Sourcefire VRT Rules Update

Date: 2011-09-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:17721 <-> ENABLED <-> EXPLOIT WINS replication inform2 request memory corruption attempt  (exploit.rules)
 * 1:17709 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer EMBED element memory corruption attempt  (web-client.rules)
 * 1:17695 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint paragraph format array inner header overflow attempt  (web-client.rules)
 * 1:17691 <-> ENABLED <-> EXPLOIT Microsoft Word remote code execution attempt  (exploit.rules)
 * 1:17690 <-> ENABLED <-> EXPLOIT Microsoft Word remote code execution attempt  (exploit.rules)
 * 1:17462 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer marquee object handling memory corruption attempt  (web-client.rules)
 * 1:17142 <-> ENABLED <-> EXPLOIT Adobe Flash Player SWF ActionScript exploit attempt  (exploit.rules)
 * 1:17114 <-> ENABLED <-> WEB-CLIENT Microsoft SilverLight ImageSource remote code execution attempt  (web-client.rules)
 * 1:16636 <-> ENABLED <-> MISC .NET framework XMLDsig data tampering attempt  (misc.rules)
 * 1:16586 <-> ENABLED <-> WEB-CLIENT Microsoft Word Document remote code execution attempt  (web-client.rules)
 * 1:16553 <-> ENABLED <-> EXPLOIT Microsoft Office Excel ptg index parsing code execution attempt  (exploit.rules)
 * 1:16422 <-> ENABLED <-> EXPLOIT JPEG with malformed SOFx field  (exploit.rules)
 * 1:16421 <-> ENABLED <-> EXPLOIT Microsoft PowerPoint out of bounds value remote code execution attempt  (exploit.rules)
 * 1:16417 <-> ENABLED <-> NETBIOS SMB Negotiate Protocol Response overflow attempt  (netbios.rules)
 * 1:16416 <-> ENABLED <-> WEB-CLIENT Malformed XLS MSODrawing Record  (web-client.rules)
 * 1:16414 <-> ENABLED <-> WEB-CLIENT Windows Shell Handler remote code execution attempt  (web-client.rules)
 * 1:16412 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint invalid TextByteAtom remote code execution attempt  (web-client.rules)
 * 1:16411 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint out of bounds value remote code execution attempt  (web-client.rules)
 * 1:16410 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint file LinkedSlide10Atom record parsing heap corruption attempt  (web-client.rules)
 * 1:16409 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint improper filename remote code execution attempt  (web-client.rules)
 * 1:14647 <-> ENABLED <-> NETBIOS SMB Search Search filename size integer underflow attempt  (netbios.rules)
 * 1:14648 <-> ENABLED <-> NETBIOS SMB Search unicode Search filename size integer underflow attempt  (netbios.rules)
 * 1:14649 <-> ENABLED <-> NETBIOS SMB Search Search filename size integer underflow attempt  (netbios.rules)
 * 1:14650 <-> ENABLED <-> NETBIOS SMB Search unicode Search filename size integer underflow attempt  (netbios.rules)
 * 1:14651 <-> ENABLED <-> NETBIOS SMB Search andx Search filename size integer underflow attempt  (netbios.rules)
 * 1:14652 <-> ENABLED <-> NETBIOS SMB Search unicode andx Search filename size integer underflow attempt  (netbios.rules)
 * 1:14653 <-> ENABLED <-> NETBIOS SMB Search andx Search filename size integer underflow attempt  (netbios.rules)
 * 1:14654 <-> ENABLED <-> NETBIOS SMB Search unicode andx Search filename size integer underflow attempt  (netbios.rules)
 * 1:14782 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCanonicalize path canonicalization stack overflow attempt  (netbios.rules)
 * 1:14783 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP srvsvc NetrpPathCanonicalize path canonicalization stack overflow attempt  (netbios.rules)
 * 1:15015 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrUseAdd/NetrUseGetInfo/NetrUseDel overflow attempt  (netbios.rules)
 * 1:15082 <-> ENABLED <-> EXPLOIT rtf malformed dpcallout buffer overflow attempt  (exploit.rules)
 * 1:15083 <-> ENABLED <-> EXPLOIT Microsoft Word .rtf file double free attempt  (exploit.rules)
