The VRT has added and modified multiple rules in the bad-traffic, blacklist, browser-ie, chat, dos, exploit, file-flash, file-other, file-pdf, icmp, imap, malware-cnc, misc, multimedia, netbios, nntp, p2p, smtp, snmp, specific-threats, web-activex, web-client and web-misc rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31684 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-origin security policy bypass attempt (file-flash.rules)
* 1:31687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31676 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
* 1:31674 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
* 1:31682 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur download attempt (malware-cnc.rules)
* 1:31673 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URL handling remote code execution attempt (file-flash.rules)
* 1:31688 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor (blacklist.rules)
* 1:31670 <-> ENABLED <-> FILE-OTHER Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt (file-other.rules)
* 1:31689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection (malware-cnc.rules)
* 1:31681 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur download attempt (malware-cnc.rules)
* 1:31679 <-> ENABLED <-> FILE-FLASH Adobe Flash valueOf memory leak attempt (file-flash.rules)
* 1:31672 <-> ENABLED <-> MALWARE-CNC Inbound command to php based DoS bot (malware-cnc.rules)
* 1:31669 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
* 1:31683 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur variant outbound connection (malware-cnc.rules)
* 1:31680 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tirabot variant outbound connection (malware-cnc.rules)
* 1:31678 <-> ENABLED <-> FILE-FLASH Adobe Flash valueOf memory leak attempt (file-flash.rules)
* 1:31686 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31675 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
* 1:31685 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-origin security policy bypass attempt (file-flash.rules)
* 1:31677 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
* 1:31671 <-> ENABLED <-> FILE-OTHER Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt (file-other.rules)
* 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
* 1:31631 <-> ENABLED <-> BLACKLIST DNS request for known malware domain games-playbox.com (blacklist.rules)
* 1:18403 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Data Source Object memory corruption attempt (browser-ie.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:25460 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules)
* 1:31632 <-> ENABLED <-> BLACKLIST DNS request for known malware domain worldvoicetrip.com (blacklist.rules)
* 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
* 1:25459 <-> ENABLED <-> FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules)
* 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 3:18673 <-> ENABLED <-> WEB-CLIENT Microsoft Fax Cover Page Editor heap corruption attempt (web-client.rules)
* 3:24671 <-> ENABLED <-> EXPLOIT Microsoft Windows Explorer briefcase database memory corruption attempt (exploit.rules)
* 3:24596 <-> ENABLED <-> EXPLOIT Oracle Reports Servlet information disclosure attempt (exploit.rules)
* 3:21355 <-> ENABLED <-> BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid (bad-traffic.rules)
* 3:31616 <-> ENABLED <-> BAD-TRAFFIC Cisco IOS EnergyWise malformed packet denial of service attempt (bad-traffic.rules)
* 3:18669 <-> ENABLED <-> WEB-CLIENT cross-domain object mainpulation attempt (web-client.rules)
* 3:18667 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
* 3:18665 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
* 3:18666 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
* 3:18663 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
* 3:18664 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
* 3:18661 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
* 3:18662 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
* 3:18641 <-> ENABLED <-> SPECIFIC_THREATS Excel OBJ record invalid cmo.ot exploit attempt (specific-threats.rules)
* 3:18660 <-> ENABLED <-> NETBIOS SMB2 write packet buffer overflow attempt (netbios.rules)
* 3:18640 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed SupBook record attempt (web-client.rules)
* 3:18630 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules)
* 3:18631 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules)
* 3:18449 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat font definition memory corruption attempt (specific-threats.rules)
* 3:18501 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Malware Protection Engine elevation of privilege attempt (specific-threats.rules)
* 3:18412 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (specific-threats.rules)
* 3:18414 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Kerberos auth downgrade to DES MITM attempt (web-client.rules)
* 3:18410 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt (specific-threats.rules)
* 3:18411 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (specific-threats.rules)
* 3:18405 <-> ENABLED <-> SPECIFIC-THREATS Microsoft LSASS domain name buffer overflow attempt (specific-threats.rules)
* 3:18409 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt (specific-threats.rules)
* 3:18400 <-> ENABLED <-> SPECIFIC-THREATS MS CRSS local process allowed to persist through logon or logoff attempt (specific-threats.rules)
* 3:18220 <-> ENABLED <-> WEB-CLIENT Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (web-client.rules)
* 3:18249 <-> ENABLED <-> ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Route Information stack buffer overflow attempt (icmp.rules)
* 3:18213 <-> ENABLED <-> SPECIFIC-THREATS MS Publisher column and row remote code execution attempt (specific-threats.rules)
* 3:18101 <-> ENABLED <-> EXPLOIT Sun Directory Server LDAP denial of service attempt (exploit.rules)
* 3:18063 <-> ENABLED <-> WEB-CLIENT Microsoft Office embedded Office Art drawings execution attempt (web-client.rules)
* 3:18064 <-> ENABLED <-> EXPLOIT Microsoft .NET framework EntityObject execution attempt (exploit.rules)
* 3:17765 <-> ENABLED <-> WEB-CLIENT OpenType Font file parsing buffer overflow attempt (web-client.rules)
* 3:17775 <-> ENABLED <-> SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (misc.rules)
* 3:17741 <-> ENABLED <-> EXPLOIT MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (exploit.rules)
* 3:17762 <-> ENABLED <-> WEB-CLIENT Microsoft Excel corrupted TABLE record clean up exploit attempt (web-client.rules)
* 3:17699 <-> ENABLED <-> SNMP Multiple vendor SNMPv3 HMAC handling authentication bypass attempt (snmp.rules)
* 3:17700 <-> ENABLED <-> WEB-CLIENT RealNetworks RealPlayer wav chunk string overflow attempt (web-client.rules)
* 3:17697 <-> ENABLED <-> SMTP GnuPG Message Packet Length overflow attempt (smtp.rules)
* 3:17696 <-> ENABLED <-> EXPLOIT Microsoft DNS Server ANY query cache weakness (exploit.rules)
* 3:17693 <-> ENABLED <-> SMTP MailEnable NTLM Authentication buffer overflow attempt (smtp.rules)
* 3:17665 <-> ENABLED <-> WEB-CLIENT OpenOffice Word document table parsing multiple heap based buffer overflow attempt (web-client.rules)
* 3:17667 <-> ENABLED <-> MISC Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (misc.rules)
* 3:17647 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (web-client.rules)
* 3:17663 <-> ENABLED <-> EXPLOIT Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt (exploit.rules)
* 3:17608 <-> ENABLED <-> WEB-CLIENT Apple QuickTime color table atom movie file handling heap corruption attempt (web-client.rules)
* 3:17632 <-> ENABLED <-> SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow (snmp.rules)
* 3:17251 <-> ENABLED <-> SMTP Outlook RTF remote code execution attempt (smtp.rules)
* 3:17300 <-> ENABLED <-> MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (multimedia.rules)
* 3:17242 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF file arbitrary code execution attempt (web-client.rules)
* 3:17199 <-> ENABLED <-> WEB-CLIENT Adobe Director file file lRTX overflow attempt (web-client.rules)
* 3:17201 <-> ENABLED <-> WEB-CLIENT Adobe Director file file LsCM overflow attempt (web-client.rules)
* 3:17118 <-> ENABLED <-> EXPLOIT Microsoft .NET CreateDelegate method arbitrary code execution attempt (exploit.rules)
* 3:17126 <-> ENABLED <-> NETBIOS SMB large session length with small packet (netbios.rules)
* 3:16662 <-> ENABLED <-> WEB-CLIENT Microsoft Excel SxView heap overflow attempt (web-client.rules)
* 3:17041 <-> ENABLED <-> WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt (web-misc.rules)
* 3:16577 <-> ENABLED <-> NETBIOS Microsoft Windows SMBv2 compound request DoS attempt (netbios.rules)
* 3:16649 <-> ENABLED <-> WEB-CLIENT Microsoft Excel HFPicture record stack buffer overflow attempt (web-client.rules)
* 3:16563 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 3 (exploit.rules)
* 3:16564 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 4 (exploit.rules)
* 3:16561 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 1 (exploit.rules)
* 3:16562 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 2 (exploit.rules)
* 3:16534 <-> ENABLED <-> DOS Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (dos.rules)
* 3:16533 <-> ENABLED <-> BAD-TRAFFIC Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (bad-traffic.rules)
* 3:16415 <-> ENABLED <-> WEB-CLIENT Microsoft DirectShow memory corruption attempt (web-client.rules)
* 3:16530 <-> ENABLED <-> WEB-CLIENT CAB SIP authenticode alteration attempt (web-client.rules)
* 3:16405 <-> ENABLED <-> ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt (icmp.rules)
* 3:16408 <-> ENABLED <-> DOS Microsoft Windows TCP SACK invalid range denial of service attempt (dos.rules)
* 3:16394 <-> ENABLED <-> DOS Active Directory Kerberos referral TGT renewal DoS attempt (dos.rules)
* 3:16395 <-> ENABLED <-> NETBIOS SMB COPY command oversized pathname attempt (netbios.rules)
* 3:16375 <-> ENABLED <-> EXPLOIT LDAP object parameter name buffer overflow attempt (exploit.rules)
* 3:16370 <-> ENABLED <-> WEB-CLIENT Adobe Reader JP2C Region Atom CompNum memory corruption attempt (web-client.rules)
* 3:16343 <-> ENABLED <-> WEB-CLIENT obfuscated header in PDF (web-client.rules)
* 3:16320 <-> ENABLED <-> WEB-CLIENT Adobe PNG empty sPLT exploit attempt (web-client.rules)
* 3:16329 <-> ENABLED <-> EXPLOIT Microsoft Internet Authentication Service EAP-MSCHAPv2 authentication bypass attempt (exploit.rules)
