The VRT has added and modified multiple rules in the blacklist, browser-ie, browser-other, browser-plugins, exploit-kit, file-executable, file-flash, file-image, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-shellcode, malware-cnc, malware-other, netbios, os-linux, os-other, os-windows, policy-social, protocol-dns, protocol-icmp, protocol-nntp, protocol-snmp, protocol-voip, pua-p2p, server-apache, server-iis, server-mail, server-mysql, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ltc.give-me-coins.com (blacklist.rules)
* 1:31651 <-> DISABLED <-> SERVER-WEBAPP VMTurbo Operations Manager vmtadmin.cgi command injection attempt (server-webapp.rules)
* 1:31657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain forces.moimains.ru (blacklist.rules)
* 1:31658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain horses.silverlitedirect.ru (blacklist.rules)
* 1:31659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leicaresbe1976.co.vu (blacklist.rules)
* 1:31654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain brasicerer1976.co.vu (blacklist.rules)
* 1:31662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sputnikmailru.cdnmail.ru (blacklist.rules)
* 1:31652 <-> DISABLED <-> SERVER-WEBAPP VMTurbo Operations Manager vmtadmin.cgi command injection attempt (server-webapp.rules)
* 1:31655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain devid.info (blacklist.rules)
* 1:31663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tioracudi1977.co.vu (blacklist.rules)
* 1:31653 <-> ENABLED <-> BLACKLIST DNS request for known malware domain amigobin.cdnmail.ru (blacklist.rules)
* 1:31661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain quidisnagend1983.co.vu (blacklist.rules)
* 1:31656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain facebstats.com (blacklist.rules)
* 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31668 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Web and E-Mail Interaction Manager cross site scripting attempt (server-webapp.rules)
* 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)

* 1:31645 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 XML page object type validation (browser-ie.rules)
* 1:31406 <-> DISABLED <-> SERVER-OTHER Samsung TV denial of service attempt (server-other.rules)
* 1:31646 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 XML page object type validation (browser-ie.rules)
* 3:26972 <-> ENABLED <-> SERVER-OTHER CUPS IPP multi-valued attribute memory corruption attempt (server-other.rules)
* 3:30932 <-> ENABLED <-> FILE-OTHER Cisco WebEx WRF heap corruption attempt (file-other.rules)
* 3:30931 <-> ENABLED <-> SERVER-OTHER Cisco RV180W remote file inclusion attempt (server-other.rules)
* 3:30933 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN remote code execution attempt (server-other.rules)
* 3:30942 <-> ENABLED <-> FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (file-other.rules)
* 3:30943 <-> ENABLED <-> FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (file-other.rules)
* 3:31361 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
* 3:31398 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
* 3:31451 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
* 3:31615 <-> ENABLED <-> OS-OTHER Cisco IOS EnergyWise malformed packet denial of service attempt (os-other.rules)
* 3:31616 <-> ENABLED <-> OS-OTHER Cisco IOS EnergyWise malformed packet denial of service attempt (os-other.rules)
* 3:7019 <-> ENABLED <-> PUA-P2P WinNY connection attempt (pua-p2p.rules)
* 3:7196 <-> ENABLED <-> OS-WINDOWS Microsoft DHCP option overflow attempt (os-windows.rules)
* 3:8092 <-> ENABLED <-> OS-WINDOWS IGMP IP Options validation attempt (os-windows.rules)
* 3:8351 <-> ENABLED <-> OS-WINDOWS PGM nak list overflow attempt (os-windows.rules)
* 3:10127 <-> ENABLED <-> OS-WINDOWS Microsoft IP Options denial of service (os-windows.rules)
* 3:10480 <-> ENABLED <-> SERVER-OTHER imail ldap buffer overflow exploit attempt (server-other.rules)
* 3:11619 <-> ENABLED <-> SERVER-MYSQL MySQL COM_TABLE_DUMP Function Stack Overflow attempt (server-mysql.rules)
* 3:11672 <-> ENABLED <-> BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt (browser-other.rules)
* 3:12028 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange Server MIME base64 decoding code execution attempt (server-mail.rules)
* 3:12636 <-> ENABLED <-> PROTOCOL-NNTP XHDR buffer overflow attempt (protocol-nntp.rules)
* 3:13287 <-> ENABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
* 3:13308 <-> ENABLED <-> SERVER-APACHE Apache HTTP server auth_ldap logging function format string vulnerability (server-apache.rules)
* 3:13417 <-> ENABLED <-> SERVER-OTHER Citrix MetaFrame IMA authentication processing buffer overflow attempt (server-other.rules)
* 3:13418 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (server-other.rules)
* 3:13425 <-> ENABLED <-> SERVER-OTHER openldap server bind request denial of service attempt (server-other.rules)
* 3:13450 <-> ENABLED <-> OS-WINDOWS invalid dhcp offer denial of service attempt (os-windows.rules)
* 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
* 3:13471 <-> ENABLED <-> FILE-OFFICE Microsoft Publisher invalid pathname overwrite (file-office.rules)
* 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
* 3:13476 <-> ENABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
* 3:13510 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest heap overflow attempt (server-other.rules)
* 3:13511 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest invalid event count exploit attempt (server-other.rules)
* 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
* 3:13666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI integer overflow attempt (os-windows.rules)
* 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
* 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
* 3:13718 <-> ENABLED <-> SERVER-MAIL BDAT buffer overflow attempt (server-mail.rules)
* 3:13773 <-> ENABLED <-> OS-LINUX linux kernel snmp nat netfilter memory corruption attempt (os-linux.rules)
* 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 3:13798 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
* 3:13802 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
* 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
* 3:13825 <-> ENABLED <-> OS-WINDOWS Microsoft PGM fragment denial of service attempt (os-windows.rules)
* 3:13826 <-> ENABLED <-> OS-WINDOWS Microsoft WINS arbitrary memory modification attempt (os-windows.rules)
* 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
* 3:13879 <-> ENABLED <-> OS-WINDOWS Windows BMP image conversion arbitrary code execution attempt (os-windows.rules)
* 3:13887 <-> ENABLED <-> PROTOCOL-DNS dns root nameserver poisoning attempt (protocol-dns.rules)
* 3:13897 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime crgn atom parsing stack buffer overflow attempt (file-multimedia.rules)
* 3:13921 <-> ENABLED <-> SERVER-MAIL Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (server-mail.rules)
* 3:13922 <-> ENABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
* 3:13946 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (file-image.rules)
* 3:13947 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (file-image.rules)
* 3:13954 <-> ENABLED <-> OS-WINDOWS Microsoft Color Management System EMF file processing overflow attempt (os-windows.rules)
* 3:13958 <-> ENABLED <-> FILE-OFFICE WordPerfect Graphics file invalid RLE buffer overflow attempt (file-office.rules)
* 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
* 3:13975 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX clsid access (browser-plugins.rules)
* 3:13976 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX clsid unicode access (browser-plugins.rules)
* 3:13977 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX function call access (browser-plugins.rules)
* 3:13978 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX function call unicode access (browser-plugins.rules)
* 3:13979 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules)
* 3:14251 <-> ENABLED <-> OS-WINDOWS Microsoft GDI malformed metarecord buffer overflow attempt (os-windows.rules)
* 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:14260 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (os-windows.rules)
* 3:14263 <-> ENABLED <-> POLICY-SOCIAL Pidgin MSN MSNP2P message integer overflow attempt (policy-social.rules)
* 3:14646 <-> ENABLED <-> OS-WINDOWS Active Directory malformed baseObject denial of service attempt (os-windows.rules)
* 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
* 3:14772 <-> ENABLED <-> FILE-IMAGE libpng malformed chunk denial of service attempt (file-image.rules)
* 3:15009 <-> ENABLED <-> OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected (os-windows.rules)
* 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
* 3:15118 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX clsid access (browser-plugins.rules)
* 3:15119 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX clsid unicode access (browser-plugins.rules)
* 3:15120 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX function call access (browser-plugins.rules)
* 3:15121 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX function call unicode access (browser-plugins.rules)
* 3:15124 <-> ENABLED <-> OS-WINDOWS Web-based NTLM replay attack attempt (os-windows.rules)
* 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
* 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)
* 3:15149 <-> ENABLED <-> SERVER-ORACLE Oracle Internet Directory pre-auth ldap denial of service attempt (server-oracle.rules)
* 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
