Sourcefire VRT Rules Update

Date: 2012-11-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:11442 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarAddPrivilegesToAccount overflow attempt (netbios.rules)
 * 1:15448 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP srvsvc NetrShareEnum null policy handle attempt (netbios.rules)
 * 1:15911 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss RouteRefreshPrinterChangeNotification attempt (netbios.rules)
 * 1:14988 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum overflow attempt (netbios.rules)
 * 1:15015 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrUseAdd/NetrUseGetInfo/NetrUseDel overflow attempt (os-windows.rules)
 * 1:14783 <-> ENABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP srvsvc NetrpPathCanonicalize path canonicalization stack overflow attempt (os-windows.rules)
 * 1:14900 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum overflow attempt (netbios.rules)
 * 1:13367 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss GetPrinterData attempt (netbios.rules)
 * 1:14782 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrpPathCanonicalize path canonicalization stack overflow attempt (os-windows.rules)
 * 1:24791 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit Portable Executable download (exploit-kit.rules)
 * 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
 * 1:24793 <-> ENABLED <-> EXPLOIT-KIT KaiXin Exploit Kit Java Class download (exploit-kit.rules)
 * 1:24794 <-> DISABLED <-> EXPLOIT-KIT KaiXin Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:24795 <-> DISABLED <-> EXPLOIT-KIT KaiXin Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:24796 <-> DISABLED <-> EXPLOIT-KIT KaiXin Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:24797 <-> DISABLED <-> EXPLOIT-KIT KaiXin Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:24798 <-> DISABLED <-> EXPLOIT-KIT Possible malicious Jar download attempt - specific-structure (exploit-kit.rules)
 * 1:24799 <-> ENABLED <-> MALWARE-OTHER OSX.Trojan.Imuler suspicious download (malware-other.rules)
 * 1:24800 <-> ENABLED <-> MALWARE-OTHER OSX.Trojan.Imuler suspicious download (malware-other.rules)
 * 1:24801 <-> DISABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager Express asset.getmimetype sql injection attempt (server-webapp.rules)
 * 1:24802 <-> DISABLED <-> SERVER-OTHER HP Database Archiving Software GIOP parsing buffer overflow attempt (server-other.rules)
 * 1:24789 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit PDF Exploit download (exploit-kit.rules)
 * 1:24790 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit Portable Executable request (exploit-kit.rules)
 * 1:24803 <-> DISABLED <-> SCADA GE Proficy Real-Time Information Portal directory traversal attempt (scada.rules)
 * 1:24787 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit Java Exploit download (exploit-kit.rules)
 * 1:24788 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit PDF Exploit request structure (exploit-kit.rules)
 * 1:24785 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit possible redirection attempt (exploit-kit.rules)
 * 1:24786 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit Java Exploit request structure (exploit-kit.rules)
 * 1:24804 <-> ENABLED <-> SERVER-WEBAPP Invision IP Board PHP unserialize code execution attempt (server-webapp.rules)
 * 1:24784 <-> ENABLED <-> EXPLOIT-KIT CoolEK Exploit Kit 64-bit font file download (exploit-kit.rules)
 * 1:24783 <-> ENABLED <-> EXPLOIT-KIT CoolEK Exploit Kit 32-bit font file download (exploit-kit.rules)
 * 1:24781 <-> ENABLED <-> EXPLOIT-KIT CoolEK Exploit Kit outbound request (exploit-kit.rules)
 * 1:24782 <-> ENABLED <-> EXPLOIT-KIT CoolEK Exploit Kit outbound request (exploit-kit.rules)
 * 1:24805 <-> ENABLED <-> SERVER-OTHER lighthttpd connection header denial of service attempt (server-other.rules)
 * 1:24779 <-> ENABLED <-> EXPLOIT-KIT CoolEK Exploit Kit - PDF Exploit (exploit-kit.rules)
 * 1:24780 <-> ENABLED <-> EXPLOIT-KIT CoolEK Exploit Kit - PDF Exploit (exploit-kit.rules)
