Talos Rules 2018-02-01
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-webkit, exploit-kit, file-flash, file-java, file-multimedia, file-office, indicator-scan, netbios, os-windows, protocol-dns, protocol-icmp, protocol-nntp, protocol-rpc, protocol-tftp, server-iis, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-02-01 22:34:02 UTC

Snort Subscriber Rules Update

Date: 2018-02-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:45592 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt (server-webapp.rules)

Modified Rules:

 * 1:12064 <-> DISABLED <-> SERVER-IIS w3svc _vti_bin null pointer dereference attempt (server-iis.rules)
 * 1:10485 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 191 attempt (protocol-rpc.rules)
 * 1:10484 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 191 attempt (protocol-rpc.rules)
 * 1:10483 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp request (protocol-rpc.rules)
 * 1:12188 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp rename_principal attempt (protocol-rpc.rules)
 * 1:12186 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp request (protocol-rpc.rules)
 * 1:12185 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 tcp request (protocol-rpc.rules)
 * 1:13223 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (protocol-rpc.rules)
 * 1:12708 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt (protocol-rpc.rules)
 * 1:12595 <-> DISABLED <-> SERVER-IIS malicious ASP file upload attempt (server-iis.rules)
 * 1:13251 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 udp request (protocol-rpc.rules)
 * 1:13250 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 tcp request (protocol-rpc.rules)
 * 1:13257 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 udp procedure 5 attempt (protocol-rpc.rules)
 * 1:13256 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 tcp procedure 5 attempt (protocol-rpc.rules)
 * 1:13253 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 udp procedure 4 attempt (protocol-rpc.rules)
 * 1:13717 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 232 attempt (protocol-rpc.rules)
 * 1:13716 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 232 attempt (protocol-rpc.rules)
 * 1:13805 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 234 attempt (protocol-rpc.rules)
 * 1:18295 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt (browser-webkit.rules)
 * 1:18294 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt (browser-webkit.rules)
 * 1:17696 <-> DISABLED <-> PROTOCOL-DNS Microsoft Windows DNS Server ANY query cache weakness (protocol-dns.rules)
 * 1:17652 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS source code disclosure attempt (server-iis.rules)
 * 1:17495 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS response spoofing attempt (server-other.rules)
 * 1:17440 <-> DISABLED <-> SERVER-IIS RSA authentication agent for web redirect buffer overflow attempt (server-iis.rules)
 * 1:17429 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ASP.NET information disclosure attempt (os-windows.rules)
 * 1:17428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ASP.NET information disclosure attempt (os-windows.rules)
 * 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
 * 1:16086 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 udp xml buffer overflow attempt (protocol-rpc.rules)
 * 1:16085 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 tcp xml buffer overflow attempt (protocol-rpc.rules)
 * 1:16084 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 udp request (protocol-rpc.rules)
 * 1:16082 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 udp XDR SString buffer overflow attempt (protocol-rpc.rules)
 * 1:16081 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 tcp XDR SString buffer overflow attempt (protocol-rpc.rules)
 * 1:16058 <-> DISABLED <-> SERVER-SAMBA Samba WINS Server Name Registration handling stack buffer overflow attempt (server-samba.rules)
 * 1:15851 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:13949 <-> DISABLED <-> PROTOCOL-DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers (protocol-dns.rules)
 * 1:13948 <-> DISABLED <-> PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning (protocol-dns.rules)
 * 1:13922 <-> DISABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
 * 1:1384 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP malformed advertisement (os-windows.rules)
 * 1:13806 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 234 attempt (protocol-rpc.rules)
 * 1:34061 <-> DISABLED <-> SERVER-IIS Microsoft IIS Range header integer overflow attempt (server-iis.rules)
 * 1:33582 <-> DISABLED <-> SERVER-SAMBA Samba WINS Server Name Registration handling stack buffer overflow attempt (server-samba.rules)
 * 1:33555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF use-after-free attempt (file-flash.rules)
 * 1:33554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF use-after-free attempt (file-flash.rules)
 * 1:32356 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount path overflow attempt (protocol-rpc.rules)
 * 1:29623 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit attribute child removal code execution attempt (browser-webkit.rules)
 * 1:25251 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS .NET null character username truncation attempt (server-iis.rules)
 * 1:24380 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules)
 * 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules)
 * 1:24276 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt (server-iis.rules)
 * 1:24275 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt (server-iis.rules)
 * 1:24274 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt (server-iis.rules)
 * 1:23218 <-> ENABLED <-> EXPLOIT-KIT Redkit Repeated Exploit Request Pattern (exploit-kit.rules)
 * 1:21570 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop new session flood attempt (os-windows.rules)
 * 1:21568 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP RST denial of service attempt (os-windows.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:9621 <-> DISABLED <-> PROTOCOL-TFTP 3COM server transport mode buffer overflow attempt (protocol-tftp.rules)
 * 1:7029 <-> DISABLED <-> SERVER-IIS Microsoft Office FrontPage server extensions 2002 cross site scripting attempt (server-iis.rules)
 * 1:7028 <-> DISABLED <-> SERVER-IIS Microsoft Office FrontPage server extensions 2002 cross site scripting attempt (server-iis.rules)
 * 1:44478 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:43189 <-> DISABLED <-> PROTOCOL-RPC Linux kernel NFSv3 malformed WRITE arbitrary memory read attempt (protocol-rpc.rules)
 * 1:43188 <-> DISABLED <-> PROTOCOL-RPC Linux kernel NFSv2 malformed WRITE arbitrary memory read attempt (protocol-rpc.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
 * 1:40843 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 warning denial of service attempt (server-other.rules)
 * 1:40360 <-> ENABLED <-> SERVER-OTHER OpenSSL OCSP Status Request Extension denial of service attempt (server-other.rules)
 * 1:396 <-> DISABLED <-> PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set (protocol-icmp.rules)
 * 1:39227 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WPAD spoofing attempt (os-windows.rules)
 * 1:38771 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38770 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38769 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38768 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:36536 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK packet flood attempt (server-other.rules)
 * 1:3626 <-> DISABLED <-> PROTOCOL-ICMP PATH MTU denial of service attempt (protocol-icmp.rules)
 * 3:13798 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:13666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI integer overflow attempt (os-windows.rules)
 * 3:12636 <-> ENABLED <-> PROTOCOL-NNTP XHDR buffer overflow attempt (protocol-nntp.rules)
 * 3:40130 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:8092 <-> ENABLED <-> OS-WINDOWS IGMP IP Options validation attempt (os-windows.rules)
 * 3:33587 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
 * 3:35883 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor opcode 0x13 overflow attempt (netbios.rules)
 * 3:20275 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss NetShareEnumAll response overflow attempt (netbios.rules)
 * 3:24666 <-> ENABLED <-> FILE-OFFICE Excel invalid data item buffer overflow attempt (file-office.rules)
 * 3:15328 <-> ENABLED <-> FILE-JAVA Sun JDK image parsing library ICC buffer overflow attempt (file-java.rules)
 * 3:17700 <-> ENABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer wav chunk string overflow attempt (file-multimedia.rules)
 * 3:14646 <-> ENABLED <-> OS-WINDOWS Active Directory malformed baseObject denial of service attempt (os-windows.rules)
 * 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:13897 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime crgn atom parsing stack buffer overflow attempt (file-multimedia.rules)
 * 3:13954 <-> ENABLED <-> OS-WINDOWS Microsoft Color Management System EMF file processing overflow attempt (os-windows.rules)
 * 3:13802 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)

2018-02-01 22:34:02 UTC

Snort Subscriber Rules Update

Date: 2018-02-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:45592 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt (server-webapp.rules)

Modified Rules:

 * 1:12064 <-> DISABLED <-> SERVER-IIS w3svc _vti_bin null pointer dereference attempt (server-iis.rules)
 * 1:33554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF use-after-free attempt (file-flash.rules)
 * 1:10484 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 191 attempt (protocol-rpc.rules)
 * 1:33582 <-> DISABLED <-> SERVER-SAMBA Samba WINS Server Name Registration handling stack buffer overflow attempt (server-samba.rules)
 * 1:33555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF use-after-free attempt (file-flash.rules)
 * 1:10483 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp request (protocol-rpc.rules)
 * 1:12708 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt (protocol-rpc.rules)
 * 1:13223 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (protocol-rpc.rules)
 * 1:13250 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 tcp request (protocol-rpc.rules)
 * 1:13251 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 udp request (protocol-rpc.rules)
 * 1:13253 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 udp procedure 4 attempt (protocol-rpc.rules)
 * 1:13257 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 udp procedure 5 attempt (protocol-rpc.rules)
 * 1:13716 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 232 attempt (protocol-rpc.rules)
 * 1:13717 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 232 attempt (protocol-rpc.rules)
 * 1:13805 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 234 attempt (protocol-rpc.rules)
 * 1:13806 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 234 attempt (protocol-rpc.rules)
 * 1:10485 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 191 attempt (protocol-rpc.rules)
 * 1:12186 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp request (protocol-rpc.rules)
 * 1:17440 <-> DISABLED <-> SERVER-IIS RSA authentication agent for web redirect buffer overflow attempt (server-iis.rules)
 * 1:17495 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS response spoofing attempt (server-other.rules)
 * 1:17652 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS source code disclosure attempt (server-iis.rules)
 * 1:17696 <-> DISABLED <-> PROTOCOL-DNS Microsoft Windows DNS Server ANY query cache weakness (protocol-dns.rules)
 * 1:18294 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt (browser-webkit.rules)
 * 1:38768 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:36536 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK packet flood attempt (server-other.rules)
 * 1:34061 <-> DISABLED <-> SERVER-IIS Microsoft IIS Range header integer overflow attempt (server-iis.rules)
 * 1:3626 <-> DISABLED <-> PROTOCOL-ICMP PATH MTU denial of service attempt (protocol-icmp.rules)
 * 1:18295 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt (browser-webkit.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:21568 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP RST denial of service attempt (os-windows.rules)
 * 1:21570 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop new session flood attempt (os-windows.rules)
 * 1:23218 <-> ENABLED <-> EXPLOIT-KIT Redkit Repeated Exploit Request Pattern (exploit-kit.rules)
 * 1:24274 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt (server-iis.rules)
 * 1:24275 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt (server-iis.rules)
 * 1:24276 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt (server-iis.rules)
 * 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules)
 * 1:24380 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules)
 * 1:25251 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS .NET null character username truncation attempt (server-iis.rules)
 * 1:29623 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit attribute child removal code execution attempt (browser-webkit.rules)
 * 1:32356 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount path overflow attempt (protocol-rpc.rules)
 * 1:9621 <-> DISABLED <-> PROTOCOL-TFTP 3COM server transport mode buffer overflow attempt (protocol-tftp.rules)
 * 1:7029 <-> DISABLED <-> SERVER-IIS Microsoft Office FrontPage server extensions 2002 cross site scripting attempt (server-iis.rules)
 * 1:7028 <-> DISABLED <-> SERVER-IIS Microsoft Office FrontPage server extensions 2002 cross site scripting attempt (server-iis.rules)
 * 1:44478 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:43189 <-> DISABLED <-> PROTOCOL-RPC Linux kernel NFSv3 malformed WRITE arbitrary memory read attempt (protocol-rpc.rules)
 * 1:43188 <-> DISABLED <-> PROTOCOL-RPC Linux kernel NFSv2 malformed WRITE arbitrary memory read attempt (protocol-rpc.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
 * 1:40843 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 warning denial of service attempt (server-other.rules)
 * 1:40360 <-> ENABLED <-> SERVER-OTHER OpenSSL OCSP Status Request Extension denial of service attempt (server-other.rules)
 * 1:396 <-> DISABLED <-> PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set (protocol-icmp.rules)
 * 1:39227 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WPAD spoofing attempt (os-windows.rules)
 * 1:38771 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38770 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38769 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:12185 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 tcp request (protocol-rpc.rules)
 * 1:13256 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 tcp procedure 5 attempt (protocol-rpc.rules)
 * 1:17428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ASP.NET information disclosure attempt (os-windows.rules)
 * 1:17429 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ASP.NET information disclosure attempt (os-windows.rules)
 * 1:16086 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 udp xml buffer overflow attempt (protocol-rpc.rules)
 * 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
 * 1:16084 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 udp request (protocol-rpc.rules)
 * 1:16085 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 tcp xml buffer overflow attempt (protocol-rpc.rules)
 * 1:16081 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 tcp XDR SString buffer overflow attempt (protocol-rpc.rules)
 * 1:16082 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 udp XDR SString buffer overflow attempt (protocol-rpc.rules)
 * 1:15851 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:16058 <-> DISABLED <-> SERVER-SAMBA Samba WINS Server Name Registration handling stack buffer overflow attempt (server-samba.rules)
 * 1:13948 <-> DISABLED <-> PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning (protocol-dns.rules)
 * 1:13949 <-> DISABLED <-> PROTOCOL-DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers (protocol-dns.rules)
 * 1:1384 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP malformed advertisement (os-windows.rules)
 * 1:13922 <-> DISABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
 * 1:12188 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp rename_principal attempt (protocol-rpc.rules)
 * 1:12595 <-> DISABLED <-> SERVER-IIS malicious ASP file upload attempt (server-iis.rules)
 * 3:40130 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:8092 <-> ENABLED <-> OS-WINDOWS IGMP IP Options validation attempt (os-windows.rules)
 * 3:33587 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
 * 3:35883 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor opcode 0x13 overflow attempt (netbios.rules)
 * 3:20275 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss NetShareEnumAll response overflow attempt (netbios.rules)
 * 3:24666 <-> ENABLED <-> FILE-OFFICE Excel invalid data item buffer overflow attempt (file-office.rules)
 * 3:15328 <-> ENABLED <-> FILE-JAVA Sun JDK image parsing library ICC buffer overflow attempt (file-java.rules)
 * 3:17700 <-> ENABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer wav chunk string overflow attempt (file-multimedia.rules)
 * 3:14646 <-> ENABLED <-> OS-WINDOWS Active Directory malformed baseObject denial of service attempt (os-windows.rules)
 * 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:13897 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime crgn atom parsing stack buffer overflow attempt (file-multimedia.rules)
 * 3:13954 <-> ENABLED <-> OS-WINDOWS Microsoft Color Management System EMF file processing overflow attempt (os-windows.rules)
 * 3:13802 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:13798 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:12636 <-> ENABLED <-> PROTOCOL-NNTP XHDR buffer overflow attempt (protocol-nntp.rules)
 * 3:13666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI integer overflow attempt (os-windows.rules)

2018-02-01 22:34:02 UTC

Snort Subscriber Rules Update

Date: 2018-02-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:45592 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt (server-webapp.rules)

Modified Rules:

 * 1:10484 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 191 attempt (protocol-rpc.rules)
 * 1:36536 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK packet flood attempt (server-other.rules)
 * 1:33582 <-> DISABLED <-> SERVER-SAMBA Samba WINS Server Name Registration handling stack buffer overflow attempt (server-samba.rules)
 * 1:34061 <-> DISABLED <-> SERVER-IIS Microsoft IIS Range header integer overflow attempt (server-iis.rules)
 * 1:12708 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt (protocol-rpc.rules)
 * 1:38771 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38770 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38769 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38768 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:13223 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (protocol-rpc.rules)
 * 1:13250 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 tcp request (protocol-rpc.rules)
 * 1:3626 <-> DISABLED <-> PROTOCOL-ICMP PATH MTU denial of service attempt (protocol-icmp.rules)
 * 1:13251 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 udp request (protocol-rpc.rules)
 * 1:33554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF use-after-free attempt (file-flash.rules)
 * 1:13253 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 udp procedure 4 attempt (protocol-rpc.rules)
 * 1:10485 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 191 attempt (protocol-rpc.rules)
 * 1:33555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF use-after-free attempt (file-flash.rules)
 * 1:9621 <-> DISABLED <-> PROTOCOL-TFTP 3COM server transport mode buffer overflow attempt (protocol-tftp.rules)
 * 1:7029 <-> DISABLED <-> SERVER-IIS Microsoft Office FrontPage server extensions 2002 cross site scripting attempt (server-iis.rules)
 * 1:7028 <-> DISABLED <-> SERVER-IIS Microsoft Office FrontPage server extensions 2002 cross site scripting attempt (server-iis.rules)
 * 1:44478 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:43189 <-> DISABLED <-> PROTOCOL-RPC Linux kernel NFSv3 malformed WRITE arbitrary memory read attempt (protocol-rpc.rules)
 * 1:43188 <-> DISABLED <-> PROTOCOL-RPC Linux kernel NFSv2 malformed WRITE arbitrary memory read attempt (protocol-rpc.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
 * 1:40843 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 warning denial of service attempt (server-other.rules)
 * 1:40360 <-> ENABLED <-> SERVER-OTHER OpenSSL OCSP Status Request Extension denial of service attempt (server-other.rules)
 * 1:396 <-> DISABLED <-> PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set (protocol-icmp.rules)
 * 1:39227 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WPAD spoofing attempt (os-windows.rules)
 * 1:13716 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 232 attempt (protocol-rpc.rules)
 * 1:13717 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 232 attempt (protocol-rpc.rules)
 * 1:13805 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 234 attempt (protocol-rpc.rules)
 * 1:13806 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 234 attempt (protocol-rpc.rules)
 * 1:12185 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 tcp request (protocol-rpc.rules)
 * 1:12186 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp request (protocol-rpc.rules)
 * 1:10483 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp request (protocol-rpc.rules)
 * 1:16084 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 udp request (protocol-rpc.rules)
 * 1:16085 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 tcp xml buffer overflow attempt (protocol-rpc.rules)
 * 1:16086 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 udp xml buffer overflow attempt (protocol-rpc.rules)
 * 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
 * 1:17428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ASP.NET information disclosure attempt (os-windows.rules)
 * 1:17429 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ASP.NET information disclosure attempt (os-windows.rules)
 * 1:17440 <-> DISABLED <-> SERVER-IIS RSA authentication agent for web redirect buffer overflow attempt (server-iis.rules)
 * 1:13257 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 udp procedure 5 attempt (protocol-rpc.rules)
 * 1:17495 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS response spoofing attempt (server-other.rules)
 * 1:17652 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS source code disclosure attempt (server-iis.rules)
 * 1:17696 <-> DISABLED <-> PROTOCOL-DNS Microsoft Windows DNS Server ANY query cache weakness (protocol-dns.rules)
 * 1:18294 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt (browser-webkit.rules)
 * 1:18295 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt (browser-webkit.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:32356 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount path overflow attempt (protocol-rpc.rules)
 * 1:25251 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS .NET null character username truncation attempt (server-iis.rules)
 * 1:29623 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit attribute child removal code execution attempt (browser-webkit.rules)
 * 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules)
 * 1:24380 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules)
 * 1:24275 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt (server-iis.rules)
 * 1:24276 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt (server-iis.rules)
 * 1:23218 <-> ENABLED <-> EXPLOIT-KIT Redkit Repeated Exploit Request Pattern (exploit-kit.rules)
 * 1:24274 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt (server-iis.rules)
 * 1:21568 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP RST denial of service attempt (os-windows.rules)
 * 1:21570 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop new session flood attempt (os-windows.rules)
 * 1:16082 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 udp XDR SString buffer overflow attempt (protocol-rpc.rules)
 * 1:16058 <-> DISABLED <-> SERVER-SAMBA Samba WINS Server Name Registration handling stack buffer overflow attempt (server-samba.rules)
 * 1:16081 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 tcp XDR SString buffer overflow attempt (protocol-rpc.rules)
 * 1:13949 <-> DISABLED <-> PROTOCOL-DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers (protocol-dns.rules)
 * 1:15851 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:13922 <-> DISABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
 * 1:13948 <-> DISABLED <-> PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning (protocol-dns.rules)
 * 1:12595 <-> DISABLED <-> SERVER-IIS malicious ASP file upload attempt (server-iis.rules)
 * 1:1384 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP malformed advertisement (os-windows.rules)
 * 1:12188 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp rename_principal attempt (protocol-rpc.rules)
 * 1:12064 <-> DISABLED <-> SERVER-IIS w3svc _vti_bin null pointer dereference attempt (server-iis.rules)
 * 1:13256 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 tcp procedure 5 attempt (protocol-rpc.rules)
 * 3:35883 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor opcode 0x13 overflow attempt (netbios.rules)
 * 3:40130 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:8092 <-> ENABLED <-> OS-WINDOWS IGMP IP Options validation attempt (os-windows.rules)
 * 3:33587 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
 * 3:17700 <-> ENABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer wav chunk string overflow attempt (file-multimedia.rules)
 * 3:15328 <-> ENABLED <-> FILE-JAVA Sun JDK image parsing library ICC buffer overflow attempt (file-java.rules)
 * 3:24666 <-> ENABLED <-> FILE-OFFICE Excel invalid data item buffer overflow attempt (file-office.rules)
 * 3:20275 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss NetShareEnumAll response overflow attempt (netbios.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14646 <-> ENABLED <-> OS-WINDOWS Active Directory malformed baseObject denial of service attempt (os-windows.rules)
 * 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:13897 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime crgn atom parsing stack buffer overflow attempt (file-multimedia.rules)
 * 3:13954 <-> ENABLED <-> OS-WINDOWS Microsoft Color Management System EMF file processing overflow attempt (os-windows.rules)
 * 3:13666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI integer overflow attempt (os-windows.rules)
 * 3:13802 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:13798 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:12636 <-> ENABLED <-> PROTOCOL-NNTP XHDR buffer overflow attempt (protocol-nntp.rules)

2018-02-01 22:34:02 UTC

Snort Subscriber Rules Update

Date: 2018-02-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
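The format line above is all a script needs to work with these release notes. As an added example, not part of the Talos release note, here is a small Python parser for that format. Its sample input is constructed from a few of this page's own entries. It splits the "New Rules" and "Modified Rules" lists, counts the entries that ship default-disabled per rule group (the ones a tuning pass has to decide on), flags SIDs that share one message (typically the same vulnerability covered over two transports or directions), and emits gid:sid entries in the form PulledPork's enablesid.conf accepts. The PulledPork usage and the sample text are assumptions of this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# One changelog entry: "gid:sid <-> ENABLED|DISABLED <-> Message (rule group)"
LINE_RE = re.compile(
    r"^\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)$"
)

# Constructed sample, copied from entries on this page (one has the double space
# that appears in the original listing, which the regex tolerates).
SAMPLE = """\
New Rules:

 * 1:45592 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt (server-webapp.rules)

Modified Rules:

 * 1:33555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF use-after-free attempt (file-flash.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 1:15851 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt  (server-iis.rules)
"""


@dataclass(frozen=True)
class RuleEntry:
    gid: int        # 1 = text rules, 3 = shared-object rules built per Snort version
    sid: int
    enabled: bool   # default state in the rule pack, not your local policy
    message: str
    group: str      # e.g. "server-iis.rules"


def parse_changelog(text: str) -> Dict[str, List[RuleEntry]]:
    """Return {"new": [...], "modified": [...]} from a release-note body."""
    sections: Dict[str, List[RuleEntry]] = {"new": [], "modified": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "New Rules:":
            current = "new"
            continue
        if line == "Modified Rules:":
            current = "modified"
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            sections[current].append(RuleEntry(
                int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                m["msg"].strip(), m["group"]))
    return sections


def disabled_by_group(entries: Iterable[RuleEntry]) -> Dict[str, int]:
    """Count default-disabled entries per rule group (the tuning backlog)."""
    counts: Dict[str, int] = defaultdict(int)
    for e in entries:
        if not e.enabled:
            counts[e.group] += 1
    return dict(counts)


def duplicate_coverage(entries: Iterable[RuleEntry]) -> Dict[str, List[str]]:
    """Map each message that several SIDs share to those gid:sid identifiers."""
    by_msg: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        by_msg[e.message].append(f"{e.gid}:{e.sid}")
    return {msg: sorted(ids) for msg, ids in by_msg.items() if len(ids) > 1}


def enablesid_lines(entries: Iterable[RuleEntry], groups: Iterable[str]) -> List[str]:
    """gid:sid lines for default-disabled entries in the chosen groups, sorted.

    Assumed use: paste into PulledPork's enablesid.conf after review.
    """
    wanted = set(groups)
    picked = sorted((e.gid, e.sid) for e in entries
                    if not e.enabled and e.group in wanted)
    return [f"{gid}:{sid}" for gid, sid in picked]


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("new:", len(parsed["new"]), "modified:", len(parsed["modified"]))
    print("default-disabled per group:", disabled_by_group(parsed["modified"]))
    print("shared messages:", duplicate_coverage(parsed["modified"]))
    print("\n".join(enablesid_lines(parsed["new"] + parsed["modified"],
                                    ["server-iis.rules", "server-webapp.rules"])))
```

Two caveats when using this against a real release note: the default state is the vendor's policy, not a risk judgement about your environment, so treat the disabled list as a review queue rather than something to enable wholesale; and gid 3 entries are shared-object rules compiled per Snort build, which is why the page repeats the list per Snort version and why an enablesid entry for a gid 3 SID only takes effect on a sensor running that version.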

New Rules:


 * 1:45592 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt (server-webapp.rules)

Modified Rules:


 * 1:38769 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38768 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:12708 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt (protocol-rpc.rules)
 * 1:36536 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK packet flood attempt (server-other.rules)
 * 1:33582 <-> DISABLED <-> SERVER-SAMBA Samba WINS Server Name Registration handling stack buffer overflow attempt (server-samba.rules)
 * 1:13223 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (protocol-rpc.rules)
 * 1:13250 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 tcp request (protocol-rpc.rules)
 * 1:13251 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 udp request (protocol-rpc.rules)
 * 1:13253 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 udp procedure 4 attempt (protocol-rpc.rules)
 * 1:10484 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 191 attempt (protocol-rpc.rules)
 * 1:13716 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 232 attempt (protocol-rpc.rules)
 * 1:13717 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 232 attempt (protocol-rpc.rules)
 * 1:3626 <-> DISABLED <-> PROTOCOL-ICMP PATH MTU denial of service attempt (protocol-icmp.rules)
 * 1:13805 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 234 attempt (protocol-rpc.rules)
 * 1:13806 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 234 attempt (protocol-rpc.rules)
 * 1:12064 <-> DISABLED <-> SERVER-IIS w3svc _vti_bin null pointer dereference attempt (server-iis.rules)
 * 1:16086 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 udp xml buffer overflow attempt (protocol-rpc.rules)
 * 1:12185 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 tcp request (protocol-rpc.rules)
 * 1:17652 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS source code disclosure attempt (server-iis.rules)
 * 1:33555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF use-after-free attempt (file-flash.rules)
 * 1:17696 <-> DISABLED <-> PROTOCOL-DNS Microsoft Windows DNS Server ANY query cache weakness (protocol-dns.rules)
 * 1:18294 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt (browser-webkit.rules)
 * 1:18295 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt (browser-webkit.rules)
 * 1:13257 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 udp procedure 5 attempt (protocol-rpc.rules)
 * 1:17495 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS response spoofing attempt (server-other.rules)
 * 1:12186 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp request (protocol-rpc.rules)
 * 1:12188 <-> DISABLED <-> PROTOCOL-RPC portmap 2112 udp rename_principal attempt (protocol-rpc.rules)
 * 1:34061 <-> DISABLED <-> SERVER-IIS Microsoft IIS Range header integer overflow attempt (server-iis.rules)
 * 1:12595 <-> DISABLED <-> SERVER-IIS malicious ASP file upload attempt (server-iis.rules)
 * 1:10483 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp request (protocol-rpc.rules)
 * 1:13948 <-> DISABLED <-> PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning (protocol-dns.rules)
 * 1:16085 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 tcp xml buffer overflow attempt (protocol-rpc.rules)
 * 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
 * 1:17428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ASP.NET information disclosure attempt (os-windows.rules)
 * 1:17429 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ASP.NET information disclosure attempt (os-windows.rules)
 * 1:17440 <-> DISABLED <-> SERVER-IIS RSA authentication agent for web redirect buffer overflow attempt (server-iis.rules)
 * 1:24380 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules)
 * 1:24275 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt (server-iis.rules)
 * 1:24276 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt (server-iis.rules)
 * 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules)
 * 1:24274 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt (server-iis.rules)
 * 1:21568 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP RST denial of service attempt (os-windows.rules)
 * 1:21570 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop new session flood attempt (os-windows.rules)
 * 1:23218 <-> ENABLED <-> EXPLOIT-KIT Redkit Repeated Exploit Request Pattern (exploit-kit.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:10485 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 191 attempt (protocol-rpc.rules)
 * 1:16082 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 udp XDR SString buffer overflow attempt (protocol-rpc.rules)
 * 1:16084 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 udp request (protocol-rpc.rules)
 * 1:16058 <-> DISABLED <-> SERVER-SAMBA Samba WINS Server Name Registration handling stack buffer overflow attempt (server-samba.rules)
 * 1:16081 <-> DISABLED <-> PROTOCOL-RPC portmap 395650 tcp XDR SString buffer overflow attempt (protocol-rpc.rules)
 * 1:13949 <-> DISABLED <-> PROTOCOL-DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers (protocol-dns.rules)
 * 1:15851 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:13256 <-> DISABLED <-> PROTOCOL-RPC portmap 390113 tcp procedure 5 attempt (protocol-rpc.rules)
 * 1:38770 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38771 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:39227 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WPAD spoofing attempt (os-windows.rules)
 * 1:396 <-> DISABLED <-> PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set (protocol-icmp.rules)
 * 1:40360 <-> ENABLED <-> SERVER-OTHER OpenSSL OCSP Status Request Extension denial of service attempt (server-other.rules)
 * 1:40843 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 warning denial of service attempt (server-other.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
 * 1:43188 <-> DISABLED <-> PROTOCOL-RPC Linux kernel NFSv2 malformed WRITE arbitrary memory read attempt (protocol-rpc.rules)
 * 1:43189 <-> DISABLED <-> PROTOCOL-RPC Linux kernel NFSv3 malformed WRITE arbitrary memory read attempt (protocol-rpc.rules)
 * 1:44478 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:7028 <-> DISABLED <-> SERVER-IIS Microsoft Office FrontPage server extensions 2002 cross site scripting attempt (server-iis.rules)
 * 1:7029 <-> DISABLED <-> SERVER-IIS Microsoft Office FrontPage server extensions 2002 cross site scripting attempt (server-iis.rules)
 * 1:9621 <-> DISABLED <-> PROTOCOL-TFTP 3COM server transport mode buffer overflow attempt (protocol-tftp.rules)
 * 1:13922 <-> DISABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
 * 1:1384 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP malformed advertisement (os-windows.rules)
 * 1:33554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF use-after-free attempt (file-flash.rules)
 * 1:25251 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS .NET null character username truncation attempt (server-iis.rules)
 * 1:29623 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit attribute child removal code execution attempt (browser-webkit.rules)
 * 1:32356 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount path overflow attempt (protocol-rpc.rules)
 * 3:8092 <-> ENABLED <-> OS-WINDOWS IGMP IP Options validation attempt (os-windows.rules)
 * 3:13798 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:14646 <-> ENABLED <-> OS-WINDOWS Active Directory malformed baseObject denial of service attempt (os-windows.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:13897 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime crgn atom parsing stack buffer overflow attempt (file-multimedia.rules)
 * 3:13802 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:12636 <-> ENABLED <-> PROTOCOL-NNTP XHDR buffer overflow attempt (protocol-nntp.rules)
 * 3:13666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI integer overflow attempt (os-windows.rules)
 * 3:24666 <-> ENABLED <-> FILE-OFFICE Excel invalid data item buffer overflow attempt (file-office.rules)
 * 3:40130 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
 * 3:33587 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
 * 3:35883 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor opcode 0x13 overflow attempt (netbios.rules)
 * 3:20275 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss NetShareEnumAll response overflow attempt (netbios.rules)
 * 3:13954 <-> ENABLED <-> OS-WINDOWS Microsoft Color Management System EMF file processing overflow attempt (os-windows.rules)
 * 3:15328 <-> ENABLED <-> FILE-JAVA Sun JDK image parsing library ICC buffer overflow attempt (file-java.rules)
 * 3:17700 <-> ENABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer wav chunk string overflow attempt (file-multimedia.rules)