Sourcefire VRT Rules Update

Date: 2011-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.1.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:20721 <-> ENABLED <-> WEB-CLIENT Microsoft Publisher PLC object memory corruption attempt (web-client.rules)
 * 1:20702 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint pp7x32.dll dll-load exploit attempt (web-client.rules)
 * 1:20724 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Word border use-after-free attempt (specific-threats.rules)
 * 1:20725 <-> DISABLED <-> DOS Sun Solaris in.rwhod hostname denial of service attempt (dos.rules)
 * 1:20692 <-> DISABLED <-> WEB-MISC Cisco network registrar default credentials authentication attempt (web-misc.rules)
 * 1:20699 <-> ENABLED <-> EXPLOIT Microsoft Internet Explorer XSRF timing attack against XSS filter (exploit.rules)
 * 1:20682 <-> ENABLED <-> BOTNET-CNC Trojan-Downloader.Win32.Agent.NMS connect to cnc-server attempt (botnet-cnc.rules)
 * 1:20718 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel Lel record memory corruption attempt (specific-threats.rules)
 * 1:20669 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - w.php?f= (blacklist.rules)
 * 1:20684 <-> ENABLED <-> BOTNET-CNC Cleanvaccine connect to cnc-server attempt (botnet-cnc.rules)
 * 1:20726 <-> DISABLED <-> WEB-MISC F-Secure web console username overflow attempt (web-misc.rules)
 * 1:20679 <-> ENABLED <-> BOTNET-CNC Backdoor.Win32.Syrutrk connect to cnc-server attempt (botnet-cnc.rules)
 * 1:20696 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Ransom.CK connect to cnc server attempt (botnet-cnc.rules)
 * 1:20667 <-> DISABLED <-> EXPLOIT Mozilla Thunderbird / SeaMonkey Content-Type header buffer overflow attempt (exploit.rules)
 * 1:20701 <-> ENABLED <-> NETBIOS Microsoft PowerPoint pp4x322.dll dll-load exploit attempt (netbios.rules)
 * 1:20693 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Blackcontrol.A contact to cnc-server attempt (botnet-cnc.rules)
 * 1:20665 <-> DISABLED <-> WEB-IIS Microsoft Windows IIS UNC mapped virtual host file source code access attempt (web-iis.rules)
 * 1:20664 <-> DISABLED <-> WEB-IIS Microsoft Windows IIS UNC mapped virtual host file source code access attempt (web-iis.rules)
 * 1:20735 <-> ENABLED <-> SPECIFIC-THREATS Microsoft TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (specific-threats.rules)
 * 1:20671 <-> ENABLED <-> EXPLOIT Microsoft Windows Active Directory Crafted LDAP ModifyRequest (exploit.rules)
 * 1:20707 <-> ENABLED <-> WEB-ACTIVEX Dell IT Assistant ActiveX clsid access (web-activex.rules)
 * 1:20689 <-> ENABLED <-> BOTNET-CNC Trojan-Spy.Win32.Zbot.Jeib connect to cnc-server attempt (botnet-cnc.rules)
 * 1:20713 <-> ENABLED <-> WEB-ACTIVEX HP Photo Creative ActiveX clsid access (web-activex.rules)
 * 1:20676 <-> ENABLED <-> BOTNET-CNC Backdoor.Win32.EggDrop.acn connect to cnc-server attempt (botnet-cnc.rules)
 * 1:20710 <-> ENABLED <-> WEB-ACTIVEX HP Photo Creative ActiveX clsid access (web-activex.rules)
 * 1:20730 <-> DISABLED <-> WEB-CLIENT Mozilla XBL.method.eval call (web-client.rules)
 * 1:20674 <-> DISABLED <-> WEB-PHP Sourceforge Gallery search engine cross-site scripting attempt (web-php.rules)
 * 1:20720 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Publisher 2003 EscherStm memory corruption attempt (specific-threats.rules)
 * 1:20712 <-> ENABLED <-> WEB-ACTIVEX HP Photo Creative ActiveX clsid access (web-activex.rules)
 * 1:20663 <-> ENABLED <-> WEB-PHP Comet WebFileManager remote file include in CheckUpload.php Language (web-php.rules)
 * 1:20716 <-> ENABLED <-> WEB-ACTIVEX Yahoo! CD Player ActiveX clsid access (web-activex.rules)
 * 1:20705 <-> ENABLED <-> WEB-ACTIVEX Microsoft Time DATIME.DLL ActiveX clsid access (web-activex.rules)
 * 1:20700 <-> ENABLED <-> NETBIOS Microsoft PowerPoint pp7x32.dll dll-load exploit attempt (netbios.rules)
 * 1:20672 <-> DISABLED <-> FILE-IDENTIFY xspf file download attempt (file-identify.rules)
 * 1:20660 <-> ENABLED <-> SPECIFIC-THREATS sl.php script injection (specific-threats.rules)
 * 1:20732 <-> ENABLED <-> WEB-PHP Sabdrimer remote file include in advanced1.php pluginpath[0] (web-php.rules)
 * 1:20690 <-> ENABLED <-> SPECIFIC-THREAT Quest NetVault SmartDisk libnvbasics.dll denial of service attempt (specific-threats.rules)
 * 1:20695 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Banker.GZW connect to cnc server attempt (botnet-cnc.rules)
 * 1:20691 <-> DISABLED <-> WEB-MISC Cisco Network Registrar default credentials authentication attempt (web-misc.rules)
 * 1:20711 <-> ENABLED <-> WEB-ACTIVEX HP Photo Creative ActiveX clsid access (web-activex.rules)
 * 1:20685 <-> ENABLED <-> BOTNET-CNC Backdoor.Win32.Heloag.A connect to cnc-server attempt (botnet-cnc.rules)
 * 1:20678 <-> ENABLED <-> BOTNET-CNC Trojan-Downloader.Win32.Genome.aior contact to cnc-server attempt (botnet-cnc.rules)
 * 1:20686 <-> ENABLED <-> BOTNET-CNC Backdoor.Win32.Virut.BM connect to client attempt (botnet-cnc.rules)
 * 1:20681 <-> ENABLED <-> BOTNET-CNC Trojan-Downloader.Win32.Agent.NMS connect to cnc-server attempt (botnet-cnc.rules)
 * 1:20698 <-> DISABLED <-> WEB-CLIENT Telnet protocol specifier command injection attempt (web-client.rules)
 * 1:20728 <-> ENABLED <-> WEB-PHP WoW Roster remote file include with hslist.php and conf.php (web-php.rules)
 * 1:20706 <-> ENABLED <-> WEB-ACTIVEX Microsoft Time DATIME.DLL ActiveX clsid access (web-activex.rules)
 * 1:20733 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Media Player DVR file download request (file-identify.rules)
 * 1:20666 <-> DISABLED <-> EXPLOIT Mozilla Thunderbird / SeaMonkey Content-Type header buffer overflow attempt (exploit.rules)
 * 1:20709 <-> ENABLED <-> WEB-ACTIVEX HP Photo Creative ActiveX clsid access (web-activex.rules)
 * 1:20734 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media Player digital video recording buffer overflow attempt (web-client.rules)
 * 1:20680 <-> ENABLED <-> WEB-PHP Flashchat remote file include in aedating4CMS.php (web-php.rules)
 * 1:20668 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /content/v1.jar (blacklist.rules)
 * 1:20727 <-> DISABLED <-> WEB-CLIENT Mozilla Firefox user interface event dispatcher dos attempt (web-client.rules)
 * 1:20697 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Ransom.CK connect to cnc server attempt (botnet-cnc.rules)
 * 1:20703 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint pp4x322.dll dll-load exploit attempt (web-client.rules)
 * 1:20729 <-> DISABLED <-> WEB-CLIENT Mozilla XBL object valueOf code execution attempt (web-client.rules)
 * 1:20719 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Publisher Opltc memory corruption attempt (specific-threats.rules)
 * 1:20662 <-> ENABLED <-> SPECIFIC-THREATS Dameware Mini Remote Control username buffer overflow (specific-threats.rules)
 * 1:20722 <-> ENABLED <-> WEB-CLIENT Microsoft Powerpoint invalid OfficeArtBlipDIB record exploit attempt (web-client.rules)
 * 1:20715 <-> ENABLED <-> WEB-ACTIVEX HP Photo Creative ActiveX clsid access (web-activex.rules)
 * 1:20677 <-> ENABLED <-> BOTNET-CNC Backdoor.Win32.EggDrop.acn connect to cnc-server attempt (botnet-cnc.rules)
 * 1:20731 <-> ENABLED <-> WEB-PHP TSEP remote file include in colorswitch.php tsep_config[absPath] (web-php.rules)
 * 1:20704 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer #default#time behavior attack attempt (web-activex.rules)
 * 1:20675 <-> DISABLED <-> WEB-IIS Microsoft Active Directory Federation Services code execution attempt (web-iis.rules)
 * 1:20683 <-> ENABLED <-> BOTNET-CNC Cleanvaccine connect to cnc-server attempt (botnet-cnc.rules)
 * 1:20673 <-> DISABLED <-> EXPLOIT invalid VLC media player SMB URI download attempt (exploit.rules)
 * 1:20723 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word docx file download request (file-identify.rules)
 * 1:20688 <-> ENABLED <-> BOTNET-CNC Trojan-Spy.Win32.Zbot.Jeib connect to cnc-server attempt (botnet-cnc.rules)
 * 1:20717 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows OLE versioned stream missing data stream (specific-threats.rules)
 * 1:20661 <-> ENABLED <-> BOTNET-CNC Simbda variant outbound connection (botnet-cnc.rules)
 * 1:20714 <-> ENABLED <-> WEB-ACTIVEX HP Photo Creative ActiveX clsid access (web-activex.rules)
 * 1:20670 <-> ENABLED <-> SPECIFIC-THREATS Asterisk data length field overflow attempt (specific-threats.rules)
 * 1:20687 <-> ENABLED <-> BOTNET-CNC Trojan-Downloader.Win32.Genome.akhg connect to cnc-server attempt (botnet-cnc.rules)
 * 1:20694 <-> ENABLED <-> BOTNET-CNC Backdoor.Win32.SSonce.A backdoor access attempt (botnet-cnc.rules)
