Sourcefire VRT Rules Update

Date: 2012-03-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:21491 <-> DISABLED <-> SCADA Sielco Sistemi Winlog Pro stack buffer overflow attempt (scada.rules)
 * 1:21478 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules)
 * 1:21489 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Windows chm file malware related exploit (specific-threats.rules)
 * 1:21482 <-> DISABLED <-> SCADA Measuresoft ScadaPro remote command injection attempt (scada.rules)
 * 1:21488 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user agent GetRight (blacklist.rules)
 * 1:21480 <-> DISABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:21483 <-> DISABLED <-> SCADA Metasploit Moxa Device Manager buffer overflow attempt (scada.rules)
 * 1:21486 <-> DISABLED <-> BOTNET-CNC Win32.Trojan.Zbot variant outbound connection (botnet-cnc.rules)
 * 1:21479 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules)
 * 1:21487 <-> DISABLED <-> BOTNET-CNC Trojan.Palevo variant outbound connection (botnet-cnc.rules)
 * 1:21484 <-> DISABLED <-> WEB-CLIENT ScadaTec ScadaPhone zip file name buffer overflow attempt (scada.rules)
 * 1:21477 <-> DISABLED <-> BOTNET-CNC Trojan.Noobot outbound connection (botnet-cnc.rules)
 * 1:21485 <-> DISABLED <-> DOS EMC RepliStor denial of service attempt (dos.rules)
 * 1:21492 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page with specific structure - catch qq (specific-threats.rules)
 * 1:21481 <-> ENABLED <-> WEB-CLIENT Java Web Start arbitrary command execution attempt (web-client.rules)
 * 1:21490 <-> DISABLED <-> SCADA General Electric d20me configuration retrieval attempt (scada.rules)

Modified Rules:
 * 1:117 <-> DISABLED <-> BACKDOOR Infector.1.x (backdoor.rules)
 * 1:1010 <-> DISABLED <-> WEB-IIS encoding access (web-iis.rules)
 * 1:1042 <-> DISABLED <-> WEB-IIS view source via translate header (web-iis.rules)
 * 1:1044 <-> DISABLED <-> WEB-IIS webhits access (web-iis.rules)
 * 1:105 <-> DISABLED <-> BACKDOOR - Dagger_1.4.0 (backdoor.rules)
 * 1:1070 <-> DISABLED <-> WEB-MISC WebDAV search access (web-misc.rules)
 * 1:1085 <-> DISABLED <-> WEB-PHP strings overflow (web-php.rules)
 * 1:1086 <-> DISABLED <-> WEB-PHP strings overflow (web-php.rules)
 * 1:1099 <-> DISABLED <-> WEB-MISC cybercop scan (web-misc.rules)
 * 1:110 <-> DISABLED <-> BACKDOOR netbus getinfo (backdoor.rules)
 * 1:1100 <-> DISABLED <-> WEB-MISC L3retriever HTTP Probe (web-misc.rules)
 * 1:1101 <-> DISABLED <-> WEB-MISC Webtrends HTTP probe (web-misc.rules)
 * 1:1102 <-> DISABLED <-> WEB-MISC nessus 1.X 404 probe (web-misc.rules)
 * 1:1132 <-> DISABLED <-> WEB-MISC Netscape Unixware overflow (web-misc.rules)
 * 1:1133 <-> DISABLED <-> SCAN cybercop os probe (scan.rules)
 * 1:1134 <-> DISABLED <-> WEB-PHP Phorum admin access (web-php.rules)
 * 1:1137 <-> DISABLED <-> WEB-PHP Phorum authentication access (web-php.rules)
 * 1:1140 <-> DISABLED <-> WEB-MISC guestbook.pl access (web-misc.rules)
 * 1:1141 <-> DISABLED <-> WEB-MISC handler access (web-misc.rules)
 * 1:1158 <-> DISABLED <-> WEB-MISC windmail.exe access (web-misc.rules)
 * 1:1160 <-> DISABLED <-> WEB-MISC Netscape dir index wp (web-misc.rules)
 * 1:1161 <-> DISABLED <-> WEB-PHP piranha passwd.php3 access (web-php.rules)
 * 1:1178 <-> DISABLED <-> WEB-PHP Phorum read access (web-php.rules)
 * 1:1179 <-> DISABLED <-> WEB-PHP Phorum violation access (web-php.rules)
 * 1:1180 <-> DISABLED <-> WEB-MISC get32.exe access (web-misc.rules)
 * 1:1181 <-> DISABLED <-> WEB-MISC Annex Terminal DOS attempt (web-misc.rules)
 * 1:119 <-> DISABLED <-> BACKDOOR Doly 2.0 access (backdoor.rules)
 * 1:1196 <-> DISABLED <-> WEB-CGI SGI InfoSearch fname attempt (web-cgi.rules)
 * 1:1197 <-> DISABLED <-> WEB-PHP Phorum code access (web-php.rules)
 * 1:1199 <-> DISABLED <-> WEB-MISC Compaq Insight directory traversal (web-misc.rules)
 * 1:12182 <-> ENABLED <-> FILE-IDENTIFY Adobe Flash Player FLV file magic detected (file-identify.rules)
 * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules)
 * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules)
 * 1:12283 <-> DISABLED <-> FILE-IDENTIFY Microsoft Office Excel xlw file magic detected (file-identify.rules)
