VRT Rules 2014-05-27
This release adds and modifies rules in several categories.

The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-identify, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, malware-other, os-windows, protocol-snmp, pua-toolbars, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2014-07-07 21:00:52 UTC

Sourcefire VRT Rules Update

Date: 2014-05-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinSpy variant outbound communication (malware-cnc.rules)
 * 1:31079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)
 * 1:31080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)
 * 1:31077 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 2012.8lungu.com - Win.Trojan.Alurewo (blacklist.rules)
 * 1:31078 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exactlyfind.com - Win.Trojan.Alurewo (blacklist.rules)
 * 1:31075 <-> DISABLED <-> PUA-TOOLBARS AVG anti-virus toolbar download attempt - mmi.explabs.net (pua-toolbars.rules)
 * 1:31076 <-> DISABLED <-> PUA-TOOLBARS Babylon toolbar download attempt - stat.info-stream.net (pua-toolbars.rules)
 * 1:31074 <-> DISABLED <-> PUA-TOOLBARS AVG anti-virus toolbar download attempt - download-toolbar.avg.com (pua-toolbars.rules)
 * 1:31073 <-> ENABLED <-> MALWARE-CNC RemoteSpy connection to CNC server (malware-cnc.rules)
 * 1:31071 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smtp.noproblembro.com - Win.Trojan.Cryfile (blacklist.rules)
 * 1:31072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryfile variant outbound connection (malware-cnc.rules)
 * 1:31069 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:31070 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs outbound connection attempt (malware-cnc.rules)
 * 1:31067 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess ChartThemeConfig SQL injection attempt (server-webapp.rules)
 * 1:31068 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:31065 <-> ENABLED <-> BLACKLIST DNS request for known malware domain odvez.to - Win.Trojan.Tobinload (blacklist.rules)
 * 1:31066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tobinload variant outbound connection (malware-cnc.rules)
 * 1:31063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expone FTP login attempt (malware-cnc.rules)
 * 1:31064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Diatraha variant outbound connection (malware-cnc.rules)
 * 1:31061 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cornelia1.funpic.de - Win.Trojan.Expone (blacklist.rules)
 * 1:31062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expone variant outbound connection (malware-cnc.rules)
 * 1:31059 <-> DISABLED <-> PROTOCOL-SNMP Brocade snAgentUserAccntPassword enumeration attempt (protocol-snmp.rules)
 * 1:31060 <-> ENABLED <-> BLACKLIST DNS request for known malware domain claudia.tipido.net - Win.Trojan.Expone (blacklist.rules)
 * 1:31057 <-> DISABLED <-> PROTOCOL-SNMP Motorola Netopia 3347 series WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31058 <-> DISABLED <-> PROTOCOL-SNMP Brocade snAgentUserAccntName enumeration attempt (protocol-snmp.rules)
 * 1:31055 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:31056 <-> DISABLED <-> PROTOCOL-SNMP Motorola Netopia 3347 series WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31054 <-> ENABLED <-> BLACKLIST DNS request for known malware domain site1379390026.hospedagemdesites.ws - Win.Trojan.Banload (blacklist.rules)

Modified Rules:

 * 1:30993 <-> DISABLED <-> FILE-OTHER invalid ELF padding field value (file-other.rules)
 * 1:31012 <-> ENABLED <-> FILE-PDF Adobe Reader DCT encoded stream null pointer dereference attempt (file-pdf.rules)
 * 1:29010 <-> DISABLED <-> FILE-OTHER GIMP XWD file heap buffer overflow attempt (file-other.rules)
 * 1:30877 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt (file-multimedia.rules)
 * 1:30201 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer merged stylesheet array use after free attempt (browser-ie.rules)
 * 1:18206 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (os-windows.rules)
 * 1:18207 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Address Book msoeres32.dll dll-load exploit attempt (os-windows.rules)
 * 1:18550 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint with embedded Flash file attachment (file-office.rules)
 * 1:19081 <-> DISABLED <-> INDICATOR-OBFUSCATION known suspicious decryption routine (indicator-obfuscation.rules)
 * 1:20879 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Embedded Package Object packager.exe file load exploit attempt (os-windows.rules)
 * 1:23666 <-> ENABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
 * 1:27549 <-> ENABLED <-> MALWARE-OTHER Osx.Trojan.Janicab file download attempt (malware-other.rules)
 * 1:28203 <-> ENABLED <-> FILE-OTHER ATMFD Adobe font driver reserved command denial of service attempt (file-other.rules)
 * 1:28452 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:28536 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28537 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free race condition (file-flash.rules)
 * 1:28592 <-> ENABLED <-> FILE-PDF Adobe Reader TTF remote code execution attempt (file-pdf.rules)
 * 1:28855 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:29544 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29543 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29185 <-> ENABLED <-> FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt (file-other.rules)
 * 1:30218 <-> DISABLED <-> FILE-JAVA Oracle Java font rendering remote code execution attempt (file-java.rules)
 * 1:29722 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31016 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
 * 1:29548 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability (server-webapp.rules)
 * 1:31022 <-> ENABLED <-> FILE-PDF Adobe Reader api call handling arbitrary execution attempt (file-pdf.rules)
 * 1:29547 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability (server-webapp.rules)
 * 1:29546 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29545 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29679 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer swap node user after free (browser-ie.rules)
 * 1:29732 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer list element use after free attempt (browser-ie.rules)
 * 1:29184 <-> ENABLED <-> FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt (file-other.rules)
 * 1:31015 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
 * 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
 * 1:30132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ruby element in media element use after free attempt (browser-ie.rules)
 * 1:29736 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer selectall use after free (browser-ie.rules)
 * 1:30117 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer button element onreadystatechange use after free attempt (browser-ie.rules)
 * 1:30118 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer setEndPoint use after free attempt (browser-ie.rules)
 * 1:30119 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer setEndPoint use after free attempt (browser-ie.rules)
 * 1:30121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pastHTML use after free (browser-ie.rules)
 * 1:30120 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pastHTML use after free (browser-ie.rules)
 * 1:29735 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer selectall use after free (browser-ie.rules)
 * 1:30509 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 swapNode use after free attempt (browser-ie.rules)
 * 1:30540 <-> DISABLED <-> FILE-FLASH Adobe Flash Player navigateToUrl hidden channel to file creation (file-flash.rules)
 * 1:28995 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Backdoor Remote Shell Server download (malware-cnc.rules)
 * 1:28960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)
 * 1:30846 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF ActionScript exploit attempt (file-flash.rules)

