VRT Rules 2014-11-11
The VRT is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS14-064: Coding deficiencies exist in Microsoft Windows OLE that may lead to remote code execution.

A previously released rule will detect attacks targeting these vulnerabilities and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 7070.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 32470 through 32473.

Microsoft Security Bulletin MS14-065: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32424 through 32427, 32430 through 32431, 32436 through 32443, 32458 through 32461, 32476 through 32479, 32481 through 32485, 32491 through 32492, and 32495 through 32500.

Microsoft Security Bulletin MS14-066: A coding deficiency exists in Microsoft Schannel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32404 through 32423.

Microsoft Security Bulletin MS14-067: A coding deficiency exists in Microsoft XML Core Services that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32501 through 32502.

Microsoft Security Bulletin MS14-069: Microsoft Office suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32428 through 32429 and 32432 through 32435.

Microsoft Security Bulletin MS14-070: Programming errors exist in Microsoft TCP/IP that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32489 through 32490.

Microsoft Security Bulletin MS14-071: A coding deficiency exists in the Microsoft Windows Audio Service that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32518 through 32519.

Microsoft Security Bulletin MS14-072: A coding deficiency exists in Microsoft .NET Framework that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32474 through 32475.

Microsoft Security Bulletin MS14-073: A coding deficiency exists in Microsoft SharePoint Foundation that may lead to an escalation of privilege.

A previously released rule will detect attacks targeting this vulnerability and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 7070.

The VRT has also added and modified multiple rules in the blacklist, browser-ie, deleted, exploit-kit, file-office, file-other, malware-cnc, os-windows, policy-other, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-11-13 17:19:08 UTC