* 3:15300 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF polyline overflow attempt (browser-ie.rules)
* 3:15301 <-> ENABLED <-> SERVER-MAIL Exchange compressed RTF remote code execution attempt (server-mail.rules)
* 3:15327 <-> ENABLED <-> PROTOCOL-DNS libspf2 DNS TXT record parsing buffer overflow attempt (protocol-dns.rules)
* 3:15328 <-> ENABLED <-> FILE-JAVA Sun JDK image parsing library ICC buffer overflow attempt (file-java.rules)
* 3:15329 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange MODPROPS memory corruption attempt (server-mail.rules)
* 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)
* 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
* 3:15449 <-> ENABLED <-> MALWARE-OTHER Conficker A/B DNS traffic detected (malware-other.rules)
* 3:15450 <-> ENABLED <-> MALWARE-OTHER Conficker C/D DNS traffic detected (malware-other.rules)
* 3:15451 <-> ENABLED <-> MALWARE-CNC possible Conficker.C HTTP traffic 1 (malware-cnc.rules)
* 3:15452 <-> ENABLED <-> MALWARE-CNC possible Conficker.C HTTP traffic 2 (malware-cnc.rules)
* 3:15453 <-> ENABLED <-> OS-WINDOWS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (os-windows.rules)
* 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
* 3:15456 <-> ENABLED <-> SERVER-OTHER WinHTTP SSL/TLS impersonation attempt (server-other.rules)
* 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
* 3:15470 <-> ENABLED <-> FILE-EXECUTABLE IIS ASP/ASP.NET potentially malicious file upload attempt (file-executable.rules)
* 3:15474 <-> ENABLED <-> SERVER-OTHER Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (server-other.rules)
* 3:15498 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint CString atom overflow attempt (file-office.rules)
* 3:15503 <-> ENABLED <-> FILE-OFFICE Download of PowerPoint 95 file (file-office.rules)
* 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
* 3:15521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ExternSheet record remote code execution attempt (file-office.rules)
* 3:15522 <-> ENABLED <-> SERVER-OTHER Active Directory invalid OID denial of service attempt (server-other.rules)
* 3:15528 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (os-windows.rules)
* 3:15683 <-> ENABLED <-> SERVER-OTHER ISA Server OTP-based Forms-authorization fallback policy bypass attempt (server-other.rules)
* 3:15700 <-> ENABLED <-> SERVER-OTHER dhclient subnet mask option buffer overflow attempt (server-other.rules)
* 3:15734 <-> ENABLED <-> PROTOCOL-DNS BIND named 9 dynamic update message remote dos attempt (protocol-dns.rules)
* 3:15847 <-> ENABLED <-> OS-WINDOWS Telnet-based NTLM replay attack attempt (os-windows.rules)
* 3:15848 <-> ENABLED <-> OS-WINDOWS WINS replication request memory corruption attempt (os-windows.rules)
* 3:15851 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
* 3:15857 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows AVIFile media file invalid header length (file-multimedia.rules)
* 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)
* 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)
* 3:15959 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET viewstate DoS attempt (server-iis.rules)
* 3:15968 <-> ENABLED <-> SERVER-OTHER LANDesk Management Suite QIP service heal packet buffer overflow attempt (server-other.rules)
* 3:15973 <-> ENABLED <-> SERVER-OTHER Novell eDirectory LDAP null search parameter buffer overflow attempt (server-other.rules)
* 3:15974 <-> ENABLED <-> SERVER-IIS Microsoft IIS ASP handling buffer overflow attempt (server-iis.rules)
* 3:15975 <-> ENABLED <-> FILE-IMAGE OpenOffice TIFF file in little endian format parsing integer overflow attempt (file-image.rules)
* 3:15976 <-> ENABLED <-> FILE-IMAGE OpenOffice TIFF file in big endian format parsing integer overflow attempt (file-image.rules)
* 3:16154 <-> ENABLED <-> FILE-EXECUTABLE GDI+ .NET image property parsing memory corruption (file-executable.rules)
* 3:16156 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF marker object memory corruption attempt (file-multimedia.rules)
* 3:16158 <-> ENABLED <-> OS-WINDOWS malformed ASF codec memory corruption attempt (os-windows.rules)
* 3:16179 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET MSIL CLR interface multiple instantiation attempt (file-executable.rules)
* 3:16182 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET MSIL stack corruption attempt (file-executable.rules)
* 3:16222 <-> ENABLED <-> FILE-IMAGE Malformed BMP dimensions arbitrary code execution attempt (file-image.rules)
* 3:16227 <-> ENABLED <-> SERVER-OTHER Web Service on Devices API WSDAPI URL processing buffer corruption attempt (server-other.rules)
* 3:16228 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed StartObject record arbitrary code execution attempt (file-office.rules)
* 3:16230 <-> ENABLED <-> FILE-OFFICE Microsoft Excel oversized ib memory corruption attempt (file-office.rules)
* 3:16232 <-> ENABLED <-> OS-WINDOWS Windows TrueType font file parsing integer overflow attempt (os-windows.rules)
* 3:16237 <-> ENABLED <-> SERVER-OTHER Microsoft Active Directory NTDSA stack space exhaustion attempt (server-other.rules)
* 3:16320 <-> ENABLED <-> FILE-IMAGE Adobe PNG empty sPLT exploit attempt (file-image.rules)
* 3:16329 <-> ENABLED <-> SERVER-OTHER Microsoft Internet Authentication Service EAP-MSCHAPv2 authentication bypass attempt (server-other.rules)
* 3:16343 <-> ENABLED <-> FILE-PDF obfuscated header in PDF (file-pdf.rules)
* 3:16370 <-> ENABLED <-> FILE-PDF Adobe Reader JP2C Region Atom CompNum memory corruption attempt (file-pdf.rules)
* 3:16375 <-> ENABLED <-> SERVER-OTHER LDAP object parameter name buffer overflow attempt (server-other.rules)
* 3:16394 <-> ENABLED <-> OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt (os-windows.rules)
* 3:16395 <-> ENABLED <-> OS-WINDOWS SMB COPY command oversized pathname attempt (os-windows.rules)
* 3:16405 <-> ENABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt (protocol-icmp.rules)
* 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
* 3:16415 <-> ENABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
* 3:16418 <-> ENABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
* 3:16530 <-> ENABLED <-> OS-WINDOWS CAB SIP authenticode alteration attempt (os-windows.rules)
* 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)
* 3:16534 <-> ENABLED <-> SERVER-OTHER Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (server-other.rules)
* 3:16561 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 1 (file-image.rules)
* 3:16562 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 2 (file-image.rules)
* 3:16563 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 3 (file-image.rules)
* 3:16564 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 4 (file-image.rules)
* 3:16577 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMBv2 compound request DoS attempt (os-windows.rules)
* 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
* 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
* 3:17041 <-> ENABLED <-> SERVER-OTHER ISA Server OTP-based Forms-authorization fallback policy bypass attempt (server-other.rules)
* 3:17118 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET CreateDelegate method arbitrary code execution attempt (file-executable.rules)
* 3:17126 <-> ENABLED <-> OS-WINDOWS SMB large session length with small packet (os-windows.rules)
* 3:17199 <-> ENABLED <-> FILE-OTHER Adobe Director file file lRTX overflow attempt (file-other.rules)
* 3:17201 <-> ENABLED <-> FILE-OTHER Adobe Director file file LsCM overflow attempt (file-other.rules)
* 3:17242 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF file arbitrary code execution attempt (file-multimedia.rules)
* 3:17251 <-> ENABLED <-> FILE-OFFICE Outlook RTF remote code execution attempt (file-office.rules)
* 3:17300 <-> ENABLED <-> FILE-MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (file-multimedia.rules)
* 3:17608 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime color table atom movie file handling heap corruption attempt (file-multimedia.rules)
* 3:17632 <-> ENABLED <-> PROTOCOL-SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow (protocol-snmp.rules)
* 3:17647 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (file-flash.rules)
* 3:17663 <-> ENABLED <-> SERVER-OTHER Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt (server-other.rules)
* 3:17665 <-> ENABLED <-> FILE-OFFICE OpenOffice Word document table parsing multiple heap based buffer overflow attempt (file-office.rules)
* 3:17667 <-> ENABLED <-> OS-WINDOWS Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (os-windows.rules)
* 3:17693 <-> ENABLED <-> SERVER-MAIL MailEnable NTLM Authentication buffer overflow attempt (server-mail.rules)
* 3:17696 <-> ENABLED <-> PROTOCOL-DNS Microsoft DNS Server ANY query cache weakness (protocol-dns.rules)
* 3:17697 <-> ENABLED <-> POLICY-SOCIAL GnuPG Message Packet Length overflow attempt (policy-social.rules)
* 3:17699 <-> ENABLED <-> PROTOCOL-SNMP Multiple vendor SNMPv3 HMAC handling authentication bypass attempt (protocol-snmp.rules)
* 3:17700 <-> ENABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer wav chunk string overflow attempt (file-multimedia.rules)
* 3:17741 <-> ENABLED <-> SERVER-OTHER MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (server-other.rules)
* 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
* 3:17765 <-> ENABLED <-> OS-WINDOWS OpenType Font file parsing buffer overflow attempt (os-windows.rules)
* 3:17775 <-> ENABLED <-> INDICATOR-SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (indicator-shellcode.rules)
* 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