Sourcefire VRT Rules Update

Date: 2014-05-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinSpy variant outbound communication (malware-cnc.rules)
 * 1:31079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)
 * 1:31080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)
 * 1:31077 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 2012.8lungu.com - Win.Trojan.Alurewo (blacklist.rules)
 * 1:31078 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exactlyfind.com - Win.Trojan.Alurewo (blacklist.rules)
 * 1:31075 <-> DISABLED <-> PUA-TOOLBARS AVG anti-virus toolbar download attempt - mmi.explabs.net (pua-toolbars.rules)
 * 1:31076 <-> DISABLED <-> PUA-TOOLBARS Babylon toolbar download attempt - stat.info-stream.net (pua-toolbars.rules)
 * 1:31074 <-> DISABLED <-> PUA-TOOLBARS AVG anti-virus toolbar download attempt - download-toolbar.avg.com (pua-toolbars.rules)
 * 1:31072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryfile variant outbound connection (malware-cnc.rules)
 * 1:31073 <-> ENABLED <-> MALWARE-CNC RemoteSpy connection to CNC server (malware-cnc.rules)
 * 1:31070 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs outbound connection attempt (malware-cnc.rules)
 * 1:31071 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smtp.noproblembro.com - Win.Trojan.Cryfile (blacklist.rules)
 * 1:31069 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:31067 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess ChartThemeConfig SQL injection attempt (server-webapp.rules)
 * 1:31068 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:31066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tobinload variant outbound connection (malware-cnc.rules)
 * 1:31065 <-> ENABLED <-> BLACKLIST DNS request for known malware domain odvez.to - Win.Trojan.Tobinload (blacklist.rules)
 * 1:31063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expone FTP login attempt (malware-cnc.rules)
 * 1:31064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Diatraha variant outbound connection (malware-cnc.rules)
 * 1:31061 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cornelia1.funpic.de - Win.Trojan.Expone (blacklist.rules)
 * 1:31062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expone variant outbound connection (malware-cnc.rules)
 * 1:31059 <-> DISABLED <-> PROTOCOL-SNMP Brocade snAgentUserAccntPassword enumeration attempt (protocol-snmp.rules)
 * 1:31060 <-> ENABLED <-> BLACKLIST DNS request for known malware domain claudia.tipido.net - Win.Trojan.Expone (blacklist.rules)
 * 1:31057 <-> DISABLED <-> PROTOCOL-SNMP Motorola Netopia 3347 series WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31058 <-> DISABLED <-> PROTOCOL-SNMP Brocade snAgentUserAccntName enumeration attempt (protocol-snmp.rules)
 * 1:31056 <-> DISABLED <-> PROTOCOL-SNMP Motorola Netopia 3347 series WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31054 <-> ENABLED <-> BLACKLIST DNS request for known malware domain site1379390026.hospedagemdesites.ws - Win.Trojan.Banload (blacklist.rules)
 * 1:31055 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:30877 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt (file-multimedia.rules)
 * 1:30201 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer merged stylesheet array use after free attempt (browser-ie.rules)
 * 1:18206 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (os-windows.rules)
 * 1:18207 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Address Book msoeres32.dll dll-load exploit attempt (os-windows.rules)
 * 1:18550 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint with embedded Flash file attachment (file-office.rules)
 * 1:19081 <-> DISABLED <-> INDICATOR-OBFUSCATION known suspicious decryption routine (indicator-obfuscation.rules)
 * 1:20879 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Embedded Package Object packager.exe file load exploit attempt (os-windows.rules)
 * 1:23666 <-> ENABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
 * 1:27549 <-> ENABLED <-> MALWARE-OTHER Osx.Trojan.Janicab file download attempt (malware-other.rules)
 * 1:28203 <-> ENABLED <-> FILE-OTHER ATMFD Adobe font driver reserved command denial of service attempt (file-other.rules)
 * 1:28452 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:28536 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28537 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free race condition (file-flash.rules)
 * 1:28592 <-> ENABLED <-> FILE-PDF Adobe Reader TTF remote code execution attempt (file-pdf.rules)
 * 1:28855 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:29543 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29544 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29185 <-> ENABLED <-> FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt (file-other.rules)
 * 1:31016 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
 * 1:29545 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29546 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29547 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability (server-webapp.rules)
 * 1:29548 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability (server-webapp.rules)
 * 1:30993 <-> DISABLED <-> FILE-OTHER invalid ELF padding field value (file-other.rules)
 * 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
 * 1:31012 <-> ENABLED <-> FILE-PDF Adobe Reader DCT encoded stream null pointer dereference attempt (file-pdf.rules)
 * 1:31015 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
 * 1:29184 <-> ENABLED <-> FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt (file-other.rules)
 * 1:29010 <-> DISABLED <-> FILE-OTHER GIMP XWD file heap buffer overflow attempt (file-other.rules)
 * 1:29679 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer swap node user after free (browser-ie.rules)
 * 1:29722 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:29732 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer list element use after free attempt (browser-ie.rules)
 * 1:29736 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer selectall use after free (browser-ie.rules)
 * 1:30117 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer button element onreadystatechange use after free attempt (browser-ie.rules)
 * 1:30118 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer setEndPoint use after free attempt (browser-ie.rules)
 * 1:30119 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer setEndPoint use after free attempt (browser-ie.rules)
 * 1:30120 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pastHTML use after free (browser-ie.rules)
 * 1:30132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ruby element in media element use after free attempt (browser-ie.rules)
 * 1:30121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pastHTML use after free (browser-ie.rules)
 * 1:29735 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer selectall use after free (browser-ie.rules)
 * 1:30218 <-> DISABLED <-> FILE-JAVA Oracle Java font rendering remote code execution attempt (file-java.rules)
 * 1:31022 <-> ENABLED <-> FILE-PDF Adobe Reader api call handling arbitrary execution attempt (file-pdf.rules)
 * 1:30509 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 swapNode use after free attempt (browser-ie.rules)
 * 1:30540 <-> DISABLED <-> FILE-FLASH Adobe Flash Player navigateToUrl hidden channel to file creation (file-flash.rules)
 * 1:30846 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF ActionScript exploit attempt (file-flash.rules)
 * 1:28995 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Backdoor Remote Shell Server download (malware-cnc.rules)
 * 1:28960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)

Sourcefire VRT Rules Update

Date: 2014-05-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinSpy variant outbound communication (malware-cnc.rules)
 * 1:31080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)
 * 1:31079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)
 * 1:31078 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exactlyfind.com - Win.Trojan.Alurewo (blacklist.rules)
 * 1:31077 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 2012.8lungu.com - Win.Trojan.Alurewo (blacklist.rules)
 * 1:31076 <-> DISABLED <-> PUA-TOOLBARS Babylon toolbar download attempt - stat.info-stream.net (pua-toolbars.rules)
 * 1:31075 <-> DISABLED <-> PUA-TOOLBARS AVG anti-virus toolbar download attempt - mmi.explabs.net (pua-toolbars.rules)
 * 1:31074 <-> DISABLED <-> PUA-TOOLBARS AVG anti-virus toolbar download attempt - download-toolbar.avg.com (pua-toolbars.rules)
 * 1:31073 <-> ENABLED <-> MALWARE-CNC RemoteSpy connection to CNC server (malware-cnc.rules)
 * 1:31072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryfile variant outbound connection (malware-cnc.rules)
 * 1:31071 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smtp.noproblembro.com - Win.Trojan.Cryfile (blacklist.rules)
 * 1:31070 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs outbound connection attempt (malware-cnc.rules)
 * 1:31069 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:31068 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:31067 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess ChartThemeConfig SQL injection attempt (server-webapp.rules)
 * 1:31066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tobinload variant outbound connection (malware-cnc.rules)
 * 1:31065 <-> ENABLED <-> BLACKLIST DNS request for known malware domain odvez.to - Win.Trojan.Tobinload (blacklist.rules)
 * 1:31064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Diatraha variant outbound connection (malware-cnc.rules)
 * 1:31063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expone FTP login attempt (malware-cnc.rules)
 * 1:31062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expone variant outbound connection (malware-cnc.rules)
 * 1:31061 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cornelia1.funpic.de - Win.Trojan.Expone (blacklist.rules)
 * 1:31060 <-> ENABLED <-> BLACKLIST DNS request for known malware domain claudia.tipido.net - Win.Trojan.Expone (blacklist.rules)
 * 1:31059 <-> DISABLED <-> PROTOCOL-SNMP Brocade snAgentUserAccntPassword enumeration attempt (protocol-snmp.rules)
 * 1:31058 <-> DISABLED <-> PROTOCOL-SNMP Brocade snAgentUserAccntName enumeration attempt (protocol-snmp.rules)
 * 1:31057 <-> DISABLED <-> PROTOCOL-SNMP Motorola Netopia 3347 series WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31056 <-> DISABLED <-> PROTOCOL-SNMP Motorola Netopia 3347 series WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31055 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:31054 <-> ENABLED <-> BLACKLIST DNS request for known malware domain site1379390026.hospedagemdesites.ws - Win.Trojan.Banload (blacklist.rules)

