Sourcefire VRT Rules Update

Date: 2013-07-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.6.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:27101 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt (browser-ie.rules)
 * 1:27111 <-> DISABLED <-> BROWSER-PLUGINS PcVue SVUIGrd.ocx ActiveX clsid access (browser-plugins.rules)
 * 1:27117 <-> ENABLED <-> OS-MOBILE Android Androrat sms message leakage (os-mobile.rules)
 * 1:27123 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 259 buffer overflow attempt (server-other.rules)
 * 1:27124 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1092 buffer overflow attempt (server-other.rules)
 * 1:27125 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 211 buffer overflow attempt (server-other.rules)
 * 1:27126 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer setCapture use after free attempt (browser-ie.rules)
 * 1:27127 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt (browser-ie.rules)
 * 1:27128 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt (browser-ie.rules)
 * 1:27129 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 use after free attempt (browser-ie.rules)
 * 1:27130 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 use after free attempt (browser-ie.rules)
 * 1:27131 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 CTreePos use after free attempt (browser-ie.rules)
 * 1:27132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer PreviousTreePos use after free attempt (browser-ie.rules)
 * 1:27133 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer display node use after free attempt (browser-ie.rules)
 * 1:27134 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer display node use after free attempt (browser-ie.rules)
 * 1:27135 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 10 CTreePos use after free attempt (browser-ie.rules)
 * 1:27137 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt (browser-ie.rules)
 * 1:27136 <-> ENABLED <-> OS-WINDOWS Microsoft Windows .NET CLR mutlidimensional array handling remote code execution attempt (os-windows.rules)
 * 1:27138 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt (browser-ie.rules)
 * 1:27139 <-> ENABLED <-> OS-WINDOWS Microsoft Windows .NET CLR mutlidimensional array handling remote code execution attempt (os-windows.rules)
 * 1:27140 <-> ENABLED <-> EXPLOIT-KIT Private Exploit Kit numerically named exe file dowload (exploit-kit.rules)
 * 1:27141 <-> ENABLED <-> EXPLOIT-KIT Private Exploit Kit landing page (exploit-kit.rules)
 * 1:27143 <-> ENABLED <-> EXPLOIT-KIT Private Exploit Kit landing page (exploit-kit.rules)
 * 1:27142 <-> ENABLED <-> EXPLOIT-KIT Private Exploit Kit landing page (exploit-kit.rules)
 * 1:27144 <-> ENABLED <-> EXPLOIT-KIT Private Exploit Kit outbound traffic (exploit-kit.rules)
 * 1:27145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Seinup variant outbound connection (malware-cnc.rules)
 * 1:27147 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 IE5 compatibility mode use after free attempt (browser-ie.rules)
 * 1:27146 <-> DISABLED <-> BLACKLIST DNS request for known malware domain scari-elegante.ro - Yakes Trojan (blacklist.rules)
 * 1:27148 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer versions 6-9 deleted object access attempt (browser-ie.rules)
 * 1:27149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer versions 6-9 deleted object access attempt (browser-ie.rules)
 * 1:27150 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:27151 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:27152 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:27153 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:27154 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pElement member use after free attempt (browser-ie.rules)
 * 1:27155 <-> DISABLED <-> BLACKLIST DNS request for known malware domain myharlemshake.info - MSIL Trojan (blacklist.rules)
 * 1:27156 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt (browser-ie.rules)
 * 1:27157 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt (browser-ie.rules)
 * 1:27110 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request (exploit-kit.rules)
 * 1:27107 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 exploit kit malicious jar download (exploit-kit.rules)
 * 1:27121 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector - initiate connection (server-other.rules)
