VRT Rules 2014-08-21
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the bad-traffic, blacklist, browser-ie, chat, dos, exploit, file-flash, file-other, file-pdf, icmp, imap, malware-cnc, misc, multimedia, netbios, nntp, p2p, smtp, snmp, specific-threats, web-activex, web-client and web-misc rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-08-21 14:41:59 UTC

Sourcefire VRT Rules Update

Date: 2014-08-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31684 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-origin security policy bypass attempt (file-flash.rules)
 * 1:31687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:31676 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
 * 1:31674 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
 * 1:31682 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur download attempt (malware-cnc.rules)
 * 1:31673 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URL handling remote code execution attempt (file-flash.rules)
 * 1:31688 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor (blacklist.rules)
 * 1:31670 <-> ENABLED <-> FILE-OTHER Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt (file-other.rules)
 * 1:31689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection (malware-cnc.rules)
 * 1:31681 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur download attempt (malware-cnc.rules)
 * 1:31679 <-> ENABLED <-> FILE-FLASH Adobe Flash valueOf memory leak attempt (file-flash.rules)
 * 1:31672 <-> ENABLED <-> MALWARE-CNC Inbound command to php based DoS bot (malware-cnc.rules)
 * 1:31669 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
 * 1:31683 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur variant outbound connection (malware-cnc.rules)
 * 1:31680 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tirabot variant outbound connection (malware-cnc.rules)
 * 1:31678 <-> ENABLED <-> FILE-FLASH Adobe Flash valueOf memory leak attempt (file-flash.rules)
 * 1:31686 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:31675 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
 * 1:31685 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-origin security policy bypass attempt (file-flash.rules)
 * 1:31677 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
 * 1:31671 <-> ENABLED <-> FILE-OTHER Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt (file-other.rules)

Modified Rules:

 * 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
 * 1:31631 <-> ENABLED <-> BLACKLIST DNS request for known malware domain games-playbox.com (blacklist.rules)
 * 1:18403 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Data Source Object memory corruption attempt (browser-ie.rules)
 * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:25460 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules)
 * 1:31632 <-> ENABLED <-> BLACKLIST DNS request for known malware domain worldvoicetrip.com (blacklist.rules)
 * 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
 * 1:25459 <-> ENABLED <-> FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules)
 * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 3:18673 <-> ENABLED <-> WEB-CLIENT Microsoft Fax Cover Page Editor heap corruption attempt (web-client.rules)
 * 3:24671 <-> ENABLED <-> EXPLOIT Microsoft Windows Explorer briefcase database memory corruption attempt (exploit.rules)
 * 3:24596 <-> ENABLED <-> EXPLOIT Oracle Reports Servlet information disclosure attempt (exploit.rules)
 * 3:21355 <-> ENABLED <-> BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid (bad-traffic.rules)
 * 3:31616 <-> ENABLED <-> BAD-TRAFFIC Cisco IOS EnergyWise malformed packet denial of service attempt (bad-traffic.rules)
 * 3:18669 <-> ENABLED <-> WEB-CLIENT cross-domain object mainpulation attempt (web-client.rules)
 * 3:18667 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18665 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18666 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18663 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18664 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18661 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18662 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18641 <-> ENABLED <-> SPECIFIC_THREATS Excel OBJ record invalid cmo.ot exploit attempt (specific-threats.rules)
 * 3:18660 <-> ENABLED <-> NETBIOS SMB2 write packet buffer overflow attempt (netbios.rules)
 * 3:18640 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed SupBook record attempt (web-client.rules)
 * 3:18630 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules)
 * 3:18631 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules)
 * 3:18449 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat font definition memory corruption attempt (specific-threats.rules)
 * 3:18501 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Malware Protection Engine elevation of privilege attempt (specific-threats.rules)
 * 3:18412 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (specific-threats.rules)
 * 3:18414 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Kerberos auth downgrade to DES MITM attempt (web-client.rules)
 * 3:18410 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt (specific-threats.rules)
 * 3:18411 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (specific-threats.rules)
 * 3:18405 <-> ENABLED <-> SPECIFIC-THREATS Microsoft LSASS domain name buffer overflow attempt (specific-threats.rules)
 * 3:18409 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt (specific-threats.rules)
 * 3:18400 <-> ENABLED <-> SPECIFIC-THREATS MS CRSS local process allowed to persist through logon or logoff attempt (specific-threats.rules)
 * 3:18220 <-> ENABLED <-> WEB-CLIENT Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (web-client.rules)
 * 3:18249 <-> ENABLED <-> ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Route Information stack buffer overflow attempt (icmp.rules)
 * 3:18213 <-> ENABLED <-> SPECIFIC-THREATS MS Publisher column and row remote code execution attempt (specific-threats.rules)
 * 3:18101 <-> ENABLED <-> EXPLOIT Sun Directory Server LDAP denial of service attempt (exploit.rules)
 * 3:18063 <-> ENABLED <-> WEB-CLIENT Microsoft Office embedded Office Art drawings execution attempt (web-client.rules)
 * 3:18064 <-> ENABLED <-> EXPLOIT Microsoft .NET framework EntityObject execution attempt (exploit.rules)
 * 3:17765 <-> ENABLED <-> WEB-CLIENT OpenType Font file parsing buffer overflow attempt (web-client.rules)
 * 3:17775 <-> ENABLED <-> SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (misc.rules)
 * 3:17741 <-> ENABLED <-> EXPLOIT MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (exploit.rules)
 * 3:17762 <-> ENABLED <-> WEB-CLIENT Microsoft Excel corrupted TABLE record clean up exploit attempt (web-client.rules)
 * 3:17699 <-> ENABLED <-> SNMP Multiple vendor SNMPv3 HMAC handling authentication bypass attempt (snmp.rules)
 * 3:17700 <-> ENABLED <-> WEB-CLIENT RealNetworks RealPlayer wav chunk string overflow attempt (web-client.rules)
 * 3:17697 <-> ENABLED <-> SMTP GnuPG Message Packet Length overflow attempt (smtp.rules)
 * 3:17696 <-> ENABLED <-> EXPLOIT Microsoft DNS Server ANY query cache weakness (exploit.rules)
 * 3:17693 <-> ENABLED <-> SMTP MailEnable NTLM Authentication buffer overflow attempt (smtp.rules)
 * 3:17665 <-> ENABLED <-> WEB-CLIENT OpenOffice Word document table parsing multiple heap based buffer overflow attempt (web-client.rules)
 * 3:17667 <-> ENABLED <-> MISC Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (misc.rules)
 * 3:17647 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (web-client.rules)
 * 3:17663 <-> ENABLED <-> EXPLOIT Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt (exploit.rules)
 * 3:17608 <-> ENABLED <-> WEB-CLIENT Apple QuickTime color table atom movie file handling heap corruption attempt (web-client.rules)
 * 3:17632 <-> ENABLED <-> SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow (snmp.rules)
 * 3:17251 <-> ENABLED <-> SMTP Outlook RTF remote code execution attempt (smtp.rules)
 * 3:17300 <-> ENABLED <-> MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (multimedia.rules)
 * 3:17242 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF file arbitrary code execution attempt (web-client.rules)
 * 3:17199 <-> ENABLED <-> WEB-CLIENT Adobe Director file file lRTX overflow attempt (web-client.rules)
 * 3:17201 <-> ENABLED <-> WEB-CLIENT Adobe Director file file LsCM overflow attempt (web-client.rules)
 * 3:17118 <-> ENABLED <-> EXPLOIT Microsoft .NET CreateDelegate method arbitrary code execution attempt (exploit.rules)
 * 3:17126 <-> ENABLED <-> NETBIOS SMB large session length with small packet (netbios.rules)
 * 3:16662 <-> ENABLED <-> WEB-CLIENT Microsoft Excel SxView heap overflow attempt (web-client.rules)
 * 3:17041 <-> ENABLED <-> WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt (web-misc.rules)
 * 3:16577 <-> ENABLED <-> NETBIOS Microsoft Windows SMBv2 compound request DoS attempt (netbios.rules)
 * 3:16649 <-> ENABLED <-> WEB-CLIENT Microsoft Excel HFPicture record stack buffer overflow attempt (web-client.rules)
 * 3:16563 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 3 (exploit.rules)
 * 3:16564 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 4 (exploit.rules)
 * 3:16561 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 1 (exploit.rules)
 * 3:16562 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 2 (exploit.rules)
 * 3:16534 <-> ENABLED <-> DOS Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (dos.rules)
 * 3:16533 <-> ENABLED <-> BAD-TRAFFIC Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (bad-traffic.rules)
 * 3:16415 <-> ENABLED <-> WEB-CLIENT Microsoft DirectShow memory corruption attempt (web-client.rules)
 * 3:16530 <-> ENABLED <-> WEB-CLIENT CAB SIP authenticode alteration attempt (web-client.rules)
 * 3:16405 <-> ENABLED <-> ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt (icmp.rules)
 * 3:16408 <-> ENABLED <-> DOS Microsoft Windows TCP SACK invalid range denial of service attempt (dos.rules)
 * 3:16394 <-> ENABLED <-> DOS Active Directory Kerberos referral TGT renewal DoS attempt (dos.rules)
 * 3:16395 <-> ENABLED <-> NETBIOS SMB COPY command oversized pathname attempt (netbios.rules)
 * 3:16375 <-> ENABLED <-> EXPLOIT LDAP object parameter name buffer overflow attempt (exploit.rules)
 * 3:16370 <-> ENABLED <-> WEB-CLIENT Adobe Reader JP2C Region Atom CompNum memory corruption attempt (web-client.rules)
 * 3:16343 <-> ENABLED <-> WEB-CLIENT obfuscated header in PDF (web-client.rules)
 * 3:16320 <-> ENABLED <-> WEB-CLIENT Adobe PNG empty sPLT exploit attempt (web-client.rules)
