Talos Rules 2015-06-02
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, file-image, file-multimedia, file-office, file-other, file-pdf, malware-cnc, netbios, os-windows, protocol-dns, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-06-02 15:35:01 UTC

Snort Subscriber Rules Update

Date: 2015-06-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34597 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection  (malware-cnc.rules)
 * 1:34598 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kjdoom outbound connection (malware-cnc.rules)
 * 1:34621 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34623 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function integer overflow attempt (server-webapp.rules)
 * 1:34622 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:34616 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34620 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34618 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34619 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34615 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34617 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Enkalogs outbound connection (malware-cnc.rules)
 * 1:34611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dujfudg outbound connection (malware-cnc.rules)
 * 1:34612 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
 * 1:34613 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
 * 1:34606 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts saveFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:34610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kayfcbk outbound connection (malware-cnc.rules)
 * 1:34608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Punkey variant outbound connection attempt (malware-cnc.rules)
 * 1:34609 <-> ENABLED <-> MALWARE-CNC Trojan.NitLove variant outbound connection attempt (malware-cnc.rules)
 * 1:34605 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts saveFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:34607 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Punkey (blacklist.rules)
 * 1:34604 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts saveFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:34601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teqimp outbound connection (malware-cnc.rules)
 * 1:34602 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34603 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kjdoom outbound connection (malware-cnc.rules)
 * 1:34599 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kjdoom outbound connection (malware-cnc.rules)
 * 1:34596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection  (malware-cnc.rules)

Modified Rules:


 * 1:33914 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Barys (blacklist.rules)
 * 1:34364 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:21461 <-> DISABLED <-> MALWARE-CNC Win.Trojan.DarkComet variant outbound connection - post infection (malware-cnc.rules)
 * 1:32794 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:32793 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
 * 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
 * 3:16222 <-> ENABLED <-> FILE-IMAGE Malformed BMP dimensions arbitrary code execution attempt (file-image.rules)
 * 3:17251 <-> ENABLED <-> FILE-OFFICE Outlook RTF remote code execution attempt (file-office.rules)
 * 3:17242 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF file arbitrary code execution attempt (file-multimedia.rules)
 * 3:17765 <-> ENABLED <-> OS-WINDOWS OpenType Font file parsing buffer overflow attempt (os-windows.rules)
 * 3:18673 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 3:16532 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)
 * 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
 * 3:14251 <-> ENABLED <-> OS-WINDOWS Microsoft GDI malformed metarecord buffer overflow attempt (os-windows.rules)
 * 3:13947 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (file-image.rules)
 * 3:13954 <-> ENABLED <-> OS-WINDOWS Microsoft Color Management System EMF file processing overflow attempt (os-windows.rules)
 * 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
 * 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
 * 3:13958 <-> ENABLED <-> FILE-OFFICE WordPerfect Graphics file invalid RLE buffer overflow attempt (file-office.rules)
 * 3:15301 <-> ENABLED <-> SERVER-MAIL Exchange compressed RTF remote code execution attempt (server-mail.rules)
 * 3:21352 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 3:16531 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)
 * 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)
 * 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
 * 3:13450 <-> ENABLED <-> OS-WINDOWS invalid dhcp offer denial of service attempt (os-windows.rules)
 * 3:13802 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:13798 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI integer overflow attempt (os-windows.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14260 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (os-windows.rules)
 * 3:14646 <-> ENABLED <-> OS-WINDOWS Active Directory malformed baseObject denial of service attempt (os-windows.rules)
 * 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
 * 3:15009 <-> ENABLED <-> OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected (os-windows.rules)
 * 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
 * 3:15124 <-> ENABLED <-> OS-WINDOWS Web-based NTLM replay attack attempt (os-windows.rules)
 * 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
 * 3:15300 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF polyline overflow attempt (browser-ie.rules)
 * 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)
 * 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
 * 3:15453 <-> ENABLED <-> OS-WINDOWS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (os-windows.rules)
 * 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
 * 3:15474 <-> ENABLED <-> SERVER-OTHER Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (server-other.rules)
 * 3:15498 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint CString atom overflow attempt (file-office.rules)
 * 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
 * 3:15847 <-> ENABLED <-> OS-WINDOWS Telnet-based NTLM replay attack attempt (os-windows.rules)
 * 3:16396 <-> ENABLED <-> NETBIOS SMB server srvnet.sys driver race condition attempt (netbios.rules)
 * 3:15521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 3:13887 <-> ENABLED <-> PROTOCOL-DNS dns root nameserver poisoning attempt (protocol-dns.rules)
 * 3:13826 <-> ENABLED <-> OS-WINDOWS Microsoft WINS arbitrary memory modification attempt (os-windows.rules)
 * 3:15848 <-> ENABLED <-> OS-WINDOWS WINS replication request memory corruption attempt (os-windows.rules)
 * 3:15857 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows AVIFile media file invalid header length (file-multimedia.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)
 * 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
 * 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
 * 3:13946 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (file-image.rules)
 * 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)
 * 3:16230 <-> ENABLED <-> FILE-OFFICE Microsoft Excel oversized ib memory corruption attempt (file-office.rules)
 * 3:16232 <-> ENABLED <-> OS-WINDOWS Windows TrueType font file parsing integer overflow attempt (os-windows.rules)
 * 3:16370 <-> ENABLED <-> FILE-PDF Adobe Reader JP2C Region Atom CompNum memory corruption attempt (file-pdf.rules)
 * 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
 * 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 3:13879 <-> ENABLED <-> OS-WINDOWS Windows BMP image conversion arbitrary code execution attempt (os-windows.rules)
 * 3:16394 <-> ENABLED <-> OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt (os-windows.rules)
 * 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:16415 <-> ENABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
 * 3:16530 <-> ENABLED <-> OS-WINDOWS CAB SIP authenticode alteration attempt (os-windows.rules)
 * 3:13825 <-> ENABLED <-> OS-WINDOWS Microsoft PGM fragment denial of service attempt (os-windows.rules)

