VRT Rules 2014-11-24
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-identify, file-office, file-other, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

New rules to detect attacks from the Regin malware are also included in this release and are identified with GID 1, SIDs 32621 through 32624.

Change logs

2014-11-24 21:29:31 UTC

Sourcefire VRT Rules Update

Date: 2014-11-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:32622 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:32620 <-> DISABLED <-> FILE-OTHER MostGear EasyLanFolderShare serial key overflow attempt (file-other.rules)
 * 1:32623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:32625 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 1:32626 <-> ENABLED <-> BROWSER-PLUGINS Adobe Flash broker privilege escalation file creation attempt (browser-plugins.rules)
 * 1:32627 <-> ENABLED <-> BROWSER-PLUGINS Adobe Flash broker privilege escalation file creation attempt (browser-plugins.rules)
 * 1:32598 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Mysayad file wipe attempt (malware-cnc.rules)
 * 1:32599 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Mysayad outbound connection attempt (malware-cnc.rules)
 * 1:32600 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Mysayad file wipe attempt (malware-cnc.rules)
 * 1:32601 <-> DISABLED <-> SERVER-OTHER Hikvision DVR RTSP request buffer overflow attempt (server-other.rules)
 * 1:32602 <-> DISABLED <-> POLICY-OTHER ManageEngine Eventlog Analyzer credential disclosure attempt (policy-other.rules)
 * 1:32603 <-> DISABLED <-> POLICY-OTHER ManageEngine Eventlog Analyzer information disclosure attempt (policy-other.rules)
 * 1:32604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Geodo variant outbound connection attempt (malware-cnc.rules)
 * 1:32605 <-> ENABLED <-> MALWARE-CNC Win.Worm.Jenxcus variant outbound connection attempt (malware-cnc.rules)
 * 1:32606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral variant outbound connection attempt (malware-cnc.rules)
 * 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:32611 <-> DISABLED <-> SERVER-WEBAPP phpMemcachedAdmin path traversal attempt (server-webapp.rules)
 * 1:32612 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cechire.com (blacklist.rules)
 * 1:32613 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Jadowndec attempted outbound connection (malware-cnc.rules)
 * 1:32614 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Jadowndec attempted outbound connection (malware-cnc.rules)
 * 1:32615 <-> DISABLED <-> OS-WINDOWS Microsoft Windows search protocol remote command injection attempt (os-windows.rules)
 * 1:32618 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Registry file download request (file-identify.rules)
 * 1:32616 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Registry file attachment detected (file-identify.rules)
 * 1:32617 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Registry file attachment detected (file-identify.rules)
 * 1:32619 <-> DISABLED <-> FILE-OTHER MostGear EasyLanFolderShare serial key overflow attempt (file-other.rules)
 * 1:32621 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:19593 <-> DISABLED <-> MALWARE-CNC Win.Worm.Agent.btxm variant outbound connection IRC (malware-cnc.rules)
 * 1:19584 <-> DISABLED <-> MALWARE-CNC Win.Worm.Dref.C variant outbound connection (malware-cnc.rules)
 * 1:19585 <-> DISABLED <-> MALWARE-CNC Win.Worm.Dref.C variant outbound connection - notification (malware-cnc.rules)
 * 1:19575 <-> DISABLED <-> MALWARE-CNC Win.Worm.Emold.U variant outbound connection (malware-cnc.rules)
 * 1:19580 <-> DISABLED <-> MALWARE-CNC Win.Worm.Basun.wsc inbound connection (malware-cnc.rules)
 * 1:19573 <-> DISABLED <-> MALWARE-CNC Win.Worm.Chiviper.C variant outbound connection (malware-cnc.rules)
 * 1:19574 <-> DISABLED <-> MALWARE-CNC Win.Worm.Chiviper.C variant outbound connection (malware-cnc.rules)
 * 1:19401 <-> DISABLED <-> MALWARE-CNC Win.Worm.Sddrop.D variant outbound connection (malware-cnc.rules)
 * 1:19495 <-> DISABLED <-> MALWARE-CNC Win.Worm.Pilleuz variant outbound connection (malware-cnc.rules)
 * 1:19367 <-> DISABLED <-> MALWARE-CNC Win.Worm.Vaubeg.A variant outbound connection (malware-cnc.rules)
 * 1:19400 <-> DISABLED <-> MALWARE-CNC Win.Worm.Sddrop.D variant outbound connection (malware-cnc.rules)
 * 1:17742 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word remote code execution attempt (file-office.rules)
 * 1:19357 <-> ENABLED <-> MALWARE-CNC Win.Worm.Sohanad.ila variant outbound connection (malware-cnc.rules)
 * 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control ActiveX clsid access (browser-plugins.rules)
 * 1:32414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32409 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32410 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32415 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32416 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32417 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:19703 <-> ENABLED <-> MALWARE-CNC Win.Worm.Dusta.br outbound connnection (malware-cnc.rules)
 * 1:19766 <-> DISABLED <-> MALWARE-CNC Win.Worm.Autorun variant outbound connection (malware-cnc.rules)
 * 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (malware-cnc.rules)
 * 1:20022 <-> DISABLED <-> MALWARE-CNC Win.Worm.Padobot.z variant outbound connection (malware-cnc.rules)
 * 1:20017 <-> DISABLED <-> MALWARE-CNC Win.Worm.Koobface.dq variant outbound connection (malware-cnc.rules)
 * 1:20449 <-> DISABLED <-> MALWARE-CNC Win.Worm.Busifom.A variant outbound connection (malware-cnc.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
 * 1:28054 <-> ENABLED <-> FILE-OTHER VBScript potential executable write attempt (file-other.rules)