 * 1:23240 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:24778 <-> ENABLED <-> EXPLOIT-KIT CoolEK Exploit Kit landing page - Title (exploit-kit.rules)
 * 1:24806 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise WebAccess directory traversal attempt - POST request (server-webapp.rules)
 * 1:22011 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:22012 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:22009 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:22010 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:24807 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise WebAccess directory traversal attempt - GET request (server-webapp.rules)
 * 1:22007 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:22008 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:22006 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:22004 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:24808 <-> DISABLED <-> FILE-FLASH Microsoft Internet Explorer premature unload of Flash plugin use after free attempt (file-flash.rules)
 * 1:22005 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:19890 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP CA Arcserve Backup directory traversal attempt (netbios.rules)
 * 1:21806 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:18316 <-> DISABLED <-> DELETED SPECIFIC-THREATS NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrValidateName2 attempt (deleted.rules)
 * 1:24809 <-> DISABLED <-> FILE-FLASH Microsoft Internet Explorer premature unload of Flash plugin use after free attempt (file-flash.rules)
 * 1:19621 <-> DISABLED <-> FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt (file-multimedia.rules)
 * 1:17365 <-> DISABLED <-> FILE-OTHER Microsoft Windows Help Workshop CNT Help contents buffer overflow attempt (file-other.rules)
 * 1:18315 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrValidateName2 overflow attempt (os-windows.rules)
 * 1:17047 <-> DISABLED <-> DELETED NETBIOS Microsoft Windows DNS Server RPC management interface buffer overflow attempt (deleted.rules)
 * 1:24810 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt (file-flash.rules)
 * 1:16743 <-> DISABLED <-> FILE-OTHER Cain & Abel Remote Desktop Protocol file handling buffer overflow attempt (file-other.rules)
 * 1:24811 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt (file-flash.rules)
 * 1:24812 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt (file-flash.rules)
 * 1:24813 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt (file-flash.rules)
 * 1:3238 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP irot IrotIsRunning/Revoke overflow attempt (os-windows.rules)
 * 1:3239 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (os-windows.rules)
 * 1:4072 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_DetectResourceConflict attempt (os-windows.rules)
 * 1:4245 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContextW overflow attempt (os-windows.rules)
 * 1:12984 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP srvsvc NetSetFileSecurity integer overflow attempt (netbios.rules)
 * 1:4246 <-> ENABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (os-windows.rules)
 * 1:4334 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList attempt (os-windows.rules)
 * 1:4358 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceListSize attempt (os-windows.rules)
 * 1:4413 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP spoolss AddPrinterEx overflow attempt (os-windows.rules)
 * 1:4608 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP netware_cs function 43 overflow attempt (os-windows.rules)
 * 1:529 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt (netbios.rules)
 * 1:6431 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContextW invalid second uuid size attempt (os-windows.rules)
 * 1:6432 <-> ENABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW invalid second uuid size attempt (os-windows.rules)
 * 1:6443 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContextW heap overflow attempt (os-windows.rules)
