VRT Rules 2015-03-31
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-chrome, browser-ie, exploit-kit, file-flash, file-other, file-pdf, malware-cnc, malware-other, policy-other, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-03-31 14:35:16 UTC

Sourcefire VRT Rules Update

Date: 2015-03-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33966 <-> ENABLED <-> MALWARE-CNC Win.Worm.Mafusc variant outbound connection attempt (malware-cnc.rules)
 * 1:33963 <-> DISABLED <-> POLICY-OTHER Evercookie persistent cookie storage attempt (policy-other.rules)
 * 1:33961 <-> DISABLED <-> SERVER-OTHER PHP unserialize code execution attempt (server-other.rules)
 * 1:33958 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33952 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33953 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33951 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33979 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:33942 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33945 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33946 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33944 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33937 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TN200 Network Storage System command injection attempt (server-webapp.rules)
 * 1:33932 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tempedreve Samba probe (malware-cnc.rules)
 * 1:33933 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Penget variant outbound connection attempt (malware-cnc.rules)
 * 1:33931 <-> ENABLED <-> MALWARE-CNC Win.Worm.Goldrv variant outbound connection attempt (malware-cnc.rules)
 * 1:33930 <-> ENABLED <-> MALWARE-CNC Vicepass outbound connection initial request to the CNC sending system information (malware-cnc.rules)
 * 1:33938 <-> DISABLED <-> SERVER-WEBAPP Seagate BlackArmor NAS send_test_email command injection attempt (server-webapp.rules)
 * 1:33936 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TN200 Network Storage System command injection attempt (server-webapp.rules)
 * 1:33935 <-> DISABLED <-> SERVER-WEBAPP Wordpress WP Marketplace plugin privilege escalation attempt (server-webapp.rules)
 * 1:33934 <-> DISABLED <-> SERVER-WEBAPP Wordpress WP Marketplace plugin directory traversal attempt (server-webapp.rules)
 * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33975 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF object type mismatch attempt (file-flash.rules)
 * 1:33976 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF object type mismatch attempt (file-flash.rules)
 * 1:33968 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:33947 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33948 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33982 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
 * 1:33983 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit obfuscated file download (exploit-kit.rules)
 * 1:33949 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33939 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (malware-other.rules)
 * 1:33981 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit flash file download (exploit-kit.rules)
 * 1:33950 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33954 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33955 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33957 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33956 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33959 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33962 <-> DISABLED <-> BROWSER-CHROME Google Chrome Pepper Flash same-origin-policy bypass attempt (browser-chrome.rules)
 * 1:33960 <-> DISABLED <-> SERVER-OTHER PHP unserialize code execution attempt (server-other.rules)
 * 1:33964 <-> DISABLED <-> POLICY-OTHER Evercookie persistent cookie storage attempt (policy-other.rules)
 * 1:33967 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:33971 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross domain policy bypass attempt (file-flash.rules)
 * 1:33969 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:33970 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:33974 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed file cross domain policy bypass attempt (file-flash.rules)
 * 1:33973 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed file cross domain policy bypass attempt (file-flash.rules)
 * 1:33972 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross domain policy bypass attempt (file-flash.rules)
 * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33965 <-> DISABLED <-> BLACKLIST DNS request for known malware domain synergy-dev.sytes.net - Worm.MSIL.Mafusc.A (blacklist.rules)
 * 1:33978 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
 * 1:33977 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
 * 1:33940 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (malware-other.rules)
 * 1:33980 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)

Modified Rules:


 * 1:23258 <-> DISABLED <-> SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory traversal attempt (server-webapp.rules)
 * 1:33435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33434 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33909 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
 * 1:820 <-> DISABLED <-> SERVER-WEBAPP anaconda directory traversal attempt (server-webapp.rules)
 * 1:360 <-> DISABLED <-> PROTOCOL-FTP serv-u directory traversal (protocol-ftp.rules)
 * 1:26704 <-> DISABLED <-> SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory traversal attempt (server-webapp.rules)
 * 1:32793 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:27908 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPhraseElement use after free attempt (browser-ie.rules)
 * 1:31988 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit landing page (exploit-kit.rules)
 * 1:23259 <-> DISABLED <-> SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory traversal attempt (server-webapp.rules)
 * 1:31284 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:31286 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:33432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter variant outbound connection (malware-cnc.rules)
 * 1:27909 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPhraseElement use after free attempt (browser-ie.rules)
 * 1:32794 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:19223 <-> DISABLED <-> SERVER-OTHER SAP Crystal Reports 2008 directory traversal attempt (server-other.rules)
 * 1:33433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33908 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
 * 1:2125 <-> DISABLED <-> PROTOCOL-FTP CWD Root directory traversal attempt (protocol-ftp.rules)