 * 3:16329 <-> ENABLED <-> EXPLOIT Microsoft Internet Authentication Service EAP-MSCHAPv2 authentication bypass attempt (exploit.rules)
 * 3:16232 <-> ENABLED <-> WEB-CLIENT Windows TrueType font file parsing integer overflow attempt (web-client.rules)
 * 3:16237 <-> ENABLED <-> DOS Microsoft Active Directory NTDSA stack space exhaustion attempt (dos.rules)
 * 3:16228 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed StartObject record arbitrary code execution attempt (web-client.rules)
 * 3:16230 <-> ENABLED <-> WEB-CLIENT Microsoft Excel oversized ib memory corruption attempt (web-client.rules)
 * 3:16222 <-> ENABLED <-> WEB-CLIENT Malformed BMP dimensions arbitrary code execution attempt (web-client.rules)
 * 3:16227 <-> ENABLED <-> WEB-MISC Web Service on Devices API WSDAPI URL processing buffer corruption attempt (web-misc.rules)
 * 3:16179 <-> ENABLED <-> EXPLOIT Microsoft .NET MSIL CLR interface multiple instantiation attempt (exploit.rules)
 * 3:16182 <-> ENABLED <-> EXPLOIT Microsoft .NET MSIL stack corruption attempt (exploit.rules)
 * 3:16156 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF marker object memory corruption attempt (web-client.rules)
 * 3:16158 <-> ENABLED <-> WEB-CLIENT malformed ASF codec memory corruption attempt (web-client.rules)
 * 3:15976 <-> ENABLED <-> WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt (web-client.rules)
 * 3:16154 <-> ENABLED <-> WEB-CLIENT GDI+ .NET image property parsing memory corruption (web-client.rules)
 * 3:15975 <-> ENABLED <-> WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt (web-client.rules)
 * 3:15973 <-> ENABLED <-> EXPLOIT Novell eDirectory LDAP null search parameter buffer overflow attempt (exploit.rules)
 * 3:15974 <-> ENABLED <-> EXPLOIT Microsoft IIS ASP handling buffer overflow attempt (exploit.rules)
 * 3:15968 <-> ENABLED <-> EXPLOIT LANDesk Management Suite QIP service heal packet buffer overflow attempt (exploit.rules)
 * 3:15920 <-> ENABLED <-> WEB-CLIENT Microsoft mp3 malformed APIC header RCE attempt (web-client.rules)
 * 3:15959 <-> ENABLED <-> DOS Microsoft ASP.NET viewstate DoS attempt (dos.rules)
 * 3:15857 <-> ENABLED <-> WEB-CLIENT Microsoft Windows AVIFile media file invalid header length (web-client.rules)
 * 3:15912 <-> ENABLED <-> BAD-TRAFFIC TCP window closed before receiving data (bad-traffic.rules)
 * 3:15851 <-> ENABLED <-> DOS Microsoft ASP.NET bad request denial of service attempt (dos.rules)
 * 3:15847 <-> ENABLED <-> NETBIOS Telnet-based NTLM replay attack attempt (netbios.rules)
 * 3:15848 <-> ENABLED <-> EXPLOIT WINS replication request memory corruption attempt (exploit.rules)
 * 3:15700 <-> ENABLED <-> EXPLOIT dhclient subnet mask option buffer overflow attempt (exploit.rules)
 * 3:15734 <-> ENABLED <-> BAD-TRAFFIC BIND named 9 dynamic update message remote dos attempt (bad-traffic.rules)
 * 3:15528 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (netbios.rules)
 * 3:15683 <-> ENABLED <-> WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt (web-misc.rules)
 * 3:15522 <-> ENABLED <-> DOS Active Directory invalid OID denial of service attempt (dos.rules)
 * 3:15519 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel BRAI record remote code execution attempt (web-client.rules)
 * 3:15521 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel ExternSheet record remote code execution attempt (web-client.rules)
 * 3:15498 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint CString atom overflow attempt (web-client.rules)
 * 3:15503 <-> ENABLED <-> WEB-CLIENT Download of PowerPoint 95 file (web-client.rules)
 * 3:15470 <-> ENABLED <-> WEB-MISC IIS ASP/ASP.NET potentially malicious file upload attempt (web-misc.rules)
 * 3:15474 <-> ENABLED <-> BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (bad-traffic.rules)
 * 3:15456 <-> ENABLED <-> EXPLOIT WinHTTP SSL/TLS impersonation attempt (exploit.rules)
 * 3:15465 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed object record remote code execution attempt (web-client.rules)
 * 3:15453 <-> ENABLED <-> NETBIOS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (netbios.rules)
 * 3:15454 <-> ENABLED <-> WEB-CLIENT Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (web-client.rules)
 * 3:15451 <-> ENABLED <-> EXPLOIT possible Conficker.C HTTP traffic 1 (exploit.rules)
 * 3:15452 <-> ENABLED <-> EXPLOIT possible Conficker.C HTTP traffic 2 (exploit.rules)
 * 3:15450 <-> ENABLED <-> BAD-TRAFFIC Conficker C/D DNS traffic detected (bad-traffic.rules)
 * 3:15449 <-> ENABLED <-> BAD-TRAFFIC Conficker A/B DNS traffic detected (bad-traffic.rules)
 * 3:15365 <-> ENABLED <-> WEB-CLIENT Microsoft Excel extrst record arbitrary code excecution attempt (web-client.rules)
 * 3:15433 <-> ENABLED <-> WEB-CLIENT Winamp MAKI parsing integer overflow attempt (web-client.rules)
 * 3:15328 <-> ENABLED <-> WEB-CLIENT Sun JDK image parsing library ICC buffer overflow attempt (web-client.rules)
 * 3:15329 <-> ENABLED <-> SMTP Microsoft Exchange MODPROPS memory corruption attempt (smtp.rules)
 * 3:15301 <-> ENABLED <-> SMTP Exchange compressed RTF remote code execution attempt (smtp.rules)
 * 3:15327 <-> ENABLED <-> BAD-TRAFFIC libspf2 DNS TXT record parsing buffer overflow attempt (bad-traffic.rules)
 * 3:15300 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer EMF polyline overflow attempt (web-client.rules)
 * 3:15298 <-> ENABLED <-> WEB-CLIENT Microsoft Visio could allow remote code execution (web-client.rules)
 * 3:15149 <-> ENABLED <-> DOS Oracle Internet Directory pre-auth ldap denial of service attempt (dos.rules)
 * 3:15125 <-> ENABLED <-> WEB-CLIENT Microsoft Word rich text file unpaired dpendgroup exploit attempt (web-client.rules)
 * 3:15148 <-> ENABLED <-> DOS Microsoft SMS remote control client message length denial of service attempt (dos.rules)
 * 3:15121 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call unicode access (web-activex.rules)
 * 3:15124 <-> ENABLED <-> NETBIOS Web-based NTLM replay attack attempt (netbios.rules)
 * 3:15119 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid unicode access (web-activex.rules)
 * 3:15120 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call access (web-activex.rules)
 * 3:15117 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed OBJ record arbitrary code execution attempt (web-client.rules)
 * 3:15118 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid access (web-activex.rules)
 * 3:14772 <-> ENABLED <-> WEB-CLIENT libpng malformed chunk denial of service attempt (web-client.rules)
 * 3:15009 <-> ENABLED <-> NETBIOS possible SMB replay attempt - overlapping encryption keys detected (netbios.rules)
 * 3:14646 <-> ENABLED <-> DOS Active Directory malformed baseObject denial of service attempt (dos.rules)
 * 3:14655 <-> ENABLED <-> WEB-CLIENT Excel rept integer underflow attempt (web-client.rules)
 * 3:14260 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (web-client.rules)
 * 3:14263 <-> ENABLED <-> CHAT Pidgin MSN MSNP2P message integer overflow attempt (chat.rules)
 * 3:14254 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
 * 3:14252 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
 * 3:14253 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
 * 3:13979 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System Subscription VBScript access (web-client.rules)
 * 3:14251 <-> ENABLED <-> EXPLOIT Microsoft GDI malformed metarecord buffer overflow attempt (exploit.rules)
 * 3:13977 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX function call access (web-client.rules)
 * 3:13978 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX function call unicode access (web-client.rules)
 * 3:13975 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX clsid access (web-client.rules)
 * 3:13976 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX clsid unicode access (web-client.rules)
 * 3:13958 <-> ENABLED <-> WEB-CLIENT WordPerfect Graphics file invalid RLE buffer overflow attempt (web-client.rules)
 * 3:13969 <-> ENABLED <-> WEB-CLIENT Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (web-client.rules)
 * 3:13947 <-> ENABLED <-> WEB-CLIENT Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (web-client.rules)
 * 3:13954 <-> ENABLED <-> WEB-CLIENT Microsoft Color Management System EMF file processing overflow attempt (web-client.rules)
 * 3:13946 <-> ENABLED <-> WEB-CLIENT Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (web-client.rules)
 * 3:13922 <-> ENABLED <-> WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (web-iis.rules)
 * 3:13897 <-> ENABLED <-> EXPLOIT Apple Quicktime crgn atom parsing stack buffer overflow attempt (exploit.rules)
 * 3:13921 <-> ENABLED <-> IMAP Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (imap.rules)
 * 3:13879 <-> ENABLED <-> WEB-CLIENT Windows BMP image conversion arbitrary code execution attempt (web-client.rules)
 * 3:13887 <-> ENABLED <-> BAD-TRAFFIC dns root nameserver poisoning attempt (bad-traffic.rules)
 * 3:13826 <-> ENABLED <-> EXPLOIT Microsoft WINS arbitrary memory modification attempt (exploit.rules)
 * 3:13835 <-> ENABLED <-> DOS Microsoft Active Directory LDAP cookie denial of service attempt (dos.rules)
 * 3:13825 <-> ENABLED <-> DOS Microsoft PGM fragment denial of service attempt (dos.rules)
 * 3:13803 <-> ENABLED <-> WEB-CLIENT RTF control word overflow attempt (web-client.rules)
 * 3:13802 <-> ENABLED <-> WEB-CLIENT Microsoft malware protection engine denial of service attempt (web-client.rules)
 * 3:13790 <-> ENABLED <-> WEB-CLIENT Microsoft Word malformed css remote code execution attempt (web-client.rules)
 * 3:13798 <-> ENABLED <-> WEB-CLIENT Microsoft malware protection engine denial of service attempt (web-client.rules)
 * 3:13718 <-> ENABLED <-> SMTP BDAT buffer overflow attempt (smtp.rules)
 * 3:13773 <-> ENABLED <-> DOS linux kernel snmp nat netfilter memory corruption attempt (dos.rules)
 * 3:13667 <-> ENABLED <-> BAD-TRAFFIC dns cache poisoning attempt (bad-traffic.rules)
 * 3:13676 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI emf filename buffer overflow attempt (web-client.rules)
 * 3:13582 <-> ENABLED <-> WEB-CLIENT Microsoft Excel sst record arbitrary code execution attempt (web-client.rules)
 * 3:13666 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI integer overflow attempt (web-client.rules)
 * 3:13510 <-> ENABLED <-> EXPLOIT Novell eDirectory EventsRequest heap overflow attempt (exploit.rules)
 * 3:13511 <-> ENABLED <-> EXPLOIT Novell eDirectory EventsRequest invalid event count exploit attempt (exploit.rules)
 * 3:13475 <-> ENABLED <-> DOS Microsoft Active Directory LDAP denial of service attempt (dos.rules)
