Talos Rules 2019-05-23
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-webkit, content-replace, indicator-scan, malware-cnc, os-windows, protocol-services and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2019-05-29 18:11:26 UTC

Snort Subscriber Rules Update

Date: 2019-05-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50171 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:50181 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt (browser-ie.rules)
 * 1:50165 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound ICMP connection (malware-cnc.rules)
 * 1:50182 <-> DISABLED <-> INDICATOR-SCAN PHP backdoor scan attempt (indicator-scan.rules)
 * 1:50166 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
 * 1:50160 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
 * 1:50170 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
 * 1:50177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50168 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
 * 1:50178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50167 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
 * 1:50164 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound connection (malware-cnc.rules)
 * 1:50175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:50169 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
 * 1:50154 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
 * 1:50155 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
 * 1:50158 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
 * 1:50159 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
 * 1:50156 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
 * 1:50157 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
 * 1:50161 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
 * 1:50174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:50173 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
 * 1:50172 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
 * 1:50180 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50163 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50162 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50176 <-> DISABLED <-> SERVER-OTHER Horos DICOM Medical Image Viewer stack overflow attempt (server-other.rules)

Modified Rules:


 * 1:18469 <-> DISABLED <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (content-replace.rules)
 * 1:15570 <-> DISABLED <-> CONTENT-REPLACE Google Talk deny login (content-replace.rules)
 * 1:50065 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
 * 1:12032 <-> DISABLED <-> CONTENT-REPLACE MSN deny out-bound file transfer attempts (content-replace.rules)
 * 1:12031 <-> DISABLED <-> CONTENT-REPLACE MSN deny in-bound file transfer attempts (content-replace.rules)
 * 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (server-webapp.rules)
 * 1:610 <-> DISABLED <-> PROTOCOL-SERVICES rsh root (protocol-services.rules)
 * 1:12035 <-> DISABLED <-> CONTENT-REPLACE IRC deny in-bound file transfer attempts (content-replace.rules)
 * 1:15441 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
 * 1:50066 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
 * 1:12042 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts (content-replace.rules)
 * 1:12036 <-> DISABLED <-> CONTENT-REPLACE IRC deny out-bound file transfer attempts (content-replace.rules)
 * 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
 * 1:12037 <-> DISABLED <-> CONTENT-REPLACE AIM deny in-bound file transfer attempts (content-replace.rules)
 * 1:12038 <-> DISABLED <-> CONTENT-REPLACE AIM deny out-bound file transfer attempts (content-replace.rules)
 * 1:12041 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts (content-replace.rules)
 * 1:12039 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts (content-replace.rules)
 * 1:12040 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts (content-replace.rules)
 * 1:15417 <-> DISABLED <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (content-replace.rules)
 * 1:15420 <-> DISABLED <-> CONTENT-REPLACE MSN deny login (content-replace.rules)
 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
 * 1:15439 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
 * 1:15440 <-> DISABLED <-> CONTENT-REPLACE QQ 2008 deny udp login (content-replace.rules)
 * 1:15438 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny udp login (content-replace.rules)
 * 1:15429 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny outbound login attempt (content-replace.rules)
 * 1:12034 <-> DISABLED <-> CONTENT-REPLACE Jabber deny out-bound file transfer attempts (content-replace.rules)
 * 1:12033 <-> DISABLED <-> CONTENT-REPLACE Jabber deny in-bound file transfer attempts (content-replace.rules)