Sourcefire VRT Rules Update

Date: 2014-11-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32520 <-> DISABLED <-> DELETED hrt67yu467e56yeher6ywe5rtw45y356yert (deleted.rules)
 * 1:32519 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer registry symbolic link attack attempt (file-other.rules)
 * 1:32518 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer registry symbolic link attack attempt (file-other.rules)
 * 1:32517 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt (file-office.rules)
 * 1:32516 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt (file-office.rules)
 * 1:32515 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt (file-office.rules)
 * 1:32514 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt (file-office.rules)
 * 1:32513 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Havex outbound connection attempt (malware-cnc.rules)
 * 1:32512 <-> ENABLED <-> MALWARE-CNC PCRat variant outbound connection (malware-cnc.rules)
 * 1:32511 <-> ENABLED <-> MALWARE-CNC PCRat variant outbound connection (malware-cnc.rules)
 * 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection attempt (malware-cnc.rules)
 * 1:32509 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules)
 * 1:32508 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules)
 * 1:32507 <-> DISABLED <-> DELETED asdfasdfwefasfadfadfa (deleted.rules)
 * 1:32506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Secdeskinf outbound connection attempt (malware-cnc.rules)
 * 1:32505 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection (malware-cnc.rules)
 * 1:32504 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection (malware-cnc.rules)
 * 1:32503 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string myupdate (blacklist.rules)
 * 1:32502 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (file-other.rules)
 * 1:32501 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (file-other.rules)
 * 1:32500 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer EPM sandbox escape attempt (file-other.rules)
 * 1:32499 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer EPM sandbox escape attempt (file-other.rules)
 * 1:32498 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:32497 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:32496 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CStyleSheet object use after free attempt (browser-ie.rules)
 * 1:32495 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CStyleSheet object use after free attempt (browser-ie.rules)
 * 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32492 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:32491 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:32490 <-> ENABLED <-> OS-WINDOWS Microsoft Windows tcpip.sys null pointer dereference attempt (os-windows.rules)
 * 1:32489 <-> ENABLED <-> OS-WINDOWS Microsoft Windows tcpip.sys null pointer dereference attempt (os-windows.rules)
 * 1:32488 <-> DISABLED <-> DELETED INDICATOR-COMPROMISE .com- potentially malicious hostname (deleted.rules)
 * 1:32487 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Exadog variant outbound connection attempt (malware-cnc.rules)
 * 1:32486 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Exadog outbound connection attempt (malware-cnc.rules)
 * 1:32485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer immutable application settings sandbox escape attempt (browser-ie.rules)
 * 1:32484 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer immutable application settings sandbox escape attempt (browser-ie.rules)
 * 1:32483 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pasteHTML use after free attempt (browser-ie.rules)
 * 1:32482 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pasteHTML use after free attempt (browser-ie.rules)
 * 1:32481 <-> DISABLED <-> POLICY-OTHER Remote non-JavaScript file found in script tag src attribute (policy-other.rules)
 * 1:32480 <-> DISABLED <-> DELETED deleted stuff that was pulled etc (deleted.rules)
 * 1:32479 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSecurityContext use after free attempt (browser-ie.rules)
 * 1:32478 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSecurityContext use after free attempt (browser-ie.rules)
 * 1:32477 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bOffset value overflow attempt (file-office.rules)
 * 1:32476 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word bOffset value overflow attempt (file-office.rules)
 * 1:32475 <-> ENABLED <-> OS-WINDOWS .NET Framework BinaryServerFormatterSink-ProcessMessage IMessage corruption attempt (os-windows.rules)
 * 1:32474 <-> ENABLED <-> OS-WINDOWS .NET Framework BinaryServerFormatterSink-ProcessMessage IMessage corruption attempt (os-windows.rules)
 * 1:32473 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32472 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32471 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32470 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32469 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bankeiya outbound connection attempt (malware-cnc.rules)
 * 1:32468 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt (server-other.rules)
 * 1:32467 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt (server-other.rules)
 * 1:32466 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt (server-other.rules)
 * 1:32465 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt (server-other.rules)
 * 1:32464 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TorrentLocker variant outbound connection (malware-cnc.rules)
 * 1:32463 <-> DISABLED <-> BLACKLIST DNS request for known malware domain octoberpics.ru - Win.Trojan.TorrentLocker (blacklist.rules)
 * 1:32462 <-> DISABLED <-> SERVER-WEBAPP Belkin Multiple Devices buffer overflow attempt (server-webapp.rules)