 * 1:20708 <-> ENABLED <-> WEB-ACTIVEX HP Easy Printer Care Software ActiveX clsid access (web-activex.rules)

Modified Rules:

 * 1:9829 <-> ENABLED <-> SPYWARE-PUT Trackware relevantknowledge runtime detection (spyware-put.rules)
 * 1:7083 <-> DISABLED <-> BACKDOOR mosucker3.0 runtime detection - server-to-client1 (backdoor.rules)
 * 1:7081 <-> ENABLED <-> BACKDOOR up and run v1.0 beta runtime detection (backdoor.rules)
 * 1:7091 <-> ENABLED <-> BACKDOOR serveme runtime detection (backdoor.rules)
 * 1:7088 <-> DISABLED <-> BACKDOOR sinique 1.0 runtime detection - initial connection with correct password server-to-client (backdoor.rules)
 * 1:7112 <-> ENABLED <-> BACKDOOR fearless lite 1.01 runtime detection (backdoor.rules)
 * 1:7107 <-> ENABLED <-> BACKDOOR girlfriend runtime detection (backdoor.rules)
 * 1:7108 <-> ENABLED <-> BACKDOOR undetected runtime detection (backdoor.rules)
 * 1:7158 <-> ENABLED <-> SPYWARE-PUT Keylogger win-spy runtime detection - remote conn server-to-client (spyware-put.rules)
 * 1:715 <-> DISABLED <-> TELNET Attempted SU from wrong group (telnet.rules)
 * 1:7115 <-> ENABLED <-> BACKDOOR ghost 2.3 runtime detection (backdoor.rules)
 * 1:7164 <-> ENABLED <-> SPYWARE-PUT Keylogger win-spy runtime detection - execute file server-to-client (spyware-put.rules)
 * 1:717 <-> DISABLED <-> TELNET not on console (telnet.rules)
 * 1:7162 <-> ENABLED <-> SPYWARE-PUT Keylogger win-spy runtime detection - download file server-to-client (spyware-put.rules)
 * 1:718 <-> DISABLED <-> TELNET login incorrect (telnet.rules)
 * 1:7180 <-> ENABLED <-> SPYWARE-PUT Keylogger desktop detective 2000 runtime detection - init connection (spyware-put.rules)
 * 1:7178 <-> ENABLED <-> SPYWARE-PUT Keylogger desktop detective 2000 runtime detection - init connection (spyware-put.rules)
 * 1:7507 <-> ENABLED <-> SPYWARE-PUT Hacker-Tool coma runtime detection - init connection (spyware-put.rules)
 * 1:7509 <-> ENABLED <-> SPYWARE-PUT Hacker-Tool coma runtime detection - ping (spyware-put.rules)
 * 1:7504 <-> ENABLED <-> SPYWARE-PUT Keylogger actualspy runtime detection - ftp-data (spyware-put.rules)
 * 1:7542 <-> ENABLED <-> SPYWARE-PUT Hacker-Tool mini oblivion runtime detection - successful init connection (spyware-put.rules)
 * 1:7585 <-> DISABLED <-> SPYWARE-PUT Hacker-Tool clandestine runtime detection - flowbit set image (spyware-put.rules)
 * 1:7515 <-> ENABLED <-> SPYWARE-PUT Keylogger watchdog runtime detection - remote monitoring (spyware-put.rules)
 * 1:7605 <-> ENABLED <-> BACKDOOR katux 2.0 runtime detection - screen capture (backdoor.rules)
 * 1:7607 <-> ENABLED <-> BACKDOOR katux 2.0 runtime detection - get system info (backdoor.rules)
 * 1:7603 <-> ENABLED <-> SPYWARE-PUT Snoopware big brother v3.5.1 runtime detection - connect to receiver (spyware-put.rules)
 * 1:7619 <-> ENABLED <-> BACKDOOR theef 2.0 runtime detection - connection request with password (backdoor.rules)
 * 1:7616 <-> ENABLED <-> BACKDOOR theef 2.0 runtime detection - connection without password (backdoor.rules)
 * 1:7617 <-> ENABLED <-> BACKDOOR theef 2.0 runtime detection - connection request with password - flowbit 1 (backdoor.rules)
 * 1:7626 <-> ENABLED <-> BACKDOOR skyrat show runtime detection - initial connection - flowbit 2 (backdoor.rules)
 * 1:7623 <-> ENABLED <-> BACKDOOR remote control 1.7 runtime detection - connection request (backdoor.rules)
 * 1:7624 <-> DISABLED <-> BACKDOOR remote control 1.7 runtime detection - data communication (backdoor.rules)
 * 1:7630 <-> ENABLED <-> BACKDOOR helios 3.1 runtime detection - initial connection (backdoor.rules)
 * 1:7628 <-> ENABLED <-> BACKDOOR skyrat show runtime detection - initial connection - flowbit 4 (backdoor.rules)
 * 1:7629 <-> ENABLED <-> BACKDOOR skyrat show runtime detection - initial connection (backdoor.rules)
 * 1:7638 <-> ENABLED <-> BACKDOOR ncph runtime detection - initial connection (backdoor.rules)
 * 1:7634 <-> ENABLED <-> BACKDOOR hornet 1.0 runtime detection - irc connection (backdoor.rules)
 * 1:7636 <-> ENABLED <-> BACKDOOR hornet 1.0 runtime detection - fetch processes list (backdoor.rules)
 * 1:7646 <-> DISABLED <-> BACKDOOR snipernet 2.1 runtime detection (backdoor.rules)
 * 1:7649 <-> DISABLED <-> BACKDOOR minicom lite runtime detection - server-to-client (backdoor.rules)
 * 1:7643 <-> DISABLED <-> BACKDOOR netcontrol takeover runtime detection (backdoor.rules)
 * 1:7663 <-> ENABLED <-> BACKDOOR snid x2 v1.2 runtime detection - initial connection (backdoor.rules)
 * 1:7665 <-> ENABLED <-> BACKDOOR screen control 1.0 runtime detection - initial connection (backdoor.rules)
 * 1:7658 <-> ENABLED <-> BACKDOOR jodeitor 1.1 runtime detection - initial connection (backdoor.rules)
 * 1:7671 <-> ENABLED <-> BACKDOOR digital upload runtime detection - chat (backdoor.rules)
 * 1:7672 <-> ENABLED <-> BACKDOOR remoter runtime detection - initial connection (backdoor.rules)
 * 1:7669 <-> DISABLED <-> BACKDOOR screen control 1.0 runtime detection - capture on port 2213 (backdoor.rules)
 * 1:7679 <-> ENABLED <-> BACKDOOR cool remote control 1.12 runtime detection - upload file (backdoor.rules)
 * 1:7677 <-> ENABLED <-> BACKDOOR cool remote control or crackdown runtime detection - initial connection (backdoor.rules)
 * 1:7675 <-> ENABLED <-> BACKDOOR remote havoc runtime detection (backdoor.rules)
 * 1:7684 <-> ENABLED <-> BACKDOOR hrat 1.0 runtime detection (backdoor.rules)
 * 1:7686 <-> ENABLED <-> BACKDOOR illusion runtime detection - get remote info server-to-client (backdoor.rules)
 * 1:7683 <-> ENABLED <-> BACKDOOR acid head 1.00 runtime detection (backdoor.rules)
 * 1:7697 <-> DISABLED <-> BACKDOOR hanky panky 1.1 runtime detection - initial connection (backdoor.rules)
 * 1:7695 <-> DISABLED <-> BACKDOOR hanky panky 1.1 runtime detection - initial connection - flowbit set 1 (backdoor.rules)
 * 1:7691 <-> DISABLED <-> BACKDOOR evade runtime detection - file manager (backdoor.rules)
 * 1:7706 <-> DISABLED <-> BACKDOOR omniquad instant remote control runtime detection - initial connection (backdoor.rules)
 * 1:13360 <-> DISABLED <-> POLICY failed FTP login attempt (policy.rules)
 * 1:13506 <-> ENABLED <-> BACKDOOR evilotus 1.3.2 runtime detection - init connection (backdoor.rules)
 * 1:13509 <-> ENABLED <-> BACKDOOR xploit 1.4.5 pc runtime detection (backdoor.rules)
 * 1:13570 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel cf record arbitrary code excecution attempt (web-client.rules)
 * 1:13586 <-> DISABLED <-> POLICY SSH server detected on non-standard port (policy.rules)
 * 1:13655 <-> ENABLED <-> BACKDOOR nuclear rat 2.1 runtime detection - init connection (backdoor.rules)
 * 1:13665 <-> ENABLED <-> WEB-CLIENT Microsoft Office Visio DXF file invalid memory allocation exploit attempt (web-client.rules)
 * 1:13678 <-> DISABLED <-> FILE-IDENTIFY Microsoft EMF metafile file download request (file-identify.rules)
 * 1:13709 <-> DISABLED <-> MYSQL yaSSL SSLv2 Server_Hello request (mysql.rules)
 * 1:13711 <-> DISABLED <-> MYSQL yaSSL SSLv2 Client Hello Message Cipher Length Buffer Overflow attempt (mysql.rules)
 * 1:13712 <-> DISABLED <-> MYSQL yaSSL SSLv2 Client Hello Message Session ID Buffer Overflow attempt (mysql.rules)
 * 1:13713 <-> DISABLED <-> MYSQL yaSSL SSLv2 Client Hello Message Challenge Buffer Overflow attempt (mysql.rules)
 * 1:13714 <-> DISABLED <-> MYSQL yaSSL SSLv3 Client Hello Message Cipher Specs Buffer Overflow attempt (mysql.rules)
 * 1:13764 <-> ENABLED <-> SPYWARE-PUT Snoopware xpress remote runtime detection - init connection (spyware-put.rules)
 * 1:13813 <-> ENABLED <-> SPYWARE-PUT Trickler mm.exe runtime detection (spyware-put.rules)
 * 1:13824 <-> ENABLED <-> WEB-CLIENT Microsoft Windows DirectX malformed mjpeg arbitrary code execution attempt (web-client.rules)
 * 1:13855 <-> ENABLED <-> SPYWARE-PUT Trackware speed runner runtime detection (spyware-put.rules)
 * 1:13878 <-> ENABLED <-> BACKDOOR trojan-spy.win32.delf.uv runtime detection (backdoor.rules)
 * 1:13936 <-> ENABLED <-> SPYWARE-PUT Trickler dropper agent.rqg runtime detection - call home (spyware-put.rules)
 * 1:13939 <-> ENABLED <-> SPYWARE-PUT Hijacker adware.win32.ejik.ec variant runtime detection - auto update (spyware-put.rules)
 * 1:141 <-> DISABLED <-> BACKDOOR HackAttack 1.20 Connect (backdoor.rules)
 * 1:1436 <-> DISABLED <-> MULTIMEDIA Apple Quicktime User Agent access (multimedia.rules)
 * 1:1437 <-> DISABLED <-> FILE-IDENTIFY Windows Media download detection (file-identify.rules)
 * 1:1439 <-> DISABLED <-> MULTIMEDIA Shoutcast playlist redirection (multimedia.rules)
