Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, file-identify, file-office, file-other, file-pdf, malware-cnc, os-windows, protocol-dns, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34632 <-> DISABLED <-> SERVER-MAIL IBM Lotus Notes WPD attachment handling buffer overflow attempt (server-mail.rules)
* 1:34630 <-> ENABLED <-> FILE-IDENTIFY WordPerfect file attachment detected (file-identify.rules)
* 1:34627 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
* 1:34649 <-> DISABLED <-> SERVER-OTHER OpenSSL zero-length ClientKeyExchange message denial of service attempt (server-other.rules)
* 1:34672 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vesnarusural.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34671 <-> ENABLED <-> BLACKLIST DNS request for known malware domain switlawert.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34670 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mehanistran.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain litramoloka.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34666 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rabbutdownlitt.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34642 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX function call (browser-plugins.rules)
* 1:34636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Flactionbot outbound connection (malware-cnc.rules)
* 1:34624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Crypaura variant outbound connection attempt (malware-cnc.rules)
* 1:34628 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
* 1:34641 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX clsid access (browser-plugins.rules)
* 1:34645 <-> DISABLED <-> SERVER-MAIL Exim buffer overflow attempt (server-mail.rules)
* 1:34626 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
* 1:34673 <-> ENABLED <-> BLACKLIST DNS request for known malware domain petronasconn.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34674 <-> ENABLED <-> BLACKLIST DNS request for known malware domain restavratormira.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34675 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serppoglandam.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34676 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wertstumbahn.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34677 <-> ENABLED <-> BLACKLIST DNS request for known malware domain queryforworld.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34678 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serfilefnom.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34679 <-> ENABLED <-> BLACKLIST DNS request for known malware domain andbohemut.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34680 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bejustoftun.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34681 <-> ENABLED <-> BLACKLIST DNS request for known malware domain berigusaf.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34682 <-> ENABLED <-> BLACKLIST DNS request for known malware domain betroninsi.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34683 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dilelanang.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34684 <-> ENABLED <-> BLACKLIST DNS request for known malware domain forttapaha.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34685 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ftjuunbesto.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34686 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gantropine.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34687 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gutontredsup.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34688 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hepretfortna.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34689 <-> ENABLED <-> BLACKLIST DNS request for known malware domain juindorey.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34690 <-> ENABLED <-> BLACKLIST DNS request for known malware domain latemiishe.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34691 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leladingna.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34692 <-> ENABLED <-> BLACKLIST DNS request for known malware domain letgrownast.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34693 <-> ENABLED <-> BLACKLIST DNS request for known malware domain masquarten.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34694 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nawertoby.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34695 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pavesohap.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34696 <-> ENABLED <-> BLACKLIST DNS request for known malware domain polutenign.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34697 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pomdonekw.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34698 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qwertygontul.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34699 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rechedtthaten.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34700 <-> ENABLED <-> BLACKLIST DNS request for known malware domain renferolto.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34701 <-> ENABLED <-> BLACKLIST DNS request for known malware domain repherfeted.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34702 <-> ENABLED <-> BLACKLIST DNS request for known malware domain righletfoligh.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34703 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saqunold.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34704 <-> ENABLED <-> BLACKLIST DNS request for known malware domain silawecxla.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34705 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sivesuhat.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34706 <-> ENABLED <-> BLACKLIST DNS request for known malware domain stenfirthsta.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34707 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wekustines.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34708 <-> ENABLED <-> BLACKLIST DNS request for known malware domain windetrusty.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34709 <-> DISABLED <-> SERVER-OTHER MIT Kerberos MIT Kerberos 5 krb5_read_message denial of service attempt (server-other.rules)
* 1:34710 <-> DISABLED <-> SERVER-OTHER PHP unserialize datetimezone object code execution attempt (server-other.rules)
* 1:34711 <-> ENABLED <-> BLACKLIST DNS request for known malware domain a.gwas.perl.sh - Win.Trojan.Windex (blacklist.rules)
* 1:34712 <-> ENABLED <-> BLACKLIST DNS request for known malware domain a-gwas-01.slyip.net - Win.Trojan.Windex (blacklist.rules)
* 1:34713 <-> ENABLED <-> BLACKLIST DNS request for known malware domain a-gwas-01.dyndns.org - Win.Trojan.Windex (blacklist.rules)
* 1:34714 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
* 1:34715 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
* 1:34716 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
* 1:34717 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
* 1:34718 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
* 1:34719 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit URI structure (exploit-kit.rules)
* 1:34667 <-> ENABLED <-> BLACKLIST DNS request for known malware domain reswahatce.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34669 <-> ENABLED <-> BLACKLIST DNS request for known malware domain servelatmiru.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34720 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit exploit download (exploit-kit.rules)
* 1:34654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain litramoloka.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34638 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access attempt (browser-plugins.rules)
* 1:34635 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts projectContents.jsp directory traversal attempt (server-webapp.rules)
* 1:34664 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lasttrainforest.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain apporistale.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34647 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules)
* 1:34668 <-> ENABLED <-> BLACKLIST DNS request for known malware domain srachechno.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain howthatficy.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain molokalitra.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34651 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap buffer overflow attempt (file-pdf.rules)
* 1:34650 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap buffer overflow attempt (file-pdf.rules)
* 1:34665 <-> ENABLED <-> BLACKLIST DNS request for known malware domain refherssuce.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34653 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JS notification object double free attempt (file-pdf.rules)
* 1:34646 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules)
* 1:34658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cawasuse.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34648 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules)
* 1:34661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ferepritdi.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34634 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts projectContents.jsp directory traversal attempt (server-webapp.rules)
* 1:34644 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX function call (browser-plugins.rules)
* 1:34625 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
* 1:34631 <-> ENABLED <-> FILE-IDENTIFY WordPerfect file download request (file-identify.rules)
* 1:34643 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX clsid access (browser-plugins.rules)
* 1:34629 <-> ENABLED <-> FILE-IDENTIFY WordPerfect file attachment detected (file-identify.rules)
* 1:34637 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Flactionbot outbound connection (malware-cnc.rules)
* 1:34639 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt (browser-plugins.rules)
* 1:34633 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts projectContents.jsp directory traversal attempt (server-webapp.rules)
* 1:34640 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt (browser-plugins.rules)
* 1:34652 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JS notification object double free attempt (file-pdf.rules)
* 1:34662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain terethaundv.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dinghareun.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dingdownmahedt.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:2176 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder access (os-windows.rules)
* 1:18667 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules)
* 1:18662 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules)
* 1:18640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed SupBook record attempt (file-office.rules)
* 1:18502 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Actionlf out of range negative offset attempt (file-flash.rules)
* 1:15129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode andx attempt (os-windows.rules)
* 1:15130 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode attempt (os-windows.rules)
* 1:14651 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search andx Search filename size integer underflow attempt (os-windows.rules)
* 1:14896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB v4 srvsvc NetrpPathCononicalize unicode path cononicalization stack overflow attempt (os-windows.rules)
* 1:14647 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search Search filename size integer underflow attempt (os-windows.rules)
* 1:14652 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode andx Search filename size integer underflow attempt (os-windows.rules)
* 1:15139 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function andx attempt (os-windows.rules)
* 1:5721 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5717 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:15199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE param_count underflow attempt (os-windows.rules)
* 1:15205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode max_param_count underflow attempt (os-windows.rules)
* 1:15203 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx param_count underflow attempt (os-windows.rules)
* 1:15211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx max_param_count underflow attempt (os-windows.rules)
* 1:15220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode param_count underflow attempt (os-windows.rules)
* 1:15212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 max_param_count underflow attempt (os-windows.rules)
* 1:15214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 max_param_count underflow attempt (os-windows.rules)
* 1:16403 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode andx invalid server name share access (os-windows.rules)
* 1:16402 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB invalid server name share access (os-windows.rules)
* 1:16401 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB andx invalid server name share access (os-windows.rules)
* 1:16400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode invalid server name share access (os-windows.rules)
* 1:16399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode andx invalid server name share access (os-windows.rules)
* 1:16398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB invalid server name share access (os-windows.rules)
* 1:16397 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB andx invalid server name share access (os-windows.rules)
* 1:16395 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB COPY command oversized pathname attempt (os-windows.rules)
* 1:16337 <-> ENABLED <-> FILE-FLASH Adobe Flash Player directory traversal attempt (file-flash.rules)
* 1:16315 <-> DISABLED <-> FILE-FLASH Adobe Flash PlugIn check if file exists attempt (file-flash.rules)
* 1:16287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules)
* 1:16228 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed StartObject record arbitrary code execution attempt (file-office.rules)
* 1:15197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE param_count underflow attempt (os-windows.rules)
* 1:16150 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer variant argument validation remote code execution attempt (browser-ie.rules)
* 1:15207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE max_param_count underflow attempt (os-windows.rules)
* 1:15209 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt (os-windows.rules)
* 1:15223 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode param_count underflow attempt (os-windows.rules)
* 1:15225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx param_count underflow attempt (os-windows.rules)
* 1:15208 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt (os-windows.rules)
* 1:15137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode andx attempt (os-windows.rules)
* 1:15216 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx max_param_count underflow attempt (os-windows.rules)
* 1:15201 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx param_count underflow attempt (os-windows.rules)
* 1:15200 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx param_count underflow attempt (os-windows.rules)
* 1:15202 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx param_count underflow attempt (os-windows.rules)
* 1:15198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode param_count underflow attempt (os-windows.rules)
* 1:15227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx param_count underflow attempt (os-windows.rules)
* 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5723 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:15135 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX andx attempt (os-windows.rules)
* 1:13287 <-> DISABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
* 1:15131 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function andx attempt (os-windows.rules)
* 1:14648 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode Search filename size integer underflow attempt (os-windows.rules)
* 1:16195 <-> DISABLED <-> SERVER-WEBAPP HTTP request content-length heap buffer overflow attempt (server-webapp.rules)
* 1:5724 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5727 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5729 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5730 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:7035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans mailslot heap overflow attempt (os-windows.rules)
* 1:7036 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode mailslot heap overflow attempt (os-windows.rules)
* 1:7037 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans mailslot heap overflow attempt (os-windows.rules)
* 1:7038 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode mailslot heap overflow attempt (os-windows.rules)
* 1:7039 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx mailslot heap overflow attempt (os-windows.rules)
* 1:7040 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx mailslot heap overflow attempt (os-windows.rules)
* 1:7041 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx mailslot heap overflow attempt (os-windows.rules)
* 1:7042 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx mailslot heap overflow attempt (os-windows.rules)
