Sourcefire VRT Rules Update

Date: 2012-05-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:21973 <-> DISABLED <-> BOTNET-CNC Backdoor.ZZSlash runtime detection (botnet-cnc.rules)
 * 1:21972 <-> DISABLED <-> BOTNET-CNC Backdoor.ZZSlash outbound connection (botnet-cnc.rules)
 * 1:21971 <-> DISABLED <-> BOTNET-CNC Backdoor.Zlob.P variant inbound communication (botnet-cnc.rules)
 * 1:21970 <-> DISABLED <-> BOTNET-CNC Backdoor.Zlob.P variant outbound connection (botnet-cnc.rules)
 * 1:21969 <-> DISABLED <-> BOTNET-CNC Backdoor.Rebhip.A outbound connection type B (botnet-cnc.rules)
 * 1:21968 <-> DISABLED <-> BOTNET-CNC Backdoor.Rebhip.A outbound connection type A (botnet-cnc.rules)
 * 1:21967 <-> DISABLED <-> BACKDOOR Rebhip.A runtime detection (backdoor.rules)
 * 1:21966 <-> DISABLED <-> BOTNET-CNC Trojan.Pasmu connect to server attempt (botnet-cnc.rules)
 * 1:21965 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user agent VB WININET (blacklist.rules)
 * 1:21964 <-> DISABLED <-> BOTNET-CNC Murcy protocol connection to server attempt (botnet-cnc.rules)
 * 1:21963 <-> DISABLED <-> BOTNET-CNC X-Shell 601 communication protocol connection to server attempt (botnet-cnc.rules)
 * 1:21962 <-> DISABLED <-> BOTNET-CNC BB communication protocol connection to server attempt (botnet-cnc.rules)
 * 1:21961 <-> DISABLED <-> BOTNET-CNC IP2B communicacion protocol connection to server attempt (botnet-cnc.rules)
 * 1:21960 <-> DISABLED <-> BOTNET-CNC LURK communication protocol connection to server attempt (botnet-cnc.rules)
 * 1:21959 <-> DISABLED <-> BOTNET-CNC UPDATE communicaction protocol connection to server attempt (botnet-cnc.rules)
 * 1:21958 <-> DISABLED <-> BOTNET-CNC QDIGIT protocol connection to server attempt (botnet-cnc.rules)
 * 1:21957 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows hlp file attachment detected (file-identify.rules)
 * 1:21956 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows hlp file attachment detected (file-identify.rules)
 * 1:21955 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows hlp file magic detected (file-identify.rules)
 * 1:21954 <-> ENABLED <-> POLICY Mozilla Multiple Products HTML href shell attempt (policy.rules)
 * 1:21953 <-> ENABLED <-> POLICY Mozilla Multiple Products HTML href shell attempt (policy.rules)
 * 1:22040 <-> ENABLED <-> SPECIFIC-THREATS Blackhole suspected landing page (specific-threats.rules)
 * 1:22039 <-> ENABLED <-> SPECIFIC-THREATS Blackhole suspected landing page (specific-threats.rules)
 * 1:22038 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer SelectAll dangling pointer use after free attempt (web-client.rules)
 * 1:22037 <-> DISABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
 * 1:22036 <-> DISABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
 * 1:22035 <-> DISABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
 * 1:22034 <-> ENABLED <-> BOTNET-CNC Apple OSX Flashback malware outbound connection (botnet-cnc.rules)
 * 1:22033 <-> ENABLED <-> BOTNET-CNC Apple OSX Flashback malware outbound connection (botnet-cnc.rules)
 * 1:22032 <-> ENABLED <-> FILE-OTHER Visual Studio VAP file handling buffer overflow attempt (file-other.rules)
 * 1:22031 <-> DISABLED <-> FILE-OTHER Visual Studio SLN file handling buffer overflow attempt (file-other.rules)
 * 1:22030 <-> DISABLED <-> FILE-OTHER Visual Studio PKP file handling buffer overflow attempt (file-other.rules)
 * 1:22029 <-> DISABLED <-> FILE-OTHER Visual Studio DBP file handling buffer overflow attempt (file-other.rules)
 * 1:22028 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio VAP file magic detected (file-identify.rules)