2019-05-29 18:11:26 UTC

Snort Subscriber Rules Update

Date: 2019-05-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50176 <-> DISABLED <-> SERVER-OTHER Horos DICOM Medical Image Viewer stack overflow attempt (server-other.rules)
 * 1:50181 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt (browser-ie.rules)
 * 1:50175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:50182 <-> DISABLED <-> INDICATOR-SCAN PHP backdoor scan attempt (indicator-scan.rules)
 * 1:50165 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound ICMP connection (malware-cnc.rules)
 * 1:50166 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
 * 1:50160 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
 * 1:50180 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50167 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
 * 1:50164 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound connection (malware-cnc.rules)
 * 1:50170 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
 * 1:50179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50169 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
 * 1:50171 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:50168 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
 * 1:50173 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
 * 1:50172 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
 * 1:50163 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50154 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
 * 1:50155 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
 * 1:50158 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
 * 1:50159 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
 * 1:50156 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
 * 1:50157 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
 * 1:50161 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
 * 1:50174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:50162 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:15570 <-> DISABLED <-> CONTENT-REPLACE Google Talk deny login (content-replace.rules)
 * 1:50066 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
 * 1:15441 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
 * 1:18469 <-> DISABLED <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (content-replace.rules)
 * 1:12031 <-> DISABLED <-> CONTENT-REPLACE MSN deny in-bound file transfer attempts (content-replace.rules)
 * 1:12033 <-> DISABLED <-> CONTENT-REPLACE Jabber deny in-bound file transfer attempts (content-replace.rules)
 * 1:12034 <-> DISABLED <-> CONTENT-REPLACE Jabber deny out-bound file transfer attempts (content-replace.rules)
 * 1:610 <-> DISABLED <-> PROTOCOL-SERVICES rsh root (protocol-services.rules)
 * 1:12040 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts (content-replace.rules)
 * 1:12039 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts (content-replace.rules)
 * 1:12032 <-> DISABLED <-> CONTENT-REPLACE MSN deny out-bound file transfer attempts (content-replace.rules)
 * 1:12042 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts (content-replace.rules)
 * 1:12036 <-> DISABLED <-> CONTENT-REPLACE IRC deny out-bound file transfer attempts (content-replace.rules)
 * 1:50065 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
 * 1:12035 <-> DISABLED <-> CONTENT-REPLACE IRC deny in-bound file transfer attempts (content-replace.rules)
 * 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (server-webapp.rules)
 * 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
 * 1:15417 <-> DISABLED <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (content-replace.rules)
 * 1:12037 <-> DISABLED <-> CONTENT-REPLACE AIM deny in-bound file transfer attempts (content-replace.rules)
 * 1:12038 <-> DISABLED <-> CONTENT-REPLACE AIM deny out-bound file transfer attempts (content-replace.rules)
 * 1:12041 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts (content-replace.rules)
 * 1:15420 <-> DISABLED <-> CONTENT-REPLACE MSN deny login (content-replace.rules)
 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
 * 1:15439 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
 * 1:15440 <-> DISABLED <-> CONTENT-REPLACE QQ 2008 deny udp login (content-replace.rules)
 * 1:15438 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny udp login (content-replace.rules)
 * 1:15429 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny outbound login attempt (content-replace.rules)