 * 1:32461 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPtsTextParaclient out of bounds error remote code execution attempt (browser-ie.rules)
 * 1:32460 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPtsTextParaclient out of bounds error remote code execution attempt (browser-ie.rules)
 * 1:32459 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer clipboardData unauthorized JavaScript read and write attempt (browser-ie.rules)
 * 1:32458 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer clipboardData unauthorized JavaScript read and write attempt (browser-ie.rules)
 * 1:32457 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Effseart variant inbound connection (malware-cnc.rules)
 * 1:32456 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Effseart variant outbound connection (malware-cnc.rules)
 * 1:32455 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent VUPHTTP - Win.Trojan.Puvespia (blacklist.rules)
 * 1:32454 <-> ENABLED <-> BLACKLIST DNS request for known malware domain total-updates.com (blacklist.rules)
 * 1:32453 <-> ENABLED <-> BLACKLIST DNS request for known malware domain msframeworkx86.ru (blacklist.rules)
 * 1:32452 <-> ENABLED <-> BLACKLIST DNS request for known malware domain msframeworkx86.com (blacklist.rules)
 * 1:32451 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Backoff initial outbound connection (malware-cnc.rules)
 * 1:32450 <-> ENABLED <-> BLACKLIST DNS request for known malware domain visit-ankara.com - Win.Trojan.Backoff (blacklist.rules)
 * 1:32449 <-> ENABLED <-> BLACKLIST DNS request for known malware domain total-update.com - Win.Trojan.Backoff (blacklist.rules)
 * 1:32448 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sellerpro.in.ua - Win.Trojan.Backoff (blacklist.rules)
 * 1:32447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cyberwise.biz - Win.Trojan.Backoff (blacklist.rules)
 * 1:32446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 143biz.cc.md-14.webhostbox.net - Win.Trojan.Backoff (blacklist.rules)
 * 1:32445 <-> DISABLED <-> DELETED er56ye56747356yet7je5rtstfur6ysfdtytfh (deleted.rules)
 * 1:32444 <-> DISABLED <-> DELETED 456yhdhetu467ue5rtywr6u37uw5rgwtdhst (deleted.rules)
 * 1:32443 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElementIDContextList use after free attempt (browser-ie.rules)
 * 1:32442 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElementIDContextList use after free attempt (browser-ie.rules)
 * 1:32441 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:32440 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:32439 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 CHTMLEditorProxy use after free attempt (browser-ie.rules)
 * 1:32438 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 CHTMLEditorProxy use after free attempt (browser-ie.rules)
 * 1:32437 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer document.URL override information disclosure attempt (browser-ie.rules)
 * 1:32436 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer document.URL override information disclosure attempt (browser-ie.rules)
 * 1:32435 <-> DISABLED <-> FILE-OFFICE Microsoft Word fcPlfguidUim out-of-bounds attempt (file-office.rules)
 * 1:32434 <-> DISABLED <-> FILE-OFFICE Microsoft Word lcbPlcffndTxt out-of-bounds attempt (file-office.rules)
 * 1:32433 <-> DISABLED <-> FILE-OFFICE Microsoft Word fcPlfguidUim out-of-bounds attempt (file-office.rules)
 * 1:32432 <-> DISABLED <-> FILE-OFFICE Microsoft Word lcbPlcffndTxt out-of-bounds attempt (file-office.rules)
 * 1:32431 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHeaderElement object use-after-free remote code execution attempt (browser-ie.rules)
 * 1:32430 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHeaderElement object use-after-free remote code execution attempt (browser-ie.rules)
 * 1:32429 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
 * 1:32428 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
 * 1:32427 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer contentEditable use after free attempt (browser-ie.rules)
 * 1:32426 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer contentEditable use after free attempt (browser-ie.rules)
 * 1:32425 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:32424 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:32423 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 hello verify request out of bounds read attempt (os-windows.rules)
 * 1:32422 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 handshake cookie buffer overflow attempt (os-windows.rules)
 * 1:32421 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32418 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32417 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32416 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32415 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32412 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32407 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32406 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32405 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32403 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:32402 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent globalupdate - Osx.Trojan.Wirelurker (blacklist.rules)
 * 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection attempt (malware-cnc.rules)
 * 1:32400 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Parama attempted outbound connection (malware-cnc.rules)
 * 1:32399 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Oracle Java request (exploit-kit.rules)
 * 3:32398 <-> ENABLED <-> SERVER-OTHER Cisco RV180W Router cross-site request forgery attempt (server-other.rules)