 * 1:22027 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio VAP file attachment detected (file-identify.rules)
 * 1:22026 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio VAP file attachment detected (file-identify.rules)
 * 1:22025 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio VAP file download request (file-identify.rules)
 * 1:22024 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio SLN file magic detected (file-identify.rules)
 * 1:22023 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio SLN file attachment detected (file-identify.rules)
 * 1:22022 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio SLN file attachment detected (file-identify.rules)
 * 1:22021 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio SLN file download request (file-identify.rules)
 * 1:22020 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio PKP file magic detected (file-identify.rules)
 * 1:22019 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio PKP file attachment detected (file-identify.rules)
 * 1:22018 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio PKP file attachment detected (file-identify.rules)
 * 1:22017 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio PKP file download request (file-identify.rules)
 * 1:22016 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio DBP file magic detected (file-identify.rules)
 * 1:22015 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio DBP file attachment detected (file-identify.rules)
 * 1:22014 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio DBP file attachment detected (file-identify.rules)
 * 1:22013 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio DBP file download request (file-identify.rules)
 * 1:22012 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:22011 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:22010 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:22009 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:22008 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:22007 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:22006 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:22005 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:22004 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:22003 <-> DISABLED <-> WEB-ACTIVEX Microsoft Internet Explorer WMIScriptUtils.WMIObjectBroker2.1 ActiveX CLSIDaccess (web-activex.rules)
 * 1:22002 <-> DISABLED <-> FILE-IDENTIFY Microsoft Visual Basic v6.0 - additional file magic detected (file-identify.rules)
 * 1:22001 <-> DISABLED <-> BOTNET-CNC Worm.VB.amna outbound connection type B attempt (botnet-cnc.rules)
 * 1:22000 <-> DISABLED <-> BOTNET-CNC Worm.VB.amna outbound connection A attempt (botnet-cnc.rules)
 * 1:21999 <-> ENABLED <-> FILE-IDENTIFY OpenType Font file magic detection (file-identify.rules)
 * 1:21998 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Banload.PQC contact to server attempt (botnet-cnc.rules)
 * 1:21997 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Banker.bgcp contact to server attempt (botnet-cnc.rules)
 * 1:21996 <-> DISABLED <-> BOTNET-CNC Win32.Dorkbot.I Runtime Detection Generic (botnet-cnc.rules)
 * 1:21995 <-> ENABLED <-> BOTNET-CNC Win32.Dorkbot.I Runtime Detection Generic (botnet-cnc.rules)
 * 1:21994 <-> ENABLED <-> EXPLOIT Microsoft Internet Explorer 8 DOM memory corruption attempt (exploit.rules)
 * 1:21993 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer data stream header remote code execution attempt (specific-threats.rules)
