The VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, file-identify, file-office, file-other, indicator-compromise, malware-cnc, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
* 1:32673 <-> DISABLED <-> SERVER-OTHER Web Service on Devices API WSDAPI URL processing buffer corruption attempt (server-other.rules)
* 1:32672 <-> DISABLED <-> SERVER-OTHER Cisco ios ftp proxy overflow attempt (server-other.rules)
* 1:32671 <-> DISABLED <-> FILE-OTHER yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
* 1:32669 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray.uncompress use after free attempt (file-flash.rules)
* 1:32668 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray.uncompress use after free attempt (file-flash.rules)
* 1:32666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
* 1:32667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
* 1:32661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qov.hu.com - Group 74 (blacklist.rules)
* 1:32663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smigroup-online.co.uk - Group 74 (blacklist.rules)
* 1:32660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain q0v.pl - Group 74 (blacklist.rules)
* 1:32665 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
* 1:32642 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components OWC.Spreadsheet.9 ActiveX clsid access attempt (browser-plugins.rules)
* 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection attempt (malware-cnc.rules)
* 1:32643 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
* 1:32644 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
* 1:32645 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string RUpdate (blacklist.rules)
* 1:32646 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file (indicator-compromise.rules)
* 1:32647 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
* 1:32648 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
* 1:32649 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
* 1:32650 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
* 1:32651 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
* 1:32652 <-> ENABLED <-> BLACKLIST DNS request for known malware domain baltichost.org - Group 74 (blacklist.rules)
* 1:32653 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kavkazcentr.info - Group 74 (blacklist.rules)
* 1:32654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain login-osce.org - Group 74 (blacklist.rules)
* 1:32655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mail.q0v.pl - Group 74 (blacklist.rules)
* 1:32656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain n0vinite.com - Group 74 (blacklist.rules)
* 1:32657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nato.nshq.in - Group 74 (blacklist.rules)
* 1:32658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain natoexhibitionff14.com - Group 74 (blacklist.rules)
* 1:32659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain novinitie.com - Group 74 (blacklist.rules)
* 1:32662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rnil.am - Group 74 (blacklist.rules)
* 1:32664 <-> ENABLED <-> BLACKLIST DNS request for known malware domain standartnevvs.com - Group 74 (blacklist.rules)

* 1:23207 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:16635 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)
* 1:18199 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt (browser-plugins.rules)
* 1:4177 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components OWC.Spreadsheet.9 ActiveX clsid access attempt (browser-plugins.rules)
* 1:21794 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
* 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
* 1:32630 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
* 1:21935 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
* 1:25310 <-> ENABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
* 1:25308 <-> ENABLED <-> FILE-IDENTIFY Adobe Audition Session file attachment detected (file-identify.rules)
* 1:31784 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 C1DLayout ruby element use-after-free attempt (browser-ie.rules)
* 1:31785 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 C1DLayout ruby element use-after-free attempt (browser-ie.rules)
* 1:32161 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
* 1:32162 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
* 1:32470 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32471 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32472 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32497 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:32473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32498 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:32564 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32565 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
* 1:32609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
* 1:32629 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32668 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray.uncompress use after free attempt (file-flash.rules)
* 1:32666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
* 1:32667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
* 1:32661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qov.hu.com - Group 74 (blacklist.rules)
* 1:32663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smigroup-online.co.uk - Group 74 (blacklist.rules)
* 1:32660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain q0v.pl - Group 74 (blacklist.rules)
* 1:32664 <-> ENABLED <-> BLACKLIST DNS request for known malware domain standartnevvs.com - Group 74 (blacklist.rules)
* 1:32669 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray.uncompress use after free attempt (file-flash.rules)
* 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection attempt (malware-cnc.rules)
* 1:32642 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components OWC.Spreadsheet.9 ActiveX clsid access attempt (browser-plugins.rules)
* 1:32643 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
* 1:32644 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
* 1:32645 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string RUpdate (blacklist.rules)
* 1:32671 <-> DISABLED <-> FILE-OTHER yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
* 1:32646 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file (indicator-compromise.rules)
* 1:32647 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
* 1:32648 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
* 1:32649 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
* 1:32672 <-> DISABLED <-> SERVER-OTHER Cisco ios ftp proxy overflow attempt (server-other.rules)
* 1:32650 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
* 1:32651 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
* 1:32652 <-> ENABLED <-> BLACKLIST DNS request for known malware domain baltichost.org - Group 74 (blacklist.rules)
* 1:32673 <-> DISABLED <-> SERVER-OTHER Web Service on Devices API WSDAPI URL processing buffer corruption attempt (server-other.rules)
* 1:32653 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kavkazcentr.info - Group 74 (blacklist.rules)
* 1:32654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain login-osce.org - Group 74 (blacklist.rules)
* 1:32655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mail.q0v.pl - Group 74 (blacklist.rules)
* 1:32656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain n0vinite.com - Group 74 (blacklist.rules)
* 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
* 1:32657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nato.nshq.in - Group 74 (blacklist.rules)
* 1:32658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain natoexhibitionff14.com - Group 74 (blacklist.rules)
* 1:32659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain novinitie.com - Group 74 (blacklist.rules)
* 1:32662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rnil.am - Group 74 (blacklist.rules)
* 1:32665 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)