 * 1:1242 <-> DISABLED <-> WEB-IIS ISAPI .ida access (web-iis.rules)
 * 1:1243 <-> DISABLED <-> WEB-IIS ISAPI .ida attempt (web-iis.rules)
 * 1:1244 <-> DISABLED <-> WEB-IIS ISAPI .idq attempt (web-iis.rules)
 * 1:1245 <-> DISABLED <-> WEB-IIS ISAPI .idq access (web-iis.rules)
 * 1:12454 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Media ASF file magic detected (file-identify.rules)
 * 1:12456 <-> DISABLED <-> FILE-IDENTIFY Crystal Reports file magic detected (file-identify.rules)
 * 1:1248 <-> DISABLED <-> WEB-FRONTPAGE rad fp30reg.dll access (web-frontpage.rules)
 * 1:1262 <-> DISABLED <-> RPC portmap admind request TCP (rpc.rules)
 * 1:1264 <-> DISABLED <-> RPC portmap bootparam request TCP (rpc.rules)
 * 1:12641 <-> DISABLED <-> FILE-IDENTIFY Microsoft Word for Mac 5 file magic detected (file-identify.rules)
 * 1:1265 <-> DISABLED <-> RPC portmap cmsd request TCP (rpc.rules)
 * 1:1267 <-> DISABLED <-> RPC portmap nisd request TCP (rpc.rules)
 * 1:1269 <-> DISABLED <-> RPC portmap rexd request TCP (rpc.rules)
 * 1:1270 <-> DISABLED <-> RPC portmap rstatd request TCP (rpc.rules)
 * 1:1271 <-> DISABLED <-> RPC portmap rusers request TCP (rpc.rules)
 * 1:1272 <-> DISABLED <-> RPC portmap sadmind request TCP (rpc.rules)
 * 1:1274 <-> DISABLED <-> RPC portmap ttdbserv request TCP (rpc.rules)
 * 1:1275 <-> DISABLED <-> RPC portmap yppasswd request TCP (rpc.rules)
 * 1:1276 <-> DISABLED <-> RPC portmap ypserv request TCP (rpc.rules)
 * 1:1280 <-> DISABLED <-> RPC portmap listing UDP 111 (rpc.rules)
 * 1:1281 <-> DISABLED <-> RPC portmap listing UDP 32771 (rpc.rules)
 * 1:12972 <-> ENABLED <-> FILE-IDENTIFY Microsoft Media Player .asf file magic detected (file-identify.rules)
 * 1:13585 <-> ENABLED <-> FILE-IDENTIFY Microsoft SYmbolic LinK file magic detected (file-identify.rules)
 * 1:13626 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Access file magic detected (file-identify.rules)
 * 1:13629 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Access JSDB file magic detected (file-identify.rules)
 * 1:13630 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Access TJDB file magic detected (file-identify.rules)
 * 1:13633 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Access MSISAM file magic detected (file-identify.rules)
 * 1:13797 <-> DISABLED <-> FILE-IDENTIFY Portable Executable compact binary file magic detected (file-identify.rules)
 * 1:14265 <-> DISABLED <-> SCADA CitectSCADA ODBC buffer overflow attempt (scada.rules)
 * 1:1435 <-> DISABLED <-> DNS named authors attempt (dns.rules)
 * 1:1437 <-> DISABLED <-> FILE-IDENTIFY Windows Media download detected (file-identify.rules)
 * 1:144 <-> DISABLED <-> FTP ADMw0rm ftp login attempt (ftp.rules)
 * 1:146 <-> DISABLED <-> BACKDOOR NetSphere access (backdoor.rules)
 * 1:15306 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (file-identify.rules)
 * 1:1538 <-> DISABLED <-> NNTP AUTHINFO USER overflow attempt (nntp.rules)
 * 1:15448 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP srvsvc NetrShareEnum null policy handle attempt (netbios.rules)
 * 1:15575 <-> DISABLED <-> FILE-IDENTIFY WordPerfect file magic detected (file-identify.rules)
 * 1:1587 <-> DISABLED <-> WEB-MISC cgitest.exe access (web-misc.rules)
 * 1:161 <-> DISABLED <-> BACKDOOR Matrix 2.0 Client connect (backdoor.rules)
 * 1:1610 <-> DISABLED <-> WEB-CGI formmail arbitrary command execution attempt (web-cgi.rules)
 * 1:1613 <-> DISABLED <-> WEB-MISC handler attempt (web-misc.rules)
 * 1:16143 <-> ENABLED <-> FILE-IDENTIFY Microsoft asf file magic detected (file-identify.rules)
 * 1:16144 <-> ENABLED <-> BOTNET-CNC Bredolab bot contact to C&C server attempt (botnet-cnc.rules)
 * 1:1616 <-> DISABLED <-> DNS named version attempt (dns.rules)
 * 1:162 <-> DISABLED <-> BACKDOOR Matrix 2.0 Server access (backdoor.rules)
 * 1:163 <-> DISABLED <-> BACKDOOR WinCrash 1.0 Server Active (backdoor.rules)
 * 1:1637 <-> DISABLED <-> WEB-CGI yabb access (web-cgi.rules)
 * 1:16434 <-> DISABLED <-> FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.51-v0.61 packed file magic detected (file-identify.rules)