* 3:18064 <-> ENABLED <-> BROWSER-PLUGINS Microsoft .NET framework EntityObject execution attempt (browser-plugins.rules)
* 3:18101 <-> ENABLED <-> SERVER-OTHER Sun Directory Server LDAP denial of service attempt (server-other.rules)
* 3:18213 <-> ENABLED <-> FILE-OTHER MS Publisher column and row remote code execution attempt (file-other.rules)
* 3:18220 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (os-windows.rules)
* 3:18249 <-> ENABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Route Information stack buffer overflow attempt (protocol-icmp.rules)
* 3:18400 <-> ENABLED <-> OS-WINDOWS MS CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
* 3:18405 <-> ENABLED <-> OS-WINDOWS Microsoft LSASS domain name buffer overflow attempt (os-windows.rules)
* 3:18409 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys write message to dead thread code execution attempt (os-windows.rules)
* 3:18410 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys write message to dead thread code execution attempt (os-windows.rules)
* 3:18411 <-> ENABLED <-> OS-WINDOWS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules)
* 3:18412 <-> ENABLED <-> OS-WINDOWS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules)
* 3:18414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt (os-windows.rules)
* 3:18449 <-> ENABLED <-> FILE-OTHER Adobe Acrobat font definition memory corruption attempt (file-other.rules)
* 3:18501 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules)
* 3:18630 <-> ENABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 3:18631 <-> ENABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 3:18640 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed SupBook record attempt (file-office.rules)
* 3:18641 <-> ENABLED <-> FILE-OFFICE Excel OBJ record invalid cmo.ot exploit attempt (file-office.rules)
* 3:18660 <-> ENABLED <-> OS-WINDOWS SMB2 write packet buffer overflow attempt (os-windows.rules)
* 3:18661 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18662 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18663 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18664 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18665 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18666 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18667 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18669 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cross-domain object manipulation attempt (browser-ie.rules)
* 3:30921 <-> ENABLED <-> FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt (file-other.rules)
* 3:23182 <-> ENABLED <-> SERVER-OTHER SFVRT-1009 attack attempt (server-other.rules)
* 3:30889 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
* 3:29945 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
* 3:21355 <-> ENABLED <-> PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid (protocol-dns.rules)
* 3:26213 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - doesntexist.com (exploit-kit.rules)
* 3:23608 <-> ENABLED <-> PROTOCOL-DNS dns zone transfer with zero-length rdata attempt (protocol-dns.rules)
* 3:30901 <-> ENABLED <-> FILE-FLASH known malicious flash actionscript decryption routine (file-flash.rules)
* 3:26215 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - dynalias.com (exploit-kit.rules)
* 3:20825 <-> ENABLED <-> SERVER-WEBAPP generic web server hashing collision attack (server-webapp.rules)
* 3:20135 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector buffer overflow attempt (server-other.rules)
* 3:30884 <-> ENABLED <-> PROTOCOL-VOIP Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (protocol-voip.rules)
* 3:23039 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
* 3:26214 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - dnsalias.com (exploit-kit.rules)
* 3:22089 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
* 3:24971 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD Adobe font driver reserved command denial of service attempt (file-other.rules)
* 3:30888 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
* 3:24597 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (server-oracle.rules)
* 3:18673 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 3:30902 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
* 3:27906 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC prep_reprocess_req null pointer dereference attempt (server-other.rules)
* 3:19350 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (file-multimedia.rules)
* 3:30885 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
* 3:30890 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
* 3:21619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (os-windows.rules)
* 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
* 3:24595 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Server information disclosure attempt (server-oracle.rules)
* 3:24671 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Explorer briefcase database memory corruption attempt (os-windows.rules)
* 3:24596 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (server-oracle.rules)
* 3:28487 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
* 3:18949 <-> ENABLED <-> FILE-OFFICE PowerPoint malformed RecolorInfoAtom exploit attempt (file-office.rules)
* 3:29944 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
* 3:30283 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt (protocol-voip.rules)
* 3:30282 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt (protocol-voip.rules)
* 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
* 3:24666 <-> ENABLED <-> FILE-OFFICE Excel invalid data item buffer overflow attempt (file-office.rules)
* 3:30886 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
* 3:21352 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 3:19187 <-> ENABLED <-> PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt (protocol-dns.rules)
* 3:23180 <-> ENABLED <-> FILE-PDF obfuscated header in PDF attachment (file-pdf.rules)
* 3:21354 <-> ENABLED <-> PROTOCOL-DNS dns query - storing query and txid (protocol-dns.rules)
* 3:28488 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
* 3:30903 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
* 3:23040 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
* 3:26877 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCPRecomputeMss denial of service attempt (os-windows.rules)
* 3:30881 <-> ENABLED <-> MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt (malware-other.rules)
* 3:30913 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
* 3:30929 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN CSRF attempt (server-other.rules)
* 3:30912 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
* 3:30922 <-> ENABLED <-> FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain facebstats.com (blacklist.rules)
* 1:31661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain quidisnagend1983.co.vu (blacklist.rules)
* 1:31653 <-> ENABLED <-> BLACKLIST DNS request for known malware domain amigobin.cdnmail.ru (blacklist.rules)
* 1:31663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tioracudi1977.co.vu (blacklist.rules)
* 1:31655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain devid.info (blacklist.rules)
* 1:31652 <-> DISABLED <-> SERVER-WEBAPP VMTurbo Operations Manager vmtadmin.cgi command injection attempt (server-webapp.rules)
* 1:31662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sputnikmailru.cdnmail.ru (blacklist.rules)
* 1:31654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain brasicerer1976.co.vu (blacklist.rules)
* 1:31659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leicaresbe1976.co.vu (blacklist.rules)
* 1:31658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain horses.silverlitedirect.ru (blacklist.rules)
* 1:31657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain forces.moimains.ru (blacklist.rules)
* 1:31651 <-> DISABLED <-> SERVER-WEBAPP VMTurbo Operations Manager vmtadmin.cgi command injection attempt (server-webapp.rules)
* 1:31660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ltc.give-me-coins.com (blacklist.rules)
* 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31668 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Web and E-Mail Interaction Manager cross site scripting attempt (server-webapp.rules)
* 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 1:31646 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 XML page object type validation (browser-ie.rules)
* 1:31406 <-> DISABLED <-> SERVER-OTHER Samsung TV denial of service attempt (server-other.rules)
* 1:31645 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 XML page object type validation (browser-ie.rules)
* 3:10127 <-> ENABLED <-> OS-WINDOWS Microsoft IP Options denial of service (os-windows.rules)
* 3:10480 <-> ENABLED <-> SERVER-OTHER imail ldap buffer overflow exploit attempt (server-other.rules)
* 3:11619 <-> ENABLED <-> SERVER-MYSQL MySQL COM_TABLE_DUMP Function Stack Overflow attempt (server-mysql.rules)
* 3:11672 <-> ENABLED <-> BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt (browser-other.rules)
* 3:12028 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange Server MIME base64 decoding code execution attempt (server-mail.rules)
* 3:12636 <-> ENABLED <-> PROTOCOL-NNTP XHDR buffer overflow attempt (protocol-nntp.rules)
* 3:13287 <-> ENABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
* 3:13308 <-> ENABLED <-> SERVER-APACHE Apache HTTP server auth_ldap logging function format string vulnerability (server-apache.rules)
* 3:13417 <-> ENABLED <-> SERVER-OTHER Citrix MetaFrame IMA authentication processing buffer overflow attempt (server-other.rules)
