Talos Rules 2016-03-22
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-image, file-java, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, malware-other, protocol-dns, protocol-rpc and server-other rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-03-22 14:19:34 UTC

Snort Subscriber Rules Update

Date: 2016-03-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38281 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
 * 1:38280 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
 * 1:38272 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
 * 1:38287 <-> ENABLED <-> SERVER-OTHER Reprise License Server akey command buffer overflow attempt (server-other.rules)
 * 1:38288 <-> ENABLED <-> SERVER-OTHER Reprise License Server licfile command buffer overflow attempt (server-other.rules)
 * 1:38275 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit redirection attempt (exploit-kit.rules)
 * 1:38279 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
 * 1:38276 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules)
 * 1:38273 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
 * 1:38282 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
 * 1:38286 <-> ENABLED <-> SERVER-OTHER Reprise License Server actserver command buffer overflow attempt (server-other.rules)
 * 1:38283 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
 * 1:38278 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules)
 * 1:38277 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules)
 * 1:38284 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
 * 1:38274 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
 * 3:38285 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Flash exploit file download attempt (exploit-kit.rules)

Modified Rules:


 * 1:27041 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp (exploit-kit.rules)
 * 1:27040 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection jorg (exploit-kit.rules)
 * 1:26947 <-> ENABLED <-> EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download (exploit-kit.rules)
 * 1:26948 <-> ENABLED <-> EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download (exploit-kit.rules)
 * 1:26900 <-> ENABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt (browser-plugins.rules)
 * 1:26901 <-> DISABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt (browser-plugins.rules)
 * 1:26898 <-> ENABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt (browser-plugins.rules)
 * 1:26899 <-> ENABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt (browser-plugins.rules)
 * 1:26865 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt (file-image.rules)
 * 1:26807 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:26834 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri (exploit-kit.rules)
 * 1:26805 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit encrypted binary download (exploit-kit.rules)
 * 1:26806 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit short JNLP request (exploit-kit.rules)
 * 1:26666 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ANIMATECOLOR SMIL access attempt (browser-ie.rules)
 * 1:26668 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26638 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt (browser-ie.rules)
 * 1:26653 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:26634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:26635 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:26617 <-> ENABLED <-> EXPLOIT-KIT iFramer injection - specific structure (exploit-kit.rules)
 * 1:26571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26552 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26569 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26551 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26550 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26541 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit successful redirection - jnlp bypass (exploit-kit.rules)
 * 1:26549 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26539 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit pdf download detection (exploit-kit.rules)
 * 1:26540 <-> ENABLED <-> EXPLOIT-KIT iFramer injection - specific structure (exploit-kit.rules)
 * 1:26537 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit jar download detection (exploit-kit.rules)
 * 1:26538 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit landing page received (exploit-kit.rules)
 * 1:26511 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit redirection structure (exploit-kit.rules)
 * 1:26526 <-> ENABLED <-> EXPLOIT-KIT Portable Executable downloaded with bad DOS stub (exploit-kit.rules)
 * 1:26500 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26509 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit java payload detection (exploit-kit.rules)
 * 1:26487 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26499 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26485 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26486 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26390 <-> DISABLED <-> SERVER-OTHER BigAnt Document Service DUPF command arbitrary file upload attempt (server-other.rules)
 * 1:26484 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26384 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:26389 <-> DISABLED <-> SERVER-OTHER BigAnt Document Service DUPF command arbitrary file upload attempt (server-other.rules)
 * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules)
 * 1:26383 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:26350 <-> ENABLED <-> EXPLOIT-KIT TDS redirection - may lead to exploit kit (exploit-kit.rules)
 * 1:26351 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page redirection (exploit-kit.rules)
 * 1:26348 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit delivery (exploit-kit.rules)
 * 1:26349 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit obfuscated portable executable (exploit-kit.rules)
 * 1:26345 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:26346 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit payload requested (exploit-kit.rules)