* 1:8449 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type andx attempt (os-windows.rules)
* 1:8450 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type attempt (os-windows.rules)
* 1:8451 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode andx attempt (os-windows.rules)
* 1:12946 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS SMBv2 protocol negotiation attempt (os-windows.rules)
* 1:13979 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules)
* 1:12947 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB SMBv2 protocol negotiation attempt (os-windows.rules)
* 1:13471 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher invalid pathname overwrite attempt (file-office.rules)
* 1:14654 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode andx Search filename size integer underflow attempt (os-windows.rules)
* 1:14649 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search Search filename size integer underflow attempt (os-windows.rules)
* 1:14653 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search andx Search filename size integer underflow attempt (os-windows.rules)
* 1:15128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX attempt (os-windows.rules)
* 1:14650 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode Search filename size integer underflow attempt (os-windows.rules)
* 1:15132 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function attempt (os-windows.rules)
* 1:15133 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode andx attempt (os-windows.rules)
* 1:15134 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode attempt (os-windows.rules)
* 1:15136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX attempt (os-windows.rules)
* 1:15127 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX andx attempt (os-windows.rules)
* 1:15196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode param_count underflow attempt (os-windows.rules)
* 1:16404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode invalid server name share access (os-windows.rules)
* 1:16417 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol Response overflow attempt (os-windows.rules)
* 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules)
* 1:16504 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 encoded content handling exploit attempt (browser-ie.rules)
* 1:16505 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer HTML parsing memory corruption attempt (browser-ie.rules)
* 1:16509 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer designMode-enabled information disclosure attempt (browser-ie.rules)
* 1:16539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 BytesNeeded ring0 buffer overflow attempt (os-windows.rules)
* 1:16540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
* 1:16577 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv2 compound request DoS attempt (os-windows.rules)
* 1:16636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows .NET framework XMLDsig data tampering attempt (os-windows.rules)
* 1:16658 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 cross-site scripting attempt (browser-ie.rules)
* 1:17034 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt (file-office.rules)
* 1:17035 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt (file-office.rules)
* 1:17036 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt (file-office.rules)
* 1:17115 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt (browser-ie.rules)
* 1:17125 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 MaxDataCount overflow attempt (os-windows.rules)
* 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet (os-windows.rules)
* 1:17199 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director file lRTX overflow attempt (file-other.rules)
* 1:17201 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director file LsCM overflow attempt (file-other.rules)
* 1:17207 <-> DISABLED <-> SERVER-OTHER IBM Cognos Server backdoor account remote code execution attempt (server-other.rules)
* 1:17667 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (os-windows.rules)
* 1:17696 <-> ENABLED <-> PROTOCOL-DNS Microsoft Windows DNS Server ANY query cache weakness (protocol-dns.rules)
* 1:17746 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB client TRANS response Find_First2 filename overflow attempt (os-windows.rules)
* 1:17777 <-> DISABLED <-> SERVER-MAIL IBM Lotus Notes WPD attachment handling buffer overflow attempt (server-mail.rules)
* 1:18070 <-> DISABLED <-> FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt (file-office.rules)
* 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules)
* 1:18213 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher column and row remote code execution attempt (file-office.rules)
* 1:18220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (os-windows.rules)
* 1:5718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:18400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
* 1:18409 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys write message to dead thread code execution attempt (os-windows.rules)
* 1:18410 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys write message to dead thread code execution attempt (os-windows.rules)
* 1:18411 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules)
* 1:18405 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LSASS domain name buffer overflow attempt (os-windows.rules)
* 1:18412 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules)
* 1:18421 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript beginGradientFill memory corruption attempt (file-flash.rules)
* 1:15224 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx param_count underflow attempt (os-windows.rules)
* 1:15221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 param_count underflow attempt (os-windows.rules)
* 1:15219 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt (os-windows.rules)
* 1:15222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 param_count underflow attempt (os-windows.rules)
* 1:18444 <-> DISABLED <-> FILE-FLASH Adobe Flash Player forged atom type attempt (file-flash.rules)
* 1:18449 <-> DISABLED <-> FILE-OTHER Adobe Acrobat font definition memory corruption attempt (file-other.rules)
* 1:18501 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules)
* 1:18414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt (os-windows.rules)
* 1:18504 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionConstantPool overflow attempt (file-flash.rules)
* 1:18505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush overflow attempt (file-flash.rules)
* 1:18630 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:18631 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:18641 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel OBJ record invalid cmo.ot exploit attempt (file-office.rules)
* 1:18655 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LLMNR invalid reverse name lookup stack corruption attempt (os-windows.rules)
* 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules)
* 1:18661 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules)
* 1:18663 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules)
* 1:18664 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules)
* 1:18665 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules)
* 1:18666 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules)
* 1:18669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cross-domain object manipulation attempt (browser-ie.rules)
* 1:18672 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-ie.rules)
* 1:19002 <-> DISABLED <-> FILE-FLASH RealNetworks RealPlayer FLV parsing two integer overflow vulnerabilities (file-flash.rules)
* 1:19189 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
* 1:19191 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 zero length write attempt (os-windows.rules)
* 1:19221 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
* 1:19972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB client TRANS response paramcount overflow attempt (os-windows.rules)
* 1:2101 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:21529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 Find_First2 filename overflow attempt (os-windows.rules)
* 1:2177 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder unicode access (os-windows.rules)
* 1:15140 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function attempt (os-windows.rules)
* 1:2252 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS DCERPC Remote Activation bind attempt (os-windows.rules)
* 1:15503 <-> ENABLED <-> FILE-OFFICE Download of PowerPoint 95 file (file-office.rules)
* 1:2258 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS DCERPC Messenger Service buffer overflow attempt (os-windows.rules)
* 1:15528 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (os-windows.rules)
* 1:2278 <-> DISABLED <-> SERVER-WEBAPP client negative Content-Length attempt (server-webapp.rules)
* 1:23314 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB invalid character argument injection attempt (os-windows.rules)
* 1:33421 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeDataPos use-after-free remote code execution attempt (browser-ie.rules)
* 1:23237 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
* 1:15226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx param_count underflow attempt (os-windows.rules)
* 1:16158 <-> ENABLED <-> OS-WINDOWS malformed ASF codec memory corruption attempt (os-windows.rules)
* 1:2382 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP asn1 overflow attempt (os-windows.rules)
* 1:2383 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP asn1 overflow attempt (os-windows.rules)
* 1:24360 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Kerberos NULL session denial of service attempt (os-windows.rules)
* 1:23837 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB host announcement format string exploit attempt (os-windows.rules)
* 1:8459 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode andx attempt (os-windows.rules)
* 1:23839 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long server name buffer overflow attempt (os-windows.rules)
* 1:8454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type attempt (os-windows.rules)
* 1:24007 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long server name buffer overflow attempt (os-windows.rules)
* 1:24336 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long comment buffer overflow attempt (os-windows.rules)
* 1:8457 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type andx attempt (os-windows.rules)
* 1:8455 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type unicode andx attempt (os-windows.rules)
* 1:24359 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
* 1:8453 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type andx attempt (os-windows.rules)
* 1:24889 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules)
* 1:24890 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules)
* 1:24891 <-> DISABLED <-> FILE-FLASH Adobe Flash Player action InitArray stack overflow attempt (file-flash.rules)
* 1:8460 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode attempt (os-windows.rules)
* 1:24892 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules)
* 1:24894 <->
DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules) * 1:26851 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 5 compatibility mode use after free attempt (browser-ie.rules) * 1:33723 <-> ENABLED <-> FILE-OTHER Type 1 font memory out-of-bounds read attempt (file-other.rules) * 1:27149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules) * 1:27755 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules) * 1:28613 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page - specific-structure (exploit-kit.rules) * 1:15210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx max_param_count underflow attempt (os-windows.rules) * 1:29066 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit XORed payload download attempt (exploit-kit.rules) * 1:15218 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx max_param_count underflow attempt (os-windows.rules) * 1:29411 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules) * 1:28425 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB Microsoft Windows Remote Administration Protocol usage attempt (os-windows.rules) * 1:29413 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:29513 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Microsoft Windows RAP API NetServerEnum2 long comment buffer overflow attempt (os-windows.rules) * 1:29514 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB Microsoft Windows Remote Administration Protocol usage attempt (os-windows.rules) * 1:29943 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules) * 1:31130 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:3145 <-> DISABLED <-> OS-WINDOWS Microsoft 
Windows SMB-DS Trans2 FIND_FIRST2 response overflow attempt (os-windows.rules) * 1:3000 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode asn1 overflow attempt (os-windows.rules) * 1:3002 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode andx asn1 overflow attempt (os-windows.rules) * 1:3003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode asn1 overflow attempt (os-windows.rules) * 1:3004 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP andx asn1 overflow attempt (os-windows.rules) * 1:3005 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode andx asn1 overflow attempt (os-windows.rules) * 1:31331 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules) * 1:15206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE max_param_count underflow attempt (os-windows.rules) * 1:15217 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt (os-windows.rules) * 1:3143 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 command response overflow attempt (os-windows.rules) * 1:15204 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode max_param_count underflow attempt (os-windows.rules) * 1:3144 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 response andx overflow attempt (os-windows.rules) * 1:32763 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TextRange after free attempt (browser-ie.rules) * 1:3001 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP andx asn1 overflow attempt (os-windows.rules) * 1:15215 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode max_param_count underflow attempt (os-windows.rules) * 
1:3146 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt (os-windows.rules) * 1:15213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode max_param_count underflow attempt (os-windows.rules) * 1:31694 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:31695 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:5722 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:32762 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TextRange after free attempt (browser-ie.rules) * 1:33115 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules) * 1:18180 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript remote code execution attempt (file-flash.rules) * 1:15141 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode andx attempt (os-windows.rules) * 1:8452 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode attempt (os-windows.rules) * 1:15142 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode attempt (os-windows.rules) * 1:33116 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules) * 1:15138 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode attempt (os-windows.rules) * 1:33191 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules) * 1:33192 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules) * 1:33194 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules) * 
1:33195 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules) * 1:33196 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules) * 1:29414 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:33412 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style type confusion remote code execution attempt (browser-ie.rules) * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules) * 1:33193 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules) * 1:34498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules) * 1:33713 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules) * 1:33714 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules) * 1:33722 <-> ENABLED <-> FILE-OTHER Type 1 font memory out-of-bounds read attempt (file-other.rules) * 1:8458 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type attempt (os-windows.rules) * 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules) * 1:24893 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules) * 1:8456 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type unicode attempt (os-windows.rules) * 1:23838 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NetServerEnum response host format string exploit attempt (os-windows.rules) * 1:34328 <-> DISABLED <-> SERVER-WEBAPP Wordpress comment field stored XSS attempt (server-webapp.rules) * 1:34428 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incorrect ptCount element denial of service attempt 