2015-06-02 15:35:01 UTC

Snort Subscriber Rules Update

Date: 2015-06-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34597 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection  (malware-cnc.rules)
 * 1:34598 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kjdoom outbound connection (malware-cnc.rules)
 * 1:34623 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function integer overflow attempt (server-webapp.rules)
 * 1:34621 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34622 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:34619 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34620 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34617 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34618 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34615 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34616 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34613 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
 * 1:34614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Enkalogs outbound connection (malware-cnc.rules)
 * 1:34611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dujfudg outbound connection (malware-cnc.rules)
 * 1:34612 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
 * 1:34609 <-> ENABLED <-> MALWARE-CNC Trojan.NitLove variant outbound connection attempt (malware-cnc.rules)
 * 1:34610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kayfcbk outbound connection (malware-cnc.rules)
 * 1:34607 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Punkey (blacklist.rules)
 * 1:34608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Punkey variant outbound connection attempt (malware-cnc.rules)
 * 1:34605 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts saveFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:34606 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts saveFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:34603 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34604 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts saveFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:34601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teqimp outbound connection (malware-cnc.rules)
 * 1:34602 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34599 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kjdoom outbound connection (malware-cnc.rules)
 * 1:34600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kjdoom outbound connection (malware-cnc.rules)
 * 1:34596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection  (malware-cnc.rules)

Modified Rules:


 * 1:33914 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Barys (blacklist.rules)
 * 1:34364 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:32793 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:32794 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:21461 <-> DISABLED <-> MALWARE-CNC Win.Trojan.DarkComet variant outbound connection - post infection (malware-cnc.rules)
 * 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:13954 <-> ENABLED <-> OS-WINDOWS Microsoft Color Management System EMF file processing overflow attempt (os-windows.rules)
 * 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
 * 3:17242 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF file arbitrary code execution attempt (file-multimedia.rules)
 * 3:13947 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (file-image.rules)
 * 3:17251 <-> ENABLED <-> FILE-OFFICE Outlook RTF remote code execution attempt (file-office.rules)
 * 3:17765 <-> ENABLED <-> OS-WINDOWS OpenType Font file parsing buffer overflow attempt (os-windows.rules)
 * 3:16531 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)
 * 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)
 * 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
 * 3:18673 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 3:21352 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 3:16532 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)
 * 3:13958 <-> ENABLED <-> FILE-OFFICE WordPerfect Graphics file invalid RLE buffer overflow attempt (file-office.rules)
 * 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14260 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (os-windows.rules)
 * 3:14646 <-> ENABLED <-> OS-WINDOWS Active Directory malformed baseObject denial of service attempt (os-windows.rules)
 * 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
 * 3:15009 <-> ENABLED <-> OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected (os-windows.rules)
 * 3:13666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI integer overflow attempt (os-windows.rules)
 * 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
 * 3:15124 <-> ENABLED <-> OS-WINDOWS Web-based NTLM replay attack attempt (os-windows.rules)
 * 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
 * 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
 * 3:15300 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF polyline overflow attempt (browser-ie.rules)
 * 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)
 * 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
 * 3:15453 <-> ENABLED <-> OS-WINDOWS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (os-windows.rules)
 * 3:15301 <-> ENABLED <-> SERVER-MAIL Exchange compressed RTF remote code execution attempt (server-mail.rules)
 * 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
 * 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 3:15474 <-> ENABLED <-> SERVER-OTHER Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (server-other.rules)
 * 3:15498 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint CString atom overflow attempt (file-office.rules)
 * 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
 * 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
 * 3:13802 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
 * 3:13450 <-> ENABLED <-> OS-WINDOWS invalid dhcp offer denial of service attempt (os-windows.rules)
 * 3:15847 <-> ENABLED <-> OS-WINDOWS Telnet-based NTLM replay attack attempt (os-windows.rules)
 * 3:13798 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:15521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 3:15848 <-> ENABLED <-> OS-WINDOWS WINS replication request memory corruption attempt (os-windows.rules)
 * 3:15857 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows AVIFile media file invalid header length (file-multimedia.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)
 * 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)
 * 3:16230 <-> ENABLED <-> FILE-OFFICE Microsoft Excel oversized ib memory corruption attempt (file-office.rules)
 * 3:16232 <-> ENABLED <-> OS-WINDOWS Windows TrueType font file parsing integer overflow attempt (os-windows.rules)
 * 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
 * 3:16222 <-> ENABLED <-> FILE-IMAGE Malformed BMP dimensions arbitrary code execution attempt (file-image.rules)
 * 3:16370 <-> ENABLED <-> FILE-PDF Adobe Reader JP2C Region Atom CompNum memory corruption attempt (file-pdf.rules)
 * 3:13825 <-> ENABLED <-> OS-WINDOWS Microsoft PGM fragment denial of service attempt (os-windows.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
 * 3:16396 <-> ENABLED <-> NETBIOS SMB server srvnet.sys driver race condition attempt (netbios.rules)
 * 3:14251 <-> ENABLED <-> OS-WINDOWS Microsoft GDI malformed metarecord buffer overflow attempt (os-windows.rules)
 * 3:16394 <-> ENABLED <-> OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt (os-windows.rules)
 * 3:13826 <-> ENABLED <-> OS-WINDOWS Microsoft WINS arbitrary memory modification attempt (os-windows.rules)
 * 3:13887 <-> ENABLED <-> PROTOCOL-DNS dns root nameserver poisoning attempt (protocol-dns.rules)
 * 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
 * 3:16415 <-> ENABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
 * 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
 * 3:13879 <-> ENABLED <-> OS-WINDOWS Windows BMP image conversion arbitrary code execution attempt (os-windows.rules)
 * 3:13946 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (file-image.rules)
 * 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
 * 3:16530 <-> ENABLED <-> OS-WINDOWS CAB SIP authenticode alteration attempt (os-windows.rules)