 * 1:1440 <-> DISABLED <-> MULTIMEDIA Icecast playlist redirection (multimedia.rules)
 * 1:1447 <-> DISABLED <-> MISC Microsoft Windows Terminal server request RDP (misc.rules)
 * 1:1448 <-> DISABLED <-> MISC Microsoft Windows Terminal server request (misc.rules)
 * 1:146 <-> DISABLED <-> BACKDOOR NetSphere access (backdoor.rules)
 * 1:147 <-> DISABLED <-> BACKDOOR GateCrasher (backdoor.rules)
 * 1:14770 <-> DISABLED <-> FTP Ipswitch WS_FTP client format string attempt (ftp.rules)
 * 1:15079 <-> ENABLED <-> FILE-IDENTIFY WAV file download request (file-identify.rules)
 * 1:15080 <-> ENABLED <-> MULTIMEDIA VideoLAN VLC Media Player WAV processing integer overflow attempt (multimedia.rules)
 * 1:15166 <-> ENABLED <-> WEB-CLIENT VideoLAN VLC Media Player RealText buffer overflow attempt (web-client.rules)
 * 1:152 <-> DISABLED <-> BACKDOOR BackConstruction 2.1 Connection (backdoor.rules)
 * 1:15487 <-> ENABLED <-> MULTIMEDIA Apple QuickTime SMIL qtnext redirect file execution attempt (multimedia.rules)
 * 1:158 <-> DISABLED <-> BACKDOOR BackConstruction 2.1 Server FTP Open Reply (backdoor.rules)
 * 1:15934 <-> DISABLED <-> DNS dns response for rfc1918 172.16/12 address detected (dns.rules)
 * 1:15935 <-> DISABLED <-> DNS dns response for rfc1918 192.168/16 address detected (dns.rules)
 * 1:15987 <-> DISABLED <-> FILE-IDENTIFY DXF file download request (file-identify.rules)
 * 1:16006 <-> DISABLED <-> SPECIFIC-THREATS Apple Quicktime color table id memory corruption attempt (specific-threats.rules)
 * 1:16093 <-> DISABLED <-> BACKDOOR bugsprey runtime detection - initial connection (backdoor.rules)
 * 1:16103 <-> ENABLED <-> BACKDOOR lost door 3.0 runtime detection - init (backdoor.rules)
 * 1:16107 <-> ENABLED <-> BACKDOOR synrat 2.1 pro runtime detection - init (backdoor.rules)
 * 1:16255 <-> ENABLED <-> BACKDOOR rogue software system security 2009 installtime detection (backdoor.rules)
 * 1:16315 <-> ENABLED <-> WEB-MISC Adobe Flash PlugIn check if file exists attempt (web-misc.rules)
 * 1:16325 <-> ENABLED <-> SPECIFIC-THREATS Adobe JPEG2k uninitialized QCC memory corruption attempt (specific-threats.rules)
 * 1:16461 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel EntExU2 write access violation attempt (specific-threats.rules)
 * 1:16542 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Publisher 2007 and earlier stack buffer overflow attempt (specific-threats.rules)
 * 1:16560 <-> ENABLED <-> WEB-MISC Microsoft Sharepoint XSS attempt (web-misc.rules)
 * 1:16636 <-> ENABLED <-> MISC Microsoft Windows .NET framework XMLDsig data tampering attempt (misc.rules)
 * 1:16707 <-> DISABLED <-> MYSQL mysql_log COM_CREATE_DB format string vulnerability exploit attempt (mysql.rules)
 * 1:16708 <-> DISABLED <-> MYSQL mysql_log COM_DROP_DB format string vulnerability exploit attempt (mysql.rules)
 * 1:16786 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Web Components Spreadsheet ActiveX buffer overflow attempt (specific-threats.rules)
 * 1:16800 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel FRTWrapper record buffer overflow attempt (specific-threats.rules)
 * 1:17254 <-> ENABLED <-> WEB-MISC Microsoft Windows IIS stack exhaustion DoS attempt (web-misc.rules)
 * 1:17327 <-> DISABLED <-> IMAP Qualcomm WorldMail Server Response (imap.rules)
 * 1:17357 <-> ENABLED <-> CHAT Gaim AIM-ICQ Protocol Handling Buffer Overflow attempt (chat.rules)
 * 1:17367 <-> DISABLED <-> FTP Microsoft Internet Explorer FTP Response Parsing Memory Corruption (ftp.rules)
 * 1:17412 <-> ENABLED <-> MYSQL create function mysql.func arbitrary library injection attempt (mysql.rules)
 * 1:17420 <-> ENABLED <-> WEB-MISC Citrix Program Neighborhood Agent Arbitrary Shortcut Creation attempt (web-misc.rules)
 * 1:17423 <-> ENABLED <-> WEB-MISC Citrix Program Neighborhood Agent Buffer Overflow attempt (web-misc.rules)
 * 1:17428 <-> ENABLED <-> WEB-MISC Microsoft ASP.NET information disclosure attempt (web-misc.rules)
 * 1:17429 <-> ENABLED <-> WEB-MISC Microsoft ASP.NET information disclosure attempt (web-misc.rules)
 * 1:17447 <-> ENABLED <-> WEB-MISC 407 Proxy Authentication Required (web-misc.rules)
 * 1:17534 <-> DISABLED <-> MISC IPP Application Content (misc.rules)
 * 1:17535 <-> ENABLED <-> MISC Apple CUPS Text to PostScript Filter Integer Overflow attempt (misc.rules)
 * 1:17587 <-> ENABLED <-> SPECIFIC-THREATS Adobe Multiple Product AcroPDF.PDF ActiveX exploit attempt (specific-threats.rules)
 * 1:17706 <-> DISABLED <-> MISC Veritas NetBackup java user interface service format string attack attempt (misc.rules)
 * 1:17758 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel PtgExtraArray data parsing vulnerability exploit attempt (specific-threats.rules)
 * 1:17759 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel invalid SerAr object exploit attempt (specific-threats.rules)
 * 1:17760 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel RealTimeData record exploit attempt (specific-threats.rules)
 * 1:17764 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel PtgName invalid index exploit attempt (specific-threats.rules)
 * 1:18072 <-> ENABLED <-> WEB-MISC Microsoft Forefront UAG external redirect attempt (web-misc.rules)
 * 1:18073 <-> ENABLED <-> WEB-MISC Microsoft Forefront UAG arbitrary embedded scripting attempt (web-misc.rules)
 * 1:1819 <-> DISABLED <-> MISC Alcatel PABX 4400 connection attempt (misc.rules)
 * 1:18208 <-> ENABLED <-> WEB-CLIENT Microsoft Windows wininet peerdist.dll dll-load exploit attempt (web-client.rules)
 * 1:18209 <-> ENABLED <-> NETBIOS Microsoft Windows wininet peerdist.dll dll-load exploit attempt (netbios.rules)
 * 1:18212 <-> ENABLED <-> SPECIFIC-THREATS MS Publisher tyo.oty field heap overflow attempt (specific-threats.rules)
 * 1:18214 <-> ENABLED <-> SPECIFIC-THREATS MS Publisher 97 conversion remote code execution attempt (specific-threats.rules)
 * 1:18218 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer time element memory corruption attempt (specific-threats.rules)
 * 1:18229 <-> ENABLED <-> SPECIFIC-THREATS Microsoft FlashPix tile length overflow attempt (specific-threats.rules)
 * 1:18230 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Publisher memory corruption attempt (specific-threats.rules)
 * 1:18236 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office TIFFIM32.FLT filter memory corruption attempt (specific-threats.rules)
 * 1:18276 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Data Access Components library attempt (specific-threats.rules)
 * 1:18291 <-> ENABLED <-> MISC Arkeia Network Backup Client Buffer Overflow Type 77 Attempt (misc.rules)
 * 1:18292 <-> ENABLED <-> MISC Arkeia Network Backup Client Buffer Overflow Type 84 Attempt (misc.rules)
 * 1:18331 <-> ENABLED <-> WEB-CLIENT Microsoft Office Visio DXF variable name overflow attempt (web-client.rules)
 * 1:18397 <-> ENABLED <-> MISC HP DDMI Agent spoofing - command execution (misc.rules)
 * 1:18399 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel BRAI record remote code execution attempt (specific-threats.rules)
 * 1:18402 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD Adobe font driver remote code execution attempt (specific-threats.rules)
 * 1:18406 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows Server 2003 update service principal name spn dos executable attempt (specific-threats.rules)
 * 1:18407 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows Server 2003 update service principal name spn dos attempt (specific-threats.rules)
 * 1:18415 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Visio deserialization double free attempt (specific-threats.rules)
 * 1:18416 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Visio ORMinfo classes length overflow attempt (specific-threats.rules)
 * 1:18417 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Visio ORMinfo classes length overflow attempt (specific-threats.rules)
 * 1:18418 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash player ActionScript apply function memory corruption attempt (specific-threats.rules)
 * 1:1842 <-> DISABLED <-> IMAP login buffer overflow attempt (imap.rules)
 * 1:18420 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash player ActionScript ASnative function remote code execution attempt (specific-threats.rules)
 * 1:18448 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat Universal 3D stream memory corruption attempt (specific-threats.rules)
 * 1:18450 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader malformed BMP RGBQUAD attempt (specific-threats.rules)