 * 1:16435 <-> DISABLED <-> FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file magic detected (file-identify.rules)
 * 1:16436 <-> DISABLED <-> FILE-IDENTIFY Ultimate Packer for Executables/UPX v2.90,v2.93-3.00 packed file magic detected (file-identify.rules)
 * 1:1644 <-> DISABLED <-> WEB-CGI test-cgi attempt (web-cgi.rules)
 * 1:16474 <-> DISABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:16475 <-> DISABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (file-identify.rules)
 * 1:1648 <-> DISABLED <-> WEB-CGI perl.exe command attempt (web-cgi.rules)
 * 1:1649 <-> DISABLED <-> WEB-CGI perl command attempt (web-cgi.rules)
 * 1:16585 <-> ENABLED <-> WEB-CLIENT Java Web Start arbitrary command execution attempt (web-client.rules)
 * 1:1700 <-> DISABLED <-> WEB-CGI imagemap.exe access (web-cgi.rules)
 * 1:17229 <-> ENABLED <-> FILE-IDENTIFY Tiff little endian file magic detected (file-identify.rules)
 * 1:17230 <-> DISABLED <-> FILE-IDENTIFY Tiff big endian file magic detected (file-identify.rules)
 * 1:1727 <-> DISABLED <-> WEB-CGI SGI InfoSearch fname access (web-cgi.rules)
 * 1:17314 <-> ENABLED <-> FILE-IDENTIFY OLE Document file magic detected (file-identify.rules)
 * 1:1762 <-> DISABLED <-> WEB-CGI phf arbitrary command execution attempt (web-cgi.rules)
 * 1:17801 <-> ENABLED <-> FILE-IDENTIFY Adobe Director Movie file magic detected (file-identify.rules)
 * 1:185 <-> DISABLED <-> BACKDOOR CDK (backdoor.rules)
 * 1:18939 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:18944 <-> DISABLED <-> BOTNET-CNC URI request for known malicious URI - Suspected Crimepack (botnet-cnc.rules)
 * 1:18983 <-> ENABLED <-> FILE-IDENTIFY Apple Mach-O executable file magic detected (file-identify.rules)
 * 1:19016 <-> ENABLED <-> BOTNET-CNC MacBack Trojan outbound connection attempt (botnet-cnc.rules)
 * 1:19017 <-> ENABLED <-> BOTNET-CNC MacBack Trojan outbound connection attempt (botnet-cnc.rules)
 * 1:19018 <-> ENABLED <-> BOTNET-CNC MacBack Trojan outbound connection attempt (botnet-cnc.rules)
 * 1:19019 <-> ENABLED <-> BOTNET-CNC MacBack Trojan outbound connection attempt (botnet-cnc.rules)
 * 1:19128 <-> DISABLED <-> FILE-IDENTIFY RealNetworks Realplayer REC file magic detected (file-identify.rules)
 * 1:19129 <-> DISABLED <-> FILE-IDENTIFY RealNetworks Realplayer .r1m file magic detected (file-identify.rules)
 * 1:19166 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel file magic detected (file-identify.rules)
 * 1:1924 <-> DISABLED <-> RPC mountd UDP export request (rpc.rules)
 * 1:1925 <-> DISABLED <-> RPC mountd TCP exportall request (rpc.rules)
 * 1:1926 <-> DISABLED <-> RPC mountd UDP exportall request (rpc.rules)
 * 1:19422 <-> DISABLED <-> FILE-IDENTIFY matroska file magic detected (file-identify.rules)
 * 1:1948 <-> DISABLED <-> DNS zone transfer UDP (dns.rules)
 * 1:195 <-> DISABLED <-> BACKDOOR DeepThroat 3.1 Server Response (backdoor.rules)
 * 1:19711 <-> ENABLED <-> BOTNET-CNC Trojan.Jorik contact to server attempt (botnet-cnc.rules)
 * 1:1982 <-> DISABLED <-> BACKDOOR DeepThroat 3.1 Server Response [3150] (backdoor.rules)
 * 1:19835 <-> DISABLED <-> SPYWARE-PUT Delphi-Piette Windows (spyware-put.rules)
 * 1:1984 <-> DISABLED <-> BACKDOOR DeepThroat 3.1 Server Response [4120] (backdoor.rules)
 * 1:19907 <-> ENABLED <-> FILE-IDENTIFY PICT file magic detected (file-identify.rules)
 * 1:2016 <-> DISABLED <-> RPC portmap status request TCP (rpc.rules)
 * 1:20172 <-> DISABLED <-> FILE-IDENTIFY Metastock mwl file magic detected (file-identify.rules)
 * 1:20202 <-> ENABLED <-> BOTNET-CNC OSX.Revir-1 outbound connection (botnet-cnc.rules)
 * 1:20450 <-> DISABLED <-> FILE-IDENTIFY MPEG video stream file magic detected (file-identify.rules)
 * 1:20451 <-> DISABLED <-> FILE-IDENTIFY MPEG sys stream file magic detected (file-identify.rules)
 * 1:20452 <-> DISABLED <-> FILE-IDENTIFY GZip file magic detected (file-identify.rules)
 * 1:20453 <-> DISABLED <-> FILE-IDENTIFY Script encoder file magic detected (file-identify.rules)
 * 1:20454 <-> DISABLED <-> FILE-IDENTIFY Postscript file magic detected (file-identify.rules)
 * 1:20455 <-> DISABLED <-> FILE-IDENTIFY BinHex file magic detected (file-identify.rules)