(file-office.rules) * 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:34429 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incorrect ptCount element denial of service attempt (file-office.rules) * 1:34499 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules) * 1:5716 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34669 <-> ENABLED <-> BLACKLIST DNS request for known malware domain servelatmiru.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34671 <-> ENABLED <-> BLACKLIST DNS request for known malware domain switlawert.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34672 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vesnarusural.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34670 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mehanistran.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain litramoloka.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34649 <-> DISABLED <-> SERVER-OTHER OpenSSL zero-length ClientKeyExchange message denial of service attempt (server-other.rules)
* 1:34673 <-> ENABLED <-> BLACKLIST DNS request for known malware domain petronasconn.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34674 <-> ENABLED <-> BLACKLIST DNS request for known malware domain restavratormira.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34675 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serppoglandam.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34676 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wertstumbahn.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34677 <-> ENABLED <-> BLACKLIST DNS request for known malware domain queryforworld.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34678 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serfilefnom.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34679 <-> ENABLED <-> BLACKLIST DNS request for known malware domain andbohemut.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34680 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bejustoftun.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34681 <-> ENABLED <-> BLACKLIST DNS request for known malware domain berigusaf.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34682 <-> ENABLED <-> BLACKLIST DNS request for known malware domain betroninsi.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34683 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dilelanang.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34684 <-> ENABLED <-> BLACKLIST DNS request for known malware domain forttapaha.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34685 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ftjuunbesto.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34686 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gantropine.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34687 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gutontredsup.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34688 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hepretfortna.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34689 <-> ENABLED <-> BLACKLIST DNS request for known malware domain juindorey.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34690 <-> ENABLED <-> BLACKLIST DNS request for known malware domain latemiishe.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34691 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leladingna.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34692 <-> ENABLED <-> BLACKLIST DNS request for known malware domain letgrownast.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34693 <-> ENABLED <-> BLACKLIST DNS request for known malware domain masquarten.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34694 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nawertoby.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34695 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pavesohap.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34696 <-> ENABLED <-> BLACKLIST DNS request for known malware domain polutenign.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34697 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pomdonekw.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34698 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qwertygontul.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34699 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rechedtthaten.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34700 <-> ENABLED <-> BLACKLIST DNS request for known malware domain renferolto.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34701 <-> ENABLED <-> BLACKLIST DNS request for known malware domain repherfeted.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34702 <-> ENABLED <-> BLACKLIST DNS request for known malware domain righletfoligh.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34703 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saqunold.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34704 <-> ENABLED <-> BLACKLIST DNS request for known malware domain silawecxla.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34705 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sivesuhat.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34706 <-> ENABLED <-> BLACKLIST DNS request for known malware domain stenfirthsta.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34707 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wekustines.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34708 <-> ENABLED <-> BLACKLIST DNS request for known malware domain windetrusty.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34709 <-> DISABLED <-> SERVER-OTHER MIT Kerberos MIT Kerberos 5 krb5_read_message denial of service attempt (server-other.rules)
* 1:34710 <-> DISABLED <-> SERVER-OTHER PHP unserialize datetimezone object code execution attempt (server-other.rules)
* 1:34711 <-> ENABLED <-> BLACKLIST DNS request for known malware domain a.gwas.perl.sh - Win.Trojan.Windex (blacklist.rules)
* 1:34712 <-> ENABLED <-> BLACKLIST DNS request for known malware domain a-gwas-01.slyip.net - Win.Trojan.Windex (blacklist.rules)
* 1:34713 <-> ENABLED <-> BLACKLIST DNS request for known malware domain a-gwas-01.dyndns.org - Win.Trojan.Windex (blacklist.rules)
* 1:34714 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
* 1:34715 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
* 1:34716 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
* 1:34717 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
* 1:34718 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
* 1:34719 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit URI structure (exploit-kit.rules)
* 1:34720 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit exploit download (exploit-kit.rules)
* 1:34667 <-> ENABLED <-> BLACKLIST DNS request for known malware domain reswahatce.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain terethaundv.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34645 <-> DISABLED <-> SERVER-MAIL Exim buffer overflow attempt (server-mail.rules)
* 1:34626 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
* 1:34641 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX clsid access (browser-plugins.rules)
* 1:34642 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX function call (browser-plugins.rules)
* 1:34638 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access attempt (browser-plugins.rules)
* 1:34628 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
* 1:34635 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts projectContents.jsp directory traversal attempt (server-webapp.rules)
* 1:34632 <-> DISABLED <-> SERVER-MAIL IBM Lotus Notes WPD attachment handling buffer overflow attempt (server-mail.rules)
* 1:34630 <-> ENABLED <-> FILE-IDENTIFY WordPerfect file attachment detected (file-identify.rules)
* 1:34624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Crypaura variant outbound connection attempt (malware-cnc.rules)
* 1:34636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Flactionbot outbound connection (malware-cnc.rules)
* 1:34627 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
* 1:34661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ferepritdi.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34648 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules)
* 1:34658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cawasuse.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34646 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules)
* 1:34653 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JS notification object double free attempt (file-pdf.rules)
* 1:34665 <-> ENABLED <-> BLACKLIST DNS request for known malware domain refherssuce.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34650 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap buffer overflow attempt (file-pdf.rules)
* 1:34651 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap buffer overflow attempt (file-pdf.rules)
* 1:34656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain molokalitra.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain howthatficy.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34668 <-> ENABLED <-> BLACKLIST DNS request for known malware domain srachechno.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34647 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules)
* 1:34657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain apporistale.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34664 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lasttrainforest.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34666 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rabbutdownlitt.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain litramoloka.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34625 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
* 1:34643 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX clsid access (browser-plugins.rules)
* 1:34640 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt (browser-plugins.rules)
* 1:34634 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts projectContents.jsp directory traversal attempt (server-webapp.rules)
* 1:34637 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Flactionbot outbound connection (malware-cnc.rules)
* 1:34629 <-> ENABLED <-> FILE-IDENTIFY WordPerfect file attachment detected (file-identify.rules)
* 1:34631 <-> ENABLED <-> FILE-IDENTIFY WordPerfect file download request (file-identify.rules)
* 1:34639 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt (browser-plugins.rules)
* 1:34644 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX function call (browser-plugins.rules)
* 1:34633 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts projectContents.jsp directory traversal attempt (server-webapp.rules)
* 1:34652 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JS notification object double free attempt (file-pdf.rules)
* 1:34659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dinghareun.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dingdownmahedt.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:18640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed SupBook record attempt (file-office.rules)
* 1:8455 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type unicode andx attempt (os-windows.rules)
* 1:8453 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type andx attempt (os-windows.rules)
* 1:8454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type attempt (os-windows.rules)
* 1:15138 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode attempt (os-windows.rules)
* 1:15142 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode attempt (os-windows.rules)
* 1:8452 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode attempt (os-windows.rules)
* 1:15130 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode attempt (os-windows.rules)
* 1:15134 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode attempt (os-windows.rules)
* 1:14896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB v4 srvsvc NetrpPathCononicalize unicode path cononicalization stack overflow attempt (os-windows.rules)
* 1:14647 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search Search filename size integer underflow attempt (os-windows.rules)
* 1:14651 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search andx Search filename size integer underflow attempt (os-windows.rules)
* 1:12947 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB SMBv2 protocol negotiation attempt (os-windows.rules)
* 1:16403 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode andx invalid server name share access (os-windows.rules)
* 1:16402 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB invalid server name share access (os-windows.rules)
* 1:16401 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB andx invalid server name share access (os-windows.rules)
* 1:16400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode invalid server name share access (os-windows.rules)
* 1:16399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode andx invalid server name share access (os-windows.rules)
* 1:16398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB invalid server name share access (os-windows.rules)
* 1:16397 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB andx invalid server name share access (os-windows.rules)
* 1:16395 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB COPY command oversized pathname attempt (os-windows.rules)
* 1:16337 <-> ENABLED <-> FILE-FLASH Adobe Flash Player directory traversal attempt (file-flash.rules)
* 1:16315 <-> DISABLED <-> FILE-FLASH Adobe Flash PlugIn check if file exists attempt (file-flash.rules)
* 1:16287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules)
* 1:16228 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed StartObject record arbitrary code execution attempt (file-office.rules)
* 1:5724 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5722 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:15227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx param_count underflow attempt (os-windows.rules)
* 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5727 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5729 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:14652 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode andx Search filename size integer underflow attempt (os-windows.rules)
* 1:15139 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function andx attempt (os-windows.rules)
* 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5717 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5721 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5730 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:7035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans mailslot heap overflow attempt (os-windows.rules)
* 1:7036 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode mailslot heap overflow attempt (os-windows.rules)
* 1:7037 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans mailslot heap overflow attempt (os-windows.rules)
* 1:7038 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode mailslot heap overflow attempt (os-windows.rules)
* 1:7039 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx mailslot heap overflow attempt (os-windows.rules)
* 1:7040 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx mailslot heap overflow attempt (os-windows.rules)
* 1:7041 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx mailslot heap overflow attempt (os-windows.rules)
* 1:7042 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx mailslot heap overflow attempt (os-windows.rules)
* 1:8449 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type andx attempt (os-windows.rules)
* 1:8450 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type attempt (os-windows.rules)
* 1:8451 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode andx attempt (os-windows.rules)
* 1:13979 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules)
* 1:12946 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS SMBv2 protocol negotiation attempt (os-windows.rules)
* 1:13471 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher invalid pathname overwrite attempt (file-office.rules)
* 1:14649 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search Search filename size integer underflow attempt (os-windows.rules)
* 1:14650 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode Search filename size integer underflow attempt (os-windows.rules)
* 1:14653 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search andx Search filename size integer underflow attempt (os-windows.rules)
* 1:14654 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode andx Search filename size integer underflow attempt (os-windows.rules)
* 1:15128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX attempt (os-windows.rules)
* 1:15129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode andx attempt (os-windows.rules)
* 1:15133 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode andx attempt (os-windows.rules)
* 1:15132 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function attempt (os-windows.rules)
* 1:15141 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode andx attempt (os-windows.rules)
* 1:15136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX attempt (os-windows.rules)
* 1:15140 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function attempt (os-windows.rules)
* 1:15137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode andx attempt (os-windows.rules)
* 1:16404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode invalid server name share access (os-windows.rules)
* 1:16417 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol Response overflow attempt (os-windows.rules)
* 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules)
* 1:16504 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 encoded content handling exploit attempt (browser-ie.rules)
* 1:16505 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer HTML parsing memory corruption attempt (browser-ie.rules)
* 1:16509 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer designMode-enabled information disclosure attempt (browser-ie.rules)