2014-11-24 21:29:31 UTC

Sourcefire VRT Rules Update

Date: 2014-11-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32627 <-> ENABLED <-> BROWSER-PLUGINS Adobe Flash broker privilege escalation file creation attempt (browser-plugins.rules)
 * 1:32626 <-> ENABLED <-> BROWSER-PLUGINS Adobe Flash broker privilege escalation file creation attempt (browser-plugins.rules)
 * 1:32625 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 1:32624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:32623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:32622 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:32621 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:32620 <-> DISABLED <-> FILE-OTHER MostGear EasyLanFolderShare serial key overflow attempt (file-other.rules)
 * 1:32619 <-> DISABLED <-> FILE-OTHER MostGear EasyLanFolderShare serial key overflow attempt (file-other.rules)
 * 1:32618 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Registry file download request (file-identify.rules)
 * 1:32617 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Registry file attachment detected (file-identify.rules)
 * 1:32616 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Registry file attachment detected (file-identify.rules)
 * 1:32615 <-> DISABLED <-> OS-WINDOWS Microsoft Windows search protocol remote command injection attempt (os-windows.rules)
 * 1:32614 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Jadowndec attempted outbound connection (malware-cnc.rules)
 * 1:32613 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Jadowndec attempted outbound connection (malware-cnc.rules)
 * 1:32612 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cechire.com (blacklist.rules)
 * 1:32611 <-> DISABLED <-> SERVER-WEBAPP phpMemcachedAdmin path traversal attempt (server-webapp.rules)
 * 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:32609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral variant outbound connection attempt (malware-cnc.rules)
 * 1:32605 <-> ENABLED <-> MALWARE-CNC Win.Worm.Jenxcus variant outbound connection attempt (malware-cnc.rules)
 * 1:32604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Geodo variant outbound connection attempt (malware-cnc.rules)
 * 1:32603 <-> DISABLED <-> POLICY-OTHER ManageEngine Eventlog Analyzer information disclosure attempt (policy-other.rules)
 * 1:32602 <-> DISABLED <-> POLICY-OTHER ManageEngine Eventlog Analyzer credential disclosure attempt (policy-other.rules)
 * 1:32601 <-> DISABLED <-> SERVER-OTHER Hikvision DVR RTSP request buffer overflow attempt (server-other.rules)
 * 1:32600 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Mysayad file wipe attempt (malware-cnc.rules)
 * 1:32599 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Mysayad outbound connection attempt (malware-cnc.rules)
 * 1:32598 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Mysayad file wipe attempt (malware-cnc.rules)

Modified Rules:


 * 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control ActiveX clsid access (browser-plugins.rules)
 * 1:17742 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word remote code execution attempt (file-office.rules)
 * 1:19357 <-> ENABLED <-> MALWARE-CNC Win.Worm.Sohanad.ila variant outbound connection (malware-cnc.rules)
 * 1:19367 <-> DISABLED <-> MALWARE-CNC Win.Worm.Vaubeg.A variant outbound connection (malware-cnc.rules)
 * 1:19400 <-> DISABLED <-> MALWARE-CNC Win.Worm.Sddrop.D variant outbound connection (malware-cnc.rules)
 * 1:19401 <-> DISABLED <-> MALWARE-CNC Win.Worm.Sddrop.D variant outbound connection (malware-cnc.rules)
 * 1:19495 <-> DISABLED <-> MALWARE-CNC Win.Worm.Pilleuz variant outbound connection (malware-cnc.rules)
 * 1:19573 <-> DISABLED <-> MALWARE-CNC Win.Worm.Chiviper.C variant outbound connection (malware-cnc.rules)
 * 1:19574 <-> DISABLED <-> MALWARE-CNC Win.Worm.Chiviper.C variant outbound connection (malware-cnc.rules)
 * 1:19575 <-> DISABLED <-> MALWARE-CNC Win.Worm.Emold.U variant outbound connection (malware-cnc.rules)
 * 1:19580 <-> DISABLED <-> MALWARE-CNC Win.Worm.Basun.wsc inbound connection (malware-cnc.rules)
 * 1:19584 <-> DISABLED <-> MALWARE-CNC Win.Worm.Dref.C variant outbound connection (malware-cnc.rules)
 * 1:19585 <-> DISABLED <-> MALWARE-CNC Win.Worm.Dref.C variant outbound connection - notification (malware-cnc.rules)
 * 1:19593 <-> DISABLED <-> MALWARE-CNC Win.Worm.Agent.btxm variant outbound connection IRC (malware-cnc.rules)
 * 1:19703 <-> ENABLED <-> MALWARE-CNC Win.Worm.Dusta.br outbound connnection (malware-cnc.rules)
 * 1:19766 <-> DISABLED <-> MALWARE-CNC Win.Worm.Autorun variant outbound connection (malware-cnc.rules)
 * 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (malware-cnc.rules)
 * 1:20017 <-> DISABLED <-> MALWARE-CNC Win.Worm.Koobface.dq variant outbound connection (malware-cnc.rules)
 * 1:20022 <-> DISABLED <-> MALWARE-CNC Win.Worm.Padobot.z variant outbound connection (malware-cnc.rules)
 * 1:20449 <-> DISABLED <-> MALWARE-CNC Win.Worm.Busifom.A variant outbound connection (malware-cnc.rules)
 * 1:28054 <-> ENABLED <-> FILE-OTHER VBScript potential executable write attempt (file-other.rules)
 * 1:32417 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32416 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32415 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32410 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32409 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)

2014-11-24 21:29:31 UTC

Sourcefire VRT Rules Update

Date: 2014-11-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:32617 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Registry file attachment detected (file-identify.rules)
 * 1:32616 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Registry file attachment detected (file-identify.rules)
 * 1:32614 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Jadowndec attempted outbound connection (malware-cnc.rules)
 * 1:32615 <-> DISABLED <-> OS-WINDOWS Microsoft Windows search protocol remote command injection attempt (os-windows.rules)
 * 1:32612 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cechire.com (blacklist.rules)
 * 1:32613 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Jadowndec attempted outbound connection (malware-cnc.rules)
 * 1:32598 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Mysayad file wipe attempt (malware-cnc.rules)
 * 1:32600 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Mysayad file wipe attempt (malware-cnc.rules)
 * 1:32602 <-> DISABLED <-> POLICY-OTHER ManageEngine Eventlog Analyzer credential disclosure attempt (policy-other.rules)
 * 1:32599 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Mysayad outbound connection attempt (malware-cnc.rules)
 * 1:32604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Geodo variant outbound connection attempt (malware-cnc.rules)
 * 1:32601 <-> DISABLED <-> SERVER-OTHER Hikvision DVR RTSP request buffer overflow attempt (server-other.rules)
 * 1:32605 <-> ENABLED <-> MALWARE-CNC Win.Worm.Jenxcus variant outbound connection attempt (malware-cnc.rules)
 * 1:32603 <-> DISABLED <-> POLICY-OTHER ManageEngine Eventlog Analyzer information disclosure attempt (policy-other.rules)
 * 1:32609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:32606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral variant outbound connection attempt (malware-cnc.rules)
 * 1:32622 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:32624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:32625 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 1:32626 <-> ENABLED <-> BROWSER-PLUGINS Adobe Flash broker privilege escalation file creation attempt (browser-plugins.rules)
 * 1:32627 <-> ENABLED <-> BROWSER-PLUGINS Adobe Flash broker privilege escalation file creation attempt (browser-plugins.rules)
 * 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:32611 <-> DISABLED <-> SERVER-WEBAPP phpMemcachedAdmin path traversal attempt (server-webapp.rules)
 * 1:32620 <-> DISABLED <-> FILE-OTHER MostGear EasyLanFolderShare serial key overflow attempt (file-other.rules)
 * 1:32621 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:32619 <-> DISABLED <-> FILE-OTHER MostGear EasyLanFolderShare serial key overflow attempt (file-other.rules)
 * 1:32618 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Registry file download request (file-identify.rules)