 * 1:15084 <-> ENABLED <-> WEB-ACTIVEX Microsoft Common Controls Animation Object ActiveX clsid access  (web-activex.rules)
 * 1:15085 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Common Controls Animation Object ActiveX clsid unicode access  (deleted.rules)
 * 1:15086 <-> ENABLED <-> WEB-ACTIVEX Microsoft Common Controls Animation Object ActiveX function call access  (web-activex.rules)
 * 1:15087 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Common Controls Animation Object ActiveX function call unicode access  (deleted.rules)
 * 1:15088 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Charts ActiveX clsid access  (web-activex.rules)
 * 1:15089 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Visual Basic Charts ActiveX clsid unicode access  (deleted.rules)
 * 1:15090 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Charts ActiveX function call access  (web-activex.rules)
 * 1:15091 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Visual Basic Charts ActiveX function call unicode access  (deleted.rules)
 * 1:15092 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic DataGrid ActiveX clsid access  (web-activex.rules)
 * 1:15093 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Visual Basic DataGrid ActiveX clsid unicode access  (deleted.rules)
 * 1:15094 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic DataGrid ActiveX function call access  (web-activex.rules)
 * 1:15095 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Visual Basic DataGrid ActiveX function call unicode access  (deleted.rules)
 * 1:15096 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic FlexGrid ActiveX clsid access  (web-activex.rules)
 * 1:15097 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Visual Basic FlexGrid ActiveX clsid unicode access  (deleted.rules)
 * 1:15098 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic FlexGrid ActiveX function call access  (web-activex.rules)
 * 1:15099 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Visual Basic FlexGrid ActiveX function call unicode access  (deleted.rules)
 * 1:15100 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Hierarchical FlexGrid ActiveX clsid access  (web-activex.rules)
 * 1:15101 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Visual Basic Hierarchical FlexGrid ActiveX clsid unicode access  (deleted.rules)
 * 1:15102 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual Basic Hierarchical FlexGrid ActiveX function call access  (web-activex.rules)
 * 1:15103 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Visual Basic Hierarchical FlexGrid ActiveX function call unicode access  (deleted.rules)
 * 1:15104 <-> ENABLED <-> WEB-CLIENT Visual Basic 6.0 malformed AVI buffer overflow attempt  (web-client.rules)
 * 1:15107 <-> ENABLED <-> WEB-CLIENT Microsoft Word .rtf file stylesheet buffer overflow attempt  (web-client.rules)
 * 1:15108 <-> ENABLED <-> WEB-CLIENT Microsoft Office Sharepoint Server elevation of privilege exploit attempt  (web-client.rules)
 * 1:15109 <-> ENABLED <-> WEB-ACTIVEX Shell.Explorer 1 ActiveX clsid access  (web-activex.rules)
 * 1:15110 <-> DISABLED <-> DELETED WEB-ACTIVEX Shell.Explorer 1 ActiveX clsid unicode access  (deleted.rules)
 * 1:15111 <-> DISABLED <-> DELETED WEB-ACTIVEX Shell.Explorer 2 ActiveX clsid unicode access  (deleted.rules)
 * 1:15112 <-> ENABLED <-> WEB-ACTIVEX Shell.Explorer 2 ActiveX function call access  (web-activex.rules)
 * 1:15113 <-> DISABLED <-> DELETED WEB-ACTIVEX Shell.Explorer 2 ActiveX function call unicode access  (deleted.rules)
 * 1:15114 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer embed src buffer overflow attempt  (web-client.rules)
 * 1:15115 <-> ENABLED <-> WEB-CLIENT WebDAV pathname buffer overflow attempt  (web-client.rules)
 * 1:15116 <-> ENABLED <-> WEB-CLIENT Windows search protocol handler access attempt  (web-client.rules)
 * 1:15122 <-> ENABLED <-> WEB-ACTIVEX Shell.Explorer 2 ActiveX clsid access  (web-activex.rules)