 * 1:20456 <-> DISABLED <-> FILE-IDENTIFY RealNetworks Real Media file magic detected (file-identify.rules)
 * 1:20458 <-> DISABLED <-> FILE-IDENTIFY bzip file magic detected (file-identify.rules)
 * 1:20459 <-> ENABLED <-> FILE-IDENTIFY GIF file magic detected (file-identify.rules)
 * 1:20460 <-> ENABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
 * 1:20461 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows CAB file magic detected (file-identify.rules)
 * 1:20462 <-> ENABLED <-> FILE-IDENTIFY Ogg Stream file magic detected (file-identify.rules)
 * 1:20463 <-> DISABLED <-> FILE-IDENTIFY ZIP file magic detected (file-identify.rules)
 * 1:20464 <-> DISABLED <-> FILE-IDENTIFY ZIP file magic detected (file-identify.rules)
 * 1:20465 <-> DISABLED <-> FILE-IDENTIFY ZIP file magic detected (file-identify.rules)
 * 1:20466 <-> DISABLED <-> FILE-IDENTIFY ZIP file magic detected (file-identify.rules)
 * 1:20467 <-> DISABLED <-> FILE-IDENTIFY ZIP file magic detected (file-identify.rules)
 * 1:20468 <-> DISABLED <-> FILE-IDENTIFY ZIP file magic detected (file-identify.rules)
 * 1:20469 <-> DISABLED <-> FILE-IDENTIFY ZIP file magic detected (file-identify.rules)
 * 1:20470 <-> ENABLED <-> FILE-IDENTIFY RIFF file magic detected (file-identify.rules)
 * 1:20471 <-> ENABLED <-> FILE-IDENTIFY RIFX file magic detected (file-identify.rules)
 * 1:20472 <-> DISABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
 * 1:20474 <-> DISABLED <-> FILE-IDENTIFY Symantec file magic detected (file-identify.rules)
 * 1:20475 <-> DISABLED <-> FILE-IDENTIFY ARJ file magic detected (file-identify.rules)
 * 1:20476 <-> DISABLED <-> FILE-IDENTIFY TNEF file magic detected (file-identify.rules)
 * 1:20477 <-> DISABLED <-> FILE-IDENTIFY ELF file magic detected (file-identify.rules)
 * 1:20478 <-> ENABLED <-> FILE-IDENTIFY PNG file magic detected (file-identify.rules)
 * 1:20479 <-> DISABLED <-> FILE-IDENTIFY CryptFF file magic detected (file-identify.rules)
 * 1:20481 <-> ENABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
 * 1:20483 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:20484 <-> DISABLED <-> FILE-IDENTIFY SIS file magic detected (file-identify.rules)
 * 1:20485 <-> DISABLED <-> FILE-IDENTIFY SIP log file magic detected (file-identify.rules)
 * 1:20486 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:20487 <-> DISABLED <-> FILE-IDENTIFY 7zip file magic detected (file-identify.rules)
 * 1:20488 <-> DISABLED <-> FILE-IDENTIFY MachO Little Endian file magic detected (file-identify.rules)
 * 1:20489 <-> DISABLED <-> FILE-IDENTIFY MachO x64 Little Endian file magic detected (file-identify.rules)
 * 1:20490 <-> DISABLED <-> FILE-IDENTIFY MachO Big Endian file magic detected (file-identify.rules)
 * 1:20491 <-> DISABLED <-> FILE-IDENTIFY MachO x64 Big Endian file magic detected (file-identify.rules)
 * 1:20492 <-> ENABLED <-> FILE-IDENTIFY Universal Binary/Java Bytecode file magic detected (file-identify.rules)
 * 1:20493 <-> DISABLED <-> FILE-IDENTIFY jarpack file magic detected (file-identify.rules)
 * 1:20494 <-> ENABLED <-> FILE-IDENTIFY PDF file magic detected (file-identify.rules)
 * 1:20495 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file magic detected (file-identify.rules)
 * 1:20496 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file magic detected (file-identify.rules)
 * 1:20497 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file magic detected (file-identify.rules)
 * 1:20498 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word file magic detected (file-identify.rules)
 * 1:20499 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word file magic detected (file-identify.rules)
 * 1:20500 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:20501 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:20502 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:20503 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:20504 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:20507 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file magic detected (file-identify.rules)
 * 1:20511 <-> ENABLED <-> FILE-IDENTIFY bcproj file magic detected (file-identify.rules)
 * 1:20512 <-> ENABLED <-> FILE-IDENTIFY mx4 file magic detected (file-identify.rules)