 * 1:18451 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat ICC color integer overflow attempt (specific-threats.rules)
 * 1:18452 <-> ENABLED <-> SPECIFIC-THREATS Adobe malicious IFF memory corruption attempt (specific-threats.rules)
 * 1:18453 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat universal 3D format memory corruption attempt (specific-threats.rules)
 * 1:18454 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat universal 3D format memory corruption attempt (specific-threats.rules)
 * 1:18455 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader malformed jpeg2000 superbox attempt (specific-threats.rules)
 * 1:18457 <-> ENABLED <-> SPECIFIC-THREATS Adoboe Reader U3D rgba parsing overflow attempt (specific-threats.rules)
 * 1:18498 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Media Player dvr-ms file parsing remote code execution attempt (specific-threats.rules)
 * 1:18503 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player ActionScript flash.geom.Point constructor memory corruption attempt (specific-threats.rules)
 * 1:18543 <-> ENABLED <-> SPECIFIC-THREATS embedded Shockwave dropper download (specific-threats.rules)
 * 1:18544 <-> ENABLED <-> SPECIFIC-THREATS embedded Shockwave dropper in email attachment (specific-threats.rules)
 * 1:18588 <-> DISABLED <-> FTP Ipswitch Ws_ftp XCRC overflow attempt (ftp.rules)
 * 1:18635 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office PowerPoint malformed record call to freed object attempt (specific-threats.rules)
 * 1:18636 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office PowerPoint SlideAtom record exploit attempt (specific-threats.rules)
 * 1:18642 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Word Converter sprmTSplit overflow attempt (specific-threats.rules)
 * 1:18643 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Word Converter sprmTTextFflow overflow attempt (specific-threats.rules)
 * 1:18644 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows OpenType Fonts CompactFontFormat FontMatrix tranform memory corruption attempt (specific-threats.rules)
 * 1:18645 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows GDI+ arbitrary code execution attempt (specific-threats.rules)
 * 1:18646 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer 6/7 CSS swapNode memory corruption attempt (specific-threats.rules)
 * 1:18691 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows AFD.SYS null write attempt (specific-threats.rules)
 * 1:18740 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel sheet object type confusion exploit attempt (specific-threats.rules)
 * 1:18755 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Visio Data Type Memory Corruption (specific-threats.rules)
 * 1:18771 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel ADO Object Parsing Code Execution (specific-threats.rules)
 * 1:18772 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel ADO Object Parsing Code Execution (specific-threats.rules)
 * 1:18806 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel RealTimeData record exploit attempt (specific-threats.rules)
 * 1:18937 <-> ENABLED <-> BOTNET-CNC URI request for known malicious URI - Win32.Krap (botnet-cnc.rules)
 * 1:18948 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office PowerPoint converter bad indirection remote code execution attempt (specific-threats.rules)
 * 1:19001 <-> DISABLED <-> MYSQL IN NULL argument denial of service attempt (mysql.rules)
 * 1:19048 <-> ENABLED <-> SPYWARE-PUT Backdoor.Win32.Darkness contact to server attempt (spyware-put.rules)
 * 1:19122 <-> DISABLED <-> PHISHING-SPAM appledownload.com known spam email attempt (phishing-spam.rules)
 * 1:19243 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer layout-grid-char value exploit attempt (web-client.rules)
 * 1:19324 <-> ENABLED <-> SPYWARE-PUT Keylogger WL-Keylogger inbound connection (spyware-put.rules)
 * 1:19326 <-> ENABLED <-> BACKDOOR Classroom Spy Professional runtime detection - initial connection (backdoor.rules)
 * 1:19327 <-> ENABLED <-> BACKDOOR Classroom Spy Professional runtime detection - initial connection (backdoor.rules)
 * 1:19395 <-> ENABLED <-> BOTNET-CNC Trojan Downloader Win32.Monkif.J inbound connection - dest ip infected (botnet-cnc.rules)
 * 1:19422 <-> ENABLED <-> FILE-IDENTIFY matroska file magic detection (file-identify.rules)
 * 1:19455 <-> DISABLED <-> SPYWARE-PUT Worm.Win32.AutoRun.aw runtime detection (spyware-put.rules)
 * 1:19580 <-> DISABLED <-> BACKDOOR Worm Win32.Basun.wsc inbound connection (backdoor.rules)
 * 1:19588 <-> DISABLED <-> BACKDOOR Win32.Sereki.B successful connection (backdoor.rules)
 * 1:19595 <-> ENABLED <-> BLACKLIST EMAIL known malicious email string - You have received a Hallmark E-Card! (blacklist.rules)
 * 1:19694 <-> ENABLED <-> WEB-CGI Microsoft Windows .NET Chart Control directory traversal attempt (web-cgi.rules)
 * 1:19696 <-> DISABLED <-> BACKDOOR Win32.SdBot.nng inbound connection (backdoor.rules)
 * 1:19775 <-> DISABLED <-> SPYWARE-PUT PWS.Win32.Ldpinch.gen runtime detection (spyware-put.rules)
 * 1:1985 <-> DISABLED <-> BACKDOOR Doly 1.5 server response (backdoor.rules)
 * 1:19950 <-> DISABLED <-> BACKDOOR DarkstRat 2008 inbound connection (backdoor.rules)
 * 1:19952 <-> DISABLED <-> BACKDOOR Biodox inbound connection (backdoor.rules)
 * 1:19954 <-> DISABLED <-> BACKDOOR Hack Style RAT outbound connection (backdoor.rules)
 * 1:19955 <-> DISABLED <-> BACKDOOR PaiN RAT 0.1 outbound connection (backdoor.rules)
 * 1:2008 <-> DISABLED <-> MISC CVS invalid user authentication response (misc.rules)
 * 1:2009 <-> DISABLED <-> MISC CVS invalid repository response (misc.rules)
 * 1:20097 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Agent.dcir infected host at destination ip (botnet-cnc.rules)
 * 1:2010 <-> DISABLED <-> MISC CVS double free exploit attempt response (misc.rules)
 * 1:2011 <-> DISABLED <-> MISC CVS invalid directory response (misc.rules)
 * 1:2012 <-> DISABLED <-> MISC CVS missing cvsroot response (misc.rules)
 * 1:2013 <-> DISABLED <-> MISC CVS invalid module response (misc.rules)
 * 1:20212 <-> DISABLED <-> MISC SSL CBC encryption mode weakness brute force attempt (misc.rules)
 * 1:20223 <-> ENABLED <-> FILE-IDENTIFY SMI file download request (file-identify.rules)
 * 1:20290 <-> DISABLED <-> BACKDOOR Win32.Doschald.A inbound connection (backdoor.rules)
 * 1:20463 <-> DISABLED <-> FILE-IDENTIFY ZIP file magic detection (file-identify.rules)
 * 1:20475 <-> DISABLED <-> FILE-IDENTIFY ARJ file magic detection (file-identify.rules)
 * 1:20476 <-> DISABLED <-> FILE-IDENTIFY TNEF file magic detection (file-identify.rules)
 * 1:20477 <-> DISABLED <-> FILE-IDENTIFY ELF file magic detection (file-identify.rules)
 * 1:20479 <-> DISABLED <-> FILE-IDENTIFY CryptFF file magic detection (file-identify.rules)
 * 1:20480 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:20484 <-> DISABLED <-> FILE-IDENTIFY SIS file magic detection (file-identify.rules)
 * 1:20518 <-> DISABLED <-> FILE-IDENTIFY rmf file download request (file-identify.rules)
 * 1:20519 <-> DISABLED <-> FILE-IDENTIFY vmd file download request (file-identify.rules)
 * 1:20540 <-> ENABLED <-> POLICY Microsoft Word document with embedded TrueType font (policy.rules)
 * 1:20563 <-> DISABLED <-> FILE-IDENTIFY amf file download request (file-identify.rules)
 * 1:20606 <-> ENABLED <-> BOTNET-CNC Backdoor.Win32.Domsingx.A contact to C&C server attempt (botnet-cnc.rules)
 * 1:20612 <-> ENABLED <-> SPECIFIC-THREATS Apache Tomcat Java AJP connector invalid header timeout DOS attempt (specific-threats.rules)
 * 1:20634 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer onscroll DOS attempt (specific-threats.rules)
 * 1:20649 <-> ENABLED <-> WEB-PHP ADNForum SQL injection in index.php fid attempt (web-php.rules)
 * 1:208 <-> DISABLED <-> BACKDOOR PhaseZero Server Active on Network (backdoor.rules)
 * 1:2100 <-> DISABLED <-> BACKDOOR SubSeven 2.1 Gold server connection response (backdoor.rules)
 * 1:2126 <-> DISABLED <-> MISC Microsoft Windows PPTP Start Control Request buffer overflow attempt (misc.rules)
 * 1:230 <-> DISABLED <-> DDOS shaft client login to handler (ddos.rules)
 * 1:2317 <-> DISABLED <-> MISC CVS non-relative path error response (misc.rules)
 * 1:2418 <-> DISABLED <-> MISC Microsoft Windows Terminal Server no encryption session initiation attempt (misc.rules)
 * 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (file-identify.rules)
 * 1:2420 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request (file-identify.rules)
 * 1:2422 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request (file-identify.rules)
