Sourcefire VRT Rules Update

Date: 2011-08-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:19717 <-> DISABLED <-> SPYWARE-PUT Virus.Win32.Virut.ce contact to server attempt (spyware-put.rules)
 * 1:19726 <-> ENABLED <-> BOTNET-CNC Win32.Poison.AY outbound connection (botnet-cnc.rules)
 * 1:19783 <-> DISABLED <-> BACKDOOR Trojan-Downloader.Win32.Banload.agcw runtime detection (backdoor.rules)
 * 1:19781 <-> DISABLED <-> BACKDOOR Trojan-Dropper.Win32.Agent.aqpn Runtime Detection (backdoor.rules)
 * 1:19782 <-> DISABLED <-> BACKDOOR Trojan.Win32.AVKill.bc contact to server attempt (backdoor.rules)
 * 1:19780 <-> ENABLED <-> POLICY logmein.com connection attempt (policy.rules)
 * 1:19779 <-> ENABLED <-> WEB-MISC sqlmap SQL injection scan attempt (web-misc.rules)
 * 1:19778 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /games/java_trust.php?f= (blacklist.rules)
 * 1:19776 <-> DISABLED <-> BACKDOOR Trojan.Win32.Agent2.guy dropper runtime detection (backdoor.rules)
 * 1:19777 <-> DISABLED <-> SPYWARE-PUT Fast Antivirus 2009 runtime detection (spyware-put.rules)
 * 1:19774 <-> DISABLED <-> BACKDOOR Gen-Trojan.Heur runtime detection (backdoor.rules)
 * 1:19775 <-> DISABLED <-> SPYWARE-PUT PWS.Win32.Ldpinch.gen runtime detection (spyware-put.rules)
 * 1:19772 <-> DISABLED <-> BACKDOOR Virus.Win32.Parite.B runtime detection (backdoor.rules)
 * 1:19773 <-> DISABLED <-> BACKDOOR Virus.Win32.Parite.B runtime detection (backdoor.rules)
 * 1:19770 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Yoddos.A outbound connection (botnet-cnc.rules)
 * 1:19771 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Yoddos.A outbound connection (botnet-cnc.rules)
 * 1:19768 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sxzyong.com (blacklist.rules)
 * 1:19769 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Yoddos.A outbound indicator (botnet-cnc.rules)
 * 1:19766 <-> DISABLED <-> BOTNET-CNC Worm Win32.Autorun.hi outbound connection (botnet-cnc.rules)
 * 1:19767 <-> ENABLED <-> BACKDOOR Win32.Msposer.A outbound connection (backdoor.rules)
 * 1:19759 <-> DISABLED <-> BACKDOOR Trojan-PSW.Win32.FireThief.h Runtime Detection (backdoor.rules)
 * 1:19761 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Ftpharvxqq.A outbound connection (botnet-cnc.rules)
 * 1:19758 <-> DISABLED <-> BACKDOOR Backdoor.Win32.Small.yw contact to server attempt (backdoor.rules)
 * 1:19757 <-> DISABLED <-> BACKDOOR Trojan-Downloader.Win32.Agent.bqlu contact to server attempt (backdoor.rules)
 * 1:19738 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xzrw0q.com (blacklist.rules)
 * 1:19741 <-> DISABLED <-> SPYWARE-PUT PWS.Win32.Scofted keylogger runtime detection (spyware-put.rules)
 * 1:19739 <-> DISABLED <-> BACKDOOR Win32.Apptom runtime detection (backdoor.rules)
 * 1:19742 <-> DISABLED <-> BACKDOOR Trojan-Downloader.Win32.Agent.atff runtime detection (backdoor.rules)
 * 1:19743 <-> DISABLED <-> SPYWARE-PUT Backdoor.Win32.Hupigon.eqlo runtime detection (spyware-put.rules)
 * 1:19730 <-> ENABLED <-> BOTNET-CNC Win32.KukuBot.A outbound connection (botnet-cnc.rules)
 * 1:19725 <-> ENABLED <-> BOTNET-CNC Win32.Poison.AY outbound connection (botnet-cnc.rules)
 * 1:19744 <-> DISABLED <-> BACKDOOR Worm.Win32.Deecee.a runtime detection (backdoor.rules)
 * 1:19745 <-> DISABLED <-> BACKDOOR Trojan-Downloader.Win32.FraudLoad.dyl runtime detection (backdoor.rules)
 * 1:19746 <-> DISABLED <-> BACKDOOR Trojan-Downloader.Win32.Agent.biiw runtime detection (backdoor.rules)
 * 1:19747 <-> DISABLED <-> BACKDOOR Backdoor.Win32.GGDoor.22 runtime detection (backdoor.rules)
 * 1:19748 <-> DISABLED <-> BACKDOOR Trojan.Crypt.ULPM.Gen IRC runtime detection (backdoor.rules)
 * 1:19749 <-> DISABLED <-> BACKDOOR Trojan.Win32.Agent.chgp contact to server attempt (backdoor.rules)
 * 1:19750 <-> DISABLED <-> BACKDOOR PWS.Win32.Zbot.PJ contact to server attempt (backdoor.rules)
 * 1:19751 <-> DISABLED <-> BACKDOOR Worm.Win32.Sohanad.bm contact to server attempt (backdoor.rules)
 * 1:19752 <-> DISABLED <-> BACKDOOR Trojan.Downloader.Win32.Agent.bkwx contact to server attempt (backdoor.rules)
 * 1:19754 <-> DISABLED <-> SPYWARE-PUT Trojan.Downloader.Delf.RGL Runtime Detection (spyware-put.rules)
 * 1:19753 <-> DISABLED <-> SPYWARE-PUT Trojan TrojanSpy.Win32.Zbot.gen.C Runtime Detection (spyware-put.rules)