 * 1:20513 <-> DISABLED <-> FILE-IDENTIFY ffmpeg file magic detected (file-identify.rules)
 * 1:20514 <-> ENABLED <-> FILE-IDENTIFY dmg file magic detected (file-identify.rules)
 * 1:20515 <-> DISABLED <-> FILE-IDENTIFY ivr file magic detected (file-identify.rules)
 * 1:20516 <-> ENABLED <-> FILE-IDENTIFY caff file magic detected (file-identify.rules)
 * 1:20520 <-> DISABLED <-> FILE-IDENTIFY vmd file magic detected (file-identify.rules)
 * 1:20521 <-> DISABLED <-> FILE-IDENTIFY Flac file magic detected (file-identify.rules)
 * 1:20522 <-> DISABLED <-> FILE-IDENTIFY VideoLAN VLC file magic detected (file-identify.rules)
 * 1:20564 <-> DISABLED <-> FILE-IDENTIFY amf file magic detected (file-identify.rules)
 * 1:20589 <-> DISABLED <-> FILE-IDENTIFY CDR file magic detected (file-identify.rules)
 * 1:20750 <-> DISABLED <-> FILE-IDENTIFY webm file magic detected (file-identify.rules)
 * 1:20897 <-> DISABLED <-> FILE-IDENTIFY MIDI file magic detected (file-identify.rules)
 * 1:209 <-> DISABLED <-> BACKDOOR w00w00 attempt (backdoor.rules)
 * 1:20924 <-> ENABLED <-> FILE-IDENTIFY PLS file magic detected (file-identify.rules)
 * 1:20928 <-> ENABLED <-> FILE-IDENTIFY SMIL file magic detected (file-identify.rules)
 * 1:20950 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:20951 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:20952 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:20953 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:20954 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:20955 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:20956 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:20957 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:20958 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:20959 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:21015 <-> DISABLED <-> FILE-IDENTIFY cy3 Cytel Studio file magic detected (file-identify.rules)
 * 1:21059 <-> ENABLED <-> FILE-IDENTIFY RIFF Video file magic detected (file-identify.rules)
 * 1:21113 <-> DISABLED <-> FILE-IDENTIFY Cisco Webex Player .wrf file magic detected (file-identify.rules)
 * 1:21244 <-> ENABLED <-> FILE-IDENTIFY New Executable binary file magic detected (file-identify.rules)
 * 1:21255 <-> ENABLED <-> BLACKLIST known malicious FTP login banner - 0wns j0 (blacklist.rules)
 * 1:21256 <-> ENABLED <-> BLACKLIST known malicious FTP quit banner - Goodbye happy r00ting (blacklist.rules)
 * 1:21288 <-> ENABLED <-> FILE-IDENTIFY XML download detected (file-identify.rules)
 * 1:21440 <-> ENABLED <-> BOTNET-CNC Win32.Trojan.Murofet variant outbound connection (botnet-cnc.rules)
 * 1:216 <-> DISABLED <-> BACKDOOR MISC Linux rootkit satori attempt (backdoor.rules)
 * 1:221 <-> DISABLED <-> DDOS TFN Probe (ddos.rules)
 * 1:222 <-> DISABLED <-> DDOS tfn2k icmp possible communication (ddos.rules)
 * 1:223 <-> DISABLED <-> DDOS Trin00 Daemon to Master PONG message detected (ddos.rules)
 * 1:224 <-> DISABLED <-> DDOS Stacheldraht server spoof (ddos.rules)
 * 1:225 <-> DISABLED <-> DDOS Stacheldraht gag server response (ddos.rules)
 * 1:226 <-> DISABLED <-> DDOS Stacheldraht server response (ddos.rules)
 * 1:227 <-> DISABLED <-> DDOS Stacheldraht client spoofworks (ddos.rules)
 * 1:228 <-> DISABLED <-> DDOS TFN client command BE (ddos.rules)
 * 1:229 <-> DISABLED <-> DDOS Stacheldraht client check skillz (ddos.rules)
 * 1:230 <-> DISABLED <-> DDOS shaft client login to handler (ddos.rules)
 * 1:231 <-> DISABLED <-> DDOS Trin00 Daemon to Master message detected (ddos.rules)
 * 1:232 <-> DISABLED <-> DDOS Trin00 Daemon to Master *HELLO* message detected (ddos.rules)
 * 1:233 <-> DISABLED <-> DDOS Trin00 Attacker to Master default startup password (ddos.rules)
 * 1:236 <-> DISABLED <-> DDOS Stacheldraht client check gag (ddos.rules)
 * 1:237 <-> DISABLED <-> DDOS Trin00 Master to Daemon default password attempt (ddos.rules)
 * 1:238 <-> DISABLED <-> DDOS TFN server response (ddos.rules)
 * 1:239 <-> DISABLED <-> DDOS shaft handler to agent (ddos.rules)
 * 1:240 <-> DISABLED <-> DDOS shaft agent to handler (ddos.rules)
 * 1:251 <-> DISABLED <-> DDOS - TFN client command LE (ddos.rules)
