VRT Rules 2014-12-04
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, file-identify, file-office, file-other, indicator-compromise, malware-cnc, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-12-04 16:16:38 UTC

Sourcefire VRT Rules Update

Date: 2014-12-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
 * 1:32673 <-> DISABLED <-> SERVER-OTHER Web Service on Devices API WSDAPI URL processing buffer corruption attempt (server-other.rules)
 * 1:32672 <-> DISABLED <-> SERVER-OTHER Cisco ios ftp proxy overflow attempt (server-other.rules)
 * 1:32671 <-> DISABLED <-> FILE-OTHER yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
 * 1:32669 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray.uncompress use after free attempt (file-flash.rules)
 * 1:32668 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray.uncompress use after free attempt (file-flash.rules)
 * 1:32666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
 * 1:32667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
 * 1:32661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qov.hu.com - Group 74 (blacklist.rules)
 * 1:32663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smigroup-online.co.uk - Group 74 (blacklist.rules)
 * 1:32660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain q0v.pl - Group 74 (blacklist.rules)
 * 1:32665 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
 * 1:32642 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components OWC.Spreadsheet.9 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection attempt (malware-cnc.rules)
 * 1:32643 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
 * 1:32644 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
 * 1:32645 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string RUpdate (blacklist.rules)
 * 1:32646 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file (indicator-compromise.rules)
 * 1:32647 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
 * 1:32648 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
 * 1:32649 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
 * 1:32650 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
 * 1:32651 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
 * 1:32652 <-> ENABLED <-> BLACKLIST DNS request for known malware domain baltichost.org - Group 74 (blacklist.rules)
 * 1:32653 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kavkazcentr.info - Group 74 (blacklist.rules)
 * 1:32654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain login-osce.org - Group 74 (blacklist.rules)
 * 1:32655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mail.q0v.pl - Group 74 (blacklist.rules)
 * 1:32656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain n0vinite.com - Group 74 (blacklist.rules)
 * 1:32657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nato.nshq.in - Group 74 (blacklist.rules)
 * 1:32658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain natoexhibitionff14.com - Group 74 (blacklist.rules)
 * 1:32659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain novinitie.com - Group 74 (blacklist.rules)
 * 1:32662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rnil.am - Group 74 (blacklist.rules)
 * 1:32664 <-> ENABLED <-> BLACKLIST DNS request for known malware domain standartnevvs.com - Group 74 (blacklist.rules)

Modified Rules:


 * 1:23207 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:16635 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)
 * 1:18199 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt (browser-plugins.rules)
 * 1:4177 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components OWC.Spreadsheet.9 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:21794 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
 * 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
 * 1:32630 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
 * 1:21935 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
 * 1:25310 <-> ENABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:25308 <-> ENABLED <-> FILE-IDENTIFY Adobe Audition Session file attachment detected (file-identify.rules)
 * 1:31784 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 C1DLayout ruby element use-after-free attempt (browser-ie.rules)
 * 1:31785 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 C1DLayout ruby element use-after-free attempt (browser-ie.rules)
 * 1:32161 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
 * 1:32162 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
 * 1:32470 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32471 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32472 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32497 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:32473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32498 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:32564 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32565 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:32609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:32629 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

New Rules:


 * 1:32668 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray.uncompress use after free attempt (file-flash.rules)
 * 1:32666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
 * 1:32667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
 * 1:32661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qov.hu.com - Group 74 (blacklist.rules)
 * 1:32663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smigroup-online.co.uk - Group 74 (blacklist.rules)
 * 1:32660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain q0v.pl - Group 74 (blacklist.rules)
 * 1:32664 <-> ENABLED <-> BLACKLIST DNS request for known malware domain standartnevvs.com - Group 74 (blacklist.rules)
 * 1:32669 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray.uncompress use after free attempt (file-flash.rules)
 * 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection attempt (malware-cnc.rules)
 * 1:32642 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components OWC.Spreadsheet.9 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32643 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
 * 1:32644 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
 * 1:32645 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string RUpdate (blacklist.rules)
 * 1:32671 <-> DISABLED <-> FILE-OTHER yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
 * 1:32646 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file (indicator-compromise.rules)
 * 1:32647 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
 * 1:32648 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
 * 1:32649 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
 * 1:32672 <-> DISABLED <-> SERVER-OTHER Cisco ios ftp proxy overflow attempt (server-other.rules)
 * 1:32650 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
 * 1:32651 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
 * 1:32652 <-> ENABLED <-> BLACKLIST DNS request for known malware domain baltichost.org - Group 74 (blacklist.rules)
 * 1:32673 <-> DISABLED <-> SERVER-OTHER Web Service on Devices API WSDAPI URL processing buffer corruption attempt (server-other.rules)
 * 1:32653 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kavkazcentr.info - Group 74 (blacklist.rules)
 * 1:32654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain login-osce.org - Group 74 (blacklist.rules)
 * 1:32655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mail.q0v.pl - Group 74 (blacklist.rules)
 * 1:32656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain n0vinite.com - Group 74 (blacklist.rules)
 * 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
 * 1:32657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nato.nshq.in - Group 74 (blacklist.rules)
 * 1:32658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain natoexhibitionff14.com - Group 74 (blacklist.rules)
 * 1:32659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain novinitie.com - Group 74 (blacklist.rules)
 * 1:32662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rnil.am - Group 74 (blacklist.rules)
 * 1:32665 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)