 * 1:15196 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE unicode param_count underflow attempt  (netbios.rules)
 * 1:15197 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE param_count underflow attempt  (netbios.rules)
 * 1:15198 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE unicode param_count underflow attempt  (netbios.rules)
 * 1:15199 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE param_count underflow attempt  (netbios.rules)
 * 1:15200 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE unicode andx param_count underflow attempt  (netbios.rules)
 * 1:15201 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE andx param_count underflow attempt  (netbios.rules)
 * 1:15202 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE unicode andx param_count underflow attempt  (netbios.rules)
 * 1:15203 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE andx param_count underflow attempt  (netbios.rules)
 * 1:15204 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE unicode max_param_count underflow attempt  (netbios.rules)
 * 1:15205 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE unicode max_param_count underflow attempt  (netbios.rules)
 * 1:15206 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE max_param_count underflow attempt  (netbios.rules)
 * 1:15207 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE max_param_count underflow attempt  (netbios.rules)
 * 1:15208 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt  (netbios.rules)
 * 1:15209 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt  (netbios.rules)
 * 1:15210 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE andx max_param_count underflow attempt  (netbios.rules)
 * 1:15211 <-> ENABLED <-> NETBIOS SMB NT Trans NT CREATE andx max_param_count underflow attempt  (netbios.rules)
 * 1:15212 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 max_param_count underflow attempt  (netbios.rules)
 * 1:15213 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 unicode max_param_count underflow attempt  (netbios.rules)
 * 1:15214 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 max_param_count underflow attempt  (netbios.rules)
 * 1:15215 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 unicode max_param_count underflow attempt  (netbios.rules)
 * 1:15216 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 andx max_param_count underflow attempt  (netbios.rules)
 * 1:15217 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt  (netbios.rules)
 * 1:15218 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 andx max_param_count underflow attempt  (netbios.rules)
 * 1:15219 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt  (netbios.rules)
 * 1:15220 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 unicode param_count underflow attempt  (netbios.rules)
 * 1:15221 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 param_count underflow attempt  (netbios.rules)
 * 1:15222 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 param_count underflow attempt  (netbios.rules)
 * 1:15223 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 unicode param_count underflow attempt  (netbios.rules)
 * 1:15224 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 unicode andx param_count underflow attempt  (netbios.rules)
 * 1:15225 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 andx param_count underflow attempt  (netbios.rules)
 * 1:15226 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 andx param_count underflow attempt  (netbios.rules)
 * 1:15227 <-> ENABLED <-> NETBIOS SMB Trans2 OPEN2 unicode andx param_count underflow attempt  (netbios.rules)
 * 1:15299 <-> ENABLED <-> WEB-CLIENT Microsoft Office Visio invalid ho tag attempt  (web-client.rules)
 * 1:15302 <-> ENABLED <-> DOS Microsoft Exchange System Attendant denial of service attempt  (dos.rules)
 * 1:15303 <-> ENABLED <-> WEB-CLIENT Malformed Visio IconBitsComponent arbitrary code execution attempt  (web-client.rules)