2015-06-02 15:35:01 UTC

Snort Subscriber Rules Update

Date: 2015-06-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34597 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection  (malware-cnc.rules)
 * 1:34598 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kjdoom outbound connection (malware-cnc.rules)
 * 1:34599 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kjdoom outbound connection (malware-cnc.rules)
 * 1:34600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kjdoom outbound connection (malware-cnc.rules)
 * 1:34601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teqimp outbound connection (malware-cnc.rules)
 * 1:34602 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34603 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34604 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts saveFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:34605 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts saveFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:34606 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts saveFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:34607 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Punkey (blacklist.rules)
 * 1:34608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Punkey variant outbound connection attempt (malware-cnc.rules)
 * 1:34609 <-> ENABLED <-> MALWARE-CNC Trojan.NitLove variant outbound connection attempt (malware-cnc.rules)
 * 1:34610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kayfcbk outbound connection (malware-cnc.rules)
 * 1:34611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dujfudg outbound connection (malware-cnc.rules)
 * 1:34612 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
 * 1:34613 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
 * 1:34614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Enkalogs outbound connection (malware-cnc.rules)
 * 1:34615 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34616 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34617 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34618 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34619 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34620 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34621 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34622 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:34623 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function integer overflow attempt (server-webapp.rules)
 * 1:34596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection  (malware-cnc.rules)

Modified Rules:


 * 1:21461 <-> DISABLED <-> MALWARE-CNC Win.Trojan.DarkComet variant outbound connection - post infection (malware-cnc.rules)
 * 1:32793 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:33914 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Barys (blacklist.rules)
 * 1:32794 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:34364 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14251 <-> ENABLED <-> OS-WINDOWS Microsoft GDI malformed metarecord buffer overflow attempt (os-windows.rules)
 * 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
 * 3:13958 <-> ENABLED <-> FILE-OFFICE WordPerfect Graphics file invalid RLE buffer overflow attempt (file-office.rules)
 * 3:13954 <-> ENABLED <-> OS-WINDOWS Microsoft Color Management System EMF file processing overflow attempt (os-windows.rules)
 * 3:16370 <-> ENABLED <-> FILE-PDF Adobe Reader JP2C Region Atom CompNum memory corruption attempt (file-pdf.rules)
 * 3:16230 <-> ENABLED <-> FILE-OFFICE Microsoft Excel oversized ib memory corruption attempt (file-office.rules)
 * 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)
 * 3:15521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 3:15848 <-> ENABLED <-> OS-WINDOWS WINS replication request memory corruption attempt (os-windows.rules)
 * 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
 * 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
 * 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
 * 3:13947 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (file-image.rules)
 * 3:13450 <-> ENABLED <-> OS-WINDOWS invalid dhcp offer denial of service attempt (os-windows.rules)
 * 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
 * 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
 * 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
 * 3:13666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI integer overflow attempt (os-windows.rules)
 * 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:13798 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 3:13802 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14260 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (os-windows.rules)
 * 3:14646 <-> ENABLED <-> OS-WINDOWS Active Directory malformed baseObject denial of service attempt (os-windows.rules)
 * 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
 * 3:15009 <-> ENABLED <-> OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected (os-windows.rules)
 * 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
 * 3:15124 <-> ENABLED <-> OS-WINDOWS Web-based NTLM replay attack attempt (os-windows.rules)
 * 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
 * 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
 * 3:15301 <-> ENABLED <-> SERVER-MAIL Exchange compressed RTF remote code execution attempt (server-mail.rules)
 * 3:15300 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF polyline overflow attempt (browser-ie.rules)
 * 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)
 * 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
 * 3:15453 <-> ENABLED <-> OS-WINDOWS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (os-windows.rules)
 * 3:17242 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF file arbitrary code execution attempt (file-multimedia.rules)
 * 3:17765 <-> ENABLED <-> OS-WINDOWS OpenType Font file parsing buffer overflow attempt (os-windows.rules)
 * 3:18673 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
 * 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
 * 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
 * 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 3:21352 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 3:15474 <-> ENABLED <-> SERVER-OTHER Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (server-other.rules)
 * 3:15498 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint CString atom overflow attempt (file-office.rules)
 * 3:16532 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)
 * 3:16531 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)
 * 3:15857 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows AVIFile media file invalid header length (file-multimedia.rules)
 * 3:15847 <-> ENABLED <-> OS-WINDOWS Telnet-based NTLM replay attack attempt (os-windows.rules)
 * 3:16232 <-> ENABLED <-> OS-WINDOWS Windows TrueType font file parsing integer overflow attempt (os-windows.rules)
 * 3:16222 <-> ENABLED <-> FILE-IMAGE Malformed BMP dimensions arbitrary code execution attempt (file-image.rules)
 * 3:16396 <-> ENABLED <-> NETBIOS SMB server srvnet.sys driver race condition attempt (netbios.rules)
 * 3:16394 <-> ENABLED <-> OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt (os-windows.rules)
 * 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
 * 3:17251 <-> ENABLED <-> FILE-OFFICE Outlook RTF remote code execution attempt (file-office.rules)
 * 3:16415 <-> ENABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
 * 3:16530 <-> ENABLED <-> OS-WINDOWS CAB SIP authenticode alteration attempt (os-windows.rules)
 * 3:13887 <-> ENABLED <-> PROTOCOL-DNS dns root nameserver poisoning attempt (protocol-dns.rules)
 * 3:13825 <-> ENABLED <-> OS-WINDOWS Microsoft PGM fragment denial of service attempt (os-windows.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
 * 3:13946 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (file-image.rules)
 * 3:13879 <-> ENABLED <-> OS-WINDOWS Windows BMP image conversion arbitrary code execution attempt (os-windows.rules)
 * 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)
 * 3:13826 <-> ENABLED <-> OS-WINDOWS Microsoft WINS arbitrary memory modification attempt (os-windows.rules)

