VRT Rules 2014-09-16
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-identify, file-multimedia, file-office, malware-cnc, os-windows, protocol-snmp, server-mail, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-09-16 21:46:13 UTC

Sourcefire VRT Rules Update

Date: 2014-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31906 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope UploadFilesHandler directory traversal attempt (server-webapp.rules)
 * 1:31905 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope DownloadFilesHandler directory traversal attempt (server-webapp.rules)
 * 1:31904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:31903 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit flash file download (exploit-kit.rules)
 * 1:31902 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit flash file download (exploit-kit.rules)
 * 1:31901 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Oracle Java encoded shellcode detected (exploit-kit.rules)
 * 1:31900 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (exploit-kit.rules)
 * 1:31899 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash encoded shellcode detected (exploit-kit.rules)
 * 1:31898 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:31897 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
 * 1:31896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection attempt (malware-cnc.rules)
 * 1:31895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toupi variant outbound connection attempt (malware-cnc.rules)
 * 1:31894 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rolex216.8s.nl - Win.Trojan.POSCardStealer (blacklist.rules)
 * 1:31893 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hoqou.su - Win.Trojan.POSCardStealer (blacklist.rules)
 * 1:31892 <-> DISABLED <-> SERVER-WEBAPP HybridAuth install.php code injection attempt (server-webapp.rules)
 * 1:31890 <-> DISABLED <-> SERVER-MAIL Exim Dovecot LDA sender_address command injection attempt (server-mail.rules)
 * 1:31889 <-> DISABLED <-> SERVER-MAIL Exim Dovecot LDA sender_address command injection attempt (server-mail.rules)
 * 1:31888 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer URL domain spoof attempt (browser-ie.rules)
 * 1:31887 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer URL domain spoof attempt (browser-ie.rules)
 * 1:31886 <-> DISABLED <-> SERVER-WEBAPP WebEdition captchaMemory.class PHP code injection attempt (server-webapp.rules)
 * 1:31885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte variant outbound connection (malware-cnc.rules)
 * 1:31884 <-> ENABLED <-> BLACKLIST DNS request for known malware domain video.csmcpr.com - Win.Trojan.Threebyte (blacklist.rules)
 * 1:31883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waterspout outbound communication (malware-cnc.rules)
 * 1:31882 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31881 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31880 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31879 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31878 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31877 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31876 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt (file-office.rules)
 * 1:31875 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt (file-office.rules)
 * 1:31874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt (os-windows.rules)
 * 1:31873 <-> DISABLED <-> SERVER-WEBAPP Railo thumbnail.cfm remote file include attempt (server-webapp.rules)
 * 1:31872 <-> ENABLED <-> BLACKLIST DNS request for known malware domain telechargementmobile.besaba.com - Win.Dropper.Agent (blacklist.rules)
 * 1:31871 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:31870 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:31869 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:31868 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31867 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31866 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31865 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31864 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fbi.gov.id74283910382.in (blacklist.rules)
 * 1:31863 <-> ENABLED <-> BLACKLIST DNS request for known malware domain welcomemyads.com - Andr.Trojan.Locker (blacklist.rules)
 * 1:31862 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt image memory leak (file-flash.rules)
 * 1:31861 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt image memory leak (file-flash.rules)
 * 1:31860 <-> DISABLED <-> SERVER-OTHER Apple CUPS web interface cross site scripting attempt (server-other.rules)
 * 1:31859 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (exploit-kit.rules)
 * 1:31858 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules)
 * 1:31857 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules)
 * 1:31856 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31855 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N 64 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31854 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N 128 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31853 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31852 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A 64 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31851 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A 128 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31850 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31849 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31848 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 3:31891 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:28096 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spynet variant connection attempt (malware-cnc.rules)
 * 1:29061 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt (file-multimedia.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:29484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.POSCardStealer variant outbound connection (malware-cnc.rules)
 * 1:30151 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt (file-multimedia.rules)
 * 1:31097 <-> DISABLED <-> PROTOCOL-SNMP CableHome Devices cabhPsDevUIPassword enumeration attempt (protocol-snmp.rules)
 * 1:31244 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt (malware-cnc.rules)
 * 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke HTTP data exfiltration attempt (malware-cnc.rules)
 * 1:6270 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - MyBrowser (blacklist.rules)
 * 1:20480 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)