 * 1:26297 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit redirection page (exploit-kit.rules)
 * 1:26344 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page redirection (exploit-kit.rules)
 * 1:26294 <-> ENABLED <-> FILE-OTHER Watering Hole Campaign applet download (file-other.rules)
 * 1:26296 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
 * 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:26252 <-> ENABLED <-> EXPLOIT-KIT Impact exploit kit landing page (exploit-kit.rules)
 * 1:26233 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
 * 1:26232 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
 * 1:26185 <-> ENABLED <-> FILE-JAVA Oracle Java Gmbal package sandbox breach attempt (file-java.rules)
 * 1:26186 <-> ENABLED <-> FILE-JAVA Oracle Java Gmbal package sandbox breach attempt (file-java.rules)
 * 1:26100 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection page (exploit-kit.rules)
 * 1:26125 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules)
 * 1:26096 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
 * 1:26099 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection page (exploit-kit.rules)
 * 1:26094 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
 * 1:26095 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
 * 1:26039 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Java exploit download (exploit-kit.rules)
 * 1:26090 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
 * 1:26033 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit iframe redirection attempt (exploit-kit.rules)
 * 1:26038 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Java exploit download (exploit-kit.rules)
 * 1:26030 <-> ENABLED <-> FILE-OTHER Known malicious jar archive download attempt (file-other.rules)
 * 1:26031 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page (exploit-kit.rules)
 * 1:26013 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit redirection page received (exploit-kit.rules)
 * 1:26025 <-> ENABLED <-> INDICATOR-COMPROMISE Java user-agent request to svchost.jpg (indicator-compromise.rules)
 * 1:25988 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:25989 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:25833 <-> ENABLED <-> FILE-JAVA Oracle Java malicious class download attempt (file-java.rules)
 * 1:25834 <-> ENABLED <-> FILE-JAVA Oracle Java JMX class arbitrary code execution attempt (file-java.rules)
 * 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25831 <-> ENABLED <-> FILE-JAVA Oracle Java JMX class arbitrary code execution attempt (file-java.rules)
 * 1:25806 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit landing page (exploit-kit.rules)
 * 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25775 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:25805 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit Java exploit retrieval (exploit-kit.rules)
 * 1:25590 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:25591 <-> DISABLED <-> EXPLOIT-KIT Blackhole exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:25584 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25585 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25581 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25583 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (exploit-kit.rules)
 * 1:25538 <-> ENABLED <-> EXPLOIT-KIT Red Dot landing page (exploit-kit.rules)
 * 1:25473 <-> ENABLED <-> FILE-JAVA Oracle Java JMX class arbitrary code execution attempt (file-java.rules)
 * 1:25301 <-> ENABLED <-> EXPLOIT-KIT redirect to malicious java archive attempt (exploit-kit.rules)
 * 1:25302 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit malicious jar archive download (exploit-kit.rules)
 * 1:25235 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25255 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit redirection attempt (exploit-kit.rules)
 * 1:25140 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit portable executable download request (exploit-kit.rules)
 * 1:25234 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25138 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit pdf outbound connection (exploit-kit.rules)
 * 1:25139 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit eot outbound connection (exploit-kit.rules)
 * 1:25134 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25136 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection (exploit-kit.rules)
 * 1:25132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25133 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25130 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25131 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25128 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25129 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25126 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25127 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25042 <-> ENABLED <-> EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (exploit-kit.rules)
 * 1:25125 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:24865 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page in an email (exploit-kit.rules)
 * 1:24993 <-> DISABLED <-> FILE-JAVA Oracle Java Applet remote code execution attempt (file-java.rules)
 * 1:24863 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page in an email (exploit-kit.rules)
 * 1:24864 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure (exploit-kit.rules)
 * 1:24861 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page in an email (exploit-kit.rules)
 * 1:24862 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure (exploit-kit.rules)
 * 1:24841 <-> ENABLED <-> EXPLOIT-KIT Sibhost exploit kit outbound JAR download attempt (exploit-kit.rules)
 * 1:24860 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure (exploit-kit.rules)
 * 1:24150 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TrueType font corrupt header attempt (file-pdf.rules)