* 3:13418 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (server-other.rules)
* 3:13425 <-> ENABLED <-> SERVER-OTHER openldap server bind request denial of service attempt (server-other.rules)
* 3:13450 <-> ENABLED <-> OS-WINDOWS invalid dhcp offer denial of service attempt (os-windows.rules)
* 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
* 3:13471 <-> ENABLED <-> FILE-OFFICE Microsoft Publisher invalid pathname overwrite (file-office.rules)
* 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
* 3:13476 <-> ENABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
* 3:13510 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest heap overflow attempt (server-other.rules)
* 3:13511 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest invalid event count exploit attempt (server-other.rules)
* 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
* 3:13666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI integer overflow attempt (os-windows.rules)
* 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
* 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
* 3:13718 <-> ENABLED <-> SERVER-MAIL BDAT buffer overflow attempt (server-mail.rules)
* 3:13773 <-> ENABLED <-> OS-LINUX linux kernel snmp nat netfilter memory corruption attempt (os-linux.rules)
* 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 3:13798 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
* 3:13802 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
* 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
* 3:13825 <-> ENABLED <-> OS-WINDOWS Microsoft PGM fragment denial of service attempt (os-windows.rules)
* 3:13826 <-> ENABLED <-> OS-WINDOWS Microsoft WINS arbitrary memory modification attempt (os-windows.rules)
* 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
* 3:13879 <-> ENABLED <-> OS-WINDOWS Windows BMP image conversion arbitrary code execution attempt (os-windows.rules)
* 3:13887 <-> ENABLED <-> PROTOCOL-DNS dns root nameserver poisoning attempt (protocol-dns.rules)
* 3:13897 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime crgn atom parsing stack buffer overflow attempt (file-multimedia.rules)
* 3:13921 <-> ENABLED <-> SERVER-MAIL Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (server-mail.rules)
* 3:13922 <-> ENABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
* 3:13946 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (file-image.rules)
* 3:13947 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (file-image.rules)
* 3:13954 <-> ENABLED <-> OS-WINDOWS Microsoft Color Management System EMF file processing overflow attempt (os-windows.rules)
* 3:13958 <-> ENABLED <-> FILE-OFFICE WordPerfect Graphics file invalid RLE buffer overflow attempt (file-office.rules)
* 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
* 3:13975 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX clsid access (browser-plugins.rules)
* 3:13976 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX clsid unicode access (browser-plugins.rules)
* 3:13977 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX function call access (browser-plugins.rules)
* 3:13978 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX function call unicode access (browser-plugins.rules)
* 3:13979 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules)
* 3:14251 <-> ENABLED <-> OS-WINDOWS Microsoft GDI malformed metarecord buffer overflow attempt (os-windows.rules)
* 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:14260 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (os-windows.rules)
* 3:14263 <-> ENABLED <-> POLICY-SOCIAL Pidgin MSN MSNP2P message integer overflow attempt (policy-social.rules)
* 3:14646 <-> ENABLED <-> OS-WINDOWS Active Directory malformed baseObject denial of service attempt (os-windows.rules)
* 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
* 3:14772 <-> ENABLED <-> FILE-IMAGE libpng malformed chunk denial of service attempt (file-image.rules)
* 3:15009 <-> ENABLED <-> OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected (os-windows.rules)
* 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
* 3:15118 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX clsid access (browser-plugins.rules)
* 3:15119 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX clsid unicode access (browser-plugins.rules)
* 3:15120 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX function call access (browser-plugins.rules)
* 3:15121 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX function call unicode access (browser-plugins.rules)
* 3:15124 <-> ENABLED <-> OS-WINDOWS Web-based NTLM replay attack attempt (os-windows.rules)
* 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
* 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)
* 3:15149 <-> ENABLED <-> SERVER-ORACLE Oracle Internet Directory pre-auth ldap denial of service attempt (server-oracle.rules)
* 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
* 3:15300 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF polyline overflow attempt (browser-ie.rules)
* 3:15301 <-> ENABLED <-> SERVER-MAIL Exchange compressed RTF remote code execution attempt (server-mail.rules)
* 3:15327 <-> ENABLED <-> PROTOCOL-DNS libspf2 DNS TXT record parsing buffer overflow attempt (protocol-dns.rules)
* 3:15328 <-> ENABLED <-> FILE-JAVA Sun JDK image parsing library ICC buffer overflow attempt (file-java.rules)
* 3:15329 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange MODPROPS memory corruption attempt (server-mail.rules)
* 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)
* 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
* 3:15449 <-> ENABLED <-> MALWARE-OTHER Conficker A/B DNS traffic detected (malware-other.rules)
* 3:15450 <-> ENABLED <-> MALWARE-OTHER Conficker C/D DNS traffic detected (malware-other.rules)
* 3:15451 <-> ENABLED <-> MALWARE-CNC possible Conficker.C HTTP traffic 1 (malware-cnc.rules)
* 3:15452 <-> ENABLED <-> MALWARE-CNC possible Conficker.C HTTP traffic 2 (malware-cnc.rules)
* 3:15453 <-> ENABLED <-> OS-WINDOWS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (os-windows.rules)
* 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
* 3:15456 <-> ENABLED <-> SERVER-OTHER WinHTTP SSL/TLS impersonation attempt (server-other.rules)
* 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
* 3:15470 <-> ENABLED <-> FILE-EXECUTABLE IIS ASP/ASP.NET potentially malicious file upload attempt (file-executable.rules)
* 3:15474 <-> ENABLED <-> SERVER-OTHER Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (server-other.rules)
* 3:15498 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint CString atom overflow attempt (file-office.rules)
* 3:15503 <-> ENABLED <-> FILE-OFFICE Download of PowerPoint 95 file (file-office.rules)
* 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
* 3:15521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ExternSheet record remote code execution attempt (file-office.rules)
* 3:15522 <-> ENABLED <-> SERVER-OTHER Active Directory invalid OID denial of service attempt (server-other.rules)
* 3:15528 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (os-windows.rules)
* 3:15683 <-> ENABLED <-> SERVER-OTHER ISA Server OTP-based Forms-authorization fallback policy bypass attempt (server-other.rules)
* 3:15700 <-> ENABLED <-> SERVER-OTHER dhclient subnet mask option buffer overflow attempt (server-other.rules)
* 3:15734 <-> ENABLED <-> PROTOCOL-DNS BIND named 9 dynamic update message remote dos attempt (protocol-dns.rules)
* 3:15847 <-> ENABLED <-> OS-WINDOWS Telnet-based NTLM replay attack attempt (os-windows.rules)
* 3:15848 <-> ENABLED <-> OS-WINDOWS WINS replication request memory corruption attempt (os-windows.rules)
* 3:15851 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
* 3:15857 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows AVIFile media file invalid header length (file-multimedia.rules)
* 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)
* 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)
* 3:15959 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET viewstate DoS attempt (server-iis.rules)
* 3:15968 <-> ENABLED <-> SERVER-OTHER LANDesk Management Suite QIP service heal packet buffer overflow attempt (server-other.rules)
* 3:15973 <-> ENABLED <-> SERVER-OTHER Novell eDirectory LDAP null search parameter buffer overflow attempt (server-other.rules)
* 3:15974 <-> ENABLED <-> SERVER-IIS Microsoft IIS ASP handling buffer overflow attempt (server-iis.rules)
* 3:15975 <-> ENABLED <-> FILE-IMAGE OpenOffice TIFF file in little endian format parsing integer overflow attempt (file-image.rules)
* 3:15976 <-> ENABLED <-> FILE-IMAGE OpenOffice TIFF file in big endian format parsing integer overflow attempt (file-image.rules)
* 3:16154 <-> ENABLED <-> FILE-EXECUTABLE GDI+ .NET image property parsing memory corruption (file-executable.rules)
* 3:16156 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF marker object memory corruption attempt (file-multimedia.rules)
* 3:16158 <-> ENABLED <-> OS-WINDOWS malformed ASF codec memory corruption attempt (os-windows.rules)
* 3:16179 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET MSIL CLR interface multiple instantiation attempt (file-executable.rules)
* 3:16182 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET MSIL stack corruption attempt (file-executable.rules)
* 3:16222 <-> ENABLED <-> FILE-IMAGE Malformed BMP dimensions arbitrary code execution attempt (file-image.rules)
* 3:16227 <-> ENABLED <-> SERVER-OTHER Web Service on Devices API WSDAPI URL processing buffer corruption attempt (server-other.rules)
* 3:16228 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed StartObject record arbitrary code execution attempt (file-office.rules)
