VRT Rules 2014-09-16
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-identify, file-multimedia, file-office, malware-cnc, os-windows, protocol-snmp, server-mail, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2014-09-16 21:46:13 UTC

Sourcefire VRT Rules Update

Date: 2014-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31906 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope UploadFilesHandler directory traversal attempt (server-webapp.rules)
 * 1:31905 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope DownloadFilesHandler directory traversal attempt (server-webapp.rules)
 * 1:31904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:31903 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit flash file download (exploit-kit.rules)
 * 1:31902 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit flash file download (exploit-kit.rules)
 * 1:31901 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Oracle Java encoded shellcode detected (exploit-kit.rules)
 * 1:31900 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (exploit-kit.rules)
 * 1:31899 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash encoded shellcode detected (exploit-kit.rules)
 * 1:31898 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:31897 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
 * 1:31896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection attempt (malware-cnc.rules)
 * 1:31895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toupi variant outbound connection attempt (malware-cnc.rules)
 * 1:31894 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rolex216.8s.nl - Win.Trojan.POSCardStealer (blacklist.rules)
 * 1:31893 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hoqou.su - Win.Trojan.POSCardStealer (blacklist.rules)
 * 1:31892 <-> DISABLED <-> SERVER-WEBAPP HybridAuth install.php code injection attempt (server-webapp.rules)
 * 1:31890 <-> DISABLED <-> SERVER-MAIL Exim Dovecot LDA sender_address command injection attempt (server-mail.rules)
 * 1:31889 <-> DISABLED <-> SERVER-MAIL Exim Dovecot LDA sender_address command injection attempt (server-mail.rules)
 * 1:31888 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer URL domain spoof attempt (browser-ie.rules)
 * 1:31887 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer URL domain spoof attempt (browser-ie.rules)
 * 1:31886 <-> DISABLED <-> SERVER-WEBAPP WebEdition captchaMemory.class PHP code injection attempt (server-webapp.rules)
 * 1:31885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte variant outbound connection (malware-cnc.rules)
 * 1:31884 <-> ENABLED <-> BLACKLIST DNS request for known malware domain video.csmcpr.com - Win.Trojan.Threebyte (blacklist.rules)
 * 1:31883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waterspout outbound communication (malware-cnc.rules)
 * 1:31882 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31881 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31880 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31879 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31878 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31877 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31876 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt (file-office.rules)
 * 1:31875 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt (file-office.rules)
 * 1:31874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt (os-windows.rules)
 * 1:31873 <-> DISABLED <-> SERVER-WEBAPP Railo thumbnail.cfm remote file include attempt (server-webapp.rules)
 * 1:31872 <-> ENABLED <-> BLACKLIST DNS request for known malware domain telechargementmobile.besaba.com - Win.Dropper.Agent (blacklist.rules)
 * 1:31871 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:31870 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:31869 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:31868 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31867 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31866 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31865 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31864 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fbi.gov.id74283910382.in (blacklist.rules)
 * 1:31863 <-> ENABLED <-> BLACKLIST DNS request for known malware domain welcomemyads.com - Andr.Trojan.Locker (blacklist.rules)
 * 1:31862 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt image memory leak (file-flash.rules)
 * 1:31861 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt image memory leak (file-flash.rules)
 * 1:31860 <-> DISABLED <-> SERVER-OTHER Apple CUPS web interface cross site scripting attempt (server-other.rules)
 * 1:31859 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (exploit-kit.rules)
 * 1:31858 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules)
 * 1:31857 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules)
 * 1:31856 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31855 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N 64 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31854 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N 128 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31853 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31852 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A 64 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31851 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A 128 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31850 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31849 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31848 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 3:31891 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:28096 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spynet variant connection attempt (malware-cnc.rules)
 * 1:29061 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt (file-multimedia.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:29484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.POSCardStealer variant outbound connection (malware-cnc.rules)
 * 1:30151 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt (file-multimedia.rules)
 * 1:31097 <-> DISABLED <-> PROTOCOL-SNMP CableHome Devices cabhPsDevUIPassword enumeration attempt (protocol-snmp.rules)
 * 1:31244 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt (malware-cnc.rules)
 * 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke HTTP data exfiltration attempt (malware-cnc.rules)
 * 1:6270 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - MyBrowser (blacklist.rules)
 * 1:20480 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)