 * 1:24151 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TrueType font corrupt header attempt (file-pdf.rules)
 * 1:23365 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM NFS v3 xdrdecodeString heap buffer overflow attempt (server-other.rules)
 * 1:23366 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM NFS v2 xdrdecodeString heap buffer overflow attempt (server-other.rules)
 * 1:23363 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM xdrdecodeString heap buffer overflow attempt (server-other.rules)
 * 1:23364 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM v2 xdrdecodeString heap buffer overflow attempt (server-other.rules)
 * 1:23224 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Requested - 8Digit.html (exploit-kit.rules)
 * 1:23225 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Received - applet and flowbit (exploit-kit.rules)
 * 1:23222 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Received - applet and 5 digit jar attempt (exploit-kit.rules)
 * 1:23223 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Received - applet and code (exploit-kit.rules)
 * 1:23220 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit Java Exploit Requested - 5 digit jar (exploit-kit.rules)
 * 1:23221 <-> DISABLED <-> EXPLOIT-KIT Redkit Jar File Naming Algorithm (exploit-kit.rules)
 * 1:23219 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit Java Exploit request to .class file (exploit-kit.rules)
 * 1:27067 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:38227 <-> DISABLED <-> FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt (file-flash.rules)
 * 1:17505 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
 * 1:17506 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
 * 1:17507 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
 * 1:21100 <-> DISABLED <-> PROTOCOL-RPC Novell Netware xdr decode string length buffer overflow attempt (protocol-rpc.rules)
 * 1:38000 <-> DISABLED <-> BROWSER-PLUGINS IE MsRdpClient ActiveX attempt (browser-plugins.rules)
 * 1:37963 <-> DISABLED <-> INDICATOR-COMPROMISE malicious file download attempt (indicator-compromise.rules)
 * 1:37997 <-> DISABLED <-> BROWSER-PLUGINS IE MsRdpClient ActiveX attempt (browser-plugins.rules)
 * 1:36436 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:34139 <-> DISABLED <-> SERVER-OTHER Novell ZenWorks configuration management file upload directory traversal attempt (server-other.rules)
 * 1:33568 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word border use-after-free attempt (file-office.rules)
 * 1:33567 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word border use-after-free attempt (file-office.rules)
 * 1:31441 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed chart arbitrary code execution attempt (file-office.rules)
 * 1:31438 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
 * 1:31044 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime ActiveX Control use after free (browser-plugins.rules)
 * 1:31043 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime ActiveX Control use after free (browser-plugins.rules)
 * 1:29802 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:29803 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:29602 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt (browser-ie.rules)
 * 1:29505 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
 * 1:29504 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
 * 1:29452 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
 * 1:29453 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit eot outbound connection (exploit-kit.rules)
 * 1:29450 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:29449 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
 * 1:29448 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
 * 1:29445 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit fonts download page (exploit-kit.rules)
 * 1:28911 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit initial outbound request - generic detection (exploit-kit.rules)
 * 1:28855 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:27062 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:28854 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:27083 <-> ENABLED <-> EXPLOIT-KIT Nailed exploit kit jmxbean remote code execution exploit download - autopwn (exploit-kit.rules)
 * 1:28794 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SerAuxTrend biff record corruption attempt (file-office.rules)
 * 1:27140 <-> DISABLED <-> EXPLOIT-KIT Private exploit kit numerically named exe file dowload (exploit-kit.rules)
 * 1:27142 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit landing page (exploit-kit.rules)
 * 1:27143 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit landing page (exploit-kit.rules)
 * 1:27144 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit outbound traffic (exploit-kit.rules)
 * 1:27148 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:27149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:28478 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
 * 1:27702 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit landing page (exploit-kit.rules)
 * 1:27706 <-> DISABLED <-> EXPLOIT-KIT Gong Da exploit kit possible jar download (exploit-kit.rules)
 * 1:27814 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
 * 1:27815 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit malicious redirection attempt (exploit-kit.rules)
 * 1:28439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bspire variant connection (malware-cnc.rules)
 * 1:27141 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit landing page (exploit-kit.rules)
 * 1:28477 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit outbound pdf request (exploit-kit.rules)
 * 1:28475 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request - generic detection (exploit-kit.rules)
 * 1:27042 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection jovf (exploit-kit.rules)
 * 1:28424 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request (exploit-kit.rules)