Modified Rules:


 * 1:29714 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
 * 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:32084 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:32085 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:32371 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
 * 1:31254 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT inbound connection to infected host (malware-cnc.rules)
 * 1:29713 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)

2014-11-13 17:19:08 UTC

Sourcefire VRT Rules Update

Date: 2014-11-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32399 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Oracle Java request (exploit-kit.rules)
 * 1:32400 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Parama attempted outbound connection (malware-cnc.rules)
 * 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection attempt (malware-cnc.rules)
 * 1:32402 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent globalupdate - Osx.Trojan.Wirelurker (blacklist.rules)
 * 1:32403 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:32404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32405 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32406 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32407 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32412 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32415 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32416 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32417 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32418 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32421 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32422 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 handshake cookie buffer overflow attempt (os-windows.rules)
 * 1:32423 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 hello verify request out of bounds read attempt (os-windows.rules)
 * 1:32424 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:32425 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:32426 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer contentEditable use after free attempt (browser-ie.rules)
 * 1:32427 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer contentEditable use after free attempt (browser-ie.rules)
 * 1:32428 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
 * 1:32429 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
 * 1:32430 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHeaderElement object use-after-free remote code execution attempt (browser-ie.rules)
 * 1:32431 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHeaderElement object use-after-free remote code execution attempt (browser-ie.rules)
 * 1:32432 <-> DISABLED <-> FILE-OFFICE Microsoft Word lcbPlcffndTxt out-of-bounds attempt (file-office.rules)
 * 1:32433 <-> DISABLED <-> FILE-OFFICE Microsoft Word fcPlfguidUim out-of-bounds attempt (file-office.rules)
 * 1:32434 <-> DISABLED <-> FILE-OFFICE Microsoft Word lcbPlcffndTxt out-of-bounds attempt (file-office.rules)
 * 1:32435 <-> DISABLED <-> FILE-OFFICE Microsoft Word fcPlfguidUim out-of-bounds attempt (file-office.rules)
 * 1:32436 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer document.URL override information disclosure attempt (browser-ie.rules)
 * 1:32437 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer document.URL override information disclosure attempt (browser-ie.rules)
 * 1:32438 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 CHTMLEditorProxy use after free attempt (browser-ie.rules)
 * 1:32439 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 CHTMLEditorProxy use after free attempt (browser-ie.rules)
 * 1:32440 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:32441 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:32442 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElementIDContextList use after free attempt (browser-ie.rules)
 * 1:32443 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElementIDContextList use after free attempt (browser-ie.rules)
 * 1:32444 <-> DISABLED <-> DELETED 456yhdhetu467ue5rtywr6u37uw5rgwtdhst (deleted.rules)
 * 1:32445 <-> DISABLED <-> DELETED er56ye56747356yet7je5rtstfur6ysfdtytfh (deleted.rules)
 * 1:32446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 143biz.cc.md-14.webhostbox.net - Win.Trojan.Backoff (blacklist.rules)
 * 1:32447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cyberwise.biz - Win.Trojan.Backoff (blacklist.rules)
 * 1:32448 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sellerpro.in.ua - Win.Trojan.Backoff (blacklist.rules)
 * 1:32449 <-> ENABLED <-> BLACKLIST DNS request for known malware domain total-update.com - Win.Trojan.Backoff (blacklist.rules)
 * 1:32450 <-> ENABLED <-> BLACKLIST DNS request for known malware domain visit-ankara.com - Win.Trojan.Backoff (blacklist.rules)
 * 1:32451 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Backoff initial outbound connection (malware-cnc.rules)
 * 1:32452 <-> ENABLED <-> BLACKLIST DNS request for known malware domain msframeworkx86.com (blacklist.rules)
 * 1:32453 <-> ENABLED <-> BLACKLIST DNS request for known malware domain msframeworkx86.ru (blacklist.rules)
 * 1:32454 <-> ENABLED <-> BLACKLIST DNS request for known malware domain total-updates.com (blacklist.rules)
 * 1:32455 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent VUPHTTP - Win.Trojan.Puvespia (blacklist.rules)
 * 1:32456 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Effseart variant outbound connection (malware-cnc.rules)
 * 1:32457 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Effseart variant inbound connection (malware-cnc.rules)
 * 1:32458 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer clipboardData unauthorized JavaScript read and write attempt (browser-ie.rules)
 * 1:32459 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer clipboardData unauthorized JavaScript read and write attempt (browser-ie.rules)
 * 1:32460 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPtsTextParaclient out of bounds error remote code execution attempt (browser-ie.rules)