* 3:16230 <-> ENABLED <-> FILE-OFFICE Microsoft Excel oversized ib memory corruption attempt (file-office.rules)
* 3:16232 <-> ENABLED <-> OS-WINDOWS Windows TrueType font file parsing integer overflow attempt (os-windows.rules)
* 3:16237 <-> ENABLED <-> SERVER-OTHER Microsoft Active Directory NTDSA stack space exhaustion attempt (server-other.rules)
* 3:16320 <-> ENABLED <-> FILE-IMAGE Adobe PNG empty sPLT exploit attempt (file-image.rules)
* 3:16329 <-> ENABLED <-> SERVER-OTHER Microsoft Internet Authentication Service EAP-MSCHAPv2 authentication bypass attempt (server-other.rules)
* 3:16343 <-> ENABLED <-> FILE-PDF obfuscated header in PDF (file-pdf.rules)
* 3:16370 <-> ENABLED <-> FILE-PDF Adobe Reader JP2C Region Atom CompNum memory corruption attempt (file-pdf.rules)
* 3:16375 <-> ENABLED <-> SERVER-OTHER LDAP object parameter name buffer overflow attempt (server-other.rules)
* 3:16394 <-> ENABLED <-> OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt (os-windows.rules)
* 3:16395 <-> ENABLED <-> OS-WINDOWS SMB COPY command oversized pathname attempt (os-windows.rules)
* 3:16405 <-> ENABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt (protocol-icmp.rules)
* 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
* 3:16415 <-> ENABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
* 3:16418 <-> ENABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
* 3:16530 <-> ENABLED <-> OS-WINDOWS CAB SIP authenticode alteration attempt (os-windows.rules)
* 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)
* 3:16534 <-> ENABLED <-> SERVER-OTHER Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (server-other.rules)
* 3:16561 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 1 (file-image.rules)
* 3:16562 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 2 (file-image.rules)
* 3:16563 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 3 (file-image.rules)
* 3:16564 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 4 (file-image.rules)
* 3:16577 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMBv2 compound request DoS attempt (os-windows.rules)
* 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
* 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
* 3:17041 <-> ENABLED <-> SERVER-OTHER ISA Server OTP-based Forms-authorization fallback policy bypass attempt (server-other.rules)
* 3:17118 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET CreateDelegate method arbitrary code execution attempt (file-executable.rules)
* 3:17126 <-> ENABLED <-> OS-WINDOWS SMB large session length with small packet (os-windows.rules)
* 3:17199 <-> ENABLED <-> FILE-OTHER Adobe Director file file lRTX overflow attempt (file-other.rules)
* 3:17201 <-> ENABLED <-> FILE-OTHER Adobe Director file file LsCM overflow attempt (file-other.rules)
* 3:17242 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF file arbitrary code execution attempt (file-multimedia.rules)
* 3:17251 <-> ENABLED <-> FILE-OFFICE Outlook RTF remote code execution attempt (file-office.rules)
* 3:17300 <-> ENABLED <-> FILE-MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (file-multimedia.rules)
* 3:17608 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime color table atom movie file handling heap corruption attempt (file-multimedia.rules)
* 3:17632 <-> ENABLED <-> PROTOCOL-SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow (protocol-snmp.rules)
* 3:17647 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (file-flash.rules)
* 3:17663 <-> ENABLED <-> SERVER-OTHER Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt (server-other.rules)
* 3:17665 <-> ENABLED <-> FILE-OFFICE OpenOffice Word document table parsing multiple heap based buffer overflow attempt (file-office.rules)
* 3:17667 <-> ENABLED <-> OS-WINDOWS Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (os-windows.rules)
* 3:17693 <-> ENABLED <-> SERVER-MAIL MailEnable NTLM Authentication buffer overflow attempt (server-mail.rules)
* 3:17696 <-> ENABLED <-> PROTOCOL-DNS Microsoft DNS Server ANY query cache weakness (protocol-dns.rules)
* 3:17697 <-> ENABLED <-> POLICY-SOCIAL GnuPG Message Packet Length overflow attempt (policy-social.rules)
* 3:17699 <-> ENABLED <-> PROTOCOL-SNMP Multiple vendor SNMPv3 HMAC handling authentication bypass attempt (protocol-snmp.rules)
* 3:17700 <-> ENABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer wav chunk string overflow attempt (file-multimedia.rules)
* 3:17741 <-> ENABLED <-> SERVER-OTHER MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (server-other.rules)
* 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
* 3:17765 <-> ENABLED <-> OS-WINDOWS OpenType Font file parsing buffer overflow attempt (os-windows.rules)
* 3:17775 <-> ENABLED <-> INDICATOR-SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (indicator-shellcode.rules)
* 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
* 3:18064 <-> ENABLED <-> BROWSER-PLUGINS Microsoft .NET framework EntityObject execution attempt (browser-plugins.rules)
* 3:18101 <-> ENABLED <-> SERVER-OTHER Sun Directory Server LDAP denial of service attempt (server-other.rules)
* 3:18213 <-> ENABLED <-> FILE-OTHER MS Publisher column and row remote code execution attempt (file-other.rules)
* 3:18220 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (os-windows.rules)
* 3:18249 <-> ENABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Route Information stack buffer overflow attempt (protocol-icmp.rules)
* 3:18400 <-> ENABLED <-> OS-WINDOWS MS CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
* 3:18409 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys write message to dead thread code execution attempt (os-windows.rules)
* 3:18405 <-> ENABLED <-> OS-WINDOWS Microsoft LSASS domain name buffer overflow attempt (os-windows.rules)
* 3:18410 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys write message to dead thread code execution attempt (os-windows.rules)
* 3:18411 <-> ENABLED <-> OS-WINDOWS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules)
* 3:18412 <-> ENABLED <-> OS-WINDOWS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules)
* 3:18414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt (os-windows.rules)
* 3:18449 <-> ENABLED <-> FILE-OTHER Adobe Acrobat font definition memory corruption attempt (file-other.rules)
* 3:18501 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules)
* 3:18630 <-> ENABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 3:18631 <-> ENABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 3:18640 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed SupBook record attempt (file-office.rules)
* 3:18641 <-> ENABLED <-> FILE-OFFICE Excel OBJ record invalid cmo.ot exploit attempt (file-office.rules)
* 3:18660 <-> ENABLED <-> OS-WINDOWS SMB2 write packet buffer overflow attempt (os-windows.rules)
* 3:18661 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18662 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18663 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18664 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18665 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18666 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18667 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18669 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cross-domain object manipulation attempt (browser-ie.rules)
* 3:8351 <-> ENABLED <-> OS-WINDOWS PGM nak list overflow attempt (os-windows.rules)
* 3:8092 <-> ENABLED <-> OS-WINDOWS IGMP IP Options validation attempt (os-windows.rules)
* 3:7196 <-> ENABLED <-> OS-WINDOWS Microsoft DHCP option overflow attempt (os-windows.rules)
* 3:7019 <-> ENABLED <-> PUA-P2P WinNY connection attempt (pua-p2p.rules)
* 3:31616 <-> ENABLED <-> OS-OTHER Cisco IOS EnergyWise malformed packet denial of service attempt (os-other.rules)
* 3:31615 <-> ENABLED <-> OS-OTHER Cisco IOS EnergyWise malformed packet denial of service attempt (os-other.rules)
* 3:31451 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
* 3:31398 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
* 3:31361 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
* 3:30943 <-> ENABLED <-> FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (file-other.rules)
* 3:30942 <-> ENABLED <-> FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (file-other.rules)
* 3:30933 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN remote code execution attempt (server-other.rules)
* 3:30932 <-> ENABLED <-> FILE-OTHER Cisco WebEx WRF heap corruption attempt (file-other.rules)
* 3:30931 <-> ENABLED <-> SERVER-OTHER Cisco RV180W remote file inclusion attempt (server-other.rules)
* 3:30929 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN CSRF attempt (server-other.rules)
* 3:30922 <-> ENABLED <-> FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt (file-other.rules)
* 3:30921 <-> ENABLED <-> FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt (file-other.rules)
* 3:30913 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
* 3:30912 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
* 3:30903 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
* 3:30902 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
* 3:23039 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
* 3:20825 <-> ENABLED <-> SERVER-WEBAPP generic web server hashing collision attack (server-webapp.rules)
* 3:20135 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector buffer overflow attempt (server-other.rules)
* 3:21352 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 3:30901 <-> ENABLED <-> FILE-FLASH known malicious flash actionscript decryption routine (file-flash.rules)
* 3:30890 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