 * 1:15304 <-> ENABLED <-> WEB-CLIENT Internet Explorer object clone deletion memory corruption attempt  (web-client.rules)
 * 1:15305 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer dynamic style update memory corruption attempt  (web-client.rules)
 * 1:15386 <-> ENABLED <-> BAD-TRAFFIC wpad dynamic update request  (bad-traffic.rules)
 * 1:15387 <-> ENABLED <-> NETBIOS udp WINS WPAD registration attempt  (netbios.rules)
 * 1:15455 <-> ENABLED <-> EXPLOIT WordPad and Office Text Converters XST parsing buffer overflow attempt  (exploit.rules)
 * 1:15457 <-> ENABLED <-> EXPLOIT DirectShow MJPEG arbitrary code execution attempt  (exploit.rules)
 * 1:15458 <-> ENABLED <-> EXPLOIT Internet Explorer navigating between pages race condition attempt  (exploit.rules)
 * 1:15459 <-> ENABLED <-> EXPLOIT Internet Explorer deleted/unitialized object memory corruption attempt  (exploit.rules)
 * 1:15460 <-> ENABLED <-> EXPLOIT Internet Explorer ActiveX load/unload race condition attempt  (exploit.rules)
 * 1:15461 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer marquee tag onstart memory corruption  (web-client.rules)
 * 1:15466 <-> ENABLED <-> EXPLOIT WordPad WordPerfect 6.x converter buffer overflow attempt  (exploit.rules)
 * 1:15467 <-> ENABLED <-> EXPLOIT WordPad and Office Text Converters PlcPcd aCP buffer overflow attempt  (exploit.rules)
 * 1:15469 <-> ENABLED <-> WEB-CLIENT Microsoft WordPad and Office text converters integer underflow attempt  (web-client.rules)
 * 1:15475 <-> ENABLED <-> WEB-CLIENT ISA Server cross-site scripting attempt  (web-client.rules)
 * 1:15499 <-> ENABLED <-> WEB-CLIENT PowerPoint 95 converter CString in ExEmbed container buffer overflow attempt  (web-client.rules)
 * 1:15500 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint LinkedSlide memory corruption  (web-client.rules)
 * 1:15501 <-> ENABLED <-> WEB-CLIENT Microsoft Powerpoint ParaBuildAtom memory corruption attempt  (web-client.rules)
 * 1:15502 <-> ENABLED <-> WEB-CLIENT Microsoft Powerpoint DiagramBuildContainer memory corruption attempt  (web-client.rules)
 * 1:15504 <-> ENABLED <-> WEB-CLIENT Download of PowerPoint 4.0 file  (web-client.rules)
 * 1:15505 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint HashCode10Atom memory corruption attempt  (web-client.rules)
 * 1:15506 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint CurrentUserAtom remote code execution attempt  (web-client.rules)
 * 1:15517 <-> ENABLED <-> WEB-CLIENT AVI DirectShow quicktime parsing overflow attempt  (web-client.rules)
 * 1:15523 <-> ENABLED <-> EXPLOIT srvsvc NetrShareEnum netname overflow attempt  (exploit.rules)
 * 1:15524 <-> ENABLED <-> EXPLOIT Microsoft Word remote code execution attempt  (exploit.rules)
 * 1:15525 <-> ENABLED <-> EXPLOIT Microsoft Word remote code execution attempt  (exploit.rules)
 * 1:15527 <-> ENABLED <-> EXPLOIT Microsoft Active Directory LDAP denial of service attempt  (exploit.rules)
 * 1:15531 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer Unexpected method call remote code execution attempt  (web-client.rules)
 * 1:15534 <-> ENABLED <-> WEB-CLIENT IE XML HttpRequest race condition exploit attempt  (web-client.rules)
 * 1:15535 <-> ENABLED <-> WEB-CLIENT IE setCapture heap corruption exploit attempt  (web-client.rules)
 * 1:15536 <-> ENABLED <-> WEB-CLIENT IE invalid object modification exploit attempt  (web-client.rules)
 * 1:15538 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer onreadystatechange memory corruption attempt  (web-client.rules)
 * 1:15539 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel Formula record remote code execution attempt  (web-client.rules)
 * 1:15540 <-> ENABLED <-> WEB-CLIENT Microsoft IE DOM memory corruption attempt  (web-client.rules)
 * 1:15541 <-> ENABLED <-> WEB-CLIENT Excel SST record remote code execution attempt  (web-client.rules)