 * 1:19756 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string Opera/8.89 - P2P-Worm.Win32.Palevo.ddm (blacklist.rules)
 * 1:19755 <-> DISABLED <-> BACKDOOR Trojan.Win32.Alphabet contact to server attempt (backdoor.rules)
 * 1:19715 <-> DISABLED <-> SPYWARE-PUT Trojan.URLZone contact to server attempt (spyware-put.rules)
 * 1:19731 <-> ENABLED <-> BOTNET-CNC Win32.Darkwebot.A outbound connection (botnet-cnc.rules)
 * 1:19721 <-> DISABLED <-> SPYWARE-PUT Backdoor.Win32.IRCBot.mlh contact to server attempt (spyware-put.rules)
 * 1:19719 <-> DISABLED <-> SPYWARE-PUT Email-Worm.Win32.Bagle.of Runtime Detection (spyware-put.rules)
 * 1:19720 <-> DISABLED <-> SPYWARE-PUT Trojan-Downloader.Win32.Onestage.ws contact to server attempt (spyware-put.rules)
 * 1:19718 <-> DISABLED <-> SPYWARE-PUT Trojan-Downloader.Win32.Agent.bkap contact to server attempt (spyware-put.rules)
 * 1:19729 <-> DISABLED <-> BOTNET-CNC Win32.Yayih.A outbound connection (botnet-cnc.rules)
 * 1:19716 <-> DISABLED <-> BACKDOOR TrojanSpy.Win32.Banker.OO Runtime Detection (backdoor.rules)
 * 1:19732 <-> ENABLED <-> BOTNET-CNC Win32.Idicaf.B outbound connection (botnet-cnc.rules)
 * 1:19733 <-> DISABLED <-> BACKDOOR Trojan Win32.Jorik.BRU outbound connection (backdoor.rules)
 * 1:19734 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 770304123.cn (blacklist.rules)
 * 1:19735 <-> ENABLED <-> POLICY Filesonic file-sharing site contacted (policy.rules)
 * 1:19736 <-> ENABLED <-> POLICY Megaupload file-sharing site contacted (policy.rules)
 * 1:19728 <-> DISABLED <-> BOTNET-CNC Win32.Yayih.A outbound connection (botnet-cnc.rules)
 * 1:19727 <-> ENABLED <-> BACKDOOR Trojan Win32.Bancos.DI outbound connection (backdoor.rules)

Modified Rules:

 * 1:9441 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor QSIGetQueuePath overflow attempt (netbios.rules)
 * 1:9772 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP msqueue function 1 overflow attempt (netbios.rules)
 * 1:15702 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor opcode 0x13 overflow attempt (netbios.rules)
 * 1:15508 <-> DISABLED <-> SPECIFIC-THREATS DCERPC NCADG-IP-UDP lsarpc LsarLookupSids translated_names overflow attempt (specific-threats.rules)
 * 1:7210 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP srvsvc NetrPathCanonicalize overflow attempt (netbios.rules)
 * 1:4755 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (netbios.rules)
 * 1:4334 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList attempt (netbios.rules)
 * 1:9914 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP tapisrv ClientRequest LSetAppPriority overflow attempt (netbios.rules)
 * 1:9769 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP msqueue function 4 overflow attempt (netbios.rules)
 * 1:9806 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc GetGroupStatus overflow attempt (netbios.rules)
 * 1:9773 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (netbios.rules)
 * 1:9132 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP netware_cs NwrOpenEnumNdsStubTrees_Any overflow attempt (netbios.rules)
 * 1:8253 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP webdav DavrCreateConnection username overflow attempt (netbios.rules)
 * 1:10018 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc ReserveGroup attempt (netbios.rules)
 * 1:10024 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc ClientDBMiniAgentClose attempt (netbios.rules)
 * 1:10030 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor QSIGetQueuePath_Function_45 overflow attempt (netbios.rules)
 * 1:10036 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor ASRemotePFC overflow attempt (netbios.rules)
 * 1:15710 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor opcode 0x3B null strings attempt (netbios.rules)
 * 1:10050 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 ASDBLoginToComputer overflow attempt (netbios.rules)
 * 1:10117 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc GetGCBHandleFromGroupName overflow attempt (netbios.rules)
 * 1:10202 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetRealTimeScanConfigInfo attempt (netbios.rules)
 * 1:3397 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt (netbios.rules)