 * 1:27122 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 305 buffer overflow attempt (server-other.rules)
 * 1:27120 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:27116 <-> ENABLED <-> OS-MOBILE Android Androrat device information leakage (os-mobile.rules)
 * 1:27119 <-> DISABLED <-> EXPLOIT-KIT multiple plugin version detection attempt (exploit-kit.rules)
 * 1:27106 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 exploit kit malicious jar download (exploit-kit.rules)
 * 1:27114 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.xii variant outbound connection attempt (malware-cnc.rules)
 * 1:27096 <-> DISABLED <-> FILE-OTHER XML exponential entity expansion attack attempt (file-other.rules)
 * 1:27100 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt (browser-ie.rules)
 * 1:27092 <-> ENABLED <-> EXPLOIT-KIT Cool/Styx exploit kit landing page (exploit-kit.rules)
 * 1:27095 <-> ENABLED <-> OS-MOBILE Android ANDR.Trojan.FakeToken APK file download attempt (os-mobile.rules)
 * 1:27085 <-> ENABLED <-> EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar pipe.class (exploit-kit.rules)
 * 1:27089 <-> ENABLED <-> FILE-OFFICE Microsoft Office eps filters memory corruption attempt (file-office.rules)
 * 1:27086 <-> ENABLED <-> EXPLOIT-KIT Unknown Malvertising Exploit Kit stage-1 redirect (exploit-kit.rules)
 * 1:27087 <-> DISABLED <-> DELETED EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar app.jar (deleted.rules)
 * 1:27097 <-> ENABLED <-> OS-MOBILE Android ANDR.Trojan.SMSSilence APK file download attempt (os-mobile.rules)
 * 1:27094 <-> ENABLED <-> OS-MOBILE Android ANDR.Trojan.FakeToken information disclosure attempt (os-mobile.rules)
 * 1:27091 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Weavun variant outbound connection attempt (malware-cnc.rules)
 * 1:27093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Medfos variant outbound connection (malware-cnc.rules)
 * 1:27088 <-> DISABLED <-> DELETED EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar cm2.jar (deleted.rules)
 * 1:27098 <-> ENABLED <-> OS-MOBILE Android ANDR.Trojan.SMSSilence unsolicited sms attempt (os-mobile.rules)
 * 1:27099 <-> ENABLED <-> OS-MOBILE Android ANDR.Trojan.SMSSilence device information disclosure attempt (os-mobile.rules)
 * 1:27090 <-> ENABLED <-> FILE-OFFICE Microsoft Office eps filters memory corruption attempt (file-office.rules)
 * 1:27115 <-> ENABLED <-> DOS DirtJumper denial of service attack traffic (dos.rules)
 * 1:27108 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit malicious jar file downloaded when exe is declared (exploit-kit.rules)
 * 1:27102 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime enof atom parsing heap buffer overflow attempt (file-multimedia.rules)
 * 1:27103 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime enof atom parsing heap buffer overflow attempt (file-multimedia.rules)
 * 1:27105 <-> ENABLED <-> SERVER-WEBAPP HP System Management arbitrary command injection attempt (server-webapp.rules)
 * 1:27104 <-> ENABLED <-> SERVER-WEBAPP HP System Management arbitrary command injection attempt (server-webapp.rules)
 * 1:27109 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit malicious jar download (exploit-kit.rules)
 * 1:27112 <-> DISABLED <-> BROWSER-PLUGINS PcVue SVUIGrd.ocx ActiveX function call access (browser-plugins.rules)
 * 1:27118 <-> ENABLED <-> OS-MOBILE Android Androrat contact list leakage (os-mobile.rules)
 * 1:27113 <-> ENABLED <-> EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt (exploit-kit.rules)

Modified Rules:


 * 1:9914 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP tapisrv ClientRequest LSetAppPriority overflow attempt (os-windows.rules)
 * 1:9228 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP netware_cs NwGetConnectionInformation overflow attempt (os-windows.rules)
 * 1:9769 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP msqueue function 4 overflow attempt (os-windows.rules)
 * 1:9027 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrJoinDomain2 overflow attempt (os-windows.rules)
 * 1:9132 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP netware_cs NwrOpenEnumNdsStubTrees_Any overflow attempt (os-windows.rules)
 * 1:8925 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrAddAlternateComputerName overflow attempt (os-windows.rules)
 * 1:8456 <-> DISABLED <-> OS-WINDOWS SMB-DS Rename invalid buffer type unicode attempt (os-windows.rules)