 * 1:255 <-> DISABLED <-> DNS zone transfer TCP (dns.rules)
 * 1:256 <-> DISABLED <-> DNS named authors attempt (dns.rules)
 * 1:257 <-> DISABLED <-> DNS named version attempt (dns.rules)
 * 1:274 <-> DISABLED <-> DOS ath (dos.rules)
 * 1:281 <-> DISABLED <-> DOS Ascend Route (dos.rules)
 * 1:283 <-> DISABLED <-> EXPLOIT Netscape 4.7 client overflow (exploit.rules)
 * 1:303 <-> DISABLED <-> DNS EXPLOIT named tsig overflow attempt (dns.rules)
 * 1:305 <-> DISABLED <-> EXPLOIT delegate proxy overflow (exploit.rules)
 * 1:309 <-> DISABLED <-> EXPLOIT sniffit overflow (exploit.rules)
 * 1:311 <-> DISABLED <-> EXPLOIT Netscape 4.7 unsucessful overflow (exploit.rules)
 * 1:322 <-> DISABLED <-> FINGER search query (finger.rules)
 * 1:323 <-> DISABLED <-> FINGER root query (finger.rules)
 * 1:324 <-> DISABLED <-> FINGER null request (finger.rules)
 * 1:326 <-> DISABLED <-> FINGER remote command execution attempt (finger.rules)
 * 1:327 <-> DISABLED <-> FINGER remote command pipe execution attempt (finger.rules)
 * 1:328 <-> DISABLED <-> FINGER bomb attempt (finger.rules)
 * 1:330 <-> DISABLED <-> FINGER redirection attempt (finger.rules)
 * 1:331 <-> DISABLED <-> FINGER cybercop query (finger.rules)
 * 1:332 <-> DISABLED <-> FINGER 0 query (finger.rules)
 * 1:333 <-> DISABLED <-> FINGER . query (finger.rules)
 * 1:334 <-> DISABLED <-> FTP .forward (ftp.rules)
 * 1:335 <-> DISABLED <-> FTP .rhosts (ftp.rules)
 * 1:336 <-> DISABLED <-> FTP CWD ~root attempt (ftp.rules)
 * 1:337 <-> DISABLED <-> FTP CEL overflow attempt (ftp.rules)
 * 1:353 <-> DISABLED <-> FTP adm scan (ftp.rules)
 * 1:354 <-> DISABLED <-> FTP iss scan (ftp.rules)
 * 1:355 <-> DISABLED <-> FTP pass wh00t (ftp.rules)
 * 1:356 <-> DISABLED <-> FTP passwd retrieval attempt (ftp.rules)
 * 1:358 <-> DISABLED <-> FTP saint scan (ftp.rules)
 * 1:359 <-> DISABLED <-> FTP satan scan (ftp.rules)
 * 1:361 <-> DISABLED <-> FTP SITE EXEC attempt (ftp.rules)
 * 1:362 <-> DISABLED <-> FTP tar parameters (ftp.rules)
 * 1:363 <-> DISABLED <-> ICMP-INFO IRDP router advertisement (icmp-info.rules)
 * 1:364 <-> DISABLED <-> ICMP-INFO IRDP router selection (icmp-info.rules)
 * 1:368 <-> DISABLED <-> ICMP-INFO PING BSDtype (icmp-info.rules)
 * 1:369 <-> DISABLED <-> ICMP-INFO PING BayRS Router (icmp-info.rules)
 * 1:370 <-> DISABLED <-> ICMP-INFO PING BeOS4.x (icmp-info.rules)
 * 1:371 <-> DISABLED <-> ICMP-INFO PING Cisco Type.x (icmp-info.rules)
 * 1:372 <-> DISABLED <-> ICMP-INFO PING Delphi-Piette Windows (icmp-info.rules)
 * 1:373 <-> DISABLED <-> ICMP-INFO PING Flowpoint2200 or Network Management Software (icmp-info.rules)
 * 1:374 <-> DISABLED <-> ICMP-INFO PING IP NetMonitor Macintosh (icmp-info.rules)
 * 1:375 <-> DISABLED <-> ICMP-INFO PING LINUX/*BSD (icmp-info.rules)
 * 1:376 <-> DISABLED <-> ICMP-INFO PING Microsoft Windows (icmp-info.rules)
 * 1:377 <-> DISABLED <-> ICMP-INFO PING Network Toolbox 3 Windows (icmp-info.rules)
 * 1:378 <-> DISABLED <-> ICMP-INFO PING Ping-O-MeterWindows (icmp-info.rules)
 * 1:379 <-> DISABLED <-> ICMP-INFO PING Pinger Windows (icmp-info.rules)
 * 1:380 <-> DISABLED <-> ICMP-INFO PING Seer Windows (icmp-info.rules)
 * 1:381 <-> DISABLED <-> ICMP-INFO PING Oracle Solaris (icmp-info.rules)
 * 1:382 <-> DISABLED <-> ICMP-INFO PING Windows (icmp-info.rules)
 * 1:3820 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules)
 * 1:385 <-> DISABLED <-> ICMP-INFO traceroute (icmp-info.rules)
 * 1:441 <-> DISABLED <-> ICMP-INFO Router Advertisement (icmp-info.rules)
 * 1:443 <-> DISABLED <-> ICMP-INFO Router Selection (icmp-info.rules)
 * 1:465 <-> DISABLED <-> ICMP ISS Pinger (icmp.rules)
 * 1:466 <-> DISABLED <-> ICMP L3retriever Ping (icmp.rules)
 * 1:467 <-> DISABLED <-> ICMP Nemesis v1.1 Echo (icmp.rules)
 * 1:476 <-> DISABLED <-> ICMP webtrends scanner (icmp.rules)
 * 1:481 <-> DISABLED <-> ICMP TJPingPro1.1Build 2 Windows (icmp.rules)
 * 1:482 <-> DISABLED <-> ICMP PING WhatsupGold Windows (icmp.rules)
 * 1:483 <-> DISABLED <-> ICMP PING CyberKit 2.2 Windows (icmp.rules)
 * 1:489 <-> DISABLED <-> FTP no password (ftp.rules)
 * 1:505 <-> DISABLED <-> MISC Insecure TIMBUKTU Password (misc.rules)
 * 1:508 <-> DISABLED <-> MISC gopher proxy (misc.rules)