2015-03-31 14:35:16 UTC

Sourcefire VRT Rules Update

Date: 2015-03-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33937 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TN200 Network Storage System command injection attempt (server-webapp.rules)
 * 1:33938 <-> DISABLED <-> SERVER-WEBAPP Seagate BlackArmor NAS send_test_email command injection attempt (server-webapp.rules)
 * 1:33935 <-> DISABLED <-> SERVER-WEBAPP Wordpress WP Marketplace plugin privilege escalation attempt (server-webapp.rules)
 * 1:33936 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TN200 Network Storage System command injection attempt (server-webapp.rules)
 * 1:33933 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Penget variant outbound connection attempt (malware-cnc.rules)
 * 1:33934 <-> DISABLED <-> SERVER-WEBAPP Wordpress WP Marketplace plugin directory traversal attempt (server-webapp.rules)
 * 1:33932 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tempedreve Samba probe (malware-cnc.rules)
 * 1:33931 <-> ENABLED <-> MALWARE-CNC Win.Worm.Goldrv variant outbound connection attempt (malware-cnc.rules)
 * 1:33930 <-> ENABLED <-> MALWARE-CNC Vicepass outbound connection initial request to the CNC sending system information (malware-cnc.rules)
 * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33939 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (malware-other.rules)
 * 1:33942 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33945 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33946 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33947 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33948 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33949 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33950 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33951 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33953 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33954 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33955 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33956 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33957 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33952 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33958 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33959 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33961 <-> DISABLED <-> SERVER-OTHER PHP unserialize code execution attempt (server-other.rules)
 * 1:33960 <-> DISABLED <-> SERVER-OTHER PHP unserialize code execution attempt (server-other.rules)
 * 1:33962 <-> DISABLED <-> BROWSER-CHROME Google Chrome Pepper Flash same-origin-policy bypass attempt (browser-chrome.rules)
 * 1:33963 <-> DISABLED <-> POLICY-OTHER Evercookie persistent cookie storage attempt (policy-other.rules)
 * 1:33964 <-> DISABLED <-> POLICY-OTHER Evercookie persistent cookie storage attempt (policy-other.rules)
 * 1:33966 <-> ENABLED <-> MALWARE-CNC Win.Worm.Mafusc variant outbound connection attempt (malware-cnc.rules)
 * 1:33965 <-> DISABLED <-> BLACKLIST DNS request for known malware domain synergy-dev.sytes.net - Worm.MSIL.Mafusc.A (blacklist.rules)
 * 1:33967 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:33968 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:33969 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:33971 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross domain policy bypass attempt (file-flash.rules)
 * 1:33970 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:33972 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross domain policy bypass attempt (file-flash.rules)
 * 1:33973 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed file cross domain policy bypass attempt (file-flash.rules)
 * 1:33974 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed file cross domain policy bypass attempt (file-flash.rules)
 * 1:33976 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF object type mismatch attempt (file-flash.rules)
 * 1:33975 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF object type mismatch attempt (file-flash.rules)
 * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33983 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit obfuscated file download (exploit-kit.rules)
 * 1:33944 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33982 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
 * 1:33980 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:33979 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:33981 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit flash file download (exploit-kit.rules)
 * 1:33977 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
 * 1:33940 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (malware-other.rules)
 * 1:33978 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)

Modified Rules:


 * 1:820 <-> DISABLED <-> SERVER-WEBAPP anaconda directory traversal attempt (server-webapp.rules)
 * 1:360 <-> DISABLED <-> PROTOCOL-FTP serv-u directory traversal (protocol-ftp.rules)
 * 1:33435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33434 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33908 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
 * 1:27908 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPhraseElement use after free attempt (browser-ie.rules)
 * 1:27909 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPhraseElement use after free attempt (browser-ie.rules)
 * 1:31284 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:31286 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:31988 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit landing page (exploit-kit.rules)
 * 1:32793 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:32794 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:33228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter variant outbound connection (malware-cnc.rules)
 * 1:19223 <-> DISABLED <-> SERVER-OTHER SAP Crystal Reports 2008 directory traversal attempt (server-other.rules)
 * 1:2125 <-> DISABLED <-> PROTOCOL-FTP CWD Root directory traversal attempt (protocol-ftp.rules)
 * 1:23258 <-> DISABLED <-> SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory traversal attempt (server-webapp.rules)
 * 1:33909 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
 * 1:23259 <-> DISABLED <-> SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory traversal attempt (server-webapp.rules)
 * 1:26704 <-> DISABLED <-> SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory traversal attempt (server-webapp.rules)