 * 1:32461 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPtsTextParaclient out of bounds error remote code execution attempt (browser-ie.rules)
 * 1:32462 <-> DISABLED <-> SERVER-WEBAPP Belkin Multiple Devices buffer overflow attempt (server-webapp.rules)
 * 1:32463 <-> DISABLED <-> BLACKLIST DNS request for known malware domain octoberpics.ru - Win.Trojan.TorrentLocker (blacklist.rules)
 * 1:32464 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TorrentLocker variant outbound connection (malware-cnc.rules)
 * 1:32465 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt (server-other.rules)
 * 1:32466 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt (server-other.rules)
 * 1:32467 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt (server-other.rules)
 * 1:32468 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt (server-other.rules)
 * 1:32469 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bankeiya outbound connection attempt (malware-cnc.rules)
 * 1:32470 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32471 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32472 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32473 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32474 <-> ENABLED <-> OS-WINDOWS .NET Framework BinaryServerFormatterSink-ProcessMessage IMessage corruption attempt (os-windows.rules)
 * 1:32475 <-> ENABLED <-> OS-WINDOWS .NET Framework BinaryServerFormatterSink-ProcessMessage IMessage corruption attempt (os-windows.rules)
 * 1:32476 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word bOffset value overflow attempt (file-office.rules)
 * 1:32477 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bOffset value overflow attempt (file-office.rules)
 * 1:32478 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSecurityContext use after free attempt (browser-ie.rules)
 * 1:32479 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSecurityContext use after free attempt (browser-ie.rules)
 * 1:32480 <-> DISABLED <-> DELETED deleted stuff that was pulled etc (deleted.rules)
 * 1:32481 <-> DISABLED <-> POLICY-OTHER Remote non-JavaScript file found in script tag src attribute (policy-other.rules)
 * 1:32482 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pasteHTML use after free attempt (browser-ie.rules)
 * 1:32483 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pasteHTML use after free attempt (browser-ie.rules)
 * 1:32484 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer immutable application settings sandbox escape attempt (browser-ie.rules)
 * 1:32485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer immutable application settings sandbox escape attempt (browser-ie.rules)
 * 1:32486 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Exadog outbound connection attempt (malware-cnc.rules)
 * 1:32487 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Exadog variant outbound connection attempt (malware-cnc.rules)
 * 1:32488 <-> DISABLED <-> DELETED INDICATOR-COMPROMISE .com- potentially malicious hostname (deleted.rules)
 * 1:32489 <-> ENABLED <-> OS-WINDOWS Microsoft Windows tcpip.sys null pointer dereference attempt (os-windows.rules)
 * 1:32490 <-> ENABLED <-> OS-WINDOWS Microsoft Windows tcpip.sys null pointer dereference attempt (os-windows.rules)
 * 1:32520 <-> DISABLED <-> DELETED hrt67yu467e56yeher6ywe5rtw45y356yert (deleted.rules)
 * 1:32519 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer registry symbolic link attack attempt (file-other.rules)
 * 1:32518 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer registry symbolic link attack attempt (file-other.rules)
 * 1:32517 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt (file-office.rules)
 * 1:32516 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt (file-office.rules)
 * 1:32515 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt (file-office.rules)
 * 1:32514 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt (file-office.rules)
 * 1:32513 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Havex outbound connection attempt (malware-cnc.rules)
 * 1:32512 <-> ENABLED <-> MALWARE-CNC PCRat variant outbound connection (malware-cnc.rules)
 * 1:32511 <-> ENABLED <-> MALWARE-CNC PCRat variant outbound connection (malware-cnc.rules)
 * 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection attempt (malware-cnc.rules)
 * 1:32509 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules)
 * 1:32508 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules)
 * 1:32507 <-> DISABLED <-> DELETED asdfasdfwefasfadfadfa (deleted.rules)
 * 1:32506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Secdeskinf outbound connection attempt (malware-cnc.rules)
 * 1:32505 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection (malware-cnc.rules)
 * 1:32504 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection (malware-cnc.rules)
 * 1:32503 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string myupdate (blacklist.rules)
 * 1:32502 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (file-other.rules)
 * 1:32501 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (file-other.rules)
 * 1:32500 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer EPM sandbox escape attempt (file-other.rules)
 * 1:32499 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer EPM sandbox escape attempt (file-other.rules)
 * 1:32498 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:32497 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:32496 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CStyleSheet object use after free attempt (browser-ie.rules)
 * 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32495 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CStyleSheet object use after free attempt (browser-ie.rules)
 * 1:32491 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:32492 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 3:32398 <-> ENABLED <-> SERVER-OTHER Cisco RV180W Router cross-site request forgery attempt (server-other.rules)