* 1:16539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 BytesNeeded ring0 buffer overflow attempt (os-windows.rules)
* 1:16540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
* 1:16577 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv2 compound request DoS attempt (os-windows.rules)
* 1:16636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows .NET framework XMLDsig data tampering attempt (os-windows.rules)
* 1:16658 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 cross-site scripting attempt (browser-ie.rules)
* 1:17034 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt (file-office.rules)
* 1:17035 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt (file-office.rules)
* 1:17036 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt (file-office.rules)
* 1:17115 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt (browser-ie.rules)
* 1:17125 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 MaxDataCount overflow attempt (os-windows.rules)
* 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet (os-windows.rules)
* 1:17199 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director file lRTX overflow attempt (file-other.rules)
* 1:17201 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director file LsCM overflow attempt (file-other.rules)
* 1:17207 <-> DISABLED <-> SERVER-OTHER IBM Cognos Server backdoor account remote code execution attempt (server-other.rules)
* 1:17667 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (os-windows.rules)
* 1:17696 <-> ENABLED <-> PROTOCOL-DNS Microsoft Windows DNS Server ANY query cache weakness (protocol-dns.rules)
* 1:17746 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB client TRANS response Find_First2 filename overflow
attempt (os-windows.rules) * 1:17777 <-> DISABLED <-> SERVER-MAIL IBM Lotus Notes WPD attachment handling buffer overflow attempt (server-mail.rules) * 1:18180 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript remote code execution attempt (file-flash.rules) * 1:18070 <-> DISABLED <-> FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt (file-office.rules) * 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules) * 1:18213 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher column and row remote code execution attempt (file-office.rules) * 1:18220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (os-windows.rules) * 1:18405 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LSASS domain name buffer overflow attempt (os-windows.rules) * 1:18400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules) * 1:18409 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys write message to dead thread code execution attempt (os-windows.rules) * 1:18410 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys write message to dead thread code execution attempt (os-windows.rules) * 1:18411 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules) * 1:18414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt (os-windows.rules) * 1:18412 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules) * 1:18421 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript beginGradientFill memory corruption attempt (file-flash.rules) * 1:18444 <-> DISABLED <-> FILE-FLASH Adobe Flash Player forged atom type attempt (file-flash.rules) * 1:18449 <-> DISABLED <-> FILE-OTHER Adobe Acrobat font definition 
memory corruption attempt (file-other.rules) * 1:18502 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Actionlf out of range negative offset attempt (file-flash.rules) * 1:18501 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules) * 1:18504 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionConstantPool overflow attempt (file-flash.rules) * 1:18505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush overflow attempt (file-flash.rules) * 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:5723 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:18630 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules) * 1:18631 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules) * 1:13287 <-> DISABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules) * 1:14648 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode Search filename size integer underflow attempt (os-windows.rules) * 1:18641 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel OBJ record invalid cmo.ot exploit attempt (file-office.rules) * 1:15131 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function andx attempt (os-windows.rules) * 1:15135 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX andx attempt (os-windows.rules) * 1:15127 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX andx attempt (os-windows.rules) * 1:15196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode param_count underflow attempt (os-windows.rules) * 1:18655 <-> DISABLED <-> OS-WINDOWS 
Microsoft Windows LLMNR invalid reverse name lookup stack corruption attempt (os-windows.rules) * 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules) * 1:18661 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:18663 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:18664 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:18665 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:18666 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:18669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cross-domain object manipulation attempt (browser-ie.rules) * 1:18672 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-ie.rules) * 1:19002 <-> DISABLED <-> FILE-FLASH RealNetworks RealPlayer FLV parsing two integer overflow vulnerabilities (file-flash.rules) * 1:19189 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules) * 1:19221 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules) * 1:19972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB client TRANS response paramcount overflow attempt (os-windows.rules) * 1:2101 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:21529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 Find_First2 filename overflow attempt (os-windows.rules) * 1:2177 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder unicode access (os-windows.rules) * 1:2252 <-> 
DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS DCERPC Remote Activation bind attempt (os-windows.rules) * 1:2258 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS DCERPC Messenger Service buffer overflow attempt (os-windows.rules) * 1:2278 <-> DISABLED <-> SERVER-WEBAPP client negative Content-Length attempt (server-webapp.rules) * 1:23314 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB invalid character argument injection attempt (os-windows.rules) * 1:2382 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP asn1 overflow attempt (os-windows.rules) * 1:23237 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules) * 1:2383 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP asn1 overflow attempt (os-windows.rules) * 1:16195 <-> DISABLED <-> SERVER-WEBAPP HTTP request content-length heap buffer overflow attempt (server-webapp.rules) * 1:23838 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NetServerEnum response host format string exploit attempt (os-windows.rules) * 1:23837 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB host announcement format string exploit attempt (os-windows.rules) * 1:23839 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long server name buffer overflow attempt (os-windows.rules) * 1:24007 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long server name buffer overflow attempt (os-windows.rules) * 1:24336 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long comment buffer overflow attempt (os-windows.rules) * 1:24360 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Kerberos NULL session denial of service attempt (os-windows.rules) * 1:24359 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules) * 1:24889 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt 
(file-flash.rules) * 1:24890 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules) * 1:5718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:24891 <-> DISABLED <-> FILE-FLASH Adobe Flash Player action InitArray stack overflow attempt (file-flash.rules) * 1:24893 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules) * 1:24892 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules) * 1:24894 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules) * 1:26851 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 5 compatibility mode use after free attempt (browser-ie.rules) * 1:27149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules) * 1:28425 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB Microsoft Windows Remote Administration Protocol usage attempt (os-windows.rules) * 1:27755 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules) * 1:28613 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page - specific-structure (exploit-kit.rules) * 1:29066 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit XORed payload download attempt (exploit-kit.rules) * 1:29411 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules) * 1:29414 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:29413 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:29513 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Microsoft Windows RAP API NetServerEnum2 long comment buffer overflow attempt (os-windows.rules) * 1:29514 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB Microsoft Windows Remote Administration Protocol usage 
attempt (os-windows.rules) * 1:29943 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules) * 1:3000 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode asn1 overflow attempt (os-windows.rules) * 1:3001 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP andx asn1 overflow attempt (os-windows.rules) * 1:3002 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode andx asn1 overflow attempt (os-windows.rules) * 1:3003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode asn1 overflow attempt (os-windows.rules) * 1:3004 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP andx asn1 overflow attempt (os-windows.rules) * 1:8458 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type attempt (os-windows.rules) * 1:8460 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode attempt (os-windows.rules) * 1:31130 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:8459 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode andx attempt (os-windows.rules) * 1:3005 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode andx asn1 overflow attempt (os-windows.rules) * 1:8457 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type andx attempt (os-windows.rules) * 1:15198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode param_count underflow attempt (os-windows.rules) * 1:15199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE param_count underflow attempt (os-windows.rules) * 1:15202 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx param_count underflow attempt (os-windows.rules) * 1:15200 <-> DISABLED <-> OS-WINDOWS Microsoft 
Windows SMB NT Trans NT CREATE unicode andx param_count underflow attempt (os-windows.rules) * 1:15201 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx param_count underflow attempt (os-windows.rules) * 1:15205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode max_param_count underflow attempt (os-windows.rules) * 1:15216 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx max_param_count underflow attempt (os-windows.rules) * 1:15203 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx param_count underflow attempt (os-windows.rules) * 1:15211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx max_param_count underflow attempt (os-windows.rules) * 1:15220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode param_count underflow attempt (os-windows.rules) * 1:15212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 max_param_count underflow attempt (os-windows.rules) * 1:15208 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt (os-windows.rules) * 1:15214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 max_param_count underflow attempt (os-windows.rules) * 1:15225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx param_count underflow attempt (os-windows.rules) * 1:15221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 param_count underflow attempt (os-windows.rules) * 1:15223 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode param_count underflow attempt (os-windows.rules) * 1:15224 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx param_count underflow attempt (os-windows.rules) * 1:15219 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt (os-windows.rules) * 1:15209 <-> DISABLED <-> OS-WINDOWS Microsoft 
Windows SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt (os-windows.rules) * 1:15222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 param_count underflow attempt (os-windows.rules) * 1:15207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE max_param_count underflow attempt (os-windows.rules) * 1:31331 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules) * 1:3143 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 command response overflow attempt (os-windows.rules) * 1:33193 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules) * 1:32763 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TextRange after free attempt (browser-ie.rules) * 1:3144 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 response andx overflow attempt (os-windows.rules) * 1:18662 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:33723 <-> ENABLED <-> FILE-OTHER Type 1 font memory out-of-bounds read attempt (file-other.rules) * 1:3146 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt (os-windows.rules) * 1:31694 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:31695 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:32762 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TextRange after free attempt (browser-ie.rules) * 1:33115 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules) * 1:33116 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules) * 1:18667 
<-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:33191 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules) * 1:33192 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules) * 1:33194 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules) * 1:33195 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules) * 1:33196 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules) * 1:33421 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeDataPos use-after-free remote code execution attempt (browser-ie.rules) * 1:3145 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 FIND_FIRST2 response overflow attempt (os-windows.rules) * 1:33412 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style type confusion remote code execution attempt (browser-ie.rules) * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules) * 1:19191 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 zero length write attempt (os-windows.rules) * 1:33713 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules) * 1:33714 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules) * 1:33722 <-> ENABLED <-> FILE-OTHER Type 1 font memory out-of-bounds read attempt (file-other.rules) * 1:16158 <-> ENABLED <-> OS-WINDOWS malformed ASF codec memory corruption attempt (os-windows.rules) * 1:15226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx param_count underflow attempt (os-windows.rules) * 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt 
(os-windows.rules) * 1:34328 <-> DISABLED <-> SERVER-WEBAPP Wordpress comment field stored XSS attempt (server-webapp.rules) * 1:15528 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (os-windows.rules) * 1:34428 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incorrect ptCount element denial of service attempt (file-office.rules) * 1:34498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules) * 1:15503 <-> ENABLED <-> FILE-OFFICE Download of PowerPoint 95 file (file-office.rules) * 1:34429 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incorrect ptCount element denial of service attempt (file-office.rules) * 1:15197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE param_count underflow attempt (os-windows.rules) * 1:16150 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer variant argument validation remote code execution attempt (browser-ie.rules) * 1:15210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx max_param_count underflow attempt (os-windows.rules) * 1:15215 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode max_param_count underflow attempt (os-windows.rules) * 1:15206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE max_param_count underflow attempt (os-windows.rules) * 1:15204 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode max_param_count underflow attempt (os-windows.rules) * 1:15213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode max_param_count underflow attempt (os-windows.rules) * 1:15218 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx max_param_count underflow attempt (os-windows.rules) * 1:15217 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt (os-windows.rules) * 1:34499 <-> DISABLED <-> OS-WINDOWS 
Microsoft Windows Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules) * 1:2176 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder access (os-windows.rules) * 1:5716 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:8456 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type unicode attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ferepritdi.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain litramoloka.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34669 <-> ENABLED <-> BLACKLIST DNS request for known malware domain servelatmiru.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34668 <-> ENABLED <-> BLACKLIST DNS request for known malware domain srachechno.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34650 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap buffer overflow attempt (file-pdf.rules)