 * 1:6444 <-> ENABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (os-windows.rules)
 * 1:6455 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContext heap overflow attempt (os-windows.rules)
 * 1:6456 <-> ENABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (os-windows.rules)
 * 1:6810 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences area/country overflow attempt (os-windows.rules)
 * 1:6906 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences callback number overflow attempt (os-windows.rules)
 * 1:7209 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt (os-windows.rules)
 * 1:7210 <-> ENABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP srvsvc NetrPathCanonicalize overflow attempt (os-windows.rules)
 * 1:8157 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP webdav DavrCreateConnection hostname overflow attempt (os-windows.rules)
 * 1:8253 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP webdav DavrCreateConnection username overflow attempt (os-windows.rules)
 * 1:8925 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrAddAlternateComputerName overflow attempt (os-windows.rules)
 * 1:9027 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrJoinDomain2 overflow attempt (os-windows.rules)
 * 1:9132 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP netware_cs NwrOpenEnumNdsStubTrees_Any overflow attempt (os-windows.rules)
 * 1:9228 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP netware_cs NwGetConnectionInformation overflow attempt (os-windows.rules)
 * 1:12335 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_30010 overflow attempt (netbios.rules)
 * 1:12940 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 CA call 269 overflow attempt (netbios.rules)
 * 1:12985 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP srvsvc NetSetFileSecurity integer overflow attempt (netbios.rules)
 * 1:12489 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrWkstaGetInfo attempt (netbios.rules)
 * 1:11843 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP spoolss AddPrinter overflow attempt (os-windows.rules)
 * 1:10900 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP dns R_DnssrvEnumRecords overflow attempt (os-windows.rules)
 * 1:10603 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP dns R_DnssrvUpdateRecord2 overflow attempt (os-windows.rules)
 * 1:11443 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP lsarpc LsarAddPrivilegesToAccount overflow attempt (netbios.rules)

Modified Rules:


 * 1:24054 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure (exploit-kit.rules)
 * 1:2598 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt (server-webapp.rules)
 * 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (server-webapp.rules)
 * 1:3519 <-> DISABLED <-> SERVER-MYSQL MaxDB WebSQL wppassword buffer overflow default port (server-mysql.rules)
 * 1:24233 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit outbound connection (exploit-kit.rules)
 * 1:24313 <-> ENABLED <-> SERVER-WEBAPP HP OpenView Operations Agent request (server-webapp.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:4988 <-> DISABLED <-> SERVER-WEBAPP Barracuda IMG.PL directory traversal attempt (server-webapp.rules)
 * 1:3693 <-> DISABLED <-> SERVER-WEBAPP IBM WebSphere j_security_check overflow attempt (server-webapp.rules)
 * 1:24767 <-> ENABLED <-> SERVER-WEBAPP Novell File Reporter FSFUI request directory traversal attempt (server-webapp.rules)
 * 1:24766 <-> ENABLED <-> SERVER-WEBAPP Novell File Reporter SRS request arbitrary file download attempt (server-webapp.rules)
 * 1:23223 <-> ENABLED <-> EXPLOIT-KIT RedKit Landing Page Received - applet and code (exploit-kit.rules)
 * 1:23225 <-> ENABLED <-> EXPLOIT-KIT RedKit Landing Page Received - applet and flowbit (exploit-kit.rules)
 * 1:23222 <-> ENABLED <-> EXPLOIT-KIT RedKit Landing Page Received - applet and 5 digit jar attempt (exploit-kit.rules)
 * 1:23221 <-> DISABLED <-> EXPLOIT-KIT RedKit Jar File Naming Algorithm (exploit-kit.rules)
 * 1:23224 <-> ENABLED <-> EXPLOIT-KIT RedKit Landing Page Requested - 8Digit.html (exploit-kit.rules)