 * 1:2423 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request (file-identify.rules)
 * 1:2438 <-> DISABLED <-> WEB-CLIENT RealNetworks RealPlayer playlist file URL overflow attempt (web-client.rules)
 * 1:2439 <-> DISABLED <-> WEB-CLIENT RealNetworks RealPlayer playlist http URL overflow attempt (web-client.rules)
 * 1:2440 <-> DISABLED <-> WEB-CLIENT RealNetworks RealPlayer playlist rtsp URL overflow attempt (web-client.rules)
 * 1:2442 <-> DISABLED <-> WEB-MISC Apple Quicktime User-Agent buffer overflow attempt (web-misc.rules)
 * 1:2446 <-> ENABLED <-> EXPLOIT ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm (exploit.rules)
 * 1:2450 <-> ENABLED <-> CHAT Yahoo IM successful logon (chat.rules)
 * 1:2451 <-> ENABLED <-> CHAT Yahoo IM voicechat (chat.rules)
 * 1:2453 <-> ENABLED <-> CHAT Yahoo IM conference invitation (chat.rules)
 * 1:2454 <-> ENABLED <-> CHAT Yahoo IM conference logon success (chat.rules)
 * 1:2458 <-> ENABLED <-> CHAT Yahoo IM successful chat join (chat.rules)
 * 1:2461 <-> ENABLED <-> CHAT Yahoo IM conference watch (chat.rules)
 * 1:250 <-> DISABLED <-> DDOS mstream handler to client (ddos.rules)
 * 1:2587 <-> ENABLED <-> P2P eDonkey server response (p2p.rules)
 * 1:2649 <-> ENABLED <-> ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt (oracle.rules)
 * 1:2657 <-> DISABLED <-> WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt (web-misc.rules)
 * 1:2660 <-> DISABLED <-> WEB-MISC SSLv2 Server_Hello request (web-misc.rules)
 * 1:2923 <-> ENABLED <-> NETBIOS SMB repeated logon failure (netbios.rules)
 * 1:2924 <-> ENABLED <-> NETBIOS SMB-DS repeated logon failure (netbios.rules)
 * 1:3014 <-> ENABLED <-> BACKDOOR Asylum 0.1 connection established (backdoor.rules)
 * 1:3015 <-> ENABLED <-> BACKDOOR Insane Network 4.0 connection established (backdoor.rules)
 * 1:3016 <-> ENABLED <-> BACKDOOR Insane Network 4.0 connection established port 63536 (backdoor.rules)
 * 1:3064 <-> ENABLED <-> BACKDOOR Vampire 1.2 connection confirmation (backdoor.rules)
 * 1:3081 <-> ENABLED <-> BACKDOOR Y3KRAT 1.5 Connect (backdoor.rules)
 * 1:3083 <-> ENABLED <-> BACKDOOR Y3KRAT 1.5 Connection confirmation (backdoor.rules)
 * 1:3152 <-> DISABLED <-> SQL sa brute force failed login attempt (sql.rules)
 * 1:3273 <-> DISABLED <-> SQL sa brute force failed login unicode attempt (sql.rules)
 * 1:3453 <-> DISABLED <-> MISC Arkeia client backup system info probe (misc.rules)
 * 1:3454 <-> DISABLED <-> MISC Arkeia client backup generic info probe (misc.rules)
 * 1:3486 <-> ENABLED <-> MISC Microsoft Windows SSLv3 invalid data version attempt (misc.rules)
 * 1:3491 <-> DISABLED <-> IMAP SSLv2 Server_Hello request (imap.rules)
 * 1:3503 <-> DISABLED <-> POP3 SSLv2 Server_Hello request (pop3.rules)
 * 1:3635 <-> ENABLED <-> BACKDOOR Amanda 2.0 connection established (backdoor.rules)
 * 1:3636 <-> ENABLED <-> BACKDOOR Crazzy Net 5.0 connection established (backdoor.rules)
 * 1:3665 <-> DISABLED <-> MYSQL server greeting (mysql.rules)
 * 1:3666 <-> DISABLED <-> MYSQL server greeting finished (mysql.rules)
 * 1:3680 <-> ENABLED <-> P2P AOL Instant Messenger file send attempt (p2p.rules)
 * 1:3826 <-> ENABLED <-> POLICY AOL Instant Messenger Message Receive (policy.rules)
 * 1:489 <-> DISABLED <-> FTP no password (ftp.rules)
 * 1:491 <-> DISABLED <-> FTP Bad login (ftp.rules)
 * 1:492 <-> DISABLED <-> TELNET login failed (telnet.rules)
 * 1:493 <-> ENABLED <-> POLICY psyBNC access (policy.rules)
 * 1:4984 <-> DISABLED <-> SQL sa brute force failed login unicode attempt (sql.rules)
 * 1:512 <-> DISABLED <-> MISC PCAnywhere Failed Login (misc.rules)
 * 1:555 <-> ENABLED <-> POLICY WinGate telnet server response (policy.rules)
 * 1:567 <-> ENABLED <-> POLICY SMTP relaying denied (policy.rules)
 * 1:5772 <-> DISABLED <-> SPYWARE-PUT Screen-Scraper farsighter runtime detection - initial connection (spyware-put.rules)
 * 1:5814 <-> ENABLED <-> SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - create redirection (spyware-put.rules)
 * 1:5816 <-> ENABLED <-> SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - destory redirection (spyware-put.rules)
 * 1:5818 <-> ENABLED <-> SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - check status (spyware-put.rules)
 * 1:5819 <-> ENABLED <-> SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - check status (spyware-put.rules)
 * 1:5821 <-> ENABLED <-> SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - destory log (spyware-put.rules)
 * 1:5823 <-> ENABLED <-> SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - view netstat (spyware-put.rules)
 * 1:5896 <-> ENABLED <-> SPYWARE-PUT Hacker-Tool timbuktu pro runtime detection - tcp port 407 (spyware-put.rules)
 * 1:5957 <-> ENABLED <-> SPYWARE-PUT Hacker-Tool ghostvoice 1.02 runtime detection (spyware-put.rules)
 * 1:6014 <-> DISABLED <-> BACKDOOR coolcat runtime connection detection - tcp 3 (backdoor.rules)
 * 1:6016 <-> ENABLED <-> BACKDOOR dsk lite 1.0 runtime detection - initial connection (backdoor.rules)
 * 1:6017 <-> ENABLED <-> BACKDOOR dsk lite 1.0 runtime detection - disconnect (backdoor.rules)
 * 1:6021 <-> ENABLED <-> BACKDOOR silent spy 2.10 command response port 4225 (backdoor.rules)
 * 1:6022 <-> ENABLED <-> BACKDOOR silent spy 2.10 command response port 4226 (backdoor.rules)
 * 1:6024 <-> ENABLED <-> BACKDOOR nuclear rat v6_21 runtime detection (backdoor.rules)
 * 1:6026 <-> ENABLED <-> BACKDOOR dimbus 1.0 runtime detection - get pc info (backdoor.rules)
 * 1:6035 <-> ENABLED <-> BACKDOOR minicommand runtime detection - initial connection server-to-client (backdoor.rules)
 * 1:6041 <-> DISABLED <-> BACKDOOR fade 1.0 runtime detection - enable keylogger (backdoor.rules)
 * 1:6044 <-> ENABLED <-> BACKDOOR fear 0.2 runtime detection - initial connection (backdoor.rules)
 * 1:6046 <-> ENABLED <-> BACKDOOR fear 0.2 runtime detection - initial connection (backdoor.rules)
 * 1:6048 <-> ENABLED <-> BACKDOOR fun factory runtime detection - connect (backdoor.rules)
 * 1:605 <-> ENABLED <-> RSERVICES rlogin login failure (rservices.rules)
 * 1:6050 <-> ENABLED <-> BACKDOOR fun factory runtime detection - upload (backdoor.rules)
 * 1:6052 <-> ENABLED <-> BACKDOOR fun factory runtime detection - set volume (backdoor.rules)
 * 1:6054 <-> ENABLED <-> BACKDOOR fun factory runtime detection - do script remotely (backdoor.rules)
 * 1:6056 <-> DISABLED <-> BACKDOOR bifrose 1.1 runtime detection (backdoor.rules)
 * 1:6062 <-> ENABLED <-> BACKDOOR neurotickat1.3 runtime detection - initial connection (backdoor.rules)
 * 1:6064 <-> ENABLED <-> BACKDOOR schwindler 1.82 runtime detection (backdoor.rules)
 * 1:6066 <-> ENABLED <-> BACKDOOR optixlite 1.0 runtime detection - connection success server-to-client (backdoor.rules)
 * 1:6073 <-> DISABLED <-> BACKDOOR freak 1.0 runtime detection - initial connection server-to-client (backdoor.rules)
 * 1:6075 <-> ENABLED <-> BACKDOOR xhx 1.6 runtime detection - initial connection server-to-client (backdoor.rules)
 * 1:6078 <-> ENABLED <-> BACKDOOR autospy runtime detection - get information (backdoor.rules)
 * 1:6080 <-> ENABLED <-> BACKDOOR autospy runtime detection - show autospy (backdoor.rules)
 * 1:6082 <-> ENABLED <-> BACKDOOR autospy runtime detection - show nude pic (backdoor.rules)
 * 1:6084 <-> ENABLED <-> BACKDOOR autospy runtime detection - hide taskbar (backdoor.rules)
 * 1:6086 <-> ENABLED <-> BACKDOOR autospy runtime detection - make directory (backdoor.rules)
 * 1:9838 <-> ENABLED <-> BACKDOOR sun shadow 1.70 runtime detection - init connection (backdoor.rules)
 * 1:7750 <-> ENABLED <-> BACKDOOR buschtrommel 1.22 runtime detection - initial connection - flowbit set 1 (backdoor.rules)
 * 1:8083 <-> DISABLED <-> MISC Microsoft Windows UPnP Location overflow (misc.rules)
 * 1:7714 <-> ENABLED <-> BACKDOOR netdevil runtime detection - flowbit set 1 (backdoor.rules)
 * 1:8076 <-> ENABLED <-> BACKDOOR mithril runtime detection - get system information (backdoor.rules)
 * 1:8548 <-> ENABLED <-> BACKDOOR zzmm 2.0 runtime detection - init connection (backdoor.rules)
 * 1:9645 <-> ENABLED <-> SPYWARE-PUT Hijacker sogou runtime detection - keyword hijack (spyware-put.rules)
 * 1:7789 <-> DISABLED <-> BACKDOOR forced control uploader runtime detection directory listing - server to client (backdoor.rules)
 * 1:7749 <-> ENABLED <-> BACKDOOR bobo 1.0 runtime detection - send message (backdoor.rules)
 * 1:9646 <-> ENABLED <-> SPYWARE-PUT Hijacker sogou runtime detection - search through sogou toolbar (spyware-put.rules)
