VRT Rules 2014-05-27
This release adds and modifies rules in several categories.

The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-identify, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, malware-other, os-windows, protocol-snmp, pua-toolbars, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-07-07 21:00:52 UTC

Sourcefire VRT Rules Update

Date: 2014-05-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinSpy variant outbound communication (malware-cnc.rules)
 * 1:31079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)
 * 1:31080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)
 * 1:31077 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 2012.8lungu.com - Win.Trojan.Alurewo (blacklist.rules)
 * 1:31078 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exactlyfind.com - Win.Trojan.Alurewo (blacklist.rules)
 * 1:31075 <-> DISABLED <-> PUA-TOOLBARS AVG anti-virus toolbar download attempt - mmi.explabs.net (pua-toolbars.rules)
 * 1:31076 <-> DISABLED <-> PUA-TOOLBARS Babylon toolbar download attempt - stat.info-stream.net (pua-toolbars.rules)
 * 1:31074 <-> DISABLED <-> PUA-TOOLBARS AVG anti-virus toolbar download attempt - download-toolbar.avg.com (pua-toolbars.rules)
 * 1:31073 <-> ENABLED <-> MALWARE-CNC RemoteSpy connection to CNC server (malware-cnc.rules)
 * 1:31071 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smtp.noproblembro.com - Win.Trojan.Cryfile (blacklist.rules)
 * 1:31072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryfile variant outbound connection (malware-cnc.rules)
 * 1:31069 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:31070 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs outbound connection attempt (malware-cnc.rules)
 * 1:31067 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess ChartThemeConfig SQL injection attempt (server-webapp.rules)
 * 1:31068 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:31065 <-> ENABLED <-> BLACKLIST DNS request for known malware domain odvez.to - Win.Trojan.Tobinload (blacklist.rules)
 * 1:31066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tobinload variant outbound connection (malware-cnc.rules)
 * 1:31063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expone FTP login attempt (malware-cnc.rules)
 * 1:31064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Diatraha variant outbound connection (malware-cnc.rules)
 * 1:31061 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cornelia1.funpic.de - Win.Trojan.Expone (blacklist.rules)
 * 1:31062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expone variant outbound connection (malware-cnc.rules)
 * 1:31059 <-> DISABLED <-> PROTOCOL-SNMP Brocade snAgentUserAccntPassword enumeration attempt (protocol-snmp.rules)
 * 1:31060 <-> ENABLED <-> BLACKLIST DNS request for known malware domain claudia.tipido.net - Win.Trojan.Expone (blacklist.rules)
 * 1:31057 <-> DISABLED <-> PROTOCOL-SNMP Motorola Netopia 3347 series WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31058 <-> DISABLED <-> PROTOCOL-SNMP Brocade snAgentUserAccntName enumeration attempt (protocol-snmp.rules)
 * 1:31055 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:31056 <-> DISABLED <-> PROTOCOL-SNMP Motorola Netopia 3347 series WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31054 <-> ENABLED <-> BLACKLIST DNS request for known malware domain site1379390026.hospedagemdesites.ws - Win.Trojan.Banload (blacklist.rules)

Modified Rules:


 * 1:30993 <-> DISABLED <-> FILE-OTHER invalid ELF padding field value (file-other.rules)
 * 1:31012 <-> ENABLED <-> FILE-PDF Adobe Reader DCT encoded stream null pointer dereference attempt (file-pdf.rules)
 * 1:29010 <-> DISABLED <-> FILE-OTHER GIMP XWD file heap buffer overflow attempt (file-other.rules)
 * 1:30877 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt (file-multimedia.rules)
 * 1:30201 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer merged stylesheet array use after free attempt (browser-ie.rules)
 * 1:18206 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (os-windows.rules)
 * 1:18207 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Address Book msoeres32.dll dll-load exploit attempt (os-windows.rules)
 * 1:18550 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint with embedded Flash file attachment (file-office.rules)
 * 1:19081 <-> DISABLED <-> INDICATOR-OBFUSCATION known suspicious decryption routine (indicator-obfuscation.rules)
 * 1:20879 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Embedded Package Object packager.exe file load exploit attempt (os-windows.rules)
 * 1:23666 <-> ENABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
 * 1:27549 <-> ENABLED <-> MALWARE-OTHER Osx.Trojan.Janicab file download attempt (malware-other.rules)
 * 1:28203 <-> ENABLED <-> FILE-OTHER ATMFD Adobe font driver reserved command denial of service attempt (file-other.rules)
 * 1:28452 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:28536 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28537 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free race condition (file-flash.rules)
 * 1:28592 <-> ENABLED <-> FILE-PDF Adobe Reader TTF remote code execution attempt (file-pdf.rules)
 * 1:28855 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:29544 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29543 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29185 <-> ENABLED <-> FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt (file-other.rules)
 * 1:30218 <-> DISABLED <-> FILE-JAVA Oracle Java font rendering remote code execution attempt (file-java.rules)
 * 1:29722 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31016 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
 * 1:29548 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability (server-webapp.rules)
 * 1:31022 <-> ENABLED <-> FILE-PDF Adobe Reader api call handling arbitrary execution attempt (file-pdf.rules)
 * 1:29547 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability (server-webapp.rules)
 * 1:29546 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29545 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29679 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer swap node user after free (browser-ie.rules)
 * 1:29732 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer list element use after free attempt (browser-ie.rules)
 * 1:29184 <-> ENABLED <-> FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt (file-other.rules)
 * 1:31015 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
 * 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
 * 1:30132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ruby element in media element use after free attempt (browser-ie.rules)
 * 1:29736 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer selectall use after free (browser-ie.rules)
 * 1:30117 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer button element onreadystatechange use after free attempt (browser-ie.rules)
 * 1:30118 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer setEndPoint use after free attempt (browser-ie.rules)
 * 1:30119 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer setEndPoint use after free attempt (browser-ie.rules)
 * 1:30121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pastHTML use after free (browser-ie.rules)
 * 1:30120 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pastHTML use after free (browser-ie.rules)
 * 1:29735 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer selectall use after free (browser-ie.rules)
 * 1:30509 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 swapNode use after free attempt (browser-ie.rules)
 * 1:30540 <-> DISABLED <-> FILE-FLASH Adobe Flash Player navigateToUrl hidden channel to file creation (file-flash.rules)
 * 1:28995 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Backdoor Remote Shell Server download (malware-cnc.rules)
 * 1:28960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)
 * 1:30846 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF ActionScript exploit attempt (file-flash.rules)