2014-09-16 21:46:13 UTC

Sourcefire VRT Rules Update

Date: 2014-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31873 <-> DISABLED <-> SERVER-WEBAPP Railo thumbnail.cfm remote file include attempt (server-webapp.rules)
 * 1:31874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt (os-windows.rules)
 * 1:31870 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:31872 <-> ENABLED <-> BLACKLIST DNS request for known malware domain telechargementmobile.besaba.com - Win.Dropper.Agent (blacklist.rules)
 * 1:31869 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:31867 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31868 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31865 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31863 <-> ENABLED <-> BLACKLIST DNS request for known malware domain welcomemyads.com - Andr.Trojan.Locker (blacklist.rules)
 * 1:31864 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fbi.gov.id74283910382.in (blacklist.rules)
 * 1:31860 <-> DISABLED <-> SERVER-OTHER Apple CUPS web interface cross site scripting attempt (server-other.rules)
 * 1:31862 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt image memory leak (file-flash.rules)
 * 1:31859 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (exploit-kit.rules)
 * 1:31857 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules)
 * 1:31856 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31855 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N 64 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31848 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31849 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31850 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31851 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A 128 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31852 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A 64 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31853 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31854 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N 128 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31858 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules)
 * 1:31861 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt image memory leak (file-flash.rules)
 * 1:31866 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31871 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:31875 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt (file-office.rules)
 * 1:31876 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt (file-office.rules)
 * 1:31877 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31878 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31879 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31880 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31881 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31882 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waterspout outbound communication (malware-cnc.rules)
 * 1:31884 <-> ENABLED <-> BLACKLIST DNS request for known malware domain video.csmcpr.com - Win.Trojan.Threebyte (blacklist.rules)
 * 1:31885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte variant outbound connection (malware-cnc.rules)
 * 1:31886 <-> DISABLED <-> SERVER-WEBAPP WebEdition captchaMemory.class PHP code injection attempt (server-webapp.rules)
 * 1:31887 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer URL domain spoof attempt (browser-ie.rules)
 * 1:31888 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer URL domain spoof attempt (browser-ie.rules)
 * 1:31889 <-> DISABLED <-> SERVER-MAIL Exim Dovecot LDA sender_address command injection attempt (server-mail.rules)
 * 1:31890 <-> DISABLED <-> SERVER-MAIL Exim Dovecot LDA sender_address command injection attempt (server-mail.rules)
 * 1:31892 <-> DISABLED <-> SERVER-WEBAPP HybridAuth install.php code injection attempt (server-webapp.rules)
 * 1:31906 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope UploadFilesHandler directory traversal attempt (server-webapp.rules)
 * 1:31905 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope DownloadFilesHandler directory traversal attempt (server-webapp.rules)
 * 1:31904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:31903 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit flash file download (exploit-kit.rules)
 * 1:31902 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit flash file download (exploit-kit.rules)
 * 1:31901 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Oracle Java encoded shellcode detected (exploit-kit.rules)
 * 1:31900 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (exploit-kit.rules)
 * 1:31899 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash encoded shellcode detected (exploit-kit.rules)
 * 1:31898 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:31896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection attempt (malware-cnc.rules)
 * 1:31895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toupi variant outbound connection attempt (malware-cnc.rules)
 * 1:31897 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
 * 1:31894 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rolex216.8s.nl - Win.Trojan.POSCardStealer (blacklist.rules)
 * 1:31893 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hoqou.su - Win.Trojan.POSCardStealer (blacklist.rules)
 * 3:31891 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:6270 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - MyBrowser (blacklist.rules)
 * 1:31556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke HTTP data exfiltration attempt (malware-cnc.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31244 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt (malware-cnc.rules)
 * 1:30151 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt (file-multimedia.rules)
 * 1:31097 <-> DISABLED <-> PROTOCOL-SNMP CableHome Devices cabhPsDevUIPassword enumeration attempt (protocol-snmp.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:29484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.POSCardStealer variant outbound connection (malware-cnc.rules)
 * 1:29061 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt (file-multimedia.rules)
 * 1:28096 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spynet variant connection attempt (malware-cnc.rules)
 * 1:20480 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)