* 3:30889 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
* 3:30888 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
* 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
* 3:30886 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
* 3:30885 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
* 3:30884 <-> ENABLED <-> PROTOCOL-VOIP Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (protocol-voip.rules)
* 3:30881 <-> ENABLED <-> MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt (malware-other.rules)
* 3:30283 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt (protocol-voip.rules)
* 3:30282 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt (protocol-voip.rules)
* 3:29945 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
* 3:29944 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
* 3:28488 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
* 3:28487 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
* 3:27906 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC prep_reprocess_req null pointer dereference attempt (server-other.rules)
* 3:26972 <-> ENABLED <-> SERVER-OTHER CUPS IPP multi-valued attribute memory corruption attempt (server-other.rules)
* 3:26877 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCPRecomputeMss denial of service attempt (os-windows.rules)
* 3:26214 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - dnsalias.com (exploit-kit.rules)
* 3:26215 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - dynalias.com (exploit-kit.rules)
* 3:26213 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - doesntexist.com (exploit-kit.rules)
* 3:24971 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD Adobe font driver reserved command denial of service attempt (file-other.rules)
* 3:24671 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Explorer briefcase database memory corruption attempt (os-windows.rules)
* 3:24666 <-> ENABLED <-> FILE-OFFICE Excel invalid data item buffer overflow attempt (file-office.rules)
* 3:21354 <-> ENABLED <-> PROTOCOL-DNS dns query - storing query and txid (protocol-dns.rules)
* 3:19187 <-> ENABLED <-> PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt (protocol-dns.rules)
* 3:19350 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (file-multimedia.rules)
* 3:18949 <-> ENABLED <-> FILE-OFFICE PowerPoint malformed RecolorInfoAtom exploit attempt (file-office.rules)
* 3:21619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (os-windows.rules)
* 3:22089 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
* 3:18673 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 3:23040 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
* 3:23180 <-> ENABLED <-> FILE-PDF obfuscated header in PDF attachment (file-pdf.rules)
* 3:21355 <-> ENABLED <-> PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid (protocol-dns.rules)
* 3:24596 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (server-oracle.rules)
* 3:24595 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Server information disclosure attempt (server-oracle.rules)
* 3:24597 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (server-oracle.rules)
* 3:23608 <-> ENABLED <-> PROTOCOL-DNS dns zone transfer with zero-length rdata attempt (protocol-dns.rules)
* 3:23182 <-> ENABLED <-> SERVER-OTHER SFVRT-1009 attack attempt (server-other.rules)
* 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tioracudi1977.co.vu (blacklist.rules)
* 1:31662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sputnikmailru.cdnmail.ru (blacklist.rules)
* 1:31661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain quidisnagend1983.co.vu (blacklist.rules)
* 1:31660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ltc.give-me-coins.com (blacklist.rules)
* 1:31659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leicaresbe1976.co.vu (blacklist.rules)
* 1:31658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain horses.silverlitedirect.ru (blacklist.rules)
* 1:31657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain forces.moimains.ru (blacklist.rules)
* 1:31656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain facebstats.com (blacklist.rules)
* 1:31655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain devid.info (blacklist.rules)
* 1:31654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain brasicerer1976.co.vu (blacklist.rules)
* 1:31653 <-> ENABLED <-> BLACKLIST DNS request for known malware domain amigobin.cdnmail.ru (blacklist.rules)
* 1:31652 <-> DISABLED <-> SERVER-WEBAPP VMTurbo Operations Manager vmtadmin.cgi command injection attempt (server-webapp.rules)
* 1:31651 <-> DISABLED <-> SERVER-WEBAPP VMTurbo Operations Manager vmtadmin.cgi command injection attempt (server-webapp.rules)
* 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31668 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Web and E-Mail Interaction Manager cross site scripting attempt (server-webapp.rules)
* 1:31646 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 XML page object type validation (browser-ie.rules)
* 1:31645 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 XML page object type validation (browser-ie.rules)
* 1:31406 <-> DISABLED <-> SERVER-OTHER Samsung TV denial of service attempt (server-other.rules)
* 3:13826 <-> ENABLED <-> OS-WINDOWS Microsoft WINS arbitrary memory modification attempt (os-windows.rules)
* 3:13825 <-> ENABLED <-> OS-WINDOWS Microsoft PGM fragment denial of service attempt (os-windows.rules)
* 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
* 3:13802 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
* 3:13798 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
* 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 3:13773 <-> ENABLED <-> OS-LINUX linux kernel snmp nat netfilter memory corruption attempt (os-linux.rules)
* 3:13718 <-> ENABLED <-> SERVER-MAIL BDAT buffer overflow attempt (server-mail.rules)
* 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
* 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
* 3:13666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI integer overflow attempt (os-windows.rules)
* 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
* 3:13511 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest invalid event count exploit attempt (server-other.rules)
* 3:13510 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest heap overflow attempt (server-other.rules)
* 3:13476 <-> ENABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
* 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
* 3:13471 <-> ENABLED <-> FILE-OFFICE Microsoft Publisher invalid pathname overwrite (file-office.rules)
* 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
* 3:13450 <-> ENABLED <-> OS-WINDOWS invalid dhcp offer denial of service attempt (os-windows.rules)
* 3:13425 <-> ENABLED <-> SERVER-OTHER openldap server bind request denial of service attempt (server-other.rules)
* 3:13418 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (server-other.rules)
* 3:8351 <-> ENABLED <-> OS-WINDOWS PGM nak list overflow attempt (os-windows.rules)
* 3:8092 <-> ENABLED <-> OS-WINDOWS IGMP IP Options validation attempt (os-windows.rules)
* 3:7196 <-> ENABLED <-> OS-WINDOWS Microsoft DHCP option overflow attempt (os-windows.rules)
* 3:7019 <-> ENABLED <-> PUA-P2P WinNY connection attempt (pua-p2p.rules)
* 3:31616 <-> ENABLED <-> OS-OTHER Cisco IOS EnergyWise malformed packet denial of service attempt (os-other.rules)
* 3:31615 <-> ENABLED <-> OS-OTHER Cisco IOS EnergyWise malformed packet denial of service attempt (os-other.rules)
* 3:31451 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
* 3:31398 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
* 3:31361 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
* 3:30943 <-> ENABLED <-> FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (file-other.rules)
* 3:30942 <-> ENABLED <-> FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (file-other.rules)
* 3:30933 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN remote code execution attempt (server-other.rules)
* 3:30932 <-> ENABLED <-> FILE-OTHER Cisco WebEx WRF heap corruption attempt (file-other.rules)
* 3:30931 <-> ENABLED <-> SERVER-OTHER Cisco RV180W remote file inclusion attempt (server-other.rules)
* 3:30929 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN CSRF attempt (server-other.rules)
* 3:30922 <-> ENABLED <-> FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt (file-other.rules)
* 3:30921 <-> ENABLED <-> FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt (file-other.rules)
* 3:30913 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
* 3:30912 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
* 3:30903 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
* 3:30902 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
* 3:30901 <-> ENABLED <-> FILE-FLASH known malicious flash actionscript decryption routine (file-flash.rules)
* 3:30890 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
* 3:30889 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
* 3:30888 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
* 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
* 3:30886 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
* 3:30885 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
* 3:30884 <-> ENABLED <-> PROTOCOL-VOIP Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (protocol-voip.rules)
* 3:30881 <-> ENABLED <-> MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt (malware-other.rules)
* 3:30283 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt (protocol-voip.rules)
* 3:30282 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt (protocol-voip.rules)