* 3:16232 <-> ENABLED <-> WEB-CLIENT Windows TrueType font file parsing integer overflow attempt (web-client.rules)
* 3:16237 <-> ENABLED <-> DOS Microsoft Active Directory NTDSA stack space exhaustion attempt (dos.rules)
* 3:16228 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed StartObject record arbitrary code execution attempt (web-client.rules)
* 3:16230 <-> ENABLED <-> WEB-CLIENT Microsoft Excel oversized ib memory corruption attempt (web-client.rules)
* 3:16222 <-> ENABLED <-> WEB-CLIENT Malformed BMP dimensions arbitrary code execution attempt (web-client.rules)
* 3:16227 <-> ENABLED <-> WEB-MISC Web Service on Devices API WSDAPI URL processing buffer corruption attempt (web-misc.rules)
* 3:16179 <-> ENABLED <-> EXPLOIT Microsoft .NET MSIL CLR interface multiple instantiation attempt (exploit.rules)
* 3:16182 <-> ENABLED <-> EXPLOIT Microsoft .NET MSIL stack corruption attempt (exploit.rules)
* 3:16156 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF marker object memory corruption attempt (web-client.rules)
* 3:16158 <-> ENABLED <-> WEB-CLIENT malformed ASF codec memory corruption attempt (web-client.rules)
* 3:15976 <-> ENABLED <-> WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt (web-client.rules)
* 3:16154 <-> ENABLED <-> WEB-CLIENT GDI+ .NET image property parsing memory corruption (web-client.rules)
* 3:15975 <-> ENABLED <-> WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt (web-client.rules)
* 3:15973 <-> ENABLED <-> EXPLOIT Novell eDirectory LDAP null search parameter buffer overflow attempt (exploit.rules)
* 3:15974 <-> ENABLED <-> EXPLOIT Microsoft IIS ASP handling buffer overflow attempt (exploit.rules)
* 3:15968 <-> ENABLED <-> EXPLOIT LANDesk Management Suite QIP service heal packet buffer overflow attempt (exploit.rules)
* 3:15920 <-> ENABLED <-> WEB-CLIENT Microsoft mp3 malformed APIC header RCE attempt (web-client.rules)
* 3:15959 <-> ENABLED <-> DOS Microsoft ASP.NET viewstate DoS attempt (dos.rules)
* 3:15857 <-> ENABLED <-> WEB-CLIENT Microsoft Windows AVIFile media file invalid header length (web-client.rules)
* 3:15912 <-> ENABLED <-> BAD-TRAFFIC TCP window closed before receiving data (bad-traffic.rules)
* 3:15851 <-> ENABLED <-> DOS Microsoft ASP.NET bad request denial of service attempt (dos.rules)
* 3:15847 <-> ENABLED <-> NETBIOS Telnet-based NTLM replay attack attempt (netbios.rules)
* 3:15848 <-> ENABLED <-> EXPLOIT WINS replication request memory corruption attempt (exploit.rules)
* 3:15700 <-> ENABLED <-> EXPLOIT dhclient subnet mask option buffer overflow attempt (exploit.rules)
* 3:15734 <-> ENABLED <-> BAD-TRAFFIC BIND named 9 dynamic update message remote dos attempt (bad-traffic.rules)
* 3:15528 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (netbios.rules)
* 3:15683 <-> ENABLED <-> WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt (web-misc.rules)
* 3:15522 <-> ENABLED <-> DOS Active Directory invalid OID denial of service attempt (dos.rules)
* 3:15519 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel BRAI record remote code execution attempt (web-client.rules)
* 3:15521 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel ExternSheet record remote code execution attempt (web-client.rules)
* 3:15498 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint CString atom overflow attempt (web-client.rules)
* 3:15503 <-> ENABLED <-> WEB-CLIENT Download of PowerPoint 95 file (web-client.rules)
* 3:15470 <-> ENABLED <-> WEB-MISC IIS ASP/ASP.NET potentially malicious file upload attempt (web-misc.rules)
* 3:15474 <-> ENABLED <-> BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (bad-traffic.rules)
* 3:15456 <-> ENABLED <-> EXPLOIT WinHTTP SSL/TLS impersonation attempt (exploit.rules)
* 3:15465 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed object record remote code execution attempt (web-client.rules)
* 3:15453 <-> ENABLED <-> NETBIOS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (netbios.rules)
* 3:15454 <-> ENABLED <-> WEB-CLIENT Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (web-client.rules)
* 3:15451 <-> ENABLED <-> EXPLOIT possible Conficker.C HTTP traffic 1 (exploit.rules)
* 3:15452 <-> ENABLED <-> EXPLOIT possible Conficker.C HTTP traffic 2 (exploit.rules)
* 3:15450 <-> ENABLED <-> BAD-TRAFFIC Conficker C/D DNS traffic detected (bad-traffic.rules)
* 3:15449 <-> ENABLED <-> BAD-TRAFFIC Conficker A/B DNS traffic detected (bad-traffic.rules)
* 3:15365 <-> ENABLED <-> WEB-CLIENT Microsoft Excel extrst record arbitrary code excecution attempt (web-client.rules)
* 3:15433 <-> ENABLED <-> WEB-CLIENT Winamp MAKI parsing integer overflow attempt (web-client.rules)
* 3:15328 <-> ENABLED <-> WEB-CLIENT Sun JDK image parsing library ICC buffer overflow attempt (web-client.rules)
* 3:15329 <-> ENABLED <-> SMTP Microsoft Exchange MODPROPS memory corruption attempt (smtp.rules)
* 3:15301 <-> ENABLED <-> SMTP Exchange compressed RTF remote code execution attempt (smtp.rules)
* 3:15327 <-> ENABLED <-> BAD-TRAFFIC libspf2 DNS TXT record parsing buffer overflow attempt (bad-traffic.rules)
* 3:15300 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer EMF polyline overflow attempt (web-client.rules)
* 3:15298 <-> ENABLED <-> WEB-CLIENT Microsoft Visio could allow remote code execution (web-client.rules)
* 3:15149 <-> ENABLED <-> DOS Oracle Internet Directory pre-auth ldap denial of service attempt (dos.rules)
* 3:15125 <-> ENABLED <-> WEB-CLIENT Microsoft Word rich text file unpaired dpendgroup exploit attempt (web-client.rules)
* 3:15148 <-> ENABLED <-> DOS Microsoft SMS remote control client message length denial of service attempt (dos.rules)
* 3:15121 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call unicode access (web-activex.rules)
* 3:15124 <-> ENABLED <-> NETBIOS Web-based NTLM replay attack attempt (netbios.rules)
* 3:15119 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid unicode access (web-activex.rules)
* 3:15120 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call access (web-activex.rules)
* 3:15117 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed OBJ record arbitrary code execution attempt (web-client.rules)
* 3:15118 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid access (web-activex.rules)
* 3:14772 <-> ENABLED <-> WEB-CLIENT libpng malformed chunk denial of service attempt (web-client.rules)
* 3:15009 <-> ENABLED <-> NETBIOS possible SMB replay attempt - overlapping encryption keys detected (netbios.rules)
* 3:14646 <-> ENABLED <-> DOS Active Directory malformed baseObject denial of service attempt (dos.rules)
* 3:14655 <-> ENABLED <-> WEB-CLIENT Excel rept integer underflow attempt (web-client.rules)
* 3:14260 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (web-client.rules)
* 3:14263 <-> ENABLED <-> CHAT Pidgin MSN MSNP2P message integer overflow attempt (chat.rules)
* 3:14254 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
* 3:14252 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
* 3:14253 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
* 3:13979 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System Subscription VBScript access (web-client.rules)
* 3:14251 <-> ENABLED <-> EXPLOIT Microsoft GDI malformed metarecord buffer overflow attempt (exploit.rules)
* 3:13977 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX function call access (web-client.rules)
* 3:13978 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX function call unicode access (web-client.rules)
* 3:13975 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX clsid access (web-client.rules)
* 3:13976 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX clsid unicode access (web-client.rules)
* 3:13958 <-> ENABLED <-> WEB-CLIENT WordPerfect Graphics file invalid RLE buffer overflow attempt (web-client.rules)
* 3:13969 <-> ENABLED <-> WEB-CLIENT Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (web-client.rules)
* 3:13947 <-> ENABLED <-> WEB-CLIENT Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (web-client.rules)
* 3:13954 <-> ENABLED <-> WEB-CLIENT Microsoft Color Management System EMF file processing overflow attempt (web-client.rules)
* 3:13946 <-> ENABLED <-> WEB-CLIENT Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (web-client.rules)
* 3:13922 <-> ENABLED <-> WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (web-iis.rules)
* 3:13897 <-> ENABLED <-> EXPLOIT Apple Quicktime crgn atom parsing stack buffer overflow attempt (exploit.rules)
* 3:13921 <-> ENABLED <-> IMAP Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (imap.rules)
* 3:13879 <-> ENABLED <-> WEB-CLIENT Windows BMP image conversion arbitrary code execution attempt (web-client.rules)
* 3:13887 <-> ENABLED <-> BAD-TRAFFIC dns root nameserver poisoning attempt (bad-traffic.rules)
* 3:13826 <-> ENABLED <-> EXPLOIT Microsoft WINS arbitrary memory modification attempt (exploit.rules)
* 3:13835 <-> ENABLED <-> DOS Microsoft Active Directory LDAP cookie denial of service attempt (dos.rules)
* 3:13825 <-> ENABLED <-> DOS Microsoft PGM fragment denial of service attempt (dos.rules)
* 3:13803 <-> ENABLED <-> WEB-CLIENT RTF control word overflow attempt (web-client.rules)
* 3:13802 <-> ENABLED <-> WEB-CLIENT Microsoft malware protection engine denial of service attempt (web-client.rules)
* 3:13790 <-> ENABLED <-> WEB-CLIENT Microsoft Word malformed css remote code execution attempt (web-client.rules)
* 3:13798 <-> ENABLED <-> WEB-CLIENT Microsoft malware protection engine denial of service attempt (web-client.rules)
* 3:13718 <-> ENABLED <-> SMTP BDAT buffer overflow attempt (smtp.rules)
* 3:13773 <-> ENABLED <-> DOS linux kernel snmp nat netfilter memory corruption attempt (dos.rules)
* 3:13667 <-> ENABLED <-> BAD-TRAFFIC dns cache poisoning attempt (bad-traffic.rules)
* 3:13676 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI emf filename buffer overflow attempt (web-client.rules)
* 3:13582 <-> ENABLED <-> WEB-CLIENT Microsoft Excel sst record arbitrary code execution attempt (web-client.rules)
* 3:13666 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI integer overflow attempt (web-client.rules)
* 3:13510 <-> ENABLED <-> EXPLOIT Novell eDirectory EventsRequest heap overflow attempt (exploit.rules)
* 3:13511 <-> ENABLED <-> EXPLOIT Novell eDirectory EventsRequest invalid event count exploit attempt (exploit.rules)
* 3:13475 <-> ENABLED <-> DOS Microsoft Active Directory LDAP denial of service attempt (dos.rules)
* 3:13476 <-> ENABLED <-> WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (web-iis.rules)