* 1:4177 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components OWC.Spreadsheet.9 ActiveX clsid access attempt (browser-plugins.rules)
* 1:32630 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
* 1:18199 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt (browser-plugins.rules)
* 1:16635 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)
* 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
* 1:21794 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
* 1:21935 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
* 1:25308 <-> ENABLED <-> FILE-IDENTIFY Adobe Audition Session file attachment detected (file-identify.rules)
* 1:23207 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:25310 <-> ENABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
* 1:31784 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 C1DLayout ruby element use-after-free attempt (browser-ie.rules)
* 1:31785 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 C1DLayout ruby element use-after-free attempt (browser-ie.rules)
* 1:32161 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
* 1:32162 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
* 1:32470 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32471 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32472 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32497 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:32498 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:32564 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
* 1:32565 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
* 1:32629 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
* 1:32673 <-> DISABLED <-> SERVER-OTHER Web Service on Devices API WSDAPI URL processing buffer corruption attempt (server-other.rules)
* 1:32672 <-> DISABLED <-> SERVER-OTHER Cisco ios ftp proxy overflow attempt (server-other.rules)
* 1:32671 <-> DISABLED <-> FILE-OTHER yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
* 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection attempt (malware-cnc.rules)
* 1:32669 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray.uncompress use after free attempt (file-flash.rules)
* 1:32668 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray.uncompress use after free attempt (file-flash.rules)
* 1:32667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
* 1:32666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
* 1:32665 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
* 1:32664 <-> ENABLED <-> BLACKLIST DNS request for known malware domain standartnevvs.com - Group 74 (blacklist.rules)
* 1:32663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smigroup-online.co.uk - Group 74 (blacklist.rules)
* 1:32662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rnil.am - Group 74 (blacklist.rules)
* 1:32661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qov.hu.com - Group 74 (blacklist.rules)
* 1:32660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain q0v.pl - Group 74 (blacklist.rules)
* 1:32659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain novinitie.com - Group 74 (blacklist.rules)
* 1:32658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain natoexhibitionff14.com - Group 74 (blacklist.rules)
* 1:32657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nato.nshq.in - Group 74 (blacklist.rules)
* 1:32656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain n0vinite.com - Group 74 (blacklist.rules)
* 1:32655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mail.q0v.pl - Group 74 (blacklist.rules)
* 1:32654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain login-osce.org - Group 74 (blacklist.rules)
* 1:32653 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kavkazcentr.info - Group 74 (blacklist.rules)
* 1:32652 <-> ENABLED <-> BLACKLIST DNS request for known malware domain baltichost.org - Group 74 (blacklist.rules)
* 1:32651 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
* 1:32650 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
* 1:32649 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
* 1:32648 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
* 1:32647 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
* 1:32646 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file (indicator-compromise.rules)
* 1:32645 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string RUpdate (blacklist.rules)
* 1:32644 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
* 1:32643 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
* 1:32642 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components OWC.Spreadsheet.9 ActiveX clsid access attempt (browser-plugins.rules)

* 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
* 1:16635 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)
* 1:18199 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt (browser-plugins.rules)
* 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
* 1:21794 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
* 1:21935 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
* 1:23207 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:25308 <-> ENABLED <-> FILE-IDENTIFY Adobe Audition Session file attachment detected (file-identify.rules)
* 1:25310 <-> ENABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
* 1:31784 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 C1DLayout ruby element use-after-free attempt (browser-ie.rules)
* 1:31785 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 C1DLayout ruby element use-after-free attempt (browser-ie.rules)
* 1:32161 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
* 1:32162 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
* 1:32470 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32471 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32472 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32497 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:32498 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:32564 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32565 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
* 1:32624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
* 1:32629 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32630 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:4177 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components OWC.Spreadsheet.9 ActiveX clsid access attempt (browser-plugins.rules)