 * 1:23159 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page download attempt (exploit-kit.rules)
 * 1:23218 <-> ENABLED <-> EXPLOIT-KIT RedKit Repeated Exploit Request Pattern (exploit-kit.rules)
 * 1:23219 <-> ENABLED <-> EXPLOIT-KIT Redkit Java Exploit request to .class file (exploit-kit.rules)
 * 1:23220 <-> ENABLED <-> EXPLOIT-KIT RedKit Java Exploit Requested - 5 digit jar (exploit-kit.rules)
 * 1:22949 <-> ENABLED <-> EXPLOIT-KIT Blackhole redirection attempt (exploit-kit.rules)
 * 1:23158 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure - prototype catch (exploit-kit.rules)
 * 1:23157 <-> ENABLED <-> EXPLOIT-KIT URI Nuclear Pack exploit kit binary download (exploit-kit.rules)
 * 1:22088 <-> ENABLED <-> EXPLOIT-KIT Blackhole Exploit Kit javascript service method (exploit-kit.rules)
 * 1:23156 <-> ENABLED <-> EXPLOIT-KIT URI Nuclear Pack exploit kit landing page (exploit-kit.rules)
 * 1:21876 <-> ENABLED <-> EXPLOIT-KIT Blackhole Exploit landing page with specific structure - Loading (exploit-kit.rules)
 * 1:22041 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing redirection page (exploit-kit.rules)
 * 1:22040 <-> ENABLED <-> EXPLOIT-KIT Blackhole suspected landing page (exploit-kit.rules)
 * 1:21860 <-> ENABLED <-> EXPLOIT-KIT Phoenix exploit kit post-compromise behavior (exploit-kit.rules)
 * 1:21661 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure - catch (exploit-kit.rules)
 * 1:22039 <-> ENABLED <-> EXPLOIT-KIT Blackhole suspected landing page (exploit-kit.rules)
 * 1:21657 <-> ENABLED <-> EXPLOIT-KIT Blackhole Applet landing page (exploit-kit.rules)
 * 1:21658 <-> ENABLED <-> EXPLOIT-KIT Blackhole possible landing page (exploit-kit.rules)
 * 1:21659 <-> ENABLED <-> EXPLOIT-KIT Blackhole Landing Page Requested - /Home/index.php (exploit-kit.rules)
 * 1:21660 <-> ENABLED <-> EXPLOIT-KIT Blackhole Landing Page Requested - /Index/index.php (exploit-kit.rules)
 * 1:21549 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific header (exploit-kit.rules)
 * 1:21646 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure - prototype catch (exploit-kit.rules)
 * 1:21539 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific header (exploit-kit.rules)
 * 1:21640 <-> DISABLED <-> EXPLOIT-KIT Possible Phoenix exploit kit landing page (exploit-kit.rules)
 * 1:21492 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure - prototype catch (exploit-kit.rules)
 * 1:21581 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure - BBB (exploit-kit.rules)
 * 1:21347 <-> ENABLED <-> EXPLOIT-KIT URI possible Blackhole URL - .php?page= (exploit-kit.rules)
 * 1:21348 <-> ENABLED <-> EXPLOIT-KIT URI possible Blackhole URL - search.php?page= (exploit-kit.rules)
 * 1:21378 <-> DISABLED <-> SERVER-OTHER Novell iPrint attributes-natural-language buffer overflow attempt (server-other.rules)
 * 1:21438 <-> ENABLED <-> EXPLOIT-KIT Blackhole Exploit Kit JavaScript carat string splitting with hostile applet (exploit-kit.rules)
 * 1:21346 <-> DISABLED <-> EXPLOIT-KIT possible Blackhole exploit kit malicious jar download (exploit-kit.rules)
 * 1:21343 <-> ENABLED <-> EXPLOIT-KIT Blackhole exploit kit pdf request (exploit-kit.rules)
 * 1:21259 <-> ENABLED <-> EXPLOIT-KIT Blackhole exploit kit response (exploit-kit.rules)
 * 1:21344 <-> ENABLED <-> EXPLOIT-KIT Blackhole exploit kit pdf download (exploit-kit.rules)
 * 1:21345 <-> DISABLED <-> EXPLOIT-KIT possible Blackhole exploit kit malicious jar request (exploit-kit.rules)
 * 1:21069 <-> ENABLED <-> EXPLOIT-KIT Eleanore exploit kit exploit fetch request (exploit-kit.rules)
 * 1:21141 <-> ENABLED <-> EXPLOIT-KIT Blackhole exploit kit control panel access (exploit-kit.rules)
 * 1:21071 <-> ENABLED <-> EXPLOIT-KIT Eleanore exploit kit post-exploit page request (exploit-kit.rules)
 * 1:21068 <-> ENABLED <-> EXPLOIT-KIT Eleanore exploit kit landing page (exploit-kit.rules)
 * 1:21045 <-> ENABLED <-> EXPLOIT-KIT possible Blackhole landing page (exploit-kit.rules)
 * 1:21070 <-> ENABLED <-> EXPLOIT-KIT Eleanore exploit kit pdf exploit page request (exploit-kit.rules)