* 3:29945 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
* 3:29944 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
* 3:28488 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
* 3:28487 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
* 3:27906 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC prep_reprocess_req null pointer dereference attempt (server-other.rules)
* 3:26972 <-> ENABLED <-> SERVER-OTHER CUPS IPP multi-valued attribute memory corruption attempt (server-other.rules)
* 3:26877 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCPRecomputeMss denial of service attempt (os-windows.rules)
* 3:26215 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - dynalias.com (exploit-kit.rules)
* 3:26214 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - dnsalias.com (exploit-kit.rules)
* 3:26213 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - doesntexist.com (exploit-kit.rules)
* 3:24971 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD Adobe font driver reserved command denial of service attempt (file-other.rules)
* 3:24671 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Explorer briefcase database memory corruption attempt (os-windows.rules)
* 3:24666 <-> ENABLED <-> FILE-OFFICE Excel invalid data item buffer overflow attempt (file-office.rules)
* 3:24597 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (server-oracle.rules)
* 3:24596 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (server-oracle.rules)
* 3:24595 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Server information disclosure attempt (server-oracle.rules)
* 3:23608 <-> ENABLED <-> PROTOCOL-DNS dns zone transfer with zero-length rdata attempt (protocol-dns.rules)
* 3:23182 <-> ENABLED <-> SERVER-OTHER SFVRT-1009 attack attempt (server-other.rules)
* 3:23180 <-> ENABLED <-> FILE-PDF obfuscated header in PDF attachment (file-pdf.rules)
* 3:23040 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
* 3:23039 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
* 3:22089 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
* 3:21619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (os-windows.rules)
* 3:21355 <-> ENABLED <-> PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid (protocol-dns.rules)
* 3:21354 <-> ENABLED <-> PROTOCOL-DNS dns query - storing query and txid (protocol-dns.rules)
* 3:21352 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 3:20825 <-> ENABLED <-> SERVER-WEBAPP generic web server hashing collision attack (server-webapp.rules)
* 3:20135 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector buffer overflow attempt (server-other.rules)
* 3:19350 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (file-multimedia.rules)
* 3:19187 <-> ENABLED <-> PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt (protocol-dns.rules)
* 3:18949 <-> ENABLED <-> FILE-OFFICE PowerPoint malformed RecolorInfoAtom exploit attempt (file-office.rules)
* 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
* 3:18673 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 3:18669 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cross-domain object manipulation attempt (browser-ie.rules)
* 3:18667 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18666 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18665 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18664 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18663 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18662 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18661 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
* 3:18660 <-> ENABLED <-> OS-WINDOWS SMB2 write packet buffer overflow attempt (os-windows.rules)
* 3:18641 <-> ENABLED <-> FILE-OFFICE Excel OBJ record invalid cmo.ot exploit attempt (file-office.rules)
* 3:18640 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed SupBook record attempt (file-office.rules)
* 3:18631 <-> ENABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 3:18630 <-> ENABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 3:18501 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules)
* 3:18449 <-> ENABLED <-> FILE-OTHER Adobe Acrobat font definition memory corruption attempt (file-other.rules)
* 3:18414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt (os-windows.rules)
* 3:18412 <-> ENABLED <-> OS-WINDOWS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules)
* 3:18411 <-> ENABLED <-> OS-WINDOWS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules)
* 3:18410 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys write message to dead thread code execution attempt (os-windows.rules)
* 3:18409 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys write message to dead thread code execution attempt (os-windows.rules)
* 3:18405 <-> ENABLED <-> OS-WINDOWS Microsoft LSASS domain name buffer overflow attempt (os-windows.rules)
* 3:18400 <-> ENABLED <-> OS-WINDOWS MS CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
* 3:18249 <-> ENABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Route Information stack buffer overflow attempt (protocol-icmp.rules)
* 3:18220 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (os-windows.rules)
* 3:18213 <-> ENABLED <-> FILE-OTHER MS Publisher column and row remote code execution attempt (file-other.rules)
* 3:18101 <-> ENABLED <-> SERVER-OTHER Sun Directory Server LDAP denial of service attempt (server-other.rules)
* 3:18064 <-> ENABLED <-> BROWSER-PLUGINS Microsoft .NET framework EntityObject execution attempt (browser-plugins.rules)
* 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
* 3:17775 <-> ENABLED <-> INDICATOR-SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (indicator-shellcode.rules)
* 3:17765 <-> ENABLED <-> OS-WINDOWS OpenType Font file parsing buffer overflow attempt (os-windows.rules)
* 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
* 3:17741 <-> ENABLED <-> SERVER-OTHER MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (server-other.rules)
* 3:17700 <-> ENABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer wav chunk string overflow attempt (file-multimedia.rules)
* 3:17699 <-> ENABLED <-> PROTOCOL-SNMP Multiple vendor SNMPv3 HMAC handling authentication bypass attempt (protocol-snmp.rules)
* 3:17697 <-> ENABLED <-> POLICY-SOCIAL GnuPG Message Packet Length overflow attempt (policy-social.rules)
* 3:17696 <-> ENABLED <-> PROTOCOL-DNS Microsoft DNS Server ANY query cache weakness (protocol-dns.rules)
* 3:17693 <-> ENABLED <-> SERVER-MAIL MailEnable NTLM Authentication buffer overflow attempt (server-mail.rules)
* 3:17667 <-> ENABLED <-> OS-WINDOWS Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (os-windows.rules)
* 3:17665 <-> ENABLED <-> FILE-OFFICE OpenOffice Word document table parsing multiple heap based buffer overflow attempt (file-office.rules)
* 3:17663 <-> ENABLED <-> SERVER-OTHER Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt (server-other.rules)
* 3:17647 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (file-flash.rules)
* 3:17632 <-> ENABLED <-> PROTOCOL-SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow (protocol-snmp.rules)
* 3:17608 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime color table atom movie file handling heap corruption attempt (file-multimedia.rules)
* 3:17300 <-> ENABLED <-> FILE-MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (file-multimedia.rules)
* 3:17251 <-> ENABLED <-> FILE-OFFICE Outlook RTF remote code execution attempt (file-office.rules)
* 3:17242 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF file arbitrary code execution attempt (file-multimedia.rules)
* 3:17201 <-> ENABLED <-> FILE-OTHER Adobe Director file file LsCM overflow attempt (file-other.rules)
* 3:17199 <-> ENABLED <-> FILE-OTHER Adobe Director file file lRTX overflow attempt (file-other.rules)
* 3:17126 <-> ENABLED <-> OS-WINDOWS SMB large session length with small packet (os-windows.rules)
* 3:17118 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET CreateDelegate method arbitrary code execution attempt (file-executable.rules)
* 3:17041 <-> ENABLED <-> SERVER-OTHER ISA Server OTP-based Forms-authorization fallback policy bypass attempt (server-other.rules)
* 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
* 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
* 3:16577 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMBv2 compound request DoS attempt (os-windows.rules)
* 3:16564 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 4 (file-image.rules)
* 3:16563 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 3 (file-image.rules)
* 3:16562 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 2 (file-image.rules)
* 3:16561 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 1 (file-image.rules)
* 3:16534 <-> ENABLED <-> SERVER-OTHER Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (server-other.rules)
* 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)
* 3:16530 <-> ENABLED <-> OS-WINDOWS CAB SIP authenticode alteration attempt (os-windows.rules)
* 3:16418 <-> ENABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
* 3:16415 <-> ENABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
* 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
* 3:16405 <-> ENABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt (protocol-icmp.rules)
* 3:16395 <-> ENABLED <-> OS-WINDOWS SMB COPY command oversized pathname attempt (os-windows.rules)
* 3:16394 <-> ENABLED <-> OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt (os-windows.rules)
* 3:16375 <-> ENABLED <-> SERVER-OTHER LDAP object parameter name buffer overflow attempt (server-other.rules)