 * 1:8709 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NAT helper components tcp denial of service attempt (os-windows.rules)
 * 1:8454 <-> DISABLED <-> OS-WINDOWS SMB-DS Rename invalid buffer type attempt (os-windows.rules)
 * 1:8455 <-> DISABLED <-> OS-WINDOWS SMB-DS Rename invalid buffer type unicode andx attempt (os-windows.rules)
 * 1:8452 <-> DISABLED <-> OS-WINDOWS SMB Rename invalid buffer type unicode attempt (os-windows.rules)
 * 1:8453 <-> DISABLED <-> OS-WINDOWS SMB-DS Rename invalid buffer type andx attempt (os-windows.rules)
 * 1:8450 <-> DISABLED <-> OS-WINDOWS SMB Rename invalid buffer type attempt (os-windows.rules)
 * 1:8451 <-> DISABLED <-> OS-WINDOWS SMB Rename invalid buffer type unicode andx attempt (os-windows.rules)
 * 1:8253 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP webdav DavrCreateConnection username overflow attempt (os-windows.rules)
 * 1:8449 <-> DISABLED <-> OS-WINDOWS SMB Rename invalid buffer type andx attempt (os-windows.rules)
 * 1:7209 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt (os-windows.rules)
 * 1:8157 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP webdav DavrCreateConnection hostname overflow attempt (os-windows.rules)
 * 1:7040 <-> DISABLED <-> OS-WINDOWS SMB Trans unicode andx mailslot heap overflow attempt (os-windows.rules)
 * 1:7039 <-> DISABLED <-> OS-WINDOWS SMB Trans andx mailslot heap overflow attempt (os-windows.rules)
 * 1:7035 <-> ENABLED <-> OS-WINDOWS SMB Trans mailslot heap overflow attempt (os-windows.rules)
 * 1:7036 <-> DISABLED <-> OS-WINDOWS SMB Trans unicode mailslot heap overflow attempt (os-windows.rules)
 * 1:6810 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences area/country overflow attempt (os-windows.rules)
 * 1:6906 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences callback number overflow attempt (os-windows.rules)
 * 1:6584 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP rras RasRpcSubmitRequest overflow attempt (os-windows.rules)
 * 1:6714 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences phonebook mode overflow attempt (os-windows.rules)
 * 1:6455 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContext heap overflow attempt (os-windows.rules)
 * 1:6443 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContextW heap overflow attempt (os-windows.rules)
 * 1:6431 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContextW invalid second uuid size attempt (os-windows.rules)
 * 1:5737 <-> DISABLED <-> OS-WINDOWS SMB-DS Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:6419 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContextW invalid uuid size attempt (os-windows.rules)
 * 1:14737 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP host-integration bind attempt (os-windows.rules)
 * 1:5736 <-> DISABLED <-> OS-WINDOWS SMB-DS Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:13246 <-> DISABLED <-> MALWARE-BACKDOOR troya 1.4 inbound connection (malware-backdoor.rules)
 * 1:14653 <-> DISABLED <-> OS-WINDOWS SMB Search andx Search filename size integer underflow attempt (os-windows.rules)
 * 1:10603 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP dns R_DnssrvUpdateRecord2 overflow attempt (os-windows.rules)
 * 1:12280 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules)
 * 1:16238 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP llsrpc2 LlsrLicenseRequestW overflow attempt (os-windows.rules)
 * 1:16283 <-> DISABLED <-> SERVER-WEBAPP Borland StarTeam Multicast Service buffer overflow attempt (server-webapp.rules)
 * 1:16354 <-> DISABLED <-> FILE-PDF Adobe Reader start-of-file alternate header obfuscation (file-pdf.rules)
 * 1:16390 <-> DISABLED <-> FILE-PDF Adobe Reader alternate file magic obfuscation (file-pdf.rules)
 * 1:16397 <-> DISABLED <-> OS-WINDOWS SMB andx invalid server name share access (os-windows.rules)
 * 1:16398 <-> DISABLED <-> OS-WINDOWS SMB invalid server name share access (os-windows.rules)
 * 1:16399 <-> DISABLED <-> OS-WINDOWS SMB unicode andx invalid server name share access (os-windows.rules)
 * 1:16400 <-> DISABLED <-> OS-WINDOWS SMB unicode invalid server name share access (os-windows.rules)
 * 1:1734 <-> DISABLED <-> PROTOCOL-FTP USER overflow attempt (protocol-ftp.rules)
 * 1:17435 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList attempt (os-windows.rules)
 * 1:17436 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceListSize attempt (os-windows.rules)
 * 1:17437 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList attempt (os-windows.rules)