Modified Rules:


 * 1:32416 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32417 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (malware-cnc.rules)
 * 1:20449 <-> DISABLED <-> MALWARE-CNC Win.Worm.Busifom.A variant outbound connection (malware-cnc.rules)
 * 1:32410 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32415 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:19574 <-> DISABLED <-> MALWARE-CNC Win.Worm.Chiviper.C variant outbound connection (malware-cnc.rules)
 * 1:19703 <-> ENABLED <-> MALWARE-CNC Win.Worm.Dusta.br outbound connnection (malware-cnc.rules)
 * 1:32414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control ActiveX clsid access (browser-plugins.rules)
 * 1:19357 <-> ENABLED <-> MALWARE-CNC Win.Worm.Sohanad.ila variant outbound connection (malware-cnc.rules)
 * 1:19367 <-> DISABLED <-> MALWARE-CNC Win.Worm.Vaubeg.A variant outbound connection (malware-cnc.rules)
 * 1:19400 <-> DISABLED <-> MALWARE-CNC Win.Worm.Sddrop.D variant outbound connection (malware-cnc.rules)
 * 1:17742 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word remote code execution attempt (file-office.rules)
 * 1:19495 <-> DISABLED <-> MALWARE-CNC Win.Worm.Pilleuz variant outbound connection (malware-cnc.rules)
 * 1:19401 <-> DISABLED <-> MALWARE-CNC Win.Worm.Sddrop.D variant outbound connection (malware-cnc.rules)
 * 1:19584 <-> DISABLED <-> MALWARE-CNC Win.Worm.Dref.C variant outbound connection (malware-cnc.rules)
 * 1:32409 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:19575 <-> DISABLED <-> MALWARE-CNC Win.Worm.Emold.U variant outbound connection (malware-cnc.rules)
 * 1:19580 <-> DISABLED <-> MALWARE-CNC Win.Worm.Basun.wsc inbound connection (malware-cnc.rules)
 * 1:20022 <-> DISABLED <-> MALWARE-CNC Win.Worm.Padobot.z variant outbound connection (malware-cnc.rules)
 * 1:19585 <-> DISABLED <-> MALWARE-CNC Win.Worm.Dref.C variant outbound connection - notification (malware-cnc.rules)
 * 1:19593 <-> DISABLED <-> MALWARE-CNC Win.Worm.Agent.btxm variant outbound connection IRC (malware-cnc.rules)
 * 1:19766 <-> DISABLED <-> MALWARE-CNC Win.Worm.Autorun variant outbound connection (malware-cnc.rules)
 * 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
 * 1:19573 <-> DISABLED <-> MALWARE-CNC Win.Worm.Chiviper.C variant outbound connection (malware-cnc.rules)
 * 1:20017 <-> DISABLED <-> MALWARE-CNC Win.Worm.Koobface.dq variant outbound connection (malware-cnc.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:28054 <-> ENABLED <-> FILE-OTHER VBScript potential executable write attempt (file-other.rules)