* 3:16370 <-> ENABLED <-> FILE-PDF Adobe Reader JP2C Region Atom CompNum memory corruption attempt (file-pdf.rules)
* 3:16343 <-> ENABLED <-> FILE-PDF obfuscated header in PDF (file-pdf.rules)
* 3:16329 <-> ENABLED <-> SERVER-OTHER Microsoft Internet Authentication Service EAP-MSCHAPv2 authentication bypass attempt (server-other.rules)
* 3:16320 <-> ENABLED <-> FILE-IMAGE Adobe PNG empty sPLT exploit attempt (file-image.rules)
* 3:16237 <-> ENABLED <-> SERVER-OTHER Microsoft Active Directory NTDSA stack space exhaustion attempt (server-other.rules)
* 3:16232 <-> ENABLED <-> OS-WINDOWS Windows TrueType font file parsing integer overflow attempt (os-windows.rules)
* 3:16230 <-> ENABLED <-> FILE-OFFICE Microsoft Excel oversized ib memory corruption attempt (file-office.rules)
* 3:16228 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed StartObject record arbitrary code execution attempt (file-office.rules)
* 3:16227 <-> ENABLED <-> SERVER-OTHER Web Service on Devices API WSDAPI URL processing buffer corruption attempt (server-other.rules)
* 3:16222 <-> ENABLED <-> FILE-IMAGE Malformed BMP dimensions arbitrary code execution attempt (file-image.rules)
* 3:16182 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET MSIL stack corruption attempt (file-executable.rules)
* 3:16179 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET MSIL CLR interface multiple instantiation attempt (file-executable.rules)
* 3:16158 <-> ENABLED <-> OS-WINDOWS malformed ASF codec memory corruption attempt (os-windows.rules)
* 3:16156 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF marker object memory corruption attempt (file-multimedia.rules)
* 3:16154 <-> ENABLED <-> FILE-EXECUTABLE GDI+ .NET image property parsing memory corruption (file-executable.rules)
* 3:15976 <-> ENABLED <-> FILE-IMAGE OpenOffice TIFF file in big endian format parsing integer overflow attempt (file-image.rules)
* 3:15975 <-> ENABLED <-> FILE-IMAGE OpenOffice TIFF file in little endian format parsing integer overflow attempt (file-image.rules)
* 3:15974 <-> ENABLED <-> SERVER-IIS Microsoft IIS ASP handling buffer overflow attempt (server-iis.rules)
* 3:15973 <-> ENABLED <-> SERVER-OTHER Novell eDirectory LDAP null search parameter buffer overflow attempt (server-other.rules)
* 3:15968 <-> ENABLED <-> SERVER-OTHER LANDesk Management Suite QIP service heal packet buffer overflow attempt (server-other.rules)
* 3:15959 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET viewstate DoS attempt (server-iis.rules)
* 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)
* 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)
* 3:15857 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows AVIFile media file invalid header length (file-multimedia.rules)
* 3:15851 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
* 3:15848 <-> ENABLED <-> OS-WINDOWS WINS replication request memory corruption attempt (os-windows.rules)
* 3:15847 <-> ENABLED <-> OS-WINDOWS Telnet-based NTLM replay attack attempt (os-windows.rules)
* 3:15734 <-> ENABLED <-> PROTOCOL-DNS BIND named 9 dynamic update message remote dos attempt (protocol-dns.rules)
* 3:15700 <-> ENABLED <-> SERVER-OTHER dhclient subnet mask option buffer overflow attempt (server-other.rules)
* 3:15683 <-> ENABLED <-> SERVER-OTHER ISA Server OTP-based Forms-authorization fallback policy bypass attempt (server-other.rules)
* 3:15528 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (os-windows.rules)
* 3:15522 <-> ENABLED <-> SERVER-OTHER Active Directory invalid OID denial of service attempt (server-other.rules)
* 3:15521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ExternSheet record remote code execution attempt (file-office.rules)
* 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
* 3:15503 <-> ENABLED <-> FILE-OFFICE Download of PowerPoint 95 file (file-office.rules)
* 3:15498 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint CString atom overflow attempt (file-office.rules)
* 3:15474 <-> ENABLED <-> SERVER-OTHER Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (server-other.rules)
* 3:15470 <-> ENABLED <-> FILE-EXECUTABLE IIS ASP/ASP.NET potentially malicious file upload attempt (file-executable.rules)
* 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
* 3:15456 <-> ENABLED <-> SERVER-OTHER WinHTTP SSL/TLS impersonation attempt (server-other.rules)
* 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
* 3:15453 <-> ENABLED <-> OS-WINDOWS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (os-windows.rules)
* 3:15452 <-> ENABLED <-> MALWARE-CNC possible Conficker.C HTTP traffic 2 (malware-cnc.rules)
* 3:15451 <-> ENABLED <-> MALWARE-CNC possible Conficker.C HTTP traffic 1 (malware-cnc.rules)
* 3:15450 <-> ENABLED <-> MALWARE-OTHER Conficker C/D DNS traffic detected (malware-other.rules)
* 3:15449 <-> ENABLED <-> MALWARE-OTHER Conficker A/B DNS traffic detected (malware-other.rules)
* 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
* 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)
* 3:15329 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange MODPROPS memory corruption attempt (server-mail.rules)
* 3:15328 <-> ENABLED <-> FILE-JAVA Sun JDK image parsing library ICC buffer overflow attempt (file-java.rules)
* 3:15327 <-> ENABLED <-> PROTOCOL-DNS libspf2 DNS TXT record parsing buffer overflow attempt (protocol-dns.rules)
* 3:15301 <-> ENABLED <-> SERVER-MAIL Exchange compressed RTF remote code execution attempt (server-mail.rules)
* 3:15300 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF polyline overflow attempt (browser-ie.rules)
* 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
* 3:15149 <-> ENABLED <-> SERVER-ORACLE Oracle Internet Directory pre-auth ldap denial of service attempt (server-oracle.rules)
* 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)
* 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
* 3:15124 <-> ENABLED <-> OS-WINDOWS Web-based NTLM replay attack attempt (os-windows.rules)
* 3:15121 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX function call unicode access (browser-plugins.rules)
* 3:15120 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX function call access (browser-plugins.rules)
* 3:15119 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX clsid unicode access (browser-plugins.rules)
* 3:15118 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX clsid access (browser-plugins.rules)
* 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
* 3:15009 <-> ENABLED <-> OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected (os-windows.rules)
* 3:14772 <-> ENABLED <-> FILE-IMAGE libpng malformed chunk denial of service attempt (file-image.rules)
* 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
* 3:14646 <-> ENABLED <-> OS-WINDOWS Active Directory malformed baseObject denial of service attempt (os-windows.rules)
* 3:14263 <-> ENABLED <-> POLICY-SOCIAL Pidgin MSN MSNP2P message integer overflow attempt (policy-social.rules)
* 3:14260 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (os-windows.rules)
* 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:14251 <-> ENABLED <-> OS-WINDOWS Microsoft GDI malformed metarecord buffer overflow attempt (os-windows.rules)
* 3:13979 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules)
* 3:13978 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX function call unicode access (browser-plugins.rules)
* 3:13977 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX function call access (browser-plugins.rules)
* 3:13975 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX clsid access (browser-plugins.rules)
* 3:13976 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX clsid unicode access (browser-plugins.rules)
* 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
* 3:13958 <-> ENABLED <-> FILE-OFFICE WordPerfect Graphics file invalid RLE buffer overflow attempt (file-office.rules)
* 3:13954 <-> ENABLED <-> OS-WINDOWS Microsoft Color Management System EMF file processing overflow attempt (os-windows.rules)
* 3:13947 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (file-image.rules)
* 3:13946 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (file-image.rules)
* 3:13922 <-> ENABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
* 3:13921 <-> ENABLED <-> SERVER-MAIL Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (server-mail.rules)
* 3:13897 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime crgn atom parsing stack buffer overflow attempt (file-multimedia.rules)
* 3:13887 <-> ENABLED <-> PROTOCOL-DNS dns root nameserver poisoning attempt (protocol-dns.rules)
* 3:13879 <-> ENABLED <-> OS-WINDOWS Windows BMP image conversion arbitrary code execution attempt (os-windows.rules)
* 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
* 3:13417 <-> ENABLED <-> SERVER-OTHER Citrix MetaFrame IMA authentication processing buffer overflow attempt (server-other.rules)
* 3:13308 <-> ENABLED <-> SERVER-APACHE Apache HTTP server auth_ldap logging function format string vulnerability (server-apache.rules)
* 3:13287 <-> ENABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
* 3:12636 <-> ENABLED <-> PROTOCOL-NNTP XHDR buffer overflow attempt (protocol-nntp.rules)
* 3:12028 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange Server MIME base64 decoding code execution attempt (server-mail.rules)
* 3:11672 <-> ENABLED <-> BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt (browser-other.rules)
* 3:11619 <-> ENABLED <-> SERVER-MYSQL MySQL COM_TABLE_DUMP Function Stack Overflow attempt (server-mysql.rules)
* 3:10480 <-> ENABLED <-> SERVER-OTHER imail ldap buffer overflow exploit attempt (server-other.rules)
* 3:10127 <-> ENABLED <-> OS-WINDOWS Microsoft IP Options denial of service (os-windows.rules)