2019-05-29 18:11:26 UTC

Snort Subscriber Rules Update

Date: 2019-05-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (snort3-os-windows.rules)
 * 1:50176 <-> DISABLED <-> SERVER-OTHER Horos DICOM Medical Image Viewer stack overflow attempt (snort3-server-other.rules)
 * 1:50181 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt (snort3-browser-ie.rules)
 * 1:50179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:50182 <-> DISABLED <-> INDICATOR-SCAN PHP backdoor scan attempt (snort3-indicator-scan.rules)
 * 1:50169 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (snort3-server-webapp.rules)
 * 1:50172 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (snort3-server-webapp.rules)
 * 1:50171 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Backdoor inbound connection attempt (snort3-malware-cnc.rules)
 * 1:50154 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (snort3-malware-cnc.rules)
 * 1:50155 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (snort3-malware-cnc.rules)
 * 1:50168 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (snort3-server-webapp.rules)
 * 1:50158 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (snort3-malware-cnc.rules)
 * 1:50163 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (snort3-os-windows.rules)
 * 1:50165 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound ICMP connection (snort3-malware-cnc.rules)
 * 1:50166 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:50178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:50159 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (snort3-malware-cnc.rules)
 * 1:50156 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (snort3-malware-cnc.rules)
 * 1:50157 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (snort3-malware-cnc.rules)
 * 1:50161 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (snort3-browser-webkit.rules)
 * 1:50160 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (snort3-browser-webkit.rules)
 * 1:50180 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:50174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (snort3-os-windows.rules)
 * 1:50167 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:50164 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound connection (snort3-malware-cnc.rules)
 * 1:50173 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (snort3-server-webapp.rules)
 * 1:50177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:50170 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (snort3-server-webapp.rules)
 * 1:50162 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:15570 <-> DISABLED <-> CONTENT-REPLACE Google Talk deny login (snort3-content-replace.rules)
 * 1:18469 <-> DISABLED <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (snort3-content-replace.rules)
 * 1:12032 <-> DISABLED <-> CONTENT-REPLACE MSN deny out-bound file transfer attempts (snort3-content-replace.rules)
 * 1:12031 <-> DISABLED <-> CONTENT-REPLACE MSN deny in-bound file transfer attempts (snort3-content-replace.rules)
 * 1:15440 <-> DISABLED <-> CONTENT-REPLACE QQ 2008 deny udp login (snort3-content-replace.rules)
 * 1:15439 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (snort3-content-replace.rules)
 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (snort3-content-replace.rules)
 * 1:15420 <-> DISABLED <-> CONTENT-REPLACE MSN deny login (snort3-content-replace.rules)
 * 1:15417 <-> DISABLED <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (snort3-content-replace.rules)
 * 1:12037 <-> DISABLED <-> CONTENT-REPLACE AIM deny in-bound file transfer attempts (snort3-content-replace.rules)
 * 1:12038 <-> DISABLED <-> CONTENT-REPLACE AIM deny out-bound file transfer attempts (snort3-content-replace.rules)
 * 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (snort3-content-replace.rules)
 * 1:12041 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts (snort3-content-replace.rules)
 * 1:12035 <-> DISABLED <-> CONTENT-REPLACE IRC deny in-bound file transfer attempts (snort3-content-replace.rules)
 * 1:50065 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (snort3-malware-cnc.rules)
 * 1:15441 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (snort3-content-replace.rules)
 * 1:50066 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (snort3-malware-cnc.rules)
 * 1:15429 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny outbound login attempt (snort3-content-replace.rules)
 * 1:610 <-> DISABLED <-> PROTOCOL-SERVICES rsh root (snort3-protocol-services.rules)
 * 1:15438 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny udp login (snort3-content-replace.rules)
 * 1:12036 <-> DISABLED <-> CONTENT-REPLACE IRC deny out-bound file transfer attempts (snort3-content-replace.rules)
 * 1:12042 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts (snort3-content-replace.rules)
 * 1:12039 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts (snort3-content-replace.rules)
 * 1:12040 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts (snort3-content-replace.rules)
 * 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (snort3-server-webapp.rules)
 * 1:12033 <-> DISABLED <-> CONTENT-REPLACE Jabber deny in-bound file transfer attempts (snort3-content-replace.rules)
 * 1:12034 <-> DISABLED <-> CONTENT-REPLACE Jabber deny out-bound file transfer attempts (snort3-content-replace.rules)

2019-05-29 18:11:26 UTC

Snort Subscriber Rules Update

Date: 2019-05-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:50176 <-> DISABLED <-> SERVER-OTHER Horos DICOM Medical Image Viewer stack overflow attempt (server-other.rules)
 * 1:50181 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt (browser-ie.rules)
 * 1:50179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50182 <-> DISABLED <-> INDICATOR-SCAN PHP backdoor scan attempt (indicator-scan.rules)
 * 1:50178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50158 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
 * 1:50177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50155 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
 * 1:50154 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
 * 1:50159 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
 * 1:50157 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
 * 1:50169 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
 * 1:50170 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
 * 1:50163 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50164 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound connection (malware-cnc.rules)
 * 1:50165 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound ICMP connection (malware-cnc.rules)
 * 1:50166 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
 * 1:50160 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
 * 1:50162 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50161 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
 * 1:50156 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
 * 1:50171 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:50172 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
 * 1:50173 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
 * 1:50174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:50167 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
 * 1:50168 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
 * 1:50180 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)

Modified Rules:


 * 1:15570 <-> DISABLED <-> CONTENT-REPLACE Google Talk deny login (content-replace.rules)
 * 1:18469 <-> DISABLED <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (content-replace.rules)
 * 1:610 <-> DISABLED <-> PROTOCOL-SERVICES rsh root (protocol-services.rules)
 * 1:12032 <-> DISABLED <-> CONTENT-REPLACE MSN deny out-bound file transfer attempts (content-replace.rules)
 * 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (server-webapp.rules)
 * 1:12031 <-> DISABLED <-> CONTENT-REPLACE MSN deny in-bound file transfer attempts (content-replace.rules)
 * 1:12039 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts (content-replace.rules)
 * 1:12034 <-> DISABLED <-> CONTENT-REPLACE Jabber deny out-bound file transfer attempts (content-replace.rules)
 * 1:12036 <-> DISABLED <-> CONTENT-REPLACE IRC deny out-bound file transfer attempts (content-replace.rules)
 * 1:12035 <-> DISABLED <-> CONTENT-REPLACE IRC deny in-bound file transfer attempts (content-replace.rules)
 * 1:12041 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts (content-replace.rules)
 * 1:12037 <-> DISABLED <-> CONTENT-REPLACE AIM deny in-bound file transfer attempts (content-replace.rules)
 * 1:12038 <-> DISABLED <-> CONTENT-REPLACE AIM deny out-bound file transfer attempts (content-replace.rules)
 * 1:12040 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts (content-replace.rules)
 * 1:12033 <-> DISABLED <-> CONTENT-REPLACE Jabber deny in-bound file transfer attempts (content-replace.rules)
 * 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
 * 1:12042 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts (content-replace.rules)
 * 1:50066 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
 * 1:50065 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
 * 1:15441 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
 * 1:15440 <-> DISABLED <-> CONTENT-REPLACE QQ 2008 deny udp login (content-replace.rules)
 * 1:15429 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny outbound login attempt (content-replace.rules)
 * 1:15438 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny udp login (content-replace.rules)
 * 1:15439 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
 * 1:15420 <-> DISABLED <-> CONTENT-REPLACE MSN deny login (content-replace.rules)
 * 1:15417 <-> DISABLED <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (content-replace.rules)

2019-05-29 18:11:26 UTC

Snort Subscriber Rules Update

Date: 2019-05-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50181 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt (browser-ie.rules)
 * 1:50180 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:50176 <-> DISABLED <-> SERVER-OTHER Horos DICOM Medical Image Viewer stack overflow attempt (server-other.rules)
 * 1:50182 <-> DISABLED <-> INDICATOR-SCAN PHP backdoor scan attempt (indicator-scan.rules)
 * 1:50177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:50172 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
 * 1:50173 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
 * 1:50170 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
 * 1:50171 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:50168 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
 * 1:50169 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
 * 1:50166 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
 * 1:50167 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
 * 1:50164 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound connection (malware-cnc.rules)
 * 1:50165 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound ICMP connection (malware-cnc.rules)
 * 1:50162 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50163 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50160 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
 * 1:50161 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
 * 1:50158 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
 * 1:50159 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
 * 1:50156 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
 * 1:50157 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
 * 1:50155 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
 * 1:50154 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:15570 <-> DISABLED <-> CONTENT-REPLACE Google Talk deny login (content-replace.rules)
 * 1:18469 <-> DISABLED <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (content-replace.rules)
 * 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (server-webapp.rules)
 * 1:610 <-> DISABLED <-> PROTOCOL-SERVICES rsh root (protocol-services.rules)
 * 1:12042 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts (content-replace.rules)
 * 1:15440 <-> DISABLED <-> CONTENT-REPLACE QQ 2008 deny udp login (content-replace.rules)
 * 1:50066 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
 * 1:50065 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
 * 1:15439 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
 * 1:15429 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny outbound login attempt (content-replace.rules)
 * 1:15438 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny udp login (content-replace.rules)
 * 1:15417 <-> DISABLED <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (content-replace.rules)
 * 1:15420 <-> DISABLED <-> CONTENT-REPLACE MSN deny login (content-replace.rules)
 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
 * 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
 * 1:12041 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts (content-replace.rules)
 * 1:12040 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts (content-replace.rules)
 * 1:12037 <-> DISABLED <-> CONTENT-REPLACE AIM deny in-bound file transfer attempts (content-replace.rules)
 * 1:12038 <-> DISABLED <-> CONTENT-REPLACE AIM deny out-bound file transfer attempts (content-replace.rules)
 * 1:12039 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts (content-replace.rules)
 * 1:12036 <-> DISABLED <-> CONTENT-REPLACE IRC deny out-bound file transfer attempts (content-replace.rules)
 * 1:12033 <-> DISABLED <-> CONTENT-REPLACE Jabber deny in-bound file transfer attempts (content-replace.rules)
 * 1:12035 <-> DISABLED <-> CONTENT-REPLACE IRC deny in-bound file transfer attempts (content-replace.rules)
 * 1:12034 <-> DISABLED <-> CONTENT-REPLACE Jabber deny out-bound file transfer attempts (content-replace.rules)
 * 1:12032 <-> DISABLED <-> CONTENT-REPLACE MSN deny out-bound file transfer attempts (content-replace.rules)
 * 1:12031 <-> DISABLED <-> CONTENT-REPLACE MSN deny in-bound file transfer attempts (content-replace.rules)
 * 1:15441 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)