 * 1:28307 <-> ENABLED <-> EXPLOIT-KIT Himan exploit kit landing page (exploit-kit.rules)
 * 1:27061 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)

2016-03-22 14:19:34 UTC

Snort Subscriber Rules Update

Date: 2016-03-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38288 <-> ENABLED <-> SERVER-OTHER Reprise License Server licfile command buffer overflow attempt (server-other.rules)
 * 1:38287 <-> ENABLED <-> SERVER-OTHER Reprise License Server akey command buffer overflow attempt (server-other.rules)
 * 1:38286 <-> ENABLED <-> SERVER-OTHER Reprise License Server actserver command buffer overflow attempt (server-other.rules)
 * 1:38284 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
 * 1:38283 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
 * 1:38282 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
 * 1:38281 <-> DISABLED <-> PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt (protocol-dns.rules)
 * 1:38280 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
 * 1:38279 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
 * 1:38278 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules)
 * 1:38277 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules)
 * 1:38276 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules)
 * 1:38275 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit redirection attempt (exploit-kit.rules)
 * 1:38274 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
 * 1:38273 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
 * 1:38272 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
 * 3:38285 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Flash exploit file download attempt (exploit-kit.rules)

Modified Rules:


 * 1:23366 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM NFS v2 xdrdecodeString heap buffer overflow attempt (server-other.rules)
 * 1:23365 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM NFS v3 xdrdecodeString heap buffer overflow attempt (server-other.rules)
 * 1:23364 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM v2 xdrdecodeString heap buffer overflow attempt (server-other.rules)
 * 1:23363 <-> DISABLED <-> SERVER-OTHER Novell Netware XNFS.NLM xdrdecodeString heap buffer overflow attempt (server-other.rules)
 * 1:23225 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Received - applet and flowbit (exploit-kit.rules)
 * 1:23224 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Requested - 8Digit.html (exploit-kit.rules)
 * 1:23223 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Received - applet and code (exploit-kit.rules)
 * 1:23222 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page Received - applet and 5 digit jar attempt (exploit-kit.rules)
 * 1:23221 <-> DISABLED <-> EXPLOIT-KIT Redkit Jar File Naming Algorithm (exploit-kit.rules)
 * 1:23220 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit Java Exploit Requested - 5 digit jar (exploit-kit.rules)
 * 1:23219 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit Java Exploit request to .class file (exploit-kit.rules)
 * 1:21100 <-> DISABLED <-> PROTOCOL-RPC Novell Netware xdr decode string length buffer overflow attempt (protocol-rpc.rules)
 * 1:17507 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
 * 1:17506 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
 * 1:17505 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word formatted disk pages table memory corruption attempt (file-office.rules)
 * 1:38227 <-> DISABLED <-> FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt (file-flash.rules)
 * 1:38000 <-> DISABLED <-> BROWSER-PLUGINS IE MsRdpClient ActiveX attempt (browser-plugins.rules)
 * 1:37997 <-> DISABLED <-> BROWSER-PLUGINS IE MsRdpClient ActiveX attempt (browser-plugins.rules)
 * 1:37963 <-> DISABLED <-> INDICATOR-COMPROMISE malicious file download attempt (indicator-compromise.rules)
 * 1:36436 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:34139 <-> DISABLED <-> SERVER-OTHER Novell ZenWorks configuration management file upload directory traversal attempt (server-other.rules)
 * 1:33568 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word border use-after-free attempt (file-office.rules)
 * 1:33567 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word border use-after-free attempt (file-office.rules)
 * 1:31441 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed chart arbitrary code execution attempt (file-office.rules)
 * 1:31438 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
 * 1:31044 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime ActiveX Control use after free (browser-plugins.rules)
 * 1:31043 <-> DISABLED <-> BROWSER-PLUGINS Apple Quicktime ActiveX Control use after free (browser-plugins.rules)
 * 1:29803 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:29802 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:29602 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt (browser-ie.rules)
 * 1:29505 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules)
 * 1:29504 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
 * 1:29453 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit eot outbound connection (exploit-kit.rules)
 * 1:29452 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
 * 1:29450 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:29449 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
 * 1:29448 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
 * 1:29445 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit fonts download page (exploit-kit.rules)
 * 1:28911 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit initial outbound request - generic detection (exploit-kit.rules)
 * 1:28855 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:28854 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:28794 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SerAuxTrend biff record corruption attempt (file-office.rules)
 * 1:28478 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
 * 1:28477 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit outbound pdf request (exploit-kit.rules)