* 1:34651 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap buffer overflow attempt (file-pdf.rules)
* 1:34658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cawasuse.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34649 <-> DISABLED <-> SERVER-OTHER OpenSSL zero-length ClientKeyExchange message denial of service attempt (server-other.rules)
* 1:34667 <-> ENABLED <-> BLACKLIST DNS request for known malware domain reswahatce.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34670 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mehanistran.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34671 <-> ENABLED <-> BLACKLIST DNS request for known malware domain switlawert.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34672 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vesnarusural.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34673 <-> ENABLED <-> BLACKLIST DNS request for known malware domain petronasconn.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34674 <-> ENABLED <-> BLACKLIST DNS request for known malware domain restavratormira.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34676 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wertstumbahn.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34675 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serppoglandam.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34677 <-> ENABLED <-> BLACKLIST DNS request for known malware domain queryforworld.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34678 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serfilefnom.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34679 <-> ENABLED <-> BLACKLIST DNS request for known malware domain andbohemut.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34680 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bejustoftun.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34682 <-> ENABLED <-> BLACKLIST DNS request for known malware domain betroninsi.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34681 <-> ENABLED <-> BLACKLIST DNS request for known malware domain berigusaf.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34683 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dilelanang.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34684 <-> ENABLED <-> BLACKLIST DNS request for known malware domain forttapaha.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34686 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gantropine.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34685 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ftjuunbesto.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34687 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gutontredsup.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34688 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hepretfortna.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34689 <-> ENABLED <-> BLACKLIST DNS request for known malware domain juindorey.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34690 <-> ENABLED <-> BLACKLIST DNS request for known malware domain latemiishe.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34692 <-> ENABLED <-> BLACKLIST DNS request for known malware domain letgrownast.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34691 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leladingna.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34693 <-> ENABLED <-> BLACKLIST DNS request for known malware domain masquarten.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34694 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nawertoby.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34696 <-> ENABLED <-> BLACKLIST DNS request for known malware domain polutenign.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34695 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pavesohap.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34697 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pomdonekw.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34698 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qwertygontul.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34699 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rechedtthaten.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34700 <-> ENABLED <-> BLACKLIST DNS request for known malware domain renferolto.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34702 <-> ENABLED <-> BLACKLIST DNS request for known malware domain righletfoligh.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34701 <-> ENABLED <-> BLACKLIST DNS request for known malware domain repherfeted.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34703 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saqunold.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34704 <-> ENABLED <-> BLACKLIST DNS request for known malware domain silawecxla.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34707 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wekustines.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34705 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sivesuhat.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34706 <-> ENABLED <-> BLACKLIST DNS request for known malware domain stenfirthsta.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34708 <-> ENABLED <-> BLACKLIST DNS request for known malware domain windetrusty.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34709 <-> DISABLED <-> SERVER-OTHER MIT Kerberos MIT Kerberos 5 krb5_read_message denial of service attempt (server-other.rules)
* 1:34710 <-> DISABLED <-> SERVER-OTHER PHP unserialize datetimezone object code execution attempt (server-other.rules)
* 1:34711 <-> ENABLED <-> BLACKLIST DNS request for known malware domain a.gwas.perl.sh - Win.Trojan.Windex (blacklist.rules)
* 1:34712 <-> ENABLED <-> BLACKLIST DNS request for known malware domain a-gwas-01.slyip.net - Win.Trojan.Windex (blacklist.rules)
* 1:34713 <-> ENABLED <-> BLACKLIST DNS request for known malware domain a-gwas-01.dyndns.org - Win.Trojan.Windex (blacklist.rules)
* 1:34714 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
* 1:34717 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
* 1:34715 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
* 1:34716 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
* 1:34718 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
* 1:34719 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit URI structure (exploit-kit.rules)
* 1:34720 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit exploit download (exploit-kit.rules)
* 1:34654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain litramoloka.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34665 <-> ENABLED <-> BLACKLIST DNS request for known malware domain refherssuce.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34666 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rabbutdownlitt.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain howthatficy.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34664 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lasttrainforest.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dingdownmahedt.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34633 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts projectContents.jsp directory traversal attempt (server-webapp.rules)
* 1:34644 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX function call (browser-plugins.rules)
* 1:34639 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt (browser-plugins.rules)
* 1:34631 <-> ENABLED <-> FILE-IDENTIFY WordPerfect file download request (file-identify.rules)
* 1:34629 <-> ENABLED <-> FILE-IDENTIFY WordPerfect file attachment detected (file-identify.rules)
* 1:34637 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Flactionbot outbound connection (malware-cnc.rules)
* 1:34634 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts projectContents.jsp directory traversal attempt (server-webapp.rules)
* 1:34640 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt (browser-plugins.rules)
* 1:34643 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX clsid access (browser-plugins.rules)
* 1:34625 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
* 1:34627 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
* 1:34636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Flactionbot outbound connection (malware-cnc.rules)
* 1:34624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Crypaura variant outbound connection attempt (malware-cnc.rules)
* 1:34630 <-> ENABLED <->
FILE-IDENTIFY WordPerfect file attachment detected (file-identify.rules) * 1:34632 <-> DISABLED <-> SERVER-MAIL IBM Lotus Notes WPD attachment handling buffer overflow attempt (server-mail.rules) * 1:34635 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts projectContents.jsp directory traversal attempt (server-webapp.rules) * 1:34628 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules) * 1:34638 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access attempt (browser-plugins.rules) * 1:34642 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX function call (browser-plugins.rules) * 1:34641 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX clsid access (browser-plugins.rules) * 1:34626 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules) * 1:34645 <-> DISABLED <-> SERVER-MAIL Exim buffer overflow attempt (server-mail.rules) * 1:34659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dinghareun.ru - Win.Trojan.Poseidon (blacklist.rules) * 1:34653 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JS notification object double free attempt (file-pdf.rules) * 1:34656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain molokalitra.ru - Win.Trojan.Poseidon (blacklist.rules) * 1:34647 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules) * 1:34652 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JS notification object double free attempt (file-pdf.rules) * 1:34648 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules) * 1:34646 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules) * 1:34662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain terethaundv.ru - 
Win.Trojan.Poseidon (blacklist.rules) * 1:34657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain apporistale.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:16195 <-> DISABLED <-> SERVER-WEBAPP HTTP request content-length heap buffer overflow attempt (server-webapp.rules) * 1:8459 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode andx attempt (os-windows.rules) * 1:8460 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode attempt (os-windows.rules) * 1:8457 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type andx attempt (os-windows.rules) * 1:8458 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type attempt (os-windows.rules) * 1:8455 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type unicode andx attempt (os-windows.rules) * 1:8456 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type unicode attempt (os-windows.rules) * 1:8454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type attempt (os-windows.rules) * 1:8453 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type andx attempt (os-windows.rules) * 1:15142 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode attempt (os-windows.rules) * 1:8452 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode attempt (os-windows.rules) * 1:15138 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode attempt (os-windows.rules) * 1:15134 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode attempt (os-windows.rules) * 1:15130 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode attempt (os-windows.rules) * 1:14651 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search andx Search filename size integer underflow attempt (os-windows.rules) * 1:14896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB v4 srvsvc 
NetrpPathCononicalize unicode path cononicalization stack overflow attempt (os-windows.rules) * 1:12947 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB SMBv2 protocol negotiation attempt (os-windows.rules) * 1:14647 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search Search filename size integer underflow attempt (os-windows.rules) * 1:5718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:16158 <-> ENABLED <-> OS-WINDOWS malformed ASF codec memory corruption attempt (os-windows.rules) * 1:16228 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed StartObject record arbitrary code execution attempt (file-office.rules) * 1:16287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules) * 1:16315 <-> DISABLED <-> FILE-FLASH Adobe Flash PlugIn check if file exists attempt (file-flash.rules) * 1:16337 <-> ENABLED <-> FILE-FLASH Adobe Flash Player directory traversal attempt (file-flash.rules) * 1:16395 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB COPY command oversized pathname attempt (os-windows.rules) * 1:16397 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB andx invalid server name share access (os-windows.rules) * 1:16398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB invalid server name share access (os-windows.rules) * 1:16399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode andx invalid server name share access (os-windows.rules) * 1:16400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode invalid server name share access (os-windows.rules) * 1:16401 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB andx invalid server name share access (os-windows.rules) * 1:16402 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB invalid server name share access (os-windows.rules) * 1:16403 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode andx invalid server name share access (os-windows.rules) * 1:16404 
<-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode invalid server name share access (os-windows.rules) * 1:16417 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol Response overflow attempt (os-windows.rules) * 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules) * 1:16504 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 encoded content handling exploit attempt (browser-ie.rules) * 1:16505 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer HTML parsing memory corruption attempt (browser-ie.rules) * 1:16539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 BytesNeeded ring0 buffer overflow attempt (os-windows.rules) * 1:16509 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer designMode-enabled information disclosure attempt (browser-ie.rules) * 1:16540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules) * 1:16577 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv2 compound request DoS attempt (os-windows.rules) * 1:16636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows .NET framework XMLDsig data tampering attempt (os-windows.rules) * 1:16658 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 cross-site scripting attempt (browser-ie.rules) * 1:17034 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt (file-office.rules) * 1:17035 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt (file-office.rules) * 1:17036 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt (file-office.rules) * 1:17115 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt (browser-ie.rules) * 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet (os-windows.rules) * 
1:17125 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 MaxDataCount overflow attempt (os-windows.rules) * 1:17199 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director file lRTX overflow attempt (file-other.rules) * 1:17201 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director file LsCM overflow attempt (file-other.rules) * 1:17667 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (os-windows.rules) * 1:17207 <-> DISABLED <-> SERVER-OTHER IBM Cognos Server backdoor account remote code execution attempt (server-other.rules) * 1:17696 <-> ENABLED <-> PROTOCOL-DNS Microsoft Windows DNS Server ANY query cache weakness (protocol-dns.rules) * 1:17746 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB client TRANS response Find_First2 filename overflow attempt (os-windows.rules) * 1:17777 <-> DISABLED <-> SERVER-MAIL IBM Lotus Notes WPD attachment handling buffer overflow attempt (server-mail.rules) * 1:18070 <-> DISABLED <-> FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt (file-office.rules) * 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules) * 1:18180 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript remote code execution attempt (file-flash.rules) * 1:18213 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher column and row remote code execution attempt (file-office.rules) * 1:18220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (os-windows.rules) * 1:18400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules) * 1:18405 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LSASS domain name buffer overflow attempt (os-windows.rules) * 1:18409 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys write message to dead thread code execution 
