Talos Rules 2020-05-21
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-multimedia, file-office, file-other, indicator-shellcode, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-05-21 11:59:34 UTC

Snort Subscriber Rules Update

Date: 2020-05-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (malware-other.rules)
 * 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (malware-cnc.rules)
 * 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
 * 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
 * 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
 * 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
 * 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (malware-cnc.rules)
 * 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (malware-cnc.rules)
 * 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (malware-cnc.rules)
 * 3:54024 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54025 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54026 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54027 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54028 <-> ENABLED <-> INDICATOR-SHELLCODE Java RMI deserialization exploit attempt (indicator-shellcode.rules)
 * 3:54034 <-> ENABLED <-> SERVER-OTHER Cisco Prime Network Registrar denial of service attempt (server-other.rules)

Modified Rules:


 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
 * 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
 * 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
 * 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
 * 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
 * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)
 * 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)
 * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)

2020-05-21 11:59:34 UTC

Snort Subscriber Rules Update

Date: 2020-05-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
 * 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (malware-cnc.rules)
 * 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (malware-cnc.rules)
 * 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (malware-other.rules)
 * 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (malware-cnc.rules)
 * 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (malware-cnc.rules)
 * 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
 * 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
 * 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
 * 3:54024 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54026 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54028 <-> ENABLED <-> INDICATOR-SHELLCODE Java RMI deserialization exploit attempt (indicator-shellcode.rules)
 * 3:54034 <-> ENABLED <-> SERVER-OTHER Cisco Prime Network Registrar denial of service attempt (server-other.rules)
 * 3:54027 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54025 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)

Modified Rules:


 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
 * 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
 * 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
 * 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
 * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)
 * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)

2020-05-21 11:59:34 UTC

Snort Subscriber Rules Update

Date: 2020-05-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (malware-cnc.rules)
 * 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (malware-cnc.rules)
 * 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (malware-other.rules)
 * 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
 * 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
 * 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
 * 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (malware-cnc.rules)
 * 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
 * 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (malware-cnc.rules)
 * 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 3:54034 <-> ENABLED <-> SERVER-OTHER Cisco Prime Network Registrar denial of service attempt (server-other.rules)
 * 3:54024 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54027 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54028 <-> ENABLED <-> INDICATOR-SHELLCODE Java RMI deserialization exploit attempt (indicator-shellcode.rules)
 * 3:54026 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54025 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)

Modified Rules:


 * 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
 * 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
 * 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
 * 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
 * 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)
 * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)
 * 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)

2020-05-21 11:59:34 UTC

Snort Subscriber Rules Update

Date: 2020-05-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
 * 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (malware-cnc.rules)
 * 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
 * 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (malware-cnc.rules)
 * 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (malware-other.rules)
 * 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
 * 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
 * 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (malware-cnc.rules)
 * 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (malware-cnc.rules)
 * 3:54025 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54024 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54027 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54034 <-> ENABLED <-> SERVER-OTHER Cisco Prime Network Registrar denial of service attempt (server-other.rules)
 * 3:54026 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54028 <-> ENABLED <-> INDICATOR-SHELLCODE Java RMI deserialization exploit attempt (indicator-shellcode.rules)

Modified Rules:


 * 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
 * 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
 * 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
 * 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
 * 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)
 * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)

2020-05-21 11:59:34 UTC

Snort Subscriber Rules Update

Date: 2020-05-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (malware-cnc.rules)
 * 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
 * 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
 * 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (malware-cnc.rules)
 * 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
 * 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (malware-other.rules)
 * 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (malware-cnc.rules)
 * 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
 * 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (malware-cnc.rules)
 * 3:54024 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54025 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54026 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54027 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54028 <-> ENABLED <-> INDICATOR-SHELLCODE Java RMI deserialization exploit attempt (indicator-shellcode.rules)
 * 3:54034 <-> ENABLED <-> SERVER-OTHER Cisco Prime Network Registrar denial of service attempt (server-other.rules)

Modified Rules:


 * 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
 * 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
 * 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
 * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)
 * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
 * 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)

2020-05-21 11:59:34 UTC

Snort Subscriber Rules Update

Date: 2020-05-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (malware-cnc.rules)
 * 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (malware-cnc.rules)
 * 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (malware-cnc.rules)
 * 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
 * 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (malware-cnc.rules)
 * 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
 * 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (malware-other.rules)
 * 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
 * 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
 * 3:54034 <-> ENABLED <-> SERVER-OTHER Cisco Prime Network Registrar denial of service attempt (server-other.rules)
 * 3:54027 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54026 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54028 <-> ENABLED <-> INDICATOR-SHELLCODE Java RMI deserialization exploit attempt (indicator-shellcode.rules)
 * 3:54025 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54024 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)

Modified Rules:


 * 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
 * 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
 * 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
 * 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)
 * 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)
 * 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
 * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)

2020-05-21 11:59:34 UTC

Snort Subscriber Rules Update

Date: 2020-05-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules)
 * 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (snort3-malware-cnc.rules)
 * 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules)
 * 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules)
 * 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (snort3-malware-other.rules)
 * 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (snort3-malware-other.rules)
 * 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules)
 * 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (snort3-malware-other.rules)
 * 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (snort3-malware-other.rules)
 * 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (snort3-malware-cnc.rules)
 * 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (snort3-malware-other.rules)
 * 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (snort3-malware-other.rules)
 * 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (snort3-malware-cnc.rules)
 * 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (snort3-server-other.rules)
 * 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (snort3-server-other.rules)
 * 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (snort3-malware-cnc.rules)

Modified Rules:


 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (snort3-file-multimedia.rules)
 * 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (snort3-malware-cnc.rules)
 * 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (snort3-browser-ie.rules)
 * 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (snort3-file-other.rules)
 * 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (snort3-file-office.rules)
 * 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (snort3-browser-ie.rules)
 * 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (snort3-malware-cnc.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (snort3-file-multimedia.rules)
 * 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (snort3-server-other.rules)
 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (snort3-indicator-shellcode.rules)
 * 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (snort3-server-other.rules)
 * 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (snort3-file-other.rules)

2020-05-21 11:59:34 UTC

Snort Subscriber Rules Update

Date: 2020-05-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (malware-cnc.rules)
 * 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
 * 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (malware-other.rules)
 * 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (malware-cnc.rules)
 * 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
 * 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
 * 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (malware-cnc.rules)
 * 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
 * 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (malware-cnc.rules)
 * 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 3:54027 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54025 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54028 <-> ENABLED <-> INDICATOR-SHELLCODE Java RMI deserialization exploit attempt (indicator-shellcode.rules)
 * 3:54026 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54024 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
 * 3:54034 <-> ENABLED <-> SERVER-OTHER Cisco Prime Network Registrar denial of service attempt (server-other.rules)

Modified Rules:


 * 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
 * 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
 * 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)
 * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
 * 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)
 * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)