 * 1:17438 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceListSize attempt (os-windows.rules)
 * 1:17549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Error Handling Code Execution (browser-ie.rules)
 * 1:17604 <-> DISABLED <-> SERVER-OTHER Oracle Java AWT ConvolveOp memory corruption attempt (server-other.rules)
 * 1:17702 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrDfsCreateExitPoint dos attempt (os-windows.rules)
 * 1:18203 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book smmscrpt.dll malicious DLL load (os-windows.rules)
 * 1:18267 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP rpcss2_RemoteGetClassObject attempt (os-windows.rules)
 * 1:18684 <-> ENABLED <-> FILE-PDF PDF file with embedded PDF object (file-pdf.rules)
 * 1:18315 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrValidateName2 overflow attempt (os-windows.rules)
 * 1:19013 <-> DISABLED <-> PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ (protocol-tftp.rules)
 * 1:19014 <-> DISABLED <-> PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ (protocol-tftp.rules)
 * 1:19189 <-> DISABLED <-> OS-WINDOWS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
 * 1:19221 <-> DISABLED <-> OS-WINDOWS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
 * 1:19199 <-> DISABLED <-> OS-WINDOWS Smb2Create_Finalize malformed EndOfFile field exploit attempt (os-windows.rules)
 * 1:19646 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:19647 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:19648 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:19972 <-> DISABLED <-> OS-WINDOWS SMB client TRANS response paramcount overflow attempt (os-windows.rules)
 * 1:20146 <-> DISABLED <-> FILE-PDF attempted download of a PDF with embedded PICT image (file-pdf.rules)
 * 1:20151 <-> DISABLED <-> FILE-PDF attempted download of a PDF with embedded PCX image (file-pdf.rules)
 * 1:20272 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Forefront UAG NLSessionS cookie overflow attempt (os-windows.rules)
 * 1:20634 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll DOS attempt (browser-ie.rules)
 * 1:20603 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RSH daemon buffer overflow attempt (os-windows.rules)
 * 1:20569 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Small.kb outbound connection (malware-cnc.rules)
 * 1:20837 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mecklow.C runtime traffic detected (malware-cnc.rules)
 * 1:20884 <-> DISABLED <-> OS-WINDOWS Microsoft Anti-Cross Site Scripting library bypass attempt (os-windows.rules)
 * 1:20921 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader embedded BMP colors used integer overflow attempt (file-pdf.rules)
 * 1:20922 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader embedded BMP bit count integer overflow attempt (file-pdf.rules)
 * 1:20923 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader embedded BMP bit count integer overflow attempt (file-pdf.rules)
 * 1:2101 <-> DISABLED <-> OS-WINDOWS SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:21048 <-> ENABLED <-> BLACKLIST DNS request for known malware domain prettylikeher.com - Sykipot (blacklist.rules)
 * 1:21049 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mysundayparty.com - Sykipot (blacklist.rules)
 * 1:21254 <-> ENABLED <-> FILE-PDF Foxit Reader createDataObject file write attempt (file-pdf.rules)
 * 1:21405 <-> DISABLED <-> OS-WINDOWS Microsoft Anti-Cross Site Scripting library bypass attempt (os-windows.rules)
 * 1:21518 <-> DISABLED <-> MALWARE-CNC Trojan.Agent-59544 connect to server (malware-cnc.rules)
 * 1:21529 <-> DISABLED <-> OS-WINDOWS SMB Trans2 Find_First2 filename overflow attempt (os-windows.rules)
 * 1:22941 <-> ENABLED <-> FILE-PDF Possible malicious PDF detection - qweqwe= (file-pdf.rules)
 * 1:23156 <-> ENABLED <-> EXPLOIT-KIT URI Nuclear Pack exploit kit landing page (exploit-kit.rules)
 * 1:23314 <-> DISABLED <-> OS-WINDOWS SMB invalid character argument injection attempt (os-windows.rules)
 * 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
 * 1:23513 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:23514 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:23515 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:2382 <-> DISABLED <-> OS-WINDOWS SMB Session Setup NTMLSSP asn1 overflow attempt (os-windows.rules)