 * 1:28475 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request - generic detection (exploit-kit.rules)
 * 1:28439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bspire variant connection (malware-cnc.rules)
 * 1:28424 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request (exploit-kit.rules)
 * 1:28307 <-> ENABLED <-> EXPLOIT-KIT Himan exploit kit landing page (exploit-kit.rules)
 * 1:27815 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit malicious redirection attempt (exploit-kit.rules)
 * 1:27814 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
 * 1:27706 <-> DISABLED <-> EXPLOIT-KIT Gong Da exploit kit possible jar download (exploit-kit.rules)
 * 1:27702 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit landing page (exploit-kit.rules)
 * 1:27149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:27148 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:27144 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit outbound traffic (exploit-kit.rules)
 * 1:27143 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit landing page (exploit-kit.rules)
 * 1:27142 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit landing page (exploit-kit.rules)
 * 1:27141 <-> ENABLED <-> EXPLOIT-KIT Private exploit kit landing page (exploit-kit.rules)
 * 1:27140 <-> DISABLED <-> EXPLOIT-KIT Private exploit kit numerically named exe file dowload (exploit-kit.rules)
 * 1:27083 <-> ENABLED <-> EXPLOIT-KIT Nailed exploit kit jmxbean remote code execution exploit download - autopwn (exploit-kit.rules)
 * 1:27067 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:27062 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:27061 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:27042 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection jovf (exploit-kit.rules)
 * 1:27041 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp (exploit-kit.rules)
 * 1:27040 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection jorg (exploit-kit.rules)
 * 1:26948 <-> ENABLED <-> EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download (exploit-kit.rules)
 * 1:26947 <-> ENABLED <-> EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download (exploit-kit.rules)
 * 1:26901 <-> DISABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt (browser-plugins.rules)
 * 1:26900 <-> ENABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt (browser-plugins.rules)
 * 1:26899 <-> ENABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt (browser-plugins.rules)
 * 1:26898 <-> ENABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt (browser-plugins.rules)
 * 1:26865 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt (file-image.rules)
 * 1:26834 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri (exploit-kit.rules)
 * 1:26807 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:26806 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit short JNLP request (exploit-kit.rules)
 * 1:26805 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit encrypted binary download (exploit-kit.rules)
 * 1:26668 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26666 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ANIMATECOLOR SMIL access attempt (browser-ie.rules)
 * 1:26653 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:26638 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt (browser-ie.rules)
 * 1:26635 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:26634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:26617 <-> ENABLED <-> EXPLOIT-KIT iFramer injection - specific structure (exploit-kit.rules)
 * 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26569 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26552 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26551 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26550 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26549 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26541 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit successful redirection - jnlp bypass (exploit-kit.rules)
 * 1:26540 <-> ENABLED <-> EXPLOIT-KIT iFramer injection - specific structure (exploit-kit.rules)
 * 1:26539 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit pdf download detection (exploit-kit.rules)
 * 1:26538 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit landing page received (exploit-kit.rules)
 * 1:26537 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit jar download detection (exploit-kit.rules)
 * 1:26526 <-> ENABLED <-> EXPLOIT-KIT Portable Executable downloaded with bad DOS stub (exploit-kit.rules)
 * 1:26511 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit redirection structure (exploit-kit.rules)
 * 1:26509 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit java payload detection (exploit-kit.rules)
 * 1:26500 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26499 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26487 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26486 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26485 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26484 <-> DISABLED <-> FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt (file-java.rules)
 * 1:26390 <-> DISABLED <-> SERVER-OTHER BigAnt Document Service DUPF command arbitrary file upload attempt (server-other.rules)
 * 1:26389 <-> DISABLED <-> SERVER-OTHER BigAnt Document Service DUPF command arbitrary file upload attempt (server-other.rules)
 * 1:26384 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:26383 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules)
 * 1:26351 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page redirection (exploit-kit.rules)
 * 1:26350 <-> ENABLED <-> EXPLOIT-KIT TDS redirection - may lead to exploit kit (exploit-kit.rules)
 * 1:26349 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit obfuscated portable executable (exploit-kit.rules)
 * 1:26348 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit delivery (exploit-kit.rules)
 * 1:26346 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit payload requested (exploit-kit.rules)