 * 3:13476 <-> ENABLED <-> WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (web-iis.rules)
 * 3:13469 <-> ENABLED <-> WEB-CLIENT Microsoft Word ole stream memory corruption attempt (web-client.rules)
 * 3:13471 <-> ENABLED <-> EXPLOIT Microsoft Publisher invalid pathname overwrite (exploit.rules)
 * 3:13450 <-> ENABLED <-> BAD-TRAFFIC invalid dhcp offer denial of service attempt (bad-traffic.rules)
 * 3:13418 <-> ENABLED <-> DOS IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (dos.rules)
 * 3:13425 <-> ENABLED <-> DOS openldap server bind request denial of service attempt (dos.rules)
 * 3:13308 <-> ENABLED <-> WEB-MISC Apache HTTP server auth_ldap logging function format string vulnerability (web-misc.rules)
 * 3:13417 <-> ENABLED <-> EXPLOIT Citrix MetaFrame IMA authentication processing buffer overflow attempt (exploit.rules)
 * 3:12636 <-> ENABLED <-> NNTP XHDR buffer overflow attempt (nntp.rules)
 * 3:13287 <-> ENABLED <-> BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt (bad-traffic.rules)
 * 3:31451 <-> ENABLED <-> EXPLOIT Cisco Unified IP phone BVSMWeb portal attack attempt (exploit.rules)
 * 3:31615 <-> ENABLED <-> BAD-TRAFFIC Cisco IOS EnergyWise malformed packet denial of service attempt (bad-traffic.rules)
 * 3:7019 <-> ENABLED <-> P2P WinNY connection attempt (p2p.rules)
 * 3:7196 <-> ENABLED <-> EXPLOIT Microsoft DHCP option overflow attempt (exploit.rules)
 * 3:8092 <-> ENABLED <-> DOS IGMP IP Options validation attempt (dos.rules)
 * 3:8351 <-> ENABLED <-> BAD-TRAFFIC PGM nak list overflow attempt (bad-traffic.rules)
 * 3:18676 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel DV record buffer overflow attempt (web-client.rules)
 * 3:23180 <-> ENABLED <-> SMTP obfuscated header in PDF attachment (web-client.rules)
 * 3:21354 <-> ENABLED <-> BAD-TRAFFIC dns query - storing query and txid (bad-traffic.rules)
 * 3:21352 <-> ENABLED <-> SMTP Microsoft Fax Cover Page Editor heap corruption attempt (web-client.rules)
 * 3:24595 <-> ENABLED <-> EXPLOIT Oracle Reports Server information disclosure attempt (exploit.rules)
 * 3:24666 <-> ENABLED <-> EXPLOIT Excel invalid data item buffer overflow attempt (exploit.rules)
 * 3:26214 <-> ENABLED <-> MISC g01 exploit kit dns request - dnsalias.com (misc.rules)
 * 3:26213 <-> ENABLED <-> MISC g01 exploit kit dns request - doesntexist.com (misc.rules)
 * 3:10127 <-> ENABLED <-> DOS Microsoft IP Options denial of service (dos.rules)
 * 3:10480 <-> ENABLED <-> EXPLOIT imail ldap buffer overflow exploit attempt (exploit.rules)
 * 3:11619 <-> ENABLED <-> MISC MySQL COM_TABLE_DUMP Function Stack Overflow attempt (misc.rules)
 * 3:11672 <-> ENABLED <-> MISC Mozilla Network Security Services SSLv2 stack overflow attempt (misc.rules)
 * 3:12028 <-> ENABLED <-> SMTP Microsoft Exchange Server MIME base64 decoding code execution attempt (smtp.rules)
 * 3:31361 <-> ENABLED <-> EXPLOIT OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (exploit.rules)
 * 3:22089 <-> ENABLED <-> WEB-CLIENT Microsoft RTF improper listoverride nesting attempt (web-client.rules)
 * 3:30884 <-> ENABLED <-> BAD-TRAFFIC Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (bad-traffic.rules)
 * 3:30890 <-> ENABLED <-> BAD-TRAFFIC Content-Type media type overflow denial of service attempt (bad-traffic.rules)
 * 3:30903 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30885 <-> ENABLED <-> BAD-TRAFFIC Cisco SIP malformed date header buffer overflow attempt (bad-traffic.rules)
 * 3:30913 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:20135 <-> ENABLED <-> EXPLOIT HP OpenView Storage Data Protector buffer overflow attempt (exploit.rules)
 * 3:29945 <-> ENABLED <-> EXPLOIT Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (exploit.rules)
 * 3:30888 <-> ENABLED <-> WEB-MISC Cisco Tshell command injection attempt (web-misc.rules)
 * 3:26972 <-> ENABLED <-> EXPLOIT CUPS IPP multi-valued attribute memory corruption attempt (exploit.rules)
 * 3:23040 <-> ENABLED <-> DNS Multiple vendor DNS message decompression denial of service attempt (dos.rules)
 * 3:21619 <-> ENABLED <-> EXPLOIT Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (exploit.rules)
 * 3:23039 <-> ENABLED <-> DNS Multiple vendor DNS message decompression denial of service attempt (dos.rules)
 * 3:30902 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:28488 <-> ENABLED <-> WEB-CLIENT Microsoft GDI library TIFF handling memory corruption attempt (web-client.rules)
 * 3:30929 <-> ENABLED <-> WEB-MISC Cisco RV180 VPN CSRF attempt (web-misc.rules)
 * 3:19187 <-> ENABLED <-> BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt (bad-traffic.rules)
 * 3:30912 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30282 <-> ENABLED <-> DOS Cisco IOS SIP header denial of service attempt (dos.rules)
 * 3:28487 <-> ENABLED <-> WEB-CLIENT Microsoft GDI library TIFF handling memory corruption attempt (web-client.rules)
 * 3:30889 <-> ENABLED <-> BAD-TRAFFIC Content-Type media type overflow denial of service attempt (bad-traffic.rules)
 * 3:26877 <-> ENABLED <-> DOS Microsoft Windows TCPRecomputeMss denial of service attempt (dos.rules)
 * 3:20825 <-> ENABLED <-> DOS generic web server hashing collision attack (dos.rules)
 * 3:23182 <-> ENABLED <-> WEB-MISC SFVRT-1009 attack attempt (web-misc.rules)
 * 3:30933 <-> ENABLED <-> WEB-MISC Cisco RV180 VPN remote code execution attempt (web-misc.rules)
 * 3:29944 <-> ENABLED <-> EXPLOIT Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (exploit.rules)
 * 3:30922 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
 * 3:18949 <-> ENABLED <-> WEB-CLIENT PowerPoint malformed RecolorInfoAtom exploit attempt (web-client.rules)
 * 3:26215 <-> ENABLED <-> MISC g01 exploit kit dns request - dynalias.com (misc.rules)
 * 3:23608 <-> ENABLED <-> BAD-TRAFFIC dns zone transfer with zero-length rdata attempt (bad-traffic.rules)
 * 3:30881 <-> ENABLED <-> BAD-TRAFFIC dns request with long host name segment - possible data exfiltration attempt (bad-traffic.rules)
 * 3:30886 <-> ENABLED <-> BAD-TRAFFIC Cisco SIP malformed date header buffer overflow attempt (bad-traffic.rules)
 * 3:19350 <-> ENABLED <-> WEB-CLIENT Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (web-client.rules)
 * 3:30921 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
 * 3:27906 <-> ENABLED <-> EXPLOIT MIT Kerberos KDC prep_reprocess_req null pointer dereference attempt (exploit.rules)
 * 3:30901 <-> ENABLED <-> WEB-CLIENT known malicious flash actionscript decryption routine (web-client.rules)
 * 3:30932 <-> ENABLED <-> EXPLOIT Cisco WebEx WRF heap corruption attempt (exploit.rules)
 * 3:30283 <-> ENABLED <-> DOS Cisco IOS SIP header denial of service attempt (dos.rules)
 * 3:24597 <-> ENABLED <-> EXPLOIT Oracle Reports Servlet information disclosure attempt (exploit.rules)
 * 3:24971 <-> ENABLED <-> EXPLOIT Microsoft Windows ATMFD Adobe font driver reserved command denial of service attempt (exploit.rules)
 * 3:30887 <-> ENABLED <-> WEB-MISC Cisco Tshell command injection attempt (web-misc.rules)
 * 3:30931 <-> ENABLED <-> WEB-MISC Cisco RV180W remote file inclusion attempt (web-misc.rules)
 * 3:31398 <-> ENABLED <-> BAD-TRAFFIC Cisco Unified IP phone BVSMWeb portal attack attempt (bad-traffic.rules)
 * 3:30942 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)
 * 3:30943 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)

2014-08-21 14:41:59 UTC

Sourcefire VRT Rules Update

Date: 2014-08-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31671 <-> ENABLED <-> FILE-OTHER Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt (file-other.rules)
 * 1:31677 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
 * 1:31675 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
 * 1:31686 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:31680 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tirabot variant outbound connection (malware-cnc.rules)
 * 1:31678 <-> ENABLED <-> FILE-FLASH Adobe Flash valueOf memory leak attempt (file-flash.rules)
 * 1:31683 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur variant outbound connection (malware-cnc.rules)
 * 1:31669 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
 * 1:31672 <-> ENABLED <-> MALWARE-CNC Inbound command to php based DoS bot (malware-cnc.rules)
 * 1:31679 <-> ENABLED <-> FILE-FLASH Adobe Flash valueOf memory leak attempt (file-flash.rules)
 * 1:31681 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur download attempt (malware-cnc.rules)
 * 1:31689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection (malware-cnc.rules)
 * 1:31670 <-> ENABLED <-> FILE-OTHER Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt (file-other.rules)
 * 1:31688 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor (blacklist.rules)
 * 1:31673 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URL handling remote code execution attempt (file-flash.rules)
 * 1:31682 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur download attempt (malware-cnc.rules)
 * 1:31674 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
 * 1:31676 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
 * 1:31687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:31684 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-origin security policy bypass attempt (file-flash.rules)
 * 1:31685 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-origin security policy bypass attempt (file-flash.rules)

Modified Rules:


 * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:31632 <-> ENABLED <-> BLACKLIST DNS request for known malware domain worldvoicetrip.com (blacklist.rules)
 * 1:25459 <-> ENABLED <-> FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules)
 * 1:25460 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules)
 * 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
 * 1:18403 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Data Source Object memory corruption attempt (browser-ie.rules)
 * 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
 * 1:31631 <-> ENABLED <-> BLACKLIST DNS request for known malware domain games-playbox.com (blacklist.rules)
 * 3:10127 <-> ENABLED <-> DOS Microsoft IP Options denial of service (dos.rules)
 * 3:10480 <-> ENABLED <-> EXPLOIT imail ldap buffer overflow exploit attempt (exploit.rules)
 * 3:11619 <-> ENABLED <-> MISC MySQL COM_TABLE_DUMP Function Stack Overflow attempt (misc.rules)
 * 3:11672 <-> ENABLED <-> MISC Mozilla Network Security Services SSLv2 stack overflow attempt (misc.rules)
 * 3:12028 <-> ENABLED <-> SMTP Microsoft Exchange Server MIME base64 decoding code execution attempt (smtp.rules)