 * 1:2383 <-> DISABLED <-> OS-WINDOWS SMB-DS Session Setup NTMLSSP asn1 overflow attempt (os-windows.rules)
 * 1:23846 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP freed memory write attempt (os-windows.rules)
 * 1:23883 <-> DISABLED <-> FILE-PDF Adobe Reader JBIG2 encoding invalid symbol in dictionary segment (file-pdf.rules)
 * 1:23884 <-> DISABLED <-> FILE-PDF Adobe Reader JBIG2 encoding invalid symbol in dictionary segment (file-pdf.rules)
 * 1:24131 <-> ENABLED <-> OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt (os-windows.rules)
 * 1:24132 <-> ENABLED <-> OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt (os-windows.rules)
 * 1:24133 <-> ENABLED <-> OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt (os-windows.rules)
 * 1:24134 <-> ENABLED <-> OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt (os-windows.rules)
 * 1:24135 <-> ENABLED <-> OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt (os-windows.rules)
 * 1:24136 <-> ENABLED <-> OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt (os-windows.rules)
 * 1:24137 <-> ENABLED <-> OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt (os-windows.rules)
 * 1:2417 <-> DISABLED <-> PROTOCOL-FTP format string attempt (protocol-ftp.rules)
 * 1:24336 <-> DISABLED <-> OS-WINDOWS SMB Microsoft Windows RAP API NetServerEnum2 long comment buffer overflow attempt (os-windows.rules)
 * 1:24506 <-> DISABLED <-> FILE-PDF Adobe Reader null pointer dereference attempt (file-pdf.rules)
 * 1:2508 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt (os-windows.rules)
 * 1:25818 <-> ENABLED <-> FILE-PDF Adobe Reader known malicious variable exploit attempt (file-pdf.rules)
 * 1:25819 <-> ENABLED <-> FILE-PDF Adobe Reader known malicious variable exploit attempt (file-pdf.rules)
 * 1:26021 <-> ENABLED <-> FILE-PDF Adobe Reader XML Java used in app.setTimeOut (file-pdf.rules)
 * 1:26023 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant in.php outbound connection (malware-cnc.rules)
 * 1:26079 <-> ENABLED <-> FILE-PDF PDF file with embedded PDF object (file-pdf.rules)
 * 1:26338 <-> ENABLED <-> EXPLOIT-KIT Blackhole exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:26524 <-> ENABLED <-> BROWSER-PLUGINS Java security warning bypass through JWS attempt (browser-plugins.rules)
 * 1:26525 <-> ENABLED <-> BROWSER-PLUGINS Java security warning bypass through JWS attempt (browser-plugins.rules)
 * 1:26597 <-> ENABLED <-> FILE-OFFICE Microsoft Office eps filters memory corruption attempt (file-office.rules)
 * 1:26606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sosork variant outbound connection (malware-cnc.rules)
 * 1:26646 <-> ENABLED <-> BROWSER-PLUGINS Java security warning bypass through JWS attempt (browser-plugins.rules)
 * 1:26647 <-> ENABLED <-> BROWSER-PLUGINS Java security warning bypass through JWS attempt (browser-plugins.rules)
 * 1:26817 <-> DISABLED <-> FILE-PDF Adobe Reader javascript regex embedded sandbox escape attempt (file-pdf.rules)
 * 1:26850 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt (browser-ie.rules)
 * 1:26851 <-> ENABLED <-> BROWSER-IE IE5 compatibility mode user after free attempt (browser-ie.rules)
 * 1:26853 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt (browser-ie.rules)
 * 1:26885 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:26887 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:26886 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:26910 <-> DISABLED <-> MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers (malware-cnc.rules)
 * 1:26933 <-> ENABLED <-> MALWARE-OTHER Clickserver ad harvesting redirection attempt (malware-other.rules)
 * 1:26934 <-> ENABLED <-> MALWARE-OTHER Clickserver ad harvesting redirection attempt (malware-other.rules)
 * 1:27005 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit Portable Executable downloaded when mp3 is declared (exploit-kit.rules)
 * 1:26950 <-> ENABLED <-> EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt (exploit-kit.rules)
 * 1:27033 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Transhell outbound connection user-agent (malware-cnc.rules)
 * 1:2936 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP nddeapi NDdeSetTrustedShareW overflow attempt (os-windows.rules)
 * 1:3000 <-> DISABLED <-> OS-WINDOWS SMB Session Setup NTMLSSP unicode asn1 overflow attempt (os-windows.rules)
 * 1:3002 <-> DISABLED <-> OS-WINDOWS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt (os-windows.rules)