 * 1:7785 <-> DISABLED <-> BACKDOOR forced control uploader runtime detection - connection with password (backdoor.rules)
 * 1:7835 <-> ENABLED <-> SPYWARE-PUT Hacker-Tool nettracker runtime detection - report browsing (spyware-put.rules)
 * 1:8361 <-> ENABLED <-> BACKDOOR black curse 4.0 runtime detection - inverse init connection (backdoor.rules)
 * 1:8467 <-> ENABLED <-> SPYWARE-PUT Keylogger netobserve runtime detection - remote login response (spyware-put.rules)
 * 1:7783 <-> ENABLED <-> BACKDOOR netdevil runtime detection - file manager (backdoor.rules)
 * 1:7084 <-> ENABLED <-> BACKDOOR erazer v1.1 runtime detection - sin notification (backdoor.rules)
 * 1:7814 <-> ENABLED <-> BACKDOOR darkmoon initial connection detection - stc (backdoor.rules)
 * 1:7765 <-> ENABLED <-> BACKDOOR nt remote controller 2000 runtime detection - sysinfo server-to-client (backdoor.rules)
 * 1:7755 <-> ENABLED <-> BACKDOOR buschtrommel 1.22 runtime detection - spy function (backdoor.rules)
 * 1:7821 <-> DISABLED <-> BACKDOOR nightcreature beta 0.01 runtime detection (backdoor.rules)
 * 1:7754 <-> ENABLED <-> BACKDOOR buschtrommel 1.22 runtime detection - spy function - flowbit set 2 (backdoor.rules)
 * 1:9664 <-> ENABLED <-> BACKDOOR crossbow 1.12 runtime detection (backdoor.rules)
 * 1:8079 <-> ENABLED <-> BACKDOOR x2a runtime detection - init connection (backdoor.rules)
 * 1:7818 <-> ENABLED <-> BACKDOOR infector v1.0 runtime detection - init conn (backdoor.rules)
 * 1:7809 <-> ENABLED <-> BACKDOOR fatal wound 1.0 runtime detection - upload (backdoor.rules)
 * 1:9652 <-> ENABLED <-> SPYWARE-PUT Hijacker oemji bar runtime detection (spyware-put.rules)
 * 1:7731 <-> DISABLED <-> BACKDOOR outbreak_0.2.7 runtime detection - ring server-to-client (backdoor.rules)
 * 1:8549 <-> DISABLED <-> BACKDOOR zxshell runtime detection - setting information retrieve (backdoor.rules)
 * 1:7716 <-> ENABLED <-> BACKDOOR netdevil runtime detection (backdoor.rules)
 * 1:7741 <-> DISABLED <-> BACKDOOR nova 1.0 runtime detection - initial connection with pwd set (backdoor.rules)
 * 1:8547 <-> ENABLED <-> BACKDOOR zzmm 2.0 runtime detection - init connection (backdoor.rules)
 * 1:9660 <-> ENABLED <-> BACKDOOR bersek 1.0 runtime detection (backdoor.rules)
 * 1:7777 <-> ENABLED <-> BACKDOOR messiah 4.0 runtime detection - get drives (backdoor.rules)
 * 1:7744 <-> ENABLED <-> BACKDOOR phoenix 2.1 runtime detection - flowbit set (backdoor.rules)
 * 1:7815 <-> ENABLED <-> BACKDOOR darkmoon reverse connection detection - stc (backdoor.rules)
 * 1:9655 <-> DISABLED <-> BACKDOOR apofis 1.0 runtime detection - remote controlling (backdoor.rules)
 * 1:7806 <-> ENABLED <-> BACKDOOR fatal wound 1.0 runtime detection - initial connection (backdoor.rules)
 * 1:9662 <-> DISABLED <-> BACKDOOR bersek 1.0 runtime detection (backdoor.rules)
 * 1:7729 <-> ENABLED <-> BACKDOOR radmin runtime detection - server-to-client (backdoor.rules)
 * 1:7733 <-> ENABLED <-> BACKDOOR outbreak_0.2.7 runtime detection - initial connection (backdoor.rules)
 * 1:7723 <-> DISABLED <-> BACKDOOR wollf runtime detection (backdoor.rules)
 * 1:10100 <-> ENABLED <-> SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection - open website (spyware-put.rules)
 * 1:7740 <-> DISABLED <-> BACKDOOR nova 1.0 runtime detection - initial connection with pwd set - flowbit set (backdoor.rules)
 * 1:7720 <-> ENABLED <-> BACKDOOR desktop scout runtime detection (backdoor.rules)
 * 1:7769 <-> DISABLED <-> BACKDOOR data rape runtime detection - execute program server-to-client (backdoor.rules)
 * 1:7745 <-> ENABLED <-> BACKDOOR phoenix 2.1 runtime detection (backdoor.rules)
 * 1:8082 <-> DISABLED <-> MISC Microsoft Windows UPnP malformed advertisement (misc.rules)
 * 1:7746 <-> ENABLED <-> BACKDOOR bobo 1.0 runtime detection - initial connection - flowbit set (backdoor.rules)
 * 1:7830 <-> ENABLED <-> SPYWARE-PUT Botnet dacryptic runtime detection (spyware-put.rules)
 * 1:7721 <-> ENABLED <-> BACKDOOR prorat 1.9 initial connection detection (backdoor.rules)
 * 1:7090 <-> DISABLED <-> BACKDOOR sinique 1.0 runtime detection - initial connection with wrong password server-to-client (backdoor.rules)
 * 1:7810 <-> DISABLED <-> BACKDOOR nuclear uploader 1.0 runtime detection (backdoor.rules)
 * 1:9658 <-> ENABLED <-> BACKDOOR bersek 1.0 runtime detection (backdoor.rules)
 * 1:8074 <-> ENABLED <-> BACKDOOR mithril runtime detection - init connection (backdoor.rules)
 * 1:7829 <-> DISABLED <-> SPYWARE-PUT Adware gator user-agent detected (spyware-put.rules)
 * 1:9651 <-> ENABLED <-> SPYWARE-PUT Hijacker ricercadoppia runtime detection (spyware-put.rules)
 * 1:7738 <-> ENABLED <-> BACKDOOR alexmessomalex runtime detection - initial connection (backdoor.rules)
 * 1:7812 <-> ENABLED <-> BACKDOOR abacab runtime detection - banner (backdoor.rules)
 * 1:7811 <-> ENABLED <-> BACKDOOR abacab runtime detection - telnet initial (backdoor.rules)
 * 1:7752 <-> ENABLED <-> BACKDOOR buschtrommel 1.22 runtime detection - initial connection (backdoor.rules)
 * 1:7735 <-> DISABLED <-> BACKDOOR bionet 4.05 runtime detection - initial connection (backdoor.rules)
 * 1:7778 <-> ENABLED <-> BACKDOOR elfrat runtime detection - initial connection (backdoor.rules)
 * 1:7796 <-> ENABLED <-> BACKDOOR incommand 1.7 runtime detection - init connection (backdoor.rules)
 * 1:7776 <-> ENABLED <-> BACKDOOR messiah 4.0 runtime detection - get drives - flowbit set (backdoor.rules)
 * 1:9666 <-> ENABLED <-> BACKDOOR superra runtime detection - success init connection (backdoor.rules)
 * 1:7743 <-> ENABLED <-> BACKDOOR nova 1.0 runtime detection - cgi notification server-to-client (backdoor.rules)
 * 1:9656 <-> ENABLED <-> BACKDOOR bersek 1.0 runtime detection (backdoor.rules)
 * 1:6087 <-> ENABLED <-> BACKDOOR a trojan 2.0 runtime detection (backdoor.rules)
 * 1:7767 <-> ENABLED <-> BACKDOOR nt remote controller 2000 runtime detection - foldermonitor server-to-client (backdoor.rules)
 * 1:8078 <-> ENABLED <-> BACKDOOR mithril runtime detection - get process list (backdoor.rules)
 * 1:7717 <-> ENABLED <-> BACKDOOR snake trojan runtime detection (backdoor.rules)
 * 1:10448 <-> ENABLED <-> BACKDOOR acessor 2.0 runtime detection - init connection (backdoor.rules)
 * 1:10103 <-> ENABLED <-> BACKDOOR hav-rat 1.1 runtime detection (backdoor.rules)
 * 1:10098 <-> ENABLED <-> SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection - get system info (spyware-put.rules)
 * 1:10090 <-> ENABLED <-> SPYWARE-PUT Trickler zango easymessenger runtime detection (spyware-put.rules)
 * 1:10096 <-> ENABLED <-> SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection - keylog (spyware-put.rules)
 * 1:10110 <-> ENABLED <-> BACKDOOR poison ivy 2.1.2 runtime detection (backdoor.rules)
 * 1:10111 <-> ENABLED <-> BACKDOOR poison ivy 2.1.2 runtime detection - init connection (backdoor.rules)
 * 1:10184 <-> DISABLED <-> BACKDOOR wow 23 runtime detection (backdoor.rules)
 * 1:10094 <-> ENABLED <-> SPYWARE-PUT Adware borlan runtime detection (spyware-put.rules)
 * 1:10450 <-> DISABLED <-> BACKDOOR only 1 rat runtime detection - control command (backdoor.rules)
 * 1:10095 <-> ENABLED <-> SPYWARE-PUT Trackware bydou runtime detection (spyware-put.rules)
 * 1:10168 <-> DISABLED <-> BACKDOOR one runtime detection (backdoor.rules)
 * 1:10112 <-> ENABLED <-> BACKDOOR rix3 1.0 runtime detection - init connection (backdoor.rules)
 * 1:10188 <-> DISABLED <-> FTP Ipswitch Ws_ftp XMD5 overflow attempt (ftp.rules)
 * 1:7710 <-> ENABLED <-> BACKDOOR fear1.5/aciddrop1.0 runtime detection - initial connection (backdoor.rules)
 * 1:10407 <-> DISABLED <-> EXPLOIT Helix Server LoadTestPassword buffer overflow attempt (exploit.rules)
 * 1:10109 <-> ENABLED <-> BACKDOOR k-msnrat 1.0.0 runtime detection - init connection (backdoor.rules)
 * 1:6090 <-> ENABLED <-> BACKDOOR a trojan 2.0 runtime detection - get memory info (backdoor.rules)
 * 1:10092 <-> ENABLED <-> SPYWARE-PUT Trackware russian searchbar runtime detection (spyware-put.rules)
 * 1:6092 <-> ENABLED <-> BACKDOOR a trojan 2.0 runtime detection - get harddisk info (backdoor.rules)
 * 1:9831 <-> ENABLED <-> SPYWARE-PUT Adware u88 runtime detection (spyware-put.rules)
 * 1:7718 <-> ENABLED <-> BACKDOOR dameware mini remote control runtime detection - initial connection - flowbit set (backdoor.rules)
 * 1:10093 <-> ENABLED <-> SPYWARE-PUT Hijacker kuaiso toolbar runtime detection (spyware-put.rules)
 * 1:6094 <-> ENABLED <-> BACKDOOR a trojan 2.0 runtime detection - get drive info (backdoor.rules)
 * 1:6096 <-> ENABLED <-> BACKDOOR a trojan 2.0 runtime detection - get system info (backdoor.rules)