 * 3:12636 <-> ENABLED <-> NNTP XHDR buffer overflow attempt (nntp.rules)
 * 3:13287 <-> ENABLED <-> BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt (bad-traffic.rules)
 * 3:13308 <-> ENABLED <-> WEB-MISC Apache HTTP server auth_ldap logging function format string vulnerability (web-misc.rules)
 * 3:13417 <-> ENABLED <-> EXPLOIT Citrix MetaFrame IMA authentication processing buffer overflow attempt (exploit.rules)
 * 3:13418 <-> ENABLED <-> DOS IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (dos.rules)
 * 3:13425 <-> ENABLED <-> DOS openldap server bind request denial of service attempt (dos.rules)
 * 3:13450 <-> ENABLED <-> BAD-TRAFFIC invalid dhcp offer denial of service attempt (bad-traffic.rules)
 * 3:13469 <-> ENABLED <-> WEB-CLIENT Microsoft Word ole stream memory corruption attempt (web-client.rules)
 * 3:13471 <-> ENABLED <-> EXPLOIT Microsoft Publisher invalid pathname overwrite (exploit.rules)
 * 3:13475 <-> ENABLED <-> DOS Microsoft Active Directory LDAP denial of service attempt (dos.rules)
 * 3:13476 <-> ENABLED <-> WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (web-iis.rules)
 * 3:13510 <-> ENABLED <-> EXPLOIT Novell eDirectory EventsRequest heap overflow attempt (exploit.rules)
 * 3:13511 <-> ENABLED <-> EXPLOIT Novell eDirectory EventsRequest invalid event count exploit attempt (exploit.rules)
 * 3:13582 <-> ENABLED <-> WEB-CLIENT Microsoft Excel sst record arbitrary code execution attempt (web-client.rules)
 * 3:13666 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI integer overflow attempt (web-client.rules)
 * 3:13667 <-> ENABLED <-> BAD-TRAFFIC dns cache poisoning attempt (bad-traffic.rules)
 * 3:13676 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI emf filename buffer overflow attempt (web-client.rules)
 * 3:13718 <-> ENABLED <-> SMTP BDAT buffer overflow attempt (smtp.rules)
 * 3:13773 <-> ENABLED <-> DOS linux kernel snmp nat netfilter memory corruption attempt (dos.rules)
 * 3:13790 <-> ENABLED <-> WEB-CLIENT Microsoft Word malformed css remote code execution attempt (web-client.rules)
 * 3:13798 <-> ENABLED <-> WEB-CLIENT Microsoft malware protection engine denial of service attempt (web-client.rules)
 * 3:13802 <-> ENABLED <-> WEB-CLIENT Microsoft malware protection engine denial of service attempt (web-client.rules)
 * 3:13803 <-> ENABLED <-> WEB-CLIENT RTF control word overflow attempt (web-client.rules)
 * 3:13825 <-> ENABLED <-> DOS Microsoft PGM fragment denial of service attempt (dos.rules)
 * 3:13826 <-> ENABLED <-> EXPLOIT Microsoft WINS arbitrary memory modification attempt (exploit.rules)
 * 3:13835 <-> ENABLED <-> DOS Microsoft Active Directory LDAP cookie denial of service attempt (dos.rules)
 * 3:13879 <-> ENABLED <-> WEB-CLIENT Windows BMP image conversion arbitrary code execution attempt (web-client.rules)
 * 3:13887 <-> ENABLED <-> BAD-TRAFFIC dns root nameserver poisoning attempt (bad-traffic.rules)
 * 3:13897 <-> ENABLED <-> EXPLOIT Apple Quicktime crgn atom parsing stack buffer overflow attempt (exploit.rules)
 * 3:13921 <-> ENABLED <-> IMAP Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (imap.rules)
 * 3:13922 <-> ENABLED <-> WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (web-iis.rules)
 * 3:13946 <-> ENABLED <-> WEB-CLIENT Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (web-client.rules)
 * 3:13947 <-> ENABLED <-> WEB-CLIENT Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (web-client.rules)
 * 3:13954 <-> ENABLED <-> WEB-CLIENT Microsoft Color Management System EMF file processing overflow attempt (web-client.rules)
 * 3:13958 <-> ENABLED <-> WEB-CLIENT WordPerfect Graphics file invalid RLE buffer overflow attempt (web-client.rules)
 * 3:13969 <-> ENABLED <-> WEB-CLIENT Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (web-client.rules)
 * 3:13975 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX clsid access (web-client.rules)
 * 3:13976 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX clsid unicode access (web-client.rules)
 * 3:13977 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX function call access (web-client.rules)
 * 3:13978 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX function call unicode access (web-client.rules)
 * 3:13979 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System Subscription VBScript access (web-client.rules)
 * 3:14251 <-> ENABLED <-> EXPLOIT Microsoft GDI malformed metarecord buffer overflow attempt (exploit.rules)
 * 3:14252 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
 * 3:14253 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
 * 3:14254 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
 * 3:14260 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (web-client.rules)
 * 3:14263 <-> ENABLED <-> CHAT Pidgin MSN MSNP2P message integer overflow attempt (chat.rules)
 * 3:14646 <-> ENABLED <-> DOS Active Directory malformed baseObject denial of service attempt (dos.rules)
 * 3:14655 <-> ENABLED <-> WEB-CLIENT Excel rept integer underflow attempt (web-client.rules)
 * 3:14772 <-> ENABLED <-> WEB-CLIENT libpng malformed chunk denial of service attempt (web-client.rules)
 * 3:15009 <-> ENABLED <-> NETBIOS possible SMB replay attempt - overlapping encryption keys detected (netbios.rules)
 * 3:15117 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed OBJ record arbitrary code execution attempt (web-client.rules)
 * 3:15118 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid access (web-activex.rules)
 * 3:15119 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid unicode access (web-activex.rules)
 * 3:15120 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call access (web-activex.rules)
 * 3:15121 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call unicode access (web-activex.rules)
 * 3:15124 <-> ENABLED <-> NETBIOS Web-based NTLM replay attack attempt (netbios.rules)
 * 3:15125 <-> ENABLED <-> WEB-CLIENT Microsoft Word rich text file unpaired dpendgroup exploit attempt (web-client.rules)
 * 3:15148 <-> ENABLED <-> DOS Microsoft SMS remote control client message length denial of service attempt (dos.rules)
 * 3:15149 <-> ENABLED <-> DOS Oracle Internet Directory pre-auth ldap denial of service attempt (dos.rules)
 * 3:15298 <-> ENABLED <-> WEB-CLIENT Microsoft Visio could allow remote code execution (web-client.rules)
 * 3:15300 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer EMF polyline overflow attempt (web-client.rules)
 * 3:15301 <-> ENABLED <-> SMTP Exchange compressed RTF remote code execution attempt (smtp.rules)
 * 3:15327 <-> ENABLED <-> BAD-TRAFFIC libspf2 DNS TXT record parsing buffer overflow attempt (bad-traffic.rules)
 * 3:15328 <-> ENABLED <-> WEB-CLIENT Sun JDK image parsing library ICC buffer overflow attempt (web-client.rules)
 * 3:15329 <-> ENABLED <-> SMTP Microsoft Exchange MODPROPS memory corruption attempt (smtp.rules)
 * 3:15365 <-> ENABLED <-> WEB-CLIENT Microsoft Excel extrst record arbitrary code execution attempt (web-client.rules)
 * 3:15433 <-> ENABLED <-> WEB-CLIENT Winamp MAKI parsing integer overflow attempt (web-client.rules)
 * 3:15449 <-> ENABLED <-> BAD-TRAFFIC Conficker A/B DNS traffic detected (bad-traffic.rules)
 * 3:15450 <-> ENABLED <-> BAD-TRAFFIC Conficker C/D DNS traffic detected (bad-traffic.rules)
 * 3:15451 <-> ENABLED <-> EXPLOIT possible Conficker.C HTTP traffic 1 (exploit.rules)
 * 3:15452 <-> ENABLED <-> EXPLOIT possible Conficker.C HTTP traffic 2 (exploit.rules)
 * 3:15453 <-> ENABLED <-> NETBIOS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (netbios.rules)
 * 3:15454 <-> ENABLED <-> WEB-CLIENT Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (web-client.rules)
 * 3:15456 <-> ENABLED <-> EXPLOIT WinHTTP SSL/TLS impersonation attempt (exploit.rules)
 * 3:15465 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed object record remote code execution attempt (web-client.rules)
 * 3:15470 <-> ENABLED <-> WEB-MISC IIS ASP/ASP.NET potentially malicious file upload attempt (web-misc.rules)
 * 3:15474 <-> ENABLED <-> BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (bad-traffic.rules)
 * 3:15498 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint CString atom overflow attempt (web-client.rules)
 * 3:15503 <-> ENABLED <-> WEB-CLIENT Download of PowerPoint 95 file (web-client.rules)
 * 3:15519 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel BRAI record remote code execution attempt (web-client.rules)
 * 3:15521 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel ExternSheet record remote code execution attempt (web-client.rules)
 * 3:15522 <-> ENABLED <-> DOS Active Directory invalid OID denial of service attempt (dos.rules)
 * 3:15528 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (netbios.rules)
 * 3:15683 <-> ENABLED <-> WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt (web-misc.rules)
 * 3:15700 <-> ENABLED <-> EXPLOIT dhclient subnet mask option buffer overflow attempt (exploit.rules)
 * 3:15734 <-> ENABLED <-> BAD-TRAFFIC BIND named 9 dynamic update message remote dos attempt (bad-traffic.rules)
 * 3:15847 <-> ENABLED <-> NETBIOS Telnet-based NTLM replay attack attempt (netbios.rules)
 * 3:15848 <-> ENABLED <-> EXPLOIT WINS replication request memory corruption attempt (exploit.rules)
 * 3:15851 <-> ENABLED <-> DOS Microsoft ASP.NET bad request denial of service attempt (dos.rules)
 * 3:15857 <-> ENABLED <-> WEB-CLIENT Microsoft Windows AVIFile media file invalid header length (web-client.rules)
 * 3:15912 <-> ENABLED <-> BAD-TRAFFIC TCP window closed before receiving data (bad-traffic.rules)
 * 3:15920 <-> ENABLED <-> WEB-CLIENT Microsoft mp3 malformed APIC header RCE attempt (web-client.rules)
 * 3:15959 <-> ENABLED <-> DOS Microsoft ASP.NET viewstate DoS attempt (dos.rules)
 * 3:15968 <-> ENABLED <-> EXPLOIT LANDesk Management Suite QIP service heal packet buffer overflow attempt (exploit.rules)
 * 3:15973 <-> ENABLED <-> EXPLOIT Novell eDirectory LDAP null search parameter buffer overflow attempt (exploit.rules)
 * 3:15974 <-> ENABLED <-> EXPLOIT Microsoft IIS ASP handling buffer overflow attempt (exploit.rules)
 * 3:15975 <-> ENABLED <-> WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt (web-client.rules)
 * 3:15976 <-> ENABLED <-> WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt (web-client.rules)
 * 3:16154 <-> ENABLED <-> WEB-CLIENT GDI+ .NET image property parsing memory corruption (web-client.rules)
 * 3:16156 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF marker object memory corruption attempt (web-client.rules)
 * 3:16158 <-> ENABLED <-> WEB-CLIENT malformed ASF codec memory corruption attempt (web-client.rules)