 * 1:26345 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:26344 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page redirection (exploit-kit.rules)
 * 1:26297 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit redirection page (exploit-kit.rules)
 * 1:26296 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
 * 1:26294 <-> ENABLED <-> FILE-OTHER Watering Hole Campaign applet download (file-other.rules)
 * 1:26252 <-> ENABLED <-> EXPLOIT-KIT Impact exploit kit landing page (exploit-kit.rules)
 * 1:26233 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
 * 1:26232 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
 * 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:26186 <-> ENABLED <-> FILE-JAVA Oracle Java Gmbal package sandbox breach attempt (file-java.rules)
 * 1:26185 <-> ENABLED <-> FILE-JAVA Oracle Java Gmbal package sandbox breach attempt (file-java.rules)
 * 1:26125 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer text transform use after free attempt (browser-ie.rules)
 * 1:26100 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection page (exploit-kit.rules)
 * 1:26099 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection page (exploit-kit.rules)
 * 1:26096 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
 * 1:26095 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
 * 1:26094 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
 * 1:26090 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
 * 1:26039 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Java exploit download (exploit-kit.rules)
 * 1:26038 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Java exploit download (exploit-kit.rules)
 * 1:26033 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit iframe redirection attempt (exploit-kit.rules)
 * 1:26031 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page (exploit-kit.rules)
 * 1:26030 <-> ENABLED <-> FILE-OTHER Known malicious jar archive download attempt (file-other.rules)
 * 1:26025 <-> ENABLED <-> INDICATOR-COMPROMISE Java user-agent request to svchost.jpg (indicator-compromise.rules)
 * 1:26013 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit redirection page received (exploit-kit.rules)
 * 1:25989 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:25988 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:25834 <-> ENABLED <-> FILE-JAVA Oracle Java JMX class arbitrary code execution attempt (file-java.rules)
 * 1:25833 <-> ENABLED <-> FILE-JAVA Oracle Java malicious class download attempt (file-java.rules)
 * 1:25831 <-> ENABLED <-> FILE-JAVA Oracle Java JMX class arbitrary code execution attempt (file-java.rules)
 * 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25806 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit landing page (exploit-kit.rules)
 * 1:25805 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit Java exploit retrieval (exploit-kit.rules)
 * 1:25775 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:25591 <-> DISABLED <-> EXPLOIT-KIT Blackhole exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:25590 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:25585 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25584 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25583 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25581 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (exploit-kit.rules)
 * 1:25538 <-> ENABLED <-> EXPLOIT-KIT Red Dot landing page (exploit-kit.rules)
 * 1:25473 <-> ENABLED <-> FILE-JAVA Oracle Java JMX class arbitrary code execution attempt (file-java.rules)
 * 1:25302 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit malicious jar archive download (exploit-kit.rules)
 * 1:25301 <-> ENABLED <-> EXPLOIT-KIT redirect to malicious java archive attempt (exploit-kit.rules)
 * 1:25255 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit redirection attempt (exploit-kit.rules)
 * 1:25235 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25234 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25140 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit portable executable download request (exploit-kit.rules)
 * 1:25139 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit eot outbound connection (exploit-kit.rules)
 * 1:25138 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit pdf outbound connection (exploit-kit.rules)
 * 1:25136 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection (exploit-kit.rules)
 * 1:25134 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25133 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25131 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25130 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25129 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25128 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25127 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25126 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25125 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25042 <-> ENABLED <-> EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (exploit-kit.rules)
 * 1:24993 <-> DISABLED <-> FILE-JAVA Oracle Java Applet remote code execution attempt (file-java.rules)
 * 1:24865 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page in an email (exploit-kit.rules)
 * 1:24864 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure (exploit-kit.rules)
 * 1:24863 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page in an email (exploit-kit.rules)
 * 1:24862 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure (exploit-kit.rules)
 * 1:24861 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page in an email (exploit-kit.rules)
 * 1:24860 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure (exploit-kit.rules)
 * 1:24841 <-> ENABLED <-> EXPLOIT-KIT Sibhost exploit kit outbound JAR download attempt (exploit-kit.rules)
 * 1:24151 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TrueType font corrupt header attempt (file-pdf.rules)
 * 1:24150 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TrueType font corrupt header attempt (file-pdf.rules)