Modified Rules:


 * 1:32371 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
 * 1:32085 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:32084 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
 * 1:29714 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
 * 1:31254 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT inbound connection to infected host (malware-cnc.rules)
 * 1:29713 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)

2014-11-13 17:19:08 UTC

Sourcefire VRT Rules Update

Date: 2014-11-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32504 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection (malware-cnc.rules)
 * 1:32460 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPtsTextParaclient out of bounds error remote code execution attempt (browser-ie.rules)
 * 1:32461 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPtsTextParaclient out of bounds error remote code execution attempt (browser-ie.rules)
 * 1:32458 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer clipboardData unauthorized JavaScript read and write attempt (browser-ie.rules)
 * 1:32459 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer clipboardData unauthorized JavaScript read and write attempt (browser-ie.rules)
 * 1:32456 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Effseart variant outbound connection (malware-cnc.rules)
 * 1:32457 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Effseart variant inbound connection (malware-cnc.rules)
 * 1:32455 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent VUPHTTP - Win.Trojan.Puvespia (blacklist.rules)
 * 1:32453 <-> ENABLED <-> BLACKLIST DNS request for known malware domain msframeworkx86.ru (blacklist.rules)
 * 1:32454 <-> ENABLED <-> BLACKLIST DNS request for known malware domain total-updates.com (blacklist.rules)
 * 1:32451 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Backoff initial outbound connection (malware-cnc.rules)
 * 1:32452 <-> ENABLED <-> BLACKLIST DNS request for known malware domain msframeworkx86.com (blacklist.rules)
 * 1:32449 <-> ENABLED <-> BLACKLIST DNS request for known malware domain total-update.com - Win.Trojan.Backoff (blacklist.rules)
 * 1:32450 <-> ENABLED <-> BLACKLIST DNS request for known malware domain visit-ankara.com - Win.Trojan.Backoff (blacklist.rules)
 * 1:32447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cyberwise.biz - Win.Trojan.Backoff (blacklist.rules)
 * 1:32448 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sellerpro.in.ua - Win.Trojan.Backoff (blacklist.rules)
 * 1:32445 <-> DISABLED <-> DELETED er56ye56747356yet7je5rtstfur6ysfdtytfh (deleted.rules)
 * 1:32446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 143biz.cc.md-14.webhostbox.net - Win.Trojan.Backoff (blacklist.rules)
 * 1:32443 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElementIDContextList use after free attempt (browser-ie.rules)
 * 1:32444 <-> DISABLED <-> DELETED 456yhdhetu467ue5rtywr6u37uw5rgwtdhst (deleted.rules)
 * 1:32442 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElementIDContextList use after free attempt (browser-ie.rules)
 * 1:32441 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:32439 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 CHTMLEditorProxy use after free attempt (browser-ie.rules)
 * 1:32440 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:32437 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer document.URL override information disclosure attempt (browser-ie.rules)
 * 1:32438 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 CHTMLEditorProxy use after free attempt (browser-ie.rules)
 * 1:32435 <-> DISABLED <-> FILE-OFFICE Microsoft Word fcPlfguidUim out-of-bounds attempt (file-office.rules)
 * 1:32436 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer document.URL override information disclosure attempt (browser-ie.rules)
 * 1:32434 <-> DISABLED <-> FILE-OFFICE Microsoft Word lcbPlcffndTxt out-of-bounds attempt (file-office.rules)
 * 1:32433 <-> DISABLED <-> FILE-OFFICE Microsoft Word fcPlfguidUim out-of-bounds attempt (file-office.rules)
 * 1:32432 <-> DISABLED <-> FILE-OFFICE Microsoft Word lcbPlcffndTxt out-of-bounds attempt (file-office.rules)
 * 1:32430 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHeaderElement object use-after-free remote code execution attempt (browser-ie.rules)
 * 1:32431 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHeaderElement object use-after-free remote code execution attempt (browser-ie.rules)
 * 1:32428 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
 * 1:32429 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
 * 1:32426 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer contentEditable use after free attempt (browser-ie.rules)
 * 1:32427 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer contentEditable use after free attempt (browser-ie.rules)
 * 1:32424 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:32425 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:32422 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 handshake cookie buffer overflow attempt (os-windows.rules)
 * 1:32423 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 hello verify request out of bounds read attempt (os-windows.rules)
 * 1:32420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32421 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32418 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32417 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32415 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32416 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32412 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32407 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32405 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32406 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32403 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:32402 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent globalupdate - Osx.Trojan.Wirelurker (blacklist.rules)
 * 1:32516 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt (file-office.rules)
 * 1:32511 <-> ENABLED <-> MALWARE-CNC PCRat variant outbound connection (malware-cnc.rules)
 * 1:32507 <-> DISABLED <-> DELETED asdfasdfwefasfadfadfa (deleted.rules)
