPROMISE connection to zeus malware sinkhole (indicator-compromise.rules)
* 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
* 1:31300 <-> ENABLED <-> SERVER-OTHER Xerox DocuShare SQL injection attempt (server-other.rules)
* 1:31339 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller information disclosure attempt (server-webapp.rules)
* 1:31340 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller information disclosure attempt (server-webapp.rules)
* 1:31341
<-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller password file disclosure attempt (server-webapp.rules) * 1:31342 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller password file disclosure attempt (server-webapp.rules) * 1:31356 <-> ENABLED <-> SERVER-WEBAPP Wordpress timthumb.php webshot source attack attempt (server-webapp.rules) * 1:31499 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell download attempt (indicator-compromise.rules) * 1:31500 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell upload attempt (indicator-compromise.rules) * 1:31501 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell command and control attempt (indicator-compromise.rules) * 1:31502 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell command and control attempt (indicator-compromise.rules) * 1:31503 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell download attempt (indicator-compromise.rules) * 1:31531 <-> ENABLED <-> INDICATOR-COMPROMISE MinerDeploy monitor request attempt (indicator-compromise.rules) * 1:31711 <-> DISABLED <-> INDICATOR-COMPROMISE Keylog string over FTP detected (indicator-compromise.rules) * 1:31830 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules) * 1:31874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt (os-windows.rules) * 1:31892 <-> DISABLED <-> SERVER-WEBAPP HybridAuth install.php code injection attempt (server-webapp.rules) * 1:32488 <-> DISABLED <-> INDICATOR-COMPROMISE .com- potentially malicious hostname (indicator-compromise.rules) * 1:32508 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules) * 1:32509 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules) * 1:32562 <-> ENABLED <-> FILE-OTHER Oracle Java awt_setPixels out-of-bounds read attempt (file-other.rules) * 1:32646 <-> 
DISABLED <-> INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file (indicator-compromise.rules) * 1:32761 <-> DISABLED <-> SERVER-WEBAPP dBlog CMS m parameter SQL injection attempt (server-webapp.rules) * 1:32774 <-> DISABLED <-> SERVER-OTHER Siemens Simatic S7-300 PLC backdoor login attempt (server-other.rules) * 1:32775 <-> DISABLED <-> SERVER-OTHER Siemens Simatic S7-300 PLC remote memory dump (server-other.rules) * 1:32888 <-> ENABLED <-> INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex - Spammed Malware Download attempt (indicator-compromise.rules) * 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules) * 1:33189 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules) * 1:33190 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules) * 1:33276 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules) * 1:33277 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules) * 1:33278 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules) * 1:33887 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules) * 1:33888 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules) * 1:33889 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules) * 1:33890 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules) * 1:34178 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules) * 1:34179 <-> ENABLED <-> OS-WINDOWS 
Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules) * 1:34220 <-> DISABLED <-> SERVER-WEBAPP Barracuda Networks Web Filter index.cgi command injection attempt (server-webapp.rules) * 1:34221 <-> DISABLED <-> SERVER-WEBAPP Barracuda Networks Web Filter index.cgi command injection attempt (server-webapp.rules) * 1:34222 <-> DISABLED <-> SERVER-WEBAPP Barracuda Networks Web Filter index.cgi command injection attempt (server-webapp.rules) * 1:34615 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules) * 1:34616 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules) * 1:34617 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules) * 1:34618 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules) * 1:34646 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules) * 1:34647 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules) * 1:34648 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules) * 1:34824 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules) * 1:34825 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules) * 1:35024 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules) * 1:35025 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules) * 1:35026 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules) * 1:35077 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager 
getMGList groupId SQL injection attempt (server-webapp.rules) * 1:35078 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules) * 1:35079 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules) * 1:35090 <-> ENABLED <-> OS-MOBILE iOS lockdownd plist object buffer overflow attempt (os-mobile.rules) * 1:35091 <-> ENABLED <-> OS-MOBILE iOS lockdownd plist object buffer overflow attempt (os-mobile.rules) * 1:35222 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - Win.Trojan.Dridex (indicator-compromise.rules) * 1:35243 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules) * 1:35244 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules) * 1:35245 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules) * 1:35246 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules) * 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:35359 <-> DISABLED <-> SERVER-WEBAPP Cacti selected_items SQL injection attempt (server-webapp.rules) * 1:35427 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules) * 1:35428 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules) * 1:35429 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications 
Manager customerName SQL injection attempt (server-webapp.rules) * 1:35533 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules) * 1:35534 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules) * 1:35535 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules) * 1:35573 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt (server-webapp.rules) * 1:35677 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance KSudoClient privilege escalation attempt (server-webapp.rules) * 1:35678 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance downloadpxy.php directory traversal attempt (server-webapp.rules) * 1:35679 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance downloadpxy.php directory traversal attempt (server-webapp.rules) * 1:35680 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance downloadpxy.php directory traversal attempt (server-webapp.rules) * 1:35681 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php authentication bypass attempt (server-webapp.rules) * 1:35682 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php directory traversal attempt (server-webapp.rules) * 1:35683 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php directory traversal attempt (server-webapp.rules) * 1:35684 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php directory traversal attempt (server-webapp.rules) * 1:35705 <-> ENABLED <-> BROWSER-IE Microsoft Edge history.state use after free attempt (browser-ie.rules) * 1:35706 <-> ENABLED <-> BROWSER-IE Microsoft Edge history.state use after free attempt (browser-ie.rules) * 1:35735 <-> ENABLED <-> OS-OTHER OS X DYLD_PRINT_TO_FILE privilege escalation attempt (os-other.rules) * 1:35736 <-> ENABLED <-> OS-OTHER OS X DYLD_PRINT_TO_FILE privilege escalation attempt 
(os-other.rules) * 1:35737 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules) * 1:35738 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules) * 1:35745 <-> ENABLED <-> INDICATOR-COMPROMISE Wild Neutron potential exploit attempt (indicator-compromise.rules) * 1:35865 <-> ENABLED <-> BROWSER-IE Internet Explorer DataSource recordset remote code execution attempt (browser-ie.rules) * 1:35866 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules) * 1:35867 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules) * 1:35872 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules) * 1:35873 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules) * 1:35874 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules) * 1:35875 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules) * 1:35888 <-> DISABLED <-> PROTOCOL-SCADA SCADA Engine OPC Server arbitrary file upload attempt (protocol-scada.rules) * 1:35892 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules) * 1:35893 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules) * 1:35896 <-> ENABLED <-> SERVER-OTHER GE Proficy CIMPLICITY Marquee Manager stack buffer overflow attempt (server-other.rules) * 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules) * 1:35910 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight information disclosure attempt (server-other.rules) * 1:35920 <-> ENABLED <-> SERVER-OTHER 
General Electric Proficy memory leakage request attempt (server-other.rules) * 1:36022 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules) * 1:36023 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules) * 1:36024 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules) * 1:36030 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules) * 1:36031 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules) * 1:36032 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules) * 1:36033 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules) * 1:36041 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules) * 1:36042 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules) * 1:36043 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules) * 1:36049 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules) * 1:36050 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules) * 1:36051 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules) * 1:36052 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA JSON interface hidden credentials authentication attempt (server-webapp.rules) * 1:36053 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA snmp JSON interface command 
injection attempt (server-webapp.rules) * 1:36101 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules) * 1:36102 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules) * 1:36104 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA configdb_file.php arbitrary PHP file upload attempt (server-webapp.rules) * 1:36242 <-> DISABLED <-> SERVER-WEBAPP Reprise License Manager edit_lf_get_data directory traversal attempt (server-webapp.rules) * 1:36270 <-> DISABLED <-> SERVER-WEBAPP Centreon main.php command injection attempt (server-webapp.rules) * 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules) * 1:36283 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules) * 1:36284 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules) * 1:36285 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules) * 1:36380 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev SaveContentServiceImpl servlet directory traversal attempt (server-webapp.rules) * 1:36544 <-> DISABLED <-> SERVER-WEBAPP pChart script parameter directory traversal attempt (server-webapp.rules) * 1:36793 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules) * 1:36794 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules) * 1:36795 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules) * 1:37130 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules) * 1:37131 <-> ENABLED <-> FILE-IDENTIFY .wsf attachment file type blocked by Outlook 
detected (file-identify.rules) * 1:37132 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules) * 1:37135 <-> ENABLED <-> SERVER-WEBAPP Fireeye Java decompiler reflection remote code execution attempt (server-webapp.rules) * 1:37136 <-> ENABLED <-> SERVER-WEBAPP Fireeye Java decompiler reflection remote code execution attempt (server-webapp.rules) * 1:37137 <-> ENABLED <-> SERVER-WEBAPP Fireeye Java decompiler reflection remote code execution attempt (server-webapp.rules) * 1:37138 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk FileDownload.jsp fName directory traversal attempt (server-webapp.rules) * 1:37139 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk FileDownload.jsp fName directory traversal attempt (server-webapp.rules) * 1:37140 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk FileDownload.jsp fName directory traversal attempt (server-webapp.rules) * 1:37243 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules) * 1:37244 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules) * 1:37285 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37286 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37287 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37289 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37290 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37292 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37324 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt 
(server-webapp.rules) * 1:37368 <-> DISABLED <-> SERVER-OTHER Multiple Vendors SOAP large array information disclosure attempt (server-other.rules) * 1:37411 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS hidden credentials authentication attempt (server-webapp.rules) * 1:37412 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules) * 1:37413 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules) * 1:37443 <-> DISABLED <-> SQL use of sleep function with select - likely SQL injection (sql.rules) * 1:37537 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules) * 1:37538 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules) * 1:37539 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules) * 1:37540 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules) * 1:37541 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules) * 1:37542 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules) * 1:37543 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules) * 1:37544 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules) * 1:37622 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules) * 1:37623 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules) * 1:37624 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules) * 1:38269 <-> DISABLED <-> 
SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_system command injection attempt (server-webapp.rules) * 1:38383 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules) * 1:38384 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules) * 1:38389 <-> DISABLED <-> SERVER-WEBAPP HID door command injection attempt (server-webapp.rules) * 1:38532 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules) * 1:38534 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules) * 1:38535 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules) * 1:38579 <-> DISABLED <-> SERVER-WEBAPP Atvise denial of service attempt (server-webapp.rules) * 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type text/plain containing Portable Executable data (indicator-compromise.rules) * 1:38629 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38630 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38631 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38632 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38633 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38634 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38635 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38636 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38639 <-> ENABLED <-> FILE-OFFICE Microsoft Office document with auto-start VBA macro detected (file-office.rules) * 1:38640 <-> ENABLED <-> FILE-OFFICE Microsoft Office document 
with auto-start VBA macro detected (file-office.rules) * 1:38648 <-> DISABLED <-> SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt (server-other.rules) * 1:38649 <-> DISABLED <-> SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt (server-other.rules) * 1:38796 <-> DISABLED <-> SERVER-OTHER Adroit denial of service attempt (server-other.rules) * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules) * 1:39038 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules) * 1:39039 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules) * 1:39043 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules) * 1:39044 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules) * 1:39070 <-> ENABLED <-> SERVER-WEBAPP Dlink local file disclosure attempt (server-webapp.rules) * 1:39177 <-> DISABLED <-> SERVER-WEBAPP Nagios XI graphApi.php command injection attempt (server-webapp.rules) * 1:39178 <-> DISABLED <-> SERVER-WEBAPP Nagios XI graphApi.php command injection attempt (server-webapp.rules) * 1:39179 <-> DISABLED <-> SERVER-WEBAPP Nagios XI nagiosim.php command injection attempt (server-webapp.rules) * 1:39180 <-> DISABLED <-> SERVER-WEBAPP Nagios XI nagiosim.php command injection attempt (server-webapp.rules) * 1:39181 <-> DISABLED <-> SERVER-WEBAPP Nagios XI ajaxproxy.php server side request forgery attempt (server-webapp.rules) * 1:39188 <-> DISABLED <-> SERVER-WEBAPP Nagios XI backend API server side request forgery attempt (server-webapp.rules) * 1:39192 <-> ENABLED <-> SERVER-WEBAPP D-Link router unauthorised DNS change attempt (server-webapp.rules) * 1:39198 <-> DISABLED <-> SERVER-WEBAPP D-Link authentication bypass attempt (server-webapp.rules) * 1:39268 <-> DISABLED <-> 
SERVER-WEBAPP Joomla PayPlans Extension com_payplans group_id SQL injection attempt (server-webapp.rules) * 1:39328 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules) * 1:39329 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules) * 1:39330 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules) * 1:39349 <-> ENABLED <-> SERVER-WEBAPP Wordpress Mobile Detector Plugin remote file upload attempt (server-webapp.rules) * 1:39350 <-> ENABLED <-> SERVER-WEBAPP Wordpress Mobile Detector Plugin remote file upload attempt (server-webapp.rules) * 1:39468 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules) * 1:39469 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules) * 1:39470 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules) * 1:39471 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules) * 1:39474 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler REST API login SQL injection attempt (server-webapp.rules) * 1:39475 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler algorithm_settings SQL injection attempt (server-webapp.rules) * 1:39476 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler export_report SQL injection attempt (server-webapp.rules) * 1:39477 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler port_config SQL injection attempt (server-webapp.rules) * 1:39639 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules) * 1:39640 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules) * 1:39641 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules) * 1:39742 <-> 
DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_dns XMLRPC method command injection attempt (server-webapp.rules)
* 1:39743 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)
* 1:39851 <-> ENABLED <-> INDICATOR-COMPROMISE Connection to malware sinkhole - CERT.PL (indicator-compromise.rules)
* 1:39866 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .ml dns query (indicator-compromise.rules)
* 1:39867 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .tk dns query (indicator-compromise.rules)
* 1:39868 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive Document Filters msofbtCLSID stack buffer overflow attempt (file-office.rules)
* 1:39869 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive Document Filters msofbtCLSID stack buffer overflow attempt (file-office.rules)
* 1:39871 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive Document Filters wSectorShift heap buffer overflow attempt (file-office.rules)
* 1:39872 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive Document Filters wSectorShift heap buffer overflow attempt (file-office.rules)
* 1:39930 <-> ENABLED <-> SERVER-WEBAPP Siemens IP-Camera credential disclosure attempt (server-webapp.rules)
* 1:39932 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39933 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39934 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39935 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39942 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
* 1:39943 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
* 1:39944 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
* 1:39945 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
* 1:39959 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules)
* 1:39960 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules)
* 1:39961 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules)
* 1:39962 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules)
* 1:39970 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt (browser-plugins.rules)
* 1:39971 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt (browser-plugins.rules)
* 1:39972 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt (browser-plugins.rules)
* 1:39973 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt (browser-plugins.rules)
* 1:40030 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40031 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40032 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40033 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40047 <-> ENABLED <-> SERVER-WEBAPP Belkin F9K1122 webpage buffer overflow attempt (server-webapp.rules)
* 1:40068 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt (server-webapp.rules)
* 1:40069 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt (server-webapp.rules)
* 1:40070 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt (server-webapp.rules)
* 1:40071 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt (server-webapp.rules)
* 1:40149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
* 1:40150 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
* 1:40255 <-> DISABLED <-> SERVER-WEBAPP FreePBX Music Module ajax.php command injection attempt (server-webapp.rules)
* 1:40283 <-> DISABLED <-> SERVER-WEBAPP Kaltura redirectWidgetCmd PHP object injection attempt (server-webapp.rules)
* 1:40382 <-> DISABLED <-> SERVER-OTHER Easy File Sharing Server remote code execution attempt (server-other.rules)
* 1:40446 <-> ENABLED <-> SERVER-WEBAPP Avtech IP Camera unauthenticated config access attempt (server-webapp.rules)
* 1:40447 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera search.cgi command injection attempt (server-webapp.rules)
* 1:40448 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera search.cgi command injection attempt (server-webapp.rules)
* 1:40524 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync JSON API ad_sync_now command injection attempt (server-webapp.rules)
* 1:40589 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
* 1:40590 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
* 1:40591 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
* 1:40592 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS notificationsBatchDetails.php SQL injection attempt (server-webapp.rules)
* 1:40755 <-> DISABLED <-> FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt (file-flash.rules)
* 1:40784 <-> ENABLED <-> SERVER-WEBAPP ZyXEL TR-064 SetNTPServers command injection attempt (server-webapp.rules)
* 1:40785 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
* 1:40786 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
* 1:40866 <-> DISABLED <-> PROTOCOL-OTHER TP-Link TDDP SET_CONFIG type buffer overflow attempt (protocol-other.rules)
* 1:40904 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules)
* 1:40905 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules)
* 1:40907 <-> DISABLED <-> PROTOCOL-OTHER TP-Link TDDP Get_config configuration leak attempt (protocol-other.rules)
* 1:40933 <-> DISABLED <-> SERVER-WEBAPP Reference Design Kit ajax_network_diagnostic_tools.php command injection attempt (server-webapp.rules)
* 1:40994 <-> DISABLED <-> SERVER-WEBAPP Sony IPELA IP Cameras prima-factory.cgi telnet backdoor access attempt (server-webapp.rules)
* 1:41112 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS Logs.class SQL injection attempt (server-webapp.rules)
* 1:41113 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS Logs.class SQL injection attempt (server-webapp.rules)
* 1:41114 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS TaskViewServlet.class SQL injection attempt (server-webapp.rules)
* 1:41115 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS TaskViewServlet.class SQL injection attempt (server-webapp.rules)
* 1:41116 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS WorkFlowServlet.class SQL injection attempt (server-webapp.rules)
* 1:41117 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS WorkFlowServlet.class SQL injection attempt (server-webapp.rules)
* 1:41346 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
* 1:41347 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
* 1:41348 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
* 1:41349 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
* 1:41364 <-> DISABLED <-> PROTOCOL-OTHER ARM mbed TLS x509 invalid public key remote code execution attempt (protocol-other.rules)
* 1:41387 <-> DISABLED <-> SERVER-WEBAPP ZyXEL P660HN ADSL Router logset.asp command injection attempt (server-webapp.rules)
* 1:41388 <-> DISABLED <-> SERVER-WEBAPP ZyXEL P660HN ADSL Router viewlog.asp command injection attempt (server-webapp.rules)
* 1:41390 <-> ENABLED <-> SERVER-WEBAPP Apache Commons Library FileUpload unauthorized Java object upload attempt (server-webapp.rules)
* 1:41401 <-> DISABLED <-> SERVER-WEBAPP Billion 5200W ADSL Router adv_remotelog.asp command injection attempt (server-webapp.rules)
* 1:41402 <-> DISABLED <-> SERVER-WEBAPP Billion 5200W ADSL Router tools_time.asp command injection attempt (server-webapp.rules)
* 1:41420 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
* 1:41421 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
* 1:41449 <-> DISABLED <-> SQL use of sleep function with and - likely SQL injection (sql.rules)
* 1:41488 <-> DISABLED <-> SERVER-WEBAPP GitHub Enterprise pre-receive-hooks SQL injection attempt (server-webapp.rules)
* 1:41495 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
* 1:41496 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
* 1:41497 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
* 1:41515 <-> ENABLED <-> POLICY-OTHER McAfee Virus Scan Linux outdated version detected (policy-other.rules)
* 1:41520 <-> DISABLED <-> SERVER-OTHER Ge Fanuc Proficy WebView DOS attempt (server-other.rules)
* 1:41642 <-> DISABLED <-> SERVER-WEBAPP TP-LINK AC750 ping diagnostic command injection attempt (server-webapp.rules)
* 1:41646 <-> DISABLED <-> PROTOCOL-SCADA BB-Elec ethernet gateway DOS attempt (protocol-scada.rules)
* 1:41693 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera adcommand.cgi command execution attempt (server-webapp.rules)
* 1:41694 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt (server-webapp.rules)
* 1:41695 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt (server-webapp.rules)
* 1:41696 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera cloudsetup.cgi command execution attempt (server-webapp.rules)
* 1:41697 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera machine.cgi information disclosure attempt (server-webapp.rules)
* 1:41710 <-> DISABLED <-> INDICATOR-COMPROMISE Binary file download request from internationalized domain name using Microsoft BITS (indicator-compromise.rules)
* 1:41722 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt (server-other.rules)
* 1:41723 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt (server-other.rules)
* 1:41724 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt (server-other.rules)
* 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
* 1:41732 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41733 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41734 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41735 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules)
* 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules)
* 1:41770 <-> DISABLED <-> SERVER-WEBAPP Wordpress NextGEN Gallery SQL injection attempt (server-webapp.rules)
* 1:41781 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
* 1:41782 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
* 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules)
* 1:41814 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
* 1:41815 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
* 1:41917 <-> ENABLED <-> SERVER-WEBAPP Carel PlantVisorPRO default login attempt (server-webapp.rules)
* 1:42005 <-> DISABLED <-> SERVER-WEBAPP Logsign JSON API validate_file command injection attempt (server-webapp.rules)
* 1:42016 <-> ENABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
* 1:42119 <-> DISABLED <-> SERVER-WEBAPP pfSense openvpn_wizard PHP code injection attempt (server-webapp.rules)
* 1:42131 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules)
* 1:42132 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules)
* 1:42210 <-> ENABLED <-> BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt (browser-ie.rules)
* 1:42211 <-> ENABLED <-> BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt (browser-ie.rules)
* 1:42232 <-> ENABLED <-> SERVER-OTHER TopSec Firewall cookie header command injection attempt (server-other.rules)
* 1:42253 <-> ENABLED <-> OS-SOLARIS Solaris dtappgather local privilege escalation attempt (os-solaris.rules)
* 1:42254 <-> ENABLED <-> OS-SOLARIS Solaris dtappgather local privilege escalation attempt (os-solaris.rules)
* 1:42291 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM API get_host_fqdn host_ip command injection attempt (server-webapp.rules)
* 1:42338 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request memory leak attempt (os-windows.rules)
* 1:42340 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (os-windows.rules)
* 1:42372 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42406 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG admin backdoor login attempt (server-webapp.rules)
* 1:42407 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdfs.cgi command injection attempt (server-webapp.rules)
* 1:42408 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdfs.cgi command injection attempt (server-webapp.rules)
* 1:42409 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdfs.cgi command injection attempt (server-webapp.rules)
* 1:42410 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdtool backdoor login attempt (server-webapp.rules)
* 1:42411 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG session id check bypass attempt (server-webapp.rules)
* 1:42424 <-> DISABLED <-> POLICY-OTHER MSSQL CLR permission set to unsafe attempt (policy-other.rules)
* 1:42426 <-> DISABLED <-> SERVER-WEBAPP Phpcms attachment upload SQL injection attempt (server-webapp.rules)
* 1:42427 <-> DISABLED <-> SERVER-WEBAPP Phpcms attachment upload SQL injection attempt (server-webapp.rules)
* 1:42428 <-> DISABLED <-> SERVER-WEBAPP Phpcms attachment upload SQL injection attempt (server-webapp.rules)
* 1:42429 <-> DISABLED <-> SERVER-WEBAPP Phpcms user registration remote file include attempt (server-webapp.rules)
* 1:42430 <-> DISABLED <-> SERVER-WEBAPP Phpcms user registration remote file include attempt (server-webapp.rules)
* 1:42767 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt (os-windows.rules)
* 1:42768 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt (os-windows.rules)
* 1:42787 <-> DISABLED <-> POLICY-OTHER Schneider Electric hardcoded FTP login attempt (policy-other.rules)
* 1:42839 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog login.php SQL injection attempt (server-webapp.rules)
* 1:42840 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog logshares_ajax.php command injection attempt (server-webapp.rules)
* 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:42850 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42851 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42852 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42853 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)
* 1:42854 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)
* 1:42890 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
* 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
* 1:42901 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
* 1:42905 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
* 1:42906 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42907 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42908 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42909 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42920 <-> DISABLED <-> SERVER-WEBAPP LogRhythm Network Monitor JSON configuration API command injection attempt (server-webapp.rules)
* 1:43045 <-> ENABLED <-> SERVER-OTHER RaySharp DVR administrative interface access attempt (server-other.rules)
* 1:43178 <-> DISABLED <-> SERVER-WEBAPP VICIdial user_authorization command injection attempt (server-webapp.rules)
* 1:43179 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules)
* 1:43180 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules)
* 1:43237 <-> ENABLED <-> SERVER-WEBAPP SysAid Enterprise auth bypass and remote file upload attempt (server-webapp.rules)
* 1:43251 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA LogSettingHandler command injection attempt (server-webapp.rules)
* 1:43308 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:43309 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:43310 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43311 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43312 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43313 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43314 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43315 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43316 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:43317 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:43318 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43319 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43320 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43321 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43322 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43323 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43451 <-> DISABLED <-> SERVER-WEBAPP TerraMaster NAS arbitrary PHP file upload attempt (server-webapp.rules)
* 1:43494 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling appleid (server-webapp.rules)
* 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)
* 1:43549 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Manager authentication bypass attempt (server-webapp.rules)
* 1:43552 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk upload remote code execution attempt (server-webapp.rules)
* 1:43553 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk upload remote code execution attempt (server-webapp.rules)
* 1:43554 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk upload remote code execution attempt (server-webapp.rules)
* 1:43687 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .top dns query (indicator-compromise.rules)
* 1:43709 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
* 1:43710 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
* 1:43711 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
* 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
* 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
* 1:43878 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules)
* 1:43881 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules)
* 1:43882 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules)
* 1:43884 <-> ENABLED <-> FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt (file-pdf.rules)
* 1:43886 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
* 1:43887 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
* 1:43888 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
* 1:43889 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
* 1:43893 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
* 1:43894 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
* 1:43895 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
* 1:43896 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
* 1:43897 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
* 1:43898 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (server-webapp.rules)
* 1:45558 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
* 1:45569 <-> DISABLED <-> SERVER-WEBAPP Squid host header cache poisoning attempt (server-webapp.rules)
* 1:45550 <-> ENABLED <-> PUA-OTHER CPUMiner-Multi cryptocurrency mining pool connection attempt (pua-other.rules)
* 1:45561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LockPoS outbound connection attempt (malware-cnc.rules)
* 1:45562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LockPoS outbound connection attempt (malware-cnc.rules)
* 1:45563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 1:45565 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif variant download attempt (malware-other.rules)
* 1:45560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LockPoS outbound connection attempt (malware-cnc.rules)
* 1:45552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Velso ransomware download (malware-cnc.rules)
* 1:45554 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
* 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules)
* 1:45556 <-> DISABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
* 1:45551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Velso ransomware download (malware-cnc.rules)
* 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of service attempt (server-samba.rules)
* 1:45566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 1:45559 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
* 1:45557 <-> DISABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
* 1:45553 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
* 1:45567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:43937 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43938 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43983 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
* 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43904 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
* 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
* 1:43905 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
* 1:43906 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
* 1:43907 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
* 1:43908 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43968 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
* 1:43909 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43910 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43911 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43912 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43913 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43916 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
* 1:43964 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
* 1:43963 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
* 1:43962 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
* 1:43961 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
* 1:43980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43979 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43939 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt (server-webapp.rules)
* 1:43978 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:43941 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
* 1:43940 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
* 1:43917 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
* 1:43924 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
* 1:43925 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
* 1:43977 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43934 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:43935 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt (server-webapp.rules)
* 1:43936 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
* 1:44053 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
* 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
* 1:44034 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
* 1:44033 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
* 1:44023 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
* 1:44008 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:43967 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
* 1:44007 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44006 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44000 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
* 1:43999 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
* 1:43998 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
* 1:43997 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
* 1:43994 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43993 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43992 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43991 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43984 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
* 1:44145 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
* 1:44144 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
* 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
* 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
* 1:44095 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
* 1:44094 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
* 1:44087 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
* 1:44086 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
* 1:44084 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
* 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
* 1:44077 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .win dns query (indicator-compromise.rules)
* 1:44076 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .trade dns query (indicator-compromise.rules)
* 1:44054 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
* 1:43900 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:43901 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
* 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
* 1:44300 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem authentication bypass attempt (server-webapp.rules)
* 1:44234 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
* 1:44233 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
* 1:44232 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
* 1:13512 <-> DISABLED <-> SQL generic sql exec injection attempt - GET parameter (sql.rules)
* 1:13514 <-> DISABLED <-> SQL generic sql update injection attempt - GET parameter (sql.rules)
* 1:15503 <-> ENABLED <-> FILE-OFFICE Download of PowerPoint 95 file (file-office.rules)
* 1:15584 <-> DISABLED <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules)
* 1:15874 <-> DISABLED <-> SQL union select - possible sql injection attempt - POST parameter (sql.rules)
* 1:15875 <-> DISABLED <-> SQL generic sql insert injection attempt - POST parameter (sql.rules)
* 1:15877 <-> DISABLED <-> SQL generic sql exec injection attempt - POST parameter (sql.rules)
* 1:16431 <-> ENABLED <-> SQL generic sql with comments injection attempt - GET parameter (sql.rules)
* 1:18683 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel file with embedded PDF object (file-office.rules)
* 1:19439 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:19440 <-> ENABLED <-> SQL 1 = 0 - possible sql injection attempt (sql.rules)
* 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
* 1:21778 <-> DISABLED <-> SQL parameter ending in comment characters - possible sql injection attempt - POST (sql.rules)
* 1:23018 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules)
* 1:23182 <-> ENABLED <-> SERVER-OTHER Joomla com_maqmahelpdesk task parameter local file inclusion attempt (server-other.rules)
* 1:24647 <-> DISABLED <-> SERVER-WEBAPP D-Link Wireless Router CAPTCHA data processing buffer overflow attempt (server-webapp.rules)
* 1:25592 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated document command - used in IFRAMEr tool injection (indicator-obfuscation.rules)
* 1:26092 <-> ENABLED <-> INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages (indicator-obfuscation.rules)
* 1:26101 <-> ENABLED <-> INDICATOR-OBFUSCATION String.fromCharCode concatenation (indicator-obfuscation.rules)
* 1:26352 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits (indicator-obfuscation.rules)
* 1:26441 <-> ENABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected (indicator-obfuscation.rules)
* 1:26829 <-> DISABLED <-> SQL generic sql update injection attempt - POST parameter (sql.rules)
* 1:26925 <-> DISABLED <-> SQL generic convert injection attempt - GET parameter (sql.rules)
* 1:26929 <-> ENABLED <-> SERVER-WEBAPP SAP ConfigServlet command execution attempt (server-webapp.rules)
* 1:27073 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules)
* 1:27074 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules)
* 1:27272 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode (indicator-obfuscation.rules)
* 1:27287 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:27288 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:27592 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:27735 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool usage (indicator-obfuscation.rules)
* 1:27736 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:27920 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28023 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28024 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28025 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28039 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .pw dns query (indicator-compromise.rules)
* 1:28284 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .nl.ai dns query (indicator-compromise.rules)
* 1:28288 <-> ENABLED <-> SERVER-WEBAPP WebTester install2.php arbitrary command execution attempt (server-webapp.rules)
* 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution
attempt (server-webapp.rules) * 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules) * 1:28345 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28346 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28401 <-> DISABLED <-> OS-MOBILE Android Andr.Trojan.MobileTx APK file download attempt (os-mobile.rules) * 1:28402 <-> DISABLED <-> OS-MOBILE Android Andr.Trojan.MobileTx APK file download attempt (os-mobile.rules) * 1:28403 <-> DISABLED <-> OS-MOBILE Android Andr.Trojan.MobileTx information disclosure attempt (os-mobile.rules) * 1:28408 <-> DISABLED <-> SERVER-WEBAPP ProcessMaker neoclassic skin arbitrary code execution attempt (server-webapp.rules) * 1:28409 <-> DISABLED <-> SERVER-WEBAPP ProcessMaker neoclassic skin arbitrary code execution attempt (server-webapp.rules) * 1:28420 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28421 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28422 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28556 <-> DISABLED <-> PROTOCOL-DNS DNS query amplification attempt (protocol-dns.rules) * 1:28557 <-> DISABLED <-> PROTOCOL-DNS Malformed DNS query with HTTP content (protocol-dns.rules) * 1:28806 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware download - single digit .exe file download (indicator-compromise.rules) * 1:28811 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28812 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack 
(indicator-obfuscation.rules) * 1:28893 <-> DISABLED <-> BROWSER-OTHER known revoked certificate for Tresor CA (browser-other.rules) * 1:28941 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:29046 <-> DISABLED <-> SERVER-WEBAPP WhatsUp Gold ExportViewer.asp diretory traversal attempt (server-webapp.rules) * 1:29090 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious test for public IP - iframe.ip138.com (indicator-compromise.rules) * 1:29157 <-> DISABLED <-> SERVER-WEBAPP NagiosQL hostdependencies.php cross site scripting attempt (server-webapp.rules) * 1:29158 <-> DISABLED <-> SERVER-WEBAPP NagiosQL hostdependencies.php cross site scripting attempt (server-webapp.rules) * 1:29159 <-> DISABLED <-> SERVER-WEBAPP The Bug Genie openid_identifier cross site scripting attempt (server-webapp.rules) * 1:29160 <-> DISABLED <-> SERVER-WEBAPP The Bug Genie openid_identifier cross site scripting attempt (server-webapp.rules) * 1:29170 <-> DISABLED <-> SERVER-WEBAPP NetWeaver internet sales module directory traversal attempt (server-webapp.rules) * 1:29190 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in Nuclear exploit kit (indicator-obfuscation.rules) * 1:29346 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter cross site scripting attempt (server-webapp.rules) * 1:29401 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000B setup.cgi parameter code execution attempt (server-webapp.rules) * 1:29402 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000B setup.cgi parameter code execution attempt (server-webapp.rules) * 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules) * 1:44471 <-> ENABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules) * 1:44467 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt 
(server-webapp.rules) * 1:44466 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules) * 1:44465 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules) * 1:44454 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi directory traversal attempt (server-webapp.rules) * 1:44453 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi NTP service configuration command injection attempt (server-webapp.rules) * 1:44437 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules) * 1:44436 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules) * 1:44435 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF authentication token disclosure attempt (server-webapp.rules) * 1:44433 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules) * 1:44432 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules) * 1:44431 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules) * 1:44430 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules) * 1:44388 <-> ENABLED <-> SERVER-WEBAPP D-Link getcfg.php credential disclosure attempt (server-webapp.rules) * 1:44387 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules) * 1:44386 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules) * 1:44385 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules) * 1:44384 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules) * 1:44383 <-> DISABLED <-> SERVER-WEBAPP D-Link router firmware update attempt (server-webapp.rules) * 1:44322 <-> DISABLED <-> SERVER-WEBAPP NEC Express Cluster 
DeleteWorkDirectory.js command injection attempt (server-webapp.rules) * 1:44321 <-> DISABLED <-> SERVER-WEBAPP NEC Express Cluster DeleteWorkDirectory.js command injection attempt (server-webapp.rules) * 1:44682 <-> DISABLED <-> SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt (server-other.rules) * 1:44588 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules) * 1:44587 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules) * 1:44582 <-> ENABLED <-> SERVER-WEBAPP Trend Micro widget system authentication bypass attempt (server-webapp.rules) * 1:44580 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules) * 1:44579 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules) * 1:44551 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules) * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules) * 1:44497 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras information disclosure attempt (server-webapp.rules) * 1:44496 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules) * 1:44495 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules) * 1:44494 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules) * 1:44492 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules) * 1:44491 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules) * 1:44490 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules) * 1:44472 <-> 
ENABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules) * 1:44683 <-> DISABLED <-> SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt (server-other.rules) * 1:45136 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit PowerShell CLI Download and Run attempt (indicator-compromise.rules) * 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules) * 1:44793 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules) * 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules) * 1:44728 <-> DISABLED <-> INDICATOR-COMPROMISE Meterpreter payload download attempt (indicator-compromise.rules) * 1:44688 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt (server-webapp.rules) * 1:44687 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt (server-webapp.rules) * 1:45129 <-> ENABLED <-> BROWSER-IE Microsoft Edge defineGetter type confusion attempt (browser-ie.rules) * 1:45128 <-> ENABLED <-> BROWSER-IE Microsoft Edge defineGetter type confusion attempt (browser-ie.rules) * 1:45060 <-> DISABLED <-> SERVER-WEBAPP pfSense system_groupmanager.php command injection attempt (server-webapp.rules) * 1:44875 <-> ENABLED <-> INDICATOR-COMPROMISE Malicious VBA script detected (indicator-compromise.rules) * 1:45281 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45280 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45279 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45278 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45277 <-> DISABLED <-> BROWSER-PLUGINS 
UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45276 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45275 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45274 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45273 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45272 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45271 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45270 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45261 <-> DISABLED <-> SERVER-WEBAPP Vivotek IP Cameras remote stack buffer overflow attempt (server-webapp.rules) * 1:45254 <-> DISABLED <-> SERVER-OTHER Polycom HDX Series remote code execution attempt (server-other.rules) * 1:45250 <-> ENABLED <-> SERVER-WEBAPP Delta IEM DIAEnergie file upload attempt (server-webapp.rules) * 1:45240 <-> DISABLED <-> SERVER-WEBAPP OpenEMR fax_dispatch.php command injection attempt (server-webapp.rules) * 1:45238 <-> DISABLED <-> SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt (server-webapp.rules) * 1:45237 <-> DISABLED <-> SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt (server-webapp.rules) * 1:45215 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules) * 1:45214 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules) * 1:45137 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit run hidden powershell attempt (indicator-compromise.rules) * 1:45297 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45296 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt 
(browser-plugins.rules) * 1:45295 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45294 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45293 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45292 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45291 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45290 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45289 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45288 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45287 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45286 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45285 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45284 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45283 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45282 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45312 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules) * 1:45301 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45300 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45299 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45298 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX 
clsid access attempt (browser-plugins.rules) * 1:45313 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules) * 1:29403 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN1000B setup.cgi cross site scripting attempt (server-webapp.rules) * 1:29462 <-> ENABLED <-> INDICATOR-SCAN User-Agent known malicious user-agent The Mole (indicator-scan.rules) * 1:29510 <-> ENABLED <-> INDICATOR-OBFUSCATION Multiple character encodings detected (indicator-obfuscation.rules) * 1:29608 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO showRegisteredTypeDetails.do sql injection attempt (server-webapp.rules) * 1:29609 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO DisplayMSAPropsDetail.do sql injection attempt (server-webapp.rules) * 1:29815 <-> DISABLED <-> SERVER-WEBAPP Kloxo webcommand.php SQL injection attempt (server-webapp.rules) * 1:29829 <-> ENABLED <-> SERVER-WEBAPP HNAP remote code execution attempt (server-webapp.rules) * 1:29830 <-> ENABLED <-> SERVER-WEBAPP HNAP remote code execution attempt (server-webapp.rules) * 1:29831 <-> ENABLED <-> SERVER-WEBAPP HNAP remote code execution attempt (server-webapp.rules) * 1:29992 <-> DISABLED <-> SERVER-WEBAPP Linksys WRT120N tmUnblock.cgi TM_Block_URL parameter fprintf stack buffer overflow attempt (server-webapp.rules) * 1:30012 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense Snort log view remote file inclusion attempt (server-webapp.rules) * 1:45549 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency mining pool connection attempt (pua-other.rules) * 1:45419 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules) * 1:45418 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules) * 1:45410 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi command injection attempt (server-webapp.rules) * 1:45409 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi command injection attempt (server-webapp.rules) * 
1:45408 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi command injection attempt (server-webapp.rules) * 1:45407 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi backdoor account access attempt (server-webapp.rules) * 1:45371 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules) * 1:45370 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules) * 1:30013 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense Snort log view remote file inclusion attempt (server-webapp.rules) * 1:30033 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense webConfigurator invalid input attempt (server-webapp.rules) * 1:30040 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:30041 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:30065 <-> ENABLED <-> INDICATOR-COMPROMISE ZenCart compromise attempt detected (indicator-compromise.rules) * 1:30066 <-> ENABLED <-> INDICATOR-COMPROMISE ZenCart malicious redirect attempt detected (indicator-compromise.rules) * 1:30100 <-> ENABLED <-> FILE-OTHER ftpchk3.php malicious script upload attempt (file-other.rules) * 1:30101 <-> ENABLED <-> FILE-OTHER ftpchk3.php malicious script upload attempt (file-other.rules) * 1:30230 <-> ENABLED <-> INDICATOR-COMPROMISE suspicious test for public IP - www.dawhois.com (indicator-compromise.rules) * 1:30249 <-> ENABLED <-> SERVER-WEBAPP Embedded php in Exif data upload attempt (server-webapp.rules) * 1:30274 <-> ENABLED <-> SERVER-WEBAPP LifeSize UVC remote code execution attempt (server-webapp.rules) * 1:30769 <-> ENABLED <-> SERVER-OTHER Wordpress linenity theme LFI attempt (server-other.rules) * 1:30880 <-> ENABLED <-> OS-MOBILE Android Andr.Trojan.Waller information disclosure attempt (os-mobile.rules) * 1:30905 <-> DISABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules) * 1:30908 <-> DISABLED <-> 
FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules) * 1:30928 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver dir content listing attempt (server-other.rules) * 1:30958 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules) * 1:30959 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules) * 1:30996 <-> ENABLED <-> SERVER-OTHER CMSimple remote file inclusion attempt (server-other.rules) * 1:30997 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file (indicator-compromise.rules) * 1:30998 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file (indicator-compromise.rules) * 1:30999 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file (indicator-compromise.rules) * 1:31000 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file (indicator-compromise.rules) * 1:31001 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file (indicator-compromise.rules) * 1:31094 <-> ENABLED <-> SERVER-WEBAPP Web Terria remote command execution attempt (server-webapp.rules) * 1:31161 <-> ENABLED <-> SERVER-OTHER AuraCMS LFI attempt (server-other.rules) * 1:31214 <-> ENABLED <-> INDICATOR-COMPROMISE connection to zeus malware sinkhole (indicator-compromise.rules) * 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules) * 1:31300 <-> ENABLED <-> SERVER-OTHER Xerox DocuShare SQL injection attempt (server-other.rules) * 1:31339 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller information disclosure attempt (server-webapp.rules) * 1:31340 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller information disclosure attempt (server-webapp.rules) * 1:31341 
<-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller password file disclosure attempt (server-webapp.rules) * 1:31342 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller password file disclosure attempt (server-webapp.rules) * 1:31356 <-> ENABLED <-> SERVER-WEBAPP Wordpress timthumb.php webshot source attack attempt (server-webapp.rules) * 1:31499 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell download attempt (indicator-compromise.rules) * 1:31500 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell upload attempt (indicator-compromise.rules) * 1:31501 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell command and control attempt (indicator-compromise.rules) * 1:31502 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell command and control attempt (indicator-compromise.rules) * 1:31503 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell download attempt (indicator-compromise.rules) * 1:31531 <-> ENABLED <-> INDICATOR-COMPROMISE MinerDeploy monitor request attempt (indicator-compromise.rules) * 1:31711 <-> DISABLED <-> INDICATOR-COMPROMISE Keylog string over FTP detected (indicator-compromise.rules) * 1:31830 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules) * 1:31874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt (os-windows.rules) * 1:31892 <-> DISABLED <-> SERVER-WEBAPP HybridAuth install.php code injection attempt (server-webapp.rules) * 1:32488 <-> DISABLED <-> INDICATOR-COMPROMISE .com- potentially malicious hostname (indicator-compromise.rules) * 1:32508 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules) * 1:32509 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules) * 1:32562 <-> ENABLED <-> FILE-OTHER Oracle Java awt_setPixels out-of-bounds read attempt (file-other.rules) * 1:32646 <-> 
DISABLED <-> INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file (indicator-compromise.rules) * 1:32761 <-> DISABLED <-> SERVER-WEBAPP dBlog CMS m parameter SQL injection attempt (server-webapp.rules) * 1:32774 <-> DISABLED <-> SERVER-OTHER Siemens Simatic S7-300 PLC backdoor login attempt (server-other.rules) * 1:32775 <-> DISABLED <-> SERVER-OTHER Siemens Simatic S7-300 PLC remote memory dump (server-other.rules) * 1:32888 <-> ENABLED <-> INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex - Spammed Malware Download attempt (indicator-compromise.rules) * 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules) * 1:33189 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules) * 1:33190 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules) * 1:33276 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules) * 1:33277 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules) * 1:33278 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules) * 1:33887 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules) * 1:33888 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules) * 1:33889 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules) * 1:33890 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules) * 1:34178 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules) * 1:34179 <-> ENABLED <-> OS-WINDOWS 
Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules) * 1:34220 <-> DISABLED <-> SERVER-WEBAPP Barracuda Networks Web Filter index.cgi command injection attempt (server-webapp.rules) * 1:34221 <-> DISABLED <-> SERVER-WEBAPP Barracuda Networks Web Filter index.cgi command injection attempt (server-webapp.rules) * 1:34222 <-> DISABLED <-> SERVER-WEBAPP Barracuda Networks Web Filter index.cgi command injection attempt (server-webapp.rules) * 1:34615 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules) * 1:34616 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules) * 1:34617 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules) * 1:34618 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules) * 1:34646 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules) * 1:34647 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules) * 1:34648 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules) * 1:34824 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules) * 1:34825 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules) * 1:35024 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules) * 1:35025 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules) * 1:35026 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules) * 1:35077 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager 
getMGList groupId SQL injection attempt (server-webapp.rules)
* 1:35078 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules)
* 1:35079 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules)
* 1:35090 <-> ENABLED <-> OS-MOBILE iOS lockdownd plist object buffer overflow attempt (os-mobile.rules)
* 1:35091 <-> ENABLED <-> OS-MOBILE iOS lockdownd plist object buffer overflow attempt (os-mobile.rules)
* 1:35222 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - Win.Trojan.Dridex (indicator-compromise.rules)
* 1:35243 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules)
* 1:35244 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules)
* 1:35245 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules)
* 1:35246 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules)
* 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:35359 <-> DISABLED <-> SERVER-WEBAPP Cacti selected_items SQL injection attempt (server-webapp.rules)
* 1:35427 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35428 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35429 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35533 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35534 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35535 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35573 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt (server-webapp.rules)
* 1:35677 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance KSudoClient privilege escalation attempt (server-webapp.rules)
* 1:35678 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance downloadpxy.php directory traversal attempt (server-webapp.rules)
* 1:35679 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance downloadpxy.php directory traversal attempt (server-webapp.rules)
* 1:35680 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance downloadpxy.php directory traversal attempt (server-webapp.rules)
* 1:35681 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php authentication bypass attempt (server-webapp.rules)
* 1:35682 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php directory traversal attempt (server-webapp.rules)
* 1:35683 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php directory traversal attempt (server-webapp.rules)
* 1:35684 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php directory traversal attempt (server-webapp.rules)
* 1:35705 <-> ENABLED <-> BROWSER-IE Microsoft Edge history.state use after free attempt (browser-ie.rules)
* 1:35706 <-> ENABLED <-> BROWSER-IE Microsoft Edge history.state use after free attempt (browser-ie.rules)
* 1:35735 <-> ENABLED <-> OS-OTHER OS X DYLD_PRINT_TO_FILE privilege escalation attempt (os-other.rules)
* 1:35736 <-> ENABLED <-> OS-OTHER OS X DYLD_PRINT_TO_FILE privilege escalation attempt (os-other.rules)
* 1:35737 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules)
* 1:35738 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules)
* 1:35745 <-> ENABLED <-> INDICATOR-COMPROMISE Wild Neutron potential exploit attempt (indicator-compromise.rules)
* 1:35865 <-> ENABLED <-> BROWSER-IE Internet Explorer DataSource recordset remote code execution attempt (browser-ie.rules)
* 1:35866 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
* 1:35867 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
* 1:35872 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35873 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35874 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35875 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35888 <-> DISABLED <-> PROTOCOL-SCADA SCADA Engine OPC Server arbitrary file upload attempt (protocol-scada.rules)
* 1:35892 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
* 1:35893 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
* 1:35896 <-> ENABLED <-> SERVER-OTHER GE Proficy CIMPLICITY Marquee Manager stack buffer overflow attempt (server-other.rules)
* 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules)
* 1:35910 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight information disclosure attempt (server-other.rules)
* 1:35920 <-> ENABLED <-> SERVER-OTHER General Electric Proficy memory leakage request attempt (server-other.rules)
* 1:36022 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
* 1:36023 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
* 1:36024 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
* 1:36030 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36031 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36032 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36033 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36041 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules)
* 1:36042 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules)
* 1:36043 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules)
* 1:36049 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules)
* 1:36050 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules)
* 1:36051 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules)
* 1:36052 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA JSON interface hidden credentials authentication attempt (server-webapp.rules)
* 1:36053 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA snmp JSON interface command injection attempt (server-webapp.rules)
* 1:36101 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules)
* 1:36102 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules)
* 1:36104 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA configdb_file.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:36242 <-> DISABLED <-> SERVER-WEBAPP Reprise License Manager edit_lf_get_data directory traversal attempt (server-webapp.rules)
* 1:36270 <-> DISABLED <-> SERVER-WEBAPP Centreon main.php command injection attempt (server-webapp.rules)
* 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules)
* 1:36283 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
* 1:36284 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
* 1:36285 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
* 1:36380 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev SaveContentServiceImpl servlet directory traversal attempt (server-webapp.rules)
* 1:36544 <-> DISABLED <-> SERVER-WEBAPP pChart script parameter directory traversal attempt (server-webapp.rules)
* 1:36793 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules)
* 1:36794 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules)
* 1:36795 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules)
* 1:37130 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules)
* 1:37131 <-> ENABLED <-> FILE-IDENTIFY .wsf attachment file type blocked by Outlook detected (file-identify.rules)
* 1:37132 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules)
* 1:37135 <-> ENABLED <-> SERVER-WEBAPP Fireeye Java decompiler reflection remote code execution attempt (server-webapp.rules)
* 1:37136 <-> ENABLED <-> SERVER-WEBAPP Fireeye Java decompiler reflection remote code execution attempt (server-webapp.rules)
* 1:37137 <-> ENABLED <-> SERVER-WEBAPP Fireeye Java decompiler reflection remote code execution attempt (server-webapp.rules)
* 1:37138 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk FileDownload.jsp fName directory traversal attempt (server-webapp.rules)
* 1:37139 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk FileDownload.jsp fName directory traversal attempt (server-webapp.rules)
* 1:37140 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk FileDownload.jsp fName directory traversal attempt (server-webapp.rules)
* 1:37243 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules)
* 1:37244 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules)
* 1:37285 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
* 1:37286 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
* 1:37287 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
* 1:37289 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
* 1:37290 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
* 1:37292 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
* 1:37324 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt (server-webapp.rules)
* 1:37368 <-> DISABLED <-> SERVER-OTHER Multiple Vendors SOAP large array information disclosure attempt (server-other.rules)
* 1:37411 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS hidden credentials authentication attempt (server-webapp.rules)
* 1:37412 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules)
* 1:37413 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules)
* 1:37443 <-> DISABLED <-> SQL use of sleep function with select - likely SQL injection (sql.rules)
* 1:37537 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37538 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37539 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37540 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37541 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37542 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37543 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37544 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37622 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules)
* 1:37623 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules)
* 1:37624 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules)
* 1:38269 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_system command injection attempt (server-webapp.rules)
* 1:38383 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)
* 1:38384 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)
* 1:38389 <-> DISABLED <-> SERVER-WEBAPP HID door command injection attempt (server-webapp.rules)
* 1:38532 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
* 1:38534 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
* 1:38535 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
* 1:38579 <-> DISABLED <-> SERVER-WEBAPP Atvise denial of service attempt (server-webapp.rules)
* 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type text/plain containing Portable Executable data (indicator-compromise.rules)
* 1:38629 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38630 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38631 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38632 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38633 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38634 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38635 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38636 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38639 <-> ENABLED <-> FILE-OFFICE Microsoft Office document with auto-start VBA macro detected (file-office.rules)
* 1:38640 <-> ENABLED <-> FILE-OFFICE Microsoft Office document with auto-start VBA macro detected (file-office.rules)
* 1:38648 <-> DISABLED <-> SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt (server-other.rules)
* 1:38649 <-> DISABLED <-> SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt (server-other.rules)
* 1:38796 <-> DISABLED <-> SERVER-OTHER Adroit denial of service attempt (server-other.rules)
* 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
* 1:39038 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
* 1:39039 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
* 1:39043 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
* 1:39044 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
* 1:39070 <-> ENABLED <-> SERVER-WEBAPP Dlink local file disclosure attempt (server-webapp.rules)
* 1:39177 <-> DISABLED <-> SERVER-WEBAPP Nagios XI graphApi.php command injection attempt (server-webapp.rules)
* 1:39178 <-> DISABLED <-> SERVER-WEBAPP Nagios XI graphApi.php command injection attempt (server-webapp.rules)
* 1:39179 <-> DISABLED <-> SERVER-WEBAPP Nagios XI nagiosim.php command injection attempt (server-webapp.rules)
* 1:39180 <-> DISABLED <-> SERVER-WEBAPP Nagios XI nagiosim.php command injection attempt (server-webapp.rules)
* 1:39181 <-> DISABLED <-> SERVER-WEBAPP Nagios XI ajaxproxy.php server side request forgery attempt (server-webapp.rules)
* 1:39188 <-> DISABLED <-> SERVER-WEBAPP Nagios XI backend API server side request forgery attempt (server-webapp.rules)
* 1:39192 <-> ENABLED <-> SERVER-WEBAPP D-Link router unauthorised DNS change attempt (server-webapp.rules)
* 1:39198 <-> DISABLED <-> SERVER-WEBAPP D-Link authentication bypass attempt (server-webapp.rules)
* 1:39268 <-> DISABLED <-> SERVER-WEBAPP Joomla PayPlans Extension com_payplans group_id SQL injection attempt (server-webapp.rules)
* 1:39328 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules)
* 1:39329 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules)
* 1:39330 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules)
* 1:39349 <-> ENABLED <-> SERVER-WEBAPP Wordpress Mobile Detector Plugin remote file upload attempt (server-webapp.rules)
* 1:39350 <-> ENABLED <-> SERVER-WEBAPP Wordpress Mobile Detector Plugin remote file upload attempt (server-webapp.rules)
* 1:39468 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
* 1:39469 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
* 1:39470 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
* 1:39471 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
* 1:39474 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler REST API login SQL injection attempt (server-webapp.rules)
* 1:39475 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler algorithm_settings SQL injection attempt (server-webapp.rules)
* 1:39476 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler export_report SQL injection attempt (server-webapp.rules)
* 1:39477 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler port_config SQL injection attempt (server-webapp.rules)
* 1:39639 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
* 1:39640 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
* 1:39641 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
* 1:39742 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_dns XMLRPC method command injection attempt (server-webapp.rules)
* 1:39743 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)
* 1:39851 <-> ENABLED <-> INDICATOR-COMPROMISE Connection to malware sinkhole - CERT.PL (indicator-compromise.rules)
* 1:39866 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .ml dns query (indicator-compromise.rules)
* 1:39867 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .tk dns query (indicator-compromise.rules)
* 1:39868 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive Document Filters msofbtCLSID stack buffer overflow attempt (file-office.rules)
* 1:39869 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive Document Filters msofbtCLSID stack buffer overflow attempt (file-office.rules)
* 1:39871 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive Document Filters wSectorShift heap buffer overflow attempt (file-office.rules)
* 1:39872 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive Document Filters wSectorShift heap buffer overflow attempt (file-office.rules)
* 1:39930 <-> ENABLED <-> SERVER-WEBAPP Siemens IP-Camera credential disclosure attempt (server-webapp.rules)
* 1:39932 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39933 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39934 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39935 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39942 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
* 1:39943 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
* 1:39944 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
* 1:39945 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
* 1:39959 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules)
* 1:39960 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules)
* 1:39961 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules)
* 1:39962 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules)
* 1:39970 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt (browser-plugins.rules)
* 1:39971 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt (browser-plugins.rules)
* 1:39972 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt (browser-plugins.rules)
* 1:39973 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt (browser-plugins.rules)
* 1:40030 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40031 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40032 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40033 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40047 <-> ENABLED <-> SERVER-WEBAPP Belkin F9K1122 webpage buffer overflow attempt (server-webapp.rules)
* 1:40068 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt (server-webapp.rules)
* 1:40069 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt (server-webapp.rules)
* 1:40070 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt (server-webapp.rules)
* 1:40071 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt (server-webapp.rules)
* 1:40149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
* 1:40150 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
* 1:40255 <-> DISABLED <-> SERVER-WEBAPP FreePBX Music Module ajax.php command injection attempt (server-webapp.rules)
* 1:40283 <-> DISABLED <-> SERVER-WEBAPP Kaltura redirectWidgetCmd PHP object injection attempt (server-webapp.rules)
* 1:40382 <-> DISABLED <-> SERVER-OTHER Easy File Sharing Server remote code execution attempt (server-other.rules)
* 1:40446 <-> ENABLED <-> SERVER-WEBAPP Avtech IP Camera unauthenticated config access attempt (server-webapp.rules)
* 1:40447 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera search.cgi command injection attempt (server-webapp.rules)
* 1:40448 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera search.cgi command injection attempt (server-webapp.rules)
* 1:40524 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync JSON API ad_sync_now command injection attempt (server-webapp.rules)
* 1:40589 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
* 1:40590 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
* 1:40591 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
* 1:40592 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS notificationsBatchDetails.php SQL injection attempt (server-webapp.rules)
* 1:40755 <-> DISABLED <-> FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt (file-flash.rules)
* 1:40784 <-> ENABLED <-> SERVER-WEBAPP ZyXEL TR-064 SetNTPServers command injection attempt (server-webapp.rules)
* 1:40785 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
* 1:40786 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
* 1:40866 <-> DISABLED <-> PROTOCOL-OTHER TP-Link TDDP SET_CONFIG type buffer overflow attempt (protocol-other.rules)
* 1:40904 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules)
* 1:40905 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules)
* 1:40907 <-> DISABLED <-> PROTOCOL-OTHER TP-Link TDDP Get_config configuration leak attempt (protocol-other.rules)
* 1:40933 <-> DISABLED <-> SERVER-WEBAPP Reference Design Kit ajax_network_diagnostic_tools.php command injection attempt (server-webapp.rules)
* 1:40994 <-> DISABLED <-> SERVER-WEBAPP Sony IPELA IP Cameras prima-factory.cgi telnet backdoor access attempt (server-webapp.rules)
* 1:41112 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS Logs.class SQL injection attempt (server-webapp.rules)
* 1:41113 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS Logs.class SQL injection attempt (server-webapp.rules)
* 1:41114 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS TaskViewServlet.class SQL injection attempt (server-webapp.rules)
* 1:41115 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS TaskViewServlet.class SQL injection attempt (server-webapp.rules)
* 1:41116 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS WorkFlowServlet.class SQL injection attempt (server-webapp.rules)
* 1:41117 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS WorkFlowServlet.class SQL injection attempt (server-webapp.rules)
* 1:41346 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
* 1:41347 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
* 1:41348 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
* 1:41349 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
* 1:41364 <-> DISABLED <-> PROTOCOL-OTHER ARM mbed TLS x509 invalid public key remote code execution attempt (protocol-other.rules)
* 1:41387 <-> DISABLED <-> SERVER-WEBAPP ZyXEL P660HN ADSL Router logset.asp command injection attempt (server-webapp.rules)
* 1:41388 <-> DISABLED <-> SERVER-WEBAPP ZyXEL P660HN ADSL Router viewlog.asp command injection attempt (server-webapp.rules)
* 1:41390 <-> ENABLED <-> SERVER-WEBAPP Apache Commons Library FileUpload unauthorized Java object upload attempt (server-webapp.rules)
* 1:41401 <-> DISABLED <-> SERVER-WEBAPP Billion 5200W ADSL Router adv_remotelog.asp command injection attempt (server-webapp.rules)
* 1:41402 <-> DISABLED <-> SERVER-WEBAPP Billion 5200W ADSL Router tools_time.asp command injection attempt (server-webapp.rules)
* 1:41420 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
* 1:41421 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
* 1:41449 <-> DISABLED <-> SQL use of sleep function with and - likely SQL injection (sql.rules)
* 1:41488 <-> DISABLED <-> SERVER-WEBAPP GitHub Enterprise pre-receive-hooks SQL injection attempt (server-webapp.rules)
* 1:41495 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
* 1:41496 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
* 1:41497 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
* 1:41515 <-> ENABLED <-> POLICY-OTHER McAfee Virus Scan Linux outdated version detected (policy-other.rules)
* 1:41520 <-> DISABLED <-> SERVER-OTHER Ge Fanuc Proficy WebView DOS attempt (server-other.rules)
* 1:41642 <-> DISABLED <-> SERVER-WEBAPP TP-LINK AC750 ping diagnostic command injection attempt (server-webapp.rules)
* 1:41646 <-> DISABLED <-> PROTOCOL-SCADA BB-Elec ethernet gateway DOS attempt (protocol-scada.rules)
* 1:41693 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera adcommand.cgi command execution attempt (server-webapp.rules)
* 1:41694 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt (server-webapp.rules)
* 1:41695 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt (server-webapp.rules)
* 1:41696 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera cloudsetup.cgi command execution attempt (server-webapp.rules)
* 1:41697 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera machine.cgi information disclosure attempt (server-webapp.rules)
* 1:41710 <-> DISABLED <-> INDICATOR-COMPROMISE Binary file download request from internationalized domain name using Microsoft BITS (indicator-compromise.rules)
* 1:41722 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt (server-other.rules)
* 1:41723 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt (server-other.rules)
* 1:41724 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt (server-other.rules)
* 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
* 1:41732 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41733 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41734 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41735 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules)
* 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules)
* 1:41770 <-> DISABLED <-> SERVER-WEBAPP Wordpress NextGEN Gallery SQL injection attempt (server-webapp.rules)
* 1:41781 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
* 1:41782 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
* 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules)
* 1:41814 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
* 1:41815 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
* 1:41917 <-> ENABLED <-> SERVER-WEBAPP Carel PlantVisorPRO default login attempt (server-webapp.rules)
* 1:42005 <-> DISABLED <-> SERVER-WEBAPP Logsign JSON API validate_file command injection attempt (server-webapp.rules)
* 1:42016 <-> ENABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
* 1:42119 <-> DISABLED <-> SERVER-WEBAPP pfSense openvpn_wizard PHP code injection attempt (server-webapp.rules)
* 1:42131 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules)
* 1:42132 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules)
* 1:42210 <-> ENABLED <-> BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt (browser-ie.rules)
* 1:42211 <-> ENABLED <-> BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt (browser-ie.rules)
* 1:42232 <-> ENABLED <-> SERVER-OTHER TopSec Firewall cookie header command injection attempt (server-other.rules)
* 1:42253 <-> ENABLED <-> OS-SOLARIS Solaris dtappgather local privilege escalation attempt (os-solaris.rules)
* 1:42254 <-> ENABLED <-> OS-SOLARIS Solaris dtappgather local privilege escalation attempt (os-solaris.rules)
* 1:42291 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM API get_host_fqdn host_ip command injection attempt (server-webapp.rules)
* 1:42338 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request memory leak attempt (os-windows.rules)
* 1:42340 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (os-windows.rules)
* 1:42372 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42406 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG admin backdoor login attempt (server-webapp.rules)
* 1:42407 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdfs.cgi command injection attempt (server-webapp.rules)
* 1:42408 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdfs.cgi command injection attempt (server-webapp.rules)
* 1:42409 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdfs.cgi command injection attempt (server-webapp.rules)
* 1:42410 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdtool backdoor login attempt (server-webapp.rules)
* 1:42411 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG session id check bypass attempt (server-webapp.rules)
* 1:42424 <-> DISABLED <-> POLICY-OTHER MSSQL CLR permission set to unsafe attempt (policy-other.rules)
* 1:42426 <-> DISABLED <-> SERVER-WEBAPP Phpcms attachment upload SQL injection attempt (server-webapp.rules)
* 1:42427 <-> DISABLED <-> SERVER-WEBAPP Phpcms attachment upload SQL injection attempt (server-webapp.rules)
* 1:42428 <-> DISABLED <-> SERVER-WEBAPP Phpcms attachment upload SQL injection attempt (server-webapp.rules)
* 1:42429 <-> DISABLED <-> SERVER-WEBAPP Phpcms user registration remote file include attempt (server-webapp.rules)
* 1:42430 <-> DISABLED <-> SERVER-WEBAPP Phpcms user registration remote file include attempt (server-webapp.rules)
* 1:42767 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt (os-windows.rules)
* 1:42768 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt (os-windows.rules)
* 1:42787 <-> DISABLED <-> POLICY-OTHER Schneider Electric hardcoded FTP login attempt (policy-other.rules)
* 1:42839 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog login.php SQL injection attempt (server-webapp.rules)
* 1:42840 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog logshares_ajax.php command injection attempt (server-webapp.rules)
* 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:42850 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42851 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42852 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42853 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)
* 1:42854 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)
* 1:42890 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
* 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
* 1:42901 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
* 1:42905 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
* 1:42906 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42907 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42908 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42909 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42920 <-> DISABLED <-> SERVER-WEBAPP LogRhythm Network Monitor JSON configuration API command injection attempt (server-webapp.rules)
* 1:43045 <-> ENABLED <-> SERVER-OTHER RaySharp DVR administrative interface access attempt (server-other.rules)
* 1:43178 <-> DISABLED <-> SERVER-WEBAPP VICIdial user_authorization command injection attempt (server-webapp.rules)
* 1:43179 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules)
* 1:43180 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules)
* 1:43237 <-> ENABLED <-> SERVER-WEBAPP SysAid Enterprise auth bypass and remote file upload attempt (server-webapp.rules)
* 1:43251 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA LogSettingHandler command injection attempt (server-webapp.rules)
* 1:43308 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:43309 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:43310 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43311 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43312 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43313 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43314 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43315 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43316 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:43317 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:43318 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43319 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43320 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43321 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43322 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43323 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43451 <-> DISABLED <-> SERVER-WEBAPP TerraMaster NAS arbitrary PHP file upload attempt (server-webapp.rules)
* 1:43494 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling appleid (server-webapp.rules)
* 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)
* 1:43549 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Manager authentication bypass attempt (server-webapp.rules)
* 1:43552 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk upload remote code execution attempt (server-webapp.rules)
* 1:43553 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk upload remote code execution attempt (server-webapp.rules)
* 1:43554 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk upload remote code execution attempt
(server-webapp.rules) * 1:43687 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .top dns query (indicator-compromise.rules) * 1:43709 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules) * 1:43710 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules) * 1:43711 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules) * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules) * 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules) * 1:43878 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules) * 1:43881 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules) * 1:43882 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules) * 1:43884 <-> ENABLED <-> FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt (file-pdf.rules) * 1:43886 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules) * 1:43887 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules) * 1:43888 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules) * 1:43889 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules) * 1:43893 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules) * 1:43894 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW 
coding table memory corruption attempt (file-other.rules) * 1:43895 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules) * 1:43896 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules) * 1:43897 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules) * 1:43898 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45554 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
* 1:45562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LockPoS outbound connection attempt (malware-cnc.rules)
* 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of service attempt (server-samba.rules)
* 1:45561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LockPoS outbound connection attempt (malware-cnc.rules)
* 1:45564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 1:45557 <-> DISABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
* 1:45550 <-> ENABLED <-> PUA-OTHER CPUMiner-Multi cryptocurrency mining pool connection attempt (pua-other.rules)
* 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules)
* 1:45567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45558 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
* 1:45553 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
* 1:45560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LockPoS outbound connection attempt (malware-cnc.rules)
* 1:45559 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
* 1:45552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Velso ransomware download (malware-cnc.rules)
* 1:45569 <-> DISABLED <-> SERVER-WEBAPP Squid host header cache poisoning attempt (server-webapp.rules)
* 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (server-webapp.rules)
* 1:45556 <-> DISABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
* 1:45566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45565 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif variant download attempt (malware-other.rules)
* 1:45563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 1:45551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Velso ransomware download (malware-cnc.rules)
* 1:38649 <-> DISABLED <-> SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt (server-other.rules)
* 1:38796 <-> DISABLED <-> SERVER-OTHER Adroit denial of service attempt (server-other.rules)
* 1:13512 <-> DISABLED <-> SQL generic sql exec injection attempt - GET parameter (sql.rules)
* 1:13514 <-> DISABLED <-> SQL generic sql update injection attempt - GET parameter (sql.rules)
* 1:15503 <-> ENABLED <-> FILE-OFFICE Download of PowerPoint 95 file (file-office.rules)
* 1:15584 <-> DISABLED <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules)
* 1:15874 <-> DISABLED <-> SQL union select - possible sql injection attempt - POST parameter (sql.rules)
* 1:15875 <-> DISABLED <-> SQL generic sql insert injection attempt - POST parameter (sql.rules)
* 1:15877 <-> DISABLED <-> SQL generic sql exec injection attempt - POST parameter (sql.rules)
* 1:16431 <-> ENABLED <-> SQL generic sql with comments injection attempt - GET parameter (sql.rules)
* 1:18683 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel file with embedded PDF object (file-office.rules)
* 1:19439 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:19440 <-> ENABLED <-> SQL 1 = 0 - possible sql injection attempt (sql.rules)
* 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
* 1:21778 <-> DISABLED <-> SQL parameter ending in comment characters - possible sql injection attempt - POST (sql.rules)
* 1:23018 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules)
* 1:23182 <-> ENABLED <-> SERVER-OTHER Joomla com_maqmahelpdesk task parameter local file inclusion attempt (server-other.rules)
* 1:24647 <-> DISABLED <-> SERVER-WEBAPP D-Link Wireless Router CAPTCHA data processing buffer overflow attempt (server-webapp.rules)
* 1:26092 <-> ENABLED <-> INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages (indicator-obfuscation.rules)
* 1:26101 <-> ENABLED <-> INDICATOR-OBFUSCATION String.fromCharCode concatenation (indicator-obfuscation.rules)
* 1:26352 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits (indicator-obfuscation.rules)
* 1:26441 <-> ENABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected (indicator-obfuscation.rules)
* 1:26829 <-> DISABLED <-> SQL generic sql update injection attempt - POST parameter (sql.rules)
* 1:26925 <-> DISABLED <-> SQL generic convert injection attempt - GET parameter (sql.rules)
* 1:26929 <-> ENABLED <-> SERVER-WEBAPP SAP ConfigServlet command execution attempt (server-webapp.rules)
* 1:27073 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules)
* 1:27074 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules)
* 1:27272 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode (indicator-obfuscation.rules)
* 1:25592 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated document command - used in IFRAMEr tool injection (indicator-obfuscation.rules)
* 1:28023 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:27287 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:27288 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:27592 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:27735 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool usage (indicator-obfuscation.rules)
* 1:27736 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:27920 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28039 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .pw dns query (indicator-compromise.rules)
* 1:28284 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .nl.ai dns query (indicator-compromise.rules)
* 1:28288 <-> ENABLED <-> SERVER-WEBAPP WebTester install2.php arbitrary command execution attempt (server-webapp.rules)
* 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules)
* 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
* 1:28024 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28346 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28401 <-> DISABLED <-> OS-MOBILE Android Andr.Trojan.MobileTx APK file download attempt (os-mobile.rules)
* 1:28402 <-> DISABLED <-> OS-MOBILE Android Andr.Trojan.MobileTx APK file download attempt (os-mobile.rules)
* 1:28403 <-> DISABLED <-> OS-MOBILE Android Andr.Trojan.MobileTx information disclosure attempt (os-mobile.rules)
* 1:28025 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28409 <-> DISABLED <-> SERVER-WEBAPP ProcessMaker neoclassic skin arbitrary code execution attempt (server-webapp.rules)
* 1:28420 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28421 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28422 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28556 <-> DISABLED <-> PROTOCOL-DNS DNS query amplification attempt (protocol-dns.rules)
* 1:28345 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28806 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware download - single digit .exe file download (indicator-compromise.rules)
* 1:28811 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28812 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28893 <-> DISABLED <-> BROWSER-OTHER known revoked certificate for Tresor CA (browser-other.rules)
* 1:28408 <-> DISABLED <-> SERVER-WEBAPP ProcessMaker neoclassic skin arbitrary code execution attempt (server-webapp.rules)
* 1:28557 <-> DISABLED <-> PROTOCOL-DNS Malformed DNS query with HTTP content (protocol-dns.rules)
* 1:29090 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious test for public IP - iframe.ip138.com (indicator-compromise.rules)
* 1:29157 <-> DISABLED <-> SERVER-WEBAPP NagiosQL hostdependencies.php cross site scripting attempt (server-webapp.rules)
* 1:29158 <-> DISABLED <-> SERVER-WEBAPP NagiosQL hostdependencies.php cross site scripting attempt (server-webapp.rules)
* 1:29159 <-> DISABLED <-> SERVER-WEBAPP The Bug Genie openid_identifier cross site scripting attempt (server-webapp.rules)
* 1:28941 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:29046 <-> DISABLED <-> SERVER-WEBAPP WhatsUp Gold ExportViewer.asp diretory traversal attempt (server-webapp.rules)
* 1:29160 <-> DISABLED <-> SERVER-WEBAPP The Bug Genie openid_identifier cross site scripting attempt (server-webapp.rules)
* 1:29170 <-> DISABLED <-> SERVER-WEBAPP NetWeaver internet sales module directory traversal attempt (server-webapp.rules)
* 1:29346 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter cross site scripting attempt (server-webapp.rules)
* 1:30230 <-> ENABLED <-> INDICATOR-COMPROMISE suspicious test for public IP - www.dawhois.com (indicator-compromise.rules)
* 1:29402 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000B setup.cgi parameter code execution attempt (server-webapp.rules)
* 1:29403 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN1000B setup.cgi cross site scripting attempt (server-webapp.rules)
* 1:29462 <-> ENABLED <-> INDICATOR-SCAN User-Agent known malicious user-agent The Mole (indicator-scan.rules)
* 1:29510 <-> ENABLED <-> INDICATOR-OBFUSCATION Multiple character encodings detected (indicator-obfuscation.rules)
* 1:29608 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO showRegisteredTypeDetails.do sql injection attempt (server-webapp.rules)
* 1:29609 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO DisplayMSAPropsDetail.do sql injection attempt (server-webapp.rules)
* 1:29815 <-> DISABLED <-> SERVER-WEBAPP Kloxo webcommand.php SQL injection attempt (server-webapp.rules)
* 1:29829 <-> ENABLED <-> SERVER-WEBAPP HNAP remote code execution attempt (server-webapp.rules)
* 1:29830 <-> ENABLED <-> SERVER-WEBAPP HNAP remote code execution attempt (server-webapp.rules)
* 1:29831 <-> ENABLED <-> SERVER-WEBAPP HNAP remote code execution attempt (server-webapp.rules)
* 1:29992 <-> DISABLED <-> SERVER-WEBAPP Linksys WRT120N tmUnblock.cgi TM_Block_URL parameter fprintf stack buffer overflow attempt (server-webapp.rules)
* 1:30012 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense Snort log view remote file inclusion attempt (server-webapp.rules)
* 1:30013 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense Snort log view remote file inclusion attempt (server-webapp.rules)
* 1:30033 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense webConfigurator invalid input attempt (server-webapp.rules)
* 1:30040 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:30041 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:30065 <-> ENABLED <-> INDICATOR-COMPROMISE ZenCart compromise attempt detected (indicator-compromise.rules)
* 1:30066 <-> ENABLED <-> INDICATOR-COMPROMISE ZenCart malicious redirect attempt detected (indicator-compromise.rules)
* 1:30100 <-> ENABLED <-> FILE-OTHER ftpchk3.php malicious script upload attempt (file-other.rules)
* 1:30101 <-> ENABLED <-> FILE-OTHER ftpchk3.php malicious script upload attempt (file-other.rules)
* 1:29190 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in Nuclear exploit kit (indicator-obfuscation.rules)
* 1:30249 <-> ENABLED <-> SERVER-WEBAPP Embedded php in Exif data upload attempt (server-webapp.rules)
* 1:30274 <-> ENABLED <-> SERVER-WEBAPP LifeSize UVC remote code execution attempt (server-webapp.rules)
* 1:30769 <-> ENABLED <-> SERVER-OTHER Wordpress linenity theme LFI attempt (server-other.rules)
* 1:30880 <-> ENABLED <-> OS-MOBILE Android Andr.Trojan.Waller information disclosure attempt (os-mobile.rules)
* 1:30905 <-> DISABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
* 1:30908 <-> DISABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
* 1:30928 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver dir content listing attempt (server-other.rules)
* 1:30958 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)
* 1:30959 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)
* 1:30996 <-> ENABLED <-> SERVER-OTHER CMSimple remote file inclusion attempt (server-other.rules)
* 1:30997 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file (indicator-compromise.rules)
* 1:30998 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file (indicator-compromise.rules)
* 1:30999 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file (indicator-compromise.rules)
* 1:31000 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file (indicator-compromise.rules)
* 1:31001 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file (indicator-compromise.rules)
* 1:29401 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000B setup.cgi parameter code execution attempt (server-webapp.rules)
* 1:31094 <-> ENABLED <-> SERVER-WEBAPP Web Terria remote command execution attempt (server-webapp.rules)
* 1:31161 <-> ENABLED <-> SERVER-OTHER AuraCMS LFI attempt (server-other.rules)
* 1:31214 <-> ENABLED <-> INDICATOR-COMPROMISE connection to zeus malware sinkhole (indicator-compromise.rules)
* 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
* 1:31300 <-> ENABLED <-> SERVER-OTHER Xerox DocuShare SQL injection attempt (server-other.rules)
* 1:31339 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller information disclosure attempt (server-webapp.rules)
* 1:31340 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller information disclosure attempt (server-webapp.rules)
* 1:31341 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller password file disclosure attempt (server-webapp.rules)
* 1:31342 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller password file disclosure attempt (server-webapp.rules)
* 1:31356 <-> ENABLED <-> SERVER-WEBAPP Wordpress timthumb.php webshot source attack attempt (server-webapp.rules)
* 1:31499 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell download attempt (indicator-compromise.rules)
* 1:31500 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell upload attempt (indicator-compromise.rules)
* 1:31501 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell command and control attempt (indicator-compromise.rules)
* 1:31502 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell command and control attempt (indicator-compromise.rules)
* 1:31503 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell download attempt (indicator-compromise.rules)
* 1:31531 <-> ENABLED <-> INDICATOR-COMPROMISE MinerDeploy monitor request attempt (indicator-compromise.rules)
* 1:31711 <-> DISABLED <-> INDICATOR-COMPROMISE Keylog string over FTP detected (indicator-compromise.rules)
* 1:31830 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules)
* 1:31874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt (os-windows.rules)
* 1:31892 <-> DISABLED <-> SERVER-WEBAPP HybridAuth install.php code injection attempt (server-webapp.rules)
* 1:32488 <-> DISABLED <-> INDICATOR-COMPROMISE .com- potentially malicious hostname (indicator-compromise.rules)
* 1:32508 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules)
* 1:32562 <-> ENABLED <-> FILE-OTHER Oracle Java awt_setPixels out-of-bounds read attempt (file-other.rules)
* 1:32646 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file (indicator-compromise.rules)
* 1:32761 <-> DISABLED <-> SERVER-WEBAPP dBlog CMS m parameter SQL injection attempt (server-webapp.rules)
* 1:32774 <-> DISABLED <-> SERVER-OTHER Siemens Simatic S7-300 PLC backdoor login attempt (server-other.rules)
* 1:32775 <-> DISABLED <-> SERVER-OTHER Siemens Simatic S7-300 PLC remote memory dump (server-other.rules)
* 1:32888 <-> ENABLED <-> INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex - Spammed Malware Download attempt (indicator-compromise.rules)
* 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules)
* 1:33189 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules)
* 1:33190 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules)
* 1:33276 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules)
* 1:33277 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules)
* 1:33278 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules)
* 1:33887 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
* 1:33888 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
* 1:33889 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
* 1:33890 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
* 1:34179 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules)
* 1:34220 <-> DISABLED <-> SERVER-WEBAPP Barracuda Networks Web Filter index.cgi command injection attempt (server-webapp.rules)
* 1:34221 <-> DISABLED <-> SERVER-WEBAPP Barracuda Networks Web Filter index.cgi command injection attempt (server-webapp.rules)
* 1:34222 <-> DISABLED <-> SERVER-WEBAPP Barracuda Networks Web Filter index.cgi command injection attempt (server-webapp.rules)
* 1:34615 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
* 1:32509 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules)
* 1:34178 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules)
* 1:34617 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
* 1:34618 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
* 1:35359 <-> DISABLED <-> SERVER-WEBAPP Cacti selected_items SQL injection attempt (server-webapp.rules)
* 1:34647 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules)
* 1:34648 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules)
* 1:34824 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules)
* 1:34825 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules)
* 1:35024 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
* 1:35025 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
* 1:35026 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
* 1:43898 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
* 1:43901 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43900 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:35077 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules)
* 1:35078 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules)
* 1:35079 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules)
* 1:35090 <-> ENABLED <-> OS-MOBILE iOS lockdownd plist object buffer overflow attempt (os-mobile.rules)
* 1:35091 <-> ENABLED <-> OS-MOBILE iOS lockdownd plist object buffer overflow attempt (os-mobile.rules)
* 1:35222 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - Win.Trojan.Dridex (indicator-compromise.rules)
* 1:35243 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules)
* 1:35244 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules)
* 1:35245 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules)
* 1:35246 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules)
* 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:34616 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
* 1:35427 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35428 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35429 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35533 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35534 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35535 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35573 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt (server-webapp.rules)
* 1:35677 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance KSudoClient privilege escalation attempt (server-webapp.rules)
* 1:35678 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance downloadpxy.php directory traversal attempt (server-webapp.rules)
* 1:35679 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance downloadpxy.php directory traversal attempt (server-webapp.rules)
* 1:35680 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance downloadpxy.php directory traversal attempt (server-webapp.rules)
* 1:35681 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php authentication bypass attempt (server-webapp.rules)
* 1:35682 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php directory traversal attempt (server-webapp.rules)
* 1:35683 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php directory traversal attempt (server-webapp.rules)
* 1:35684 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php directory traversal attempt (server-webapp.rules)
* 1:34646 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules)
* 1:35706 <-> ENABLED <-> BROWSER-IE Microsoft Edge history.state use after free attempt (browser-ie.rules)
* 1:35735 <-> ENABLED <-> OS-OTHER OS X DYLD_PRINT_TO_FILE privilege escalation attempt (os-other.rules)
* 1:35736 <-> ENABLED <-> OS-OTHER OS X DYLD_PRINT_TO_FILE privilege escalation attempt (os-other.rules)
* 1:35737 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules)
* 1:35738 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules)
* 1:35745 <-> ENABLED <-> INDICATOR-COMPROMISE Wild Neutron potential exploit attempt (indicator-compromise.rules)
* 1:35865 <-> ENABLED <-> BROWSER-IE Internet Explorer DataSource recordset remote code execution attempt (browser-ie.rules)
* 1:35866 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
* 1:35867 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
* 1:35872 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35873 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35874 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35875 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35888 <-> DISABLED <-> PROTOCOL-SCADA SCADA Engine OPC Server arbitrary file upload attempt (protocol-scada.rules)
* 1:35892 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
* 1:35893 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
* 1:35896 <-> ENABLED <-> SERVER-OTHER GE Proficy CIMPLICITY Marquee Manager stack buffer overflow attempt (server-other.rules)
* 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules)
* 1:35910 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight information disclosure attempt (server-other.rules)
* 1:35920 <-> ENABLED <-> SERVER-OTHER General Electric Proficy memory leakage request attempt (server-other.rules)
* 1:36022 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
* 1:36023 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
* 1:36024 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
* 1:36030 <->
DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules) * 1:36031 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules) * 1:36032 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules) * 1:36033 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules) * 1:36041 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules) * 1:36042 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules) * 1:36043 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules) * 1:36049 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules) * 1:36050 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules) * 1:36051 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules) * 1:36052 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA JSON interface hidden credentials authentication attempt (server-webapp.rules) * 1:36053 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA snmp JSON interface command injection attempt (server-webapp.rules) * 1:36101 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules) * 1:36102 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules) * 1:35705 <-> ENABLED <-> BROWSER-IE Microsoft Edge history.state use after free attempt (browser-ie.rules) * 1:36104 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA configdb_file.php arbitrary PHP file upload attempt (server-webapp.rules) * 
1:36270 <-> DISABLED <-> SERVER-WEBAPP Centreon main.php command injection attempt (server-webapp.rules) * 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules) * 1:36283 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules) * 1:36284 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules) * 1:36285 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules) * 1:36380 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev SaveContentServiceImpl servlet directory traversal attempt (server-webapp.rules) * 1:36544 <-> DISABLED <-> SERVER-WEBAPP pChart script parameter directory traversal attempt (server-webapp.rules) * 1:36793 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules) * 1:36794 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules) * 1:36795 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules) * 1:37130 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules) * 1:37131 <-> ENABLED <-> FILE-IDENTIFY .wsf attachment file type blocked by Outlook detected (file-identify.rules) * 1:37132 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules) * 1:37135 <-> ENABLED <-> SERVER-WEBAPP Fireeye Java decompiler reflection remote code execution attempt (server-webapp.rules) * 1:37136 <-> ENABLED <-> SERVER-WEBAPP Fireeye Java decompiler reflection remote code execution attempt (server-webapp.rules) * 1:37138 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk FileDownload.jsp fName directory traversal attempt (server-webapp.rules) * 1:37139 <-> DISABLED <-> SERVER-WEBAPP ManageEngine 
ServiceDesk FileDownload.jsp fName directory traversal attempt (server-webapp.rules) * 1:37140 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk FileDownload.jsp fName directory traversal attempt (server-webapp.rules) * 1:37243 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules) * 1:37244 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules) * 1:37285 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37286 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37287 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37289 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37290 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37292 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37324 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt (server-webapp.rules) * 1:37368 <-> DISABLED <-> SERVER-OTHER Multiple Vendors SOAP large array information disclosure attempt (server-other.rules) * 1:37411 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS hidden credentials authentication attempt (server-webapp.rules) * 1:37412 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules) * 1:37413 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules) * 1:37443 <-> DISABLED <-> SQL use of sleep function with select - likely SQL injection (sql.rules) * 1:37537 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules) * 
1:37538 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules) * 1:37539 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules) * 1:37540 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules) * 1:37541 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules) * 1:37542 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules) * 1:37543 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules) * 1:37544 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules) * 1:37622 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules) * 1:37623 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules) * 1:37137 <-> ENABLED <-> SERVER-WEBAPP Fireeye Java decompiler reflection remote code execution attempt (server-webapp.rules) * 1:37624 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules) * 1:38269 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_system command injection attempt (server-webapp.rules) * 1:38383 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules) * 1:38389 <-> DISABLED <-> SERVER-WEBAPP HID door command injection attempt (server-webapp.rules) * 1:38384 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules) * 1:38534 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules) * 1:38532 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation 
attempt (file-flash.rules) * 1:38535 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules) * 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type text/plain containing Portable Executable data (indicator-compromise.rules) * 1:38629 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38579 <-> DISABLED <-> SERVER-WEBAPP Atvise denial of service attempt (server-webapp.rules) * 1:38631 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38632 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38633 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38630 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38634 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38635 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38636 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38639 <-> ENABLED <-> FILE-OFFICE Microsoft Office document with auto-start VBA macro detected (file-office.rules) * 1:38640 <-> ENABLED <-> FILE-OFFICE Microsoft Office document with auto-start VBA macro detected (file-office.rules) * 1:38648 <-> DISABLED <-> SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt (server-other.rules) * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules) * 1:39038 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules) * 1:39039 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules) * 1:39043 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX 
clsid access attempt (browser-plugins.rules) * 1:39044 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules) * 1:39070 <-> ENABLED <-> SERVER-WEBAPP Dlink local file disclosure attempt (server-webapp.rules) * 1:39177 <-> DISABLED <-> SERVER-WEBAPP Nagios XI graphApi.php command injection attempt (server-webapp.rules) * 1:39178 <-> DISABLED <-> SERVER-WEBAPP Nagios XI graphApi.php command injection attempt (server-webapp.rules) * 1:39179 <-> DISABLED <-> SERVER-WEBAPP Nagios XI nagiosim.php command injection attempt (server-webapp.rules) * 1:39180 <-> DISABLED <-> SERVER-WEBAPP Nagios XI nagiosim.php command injection attempt (server-webapp.rules) * 1:39181 <-> DISABLED <-> SERVER-WEBAPP Nagios XI ajaxproxy.php server side request forgery attempt (server-webapp.rules) * 1:39188 <-> DISABLED <-> SERVER-WEBAPP Nagios XI backend API server side request forgery attempt (server-webapp.rules) * 1:39192 <-> ENABLED <-> SERVER-WEBAPP D-Link router unauthorised DNS change attempt (server-webapp.rules) * 1:39198 <-> DISABLED <-> SERVER-WEBAPP D-Link authentication bypass attempt (server-webapp.rules) * 1:39268 <-> DISABLED <-> SERVER-WEBAPP Joomla PayPlans Extension com_payplans group_id SQL injection attempt (server-webapp.rules) * 1:39328 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules) * 1:39329 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules) * 1:39330 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules) * 1:39349 <-> ENABLED <-> SERVER-WEBAPP Wordpress Mobile Detector Plugin remote file upload attempt (server-webapp.rules) * 1:39350 <-> ENABLED <-> SERVER-WEBAPP Wordpress Mobile Detector Plugin remote file upload attempt (server-webapp.rules) * 1:39468 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt 
(server-webapp.rules) * 1:39469 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules) * 1:36242 <-> DISABLED <-> SERVER-WEBAPP Reprise License Manager edit_lf_get_data directory traversal attempt (server-webapp.rules) * 1:39471 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules) * 1:39474 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler REST API login SQL injection attempt (server-webapp.rules) * 1:39475 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler algorithm_settings SQL injection attempt (server-webapp.rules) * 1:39476 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler export_report SQL injection attempt (server-webapp.rules) * 1:39477 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler port_config SQL injection attempt (server-webapp.rules) * 1:39639 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules) * 1:39640 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules) * 1:39641 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules) * 1:39742 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_dns XMLRPC method command injection attempt (server-webapp.rules) * 1:39743 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules) * 1:39851 <-> ENABLED <-> INDICATOR-COMPROMISE Connection to malware sinkhole - CERT.PL (indicator-compromise.rules) * 1:39866 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .ml dns query (indicator-compromise.rules) * 1:39867 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .tk dns query (indicator-compromise.rules) * 1:39868 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive Document Filters msofbtCLSID stack buffer overflow attempt (file-office.rules) * 1:39869 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive 
Document Filters msofbtCLSID stack buffer overflow attempt (file-office.rules) * 1:39871 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive Document Filters wSectorShift heap buffer overflow attempt (file-office.rules) * 1:39872 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive Document Filters wSectorShift heap buffer overflow attempt (file-office.rules) * 1:39930 <-> ENABLED <-> SERVER-WEBAPP Siemens IP-Camera credential disclosure attempt (server-webapp.rules) * 1:39932 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules) * 1:39933 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules) * 1:39934 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules) * 1:39935 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules) * 1:39942 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules) * 1:39943 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules) * 1:39944 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules) * 1:39945 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules) * 1:39959 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules) * 1:39960 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules) * 1:39961 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules) * 1:39962 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules) * 1:39970 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt 
(browser-plugins.rules) * 1:39971 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt (browser-plugins.rules) * 1:39972 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt (browser-plugins.rules) * 1:39973 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt (browser-plugins.rules) * 1:40030 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules) * 1:40031 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules) * 1:40032 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules) * 1:39470 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules) * 1:40047 <-> ENABLED <-> SERVER-WEBAPP Belkin F9K1122 webpage buffer overflow attempt (server-webapp.rules) * 1:40068 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt (server-webapp.rules) * 1:40069 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt (server-webapp.rules) * 1:40070 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt (server-webapp.rules) * 1:40071 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt (server-webapp.rules) * 1:40149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules) * 1:40150 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules) * 1:40255 <-> DISABLED <-> SERVER-WEBAPP FreePBX Music Module ajax.php command injection attempt (server-webapp.rules) * 1:40283 <-> DISABLED <-> SERVER-WEBAPP Kaltura 
redirectWidgetCmd PHP object injection attempt (server-webapp.rules) * 1:40382 <-> DISABLED <-> SERVER-OTHER Easy File Sharing Server remote code execution attempt (server-other.rules) * 1:40446 <-> ENABLED <-> SERVER-WEBAPP Avtech IP Camera unauthenticated config access attempt (server-webapp.rules) * 1:40447 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera search.cgi command injection attempt (server-webapp.rules) * 1:40448 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera search.cgi command injection attempt (server-webapp.rules) * 1:40524 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync JSON API ad_sync_now command injection attempt (server-webapp.rules) * 1:40589 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules) * 1:40590 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules) * 1:40591 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules) * 1:40592 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS notificationsBatchDetails.php SQL injection attempt (server-webapp.rules) * 1:40755 <-> DISABLED <-> FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt (file-flash.rules) * 1:40784 <-> ENABLED <-> SERVER-WEBAPP ZyXEL TR-064 SetNTPServers command injection attempt (server-webapp.rules) * 1:40785 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules) * 1:40786 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules) * 1:40866 <-> DISABLED <-> PROTOCOL-OTHER TP-Link TDDP SET_CONFIG type buffer overflow attempt (protocol-other.rules) * 1:40904 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules) * 1:40905 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules) * 
1:40907 <-> DISABLED <-> PROTOCOL-OTHER TP-Link TDDP Get_config configuration leak attempt (protocol-other.rules) * 1:40933 <-> DISABLED <-> SERVER-WEBAPP Reference Design Kit ajax_network_diagnostic_tools.php command injection attempt (server-webapp.rules) * 1:40994 <-> DISABLED <-> SERVER-WEBAPP Sony IPELA IP Cameras prima-factory.cgi telnet backdoor access attempt (server-webapp.rules) * 1:41112 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS Logs.class SQL injection attempt (server-webapp.rules) * 1:41113 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS Logs.class SQL injection attempt (server-webapp.rules) * 1:41114 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS TaskViewServlet.class SQL injection attempt (server-webapp.rules) * 1:41115 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS TaskViewServlet.class SQL injection attempt (server-webapp.rules) * 1:41116 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS WorkFlowServlet.class SQL injection attempt (server-webapp.rules) * 1:41117 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS WorkFlowServlet.class SQL injection attempt (server-webapp.rules) * 1:41346 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules) * 1:41347 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules) * 1:41348 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules) * 1:40033 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules) * 1:41364 <-> DISABLED <-> PROTOCOL-OTHER ARM mbed TLS x509 invalid public key remote code execution attempt (protocol-other.rules) * 1:41387 <-> DISABLED <-> SERVER-WEBAPP ZyXEL P660HN ADSL Router logset.asp command injection attempt (server-webapp.rules) * 1:41390 <-> ENABLED <-> SERVER-WEBAPP Apache Commons Library FileUpload unauthorized Java object upload attempt (server-webapp.rules) * 
1:41349 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules) * 1:41388 <-> DISABLED <-> SERVER-WEBAPP ZyXEL P660HN ADSL Router viewlog.asp command injection attempt (server-webapp.rules) * 1:41402 <-> DISABLED <-> SERVER-WEBAPP Billion 5200W ADSL Router tools_time.asp command injection attempt (server-webapp.rules) * 1:41401 <-> DISABLED <-> SERVER-WEBAPP Billion 5200W ADSL Router adv_remotelog.asp command injection attempt (server-webapp.rules) * 1:41449 <-> DISABLED <-> SQL use of sleep function with and - likely SQL injection (sql.rules) * 1:41420 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules) * 1:41421 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules) * 1:41488 <-> DISABLED <-> SERVER-WEBAPP GitHub Enterprise pre-receive-hooks SQL injection attempt (server-webapp.rules) * 1:41495 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules) * 1:41496 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules) * 1:41497 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules) * 1:41515 <-> ENABLED <-> POLICY-OTHER McAfee Virus Scan Linux outdated version detected (policy-other.rules) * 1:41520 <-> DISABLED <-> SERVER-OTHER Ge Fanuc Proficy WebView DOS attempt (server-other.rules) * 1:41642 <-> DISABLED <-> SERVER-WEBAPP TP-LINK AC750 ping diagnostic command injection attempt (server-webapp.rules) * 1:41646 <-> DISABLED <-> PROTOCOL-SCADA BB-Elec ethernet gateway DOS attempt (protocol-scada.rules) * 1:41693 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera adcommand.cgi command execution attempt (server-webapp.rules) * 1:41694 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt (server-webapp.rules) * 1:41695 <-> DISABLED <-> 
SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt (server-webapp.rules) * 1:41696 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera cloudsetup.cgi command execution attempt (server-webapp.rules) * 1:41697 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera machine.cgi information disclosure attempt (server-webapp.rules) * 1:41710 <-> DISABLED <-> INDICATOR-COMPROMISE Binary file download request from internationalized domain name using Microsoft BITS (indicator-compromise.rules) * 1:41722 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt (server-other.rules) * 1:41723 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt (server-other.rules) * 1:41724 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt (server-other.rules) * 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules) * 1:41732 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules) * 1:41733 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules) * 1:41734 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules) * 1:41735 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules) * 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules) * 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules) * 1:41781 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules) * 1:41782 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules) * 1:41793 <-> ENABLED <-> INDICATOR-SCAN 
Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules) * 1:41814 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules) * 1:41815 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules) * 1:41917 <-> ENABLED <-> SERVER-WEBAPP Carel PlantVisorPRO default login attempt (server-webapp.rules) * 1:42005 <-> DISABLED <-> SERVER-WEBAPP Logsign JSON API validate_file command injection attempt (server-webapp.rules) * 1:42016 <-> ENABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules) * 1:42119 <-> DISABLED <-> SERVER-WEBAPP pfSense openvpn_wizard PHP code injection attempt (server-webapp.rules) * 1:42131 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules) * 1:42132 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules) * 1:42210 <-> ENABLED <-> BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt (browser-ie.rules) * 1:42211 <-> ENABLED <-> BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt (browser-ie.rules) * 1:42232 <-> ENABLED <-> SERVER-OTHER TopSec Firewall cookie header command injection attempt (server-other.rules) * 1:42253 <-> ENABLED <-> OS-SOLARIS Solaris dtappgather local privilege escalation attempt (os-solaris.rules) * 1:42254 <-> ENABLED <-> OS-SOLARIS Solaris dtappgather local privilege escalation attempt (os-solaris.rules) * 1:42291 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM API get_host_fqdn host_ip command injection attempt (server-webapp.rules) * 1:42338 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request memory leak attempt (os-windows.rules) * 1:42340 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (os-windows.rules) * 1:42372 <-> DISABLED <-> 
POLICY-OTHER eicar file detected (policy-other.rules) * 1:42406 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG admin backdoor login attempt (server-webapp.rules) * 1:41770 <-> DISABLED <-> SERVER-WEBAPP Wordpress NextGEN Gallery SQL injection attempt (server-webapp.rules) * 1:42407 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdfs.cgi command injection attempt (server-webapp.rules) * 1:42408 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdfs.cgi command injection attempt (server-webapp.rules) * 1:42409 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdfs.cgi command injection attempt (server-webapp.rules) * 1:42410 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdtool backdoor login attempt (server-webapp.rules) * 1:42411 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG session id check bypass attempt (server-webapp.rules) * 1:42424 <-> DISABLED <-> POLICY-OTHER MSSQL CLR permission set to unsafe attempt (policy-other.rules) * 1:42426 <-> DISABLED <-> SERVER-WEBAPP Phpcms attachment upload SQL injection attempt (server-webapp.rules) * 1:42427 <-> DISABLED <-> SERVER-WEBAPP Phpcms attachment upload SQL injection attempt (server-webapp.rules) * 1:42429 <-> DISABLED <-> SERVER-WEBAPP Phpcms user registration remote file include attempt (server-webapp.rules) * 1:42430 <-> DISABLED <-> SERVER-WEBAPP Phpcms user registration remote file include attempt (server-webapp.rules) * 1:42767 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt (os-windows.rules) * 1:42768 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt (os-windows.rules) * 1:42787 <-> DISABLED <-> POLICY-OTHER Schneider Electric hardcoded FTP login attempt (policy-other.rules) * 1:42839 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog login.php SQL injection attempt (server-webapp.rules) * 1:42840 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog logshares_ajax.php command injection attempt (server-webapp.rules) * 1:42842 
<-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:42850 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42851 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42852 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42853 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)
* 1:42854 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)
* 1:42428 <-> DISABLED <-> SERVER-WEBAPP Phpcms attachment upload SQL injection attempt (server-webapp.rules)
* 1:42890 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
* 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
* 1:42901 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
* 1:42905 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
* 1:42906 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42907 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42908 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42909 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42920 <-> DISABLED <-> SERVER-WEBAPP LogRhythm Network Monitor JSON configuration API command injection attempt (server-webapp.rules)
* 1:43045 <-> ENABLED <-> SERVER-OTHER RaySharp DVR administrative interface access attempt (server-other.rules)
* 1:43178 <-> DISABLED <-> SERVER-WEBAPP VICIdial user_authorization command injection attempt (server-webapp.rules)
* 1:43179 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules)
* 1:43180 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules)
* 1:43237 <-> ENABLED <-> SERVER-WEBAPP SysAid Enterprise auth bypass and remote file upload attempt (server-webapp.rules)
* 1:43251 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA LogSettingHandler command injection attempt (server-webapp.rules)
* 1:43308 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:43309 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:43310 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43311 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43312 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43313 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43314 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43315 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43316 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:43317 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:43318 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43319 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43320 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43321 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43322 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43323 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43451 <-> DISABLED <-> SERVER-WEBAPP TerraMaster NAS arbitrary PHP file upload attempt (server-webapp.rules)
* 1:43494 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling appleid (server-webapp.rules)
* 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)
* 1:43549 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Manager authentication bypass attempt (server-webapp.rules)
* 1:43552 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk upload remote code execution attempt (server-webapp.rules)
* 1:43553 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk upload remote code execution attempt (server-webapp.rules)
* 1:43554 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk upload remote code execution attempt (server-webapp.rules)
* 1:43687 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .top dns query (indicator-compromise.rules)
* 1:43709 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
* 1:43710 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
* 1:43711 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
* 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
* 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
* 1:43878 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules)
* 1:43881 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules)
* 1:43882 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules)
* 1:43884 <-> ENABLED <-> FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt (file-pdf.rules)
* 1:43886 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
* 1:43887 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
* 1:43888 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
* 1:43889 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
* 1:43893 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
* 1:43894 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
* 1:43895 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
* 1:43896 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
* 1:43897 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
* 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43904 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
* 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43905 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
* 1:43906 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
* 1:43907 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
* 1:43908 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43909 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43910 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43911 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43912 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43913 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43916 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
* 1:43917 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
* 1:43924 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
* 1:43925 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
* 1:43934 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:43935 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt (server-webapp.rules)
* 1:43936 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43937 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43938 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43939 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt (server-webapp.rules)
* 1:43940 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
* 1:43941 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
* 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:43961 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
* 1:43962 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
* 1:43963 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
* 1:43964 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
* 1:43967 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
* 1:43968 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
* 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
* 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
* 1:43977 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43978 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43979 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43983 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
* 1:43984 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
* 1:43991 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43992 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43993 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43994 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43997 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
* 1:43998 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
* 1:43999 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
* 1:44000 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
* 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44006 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44007 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44008 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44023 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
* 1:44033 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
* 1:44034 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
* 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
* 1:44053 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
* 1:44054 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
* 1:44076 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .trade dns query (indicator-compromise.rules)
* 1:44077 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .win dns query (indicator-compromise.rules)
* 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
* 1:44084 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
* 1:44086 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
* 1:44087 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
* 1:44094 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
* 1:44095 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
* 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
* 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
* 1:44144 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
* 1:44145 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
* 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
* 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
* 1:44232 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
* 1:44233 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
* 1:44234 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
* 1:44300 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem authentication bypass attempt (server-webapp.rules)
* 1:44321 <-> DISABLED <-> SERVER-WEBAPP NEC Express Cluster DeleteWorkDirectory.js command injection attempt (server-webapp.rules)
* 1:44322 <-> DISABLED <-> SERVER-WEBAPP NEC Express Cluster DeleteWorkDirectory.js command injection attempt (server-webapp.rules)
* 1:44383 <-> DISABLED <-> SERVER-WEBAPP D-Link router firmware update attempt (server-webapp.rules)
* 1:44384 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44385 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44386 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44387 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44388 <-> ENABLED <-> SERVER-WEBAPP D-Link getcfg.php credential disclosure attempt (server-webapp.rules)
* 1:44430 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44431 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44432 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44433 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44435 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF authentication token disclosure attempt (server-webapp.rules)
* 1:44436 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
* 1:44437 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
* 1:44453 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi NTP service configuration command injection attempt (server-webapp.rules)
* 1:44454 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi directory traversal attempt (server-webapp.rules)
* 1:44465 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
* 1:44466 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
* 1:44467 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
* 1:44471 <-> ENABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:44472 <-> ENABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:44490 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules)
* 1:44491 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules)
* 1:44492 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules)
* 1:44494 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules)
* 1:44495 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules)
* 1:44496 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules)
* 1:44497 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras information disclosure attempt (server-webapp.rules)
* 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
* 1:44551 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
* 1:44579 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
* 1:44580 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
* 1:44582 <-> ENABLED <-> SERVER-WEBAPP Trend Micro widget system authentication bypass attempt (server-webapp.rules)
* 1:44587 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
* 1:44588 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
* 1:44682 <-> DISABLED <-> SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt (server-other.rules)
* 1:44683 <-> DISABLED <-> SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt (server-other.rules)
* 1:44687 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt (server-webapp.rules)
* 1:44688 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt (server-webapp.rules)
* 1:44728 <-> DISABLED <-> INDICATOR-COMPROMISE Meterpreter payload download attempt (indicator-compromise.rules)
* 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
* 1:44793 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
* 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
* 1:44875 <-> ENABLED <-> INDICATOR-COMPROMISE Malicious VBA script detected (indicator-compromise.rules)
* 1:45060 <-> DISABLED <-> SERVER-WEBAPP pfSense system_groupmanager.php command injection attempt (server-webapp.rules)
* 1:45128 <-> ENABLED <-> BROWSER-IE Microsoft Edge defineGetter type confusion attempt (browser-ie.rules)
* 1:45129 <-> ENABLED <-> BROWSER-IE Microsoft Edge defineGetter type confusion attempt (browser-ie.rules)
* 1:45136 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit PowerShell CLI Download and Run attempt (indicator-compromise.rules)
* 1:45137 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit run hidden powershell attempt (indicator-compromise.rules)
* 1:45214 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules)
* 1:45215 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules)
* 1:45237 <-> DISABLED <-> SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt (server-webapp.rules)
* 1:45238 <-> DISABLED <-> SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt (server-webapp.rules)
* 1:45240 <-> DISABLED <-> SERVER-WEBAPP OpenEMR fax_dispatch.php command injection attempt (server-webapp.rules)
* 1:45250 <-> ENABLED <-> SERVER-WEBAPP Delta IEM DIAEnergie file upload attempt (server-webapp.rules)
* 1:45254 <-> DISABLED <-> SERVER-OTHER Polycom HDX Series remote code execution attempt (server-other.rules)
* 1:45261 <-> DISABLED <-> SERVER-WEBAPP Vivotek IP Cameras remote stack buffer overflow attempt (server-webapp.rules)
* 1:45270 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45271 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45272 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45273 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45274 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45275 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45276 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45277 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45278 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45279 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45280 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45281 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45282 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45283 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45284 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45285 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45286 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45287 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45288 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45289 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45290 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45291 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45292 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45293 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45294 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45295 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45296 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45297 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45298 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45299 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45300 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45301 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45312 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
* 1:45313 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
* 1:45370 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules)
* 1:45371 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules)
* 1:45407 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi backdoor account access attempt (server-webapp.rules)
* 1:45408 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi command injection attempt (server-webapp.rules)
* 1:45409 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi command injection attempt (server-webapp.rules)
* 1:45410 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi command injection attempt (server-webapp.rules)
* 1:45418 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules)
* 1:45419 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules)
* 1:45549 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency mining pool connection attempt (pua-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 1:45562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LockPoS outbound connection attempt (malware-cnc.rules)
* 1:45561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LockPoS outbound connection attempt (malware-cnc.rules)
* 1:45560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LockPoS outbound connection attempt (malware-cnc.rules)
* 1:45559 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
* 1:45558 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
* 1:45557 <-> DISABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
* 1:45556 <-> DISABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
* 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules)
* 1:45554 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
* 1:45553 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
* 1:45552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Velso ransomware download (malware-cnc.rules)
* 1:45551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Velso ransomware download (malware-cnc.rules)
* 1:45550 <-> ENABLED <-> PUA-OTHER CPUMiner-Multi cryptocurrency mining pool connection attempt (pua-other.rules)
* 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (server-webapp.rules)
* 1:45569 <-> DISABLED <-> SERVER-WEBAPP Squid host header cache poisoning attempt (server-webapp.rules)
* 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of service attempt (server-samba.rules)
* 1:45567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45565 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif variant download attempt (malware-other.rules)
* 1:45564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
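The practical question for anyone consuming this list is which of the new rules ship DISABLED by default but matter for software they actually run (Samba, MikroTik, Squid and so on), so those SIDs can be switched on in the local rule tuning. The following Python is an added example, not code from Talos or from the Snort distribution: it parses the `gid:sid <-> Default rule state <-> Message (rule group)` format described above (handling both one-entry-per-line input and the flattened form in which several entries are run together on one line separated by ` * `), tallies default states per rule group, and renders a selection as `gid:sid` lines. The sample input is copied from the listing above; the assumption that a `gid:sid`-per-line output is what the reader's rule-management tooling (for instance a PulledPork `enablesid.conf`) consumes is mine, not the page's.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input taken from the rule-pack listing on this page. The third line
# deliberately reproduces the flattened "… * 1:sid …" form, so the parser is
# exercised on several entries sharing one physical line.
SAMPLE = """\
* 1:45563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of service attempt (server-samba.rules)
* 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules) * 1:45569 <-> DISABLED <-> SERVER-WEBAPP Squid host header cache poisoning attempt (server-webapp.rules)
* 1:45549 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency mining pool connection attempt (pua-other.rules)
"""

# One entry: gid:sid <-> STATE <-> message (group.rules). The message is matched
# lazily so it stops at the first "(something.rules)" and never runs into the
# next entry when several are joined on one line.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w-]+\.rules)\)"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    msg: str
    group: str

    @property
    def category(self) -> str:
        # Talos messages always open with the category token, e.g. SERVER-WEBAPP.
        return self.msg.split(" ", 1)[0]


def parse_rule_list(text: str) -> list[RuleEntry]:
    """Return every entry found in text, in document order."""
    return [
        RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                  m["msg"], m["group"])
        for m in ENTRY_RE.finditer(text)
    ]


def state_counts(entries: list[RuleEntry]) -> dict[str, tuple[int, int]]:
    """Per rule group: (rules enabled by default, rules disabled by default)."""
    counts: dict[str, tuple[int, int]] = {}
    for e in entries:
        on, off = counts.get(e.group, (0, 0))
        counts[e.group] = (on + 1, off) if e.enabled else (on, off + 1)
    return counts


def disabled_matching(entries: list[RuleEntry], *keywords: str) -> list[RuleEntry]:
    """Default-disabled rules whose message mentions any keyword (case-insensitive)."""
    wanted = [k.lower() for k in keywords]
    return [e for e in entries
            if not e.enabled and any(k in e.msg.lower() for k in wanted)]


def enablesid_lines(entries: list[RuleEntry]) -> str:
    """Render entries as sorted, de-duplicated 'gid:sid' lines for rule tuning."""
    return "\n".join(f"{gid}:{sid}" for gid, sid in sorted({(e.gid, e.sid) for e in entries}))


if __name__ == "__main__":
    rules = parse_rule_list(SAMPLE)
    for group, (on, off) in sorted(state_counts(rules).items()):
        print(f"{group:28s} enabled={on} disabled={off}")
    # Rules we would want on for a site that runs Samba and MikroTik gear.
    print(enablesid_lines(disabled_matching(rules, "samba", "mikrotik")))
```

Running the block against the full listing instead of `SAMPLE` is a matter of reading the page text into `parse_rule_list`; the regex does not care whether the entries arrive one per line or flattened. Review the hits by hand before enabling them: a rule that is off by default is usually off because Talos expects noise or performance cost on general traffic.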
* 1:30033 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense webConfigurator invalid input attempt (server-webapp.rules)
* 1:30013 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense Snort log view remote file inclusion attempt (server-webapp.rules)
* 1:30012 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense Snort log view remote file inclusion attempt (server-webapp.rules)
* 1:29992 <-> DISABLED <-> SERVER-WEBAPP Linksys WRT120N tmUnblock.cgi TM_Block_URL parameter fprintf stack buffer overflow attempt (server-webapp.rules)
* 1:29831 <-> ENABLED <-> SERVER-WEBAPP HNAP remote code execution attempt (server-webapp.rules)
* 1:31356 <-> ENABLED <-> SERVER-WEBAPP Wordpress timthumb.php webshot source attack attempt (server-webapp.rules)
* 1:31342 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller password file disclosure attempt (server-webapp.rules)
* 1:31341 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller password file disclosure attempt (server-webapp.rules)
* 1:31340 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller information disclosure attempt (server-webapp.rules)
* 1:31339 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller information disclosure attempt (server-webapp.rules)
* 1:31300 <-> ENABLED <-> SERVER-OTHER Xerox DocuShare SQL injection attempt (server-other.rules)
* 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
* 1:31214 <-> ENABLED <-> INDICATOR-COMPROMISE connection to zeus malware sinkhole (indicator-compromise.rules)
* 1:31161 <-> ENABLED <-> SERVER-OTHER AuraCMS LFI attempt (server-other.rules)
* 1:31094 <-> ENABLED <-> SERVER-WEBAPP Web Terria remote command execution attempt (server-webapp.rules)
* 1:31001 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file (indicator-compromise.rules)
* 1:31000 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file (indicator-compromise.rules)
* 1:30999 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file (indicator-compromise.rules)
* 1:30998 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file (indicator-compromise.rules)
* 1:30997 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file (indicator-compromise.rules)
* 1:30996 <-> ENABLED <-> SERVER-OTHER CMSimple remote file inclusion attempt (server-other.rules)
* 1:31499 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell download attempt (indicator-compromise.rules)
* 1:31531 <-> ENABLED <-> INDICATOR-COMPROMISE MinerDeploy monitor request attempt (indicator-compromise.rules)
* 1:31503 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell download attempt (indicator-compromise.rules)
* 1:31502 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell command and control attempt (indicator-compromise.rules)
* 1:31501 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell command and control attempt (indicator-compromise.rules)
* 1:31500 <-> ENABLED <-> INDICATOR-COMPROMISE Liz0ziM php shell upload attempt (indicator-compromise.rules)
* 1:31892 <-> DISABLED <-> SERVER-WEBAPP HybridAuth install.php code injection attempt (server-webapp.rules)
* 1:31874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt (os-windows.rules)
* 1:31830 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules)
* 1:31711 <-> DISABLED <-> INDICATOR-COMPROMISE Keylog string over FTP detected (indicator-compromise.rules)
* 1:32488 <-> DISABLED <-> INDICATOR-COMPROMISE .com- potentially malicious hostname (indicator-compromise.rules)
* 1:32508 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules)
* 1:32509 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules)
* 1:32562 <-> ENABLED <-> FILE-OTHER Oracle Java awt_setPixels out-of-bounds read attempt (file-other.rules)
* 1:32646 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file (indicator-compromise.rules)
* 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules)
* 1:32888 <-> ENABLED <-> INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex - Spammed Malware Download attempt (indicator-compromise.rules)
* 1:32775 <-> DISABLED <-> SERVER-OTHER Siemens Simatic S7-300 PLC remote memory dump (server-other.rules)
* 1:32774 <-> DISABLED <-> SERVER-OTHER Siemens Simatic S7-300 PLC backdoor login attempt (server-other.rules)
* 1:32761 <-> DISABLED <-> SERVER-WEBAPP dBlog CMS m parameter SQL injection attempt (server-webapp.rules)
* 1:33277 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules)
* 1:33276 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules)
* 1:33190 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules)
* 1:33189 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules)
* 1:33887 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
* 1:33278 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules)
* 1:34220 <-> DISABLED <-> SERVER-WEBAPP Barracuda Networks Web Filter index.cgi command injection attempt (server-webapp.rules)
* 1:34179 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules)
* 1:34178 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules)
* 1:33890 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
* 1:33889 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
* 1:33888 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
* 1:34616 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
* 1:34615 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
* 1:34222 <-> DISABLED <-> SERVER-WEBAPP Barracuda Networks Web Filter index.cgi command injection attempt (server-webapp.rules)
* 1:34221 <-> DISABLED <-> SERVER-WEBAPP Barracuda Networks Web Filter index.cgi command injection attempt (server-webapp.rules)
* 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:35246 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules)
* 1:35245 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules)
* 1:35244 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules)
* 1:35243 <-> DISABLED <-> SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt (server-webapp.rules)
* 1:35222 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - Win.Trojan.Dridex (indicator-compromise.rules)
* 1:35091 <-> ENABLED <-> OS-MOBILE iOS lockdownd plist object buffer overflow attempt (os-mobile.rules)
* 1:35090 <-> ENABLED <-> OS-MOBILE iOS lockdownd plist object buffer overflow attempt (os-mobile.rules)
* 1:35079 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules)
* 1:35078 <->
DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules) * 1:35077 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules) * 1:35026 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules) * 1:35025 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules) * 1:35024 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules) * 1:34825 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules) * 1:34824 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules) * 1:34648 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules) * 1:34647 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules) * 1:34646 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules) * 1:34618 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules) * 1:34617 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules) * 1:35682 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php directory traversal attempt (server-webapp.rules) * 1:35681 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php authentication bypass attempt (server-webapp.rules) * 1:35680 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance downloadpxy.php directory traversal attempt (server-webapp.rules) * 1:35679 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance downloadpxy.php directory traversal attempt (server-webapp.rules) * 1:35678 <-> DISABLED <-> 
SERVER-WEBAPP Dell KACE Appliance downloadpxy.php directory traversal attempt (server-webapp.rules) * 1:35677 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance KSudoClient privilege escalation attempt (server-webapp.rules) * 1:35573 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt (server-webapp.rules) * 1:35535 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules) * 1:35534 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules) * 1:35533 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules) * 1:35429 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules) * 1:35428 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules) * 1:35427 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules) * 1:35359 <-> DISABLED <-> SERVER-WEBAPP Cacti selected_items SQL injection attempt (server-webapp.rules) * 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules) * 1:35896 <-> ENABLED <-> SERVER-OTHER GE Proficy CIMPLICITY Marquee Manager stack buffer overflow attempt (server-other.rules) * 1:35893 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules) * 1:35892 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules) * 1:35888 <-> DISABLED <-> 
PROTOCOL-SCADA SCADA Engine OPC Server arbitrary file upload attempt (protocol-scada.rules) * 1:35875 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules) * 1:35874 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules) * 1:35873 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules) * 1:35872 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules) * 1:35867 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules) * 1:35866 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules) * 1:35865 <-> ENABLED <-> BROWSER-IE Internet Explorer DataSource recordset remote code execution attempt (browser-ie.rules) * 1:35745 <-> ENABLED <-> INDICATOR-COMPROMISE Wild Neutron potential exploit attempt (indicator-compromise.rules) * 1:35738 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules) * 1:35737 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript stealth executable download attempt (indicator-obfuscation.rules) * 1:35736 <-> ENABLED <-> OS-OTHER OS X DYLD_PRINT_TO_FILE privilege escalation attempt (os-other.rules) * 1:35735 <-> ENABLED <-> OS-OTHER OS X DYLD_PRINT_TO_FILE privilege escalation attempt (os-other.rules) * 1:35706 <-> ENABLED <-> BROWSER-IE Microsoft Edge history.state use after free attempt (browser-ie.rules) * 1:35705 <-> ENABLED <-> BROWSER-IE Microsoft Edge history.state use after free attempt (browser-ie.rules) * 1:35684 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php directory traversal attempt (server-webapp.rules) * 1:35683 <-> DISABLED <-> SERVER-WEBAPP Dell KACE Appliance kbot_upload.php directory traversal attempt (server-webapp.rules) * 1:36053 
<-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA snmp JSON interface command injection attempt (server-webapp.rules) * 1:36052 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA JSON interface hidden credentials authentication attempt (server-webapp.rules) * 1:36051 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules) * 1:36050 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules) * 1:36049 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules) * 1:36043 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules) * 1:36042 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules) * 1:36041 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules) * 1:36033 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules) * 1:36032 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules) * 1:36031 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules) * 1:28811 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28806 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware download - single digit .exe file download (indicator-compromise.rules) * 1:28557 <-> DISABLED <-> PROTOCOL-DNS Malformed DNS query with HTTP content (protocol-dns.rules) * 1:28556 <-> DISABLED <-> PROTOCOL-DNS DNS query amplification attempt (protocol-dns.rules) * 1:28422 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:29046 <-> DISABLED <-> 
SERVER-WEBAPP WhatsUp Gold ExportViewer.asp diretory traversal attempt (server-webapp.rules) * 1:28941 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules) * 1:28893 <-> DISABLED <-> BROWSER-OTHER known revoked certificate for Tresor CA (browser-other.rules) * 1:29090 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious test for public IP - iframe.ip138.com (indicator-compromise.rules) * 1:29157 <-> DISABLED <-> SERVER-WEBAPP NagiosQL hostdependencies.php cross site scripting attempt (server-webapp.rules) * 1:29158 <-> DISABLED <-> SERVER-WEBAPP NagiosQL hostdependencies.php cross site scripting attempt (server-webapp.rules) * 1:29510 <-> ENABLED <-> INDICATOR-OBFUSCATION Multiple character encodings detected (indicator-obfuscation.rules) * 1:29401 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000B setup.cgi parameter code execution attempt (server-webapp.rules) * 1:29346 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter cross site scripting attempt (server-webapp.rules) * 1:29190 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in Nuclear exploit kit (indicator-obfuscation.rules) * 1:29170 <-> DISABLED <-> SERVER-WEBAPP NetWeaver internet sales module directory traversal attempt (server-webapp.rules) * 1:29160 <-> DISABLED <-> SERVER-WEBAPP The Bug Genie openid_identifier cross site scripting attempt (server-webapp.rules) * 1:29159 <-> DISABLED <-> SERVER-WEBAPP The Bug Genie openid_identifier cross site scripting attempt (server-webapp.rules) * 1:29462 <-> ENABLED <-> INDICATOR-SCAN User-Agent known malicious user-agent The Mole (indicator-scan.rules) * 1:29403 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN1000B setup.cgi cross site scripting attempt (server-webapp.rules) * 1:29402 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000B setup.cgi parameter code execution attempt (server-webapp.rules) * 1:29608 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO 
showRegisteredTypeDetails.do sql injection attempt (server-webapp.rules) * 1:29609 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO DisplayMSAPropsDetail.do sql injection attempt (server-webapp.rules) * 1:29815 <-> DISABLED <-> SERVER-WEBAPP Kloxo webcommand.php SQL injection attempt (server-webapp.rules) * 1:29830 <-> ENABLED <-> SERVER-WEBAPP HNAP remote code execution attempt (server-webapp.rules) * 1:29829 <-> ENABLED <-> SERVER-WEBAPP HNAP remote code execution attempt (server-webapp.rules) * 1:30959 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules) * 1:30958 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules) * 1:30928 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver dir content listing attempt (server-other.rules) * 1:30908 <-> DISABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules) * 1:30905 <-> DISABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules) * 1:30880 <-> ENABLED <-> OS-MOBILE Android Andr.Trojan.Waller information disclosure attempt (os-mobile.rules) * 1:30769 <-> ENABLED <-> SERVER-OTHER Wordpress linenity theme LFI attempt (server-other.rules) * 1:30274 <-> ENABLED <-> SERVER-WEBAPP LifeSize UVC remote code execution attempt (server-webapp.rules) * 1:30249 <-> ENABLED <-> SERVER-WEBAPP Embedded php in Exif data upload attempt (server-webapp.rules) * 1:30230 <-> ENABLED <-> INDICATOR-COMPROMISE suspicious test for public IP - www.dawhois.com (indicator-compromise.rules) * 1:30101 <-> ENABLED <-> FILE-OTHER ftpchk3.php malicious script upload attempt (file-other.rules) * 1:30100 <-> ENABLED <-> FILE-OTHER ftpchk3.php malicious script upload attempt (file-other.rules) * 1:30066 <-> ENABLED <-> INDICATOR-COMPROMISE ZenCart malicious redirect attempt detected (indicator-compromise.rules) * 1:30065 <-> ENABLED <-> INDICATOR-COMPROMISE 
ZenCart compromise attempt detected (indicator-compromise.rules) * 1:30041 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:30040 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules) * 1:36030 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules) * 1:36024 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules) * 1:36023 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules) * 1:36022 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules) * 1:35920 <-> ENABLED <-> SERVER-OTHER General Electric Proficy memory leakage request attempt (server-other.rules) * 1:35910 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight information disclosure attempt (server-other.rules) * 1:36101 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules) * 1:36102 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules) * 1:36104 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA configdb_file.php arbitrary PHP file upload attempt (server-webapp.rules) * 1:37137 <-> ENABLED <-> SERVER-WEBAPP Fireeye Java decompiler reflection remote code execution attempt (server-webapp.rules) * 1:37136 <-> ENABLED <-> SERVER-WEBAPP Fireeye Java decompiler reflection remote code execution attempt (server-webapp.rules) * 1:37135 <-> ENABLED <-> SERVER-WEBAPP Fireeye Java decompiler reflection remote code execution attempt (server-webapp.rules) * 1:37132 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules) * 1:37131 <-> ENABLED <-> FILE-IDENTIFY .wsf attachment file type blocked by Outlook 
detected (file-identify.rules) * 1:37130 <-> ENABLED <-> FILE-IDENTIFY Obfuscated .wsf download attempt (file-identify.rules) * 1:36795 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules) * 1:36794 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules) * 1:36793 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules) * 1:36544 <-> DISABLED <-> SERVER-WEBAPP pChart script parameter directory traversal attempt (server-webapp.rules) * 1:36380 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev SaveContentServiceImpl servlet directory traversal attempt (server-webapp.rules) * 1:36285 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules) * 1:36284 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules) * 1:36283 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules) * 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules) * 1:36270 <-> DISABLED <-> SERVER-WEBAPP Centreon main.php command injection attempt (server-webapp.rules) * 1:36242 <-> DISABLED <-> SERVER-WEBAPP Reprise License Manager edit_lf_get_data directory traversal attempt (server-webapp.rules) * 1:37292 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37290 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37289 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37287 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37286 <-> ENABLED 
<-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37285 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules) * 1:37244 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules) * 1:37243 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules) * 1:37140 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk FileDownload.jsp fName directory traversal attempt (server-webapp.rules) * 1:37139 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk FileDownload.jsp fName directory traversal attempt (server-webapp.rules) * 1:37138 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk FileDownload.jsp fName directory traversal attempt (server-webapp.rules) * 1:37324 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt (server-webapp.rules) * 1:37443 <-> DISABLED <-> SQL use of sleep function with select - likely SQL injection (sql.rules) * 1:37413 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules) * 1:37412 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules) * 1:37411 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS hidden credentials authentication attempt (server-webapp.rules) * 1:37368 <-> DISABLED <-> SERVER-OTHER Multiple Vendors SOAP large array information disclosure attempt (server-other.rules) * 1:37537 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules) * 1:37538 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules) * 1:37544 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules) * 1:37543 <-> DISABLED <-> BROWSER-PLUGINS 
Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules) * 1:37542 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules) * 1:37541 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules) * 1:37540 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules) * 1:37539 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules) * 1:38383 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules) * 1:38269 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_system command injection attempt (server-webapp.rules) * 1:37624 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules) * 1:37623 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules) * 1:37622 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules) * 1:38579 <-> DISABLED <-> SERVER-WEBAPP Atvise denial of service attempt (server-webapp.rules) * 1:38535 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules) * 1:38534 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules) * 1:38532 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules) * 1:38389 <-> DISABLED <-> SERVER-WEBAPP HID door command injection attempt (server-webapp.rules) * 1:38384 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules) * 1:38632 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38631 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download 
(file-flash.rules) * 1:38630 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38629 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type text/plain containing Portable Executable data (indicator-compromise.rules) * 1:38633 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38640 <-> ENABLED <-> FILE-OFFICE Microsoft Office document with auto-start VBA macro detected (file-office.rules) * 1:38639 <-> ENABLED <-> FILE-OFFICE Microsoft Office document with auto-start VBA macro detected (file-office.rules) * 1:38636 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38635 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38634 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules) * 1:38648 <-> DISABLED <-> SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt (server-other.rules) * 1:38649 <-> DISABLED <-> SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt (server-other.rules) * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules) * 1:38796 <-> DISABLED <-> SERVER-OTHER Adroit denial of service attempt (server-other.rules) * 1:39469 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules) * 1:39468 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules) * 1:39350 <-> ENABLED <-> SERVER-WEBAPP Wordpress Mobile Detector Plugin remote file upload attempt (server-webapp.rules) * 1:39349 <-> ENABLED <-> SERVER-WEBAPP Wordpress Mobile Detector Plugin remote file upload attempt (server-webapp.rules) * 1:39330 <-> DISABLED <-> SERVER-WEBAPP 
TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules) * 1:39329 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules) * 1:39328 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules) * 1:39268 <-> DISABLED <-> SERVER-WEBAPP Joomla PayPlans Extension com_payplans group_id SQL injection attempt (server-webapp.rules) * 1:39198 <-> DISABLED <-> SERVER-WEBAPP D-Link authentication bypass attempt (server-webapp.rules) * 1:39192 <-> ENABLED <-> SERVER-WEBAPP D-Link router unauthorised DNS change attempt (server-webapp.rules) * 1:39188 <-> DISABLED <-> SERVER-WEBAPP Nagios XI backend API server side request forgery attempt (server-webapp.rules) * 1:39181 <-> DISABLED <-> SERVER-WEBAPP Nagios XI ajaxproxy.php server side request forgery attempt (server-webapp.rules) * 1:39180 <-> DISABLED <-> SERVER-WEBAPP Nagios XI nagiosim.php command injection attempt (server-webapp.rules) * 1:39179 <-> DISABLED <-> SERVER-WEBAPP Nagios XI nagiosim.php command injection attempt (server-webapp.rules) * 1:39178 <-> DISABLED <-> SERVER-WEBAPP Nagios XI graphApi.php command injection attempt (server-webapp.rules) * 1:39177 <-> DISABLED <-> SERVER-WEBAPP Nagios XI graphApi.php command injection attempt (server-webapp.rules) * 1:39070 <-> ENABLED <-> SERVER-WEBAPP Dlink local file disclosure attempt (server-webapp.rules) * 1:39044 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules) * 1:39043 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules) * 1:39039 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules) * 1:39038 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules) * 1:39869 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive Document Filters 
msofbtCLSID stack buffer overflow attempt (file-office.rules) * 1:39868 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive Document Filters msofbtCLSID stack buffer overflow attempt (file-office.rules) * 1:39867 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .tk dns query (indicator-compromise.rules) * 1:39866 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .ml dns query (indicator-compromise.rules) * 1:39851 <-> ENABLED <-> INDICATOR-COMPROMISE Connection to malware sinkhole - CERT.PL (indicator-compromise.rules) * 1:39743 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules) * 1:39742 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_dns XMLRPC method command injection attempt (server-webapp.rules) * 1:39641 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules) * 1:39640 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules) * 1:39639 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules) * 1:39477 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler port_config SQL injection attempt (server-webapp.rules) * 1:39476 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler export_report SQL injection attempt (server-webapp.rules) * 1:39475 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler algorithm_settings SQL injection attempt (server-webapp.rules) * 1:39474 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler REST API login SQL injection attempt (server-webapp.rules) * 1:39471 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules) * 1:39470 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules) * 1:39871 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive Document Filters wSectorShift heap buffer overflow attempt (file-office.rules) * 1:40032 <-> 
DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40031 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40030 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:39973 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt (browser-plugins.rules)
* 1:39972 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt (browser-plugins.rules)
* 1:39971 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt (browser-plugins.rules)
* 1:39970 <-> DISABLED <-> BROWSER-PLUGINS UCanCode Visualization Enterprise Suite ActiveX clsid access attempt (browser-plugins.rules)
* 1:39962 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules)
* 1:39961 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules)
* 1:39960 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules)
* 1:39959 <-> DISABLED <-> BROWSER-PLUGINS AdvantechNVS VideoDAQ ActiveX clsid access attempt (browser-plugins.rules)
* 1:39945 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
* 1:39944 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
* 1:39943 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
* 1:39942 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
* 1:39935 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39934 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39933 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39932 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39930 <-> ENABLED <-> SERVER-WEBAPP Siemens IP-Camera credential disclosure attempt (server-webapp.rules)
* 1:39872 <-> DISABLED <-> FILE-OFFICE LexMark Perceptive Document Filters wSectorShift heap buffer overflow attempt (file-office.rules)
* 1:40590 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
* 1:40589 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
* 1:40524 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync JSON API ad_sync_now command injection attempt (server-webapp.rules)
* 1:40448 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera search.cgi command injection attempt (server-webapp.rules)
* 1:40447 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera search.cgi command injection attempt (server-webapp.rules)
* 1:40446 <-> ENABLED <-> SERVER-WEBAPP Avtech IP Camera unauthenticated config access attempt (server-webapp.rules)
* 1:40382 <-> DISABLED <-> SERVER-OTHER Easy File Sharing Server remote code execution attempt (server-other.rules)
* 1:40283 <-> DISABLED <-> SERVER-WEBAPP Kaltura redirectWidgetCmd PHP object injection attempt (server-webapp.rules)
* 1:40255 <-> DISABLED <-> SERVER-WEBAPP FreePBX Music Module ajax.php command injection attempt (server-webapp.rules)
* 1:40150 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
* 1:40149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
* 1:40071 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt (server-webapp.rules)
* 1:40070 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt (server-webapp.rules)
* 1:40069 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt (server-webapp.rules)
* 1:40068 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt (server-webapp.rules)
* 1:40047 <-> ENABLED <-> SERVER-WEBAPP Belkin F9K1122 webpage buffer overflow attempt (server-webapp.rules)
* 1:40033 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40786 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
* 1:40785 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
* 1:40784 <-> ENABLED <-> SERVER-WEBAPP ZyXEL TR-064 SetNTPServers command injection attempt (server-webapp.rules)
* 1:40755 <-> DISABLED <-> FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt (file-flash.rules)
* 1:40592 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS notificationsBatchDetails.php SQL injection attempt (server-webapp.rules)
* 1:40591 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
* 1:40905 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules)
* 1:40866 <-> DISABLED <-> PROTOCOL-OTHER TP-Link TDDP SET_CONFIG type buffer overflow attempt (protocol-other.rules)
* 1:40904 <-> ENABLED <-> SERVER-WEBAPP Oracle Weblogic default credentials login attempt (server-webapp.rules)
* 1:41421 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
* 1:41420 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
* 1:41402 <-> DISABLED <-> SERVER-WEBAPP Billion 5200W ADSL Router tools_time.asp command injection attempt (server-webapp.rules)
* 1:41401 <-> DISABLED <-> SERVER-WEBAPP Billion 5200W ADSL Router adv_remotelog.asp command injection attempt (server-webapp.rules)
* 1:41390 <-> ENABLED <-> SERVER-WEBAPP Apache Commons Library FileUpload unauthorized Java object upload attempt (server-webapp.rules)
* 1:41388 <-> DISABLED <-> SERVER-WEBAPP ZyXEL P660HN ADSL Router viewlog.asp command injection attempt (server-webapp.rules)
* 1:41387 <-> DISABLED <-> SERVER-WEBAPP ZyXEL P660HN ADSL Router logset.asp command injection attempt (server-webapp.rules)
* 1:41364 <-> DISABLED <-> PROTOCOL-OTHER ARM mbed TLS x509 invalid public key remote code execution attempt (protocol-other.rules)
* 1:41349 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
* 1:41348 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
* 1:41347 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
* 1:41346 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
* 1:41117 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS WorkFlowServlet.class SQL injection attempt (server-webapp.rules)
* 1:41116 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS WorkFlowServlet.class SQL injection attempt (server-webapp.rules)
* 1:41115 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS TaskViewServlet.class SQL injection attempt (server-webapp.rules)
* 1:41114 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS TaskViewServlet.class SQL injection attempt (server-webapp.rules)
* 1:41113 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS Logs.class SQL injection attempt (server-webapp.rules)
* 1:41112 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS Logs.class SQL injection attempt (server-webapp.rules)
* 1:40994 <-> DISABLED <-> SERVER-WEBAPP Sony IPELA IP Cameras prima-factory.cgi telnet backdoor access attempt (server-webapp.rules)
* 1:40933 <-> DISABLED <-> SERVER-WEBAPP Reference Design Kit ajax_network_diagnostic_tools.php command injection attempt (server-webapp.rules)
* 1:40907 <-> DISABLED <-> PROTOCOL-OTHER TP-Link TDDP Get_config configuration leak attempt (protocol-other.rules)
* 1:41722 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt (server-other.rules)
* 1:41710 <-> DISABLED <-> INDICATOR-COMPROMISE Binary file download request from internationalized domain name using Microsoft BITS (indicator-compromise.rules)
* 1:41697 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera machine.cgi information disclosure attempt (server-webapp.rules)
* 1:41696 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera cloudsetup.cgi command execution attempt (server-webapp.rules)
* 1:41695 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt (server-webapp.rules)
* 1:41694 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt (server-webapp.rules)
* 1:41693 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera adcommand.cgi command execution attempt (server-webapp.rules)
* 1:41646 <-> DISABLED <-> PROTOCOL-SCADA BB-Elec ethernet gateway DOS attempt (protocol-scada.rules)
* 1:41642 <-> DISABLED <-> SERVER-WEBAPP TP-LINK AC750 ping diagnostic command injection attempt (server-webapp.rules)
* 1:41520 <-> DISABLED <-> SERVER-OTHER Ge Fanuc Proficy WebView DOS attempt (server-other.rules)
* 1:41515 <-> ENABLED <-> POLICY-OTHER McAfee Virus Scan Linux outdated version detected (policy-other.rules)
* 1:41497 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
* 1:41496 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
* 1:41495 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
* 1:41488 <-> DISABLED <-> SERVER-WEBAPP GitHub Enterprise pre-receive-hooks SQL injection attempt (server-webapp.rules)
* 1:41449 <-> DISABLED <-> SQL use of sleep function with and - likely SQL injection (sql.rules)
* 1:42426 <-> DISABLED <-> SERVER-WEBAPP Phpcms attachment upload SQL injection attempt (server-webapp.rules)
* 1:42132 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules)
* 1:42131 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules)
* 1:42119 <-> DISABLED <-> SERVER-WEBAPP pfSense openvpn_wizard PHP code injection attempt (server-webapp.rules)
* 1:42016 <-> ENABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
* 1:42005 <-> DISABLED <-> SERVER-WEBAPP Logsign JSON API validate_file command injection attempt (server-webapp.rules)
* 1:41917 <-> ENABLED <-> SERVER-WEBAPP Carel PlantVisorPRO default login attempt (server-webapp.rules)
* 1:41815 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
* 1:41814 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
* 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules)
* 1:41782 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
* 1:41781 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
* 1:41770 <-> DISABLED <-> SERVER-WEBAPP Wordpress NextGEN Gallery SQL injection attempt (server-webapp.rules)
* 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules)
* 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules)
* 1:41735 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41734 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41733 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41732 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
* 1:41724 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt (server-other.rules)
* 1:41723 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt (server-other.rules)
* 1:42424 <-> DISABLED <-> POLICY-OTHER MSSQL CLR permission set to unsafe attempt (policy-other.rules)
* 1:42411 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG session id check bypass attempt (server-webapp.rules)
* 1:42410 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdtool backdoor login attempt (server-webapp.rules)
* 1:42409 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdfs.cgi command injection attempt (server-webapp.rules)
* 1:42408 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdfs.cgi command injection attempt (server-webapp.rules)
* 1:42407 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG rdfs.cgi command injection attempt (server-webapp.rules)
* 1:42406 <-> DISABLED <-> SERVER-WEBAPP WePresent WiPG admin backdoor login attempt (server-webapp.rules)
* 1:42372 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42340 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (os-windows.rules)
* 1:42338 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request memory leak attempt (os-windows.rules)
* 1:42291 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM API get_host_fqdn host_ip command injection attempt (server-webapp.rules)
* 1:42254 <-> ENABLED <-> OS-SOLARIS Solaris dtappgather local privilege escalation attempt (os-solaris.rules)
* 1:42253 <-> ENABLED <-> OS-SOLARIS Solaris dtappgather local privilege escalation attempt (os-solaris.rules)
* 1:42232 <-> ENABLED <-> SERVER-OTHER TopSec Firewall cookie header command injection attempt (server-other.rules)
* 1:42211 <-> ENABLED <-> BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt (browser-ie.rules)
* 1:42210 <-> ENABLED <-> BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt (browser-ie.rules)
* 1:42427 <-> DISABLED <-> SERVER-WEBAPP Phpcms attachment upload SQL injection attempt (server-webapp.rules)
* 1:43316 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:42908 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42907 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42906 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42905 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
* 1:42901 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
* 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
* 1:42890 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
* 1:42854 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)
* 1:42853 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)
* 1:42852 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42851 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42850 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:42840 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog logshares_ajax.php command injection attempt (server-webapp.rules)
* 1:42839 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog login.php SQL injection attempt (server-webapp.rules)
* 1:27287 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:19440 <-> ENABLED <-> SQL 1 = 0 - possible sql injection attempt (sql.rules)
* 1:19439 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:18683 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel file with embedded PDF object (file-office.rules)
* 1:16431 <-> ENABLED <-> SQL generic sql with comments injection attempt - GET parameter (sql.rules)
* 1:15877 <-> DISABLED <-> SQL generic sql exec injection attempt - POST parameter (sql.rules)
* 1:15875 <-> DISABLED <-> SQL generic sql insert injection attempt - POST parameter (sql.rules)
* 1:15874 <-> DISABLED <-> SQL union select - possible sql injection attempt - POST parameter (sql.rules)
* 1:15584 <-> DISABLED <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules)
* 1:15503 <-> ENABLED <-> FILE-OFFICE Download of PowerPoint 95 file (file-office.rules)
* 1:13514 <-> DISABLED <-> SQL generic sql update injection attempt - GET parameter (sql.rules)
* 1:13512 <-> DISABLED <-> SQL generic sql exec injection attempt - GET parameter (sql.rules)
* 1:27272 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode (indicator-obfuscation.rules)
* 1:27074 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules)
* 1:27073 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules)
* 1:26929 <-> ENABLED <-> SERVER-WEBAPP SAP ConfigServlet command execution attempt (server-webapp.rules)
* 1:26925 <-> DISABLED <-> SQL generic convert injection attempt - GET parameter (sql.rules)
* 1:26829 <-> DISABLED <-> SQL generic sql update injection attempt - POST parameter (sql.rules)
* 1:26441 <-> ENABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected (indicator-obfuscation.rules)
* 1:26352 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits (indicator-obfuscation.rules)
* 1:26101 <-> ENABLED <-> INDICATOR-OBFUSCATION String.fromCharCode concatenation (indicator-obfuscation.rules)
* 1:26092 <-> ENABLED <-> INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages (indicator-obfuscation.rules)
* 1:25592 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated document command - used in IFRAMEr tool injection (indicator-obfuscation.rules)
* 1:24647 <-> DISABLED <-> SERVER-WEBAPP D-Link Wireless Router CAPTCHA data processing buffer overflow attempt (server-webapp.rules)
* 1:23182 <-> ENABLED <-> SERVER-OTHER Joomla com_maqmahelpdesk task parameter local file inclusion attempt (server-other.rules)
* 1:23018 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules)
* 1:21778 <-> DISABLED <-> SQL parameter ending in comment characters - possible sql injection attempt - POST (sql.rules)
* 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
* 1:27288 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
* 1:27592 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:27735 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool usage (indicator-obfuscation.rules)
* 1:27920 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:27736 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28024 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28023 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28025 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28288 <-> ENABLED <-> SERVER-WEBAPP WebTester install2.php arbitrary command execution attempt (server-webapp.rules)
* 1:28039 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .pw dns query (indicator-compromise.rules)
* 1:28284 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .nl.ai dns query (indicator-compromise.rules)
* 1:28345 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
* 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules)
* 1:28346 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28401 <-> DISABLED <-> OS-MOBILE Android Andr.Trojan.MobileTx APK file download attempt (os-mobile.rules)
* 1:28420 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28409 <-> DISABLED <-> SERVER-WEBAPP ProcessMaker neoclassic skin arbitrary code execution attempt (server-webapp.rules)
* 1:28408 <-> DISABLED <-> SERVER-WEBAPP ProcessMaker neoclassic skin arbitrary code execution attempt (server-webapp.rules)
* 1:28403 <-> DISABLED <-> OS-MOBILE Android Andr.Trojan.MobileTx information disclosure attempt (os-mobile.rules)
* 1:28402 <-> DISABLED <-> OS-MOBILE Android Andr.Trojan.MobileTx APK file download attempt (os-mobile.rules)
* 1:28421 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:28812 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
* 1:42787 <-> DISABLED <-> POLICY-OTHER Schneider Electric hardcoded FTP login attempt (policy-other.rules)
* 1:42768 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt (os-windows.rules)
* 1:42767 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt (os-windows.rules)
* 1:42430 <-> DISABLED <-> SERVER-WEBAPP Phpcms user registration remote file include attempt (server-webapp.rules)
* 1:42429 <-> DISABLED <-> SERVER-WEBAPP Phpcms user registration remote file include attempt (server-webapp.rules)
* 1:42428 <-> DISABLED <-> SERVER-WEBAPP Phpcms attachment upload SQL injection attempt (server-webapp.rules)
* 1:43315 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43314 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43313 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43312 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43311 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43310 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43309 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:43308 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:43251 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA LogSettingHandler command injection attempt (server-webapp.rules)
* 1:43237 <-> ENABLED <-> SERVER-WEBAPP SysAid Enterprise auth bypass and remote file upload attempt (server-webapp.rules)
* 1:43180 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules)
* 1:43179 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules)
* 1:43178 <-> DISABLED <-> SERVER-WEBAPP VICIdial user_authorization command injection attempt (server-webapp.rules)
* 1:43045 <-> ENABLED <-> SERVER-OTHER RaySharp DVR administrative interface access attempt (server-other.rules)
* 1:42920 <-> DISABLED <-> SERVER-WEBAPP LogRhythm Network Monitor JSON configuration API command injection attempt (server-webapp.rules)
* 1:42909 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43878 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules)
* 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
* 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
* 1:43711 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
* 1:43710 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
* 1:43709 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
* 1:43687 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .top dns query (indicator-compromise.rules)
* 1:43554 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk upload remote code execution attempt (server-webapp.rules)
* 1:43553 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk upload remote code execution attempt (server-webapp.rules)
* 1:43552 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk upload remote code execution attempt (server-webapp.rules)
* 1:43549 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Manager authentication bypass attempt (server-webapp.rules)
* 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)
* 1:43494 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling appleid (server-webapp.rules)
* 1:43451 <-> DISABLED <-> SERVER-WEBAPP TerraMaster NAS arbitrary PHP file upload attempt (server-webapp.rules)
* 1:43323 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43322 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft SNTP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43321 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43320 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft NetworkResources ActiveX clsid access attempt (browser-plugins.rules)
* 1:43319 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43318 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft ICMP ActiveX clsid access attempt (browser-plugins.rules)
* 1:43317 <-> DISABLED <-> BROWSER-PLUGINS MagnetoSoft DNS ActiveX clsid access attempt (browser-plugins.rules)
* 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43901 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43900 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43898 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
* 1:43897 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
* 1:43896 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
* 1:43895 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
* 1:43894 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
* 1:43893 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
* 1:43889 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
* 1:43888 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
* 1:43887 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
* 1:43886 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
* 1:43884 <-> ENABLED <-> FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt (file-pdf.rules)
* 1:43882 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules)
* 1:43881 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules)
* 1:43984 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
* 1:43940 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
* 1:43939 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt (server-webapp.rules)
* 1:43938 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43937 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43936 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43935 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt (server-webapp.rules)
* 1:43934 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:43925 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
* 1:43924 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
* 1:43917 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
* 1:43916 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
* 1:43913 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43912 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43911 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43910 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43909 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43908 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43907 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
* 1:43906 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
* 1:43905 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
* 1:43904 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
* 1:43983 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
* 1:43980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43979 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43978 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43977 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
* 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
* 1:43968 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
* 1:43967 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
* 1:43964 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
* 1:43963 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
* 1:43962 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
* 1:43961 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
* 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:43941 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
* 1:43993 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43991 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43992 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43994 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43997 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
* 1:43998 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
* 1:43999 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
* 1:44000 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
* 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44006 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44007 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44008 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44023 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
* 1:44033 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
* 1:44034 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
* 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
* 1:44053 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
* 1:44054 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
* 1:44076 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .trade dns query (indicator-compromise.rules)
* 1:44077 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .win dns query (indicator-compromise.rules)
* 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
* 1:44084 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
* 1:44086 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
* 1:44087 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
* 1:44094 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
* 1:44095 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
* 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
* 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
* 1:44144 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
* 1:44145 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
* 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
* 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
* 1:44232 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
* 1:44233 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
* 1:45278 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:44234 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
* 1:44300 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem authentication bypass attempt (server-webapp.rules)
* 1:44321 <-> DISABLED <-> SERVER-WEBAPP NEC Express Cluster DeleteWorkDirectory.js command injection attempt (server-webapp.rules)
* 1:44322 <-> DISABLED <-> SERVER-WEBAPP NEC Express Cluster DeleteWorkDirectory.js command injection attempt (server-webapp.rules)
* 1:44383 <-> DISABLED <-> SERVER-WEBAPP D-Link router firmware update attempt (server-webapp.rules)
* 1:44384 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44385 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44386 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44387 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer
overflow attempt (server-webapp.rules) * 1:44388 <-> ENABLED <-> SERVER-WEBAPP D-Link getcfg.php credential disclosure attempt (server-webapp.rules) * 1:44430 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules) * 1:44431 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules) * 1:44432 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules) * 1:44433 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules) * 1:44435 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF authentication token disclosure attempt (server-webapp.rules) * 1:44436 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules) * 1:44437 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules) * 1:44453 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi NTP service configuration command injection attempt (server-webapp.rules) * 1:44454 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi directory traversal attempt (server-webapp.rules) * 1:44465 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules) * 1:44466 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules) * 1:44467 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules) * 1:44471 <-> ENABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules) * 1:44472 <-> ENABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules) * 1:44490 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules) * 1:44491 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware 
qos_queue_add.cgi command injection attempt (server-webapp.rules) * 1:44492 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules) * 1:44494 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules) * 1:44495 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules) * 1:45279 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:44496 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules) * 1:44497 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras information disclosure attempt (server-webapp.rules) * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules) * 1:44551 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules) * 1:44579 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules) * 1:44580 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules) * 1:44582 <-> ENABLED <-> SERVER-WEBAPP Trend Micro widget system authentication bypass attempt (server-webapp.rules) * 1:44587 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules) * 1:44588 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules) * 1:44682 <-> DISABLED <-> SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt (server-other.rules) * 1:44683 <-> DISABLED <-> SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt (server-other.rules) * 1:44687 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt (server-webapp.rules) * 1:44688 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series 
routers arbitrary command execution attempt (server-webapp.rules) * 1:44728 <-> DISABLED <-> INDICATOR-COMPROMISE Meterpreter payload download attempt (indicator-compromise.rules) * 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules) * 1:44793 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules) * 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules) * 1:44875 <-> ENABLED <-> INDICATOR-COMPROMISE Malicious VBA script detected (indicator-compromise.rules) * 1:45060 <-> DISABLED <-> SERVER-WEBAPP pfSense system_groupmanager.php command injection attempt (server-webapp.rules) * 1:45128 <-> ENABLED <-> BROWSER-IE Microsoft Edge defineGetter type confusion attempt (browser-ie.rules) * 1:45129 <-> ENABLED <-> BROWSER-IE Microsoft Edge defineGetter type confusion attempt (browser-ie.rules) * 1:45136 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit PowerShell CLI Download and Run attempt (indicator-compromise.rules) * 1:45137 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit run hidden powershell attempt (indicator-compromise.rules) * 1:45214 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules) * 1:45215 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules) * 1:45237 <-> DISABLED <-> SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt (server-webapp.rules) * 1:45238 <-> DISABLED <-> SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt (server-webapp.rules) * 1:45240 <-> DISABLED <-> SERVER-WEBAPP OpenEMR fax_dispatch.php command injection attempt (server-webapp.rules) * 1:45250 <-> ENABLED <-> SERVER-WEBAPP Delta IEM DIAEnergie file upload attempt (server-webapp.rules) * 1:45254 <-> DISABLED <-> SERVER-OTHER Polycom HDX Series remote code execution attempt 
(server-other.rules) * 1:45261 <-> DISABLED <-> SERVER-WEBAPP Vivotek IP Cameras remote stack buffer overflow attempt (server-webapp.rules) * 1:45270 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45271 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45272 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45273 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45274 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45275 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45276 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45277 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45280 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45281 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45282 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45283 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45284 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45285 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45286 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45287 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45288 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45289 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access 
attempt (browser-plugins.rules) * 1:45290 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45291 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45292 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45293 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45294 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45295 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45296 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45297 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45298 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45299 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45300 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45301 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules) * 1:45312 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules) * 1:45313 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules) * 1:45370 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules) * 1:45371 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules) * 1:45407 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi backdoor account access attempt (server-webapp.rules) * 1:45408 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi 
command injection attempt (server-webapp.rules) * 1:45409 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi command injection attempt (server-webapp.rules) * 1:45410 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi command injection attempt (server-webapp.rules) * 1:45418 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules) * 1:45419 <-> DISABLED <-> OS-OTHER Apple macOS IOHIDeous exploit download attempt (os-other.rules) * 1:45549 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency mining pool connection attempt (pua-other.rules)