 * 3:16179 <-> ENABLED <-> EXPLOIT Microsoft .NET MSIL CLR interface multiple instantiation attempt (exploit.rules)
 * 3:16182 <-> ENABLED <-> EXPLOIT Microsoft .NET MSIL stack corruption attempt (exploit.rules)
 * 3:16222 <-> ENABLED <-> WEB-CLIENT Malformed BMP dimensions arbitrary code execution attempt (web-client.rules)
 * 3:16227 <-> ENABLED <-> WEB-MISC Web Service on Devices API WSDAPI URL processing buffer corruption attempt (web-misc.rules)
 * 3:16228 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed StartObject record arbitrary code execution attempt (web-client.rules)
 * 3:16230 <-> ENABLED <-> WEB-CLIENT Microsoft Excel oversized ib memory corruption attempt (web-client.rules)
 * 3:16232 <-> ENABLED <-> WEB-CLIENT Windows TrueType font file parsing integer overflow attempt (web-client.rules)
 * 3:16237 <-> ENABLED <-> DOS Microsoft Active Directory NTDSA stack space exhaustion attempt (dos.rules)
 * 3:16320 <-> ENABLED <-> WEB-CLIENT Adobe PNG empty sPLT exploit attempt (web-client.rules)
 * 3:16329 <-> ENABLED <-> EXPLOIT Microsoft Internet Authentication Service EAP-MSCHAPv2 authentication bypass attempt (exploit.rules)
 * 3:16343 <-> ENABLED <-> WEB-CLIENT obfuscated header in PDF (web-client.rules)
 * 3:16370 <-> ENABLED <-> WEB-CLIENT Adobe Reader JP2C Region Atom CompNum memory corruption attempt (web-client.rules)
 * 3:16375 <-> ENABLED <-> EXPLOIT LDAP object parameter name buffer overflow attempt (exploit.rules)
 * 3:16394 <-> ENABLED <-> DOS Active Directory Kerberos referral TGT renewal DoS attempt (dos.rules)
 * 3:16395 <-> ENABLED <-> NETBIOS SMB COPY command oversized pathname attempt (netbios.rules)
 * 3:16405 <-> ENABLED <-> ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt (icmp.rules)
 * 3:16408 <-> ENABLED <-> DOS Microsoft Windows TCP SACK invalid range denial of service attempt (dos.rules)
 * 3:16415 <-> ENABLED <-> WEB-CLIENT Microsoft DirectShow memory corruption attempt (web-client.rules)
 * 3:16530 <-> ENABLED <-> WEB-CLIENT CAB SIP authenticode alteration attempt (web-client.rules)
 * 3:16533 <-> ENABLED <-> BAD-TRAFFIC Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (bad-traffic.rules)
 * 3:16534 <-> ENABLED <-> DOS Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (dos.rules)
 * 3:16561 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 1 (exploit.rules)
 * 3:16562 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 2 (exploit.rules)
 * 3:16563 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 3 (exploit.rules)
 * 3:16564 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 4 (exploit.rules)
 * 3:16577 <-> ENABLED <-> NETBIOS Microsoft Windows SMBv2 compound request DoS attempt (netbios.rules)
 * 3:16649 <-> ENABLED <-> WEB-CLIENT Microsoft Excel HFPicture record stack buffer overflow attempt (web-client.rules)
 * 3:16662 <-> ENABLED <-> WEB-CLIENT Microsoft Excel SxView heap overflow attempt (web-client.rules)
 * 3:17041 <-> ENABLED <-> WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt (web-misc.rules)
 * 3:17118 <-> ENABLED <-> EXPLOIT Microsoft .NET CreateDelegate method arbitrary code execution attempt (exploit.rules)
 * 3:17126 <-> ENABLED <-> NETBIOS SMB large session length with small packet (netbios.rules)
 * 3:17199 <-> ENABLED <-> WEB-CLIENT Adobe Director file file lRTX overflow attempt (web-client.rules)
 * 3:17201 <-> ENABLED <-> WEB-CLIENT Adobe Director file file LsCM overflow attempt (web-client.rules)
 * 3:17242 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF file arbitrary code execution attempt (web-client.rules)
 * 3:17251 <-> ENABLED <-> SMTP Outlook RTF remote code execution attempt (smtp.rules)
 * 3:17300 <-> ENABLED <-> MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (multimedia.rules)
 * 3:17608 <-> ENABLED <-> WEB-CLIENT Apple QuickTime color table atom movie file handling heap corruption attempt (web-client.rules)
 * 3:17632 <-> ENABLED <-> SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow (snmp.rules)
 * 3:17647 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (web-client.rules)
 * 3:17663 <-> ENABLED <-> EXPLOIT Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt (exploit.rules)
 * 3:17665 <-> ENABLED <-> WEB-CLIENT OpenOffice Word document table parsing multiple heap based buffer overflow attempt (web-client.rules)
 * 3:17667 <-> ENABLED <-> MISC Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (misc.rules)
 * 3:17693 <-> ENABLED <-> SMTP MailEnable NTLM Authentication buffer overflow attempt (smtp.rules)
 * 3:17696 <-> ENABLED <-> EXPLOIT Microsoft DNS Server ANY query cache weakness (exploit.rules)
 * 3:17697 <-> ENABLED <-> SMTP GnuPG Message Packet Length overflow attempt (smtp.rules)
 * 3:17699 <-> ENABLED <-> SNMP Multiple vendor SNMPv3 HMAC handling authentication bypass attempt (snmp.rules)
 * 3:17700 <-> ENABLED <-> WEB-CLIENT RealNetworks RealPlayer wav chunk string overflow attempt (web-client.rules)
 * 3:17741 <-> ENABLED <-> EXPLOIT MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (exploit.rules)
 * 3:17762 <-> ENABLED <-> WEB-CLIENT Microsoft Excel corrupted TABLE record clean up exploit attempt (web-client.rules)
 * 3:17765 <-> ENABLED <-> WEB-CLIENT OpenType Font file parsing buffer overflow attempt (web-client.rules)
 * 3:17775 <-> ENABLED <-> SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (misc.rules)
 * 3:18063 <-> ENABLED <-> WEB-CLIENT Microsoft Office embedded Office Art drawings execution attempt (web-client.rules)
 * 3:18064 <-> ENABLED <-> EXPLOIT Microsoft .NET framework EntityObject execution attempt (exploit.rules)
 * 3:18101 <-> ENABLED <-> EXPLOIT Sun Directory Server LDAP denial of service attempt (exploit.rules)
 * 3:18213 <-> ENABLED <-> SPECIFIC-THREATS MS Publisher column and row remote code execution attempt (specific-threats.rules)
 * 3:18220 <-> ENABLED <-> WEB-CLIENT Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (web-client.rules)
 * 3:18249 <-> ENABLED <-> ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Route Information stack buffer overflow attempt (icmp.rules)
 * 3:18400 <-> ENABLED <-> SPECIFIC-THREATS MS CRSS local process allowed to persist through logon or logoff attempt (specific-threats.rules)
 * 3:18405 <-> ENABLED <-> SPECIFIC-THREATS Microsoft LSASS domain name buffer overflow attempt (specific-threats.rules)
 * 3:18409 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt (specific-threats.rules)
 * 3:18410 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt (specific-threats.rules)
 * 3:18411 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (specific-threats.rules)
 * 3:18412 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (specific-threats.rules)
 * 3:18414 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Kerberos auth downgrade to DES MITM attempt (web-client.rules)
 * 3:18449 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat font definition memory corruption attempt (specific-threats.rules)
 * 3:18501 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Malware Protection Engine elevation of privilege attempt (specific-threats.rules)
 * 3:18630 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules)
 * 3:18631 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules)
 * 3:18640 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed SupBook record attempt (web-client.rules)
 * 3:18641 <-> ENABLED <-> SPECIFIC-THREATS Excel OBJ record invalid cmo.ot exploit attempt (specific-threats.rules)
 * 3:18660 <-> ENABLED <-> NETBIOS SMB2 write packet buffer overflow attempt (netbios.rules)
 * 3:18661 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18662 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18663 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18664 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:23608 <-> ENABLED <-> BAD-TRAFFIC dns zone transfer with zero-length rdata attempt (bad-traffic.rules)
 * 3:19187 <-> ENABLED <-> BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt (bad-traffic.rules)
 * 3:18949 <-> ENABLED <-> WEB-CLIENT PowerPoint malformed RecolorInfoAtom exploit attempt (web-client.rules)
 * 3:18665 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18666 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18667 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18669 <-> ENABLED <-> WEB-CLIENT cross-domain object manipulation attempt (web-client.rules)
 * 3:8351 <-> ENABLED <-> BAD-TRAFFIC PGM nak list overflow attempt (bad-traffic.rules)
 * 3:7196 <-> ENABLED <-> EXPLOIT Microsoft DHCP option overflow attempt (exploit.rules)
 * 3:8092 <-> ENABLED <-> DOS IGMP IP Options validation attempt (dos.rules)
 * 3:7019 <-> ENABLED <-> P2P WinNY connection attempt (p2p.rules)
 * 3:31616 <-> ENABLED <-> BAD-TRAFFIC Cisco IOS EnergyWise malformed packet denial of service attempt (bad-traffic.rules)
 * 3:31615 <-> ENABLED <-> BAD-TRAFFIC Cisco IOS EnergyWise malformed packet denial of service attempt (bad-traffic.rules)
 * 3:31451 <-> ENABLED <-> EXPLOIT Cisco Unified IP phone BVSMWeb portal attack attempt (exploit.rules)
 * 3:31398 <-> ENABLED <-> BAD-TRAFFIC Cisco Unified IP phone BVSMWeb portal attack attempt (bad-traffic.rules)
 * 3:31361 <-> ENABLED <-> EXPLOIT OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (exploit.rules)
 * 3:30943 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)
 * 3:30942 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)
 * 3:30933 <-> ENABLED <-> WEB-MISC Cisco RV180 VPN remote code execution attempt (web-misc.rules)
 * 3:30932 <-> ENABLED <-> EXPLOIT Cisco WebEx WRF heap corruption attempt (exploit.rules)
 * 3:30931 <-> ENABLED <-> WEB-MISC Cisco RV180W remote file inclusion attempt (web-misc.rules)
 * 3:30929 <-> ENABLED <-> WEB-MISC Cisco RV180 VPN CSRF attempt (web-misc.rules)
 * 3:30922 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
 * 3:30913 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30921 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
 * 3:30912 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30903 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30902 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30890 <-> ENABLED <-> BAD-TRAFFIC Content-Type media type overflow denial of service attempt (bad-traffic.rules)
 * 3:30901 <-> ENABLED <-> WEB-CLIENT known malicious flash actionscript decryption routine (web-client.rules)
 * 3:30889 <-> ENABLED <-> BAD-TRAFFIC Content-Type media type overflow denial of service attempt (bad-traffic.rules)
 * 3:30888 <-> ENABLED <-> WEB-MISC Cisco Tshell command injection attempt (web-misc.rules)
 * 3:30887 <-> ENABLED <-> WEB-MISC Cisco Tshell command injection attempt (web-misc.rules)
 * 3:30886 <-> ENABLED <-> BAD-TRAFFIC Cisco SIP malformed date header buffer overflow attempt (bad-traffic.rules)