 * 1:21992 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer data stream header remote code execution attempt (specific-threats.rules)
 * 1:21991 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer data stream header remote code execution attempt (specific-threats.rules)
 * 1:21990 <-> ENABLED <-> WEB-CLIENT libpng png_inflate buffer overflow attempt (web-client.rules)
 * 1:21989 <-> ENABLED <-> WEB-CLIENT libpng png_inflate buffer overflow attempt (web-client.rules)
 * 1:21988 <-> ENABLED <-> WEB-CLIENT libpng png_inflate buffer overflow attempt (web-client.rules)
 * 1:21987 <-> ENABLED <-> MISC libpng png_inflate buffer overflow attempt (misc.rules)
 * 1:21986 <-> ENABLED <-> MISC libpng png_inflate buffer overflow attempt (misc.rules)
 * 1:21985 <-> ENABLED <-> MISC libpng png_inflate buffer overflow attempt (misc.rules)
 * 1:21984 <-> ENABLED <-> BOTNET-CNC Trojan.BamCompiled variant inbound updates (botnet-cnc.rules)
 * 1:21983 <-> ENABLED <-> BOTNET-CNC Trojan.BamCompiled variant outbound connection (botnet-cnc.rules)
 * 1:21982 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Insain.mh runtime detection (botnet-cnc.rules)
 * 1:21981 <-> DISABLED <-> BOTNET-CNC Trojan-Downloader.Win32.Selvice.vq runtime detection (botnet-cnc.rules)
 * 1:21980 <-> DISABLED <-> BOTNET-CNC Trojan.Winac outbound connection (botnet-cnc.rules)
 * 1:21979 <-> DISABLED <-> BOTNET-CNC Backdoor.Nervos variant inbound communication attempt (botnet-cnc.rules)
 * 1:21978 <-> ENABLED <-> BOTNET-CNC Backdoor.Nervos variant outbound connection attempt (botnet-cnc.rules)
 * 1:21977 <-> DISABLED <-> BOTNET-CNC Backdoor.Pinit outbound connection (botnet-cnc.rules)
 * 1:21976 <-> DISABLED <-> BOTNET-CNC Trojan-Downloader.Win32.Lapurd.D runtime detection (botnet-cnc.rules)
 * 1:21975 <-> DISABLED <-> BOTNET-CNC Worm.Expichu runtime detection (botnet-cnc.rules)
 * 1:21974 <-> DISABLED <-> BOTNET-CNC Worm.Expichu runtime detection (botnet-cnc.rules)
 * 1:21952 <-> DISABLED <-> DOS ISC dhcpd discover hostname overflow attempt (dos.rules)
 * 1:21951 <-> DISABLED <-> WEB-ACTIVEX Microsoft MSWebDVD ActiveX function call attempt (web-activex.rules)
 * 1:21950 <-> DISABLED <-> WEB-ACTIVEX Microsoft MSWebDVD ActiveX clsid access attempt (web-activex.rules)
 * 1:21949 <-> ENABLED <-> SPECIFIC-THREATS nikjju script injection (specific-threats.rules)
 * 1:21948 <-> ENABLED <-> FILE-OTHER Adobe Photoshop TIFF malicious SGILOG-compressed data attempt (file-other.rules)
 * 1:21947 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.VicSpy.A runtime detection (botnet-cnc.rules)
 * 1:21946 <-> DISABLED <-> BACKDOOR Backdoor.Win32.Litmpuca.A Runtime Detection (backdoor.rules)
 * 1:21945 <-> DISABLED <-> BACKDOOR Backdoor.Win32.Litmpuca.A Runtime Detection (backdoor.rules)
 * 1:21944 <-> ENABLED <-> WEB-CLIENT IBM Tivoli Endpoint Manager Web Reports xss attempt (web-client.rules)
 * 1:21943 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:21942 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:21941 <-> ENABLED <-> SPECIFIC-THREATS Wordpress Request for php file in fgallery directory (specific-threats.rules)

Modified Rules:
 * 1:21771 <-> DISABLED <-> EXPLOIT Microsoft Windows DirectX directshow wav file overflow attempt (exploit.rules)
 * 1:21770 <-> DISABLED <-> EXPLOIT Microsoft Windows DirectX directshow wav file overflow attempt (exploit.rules)
 * 1:21762 <-> DISABLED <-> EXPLOIT Youngzsoft CMailServer CMailCOM Buffer Overflow attempt (exploit.rules)
 * 1:21754 <-> DISABLED <-> WEB-CLIENT Microsoft Windows MSXML2 ActiveX malformed HTTP response (web-client.rules)
 * 1:21753 <-> DISABLED <-> EXPLOIT Digium Asterisk Management Interface HTTP digest authentication stack buffer overflow attempt (exploit.rules)