* 3:13469 <-> ENABLED <-> WEB-CLIENT Microsoft Word ole stream memory corruption attempt (web-client.rules)
* 3:13471 <-> ENABLED <-> EXPLOIT Microsoft Publisher invalid pathname overwrite (exploit.rules)
* 3:13450 <-> ENABLED <-> BAD-TRAFFIC invalid dhcp offer denial of service attempt (bad-traffic.rules)
* 3:13418 <-> ENABLED <-> DOS IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (dos.rules)
* 3:13425 <-> ENABLED <-> DOS openldap server bind request denial of service attempt (dos.rules)
* 3:13308 <-> ENABLED <-> WEB-MISC Apache HTTP server auth_ldap logging function format string vulnerability (web-misc.rules)
* 3:13417 <-> ENABLED <-> EXPLOIT Citrix MetaFrame IMA authentication processing buffer overflow attempt (exploit.rules)
* 3:12636 <-> ENABLED <-> NNTP XHDR buffer overflow attempt (nntp.rules)
* 3:13287 <-> ENABLED <-> BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt (bad-traffic.rules)
* 3:31451 <-> ENABLED <-> EXPLOIT Cisco Unified IP phone BVSMWeb portal attack attempt (exploit.rules)
* 3:31615 <-> ENABLED <-> BAD-TRAFFIC Cisco IOS EnergyWise malformed packet denial of service attempt (bad-traffic.rules)
* 3:7019 <-> ENABLED <-> P2P WinNY connection attempt (p2p.rules)
* 3:7196 <-> ENABLED <-> EXPLOIT Microsoft DHCP option overflow attempt (exploit.rules)
* 3:8092 <-> ENABLED <-> DOS IGMP IP Options validation attempt (dos.rules)
* 3:8351 <-> ENABLED <-> BAD-TRAFFIC PGM nak list overflow attempt (bad-traffic.rules)
* 3:18676 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel DV record buffer overflow attempt (web-client.rules)
* 3:23180 <-> ENABLED <-> SMTP obfuscated header in PDF attachment (web-client.rules)
* 3:21354 <-> ENABLED <-> BAD-TRAFFIC dns query - storing query and txid (bad-traffic.rules)
* 3:21352 <-> ENABLED <-> SMTP Microsoft Fax Cover Page Editor heap corruption attempt (web-client.rules)
* 3:24595 <-> ENABLED <-> EXPLOIT Oracle Reports Server information disclosure attempt (exploit.rules)
* 3:24666 <-> ENABLED <-> EXPLOIT Excel invalid data item buffer overflow attempt (exploit.rules)
* 3:26214 <-> ENABLED <-> MISC g01 exploit kit dns request - dnsalias.com (misc.rules)
* 3:26213 <-> ENABLED <-> MISC g01 exploit kit dns request - doesntexist.com (misc.rules)
* 3:10127 <-> ENABLED <-> DOS Microsoft IP Options denial of service (dos.rules)
* 3:10480 <-> ENABLED <-> EXPLOIT imail ldap buffer overflow exploit attempt (exploit.rules)
* 3:11619 <-> ENABLED <-> MISC MySQL COM_TABLE_DUMP Function Stack Overflow attempt (misc.rules)
* 3:11672 <-> ENABLED <-> MISC Mozilla Network Security Services SSLv2 stack overflow attempt (misc.rules)
* 3:12028 <-> ENABLED <-> SMTP Microsoft Exchange Server MIME base64 decoding code execution attempt (smtp.rules)
* 3:31361 <-> ENABLED <-> EXPLOIT OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (exploit.rules)
* 3:22089 <-> ENABLED <-> WEB-CLIENT Microsoft RTF improper listoverride nesting attempt (web-client.rules)
* 3:30884 <-> ENABLED <-> BAD-TRAFFIC Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (bad-traffic.rules)
* 3:30890 <-> ENABLED <-> BAD-TRAFFIC Content-Type media type overflow denial of service attempt (bad-traffic.rules)
* 3:30903 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
* 3:30885 <-> ENABLED <-> BAD-TRAFFIC Cisco SIP malformed date header buffer overflow attempt (bad-traffic.rules)
* 3:30913 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
* 3:20135 <-> ENABLED <-> EXPLOIT HP OpenView Storage Data Protector buffer overflow attempt (exploit.rules)
* 3:29945 <-> ENABLED <-> EXPLOIT Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (exploit.rules)
* 3:30888 <-> ENABLED <-> WEB-MISC Cisco Tshell command injection attempt (web-misc.rules)
* 3:26972 <-> ENABLED <-> EXPLOIT CUPS IPP multi-valued attribute memory corruption attempt (exploit.rules)
* 3:23040 <-> ENABLED <-> DNS Multiple vendor DNS message decompression denial of service attempt (dos.rules)
* 3:21619 <-> ENABLED <-> EXPLOIT Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (exploit.rules)
* 3:23039 <-> ENABLED <-> DNS Multiple vendor DNS message decompression denial of service attempt (dos.rules)
* 3:30902 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
* 3:28488 <-> ENABLED <-> WEB-CLIENT Microsoft GDI library TIFF handling memory corruption attempt (web-client.rules)
* 3:30929 <-> ENABLED <-> WEB-MISC Cisco RV180 VPN CSRF attempt (web-misc.rules)
* 3:19187 <-> ENABLED <-> BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt (bad-traffic.rules)
* 3:30912 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
* 3:30282 <-> ENABLED <-> DOS Cisco IOS SIP header denial of service attempt (dos.rules)
* 3:28487 <-> ENABLED <-> WEB-CLIENT Microsoft GDI library TIFF handling memory corruption attempt (web-client.rules)
* 3:30889 <-> ENABLED <-> BAD-TRAFFIC Content-Type media type overflow denial of service attempt (bad-traffic.rules)
* 3:26877 <-> ENABLED <-> DOS Microsoft Windows TCPRecomputeMss denial of service attempt (dos.rules)
* 3:20825 <-> ENABLED <-> DOS generic web server hashing collision attack (dos.rules)
* 3:23182 <-> ENABLED <-> WEB-MISC SFVRT-1009 attack attempt (web-misc.rules)
* 3:30933 <-> ENABLED <-> WEB-MISC Cisco RV180 VPN remote code execution attempt (web-misc.rules)
* 3:29944 <-> ENABLED <-> EXPLOIT Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (exploit.rules)
* 3:30922 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
* 3:18949 <-> ENABLED <-> WEB-CLIENT PowerPoint malformed RecolorInfoAtom exploit attempt (web-client.rules)
* 3:26215 <-> ENABLED <-> MISC g01 exploit kit dns request - dynalias.com (misc.rules)
* 3:23608 <-> ENABLED <-> BAD-TRAFFIC dns zone transfer with zero-length rdata attempt (bad-traffic.rules)
* 3:30881 <-> ENABLED <-> BAD-TRAFFIC dns request with long host name segment - possible data exfiltration attempt (bad-traffic.rules)
* 3:30886 <-> ENABLED <-> BAD-TRAFFIC Cisco SIP malformed date header buffer overflow attempt (bad-traffic.rules)
* 3:19350 <-> ENABLED <-> WEB-CLIENT Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (web-client.rules)
* 3:30921 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
* 3:27906 <-> ENABLED <-> EXPLOIT MIT Kerberos KDC prep_reprocess_req null pointer dereference attempt (exploit.rules)
* 3:30901 <-> ENABLED <-> WEB-CLIENT known malicious flash actionscript decryption routine (web-client.rules)
* 3:30932 <-> ENABLED <-> EXPLOIT Cisco WebEx WRF heap corruption attempt (exploit.rules)
* 3:30283 <-> ENABLED <-> DOS Cisco IOS SIP header denial of service attempt (dos.rules)
* 3:24597 <-> ENABLED <-> EXPLOIT Oracle Reports Servlet information disclosure attempt (exploit.rules)
* 3:24971 <-> ENABLED <-> EXPLOIT Microsoft Windows ATMFD Adobe font driver reserved command denial of service attempt (exploit.rules)
* 3:30887 <-> ENABLED <-> WEB-MISC Cisco Tshell command injection attempt (web-misc.rules)
* 3:30931 <-> ENABLED <-> WEB-MISC Cisco RV180W remote file inclusion attempt (web-misc.rules)
* 3:31398 <-> ENABLED <-> BAD-TRAFFIC Cisco Unified IP phone BVSMWeb portal attack attempt (bad-traffic.rules)
* 3:30942 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)
* 3:30943 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31671 <-> ENABLED <-> FILE-OTHER Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt (file-other.rules)
* 1:31677 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
* 1:31675 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
* 1:31686 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31680 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tirabot variant outbound connection (malware-cnc.rules)
* 1:31678 <-> ENABLED <-> FILE-FLASH Adobe Flash valueOf memory leak attempt (file-flash.rules)
* 1:31683 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur variant outbound connection (malware-cnc.rules)
* 1:31669 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
* 1:31672 <-> ENABLED <-> MALWARE-CNC Inbound command to php based DoS bot (malware-cnc.rules)
* 1:31679 <-> ENABLED <-> FILE-FLASH Adobe Flash valueOf memory leak attempt (file-flash.rules)
* 1:31681 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur download attempt (malware-cnc.rules)
* 1:31689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection (malware-cnc.rules)
* 1:31670 <-> ENABLED <-> FILE-OTHER Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt (file-other.rules)
* 1:31688 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor (blacklist.rules)
* 1:31673 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URL handling remote code execution attempt (file-flash.rules)
* 1:31682 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur download attempt (malware-cnc.rules)
* 1:31674 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
* 1:31676 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
* 1:31687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31684 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-origin security policy bypass attempt (file-flash.rules)
* 1:31685 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-origin security policy bypass attempt (file-flash.rules)
* 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:31632 <-> ENABLED <-> BLACKLIST DNS request for known malware domain worldvoicetrip.com (blacklist.rules)
* 1:25459 <-> ENABLED <-> FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules)
* 1:25460 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules)
* 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
* 1:18403 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Data Source Object memory corruption attempt (browser-ie.rules)
* 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
* 1:31631 <-> ENABLED <-> BLACKLIST DNS request for known malware domain games-playbox.com (blacklist.rules)
* 3:10127 <-> ENABLED <-> DOS Microsoft IP Options denial of service (dos.rules)
* 3:10480 <-> ENABLED <-> EXPLOIT imail ldap buffer overflow exploit attempt (exploit.rules)
* 3:11619 <-> ENABLED <-> MISC MySQL COM_TABLE_DUMP Function Stack Overflow attempt (misc.rules)
* 3:11672 <-> ENABLED <-> MISC Mozilla Network Security Services SSLv2 stack overflow attempt (misc.rules)
* 3:12028 <-> ENABLED <-> SMTP Microsoft Exchange Server MIME base64 decoding code execution attempt (smtp.rules)
* 3:12636 <-> ENABLED <-> NNTP XHDR buffer overflow attempt (nntp.rules)
* 3:13287 <-> ENABLED <-> BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt (bad-traffic.rules)
* 3:13308 <-> ENABLED <-> WEB-MISC Apache HTTP server auth_ldap logging function format string vulnerability (web-misc.rules)