 * 1:15542 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel Qsir and Qsif record remote code execution attempt  (web-client.rules)
 * 1:15680 <-> ENABLED <-> EXPLOIT Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt  (exploit.rules)
 * 1:15681 <-> ENABLED <-> EXPLOIT Publisher 2007 file format arbitrary code execution attempt  (exploit.rules)
 * 1:15682 <-> ENABLED <-> WEB-CLIENT Microsoft DirectShow QuickTime file stsc atom parsing heap corruption attempt  (web-client.rules)
 * 1:15685 <-> ENABLED <-> WEB-ACTIVEX Microsoft Office Web Components 10 Spreadsheet ActiveX clsid access  (web-activex.rules)
 * 1:15686 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Office Web Components 10 Spreadsheet ActiveX clsid unicode access  (deleted.rules)
 * 1:15687 <-> ENABLED <-> WEB-ACTIVEX Microsoft Office Web Components 10 Spreadsheet ActiveX function call access  (web-activex.rules)
 * 1:15688 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Office Web Components 10 Spreadsheet ActiveX function call unicode access  (deleted.rules)
 * 1:15689 <-> ENABLED <-> WEB-ACTIVEX Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access  (web-activex.rules)
 * 1:15690 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Office Web Components 11 Spreadsheet ActiveX clsid unicode access  (deleted.rules)
 * 1:15691 <-> ENABLED <-> WEB-ACTIVEX Microsoft Office Web Components 11 Spreadsheet ActiveX function call access  (web-activex.rules)
 * 1:15692 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Office Web Components 11 Spreadsheet ActiveX function call unicode access  (deleted.rules)
 * 1:15693 <-> ENABLED <-> WEB-CLIENT Embedded Open Type Font malformed name table overflow attempt  (web-client.rules)
 * 1:15694 <-> ENABLED <-> WEB-CLIENT Embedded Open Type Font malformed name table integer overflow attempt   (web-client.rules)
 * 1:15695 <-> ENABLED <-> WEB-CLIENT Embedded Open Type Font malformed name table platform type 3 integer overflow attempt   (web-client.rules)
 * 1:15731 <-> ENABLED <-> EXPLOIT javascript deleted reference arbitrary code execution attempt  (exploit.rules)
 * 1:15732 <-> ENABLED <-> EXPLOIT Microsoft Internet Explorer CSS handling memory corruption attempt  (exploit.rules)
 * 1:15849 <-> ENABLED <-> EXPLOIT WINS replication inform2 request memory corruption attempt  (exploit.rules)
 * 1:15850 <-> ENABLED <-> EXPLOIT Remote Desktop orderType remote code execution attempt  (exploit.rules)
 * 1:15854 <-> ENABLED <-> WEB-CLIENT Microsoft Windows AVIFile media file processing memory corruption attempt  (web-client.rules)
 * 1:15860 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrGetJoinInformation attempt  (netbios.rules)
 * 1:15861 <-> ENABLED <-> WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX clsid access   (web-activex.rules)
 * 1:15862 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX clsid unicode access   (deleted.rules)
 * 1:15863 <-> ENABLED <-> WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX function call access   (web-activex.rules)
 * 1:15864 <-> DISABLED <-> DELETED WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX function call unicode access   (deleted.rules)
 * 1:15913 <-> ENABLED <-> WEB-CLIENT javascript arguments keyword override rce attempt  (web-client.rules)
 * 1:15914 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media sample duration header RCE attempt  (web-client.rules)
 * 1:15915 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media Timecode header RCE attempt  (web-client.rules)
 * 1:15916 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media file name header RCE attempt  (web-client.rules)
 * 1:15917 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media content type header RCE attempt  (web-client.rules)
 * 1:15918 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media pixel aspect ratio header RCE attempt  (web-client.rules)
 * 1:15919 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media encryption sample ID header RCE attempt  (web-client.rules)