2015-06-02 15:35:01 UTC

Snort Subscriber Rules Update

Date: 2015-06-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34623 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function integer overflow attempt (server-webapp.rules)
 * 1:34622 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:34621 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34620 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34619 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34618 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34617 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34616 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34615 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station exif description command injection attempt (server-webapp.rules)
 * 1:34614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Enkalogs outbound connection (malware-cnc.rules)
 * 1:34613 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
 * 1:34612 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
 * 1:34611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dujfudg outbound connection (malware-cnc.rules)
 * 1:34610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kayfcbk outbound connection (malware-cnc.rules)
 * 1:34609 <-> ENABLED <-> MALWARE-CNC Trojan.NitLove variant outbound connection attempt (malware-cnc.rules)
 * 1:34608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Punkey variant outbound connection attempt (malware-cnc.rules)
 * 1:34607 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Punkey (blacklist.rules)
 * 1:34606 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts saveFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:34605 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts saveFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:34604 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts saveFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:34603 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34602 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teqimp outbound connection (malware-cnc.rules)
 * 1:34600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kjdoom outbound connection (malware-cnc.rules)
 * 1:34599 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kjdoom outbound connection (malware-cnc.rules)
 * 1:34598 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kjdoom outbound connection (malware-cnc.rules)
 * 1:34597 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection  (malware-cnc.rules)
 * 1:34596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection  (malware-cnc.rules)

Modified Rules:


 * 1:21461 <-> DISABLED <-> MALWARE-CNC Win.Trojan.DarkComet variant outbound connection - post infection (malware-cnc.rules)
 * 1:32793 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:32794 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:33914 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Barys (blacklist.rules)
 * 1:34364 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 3:21352 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 3:18673 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
 * 3:17765 <-> ENABLED <-> OS-WINDOWS OpenType Font file parsing buffer overflow attempt (os-windows.rules)
 * 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
 * 3:17242 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF file arbitrary code execution attempt (file-multimedia.rules)
 * 3:17251 <-> ENABLED <-> FILE-OFFICE Outlook RTF remote code execution attempt (file-office.rules)
 * 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
 * 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
 * 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)
 * 3:16531 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)
 * 3:16532 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)
 * 3:16530 <-> ENABLED <-> OS-WINDOWS CAB SIP authenticode alteration attempt (os-windows.rules)
 * 3:16415 <-> ENABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
 * 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
 * 3:16396 <-> ENABLED <-> NETBIOS SMB server srvnet.sys driver race condition attempt (netbios.rules)
 * 3:16394 <-> ENABLED <-> OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt (os-windows.rules)
 * 3:16370 <-> ENABLED <-> FILE-PDF Adobe Reader JP2C Region Atom CompNum memory corruption attempt (file-pdf.rules)
 * 3:16232 <-> ENABLED <-> OS-WINDOWS Windows TrueType font file parsing integer overflow attempt (os-windows.rules)
 * 3:16230 <-> ENABLED <-> FILE-OFFICE Microsoft Excel oversized ib memory corruption attempt (file-office.rules)
 * 3:16222 <-> ENABLED <-> FILE-IMAGE Malformed BMP dimensions arbitrary code execution attempt (file-image.rules)
 * 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)
 * 3:15857 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows AVIFile media file invalid header length (file-multimedia.rules)
 * 3:15848 <-> ENABLED <-> OS-WINDOWS WINS replication request memory corruption attempt (os-windows.rules)
 * 3:15847 <-> ENABLED <-> OS-WINDOWS Telnet-based NTLM replay attack attempt (os-windows.rules)
 * 3:15521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
 * 3:15498 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint CString atom overflow attempt (file-office.rules)
 * 3:15474 <-> ENABLED <-> SERVER-OTHER Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (server-other.rules)
 * 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
 * 3:15453 <-> ENABLED <-> OS-WINDOWS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (os-windows.rules)
 * 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
 * 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)
 * 3:15301 <-> ENABLED <-> SERVER-MAIL Exchange compressed RTF remote code execution attempt (server-mail.rules)
 * 3:15300 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF polyline overflow attempt (browser-ie.rules)
 * 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
 * 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
 * 3:15124 <-> ENABLED <-> OS-WINDOWS Web-based NTLM replay attack attempt (os-windows.rules)
 * 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
 * 3:15009 <-> ENABLED <-> OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected (os-windows.rules)
 * 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
 * 3:14646 <-> ENABLED <-> OS-WINDOWS Active Directory malformed baseObject denial of service attempt (os-windows.rules)
 * 3:14260 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (os-windows.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14251 <-> ENABLED <-> OS-WINDOWS Microsoft GDI malformed metarecord buffer overflow attempt (os-windows.rules)
 * 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
 * 3:13958 <-> ENABLED <-> FILE-OFFICE WordPerfect Graphics file invalid RLE buffer overflow attempt (file-office.rules)
 * 3:13450 <-> ENABLED <-> OS-WINDOWS invalid dhcp offer denial of service attempt (os-windows.rules)
 * 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
 * 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
 * 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
 * 3:13954 <-> ENABLED <-> OS-WINDOWS Microsoft Color Management System EMF file processing overflow attempt (os-windows.rules)
 * 3:13666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI integer overflow attempt (os-windows.rules)
 * 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 3:13798 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13947 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (file-image.rules)
 * 3:13802 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13946 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (file-image.rules)
 * 3:13887 <-> ENABLED <-> PROTOCOL-DNS dns root nameserver poisoning attempt (protocol-dns.rules)
 * 3:13879 <-> ENABLED <-> OS-WINDOWS Windows BMP image conversion arbitrary code execution attempt (os-windows.rules)
 * 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
 * 3:13826 <-> ENABLED <-> OS-WINDOWS Microsoft WINS arbitrary memory modification attempt (os-windows.rules)
 * 3:13825 <-> ENABLED <-> OS-WINDOWS Microsoft PGM fragment denial of service attempt (os-windows.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)