<div dir="ltr">I won't be able to do that but below is a small subset of URLs that triggered the alerts.<br>Presumably the browser requesting these files means these alerts aren't anything to worry about, as the related CVEs are to do with Acrobat Reader and Acrobat DC, right?<br><br>
<a href="http://www.minitorque.com">www.minitorque.com</a>/forum/customavatars/avatar7001_1.gif<br>
<a href="http://disclaimer.akbank.com">disclaimer.akbank.com</a>/images/disclaimer19.jpg<br>
<a href="http://www.metoffice.gov.uk">www.metoffice.gov.uk</a>/media/image/0/q/surfacepressurechart.jpg<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 20, 2017 at 5:35 PM, Al Lewis (allewi) <span dir="ltr">&lt;<a href="mailto:allewi@...3865..." target="_blank">allewi@...3865...</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Courier,sans-serif">
<div>
<div>Hello Charlie,</div>
<div><br>
</div>
<div>Do you have a pcap of the traffic that produced some of these false positives?</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks.</div>
<div><br>
</div>
<div>
<div id="m_2901817515028001263MAC_OUTLOOK_SIGNATURE">
<div>
<p class="MsoNormal" style="font-family:-webkit-standard;margin:0in 0in 0.0001pt;font-size:11pt">
<b><span style="font-size:12pt;color:rgb(31,73,125)"><font face="Courier">Albert Lewis</font></span></b></p>
<p class="MsoNormal" style="font-family:-webkit-standard;margin:0in 0in 0.0001pt;font-size:11pt">
<font color="#7f7f7f">ENGINEER.SOFTWARE ENGINEERING</font></p>
<p class="MsoNormal" style="font-family:-webkit-standard;margin:0in 0in 0.0001pt;font-size:11pt">
<font face="Courier"><span style="color:rgb(153,153,153);font-size:12pt">SOURCE</span><b><span style="font-size:12pt;color:red">fire</span></b><span style="color:rgb(153,153,153);font-size:12pt">, Inc. </span><span style="color:rgb(136,136,136);font-size:12pt">now
 part of </span><b><span style="font-size:12pt"><font color="#00007f">Cisco</font></span></b></font></p>
<p class="MsoNormal" style="font-family:-webkit-standard;margin:0in 0in 0.0001pt;font-size:11pt">
<font face="Courier"><span style="font-size:12pt;color:rgb(153,153,153)">Email: </span><span style="font-size:12pt"><a href="mailto:allewi@...3865..." style="color:purple" target="_blank">allewi@...3865...</a><span style="color:rgb(79,129,189)"> </span></span></font></p>
</div>
</div>
</div>
</div>
<div><br>
</div>
<span id="m_2901817515028001263OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri;font-size:12pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span>Charlie Dyer &lt;<a href="mailto:charlierwdyer@...2420..." target="_blank">charlierwdyer@...2420...</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Friday, January 20, 2017 at 12:07 PM<br>
<span style="font-weight:bold">To: </span>"<a href="mailto:snort-sigs@lists.sourceforge.net" target="_blank">snort-sigs@...1744...<wbr>net</a>" &lt;<a href="mailto:snort-sigs@lists.sourceforge.net" target="_blank">snort-sigs@...1744...<wbr>net</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>[Snort-sigs] SIDs 41338 and 41340 - FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt<br>
</div><div><div class="h5">
<div><br>
</div>
<span>
<div>
<div>
<div dir="ltr">
<div>
<div>
<div>
<div>Hi list<br>
<br>
</div>
The number of false positives these two rules produce is huge!<br>
</div>
Has anyone else seen the same or amended the rule to be a bit more specific to the exploit, i.e. user agent is Acrobat Reader or something so it's a bit more specific?<br>
<br>
</div>
Any thoughts gratefully received<br>
<br>
</div>
Charlie<br>
</div>
</div>
</div>
</span></div></div></span>
</div>

</blockquote></div><br></div>