 * 1:886 <-> DISABLED <-> WEB-CGI phf access (web-cgi.rules)
 * 1:7203 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word information string overflow attempt (file-office.rules)
 * 1:7202 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document summary information string overflow attempt (file-office.rules)
 * 1:7199 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel label record overflow attempt (file-office.rules)
 * 1:7113 <-> DISABLED <-> BACKDOOR donalddick v1.5b3 runtime detection (backdoor.rules)
 * 1:7111 <-> DISABLED <-> BACKDOOR fearless lite 1.01 runtime detection (backdoor.rules)
 * 1:21906 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:7104 <-> DISABLED <-> BACKDOOR aol admin runtime detection (backdoor.rules)
 * 1:4135 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer JPEG heap overflow attempt (web-client.rules)
 * 1:3442 <-> DISABLED <-> DOS WIN32 TCP print service overflow attempt (dos.rules)
 * 1:3142 <-> DISABLED <-> NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt (netbios.rules)
 * 1:3141 <-> DISABLED <-> NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt (netbios.rules)
 * 1:3140 <-> DISABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 andx attempt (netbios.rules)
 * 1:3139 <-> DISABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 attempt (netbios.rules)
 * 1:3138 <-> DISABLED <-> NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt (netbios.rules)
 * 1:3137 <-> DISABLED <-> NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt (netbios.rules)
 * 1:3136 <-> DISABLED <-> NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt (netbios.rules)
 * 1:3135 <-> DISABLED <-> NETBIOS SMB Trans2 QUERY_FILE_INFO attempt (netbios.rules)
 * 1:3082 <-> DISABLED <-> BACKDOOR Y3KRAT 1.5 Connect Client Response (backdoor.rules)
 * 1:3081 <-> DISABLED <-> BACKDOOR Y3KRAT 1.5 Connect (backdoor.rules)
 * 1:3013 <-> DISABLED <-> BACKDOOR Asylum 0.1 connection request (backdoor.rules)
 * 1:278 <-> DISABLED <-> DOS RealNetworks Server template.html (dos.rules)
 * 1:277 <-> DISABLED <-> DOS RealNetworks Server template.html (dos.rules)
 * 1:276 <-> DISABLED <-> DOS RealNetworks Audio Server denial of service attempt (dos.rules)
 * 1:2582 <-> DISABLED <-> WEB-MISC SAP Crystal Reports crystalImageHandler.aspx directory traversal attempt (web-misc.rules)
 * 1:2581 <-> DISABLED <-> WEB-MISC SAP Crystal Reports crystalimagehandler.aspx access (web-misc.rules)
 * 1:2527 <-> DISABLED <-> SMTP STARTTLS attempt (smtp.rules)
 * 1:2411 <-> DISABLED <-> WEB-MISC RealNetworks RealSystem Server DESCRIBE buffer overflow attempt (web-misc.rules)
 * 1:21937 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:21931 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
 * 1:21928 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record (file-office.rules)
 * 1:21927 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel style handling overflow attempt (file-office.rules)
 * 1:21905 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:21904 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:21903 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:21902 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:1147 <-> DISABLED <-> WEB-MISC cat%20 access (web-misc.rules)
 * 1:12256 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record (file-office.rules)
 * 1:12455 <-> DISABLED <-> FILE-IDENTIFY SAP Crystal Reports file download request (file-identify.rules)
 * 1:21901 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:12456 <-> DISABLED <-> FILE-IDENTIFY SAP Crystal Reports file magic detected (file-identify.rules)