2014-07-07 21:00:52 UTC

Sourcefire VRT Rules Update

Date: 2014-05-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinSpy variant outbound communication (malware-cnc.rules)
 * 1:31079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)
 * 1:31080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)
 * 1:31077 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 2012.8lungu.com - Win.Trojan.Alurewo (blacklist.rules)
 * 1:31078 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exactlyfind.com - Win.Trojan.Alurewo (blacklist.rules)
 * 1:31075 <-> DISABLED <-> PUA-TOOLBARS AVG anti-virus toolbar download attempt - mmi.explabs.net (pua-toolbars.rules)
 * 1:31076 <-> DISABLED <-> PUA-TOOLBARS Babylon toolbar download attempt - stat.info-stream.net (pua-toolbars.rules)
 * 1:31074 <-> DISABLED <-> PUA-TOOLBARS AVG anti-virus toolbar download attempt - download-toolbar.avg.com (pua-toolbars.rules)
 * 1:31072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryfile variant outbound connection (malware-cnc.rules)
 * 1:31073 <-> ENABLED <-> MALWARE-CNC RemoteSpy connection to CNC server (malware-cnc.rules)
 * 1:31070 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs outbound connection attempt (malware-cnc.rules)
 * 1:31071 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smtp.noproblembro.com - Win.Trojan.Cryfile (blacklist.rules)
 * 1:31069 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:31067 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess ChartThemeConfig SQL injection attempt (server-webapp.rules)
 * 1:31068 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:31066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tobinload variant outbound connection (malware-cnc.rules)
 * 1:31065 <-> ENABLED <-> BLACKLIST DNS request for known malware domain odvez.to - Win.Trojan.Tobinload (blacklist.rules)
 * 1:31063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expone FTP login attempt (malware-cnc.rules)
 * 1:31064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Diatraha variant outbound connection (malware-cnc.rules)
 * 1:31061 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cornelia1.funpic.de - Win.Trojan.Expone (blacklist.rules)
 * 1:31062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expone variant outbound connection (malware-cnc.rules)
 * 1:31059 <-> DISABLED <-> PROTOCOL-SNMP Brocade snAgentUserAccntPassword enumeration attempt (protocol-snmp.rules)
 * 1:31060 <-> ENABLED <-> BLACKLIST DNS request for known malware domain claudia.tipido.net - Win.Trojan.Expone (blacklist.rules)
 * 1:31057 <-> DISABLED <-> PROTOCOL-SNMP Motorola Netopia 3347 series WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31058 <-> DISABLED <-> PROTOCOL-SNMP Brocade snAgentUserAccntName enumeration attempt (protocol-snmp.rules)
 * 1:31056 <-> DISABLED <-> PROTOCOL-SNMP Motorola Netopia 3347 series WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31054 <-> ENABLED <-> BLACKLIST DNS request for known malware domain site1379390026.hospedagemdesites.ws - Win.Trojan.Banload (blacklist.rules)
 * 1:31055 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:30877 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt (file-multimedia.rules)
 * 1:30201 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer merged stylesheet array use after free attempt (browser-ie.rules)
 * 1:18206 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (os-windows.rules)
 * 1:18207 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Address Book msoeres32.dll dll-load exploit attempt (os-windows.rules)
 * 1:18550 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint with embedded Flash file attachment (file-office.rules)
 * 1:19081 <-> DISABLED <-> INDICATOR-OBFUSCATION known suspicious decryption routine (indicator-obfuscation.rules)
 * 1:20879 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Embedded Package Object packager.exe file load exploit attempt (os-windows.rules)
 * 1:23666 <-> ENABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
 * 1:27549 <-> ENABLED <-> MALWARE-OTHER Osx.Trojan.Janicab file download attempt (malware-other.rules)
 * 1:28203 <-> ENABLED <-> FILE-OTHER ATMFD Adobe font driver reserved command denial of service attempt (file-other.rules)
 * 1:28452 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:28536 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28537 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free race condition (file-flash.rules)
 * 1:28592 <-> ENABLED <-> FILE-PDF Adobe Reader TTF remote code execution attempt (file-pdf.rules)
 * 1:28855 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:29543 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29544 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29185 <-> ENABLED <-> FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt (file-other.rules)
 * 1:31016 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
 * 1:29545 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29546 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29547 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability (server-webapp.rules)
 * 1:29548 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability (server-webapp.rules)
 * 1:30993 <-> DISABLED <-> FILE-OTHER invalid ELF padding field value (file-other.rules)
 * 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
 * 1:31012 <-> ENABLED <-> FILE-PDF Adobe Reader DCT encoded stream null pointer dereference attempt (file-pdf.rules)
 * 1:31015 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
 * 1:29184 <-> ENABLED <-> FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt (file-other.rules)
 * 1:29010 <-> DISABLED <-> FILE-OTHER GIMP XWD file heap buffer overflow attempt (file-other.rules)
 * 1:29679 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer swap node user after free (browser-ie.rules)
 * 1:29722 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:29732 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer list element use after free attempt (browser-ie.rules)
 * 1:29736 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer selectall use after free (browser-ie.rules)
 * 1:30117 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer button element onreadystatechange use after free attempt (browser-ie.rules)
 * 1:30118 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer setEndPoint use after free attempt (browser-ie.rules)
 * 1:30119 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer setEndPoint use after free attempt (browser-ie.rules)
 * 1:30120 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pastHTML use after free (browser-ie.rules)
 * 1:30132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ruby element in media element use after free attempt (browser-ie.rules)
 * 1:30121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pastHTML use after free (browser-ie.rules)
 * 1:29735 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer selectall use after free (browser-ie.rules)
 * 1:30218 <-> DISABLED <-> FILE-JAVA Oracle Java font rendering remote code execution attempt (file-java.rules)
 * 1:31022 <-> ENABLED <-> FILE-PDF Adobe Reader api call handling arbitrary execution attempt (file-pdf.rules)
 * 1:30509 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 swapNode use after free attempt (browser-ie.rules)
 * 1:30540 <-> DISABLED <-> FILE-FLASH Adobe Flash Player navigateToUrl hidden channel to file creation (file-flash.rules)
 * 1:30846 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF ActionScript exploit attempt (file-flash.rules)
 * 1:28995 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Backdoor Remote Shell Server download (malware-cnc.rules)
 * 1:28960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)