 * 1:5729 <-> DISABLED <-> OS-WINDOWS SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5730 <-> DISABLED <-> OS-WINDOWS SMB-DS Trans Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:3001 <-> DISABLED <-> OS-WINDOWS SMB Session Setup NTMLSSP andx asn1 overflow attempt (os-windows.rules)
 * 1:5735 <-> DISABLED <-> OS-WINDOWS SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5731 <-> DISABLED <-> OS-WINDOWS SMB-DS Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5733 <-> DISABLED <-> OS-WINDOWS SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:3003 <-> DISABLED <-> OS-WINDOWS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt (os-windows.rules)
 * 1:3004 <-> DISABLED <-> OS-WINDOWS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt (os-windows.rules)
 * 1:3005 <-> DISABLED <-> OS-WINDOWS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt (os-windows.rules)
 * 1:11843 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP spoolss AddPrinter overflow attempt (os-windows.rules)
 * 1:10900 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP dns R_DnssrvEnumRecords overflow attempt (os-windows.rules)
 * 1:11073 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP rpcss _RemoteGetClassObject attempt (os-windows.rules)
 * 1:13210 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP mqqm QMObjectPathToObjectFormat overflow attempt (os-windows.rules)
 * 1:12635 <-> DISABLED <-> OS-WINDOWS RPC NTLMSSP malformed credentials attempt (os-windows.rules)
 * 1:12977 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP mqqm QMCreateObjectInternal overflow attempt (os-windows.rules)
 * 1:14650 <-> ENABLED <-> OS-WINDOWS SMB Search unicode Search filename size integer underflow attempt (os-windows.rules)
 * 1:3143 <-> DISABLED <-> OS-WINDOWS SMB Trans2 FIND_FIRST2 command response overflow attempt (os-windows.rules)
 * 1:13970 <-> ENABLED <-> FILE-OFFICE Microsoft Office eps filters memory corruption attempt (file-office.rules)
 * 1:14649 <-> ENABLED <-> OS-WINDOWS SMB Search Search filename size integer underflow attempt (os-windows.rules)
 * 1:14725 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP mqqm QMGetRemoteQueueName overflow attempt (os-windows.rules)
 * 1:3114 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP llsrpc LlsrConnect overflow attempt (os-windows.rules)
 * 1:14654 <-> DISABLED <-> OS-WINDOWS SMB Search unicode andx Search filename size integer underflow attempt (os-windows.rules)
 * 1:14710 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP spoolss EnumJobs attempt (os-windows.rules)
 * 1:14782 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrpPathCanonicalize path canonicalization stack overflow attempt (os-windows.rules)
 * 1:3144 <-> DISABLED <-> OS-WINDOWS SMB Trans2 FIND_FIRST2 response andx overflow attempt (os-windows.rules)
 * 1:3145 <-> DISABLED <-> OS-WINDOWS SMB-DS Trans2 FIND_FIRST2 response overflow attempt (os-windows.rules)
 * 1:3146 <-> DISABLED <-> OS-WINDOWS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt (os-windows.rules)
 * 1:3218 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP winreg OpenKey overflow attempt (os-windows.rules)
 * 1:3158 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator CoGetInstanceFromFile attempt (os-windows.rules)
 * 1:3238 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP irot IrotIsRunning/Revoke overflow attempt (os-windows.rules)
 * 1:3397 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3409 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (os-windows.rules)
 * 1:3967 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_QueryResConfList attempt (os-windows.rules)
 * 1:3590 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP mqqm QMDeleteObject overflow attempt (os-windows.rules)
 * 1:4072 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_DetectResourceConflict attempt (os-windows.rules)
 * 1:4245 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP msdtc BuildContextW overflow attempt (os-windows.rules)
 * 1:4334 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList attempt (os-windows.rules)
 * 1:4413 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP spoolss AddPrinterEx overflow attempt (os-windows.rules)
 * 1:4358 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceListSize attempt (os-windows.rules)
 * 1:4608 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP netware_cs function 43 overflow attempt (os-windows.rules)