2015-03-31 14:35:16 UTC

Sourcefire VRT Rules Update

Date: 2015-03-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33983 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit obfuscated file download (exploit-kit.rules)
 * 1:33982 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
 * 1:33981 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit flash file download (exploit-kit.rules)
 * 1:33980 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:33979 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:33978 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
 * 1:33977 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
 * 1:33976 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF object type mismatch attempt (file-flash.rules)
 * 1:33975 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF object type mismatch attempt (file-flash.rules)
 * 1:33974 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed file cross domain policy bypass attempt (file-flash.rules)
 * 1:33973 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed file cross domain policy bypass attempt (file-flash.rules)
 * 1:33972 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross domain policy bypass attempt (file-flash.rules)
 * 1:33971 <-> ENABLED <-> FILE-FLASH Adobe Flash Player cross domain policy bypass attempt (file-flash.rules)
 * 1:33970 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:33969 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:33968 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:33967 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:33966 <-> ENABLED <-> MALWARE-CNC Win.Worm.Mafusc variant outbound connection attempt (malware-cnc.rules)
 * 1:33965 <-> DISABLED <-> BLACKLIST DNS request for known malware domain synergy-dev.sytes.net - Worm.MSIL.Mafusc.A (blacklist.rules)
 * 1:33964 <-> DISABLED <-> POLICY-OTHER Evercookie persistent cookie storage attempt (policy-other.rules)
 * 1:33963 <-> DISABLED <-> POLICY-OTHER Evercookie persistent cookie storage attempt (policy-other.rules)
 * 1:33962 <-> DISABLED <-> BROWSER-CHROME Google Chrome Pepper Flash same-origin-policy bypass attempt (browser-chrome.rules)
 * 1:33961 <-> DISABLED <-> SERVER-OTHER PHP unserialize code execution attempt (server-other.rules)
 * 1:33960 <-> DISABLED <-> SERVER-OTHER PHP unserialize code execution attempt (server-other.rules)
 * 1:33959 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33958 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33957 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33956 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33955 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33954 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33953 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33952 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33951 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33950 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33949 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33948 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33947 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33946 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33945 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33944 <-> DISABLED <-> FILE-OTHER WordPerfect converter buffer overflow attempt (file-other.rules)
 * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33942 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33940 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (malware-other.rules)
 * 1:33939 <-> DISABLED <-> MALWARE-OTHER Executable control panel file attachment detected (malware-other.rules)
 * 1:33938 <-> DISABLED <-> SERVER-WEBAPP Seagate BlackArmor NAS send_test_email command injection attempt (server-webapp.rules)
 * 1:33937 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TN200 Network Storage System command injection attempt (server-webapp.rules)
 * 1:33936 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TN200 Network Storage System command injection attempt (server-webapp.rules)
 * 1:33935 <-> DISABLED <-> SERVER-WEBAPP Wordpress WP Marketplace plugin privilege escalation attempt (server-webapp.rules)
 * 1:33934 <-> DISABLED <-> SERVER-WEBAPP Wordpress WP Marketplace plugin directory traversal attempt (server-webapp.rules)
 * 1:33933 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Penget variant outbound connection attempt (malware-cnc.rules)
 * 1:33932 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tempedreve Samba probe (malware-cnc.rules)
 * 1:33931 <-> ENABLED <-> MALWARE-CNC Win.Worm.Goldrv variant outbound connection attempt (malware-cnc.rules)
 * 1:33930 <-> ENABLED <-> MALWARE-CNC Vicepass outbound connection initial request to the CNC sending system information (malware-cnc.rules)

Modified Rules:


 * 1:19223 <-> DISABLED <-> SERVER-OTHER SAP Crystal Reports 2008 directory traversal attempt (server-other.rules)
 * 1:2125 <-> DISABLED <-> PROTOCOL-FTP CWD Root directory traversal attempt (protocol-ftp.rules)
 * 1:23258 <-> DISABLED <-> SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory traversal attempt (server-webapp.rules)
 * 1:23259 <-> DISABLED <-> SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory traversal attempt (server-webapp.rules)
 * 1:26704 <-> DISABLED <-> SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory traversal attempt (server-webapp.rules)
 * 1:27908 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPhraseElement use after free attempt (browser-ie.rules)
 * 1:27909 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPhraseElement use after free attempt (browser-ie.rules)
 * 1:31284 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:31286 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:31988 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit landing page (exploit-kit.rules)
 * 1:32793 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:32794 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:33228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter variant outbound connection (malware-cnc.rules)
 * 1:33431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33434 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33908 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
 * 1:33909 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
 * 1:360 <-> DISABLED <-> PROTOCOL-FTP serv-u directory traversal (protocol-ftp.rules)
 * 1:820 <-> DISABLED <-> SERVER-WEBAPP anaconda directory traversal attempt (server-webapp.rules)