 * 1:16149 <-> ENABLED <-> EXPLOIT Microsoft Internet Explorer data stream header remote code execution attempt  (exploit.rules)
 * 1:16151 <-> ENABLED <-> WEB-CLIENT Internet Explorer unitialized or deleted object access attempt  (web-client.rules)
 * 1:16152 <-> ENABLED <-> EXPLOIT Internet Explorer table layout unitialized or deleted object access attempt  (exploit.rules)
 * 1:16153 <-> ENABLED <-> WEB-CLIENT malformed WMF meta escape record memory corruption  (web-client.rules)
 * 1:16155 <-> ENABLED <-> WEB-CLIENT Internet Explorer indexing service malformed parameters  (web-client.rules)
 * 1:16157 <-> ENABLED <-> WEB-CLIENT malformed ASF voice codec memory corruption  (web-client.rules)
 * 1:16167 <-> ENABLED <-> DOS Microsoft LSASS integer wrap denial of service attempt  (dos.rules)
 * 1:16168 <-> ENABLED <-> DOS Microsoft SMBv2 integer overflow denial of service attempt  (dos.rules)
 * 1:16169 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer dynamic style update memory corruption attempt  (web-client.rules)
 * 1:16172 <-> ENABLED <-> EXPLOIT Adobe Acrobat Reader U3D line set heap corruption attempt  (exploit.rules)
 * 1:16173 <-> ENABLED <-> EXPLOIT Adobe Acrobat Reader U3D progressive mesh continuation pointer overwrite attempt  (exploit.rules)
 * 1:16174 <-> ENABLED <-> EXPLOIT Adobe Acrobat Reader U3D progressive mesh continuation off by one index attempt  (exploit.rules)
 * 1:16175 <-> ENABLED <-> EXPLOIT Adobe collab.removeStateModel denial of service attempt  (exploit.rules)
 * 1:16176 <-> ENABLED <-> EXPLOIT Adobe collab.addStateModel remote corruption attempt  (exploit.rules)
 * 1:16177 <-> ENABLED <-> EXPLOIT Microsoft GDI+ Word file Office Art Property Table remote code execution attempt  (exploit.rules)
 * 1:16178 <-> ENABLED <-> EXPLOIT Microsoft GDI+ Excel file Office Art Property Table remote code execution attempt  (exploit.rules)
 * 1:16181 <-> ENABLED <-> WEB-CLIENT Windows CryptoAPI ASN.1 integer overflow attempt  (web-client.rules)
 * 1:16183 <-> ENABLED <-> WEB-CLIENT Microsoft .NET MSIL CombineImpl suspicious usage  (web-client.rules)
 * 1:16184 <-> ENABLED <-> EXPLOIT Microsoft GDI+ TIFF file parsing heap overflow attempt  (exploit.rules)
 * 1:16185 <-> ENABLED <-> EXPLOIT Microsoft GDI+ compressed TIFF file parsing remote code execution attempt  (exploit.rules)
 * 1:16186 <-> ENABLED <-> WEB-CLIENT Microsoft GDI+ interlaced PNG file parsing heap overflow attempt  (web-client.rules)
 * 1:16187 <-> ENABLED <-> EXPLOIT DirectShow MJPEG arbitrary code execution attempt  (exploit.rules)
 * 1:16220 <-> ENABLED <-> WEB-CLIENT Adobe Shockwave director file malformed lcsr block memory corruption attempt  (web-client.rules)
 * 1:16221 <-> ENABLED <-> EXPLOIT Microsoft ISA and Forefront Threat Management Web Proxy TCP Listener denial of service attempt  (exploit.rules)
 * 1:16223 <-> ENABLED <-> WEB-CLIENT Adobe Shockwave tSAC pointer overwrite attempt  (web-client.rules)
 * 1:16225 <-> ENABLED <-> EXPLOIT Adobe Shockwave arbitrary memory access attempt  (exploit.rules)
 * 1:16226 <-> ENABLED <-> EXPLOIT Microsoft Office Excel integer field in row record improper validation remote code execution attempt  (exploit.rules)
 * 1:16229 <-> ENABLED <-> WEB-CLIENT Microsoft Excel oversized ib memory corruption attempt  (web-client.rules)
 * 1:16231 <-> ENABLED <-> WEB-CLIENT Windows kernel-mode drivers core font parsing integer overflow attempt  (web-client.rules)
 * 1:16233 <-> ENABLED <-> EXPLOIT Microsoft Excel oversized ptgFuncVar cparams value buffer overflow attempt  (exploit.rules)
 * 1:16234 <-> ENABLED <-> WEB-CLIENT Microsoft Word Document remote code execution attempt  (web-client.rules)
 * 1:16235 <-> ENABLED <-> EXPLOIT Microsoft Excel file SXDB record exploit attempt  (exploit.rules)
 * 1:16236 <-> ENABLED <-> WEB-CLIENT Microsoft Excel file SxView record exploit attempt  (web-client.rules)
 * 1:16238 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP llsrpc2 LlsrLicenseRequestW overflow attempt  (netbios.rules)