 * 3:20825 <-> ENABLED <-> DOS generic web server hashing collision attack (dos.rules)
 * 3:30885 <-> ENABLED <-> BAD-TRAFFIC Cisco SIP malformed date header buffer overflow attempt (bad-traffic.rules)
 * 3:30884 <-> ENABLED <-> BAD-TRAFFIC Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (bad-traffic.rules)
 * 3:30881 <-> ENABLED <-> BAD-TRAFFIC dns request with long host name segment - possible data exfiltration attempt (bad-traffic.rules)
 * 3:30283 <-> ENABLED <-> DOS Cisco IOS SIP header denial of service attempt (dos.rules)
 * 3:30282 <-> ENABLED <-> DOS Cisco IOS SIP header denial of service attempt (dos.rules)
 * 3:21355 <-> ENABLED <-> BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid (bad-traffic.rules)
 * 3:21352 <-> ENABLED <-> SMTP Microsoft Fax Cover Page Editor heap corruption attempt (web-client.rules)
 * 3:21354 <-> ENABLED <-> BAD-TRAFFIC dns query - storing query and txid (bad-traffic.rules)
 * 3:23040 <-> ENABLED <-> DNS Multiple vendor DNS message decompression denial of service attempt (dos.rules)
 * 3:22089 <-> ENABLED <-> WEB-CLIENT Microsoft RTF improper listoverride nesting attempt (web-client.rules)
 * 3:18673 <-> ENABLED <-> WEB-CLIENT Microsoft Fax Cover Page Editor heap corruption attempt (web-client.rules)
 * 3:18676 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel DV record buffer overflow attempt (web-client.rules)
 * 3:23180 <-> ENABLED <-> SMTP obfuscated header in PDF attachment (web-client.rules)
 * 3:19350 <-> ENABLED <-> WEB-CLIENT Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (web-client.rules)
 * 3:29945 <-> ENABLED <-> EXPLOIT Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (exploit.rules)
 * 3:23182 <-> ENABLED <-> WEB-MISC SFVRT-1009 attack attempt (web-misc.rules)
 * 3:29944 <-> ENABLED <-> EXPLOIT Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (exploit.rules)
 * 3:24595 <-> ENABLED <-> EXPLOIT Oracle Reports Server information disclosure attempt (exploit.rules)
 * 3:24596 <-> ENABLED <-> EXPLOIT Oracle Reports Servlet information disclosure attempt (exploit.rules)
 * 3:24597 <-> ENABLED <-> EXPLOIT Oracle Reports Servlet information disclosure attempt (exploit.rules)
 * 3:28488 <-> ENABLED <-> WEB-CLIENT Microsoft GDI library TIFF handling memory corruption attempt (web-client.rules)
 * 3:24666 <-> ENABLED <-> EXPLOIT Excel invalid data item buffer overflow attempt (exploit.rules)
 * 3:28487 <-> ENABLED <-> WEB-CLIENT Microsoft GDI library TIFF handling memory corruption attempt (web-client.rules)
 * 3:24671 <-> ENABLED <-> EXPLOIT Microsoft Windows Explorer briefcase database memory corruption attempt (exploit.rules)
 * 3:26213 <-> ENABLED <-> MISC g01 exploit kit dns request - doesntexist.com (misc.rules)
 * 3:24971 <-> ENABLED <-> EXPLOIT Microsoft Windows ATMFD Adobe font driver reserved command denial of service attempt (exploit.rules)
 * 3:23039 <-> ENABLED <-> DNS Multiple vendor DNS message decompression denial of service attempt (dos.rules)
 * 3:20135 <-> ENABLED <-> EXPLOIT HP OpenView Storage Data Protector buffer overflow attempt (exploit.rules)
 * 3:27906 <-> ENABLED <-> EXPLOIT MIT Kerberos KDC prep_reprocess_req null pointer dereference attempt (exploit.rules)
 * 3:26972 <-> ENABLED <-> EXPLOIT CUPS IPP multi-valued attribute memory corruption attempt (exploit.rules)
 * 3:26877 <-> ENABLED <-> DOS Microsoft Windows TCPRecomputeMss denial of service attempt (dos.rules)
 * 3:21619 <-> ENABLED <-> EXPLOIT Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (exploit.rules)
 * 3:26215 <-> ENABLED <-> MISC g01 exploit kit dns request - dynalias.com (misc.rules)
 * 3:26214 <-> ENABLED <-> MISC g01 exploit kit dns request - dnsalias.com (misc.rules)

2014-08-21 14:41:58 UTC

Sourcefire VRT Rules Update

Date: 2014-08-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection (malware-cnc.rules)
 * 1:31688 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor (blacklist.rules)
 * 1:31687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:31686 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:31685 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-origin security policy bypass attempt (file-flash.rules)
 * 1:31684 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-origin security policy bypass attempt (file-flash.rules)
 * 1:31683 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur variant outbound connection (malware-cnc.rules)
 * 1:31682 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur download attempt (malware-cnc.rules)
 * 1:31681 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur download attempt (malware-cnc.rules)
 * 1:31680 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tirabot variant outbound connection (malware-cnc.rules)
 * 1:31679 <-> ENABLED <-> FILE-FLASH Adobe Flash valueOf memory leak attempt (file-flash.rules)
 * 1:31678 <-> ENABLED <-> FILE-FLASH Adobe Flash valueOf memory leak attempt (file-flash.rules)
 * 1:31677 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
 * 1:31676 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
 * 1:31675 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
 * 1:31674 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
 * 1:31673 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URL handling remote code execution attempt (file-flash.rules)
 * 1:31672 <-> ENABLED <-> MALWARE-CNC Inbound command to php based DoS bot (malware-cnc.rules)
 * 1:31671 <-> ENABLED <-> FILE-OTHER Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt (file-other.rules)
 * 1:31670 <-> ENABLED <-> FILE-OTHER Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt (file-other.rules)
 * 1:31669 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:18403 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Data Source Object memory corruption attempt (browser-ie.rules)
 * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:25459 <-> ENABLED <-> FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules)
 * 1:25460 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules)
 * 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
 * 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
 * 1:31631 <-> ENABLED <-> BLACKLIST DNS request for known malware domain games-playbox.com (blacklist.rules)
 * 1:31632 <-> ENABLED <-> BLACKLIST DNS request for known malware domain worldvoicetrip.com (blacklist.rules)
 * 3:13790 <-> ENABLED <-> WEB-CLIENT Microsoft Word malformed css remote code execution attempt (web-client.rules)
 * 3:13773 <-> ENABLED <-> DOS linux kernel snmp nat netfilter memory corruption attempt (dos.rules)
 * 3:13718 <-> ENABLED <-> SMTP BDAT buffer overflow attempt (smtp.rules)
 * 3:13676 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI emf filename buffer overflow attempt (web-client.rules)
 * 3:13667 <-> ENABLED <-> BAD-TRAFFIC dns cache poisoning attempt (bad-traffic.rules)
 * 3:13666 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI integer overflow attempt (web-client.rules)
 * 3:13582 <-> ENABLED <-> WEB-CLIENT Microsoft Excel sst record arbitrary code execution attempt (web-client.rules)
 * 3:13511 <-> ENABLED <-> EXPLOIT Novell eDirectory EventsRequest invalid event count exploit attempt (exploit.rules)
 * 3:13510 <-> ENABLED <-> EXPLOIT Novell eDirectory EventsRequest heap overflow attempt (exploit.rules)
 * 3:13476 <-> ENABLED <-> WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (web-iis.rules)
 * 3:13475 <-> ENABLED <-> DOS Microsoft Active Directory LDAP denial of service attempt (dos.rules)
 * 3:13471 <-> ENABLED <-> EXPLOIT Microsoft Publisher invalid pathname overwrite (exploit.rules)
 * 3:13469 <-> ENABLED <-> WEB-CLIENT Microsoft Word ole stream memory corruption attempt (web-client.rules)
 * 3:13450 <-> ENABLED <-> BAD-TRAFFIC invalid dhcp offer denial of service attempt (bad-traffic.rules)
 * 3:13425 <-> ENABLED <-> DOS openldap server bind request denial of service attempt (dos.rules)
 * 3:13418 <-> ENABLED <-> DOS IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (dos.rules)
 * 3:13417 <-> ENABLED <-> EXPLOIT Citrix MetaFrame IMA authentication processing buffer overflow attempt (exploit.rules)
 * 3:13308 <-> ENABLED <-> WEB-MISC Apache HTTP server auth_ldap logging function format string vulnerability (web-misc.rules)
 * 3:13287 <-> ENABLED <-> BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt (bad-traffic.rules)
 * 3:12636 <-> ENABLED <-> NNTP XHDR buffer overflow attempt (nntp.rules)
 * 3:8351 <-> ENABLED <-> BAD-TRAFFIC PGM nak list overflow attempt (bad-traffic.rules)
 * 3:8092 <-> ENABLED <-> DOS IGMP IP Options validation attempt (dos.rules)
 * 3:7196 <-> ENABLED <-> EXPLOIT Microsoft DHCP option overflow attempt (exploit.rules)
 * 3:7019 <-> ENABLED <-> P2P WinNY connection attempt (p2p.rules)
 * 3:31616 <-> ENABLED <-> BAD-TRAFFIC Cisco IOS EnergyWise malformed packet denial of service attempt (bad-traffic.rules)
 * 3:31615 <-> ENABLED <-> BAD-TRAFFIC Cisco IOS EnergyWise malformed packet denial of service attempt (bad-traffic.rules)
 * 3:31451 <-> ENABLED <-> EXPLOIT Cisco Unified IP phone BVSMWeb portal attack attempt (exploit.rules)
 * 3:31398 <-> ENABLED <-> BAD-TRAFFIC Cisco Unified IP phone BVSMWeb portal attack attempt (bad-traffic.rules)
 * 3:31361 <-> ENABLED <-> EXPLOIT OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (exploit.rules)
 * 3:30943 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)
 * 3:30942 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)
 * 3:30933 <-> ENABLED <-> WEB-MISC Cisco RV180 VPN remote code execution attempt (web-misc.rules)
 * 3:30932 <-> ENABLED <-> EXPLOIT Cisco WebEx WRF heap corruption attempt (exploit.rules)
 * 3:30931 <-> ENABLED <-> WEB-MISC Cisco RV180W remote file inclusion attempt (web-misc.rules)
 * 3:30929 <-> ENABLED <-> WEB-MISC Cisco RV180 VPN CSRF attempt (web-misc.rules)
 * 3:30922 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
 * 3:30921 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
 * 3:30913 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30912 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30903 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30902 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30901 <-> ENABLED <-> WEB-CLIENT known malicious flash actionscript decryption routine (web-client.rules)
 * 3:30890 <-> ENABLED <-> BAD-TRAFFIC Content-Type media type overflow denial of service attempt (bad-traffic.rules)
 * 3:30889 <-> ENABLED <-> BAD-TRAFFIC Content-Type media type overflow denial of service attempt (bad-traffic.rules)
 * 3:30888 <-> ENABLED <-> WEB-MISC Cisco Tshell command injection attempt (web-misc.rules)