* 3:13417 <-> ENABLED <-> EXPLOIT Citrix MetaFrame IMA authentication processing buffer overflow attempt (exploit.rules)
* 3:13418 <-> ENABLED <-> DOS IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (dos.rules)
* 3:13425 <-> ENABLED <-> DOS openldap server bind request denial of service attempt (dos.rules)
* 3:13450 <-> ENABLED <-> BAD-TRAFFIC invalid dhcp offer denial of service attempt (bad-traffic.rules)
* 3:13469 <-> ENABLED <-> WEB-CLIENT Microsoft Word ole stream memory corruption attempt (web-client.rules)
* 3:13471 <-> ENABLED <-> EXPLOIT Microsoft Publisher invalid pathname overwrite (exploit.rules)
* 3:13475 <-> ENABLED <-> DOS Microsoft Active Directory LDAP denial of service attempt (dos.rules)
* 3:13476 <-> ENABLED <-> WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (web-iis.rules)
* 3:13510 <-> ENABLED <-> EXPLOIT Novell eDirectory EventsRequest heap overflow attempt (exploit.rules)
* 3:13511 <-> ENABLED <-> EXPLOIT Novell eDirectory EventsRequest invalid event count exploit attempt (exploit.rules)
* 3:13582 <-> ENABLED <-> WEB-CLIENT Microsoft Excel sst record arbitrary code execution attempt (web-client.rules)
* 3:13666 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI integer overflow attempt (web-client.rules)
* 3:13667 <-> ENABLED <-> BAD-TRAFFIC dns cache poisoning attempt (bad-traffic.rules)
* 3:13676 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI emf filename buffer overflow attempt (web-client.rules)
* 3:13718 <-> ENABLED <-> SMTP BDAT buffer overflow attempt (smtp.rules)
* 3:13773 <-> ENABLED <-> DOS linux kernel snmp nat netfilter memory corruption attempt (dos.rules)
* 3:13790 <-> ENABLED <-> WEB-CLIENT Microsoft Word malformed css remote code execution attempt (web-client.rules)
* 3:13798 <-> ENABLED <-> WEB-CLIENT Microsoft malware protection engine denial of service attempt (web-client.rules)
* 3:13802 <-> ENABLED <-> WEB-CLIENT Microsoft malware protection engine denial of service attempt (web-client.rules)
* 3:13803 <-> ENABLED <-> WEB-CLIENT RTF control word overflow attempt (web-client.rules)
* 3:13825 <-> ENABLED <-> DOS Microsoft PGM fragment denial of service attempt (dos.rules)
* 3:13826 <-> ENABLED <-> EXPLOIT Microsoft WINS arbitrary memory modification attempt (exploit.rules)
* 3:13835 <-> ENABLED <-> DOS Microsoft Active Directory LDAP cookie denial of service attempt (dos.rules)
* 3:13879 <-> ENABLED <-> WEB-CLIENT Windows BMP image conversion arbitrary code execution attempt (web-client.rules)
* 3:13887 <-> ENABLED <-> BAD-TRAFFIC dns root nameserver poisoning attempt (bad-traffic.rules)
* 3:13897 <-> ENABLED <-> EXPLOIT Apple Quicktime crgn atom parsing stack buffer overflow attempt (exploit.rules)
* 3:13921 <-> ENABLED <-> IMAP Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (imap.rules)
* 3:13922 <-> ENABLED <-> WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (web-iis.rules)
* 3:13946 <-> ENABLED <-> WEB-CLIENT Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (web-client.rules)
* 3:13947 <-> ENABLED <-> WEB-CLIENT Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (web-client.rules)
* 3:13954 <-> ENABLED <-> WEB-CLIENT Microsoft Color Management System EMF file processing overflow attempt (web-client.rules)
* 3:13958 <-> ENABLED <-> WEB-CLIENT WordPerfect Graphics file invalid RLE buffer overflow attempt (web-client.rules)
* 3:13969 <-> ENABLED <-> WEB-CLIENT Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (web-client.rules)
* 3:13975 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX clsid access (web-client.rules)
* 3:13976 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX clsid unicode access (web-client.rules)
* 3:13977 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX function call access (web-client.rules)
* 3:13978 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX function call unicode access (web-client.rules)
* 3:13979 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System Subscription VBScript access (web-client.rules)
* 3:14251 <-> ENABLED <-> EXPLOIT Microsoft GDI malformed metarecord buffer overflow attempt (exploit.rules)
* 3:14252 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
* 3:14253 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
* 3:14254 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
* 3:14260 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (web-client.rules)
* 3:14263 <-> ENABLED <-> CHAT Pidgin MSN MSNP2P message integer overflow attempt (chat.rules)
* 3:14646 <-> ENABLED <-> DOS Active Directory malformed baseObject denial of service attempt (dos.rules)
* 3:14655 <-> ENABLED <-> WEB-CLIENT Excel rept integer underflow attempt (web-client.rules)
* 3:14772 <-> ENABLED <-> WEB-CLIENT libpng malformed chunk denial of service attempt (web-client.rules)
* 3:15009 <-> ENABLED <-> NETBIOS possible SMB replay attempt - overlapping encryption keys detected (netbios.rules)
* 3:15117 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed OBJ record arbitrary code execution attempt (web-client.rules)
* 3:15118 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid access (web-activex.rules)
* 3:15119 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid unicode access (web-activex.rules)
* 3:15120 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call access (web-activex.rules)
* 3:15121 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call unicode access (web-activex.rules)
* 3:15124 <-> ENABLED <-> NETBIOS Web-based NTLM replay attack attempt (netbios.rules)
* 3:15125 <-> ENABLED <-> WEB-CLIENT Microsoft Word rich text file unpaired dpendgroup exploit attempt (web-client.rules)
* 3:15148 <-> ENABLED <-> DOS Microsoft SMS remote control client message length denial of service attempt (dos.rules)
* 3:15149 <-> ENABLED <-> DOS Oracle Internet Directory pre-auth ldap denial of service attempt (dos.rules)
* 3:15298 <-> ENABLED <-> WEB-CLIENT Microsoft Visio could allow remote code execution (web-client.rules)
* 3:15300 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer EMF polyline overflow attempt (web-client.rules)
* 3:15301 <-> ENABLED <-> SMTP Exchange compressed RTF remote code execution attempt (smtp.rules)
* 3:15327 <-> ENABLED <-> BAD-TRAFFIC libspf2 DNS TXT record parsing buffer overflow attempt (bad-traffic.rules)
* 3:15328 <-> ENABLED <-> WEB-CLIENT Sun JDK image parsing library ICC buffer overflow attempt (web-client.rules)
* 3:15329 <-> ENABLED <-> SMTP Microsoft Exchange MODPROPS memory corruption attempt (smtp.rules)
* 3:15365 <-> ENABLED <-> WEB-CLIENT Microsoft Excel extrst record arbitrary code excecution attempt (web-client.rules)
* 3:15433 <-> ENABLED <-> WEB-CLIENT Winamp MAKI parsing integer overflow attempt (web-client.rules)
* 3:15449 <-> ENABLED <-> BAD-TRAFFIC Conficker A/B DNS traffic detected (bad-traffic.rules)
* 3:15450 <-> ENABLED <-> BAD-TRAFFIC Conficker C/D DNS traffic detected (bad-traffic.rules)
* 3:15451 <-> ENABLED <-> EXPLOIT possible Conficker.C HTTP traffic 1 (exploit.rules)
* 3:15452 <-> ENABLED <-> EXPLOIT possible Conficker.C HTTP traffic 2 (exploit.rules)
* 3:15453 <-> ENABLED <-> NETBIOS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (netbios.rules)
* 3:15454 <-> ENABLED <-> WEB-CLIENT Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (web-client.rules)
* 3:15456 <-> ENABLED <-> EXPLOIT WinHTTP SSL/TLS impersonation attempt (exploit.rules)
* 3:15465 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed object record remote code execution attempt (web-client.rules)
* 3:15470 <-> ENABLED <-> WEB-MISC IIS ASP/ASP.NET potentially malicious file upload attempt (web-misc.rules)
* 3:15474 <-> ENABLED <-> BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (bad-traffic.rules)
* 3:15498 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint CString atom overflow attempt (web-client.rules)
* 3:15503 <-> ENABLED <-> WEB-CLIENT Download of PowerPoint 95 file (web-client.rules)
* 3:15519 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel BRAI record remote code execution attempt (web-client.rules)
* 3:15521 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel ExternSheet record remote code execution attempt (web-client.rules)
* 3:15522 <-> ENABLED <-> DOS Active Directory invalid OID denial of service attempt (dos.rules)
* 3:15528 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (netbios.rules)
* 3:15683 <-> ENABLED <-> WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt (web-misc.rules)
* 3:15700 <-> ENABLED <-> EXPLOIT dhclient subnet mask option buffer overflow attempt (exploit.rules)
* 3:15734 <-> ENABLED <-> BAD-TRAFFIC BIND named 9 dynamic update message remote dos attempt (bad-traffic.rules)
* 3:15847 <-> ENABLED <-> NETBIOS Telnet-based NTLM replay attack attempt (netbios.rules)
* 3:15848 <-> ENABLED <-> EXPLOIT WINS replication request memory corruption attempt (exploit.rules)
* 3:15851 <-> ENABLED <-> DOS Microsoft ASP.NET bad request denial of service attempt (dos.rules)
* 3:15857 <-> ENABLED <-> WEB-CLIENT Microsoft Windows AVIFile media file invalid header length (web-client.rules)
* 3:15912 <-> ENABLED <-> BAD-TRAFFIC TCP window closed before receiving data (bad-traffic.rules)
* 3:15920 <-> ENABLED <-> WEB-CLIENT Microsoft mp3 malformed APIC header RCE attempt (web-client.rules)
* 3:15959 <-> ENABLED <-> DOS Microsoft ASP.NET viewstate DoS attempt (dos.rules)
* 3:15968 <-> ENABLED <-> EXPLOIT LANDesk Management Suite QIP service heal packet buffer overflow attempt (exploit.rules)
* 3:15973 <-> ENABLED <-> EXPLOIT Novell eDirectory LDAP null search parameter buffer overflow attempt (exploit.rules)
* 3:15974 <-> ENABLED <-> EXPLOIT Microsoft IIS ASP handling buffer overflow attempt (exploit.rules)
* 3:15975 <-> ENABLED <-> WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt (web-client.rules)
* 3:15976 <-> ENABLED <-> WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt (web-client.rules)
* 3:16154 <-> ENABLED <-> WEB-CLIENT GDI+ .NET image property parsing memory corruption (web-client.rules)
* 3:16156 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF marker object memory corruption attempt (web-client.rules)
* 3:16158 <-> ENABLED <-> WEB-CLIENT malformed ASF codec memory corruption attempt (web-client.rules)
* 3:16179 <-> ENABLED <-> EXPLOIT Microsoft .NET MSIL CLR interface multiple instantiation attempt (exploit.rules)
* 3:16182 <-> ENABLED <-> EXPLOIT Microsoft .NET MSIL stack corruption attempt (exploit.rules)
* 3:16222 <-> ENABLED <-> WEB-CLIENT Malformed BMP dimensions arbitrary code execution attempt (web-client.rules)