 * 1:16239 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP llsrpc2 LlsrLicenseRequestW overflow attempt  (netbios.rules)
 * 1:16240 <-> ENABLED <-> EXPLOIT Microsoft Excel file Window/Pane record exploit attempt  (exploit.rules)
 * 1:16241 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel FeatHdr BIFF record remote code execution attempt  (web-client.rules)
 * 1:16294 <-> ENABLED <-> EXPLOIT Microsoft Windows TCP stack zero window size exploit attempt  (exploit.rules)
 * 1:16312 <-> ENABLED <-> WEB-IIS ADFS custom header arbitrary code execution attempt  (web-iis.rules)
 * 1:16314 <-> ENABLED <-> EXPLOIT Microsoft WordPad and Office text converter integer overflow attempt  (exploit.rules)
 * 1:16315 <-> ENABLED <-> WEB-MISC Adobe Flash PlugIn check if file exists attempt  (web-misc.rules)
 * 1:16316 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player malformed getPropertyLate actioncode attempt  (web-client.rules)
 * 1:16317 <-> ENABLED <-> EXPLOIT Internet Explorer mouse move during refresh memory corruption attempt  (exploit.rules)
 * 1:16318 <-> ENABLED <-> WEB-CLIENT Microsoft Office Visio invalid ho tag attempt  (web-client.rules)
 * 1:16321 <-> ENABLED <-> WEB-CLIENT Adobe tiff oversized image length attempt  (web-client.rules)
 * 1:16322 <-> ENABLED <-> WEB-CLIENT Adobe Reader oversized object width attempt  (web-client.rules)
 * 1:16323 <-> ENABLED <-> EXPLOIT Adobe JPEG2k uninitialized QCC memory corruption attempt  (exploit.rules)
 * 1:16324 <-> ENABLED <-> WEB-CLIENT Adobe doc.export arbitrary file write attempt  (web-client.rules)
 * 1:16325 <-> ENABLED <-> SPECIFIC-THREATS Adobe JPEG2k uninitialized QCC memory corruption attempt  (specific-threats.rules)
 * 1:16326 <-> ENABLED <-> EXPLOIT Microsoft Internet Explorer 8 DOM memory corruption attempt  (exploit.rules)
 * 1:16327 <-> ENABLED <-> EXPLOIT Microsoft Windows GDIplus TIFF RLE compressed data buffer overflow attempt  (exploit.rules)
 * 1:16328 <-> ENABLED <-> EXPLOIT Microsoft Office Project file parsing arbitrary memory access attempt  (exploit.rules)
 * 1:16330 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer orphan DOM objects memory corruption attempt  (web-client.rules)
 * 1:16331 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player JPEG parsing heap overflow attempt  (web-client.rules)
 * 1:20231 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string Mozilla//4.0 (blacklist.rules)
 * 1:20230 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string 0pera 10 (blacklist.rules)
 * 1:20229 <-> ENABLED <-> BOTNET-CNC Win32.Jinchodz variant outbound connection (botnet-cnc.rules)
 * 1:20228 <-> ENABLED <-> BOTNET-CNC Win32.Hupigon variant outbound connection (botnet-cnc.rules)
 * 1:20227 <-> ENABLED <-> EXPLOIT VideoLAN VLC webm memory corruption attempt (exploit.rules)
 * 1:20225 <-> ENABLED <-> NETBIOS SMI file download request (netbios.rules)
 * 1:20226 <-> ENABLED <-> NETBIOS MPlayer SMI file buffer overflow attempt (netbios.rules)
 * 1:20224 <-> ENABLED <-> WEB-CLIENT MPlayer SMI file buffer overflow attempt (web-client.rules)
 * 1:20223 <-> ENABLED <-> WEB-CLIENT SMI file download request (web-client.rules)
 * 1:20222 <-> DISABLED <-> BACKDOOR Trojan.Win32.Payazol.B outbound connection (backdoor.rules)
 * 1:20221 <-> DISABLED <-> BOTNET-CNC Trojan.Injector outbound connection (botnet-cnc.rules)
 * 1:20220 <-> DISABLED <-> SPYWARE-PUT Adware.Wizpop outbound connection (spyware-put.rules)
 * 1:20219 <-> DISABLED <-> BACKDOOR Win32.ToriaSpy.A outbound connection (backdoor.rules)
 * 1:20218 <-> DISABLED <-> BACKDOOR Win32.Ramagedos.A outbound connection (backdoor.rules)
 * 1:20217 <-> DISABLED <-> BACKDOOR Win32.Ramagedos.A outbound connection (backdoor.rules)
 * 1:20216 <-> DISABLED <-> SCADA Beckhoff TwinCAT DoS (scada.rules)
 * 1:20215 <-> DISABLED <-> SCADA Measuresoft ScadaPro directory traversal file operation attempt (scada.rules)