2014-09-16 21:46:13 UTC

Sourcefire VRT Rules Update

Date: 2014-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31873 <-> DISABLED <-> SERVER-WEBAPP Railo thumbnail.cfm remote file include attempt (server-webapp.rules)
 * 1:31874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt (os-windows.rules)
 * 1:31870 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:31872 <-> ENABLED <-> BLACKLIST DNS request for known malware domain telechargementmobile.besaba.com - Win.Dropper.Agent (blacklist.rules)
 * 1:31869 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:31867 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31868 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31865 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31863 <-> ENABLED <-> BLACKLIST DNS request for known malware domain welcomemyads.com - Andr.Trojan.Locker (blacklist.rules)
 * 1:31864 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fbi.gov.id74283910382.in (blacklist.rules)
 * 1:31860 <-> DISABLED <-> SERVER-OTHER Apple CUPS web interface cross site scripting attempt (server-other.rules)
 * 1:31862 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt image memory leak (file-flash.rules)
 * 1:31859 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (exploit-kit.rules)
 * 1:31857 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules)
 * 1:31856 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31855 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N 64 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31848 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31849 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31850 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31851 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A 128 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31852 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A 64 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31853 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31854 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N 128 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31858 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules)
 * 1:31861 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt image memory leak (file-flash.rules)
 * 1:31866 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31871 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:31875 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt (file-office.rules)
 * 1:31876 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt (file-office.rules)
 * 1:31877 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31878 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31879 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31880 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31881 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31882 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waterspout outbound communication (malware-cnc.rules)
 * 1:31884 <-> ENABLED <-> BLACKLIST DNS request for known malware domain video.csmcpr.com - Win.Trojan.Threebyte (blacklist.rules)
 * 1:31885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte variant outbound connection (malware-cnc.rules)
 * 1:31886 <-> DISABLED <-> SERVER-WEBAPP WebEdition captchaMemory.class PHP code injection attempt (server-webapp.rules)
 * 1:31887 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer URL domain spoof attempt (browser-ie.rules)
 * 1:31888 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer URL domain spoof attempt (browser-ie.rules)
 * 1:31889 <-> DISABLED <-> SERVER-MAIL Exim Dovecot LDA sender_address command injection attempt (server-mail.rules)
 * 1:31890 <-> DISABLED <-> SERVER-MAIL Exim Dovecot LDA sender_address command injection attempt (server-mail.rules)
 * 1:31892 <-> DISABLED <-> SERVER-WEBAPP HybridAuth install.php code injection attempt (server-webapp.rules)
 * 1:31906 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope UploadFilesHandler directory traversal attempt (server-webapp.rules)
 * 1:31905 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope DownloadFilesHandler directory traversal attempt (server-webapp.rules)
 * 1:31904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:31903 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit flash file download (exploit-kit.rules)
 * 1:31902 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit flash file download (exploit-kit.rules)
 * 1:31901 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Oracle Java encoded shellcode detected (exploit-kit.rules)
 * 1:31900 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (exploit-kit.rules)
 * 1:31899 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash encoded shellcode detected (exploit-kit.rules)
 * 1:31898 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:31896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection attempt (malware-cnc.rules)
 * 1:31895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toupi variant outbound connection attempt (malware-cnc.rules)
 * 1:31897 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
 * 1:31894 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rolex216.8s.nl - Win.Trojan.POSCardStealer (blacklist.rules)
 * 1:31893 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hoqou.su - Win.Trojan.POSCardStealer (blacklist.rules)
 * 3:31891 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:6270 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - MyBrowser (blacklist.rules)
 * 1:31556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke HTTP data exfiltration attempt (malware-cnc.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31244 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt (malware-cnc.rules)
 * 1:30151 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt (file-multimedia.rules)
 * 1:31097 <-> DISABLED <-> PROTOCOL-SNMP CableHome Devices cabhPsDevUIPassword enumeration attempt (protocol-snmp.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:29484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.POSCardStealer variant outbound connection (malware-cnc.rules)
 * 1:29061 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt (file-multimedia.rules)
 * 1:28096 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spynet variant connection attempt (malware-cnc.rules)
 * 1:20480 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)