* 3:16227 <-> ENABLED <-> WEB-MISC Web Service on Devices API WSDAPI URL processing buffer corruption attempt (web-misc.rules)
* 3:16228 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed StartObject record arbitrary code execution attempt (web-client.rules)
* 3:16230 <-> ENABLED <-> WEB-CLIENT Microsoft Excel oversized ib memory corruption attempt (web-client.rules)
* 3:16232 <-> ENABLED <-> WEB-CLIENT Windows TrueType font file parsing integer overflow attempt (web-client.rules)
* 3:16237 <-> ENABLED <-> DOS Microsoft Active Directory NTDSA stack space exhaustion attempt (dos.rules)
* 3:16320 <-> ENABLED <-> WEB-CLIENT Adobe PNG empty sPLT exploit attempt (web-client.rules)
* 3:16329 <-> ENABLED <-> EXPLOIT Microsoft Internet Authentication Service EAP-MSCHAPv2 authentication bypass attempt (exploit.rules)
* 3:16343 <-> ENABLED <-> WEB-CLIENT obfuscated header in PDF (web-client.rules)
* 3:16370 <-> ENABLED <-> WEB-CLIENT Adobe Reader JP2C Region Atom CompNum memory corruption attempt (web-client.rules)
* 3:16375 <-> ENABLED <-> EXPLOIT LDAP object parameter name buffer overflow attempt (exploit.rules)
* 3:16394 <-> ENABLED <-> DOS Active Directory Kerberos referral TGT renewal DoS attempt (dos.rules)
* 3:16395 <-> ENABLED <-> NETBIOS SMB COPY command oversized pathname attempt (netbios.rules)
* 3:16405 <-> ENABLED <-> ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt (icmp.rules)
* 3:16408 <-> ENABLED <-> DOS Microsoft Windows TCP SACK invalid range denial of service attempt (dos.rules)
* 3:16415 <-> ENABLED <-> WEB-CLIENT Microsoft DirectShow memory corruption attempt (web-client.rules)
* 3:16530 <-> ENABLED <-> WEB-CLIENT CAB SIP authenticode alteration attempt (web-client.rules)
* 3:16533 <-> ENABLED <-> BAD-TRAFFIC Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (bad-traffic.rules)
* 3:16534 <-> ENABLED <-> DOS Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (dos.rules)
* 3:16561 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 1 (exploit.rules)
* 3:16562 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 2 (exploit.rules)
* 3:16563 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 3 (exploit.rules)
* 3:16564 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 4 (exploit.rules)
* 3:16577 <-> ENABLED <-> NETBIOS Microsoft Windows SMBv2 compound request DoS attempt (netbios.rules)
* 3:16649 <-> ENABLED <-> WEB-CLIENT Microsoft Excel HFPicture record stack buffer overflow attempt (web-client.rules)
* 3:16662 <-> ENABLED <-> WEB-CLIENT Microsoft Excel SxView heap overflow attempt (web-client.rules)
* 3:17041 <-> ENABLED <-> WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt (web-misc.rules)
* 3:17118 <-> ENABLED <-> EXPLOIT Microsoft .NET CreateDelegate method arbitrary code execution attempt (exploit.rules)
* 3:17126 <-> ENABLED <-> NETBIOS SMB large session length with small packet (netbios.rules)
* 3:17199 <-> ENABLED <-> WEB-CLIENT Adobe Director file file lRTX overflow attempt (web-client.rules)
* 3:17201 <-> ENABLED <-> WEB-CLIENT Adobe Director file file LsCM overflow attempt (web-client.rules)
* 3:17242 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF file arbitrary code execution attempt (web-client.rules)
* 3:17251 <-> ENABLED <-> SMTP Outlook RTF remote code execution attempt (smtp.rules)
* 3:17300 <-> ENABLED <-> MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (multimedia.rules)
* 3:17608 <-> ENABLED <-> WEB-CLIENT Apple QuickTime color table atom movie file handling heap corruption attempt (web-client.rules)
* 3:17632 <-> ENABLED <-> SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow (snmp.rules)
* 3:17647 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (web-client.rules)
* 3:17663 <-> ENABLED <-> EXPLOIT Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt (exploit.rules)
* 3:17665 <-> ENABLED <-> WEB-CLIENT OpenOffice Word document table parsing multiple heap based buffer overflow attempt (web-client.rules)
* 3:17667 <-> ENABLED <-> MISC Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (misc.rules)
* 3:17693 <-> ENABLED <-> SMTP MailEnable NTLM Authentication buffer overflow attempt (smtp.rules)
* 3:17696 <-> ENABLED <-> EXPLOIT Microsoft DNS Server ANY query cache weakness (exploit.rules)
* 3:17697 <-> ENABLED <-> SMTP GnuPG Message Packet Length overflow attempt (smtp.rules)
* 3:17699 <-> ENABLED <-> SNMP Multiple vendor SNMPv3 HMAC handling authentication bypass attempt (snmp.rules)
* 3:17700 <-> ENABLED <-> WEB-CLIENT RealNetworks RealPlayer wav chunk string overflow attempt (web-client.rules)
* 3:17741 <-> ENABLED <-> EXPLOIT MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (exploit.rules)
* 3:17762 <-> ENABLED <-> WEB-CLIENT Microsoft Excel corrupted TABLE record clean up exploit attempt (web-client.rules)
* 3:17765 <-> ENABLED <-> WEB-CLIENT OpenType Font file parsing buffer overflow attempt (web-client.rules)
* 3:17775 <-> ENABLED <-> SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (misc.rules)
* 3:18063 <-> ENABLED <-> WEB-CLIENT Microsoft Office embedded Office Art drawings execution attempt (web-client.rules)
* 3:18064 <-> ENABLED <-> EXPLOIT Microsoft .NET framework EntityObject execution attempt (exploit.rules)
* 3:18101 <-> ENABLED <-> EXPLOIT Sun Directory Server LDAP denial of service attempt (exploit.rules)
* 3:18213 <-> ENABLED <-> SPECIFIC-THREATS MS Publisher column and row remote code execution attempt (specific-threats.rules)
* 3:18220 <-> ENABLED <-> WEB-CLIENT Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (web-client.rules)
* 3:18249 <-> ENABLED <-> ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Route Information stack buffer overflow attempt (icmp.rules)
* 3:18400 <-> ENABLED <-> SPECIFIC-THREATS MS CRSS local process allowed to persist through logon or logoff attempt (specific-threats.rules)
* 3:18405 <-> ENABLED <-> SPECIFIC-THREATS Microsoft LSASS domain name buffer overflow attempt (specific-threats.rules)
* 3:18409 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt (specific-threats.rules)
* 3:18410 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt (specific-threats.rules)
* 3:18411 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (specific-threats.rules)
* 3:18412 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (specific-threats.rules)
* 3:18414 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Kerberos auth downgrade to DES MITM attempt (web-client.rules)
* 3:18449 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat font definition memory corruption attempt (specific-threats.rules)
* 3:18501 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Malware Protection Engine elevation of privilege attempt (specific-threats.rules)
* 3:18630 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules)
* 3:18631 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules)
* 3:18640 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed SupBook record attempt (web-client.rules)
* 3:18641 <-> ENABLED <-> SPECIFIC_THREATS Excel OBJ record invalid cmo.ot exploit attempt (specific-threats.rules)
* 3:18660 <-> ENABLED <-> NETBIOS SMB2 write packet buffer overflow attempt (netbios.rules)
* 3:18661 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
* 3:18662 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
* 3:18663 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
* 3:18664 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
* 3:23608 <-> ENABLED <-> BAD-TRAFFIC dns zone transfer with zero-length rdata attempt (bad-traffic.rules)
* 3:19187 <-> ENABLED <-> BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt (bad-traffic.rules)
* 3:18949 <-> ENABLED <-> WEB-CLIENT PowerPoint malformed RecolorInfoAtom exploit attempt (web-client.rules)
* 3:18665 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
* 3:18666 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
* 3:18667 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
* 3:18669 <-> ENABLED <-> WEB-CLIENT cross-domain object mainpulation attempt (web-client.rules)
* 3:8351 <-> ENABLED <-> BAD-TRAFFIC PGM nak list overflow attempt (bad-traffic.rules)
* 3:7196 <-> ENABLED <-> EXPLOIT Microsoft DHCP option overflow attempt (exploit.rules)
* 3:8092 <-> ENABLED <-> DOS IGMP IP Options validation attempt (dos.rules)
* 3:7019 <-> ENABLED <-> P2P WinNY connection attempt (p2p.rules)
* 3:31616 <-> ENABLED <-> BAD-TRAFFIC Cisco IOS EnergyWise malformed packet denial of service attempt (bad-traffic.rules)
* 3:31615 <-> ENABLED <-> BAD-TRAFFIC Cisco IOS EnergyWise malformed packet denial of service attempt (bad-traffic.rules)
* 3:31451 <-> ENABLED <-> EXPLOIT Cisco Unified IP phone BVSMWeb portal attack attempt (exploit.rules)
* 3:31398 <-> ENABLED <-> BAD-TRAFFIC Cisco Unified IP phone BVSMWeb portal attack attempt (bad-traffic.rules)
* 3:31361 <-> ENABLED <-> EXPLOIT OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (exploit.rules)
* 3:30943 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)
* 3:30942 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)
* 3:30933 <-> ENABLED <-> WEB-MISC Cisco RV180 VPN remote code execution attempt (web-misc.rules)
* 3:30932 <-> ENABLED <-> EXPLOIT Cisco WebEx WRF heap corruption attempt (exploit.rules)
* 3:30931 <-> ENABLED <-> WEB-MISC Cisco RV180W remote file inclusion attempt (web-misc.rules)
* 3:30929 <-> ENABLED <-> WEB-MISC Cisco RV180 VPN CSRF attempt (web-misc.rules)
* 3:30922 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
* 3:30913 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
* 3:30921 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
* 3:30912 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
* 3:30903 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
* 3:30902 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
* 3:30890 <-> ENABLED <-> BAD-TRAFFIC Content-Type media type overflow denial of service attempt (bad-traffic.rules)
* 3:30901 <-> ENABLED <-> WEB-CLIENT known malicious flash actionscript decryption routine (web-client.rules)
* 3:30889 <-> ENABLED <-> BAD-TRAFFIC Content-Type media type overflow denial of service attempt (bad-traffic.rules)
* 3:30888 <-> ENABLED <-> WEB-MISC Cisco Tshell command injection attempt (web-misc.rules)
* 3:30887 <-> ENABLED <-> WEB-MISC Cisco Tshell command injection attempt (web-misc.rules)
* 3:30886 <-> ENABLED <-> BAD-TRAFFIC Cisco SIP malformed date header buffer overflow attempt (bad-traffic.rules)
* 3:20825 <-> ENABLED <-> DOS generic web server hashing collision attack (dos.rules)
* 3:30885 <-> ENABLED <-> BAD-TRAFFIC Cisco SIP malformed date header buffer overflow attempt (bad-traffic.rules)