 * 1:509 <-> DISABLED <-> WEB-MISC PCCS mysql database admin tool access (web-misc.rules)
 * 1:510 <-> DISABLED <-> POLICY HP JetDirect LCD modification attempt (policy.rules)
 * 1:512 <-> DISABLED <-> MISC PCAnywhere Failed Login (misc.rules)
 * 1:514 <-> DISABLED <-> MISC ramen worm (misc.rules)
 * 1:517 <-> DISABLED <-> X11 xdmcp query (x11.rules)
 * 1:518 <-> DISABLED <-> TFTP Put (tftp.rules)
 * 1:519 <-> DISABLED <-> TFTP parent directory (tftp.rules)
 * 1:520 <-> DISABLED <-> TFTP root directory (tftp.rules)
 * 1:529 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt (netbios.rules)
 * 1:530 <-> DISABLED <-> NETBIOS NT NULL session (netbios.rules)
 * 1:534 <-> DISABLED <-> NETBIOS SMB CD.. (netbios.rules)
 * 1:535 <-> DISABLED <-> NETBIOS SMB CD... (netbios.rules)
 * 1:555 <-> DISABLED <-> POLICY WinGate telnet server response (policy.rules)
 * 1:566 <-> DISABLED <-> POLICY PCAnywhere server response (policy.rules)
 * 1:567 <-> DISABLED <-> POLICY SMTP relaying denied (policy.rules)
 * 1:568 <-> DISABLED <-> POLICY HP JetDirect LCD modification attempt (policy.rules)
 * 1:572 <-> DISABLED <-> RPC DOS ttdbserv Solaris (rpc.rules)
 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
 * 1:971 <-> DISABLED <-> WEB-IIS ISAPI .printer access (web-iis.rules)
 * 1:967 <-> DISABLED <-> WEB-FRONTPAGE dvwssr.dll access (web-frontpage.rules)
 * 1:966 <-> DISABLED <-> WEB-FRONTPAGE .... request (web-frontpage.rules)
 * 1:9639 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Address Book file magic detected (file-identify.rules)
 * 1:940 <-> DISABLED <-> WEB-FRONTPAGE shtml.dll access (web-frontpage.rules)
 * 1:933 <-> DISABLED <-> WEB-COLDFUSION onrequestend.cfm access (web-coldfusion.rules)
 * 1:932 <-> DISABLED <-> WEB-COLDFUSION application.cfm access (web-coldfusion.rules)
 * 1:886 <-> DISABLED <-> WEB-CGI phf access (web-cgi.rules)
 * 1:875 <-> DISABLED <-> WEB-CGI win-c-sample.exe access (web-cgi.rules)
 * 1:861 <-> DISABLED <-> WEB-CGI w3-msql access (web-cgi.rules)
 * 1:860 <-> DISABLED <-> WEB-CGI snork.bat access (web-cgi.rules)
 * 1:853 <-> DISABLED <-> WEB-CGI wrap access (web-cgi.rules)
 * 1:8478 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Publisher file magic detected (file-identify.rules)
 * 1:843 <-> DISABLED <-> WEB-CGI anform2 access (web-cgi.rules)
 * 1:839 <-> DISABLED <-> WEB-CGI finger access (web-cgi.rules)
 * 1:838 <-> DISABLED <-> WEB-CGI webgais access (web-cgi.rules)
 * 1:835 <-> DISABLED <-> WEB-CGI test-cgi access (web-cgi.rules)
 * 1:832 <-> DISABLED <-> WEB-CGI perl.exe access (web-cgi.rules)
 * 1:829 <-> DISABLED <-> WEB-CGI nph-test-cgi access (web-cgi.rules)
 * 1:824 <-> DISABLED <-> WEB-CGI php.cgi access (web-cgi.rules)
 * 1:821 <-> DISABLED <-> WEB-CGI imagemap.exe overflow attempt (web-cgi.rules)
 * 1:815 <-> DISABLED <-> WEB-CGI websendmail access (web-cgi.rules)
 * 1:813 <-> DISABLED <-> WEB-CGI webplus directory traversal (web-cgi.rules)
 * 1:812 <-> DISABLED <-> WEB-CGI webplus version access (web-cgi.rules)
 * 1:811 <-> DISABLED <-> WEB-CGI websitepro path access (web-cgi.rules)
 * 1:810 <-> DISABLED <-> WEB-CGI whois_raw.cgi access (web-cgi.rules)
 * 1:809 <-> DISABLED <-> WEB-CGI whois_raw.cgi arbitrary command execution attempt (web-cgi.rules)
 * 1:808 <-> DISABLED <-> WEB-CGI webdriver access (web-cgi.rules)
 * 1:807 <-> DISABLED <-> WEB-CGI /wwwboard/passwd.txt access (web-cgi.rules)
 * 1:806 <-> DISABLED <-> WEB-CGI yabb directory traversal attempt (web-cgi.rules)
 * 1:805 <-> DISABLED <-> WEB-CGI webspeed access (web-cgi.rules)
 * 1:718 <-> DISABLED <-> TELNET login incorrect (telnet.rules)
 * 1:717 <-> DISABLED <-> TELNET not on console (telnet.rules)
 * 1:714 <-> DISABLED <-> TELNET resolv_host_conf (telnet.rules)
 * 1:713 <-> DISABLED <-> TELNET livingston DOS (telnet.rules)
 * 1:712 <-> DISABLED <-> TELNET ld_library_path (telnet.rules)
 * 1:711 <-> DISABLED <-> TELNET SGI telnetd format bug (telnet.rules)
 * 1:672 <-> DISABLED <-> SMTP vrfy decode (smtp.rules)
 * 1:671 <-> DISABLED <-> SMTP sendmail 8.6.9c exploit (smtp.rules)
 * 1:670 <-> DISABLED <-> SMTP sendmail 8.6.9 exploit (smtp.rules)
 * 1:669 <-> DISABLED <-> SMTP sendmail 8.6.9 exploit (smtp.rules)