2014-09-16 21:46:13 UTC

Sourcefire VRT Rules Update

Date: 2014-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection attempt (malware-cnc.rules)
 * 1:31850 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31851 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A 128 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31852 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A 64 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31853 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31898 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:31897 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
 * 1:31854 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N 128 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt (os-windows.rules)
 * 1:31873 <-> DISABLED <-> SERVER-WEBAPP Railo thumbnail.cfm remote file include attempt (server-webapp.rules)
 * 1:31872 <-> ENABLED <-> BLACKLIST DNS request for known malware domain telechargementmobile.besaba.com - Win.Dropper.Agent (blacklist.rules)
 * 1:31870 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:31868 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31869 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:31865 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31867 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31864 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fbi.gov.id74283910382.in (blacklist.rules)
 * 1:31863 <-> ENABLED <-> BLACKLIST DNS request for known malware domain welcomemyads.com - Andr.Trojan.Locker (blacklist.rules)
 * 1:31860 <-> DISABLED <-> SERVER-OTHER Apple CUPS web interface cross site scripting attempt (server-other.rules)
 * 1:31862 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt image memory leak (file-flash.rules)
 * 1:31859 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (exploit-kit.rules)
 * 1:31857 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules)
 * 1:31855 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N 64 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31856 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31848 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31849 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31906 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope UploadFilesHandler directory traversal attempt (server-webapp.rules)
 * 1:31895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toupi variant outbound connection attempt (malware-cnc.rules)
 * 1:31858 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules)
 * 1:31899 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash encoded shellcode detected (exploit-kit.rules)
 * 1:31900 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (exploit-kit.rules)
 * 1:31901 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Oracle Java encoded shellcode detected (exploit-kit.rules)
 * 1:31902 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit flash file download (exploit-kit.rules)
 * 1:31903 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit flash file download (exploit-kit.rules)
 * 1:31904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:31905 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope DownloadFilesHandler directory traversal attempt (server-webapp.rules)
 * 1:31861 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt image memory leak (file-flash.rules)
 * 1:31866 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31871 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:31875 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt (file-office.rules)
 * 1:31876 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt (file-office.rules)
 * 1:31877 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31879 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31880 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31881 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31882 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waterspout outbound communication (malware-cnc.rules)
 * 1:31884 <-> ENABLED <-> BLACKLIST DNS request for known malware domain video.csmcpr.com - Win.Trojan.Threebyte (blacklist.rules)
 * 1:31885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte variant outbound connection (malware-cnc.rules)
 * 1:31886 <-> DISABLED <-> SERVER-WEBAPP WebEdition captchaMemory.class PHP code injection attempt (server-webapp.rules)
 * 1:31887 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer URL domain spoof attempt (browser-ie.rules)
 * 1:31890 <-> DISABLED <-> SERVER-MAIL Exim Dovecot LDA sender_address command injection attempt (server-mail.rules)
 * 1:31892 <-> DISABLED <-> SERVER-WEBAPP HybridAuth install.php code injection attempt (server-webapp.rules)
 * 1:31888 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer URL domain spoof attempt (browser-ie.rules)
 * 1:31889 <-> DISABLED <-> SERVER-MAIL Exim Dovecot LDA sender_address command injection attempt (server-mail.rules)
 * 1:31878 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31893 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hoqou.su - Win.Trojan.POSCardStealer (blacklist.rules)
 * 1:31894 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rolex216.8s.nl - Win.Trojan.POSCardStealer (blacklist.rules)
 * 3:31891 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:20480 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:30151 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt (file-multimedia.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:28096 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spynet variant connection attempt (malware-cnc.rules)
 * 1:29061 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt (file-multimedia.rules)
 * 1:6270 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - MyBrowser (blacklist.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke HTTP data exfiltration attempt (malware-cnc.rules)
 * 1:31244 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt (malware-cnc.rules)
 * 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31097 <-> DISABLED <-> PROTOCOL-SNMP CableHome Devices cabhPsDevUIPassword enumeration attempt (protocol-snmp.rules)
 * 1:29484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.POSCardStealer variant outbound connection (malware-cnc.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)