 * 1:21041 <-> ENABLED <-> EXPLOIT-KIT URI possible Blackhole URL - main.php?page= (exploit-kit.rules)
 * 1:21042 <-> ENABLED <-> EXPLOIT-KIT URI possible Blackhole post-compromise download attempt - .php?f= (exploit-kit.rules)
 * 1:21043 <-> ENABLED <-> EXPLOIT-KIT URI possible Blackhole post-compromise download attempt - .php?e= (exploit-kit.rules)
 * 1:21044 <-> ENABLED <-> EXPLOIT-KIT possible Blackhole landing page (exploit-kit.rules)
 * 1:20608 <-> DISABLED <-> WEB-CLIENT Novell Groupwise internet agent http uri buffer overflow attempt (web-client.rules)
 * 1:20957 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:20607 <-> DISABLED <-> WEB-CLIENT Novell Groupwise internet agent http uri buffer overflow attempt (web-client.rules)
 * 1:20764 <-> DISABLED <-> SERVER-WEBAPP SyBase MBusiness xml closing tag overflow attempt (server-webapp.rules)
 * 1:2086 <-> DISABLED <-> SERVER-WEBAPP streaming server parse_xml.cgi access (server-webapp.rules)
 * 1:1545 <-> DISABLED <-> DOS Cisco denial of service attempt (dos.rules)
 * 1:19184 <-> DISABLED <-> OS-WINDOWS Microsoft Windows OLEAUT32.DLL malicious WMF file remote code execution attempt (os-windows.rules)
 * 1:1889 <-> DISABLED <-> MALWARE-CNC slapper worm admin traffic (malware-cnc.rules)
 * 1:12057 <-> DISABLED <-> SERVER-WEBAPP WhatsUpGold configuration access (server-webapp.rules)
 * 1:12056 <-> DISABLED <-> SERVER-WEBAPP WhatsUpGold instancename overflow attempt (server-webapp.rules)
 * 1:1887 <-> DISABLED <-> SERVER-OTHER OpenSSL Worm traffic (server-other.rules)
 * 1:11665 <-> DISABLED <-> SERVER-WEBAPP sphpblog install03_cgi access attempt (server-webapp.rules)
 * 1:11666 <-> DISABLED <-> SERVER-WEBAPP sphpblog upload_img_cgi access attempt (server-webapp.rules)
 * 1:11667 <-> DISABLED <-> SERVER-WEBAPP sphpblog arbitrary file delete attempt (server-webapp.rules)
 * 1:11668 <-> DISABLED <-> SERVER-WEBAPP vbulletin php code injection (server-webapp.rules)
 * 1:11664 <-> DISABLED <-> SERVER-WEBAPP sphpblog password.txt access attempt (server-webapp.rules)
 * 1:1051 <-> DISABLED <-> FILE-OTHER technote main.cgi file directory traversal attempt (file-other.rules)
 * 1:24548 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page download attempt (exploit-kit.rules)
 * 1:24549 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV Atom length buffer overflow attempt (file-multimedia.rules)
 * 1:24550 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV Atom length buffer overflow attempt (file-multimedia.rules)
 * 1:24547 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page download attempt (exploit-kit.rules)
 * 1:24593 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page received - specific structure (exploit-kit.rules)
 * 1:24546 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page download attempt (exploit-kit.rules)
 * 1:24544 <-> ENABLED <-> EXPLOIT-KIT Blackhole admin page outbound access attempt (exploit-kit.rules)
 * 1:24543 <-> ENABLED <-> EXPLOIT-KIT Blackhole admin page inbound access attempt (exploit-kit.rules)
 * 1:24501 <-> ENABLED <-> EXPLOIT-KIT Blackhole v2 fallback executable download (exploit-kit.rules)
 * 1:24475 <-> ENABLED <-> EXPLOIT-KIT Blackhole - Cookie Set (exploit-kit.rules)
 * 1:24608 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page download attempt (exploit-kit.rules)
 * 1:24432 <-> ENABLED <-> BROWSER-OTHER HTML5 canvas element heap spray attempt (browser-other.rules)
 * 1:2442 <-> DISABLED <-> SERVER-WEBAPP Apple Quicktime User-Agent buffer overflow attempt (server-webapp.rules)
 * 1:24636 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 redirection page - specific structure (exploit-kit.rules)
 * 1:24637 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 redirection page - specific structure (exploit-kit.rules)
 * 1:2656 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt (server-webapp.rules)
 * 1:24638 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 redirection successful (exploit-kit.rules)
 * 1:24702 <-> ENABLED <-> FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt (file-other.rules)