Modified Rules:


 * 1:4177 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components OWC.Spreadsheet.9 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32630 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
 * 1:18199 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt (browser-plugins.rules)
 * 1:16635 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)
 * 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
 * 1:21794 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
 * 1:21935 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
 * 1:25308 <-> ENABLED <-> FILE-IDENTIFY Adobe Audition Session file attachment detected (file-identify.rules)
 * 1:23207 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:25310 <-> ENABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:31784 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 C1DLayout ruby element use-after-free attempt (browser-ie.rules)
 * 1:31785 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 C1DLayout ruby element use-after-free attempt (browser-ie.rules)
 * 1:32161 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
 * 1:32162 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
 * 1:32470 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32471 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32472 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32497 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:32498 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:32564 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:32565 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:32629 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

New Rules:


 * 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
 * 1:32673 <-> DISABLED <-> SERVER-OTHER Web Service on Devices API WSDAPI URL processing buffer corruption attempt (server-other.rules)
 * 1:32672 <-> DISABLED <-> SERVER-OTHER Cisco ios ftp proxy overflow attempt (server-other.rules)
 * 1:32671 <-> DISABLED <-> FILE-OTHER yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
 * 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection attempt (malware-cnc.rules)
 * 1:32669 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray.uncompress use after free attempt (file-flash.rules)
 * 1:32668 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray.uncompress use after free attempt (file-flash.rules)
 * 1:32667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
 * 1:32666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
 * 1:32665 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
 * 1:32664 <-> ENABLED <-> BLACKLIST DNS request for known malware domain standartnevvs.com - Group 74 (blacklist.rules)
 * 1:32663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smigroup-online.co.uk - Group 74 (blacklist.rules)
 * 1:32662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rnil.am - Group 74 (blacklist.rules)
 * 1:32661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qov.hu.com - Group 74 (blacklist.rules)
 * 1:32660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain q0v.pl - Group 74 (blacklist.rules)
 * 1:32659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain novinitie.com - Group 74 (blacklist.rules)
 * 1:32658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain natoexhibitionff14.com - Group 74 (blacklist.rules)
 * 1:32657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nato.nshq.in - Group 74 (blacklist.rules)
 * 1:32656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain n0vinite.com - Group 74 (blacklist.rules)
 * 1:32655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mail.q0v.pl - Group 74 (blacklist.rules)
 * 1:32654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain login-osce.org - Group 74 (blacklist.rules)
 * 1:32653 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kavkazcentr.info - Group 74 (blacklist.rules)
 * 1:32652 <-> ENABLED <-> BLACKLIST DNS request for known malware domain baltichost.org - Group 74 (blacklist.rules)
 * 1:32651 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
 * 1:32650 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
 * 1:32649 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
 * 1:32648 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
 * 1:32647 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt (server-mysql.rules)
 * 1:32646 <-> DISABLED <-> INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file (indicator-compromise.rules)
 * 1:32645 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string RUpdate (blacklist.rules)
 * 1:32644 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
 * 1:32643 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
 * 1:32642 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components OWC.Spreadsheet.9 ActiveX clsid access attempt (browser-plugins.rules)

Modified Rules:


 * 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
 * 1:16635 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)
 * 1:18199 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt (browser-plugins.rules)
 * 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
 * 1:21794 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
 * 1:21935 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
 * 1:23207 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:25308 <-> ENABLED <-> FILE-IDENTIFY Adobe Audition Session file attachment detected (file-identify.rules)
 * 1:25310 <-> ENABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:31784 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 C1DLayout ruby element use-after-free attempt (browser-ie.rules)
 * 1:31785 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 C1DLayout ruby element use-after-free attempt (browser-ie.rules)
 * 1:32161 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
 * 1:32162 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
 * 1:32470 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32471 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32472 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32497 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:32498 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:32564 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32565 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:32624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:32629 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32630 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:4177 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components OWC.Spreadsheet.9 ActiveX clsid access attempt (browser-plugins.rules)