 * 1:4754 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP locator nsi_binding_lookup_begin overflow attempt (os-windows.rules)
 * 1:4826 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetRootDeviceInstance attempt (os-windows.rules)
 * 1:4918 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList dos attempt (os-windows.rules)
 * 1:5095 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP lsass DsRolerGetPrimaryDomainInformation attempt (os-windows.rules)
 * 1:5485 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP llsrpc2 LlsrLicenseRequestW overflow attempt (os-windows.rules)
 * 1:5716 <-> DISABLED <-> OS-WINDOWS SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5717 <-> DISABLED <-> OS-WINDOWS SMB-DS Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5718 <-> DISABLED <-> OS-WINDOWS SMB-DS Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5721 <-> DISABLED <-> OS-WINDOWS SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5722 <-> DISABLED <-> OS-WINDOWS SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5724 <-> DISABLED <-> OS-WINDOWS SMB-DS Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5723 <-> DISABLED <-> OS-WINDOWS SMB-DS Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5727 <-> DISABLED <-> OS-WINDOWS SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:15860 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrGetJoinInformation attempt (os-windows.rules)
 * 1:15199 <-> DISABLED <-> OS-WINDOWS SMB NT Trans NT CREATE param_count underflow attempt (os-windows.rules)
 * 1:15213 <-> DISABLED <-> OS-WINDOWS SMB Trans2 OPEN2 unicode max_param_count underflow attempt (os-windows.rules)
 * 1:15205 <-> DISABLED <-> OS-WINDOWS SMB NT Trans NT CREATE unicode max_param_count underflow attempt (os-windows.rules)
 * 1:15134 <-> DISABLED <-> OS-WINDOWS SMB sp_replwritetovarbin vulnerable function unicode attempt (os-windows.rules)
 * 1:15214 <-> DISABLED <-> OS-WINDOWS SMB Trans2 OPEN2 max_param_count underflow attempt (os-windows.rules)
 * 1:15132 <-> DISABLED <-> OS-WINDOWS SMB sp_replwritetovarbin vulnerable function attempt (os-windows.rules)
 * 1:15203 <-> DISABLED <-> OS-WINDOWS SMB NT Trans NT CREATE andx param_count underflow attempt (os-windows.rules)
 * 1:15217 <-> DISABLED <-> OS-WINDOWS SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt (os-windows.rules)
 * 1:15210 <-> DISABLED <-> OS-WINDOWS SMB NT Trans NT CREATE andx max_param_count underflow attempt (os-windows.rules)
 * 1:15196 <-> DISABLED <-> OS-WINDOWS SMB NT Trans NT CREATE unicode param_count underflow attempt (os-windows.rules)
 * 1:15129 <-> DISABLED <-> OS-WINDOWS SMB sp_replwritetovarbin vulnerable function WriteAndX unicode andx attempt (os-windows.rules)
 * 1:15220 <-> DISABLED <-> OS-WINDOWS SMB Trans2 OPEN2 unicode param_count underflow attempt (os-windows.rules)
 * 1:15206 <-> DISABLED <-> OS-WINDOWS SMB NT Trans NT CREATE max_param_count underflow attempt (os-windows.rules)
 * 1:15218 <-> DISABLED <-> OS-WINDOWS SMB Trans2 OPEN2 andx max_param_count underflow attempt (os-windows.rules)
 * 1:15131 <-> DISABLED <-> OS-WINDOWS SMB sp_replwritetovarbin vulnerable function andx attempt (os-windows.rules)
 * 1:15133 <-> DISABLED <-> OS-WINDOWS SMB sp_replwritetovarbin vulnerable function unicode andx attempt (os-windows.rules)
 * 1:15209 <-> DISABLED <-> OS-WINDOWS SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt (os-windows.rules)
 * 1:15200 <-> DISABLED <-> OS-WINDOWS SMB NT Trans NT CREATE unicode andx param_count underflow attempt (os-windows.rules)
 * 1:15130 <-> DISABLED <-> OS-WINDOWS SMB sp_replwritetovarbin vulnerable function WriteAndX unicode attempt (os-windows.rules)
 * 1:15128 <-> DISABLED <-> OS-WINDOWS SMB sp_replwritetovarbin vulnerable function WriteAndX attempt (os-windows.rules)
 * 1:15225 <-> DISABLED <-> OS-WINDOWS SMB Trans2 OPEN2 andx param_count underflow attempt (os-windows.rules)
 * 1:15127 <-> DISABLED <-> OS-WINDOWS SMB sp_replwritetovarbin vulnerable function WriteAndX andx attempt (os-windows.rules)
 * 1:15221 <-> DISABLED <-> OS-WINDOWS SMB Trans2 OPEN2 param_count underflow attempt (os-windows.rules)
 * 1:15015 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP wkssvc NetrUseAdd/NetrUseGetInfo/NetrUseDel overflow attempt (os-windows.rules)
 * 1:15512 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP rpcss2_RemoteGetClassObject attempt (os-windows.rules)
 * 1:15224 <-> DISABLED <-> OS-WINDOWS SMB Trans2 OPEN2 unicode andx param_count underflow attempt (os-windows.rules)