 * 1:10208 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect COMN_NetTestConnection attempt (netbios.rules)
 * 1:10285 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP svcctl ChangeServiceConfig2A attempt (netbios.rules)
 * 1:15911 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss RouteRefreshPrinterChangeNotification attempt (netbios.rules)
 * 1:10486 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 15,16,17 attempt (netbios.rules)
 * 1:10603 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvUpdateRecord2 overflow attempt (netbios.rules)
 * 1:17378 <-> ENABLED <-> WEB-CLIENT Mozilla Firefox Animated PNG Processing integer overflow (web-client.rules)
 * 1:17379 <-> ENABLED <-> WEB-CLIENT Mozilla Firefox Animated PNG Processing integer overflow (web-client.rules)
 * 1:17640 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor opnum 43 overflow attempt (netbios.rules)
 * 1:17702 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrDfsCreateExitPoint dos attempt (netbios.rules)
 * 1:17707 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect trend_req_num buffer overflow attempt (netbios.rules)
 * 1:17715 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules)
 * 1:17714 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules)
 * 1:18189 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum attempt (netbios.rules)
 * 1:18190 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum attempt (netbios.rules)
 * 1:18191 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum attempt (netbios.rules)
 * 1:18192 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum attempt (netbios.rules)
 * 1:18266 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP rpcss2_RemoteGetClassObject attempt (netbios.rules)
 * 1:18285 <-> DISABLED <-> NETBIOS BrightStor ARCserve backup tape engine buffer overflow attempt (netbios.rules)
 * 1:18315 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrValidateName2 overflow attempt (netbios.rules)
 * 1:19438 <-> ENABLED <-> SQL url ending in comment characters - possible sql injection attempt (sql.rules)
 * 1:19657 <-> ENABLED <-> BOTNET-CNC FakeAV variant traffic (botnet-cnc.rules)
 * 1:19701 <-> DISABLED <-> BOTNET-CNC Backdoor Win32.Hassar.A outbound connection (botnet-cnc.rules)
 * 1:19708 <-> ENABLED <-> SMTP Postfix SMTP Server SASL AUTH Handle Reuse Memory Corruption (smtp.rules)
 * 1:2349 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters attempt (netbios.rules)
 * 1:2508 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt (netbios.rules)
 * 1:2511 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (netbios.rules)
 * 1:2936 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP nddeapi NDdeSetTrustedShareW overflow attempt (netbios.rules)
 * 1:2942 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP winreg InitiateSystemShutdown attempt (netbios.rules)
 * 1:3114 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP llsrpc LlsrConnect overflow attempt (netbios.rules)
 * 1:3158 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP ISystemActivator CoGetInstanceFromFile attempt (netbios.rules)
 * 1:3159 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (netbios.rules)
 * 1:3171 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 4 overflow attempt (netbios.rules)
 * 1:3218 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP winreg OpenKey overflow attempt (netbios.rules)
 * 1:3238 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP irot IrotIsRunning/Revoke overflow attempt (netbios.rules)
 * 1:3239 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (netbios.rules)
 * 1:3398 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt (netbios.rules)
 * 1:3409 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (netbios.rules)
 * 1:3590 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP mqqm QMDeleteObject overflow attempt (netbios.rules)
 * 1:3697 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP veritas bind attempt (netbios.rules)
 * 1:3591 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP mqqm QMDeleteObject overflow attempt (netbios.rules)
 * 1:3967 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_QueryResConfList attempt (netbios.rules)
 * 1:4072 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_DetectResourceConflict attempt (netbios.rules)