* 3:30884 <-> ENABLED <-> BAD-TRAFFIC Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (bad-traffic.rules)
* 3:30881 <-> ENABLED <-> BAD-TRAFFIC dns request with long host name segment - possible data exfiltration attempt (bad-traffic.rules)
* 3:30283 <-> ENABLED <-> DOS Cisco IOS SIP header denial of service attempt (dos.rules)
* 3:30282 <-> ENABLED <-> DOS Cisco IOS SIP header denial of service attempt (dos.rules)
* 3:21355 <-> ENABLED <-> BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid (bad-traffic.rules)
* 3:21352 <-> ENABLED <-> SMTP Microsoft Fax Cover Page Editor heap corruption attempt (web-client.rules)
* 3:21354 <-> ENABLED <-> BAD-TRAFFIC dns query - storing query and txid (bad-traffic.rules)
* 3:23040 <-> ENABLED <-> DNS Multiple vendor DNS message decompression denial of service attempt (dos.rules)
* 3:22089 <-> ENABLED <-> WEB-CLIENT Microsoft RTF improper listoverride nesting attempt (web-client.rules)
* 3:18673 <-> ENABLED <-> WEB-CLIENT Microsoft Fax Cover Page Editor heap corruption attempt (web-client.rules)
* 3:18676 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel DV record buffer overflow attempt (web-client.rules)
* 3:23180 <-> ENABLED <-> SMTP obfuscated header in PDF attachment (web-client.rules)
* 3:19350 <-> ENABLED <-> WEB-CLIENT Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (web-client.rules)
* 3:29945 <-> ENABLED <-> EXPLOIT Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (exploit.rules)
* 3:23182 <-> ENABLED <-> WEB-MISC SFVRT-1009 attack attempt (web-misc.rules)
* 3:29944 <-> ENABLED <-> EXPLOIT Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (exploit.rules)
* 3:24595 <-> ENABLED <-> EXPLOIT Oracle Reports Server information disclosure attempt (exploit.rules)
* 3:24596 <-> ENABLED <-> EXPLOIT Oracle Reports Servlet information disclosure attempt (exploit.rules)
* 3:24597 <-> ENABLED <-> EXPLOIT Oracle Reports Servlet information disclosure attempt (exploit.rules)
* 3:28488 <-> ENABLED <-> WEB-CLIENT Microsoft GDI library TIFF handling memory corruption attempt (web-client.rules)
* 3:24666 <-> ENABLED <-> EXPLOIT Excel invalid data item buffer overflow attempt (exploit.rules)
* 3:28487 <-> ENABLED <-> WEB-CLIENT Microsoft GDI library TIFF handling memory corruption attempt (web-client.rules)
* 3:24671 <-> ENABLED <-> EXPLOIT Microsoft Windows Explorer briefcase database memory corruption attempt (exploit.rules)
* 3:26213 <-> ENABLED <-> MISC g01 exploit kit dns request - doesntexist.com (misc.rules)
* 3:24971 <-> ENABLED <-> EXPLOIT Microsoft Windows ATMFD Adobe font driver reserved command denial of service attempt (exploit.rules)
* 3:23039 <-> ENABLED <-> DNS Multiple vendor DNS message decompression denial of service attempt (dos.rules)
* 3:20135 <-> ENABLED <-> EXPLOIT HP OpenView Storage Data Protector buffer overflow attempt (exploit.rules)
* 3:27906 <-> ENABLED <-> EXPLOIT MIT Kerberos KDC prep_reprocess_req null pointer dereference attempt (exploit.rules)
* 3:26972 <-> ENABLED <-> EXPLOIT CUPS IPP multi-valued attribute memory corruption attempt (exploit.rules)
* 3:26877 <-> ENABLED <-> DOS Microsoft Windows TCPRecomputeMss denial of service attempt (dos.rules)
* 3:21619 <-> ENABLED <-> EXPLOIT Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (exploit.rules)
* 3:26215 <-> ENABLED <-> MISC g01 exploit kit dns request - dynalias.com (misc.rules)
* 3:26214 <-> ENABLED <-> MISC g01 exploit kit dns request - dnsalias.com (misc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection (malware-cnc.rules)
* 1:31688 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor (blacklist.rules)
* 1:31687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31686 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31685 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-origin security policy bypass attempt (file-flash.rules)
* 1:31684 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross-origin security policy bypass attempt (file-flash.rules)
* 1:31683 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur variant outbound connection (malware-cnc.rules)
* 1:31682 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur download attempt (malware-cnc.rules)
* 1:31681 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Badur download attempt (malware-cnc.rules)
* 1:31680 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tirabot variant outbound connection (malware-cnc.rules)
* 1:31679 <-> ENABLED <-> FILE-FLASH Adobe Flash valueOf memory leak attempt (file-flash.rules)
* 1:31678 <-> ENABLED <-> FILE-FLASH Adobe Flash valueOf memory leak attempt (file-flash.rules)
* 1:31677 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
* 1:31676 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
* 1:31675 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
* 1:31674 <-> ENABLED <-> FILE-FLASH Adobe Flash Broker write to junction exploit attempt (file-flash.rules)
* 1:31673 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URL handling remote code execution attempt (file-flash.rules)
* 1:31672 <-> ENABLED <-> MALWARE-CNC Inbound command to php based DoS bot (malware-cnc.rules)
* 1:31671 <-> ENABLED <-> FILE-OTHER Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt (file-other.rules)
* 1:31670 <-> ENABLED <-> FILE-OTHER Symantec Endpoint Protection Sysplant kernel pool overflow exploit attempt (file-other.rules)
* 1:31669 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
* 1:18403 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Data Source Object memory corruption attempt (browser-ie.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:25459 <-> ENABLED <-> FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules)
* 1:25460 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules)
* 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
* 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
* 1:31631 <-> ENABLED <-> BLACKLIST DNS request for known malware domain games-playbox.com (blacklist.rules)
* 1:31632 <-> ENABLED <-> BLACKLIST DNS request for known malware domain worldvoicetrip.com (blacklist.rules)
* 3:13790 <-> ENABLED <-> WEB-CLIENT Microsoft Word malformed css remote code execution attempt (web-client.rules)
* 3:13773 <-> ENABLED <-> DOS linux kernel snmp nat netfilter memory corruption attempt (dos.rules)
* 3:13718 <-> ENABLED <-> SMTP BDAT buffer overflow attempt (smtp.rules)
* 3:13676 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI emf filename buffer overflow attempt (web-client.rules)
* 3:13667 <-> ENABLED <-> BAD-TRAFFIC dns cache poisoning attempt (bad-traffic.rules)
* 3:13666 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI integer overflow attempt (web-client.rules)
* 3:13582 <-> ENABLED <-> WEB-CLIENT Microsoft Excel sst record arbitrary code execution attempt (web-client.rules)
* 3:13511 <-> ENABLED <-> EXPLOIT Novell eDirectory EventsRequest invalid event count exploit attempt (exploit.rules)
* 3:13510 <-> ENABLED <-> EXPLOIT Novell eDirectory EventsRequest heap overflow attempt (exploit.rules)
* 3:13476 <-> ENABLED <-> WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (web-iis.rules)
* 3:13475 <-> ENABLED <-> DOS Microsoft Active Directory LDAP denial of service attempt (dos.rules)
* 3:13471 <-> ENABLED <-> EXPLOIT Microsoft Publisher invalid pathname overwrite (exploit.rules)
* 3:13469 <-> ENABLED <-> WEB-CLIENT Microsoft Word ole stream memory corruption attempt (web-client.rules)
* 3:13450 <-> ENABLED <-> BAD-TRAFFIC invalid dhcp offer denial of service attempt (bad-traffic.rules)
* 3:13425 <-> ENABLED <-> DOS openldap server bind request denial of service attempt (dos.rules)
* 3:13418 <-> ENABLED <-> DOS IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (dos.rules)
* 3:13417 <-> ENABLED <-> EXPLOIT Citrix MetaFrame IMA authentication processing buffer overflow attempt (exploit.rules)
* 3:13308 <-> ENABLED <-> WEB-MISC Apache HTTP server auth_ldap logging function format string vulnerability (web-misc.rules)
* 3:13287 <-> ENABLED <-> BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt (bad-traffic.rules)
* 3:12636 <-> ENABLED <-> NNTP XHDR buffer overflow attempt (nntp.rules)
* 3:8351 <-> ENABLED <-> BAD-TRAFFIC PGM nak list overflow attempt (bad-traffic.rules)
* 3:8092 <-> ENABLED <-> DOS IGMP IP Options validation attempt (dos.rules)
* 3:7196 <-> ENABLED <-> EXPLOIT Microsoft DHCP option overflow attempt (exploit.rules)
* 3:7019 <-> ENABLED <-> P2P WinNY connection attempt (p2p.rules)
* 3:31616 <-> ENABLED <-> BAD-TRAFFIC Cisco IOS EnergyWise malformed packet denial of service attempt (bad-traffic.rules)
* 3:31615 <-> ENABLED <-> BAD-TRAFFIC Cisco IOS EnergyWise malformed packet denial of service attempt (bad-traffic.rules)
* 3:31451 <-> ENABLED <-> EXPLOIT Cisco Unified IP phone BVSMWeb portal attack attempt (exploit.rules)
* 3:31398 <-> ENABLED <-> BAD-TRAFFIC Cisco Unified IP phone BVSMWeb portal attack attempt (bad-traffic.rules)
* 3:31361 <-> ENABLED <-> EXPLOIT OpenSSL DTLSv1.0 handshake fragment buffer 
overrun attempt (exploit.rules) * 3:30943 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules) * 3:30942 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules) * 3:30933 <-> ENABLED <-> WEB-MISC Cisco RV180 VPN remote code execution attempt (web-misc.rules) * 3:30932 <-> ENABLED <-> EXPLOIT Cisco WebEx WRF heap corruption attempt (exploit.rules) * 3:30931 <-> ENABLED <-> WEB-MISC Cisco RV180W remote file inclusion attempt (web-misc.rules) * 3:30929 <-> ENABLED <-> WEB-MISC Cisco RV180 VPN CSRF attempt (web-misc.rules) * 3:30922 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules) * 3:30921 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules) * 3:30913 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules) * 3:30912 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules) * 3:30903 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules) * 3:30902 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules) * 3:30901 <-> ENABLED <-> WEB-CLIENT known malicious flash actionscript decryption routine (web-client.rules) * 3:30890 <-> ENABLED <-> BAD-TRAFFIC Content-Type media type overflow denial of service attempt (bad-traffic.rules) * 3:30889 <-> ENABLED <-> BAD-TRAFFIC Content-Type media type overflow denial of service attempt (bad-traffic.rules) * 3:30888 <-> ENABLED <-> WEB-MISC Cisco Tshell command injection attempt (web-misc.rules) * 3:30887 <-> ENABLED <-> WEB-MISC Cisco Tshell command injection attempt (web-misc.rules) * 3:30886 <-> ENABLED <-> BAD-TRAFFIC Cisco SIP malformed date header buffer overflow attempt (bad-traffic.rules) * 3:30885 <-> ENABLED <-> BAD-TRAFFIC Cisco SIP malformed date header buffer overflow attempt (bad-traffic.rules) * 3:30884 <-> 