 * 1:13865 <-> DISABLED <-> FILE-OTHER BMP image handler buffer overflow attempt (file-other.rules)
 * 1:13949 <-> DISABLED <-> DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers (dns.rules)
 * 1:14661 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumJobs attempt (netbios.rules)
 * 1:21900 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:15150 <-> ENABLED <-> CHAT Jive Software Openfire Jabber Server login Authentication bypass attempt (chat.rules)
 * 1:15151 <-> ENABLED <-> CHAT Jive Software Openfire Jabber Server logout Authentication bypass attempt (chat.rules)
 * 1:15152 <-> ENABLED <-> CHAT Jive Software Openfire Jabber Server setup-index Authentication bypass attempt (chat.rules)
 * 1:15153 <-> ENABLED <-> CHAT Jive Software Openfire Jabber Server setup Authentication bypass attempt (chat.rules)
 * 1:21899 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:15154 <-> ENABLED <-> CHAT Jive Software Openfire Jabber Server gif Authentication bypass attempt (chat.rules)
 * 1:15155 <-> ENABLED <-> CHAT Jive Software Openfire Jabber Server png Authentication bypass attempt (chat.rules)
 * 1:15156 <-> ENABLED <-> CHAT Jive Software Openfire Jabber Server serverdown Authentication bypass attempt (chat.rules)
 * 1:15445 <-> ENABLED <-> ORACLE Application Server BPEL module cross site scripting attempt (oracle.rules)
 * 1:21898 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:15540 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer DOM memory corruption attempt (web-client.rules)
 * 1:15554 <-> DISABLED <-> ORACLE Application Server 10g OPMN service format string vulnerability exploit attempt (oracle.rules)
 * 1:15727 <-> ENABLED <-> FILE-PDF attempted download of a PDF with embedded Flash over http or pop (file-pdf.rules)
 * 1:21897 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:15865 <-> ENABLED <-> FILE-IDENTIFY MP4 file download request (file-identify.rules)
 * 1:15885 <-> DISABLED <-> EXPLOIT SAPLPD 0x03 command buffer overflow attempt (exploit.rules)
 * 1:16149 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer data stream header remote code execution attempt (specific-threats.rules)
 * 1:16189 <-> ENABLED <-> ORACLE Database REPCAT_RPC.VALIDATE_REMOTE_RC SQL injection attempt (oracle.rules)
 * 1:21896 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:16192 <-> ENABLED <-> ORACLE Secure Backup Administration server authentication bypass attempt - via POST (oracle.rules)
 * 1:16412 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid TextByteAtom remote code execution attempt (file-office.rules)
 * 1:16469 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DbOrParamQry.fOdbcConn parsing remote code execution attempt (file-office.rules)
 * 1:16470 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DbOrParamQry.fWeb parsing remote code execution attempt (file-office.rules)
 * 1:21852 <-> ENABLED <-> BOTNET-CNC Trojan.Orsam variant outbound connection (botnet-cnc.rules)
 * 1:16471 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DbOrParamQry.fWeb parsing remote code execution attempt (file-office.rules)
 * 1:16656 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BIFF5 ExternSheet record stack overflow attempt (file-office.rules)
 * 1:17087 <-> DISABLED <-> WEB-ACTIVEX VeryDOC PDF Viewer ActiveX clsid access (web-activex.rules)
 * 1:17133 <-> DISABLED <-> WEB-CLIENT Microsoft Windows MSXML2 ActiveX malformed HTTP response (web-client.rules)
 * 1:21817 <-> DISABLED <-> DNS excessive queries of type ANY - potential DoS (dns.rules)