 * 1:668 <-> DISABLED <-> SMTP sendmail 8.6.10 exploit (smtp.rules)
 * 1:667 <-> DISABLED <-> SMTP sendmail 8.6.10 exploit (smtp.rules)
 * 1:665 <-> DISABLED <-> SMTP sendmail 5.6.5 exploit (smtp.rules)
 * 1:664 <-> DISABLED <-> SMTP RCPT TO decode attempt (smtp.rules)
 * 1:663 <-> DISABLED <-> SMTP rcpt to command attempt (smtp.rules)
 * 1:662 <-> DISABLED <-> SMTP sendmail 5.5.5 exploit (smtp.rules)
 * 1:661 <-> DISABLED <-> SMTP majordomo ifs (smtp.rules)
 * 1:660 <-> DISABLED <-> SMTP expn root (smtp.rules)
 * 1:659 <-> DISABLED <-> SMTP expn decode (smtp.rules)
 * 1:657 <-> DISABLED <-> SMTP chameleon overflow (smtp.rules)
 * 1:655 <-> DISABLED <-> SMTP sendmail 8.6.9 exploit (smtp.rules)
 * 1:652 <-> DISABLED <-> SHELLCODE Linux shellcode (shellcode.rules)
 * 1:650 <-> DISABLED <-> SHELLCODE x86 setuid 0 (shellcode.rules)
 * 1:649 <-> DISABLED <-> SHELLCODE x86 setgid 0 (shellcode.rules)
 * 1:648 <-> DISABLED <-> SHELLCODE x86 NOOP (shellcode.rules)
 * 1:647 <-> DISABLED <-> SHELLCODE Sun sparc setuid 0 (shellcode.rules)
 * 1:646 <-> DISABLED <-> SHELLCODE sparc NOOP (shellcode.rules)
 * 1:645 <-> DISABLED <-> SHELLCODE sparc NOOP (shellcode.rules)
 * 1:644 <-> DISABLED <-> SHELLCODE sparc NOOP (shellcode.rules)
 * 1:643 <-> DISABLED <-> SHELLCODE HP-UX NOOP (shellcode.rules)
 * 1:642 <-> DISABLED <-> SHELLCODE HP-UX NOOP (shellcode.rules)
 * 1:641 <-> DISABLED <-> SHELLCODE Digital UNIX NOOP (shellcode.rules)
 * 1:638 <-> DISABLED <-> SHELLCODE SGI NOOP (shellcode.rules)
 * 1:639 <-> DISABLED <-> SHELLCODE SGI NOOP (shellcode.rules)
 * 1:637 <-> DISABLED <-> SCAN Webtrends Scanner UDP Probe (scan.rules)
 * 1:636 <-> DISABLED <-> SCAN cybercop udp bomb (scan.rules)
 * 1:635 <-> DISABLED <-> SCAN XTACACS logout (scan.rules)
 * 1:632 <-> DISABLED <-> SMTP expn cybercop attempt (smtp.rules)
 * 1:631 <-> DISABLED <-> SMTP ehlo cybercop attempt (smtp.rules)
 * 1:630 <-> DISABLED <-> SCAN synscan portscan (scan.rules)
 * 1:627 <-> DISABLED <-> SCAN cybercop os SFU12 probe (scan.rules)
 * 1:626 <-> DISABLED <-> SCAN cybercop os PA12 attempt (scan.rules)
 * 1:622 <-> DISABLED <-> SCAN ipEye SYN scan (scan.rules)
 * 1:619 <-> DISABLED <-> SCAN cybercop os probe (scan.rules)
 * 1:616 <-> DISABLED <-> SCAN ident version request (scan.rules)
 * 1:614 <-> DISABLED <-> BACKDOOR hack-a-tack attempt (backdoor.rules)
 * 1:613 <-> DISABLED <-> SCAN myscan (scan.rules)
 * 1:611 <-> DISABLED <-> RSERVICES rlogin login failure (rservices.rules)
 * 1:610 <-> DISABLED <-> RSERVICES rsh root (rservices.rules)
 * 1:575 <-> DISABLED <-> RPC portmap admind request UDP (rpc.rules)
 * 1:574 <-> DISABLED <-> RPC mountd TCP export request (rpc.rules)
 * 1:577 <-> DISABLED <-> RPC portmap bootparam request UDP (rpc.rules)
 * 1:609 <-> DISABLED <-> RSERVICES rsh froot (rservices.rules)
 * 1:578 <-> DISABLED <-> RPC portmap cmsd request UDP (rpc.rules)
 * 1:580 <-> DISABLED <-> RPC portmap nisd request UDP (rpc.rules)
 * 1:579 <-> DISABLED <-> RPC portmap mountd request UDP (rpc.rules)
 * 1:582 <-> DISABLED <-> RPC portmap rexd request UDP (rpc.rules)
 * 1:608 <-> DISABLED <-> RSERVICES rsh echo + + (rservices.rules)
 * 1:583 <-> DISABLED <-> RPC portmap rstatd request UDP (rpc.rules)
 * 1:584 <-> DISABLED <-> RPC portmap rusers request UDP (rpc.rules)
 * 1:585 <-> DISABLED <-> RPC portmap sadmind request UDP (rpc.rules)
 * 1:587 <-> DISABLED <-> RPC portmap status request UDP (rpc.rules)
 * 1:588 <-> DISABLED <-> RPC portmap ttdbserv request UDP (rpc.rules)
 * 1:589 <-> DISABLED <-> RPC portmap yppasswd request UDP (rpc.rules)
 * 1:607 <-> DISABLED <-> RSERVICES rsh bin (rservices.rules)
 * 1:590 <-> DISABLED <-> RPC portmap ypserv request UDP (rpc.rules)
 * 1:598 <-> DISABLED <-> RPC portmap listing TCP 111 (rpc.rules)
 * 1:599 <-> DISABLED <-> RPC portmap listing TCP 32771 (rpc.rules)
 * 1:606 <-> DISABLED <-> RSERVICES rlogin root (rservices.rules)
 * 1:605 <-> DISABLED <-> RSERVICES rlogin login failure (rservices.rules)
 * 1:604 <-> DISABLED <-> RSERVICES rsh froot (rservices.rules)
 * 1:602 <-> DISABLED <-> RSERVICES rlogin bin (rservices.rules)
 * 1:603 <-> DISABLED <-> RSERVICES rlogin echo++ (rservices.rules)