2014-07-07 21:00:52 UTC

Sourcefire VRT Rules Update

Date: 2014-05-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinSpy variant outbound communication (malware-cnc.rules)
 * 1:31080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)
 * 1:31079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)
 * 1:31078 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exactlyfind.com - Win.Trojan.Alurewo (blacklist.rules)
 * 1:31077 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 2012.8lungu.com - Win.Trojan.Alurewo (blacklist.rules)
 * 1:31076 <-> DISABLED <-> PUA-TOOLBARS Babylon toolbar download attempt - stat.info-stream.net (pua-toolbars.rules)
 * 1:31075 <-> DISABLED <-> PUA-TOOLBARS AVG anti-virus toolbar download attempt - mmi.explabs.net (pua-toolbars.rules)
 * 1:31074 <-> DISABLED <-> PUA-TOOLBARS AVG anti-virus toolbar download attempt - download-toolbar.avg.com (pua-toolbars.rules)
 * 1:31073 <-> ENABLED <-> MALWARE-CNC RemoteSpy connection to CNC server (malware-cnc.rules)
 * 1:31072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryfile variant outbound connection (malware-cnc.rules)
 * 1:31071 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smtp.noproblembro.com - Win.Trojan.Cryfile (blacklist.rules)
 * 1:31070 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs outbound connection attempt (malware-cnc.rules)
 * 1:31069 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:31068 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:31067 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess ChartThemeConfig SQL injection attempt (server-webapp.rules)
 * 1:31066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tobinload variant outbound connection (malware-cnc.rules)
 * 1:31065 <-> ENABLED <-> BLACKLIST DNS request for known malware domain odvez.to - Win.Trojan.Tobinload (blacklist.rules)
 * 1:31064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Diatraha variant outbound connection (malware-cnc.rules)
 * 1:31063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expone FTP login attempt (malware-cnc.rules)
 * 1:31062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expone variant outbound connection (malware-cnc.rules)
 * 1:31061 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cornelia1.funpic.de - Win.Trojan.Expone (blacklist.rules)
 * 1:31060 <-> ENABLED <-> BLACKLIST DNS request for known malware domain claudia.tipido.net - Win.Trojan.Expone (blacklist.rules)
 * 1:31059 <-> DISABLED <-> PROTOCOL-SNMP Brocade snAgentUserAccntPassword enumeration attempt (protocol-snmp.rules)
 * 1:31058 <-> DISABLED <-> PROTOCOL-SNMP Brocade snAgentUserAccntName enumeration attempt (protocol-snmp.rules)
 * 1:31057 <-> DISABLED <-> PROTOCOL-SNMP Motorola Netopia 3347 series WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31056 <-> DISABLED <-> PROTOCOL-SNMP Motorola Netopia 3347 series WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31055 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:31054 <-> ENABLED <-> BLACKLIST DNS request for known malware domain site1379390026.hospedagemdesites.ws - Win.Trojan.Banload (blacklist.rules)