 * 1:17250 <-> ENABLED <-> FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt (file-office.rules)
 * 1:17283 <-> DISABLED <-> SERVER-MAIL Mercury Mail Transport System buffer overflow attempt (server-mail.rules)
 * 1:17315 <-> ENABLED <-> FILE-OFFICE OpenOffice OLE File Stream Buffer Overflow (file-office.rules)
 * 1:17332 <-> DISABLED <-> SMTP Content-Disposition attachment (smtp.rules)
 * 1:17377 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Filter Records Handling Code Execution attempt (file-office.rules)
 * 1:21805 <-> DISABLED <-> EXPLOIT HT-MP3Player file parsing boundary buffer overflow attempt (exploit.rules)
 * 1:17396 <-> DISABLED <-> EXPLOIT VNC client authentication response (exploit.rules)
 * 1:17407 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows help file download request (file-identify.rules)
 * 1:21775 <-> DISABLED <-> EXPLOIT Microsoft Windows DirectX directshow wav file overflow attempt (exploit.rules)
 * 1:17418 <-> DISABLED <-> ORACLE Oracle connection established (oracle.rules)
 * 1:17532 <-> DISABLED <-> FILE-OFFICE Micrsoft Office Excel TXO and OBJ Records Parsing Stack Memory Corruption (file-office.rules)
 * 1:17533 <-> ENABLED <-> WEB-MISC Apache Struts Information Disclosure Attempt (web-misc.rules)
 * 1:17534 <-> DISABLED <-> MISC IPP Application Content (misc.rules)
 * 1:1762 <-> DISABLED <-> WEB-CGI phf arbitrary command execution attempt (web-cgi.rules)
 * 1:21774 <-> DISABLED <-> EXPLOIT Microsoft Windows DirectX directshow wav file overflow attempt (exploit.rules)
 * 1:17625 <-> DISABLED <-> ORACLE Database Core RDBMS component denial of service attempt (oracle.rules)
 * 1:17638 <-> ENABLED <-> ORACLE Secure Backup Administration Server login.php Cookies Command Injection attempt (oracle.rules)
 * 1:17722 <-> DISABLED <-> ORACLE XDB.XDB_PITRIG_PKG buffer overflow attempt (oracle.rules)
 * 1:17745 <-> DISABLED <-> NETBIOS SMB TRANS2 Find_First2 request attempt (netbios.rules)
 * 1:17746 <-> DISABLED <-> NETBIOS SMB client TRANS response Find_First2 filename overflow attempt (netbios.rules)
 * 1:21773 <-> DISABLED <-> EXPLOIT Microsoft Windows DirectX directshow wav file overflow attempt (exploit.rules)
 * 1:17757 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrErr record integer overflow attempt (file-office.rules)
 * 1:18335 <-> DISABLED <-> WEB-CLIENT Microsoft Windows MHTML XSS attempt (web-client.rules)
 * 1:18513 <-> ENABLED <-> MYSQL yaSSL SSL Hello Message Buffer Overflow attempt (mysql.rules)
 * 1:18961 <-> DISABLED <-> WEB-CLIENT Microsoft Windows MSXML2 ActiveX malformed HTTP response (web-client.rules)
 * 1:21772 <-> DISABLED <-> EXPLOIT Microsoft Windows DirectX directshow wav file overflow attempt (exploit.rules)
 * 1:18962 <-> DISABLED <-> WEB-CLIENT Microsoft Windows MSXML2 ActiveX malformed HTTP response (web-client.rules)
 * 1:19190 <-> DISABLED <-> NETBIOS SMB-DS Trans2 Distributed File System GET_DFS_REFERRAL request (netbios.rules)
 * 1:19200 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff exploit attempt (file-office.rules)
 * 1:21655 <-> ENABLED <-> EXPLOIT Adobe Flash Video invalid tag type attempt (exploit.rules)
 * 1:19227 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Scenario heap memory overflow (file-office.rules)
 * 1:19231 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Series record exploit attempt (file-office.rules)
 * 1:19268 <-> DISABLED <-> FILE-PDF attempted download of a PDF with embedded Flash over smb (file-pdf.rules)
 * 1:21606 <-> DISABLED <-> WEB-IIS Microsoft IIS multiple executable extension access attempt (web-iis.rules)