2019-05-29 18:11:26 UTC

Snort Subscriber Rules Update

Date: 2019-05-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50172 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
 * 1:50171 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:50170 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
 * 1:50169 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
 * 1:50168 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
 * 1:50167 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
 * 1:50166 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
 * 1:50165 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound ICMP connection (malware-cnc.rules)
 * 1:50164 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound connection (malware-cnc.rules)
 * 1:50163 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50162 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
 * 1:50161 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
 * 1:50160 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
 * 1:50159 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
 * 1:50158 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
 * 1:50157 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
 * 1:50156 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
 * 1:50155 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
 * 1:50154 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
 * 1:50182 <-> DISABLED <-> INDICATOR-SCAN PHP backdoor scan attempt (indicator-scan.rules)
 * 1:50181 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt (browser-ie.rules)
 * 1:50180 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
 * 1:50176 <-> DISABLED <-> SERVER-OTHER Horos DICOM Medical Image Viewer stack overflow attempt (server-other.rules)
 * 1:50175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:50174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:50173 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:15570 <-> DISABLED <-> CONTENT-REPLACE Google Talk deny login (content-replace.rules)
 * 1:18469 <-> DISABLED <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (content-replace.rules)
 * 1:50066 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
 * 1:50065 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
 * 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (server-webapp.rules)
 * 1:610 <-> DISABLED <-> PROTOCOL-SERVICES rsh root (protocol-services.rules)
 * 1:12037 <-> DISABLED <-> CONTENT-REPLACE AIM deny in-bound file transfer attempts (content-replace.rules)
 * 1:12038 <-> DISABLED <-> CONTENT-REPLACE AIM deny out-bound file transfer attempts (content-replace.rules)
 * 1:12035 <-> DISABLED <-> CONTENT-REPLACE IRC deny in-bound file transfer attempts (content-replace.rules)
 * 1:12036 <-> DISABLED <-> CONTENT-REPLACE IRC deny out-bound file transfer attempts (content-replace.rules)
 * 1:12033 <-> DISABLED <-> CONTENT-REPLACE Jabber deny in-bound file transfer attempts (content-replace.rules)
 * 1:12034 <-> DISABLED <-> CONTENT-REPLACE Jabber deny out-bound file transfer attempts (content-replace.rules)
 * 1:12031 <-> DISABLED <-> CONTENT-REPLACE MSN deny in-bound file transfer attempts (content-replace.rules)
 * 1:12032 <-> DISABLED <-> CONTENT-REPLACE MSN deny out-bound file transfer attempts (content-replace.rules)
 * 1:15441 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
 * 1:15439 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
 * 1:15440 <-> DISABLED <-> CONTENT-REPLACE QQ 2008 deny udp login (content-replace.rules)
 * 1:15429 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny outbound login attempt (content-replace.rules)
 * 1:15438 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny udp login (content-replace.rules)
 * 1:15417 <-> DISABLED <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (content-replace.rules)
 * 1:15420 <-> DISABLED <-> CONTENT-REPLACE MSN deny login (content-replace.rules)
 * 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
 * 1:12041 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts (content-replace.rules)
 * 1:12042 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts (content-replace.rules)
 * 1:12039 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts (content-replace.rules)
 * 1:12040 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts (content-replace.rules)