Modified Rules:


 * 1:31022 <-> ENABLED <-> FILE-PDF Adobe Reader api call handling arbitrary execution attempt (file-pdf.rules)
 * 1:31016 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
 * 1:31015 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
 * 1:31012 <-> ENABLED <-> FILE-PDF Adobe Reader DCT encoded stream null pointer dereference attempt (file-pdf.rules)
 * 1:30993 <-> DISABLED <-> FILE-OTHER invalid ELF padding field value (file-other.rules)
 * 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
 * 1:30846 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF ActionScript exploit attempt (file-flash.rules)
 * 1:30877 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt (file-multimedia.rules)
 * 1:30540 <-> DISABLED <-> FILE-FLASH Adobe Flash Player navigateToUrl hidden channel to file creation (file-flash.rules)
 * 1:30509 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 swapNode use after free attempt (browser-ie.rules)
 * 1:30218 <-> DISABLED <-> FILE-JAVA Oracle Java font rendering remote code execution attempt (file-java.rules)
 * 1:30201 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer merged stylesheet array use after free attempt (browser-ie.rules)
 * 1:29735 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer selectall use after free (browser-ie.rules)
 * 1:30132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ruby element in media element use after free attempt (browser-ie.rules)
 * 1:30121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pastHTML use after free (browser-ie.rules)
 * 1:30120 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pastHTML use after free (browser-ie.rules)
 * 1:30119 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer setEndPoint use after free attempt (browser-ie.rules)
 * 1:30118 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer setEndPoint use after free attempt (browser-ie.rules)
 * 1:30117 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer button element onreadystatechange use after free attempt (browser-ie.rules)
 * 1:29736 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer selectall use after free (browser-ie.rules)
 * 1:29732 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer list element use after free attempt (browser-ie.rules)
 * 1:29722 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:29679 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer swap node user after free (browser-ie.rules)
 * 1:18206 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (os-windows.rules)
 * 1:18207 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Address Book msoeres32.dll dll-load exploit attempt (os-windows.rules)
 * 1:29548 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability (server-webapp.rules)
 * 1:18550 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint with embedded Flash file attachment (file-office.rules)
 * 1:19081 <-> DISABLED <-> INDICATOR-OBFUSCATION known suspicious decryption routine (indicator-obfuscation.rules)
 * 1:20879 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Embedded Package Object packager.exe file load exploit attempt (os-windows.rules)
 * 1:29547 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability (server-webapp.rules)
 * 1:23666 <-> ENABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
 * 1:27549 <-> ENABLED <-> MALWARE-OTHER Osx.Trojan.Janicab file download attempt (malware-other.rules)
 * 1:28203 <-> ENABLED <-> FILE-OTHER ATMFD Adobe font driver reserved command denial of service attempt (file-other.rules)
 * 1:28452 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:29546 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:28536 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28537 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free race condition (file-flash.rules)
 * 1:28592 <-> ENABLED <-> FILE-PDF Adobe Reader TTF remote code execution attempt (file-pdf.rules)
 * 1:28855 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:29545 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29544 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29543 <-> ENABLED <-> FILE-MULTIMEDIA WAV processing buffer overflow attempt (file-multimedia.rules)
 * 1:29185 <-> ENABLED <-> FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt (file-other.rules)
 * 1:29184 <-> ENABLED <-> FILE-OTHER RealNetworks RealPlayer RMP stack buffer overflow attempt (file-other.rules)
 * 1:29010 <-> DISABLED <-> FILE-OTHER GIMP XWD file heap buffer overflow attempt (file-other.rules)
 * 1:28995 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Backdoor Remote Shell Server download (malware-cnc.rules)
 * 1:28960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alurewo outbound connection (malware-cnc.rules)