 * 1:9228 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP netware_cs NwGetConnectionInformation overflow attempt (netbios.rules)
 * 1:4245 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP msdtc BuildContextW overflow attempt (netbios.rules)
 * 1:4246 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (netbios.rules)
 * 1:4358 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceListSize attempt (netbios.rules)
 * 1:4413 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss AddPrinterEx overflow attempt (netbios.rules)
 * 1:4608 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP netware_cs function 43 overflow attempt (netbios.rules)
 * 1:13367 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss GetPrinterData attempt (netbios.rules)
 * 1:12808 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss OpenPrinter overflow attempt (netbios.rules)
 * 1:12934 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 attempt (netbios.rules)
 * 1:12984 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP srvsvc NetSetFileSecurity integer overflow attempt (netbios.rules)
 * 1:12985 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP srvsvc NetSetFileSecurity integer overflow attempt (netbios.rules)
 * 1:12978 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP mqqm QMCreateObjectInternal overflow attempt (netbios.rules)
 * 1:12940 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 CA call 269 overflow attempt (netbios.rules)
 * 1:12489 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrWkstaGetInfo attempt (netbios.rules)
 * 1:12910 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 attempt (netbios.rules)
 * 1:13162 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters overflow attempt (netbios.rules)
 * 1:12928 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 attempt (netbios.rules)
 * 1:12977 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP mqqm QMCreateObjectInternal overflow attempt (netbios.rules)
 * 1:12922 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 attempt (netbios.rules)
 * 1:12916 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 attempt (netbios.rules)
 * 1:10900 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvEnumRecords overflow attempt (netbios.rules)
 * 1:4754 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP locator nsi_binding_lookup_begin overflow attempt (netbios.rules)
 * 1:4826 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetRootDeviceInstance attempt (netbios.rules)
 * 1:4918 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList dos attempt (netbios.rules)
 * 1:11073 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP rpcss _RemoteGetClassObject attempt (netbios.rules)
 * 1:5095 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP lsass DsRolerGetPrimaryDomainInformation attempt (netbios.rules)
 * 1:5096 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt (netbios.rules)
 * 1:529 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt (netbios.rules)
 * 1:6584 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP rras RasRpcSubmitRequest overflow attempt (netbios.rules)
 * 1:5485 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP llsrpc2 LlsrLicenseRequestW overflow attempt (netbios.rules)
 * 1:11074 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP rpcss _RemoteGetClassObject attempt (netbios.rules)
 * 1:6419 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP msdtc BuildContextW invalid uuid size attempt (netbios.rules)
 * 1:6432 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP msdtc BuildContextW invalid second uuid size attempt (netbios.rules)
 * 1:14988 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum overflow attempt (netbios.rules)
 * 1:11442 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarAddPrivilegesToAccount overflow attempt (netbios.rules)
 * 1:6420 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP msdtc BuildContextW invalid uuid size attempt (netbios.rules)
 * 1:11443 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP lsarpc LsarAddPrivilegesToAccount overflow attempt (netbios.rules)
 * 1:11843 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss AddPrinter overflow attempt (netbios.rules)