2014-09-16 21:46:13 UTC

Sourcefire VRT Rules Update

Date: 2014-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection attempt (malware-cnc.rules)
 * 1:31850 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31851 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A 128 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31852 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A 64 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31853 <-> DISABLED <-> PROTOCOL-SNMP Arris DG950A WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31898 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:31897 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
 * 1:31854 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N 128 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory kerberos encryption type downgrade attempt (os-windows.rules)
 * 1:31873 <-> DISABLED <-> SERVER-WEBAPP Railo thumbnail.cfm remote file include attempt (server-webapp.rules)
 * 1:31872 <-> ENABLED <-> BLACKLIST DNS request for known malware domain telechargementmobile.besaba.com - Win.Dropper.Agent (blacklist.rules)
 * 1:31870 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:31868 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31869 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:31865 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31867 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31864 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fbi.gov.id74283910382.in (blacklist.rules)
 * 1:31863 <-> ENABLED <-> BLACKLIST DNS request for known malware domain welcomemyads.com - Andr.Trojan.Locker (blacklist.rules)
 * 1:31860 <-> DISABLED <-> SERVER-OTHER Apple CUPS web interface cross site scripting attempt (server-other.rules)
 * 1:31862 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt image memory leak (file-flash.rules)
 * 1:31859 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit exfiltration attempt (exploit-kit.rules)
 * 1:31857 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules)
 * 1:31855 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N 64 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31856 <-> DISABLED <-> PROTOCOL-SNMP Netmaster CBW700N WPA key enumeration attempt (protocol-snmp.rules)
 * 1:31848 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31849 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp compilation heap overflow attempt (file-flash.rules)
 * 1:31906 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope UploadFilesHandler directory traversal attempt (server-webapp.rules)
 * 1:31895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toupi variant outbound connection attempt (malware-cnc.rules)
 * 1:31858 <-> ENABLED <-> EXPLOIT-KIT Scanbox exploit kit enumeration code detected (exploit-kit.rules)
 * 1:31899 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash encoded shellcode detected (exploit-kit.rules)
 * 1:31900 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (exploit-kit.rules)
 * 1:31901 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Oracle Java encoded shellcode detected (exploit-kit.rules)
 * 1:31902 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit flash file download (exploit-kit.rules)
 * 1:31903 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit flash file download (exploit-kit.rules)
 * 1:31904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:31905 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope DownloadFilesHandler directory traversal attempt (server-webapp.rules)
 * 1:31861 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt image memory leak (file-flash.rules)
 * 1:31866 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
 * 1:31871 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:31875 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt (file-office.rules)
 * 1:31876 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt (file-office.rules)
 * 1:31877 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31879 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31880 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31881 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31882 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waterspout outbound communication (malware-cnc.rules)
 * 1:31884 <-> ENABLED <-> BLACKLIST DNS request for known malware domain video.csmcpr.com - Win.Trojan.Threebyte (blacklist.rules)
 * 1:31885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte variant outbound connection (malware-cnc.rules)
 * 1:31886 <-> DISABLED <-> SERVER-WEBAPP WebEdition captchaMemory.class PHP code injection attempt (server-webapp.rules)
 * 1:31887 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer URL domain spoof attempt (browser-ie.rules)
 * 1:31890 <-> DISABLED <-> SERVER-MAIL Exim Dovecot LDA sender_address command injection attempt (server-mail.rules)
 * 1:31892 <-> DISABLED <-> SERVER-WEBAPP HybridAuth install.php code injection attempt (server-webapp.rules)
 * 1:31888 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer URL domain spoof attempt (browser-ie.rules)
 * 1:31889 <-> DISABLED <-> SERVER-MAIL Exim Dovecot LDA sender_address command injection attempt (server-mail.rules)
 * 1:31878 <-> DISABLED <-> SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt (server-other.rules)
 * 1:31893 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hoqou.su - Win.Trojan.POSCardStealer (blacklist.rules)
 * 1:31894 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rolex216.8s.nl - Win.Trojan.POSCardStealer (blacklist.rules)
 * 3:31891 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:20480 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:30151 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt (file-multimedia.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:28096 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spynet variant connection attempt (malware-cnc.rules)
 * 1:29061 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt (file-multimedia.rules)
 * 1:6270 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - MyBrowser (blacklist.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke HTTP data exfiltration attempt (malware-cnc.rules)
 * 1:31244 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt (malware-cnc.rules)
 * 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31097 <-> DISABLED <-> PROTOCOL-SNMP CableHome Devices cabhPsDevUIPassword enumeration attempt (protocol-snmp.rules)
 * 1:29484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.POSCardStealer variant outbound connection (malware-cnc.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)