 * 1:6109 <-> ENABLED <-> BACKDOOR dagger v1.1.40 runtime detection (backdoor.rules)
 * 1:7708 <-> ENABLED <-> BACKDOOR fear1.5/aciddrop1.0 runtime detection - initial connection - flowbit set (backdoor.rules)
 * 1:611 <-> ENABLED <-> RSERVICES rlogin login failure (rservices.rules)
 * 1:6110 <-> ENABLED <-> BACKDOOR forced entry v1.1 beta runtime detection (backdoor.rules)
 * 1:6111 <-> ENABLED <-> BACKDOOR optix 1.32 runtime detection - init conn (backdoor.rules)
 * 1:6113 <-> ENABLED <-> BACKDOOR optix 1.32 runtime detection - init conn (backdoor.rules)
 * 1:6117 <-> ENABLED <-> BACKDOOR fore v1.0 beta runtime detection - init conn (backdoor.rules)
 * 1:6119 <-> ENABLED <-> BACKDOOR net runner runtime detection - initial connection server-to-client (backdoor.rules)
 * 1:6121 <-> ENABLED <-> BACKDOOR net runner runtime detection - download file server-to-client (backdoor.rules)
 * 1:6130 <-> ENABLED <-> BACKDOOR chupacabra 1.0 runtime detection - get computer name (backdoor.rules)
 * 1:6132 <-> ENABLED <-> BACKDOOR chupacabra 1.0 runtime detection - get user name (backdoor.rules)
 * 1:6141 <-> DISABLED <-> BACKDOOR hellzaddiction v1.0e runtime detection - init conn (backdoor.rules)
 * 1:6142 <-> ENABLED <-> BACKDOOR hellzaddiction v1.0e runtime detection - ftp open (backdoor.rules)
 * 1:6145 <-> DISABLED <-> BACKDOOR mantis runtime detection - sent notify option server-to-client (backdoor.rules)
 * 1:6148 <-> ENABLED <-> BACKDOOR mantis runtime detection - go to address server-to-client (backdoor.rules)
 * 1:6150 <-> ENABLED <-> BACKDOOR netcontrol v1.0.8 runtime detection (backdoor.rules)
 * 1:6151 <-> ENABLED <-> BACKDOOR back attack v1.4 runtime detection (backdoor.rules)
 * 1:6161 <-> ENABLED <-> BACKDOOR furax 1.0 b2 runtime detection (backdoor.rules)
 * 1:6164 <-> ENABLED <-> BACKDOOR psyrat 1.0 runtime detection (backdoor.rules)
 * 1:6165 <-> ENABLED <-> BACKDOOR psyrat 1.0 runtime detection (backdoor.rules)
 * 1:6166 <-> ENABLED <-> BACKDOOR unicorn runtime detection - initial connection (backdoor.rules)
 * 1:6168 <-> ENABLED <-> BACKDOOR unicorn runtime detection - set wallpaper server-to-client (backdoor.rules)
 * 1:6170 <-> ENABLED <-> BACKDOOR digital rootbeer runtime detection (backdoor.rules)
 * 1:6172 <-> ENABLED <-> BACKDOOR cookie monster 0.24 runtime detection - get version info (backdoor.rules)
 * 1:6174 <-> DISABLED <-> BACKDOOR cookie monster 0.24 runtime detection - file explorer (backdoor.rules)
 * 1:6176 <-> DISABLED <-> BACKDOOR guptachar 2.0 runtime detection (backdoor.rules)
 * 1:6179 <-> ENABLED <-> BACKDOOR bladerunner 0.80 runtime detection (backdoor.rules)
 * 1:6181 <-> ENABLED <-> BACKDOOR netraider 0.0 runtime detection (backdoor.rules)
 * 1:6205 <-> ENABLED <-> SPYWARE-PUT Hacker-Tool freak 88 das runtime detection (spyware-put.rules)
 * 1:6286 <-> ENABLED <-> BACKDOOR antilamer 1.1 runtime detection (backdoor.rules)
 * 1:6287 <-> ENABLED <-> BACKDOOR fictional daemon 4.4 runtime detection - telent (backdoor.rules)
 * 1:6288 <-> ENABLED <-> BACKDOOR fictional daemon 4.4 runtime detection - ftp (backdoor.rules)
 * 1:6290 <-> DISABLED <-> BACKDOOR netspy runtime detection - command pattern server-to-client (backdoor.rules)
 * 1:6292 <-> ENABLED <-> BACKDOOR joker ddos v1.0.1 runtime detection - initial connection (backdoor.rules)
 * 1:6294 <-> ENABLED <-> BACKDOOR joker ddos v1.0.1 runtime detection - bomb - second flowbit (backdoor.rules)
 * 1:6303 <-> ENABLED <-> BACKDOOR cia runtime detection - initial connection (backdoor.rules)
 * 1:6304 <-> ENABLED <-> BACKDOOR softwar shadowthief runtime detection - initial connection - set flowbit (backdoor.rules)
 * 1:6305 <-> ENABLED <-> BACKDOOR softwar shadowthief runtime detection - initial connection (backdoor.rules)
 * 1:6306 <-> ENABLED <-> BACKDOOR shit heep runtime detection (backdoor.rules)
 * 1:6307 <-> ENABLED <-> BACKDOOR lamespy runtime detection - initial connection - set flowbit (backdoor.rules)
 * 1:6308 <-> ENABLED <-> BACKDOOR lamespy runtime detection - initial connection (backdoor.rules)
 * 1:6309 <-> ENABLED <-> BACKDOOR net demon runtime detection - initial connection - password request (backdoor.rules)
 * 1:6311 <-> ENABLED <-> BACKDOOR net demon runtime detection - initial connection - password accepted (backdoor.rules)
 * 1:6313 <-> ENABLED <-> BACKDOOR net demon runtime detection - message response (backdoor.rules)
 * 1:6315 <-> ENABLED <-> BACKDOOR net demon runtime detection - open browser response (backdoor.rules)
 * 1:6317 <-> ENABLED <-> BACKDOOR net demon runtime detection - file manager response (backdoor.rules)
 * 1:6318 <-> ENABLED <-> BACKDOOR rtb666 runtime detection (backdoor.rules)
 * 1:6319 <-> ENABLED <-> BACKDOOR evilftp runtime detection - init connection (backdoor.rules)
 * 1:6324 <-> DISABLED <-> BACKDOOR 3xBackdoor runtime detection (backdoor.rules)
 * 1:6325 <-> ENABLED <-> BACKDOOR fucktrojan 1.2 runtime detection - initial connection (backdoor.rules)
 * 1:6327 <-> ENABLED <-> BACKDOOR fucktrojan 1.2 runtime detection - flood (backdoor.rules)
 * 1:6328 <-> ENABLED <-> BACKDOOR commando runtime detection - initial connection (backdoor.rules)
 * 1:6330 <-> ENABLED <-> BACKDOOR commando runtime detection - chat server-to-client (backdoor.rules)
 * 1:6332 <-> ENABLED <-> BACKDOOR globalkiller1.0 runtime detection - initial connection (backdoor.rules)
 * 1:6333 <-> ENABLED <-> BACKDOOR wincrash 2.0 runtime detection (backdoor.rules)
 * 1:6334 <-> ENABLED <-> BACKDOOR backlash runtime detection (backdoor.rules)
 * 1:6336 <-> DISABLED <-> BACKDOOR buttman v0.9p runtime detection - remote control (backdoor.rules)
 * 1:6338 <-> ENABLED <-> BACKDOOR hatredfriend file manage command (backdoor.rules)
 * 1:6395 <-> DISABLED <-> BACKDOOR a-311 death runtime detection - initial connection server-to-client (backdoor.rules)
 * 1:6399 <-> ENABLED <-> BACKDOOR rad 1.2.3 runtime detection (backdoor.rules)
 * 1:6401 <-> ENABLED <-> BACKDOOR snowdoor runtime detection server-to-client (backdoor.rules)
 * 1:6473 <-> ENABLED <-> BACKDOOR bugs runtime detection - file manager server-to-client (backdoor.rules)
 * 1:6476 <-> ENABLED <-> BACKDOOR badrat 1.1 runtime detection (backdoor.rules)
 * 1:6498 <-> ENABLED <-> BACKDOOR exploiter 1.0 runtime detection (backdoor.rules)
 * 1:6499 <-> DISABLED <-> BACKDOOR omerta 1.3 runtime detection (backdoor.rules)
 * 1:6509 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer mhtml uri href buffer overflow attempt (web-client.rules)
 * 1:688 <-> ENABLED <-> SQL sa login failed (sql.rules)
 * 1:7058 <-> ENABLED <-> BACKDOOR charon runtime detection - download file flowbit 1 (backdoor.rules)
 * 1:7060 <-> ENABLED <-> BACKDOOR charon runtime detection - download file/log (backdoor.rules)
 * 1:7061 <-> ENABLED <-> BACKDOOR charon runtime detection - download log flowbit 1 (backdoor.rules)
 * 1:7070 <-> DISABLED <-> WEB-MISC Microsoft Internet Explorer encoded cross site scripting attempt (web-misc.rules)
 * 1:7072 <-> ENABLED <-> BACKDOOR fraggle rock 2.0 lite runtime detection - pc info (backdoor.rules)
 * 1:7078 <-> ENABLED <-> BACKDOOR up and run v1.0 beta runtime detection flowbit 1 (backdoor.rules)
 * 1:7085 <-> ENABLED <-> BACKDOOR erazer v1.1 runtime detection (backdoor.rules)
 * 1:7105 <-> ENABLED <-> BACKDOOR aol admin runtime detection (backdoor.rules)
 * 1:7114 <-> ENABLED <-> BACKDOOR donalddick v1.5b3 runtime detection (backdoor.rules)
 * 1:7160 <-> ENABLED <-> SPYWARE-PUT Keylogger win-spy runtime detection - upload file server-to-client (spyware-put.rules)
 * 1:7176 <-> ENABLED <-> SPYWARE-PUT Keylogger ab system spy runtime detection - log retrieve (spyware-put.rules)
 * 1:719 <-> DISABLED <-> TELNET root login (telnet.rules)
 * 1:7512 <-> ENABLED <-> SPYWARE-PUT Keylogger watchdog runtime detection - init connection - flowbit set (spyware-put.rules)
 * 1:7586 <-> DISABLED <-> SPYWARE-PUT Hacker-Tool clandestine runtime detection - image transferred (spyware-put.rules)
 * 1:7609 <-> ENABLED <-> BACKDOOR katux 2.0 runtime detection - chat (backdoor.rules)
 * 1:7621 <-> ENABLED <-> BACKDOOR remote control 1.7 runtime detection - connection request - flowbit 2 (backdoor.rules)
 * 1:7627 <-> ENABLED <-> BACKDOOR skyrat show runtime detection - initial connection - flowbit 3 (backdoor.rules)
 * 1:7632 <-> ENABLED <-> BACKDOOR hornet 1.0 runtime detection - fetch system info (backdoor.rules)
 * 1:7642 <-> DISABLED <-> BACKDOOR am remote client runtime detection - server-to-client (backdoor.rules)
 * 1:7651 <-> DISABLED <-> BACKDOOR small uploader 1.01 runtime detection - initial connection (backdoor.rules)