 * 1:24703 <-> ENABLED <-> FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt (file-other.rules)
 * 1:24761 <-> DISABLED <-> FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt (file-other.rules)
 * 1:24762 <-> DISABLED <-> FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt (file-other.rules)
 * 1:24765 <-> ENABLED <-> SERVER-WEBAPP Novell File Reporter SRS request heap overflow attempt (server-webapp.rules)
 * 1:2411 <-> DISABLED <-> SERVER-WEBAPP RealNetworks RealSystem Server DESCRIBE buffer overflow attempt (server-webapp.rules)
 * 1:24234 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit outbound connection (exploit-kit.rules)
 * 1:24226 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page received (exploit-kit.rules)
 * 1:24091 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver SOAP interface command injection attempt (server-webapp.rules)
 * 1:23878 <-> ENABLED <-> BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt (browser-plugins.rules)
 * 1:2388 <-> DISABLED <-> SERVER-WEBAPP streaming server view_broadcast.cgi access (server-webapp.rules)
 * 1:23797 <-> ENABLED <-> EXPLOIT-KIT Blackhole redirection page (exploit-kit.rules)
 * 1:23849 <-> ENABLED <-> EXPLOIT-KIT Blackhole redirection attempt (exploit-kit.rules)
 * 1:23848 <-> ENABLED <-> EXPLOIT-KIT Blackhole redirection attempt (exploit-kit.rules)
 * 1:23786 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure - Math.round catch (exploit-kit.rules)
 * 1:23622 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page request - tkr (exploit-kit.rules)
 * 1:23619 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure - prototype catch broken (exploit-kit.rules)
 * 1:23785 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure - Math.floor catch (exploit-kit.rules)
 * 1:23745 <-> ENABLED <-> FILE-IDENTIFY MOV file magic detected (file-identify.rules)
 * 1:23781 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page (exploit-kit.rules)
 * 1:24053 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure (exploit-kit.rules)
 * 1:23850 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure - hwehes (exploit-kit.rules)
 * 1:23962 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure - fewbgazr catch (exploit-kit.rules)
 * 1:23238 <-> DISABLED <-> NETBIOS Wireshark console.lua file load exploit attempt (netbios.rules)
 * 1:24228 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 - Landing Page Received (exploit-kit.rules)
 * 1:24171 <-> DISABLED <-> EXPLOIT-KIT Blackhole possible email Landing to 8 chr folder (exploit-kit.rules)
 * 1:24232 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit outbound connection (exploit-kit.rules)
 * 1:24231 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit redirection attempt (exploit-kit.rules)
 * 1:24227 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 - URI Structure (exploit-kit.rules)
 * 3:18640 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed SupBook record attempt (web-client.rules)
 * 3:18669 <-> ENABLED <-> WEB-CLIENT cross-domain object mainpulation attempt (web-client.rules)
 * 3:18630 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules)
 * 3:18631 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules)
 * 3:18220 <-> ENABLED <-> WEB-CLIENT Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (web-client.rules)
 * 3:18414 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Kerberos auth downgrade to DES MITM attempt (web-client.rules)
 * 3:16154 <-> ENABLED <-> WEB-CLIENT GDI+ .NET image property parsing memory corruption (web-client.rules)
 * 3:17115 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer cross domain information disclosure attempt (web-client.rules)
 * 3:13978 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX function call unicode access (web-client.rules)
 * 3:13979 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System Subscription VBScript access (web-client.rules)
 * 3:13976 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX clsid unicode access (web-client.rules)