 * 1:19269 <-> DISABLED <-> FILE-PDF attempted download of a PDF with embedded Flash over smtp (file-pdf.rules)
 * 1:19816 <-> DISABLED <-> NETBIOS Juniper NeoterisSetupService named pipe access attempt (netbios.rules)
 * 1:19825 <-> DISABLED <-> DOS Apache Killer denial of service tool exploit attempt (dos.rules)
 * 1:19894 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint unbound memcpy and remote code execution attempt (file-office.rules)
 * 1:21605 <-> DISABLED <-> WEB-IIS Microsoft IIS multiple executable extension access attempt (web-iis.rules)
 * 1:20591 <-> DISABLED <-> WEB-ACTIVEX Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (web-activex.rules)
 * 1:21604 <-> DISABLED <-> WEB-IIS Microsoft IIS multiple executable extension access attempt (web-iis.rules)
 * 1:21603 <-> DISABLED <-> WEB-IIS Microsoft IIS multiple executable extension access attempt (web-iis.rules)
 * 1:21602 <-> DISABLED <-> WEB-IIS Microsoft IIS multiple executable extension access attempt (web-iis.rules)
 * 1:21601 <-> DISABLED <-> WEB-IIS Microsoft IIS multiple executable extension access attempt (web-iis.rules)
 * 1:21600 <-> DISABLED <-> WEB-IIS Microsoft IIS multiple executable extension access attempt (web-iis.rules)
 * 1:21599 <-> DISABLED <-> WEB-IIS Microsoft IIS multiple executable extension access attempt (web-iis.rules)
 * 1:21566 <-> DISABLED <-> NETBIOS Microsoft Expression Design wintab32.dll dll-load exploit attempt (netbios.rules)
 * 1:21535 <-> ENABLED <-> SPECIFIC-THREATS Adobe Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt (specific-threats.rules)
 * 1:21534 <-> ENABLED <-> SPECIFIC-THREATS Adobe Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt (specific-threats.rules)
 * 1:21533 <-> ENABLED <-> SPECIFIC-THREATS Adobe Actionscript Stage3D null dereference attempt (specific-threats.rules)
 * 1:21484 <-> ENABLED <-> WEB-CLIENT zip file name buffer overflow attempt (web-client.rules)
 * 1:21447 <-> ENABLED <-> POLICY ActiveX FileSystemObject function call (policy.rules)
 * 1:21443 <-> ENABLED <-> BOTNET-CNC TDSS outbound connection (botnet-cnc.rules)
 * 1:21370 <-> DISABLED <-> NETBIOS Samba name mangling buffer overflow attempt (netbios.rules)
 * 1:21342 <-> ENABLED <-> EXPLOIT Adobe Flash Player MP4 zero length atom 'cprt' field attempt (exploit.rules)
 * 1:21341 <-> ENABLED <-> EXPLOIT Adobe Flash Player MP4 zero length atom 'dscp' field attempt (exploit.rules)
 * 1:21340 <-> ENABLED <-> EXPLOIT Adobe Flash Player MP4 zero length atom 'titl' field attempt (exploit.rules)
 * 1:21339 <-> ENABLED <-> EXPLOIT Adobe Flash Player MP4 zero length atom 'auth' field attempt (exploit.rules)
 * 1:21327 <-> ENABLED <-> BLACKLIST USER-AGENT ASafaWeb Scan (blacklist.rules)
 * 1:21170 <-> DISABLED <-> FILE-OFFICE Microsoft Office OLESS stream object name corruption attempt (file-office.rules)
 * 1:21041 <-> ENABLED <-> BLACKLIST URI possible Blackhole URL - main.php?page= (blacklist.rules)
 * 1:20883 <-> DISABLED <-> FILE-OFFICE Microsoft Windows embedded packager object with .application extension bypass attempt (file-office.rules)
 * 1:20882 <-> DISABLED <-> FILE-OFFICE Microsoft Windows embedded packager object identifier (file-office.rules)
 * 1:20717 <-> DISABLED <-> FILE-OFFICE Microsoft Windows OLE versioned stream missing data stream (file-office.rules)
 * 1:20592 <-> DISABLED <-> WEB-ACTIVEX Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX function call access (web-activex.rules)
 * 3:15298 <-> ENABLED <-> WEB-CLIENT Microsoft Visio could allow remote code execution (web-client.rules)
 * 3:17647 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (web-client.rules)