ENABLED <-> BAD-TRAFFIC Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (bad-traffic.rules) * 3:30881 <-> ENABLED <-> BAD-TRAFFIC dns request with long host name segment - possible data exfiltration attempt (bad-traffic.rules) * 3:30283 <-> ENABLED <-> DOS Cisco IOS SIP header denial of service attempt (dos.rules) * 3:30282 <-> ENABLED <-> DOS Cisco IOS SIP header denial of service attempt (dos.rules) * 3:29945 <-> ENABLED <-> EXPLOIT Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (exploit.rules) * 3:29944 <-> ENABLED <-> EXPLOIT Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (exploit.rules) * 3:28488 <-> ENABLED <-> WEB-CLIENT Microsoft GDI library TIFF handling memory corruption attempt (web-client.rules) * 3:28487 <-> ENABLED <-> WEB-CLIENT Microsoft GDI library TIFF handling memory corruption attempt (web-client.rules) * 3:27906 <-> ENABLED <-> EXPLOIT MIT Kerberos KDC prep_reprocess_req null pointer dereference attempt (exploit.rules) * 3:26972 <-> ENABLED <-> EXPLOIT CUPS IPP multi-valued attribute memory corruption attempt (exploit.rules) * 3:26877 <-> ENABLED <-> DOS Microsoft Windows TCPRecomputeMss denial of service attempt (dos.rules) * 3:26215 <-> ENABLED <-> MISC g01 exploit kit dns request - dynalias.com (misc.rules) * 3:26214 <-> ENABLED <-> MISC g01 exploit kit dns request - dnsalias.com (misc.rules) * 3:26213 <-> ENABLED <-> MISC g01 exploit kit dns request - doesntexist.com (misc.rules) * 3:24971 <-> ENABLED <-> EXPLOIT Microsoft Windows ATMFD Adobe font driver reserved command denial of service attempt (exploit.rules) * 3:24671 <-> ENABLED <-> EXPLOIT Microsoft Windows Explorer briefcase database memory corruption attempt (exploit.rules) * 3:24666 <-> ENABLED <-> EXPLOIT Excel invalid data item buffer overflow attempt (exploit.rules) * 3:24597 <-> ENABLED <-> EXPLOIT Oracle Reports Servlet information disclosure attempt 
(exploit.rules) * 3:24596 <-> ENABLED <-> EXPLOIT Oracle Reports Servlet information disclosure attempt (exploit.rules) * 3:24595 <-> ENABLED <-> EXPLOIT Oracle Reports Server information disclosure attempt (exploit.rules) * 3:23608 <-> ENABLED <-> BAD-TRAFFIC dns zone transfer with zero-length rdata attempt (bad-traffic.rules) * 3:23182 <-> ENABLED <-> WEB-MISC SFVRT-1009 attack attempt (web-misc.rules) * 3:23180 <-> ENABLED <-> SMTP obfuscated header in PDF attachment (web-client.rules) * 3:23040 <-> ENABLED <-> DNS Multiple vendor DNS message decompression denial of service attempt (dos.rules) * 3:23039 <-> ENABLED <-> DNS Multiple vendor DNS message decompression denial of service attempt (dos.rules) * 3:22089 <-> ENABLED <-> WEB-CLIENT Microsoft RTF improper listoverride nesting attempt (web-client.rules) * 3:21619 <-> ENABLED <-> EXPLOIT Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (exploit.rules) * 3:21355 <-> ENABLED <-> BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid (bad-traffic.rules) * 3:21354 <-> ENABLED <-> BAD-TRAFFIC dns query - storing query and txid (bad-traffic.rules) * 3:21352 <-> ENABLED <-> SMTP Microsoft Fax Cover Page Editor heap corruption attempt (web-client.rules) * 3:20825 <-> ENABLED <-> DOS generic web server hashing collision attack (dos.rules) * 3:20135 <-> ENABLED <-> EXPLOIT HP OpenView Storage Data Protector buffer overflow attempt (exploit.rules) * 3:19350 <-> ENABLED <-> WEB-CLIENT Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (web-client.rules) * 3:19187 <-> ENABLED <-> BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt (bad-traffic.rules) * 3:18949 <-> ENABLED <-> WEB-CLIENT PowerPoint malformed RecolorInfoAtom exploit attempt (web-client.rules) * 3:18676 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel DV record buffer overflow attempt (web-client.rules) * 3:18673 <-> ENABLED <-> WEB-CLIENT Microsoft Fax Cover Page Editor 
heap corruption attempt (web-client.rules) * 3:18669 <-> ENABLED <-> WEB-CLIENT cross-domain object mainpulation attempt (web-client.rules) * 3:18667 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules) * 3:18666 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules) * 3:18665 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules) * 3:18664 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules) * 3:18663 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules) * 3:18662 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules) * 3:18661 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules) * 3:18660 <-> ENABLED <-> NETBIOS SMB2 write packet buffer overflow attempt (netbios.rules) * 3:18641 <-> ENABLED <-> SPECIFIC_THREATS Excel OBJ record invalid cmo.ot exploit attempt (specific-threats.rules) * 3:18640 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed SupBook record attempt (web-client.rules) * 3:18631 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules) * 3:18630 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules) * 3:18501 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Malware Protection Engine elevation of privilege attempt (specific-threats.rules) * 3:18449 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat font definition memory corruption attempt (specific-threats.rules) * 3:18414 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Kerberos auth downgrade to DES MITM attempt (web-client.rules) * 3:18412 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (specific-threats.rules) * 3:18411 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k!xxxTrackPopupMenuEx 
privilege escalation attempt (specific-threats.rules) * 3:18410 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt (specific-threats.rules) * 3:18409 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt (specific-threats.rules) * 3:18405 <-> ENABLED <-> SPECIFIC-THREATS Microsoft LSASS domain name buffer overflow attempt (specific-threats.rules) * 3:18400 <-> ENABLED <-> SPECIFIC-THREATS MS CRSS local process allowed to persist through logon or logoff attempt (specific-threats.rules) * 3:18249 <-> ENABLED <-> ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Route Information stack buffer overflow attempt (icmp.rules) * 3:18220 <-> ENABLED <-> WEB-CLIENT Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (web-client.rules) * 3:18213 <-> ENABLED <-> SPECIFIC-THREATS MS Publisher column and row remote code execution attempt (specific-threats.rules) * 3:18101 <-> ENABLED <-> EXPLOIT Sun Directory Server LDAP denial of service attempt (exploit.rules) * 3:18064 <-> ENABLED <-> EXPLOIT Microsoft .NET framework EntityObject execution attempt (exploit.rules) * 3:18063 <-> ENABLED <-> WEB-CLIENT Microsoft Office embedded Office Art drawings execution attempt (web-client.rules) * 3:17775 <-> ENABLED <-> SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (misc.rules) * 3:17765 <-> ENABLED <-> WEB-CLIENT OpenType Font file parsing buffer overflow attempt (web-client.rules) * 3:17762 <-> ENABLED <-> WEB-CLIENT Microsoft Excel corrupted TABLE record clean up exploit attempt (web-client.rules) * 3:17741 <-> ENABLED <-> EXPLOIT MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (exploit.rules) * 3:17700 <-> ENABLED <-> WEB-CLIENT RealNetworks RealPlayer wav chunk string overflow attempt (web-client.rules) * 3:17699 <-> ENABLED <-> SNMP Multiple vendor SNMPv3 HMAC handling 
authentication bypass attempt (snmp.rules) * 3:17697 <-> ENABLED <-> SMTP GnuPG Message Packet Length overflow attempt (smtp.rules) * 3:17696 <-> ENABLED <-> EXPLOIT Microsoft DNS Server ANY query cache weakness (exploit.rules) * 3:17693 <-> ENABLED <-> SMTP MailEnable NTLM Authentication buffer overflow attempt (smtp.rules) * 3:17667 <-> ENABLED <-> MISC Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (misc.rules) * 3:17665 <-> ENABLED <-> WEB-CLIENT OpenOffice Word document table parsing multiple heap based buffer overflow attempt (web-client.rules) * 3:17663 <-> ENABLED <-> EXPLOIT Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt (exploit.rules) * 3:17647 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (web-client.rules) * 3:17632 <-> ENABLED <-> SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow (snmp.rules) * 3:17608 <-> ENABLED <-> WEB-CLIENT Apple QuickTime color table atom movie file handling heap corruption attempt (web-client.rules) * 3:17300 <-> ENABLED <-> MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (multimedia.rules) * 3:17251 <-> ENABLED <-> SMTP Outlook RTF remote code execution attempt (smtp.rules) * 3:17242 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF file arbitrary code execution attempt (web-client.rules) * 3:17201 <-> ENABLED <-> WEB-CLIENT Adobe Director file file LsCM overflow attempt (web-client.rules) * 3:17199 <-> ENABLED <-> WEB-CLIENT Adobe Director file file lRTX overflow attempt (web-client.rules) * 3:17126 <-> ENABLED <-> NETBIOS SMB large session length with small packet (netbios.rules) * 3:17118 <-> ENABLED <-> EXPLOIT Microsoft .NET CreateDelegate method arbitrary code execution attempt (exploit.rules) * 3:17041 <-> ENABLED <-> WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt 
(web-misc.rules) * 3:16662 <-> ENABLED <-> WEB-CLIENT Microsoft Excel SxView heap overflow attempt (web-client.rules) * 3:16649 <-> ENABLED <-> WEB-CLIENT Microsoft Excel HFPicture record stack buffer overflow attempt (web-client.rules) * 3:16577 <-> ENABLED <-> NETBIOS Microsoft Windows SMBv2 compound request DoS attempt (netbios.rules) * 3:16564 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 4 (exploit.rules) * 3:16563 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 3 (exploit.rules) * 3:16562 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 2 (exploit.rules) * 3:16561 <-> ENABLED <-> EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 1 (exploit.rules) * 3:16534 <-> ENABLED <-> DOS Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (dos.rules) * 3:16533 <-> ENABLED <-> BAD-TRAFFIC Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (bad-traffic.rules) * 3:16530 <-> ENABLED <-> WEB-CLIENT CAB SIP authenticode alteration attempt (web-client.rules) * 3:16415 <-> ENABLED <-> WEB-CLIENT Microsoft DirectShow memory corruption attempt (web-client.rules) * 3:16408 <-> ENABLED <-> DOS Microsoft Windows TCP SACK invalid range denial of service attempt (dos.rules) * 3:16405 <-> ENABLED <-> ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt (icmp.rules) * 3:16395 <-> ENABLED <-> NETBIOS SMB COPY command oversized pathname attempt (netbios.rules) * 3:16394 <-> ENABLED <-> DOS Active Directory Kerberos referral TGT renewal DoS attempt (dos.rules) * 3:16375 <-> ENABLED <-> EXPLOIT LDAP object parameter name buffer overflow attempt (exploit.rules) * 3:16370 <-> ENABLED <-> WEB-CLIENT Adobe Reader JP2C Region Atom CompNum memory corruption attempt (web-client.rules) * 3:16343 <-> ENABLED <-> WEB-CLIENT obfuscated header in PDF (web-client.rules) * 3:16329 <-> ENABLED <-> EXPLOIT Microsoft Internet 