 * 3:30887 <-> ENABLED <-> WEB-MISC Cisco Tshell command injection attempt (web-misc.rules)
 * 3:30886 <-> ENABLED <-> BAD-TRAFFIC Cisco SIP malformed date header buffer overflow attempt (bad-traffic.rules)
 * 3:30885 <-> ENABLED <-> BAD-TRAFFIC Cisco SIP malformed date header buffer overflow attempt (bad-traffic.rules)
 * 3:30884 <-> ENABLED <-> BAD-TRAFFIC Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (bad-traffic.rules)
 * 3:30881 <-> ENABLED <-> BAD-TRAFFIC dns request with long host name segment - possible data exfiltration attempt (bad-traffic.rules)
 * 3:30283 <-> ENABLED <-> DOS Cisco IOS SIP header denial of service attempt (dos.rules)
 * 3:30282 <-> ENABLED <-> DOS Cisco IOS SIP header denial of service attempt (dos.rules)
 * 3:29945 <-> ENABLED <-> EXPLOIT Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (exploit.rules)
 * 3:29944 <-> ENABLED <-> EXPLOIT Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (exploit.rules)
 * 3:28488 <-> ENABLED <-> WEB-CLIENT Microsoft GDI library TIFF handling memory corruption attempt (web-client.rules)
 * 3:28487 <-> ENABLED <-> WEB-CLIENT Microsoft GDI library TIFF handling memory corruption attempt (web-client.rules)
 * 3:27906 <-> ENABLED <-> EXPLOIT MIT Kerberos KDC prep_reprocess_req null pointer dereference attempt (exploit.rules)
 * 3:26972 <-> ENABLED <-> EXPLOIT CUPS IPP multi-valued attribute memory corruption attempt (exploit.rules)
 * 3:26877 <-> ENABLED <-> DOS Microsoft Windows TCPRecomputeMss denial of service attempt (dos.rules)
 * 3:26215 <-> ENABLED <-> MISC g01 exploit kit dns request - dynalias.com (misc.rules)
 * 3:26214 <-> ENABLED <-> MISC g01 exploit kit dns request - dnsalias.com (misc.rules)
 * 3:26213 <-> ENABLED <-> MISC g01 exploit kit dns request - doesntexist.com (misc.rules)
 * 3:24971 <-> ENABLED <-> EXPLOIT Microsoft Windows ATMFD Adobe font driver reserved command denial of service attempt (exploit.rules)
 * 3:24671 <-> ENABLED <-> EXPLOIT Microsoft Windows Explorer briefcase database memory corruption attempt (exploit.rules)
 * 3:24666 <-> ENABLED <-> EXPLOIT Excel invalid data item buffer overflow attempt (exploit.rules)
 * 3:24597 <-> ENABLED <-> EXPLOIT Oracle Reports Servlet information disclosure attempt (exploit.rules)
 * 3:24596 <-> ENABLED <-> EXPLOIT Oracle Reports Servlet information disclosure attempt (exploit.rules)
 * 3:24595 <-> ENABLED <-> EXPLOIT Oracle Reports Server information disclosure attempt (exploit.rules)
 * 3:23608 <-> ENABLED <-> BAD-TRAFFIC dns zone transfer with zero-length rdata attempt (bad-traffic.rules)
 * 3:23182 <-> ENABLED <-> WEB-MISC SFVRT-1009 attack attempt (web-misc.rules)
 * 3:23180 <-> ENABLED <-> SMTP obfuscated header in PDF attachment (web-client.rules)
 * 3:23040 <-> ENABLED <-> DNS Multiple vendor DNS message decompression denial of service attempt (dos.rules)
 * 3:23039 <-> ENABLED <-> DNS Multiple vendor DNS message decompression denial of service attempt (dos.rules)
 * 3:22089 <-> ENABLED <-> WEB-CLIENT Microsoft RTF improper listoverride nesting attempt (web-client.rules)
 * 3:21619 <-> ENABLED <-> EXPLOIT Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (exploit.rules)
 * 3:21355 <-> ENABLED <-> BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid (bad-traffic.rules)
 * 3:21354 <-> ENABLED <-> BAD-TRAFFIC dns query - storing query and txid (bad-traffic.rules)
 * 3:21352 <-> ENABLED <-> SMTP Microsoft Fax Cover Page Editor heap corruption attempt (web-client.rules)
 * 3:20825 <-> ENABLED <-> DOS generic web server hashing collision attack (dos.rules)
 * 3:20135 <-> ENABLED <-> EXPLOIT HP OpenView Storage Data Protector buffer overflow attempt (exploit.rules)
 * 3:19350 <-> ENABLED <-> WEB-CLIENT Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (web-client.rules)
 * 3:19187 <-> ENABLED <-> BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt (bad-traffic.rules)
 * 3:18949 <-> ENABLED <-> WEB-CLIENT PowerPoint malformed RecolorInfoAtom exploit attempt (web-client.rules)
 * 3:18676 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel DV record buffer overflow attempt (web-client.rules)
 * 3:18673 <-> ENABLED <-> WEB-CLIENT Microsoft Fax Cover Page Editor heap corruption attempt (web-client.rules)
 * 3:18669 <-> ENABLED <-> WEB-CLIENT cross-domain object manipulation attempt (web-client.rules)
 * 3:18667 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18666 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18665 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18664 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18663 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18662 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18661 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18660 <-> ENABLED <-> NETBIOS SMB2 write packet buffer overflow attempt (netbios.rules)
 * 3:18641 <-> ENABLED <-> SPECIFIC_THREATS Excel OBJ record invalid cmo.ot exploit attempt (specific-threats.rules)
 * 3:18640 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed SupBook record attempt (web-client.rules)
 * 3:18631 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules)
 * 3:18630 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules)
 * 3:18501 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Malware Protection Engine elevation of privilege attempt (specific-threats.rules)
 * 3:18449 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat font definition memory corruption attempt (specific-threats.rules)
 * 3:18414 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Kerberos auth downgrade to DES MITM attempt (web-client.rules)
 * 3:18412 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (specific-threats.rules)
 * 3:18411 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (specific-threats.rules)
 * 3:18410 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt (specific-threats.rules)
 * 3:18409 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt (specific-threats.rules)
 * 3:18405 <-> ENABLED <-> SPECIFIC-THREATS Microsoft LSASS domain name buffer overflow attempt (specific-threats.rules)
 * 3:18400 <-> ENABLED <-> SPECIFIC-THREATS MS CRSS local process allowed to persist through logon or logoff attempt (specific-threats.rules)
 * 3:18249 <-> ENABLED <-> ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Route Information stack buffer overflow attempt (icmp.rules)
 * 3:18220 <-> ENABLED <-> WEB-CLIENT Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (web-client.rules)
 * 3:18213 <-> ENABLED <-> SPECIFIC-THREATS MS Publisher column and row remote code execution attempt (specific-threats.rules)
 * 3:18101 <-> ENABLED <-> EXPLOIT Sun Directory Server LDAP denial of service attempt (exploit.rules)
 * 3:18064 <-> ENABLED <-> EXPLOIT Microsoft .NET framework EntityObject execution attempt (exploit.rules)
 * 3:18063 <-> ENABLED <-> WEB-CLIENT Microsoft Office embedded Office Art drawings execution attempt (web-client.rules)
 * 3:17775 <-> ENABLED <-> SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (misc.rules)
 * 3:17765 <-> ENABLED <-> WEB-CLIENT OpenType Font file parsing buffer overflow attempt (web-client.rules)
 * 3:17762 <-> ENABLED <-> WEB-CLIENT Microsoft Excel corrupted TABLE record clean up exploit attempt (web-client.rules)
 * 3:17741 <-> ENABLED <-> EXPLOIT MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (exploit.rules)
 * 3:17700 <-> ENABLED <-> WEB-CLIENT RealNetworks RealPlayer wav chunk string overflow attempt (web-client.rules)
 * 3:17699 <-> ENABLED <-> SNMP Multiple vendor SNMPv3 HMAC handling authentication bypass attempt (snmp.rules)
 * 3:17697 <-> ENABLED <-> SMTP GnuPG Message Packet Length overflow attempt (smtp.rules)
 * 3:17696 <-> ENABLED <-> EXPLOIT Microsoft DNS Server ANY query cache weakness (exploit.rules)
 * 3:17693 <-> ENABLED <-> SMTP MailEnable NTLM Authentication buffer overflow attempt (smtp.rules)
 * 3:17667 <-> ENABLED <-> MISC Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (misc.rules)
 * 3:17665 <-> ENABLED <-> WEB-CLIENT OpenOffice Word document table parsing multiple heap based buffer overflow attempt (web-client.rules)
 * 3:17663 <-> ENABLED <-> EXPLOIT Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt (exploit.rules)
 * 3:17647 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (web-client.rules)
 * 3:17632 <-> ENABLED <-> SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow (snmp.rules)
 * 3:17608 <-> ENABLED <-> WEB-CLIENT Apple QuickTime color table atom movie file handling heap corruption attempt (web-client.rules)
 * 3:17300 <-> ENABLED <-> MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (multimedia.rules)
 * 3:17251 <-> ENABLED <-> SMTP Outlook RTF remote code execution attempt (smtp.rules)
 * 3:17242 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF file arbitrary code execution attempt (web-client.rules)
 * 3:17201 <-> ENABLED <-> WEB-CLIENT Adobe Director file LsCM overflow attempt (web-client.rules)
 * 3:17199 <-> ENABLED <-> WEB-CLIENT Adobe Director file lRTX overflow attempt (web-client.rules)
 * 3:17126 <-> ENABLED <-> NETBIOS SMB large session length with small packet (netbios.rules)
 * 3:17118 <-> ENABLED <-> EXPLOIT Microsoft .NET CreateDelegate method arbitrary code execution attempt (exploit.rules)
 * 3:17041 <-> ENABLED <-> WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt (web-misc.rules)
 * 3:16662 <-> ENABLED <-> WEB-CLIENT Microsoft Excel SxView heap overflow attempt (web-client.rules)
 * 3:16649 <-> ENABLED <-> WEB-CLIENT Microsoft Excel HFPicture record stack buffer overflow attempt (web-client.rules)
 * 3:16577 <-> ENABLED <-> NETBIOS Microsoft Windows SMBv2 compound request DoS attempt (netbios.rules)
 * 3:16564 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 4 (exploit.rules)
 * 3:16563 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 3 (exploit.rules)
 * 3:16562 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 2 (exploit.rules)
 * 3:16561 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 1 (exploit.rules)
 * 3:16534 <-> ENABLED <-> DOS Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (dos.rules)
 * 3:16533 <-> ENABLED <-> BAD-TRAFFIC Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (bad-traffic.rules)
 * 3:16530 <-> ENABLED <-> WEB-CLIENT CAB SIP authenticode alteration attempt (web-client.rules)
 * 3:16415 <-> ENABLED <-> WEB-CLIENT Microsoft DirectShow memory corruption attempt (web-client.rules)
 * 3:16408 <-> ENABLED <-> DOS Microsoft Windows TCP SACK invalid range denial of service attempt (dos.rules)
 * 3:16405 <-> ENABLED <-> ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt (icmp.rules)