attempt (os-windows.rules) * 1:18410 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys write message to dead thread code execution attempt (os-windows.rules) * 1:18411 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules) * 1:18412 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules) * 1:18414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt (os-windows.rules) * 1:18421 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript beginGradientFill memory corruption attempt (file-flash.rules) * 1:18444 <-> DISABLED <-> FILE-FLASH Adobe Flash Player forged atom type attempt (file-flash.rules) * 1:18449 <-> DISABLED <-> FILE-OTHER Adobe Acrobat font definition memory corruption attempt (file-other.rules) * 1:18501 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules) * 1:18502 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Actionlf out of range negative offset attempt (file-flash.rules) * 1:18504 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionConstantPool overflow attempt (file-flash.rules) * 1:18505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush overflow attempt (file-flash.rules) * 1:18630 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules) * 1:18631 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules) * 1:18640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed SupBook record attempt (file-office.rules) * 1:18641 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel OBJ record invalid cmo.ot exploit attempt (file-office.rules) * 1:18655 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LLMNR invalid reverse name lookup stack corruption attempt (os-windows.rules) * 1:18660 
<-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules) * 1:18663 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:18662 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:18661 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:18664 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:18665 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:18669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cross-domain object manipulation attempt (browser-ie.rules) * 1:18667 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:18666 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:18672 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-ie.rules) * 1:19002 <-> DISABLED <-> FILE-FLASH RealNetworks RealPlayer FLV parsing two integer overflow vulnerabilities (file-flash.rules) * 1:19221 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules) * 1:19191 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 zero length write attempt (os-windows.rules) * 1:19189 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules) * 1:19972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB client TRANS response paramcount overflow attempt (os-windows.rules) * 1:2101 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:21529 <-> 
DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 Find_First2 filename overflow attempt (os-windows.rules) * 1:2176 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder access (os-windows.rules) * 1:2177 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder unicode access (os-windows.rules) * 1:2252 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS DCERPC Remote Activation bind attempt (os-windows.rules) * 1:2258 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS DCERPC Messenger Service buffer overflow attempt (os-windows.rules) * 1:23237 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules) * 1:2278 <-> DISABLED <-> SERVER-WEBAPP client negative Content-Length attempt (server-webapp.rules) * 1:23314 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB invalid character argument injection attempt (os-windows.rules) * 1:2382 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP asn1 overflow attempt (os-windows.rules) * 1:2383 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP asn1 overflow attempt (os-windows.rules) * 1:23837 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB host announcement format string exploit attempt (os-windows.rules) * 1:23838 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NetServerEnum response host format string exploit attempt (os-windows.rules) * 1:23839 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long server name buffer overflow attempt (os-windows.rules) * 1:24007 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long server name buffer overflow attempt (os-windows.rules) * 1:24336 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long comment buffer overflow attempt (os-windows.rules) * 1:24360 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Kerberos NULL session denial of service attempt (os-windows.rules) * 
1:24359 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules) * 1:24889 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules) * 1:24890 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules) * 1:24891 <-> DISABLED <-> FILE-FLASH Adobe Flash Player action InitArray stack overflow attempt (file-flash.rules) * 1:24893 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules) * 1:24892 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules) * 1:24894 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules) * 1:26851 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 5 compatibility mode use after free attempt (browser-ie.rules) * 1:27149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules) * 1:27755 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules) * 1:28425 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB Microsoft Windows Remote Administration Protocol usage attempt (os-windows.rules) * 1:5717 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:28613 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page - specific-structure (exploit-kit.rules) * 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:5721 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:5722 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt 
(os-windows.rules) * 1:29066 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit XORed payload download attempt (exploit-kit.rules) * 1:5724 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:5723 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:29411 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules) * 1:5727 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules) * 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules) * 1:5729 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules) * 1:5730 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param OS-WINDOWS attempt (os-windows.rules) * 1:5731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules) * 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules) * 1:5733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules) * 1:29414 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules) * 1:29413 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:5735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt 
(os-windows.rules) * 1:5736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans andx Max Param OS-WINDOWS attempt (os-windows.rules) * 1:5737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules) * 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules) * 1:29513 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Microsoft Windows RAP API NetServerEnum2 long comment buffer overflow attempt (os-windows.rules) * 1:7035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans mailslot heap overflow attempt (os-windows.rules) * 1:7036 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode mailslot heap overflow attempt (os-windows.rules) * 1:7037 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans mailslot heap overflow attempt (os-windows.rules) * 1:7038 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode mailslot heap overflow attempt (os-windows.rules) * 1:29514 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB Microsoft Windows Remote Administration Protocol usage attempt (os-windows.rules) * 1:7039 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx mailslot heap overflow attempt (os-windows.rules) * 1:7040 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx mailslot heap overflow attempt (os-windows.rules) * 1:7041 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx mailslot heap overflow attempt (os-windows.rules) * 1:7042 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx mailslot heap overflow attempt (os-windows.rules) * 1:29943 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules) * 1:8449 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type andx attempt (os-windows.rules) * 1:8450 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid 
buffer type attempt (os-windows.rules) * 1:8451 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode andx attempt (os-windows.rules) * 1:3001 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP andx asn1 overflow attempt (os-windows.rules) * 1:3000 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode asn1 overflow attempt (os-windows.rules) * 1:3002 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode andx asn1 overflow attempt (os-windows.rules) * 1:3003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode asn1 overflow attempt (os-windows.rules) * 1:12946 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS SMBv2 protocol negotiation attempt (os-windows.rules) * 1:3004 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP andx asn1 overflow attempt (os-windows.rules) * 1:13471 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher invalid pathname overwrite attempt (file-office.rules) * 1:13979 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules) * 1:13287 <-> DISABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules) * 1:14649 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search Search filename size integer underflow attempt (os-windows.rules) * 1:14650 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode Search filename size integer underflow attempt (os-windows.rules) * 1:14648 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode Search filename size integer underflow attempt (os-windows.rules) * 1:14653 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search andx Search filename size integer underflow attempt (os-windows.rules) * 1:14654 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode andx Search filename size integer underflow attempt (os-windows.rules) * 
1:14652 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode andx Search filename size integer underflow attempt (os-windows.rules) * 1:15129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode andx attempt (os-windows.rules) * 1:15127 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX andx attempt (os-windows.rules) * 1:15128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX attempt (os-windows.rules) * 1:15133 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode andx attempt (os-windows.rules) * 1:15132 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function attempt (os-windows.rules) * 1:15131 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function andx attempt (os-windows.rules) * 1:15137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode andx attempt (os-windows.rules) * 1:15136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX attempt (os-windows.rules) * 1:15135 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX andx attempt (os-windows.rules) * 1:15141 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode andx attempt (os-windows.rules) * 1:15140 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function attempt (os-windows.rules) * 1:15139 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function andx attempt (os-windows.rules) * 1:31130 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:15196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE 
unicode param_count underflow attempt (os-windows.rules) * 1:3005 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode andx asn1 overflow attempt (os-windows.rules) * 1:31331 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules) * 1:3143 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 command response overflow attempt (os-windows.rules) * 1:3145 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 FIND_FIRST2 response overflow attempt (os-windows.rules) * 1:3144 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 response andx overflow attempt (os-windows.rules) * 1:3146 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt (os-windows.rules) * 1:31694 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:31695 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules) * 1:32763 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TextRange after free attempt (browser-ie.rules) * 1:32762 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TextRange after free attempt (browser-ie.rules) * 1:33115 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules) * 1:33116 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules) * 1:33191 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules) * 1:33193 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules) * 1:33192 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules) * 1:33194 <-> ENABLED <-> 
BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33195 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33196 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33421 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeDataPos use-after-free remote code execution attempt (browser-ie.rules)
* 1:33412 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style type confusion remote code execution attempt (browser-ie.rules)
* 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
* 1:33713 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
* 1:33714 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
* 1:33722 <-> ENABLED <-> FILE-OTHER Type 1 font memory out-of-bounds read attempt (file-other.rules)
* 1:33723 <-> ENABLED <-> FILE-OTHER Type 1 font memory out-of-bounds read attempt (file-other.rules)
* 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
* 1:34328 <-> DISABLED <-> SERVER-WEBAPP Wordpress comment field stored XSS attempt (server-webapp.rules)
* 1:34428 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incorrect ptCount element denial of service attempt (file-office.rules)
* 1:34498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules)
* 1:34429 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incorrect ptCount element denial of service attempt (file-office.rules)
* 1:5716 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:34499 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules)
* 1:16150 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer variant argument validation remote code execution attempt (browser-ie.rules)
* 1:15503 <-> ENABLED <-> FILE-OFFICE Download of PowerPoint 95 file (file-office.rules)
* 1:15528 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (os-windows.rules)
* 1:15217 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt (os-windows.rules)
* 1:15218 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx max_param_count underflow attempt (os-windows.rules)
* 1:15213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode max_param_count underflow attempt (os-windows.rules)
* 1:15204 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode max_param_count underflow attempt (os-windows.rules)
* 1:15206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE max_param_count underflow attempt (os-windows.rules)
* 1:15215 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode max_param_count underflow attempt (os-windows.rules)
* 1:15210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx max_param_count underflow attempt (os-windows.rules)
* 1:15207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE max_param_count underflow attempt (os-windows.rules)
* 1:15222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 param_count underflow attempt (os-windows.rules)
* 1:15209 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt (os-windows.rules)
* 1:15219 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt (os-windows.rules)
* 1:15224 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx param_count underflow attempt (os-windows.rules)
* 1:15221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 param_count underflow attempt (os-windows.rules)
* 1:15223 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode param_count underflow attempt (os-windows.rules)
* 1:15225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx param_count underflow attempt (os-windows.rules)
* 1:15214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 max_param_count underflow attempt (os-windows.rules)
* 1:15208 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt (os-windows.rules)
* 1:15212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 max_param_count underflow attempt (os-windows.rules)
* 1:15220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode param_count underflow attempt (os-windows.rules)
* 1:15211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx max_param_count underflow attempt (os-windows.rules)
* 1:15203 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx param_count underflow attempt (os-windows.rules)
* 1:15216 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx max_param_count underflow attempt (os-windows.rules)
* 1:15205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode max_param_count underflow attempt (os-windows.rules)
* 1:15201 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx param_count underflow attempt (os-windows.rules)
* 1:15200 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx param_count underflow attempt (os-windows.rules)
* 1:15202 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx param_count underflow attempt (os-windows.rules)
* 1:15199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE param_count underflow attempt (os-windows.rules)
* 1:15198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode param_count underflow attempt (os-windows.rules)
* 1:15197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE param_count underflow attempt (os-windows.rules)
* 1:15226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx param_count underflow attempt (os-windows.rules)