Authentication Service EAP-MSCHAPv2 authentication bypass attempt (exploit.rules) * 3:16320 <-> ENABLED <-> WEB-CLIENT Adobe PNG empty sPLT exploit attempt (web-client.rules) * 3:16237 <-> ENABLED <-> DOS Microsoft Active Directory NTDSA stack space exhaustion attempt (dos.rules) * 3:16232 <-> ENABLED <-> WEB-CLIENT Windows TrueType font file parsing integer overflow attempt (web-client.rules) * 3:16230 <-> ENABLED <-> WEB-CLIENT Microsoft Excel oversized ib memory corruption attempt (web-client.rules) * 3:16228 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed StartObject record arbitrary code execution attempt (web-client.rules) * 3:16227 <-> ENABLED <-> WEB-MISC Web Service on Devices API WSDAPI URL processing buffer corruption attempt (web-misc.rules) * 3:16222 <-> ENABLED <-> WEB-CLIENT Malformed BMP dimensions arbitrary code execution attempt (web-client.rules) * 3:16182 <-> ENABLED <-> EXPLOIT Microsoft .NET MSIL stack corruption attempt (exploit.rules) * 3:16179 <-> ENABLED <-> EXPLOIT Microsoft .NET MSIL CLR interface multiple instantiation attempt (exploit.rules) * 3:16158 <-> ENABLED <-> WEB-CLIENT malformed ASF codec memory corruption attempt (web-client.rules) * 3:16156 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF marker object memory corruption attempt (web-client.rules) * 3:16154 <-> ENABLED <-> WEB-CLIENT GDI+ .NET image property parsing memory corruption (web-client.rules) * 3:15976 <-> ENABLED <-> WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt (web-client.rules) * 3:15975 <-> ENABLED <-> WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt (web-client.rules) * 3:15974 <-> ENABLED <-> EXPLOIT Microsoft IIS ASP handling buffer overflow attempt (exploit.rules) * 3:15973 <-> ENABLED <-> EXPLOIT Novell eDirectory LDAP null search parameter buffer overflow attempt (exploit.rules) * 3:15968 <-> ENABLED <-> EXPLOIT LANDesk Management Suite QIP service heal packet buffer 
overflow attempt (exploit.rules) * 3:15959 <-> ENABLED <-> DOS Microsoft ASP.NET viewstate DoS attempt (dos.rules) * 3:15920 <-> ENABLED <-> WEB-CLIENT Microsoft mp3 malformed APIC header RCE attempt (web-client.rules) * 3:15912 <-> ENABLED <-> BAD-TRAFFIC TCP window closed before receiving data (bad-traffic.rules) * 3:15857 <-> ENABLED <-> WEB-CLIENT Microsoft Windows AVIFile media file invalid header length (web-client.rules) * 3:15851 <-> ENABLED <-> DOS Microsoft ASP.NET bad request denial of service attempt (dos.rules) * 3:15848 <-> ENABLED <-> EXPLOIT WINS replication request memory corruption attempt (exploit.rules) * 3:15847 <-> ENABLED <-> NETBIOS Telnet-based NTLM replay attack attempt (netbios.rules) * 3:15734 <-> ENABLED <-> BAD-TRAFFIC BIND named 9 dynamic update message remote dos attempt (bad-traffic.rules) * 3:15700 <-> ENABLED <-> EXPLOIT dhclient subnet mask option buffer overflow attempt (exploit.rules) * 3:15683 <-> ENABLED <-> WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt (web-misc.rules) * 3:15528 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (netbios.rules) * 3:15522 <-> ENABLED <-> DOS Active Directory invalid OID denial of service attempt (dos.rules) * 3:15521 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel ExternSheet record remote code execution attempt (web-client.rules) * 3:15519 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel BRAI record remote code execution attempt (web-client.rules) * 3:15503 <-> ENABLED <-> WEB-CLIENT Download of PowerPoint 95 file (web-client.rules) * 3:15498 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint CString atom overflow attempt (web-client.rules) * 3:15474 <-> ENABLED <-> BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (bad-traffic.rules) * 3:15470 <-> ENABLED <-> WEB-MISC IIS ASP/ASP.NET potentially malicious file upload attempt (web-misc.rules) * 3:15465 <-> ENABLED <-> 
WEB-CLIENT Microsoft Excel malformed object record remote code execution attempt (web-client.rules) * 3:15456 <-> ENABLED <-> EXPLOIT WinHTTP SSL/TLS impersonation attempt (exploit.rules) * 3:15454 <-> ENABLED <-> WEB-CLIENT Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (web-client.rules) * 3:15453 <-> ENABLED <-> NETBIOS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (netbios.rules) * 3:15452 <-> ENABLED <-> EXPLOIT possible Conficker.C HTTP traffic 2 (exploit.rules) * 3:15451 <-> ENABLED <-> EXPLOIT possible Conficker.C HTTP traffic 1 (exploit.rules) * 3:15450 <-> ENABLED <-> BAD-TRAFFIC Conficker C/D DNS traffic detected (bad-traffic.rules) * 3:15449 <-> ENABLED <-> BAD-TRAFFIC Conficker A/B DNS traffic detected (bad-traffic.rules) * 3:15433 <-> ENABLED <-> WEB-CLIENT Winamp MAKI parsing integer overflow attempt (web-client.rules) * 3:15365 <-> ENABLED <-> WEB-CLIENT Microsoft Excel extrst record arbitrary code excecution attempt (web-client.rules) * 3:15329 <-> ENABLED <-> SMTP Microsoft Exchange MODPROPS memory corruption attempt (smtp.rules) * 3:15328 <-> ENABLED <-> WEB-CLIENT Sun JDK image parsing library ICC buffer overflow attempt (web-client.rules) * 3:15327 <-> ENABLED <-> BAD-TRAFFIC libspf2 DNS TXT record parsing buffer overflow attempt (bad-traffic.rules) * 3:15301 <-> ENABLED <-> SMTP Exchange compressed RTF remote code execution attempt (smtp.rules) * 3:15300 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer EMF polyline overflow attempt (web-client.rules) * 3:15298 <-> ENABLED <-> WEB-CLIENT Microsoft Visio could allow remote code execution (web-client.rules) * 3:15149 <-> ENABLED <-> DOS Oracle Internet Directory pre-auth ldap denial of service attempt (dos.rules) * 3:15148 <-> ENABLED <-> DOS Microsoft SMS remote control client message length denial of service attempt (dos.rules) * 3:15125 <-> ENABLED <-> WEB-CLIENT Microsoft Word rich text file unpaired dpendgroup exploit attempt 
(web-client.rules) * 3:15124 <-> ENABLED <-> NETBIOS Web-based NTLM replay attack attempt (netbios.rules) * 3:15121 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call unicode access (web-activex.rules) * 3:15120 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call access (web-activex.rules) * 3:15119 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid unicode access (web-activex.rules) * 3:15118 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid access (web-activex.rules) * 3:15117 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed OBJ record arbitrary code execution attempt (web-client.rules) * 3:15009 <-> ENABLED <-> NETBIOS possible SMB replay attempt - overlapping encryption keys detected (netbios.rules) * 3:14772 <-> ENABLED <-> WEB-CLIENT libpng malformed chunk denial of service attempt (web-client.rules) * 3:14655 <-> ENABLED <-> WEB-CLIENT Excel rept integer underflow attempt (web-client.rules) * 3:14646 <-> ENABLED <-> DOS Active Directory malformed baseObject denial of service attempt (dos.rules) * 3:14263 <-> ENABLED <-> CHAT Pidgin MSN MSNP2P message integer overflow attempt (chat.rules) * 3:14260 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (web-client.rules) * 3:14254 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules) * 3:14253 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules) * 3:14252 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules) * 3:14251 <-> ENABLED <-> EXPLOIT Microsoft GDI malformed metarecord buffer overflow attempt (exploit.rules) * 3:13979 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System Subscription VBScript access (web-client.rules) * 3:13978 <-> ENABLED <-> WEB-CLIENT Microsoft 
Windows Event System ActiveX function call unicode access (web-client.rules) * 3:13977 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX function call access (web-client.rules) * 3:13976 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX clsid unicode access (web-client.rules) * 3:13975 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX clsid access (web-client.rules) * 3:13969 <-> ENABLED <-> WEB-CLIENT Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (web-client.rules) * 3:13958 <-> ENABLED <-> WEB-CLIENT WordPerfect Graphics file invalid RLE buffer overflow attempt (web-client.rules) * 3:13954 <-> ENABLED <-> WEB-CLIENT Microsoft Color Management System EMF file processing overflow attempt (web-client.rules) * 3:13947 <-> ENABLED <-> WEB-CLIENT Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (web-client.rules) * 3:13946 <-> ENABLED <-> WEB-CLIENT Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (web-client.rules) * 3:13922 <-> ENABLED <-> WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (web-iis.rules) * 3:13921 <-> ENABLED <-> IMAP Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (imap.rules) * 3:13897 <-> ENABLED <-> EXPLOIT Apple Quicktime crgn atom parsing stack buffer overflow attempt (exploit.rules) * 3:13887 <-> ENABLED <-> BAD-TRAFFIC dns root nameserver poisoning attempt (bad-traffic.rules) * 3:13879 <-> ENABLED <-> WEB-CLIENT Windows BMP image conversion arbitrary code execution attempt (web-client.rules) * 3:13835 <-> ENABLED <-> DOS Microsoft Active Directory LDAP cookie denial of service attempt (dos.rules) * 3:13826 <-> ENABLED <-> EXPLOIT Microsoft WINS arbitrary memory modification attempt (exploit.rules) * 3:13825 <-> ENABLED <-> DOS Microsoft PGM fragment denial of service attempt (dos.rules) * 3:13803 <-> ENABLED <-> WEB-CLIENT RTF control word overflow attempt 
(web-client.rules) * 3:13802 <-> ENABLED <-> WEB-CLIENT Microsoft malware protection engine denial of service attempt (web-client.rules) * 3:13798 <-> ENABLED <-> WEB-CLIENT Microsoft malware protection engine denial of service attempt (web-client.rules) * 3:12028 <-> ENABLED <-> SMTP Microsoft Exchange Server MIME base64 decoding code execution attempt (smtp.rules) * 3:11672 <-> ENABLED <-> MISC Mozilla Network Security Services SSLv2 stack overflow attempt (misc.rules) * 3:11619 <-> ENABLED <-> MISC MySQL COM_TABLE_DUMP Function Stack Overflow attempt (misc.rules) * 3:10480 <-> ENABLED <-> EXPLOIT imail ldap buffer overflow exploit attempt (exploit.rules) * 3:10127 <-> ENABLED <-> DOS Microsoft IP Options denial of service (dos.rules)