 * 1:7667 <-> ENABLED <-> BACKDOOR screen control 1.0 runtime detection - capture on port 2208 (backdoor.rules)
 * 1:7673 <-> ENABLED <-> BACKDOOR remote havoc runtime detection - flowbit set 1 (backdoor.rules)
 * 1:7681 <-> ENABLED <-> BACKDOOR cool remote control 1.12 runtime detection - download file (backdoor.rules)
 * 1:7688 <-> ENABLED <-> BACKDOOR illusion runtime detection - file browser server-to-client (backdoor.rules)
 * 1:7703 <-> DISABLED <-> BACKDOOR roach 1.0 runtime detection - remote control actions (backdoor.rules)
 * 1:10449 <-> ENABLED <-> BACKDOOR acid shivers runtime detection - init telnet connection (backdoor.rules)
 * 1:10167 <-> DISABLED <-> SPYWARE-PUT Keylogger radar spy 1.0 runtime detection - send html log (spyware-put.rules)
 * 1:10461 <-> ENABLED <-> BACKDOOR winicabras 1.1 runtime detection - get system info (backdoor.rules)
 * 1:11314 <-> ENABLED <-> BACKDOOR shadownet remote spy 2.0 runtime detection (backdoor.rules)
 * 1:11322 <-> ENABLED <-> BACKDOOR sohoanywhere runtime detection (backdoor.rules)
 * 1:118 <-> DISABLED <-> BACKDOOR SatansBackdoor.2.0.Beta (backdoor.rules)
 * 1:11965 <-> DISABLED <-> WEB-MISC SSLv2 Server_Hello request from TLSv1 Client_Hello request (web-misc.rules)
 * 1:12099 <-> DISABLED <-> MISC Microsoft Office Excel rtWindow1 record handling arbitrary code execution attempt (misc.rules)
 * 1:12149 <-> ENABLED <-> BACKDOOR back orifice 2006 - v1.1.5 runtime detection - init connection (backdoor.rules)
 * 1:12157 <-> ENABLED <-> BACKDOOR optix pro v1.32 runtime detection - upload file (backdoor.rules)
 * 1:12184 <-> DISABLED <-> MISC Microsoft Office Excel workbook workspace designation handling arbitrary code execution attempt (misc.rules)
 * 1:12237 <-> ENABLED <-> BACKDOOR theef 2.10 runtime detection - ftp (backdoor.rules)
 * 1:12359 <-> DISABLED <-> VOIP-SKINNY-TCP Asterisk data length field overflow attempt (voip.rules)
 * 1:12379 <-> ENABLED <-> SPYWARE-PUT Keylogger PaqKeylogger 5.1 runtime detection - ftp (spyware-put.rules)
 * 1:12448 <-> ENABLED <-> WEB-ACTIVEX Microsoft Agent Control ActiveX clsid access (web-activex.rules)
 * 1:1252 <-> DISABLED <-> TELNET bsd telnet exploit response (telnet.rules)
 * 1:12629 <-> DISABLED <-> WEB-MISC Microsoft Windows sharepoint cross site scripting attempt (web-misc.rules)
 * 1:12664 <-> ENABLED <-> MISC Microsoft Windows ShellExecute and Internet Explorer 7 url handling code execution attempt (misc.rules)
 * 1:12676 <-> ENABLED <-> SPYWARE-PUT Conspy Update Checking Detected (spyware-put.rules)
 * 1:12678 <-> ENABLED <-> SPYWARE-PUT SpyTech Realtime Spy Detection (spyware-put.rules)
 * 1:12679 <-> ENABLED <-> SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar user-agent detection (spyware-put.rules)
 * 1:12699 <-> ENABLED <-> BACKDOOR poison ivy 2.3.0 runtime detection - init connection (backdoor.rules)
 * 1:12724 <-> ENABLED <-> BACKDOOR dark moon 4.11 runtime detection (backdoor.rules)
 * 1:12727 <-> ENABLED <-> BACKDOOR bandook 1.35 runtime detection (backdoor.rules)
 * 1:12972 <-> DISABLED <-> FILE-IDENTIFY Microsoft Media Player .asf file magic detection (file-identify.rules)
 * 1:13246 <-> ENABLED <-> BACKDOOR troya 1.4 runtime detection - init connection (backdoor.rules)
 * 1:13247 <-> ENABLED <-> BACKDOOR yuri 1.2 runtime detection - init connection (backdoor.rules)
 * 1:13249 <-> DISABLED <-> DNS dns response for rfc1918 10/8 address detected (dns.rules)
 * 1:13347 <-> ENABLED <-> SPYWARE-PUT Snoopware remote desktop inspector runtime detection - init connection (spyware-put.rules)
 * 1:13357 <-> DISABLED <-> POLICY failed mysql login attempt (policy.rules)
 * 1:13358 <-> DISABLED <-> POLICY mysql login attempt from unauthorized location (policy.rules)
 * 1:13359 <-> DISABLED <-> POLICY failed IMAP login attempt - invalid username/password (policy.rules)
 * 1:10454 <-> ENABLED <-> BACKDOOR [x]-ztoo 1.0 runtime detection - init connection (backdoor.rules)
 * 1:10456 <-> ENABLED <-> BACKDOOR [x]-ztoo 1.0 runtime detection - get system info (backdoor.rules)
 * 1:10457 <-> ENABLED <-> BACKDOOR [x]-ztoo 1.0 runtime detection - start keylogger (backdoor.rules)
 * 1:10459 <-> ENABLED <-> BACKDOOR wineggdrop shell pro runtime detection - init connection (backdoor.rules)
 * 1:10463 <-> ENABLED <-> BACKDOOR winicabras 1.1 runtime detection - explorer (backdoor.rules)
 * 1:10475 <-> ENABLED <-> MISC Microsoft Windows UPnP notification type overflow attempt (misc.rules)
 * 1:105 <-> DISABLED <-> BACKDOOR - Dagger_1.4.0 (backdoor.rules)
 * 1:1079 <-> DISABLED <-> WEB-MISC Microsoft Windows WebDAV propfind access (web-misc.rules)
 * 1:11316 <-> ENABLED <-> BACKDOOR lurker 1.1 runtime detection - init connection (backdoor.rules)
 * 1:11317 <-> DISABLED <-> BACKDOOR abremote pro 3.1 runtime detection - init connection (backdoor.rules)
 * 1:11318 <-> ENABLED <-> BACKDOOR boer runtime detection - init connection (backdoor.rules)
 * 1:11319 <-> ENABLED <-> BACKDOOR netwindow runtime detection - init connection request (backdoor.rules)
 * 1:115 <-> DISABLED <-> BACKDOOR NetBus Pro 2.0 connection established (backdoor.rules)
 * 1:1156 <-> ENABLED <-> WEB-MISC apache directory disclosure attempt (web-misc.rules)
 * 1:11671 <-> DISABLED <-> WEB-MISC SSLv2 Server_Hello request from SSLv3 Client_Hello request (web-misc.rules)
 * 1:117 <-> DISABLED <-> BACKDOOR Infector.1.x (backdoor.rules)
 * 1:11836 <-> ENABLED <-> MISC Mircrosoft Office Visio version number anomaly (misc.rules)
 * 1:11838 <-> DISABLED <-> WEB-MISC Microsoft Windows API res buffer overflow attempt (web-misc.rules)
 * 1:119 <-> DISABLED <-> BACKDOOR Doly 2.0 access (backdoor.rules)
 * 1:11950 <-> ENABLED <-> BACKDOOR killav_gj (backdoor.rules)
 * 1:12051 <-> ENABLED <-> BACKDOOR ultimate rat 2.1 runtime detection (backdoor.rules)
 * 1:12052 <-> ENABLED <-> BACKDOOR the[x] 1.2 runtime detection - execute command (backdoor.rules)
 * 1:12055 <-> ENABLED <-> BACKDOOR tron runtime detection - init connection (backdoor.rules)
 * 1:12069 <-> ENABLED <-> EXPLOIT Microsoft Windows Active Directory Crafted LDAP ModifyRequest (exploit.rules)
 * 1:12138 <-> ENABLED <-> SPYWARE-PUT Adware zamingo runtime detection (spyware-put.rules)
 * 1:12143 <-> ENABLED <-> BACKDOOR access remote pc runtime detection - init connection (backdoor.rules)
 * 1:12145 <-> ENABLED <-> BACKDOOR access remote pc runtime detection - rpc setup (backdoor.rules)
 * 1:12147 <-> ENABLED <-> BACKDOOR blue eye 1.0b runtime detection - init connection (backdoor.rules)
 * 1:12152 <-> ENABLED <-> BACKDOOR optix pro v1.32 runtime detection - init connection (backdoor.rules)
 * 1:12153 <-> ENABLED <-> BACKDOOR optix pro v1.32 runtime detection - download file (backdoor.rules)
 * 1:12154 <-> ENABLED <-> BACKDOOR optix pro v1.32 runtime detection - download file (backdoor.rules)
 * 1:12155 <-> ENABLED <-> BACKDOOR optix pro v1.32 runtime detection - download file (backdoor.rules)
 * 1:12158 <-> ENABLED <-> BACKDOOR optix pro v1.32 runtime detection - upload file (backdoor.rules)
 * 1:12159 <-> ENABLED <-> BACKDOOR optix pro v1.32 runtime detection - keylogging (backdoor.rules)
 * 1:12161 <-> ENABLED <-> BACKDOOR optix pro v1.32 runtime detection - screen capturing (backdoor.rules)
 * 1:12162 <-> ENABLED <-> BACKDOOR optix pro v1.32 runtime detection - screen capturing (backdoor.rules)
 * 1:12225 <-> ENABLED <-> SPYWARE-PUT Adware zango2007 toolbar runtime detection (spyware-put.rules)
 * 1:12233 <-> ENABLED <-> BACKDOOR theef 2.10 runtime detection - connect with no password (backdoor.rules)
 * 1:12234 <-> ENABLED <-> BACKDOOR theef 2.10 runtime detection - connect with no password (backdoor.rules)
 * 1:12235 <-> ENABLED <-> BACKDOOR theef 2.10 runtime detection - connect with password (backdoor.rules)
 * 1:12239 <-> ENABLED <-> BACKDOOR webcenter v1.0 Backdoor - init connection (backdoor.rules)
 * 1:12245 <-> ENABLED <-> BACKDOOR furax 1.0 b3 runtime detection (backdoor.rules)
 * 1:12297 <-> ENABLED <-> BACKDOOR bifrost v1.2.1 runtime detection (backdoor.rules)
 * 1:1233 <-> ENABLED <-> FILE-IDENTIFY Outlook EML file download request (file-identify.rules)
 * 1:12362 <-> ENABLED <-> WEB-MISC Squid HTTP Proxy-Authorization overflow (web-misc.rules)
 * 1:12374 <-> ENABLED <-> BACKDOOR radmin 3.0 runtime detection - initial connection (backdoor.rules)
 * 1:12376 <-> ENABLED <-> BACKDOOR radmin 3.0 runtime detection - login & remote control (backdoor.rules)
 * 1:12378 <-> ENABLED <-> BACKDOOR shark 2.3.2 runtime detection (backdoor.rules)
 * 3:13287 <-> ENABLED <-> BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt (bad-traffic.rules)
 * 3:16531 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)