* 1:15227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx param_count underflow attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34720 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit exploit download (exploit-kit.rules)
* 1:34719 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit URI structure (exploit-kit.rules)
* 1:34718 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
* 1:34717 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
* 1:34716 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
* 1:34715 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
* 1:34714 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
* 1:34713 <-> ENABLED <-> BLACKLIST DNS request for known malware domain a-gwas-01.dyndns.org - Win.Trojan.Windex (blacklist.rules)
* 1:34712 <-> ENABLED <-> BLACKLIST DNS request for known malware domain a-gwas-01.slyip.net - Win.Trojan.Windex (blacklist.rules)
* 1:34711 <-> ENABLED <-> BLACKLIST DNS request for known malware domain a.gwas.perl.sh - Win.Trojan.Windex (blacklist.rules)
* 1:34710 <-> DISABLED <-> SERVER-OTHER PHP unserialize datetimezone object code execution attempt (server-other.rules)
* 1:34709 <-> DISABLED <-> SERVER-OTHER MIT Kerberos MIT Kerberos 5 krb5_read_message denial of service attempt (server-other.rules)
* 1:34708 <-> ENABLED <-> BLACKLIST DNS request for known malware domain windetrusty.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34707 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wekustines.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34706 <-> ENABLED <-> BLACKLIST DNS request for known malware domain stenfirthsta.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34705 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sivesuhat.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34704 <-> ENABLED <-> BLACKLIST DNS request for known malware domain silawecxla.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34703 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saqunold.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34702 <-> ENABLED <-> BLACKLIST DNS request for known malware domain righletfoligh.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34701 <-> ENABLED <-> BLACKLIST DNS request for known malware domain repherfeted.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34700 <-> ENABLED <-> BLACKLIST DNS request for known malware domain renferolto.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34699 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rechedtthaten.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34698 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qwertygontul.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34697 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pomdonekw.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34696 <-> ENABLED <-> BLACKLIST DNS request for known malware domain polutenign.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34695 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pavesohap.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34694 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nawertoby.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34693 <-> ENABLED <-> BLACKLIST DNS request for known malware domain masquarten.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34692 <-> ENABLED <-> BLACKLIST DNS request for known malware domain letgrownast.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34691 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leladingna.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34690 <-> ENABLED <-> BLACKLIST DNS request for known malware domain latemiishe.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34689 <-> ENABLED <-> BLACKLIST DNS request for known malware domain juindorey.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34688 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hepretfortna.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34687 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gutontredsup.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34686 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gantropine.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34685 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ftjuunbesto.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34684 <-> ENABLED <-> BLACKLIST DNS request for known malware domain forttapaha.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34683 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dilelanang.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34682 <-> ENABLED <-> BLACKLIST DNS request for known malware domain betroninsi.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34681 <-> ENABLED <-> BLACKLIST DNS request for known malware domain berigusaf.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34680 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bejustoftun.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34679 <-> ENABLED <-> BLACKLIST DNS request for known malware domain andbohemut.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34678 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serfilefnom.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34677 <-> ENABLED <-> BLACKLIST DNS request for known malware domain queryforworld.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34676 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wertstumbahn.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34675 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serppoglandam.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34674 <-> ENABLED <-> BLACKLIST DNS request for known malware domain restavratormira.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34673 <-> ENABLED <-> BLACKLIST DNS request for known malware domain petronasconn.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34672 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vesnarusural.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34671 <-> ENABLED <-> BLACKLIST DNS request for known malware domain switlawert.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34670 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mehanistran.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34669 <-> ENABLED <-> BLACKLIST DNS request for known malware domain servelatmiru.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34668 <-> ENABLED <-> BLACKLIST DNS request for known malware domain srachechno.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34667 <-> ENABLED <-> BLACKLIST DNS request for known malware domain reswahatce.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34666 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rabbutdownlitt.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34665 <-> ENABLED <-> BLACKLIST DNS request for known malware domain refherssuce.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34664 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lasttrainforest.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain howthatficy.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain terethaundv.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ferepritdi.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dingdownmahedt.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dinghareun.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cawasuse.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain apporistale.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain molokalitra.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain litramoloka.ru - Win.Trojan.Poseidon (blacklist.rules)
* 1:34654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain litramoloka.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:34653 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JS notification object double free attempt (file-pdf.rules)
* 1:34652 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JS notification object double free attempt (file-pdf.rules)
* 1:34651 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap buffer overflow attempt (file-pdf.rules)
* 1:34650 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap buffer overflow attempt (file-pdf.rules)
* 1:34649 <-> DISABLED <-> SERVER-OTHER OpenSSL zero-length ClientKeyExchange message denial of service attempt (server-other.rules)
* 1:34648 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules)
* 1:34647 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules)
* 1:34646 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt (server-webapp.rules)
* 1:34645 <-> DISABLED <-> SERVER-MAIL Exim buffer overflow attempt (server-mail.rules)
* 1:34644 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX function call (browser-plugins.rules)
* 1:34643 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX clsid access (browser-plugins.rules)
* 1:34642 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX function call (browser-plugins.rules)
* 1:34641 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX clsid access (browser-plugins.rules)
* 1:34640 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt (browser-plugins.rules)
* 1:34639 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt (browser-plugins.rules)
* 1:34638 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access attempt (browser-plugins.rules)
* 1:34637 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Flactionbot outbound connection (malware-cnc.rules)
* 1:34636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Flactionbot outbound connection (malware-cnc.rules)
* 1:34635 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts projectContents.jsp directory traversal attempt (server-webapp.rules)
* 1:34634 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts projectContents.jsp directory traversal attempt (server-webapp.rules)
* 1:34633 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts projectContents.jsp directory traversal attempt (server-webapp.rules)
* 1:34632 <-> DISABLED <-> SERVER-MAIL IBM Lotus Notes WPD attachment handling buffer overflow attempt (server-mail.rules)
* 1:34631 <-> ENABLED <-> FILE-IDENTIFY WordPerfect file download request (file-identify.rules)
* 1:34630 <-> ENABLED <-> FILE-IDENTIFY WordPerfect file attachment detected (file-identify.rules)
* 1:34629 <-> ENABLED <-> FILE-IDENTIFY WordPerfect file attachment detected (file-identify.rules)
* 1:34628 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
* 1:34627 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
* 1:34626 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
* 1:34625 <-> DISABLED <-> FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt (file-pdf.rules)
* 1:34624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Crypaura variant outbound connection attempt (malware-cnc.rules)
* 1:8460 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode attempt (os-windows.rules)
* 1:8459 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode andx attempt (os-windows.rules)
* 1:8458 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type attempt (os-windows.rules)
* 1:8457 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type andx attempt (os-windows.rules)
* 1:8456 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type unicode attempt (os-windows.rules)
* 1:8455 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type unicode andx attempt (os-windows.rules)
* 1:8454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type attempt (os-windows.rules)
* 1:8453 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Rename invalid buffer type andx attempt (os-windows.rules)
* 1:8452 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode attempt (os-windows.rules)
* 1:15196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode param_count underflow attempt (os-windows.rules)
* 1:15141 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode andx attempt (os-windows.rules)
* 1:15142 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode attempt (os-windows.rules)
* 1:15139 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function andx attempt (os-windows.rules)
* 1:15140 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function attempt (os-windows.rules)
* 1:15138 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode attempt (os-windows.rules)
* 1:15137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode andx attempt (os-windows.rules)
* 1:15135 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX andx attempt (os-windows.rules)
* 1:15136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX attempt (os-windows.rules)
* 1:15133 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode andx attempt (os-windows.rules)
* 1:15134 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function unicode attempt (os-windows.rules)
* 1:15131 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function andx attempt (os-windows.rules)
* 1:15132 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function attempt (os-windows.rules)
* 1:15130 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode attempt (os-windows.rules)
* 1:15129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX unicode andx attempt (os-windows.rules)
* 1:15128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX attempt (os-windows.rules)
* 1:14896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB v4 srvsvc NetrpPathCononicalize unicode path cononicalization stack overflow attempt (os-windows.rules)
* 1:15127 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB sp_replwritetovarbin vulnerable function WriteAndX andx attempt (os-windows.rules)
* 1:14653 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search andx Search filename size integer underflow attempt (os-windows.rules)
* 1:14654 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode andx Search filename size integer underflow attempt (os-windows.rules)
* 1:14651 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search andx Search filename size integer underflow attempt (os-windows.rules)
* 1:14652 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode andx Search filename size integer underflow attempt (os-windows.rules)
* 1:14649 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search Search filename size integer underflow attempt (os-windows.rules)
* 1:14650 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode Search filename size integer underflow attempt (os-windows.rules)
* 1:14647 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search Search filename size integer underflow attempt (os-windows.rules)
* 1:14648 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Search unicode Search filename size integer underflow attempt (os-windows.rules)
* 1:13471 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher invalid pathname overwrite attempt (file-office.rules)
* 1:13979 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules)
* 1:12947 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB SMBv2 protocol negotiation attempt (os-windows.rules)
* 1:13287 <-> DISABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
* 1:12946 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS SMBv2 protocol negotiation attempt (os-windows.rules)
* 1:8451 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type unicode andx attempt (os-windows.rules)
* 1:8450 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type attempt (os-windows.rules)
* 1:8449 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Rename invalid buffer type andx attempt (os-windows.rules)
* 1:7042 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx mailslot heap overflow attempt (os-windows.rules)
* 1:7041 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx mailslot heap overflow attempt (os-windows.rules)
* 1:7040 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx mailslot heap overflow attempt (os-windows.rules)
* 1:7039 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx mailslot heap overflow attempt (os-windows.rules)
* 1:7038 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode mailslot heap overflow attempt (os-windows.rules)
* 1:7037 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans mailslot heap overflow attempt (os-windows.rules)
* 1:7036 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode mailslot heap overflow attempt (os-windows.rules)
* 1:7035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans mailslot heap overflow attempt (os-windows.rules)
* 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5730 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5729 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5727 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5724 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5723 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5722 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5721 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5717 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5716 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:34499 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules)
* 1:34498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules)
* 1:34429 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incorrect ptCount element denial of service attempt (file-office.rules)
* 1:34428 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incorrect ptCount element denial of service attempt (file-office.rules)
* 1:34328 <-> DISABLED <-> SERVER-WEBAPP Wordpress comment field stored XSS attempt (server-webapp.rules)
* 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
* 1:33722 <-> ENABLED <-> FILE-OTHER Type 1 font memory out-of-bounds read attempt (file-other.rules)
* 1:33723 <-> ENABLED <-> FILE-OTHER Type 1 font memory out-of-bounds read attempt (file-other.rules)
* 1:33714 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
