VRT Rules 2015-01-06
The VRT is aware of a vulnerability affecting products from Microsoft Corporation.

CVE-2015-0002: A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 32965 and 32966; both ship enabled by default.

The VRT has also added and modified multiple rules in the blacklist, deleted, file-identify, file-office, file-other, indicator-compromise, malware-backdoor, malware-cnc, malware-other, malware-tools, os-linux, os-windows, policy-other, protocol-dns, server-other and server-webapp rule sets to provide coverage for emerging threats.

Change logs

2015-01-06 17:31:28 UTC

Sourcefire VRT Rules Update

Date: 2015-01-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
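The format line above is regular enough to parse, which is how a detection engineer usually consumes these changelogs: to count what ships enabled versus disabled, to confirm that the SIDs advertised for CVE-2015-0002 (1:32965 and 1:32966) are actually present and enabled, and to collect the default-disabled entries (the Win.Trojan.Wiper rules here) in the gid:sid form that pulledpork's enablesid.conf accepts. The block below is an added example, not VRT or Snort code; the CHANGELOG text is a constructed excerpt of entries listed on this page, and the parse_changelog, covers, disabled_sids_matching and state_counts names are the editor's own.

```python
"""Parse Sourcefire VRT changelog entries of the form
   gid:sid <-> Default rule state <-> Message (rule group)
into records and answer the questions asked before deploying a rule pack.

Added example for this page; not VRT or Snort code. CHANGELOG below is a
constructed excerpt of entries listed on this page; the helper names are
the editor's own.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One changelog line, e.g.
#  * 1:32965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows identity token ... (os-windows.rules)
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    enabled: bool       # default rule state in the shipped pack
    category: str       # first token of the message, e.g. MALWARE-CNC (or DELETED)
    message: str
    group: str          # rule file, e.g. malware-cnc.rules
    section: str        # "new" or "modified"


def parse_changelog(text: str) -> list[Rule]:
    """Return every parseable rule entry, tagged with the section it sits in."""
    rules: list[Rule] = []
    section = "new"
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("New Rules"):
            section = "new"
            continue
        if stripped.startswith("Modified Rules"):
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything that is not an entry
        msg = m["msg"]
        rules.append(Rule(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                          msg.split(" ", 1)[0], msg, m["group"], section))
    return rules


def covers(rules: list[Rule], gid: int, sids) -> bool:
    """True only if every advertised gid:sid is present AND enabled by default.
    A rule that ships DISABLED gives no coverage until someone turns it on."""
    by_id = {(r.gid, r.sid): r for r in rules}
    return all((gid, s) in by_id and by_id[(gid, s)].enabled for s in sids)


def disabled_sids_matching(rules: list[Rule], pattern: str) -> list[str]:
    """gid:sid strings for rules that ship DISABLED and whose message matches
    pattern; the form pulledpork's enablesid.conf takes, one per line."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted((f"{r.gid}:{r.sid}" for r in rules
                   if not r.enabled and rx.search(r.message)),
                  key=lambda s: tuple(int(x) for x in s.split(":")))


def state_counts(rules: list[Rule]) -> Counter:
    """How many entries ship ENABLED vs DISABLED (the pack's default posture)."""
    return Counter("ENABLED" if r.enabled else "DISABLED" for r in rules)


# Constructed excerpt of the 2015-01-06 changelog entries shown on this page.
CHANGELOG = """\
New Rules:

 * 1:32965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:32966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:32912 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt (malware-backdoor.rules)
 * 1:32911 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt (malware-backdoor.rules)
 * 1:32909 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot outbound communication (malware-cnc.rules)
 * 1:32905 <-> DISABLED <-> DELETED PROTOCOL-SCADA Advantech ADAMView display properties remote code execution attempt (deleted.rules)

Modified Rules:

 * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules)
"""

if __name__ == "__main__":
    rules = parse_changelog(CHANGELOG)
    counts = state_counts(rules)
    print(f"enabled={counts['ENABLED']} disabled={counts['DISABLED']}")   # enabled=3 disabled=4
    print("CVE-2015-0002 covered:", covers(rules, 1, [32965, 32966]))     # True
    print("\n".join(disabled_sids_matching(rules, r"Win\.Trojan\.Wiper")))  # 1:32911 then 1:32912
```

Run the script against a full changelog pasted into CHANGELOG (or read from a file) and feed the disabled_sids_matching output to enablesid.conf before the next pulledpork run; the covers() check is the one to wire into whatever gate approves a rule pack, since an advertised SID that ships DISABLED gives no coverage on its own.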

New Rules:


 * 1:32932 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32933 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32931 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32925 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32919 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper download attempt (malware-other.rules)
 * 1:32921 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper download attempt (malware-other.rules)
 * 1:32917 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt (malware-backdoor.rules)
 * 1:32912 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt (malware-backdoor.rules)
 * 1:32909 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot outbound communication (malware-cnc.rules)
 * 1:32956 <-> ENABLED <-> MALWARE-CNC Android.CoolReaper.Trojan outbound connection attempt (malware-cnc.rules)
 * 1:32965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:32966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:32904 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)
 * 1:32935 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper download attempt (malware-other.rules)
 * 1:32902 <-> DISABLED <-> FILE-OTHER Advantech ADAMView GeniDAQ display designer stack buffer overflow attempt (file-other.rules)
 * 1:32903 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)
 * 1:32957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot outbound SOAP connection attempt (malware-cnc.rules)
 * 1:32958 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot response connection attempt (malware-cnc.rules)
 * 1:32959 <-> DISABLED <-> PROTOCOL-DNS Microsoft SMTP excessive answer records buffer overflow attempt (protocol-dns.rules)
 * 1:32960 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:32961 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:32962 <-> DISABLED <-> SERVER-WEBAPP Lexmark MarkVision Enterprise GfdFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:32963 <-> DISABLED <-> SERVER-WEBAPP Lexmark MarkVision Enterprise GfdFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:32964 <-> DISABLED <-> SERVER-WEBAPP Lexmark MarkVision Enterprise GfdFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:32905 <-> DISABLED <-> DELETED PROTOCOL-SCADA Advantech ADAMView display properties remote code execution attempt (deleted.rules)
 * 1:32906 <-> DISABLED <-> DELETED PROTOCOL-SCADA Advantech ADAMView display properties remote code execution attempt (deleted.rules)
 * 1:32907 <-> DISABLED <-> POLICY-OTHER PirateBrowser User-Agent detected (policy-other.rules)
 * 1:32910 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot outbound communication (malware-cnc.rules)
 * 1:32911 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt (malware-backdoor.rules)
 * 1:32913 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper download attempt (malware-backdoor.rules)
 * 1:32908 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot outbound communication (malware-cnc.rules)
 * 1:32914 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper download attempt (malware-backdoor.rules)
 * 1:32916 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt (malware-backdoor.rules)
 * 1:32915 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt (malware-backdoor.rules)
 * 1:32918 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper download attempt (malware-backdoor.rules)
 * 1:32920 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper download attempt (malware-other.rules)
 * 1:32922 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32923 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32924 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32926 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32927 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32928 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32929 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32934 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper download attempt (malware-other.rules)
 * 1:32936 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Wiper proxy tools download attempt (malware-tools.rules)
 * 1:32937 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Wiper proxy communication attempt (malware-tools.rules)
 * 1:32938 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Wiper proxy tool download attempt (malware-tools.rules)
 * 1:32939 <-> DISABLED <-> SERVER-WEBAPP Wordpress XSS Clean and Simple Contact Form plugin cross-site scripting attempt (server-webapp.rules)
 * 1:32940 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (file-office.rules)
 * 1:32941 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SLK file excessive Picture records exploit attempt (file-office.rules)
 * 1:32942 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SLK file excessive Picture records exploit attempt (file-office.rules)
 * 1:32943 <-> ENABLED <-> FILE-OTHER Microsoft SYmbolic LinK stack overflow attempt (file-other.rules)
 * 1:32944 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - realUpdate - Win.Backdoor.Upatre (blacklist.rules)
 * 1:32945 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (file-identify.rules)
 * 1:32946 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (file-identify.rules)
 * 1:32947 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file download request (file-identify.rules)
 * 1:32949 <-> DISABLED <-> MALWARE-OTHER Download of executable screensaver file (malware-other.rules)
 * 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules)
 * 1:32955 <-> DISABLED <-> SERVER-OTHER XCat Blind XPath Injection attempt (server-other.rules)
 * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules)
 * 1:32954 <-> DISABLED <-> SERVER-OTHER XCat Blind XPath Injection attempt (server-other.rules)
 * 1:32952 <-> DISABLED <-> SERVER-WEBAPP iCloud Apple ID brute-force login attempt (server-webapp.rules)
 * 1:32951 <-> DISABLED <-> POLICY-OTHER base64 encoded executable file download (policy-other.rules)
 * 1:32901 <-> DISABLED <-> FILE-OTHER Advantech ADAMView GeniDAQ display designer stack buffer overflow attempt (file-other.rules)
 * 1:32953 <-> DISABLED <-> SERVER-OTHER XCat Blind XPath Injection attempt (server-other.rules)

Modified Rules:


 * 1:27590 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules)
 * 1:27580 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:25314 <-> DISABLED <-> OS-LINUX Linux kernel IGMP queries denial of service attempt (os-linux.rules)
 * 1:27583 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27588 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27587 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27591 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27586 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:32488 <-> DISABLED <-> INDICATOR-COMPROMISE .com- potentially malicious hostname (indicator-compromise.rules)
 * 1:27589 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:27582 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27581 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)

2015-01-06 17:31:28 UTC

Sourcefire VRT Rules Update

Date: 2015-01-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32904 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)
 * 1:32902 <-> DISABLED <-> FILE-OTHER Advantech ADAMView GeniDAQ display designer stack buffer overflow attempt (file-other.rules)
 * 1:32903 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)
 * 1:32905 <-> DISABLED <-> DELETED PROTOCOL-SCADA Advantech ADAMView display properties remote code execution attempt (deleted.rules)
 * 1:32906 <-> DISABLED <-> DELETED PROTOCOL-SCADA Advantech ADAMView display properties remote code execution attempt (deleted.rules)
 * 1:32907 <-> DISABLED <-> POLICY-OTHER PirateBrowser User-Agent detected (policy-other.rules)
 * 1:32909 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot outbound communication (malware-cnc.rules)
 * 1:32910 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot outbound communication (malware-cnc.rules)
 * 1:32911 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt (malware-backdoor.rules)
 * 1:32912 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt (malware-backdoor.rules)
 * 1:32908 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot outbound communication (malware-cnc.rules)
 * 1:32913 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper download attempt (malware-backdoor.rules)
 * 1:32915 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt (malware-backdoor.rules)
 * 1:32914 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper download attempt (malware-backdoor.rules)
 * 1:32916 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt (malware-backdoor.rules)
 * 1:32917 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt (malware-backdoor.rules)
 * 1:32918 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper download attempt (malware-backdoor.rules)
 * 1:32920 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper download attempt (malware-other.rules)
 * 1:32919 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper download attempt (malware-other.rules)
 * 1:32921 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper download attempt (malware-other.rules)
 * 1:32922 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32923 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32925 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32924 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32926 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32927 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32928 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32929 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32931 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32932 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32933 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32934 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper download attempt (malware-other.rules)
 * 1:32935 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper download attempt (malware-other.rules)
 * 1:32936 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Wiper proxy tools download attempt (malware-tools.rules)
 * 1:32937 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Wiper proxy communication attempt (malware-tools.rules)
 * 1:32938 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Wiper proxy tool download attempt (malware-tools.rules)
 * 1:32939 <-> DISABLED <-> SERVER-WEBAPP Wordpress XSS Clean and Simple Contact Form plugin cross-site scripting attempt (server-webapp.rules)
 * 1:32940 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (file-office.rules)
 * 1:32941 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SLK file excessive Picture records exploit attempt (file-office.rules)
 * 1:32942 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SLK file excessive Picture records exploit attempt (file-office.rules)
 * 1:32943 <-> ENABLED <-> FILE-OTHER Microsoft SYmbolic LinK stack overflow attempt (file-other.rules)
 * 1:32944 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - realUpdate - Win.Backdoor.Upatre (blacklist.rules)
 * 1:32945 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (file-identify.rules)
 * 1:32946 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (file-identify.rules)
 * 1:32947 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file download request (file-identify.rules)
 * 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules)
 * 1:32949 <-> DISABLED <-> MALWARE-OTHER Download of executable screensaver file (malware-other.rules)
 * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules)
 * 1:32901 <-> DISABLED <-> FILE-OTHER Advantech ADAMView GeniDAQ display designer stack buffer overflow attempt (file-other.rules)
 * 1:32966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:32965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:32964 <-> DISABLED <-> SERVER-WEBAPP Lexmark MarkVision Enterprise GfdFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:32963 <-> DISABLED <-> SERVER-WEBAPP Lexmark MarkVision Enterprise GfdFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:32962 <-> DISABLED <-> SERVER-WEBAPP Lexmark MarkVision Enterprise GfdFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:32961 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:32960 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:32959 <-> DISABLED <-> PROTOCOL-DNS Microsoft SMTP excessive answer records buffer overflow attempt (protocol-dns.rules)
 * 1:32958 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot response connection attempt (malware-cnc.rules)
 * 1:32957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot outbound SOAP connection attempt (malware-cnc.rules)
 * 1:32956 <-> ENABLED <-> MALWARE-CNC Android.CoolReaper.Trojan outbound connection attempt (malware-cnc.rules)
 * 1:32954 <-> DISABLED <-> SERVER-OTHER XCat Blind XPath Injection attempt (server-other.rules)
 * 1:32955 <-> DISABLED <-> SERVER-OTHER XCat Blind XPath Injection attempt (server-other.rules)
 * 1:32953 <-> DISABLED <-> SERVER-OTHER XCat Blind XPath Injection attempt (server-other.rules)
 * 1:32952 <-> DISABLED <-> SERVER-WEBAPP iCloud Apple ID brute-force login attempt (server-webapp.rules)
 * 1:32951 <-> DISABLED <-> POLICY-OTHER base64 encoded executable file download (policy-other.rules)

Modified Rules:


 * 1:32488 <-> DISABLED <-> INDICATOR-COMPROMISE .com- potentially malicious hostname (indicator-compromise.rules)
 * 1:27590 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:27588 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27589 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27587 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27586 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27582 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27581 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27580 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules)
 * 1:25314 <-> DISABLED <-> OS-LINUX Linux kernel IGMP queries denial of service attempt (os-linux.rules)
 * 1:27583 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27591 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)

2015-01-06 17:31:28 UTC

Sourcefire VRT Rules Update

Date: 2015-01-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:32965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:32964 <-> DISABLED <-> SERVER-WEBAPP Lexmark MarkVision Enterprise GfdFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:32963 <-> DISABLED <-> SERVER-WEBAPP Lexmark MarkVision Enterprise GfdFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:32962 <-> DISABLED <-> SERVER-WEBAPP Lexmark MarkVision Enterprise GfdFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:32961 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:32960 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:32959 <-> DISABLED <-> PROTOCOL-DNS Microsoft SMTP excessive answer records buffer overflow attempt (protocol-dns.rules)
 * 1:32958 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot response connection attempt (malware-cnc.rules)
 * 1:32957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot outbound SOAP connection attempt (malware-cnc.rules)
 * 1:32956 <-> ENABLED <-> MALWARE-CNC Android.CoolReaper.Trojan outbound connection attempt (malware-cnc.rules)
 * 1:32955 <-> DISABLED <-> SERVER-OTHER XCat Blind XPath Injection attempt (server-other.rules)
 * 1:32954 <-> DISABLED <-> SERVER-OTHER XCat Blind XPath Injection attempt (server-other.rules)
 * 1:32953 <-> DISABLED <-> SERVER-OTHER XCat Blind XPath Injection attempt (server-other.rules)
 * 1:32952 <-> DISABLED <-> SERVER-WEBAPP iCloud Apple ID brute-force login attempt (server-webapp.rules)
 * 1:32951 <-> DISABLED <-> POLICY-OTHER base64 encoded executable file download (policy-other.rules)
 * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules)
 * 1:32949 <-> DISABLED <-> MALWARE-OTHER Download of executable screensaver file (malware-other.rules)
 * 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules)
 * 1:32947 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file download request (file-identify.rules)
 * 1:32946 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (file-identify.rules)
 * 1:32945 <-> ENABLED <-> FILE-IDENTIFY .scr executable screensaver file attachment detected (file-identify.rules)
 * 1:32944 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - realUpdate - Win.Backdoor.Upatre (blacklist.rules)
 * 1:32943 <-> ENABLED <-> FILE-OTHER Microsoft SYmbolic LinK stack overflow attempt (file-other.rules)
 * 1:32942 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SLK file excessive Picture records exploit attempt (file-office.rules)
 * 1:32941 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SLK file excessive Picture records exploit attempt (file-office.rules)
 * 1:32940 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (file-office.rules)
 * 1:32939 <-> DISABLED <-> SERVER-WEBAPP Wordpress XSS Clean and Simple Contact Form plugin cross-site scripting attempt (server-webapp.rules)
 * 1:32938 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Wiper proxy tool download attempt (malware-tools.rules)
 * 1:32937 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Wiper proxy communication attempt (malware-tools.rules)
 * 1:32936 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Wiper proxy tools download attempt (malware-tools.rules)
 * 1:32935 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper download attempt (malware-other.rules)
 * 1:32934 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper download attempt (malware-other.rules)
 * 1:32933 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32932 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32931 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32929 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32928 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32927 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32926 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32925 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32924 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32923 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32922 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper listener download attempt (malware-other.rules)
 * 1:32921 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper download attempt (malware-other.rules)
 * 1:32920 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper download attempt (malware-other.rules)
 * 1:32919 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Wiper download attempt (malware-other.rules)
 * 1:32918 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper download attempt (malware-backdoor.rules)
 * 1:32917 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt (malware-backdoor.rules)
 * 1:32916 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt (malware-backdoor.rules)
 * 1:32915 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt (malware-backdoor.rules)
 * 1:32914 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper download attempt (malware-backdoor.rules)
 * 1:32913 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper download attempt (malware-backdoor.rules)
 * 1:32912 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt (malware-backdoor.rules)
 * 1:32911 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt (malware-backdoor.rules)
 * 1:32910 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot outbound communication (malware-cnc.rules)
 * 1:32909 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot outbound communication (malware-cnc.rules)
 * 1:32908 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TinyZBot outbound communication (malware-cnc.rules)
 * 1:32907 <-> DISABLED <-> POLICY-OTHER PirateBrowser User-Agent detected (policy-other.rules)
 * 1:32906 <-> DISABLED <-> DELETED PROTOCOL-SCADA Advantech ADAMView display properties remote code execution attempt (deleted.rules)
 * 1:32905 <-> DISABLED <-> DELETED PROTOCOL-SCADA Advantech ADAMView display properties remote code execution attempt (deleted.rules)
 * 1:32904 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)
 * 1:32903 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)
 * 1:32902 <-> DISABLED <-> FILE-OTHER Advantech ADAMView GeniDAQ display designer stack buffer overflow attempt (file-other.rules)
 * 1:32901 <-> DISABLED <-> FILE-OTHER Advantech ADAMView GeniDAQ display designer stack buffer overflow attempt (file-other.rules)

Modified Rules:


 * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules)
 * 1:25314 <-> DISABLED <-> OS-LINUX Linux kernel IGMP queries denial of service attempt (os-linux.rules)
 * 1:27580 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27581 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27582 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27583 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27586 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27587 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27588 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27589 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27590 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27591 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:32488 <-> DISABLED <-> INDICATOR-COMPROMISE .com- potentially malicious hostname (indicator-compromise.rules)