 * 1:20214 <-> DISABLED <-> SCADA Measuresoft ScadaPro msvcrt.dll local command execution attempt (scada.rules)
 * 1:20213 <-> ENABLED <-> BOTNET-CNC Win32.Swisyn variant outbound connection (botnet-cnc.rules)
 * 1:18401 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Internet Explorer Base64 encoded script overflow attempt  (web-client.rules)
 * 1:18399 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel BRAI record remote code execution attempt  (specific-threats.rules)
 * 1:17742 <-> ENABLED <-> EXPLOIT Microsoft Word remote code execution attempt  (exploit.rules)
 * 1:17731 <-> ENABLED <-> BAD-TRAFFIC wpad dynamic update request  (bad-traffic.rules)
 * 1:17723 <-> ENABLED <-> NETBIOS possible SMB replay attempt - overlapping encryption keys detected  (netbios.rules)
 * 1:16404 <-> ENABLED <-> NETBIOS SMB unicode invalid server name share access  (netbios.rules)
 * 1:16403 <-> ENABLED <-> NETBIOS SMB unicode andx invalid server name share access  (netbios.rules)
 * 1:16402 <-> ENABLED <-> NETBIOS SMB invalid server name share access  (netbios.rules)
 * 1:16401 <-> ENABLED <-> NETBIOS SMB andx invalid server name share access  (netbios.rules)
 * 1:16400 <-> ENABLED <-> NETBIOS SMB unicode invalid server name share access  (netbios.rules)
 * 1:16399 <-> ENABLED <-> NETBIOS SMB unicode andx invalid server name share access  (netbios.rules)
 * 1:16398 <-> ENABLED <-> NETBIOS SMB invalid server name share access  (netbios.rules)
 * 1:16397 <-> ENABLED <-> NETBIOS SMB andx invalid server name share access  (netbios.rules)
 * 1:16389 <-> DISABLED <-> DELETED WEB-ACTIVEX AcroPDF.PDF ActiveX function call unicode access  (deleted.rules)
 * 1:16388 <-> ENABLED <-> WEB-ACTIVEX AcroPDF.PDF ActiveX function call access  (web-activex.rules)
 * 1:16387 <-> DISABLED <-> DELETED WEB-ACTIVEX AcroPDF.PDF ActiveX clsid unicode access  (deleted.rules)
 * 1:16386 <-> ENABLED <-> WEB-ACTIVEX AcroPDF.PDF ActiveX clsid access  (web-activex.rules)
 * 1:16378 <-> ENABLED <-> WEB-CLIENT Internet Explorer deleted object cells reference memory corruption vulnerability  (web-client.rules)
 * 1:16377 <-> ENABLED <-> EXPLOIT Internet Explorer DOM mergeAttributes memory corruption attempt  (exploit.rules)
 * 1:16376 <-> ENABLED <-> EXPLOIT Internet Explorer onPropertyChange deleteTable memory corruption attempt  (exploit.rules)
 * 1:16373 <-> ENABLED <-> WEB-CLIENT Adobe Acrobat Reader U3D CLODMeshContinuation code execution attempt  (web-client.rules)
 * 1:16372 <-> DISABLED <-> DELETED WEB-ACTIVEX NOS Microsystems Adobe atl_getcom ActiveX clsid unicode access  (deleted.rules)
 * 1:16371 <-> ENABLED <-> WEB-ACTIVEX NOS Microsystems Adobe atl_getcom ActiveX clsid access  (web-activex.rules)
 * 1:16366 <-> ENABLED <-> EXPLOIT Microsoft embedded OpenType font engine LZX decompression buffer overflow attempt  (exploit.rules)
 * 1:16342 <-> ENABLED <-> WEB-CLIENT Microsoft Windows AVIFile truncated media file processing memory corruption attempt  (web-client.rules)
 * 1:16338 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media extended stream properties object RCE attempt  (web-client.rules)
 * 1:16339 <-> ENABLED <-> WEB-CLIENT Internet Explorer object clone deletion memory corruption attempt - obfuscated  (web-client.rules)

Modified Rules:

 * 1:18353 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string SelectRebates (blacklist.rules)
 * 1:20070 <-> ENABLED <-> WEB-CLIENT BIN file download request (web-client.rules)
 * 1:4135 <-> DISABLED <-> WEB-CLIENT IE JPEG heap overflow single packet attempt (web-client.rules)
 * 1:4136 <-> DISABLED <-> WEB-CLIENT IE JPEG heap overflow multipacket attempt (web-client.rules)
 * 1:5741 <-> ENABLED <-> WEB-CLIENT Microsoft HTML help workshop buffer overflow attempt (web-client.rules)
 * 3:15450 <-> ENABLED <-> BAD-TRAFFIC Conficker C/D DNS traffic detected (bad-traffic.rules)
 * 3:15449 <-> ENABLED <-> BAD-TRAFFIC Conficker A/B DNS traffic detected (bad-traffic.rules)