* 1:33713 <-> DISABLED <-> OS-WINDOWS Microsoft Windows atlmfd.dll out-of-bounds memory write attempt (os-windows.rules)
* 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
* 1:33421 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeDataPos use-after-free remote code execution attempt (browser-ie.rules)
* 1:33412 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style type confusion remote code execution attempt (browser-ie.rules)
* 1:33196 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33195 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33194 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33192 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33193 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33191 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33116 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:33115 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32763 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TextRange after free attempt (browser-ie.rules)
* 1:32762 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TextRange after free attempt (browser-ie.rules)
* 1:31695 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
* 1:31694 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
* 1:3146 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt (os-windows.rules)
* 1:3144 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 response andx overflow attempt (os-windows.rules)
* 1:3145 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 FIND_FIRST2 response overflow attempt (os-windows.rules)
* 1:3143 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 command response overflow attempt (os-windows.rules)
* 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31331 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
* 1:3005 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode andx asn1 overflow attempt (os-windows.rules)
* 1:31130 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
* 1:3004 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP andx asn1 overflow attempt (os-windows.rules)
* 1:3003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode asn1 overflow attempt (os-windows.rules)
* 1:3002 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode andx asn1 overflow attempt (os-windows.rules)
* 1:3001 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP andx asn1 overflow attempt (os-windows.rules)
* 1:3000 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode asn1 overflow attempt (os-windows.rules)
* 1:29943 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
* 1:29514 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB Microsoft Windows Remote Administration Protocol usage attempt (os-windows.rules)
* 1:29513 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Microsoft Windows RAP API NetServerEnum2 long comment buffer overflow attempt (os-windows.rules)
* 1:29413 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
* 1:29414 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
* 1:29411 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)
* 1:29066 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit XORed payload download attempt (exploit-kit.rules)
* 1:28613 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page - specific-structure (exploit-kit.rules)
* 1:28425 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB Microsoft Windows Remote Administration Protocol usage attempt (os-windows.rules)
* 1:27755 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules)
* 1:27149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
* 1:26851 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 5 compatibility mode use after free attempt (browser-ie.rules)
* 1:24894 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules)
* 1:24892 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules)
* 1:24893 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules)
* 1:24891 <-> DISABLED <-> FILE-FLASH Adobe Flash Player action InitArray stack overflow attempt (file-flash.rules)
* 1:24890 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules)
* 1:24889 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules)
* 1:24360 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Kerberos NULL session denial of service attempt (os-windows.rules)
* 1:24359 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
* 1:24336 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long comment buffer overflow attempt (os-windows.rules)
* 1:24007 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long server name buffer overflow attempt (os-windows.rules)
* 1:23839 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB RAP API NetServerEnum2 long server name buffer overflow attempt (os-windows.rules)
* 1:23837 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB host announcement format string exploit attempt (os-windows.rules)
* 1:23838 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NetServerEnum response host format string exploit attempt (os-windows.rules)
* 1:2383 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP asn1 overflow attempt (os-windows.rules)
* 1:2382 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP asn1 overflow attempt (os-windows.rules)
* 1:23314 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB invalid character argument injection attempt (os-windows.rules)
* 1:23237 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
* 1:2278 <-> DISABLED <-> SERVER-WEBAPP client negative Content-Length attempt (server-webapp.rules)
* 1:2258 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS DCERPC Messenger Service buffer overflow attempt (os-windows.rules)
* 1:2252 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS DCERPC Remote Activation bind attempt (os-windows.rules)
* 1:2177 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder unicode access (os-windows.rules)
* 1:21529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 Find_First2 filename overflow attempt (os-windows.rules)
* 1:2176 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB startup folder access (os-windows.rules)
* 1:2101 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:19972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB client TRANS response paramcount overflow attempt (os-windows.rules)
* 1:19221 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
* 1:19191 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 zero length write attempt (os-windows.rules)
* 1:19189 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
* 1:19002 <-> DISABLED <-> FILE-FLASH RealNetworks RealPlayer FLV parsing two integer overflow vulnerabilities (file-flash.rules)
* 1:18672 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-ie.rules)
* 1:18669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cross-domain object manipulation attempt (browser-ie.rules)
* 1:18667 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules)
* 1:18666 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules)
* 1:18665 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules)
* 1:18664 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules)
* 1:18663 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 
win32k.sys escalation of privilege attempt (os-windows.rules) * 1:18662 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:18661 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys escalation of privilege attempt (os-windows.rules) * 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules) * 1:18655 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LLMNR invalid reverse name lookup stack corruption attempt (os-windows.rules) * 1:18641 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel OBJ record invalid cmo.ot exploit attempt (file-office.rules) * 1:18640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed SupBook record attempt (file-office.rules) * 1:18631 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules) * 1:18630 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules) * 1:18505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush overflow attempt (file-flash.rules) * 1:18504 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionConstantPool overflow attempt (file-flash.rules) * 1:18501 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules) * 1:18502 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Actionlf out of range negative offset attempt (file-flash.rules) * 1:18449 <-> DISABLED <-> FILE-OTHER Adobe Acrobat font definition memory corruption attempt (file-other.rules) * 1:18444 <-> DISABLED <-> FILE-FLASH Adobe Flash Player forged atom type attempt (file-flash.rules) * 1:18421 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript beginGradientFill memory corruption attempt (file-flash.rules) * 1:18412 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules) * 1:18414 
<-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt (os-windows.rules) * 1:18411 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules) * 1:18410 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys write message to dead thread code execution attempt (os-windows.rules) * 1:18409 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys write message to dead thread code execution attempt (os-windows.rules) * 1:18400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules) * 1:18405 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LSASS domain name buffer overflow attempt (os-windows.rules) * 1:18220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (os-windows.rules) * 1:18213 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher column and row remote code execution attempt (file-office.rules) * 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules) * 1:18180 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript remote code execution attempt (file-flash.rules) * 1:18070 <-> DISABLED <-> FILE-OFFICE Microsoft Office pptimpconv.dll dll-load exploit attempt (file-office.rules) * 1:17777 <-> DISABLED <-> SERVER-MAIL IBM Lotus Notes WPD attachment handling buffer overflow attempt (server-mail.rules) * 1:17746 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB client TRANS response Find_First2 filename overflow attempt (os-windows.rules) * 1:17696 <-> ENABLED <-> PROTOCOL-DNS Microsoft Windows DNS Server ANY query cache weakness (protocol-dns.rules) * 1:17667 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (os-windows.rules) * 1:17207 <-> DISABLED <-> SERVER-OTHER IBM Cognos Server 
backdoor account remote code execution attempt (server-other.rules) * 1:17201 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director file LsCM overflow attempt (file-other.rules) * 1:17199 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director file lRTX overflow attempt (file-other.rules) * 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet (os-windows.rules) * 1:17125 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 MaxDataCount overflow attempt (os-windows.rules) * 1:17115 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt (browser-ie.rules) * 1:17036 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt (file-office.rules) * 1:17035 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt (file-office.rules) * 1:17034 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook AttachMethods local file execution attempt (file-office.rules) * 1:16658 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 cross-site scripting attempt (browser-ie.rules) * 1:16636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows .NET framework XMLDsig data tampering attempt (os-windows.rules) * 1:16577 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv2 compound request DoS attempt (os-windows.rules) * 1:16540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules) * 1:16539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 BytesNeeded ring0 buffer overflow attempt (os-windows.rules) * 1:16509 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer designMode-enabled information disclosure attempt (browser-ie.rules) * 1:16505 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer HTML parsing memory corruption attempt (browser-ie.rules) * 1:16504 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 encoded content handling exploit 
attempt (browser-ie.rules) * 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules) * 1:16417 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol Response overflow attempt (os-windows.rules) * 1:16404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode invalid server name share access (os-windows.rules) * 1:16403 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode andx invalid server name share access (os-windows.rules) * 1:16402 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB invalid server name share access (os-windows.rules) * 1:16401 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB andx invalid server name share access (os-windows.rules) * 1:16400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode invalid server name share access (os-windows.rules) * 1:16399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB unicode andx invalid server name share access (os-windows.rules) * 1:16398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB invalid server name share access (os-windows.rules) * 1:16397 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB andx invalid server name share access (os-windows.rules) * 1:16395 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB COPY command oversized pathname attempt (os-windows.rules) * 1:16337 <-> ENABLED <-> FILE-FLASH Adobe Flash Player directory traversal attempt (file-flash.rules) * 1:16315 <-> DISABLED <-> FILE-FLASH Adobe Flash PlugIn check if file exists attempt (file-flash.rules) * 1:16287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules) * 1:16228 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed StartObject record arbitrary code execution attempt (file-office.rules) * 1:16195 <-> DISABLED <-> SERVER-WEBAPP HTTP request content-length heap buffer overflow attempt (server-webapp.rules) * 1:16158 <-> ENABLED <-> OS-WINDOWS malformed ASF codec 
memory corruption attempt (os-windows.rules) * 1:16150 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer variant argument validation remote code execution attempt (browser-ie.rules) * 1:15528 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (os-windows.rules) * 1:15503 <-> ENABLED <-> FILE-OFFICE Download of PowerPoint 95 file (file-office.rules) * 1:15227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx param_count underflow attempt (os-windows.rules) * 1:15226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx param_count underflow attempt (os-windows.rules) * 1:15225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx param_count underflow attempt (os-windows.rules) * 1:15224 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx param_count underflow attempt (os-windows.rules) * 1:15223 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode param_count underflow attempt (os-windows.rules) * 1:15222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 param_count underflow attempt (os-windows.rules) * 1:15221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 param_count underflow attempt (os-windows.rules) * 1:15220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode param_count underflow attempt (os-windows.rules) * 1:15219 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt (os-windows.rules) * 1:15218 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx max_param_count underflow attempt (os-windows.rules) * 1:15217 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt (os-windows.rules) * 1:15216 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 andx max_param_count underflow attempt (os-windows.rules) * 1:15215 <-> DISABLED 
<-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode max_param_count underflow attempt (os-windows.rules) * 1:15214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 max_param_count underflow attempt (os-windows.rules) * 1:15213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 unicode max_param_count underflow attempt (os-windows.rules) * 1:15212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans2 OPEN2 max_param_count underflow attempt (os-windows.rules) * 1:15211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx max_param_count underflow attempt (os-windows.rules) * 1:15210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx max_param_count underflow attempt (os-windows.rules) * 1:15209 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt (os-windows.rules) * 1:15208 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt (os-windows.rules) * 1:15207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE max_param_count underflow attempt (os-windows.rules) * 1:15206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE max_param_count underflow attempt (os-windows.rules) * 1:15205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode max_param_count underflow attempt (os-windows.rules) * 1:15204 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode max_param_count underflow attempt (os-windows.rules) * 1:15203 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx param_count underflow attempt (os-windows.rules) * 1:15202 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx param_count underflow attempt (os-windows.rules) * 1:15201 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE andx param_count underflow attempt 
(os-windows.rules) * 1:15200 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode andx param_count underflow attempt (os-windows.rules) * 1:15199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE param_count underflow attempt (os-windows.rules) * 1:15198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE unicode param_count underflow attempt (os-windows.rules) * 1:15197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB NT Trans NT CREATE param_count underflow attempt (os-windows.rules)