 * 1:6431 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP msdtc BuildContextW invalid second uuid size attempt (netbios.rules)
 * 1:6443 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP msdtc BuildContextW heap overflow attempt (netbios.rules)
 * 1:6444 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (netbios.rules)
 * 1:14900 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum overflow attempt (netbios.rules)
 * 1:6455 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP msdtc BuildContext heap overflow attempt (netbios.rules)
 * 1:15169 <-> ENABLED <-> POLICY XBOX Live Kerberos authentication request (policy.rules)
 * 1:12100 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP ca-alert function 16,23 overflow attempt (netbios.rules)
 * 1:12307 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetPagerNotifyConfig attempt (netbios.rules)
 * 1:12317 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc attempt (netbios.rules)
 * 1:12326 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _AddTaskExportLogItem attempt (netbios.rules)
 * 1:12332 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _TakeActionOnAFile attempt (netbios.rules)
 * 1:12335 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_30010 overflow attempt (netbios.rules)
 * 1:13211 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP mqqm QMObjectPathToObjectFormat overflow attempt (netbios.rules)
 * 1:12341 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_a0030 attempt (netbios.rules)
 * 1:12347 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetSvcImpersonateUser attempt (netbios.rules)
 * 1:15448 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP srvsvc NetrShareEnum null policy handle attempt (netbios.rules)
 * 1:13210 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP mqqm QMObjectPathToObjectFormat overflow attempt (netbios.rules)
 * 1:6456 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (netbios.rules)
 * 1:6714 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences phonebook mode overflow attempt (netbios.rules)
 * 1:6810 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences area/country overflow attempt (netbios.rules)
 * 1:6906 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences callback number overflow attempt (netbios.rules)
 * 1:7209 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt (netbios.rules)
 * 1:7722 <-> ENABLED <-> BACKDOOR prorat 1.9 cgi notification detection (backdoor.rules)
 * 1:9027 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrJoinDomain2 overflow attempt (netbios.rules)
 * 1:8925 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrAddAlternateComputerName overflow attempt (netbios.rules)
 * 1:8157 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP webdav DavrCreateConnection hostname overflow attempt (netbios.rules)
 * 3:14737 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP host-integration bind attempt (netbios.rules)
 * 3:14782 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCanonicalize path canonicalization stack overflow attempt (netbios.rules)
 * 3:15015 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrUseAdd/NetrUseGetInfo/NetrUseDel overflow attempt (netbios.rules)
 * 3:14661 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumJobs attempt (netbios.rules)
 * 3:14726 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP mqqm QMGetRemoteQueueName overflow attempt (netbios.rules)
 * 3:15860 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrGetJoinInformation attempt (netbios.rules)
 * 3:16238 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP llsrpc2 LlsrLicenseRequestW overflow attempt (netbios.rules)
 * 3:16239 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP llsrpc2 LlsrLicenseRequestW overflow attempt (netbios.rules)
 * 3:18215 <-> ENABLED <-> NETBIOS NETAPI RPC interface reboot attempt (netbios.rules)
 * 3:14725 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP mqqm QMGetRemoteQueueName overflow attempt (netbios.rules)
 * 3:14783 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP srvsvc NetrpPathCanonicalize path canonicalization stack overflow attempt (netbios.rules)
 * 3:14710 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumJobs attempt (netbios.rules)
 * 3:15528 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (netbios.rules)