 * 3:16395 <-> ENABLED <-> NETBIOS SMB COPY command oversized pathname attempt (netbios.rules)
 * 3:16394 <-> ENABLED <-> DOS Active Directory Kerberos referral TGT renewal DoS attempt (dos.rules)
 * 3:16375 <-> ENABLED <-> EXPLOIT LDAP object parameter name buffer overflow attempt (exploit.rules)
 * 3:16370 <-> ENABLED <-> WEB-CLIENT Adobe Reader JP2C Region Atom CompNum memory corruption attempt (web-client.rules)
 * 3:16343 <-> ENABLED <-> WEB-CLIENT obfuscated header in PDF (web-client.rules)
 * 3:16329 <-> ENABLED <-> EXPLOIT Microsoft Internet Authentication Service EAP-MSCHAPv2 authentication bypass attempt (exploit.rules)
 * 3:16320 <-> ENABLED <-> WEB-CLIENT Adobe PNG empty sPLT exploit attempt (web-client.rules)
 * 3:16237 <-> ENABLED <-> DOS Microsoft Active Directory NTDSA stack space exhaustion attempt (dos.rules)
 * 3:16232 <-> ENABLED <-> WEB-CLIENT Windows TrueType font file parsing integer overflow attempt (web-client.rules)
 * 3:16230 <-> ENABLED <-> WEB-CLIENT Microsoft Excel oversized ib memory corruption attempt (web-client.rules)
 * 3:16228 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed StartObject record arbitrary code execution attempt (web-client.rules)
 * 3:16227 <-> ENABLED <-> WEB-MISC Web Service on Devices API WSDAPI URL processing buffer corruption attempt (web-misc.rules)
 * 3:16222 <-> ENABLED <-> WEB-CLIENT Malformed BMP dimensions arbitrary code execution attempt (web-client.rules)
 * 3:16182 <-> ENABLED <-> EXPLOIT Microsoft .NET MSIL stack corruption attempt (exploit.rules)
 * 3:16179 <-> ENABLED <-> EXPLOIT Microsoft .NET MSIL CLR interface multiple instantiation attempt (exploit.rules)
 * 3:16158 <-> ENABLED <-> WEB-CLIENT malformed ASF codec memory corruption attempt (web-client.rules)
 * 3:16156 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF marker object memory corruption attempt (web-client.rules)
 * 3:16154 <-> ENABLED <-> WEB-CLIENT GDI+ .NET image property parsing memory corruption (web-client.rules)
 * 3:15976 <-> ENABLED <-> WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt (web-client.rules)
 * 3:15975 <-> ENABLED <-> WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt (web-client.rules)
 * 3:15974 <-> ENABLED <-> EXPLOIT Microsoft IIS ASP handling buffer overflow attempt (exploit.rules)
 * 3:15973 <-> ENABLED <-> EXPLOIT Novell eDirectory LDAP null search parameter buffer overflow attempt (exploit.rules)
 * 3:15968 <-> ENABLED <-> EXPLOIT LANDesk Management Suite QIP service heal packet buffer overflow attempt (exploit.rules)
 * 3:15959 <-> ENABLED <-> DOS Microsoft ASP.NET viewstate DoS attempt (dos.rules)
 * 3:15920 <-> ENABLED <-> WEB-CLIENT Microsoft mp3 malformed APIC header RCE attempt (web-client.rules)
 * 3:15912 <-> ENABLED <-> BAD-TRAFFIC TCP window closed before receiving data (bad-traffic.rules)
 * 3:15857 <-> ENABLED <-> WEB-CLIENT Microsoft Windows AVIFile media file invalid header length (web-client.rules)
 * 3:15851 <-> ENABLED <-> DOS Microsoft ASP.NET bad request denial of service attempt (dos.rules)
 * 3:15848 <-> ENABLED <-> EXPLOIT WINS replication request memory corruption attempt (exploit.rules)
 * 3:15847 <-> ENABLED <-> NETBIOS Telnet-based NTLM replay attack attempt (netbios.rules)
 * 3:15734 <-> ENABLED <-> BAD-TRAFFIC BIND named 9 dynamic update message remote dos attempt (bad-traffic.rules)
 * 3:15700 <-> ENABLED <-> EXPLOIT dhclient subnet mask option buffer overflow attempt (exploit.rules)
 * 3:15683 <-> ENABLED <-> WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt (web-misc.rules)
 * 3:15528 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (netbios.rules)
 * 3:15522 <-> ENABLED <-> DOS Active Directory invalid OID denial of service attempt (dos.rules)
 * 3:15521 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel ExternSheet record remote code execution attempt (web-client.rules)
 * 3:15519 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel BRAI record remote code execution attempt (web-client.rules)
 * 3:15503 <-> ENABLED <-> WEB-CLIENT Download of PowerPoint 95 file (web-client.rules)
 * 3:15498 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint CString atom overflow attempt (web-client.rules)
 * 3:15474 <-> ENABLED <-> BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (bad-traffic.rules)
 * 3:15470 <-> ENABLED <-> WEB-MISC IIS ASP/ASP.NET potentially malicious file upload attempt (web-misc.rules)
 * 3:15465 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed object record remote code execution attempt (web-client.rules)
 * 3:15456 <-> ENABLED <-> EXPLOIT WinHTTP SSL/TLS impersonation attempt (exploit.rules)
 * 3:15454 <-> ENABLED <-> WEB-CLIENT Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (web-client.rules)
 * 3:15453 <-> ENABLED <-> NETBIOS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (netbios.rules)
 * 3:15452 <-> ENABLED <-> EXPLOIT possible Conficker.C HTTP traffic 2 (exploit.rules)
 * 3:15451 <-> ENABLED <-> EXPLOIT possible Conficker.C HTTP traffic 1 (exploit.rules)
 * 3:15450 <-> ENABLED <-> BAD-TRAFFIC Conficker C/D DNS traffic detected (bad-traffic.rules)
 * 3:15449 <-> ENABLED <-> BAD-TRAFFIC Conficker A/B DNS traffic detected (bad-traffic.rules)
 * 3:15433 <-> ENABLED <-> WEB-CLIENT Winamp MAKI parsing integer overflow attempt (web-client.rules)
 * 3:15365 <-> ENABLED <-> WEB-CLIENT Microsoft Excel extrst record arbitrary code execution attempt (web-client.rules)
 * 3:15329 <-> ENABLED <-> SMTP Microsoft Exchange MODPROPS memory corruption attempt (smtp.rules)
 * 3:15328 <-> ENABLED <-> WEB-CLIENT Sun JDK image parsing library ICC buffer overflow attempt (web-client.rules)
 * 3:15327 <-> ENABLED <-> BAD-TRAFFIC libspf2 DNS TXT record parsing buffer overflow attempt (bad-traffic.rules)
 * 3:15301 <-> ENABLED <-> SMTP Exchange compressed RTF remote code execution attempt (smtp.rules)
 * 3:15300 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer EMF polyline overflow attempt (web-client.rules)
 * 3:15298 <-> ENABLED <-> WEB-CLIENT Microsoft Visio could allow remote code execution (web-client.rules)
 * 3:15149 <-> ENABLED <-> DOS Oracle Internet Directory pre-auth ldap denial of service attempt (dos.rules)
 * 3:15148 <-> ENABLED <-> DOS Microsoft SMS remote control client message length denial of service attempt (dos.rules)
 * 3:15125 <-> ENABLED <-> WEB-CLIENT Microsoft Word rich text file unpaired dpendgroup exploit attempt (web-client.rules)
 * 3:15124 <-> ENABLED <-> NETBIOS Web-based NTLM replay attack attempt (netbios.rules)
 * 3:15121 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call unicode access (web-activex.rules)
 * 3:15120 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call access (web-activex.rules)
 * 3:15119 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid unicode access (web-activex.rules)
 * 3:15118 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid access (web-activex.rules)
 * 3:15117 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed OBJ record arbitrary code execution attempt (web-client.rules)
 * 3:15009 <-> ENABLED <-> NETBIOS possible SMB replay attempt - overlapping encryption keys detected (netbios.rules)
 * 3:14772 <-> ENABLED <-> WEB-CLIENT libpng malformed chunk denial of service attempt (web-client.rules)
 * 3:14655 <-> ENABLED <-> WEB-CLIENT Excel rept integer underflow attempt (web-client.rules)
 * 3:14646 <-> ENABLED <-> DOS Active Directory malformed baseObject denial of service attempt (dos.rules)
 * 3:14263 <-> ENABLED <-> CHAT Pidgin MSN MSNP2P message integer overflow attempt (chat.rules)
 * 3:14260 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (web-client.rules)
 * 3:14254 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
 * 3:14253 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
 * 3:14252 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
 * 3:14251 <-> ENABLED <-> EXPLOIT Microsoft GDI malformed metarecord buffer overflow attempt (exploit.rules)
 * 3:13979 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System Subscription VBScript access (web-client.rules)
 * 3:13978 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX function call unicode access (web-client.rules)
 * 3:13977 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX function call access (web-client.rules)
 * 3:13976 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX clsid unicode access (web-client.rules)
 * 3:13975 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX clsid access (web-client.rules)
 * 3:13969 <-> ENABLED <-> WEB-CLIENT Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (web-client.rules)
 * 3:13958 <-> ENABLED <-> WEB-CLIENT WordPerfect Graphics file invalid RLE buffer overflow attempt (web-client.rules)
 * 3:13954 <-> ENABLED <-> WEB-CLIENT Microsoft Color Management System EMF file processing overflow attempt (web-client.rules)
 * 3:13947 <-> ENABLED <-> WEB-CLIENT Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (web-client.rules)
 * 3:13946 <-> ENABLED <-> WEB-CLIENT Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (web-client.rules)
 * 3:13922 <-> ENABLED <-> WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (web-iis.rules)
 * 3:13921 <-> ENABLED <-> IMAP Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (imap.rules)
 * 3:13897 <-> ENABLED <-> EXPLOIT Apple Quicktime crgn atom parsing stack buffer overflow attempt (exploit.rules)
 * 3:13887 <-> ENABLED <-> BAD-TRAFFIC dns root nameserver poisoning attempt (bad-traffic.rules)
 * 3:13879 <-> ENABLED <-> WEB-CLIENT Windows BMP image conversion arbitrary code execution attempt (web-client.rules)
 * 3:13835 <-> ENABLED <-> DOS Microsoft Active Directory LDAP cookie denial of service attempt (dos.rules)
 * 3:13826 <-> ENABLED <-> EXPLOIT Microsoft WINS arbitrary memory modification attempt (exploit.rules)
 * 3:13825 <-> ENABLED <-> DOS Microsoft PGM fragment denial of service attempt (dos.rules)
 * 3:13803 <-> ENABLED <-> WEB-CLIENT RTF control word overflow attempt (web-client.rules)
 * 3:13802 <-> ENABLED <-> WEB-CLIENT Microsoft malware protection engine denial of service attempt (web-client.rules)
 * 3:13798 <-> ENABLED <-> WEB-CLIENT Microsoft malware protection engine denial of service attempt (web-client.rules)
 * 3:12028 <-> ENABLED <-> SMTP Microsoft Exchange Server MIME base64 decoding code execution attempt (smtp.rules)
 * 3:11672 <-> ENABLED <-> MISC Mozilla Network Security Services SSLv2 stack overflow attempt (misc.rules)
 * 3:11619 <-> ENABLED <-> MISC MySQL COM_TABLE_DUMP Function Stack Overflow attempt (misc.rules)
 * 3:10480 <-> ENABLED <-> EXPLOIT imail ldap buffer overflow exploit attempt (exploit.rules)
 * 3:10127 <-> ENABLED <-> DOS Microsoft IP Options denial of service (dos.rules)