Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-image, file-java, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, malware-other, protocol-dns, protocol-rpc and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38281 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
* 1:38280 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
* 1:38272 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
* 1:38287 <-> ENABLED <-> SERVER-OTHER Reprise License Server akey command buffer overflow attempt (server-other.rules)
* 1:38288 <-> ENABLED <-> SERVER-OTHER Reprise License Server licfile command buffer overflow attempt (server-other.rules)
* 1:38275 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit redirection attempt (exploit-kit.rules)
* 1:38279 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
* 1:38276 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules)
* 1:38273 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
* 1:38282 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
* 1:38286 <-> ENABLED <-> SERVER-OTHER Reprise License Server actserver command buffer overflow attempt (server-other.rules)
* 1:38283 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
* 1:38278 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules)
* 1:38277 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules)
* 1:38284 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
* 1:38274 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
* 3:38285 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Flash exploit file download attempt (exploit-kit.rules)

* 1:27041 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp (exploit-kit.rules)
* 1:27040 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection jorg (exploit-kit.rules)
* 1:26947 <-> ENABLED <-> EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download (exploit-kit.rules)
* 1:26948 <-> ENABLED <-> EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download (exploit-kit.rules)
* 1:26900 <-> ENABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt (browser-plugins.rules)
* 1:26901 <-> DISABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt (browser-plugins.rules)
* 1:26898 <-> ENABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt (browser-plugins.rules)
* 1:26899 <-> ENABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt (browser-plugins.rules)
* 1:26865 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt (file-image.rules)
* 1:26807 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
* 1:26834 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri (exploit-kit.rules)
* 1:26805 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit encrypted binary download (exploit-kit.rules)
* 1:26806 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit short JNLP request (exploit-kit.rules)
* 1:26666 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ANIMATECOLOR SMIL access attempt (browser-ie.rules)
* 1:26668 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
* 1:26638 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt (browser-ie.rules)
* 1:26653 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit landing page - specific structure (exploit-kit.rules)
* 1:26634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
* 1:26635 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
* 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26617 <-> ENABLED <-> EXPLOIT-KIT iFramer injection - specific structure (exploit-kit.rules)
* 1:26571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
* 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
* 1:26552 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
* 1:26569 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
* 1:26551 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
* 1:26550 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
* 1:26541 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit successful redirection - jnlp bypass (exploit-kit.rules)
* 1:26549 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
* 1:26539 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit pdf download detection (exploit-kit.rules)
* 1:26540 <-> ENABLED <-> EXPLOIT-KIT iFramer injection - specific structure (exploit-kit.rules)
* 1:26537 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit jar download detection (exploit-kit.rules)
* 1:26538 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit landing page received (exploit-kit.rules)
* 1:26511 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit redirection structure (exploit-kit.rules)
* 1:26526 <-> ENABLED <-> EXPLOIT-KIT Portable Executable downloaded with bad DOS stub (exploit-kit.rules)
* 1:26500 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
* 1:26509 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit java payload detection (exploit-kit.rules)
* 1:26487 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
* 1:26499 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
* 1:26485 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
* 1:26486 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
* 1:26390 <-> DISABLED <-> SERVER-OTHER BigAnt Document Service DUPF command arbitrary file upload attempt (server-other.rules)
* 1:26484 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
* 1:26384 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
* 1:26389 <-> DISABLED <-> SERVER-OTHER BigAnt Document Service DUPF command arbitrary file upload attempt (server-other.rules)
* 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules)
* 1:26383 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
* 1:26350 <-> ENABLED <-> EXPLOIT-KIT TDS redirection - may lead to exploit kit (exploit-kit.rules)
* 1:26351 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page redirection (exploit-kit.rules)
* 1:26348 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit delivery (exploit-kit.rules)
* 1:26349 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit obfuscated portable executable (exploit-kit.rules)
* 1:26345 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
* 1:26346 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit payload requested (exploit-kit.rules)
* 1:26297 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit redirection page (exploit-kit.rules)
* 1:26344 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page redirection (exploit-kit.rules)
* 1:26294 <-> ENABLED <-> FILE-OTHER Watering Hole Campaign applet download (file-other.rules)
* 1:26296 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
* 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26252 <-> ENABLED <-> EXPLOIT-KIT Impact exploit kit landing page (exploit-kit.rules)
* 1:26233 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
* 1:26232 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
* 1:26185 <-> ENABLED <-> FILE-JAVA Oracle Java Gmbal package sandbox breach attempt (file-java.rules)
* 1:26186 <-> ENABLED <-> FILE-JAVA Oracle Java Gmbal package sandbox breach attempt (file-java.rules)
* 1:26100 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection page (exploit-kit.rules)
* 1:26125 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules)
* 1:26096 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
* 1:26099 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection page (exploit-kit.rules)
* 1:26094 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
* 1:26095 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
* 1:26039 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Java exploit download (exploit-kit.rules)
* 1:26090 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
* 1:26033 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit iframe redirection attempt (exploit-kit.rules)
* 1:26038 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Java exploit download (exploit-kit.rules)
* 1:26030 <-> ENABLED <-> FILE-OTHER Known malicious jar archive download attempt (file-other.rules)
* 1:26031 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page (exploit-kit.rules)
* 1:26013 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit redirection page received (exploit-kit.rules)
* 1:26025 <-> ENABLED <-> INDICATOR-COMPROMISE Java user-agent request to svchost.jpg (indicator-compromise.rules)
* 1:25988 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
* 1:25989 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
* 1:25833 <-> ENABLED <-> FILE-JAVA Oracle Java malicious class download attempt (file-java.rules)
* 1:25834 <-> ENABLED <-> FILE-JAVA Oracle Java JMX class arbitrary code execution attempt (file-java.rules)
* 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:25831 <-> ENABLED <-> FILE-JAVA Oracle Java JMX class arbitrary code execution attempt (file-java.rules)
* 1:25806 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit landing page (exploit-kit.rules)
* 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:25775 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
* 1:25805 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit Java exploit retrieval (exploit-kit.rules)
* 1:25590 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure (exploit-kit.rules)
* 1:25591 <-> DISABLED <-> EXPLOIT-KIT Blackhole exploit kit landing page - specific structure (exploit-kit.rules)
* 1:25584 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25585 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25581 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25583 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (exploit-kit.rules)
* 1:25538 <-> ENABLED <-> EXPLOIT-KIT Red Dot landing page (exploit-kit.rules)
* 1:25473 <-> ENABLED <-> FILE-JAVA Oracle Java JMX class arbitrary code execution attempt (file-java.rules)
* 1:25301 <-> ENABLED <-> EXPLOIT-KIT redirect to malicious java archive attempt (exploit-kit.rules)
* 1:25302 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit malicious jar archive download (exploit-kit.rules)
* 1:25235 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:25255 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit redirection attempt (exploit-kit.rules)
* 1:25140 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit portable executable download request (exploit-kit.rules)
* 1:25234 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:25138 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit pdf outbound connection (exploit-kit.rules)
* 1:25139 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit eot outbound connection (exploit-kit.rules)
* 1:25134 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:25136 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection (exploit-kit.rules)
* 1:25132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:25133 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:25130 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:25131 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:25128 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:25129 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:25126 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:25127 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:25042 <-> ENABLED <-> EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (exploit-kit.rules)
* 1:25125 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:24865 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page in an email (exploit-kit.rules)
* 1:24993 <-> DISABLED <-> FILE-JAVA Oracle Java Applet remote code execution attempt (file-java.rules)
* 1:24863 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page in an email (exploit-kit.rules)
* 1:24864 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure (exploit-kit.rules)
* 1:24861 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page in an email (exploit-kit.rules)
* 1:24862 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure (exploit-kit.rules)
* 1:24841 <-> ENABLED <-> EXPLOIT-KIT Sibhost exploit kit outbound JAR download attempt (exploit-kit.rules)
* 1:24860 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure (exploit-kit.rules)
* 1:24150 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TrueType font corrupt header attempt (file-pdf.rules)
* 1:24151 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TrueType font corrupt header attempt (file-pdf.rules)
* 1:23365 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM NFS v3 xdrdecodeString heap buffer overflow attempt (server-other.rules)
* 1:23366 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM NFS v2 xdrdecodeString heap buffer overflow attempt (server-other.rules)
* 1:23363 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM xdrdecodeString heap buffer overflow attempt (server-other.rules)
* 1:23364 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM v2 xdrdecodeString heap buffer overflow attempt (server-other.rules)
* 1:23224 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Requested - 8Digit.html (exploit-kit.rules)
* 1:23225 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Received - applet and flowbit (exploit-kit.rules)
* 1:23222 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Received - applet and 5 digit jar attempt (exploit-kit.rules)
* 1:23223 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Received - applet and code (exploit-kit.rules)
* 1:23220 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit Java Exploit Requested - 5 digit jar (exploit-kit.rules)
* 1:23221 <-> DISABLED <-> EXPLOIT-KIT Redkit Jar File Naming Algorithm (exploit-kit.rules)
* 1:23219 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit Java Exploit request to .class file (exploit-kit.rules)
* 1:27067 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure (exploit-kit.rules)
* 1:38227 <-> DISABLED <-> FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt (file-flash.rules)
* 1:17505 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
* 1:17506 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
* 1:17507 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
* 1:21100 <-> DISABLED <-> PROTOCOL-RPC Novell Netware xdr decode string length buffer overflow attempt (protocol-rpc.rules)
* 1:38000 <-> DISABLED <-> BROWSER-PLUGINS IE MsRdpClient ActiveX attempt (browser-plugins.rules)
* 1:37963 <-> DISABLED <-> INDICATOR-COMPROMISE malicious file download attempt (indicator-compromise.rules)
* 1:37997 <-> DISABLED <-> BROWSER-PLUGINS IE MsRdpClient ActiveX attempt (browser-plugins.rules)
* 1:36436 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
* 1:34139 <-> DISABLED <-> SERVER-OTHER Novell ZenWorks configuration management file upload directory traversal attempt (server-other.rules)
* 1:33568 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word border use-after-free attempt (file-office.rules)
* 1:33567 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word border use-after-free attempt (file-office.rules)
* 1:31441 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed chart arbitrary code execution attempt (file-office.rules)
* 1:31438 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
* 1:31044 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime ActiveX Control use after free (browser-plugins.rules)
* 1:31043 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime ActiveX Control use after free (browser-plugins.rules)
* 1:29802 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
* 1:29803 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
* 1:29602 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt (browser-ie.rules)
* 1:29505 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
* 1:29504 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
* 1:29452 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
* 1:29453 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit eot outbound connection (exploit-kit.rules)
* 1:29450 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit outbound connection attempt (exploit-kit.rules)
* 1:29449 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
* 1:29448 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
* 1:29445 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit fonts download page (exploit-kit.rules)
* 1:28911 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit initial outbound request - generic detection (exploit-kit.rules)
* 1:28855 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
* 1:27062 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
* 1:28854 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
* 1:27083 <-> ENABLED <-> EXPLOIT-KIT Nailed exploit kit jmxbean remote code execution exploit download - autopwn (exploit-kit.rules)
* 1:28794 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SerAuxTrend biff record corruption attempt (file-office.rules)
* 1:27140 <-> DISABLED <-> EXPLOIT-KIT Private exploit kit numerically named exe file dowload (exploit-kit.rules)
* 1:27142 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit landing page (exploit-kit.rules)
* 1:27143 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit landing page (exploit-kit.rules)
* 1:27144 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit outbound traffic (exploit-kit.rules)
* 1:27148 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
* 1:27149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
* 1:28478 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
* 1:27702 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit landing page (exploit-kit.rules)
* 1:27706 <-> DISABLED <-> EXPLOIT-KIT Gong Da exploit kit possible jar download (exploit-kit.rules)
* 1:27814 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
* 1:27815 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit malicious redirection attempt (exploit-kit.rules)
* 1:28439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bspire variant connection (malware-cnc.rules)
* 1:27141 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit landing page (exploit-kit.rules)
* 1:28477 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit outbound pdf request (exploit-kit.rules)
* 1:28475 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request - generic detection (exploit-kit.rules)
* 1:27042 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection jovf (exploit-kit.rules)
* 1:28424 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request (exploit-kit.rules)
* 1:28307 <-> ENABLED <-> EXPLOIT-KIT Himan exploit kit landing page (exploit-kit.rules)
* 1:27061 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
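The `gid:sid <-> state <-> message (group)` lines above are regular enough to parse, which is how most teams actually consume these posts: work out which new rules ship DISABLED (the ISC BIND DoS and Word/IE signatures here, for instance) and decide whether to enable them on sensors that see that traffic. The following is an added example, not Talos code and not part of the original post. It parses a changelog in this format (tolerating the run-together `* entry * entry` form and an entry wrapped mid-message), counts enabled and disabled rules per rule-group file, emits the `gid:sid` lines for rules that ship disabled, and diffs two lists. The six sample entries are copied from the 2976 list above; the second, shorter list is a constructed variant that drops entries and flips 1:38281 to ENABLED purely to exercise the diff, and is not the real 2980 list. The one-`gid:sid`-per-line output is the form PulledPork's `enablesid.conf` accepts.

```python
"""Parse a Talos/Snort rule-update changelog in the
   gid:sid <-> Default rule state <-> Message (rule group)
format and summarise it per rule group. Added example; not Talos's code."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# One changelog entry. The message begins with an upper-case category prefix
# such as PROTOCOL-DNS and ends with the rule-group file in parentheses.
_ENTRY = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<category>[A-Z]+(?:-[A-Z]+)*)\s+(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    category: str
    msg: str
    group: str


def parse_changelog(text: str) -> list[RuleEntry]:
    """Extract every entry, whether one per line or run together with ' * ',
    and even when an entry was wrapped across lines mid-message."""
    flat = " ".join(text.split())  # collapse newlines and runs of spaces
    return [
        RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                  m["category"], m["msg"], m["group"])
        for m in _ENTRY.finditer(flat)
    ]


def summarize_by_group(entries: list[RuleEntry]) -> dict[str, tuple[int, int]]:
    """Map rule-group file -> (enabled, disabled) counts."""
    counts: dict[str, list[int]] = defaultdict(lambda: [0, 0])
    for e in entries:
        counts[e.group][0 if e.enabled else 1] += 1
    return {g: (c[0], c[1]) for g, c in counts.items()}


def disabled_sids(entries: list[RuleEntry], group: str | None = None) -> list[str]:
    """'gid:sid' lines for rules that ship DISABLED, optionally for one rule group.
    One gid:sid per line is the form PulledPork's enablesid.conf accepts, so the
    output can be reviewed and dropped in to switch those rules on."""
    picked = [e for e in entries if not e.enabled and (group is None or e.group == group)]
    return [f"{e.gid}:{e.sid}" for e in sorted(picked, key=lambda e: (e.gid, e.sid))]


def diff_packs(old: list[RuleEntry], new: list[RuleEntry]):
    """(gid, sid) keys present only in old, only in new, and present in both
    with a different default state."""
    a = {(e.gid, e.sid): e for e in old}
    b = {(e.gid, e.sid): e for e in new}
    only_old = sorted(a.keys() - b.keys())
    only_new = sorted(b.keys() - a.keys())
    flipped = sorted(k for k in a.keys() & b.keys() if a[k].enabled != b[k].enabled)
    return only_old, only_new, flipped


# Constructed sample: six entries copied from the 2976 list, kept in the
# run-together "* entry * entry" form, with one entry wrapped mid-message.
SAMPLE_2976 = """\
* 1:38281 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules) * 1:38284 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules) * 1:38280 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
* 1:38287 <-> ENABLED <-> SERVER-OTHER Reprise License Server akey command buffer overflow attempt (server-other.rules) * 1:26526 <-> ENABLED <-> EXPLOIT-KIT Portable Executable
downloaded with bad DOS stub (exploit-kit.rules) * 3:38285 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Flash exploit file download attempt (exploit-kit.rules)
"""

# Constructed variant for the diff (NOT the real 2980 list): drops four entries
# and flips 1:38281 to ENABLED.
SAMPLE_VARIANT = """\
* 1:38281 <-> ENABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
* 1:38280 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
"""

if __name__ == "__main__":
    rules = parse_changelog(SAMPLE_2976)
    for group, (on, off) in sorted(summarize_by_group(rules).items()):
        print(f"{group:24} enabled={on} disabled={off}")
    print("ship disabled:", disabled_sids(rules))
    print("diff vs variant:", diff_packs(rules, parse_changelog(SAMPLE_VARIANT)))
```

Whitespace is collapsed before matching so that an entry broken across lines (as several are above) still parses; the cost is that a malformed entry without a trailing `(group.rules)` will swallow text up to the next entry's group, so eyeball the parsed count against the post before acting on it.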
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38288 <-> ENABLED <-> SERVER-OTHER Reprise License Server licfile command buffer overflow attempt (server-other.rules)
* 1:38287 <-> ENABLED <-> SERVER-OTHER Reprise License Server akey command buffer overflow attempt (server-other.rules)
* 1:38286 <-> ENABLED <-> SERVER-OTHER Reprise License Server actserver command buffer overflow attempt (server-other.rules)
* 1:38284 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
* 1:38283 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
* 1:38282 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
* 1:38281 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
* 1:38280 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
* 1:38279 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
* 1:38278 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules)
* 1:38277 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules)
* 1:38276 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules)
* 1:38275 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit redirection attempt (exploit-kit.rules)
* 1:38274 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
* 1:38273 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
* 1:38272 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
* 3:38285 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Flash exploit file download attempt (exploit-kit.rules)

* 1:23366 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM NFS v2 xdrdecodeString heap buffer overflow attempt (server-other.rules)
* 1:23365 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM NFS v3 xdrdecodeString heap buffer overflow attempt (server-other.rules)
* 1:23364 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM v2 xdrdecodeString heap buffer overflow attempt (server-other.rules)
* 1:23363 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM xdrdecodeString heap buffer overflow attempt (server-other.rules)
* 1:23225 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Received - applet and flowbit (exploit-kit.rules)
* 1:23224 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Requested - 8Digit.html (exploit-kit.rules)
* 1:23223 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Received - applet and code (exploit-kit.rules)
* 1:23222 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Received - applet and 5 digit jar attempt (exploit-kit.rules)
* 1:23221 <-> DISABLED <-> EXPLOIT-KIT Redkit Jar File Naming Algorithm (exploit-kit.rules)
* 1:23220 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit Java Exploit Requested - 5 digit jar (exploit-kit.rules)
* 1:23219 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit Java Exploit request to .class file (exploit-kit.rules)
* 1:21100 <-> DISABLED <-> PROTOCOL-RPC Novell Netware xdr decode string length buffer overflow attempt (protocol-rpc.rules)
* 1:17507 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
* 1:17506 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
* 1:17505 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
* 1:38227 <-> DISABLED <-> FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt (file-flash.rules)
* 1:38000 <-> DISABLED <-> BROWSER-PLUGINS IE MsRdpClient ActiveX attempt (browser-plugins.rules)
* 1:37997 <-> DISABLED <-> BROWSER-PLUGINS IE MsRdpClient ActiveX attempt (browser-plugins.rules)
* 1:37963 <-> DISABLED <-> INDICATOR-COMPROMISE malicious file download attempt (indicator-compromise.rules)
* 1:36436 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
* 1:34139 <-> DISABLED <-> SERVER-OTHER Novell ZenWorks configuration management file upload directory traversal attempt (server-other.rules)
* 1:33568 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word border use-after-free attempt (file-office.rules)
* 1:33567 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word border use-after-free attempt (file-office.rules)
* 1:31441 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed chart arbitrary code execution attempt (file-office.rules)
* 1:31438 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
* 1:31044 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime ActiveX Control use after free (browser-plugins.rules)
* 1:31043 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime ActiveX Control use after free (browser-plugins.rules)
* 1:29803 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
* 1:29802 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
* 1:29602 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt (browser-ie.rules)
* 1:29505 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
* 1:29504 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
* 1:29453 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit eot outbound connection (exploit-kit.rules)
* 1:29452 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
* 1:29450 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit outbound connection attempt (exploit-kit.rules)
* 1:29449 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
* 1:29448 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
* 1:29445 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit fonts download page (exploit-kit.rules)
* 1:28911 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit initial outbound request - generic detection (exploit-kit.rules)
* 1:28855 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
* 1:28854 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
* 1:28794 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SerAuxTrend biff record corruption attempt (file-office.rules)
* 1:28478 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
* 1:28477 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit outbound pdf request (exploit-kit.rules)
* 1:28475 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request - generic detection (exploit-kit.rules)
* 1:28439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bspire variant connection (malware-cnc.rules)
* 1:28424 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request (exploit-kit.rules)
* 1:28307 <-> ENABLED <-> EXPLOIT-KIT Himan exploit kit landing page (exploit-kit.rules)
* 1:27815 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit malicious redirection attempt (exploit-kit.rules)
* 1:27814 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
* 1:27706 <-> DISABLED <-> EXPLOIT-KIT Gong Da exploit kit possible jar download (exploit-kit.rules)
* 1:27702 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit landing page (exploit-kit.rules)
* 1:27149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
* 1:27148 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
* 1:27144 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit outbound traffic (exploit-kit.rules)
* 1:27143 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit landing page (exploit-kit.rules)
* 1:27142 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit landing page (exploit-kit.rules)
* 1:27141 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit landing page (exploit-kit.rules)
* 1:27140 <-> DISABLED <-> EXPLOIT-KIT Private exploit kit numerically named exe file dowload (exploit-kit.rules)
* 1:27083 <-> ENABLED <-> EXPLOIT-KIT Nailed exploit kit jmxbean remote code execution exploit download - autopwn (exploit-kit.rules)
* 1:27067 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure (exploit-kit.rules)
* 1:27062 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
* 1:27061 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
* 1:27042 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection jovf (exploit-kit.rules)
* 1:27041 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp (exploit-kit.rules)
* 1:27040 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection jorg (exploit-kit.rules)
* 1:26948 <-> ENABLED <-> EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download (exploit-kit.rules)
* 1:26947 <-> ENABLED <-> EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download (exploit-kit.rules)
* 1:26901 <-> DISABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt (browser-plugins.rules)
* 1:26900 <-> ENABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt (browser-plugins.rules)
* 1:26899 <-> ENABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt (browser-plugins.rules)
* 1:26898 <-> ENABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt (browser-plugins.rules)
* 1:26865 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt (file-image.rules)
* 1:26834 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri (exploit-kit.rules)
* 1:26807 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
* 1:26806 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit short JNLP request (exploit-kit.rules)
* 1:26805 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit encrypted binary download (exploit-kit.rules)
* 1:26668 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
* 1:26666 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ANIMATECOLOR SMIL access attempt (browser-ie.rules)
* 1:26653 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit landing page - specific structure (exploit-kit.rules)
* 1:26638 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt (browser-ie.rules)
* 1:26635 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
* 1:26634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
* 1:26617 <-> ENABLED <-> EXPLOIT-KIT iFramer injection - specific structure (exploit-kit.rules)
* 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt
(browser-ie.rules) * 1:26571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules) * 1:26569 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules) * 1:26552 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules) * 1:26551 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules) * 1:26550 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules) * 1:26549 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules) * 1:26541 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit successful redirection - jnlp bypass (exploit-kit.rules) * 1:26540 <-> ENABLED <-> EXPLOIT-KIT iFramer injection - specific structure (exploit-kit.rules) * 1:26539 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit pdf download detection (exploit-kit.rules) * 1:26538 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit landing page received (exploit-kit.rules) * 1:26537 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit jar download detection (exploit-kit.rules) * 1:26526 <-> ENABLED <-> EXPLOIT-KIT Portable Executable downloaded with bad DOS stub (exploit-kit.rules) * 1:26511 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit redirection structure (exploit-kit.rules) * 1:26509 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit java payload detection (exploit-kit.rules) * 1:26500 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules) * 1:26499 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules) * 1:26487 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules) * 1:26486 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection 
types public final field overwrite attempt (file-java.rules) * 1:26485 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules) * 1:26484 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules) * 1:26390 <-> DISABLED <-> SERVER-OTHER BigAnt Document Service DUPF command arbitrary file upload attempt (server-other.rules) * 1:26389 <-> DISABLED <-> SERVER-OTHER BigAnt Document Service DUPF command arbitrary file upload attempt (server-other.rules) * 1:26384 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules) * 1:26383 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules) * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules) * 1:26351 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page redirection (exploit-kit.rules) * 1:26350 <-> ENABLED <-> EXPLOIT-KIT TDS redirection - may lead to exploit kit (exploit-kit.rules) * 1:26349 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit obfuscated portable executable (exploit-kit.rules) * 1:26348 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit delivery (exploit-kit.rules) * 1:26346 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit payload requested (exploit-kit.rules) * 1:26345 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules) * 1:26344 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page redirection (exploit-kit.rules) * 1:26297 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit redirection page (exploit-kit.rules) * 1:26296 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules) * 1:26294 <-> ENABLED <-> FILE-OTHER Watering Hole Campaign applet download (file-other.rules) * 1:26252 <-> ENABLED <-> EXPLOIT-KIT Impact exploit kit landing page (exploit-kit.rules) * 1:26233 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page 
(exploit-kit.rules) * 1:26232 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules) * 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules) * 1:26186 <-> ENABLED <-> FILE-JAVA Oracle Java Gmbal package sandbox breach attempt (file-java.rules) * 1:26185 <-> ENABLED <-> FILE-JAVA Oracle Java Gmbal package sandbox breach attempt (file-java.rules) * 1:26125 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules) * 1:26100 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection page (exploit-kit.rules) * 1:26099 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection page (exploit-kit.rules) * 1:26096 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules) * 1:26095 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules) * 1:26094 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules) * 1:26090 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules) * 1:26039 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Java exploit download (exploit-kit.rules) * 1:26038 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Java exploit download (exploit-kit.rules) * 1:26033 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit iframe redirection attempt (exploit-kit.rules) * 1:26031 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page (exploit-kit.rules) * 1:26030 <-> ENABLED <-> FILE-OTHER Known malicious jar archive download attempt (file-other.rules) * 1:26025 <-> ENABLED <-> INDICATOR-COMPROMISE Java user-agent request to svchost.jpg (indicator-compromise.rules) * 1:26013 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit redirection page received (exploit-kit.rules) * 1:25989 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules) * 1:25988 <-> ENABLED <-> 
EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules) * 1:25834 <-> ENABLED <-> FILE-JAVA Oracle Java JMX class arbitrary code execution attempt (file-java.rules) * 1:25833 <-> ENABLED <-> FILE-JAVA Oracle Java malicious class download attempt (file-java.rules) * 1:25831 <-> ENABLED <-> FILE-JAVA Oracle Java JMX class arbitrary code execution attempt (file-java.rules) * 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules) * 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules) * 1:25806 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit landing page (exploit-kit.rules) * 1:25805 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit Java exploit retrieval (exploit-kit.rules) * 1:25775 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules) * 1:25591 <-> DISABLED <-> EXPLOIT-KIT Blackhole exploit kit landing page - specific structure (exploit-kit.rules) * 1:25590 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure (exploit-kit.rules) * 1:25585 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules) * 1:25584 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules) * 1:25583 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules) * 1:25581 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules) * 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (exploit-kit.rules) * 1:25538 <-> ENABLED <-> EXPLOIT-KIT Red Dot landing page (exploit-kit.rules) * 1:25473 <-> ENABLED <-> FILE-JAVA Oracle Java JMX class arbitrary code execution attempt (file-java.rules) * 1:25302 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit malicious jar archive download (exploit-kit.rules) * 1:25301 <-> 
ENABLED <-> EXPLOIT-KIT redirect to malicious java archive attempt (exploit-kit.rules) * 1:25255 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit redirection attempt (exploit-kit.rules) * 1:25235 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules) * 1:25234 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules) * 1:25140 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit portable executable download request (exploit-kit.rules) * 1:25139 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit eot outbound connection (exploit-kit.rules) * 1:25138 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit pdf outbound connection (exploit-kit.rules) * 1:25136 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection (exploit-kit.rules) * 1:25134 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules) * 1:25133 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules) * 1:25132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules) * 1:25131 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules) * 1:25130 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules) * 1:25129 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules) * 1:25128 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules) * 1:25127 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules) * 1:25126 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules) * 1:25125 <-> ENABLED <-> BROWSER-IE Microsoft Internet 
Explorer deleted button use after free attempt (browser-ie.rules) * 1:25042 <-> ENABLED <-> EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (exploit-kit.rules) * 1:24993 <-> DISABLED <-> FILE-JAVA Oracle Java Applet remote code execution attempt (file-java.rules) * 1:24865 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page in an email (exploit-kit.rules) * 1:24864 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure (exploit-kit.rules) * 1:24863 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page in an email (exploit-kit.rules) * 1:24862 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure (exploit-kit.rules) * 1:24861 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page in an email (exploit-kit.rules) * 1:24860 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure (exploit-kit.rules) * 1:24841 <-> ENABLED <-> EXPLOIT-KIT Sibhost exploit kit outbound JAR download attempt (exploit-kit.rules) * 1:24151 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TrueType font corrupt header attempt (file-pdf.rules) * 1:24150 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TrueType font corrupt header attempt (file-pdf.rules)