Modified Rules:

 * 1:31022 <-> ENABLED <-> FILE-PDF Adobe Reader api call handling arbitrary execution attempt (file-pdf.rules)
 * 1:31016 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
 * 1:31015 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
 * 1:31012 <-> ENABLED <-> FILE-PDF Adobe Reader DCT encoded stream null pointer dereference attempt (file-pdf.rules)
 * 1:30993 <-> DISABLED <-> FILE-OTHER invalid ELF padding field value (file-other.rules)
 * 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
 * 1:30846 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF ActionScript exploit attempt (file-flash.rules)
 * 1:30877 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt (file-multimedia.rules)
 * 1:30540 <-> DISABLED <-> FILE-FLASH Adobe Flash Player navigateToUrl hidden channel to file creation (file-flash.rules)
 * 1:30509 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 swapNode use after free attempt (browser-ie.rules)
 * 1:30218 <-> DISABLED <-> FILE-JAVA Oracle Java font rendering remote code execution attempt (file-java.rules)
 * 1:30201 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer merged stylesheet array use after free attempt (browser-ie.rules)
 * 1:29735 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer selectall use after free (browser-ie.rules)
 * 1:30132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ruby element in media element use after free attempt (browser-ie.rules)
 * 1:30121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pastHTML use after free (browser-ie.rules)
 * 1:30120 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pastHTML use after free (browser-ie.rules)
 * 1:30119 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer setEndPoint use after free attempt (browser-ie.rules)
 * 1:30118 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer setEndPoint use after free attempt (browser-ie.rules)
 * 1:30117 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer button element onreadystatechange use after free attempt (browser-ie.rules)
 * 1:29736 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer selectall use after free (browser-ie.rules)
 * 1:29732 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer list element use after free attempt (browser-ie.rules)
 * 1:29722 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:29679 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer swap node user after free (browser-ie.rules)
 * 1:18206 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (os-windows.rules)
 * 1:18207 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Address Book msoeres32.dll dll-load exploit attempt (os-windows.rules)
 * 1:29548 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability (server-webapp.rules)
 * 1:18550 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint with embedded Flash file attachment (file-office.rules)
 * 1:19081 <-> DISABLED <-> INDICATOR-OBFUSCATION known suspicious decryption routine (indicator-obfuscation.rules)
 * 1:20879 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Embedded Package Object packager.exe file load exploit attempt (os-windows.rules)
 * 1:29547 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability (server-webapp.rules)
 * 1:23666 <-> ENABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
 * 1:27549 <-> ENABLED <-> MALWARE-OTHER Osx.Trojan.Janicab file download attempt (malware-other.rules)
 * 1:28203 <-> ENABLED <-> FILE-OTHER ATMFD Adobe font driver reserved command denial of service attempt (file-other.rules)
 * 1:28452 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:29546 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:28536 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28537 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free race condition (file-flash.rules)
 * 1:28592 <-> ENABLED <-> FILE-PDF Adobe Reader TTF remote code execution attempt (file-pdf.rules)
 * 1:28855 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:29545 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29544 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29543 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29185 <-> ENABLED <-> FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt (file-other.rules)
 * 1:29184 <-> ENABLED <-> FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt (file-other.rules)
 * 1:29010 <-> DISABLED <-> FILE-OTHER GIMP XWD file heap buffer overflow attempt (file-other.rules)
 * 1:28995 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Backdoor Remote Shell Server download (malware-cnc.rules)
 * 1:28960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)