 * 1:32506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Secdeskinf outbound connection attempt (malware-cnc.rules)
 * 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection attempt (malware-cnc.rules)
 * 1:32399 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Oracle Java request (exploit-kit.rules)
 * 1:32400 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Parama attempted outbound connection (malware-cnc.rules)
 * 1:32508 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules)
 * 1:32509 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules)
 * 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection attempt (malware-cnc.rules)
 * 1:32512 <-> ENABLED <-> MALWARE-CNC PCRat variant outbound connection (malware-cnc.rules)
 * 1:32513 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Havex outbound connection attempt (malware-cnc.rules)
 * 1:32514 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt (file-office.rules)
 * 1:32515 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt (file-office.rules)
 * 1:32517 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff validation exploit attempt (file-office.rules)
 * 1:32518 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer registry symbolic link attack attempt (file-other.rules)
 * 1:32519 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer registry symbolic link attack attempt (file-other.rules)
 * 1:32520 <-> DISABLED <-> DELETED hrt67yu467e56yeher6ywe5rtw45y356yert (deleted.rules)
 * 1:32462 <-> DISABLED <-> SERVER-WEBAPP Belkin Multiple Devices buffer overflow attempt (server-webapp.rules)
 * 1:32463 <-> DISABLED <-> BLACKLIST DNS request for known malware domain octoberpics.ru - Win.Trojan.TorrentLocker (blacklist.rules)
 * 1:32464 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TorrentLocker variant outbound connection (malware-cnc.rules)
 * 1:32465 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt (server-other.rules)
 * 1:32466 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt (server-other.rules)
 * 1:32467 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt (server-other.rules)
 * 1:32468 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt (server-other.rules)
 * 1:32469 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bankeiya outbound connection attempt (malware-cnc.rules)
 * 1:32470 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32471 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32472 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32473 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32474 <-> ENABLED <-> OS-WINDOWS .NET Framework BinaryServerFormatterSink-ProcessMessage IMessage corruption attempt (os-windows.rules)
 * 1:32475 <-> ENABLED <-> OS-WINDOWS .NET Framework BinaryServerFormatterSink-ProcessMessage IMessage corruption attempt (os-windows.rules)
 * 1:32476 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word bOffset value overflow attempt (file-office.rules)
 * 1:32477 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bOffset value overflow attempt (file-office.rules)
 * 1:32478 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSecurityContext use after free attempt (browser-ie.rules)
 * 1:32479 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSecurityContext use after free attempt (browser-ie.rules)
 * 1:32480 <-> DISABLED <-> DELETED deleted stuff that was pulled etc (deleted.rules)
 * 1:32481 <-> DISABLED <-> POLICY-OTHER Remote non-JavaScript file found in script tag src attribute (policy-other.rules)
 * 1:32482 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pasteHTML use after free attempt (browser-ie.rules)
 * 1:32483 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pasteHTML use after free attempt (browser-ie.rules)
 * 1:32484 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer immutable application settings sandbox escape attempt (browser-ie.rules)
 * 1:32485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer immutable application settings sandbox escape attempt (browser-ie.rules)
 * 1:32489 <-> ENABLED <-> OS-WINDOWS Microsoft Windows tcpip.sys null pointer dereference attempt (os-windows.rules)
 * 1:32486 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Exadog outbound connection attempt (malware-cnc.rules)
 * 1:32487 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Exadog variant outbound connection attempt (malware-cnc.rules)
 * 1:32488 <-> DISABLED <-> DELETED INDICATOR-COMPROMISE .com- potentially malicious hostname (deleted.rules)
 * 1:32505 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection (malware-cnc.rules)
 * 1:32502 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (file-other.rules)
 * 1:32503 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string myupdate (blacklist.rules)
 * 1:32500 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer EPM sandbox escape attempt (file-other.rules)
 * 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32495 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CStyleSheet object use after free attempt (browser-ie.rules)
 * 1:32491 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:32498 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:32501 <-> ENABLED <-> FILE-OTHER Microsoft XML invalid priority in xsl template (file-other.rules)
 * 1:32497 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:32499 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer EPM sandbox escape attempt (file-other.rules)
 * 1:32496 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CStyleSheet object use after free attempt (browser-ie.rules)
 * 1:32492 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:32490 <-> ENABLED <-> OS-WINDOWS Microsoft Windows tcpip.sys null pointer dereference attempt (os-windows.rules)
 * 3:32398 <-> ENABLED <-> SERVER-OTHER Cisco RV180W Router cross-site request forgery attempt (server-other.rules)

Modified Rules:


 * 1:29714 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
 * 1:32371 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
 * 1:32084 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:32085 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
 * 1:29713 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
 * 1:31254 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT inbound connection to infected host (malware-cnc.rules)