Talos Rules 2019-08-06
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, file-identify, file-image, file-multimedia, file-office, file-other, indicator-scan, malware-backdoor, malware-cnc, malware-tools, netbios, os-linux, os-windows, policy-other, protocol-dns, protocol-rpc, protocol-services, protocol-snmp, protocol-tftp, protocol-voip, server-apache, server-iis, server-mssql, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-08-06 17:09:02 UTC

Snort Subscriber Rules Update

Date: 2019-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:50884 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
 * 1:50883 <-> DISABLED <-> SERVER-APACHE Apache 2 mod_ssl Connection Abort denial of service attempt (server-apache.rules)
 * 1:50882 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50881 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50880 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50875 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
 * 1:50874 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
 * 1:50873 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 1:50872 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 1:50871 <-> DISABLED <-> SERVER-OTHER Quagga telnet CLI buffer overflow attempt (server-other.rules)
 * 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:50885 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
 * 1:50886 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
 * 1:50892 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
 * 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:50889 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
 * 1:50888 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
 * 1:50887 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
 * 1:50896 <-> DISABLED <-> SERVER-OTHER NetSupport Manager client buffer overflow attempt (server-other.rules)
 * 1:50895 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 1:50894 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 1:50893 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
 * 1:50900 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:50901 <-> DISABLED <-> SERVER-OTHER OpenBSD ISAKMP denial of service attempt (server-other.rules)
 * 3:50897 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
 * 3:50898 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
 * 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)

Modified Rules:

 * 1:968 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.htm access (server-other.rules)
 * 1:967 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage dvwssr.dll access (server-other.rules)
 * 1:1289 <-> DISABLED <-> PROTOCOL-TFTP GET Admin.dll (protocol-tftp.rules)
 * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules)
 * 1:1281 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 32771 (protocol-rpc.rules)
 * 1:1280 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 111 (protocol-rpc.rules)
 * 1:1249 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access (server-other.rules)
 * 1:1248 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access (server-other.rules)
 * 1:1166 <-> DISABLED <-> SERVER-WEBAPP ws_ftp.ini access (server-webapp.rules)
 * 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (server-webapp.rules)
 * 1:1131 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
 * 1:1130 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
 * 1:1444 <-> DISABLED <-> PROTOCOL-TFTP Get (protocol-tftp.rules)
 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
 * 1:1442 <-> DISABLED <-> PROTOCOL-TFTP GET shadow (protocol-tftp.rules)
 * 1:1441 <-> DISABLED <-> PROTOCOL-TFTP GET nc.exe (protocol-tftp.rules)
 * 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (protocol-snmp.rules)
 * 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (protocol-snmp.rules)
 * 1:1388 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP Location overflow attempt (os-windows.rules)
 * 1:1309 <-> DISABLED <-> SERVER-WEBAPP zsh access (server-webapp.rules)
 * 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (server-webapp.rules)
 * 1:1616 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
 * 1:1551 <-> DISABLED <-> SERVER-WEBAPP /CVS/Entries access (server-webapp.rules)
 * 1:1521 <-> DISABLED <-> SERVER-WEBAPP server-status access (server-webapp.rules)
 * 1:1520 <-> DISABLED <-> SERVER-WEBAPP server-info access (server-webapp.rules)
 * 1:1504 <-> DISABLED <-> POLICY-OTHER AFS access (policy-other.rules)
 * 1:1648 <-> DISABLED <-> SERVER-WEBAPP perl.exe command attempt (server-webapp.rules)
 * 1:1890 <-> DISABLED <-> PROTOCOL-RPC status GHBN format string attack (protocol-rpc.rules)
 * 1:1771 <-> DISABLED <-> POLICY-OTHER IPSec PGPNet connection attempt (policy-other.rules)
 * 1:1746 <-> DISABLED <-> PROTOCOL-RPC portmap cachefsd request UDP (protocol-rpc.rules)
 * 1:1732 <-> DISABLED <-> PROTOCOL-RPC portmap rwalld request UDP (protocol-rpc.rules)
 * 1:1660 <-> DISABLED <-> SERVER-IIS trace.axd access (server-iis.rules)
 * 1:1649 <-> DISABLED <-> SERVER-WEBAPP perl command attempt (server-webapp.rules)
 * 1:1910 <-> DISABLED <-> PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt (protocol-rpc.rules)
 * 1:1907 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt (protocol-rpc.rules)
 * 1:1905 <-> DISABLED <-> PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt (protocol-rpc.rules)
 * 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (protocol-snmp.rules)
 * 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
 * 1:2005 <-> DISABLED <-> PROTOCOL-RPC portmap kcms_server request UDP (protocol-rpc.rules)
 * 1:1985 <-> DISABLED <-> MALWARE-BACKDOOR Doly variant outbound connection attempt (malware-backdoor.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 1:1966 <-> DISABLED <-> SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt (server-other.rules)
 * 1:1964 <-> DISABLED <-> PROTOCOL-RPC tooltalk UDP overflow attempt (protocol-rpc.rules)
 * 1:1963 <-> DISABLED <-> PROTOCOL-RPC RQUOTA getquota overflow attempt UDP (protocol-rpc.rules)
 * 1:1961 <-> DISABLED <-> PROTOCOL-RPC portmap RQUOTA request UDP (protocol-rpc.rules)
 * 1:1959 <-> DISABLED <-> PROTOCOL-RPC portmap NFS request UDP (protocol-rpc.rules)
 * 1:1957 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP PING (protocol-rpc.rules)
 * 1:1956 <-> DISABLED <-> PROTOCOL-RPC AMD UDP version request (protocol-rpc.rules)
 * 1:1954 <-> DISABLED <-> PROTOCOL-RPC AMD UDP pid request (protocol-rpc.rules)
 * 1:1950 <-> DISABLED <-> PROTOCOL-RPC portmap SET attempt UDP 111 (protocol-rpc.rules)
 * 1:1948 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via UDP detected (protocol-dns.rules)
 * 1:1940 <-> DISABLED <-> SERVER-OTHER bootp invalid hardware type (server-other.rules)
 * 1:1939 <-> DISABLED <-> SERVER-OTHER bootp hardware address length overflow (server-other.rules)
 * 1:1926 <-> DISABLED <-> PROTOCOL-RPC mountd UDP exportall request (protocol-rpc.rules)
 * 1:1924 <-> DISABLED <-> PROTOCOL-RPC mountd UDP export request (protocol-rpc.rules)
 * 1:1923 <-> DISABLED <-> PROTOCOL-RPC portmap proxy attempt UDP (protocol-rpc.rules)
 * 1:1915 <-> DISABLED <-> PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt (protocol-rpc.rules)
 * 1:1913 <-> DISABLED <-> PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt (protocol-rpc.rules)
 * 1:1911 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt (protocol-rpc.rules)
 * 1:2042 <-> DISABLED <-> POLICY-OTHER xtacacs accepted login response (policy-other.rules)
 * 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules)
 * 1:2040 <-> DISABLED <-> POLICY-OTHER xtacacs login attempt (policy-other.rules)
 * 1:2039 <-> DISABLED <-> SERVER-OTHER bootp hostname format string attempt (server-other.rules)
 * 1:2037 <-> DISABLED <-> PROTOCOL-RPC network-status-monitor mon-callback request UDP (protocol-rpc.rules)
 * 1:2035 <-> DISABLED <-> PROTOCOL-RPC portmap network-status-monitor request UDP (protocol-rpc.rules)
 * 1:2033 <-> DISABLED <-> PROTOCOL-RPC ypserv maplist request UDP (protocol-rpc.rules)
 * 1:2031 <-> DISABLED <-> PROTOCOL-RPC yppasswd user update UDP (protocol-rpc.rules)
 * 1:2029 <-> DISABLED <-> PROTOCOL-RPC yppasswd new password overflow attempt UDP (protocol-rpc.rules)
 * 1:2027 <-> DISABLED <-> PROTOCOL-RPC yppasswd old password overflow attempt UDP (protocol-rpc.rules)
 * 1:2025 <-> DISABLED <-> PROTOCOL-RPC yppasswd username overflow attempt UDP (protocol-rpc.rules)
 * 1:2023 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmountall request (protocol-rpc.rules)
 * 1:2021 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount request (protocol-rpc.rules)
 * 1:2019 <-> DISABLED <-> PROTOCOL-RPC mountd UDP dump request (protocol-rpc.rules)
 * 1:2017 <-> DISABLED <-> PROTOCOL-RPC portmap espd request UDP (protocol-rpc.rules)
 * 1:2015 <-> DISABLED <-> PROTOCOL-RPC portmap UNSET attempt UDP 111 (protocol-rpc.rules)
 * 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules)
 * 1:2256 <-> DISABLED <-> PROTOCOL-RPC sadmind query with root credentials attempt UDP (protocol-rpc.rules)
 * 1:2094 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt (protocol-rpc.rules)
 * 1:2083 <-> DISABLED <-> PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP (protocol-rpc.rules)
 * 1:2081 <-> DISABLED <-> PROTOCOL-RPC portmap rpc.xfsmd request UDP (protocol-rpc.rules)
 * 1:2079 <-> DISABLED <-> PROTOCOL-RPC portmap nlockmgr request UDP (protocol-rpc.rules)
 * 1:2049 <-> DISABLED <-> SQL ping attempt (sql.rules)
 * 1:2376 <-> DISABLED <-> SERVER-OTHER ISAKMP first payload certificate request length overflow attempt (server-other.rules)
 * 1:2339 <-> DISABLED <-> PROTOCOL-TFTP NULL command attempt (protocol-tftp.rules)
 * 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
 * 1:2329 <-> DISABLED <-> SERVER-MSSQL probe response overflow attempt (server-mssql.rules)
 * 1:2257 <-> DISABLED <-> OS-WINDOWS DCERPC Messenger Service buffer overflow attempt (os-windows.rules)
 * 1:2486 <-> DISABLED <-> SERVER-OTHER ISAKMP invalid identification payload attempt (server-other.rules)
 * 1:2380 <-> DISABLED <-> SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt (server-other.rules)
 * 1:2379 <-> DISABLED <-> SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt (server-other.rules)
 * 1:2378 <-> DISABLED <-> SERVER-OTHER ISAKMP third payload certificate request length overflow attempt (server-other.rules)
 * 1:2377 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload certificate request length overflow attempt (server-other.rules)
 * 1:253 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority (protocol-dns.rules)
 * 1:2511 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (os-windows.rules)
 * 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules)
 * 1:2564 <-> DISABLED <-> NETBIOS NS lookup short response attempt (netbios.rules)
 * 1:2563 <-> DISABLED <-> NETBIOS NS lookup response name overflow attempt (netbios.rules)
 * 1:256 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
 * 1:254 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (protocol-dns.rules)
 * 1:3006 <-> DISABLED <-> SERVER-OTHER Volition Freespace 2 buffer overflow attempt (server-other.rules)
 * 1:281 <-> DISABLED <-> SERVER-OTHER Ascend Route (server-other.rules)
 * 1:279 <-> DISABLED <-> SERVER-OTHER Bay/Nortel Nautica Marlin (server-other.rules)
 * 1:271 <-> DISABLED <-> SERVER-OTHER UDP echo+chargen bomb (server-other.rules)
 * 1:2656 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt (server-webapp.rules)
 * 1:313 <-> DISABLED <-> OS-LINUX ntalkd x86 Linux overflow (os-linux.rules)
 * 1:3080 <-> DISABLED <-> SERVER-OTHER Unreal Tournament secure overflow attempt (server-other.rules)
 * 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound connection (malware-cnc.rules)
 * 1:3159 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (os-windows.rules)
 * 1:3154 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query overflow (protocol-dns.rules)
 * 1:315 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:317 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:316 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound connection (malware-cnc.rules)
 * 1:3234 <-> DISABLED <-> OS-WINDOWS Messenger message little endian overflow attempt (os-windows.rules)
 * 1:3472 <-> DISABLED <-> SERVER-OTHER ARCserve discovery service overflow (server-other.rules)
 * 1:3239 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (os-windows.rules)
 * 1:3235 <-> DISABLED <-> OS-WINDOWS Messenger message overflow attempt (os-windows.rules)
 * 1:3538 <-> DISABLED <-> SERVER-OTHER RADIUS registration MSID overflow attempt (server-other.rules)
 * 1:3647 <-> DISABLED <-> NETBIOS SMB Trans andx data displacement null pointer DOS attempt (netbios.rules)
 * 1:3541 <-> DISABLED <-> SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt (server-other.rules)
 * 1:3540 <-> DISABLED <-> SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt (server-other.rules)
 * 1:3539 <-> DISABLED <-> SERVER-OTHER RADIUS MSID overflow attempt (server-other.rules)
 * 1:3650 <-> DISABLED <-> NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt (netbios.rules)
 * 1:3649 <-> DISABLED <-> NETBIOS SMB Trans unicode data displacement null pointer DOS attempt (netbios.rules)
 * 1:3648 <-> DISABLED <-> NETBIOS SMB Trans data displacement null pointer DOS attempt (netbios.rules)
 * 1:4141 <-> DISABLED <-> SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt (server-other.rules)
 * 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:3817 <-> DISABLED <-> PROTOCOL-TFTP GET transfer mode overflow attempt (protocol-tftp.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
 * 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
 * 1:4246 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (os-windows.rules)
 * 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (malware-cnc.rules)
 * 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
 * 1:4659 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt (netbios.rules)
 * 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
 * 1:4660 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt (netbios.rules)
 * 1:4661 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt (netbios.rules)
 * 1:4662 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt (netbios.rules)
 * 1:4671 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt (netbios.rules)
 * 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules)
 * 1:4755 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (os-windows.rules)
 * 1:4674 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt (netbios.rules)
 * 1:4673 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt (netbios.rules)
 * 1:4672 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt (netbios.rules)
 * 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules)
 * 1:5096 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt (os-windows.rules)
 * 1:579 <-> DISABLED <-> PROTOCOL-RPC portmap mountd request UDP (protocol-rpc.rules)
 * 1:578 <-> DISABLED <-> PROTOCOL-RPC portmap cmsd request UDP (protocol-rpc.rules)
 * 1:577 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request UDP (protocol-rpc.rules)
 * 1:576 <-> DISABLED <-> PROTOCOL-RPC portmap amountd request UDP (protocol-rpc.rules)
 * 1:575 <-> DISABLED <-> PROTOCOL-RPC portmap admind request UDP (protocol-rpc.rules)
 * 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5684 <-> DISABLED <-> NETBIOS SMB Session Setup unicode andx username overflow attempt (netbios.rules)
 * 1:5683 <-> DISABLED <-> NETBIOS SMB Session Setup andx username overflow attempt (netbios.rules)
 * 1:5681 <-> DISABLED <-> NETBIOS SMB Session Setup unicode username overflow attempt (netbios.rules)
 * 1:5680 <-> DISABLED <-> NETBIOS SMB Session Setup username overflow attempt (netbios.rules)
 * 1:520 <-> DISABLED <-> PROTOCOL-TFTP root directory (protocol-tftp.rules)
 * 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (protocol-tftp.rules)
 * 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
 * 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (protocol-snmp.rules)
 * 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules)
 * 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules)
 * 1:612 <-> DISABLED <-> PROTOCOL-RPC rusers query UDP (protocol-rpc.rules)
 * 1:611 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
 * 1:590 <-> DISABLED <-> PROTOCOL-RPC portmap ypserv request UDP (protocol-rpc.rules)
 * 1:5897 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407 (malware-tools.rules)
 * 1:589 <-> DISABLED <-> PROTOCOL-RPC portmap yppasswd request UDP (protocol-rpc.rules)
 * 1:588 <-> DISABLED <-> PROTOCOL-RPC portmap ttdbserv request UDP (protocol-rpc.rules)
 * 1:587 <-> DISABLED <-> PROTOCOL-RPC portmap status request UDP (protocol-rpc.rules)
 * 1:586 <-> DISABLED <-> PROTOCOL-RPC portmap selection_svc request UDP (protocol-rpc.rules)
 * 1:585 <-> DISABLED <-> PROTOCOL-RPC portmap sadmind request UDP attempt (protocol-rpc.rules)
 * 1:584 <-> DISABLED <-> PROTOCOL-RPC portmap rusers request UDP (protocol-rpc.rules)
 * 1:583 <-> DISABLED <-> PROTOCOL-RPC portmap rstatd request UDP (protocol-rpc.rules)
 * 1:582 <-> DISABLED <-> PROTOCOL-RPC portmap rexd request UDP (protocol-rpc.rules)
 * 1:581 <-> DISABLED <-> PROTOCOL-RPC portmap pcnfsd request UDP (protocol-rpc.rules)
 * 1:580 <-> DISABLED <-> PROTOCOL-RPC portmap nisd request UDP (protocol-rpc.rules)
 * 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules)
 * 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules)
 * 1:6409 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:6456 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (os-windows.rules)
 * 1:6444 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (os-windows.rules)
 * 1:6411 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:6410 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:6515 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt (protocol-voip.rules)
 * 1:6514 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt (protocol-voip.rules)
 * 1:6513 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt (protocol-voip.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:6713 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:6712 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:6707 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:6706 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:862 <-> DISABLED <-> SERVER-WEBAPP csh access (server-webapp.rules)
 * 1:832 <-> DISABLED <-> SERVER-WEBAPP perl.exe access (server-webapp.rules)
 * 1:7507 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection (malware-tools.rules)
 * 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
 * 1:885 <-> DISABLED <-> SERVER-WEBAPP bash access (server-webapp.rules)
 * 1:877 <-> DISABLED <-> SERVER-WEBAPP rksh access (server-webapp.rules)
 * 1:872 <-> DISABLED <-> SERVER-WEBAPP tcsh access (server-webapp.rules)
 * 1:8710 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt (os-windows.rules)
 * 1:868 <-> DISABLED <-> SERVER-WEBAPP rsh access (server-webapp.rules)
 * 1:865 <-> DISABLED <-> SERVER-WEBAPP ksh access (server-webapp.rules)
 * 1:942 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.htm access (server-other.rules)
 * 1:941 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage contents.htm access (server-other.rules)
 * 1:940 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.dll access (server-other.rules)
 * 1:939 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage posting (server-other.rules)
 * 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (server-other.rules)
 * 1:943 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access (server-other.rules)
 * 1:950 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage cfgwiz.exe access (server-other.rules)
 * 1:949 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.htm access (server-other.rules)
 * 1:948 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results access (server-other.rules)
 * 1:947 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.txt access (server-other.rules)
 * 1:946 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access (server-other.rules)
 * 1:945 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmin.htm access (server-other.rules)
 * 1:944 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpremadm.exe access (server-other.rules)
 * 1:954 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results.htm access (server-other.rules)
 * 1:953 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage administrators.pwd access (server-other.rules)
 * 1:952 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage author.exe access (server-other.rules)
 * 1:951 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage authors.pwd access (server-other.rules)
 * 1:955 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage access.cnf access (server-other.rules)
 * 1:956 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.txt access (server-other.rules)
 * 1:958 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.cnf access (server-other.rules)
 * 1:957 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.txt access (server-other.rules)
 * 1:9624 <-> DISABLED <-> PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP (protocol-rpc.rules)
 * 1:9622 <-> DISABLED <-> SERVER-OTHER Spiffit UDP denial of service attempt (server-other.rules)
 * 1:961 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage services.cnf access (server-other.rules)
 * 1:960 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.stp access (server-other.rules)
 * 1:959 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.pwd (server-other.rules)
 * 1:965 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage writeto.cnf access (server-other.rules)
 * 1:963 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage svcacl.cnf access (server-other.rules)
 * 1:964 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage users.pwd access (server-other.rules)
 * 1:966 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage .... request (server-other.rules)
 * 1:990 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_inf.html access (server-other.rules)
 * 1:9773 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (netbios.rules)

2019-08-06 17:09:02 UTC

Snort Subscriber Rules Update

Date: 2019-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:50887 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
 * 1:50872 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50871 <-> DISABLED <-> SERVER-OTHER Quagga telnet CLI buffer overflow attempt (server-other.rules)
 * 1:50894 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 1:50893 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
 * 1:50901 <-> DISABLED <-> SERVER-OTHER OpenBSD ISAKMP denial of service attempt (server-other.rules)
 * 1:50895 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 1:50896 <-> DISABLED <-> SERVER-OTHER NetSupport Manager client buffer overflow attempt (server-other.rules)
 * 1:50900 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:50886 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
 * 1:50892 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
 * 1:50889 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
 * 1:50888 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
 * 1:50875 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
 * 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:50881 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50873 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 1:50874 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
 * 1:50880 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50884 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
 * 1:50885 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50882 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50883 <-> DISABLED <-> SERVER-APACHE Apache 2 mod_ssl Connection Abort denial of service attempt (server-apache.rules)
 * 3:50897 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
 * 3:50898 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
 * 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)

Modified Rules:


 * 1:943 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access (server-other.rules)
 * 1:942 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.htm access (server-other.rules)
 * 1:941 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage contents.htm access (server-other.rules)
 * 1:940 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.dll access (server-other.rules)
 * 1:939 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage posting (server-other.rules)
 * 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (server-other.rules)
 * 1:885 <-> DISABLED <-> SERVER-WEBAPP bash access (server-webapp.rules)
 * 1:877 <-> DISABLED <-> SERVER-WEBAPP rksh access (server-webapp.rules)
 * 1:872 <-> DISABLED <-> SERVER-WEBAPP tcsh access (server-webapp.rules)
 * 1:8710 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt (os-windows.rules)
 * 1:868 <-> DISABLED <-> SERVER-WEBAPP rsh access (server-webapp.rules)
 * 1:865 <-> DISABLED <-> SERVER-WEBAPP ksh access (server-webapp.rules)
 * 1:862 <-> DISABLED <-> SERVER-WEBAPP csh access (server-webapp.rules)
 * 1:832 <-> DISABLED <-> SERVER-WEBAPP perl.exe access (server-webapp.rules)
 * 1:7507 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection (malware-tools.rules)
 * 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
 * 1:944 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpremadm.exe access (server-other.rules)
 * 1:955 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage access.cnf access (server-other.rules)
 * 1:950 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage cfgwiz.exe access (server-other.rules)
 * 1:949 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.htm access (server-other.rules)
 * 1:948 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results access (server-other.rules)
 * 1:947 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.txt access (server-other.rules)
 * 1:946 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access (server-other.rules)
 * 1:945 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmin.htm access (server-other.rules)
 * 1:954 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results.htm access (server-other.rules)
 * 1:953 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage administrators.pwd access (server-other.rules)
 * 1:952 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage author.exe access (server-other.rules)
 * 1:951 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage authors.pwd access (server-other.rules)
 * 1:990 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_inf.html access (server-other.rules)
 * 1:9773 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (netbios.rules)
 * 1:968 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.htm access (server-other.rules)
 * 1:967 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage dvwssr.dll access (server-other.rules)
 * 1:966 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage .... request (server-other.rules)
 * 1:965 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage writeto.cnf access (server-other.rules)
 * 1:964 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage users.pwd access (server-other.rules)
 * 1:963 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage svcacl.cnf access (server-other.rules)
 * 1:9624 <-> DISABLED <-> PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP (protocol-rpc.rules)
 * 1:9622 <-> DISABLED <-> SERVER-OTHER Spiffit UDP denial of service attempt (server-other.rules)
 * 1:961 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage services.cnf access (server-other.rules)
 * 1:960 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.stp access (server-other.rules)
 * 1:959 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.pwd (server-other.rules)
 * 1:958 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.cnf access (server-other.rules)
 * 1:957 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.txt access (server-other.rules)
 * 1:956 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.txt access (server-other.rules)
 * 1:612 <-> DISABLED <-> PROTOCOL-RPC rusers query UDP (protocol-rpc.rules)
 * 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules)
 * 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules)
 * 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules)
 * 1:1130 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
 * 1:1131 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
 * 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (server-webapp.rules)
 * 1:1166 <-> DISABLED <-> SERVER-WEBAPP ws_ftp.ini access (server-webapp.rules)
 * 1:1248 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access (server-other.rules)
 * 1:1249 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access (server-other.rules)
 * 1:1280 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 111 (protocol-rpc.rules)
 * 1:1281 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 32771 (protocol-rpc.rules)
 * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules)
 * 1:1289 <-> DISABLED <-> PROTOCOL-TFTP GET Admin.dll (protocol-tftp.rules)
 * 1:1309 <-> DISABLED <-> SERVER-WEBAPP zsh access (server-webapp.rules)
 * 1:1388 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP Location overflow attempt (os-windows.rules)
 * 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (protocol-snmp.rules)
 * 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (protocol-snmp.rules)
 * 1:1441 <-> DISABLED <-> PROTOCOL-TFTP GET nc.exe (protocol-tftp.rules)
 * 1:1442 <-> DISABLED <-> PROTOCOL-TFTP GET shadow (protocol-tftp.rules)
 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
 * 1:1444 <-> DISABLED <-> PROTOCOL-TFTP Get (protocol-tftp.rules)
 * 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (server-webapp.rules)
 * 1:1504 <-> DISABLED <-> POLICY-OTHER AFS access (policy-other.rules)
 * 1:1520 <-> DISABLED <-> SERVER-WEBAPP server-info access (server-webapp.rules)
 * 1:1521 <-> DISABLED <-> SERVER-WEBAPP server-status access (server-webapp.rules)
 * 1:1551 <-> DISABLED <-> SERVER-WEBAPP /CVS/Entries access (server-webapp.rules)
 * 1:1616 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
 * 1:1648 <-> DISABLED <-> SERVER-WEBAPP perl.exe command attempt (server-webapp.rules)
 * 1:1649 <-> DISABLED <-> SERVER-WEBAPP perl command attempt (server-webapp.rules)
 * 1:1660 <-> DISABLED <-> SERVER-IIS trace.axd access (server-iis.rules)
 * 1:1732 <-> DISABLED <-> PROTOCOL-RPC portmap rwalld request UDP (protocol-rpc.rules)
 * 1:1746 <-> DISABLED <-> PROTOCOL-RPC portmap cachefsd request UDP (protocol-rpc.rules)
 * 1:1771 <-> DISABLED <-> POLICY-OTHER IPSec PGPNet connection attempt (policy-other.rules)
 * 1:1890 <-> DISABLED <-> PROTOCOL-RPC status GHBN format string attack (protocol-rpc.rules)
 * 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
 * 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (protocol-snmp.rules)
 * 1:1905 <-> DISABLED <-> PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt (protocol-rpc.rules)
 * 1:1907 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt (protocol-rpc.rules)
 * 1:1910 <-> DISABLED <-> PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt (protocol-rpc.rules)
 * 1:1911 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt (protocol-rpc.rules)
 * 1:1913 <-> DISABLED <-> PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt (protocol-rpc.rules)
 * 1:1915 <-> DISABLED <-> PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt (protocol-rpc.rules)
 * 1:1923 <-> DISABLED <-> PROTOCOL-RPC portmap proxy attempt UDP (protocol-rpc.rules)
 * 1:1924 <-> DISABLED <-> PROTOCOL-RPC mountd UDP export request (protocol-rpc.rules)
 * 1:1926 <-> DISABLED <-> PROTOCOL-RPC mountd UDP exportall request (protocol-rpc.rules)
 * 1:1939 <-> DISABLED <-> SERVER-OTHER bootp hardware address length overflow (server-other.rules)
 * 1:1940 <-> DISABLED <-> SERVER-OTHER bootp invalid hardware type (server-other.rules)
 * 1:1948 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via UDP detected (protocol-dns.rules)
 * 1:1950 <-> DISABLED <-> PROTOCOL-RPC portmap SET attempt UDP 111 (protocol-rpc.rules)
 * 1:1954 <-> DISABLED <-> PROTOCOL-RPC AMD UDP pid request (protocol-rpc.rules)
 * 1:1956 <-> DISABLED <-> PROTOCOL-RPC AMD UDP version request (protocol-rpc.rules)
 * 1:1957 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP PING (protocol-rpc.rules)
 * 1:1959 <-> DISABLED <-> PROTOCOL-RPC portmap NFS request UDP (protocol-rpc.rules)
 * 1:1961 <-> DISABLED <-> PROTOCOL-RPC portmap RQUOTA request UDP (protocol-rpc.rules)
 * 1:1963 <-> DISABLED <-> PROTOCOL-RPC RQUOTA getquota overflow attempt UDP (protocol-rpc.rules)
 * 1:1964 <-> DISABLED <-> PROTOCOL-RPC tooltalk UDP overflow attempt (protocol-rpc.rules)
 * 1:1966 <-> DISABLED <-> SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt (server-other.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 1:1985 <-> DISABLED <-> MALWARE-BACKDOOR Doly variant outbound connection attempt (malware-backdoor.rules)
 * 1:2005 <-> DISABLED <-> PROTOCOL-RPC portmap kcms_server request UDP (protocol-rpc.rules)
 * 1:2015 <-> DISABLED <-> PROTOCOL-RPC portmap UNSET attempt UDP 111 (protocol-rpc.rules)
 * 1:2017 <-> DISABLED <-> PROTOCOL-RPC portmap espd request UDP (protocol-rpc.rules)
 * 1:2019 <-> DISABLED <-> PROTOCOL-RPC mountd UDP dump request (protocol-rpc.rules)
 * 1:2021 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount request (protocol-rpc.rules)
 * 1:2023 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmountall request (protocol-rpc.rules)
 * 1:2025 <-> DISABLED <-> PROTOCOL-RPC yppasswd username overflow attempt UDP (protocol-rpc.rules)
 * 1:2027 <-> DISABLED <-> PROTOCOL-RPC yppasswd old password overflow attempt UDP (protocol-rpc.rules)
 * 1:2029 <-> DISABLED <-> PROTOCOL-RPC yppasswd new password overflow attempt UDP (protocol-rpc.rules)
 * 1:2031 <-> DISABLED <-> PROTOCOL-RPC yppasswd user update UDP (protocol-rpc.rules)
 * 1:2033 <-> DISABLED <-> PROTOCOL-RPC ypserv maplist request UDP (protocol-rpc.rules)
 * 1:2035 <-> DISABLED <-> PROTOCOL-RPC portmap network-status-monitor request UDP (protocol-rpc.rules)
 * 1:2037 <-> DISABLED <-> PROTOCOL-RPC network-status-monitor mon-callback request UDP (protocol-rpc.rules)
 * 1:2039 <-> DISABLED <-> SERVER-OTHER bootp hostname format string attempt (server-other.rules)
 * 1:2040 <-> DISABLED <-> POLICY-OTHER xtacacs login attempt (policy-other.rules)
 * 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules)
 * 1:2042 <-> DISABLED <-> POLICY-OTHER xtacacs accepted login response (policy-other.rules)
 * 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules)
 * 1:2049 <-> DISABLED <-> SQL ping attempt (sql.rules)
 * 1:2079 <-> DISABLED <-> PROTOCOL-RPC portmap nlockmgr request UDP (protocol-rpc.rules)
 * 1:2081 <-> DISABLED <-> PROTOCOL-RPC portmap rpc.xfsmd request UDP (protocol-rpc.rules)
 * 1:2083 <-> DISABLED <-> PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP (protocol-rpc.rules)
 * 1:2094 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt (protocol-rpc.rules)
 * 1:2256 <-> DISABLED <-> PROTOCOL-RPC sadmind query with root credentials attempt UDP (protocol-rpc.rules)
 * 1:2257 <-> DISABLED <-> OS-WINDOWS DCERPC Messenger Service buffer overflow attempt (os-windows.rules)
 * 1:2329 <-> DISABLED <-> SERVER-MSSQL probe response overflow attempt (server-mssql.rules)
 * 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
 * 1:2339 <-> DISABLED <-> PROTOCOL-TFTP NULL command attempt (protocol-tftp.rules)
 * 1:2376 <-> DISABLED <-> SERVER-OTHER ISAKMP first payload certificate request length overflow attempt (server-other.rules)
 * 1:2377 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload certificate request length overflow attempt (server-other.rules)
 * 1:2378 <-> DISABLED <-> SERVER-OTHER ISAKMP third payload certificate request length overflow attempt (server-other.rules)
 * 1:2379 <-> DISABLED <-> SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt (server-other.rules)
 * 1:2380 <-> DISABLED <-> SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt (server-other.rules)
 * 1:2486 <-> DISABLED <-> SERVER-OTHER ISAKMP invalid identification payload attempt (server-other.rules)
 * 1:2511 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (os-windows.rules)
 * 1:253 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority (protocol-dns.rules)
 * 1:254 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (protocol-dns.rules)
 * 1:256 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
 * 1:2563 <-> DISABLED <-> NETBIOS NS lookup response name overflow attempt (netbios.rules)
 * 1:2564 <-> DISABLED <-> NETBIOS NS lookup short response attempt (netbios.rules)
 * 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules)
 * 1:2656 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt (server-webapp.rules)
 * 1:271 <-> DISABLED <-> SERVER-OTHER UDP echo+chargen bomb (server-other.rules)
 * 1:279 <-> DISABLED <-> SERVER-OTHER Bay/Nortel Nautica Marlin (server-other.rules)
 * 1:281 <-> DISABLED <-> SERVER-OTHER Ascend Route (server-other.rules)
 * 1:3006 <-> DISABLED <-> SERVER-OTHER Volition Freespace 2 buffer overflow attempt (server-other.rules)
 * 1:3080 <-> DISABLED <-> SERVER-OTHER Unreal Tournament secure overflow attempt (server-other.rules)
 * 1:313 <-> DISABLED <-> OS-LINUX ntalkd x86 Linux overflow (os-linux.rules)
 * 1:315 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:3154 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query overflow (protocol-dns.rules)
 * 1:3159 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (os-windows.rules)
 * 1:316 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:317 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound connection (malware-cnc.rules)
 * 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound connection (malware-cnc.rules)
 * 1:3234 <-> DISABLED <-> OS-WINDOWS Messenger message little endian overflow attempt (os-windows.rules)
 * 1:3235 <-> DISABLED <-> OS-WINDOWS Messenger message overflow attempt (os-windows.rules)
 * 1:3239 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (os-windows.rules)
 * 1:3472 <-> DISABLED <-> SERVER-OTHER ARCserve discovery service overflow (server-other.rules)
 * 1:3538 <-> DISABLED <-> SERVER-OTHER RADIUS registration MSID overflow attempt (server-other.rules)
 * 1:3539 <-> DISABLED <-> SERVER-OTHER RADIUS MSID overflow attempt (server-other.rules)
 * 1:3540 <-> DISABLED <-> SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt (server-other.rules)
 * 1:3541 <-> DISABLED <-> SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt (server-other.rules)
 * 1:3647 <-> DISABLED <-> NETBIOS SMB Trans andx data displacement null pointer DOS attempt (netbios.rules)
 * 1:3648 <-> DISABLED <-> NETBIOS SMB Trans data displacement null pointer DOS attempt (netbios.rules)
 * 1:3649 <-> DISABLED <-> NETBIOS SMB Trans unicode data displacement null pointer DOS attempt (netbios.rules)
 * 1:3650 <-> DISABLED <-> NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt (netbios.rules)
 * 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
 * 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:3817 <-> DISABLED <-> PROTOCOL-TFTP GET transfer mode overflow attempt (protocol-tftp.rules)
 * 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:4141 <-> DISABLED <-> SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt (server-other.rules)
 * 1:4246 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (os-windows.rules)
 * 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (malware-cnc.rules)
 * 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
 * 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
 * 1:4659 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt (netbios.rules)
 * 1:4660 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt (netbios.rules)
 * 1:4661 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt (netbios.rules)
 * 1:4662 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt (netbios.rules)
 * 1:4671 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt (netbios.rules)
 * 1:4672 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt (netbios.rules)
 * 1:4673 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt (netbios.rules)
 * 1:4674 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt (netbios.rules)
 * 1:4755 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (os-windows.rules)
 * 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules)
 * 1:5096 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt (os-windows.rules)
 * 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (protocol-snmp.rules)
 * 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
 * 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (protocol-tftp.rules)
 * 1:520 <-> DISABLED <-> PROTOCOL-TFTP root directory (protocol-tftp.rules)
 * 1:5680 <-> DISABLED <-> NETBIOS SMB Session Setup username overflow attempt (netbios.rules)
 * 1:5681 <-> DISABLED <-> NETBIOS SMB Session Setup unicode username overflow attempt (netbios.rules)
 * 1:5683 <-> DISABLED <-> NETBIOS SMB Session Setup andx username overflow attempt (netbios.rules)
 * 1:5684 <-> DISABLED <-> NETBIOS SMB Session Setup unicode andx username overflow attempt (netbios.rules)
 * 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:575 <-> DISABLED <-> PROTOCOL-RPC portmap admind request UDP (protocol-rpc.rules)
 * 1:576 <-> DISABLED <-> PROTOCOL-RPC portmap amountd request UDP (protocol-rpc.rules)
 * 1:577 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request UDP (protocol-rpc.rules)
 * 1:578 <-> DISABLED <-> PROTOCOL-RPC portmap cmsd request UDP (protocol-rpc.rules)
 * 1:579 <-> DISABLED <-> PROTOCOL-RPC portmap mountd request UDP (protocol-rpc.rules)
 * 1:580 <-> DISABLED <-> PROTOCOL-RPC portmap nisd request UDP (protocol-rpc.rules)
 * 1:581 <-> DISABLED <-> PROTOCOL-RPC portmap pcnfsd request UDP (protocol-rpc.rules)
 * 1:582 <-> DISABLED <-> PROTOCOL-RPC portmap rexd request UDP (protocol-rpc.rules)
 * 1:583 <-> DISABLED <-> PROTOCOL-RPC portmap rstatd request UDP (protocol-rpc.rules)
 * 1:584 <-> DISABLED <-> PROTOCOL-RPC portmap rusers request UDP (protocol-rpc.rules)
 * 1:585 <-> DISABLED <-> PROTOCOL-RPC portmap sadmind request UDP attempt (protocol-rpc.rules)
 * 1:586 <-> DISABLED <-> PROTOCOL-RPC portmap selection_svc request UDP (protocol-rpc.rules)
 * 1:587 <-> DISABLED <-> PROTOCOL-RPC portmap status request UDP (protocol-rpc.rules)
 * 1:588 <-> DISABLED <-> PROTOCOL-RPC portmap ttdbserv request UDP (protocol-rpc.rules)
 * 1:589 <-> DISABLED <-> PROTOCOL-RPC portmap yppasswd request UDP (protocol-rpc.rules)
 * 1:5897 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407 (malware-tools.rules)
 * 1:6713 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:6712 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:6707 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:6706 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:6515 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt (protocol-voip.rules)
 * 1:6514 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt (protocol-voip.rules)
 * 1:6513 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt (protocol-voip.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:6456 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (os-windows.rules)
 * 1:6444 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (os-windows.rules)
 * 1:6411 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:6410 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:6409 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules)
 * 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules)
 * 1:590 <-> DISABLED <-> PROTOCOL-RPC portmap ypserv request UDP (protocol-rpc.rules)
 * 1:611 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)

2019-08-06 17:09:02 UTC

Snort Subscriber Rules Update

Date: 2019-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50900 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:50896 <-> DISABLED <-> SERVER-OTHER NetSupport Manager client buffer overflow attempt (server-other.rules)
 * 1:50887 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
 * 1:50895 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 1:50875 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
 * 1:50901 <-> DISABLED <-> SERVER-OTHER OpenBSD ISAKMP denial of service attempt (server-other.rules)
 * 1:50893 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
 * 1:50894 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 1:50885 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
 * 1:50880 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50884 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
 * 1:50872 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50881 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50882 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50883 <-> DISABLED <-> SERVER-APACHE Apache 2 mod_ssl Connection Abort denial of service attempt (server-apache.rules)
 * 1:50871 <-> DISABLED <-> SERVER-OTHER Quagga telnet CLI buffer overflow attempt (server-other.rules)
 * 1:50873 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 1:50892 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
 * 1:50888 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
 * 1:50889 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
 * 1:50886 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
 * 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50874 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
 * 3:50897 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
 * 3:50898 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
 * 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)

Modified Rules:


 * 1:576 <-> DISABLED <-> PROTOCOL-RPC portmap amountd request UDP (protocol-rpc.rules)
 * 1:577 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request UDP (protocol-rpc.rules)
 * 1:946 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access (server-other.rules)
 * 1:940 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.dll access (server-other.rules)
 * 1:939 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage posting (server-other.rules)
 * 1:612 <-> DISABLED <-> PROTOCOL-RPC rusers query UDP (protocol-rpc.rules)
 * 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules)
 * 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules)
 * 1:1444 <-> DISABLED <-> PROTOCOL-TFTP Get (protocol-tftp.rules)
 * 1:1442 <-> DISABLED <-> PROTOCOL-TFTP GET shadow (protocol-tftp.rules)
 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
 * 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (protocol-snmp.rules)
 * 1:1441 <-> DISABLED <-> PROTOCOL-TFTP GET nc.exe (protocol-tftp.rules)
 * 1:1388 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP Location overflow attempt (os-windows.rules)
 * 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (protocol-snmp.rules)
 * 1:956 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.txt access (server-other.rules)
 * 1:950 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage cfgwiz.exe access (server-other.rules)
 * 1:949 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.htm access (server-other.rules)
 * 1:948 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results access (server-other.rules)
 * 1:947 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.txt access (server-other.rules)
 * 1:955 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage access.cnf access (server-other.rules)
 * 1:6409 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:6456 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (os-windows.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:590 <-> DISABLED <-> PROTOCOL-RPC portmap ypserv request UDP (protocol-rpc.rules)
 * 1:6444 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (os-windows.rules)
 * 1:954 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results.htm access (server-other.rules)
 * 1:6513 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt (protocol-voip.rules)
 * 1:6514 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt (protocol-voip.rules)
 * 1:6515 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt (protocol-voip.rules)
 * 1:6706 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:6707 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:952 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage author.exe access (server-other.rules)
 * 1:951 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage authors.pwd access (server-other.rules)
 * 1:6713 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:6712 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:959 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.pwd (server-other.rules)
 * 1:958 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.cnf access (server-other.rules)
 * 1:7507 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection (malware-tools.rules)
 * 1:832 <-> DISABLED <-> SERVER-WEBAPP perl.exe access (server-webapp.rules)
 * 1:862 <-> DISABLED <-> SERVER-WEBAPP csh access (server-webapp.rules)
 * 1:865 <-> DISABLED <-> SERVER-WEBAPP ksh access (server-webapp.rules)
 * 1:957 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.txt access (server-other.rules)
 * 1:868 <-> DISABLED <-> SERVER-WEBAPP rsh access (server-webapp.rules)
 * 1:872 <-> DISABLED <-> SERVER-WEBAPP tcsh access (server-webapp.rules)
 * 1:877 <-> DISABLED <-> SERVER-WEBAPP rksh access (server-webapp.rules)
 * 1:885 <-> DISABLED <-> SERVER-WEBAPP bash access (server-webapp.rules)
 * 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
 * 1:8710 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt (os-windows.rules)
 * 1:960 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.stp access (server-other.rules)
 * 1:942 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.htm access (server-other.rules)
 * 1:941 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage contents.htm access (server-other.rules)
 * 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (server-other.rules)
 * 1:945 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmin.htm access (server-other.rules)
 * 1:943 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access (server-other.rules)
 * 1:944 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpremadm.exe access (server-other.rules)
 * 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules)
 * 1:990 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_inf.html access (server-other.rules)
 * 1:9773 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (netbios.rules)
 * 1:968 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.htm access (server-other.rules)
 * 1:967 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage dvwssr.dll access (server-other.rules)
 * 1:966 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage .... request (server-other.rules)
 * 1:965 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage writeto.cnf access (server-other.rules)
 * 1:964 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage users.pwd access (server-other.rules)
 * 1:963 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage svcacl.cnf access (server-other.rules)
 * 1:9624 <-> DISABLED <-> PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP (protocol-rpc.rules)
 * 1:9622 <-> DISABLED <-> SERVER-OTHER Spiffit UDP denial of service attempt (server-other.rules)
 * 1:961 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage services.cnf access (server-other.rules)
 * 1:6410 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:6411 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules)
 * 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules)
 * 1:953 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage administrators.pwd access (server-other.rules)
 * 1:1130 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
 * 1:1131 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
 * 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (server-webapp.rules)
 * 1:1166 <-> DISABLED <-> SERVER-WEBAPP ws_ftp.ini access (server-webapp.rules)
 * 1:1248 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access (server-other.rules)
 * 1:1249 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access (server-other.rules)
 * 1:1280 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 111 (protocol-rpc.rules)
 * 1:1281 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 32771 (protocol-rpc.rules)
 * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules)
 * 1:1289 <-> DISABLED <-> PROTOCOL-TFTP GET Admin.dll (protocol-tftp.rules)
 * 1:1309 <-> DISABLED <-> SERVER-WEBAPP zsh access (server-webapp.rules)
 * 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (server-webapp.rules)
 * 1:1504 <-> DISABLED <-> POLICY-OTHER AFS access (policy-other.rules)
 * 1:1520 <-> DISABLED <-> SERVER-WEBAPP server-info access (server-webapp.rules)
 * 1:1521 <-> DISABLED <-> SERVER-WEBAPP server-status access (server-webapp.rules)
 * 1:1551 <-> DISABLED <-> SERVER-WEBAPP /CVS/Entries access (server-webapp.rules)
 * 1:1616 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
 * 1:1648 <-> DISABLED <-> SERVER-WEBAPP perl.exe command attempt (server-webapp.rules)
 * 1:1649 <-> DISABLED <-> SERVER-WEBAPP perl command attempt (server-webapp.rules)
 * 1:1660 <-> DISABLED <-> SERVER-IIS trace.axd access (server-iis.rules)
 * 1:1746 <-> DISABLED <-> PROTOCOL-RPC portmap cachefsd request UDP (protocol-rpc.rules)
 * 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
 * 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (protocol-snmp.rules)
 * 1:1732 <-> DISABLED <-> PROTOCOL-RPC portmap rwalld request UDP (protocol-rpc.rules)
 * 1:1905 <-> DISABLED <-> PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt (protocol-rpc.rules)
 * 1:1907 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt (protocol-rpc.rules)
 * 1:1890 <-> DISABLED <-> PROTOCOL-RPC status GHBN format string attack (protocol-rpc.rules)
 * 1:1771 <-> DISABLED <-> POLICY-OTHER IPSec PGPNet connection attempt (policy-other.rules)
 * 1:1910 <-> DISABLED <-> PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt (protocol-rpc.rules)
 * 1:1915 <-> DISABLED <-> PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt (protocol-rpc.rules)
 * 1:1923 <-> DISABLED <-> PROTOCOL-RPC portmap proxy attempt UDP (protocol-rpc.rules)
 * 1:1911 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt (protocol-rpc.rules)
 * 1:1913 <-> DISABLED <-> PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt (protocol-rpc.rules)
 * 1:1940 <-> DISABLED <-> SERVER-OTHER bootp invalid hardware type (server-other.rules)
 * 1:1948 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via UDP detected (protocol-dns.rules)
 * 1:1924 <-> DISABLED <-> PROTOCOL-RPC mountd UDP export request (protocol-rpc.rules)
 * 1:1939 <-> DISABLED <-> SERVER-OTHER bootp hardware address length overflow (server-other.rules)
 * 1:1950 <-> DISABLED <-> PROTOCOL-RPC portmap SET attempt UDP 111 (protocol-rpc.rules)
 * 1:1954 <-> DISABLED <-> PROTOCOL-RPC AMD UDP pid request (protocol-rpc.rules)
 * 1:1956 <-> DISABLED <-> PROTOCOL-RPC AMD UDP version request (protocol-rpc.rules)
 * 1:1926 <-> DISABLED <-> PROTOCOL-RPC mountd UDP exportall request (protocol-rpc.rules)
 * 1:1959 <-> DISABLED <-> PROTOCOL-RPC portmap NFS request UDP (protocol-rpc.rules)
 * 1:1961 <-> DISABLED <-> PROTOCOL-RPC portmap RQUOTA request UDP (protocol-rpc.rules)
 * 1:1963 <-> DISABLED <-> PROTOCOL-RPC RQUOTA getquota overflow attempt UDP (protocol-rpc.rules)
 * 1:1964 <-> DISABLED <-> PROTOCOL-RPC tooltalk UDP overflow attempt (protocol-rpc.rules)
 * 1:1966 <-> DISABLED <-> SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt (server-other.rules)
 * 1:1957 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP PING (protocol-rpc.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 1:2005 <-> DISABLED <-> PROTOCOL-RPC portmap kcms_server request UDP (protocol-rpc.rules)
 * 1:2015 <-> DISABLED <-> PROTOCOL-RPC portmap UNSET attempt UDP 111 (protocol-rpc.rules)
 * 1:2017 <-> DISABLED <-> PROTOCOL-RPC portmap espd request UDP (protocol-rpc.rules)
 * 1:1985 <-> DISABLED <-> MALWARE-BACKDOOR Doly variant outbound connection attempt (malware-backdoor.rules)
 * 1:2023 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmountall request (protocol-rpc.rules)
 * 1:2019 <-> DISABLED <-> PROTOCOL-RPC mountd UDP dump request (protocol-rpc.rules)
 * 1:2021 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount request (protocol-rpc.rules)
 * 1:2027 <-> DISABLED <-> PROTOCOL-RPC yppasswd old password overflow attempt UDP (protocol-rpc.rules)
 * 1:2025 <-> DISABLED <-> PROTOCOL-RPC yppasswd username overflow attempt UDP (protocol-rpc.rules)
 * 1:2031 <-> DISABLED <-> PROTOCOL-RPC yppasswd user update UDP (protocol-rpc.rules)
 * 1:2029 <-> DISABLED <-> PROTOCOL-RPC yppasswd new password overflow attempt UDP (protocol-rpc.rules)
 * 1:2033 <-> DISABLED <-> PROTOCOL-RPC ypserv maplist request UDP (protocol-rpc.rules)
 * 1:2035 <-> DISABLED <-> PROTOCOL-RPC portmap network-status-monitor request UDP (protocol-rpc.rules)
 * 1:2037 <-> DISABLED <-> PROTOCOL-RPC network-status-monitor mon-callback request UDP (protocol-rpc.rules)
 * 1:2039 <-> DISABLED <-> SERVER-OTHER bootp hostname format string attempt (server-other.rules)
 * 1:2040 <-> DISABLED <-> POLICY-OTHER xtacacs login attempt (policy-other.rules)
 * 1:2049 <-> DISABLED <-> SQL ping attempt (sql.rules)
 * 1:2079 <-> DISABLED <-> PROTOCOL-RPC portmap nlockmgr request UDP (protocol-rpc.rules)
 * 1:2081 <-> DISABLED <-> PROTOCOL-RPC portmap rpc.xfsmd request UDP (protocol-rpc.rules)
 * 1:2083 <-> DISABLED <-> PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP (protocol-rpc.rules)
 * 1:2094 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt (protocol-rpc.rules)
 * 1:2256 <-> DISABLED <-> PROTOCOL-RPC sadmind query with root credentials attempt UDP (protocol-rpc.rules)
 * 1:2257 <-> DISABLED <-> OS-WINDOWS DCERPC Messenger Service buffer overflow attempt (os-windows.rules)
 * 1:2329 <-> DISABLED <-> SERVER-MSSQL probe response overflow attempt (server-mssql.rules)
 * 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
 * 1:2339 <-> DISABLED <-> PROTOCOL-TFTP NULL command attempt (protocol-tftp.rules)
 * 1:2376 <-> DISABLED <-> SERVER-OTHER ISAKMP first payload certificate request length overflow attempt (server-other.rules)
 * 1:2377 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload certificate request length overflow attempt (server-other.rules)
 * 1:2378 <-> DISABLED <-> SERVER-OTHER ISAKMP third payload certificate request length overflow attempt (server-other.rules)
 * 1:2379 <-> DISABLED <-> SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt (server-other.rules)
 * 1:2380 <-> DISABLED <-> SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt (server-other.rules)
 * 1:2486 <-> DISABLED <-> SERVER-OTHER ISAKMP invalid identification payload attempt (server-other.rules)
 * 1:2511 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (os-windows.rules)
 * 1:253 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority (protocol-dns.rules)
 * 1:254 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (protocol-dns.rules)
 * 1:256 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
 * 1:2042 <-> DISABLED <-> POLICY-OTHER xtacacs accepted login response (policy-other.rules)
 * 1:2563 <-> DISABLED <-> NETBIOS NS lookup response name overflow attempt (netbios.rules)
 * 1:2564 <-> DISABLED <-> NETBIOS NS lookup short response attempt (netbios.rules)
 * 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules)
 * 1:2656 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt (server-webapp.rules)
 * 1:271 <-> DISABLED <-> SERVER-OTHER UDP echo+chargen bomb (server-other.rules)
 * 1:279 <-> DISABLED <-> SERVER-OTHER Bay/Nortel Nautica Marlin (server-other.rules)
 * 1:281 <-> DISABLED <-> SERVER-OTHER Ascend Route (server-other.rules)
 * 1:3006 <-> DISABLED <-> SERVER-OTHER Volition Freespace 2 buffer overflow attempt (server-other.rules)
 * 1:3080 <-> DISABLED <-> SERVER-OTHER Unreal Tournament secure overflow attempt (server-other.rules)
 * 1:313 <-> DISABLED <-> OS-LINUX ntalkd x86 Linux overflow (os-linux.rules)
 * 1:315 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:3154 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query overflow (protocol-dns.rules)
 * 1:3159 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (os-windows.rules)
 * 1:316 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:317 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound connection (malware-cnc.rules)
 * 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules)
 * 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules)
 * 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound connection (malware-cnc.rules)
 * 1:3234 <-> DISABLED <-> OS-WINDOWS Messenger message little endian overflow attempt (os-windows.rules)
 * 1:3239 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (os-windows.rules)
 * 1:3472 <-> DISABLED <-> SERVER-OTHER ARCserve discovery service overflow (server-other.rules)
 * 1:3538 <-> DISABLED <-> SERVER-OTHER RADIUS registration MSID overflow attempt (server-other.rules)
 * 1:3539 <-> DISABLED <-> SERVER-OTHER RADIUS MSID overflow attempt (server-other.rules)
 * 1:3235 <-> DISABLED <-> OS-WINDOWS Messenger message overflow attempt (os-windows.rules)
 * 1:3541 <-> DISABLED <-> SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt (server-other.rules)
 * 1:3647 <-> DISABLED <-> NETBIOS SMB Trans andx data displacement null pointer DOS attempt (netbios.rules)
 * 1:3648 <-> DISABLED <-> NETBIOS SMB Trans data displacement null pointer DOS attempt (netbios.rules)
 * 1:3649 <-> DISABLED <-> NETBIOS SMB Trans unicode data displacement null pointer DOS attempt (netbios.rules)
 * 1:3650 <-> DISABLED <-> NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt (netbios.rules)
 * 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
 * 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
 * 1:3540 <-> DISABLED <-> SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt (server-other.rules)
 * 1:3817 <-> DISABLED <-> PROTOCOL-TFTP GET transfer mode overflow attempt (protocol-tftp.rules)
 * 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:4141 <-> DISABLED <-> SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt (server-other.rules)
 * 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (malware-cnc.rules)
 * 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:4659 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt (netbios.rules)
 * 1:4660 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt (netbios.rules)
 * 1:4661 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt (netbios.rules)
 * 1:4662 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt (netbios.rules)
 * 1:4246 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (os-windows.rules)
 * 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
 * 1:4673 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt (netbios.rules)
 * 1:4674 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt (netbios.rules)
 * 1:4755 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (os-windows.rules)
 * 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules)
 * 1:5096 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt (os-windows.rules)
 * 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (protocol-snmp.rules)
 * 1:4671 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt (netbios.rules)
 * 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (protocol-tftp.rules)
 * 1:520 <-> DISABLED <-> PROTOCOL-TFTP root directory (protocol-tftp.rules)
 * 1:5680 <-> DISABLED <-> NETBIOS SMB Session Setup username overflow attempt (netbios.rules)
 * 1:4672 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt (netbios.rules)
 * 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
 * 1:5681 <-> DISABLED <-> NETBIOS SMB Session Setup unicode username overflow attempt (netbios.rules)
 * 1:5683 <-> DISABLED <-> NETBIOS SMB Session Setup andx username overflow attempt (netbios.rules)
 * 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5684 <-> DISABLED <-> NETBIOS SMB Session Setup unicode andx username overflow attempt (netbios.rules)
 * 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:575 <-> DISABLED <-> PROTOCOL-RPC portmap admind request UDP (protocol-rpc.rules)
 * 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:578 <-> DISABLED <-> PROTOCOL-RPC portmap cmsd request UDP (protocol-rpc.rules)
 * 1:579 <-> DISABLED <-> PROTOCOL-RPC portmap mountd request UDP (protocol-rpc.rules)
 * 1:580 <-> DISABLED <-> PROTOCOL-RPC portmap nisd request UDP (protocol-rpc.rules)
 * 1:581 <-> DISABLED <-> PROTOCOL-RPC portmap pcnfsd request UDP (protocol-rpc.rules)
 * 1:582 <-> DISABLED <-> PROTOCOL-RPC portmap rexd request UDP (protocol-rpc.rules)
 * 1:583 <-> DISABLED <-> PROTOCOL-RPC portmap rstatd request UDP (protocol-rpc.rules)
 * 1:584 <-> DISABLED <-> PROTOCOL-RPC portmap rusers request UDP (protocol-rpc.rules)
 * 1:585 <-> DISABLED <-> PROTOCOL-RPC portmap sadmind request UDP attempt (protocol-rpc.rules)
 * 1:586 <-> DISABLED <-> PROTOCOL-RPC portmap selection_svc request UDP (protocol-rpc.rules)
 * 1:587 <-> DISABLED <-> PROTOCOL-RPC portmap status request UDP (protocol-rpc.rules)
 * 1:588 <-> DISABLED <-> PROTOCOL-RPC portmap ttdbserv request UDP (protocol-rpc.rules)
 * 1:589 <-> DISABLED <-> PROTOCOL-RPC portmap yppasswd request UDP (protocol-rpc.rules)
 * 1:5897 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407 (malware-tools.rules)
 * 1:611 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)

2019-08-06 17:09:02 UTC

Snort Subscriber Rules Update

Date: 2019-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
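As an added example, not part of the Talos release notes, the following Python parses lines in the `gid:sid <-> Default rule state <-> Message (rule group)` format described above and reports how many of the new rules are actually live after the update. The practitioner's check here is that most new rules in this pack ship DISABLED, so installing the rule pack gives no coverage for them until the SIDs are enabled in your policy; entries with gid 3 are shared-object rules and need the matching precompiled SO modules for your Snort build. The `SAMPLE` text is a handful of lines copied from this changelog and used as constructed input so the script runs offline; all function names are mine.

```python
import re
from collections import Counter

# One changelog line: " * gid:sid <-> STATE <-> Message (rule-group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Constructed input: a few lines copied from this changelog, covering both
# sections, both default states, and a gid 3 (shared-object) rule.
SAMPLE = """\
New Rules:

 * 1:50873 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 1:50875 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
 * 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 3:50898 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)

Modified Rules:

 * 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
 * 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
"""


def parse_changelog(text):
    """Return one dict per rule line, tagged with the section ('new' or
    'modified') it appeared under. Non-matching lines are ignored."""
    entries = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        entries.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            # The leading token of the message is the Talos category, e.g. OS-WINDOWS.
            "category": msg.split(" ", 1)[0],
            "message": msg,
            "group": m["group"],
            "section": section,
            # gid 3 rules are shared-object rules; they only load with the SO
            # modules built for the exact Snort version named in the update.
            "shared_object": m["gid"] == "3",
        })
    return entries


def summarize(entries):
    """Count rules by (section, default state): how many new rules fire
    without further action versus how many must be enabled by hand."""
    return Counter((e["section"], e["state"]) for e in entries)


def disabled_new_rules(entries):
    """gid:sid of new rules that ship DISABLED, i.e. coverage you only get
    after adding them to your enabled-SID list."""
    return sorted(
        f'{e["gid"]}:{e["sid"]}'
        for e in entries
        if e["section"] == "new" and e["state"] == "DISABLED"
    )


def sids_by_category(entries):
    """Group SIDs by Talos category, useful for deciding which disabled
    rules are relevant to the services you actually run."""
    out = {}
    for e in entries:
        out.setdefault(e["category"], []).append(e["sid"])
    return out


ENTRIES = parse_changelog(SAMPLE)

if __name__ == "__main__":
    for key, count in sorted(summarize(ENTRIES).items()):
        print(f"{key[0]:<9} {key[1]:<9} {count}")
    print("new but disabled:", disabled_new_rules(ENTRIES))
    print("by category:", sids_by_category(ENTRIES))
```

Run it against the full changelog text instead of `SAMPLE` to produce the list of new SIDs to review for enabling; the `disabled_new_rules` output is what you would feed into your rule-management tool's enable list after deciding which categories matter for your environment.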

New Rules:


 * 1:50873 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:50901 <-> DISABLED <-> SERVER-OTHER OpenBSD ISAKMP denial of service attempt (server-other.rules)
 * 1:50900 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:50894 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 1:50893 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
 * 1:50895 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 1:50896 <-> DISABLED <-> SERVER-OTHER NetSupport Manager client buffer overflow attempt (server-other.rules)
 * 1:50887 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
 * 1:50875 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
 * 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50892 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
 * 1:50889 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
 * 1:50880 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50874 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
 * 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50882 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50883 <-> DISABLED <-> SERVER-APACHE Apache 2 mod_ssl Connection Abort denial of service attempt (server-apache.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50872 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 1:50871 <-> DISABLED <-> SERVER-OTHER Quagga telnet CLI buffer overflow attempt (server-other.rules)
 * 1:50884 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
 * 1:50888 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
 * 1:50885 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
 * 1:50886 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
 * 1:50881 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 3:50898 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
 * 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)
 * 3:50897 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)

Modified Rules:


 * 1:966 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage .... request (server-other.rules)
 * 1:943 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access (server-other.rules)
 * 1:946 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access (server-other.rules)
 * 1:961 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage services.cnf access (server-other.rules)
 * 1:965 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage writeto.cnf access (server-other.rules)
 * 1:9624 <-> DISABLED <-> PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP (protocol-rpc.rules)
 * 1:9622 <-> DISABLED <-> SERVER-OTHER Spiffit UDP denial of service attempt (server-other.rules)
 * 1:6456 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (os-windows.rules)
 * 1:968 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.htm access (server-other.rules)
 * 1:945 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmin.htm access (server-other.rules)
 * 1:9773 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (netbios.rules)
 * 1:949 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.htm access (server-other.rules)
 * 1:947 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.txt access (server-other.rules)
 * 1:944 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpremadm.exe access (server-other.rules)
 * 1:6444 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (os-windows.rules)
 * 1:6513 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt (protocol-voip.rules)
 * 1:942 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.htm access (server-other.rules)
 * 1:959 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.pwd (server-other.rules)
 * 1:940 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.dll access (server-other.rules)
 * 1:6514 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt (protocol-voip.rules)
 * 1:6515 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt (protocol-voip.rules)
 * 1:953 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage administrators.pwd access (server-other.rules)
 * 1:951 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage authors.pwd access (server-other.rules)
 * 1:6706 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules)
 * 1:6707 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:6712 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:6713 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
 * 1:7507 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection (malware-tools.rules)
 * 1:832 <-> DISABLED <-> SERVER-WEBAPP perl.exe access (server-webapp.rules)
 * 1:862 <-> DISABLED <-> SERVER-WEBAPP csh access (server-webapp.rules)
 * 1:865 <-> DISABLED <-> SERVER-WEBAPP ksh access (server-webapp.rules)
 * 1:868 <-> DISABLED <-> SERVER-WEBAPP rsh access (server-webapp.rules)
 * 1:8710 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt (os-windows.rules)
 * 1:6409 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:872 <-> DISABLED <-> SERVER-WEBAPP tcsh access (server-webapp.rules)
 * 1:948 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results access (server-other.rules)
 * 1:950 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage cfgwiz.exe access (server-other.rules)
 * 1:958 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.cnf access (server-other.rules)
 * 1:954 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results.htm access (server-other.rules)
 * 1:956 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.txt access (server-other.rules)
 * 1:877 <-> DISABLED <-> SERVER-WEBAPP rksh access (server-webapp.rules)
 * 1:885 <-> DISABLED <-> SERVER-WEBAPP bash access (server-webapp.rules)
 * 1:6411 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:6410 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (server-other.rules)
 * 1:960 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.stp access (server-other.rules)
 * 1:941 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage contents.htm access (server-other.rules)
 * 1:952 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage author.exe access (server-other.rules)
 * 1:957 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.txt access (server-other.rules)
 * 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules)
 * 1:612 <-> DISABLED <-> PROTOCOL-RPC rusers query UDP (protocol-rpc.rules)
 * 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules)
 * 1:1309 <-> DISABLED <-> SERVER-WEBAPP zsh access (server-webapp.rules)
 * 1:1289 <-> DISABLED <-> PROTOCOL-TFTP GET Admin.dll (protocol-tftp.rules)
 * 1:1280 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 111 (protocol-rpc.rules)
 * 1:1281 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 32771 (protocol-rpc.rules)
 * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules)
 * 1:1249 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access (server-other.rules)
 * 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (server-webapp.rules)
 * 1:1166 <-> DISABLED <-> SERVER-WEBAPP ws_ftp.ini access (server-webapp.rules)
 * 1:1248 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access (server-other.rules)
 * 1:1131 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
 * 1:1130 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
 * 1:963 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage svcacl.cnf access (server-other.rules)
 * 1:964 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage users.pwd access (server-other.rules)
 * 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules)
 * 1:1388 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP Location overflow attempt (os-windows.rules)
 * 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (protocol-snmp.rules)
 * 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (protocol-snmp.rules)
 * 1:1441 <-> DISABLED <-> PROTOCOL-TFTP GET nc.exe (protocol-tftp.rules)
 * 1:1442 <-> DISABLED <-> PROTOCOL-TFTP GET shadow (protocol-tftp.rules)
 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
 * 1:1444 <-> DISABLED <-> PROTOCOL-TFTP Get (protocol-tftp.rules)
 * 1:990 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_inf.html access (server-other.rules)
 * 1:955 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage access.cnf access (server-other.rules)
 * 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (server-webapp.rules)
 * 1:1504 <-> DISABLED <-> POLICY-OTHER AFS access (policy-other.rules)
 * 1:1520 <-> DISABLED <-> SERVER-WEBAPP server-info access (server-webapp.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:939 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage posting (server-other.rules)
 * 1:1551 <-> DISABLED <-> SERVER-WEBAPP /CVS/Entries access (server-webapp.rules)
 * 1:1616 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
 * 1:1648 <-> DISABLED <-> SERVER-WEBAPP perl.exe command attempt (server-webapp.rules)
 * 1:1649 <-> DISABLED <-> SERVER-WEBAPP perl command attempt (server-webapp.rules)
 * 1:1660 <-> DISABLED <-> SERVER-IIS trace.axd access (server-iis.rules)
 * 1:1732 <-> DISABLED <-> PROTOCOL-RPC portmap rwalld request UDP (protocol-rpc.rules)
 * 1:1746 <-> DISABLED <-> PROTOCOL-RPC portmap cachefsd request UDP (protocol-rpc.rules)
 * 1:1771 <-> DISABLED <-> POLICY-OTHER IPSec PGPNet connection attempt (policy-other.rules)
 * 1:1890 <-> DISABLED <-> PROTOCOL-RPC status GHBN format string attack (protocol-rpc.rules)
 * 1:1907 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt (protocol-rpc.rules)
 * 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
 * 1:1915 <-> DISABLED <-> PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt (protocol-rpc.rules)
 * 1:1913 <-> DISABLED <-> PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt (protocol-rpc.rules)
 * 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (protocol-snmp.rules)
 * 1:1905 <-> DISABLED <-> PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt (protocol-rpc.rules)
 * 1:1910 <-> DISABLED <-> PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt (protocol-rpc.rules)
 * 1:1911 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt (protocol-rpc.rules)
 * 1:1923 <-> DISABLED <-> PROTOCOL-RPC portmap proxy attempt UDP (protocol-rpc.rules)
 * 1:1939 <-> DISABLED <-> SERVER-OTHER bootp hardware address length overflow (server-other.rules)
 * 1:1940 <-> DISABLED <-> SERVER-OTHER bootp invalid hardware type (server-other.rules)
 * 1:1924 <-> DISABLED <-> PROTOCOL-RPC mountd UDP export request (protocol-rpc.rules)
 * 1:1926 <-> DISABLED <-> PROTOCOL-RPC mountd UDP exportall request (protocol-rpc.rules)
 * 1:1954 <-> DISABLED <-> PROTOCOL-RPC AMD UDP pid request (protocol-rpc.rules)
 * 1:1963 <-> DISABLED <-> PROTOCOL-RPC RQUOTA getquota overflow attempt UDP (protocol-rpc.rules)
 * 1:1956 <-> DISABLED <-> PROTOCOL-RPC AMD UDP version request (protocol-rpc.rules)
 * 1:1948 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via UDP detected (protocol-dns.rules)
 * 1:1950 <-> DISABLED <-> PROTOCOL-RPC portmap SET attempt UDP 111 (protocol-rpc.rules)
 * 1:1957 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP PING (protocol-rpc.rules)
 * 1:1959 <-> DISABLED <-> PROTOCOL-RPC portmap NFS request UDP (protocol-rpc.rules)
 * 1:1961 <-> DISABLED <-> PROTOCOL-RPC portmap RQUOTA request UDP (protocol-rpc.rules)
 * 1:2015 <-> DISABLED <-> PROTOCOL-RPC portmap UNSET attempt UDP 111 (protocol-rpc.rules)
 * 1:1964 <-> DISABLED <-> PROTOCOL-RPC tooltalk UDP overflow attempt (protocol-rpc.rules)
 * 1:1966 <-> DISABLED <-> SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt (server-other.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 1:1985 <-> DISABLED <-> MALWARE-BACKDOOR Doly variant outbound connection attempt (malware-backdoor.rules)
 * 1:2005 <-> DISABLED <-> PROTOCOL-RPC portmap kcms_server request UDP (protocol-rpc.rules)
 * 1:2017 <-> DISABLED <-> PROTOCOL-RPC portmap espd request UDP (protocol-rpc.rules)
 * 1:2025 <-> DISABLED <-> PROTOCOL-RPC yppasswd username overflow attempt UDP (protocol-rpc.rules)
 * 1:2019 <-> DISABLED <-> PROTOCOL-RPC mountd UDP dump request (protocol-rpc.rules)
 * 1:2021 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount request (protocol-rpc.rules)
 * 1:2023 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmountall request (protocol-rpc.rules)
 * 1:2029 <-> DISABLED <-> PROTOCOL-RPC yppasswd new password overflow attempt UDP (protocol-rpc.rules)
 * 1:2031 <-> DISABLED <-> PROTOCOL-RPC yppasswd user update UDP (protocol-rpc.rules)
 * 1:2027 <-> DISABLED <-> PROTOCOL-RPC yppasswd old password overflow attempt UDP (protocol-rpc.rules)
 * 1:2035 <-> DISABLED <-> PROTOCOL-RPC portmap network-status-monitor request UDP (protocol-rpc.rules)
 * 1:2033 <-> DISABLED <-> PROTOCOL-RPC ypserv maplist request UDP (protocol-rpc.rules)
 * 1:2039 <-> DISABLED <-> SERVER-OTHER bootp hostname format string attempt (server-other.rules)
 * 1:2037 <-> DISABLED <-> PROTOCOL-RPC network-status-monitor mon-callback request UDP (protocol-rpc.rules)
 * 1:2040 <-> DISABLED <-> POLICY-OTHER xtacacs login attempt (policy-other.rules)
 * 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules)
 * 1:2042 <-> DISABLED <-> POLICY-OTHER xtacacs accepted login response (policy-other.rules)
 * 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules)
 * 1:2049 <-> DISABLED <-> SQL ping attempt (sql.rules)
 * 1:3239 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (os-windows.rules)
 * 1:2564 <-> DISABLED <-> NETBIOS NS lookup short response attempt (netbios.rules)
 * 1:3235 <-> DISABLED <-> OS-WINDOWS Messenger message overflow attempt (os-windows.rules)
 * 1:2079 <-> DISABLED <-> PROTOCOL-RPC portmap nlockmgr request UDP (protocol-rpc.rules)
 * 1:2081 <-> DISABLED <-> PROTOCOL-RPC portmap rpc.xfsmd request UDP (protocol-rpc.rules)
 * 1:2083 <-> DISABLED <-> PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP (protocol-rpc.rules)
 * 1:2094 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt (protocol-rpc.rules)
 * 1:2256 <-> DISABLED <-> PROTOCOL-RPC sadmind query with root credentials attempt UDP (protocol-rpc.rules)
 * 1:2257 <-> DISABLED <-> OS-WINDOWS DCERPC Messenger Service buffer overflow attempt (os-windows.rules)
 * 1:2329 <-> DISABLED <-> SERVER-MSSQL probe response overflow attempt (server-mssql.rules)
 * 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
 * 1:2339 <-> DISABLED <-> PROTOCOL-TFTP NULL command attempt (protocol-tftp.rules)
 * 1:2376 <-> DISABLED <-> SERVER-OTHER ISAKMP first payload certificate request length overflow attempt (server-other.rules)
 * 1:2377 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload certificate request length overflow attempt (server-other.rules)
 * 1:2378 <-> DISABLED <-> SERVER-OTHER ISAKMP third payload certificate request length overflow attempt (server-other.rules)
 * 1:2379 <-> DISABLED <-> SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt (server-other.rules)
 * 1:2380 <-> DISABLED <-> SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt (server-other.rules)
 * 1:2486 <-> DISABLED <-> SERVER-OTHER ISAKMP invalid identification payload attempt (server-other.rules)
 * 1:2511 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (os-windows.rules)
 * 1:253 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority (protocol-dns.rules)
 * 1:254 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (protocol-dns.rules)
 * 1:256 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
 * 1:2563 <-> DISABLED <-> NETBIOS NS lookup response name overflow attempt (netbios.rules)
 * 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules)
 * 1:2656 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt (server-webapp.rules)
 * 1:271 <-> DISABLED <-> SERVER-OTHER UDP echo+chargen bomb (server-other.rules)
 * 1:279 <-> DISABLED <-> SERVER-OTHER Bay/Nortel Nautica Marlin (server-other.rules)
 * 1:281 <-> DISABLED <-> SERVER-OTHER Ascend Route (server-other.rules)
 * 1:3006 <-> DISABLED <-> SERVER-OTHER Volition Freespace 2 buffer overflow attempt (server-other.rules)
 * 1:3080 <-> DISABLED <-> SERVER-OTHER Unreal Tournament secure overflow attempt (server-other.rules)
 * 1:313 <-> DISABLED <-> OS-LINUX ntalkd x86 Linux overflow (os-linux.rules)
 * 1:315 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:3154 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query overflow (protocol-dns.rules)
 * 1:3159 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (os-windows.rules)
 * 1:316 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:317 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound connection (malware-cnc.rules)
 * 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound connection (malware-cnc.rules)
 * 1:3234 <-> DISABLED <-> OS-WINDOWS Messenger message little endian overflow attempt (os-windows.rules)
 * 1:3472 <-> DISABLED <-> SERVER-OTHER ARCserve discovery service overflow (server-other.rules)
 * 1:3538 <-> DISABLED <-> SERVER-OTHER RADIUS registration MSID overflow attempt (server-other.rules)
 * 1:3648 <-> DISABLED <-> NETBIOS SMB Trans data displacement null pointer DOS attempt (netbios.rules)
 * 1:3539 <-> DISABLED <-> SERVER-OTHER RADIUS MSID overflow attempt (server-other.rules)
 * 1:3540 <-> DISABLED <-> SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt (server-other.rules)
 * 1:3541 <-> DISABLED <-> SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt (server-other.rules)
 * 1:3647 <-> DISABLED <-> NETBIOS SMB Trans andx data displacement null pointer DOS attempt (netbios.rules)
 * 1:4141 <-> DISABLED <-> SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt (server-other.rules)
 * 1:3649 <-> DISABLED <-> NETBIOS SMB Trans unicode data displacement null pointer DOS attempt (netbios.rules)
 * 1:3650 <-> DISABLED <-> NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt (netbios.rules)
 * 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
 * 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:3817 <-> DISABLED <-> PROTOCOL-TFTP GET transfer mode overflow attempt (protocol-tftp.rules)
 * 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:4660 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt (netbios.rules)
 * 1:4246 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (os-windows.rules)
 * 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (malware-cnc.rules)
 * 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:4673 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt (netbios.rules)
 * 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
 * 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
 * 1:4659 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt (netbios.rules)
 * 1:4674 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt (netbios.rules)
 * 1:4661 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt (netbios.rules)
 * 1:4662 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt (netbios.rules)
 * 1:4671 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt (netbios.rules)
 * 1:4672 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt (netbios.rules)
 * 1:520 <-> DISABLED <-> PROTOCOL-TFTP root directory (protocol-tftp.rules)
 * 1:5684 <-> DISABLED <-> NETBIOS SMB Session Setup unicode andx username overflow attempt (netbios.rules)
 * 1:4755 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (os-windows.rules)
 * 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules)
 * 1:5096 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt (os-windows.rules)
 * 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (protocol-snmp.rules)
 * 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
 * 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (protocol-tftp.rules)
 * 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5680 <-> DISABLED <-> NETBIOS SMB Session Setup username overflow attempt (netbios.rules)
 * 1:5681 <-> DISABLED <-> NETBIOS SMB Session Setup unicode username overflow attempt (netbios.rules)
 * 1:5683 <-> DISABLED <-> NETBIOS SMB Session Setup andx username overflow attempt (netbios.rules)
 * 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:576 <-> DISABLED <-> PROTOCOL-RPC portmap amountd request UDP (protocol-rpc.rules)
 * 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:575 <-> DISABLED <-> PROTOCOL-RPC portmap admind request UDP (protocol-rpc.rules)
 * 1:579 <-> DISABLED <-> PROTOCOL-RPC portmap mountd request UDP (protocol-rpc.rules)
 * 1:577 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request UDP (protocol-rpc.rules)
 * 1:578 <-> DISABLED <-> PROTOCOL-RPC portmap cmsd request UDP (protocol-rpc.rules)
 * 1:580 <-> DISABLED <-> PROTOCOL-RPC portmap nisd request UDP (protocol-rpc.rules)
 * 1:581 <-> DISABLED <-> PROTOCOL-RPC portmap pcnfsd request UDP (protocol-rpc.rules)
 * 1:582 <-> DISABLED <-> PROTOCOL-RPC portmap rexd request UDP (protocol-rpc.rules)
 * 1:583 <-> DISABLED <-> PROTOCOL-RPC portmap rstatd request UDP (protocol-rpc.rules)
 * 1:584 <-> DISABLED <-> PROTOCOL-RPC portmap rusers request UDP (protocol-rpc.rules)
 * 1:585 <-> DISABLED <-> PROTOCOL-RPC portmap sadmind request UDP attempt (protocol-rpc.rules)
 * 1:586 <-> DISABLED <-> PROTOCOL-RPC portmap selection_svc request UDP (protocol-rpc.rules)
 * 1:587 <-> DISABLED <-> PROTOCOL-RPC portmap status request UDP (protocol-rpc.rules)
 * 1:588 <-> DISABLED <-> PROTOCOL-RPC portmap ttdbserv request UDP (protocol-rpc.rules)
 * 1:589 <-> DISABLED <-> PROTOCOL-RPC portmap yppasswd request UDP (protocol-rpc.rules)
 * 1:5897 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407 (malware-tools.rules)
 * 1:967 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage dvwssr.dll access (server-other.rules)
 * 1:590 <-> DISABLED <-> PROTOCOL-RPC portmap ypserv request UDP (protocol-rpc.rules)
 * 1:611 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
 * 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules)
 * 1:1521 <-> DISABLED <-> SERVER-WEBAPP server-status access (server-webapp.rules)

2019-08-06 17:09:02 UTC

Snort Subscriber Rules Update

Date: 2019-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (snort3-server-webapp.rules)
 * 1:50873 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (snort3-os-windows.rules)
 * 1:50892 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (snort3-file-multimedia.rules)
 * 1:50875 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (snort3-file-identify.rules)
 * 1:50889 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (snort3-file-other.rules)
 * 1:50883 <-> DISABLED <-> SERVER-APACHE Apache 2 mod_ssl Connection Abort denial of service attempt (snort3-server-apache.rules)
 * 1:50872 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (snort3-os-windows.rules)
 * 1:50887 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (snort3-server-webapp.rules)
 * 1:50885 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (snort3-file-other.rules)
 * 1:50871 <-> DISABLED <-> SERVER-OTHER Quagga telnet CLI buffer overflow attempt (snort3-server-other.rules)
 * 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (snort3-app-detect.rules)
 * 1:50881 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (snort3-server-webapp.rules)
 * 1:50874 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (snort3-file-identify.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (snort3-server-webapp.rules)
 * 1:50882 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (snort3-server-webapp.rules)
 * 1:50886 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (snort3-server-webapp.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (snort3-server-webapp.rules)
 * 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (snort3-server-other.rules)
 * 1:50884 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (snort3-file-other.rules)
 * 1:50888 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (snort3-file-other.rules)
 * 1:50900 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (snort3-server-other.rules)
 * 1:50895 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (snort3-file-office.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (snort3-server-webapp.rules)
 * 1:50893 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (snort3-file-multimedia.rules)
 * 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (snort3-server-other.rules)
 * 1:50880 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (snort3-server-webapp.rules)
 * 1:50896 <-> DISABLED <-> SERVER-OTHER NetSupport Manager client buffer overflow attempt (snort3-server-other.rules)
 * 1:50901 <-> DISABLED <-> SERVER-OTHER OpenBSD ISAKMP denial of service attempt (snort3-server-other.rules)
 * 1:50894 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (snort3-file-office.rules)

Modified Rules:


 * 1:1520 <-> DISABLED <-> SERVER-WEBAPP server-info access (snort3-server-webapp.rules)
 * 1:1504 <-> DISABLED <-> POLICY-OTHER AFS access (snort3-policy-other.rules)
 * 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (snort3-server-webapp.rules)
 * 1:1616 <-> DISABLED <-> PROTOCOL-DNS named version attempt (snort3-protocol-dns.rules)
 * 1:1551 <-> DISABLED <-> SERVER-WEBAPP /CVS/Entries access (snort3-server-webapp.rules)
 * 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (snort3-protocol-snmp.rules)
 * 1:1441 <-> DISABLED <-> PROTOCOL-TFTP GET nc.exe (snort3-protocol-tftp.rules)
 * 1:946 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access (snort3-server-other.rules)
 * 1:963 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage svcacl.cnf access (snort3-server-other.rules)
 * 1:9622 <-> DISABLED <-> SERVER-OTHER Spiffit UDP denial of service attempt (snort3-server-other.rules)
 * 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (snort3-protocol-snmp.rules)
 * 1:8710 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt (snort3-os-windows.rules)
 * 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (snort3-indicator-scan.rules)
 * 1:947 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.txt access (snort3-server-other.rules)
 * 1:943 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access (snort3-server-other.rules)
 * 1:948 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results access (snort3-server-other.rules)
 * 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (snort3-indicator-scan.rules)
 * 1:966 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage .... request (snort3-server-other.rules)
 * 1:944 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpremadm.exe access (snort3-server-other.rules)
 * 1:945 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmin.htm access (snort3-server-other.rules)
 * 1:9773 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (snort3-netbios.rules)
 * 1:6514 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt (snort3-protocol-voip.rules)
 * 1:6411 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (snort3-server-other.rules)
 * 1:964 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage users.pwd access (snort3-server-other.rules)
 * 1:6513 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt (snort3-protocol-voip.rules)
 * 1:950 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage cfgwiz.exe access (snort3-server-other.rules)
 * 1:959 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.pwd (snort3-server-other.rules)
 * 1:957 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.txt access (snort3-server-other.rules)
 * 1:877 <-> DISABLED <-> SERVER-WEBAPP rksh access (snort3-server-webapp.rules)
 * 1:953 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage administrators.pwd access (snort3-server-other.rules)
 * 1:941 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage contents.htm access (snort3-server-other.rules)
 * 1:960 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.stp access (snort3-server-other.rules)
 * 1:862 <-> DISABLED <-> SERVER-WEBAPP csh access (snort3-server-webapp.rules)
 * 1:939 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage posting (snort3-server-other.rules)
 * 1:6707 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (snort3-netbios.rules)
 * 1:951 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage authors.pwd access (snort3-server-other.rules)
 * 1:868 <-> DISABLED <-> SERVER-WEBAPP rsh access (snort3-server-webapp.rules)
 * 1:6410 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (snort3-server-other.rules)
 * 1:7507 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection (snort3-malware-tools.rules)
 * 1:6706 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (snort3-netbios.rules)
 * 1:832 <-> DISABLED <-> SERVER-WEBAPP perl.exe access (snort3-server-webapp.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (snort3-malware-backdoor.rules)
 * 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (snort3-server-other.rules)
 * 1:1130 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (snort3-server-webapp.rules)
 * 1:6712 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (snort3-netbios.rules)
 * 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (snort3-malware-backdoor.rules)
 * 1:942 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.htm access (snort3-server-other.rules)
 * 1:6515 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt (snort3-protocol-voip.rules)
 * 1:885 <-> DISABLED <-> SERVER-WEBAPP bash access (snort3-server-webapp.rules)
 * 1:1131 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (snort3-server-webapp.rules)
 * 1:1954 <-> DISABLED <-> PROTOCOL-RPC AMD UDP pid request (snort3-protocol-rpc.rules)
 * 1:1939 <-> DISABLED <-> SERVER-OTHER bootp hardware address length overflow (snort3-server-other.rules)
 * 1:1940 <-> DISABLED <-> SERVER-OTHER bootp invalid hardware type (snort3-server-other.rules)
 * 1:1924 <-> DISABLED <-> PROTOCOL-RPC mountd UDP export request (snort3-protocol-rpc.rules)
 * 1:1905 <-> DISABLED <-> PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt (snort3-protocol-rpc.rules)
 * 1:1915 <-> DISABLED <-> PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt (snort3-protocol-rpc.rules)
 * 1:1923 <-> DISABLED <-> PROTOCOL-RPC portmap proxy attempt UDP (snort3-protocol-rpc.rules)
 * 1:1911 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt (snort3-protocol-rpc.rules)
 * 1:1771 <-> DISABLED <-> POLICY-OTHER IPSec PGPNet connection attempt (snort3-policy-other.rules)
 * 1:1907 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt (snort3-protocol-rpc.rules)
 * 1:1910 <-> DISABLED <-> PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt (snort3-protocol-rpc.rules)
 * 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (snort3-protocol-snmp.rules)
 * 1:1649 <-> DISABLED <-> SERVER-WEBAPP perl command attempt (snort3-server-webapp.rules)
 * 1:1890 <-> DISABLED <-> PROTOCOL-RPC status GHBN format string attack (snort3-protocol-rpc.rules)
 * 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (snort3-protocol-snmp.rules)
 * 1:1746 <-> DISABLED <-> PROTOCOL-RPC portmap cachefsd request UDP (snort3-protocol-rpc.rules)
 * 1:1521 <-> DISABLED <-> SERVER-WEBAPP server-status access (snort3-server-webapp.rules)
 * 1:1660 <-> DISABLED <-> SERVER-IIS trace.axd access (snort3-server-iis.rules)
 * 1:1732 <-> DISABLED <-> PROTOCOL-RPC portmap rwalld request UDP (snort3-protocol-rpc.rules)
 * 1:1648 <-> DISABLED <-> SERVER-WEBAPP perl.exe command attempt (snort3-server-webapp.rules)
 * 1:1913 <-> DISABLED <-> PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt (snort3-protocol-rpc.rules)
 * 1:2023 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmountall request (snort3-protocol-rpc.rules)
 * 1:1948 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via UDP detected (snort3-protocol-dns.rules)
 * 1:2015 <-> DISABLED <-> PROTOCOL-RPC portmap UNSET attempt UDP 111 (snort3-protocol-rpc.rules)
 * 1:2033 <-> DISABLED <-> PROTOCOL-RPC ypserv maplist request UDP (snort3-protocol-rpc.rules)
 * 1:2027 <-> DISABLED <-> PROTOCOL-RPC yppasswd old password overflow attempt UDP (snort3-protocol-rpc.rules)
 * 1:2029 <-> DISABLED <-> PROTOCOL-RPC yppasswd new password overflow attempt UDP (snort3-protocol-rpc.rules)
 * 1:1966 <-> DISABLED <-> SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt (snort3-server-other.rules)
 * 1:2025 <-> DISABLED <-> PROTOCOL-RPC yppasswd username overflow attempt UDP (snort3-protocol-rpc.rules)
 * 1:2019 <-> DISABLED <-> PROTOCOL-RPC mountd UDP dump request (snort3-protocol-rpc.rules)
 * 1:2021 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount request (snort3-protocol-rpc.rules)
 * 1:1959 <-> DISABLED <-> PROTOCOL-RPC portmap NFS request UDP (snort3-protocol-rpc.rules)
 * 1:2017 <-> DISABLED <-> PROTOCOL-RPC portmap espd request UDP (snort3-protocol-rpc.rules)
 * 1:1985 <-> DISABLED <-> MALWARE-BACKDOOR Doly variant outbound connection attempt (snort3-malware-backdoor.rules)
 * 1:2005 <-> DISABLED <-> PROTOCOL-RPC portmap kcms_server request UDP (snort3-protocol-rpc.rules)
 * 1:1950 <-> DISABLED <-> PROTOCOL-RPC portmap SET attempt UDP 111 (snort3-protocol-rpc.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (snort3-malware-backdoor.rules)
 * 1:1963 <-> DISABLED <-> PROTOCOL-RPC RQUOTA getquota overflow attempt UDP (snort3-protocol-rpc.rules)
 * 1:1964 <-> DISABLED <-> PROTOCOL-RPC tooltalk UDP overflow attempt (snort3-protocol-rpc.rules)
 * 1:1926 <-> DISABLED <-> PROTOCOL-RPC mountd UDP exportall request (snort3-protocol-rpc.rules)
 * 1:1961 <-> DISABLED <-> PROTOCOL-RPC portmap RQUOTA request UDP (snort3-protocol-rpc.rules)
 * 1:1956 <-> DISABLED <-> PROTOCOL-RPC AMD UDP version request (snort3-protocol-rpc.rules)
 * 1:1957 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP PING (snort3-protocol-rpc.rules)
 * 1:2037 <-> DISABLED <-> PROTOCOL-RPC network-status-monitor mon-callback request UDP (snort3-protocol-rpc.rules)
 * 1:2042 <-> DISABLED <-> POLICY-OTHER xtacacs accepted login response (snort3-policy-other.rules)
 * 1:2035 <-> DISABLED <-> PROTOCOL-RPC portmap network-status-monitor request UDP (snort3-protocol-rpc.rules)
 * 1:2040 <-> DISABLED <-> POLICY-OTHER xtacacs login attempt (snort3-policy-other.rules)
 * 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (snort3-indicator-scan.rules)
 * 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (snort3-indicator-scan.rules)
 * 1:2257 <-> DISABLED <-> OS-WINDOWS DCERPC Messenger Service buffer overflow attempt (snort3-os-windows.rules)
 * 1:2094 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt (snort3-protocol-rpc.rules)
 * 1:2039 <-> DISABLED <-> SERVER-OTHER bootp hostname format string attempt (snort3-server-other.rules)
 * 1:2081 <-> DISABLED <-> PROTOCOL-RPC portmap rpc.xfsmd request UDP (snort3-protocol-rpc.rules)
 * 1:2079 <-> DISABLED <-> PROTOCOL-RPC portmap nlockmgr request UDP (snort3-protocol-rpc.rules)
 * 1:2049 <-> DISABLED <-> SQL ping attempt (snort3-sql.rules)
 * 1:2031 <-> DISABLED <-> PROTOCOL-RPC yppasswd user update UDP (snort3-protocol-rpc.rules)
 * 1:2380 <-> DISABLED <-> SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt (snort3-server-other.rules)
 * 1:2256 <-> DISABLED <-> PROTOCOL-RPC sadmind query with root credentials attempt UDP (snort3-protocol-rpc.rules)
 * 1:2378 <-> DISABLED <-> SERVER-OTHER ISAKMP third payload certificate request length overflow attempt (snort3-server-other.rules)
 * 1:2379 <-> DISABLED <-> SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt (snort3-server-other.rules)
 * 1:2376 <-> DISABLED <-> SERVER-OTHER ISAKMP first payload certificate request length overflow attempt (snort3-server-other.rules)
 * 1:2083 <-> DISABLED <-> PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP (snort3-protocol-rpc.rules)
 * 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (snort3-protocol-tftp.rules)
 * 1:2339 <-> DISABLED <-> PROTOCOL-TFTP NULL command attempt (snort3-protocol-tftp.rules)
 * 1:253 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority (snort3-protocol-dns.rules)
 * 1:2329 <-> DISABLED <-> SERVER-MSSQL probe response overflow attempt (snort3-server-mssql.rules)
 * 1:2511 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (snort3-os-windows.rules)
 * 1:2377 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload certificate request length overflow attempt (snort3-server-other.rules)
 * 1:2564 <-> DISABLED <-> NETBIOS NS lookup short response attempt (snort3-netbios.rules)
 * 1:254 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (snort3-protocol-dns.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (snort3-server-webapp.rules)
 * 1:2563 <-> DISABLED <-> NETBIOS NS lookup response name overflow attempt (snort3-netbios.rules)
 * 1:3539 <-> DISABLED <-> SERVER-OTHER RADIUS MSID overflow attempt (snort3-server-other.rules)
 * 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound connection (snort3-malware-cnc.rules)
 * 1:3472 <-> DISABLED <-> SERVER-OTHER ARCserve discovery service overflow (snort3-server-other.rules)
 * 1:3538 <-> DISABLED <-> SERVER-OTHER RADIUS registration MSID overflow attempt (snort3-server-other.rules)
 * 1:3154 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query overflow (snort3-protocol-dns.rules)
 * 1:3235 <-> DISABLED <-> OS-WINDOWS Messenger message overflow attempt (snort3-os-windows.rules)
 * 1:3234 <-> DISABLED <-> OS-WINDOWS Messenger message little endian overflow attempt (snort3-os-windows.rules)
 * 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound connection (snort3-malware-cnc.rules)
 * 1:317 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (snort3-os-linux.rules)
 * 1:3006 <-> DISABLED <-> SERVER-OTHER Volition Freespace 2 buffer overflow attempt (snort3-server-other.rules)
 * 1:3159 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (snort3-os-windows.rules)
 * 1:316 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (snort3-os-linux.rules)
 * 1:315 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (snort3-os-linux.rules)
 * 1:2656 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt (snort3-server-webapp.rules)
 * 1:3080 <-> DISABLED <-> SERVER-OTHER Unreal Tournament secure overflow attempt (snort3-server-other.rules)
 * 1:313 <-> DISABLED <-> OS-LINUX ntalkd x86 Linux overflow (snort3-os-linux.rules)
 * 1:281 <-> DISABLED <-> SERVER-OTHER Ascend Route (snort3-server-other.rules)
 * 1:256 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (snort3-protocol-dns.rules)
 * 1:271 <-> DISABLED <-> SERVER-OTHER UDP echo+chargen bomb (snort3-server-other.rules)
 * 1:279 <-> DISABLED <-> SERVER-OTHER Bay/Nortel Nautica Marlin (snort3-server-other.rules)
 * 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (snort3-server-other.rules)
 * 1:2486 <-> DISABLED <-> SERVER-OTHER ISAKMP invalid identification payload attempt (snort3-server-other.rules)
 * 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (snort3-malware-cnc.rules)
 * 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:4141 <-> DISABLED <-> SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt (snort3-server-other.rules)
 * 1:3649 <-> DISABLED <-> NETBIOS SMB Trans unicode data displacement null pointer DOS attempt (snort3-netbios.rules)
 * 1:3817 <-> DISABLED <-> PROTOCOL-TFTP GET transfer mode overflow attempt (snort3-protocol-tftp.rules)
 * 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (snort3-malware-cnc.rules)
 * 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (snort3-malware-cnc.rules)
 * 1:3540 <-> DISABLED <-> SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt (snort3-server-other.rules)
 * 1:3650 <-> DISABLED <-> NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt (snort3-netbios.rules)
 * 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (snort3-malware-cnc.rules)
 * 1:3648 <-> DISABLED <-> NETBIOS SMB Trans data displacement null pointer DOS attempt (snort3-netbios.rules)
 * 1:3239 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (snort3-os-windows.rules)
 * 1:3541 <-> DISABLED <-> SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt (snort3-server-other.rules)
 * 1:3647 <-> DISABLED <-> NETBIOS SMB Trans andx data displacement null pointer DOS attempt (snort3-netbios.rules)
 * 1:4674 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt (snort3-netbios.rules)
 * 1:4659 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt (snort3-netbios.rules)
 * 1:4246 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (snort3-os-windows.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (snort3-malware-cnc.rules)
 * 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (snort3-file-image.rules)
 * 1:4673 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt (snort3-netbios.rules)
 * 1:4671 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt (snort3-netbios.rules)
 * 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (snort3-malware-cnc.rules)
 * 1:4661 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt (snort3-netbios.rules)
 * 1:4662 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt (snort3-netbios.rules)
 * 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (snort3-protocol-tftp.rules)
 * 1:5096 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt (snort3-os-windows.rules)
 * 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (snort3-protocol-snmp.rules)
 * 1:4755 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (snort3-os-windows.rules)
 * 1:4660 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt (snort3-netbios.rules)
 * 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (snort3-server-other.rules)
 * 1:5680 <-> DISABLED <-> NETBIOS SMB Session Setup username overflow attempt (snort3-netbios.rules)
 * 1:5681 <-> DISABLED <-> NETBIOS SMB Session Setup unicode username overflow attempt (snort3-netbios.rules)
 * 1:4672 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt (snort3-netbios.rules)
 * 1:520 <-> DISABLED <-> PROTOCOL-TFTP root directory (snort3-protocol-tftp.rules)
 * 1:612 <-> DISABLED <-> PROTOCOL-RPC rusers query UDP (snort3-protocol-rpc.rules)
 * 1:589 <-> DISABLED <-> PROTOCOL-RPC portmap yppasswd request UDP (snort3-protocol-rpc.rules)
 * 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (snort3-malware-backdoor.rules)
 * 1:611 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (snort3-protocol-services.rules)
 * 1:585 <-> DISABLED <-> PROTOCOL-RPC portmap sadmind request UDP attempt (snort3-protocol-rpc.rules)
 * 1:5897 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407 (snort3-malware-tools.rules)
 * 1:590 <-> DISABLED <-> PROTOCOL-RPC portmap ypserv request UDP (snort3-protocol-rpc.rules)
 * 1:588 <-> DISABLED <-> PROTOCOL-RPC portmap ttdbserv request UDP (snort3-protocol-rpc.rules)
 * 1:581 <-> DISABLED <-> PROTOCOL-RPC portmap pcnfsd request UDP (snort3-protocol-rpc.rules)
 * 1:586 <-> DISABLED <-> PROTOCOL-RPC portmap selection_svc request UDP (snort3-protocol-rpc.rules)
 * 1:587 <-> DISABLED <-> PROTOCOL-RPC portmap status request UDP (snort3-protocol-rpc.rules)
 * 1:584 <-> DISABLED <-> PROTOCOL-RPC portmap rusers request UDP (snort3-protocol-rpc.rules)
 * 1:577 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request UDP (snort3-protocol-rpc.rules)
 * 1:582 <-> DISABLED <-> PROTOCOL-RPC portmap rexd request UDP (snort3-protocol-rpc.rules)
 * 1:583 <-> DISABLED <-> PROTOCOL-RPC portmap rstatd request UDP (snort3-protocol-rpc.rules)
 * 1:580 <-> DISABLED <-> PROTOCOL-RPC portmap nisd request UDP (snort3-protocol-rpc.rules)
 * 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (snort3-os-windows.rules)
 * 1:578 <-> DISABLED <-> PROTOCOL-RPC portmap cmsd request UDP (snort3-protocol-rpc.rules)
 * 1:579 <-> DISABLED <-> PROTOCOL-RPC portmap mountd request UDP (snort3-protocol-rpc.rules)
 * 1:576 <-> DISABLED <-> PROTOCOL-RPC portmap amountd request UDP (snort3-protocol-rpc.rules)
 * 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (snort3-os-windows.rules)
 * 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (snort3-os-windows.rules)
 * 1:575 <-> DISABLED <-> PROTOCOL-RPC portmap admind request UDP (snort3-protocol-rpc.rules)
 * 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (snort3-os-windows.rules)
 * 1:5683 <-> DISABLED <-> NETBIOS SMB Session Setup andx username overflow attempt (snort3-netbios.rules)
 * 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (snort3-os-windows.rules)
 * 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (snort3-os-windows.rules)
 * 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (snort3-os-windows.rules)
 * 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (snort3-protocol-tftp.rules)
 * 1:5684 <-> DISABLED <-> NETBIOS SMB Session Setup unicode andx username overflow attempt (snort3-netbios.rules)
 * 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (snort3-os-windows.rules)
 * 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (snort3-server-webapp.rules)
 * 1:1166 <-> DISABLED <-> SERVER-WEBAPP ws_ftp.ini access (snort3-server-webapp.rules)
 * 1:1248 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access (snort3-server-other.rules)
 * 1:1249 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access (snort3-server-other.rules)
 * 1:1280 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 111 (snort3-protocol-rpc.rules)
 * 1:1281 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 32771 (snort3-protocol-rpc.rules)
 * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (snort3-server-other.rules)
 * 1:1289 <-> DISABLED <-> PROTOCOL-TFTP GET Admin.dll (snort3-protocol-tftp.rules)
 * 1:1309 <-> DISABLED <-> SERVER-WEBAPP zsh access (snort3-server-webapp.rules)
 * 1:967 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage dvwssr.dll access (snort3-server-other.rules)
 * 1:6456 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (snort3-os-windows.rules)
 * 1:956 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.txt access (snort3-server-other.rules)
 * 1:990 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_inf.html access (snort3-server-other.rules)
 * 1:961 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage services.cnf access (snort3-server-other.rules)
 * 1:958 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.cnf access (snort3-server-other.rules)
 * 1:865 <-> DISABLED <-> SERVER-WEBAPP ksh access (snort3-server-webapp.rules)
 * 1:940 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.dll access (snort3-server-other.rules)
 * 1:965 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage writeto.cnf access (snort3-server-other.rules)
 * 1:949 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.htm access (snort3-server-other.rules)
 * 1:872 <-> DISABLED <-> SERVER-WEBAPP tcsh access (snort3-server-webapp.rules)
 * 1:952 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage author.exe access (snort3-server-other.rules)
 * 1:6713 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (snort3-netbios.rules)
 * 1:954 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results.htm access (snort3-server-other.rules)
 * 1:955 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage access.cnf access (snort3-server-other.rules)
 * 1:968 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.htm access (snort3-server-other.rules)
 * 1:1444 <-> DISABLED <-> PROTOCOL-TFTP Get (snort3-protocol-tftp.rules)
 * 1:1388 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP Location overflow attempt (snort3-os-windows.rules)
 * 1:1442 <-> DISABLED <-> PROTOCOL-TFTP GET shadow (snort3-protocol-tftp.rules)
 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (snort3-protocol-tftp.rules)
 * 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (snort3-indicator-scan.rules)
 * 1:6409 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (snort3-server-other.rules)
 * 1:6444 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (snort3-os-windows.rules)
 * 1:9624 <-> DISABLED <-> PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP (snort3-protocol-rpc.rules)
 * 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (snort3-indicator-scan.rules)

2019-08-06 17:09:02 UTC

Snort Subscriber Rules Update

Date: 2019-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50875 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
 * 1:50887 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
 * 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:50881 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50895 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 1:50889 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
 * 1:50900 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:50896 <-> DISABLED <-> SERVER-OTHER NetSupport Manager client buffer overflow attempt (server-other.rules)
 * 1:50873 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 1:50874 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50886 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
 * 1:50872 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50883 <-> DISABLED <-> SERVER-APACHE Apache 2 mod_ssl Connection Abort denial of service attempt (server-apache.rules)
 * 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50882 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50885 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
 * 1:50871 <-> DISABLED <-> SERVER-OTHER Quagga telnet CLI buffer overflow attempt (server-other.rules)
 * 1:50880 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:50884 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50888 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
 * 1:50893 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
 * 1:50894 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 1:50901 <-> DISABLED <-> SERVER-OTHER OpenBSD ISAKMP denial of service attempt (server-other.rules)
 * 1:50892 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
 * 3:50897 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
 * 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)
 * 3:50898 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)

Modified Rules:


 * 1:612 <-> DISABLED <-> PROTOCOL-RPC rusers query UDP (protocol-rpc.rules)
 * 1:611 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
 * 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules)
 * 1:590 <-> DISABLED <-> PROTOCOL-RPC portmap ypserv request UDP (protocol-rpc.rules)
 * 1:947 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.txt access (server-other.rules)
 * 1:964 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage users.pwd access (server-other.rules)
 * 1:6411 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:963 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage svcacl.cnf access (server-other.rules)
 * 1:944 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpremadm.exe access (server-other.rules)
 * 1:942 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.htm access (server-other.rules)
 * 1:6515 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt (protocol-voip.rules)
 * 1:961 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage services.cnf access (server-other.rules)
 * 1:945 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmin.htm access (server-other.rules)
 * 1:940 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.dll access (server-other.rules)
 * 1:943 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access (server-other.rules)
 * 1:6456 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (os-windows.rules)
 * 1:9624 <-> DISABLED <-> PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP (protocol-rpc.rules)
 * 1:946 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access (server-other.rules)
 * 1:965 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage writeto.cnf access (server-other.rules)
 * 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (server-webapp.rules)
 * 1:1504 <-> DISABLED <-> POLICY-OTHER AFS access (policy-other.rules)
 * 1:1520 <-> DISABLED <-> SERVER-WEBAPP server-info access (server-webapp.rules)
 * 1:1521 <-> DISABLED <-> SERVER-WEBAPP server-status access (server-webapp.rules)
 * 1:1551 <-> DISABLED <-> SERVER-WEBAPP /CVS/Entries access (server-webapp.rules)
 * 1:1616 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
 * 1:1648 <-> DISABLED <-> SERVER-WEBAPP perl.exe command attempt (server-webapp.rules)
 * 1:1649 <-> DISABLED <-> SERVER-WEBAPP perl command attempt (server-webapp.rules)
 * 1:1660 <-> DISABLED <-> SERVER-IIS trace.axd access (server-iis.rules)
 * 1:1732 <-> DISABLED <-> PROTOCOL-RPC portmap rwalld request UDP (protocol-rpc.rules)
 * 1:1746 <-> DISABLED <-> PROTOCOL-RPC portmap cachefsd request UDP (protocol-rpc.rules)
 * 1:1771 <-> DISABLED <-> POLICY-OTHER IPSec PGPNet connection attempt (policy-other.rules)
 * 1:1890 <-> DISABLED <-> PROTOCOL-RPC status GHBN format string attack (protocol-rpc.rules)
 * 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
 * 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (protocol-snmp.rules)
 * 1:1905 <-> DISABLED <-> PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt (protocol-rpc.rules)
 * 1:1907 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt (protocol-rpc.rules)
 * 1:1910 <-> DISABLED <-> PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt (protocol-rpc.rules)
 * 1:1911 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt (protocol-rpc.rules)
 * 1:1913 <-> DISABLED <-> PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt (protocol-rpc.rules)
 * 1:1915 <-> DISABLED <-> PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt (protocol-rpc.rules)
 * 1:1923 <-> DISABLED <-> PROTOCOL-RPC portmap proxy attempt UDP (protocol-rpc.rules)
 * 1:1924 <-> DISABLED <-> PROTOCOL-RPC mountd UDP export request (protocol-rpc.rules)
 * 1:1926 <-> DISABLED <-> PROTOCOL-RPC mountd UDP exportall request (protocol-rpc.rules)
 * 1:1939 <-> DISABLED <-> SERVER-OTHER bootp hardware address length overflow (server-other.rules)
 * 1:1940 <-> DISABLED <-> SERVER-OTHER bootp invalid hardware type (server-other.rules)
 * 1:1948 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via UDP detected (protocol-dns.rules)
 * 1:1950 <-> DISABLED <-> PROTOCOL-RPC portmap SET attempt UDP 111 (protocol-rpc.rules)
 * 1:1954 <-> DISABLED <-> PROTOCOL-RPC AMD UDP pid request (protocol-rpc.rules)
 * 1:1956 <-> DISABLED <-> PROTOCOL-RPC AMD UDP version request (protocol-rpc.rules)
 * 1:1957 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP PING (protocol-rpc.rules)
 * 1:1959 <-> DISABLED <-> PROTOCOL-RPC portmap NFS request UDP (protocol-rpc.rules)
 * 1:1961 <-> DISABLED <-> PROTOCOL-RPC portmap RQUOTA request UDP (protocol-rpc.rules)
 * 1:1963 <-> DISABLED <-> PROTOCOL-RPC RQUOTA getquota overflow attempt UDP (protocol-rpc.rules)
 * 1:1964 <-> DISABLED <-> PROTOCOL-RPC tooltalk UDP overflow attempt (protocol-rpc.rules)
 * 1:1966 <-> DISABLED <-> SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt (server-other.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 1:1985 <-> DISABLED <-> MALWARE-BACKDOOR Doly variant outbound connection attempt (malware-backdoor.rules)
 * 1:2005 <-> DISABLED <-> PROTOCOL-RPC portmap kcms_server request UDP (protocol-rpc.rules)
 * 1:2015 <-> DISABLED <-> PROTOCOL-RPC portmap UNSET attempt UDP 111 (protocol-rpc.rules)
 * 1:2017 <-> DISABLED <-> PROTOCOL-RPC portmap espd request UDP (protocol-rpc.rules)
 * 1:2019 <-> DISABLED <-> PROTOCOL-RPC mountd UDP dump request (protocol-rpc.rules)
 * 1:2021 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount request (protocol-rpc.rules)
 * 1:2023 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmountall request (protocol-rpc.rules)
 * 1:2025 <-> DISABLED <-> PROTOCOL-RPC yppasswd username overflow attempt UDP (protocol-rpc.rules)
 * 1:2027 <-> DISABLED <-> PROTOCOL-RPC yppasswd old password overflow attempt UDP (protocol-rpc.rules)
 * 1:2029 <-> DISABLED <-> PROTOCOL-RPC yppasswd new password overflow attempt UDP (protocol-rpc.rules)
 * 1:2031 <-> DISABLED <-> PROTOCOL-RPC yppasswd user update UDP (protocol-rpc.rules)
 * 1:2033 <-> DISABLED <-> PROTOCOL-RPC ypserv maplist request UDP (protocol-rpc.rules)
 * 1:2035 <-> DISABLED <-> PROTOCOL-RPC portmap network-status-monitor request UDP (protocol-rpc.rules)
 * 1:2037 <-> DISABLED <-> PROTOCOL-RPC network-status-monitor mon-callback request UDP (protocol-rpc.rules)
 * 1:2039 <-> DISABLED <-> SERVER-OTHER bootp hostname format string attempt (server-other.rules)
 * 1:2040 <-> DISABLED <-> POLICY-OTHER xtacacs login attempt (policy-other.rules)
 * 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules)
 * 1:2042 <-> DISABLED <-> POLICY-OTHER xtacacs accepted login response (policy-other.rules)
 * 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules)
 * 1:2049 <-> DISABLED <-> SQL ping attempt (sql.rules)
 * 1:2079 <-> DISABLED <-> PROTOCOL-RPC portmap nlockmgr request UDP (protocol-rpc.rules)
 * 1:2081 <-> DISABLED <-> PROTOCOL-RPC portmap rpc.xfsmd request UDP (protocol-rpc.rules)
 * 1:2083 <-> DISABLED <-> PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP (protocol-rpc.rules)
 * 1:2094 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt (protocol-rpc.rules)
 * 1:2256 <-> DISABLED <-> PROTOCOL-RPC sadmind query with root credentials attempt UDP (protocol-rpc.rules)
 * 1:2257 <-> DISABLED <-> OS-WINDOWS DCERPC Messenger Service buffer overflow attempt (os-windows.rules)
 * 1:2329 <-> DISABLED <-> SERVER-MSSQL probe response overflow attempt (server-mssql.rules)
 * 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
 * 1:2339 <-> DISABLED <-> PROTOCOL-TFTP NULL command attempt (protocol-tftp.rules)
 * 1:2376 <-> DISABLED <-> SERVER-OTHER ISAKMP first payload certificate request length overflow attempt (server-other.rules)
 * 1:2377 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload certificate request length overflow attempt (server-other.rules)
 * 1:2378 <-> DISABLED <-> SERVER-OTHER ISAKMP third payload certificate request length overflow attempt (server-other.rules)
 * 1:2379 <-> DISABLED <-> SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt (server-other.rules)
 * 1:2380 <-> DISABLED <-> SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt (server-other.rules)
 * 1:2486 <-> DISABLED <-> SERVER-OTHER ISAKMP invalid identification payload attempt (server-other.rules)
 * 1:2511 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (os-windows.rules)
 * 1:253 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority (protocol-dns.rules)
 * 1:254 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (protocol-dns.rules)
 * 1:256 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
 * 1:2563 <-> DISABLED <-> NETBIOS NS lookup response name overflow attempt (netbios.rules)
 * 1:2564 <-> DISABLED <-> NETBIOS NS lookup short response attempt (netbios.rules)
 * 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules)
 * 1:2656 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt (server-webapp.rules)
 * 1:271 <-> DISABLED <-> SERVER-OTHER UDP echo+chargen bomb (server-other.rules)
 * 1:279 <-> DISABLED <-> SERVER-OTHER Bay/Nortel Nautica Marlin (server-other.rules)
 * 1:281 <-> DISABLED <-> SERVER-OTHER Ascend Route (server-other.rules)
 * 1:3006 <-> DISABLED <-> SERVER-OTHER Volition Freespace 2 buffer overflow attempt (server-other.rules)
 * 1:3080 <-> DISABLED <-> SERVER-OTHER Unreal Tournament secure overflow attempt (server-other.rules)
 * 1:313 <-> DISABLED <-> OS-LINUX ntalkd x86 Linux overflow (os-linux.rules)
 * 1:315 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:3154 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query overflow (protocol-dns.rules)
 * 1:3159 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (os-windows.rules)
 * 1:316 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:317 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound connection (malware-cnc.rules)
 * 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound connection (malware-cnc.rules)
 * 1:3234 <-> DISABLED <-> OS-WINDOWS Messenger message little endian overflow attempt (os-windows.rules)
 * 1:3235 <-> DISABLED <-> OS-WINDOWS Messenger message overflow attempt (os-windows.rules)
 * 1:3239 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (os-windows.rules)
 * 1:3472 <-> DISABLED <-> SERVER-OTHER ARCserve discovery service overflow (server-other.rules)
 * 1:3538 <-> DISABLED <-> SERVER-OTHER RADIUS registration MSID overflow attempt (server-other.rules)
 * 1:3539 <-> DISABLED <-> SERVER-OTHER RADIUS MSID overflow attempt (server-other.rules)
 * 1:3540 <-> DISABLED <-> SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt (server-other.rules)
 * 1:3541 <-> DISABLED <-> SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt (server-other.rules)
 * 1:3647 <-> DISABLED <-> NETBIOS SMB Trans andx data displacement null pointer DOS attempt (netbios.rules)
 * 1:3648 <-> DISABLED <-> NETBIOS SMB Trans data displacement null pointer DOS attempt (netbios.rules)
 * 1:3649 <-> DISABLED <-> NETBIOS SMB Trans unicode data displacement null pointer DOS attempt (netbios.rules)
 * 1:3650 <-> DISABLED <-> NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt (netbios.rules)
 * 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
 * 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:3817 <-> DISABLED <-> PROTOCOL-TFTP GET transfer mode overflow attempt (protocol-tftp.rules)
 * 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:4141 <-> DISABLED <-> SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt (server-other.rules)
 * 1:4246 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (os-windows.rules)
 * 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (malware-cnc.rules)
 * 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
 * 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
 * 1:4659 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt (netbios.rules)
 * 1:4660 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt (netbios.rules)
 * 1:4661 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt (netbios.rules)
 * 1:4662 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt (netbios.rules)
 * 1:4671 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt (netbios.rules)
 * 1:4672 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt (netbios.rules)
 * 1:4673 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt (netbios.rules)
 * 1:4674 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt (netbios.rules)
 * 1:4755 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (os-windows.rules)
 * 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules)
 * 1:5096 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt (os-windows.rules)
 * 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (protocol-snmp.rules)
 * 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
 * 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (protocol-tftp.rules)
 * 1:520 <-> DISABLED <-> PROTOCOL-TFTP root directory (protocol-tftp.rules)
 * 1:5680 <-> DISABLED <-> NETBIOS SMB Session Setup username overflow attempt (netbios.rules)
 * 1:5681 <-> DISABLED <-> NETBIOS SMB Session Setup unicode username overflow attempt (netbios.rules)
 * 1:5683 <-> DISABLED <-> NETBIOS SMB Session Setup andx username overflow attempt (netbios.rules)
 * 1:5684 <-> DISABLED <-> NETBIOS SMB Session Setup unicode andx username overflow attempt (netbios.rules)
 * 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (protocol-snmp.rules)
 * 1:1388 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP Location overflow attempt (os-windows.rules)
 * 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (protocol-snmp.rules)
 * 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules)
 * 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:966 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage .... request (server-other.rules)
 * 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:575 <-> DISABLED <-> PROTOCOL-RPC portmap admind request UDP (protocol-rpc.rules)
 * 1:576 <-> DISABLED <-> PROTOCOL-RPC portmap amountd request UDP (protocol-rpc.rules)
 * 1:577 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request UDP (protocol-rpc.rules)
 * 1:578 <-> DISABLED <-> PROTOCOL-RPC portmap cmsd request UDP (protocol-rpc.rules)
 * 1:9622 <-> DISABLED <-> SERVER-OTHER Spiffit UDP denial of service attempt (server-other.rules)
 * 1:9773 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (netbios.rules)
 * 1:579 <-> DISABLED <-> PROTOCOL-RPC portmap mountd request UDP (protocol-rpc.rules)
 * 1:580 <-> DISABLED <-> PROTOCOL-RPC portmap nisd request UDP (protocol-rpc.rules)
 * 1:581 <-> DISABLED <-> PROTOCOL-RPC portmap pcnfsd request UDP (protocol-rpc.rules)
 * 1:968 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.htm access (server-other.rules)
 * 1:951 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage authors.pwd access (server-other.rules)
 * 1:872 <-> DISABLED <-> SERVER-WEBAPP tcsh access (server-webapp.rules)
 * 1:582 <-> DISABLED <-> PROTOCOL-RPC portmap rexd request UDP (protocol-rpc.rules)
 * 1:583 <-> DISABLED <-> PROTOCOL-RPC portmap rstatd request UDP (protocol-rpc.rules)
 * 1:990 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_inf.html access (server-other.rules)
 * 1:584 <-> DISABLED <-> PROTOCOL-RPC portmap rusers request UDP (protocol-rpc.rules)
 * 1:6410 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:6706 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:957 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.txt access (server-other.rules)
 * 1:868 <-> DISABLED <-> SERVER-WEBAPP rsh access (server-webapp.rules)
 * 1:955 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage access.cnf access (server-other.rules)
 * 1:585 <-> DISABLED <-> PROTOCOL-RPC portmap sadmind request UDP attempt (protocol-rpc.rules)
 * 1:586 <-> DISABLED <-> PROTOCOL-RPC portmap selection_svc request UDP (protocol-rpc.rules)
 * 1:877 <-> DISABLED <-> SERVER-WEBAPP rksh access (server-webapp.rules)
 * 1:6707 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:6712 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:939 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage posting (server-other.rules)
 * 1:6713 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:953 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage administrators.pwd access (server-other.rules)
 * 1:587 <-> DISABLED <-> PROTOCOL-RPC portmap status request UDP (protocol-rpc.rules)
 * 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules)
 * 1:949 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.htm access (server-other.rules)
 * 1:950 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage cfgwiz.exe access (server-other.rules)
 * 1:958 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.cnf access (server-other.rules)
 * 1:941 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage contents.htm access (server-other.rules)
 * 1:8710 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt (os-windows.rules)
 * 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
 * 1:960 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.stp access (server-other.rules)
 * 1:6514 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt (protocol-voip.rules)
 * 1:952 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage author.exe access (server-other.rules)
 * 1:885 <-> DISABLED <-> SERVER-WEBAPP bash access (server-webapp.rules)
 * 1:6513 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt (protocol-voip.rules)
 * 1:832 <-> DISABLED <-> SERVER-WEBAPP perl.exe access (server-webapp.rules)
 * 1:865 <-> DISABLED <-> SERVER-WEBAPP ksh access (server-webapp.rules)
 * 1:6444 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (os-windows.rules)
 * 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules)
 * 1:948 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results access (server-other.rules)
 * 1:967 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage dvwssr.dll access (server-other.rules)
 * 1:588 <-> DISABLED <-> PROTOCOL-RPC portmap ttdbserv request UDP (protocol-rpc.rules)
 * 1:589 <-> DISABLED <-> PROTOCOL-RPC portmap yppasswd request UDP (protocol-rpc.rules)
 * 1:1281 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 32771 (protocol-rpc.rules)
 * 1:1309 <-> DISABLED <-> SERVER-WEBAPP zsh access (server-webapp.rules)
 * 1:1166 <-> DISABLED <-> SERVER-WEBAPP ws_ftp.ini access (server-webapp.rules)
 * 1:1289 <-> DISABLED <-> PROTOCOL-TFTP GET Admin.dll (protocol-tftp.rules)
 * 1:1248 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access (server-other.rules)
 * 1:1249 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access (server-other.rules)
 * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules)
 * 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (server-webapp.rules)
 * 1:1280 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 111 (protocol-rpc.rules)
 * 1:1130 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
 * 1:1131 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
 * 1:7507 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection (malware-tools.rules)
 * 1:954 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results.htm access (server-other.rules)
 * 1:1442 <-> DISABLED <-> PROTOCOL-TFTP GET shadow (protocol-tftp.rules)
 * 1:1444 <-> DISABLED <-> PROTOCOL-TFTP Get (protocol-tftp.rules)
 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
 * 1:1441 <-> DISABLED <-> PROTOCOL-TFTP GET nc.exe (protocol-tftp.rules)
 * 1:5897 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407 (malware-tools.rules)
 * 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (server-other.rules)
 * 1:6409 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:956 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.txt access (server-other.rules)
 * 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules)
 * 1:862 <-> DISABLED <-> SERVER-WEBAPP csh access (server-webapp.rules)
 * 1:959 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.pwd (server-other.rules)

2019-08-06 17:09:02 UTC

Snort Subscriber Rules Update

Date: 2019-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
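The one-line-per-rule format above is easy to consume programmatically, which matters because the "Default rule state" column is the operationally important field: a rule listed as DISABLED ships commented out and will not fire until an operator enables it, and a gid of 3 marks a shared-object (precompiled) rule rather than a text rule. The parser below is an added example written for this page, not Talos or Snort code. It splits a changelog into its New Rules / Modified Rules sections, extracts gid, sid, default state, category, message and rules file from each entry, and reports which entries are enabled by default. The sample text is a handful of lines copied from this changelog; the state values are restricted to ENABLED and DISABLED because those are the only ones this page uses.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# One changelog entry:  * gid:sid <-> STATE <-> CATEGORY message text (group.rules)
# The category is the first all-caps token of the message (e.g. SERVER-WEBAPP);
# the rules file is the parenthesised token at the end of the line.
_ENTRY = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<category>[A-Z][A-Z0-9-]*)\s+(?P<msg>.*?)\s+\((?P<group>[a-z0-9-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool  # default state in the shipped policy; DISABLED rules are inert until enabled
    category: str  # e.g. SERVER-WEBAPP
    message: str   # message text without the leading category token
    group: str     # rules file, e.g. server-webapp.rules

    @property
    def shared_object(self) -> bool:
        # GID 3 is reserved for shared-object (compiled) rules, which need the
        # matching precompiled module for the sensor's platform.
        return self.gid == 3


def parse_line(line: str) -> Optional[RuleEntry]:
    """Parse one ' * gid:sid <-> STATE <-> message (group)' line; None if it is not an entry."""
    m = _ENTRY.match(line)
    if not m:
        return None
    return RuleEntry(
        gid=int(m["gid"]),
        sid=int(m["sid"]),
        enabled=m["state"] == "ENABLED",
        category=m["category"],
        message=m["msg"],
        group=m["group"],
    )


def parse_changelog(text: str) -> dict[str, list[RuleEntry]]:
    """Group entries under the 'New Rules:' / 'Modified Rules:' heading that precedes them."""
    sections: dict[str, list[RuleEntry]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("Rules:"):
            current = stripped[:-1]  # "New Rules" or "Modified Rules"
            sections.setdefault(current, [])
            continue
        entry = parse_line(raw)
        if entry is not None and current is not None:
            sections[current].append(entry)
    return sections


def enabled_by_default(entries: Iterable[RuleEntry]) -> list[RuleEntry]:
    """Only these entries generate alerts without a policy change on the sensor."""
    return [e for e in entries if e.enabled]


def count_by_group(entries: Iterable[RuleEntry]) -> Counter[str]:
    return Counter(e.group for e in entries)


# Sample input: lines copied from this changelog, trimmed to a few entries.
SAMPLE = """\
New Rules:


 * 1:50884 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
 * 1:50874 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
 * 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)

Modified Rules:


 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
"""

if __name__ == "__main__":
    sections = parse_changelog(SAMPLE)
    for name, entries in sections.items():
        active = enabled_by_default(entries)
        print(f"{name}: {len(entries)} entries, {len(active)} enabled by default")
        for e in active:
            kind = "SO" if e.shared_object else "text"
            print(f"  {e.gid}:{e.sid} [{kind}] {e.category} {e.message} ({e.group})")
        print("  by rules file:", dict(count_by_group(entries)))
```

Run against a full changelog, the enabled-by-default list is the set of detections a sensor picks up automatically from the update; everything else in the New Rules section has to be enabled explicitly in the policy before it provides any coverage.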

New Rules:


 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50884 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
 * 1:50881 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50887 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
 * 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:50874 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
 * 1:50892 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
 * 1:50885 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
 * 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
 * 1:50886 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
 * 1:50871 <-> DISABLED <-> SERVER-OTHER Quagga telnet CLI buffer overflow attempt (server-other.rules)
 * 1:50888 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
 * 1:50893 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
 * 1:50873 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 1:50894 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 1:50901 <-> DISABLED <-> SERVER-OTHER OpenBSD ISAKMP denial of service attempt (server-other.rules)
 * 1:50896 <-> DISABLED <-> SERVER-OTHER NetSupport Manager client buffer overflow attempt (server-other.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50883 <-> DISABLED <-> SERVER-APACHE Apache 2 mod_ssl Connection Abort denial of service attempt (server-apache.rules)
 * 1:50900 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:50875 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50872 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 1:50895 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 1:50880 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50882 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:50889 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
 * 3:50897 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
 * 3:50898 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
 * 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)

Modified Rules:


 * 1:6444 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (os-windows.rules)
 * 1:939 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage posting (server-other.rules)
 * 1:7507 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection (malware-tools.rules)
 * 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
 * 1:958 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.cnf access (server-other.rules)
 * 1:872 <-> DISABLED <-> SERVER-WEBAPP tcsh access (server-webapp.rules)
 * 1:6712 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:952 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage author.exe access (server-other.rules)
 * 1:6410 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:949 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.htm access (server-other.rules)
 * 1:6707 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:950 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage cfgwiz.exe access (server-other.rules)
 * 1:3650 <-> DISABLED <-> NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt (netbios.rules)
 * 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules)
 * 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (server-other.rules)
 * 1:947 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.txt access (server-other.rules)
 * 1:946 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access (server-other.rules)
 * 1:955 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage access.cnf access (server-other.rules)
 * 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules)
 * 1:6513 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt (protocol-voip.rules)
 * 1:865 <-> DISABLED <-> SERVER-WEBAPP ksh access (server-webapp.rules)
 * 1:578 <-> DISABLED <-> PROTOCOL-RPC portmap cmsd request UDP (protocol-rpc.rules)
 * 1:576 <-> DISABLED <-> PROTOCOL-RPC portmap amountd request UDP (protocol-rpc.rules)
 * 1:577 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request UDP (protocol-rpc.rules)
 * 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:579 <-> DISABLED <-> PROTOCOL-RPC portmap mountd request UDP (protocol-rpc.rules)
 * 1:575 <-> DISABLED <-> PROTOCOL-RPC portmap admind request UDP (protocol-rpc.rules)
 * 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:580 <-> DISABLED <-> PROTOCOL-RPC portmap nisd request UDP (protocol-rpc.rules)
 * 1:1166 <-> DISABLED <-> SERVER-WEBAPP ws_ftp.ini access (server-webapp.rules)
 * 1:1248 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access (server-other.rules)
 * 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (server-webapp.rules)
 * 1:1130 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
 * 1:1280 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 111 (protocol-rpc.rules)
 * 1:1289 <-> DISABLED <-> PROTOCOL-TFTP GET Admin.dll (protocol-tftp.rules)
 * 1:1249 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access (server-other.rules)
 * 1:1309 <-> DISABLED <-> SERVER-WEBAPP zsh access (server-webapp.rules)
 * 1:1281 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 32771 (protocol-rpc.rules)
 * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules)
 * 1:1131 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
 * 1:2377 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload certificate request length overflow attempt (server-other.rules)
 * 1:2378 <-> DISABLED <-> SERVER-OTHER ISAKMP third payload certificate request length overflow attempt (server-other.rules)
 * 1:253 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority (protocol-dns.rules)
 * 1:2486 <-> DISABLED <-> SERVER-OTHER ISAKMP invalid identification payload attempt (server-other.rules)
 * 1:2511 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (os-windows.rules)
 * 1:2379 <-> DISABLED <-> SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt (server-other.rules)
 * 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules)
 * 1:254 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (protocol-dns.rules)
 * 1:2380 <-> DISABLED <-> SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt (server-other.rules)
 * 1:965 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage writeto.cnf access (server-other.rules)
 * 1:6411 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:590 <-> DISABLED <-> PROTOCOL-RPC portmap ypserv request UDP (protocol-rpc.rules)
 * 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:942 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.htm access (server-other.rules)
 * 1:4661 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt (netbios.rules)
 * 1:4671 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt (netbios.rules)
 * 1:5897 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407 (malware-tools.rules)
 * 1:957 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.txt access (server-other.rules)
 * 1:868 <-> DISABLED <-> SERVER-WEBAPP rsh access (server-webapp.rules)
 * 1:313 <-> DISABLED <-> OS-LINUX ntalkd x86 Linux overflow (os-linux.rules)
 * 1:271 <-> DISABLED <-> SERVER-OTHER UDP echo+chargen bomb (server-other.rules)
 * 1:281 <-> DISABLED <-> SERVER-OTHER Ascend Route (server-other.rules)
 * 1:963 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage svcacl.cnf access (server-other.rules)
 * 1:3006 <-> DISABLED <-> SERVER-OTHER Volition Freespace 2 buffer overflow attempt (server-other.rules)
 * 1:317 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:968 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.htm access (server-other.rules)
 * 1:3159 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (os-windows.rules)
 * 1:967 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage dvwssr.dll access (server-other.rules)
 * 1:6409 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:951 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage authors.pwd access (server-other.rules)
 * 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:2563 <-> DISABLED <-> NETBIOS NS lookup response name overflow attempt (netbios.rules)
 * 1:954 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results.htm access (server-other.rules)
 * 1:316 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:3154 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query overflow (protocol-dns.rules)
 * 1:990 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_inf.html access (server-other.rules)
 * 1:2019 <-> DISABLED <-> PROTOCOL-RPC mountd UDP dump request (protocol-rpc.rules)
 * 1:945 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmin.htm access (server-other.rules)
 * 1:877 <-> DISABLED <-> SERVER-WEBAPP rksh access (server-webapp.rules)
 * 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound connection (malware-cnc.rules)
 * 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules)
 * 1:3234 <-> DISABLED <-> OS-WINDOWS Messenger message little endian overflow attempt (os-windows.rules)
 * 1:966 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage .... request (server-other.rules)
 * 1:3538 <-> DISABLED <-> SERVER-OTHER RADIUS registration MSID overflow attempt (server-other.rules)
 * 1:4660 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt (netbios.rules)
 * 1:9624 <-> DISABLED <-> PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP (protocol-rpc.rules)
 * 1:2015 <-> DISABLED <-> PROTOCOL-RPC portmap UNSET attempt UDP 111 (protocol-rpc.rules)
 * 1:3235 <-> DISABLED <-> OS-WINDOWS Messenger message overflow attempt (os-windows.rules)
 * 1:3080 <-> DISABLED <-> SERVER-OTHER Unreal Tournament secure overflow attempt (server-other.rules)
 * 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
 * 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules)
 * 1:2564 <-> DISABLED <-> NETBIOS NS lookup short response attempt (netbios.rules)
 * 1:2656 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt (server-webapp.rules)
 * 1:586 <-> DISABLED <-> PROTOCOL-RPC portmap selection_svc request UDP (protocol-rpc.rules)
 * 1:583 <-> DISABLED <-> PROTOCOL-RPC portmap rstatd request UDP (protocol-rpc.rules)
 * 1:585 <-> DISABLED <-> PROTOCOL-RPC portmap sadmind request UDP attempt (protocol-rpc.rules)
 * 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules)
 * 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules)
 * 1:3647 <-> DISABLED <-> NETBIOS SMB Trans andx data displacement null pointer DOS attempt (netbios.rules)
 * 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
 * 1:611 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
 * 1:5681 <-> DISABLED <-> NETBIOS SMB Session Setup unicode username overflow attempt (netbios.rules)
 * 1:256 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
 * 1:961 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage services.cnf access (server-other.rules)
 * 1:8710 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt (os-windows.rules)
 * 1:3539 <-> DISABLED <-> SERVER-OTHER RADIUS MSID overflow attempt (server-other.rules)
 * 1:6515 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt (protocol-voip.rules)
 * 1:6456 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (os-windows.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:6514 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt (protocol-voip.rules)
 * 1:956 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.txt access (server-other.rules)
 * 1:315 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
 * 1:4673 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt (netbios.rules)
 * 1:3472 <-> DISABLED <-> SERVER-OTHER ARCserve discovery service overflow (server-other.rules)
 * 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
 * 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound connection (malware-cnc.rules)
 * 1:587 <-> DISABLED <-> PROTOCOL-RPC portmap status request UDP (protocol-rpc.rules)
 * 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
 * 1:960 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.stp access (server-other.rules)
 * 1:6706 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:584 <-> DISABLED <-> PROTOCOL-RPC portmap rusers request UDP (protocol-rpc.rules)
 * 1:3540 <-> DISABLED <-> SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt (server-other.rules)
 * 1:3239 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (os-windows.rules)
 * 1:953 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage administrators.pwd access (server-other.rules)
 * 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
 * 1:582 <-> DISABLED <-> PROTOCOL-RPC portmap rexd request UDP (protocol-rpc.rules)
 * 1:4246 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (os-windows.rules)
 * 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (malware-cnc.rules)
 * 1:3648 <-> DISABLED <-> NETBIOS SMB Trans data displacement null pointer DOS attempt (netbios.rules)
 * 1:2005 <-> DISABLED <-> PROTOCOL-RPC portmap kcms_server request UDP (protocol-rpc.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
 * 1:4659 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt (netbios.rules)
 * 1:3817 <-> DISABLED <-> PROTOCOL-TFTP GET transfer mode overflow attempt (protocol-tftp.rules)
 * 1:964 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage users.pwd access (server-other.rules)
 * 1:944 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpremadm.exe access (server-other.rules)
 * 1:941 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage contents.htm access (server-other.rules)
 * 1:943 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access (server-other.rules)
 * 1:4672 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt (netbios.rules)
 * 1:4662 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt (netbios.rules)
 * 1:1444 <-> DISABLED <-> PROTOCOL-TFTP Get (protocol-tftp.rules)
 * 1:862 <-> DISABLED <-> SERVER-WEBAPP csh access (server-webapp.rules)
 * 1:832 <-> DISABLED <-> SERVER-WEBAPP perl.exe access (server-webapp.rules)
 * 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (protocol-snmp.rules)
 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
 * 1:940 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.dll access (server-other.rules)
 * 1:1441 <-> DISABLED <-> PROTOCOL-TFTP GET nc.exe (protocol-tftp.rules)
 * 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (protocol-snmp.rules)
 * 1:589 <-> DISABLED <-> PROTOCOL-RPC portmap yppasswd request UDP (protocol-rpc.rules)
 * 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (protocol-tftp.rules)
 * 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
 * 1:581 <-> DISABLED <-> PROTOCOL-RPC portmap pcnfsd request UDP (protocol-rpc.rules)
 * 1:4755 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (os-windows.rules)
 * 1:5680 <-> DISABLED <-> NETBIOS SMB Session Setup username overflow attempt (netbios.rules)
 * 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:520 <-> DISABLED <-> PROTOCOL-TFTP root directory (protocol-tftp.rules)
 * 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
 * 1:4674 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt (netbios.rules)
 * 1:588 <-> DISABLED <-> PROTOCOL-RPC portmap ttdbserv request UDP (protocol-rpc.rules)
 * 1:1442 <-> DISABLED <-> PROTOCOL-TFTP GET shadow (protocol-tftp.rules)
 * 1:3649 <-> DISABLED <-> NETBIOS SMB Trans unicode data displacement null pointer DOS attempt (netbios.rules)
 * 1:279 <-> DISABLED <-> SERVER-OTHER Bay/Nortel Nautica Marlin (server-other.rules)
 * 1:1388 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP Location overflow attempt (os-windows.rules)
 * 1:612 <-> DISABLED <-> PROTOCOL-RPC rusers query UDP (protocol-rpc.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 1:9773 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (netbios.rules)
 * 1:6713 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:959 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.pwd (server-other.rules)
 * 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (server-webapp.rules)
 * 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:1985 <-> DISABLED <-> MALWARE-BACKDOOR Doly variant outbound connection attempt (malware-backdoor.rules)
 * 1:2021 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount request (protocol-rpc.rules)
 * 1:2029 <-> DISABLED <-> PROTOCOL-RPC yppasswd new password overflow attempt UDP (protocol-rpc.rules)
 * 1:2023 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmountall request (protocol-rpc.rules)
 * 1:2017 <-> DISABLED <-> PROTOCOL-RPC portmap espd request UDP (protocol-rpc.rules)
 * 1:2027 <-> DISABLED <-> PROTOCOL-RPC yppasswd old password overflow attempt UDP (protocol-rpc.rules)
 * 1:2037 <-> DISABLED <-> PROTOCOL-RPC network-status-monitor mon-callback request UDP (protocol-rpc.rules)
 * 1:2031 <-> DISABLED <-> PROTOCOL-RPC yppasswd user update UDP (protocol-rpc.rules)
 * 1:2025 <-> DISABLED <-> PROTOCOL-RPC yppasswd username overflow attempt UDP (protocol-rpc.rules)
 * 1:2035 <-> DISABLED <-> PROTOCOL-RPC portmap network-status-monitor request UDP (protocol-rpc.rules)
 * 1:2042 <-> DISABLED <-> POLICY-OTHER xtacacs accepted login response (policy-other.rules)
 * 1:2039 <-> DISABLED <-> SERVER-OTHER bootp hostname format string attempt (server-other.rules)
 * 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules)
 * 1:2033 <-> DISABLED <-> PROTOCOL-RPC ypserv maplist request UDP (protocol-rpc.rules)
 * 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules)
 * 1:2049 <-> DISABLED <-> SQL ping attempt (sql.rules)
 * 1:2040 <-> DISABLED <-> POLICY-OTHER xtacacs login attempt (policy-other.rules)
 * 1:2079 <-> DISABLED <-> PROTOCOL-RPC portmap nlockmgr request UDP (protocol-rpc.rules)
 * 1:2257 <-> DISABLED <-> OS-WINDOWS DCERPC Messenger Service buffer overflow attempt (os-windows.rules)
 * 1:2083 <-> DISABLED <-> PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP (protocol-rpc.rules)
 * 1:2329 <-> DISABLED <-> SERVER-MSSQL probe response overflow attempt (server-mssql.rules)
 * 1:2256 <-> DISABLED <-> PROTOCOL-RPC sadmind query with root credentials attempt UDP (protocol-rpc.rules)
 * 1:2376 <-> DISABLED <-> SERVER-OTHER ISAKMP first payload certificate request length overflow attempt (server-other.rules)
 * 1:2081 <-> DISABLED <-> PROTOCOL-RPC portmap rpc.xfsmd request UDP (protocol-rpc.rules)
 * 1:2094 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt (protocol-rpc.rules)
 * 1:1961 <-> DISABLED <-> PROTOCOL-RPC portmap RQUOTA request UDP (protocol-rpc.rules)
 * 1:1907 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt (protocol-rpc.rules)
 * 1:1963 <-> DISABLED <-> PROTOCOL-RPC RQUOTA getquota overflow attempt UDP (protocol-rpc.rules)
 * 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
 * 1:1956 <-> DISABLED <-> PROTOCOL-RPC AMD UDP version request (protocol-rpc.rules)
 * 1:1954 <-> DISABLED <-> PROTOCOL-RPC AMD UDP pid request (protocol-rpc.rules)
 * 1:1948 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via UDP detected (protocol-dns.rules)
 * 1:1959 <-> DISABLED <-> PROTOCOL-RPC portmap NFS request UDP (protocol-rpc.rules)
 * 1:1950 <-> DISABLED <-> PROTOCOL-RPC portmap SET attempt UDP 111 (protocol-rpc.rules)
 * 1:2339 <-> DISABLED <-> PROTOCOL-TFTP NULL command attempt (protocol-tftp.rules)
 * 1:1939 <-> DISABLED <-> SERVER-OTHER bootp hardware address length overflow (server-other.rules)
 * 1:1964 <-> DISABLED <-> PROTOCOL-RPC tooltalk UDP overflow attempt (protocol-rpc.rules)
 * 1:1966 <-> DISABLED <-> SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt (server-other.rules)
 * 1:1940 <-> DISABLED <-> SERVER-OTHER bootp invalid hardware type (server-other.rules)
 * 1:1924 <-> DISABLED <-> PROTOCOL-RPC mountd UDP export request (protocol-rpc.rules)
 * 1:1504 <-> DISABLED <-> POLICY-OTHER AFS access (policy-other.rules)
 * 1:1551 <-> DISABLED <-> SERVER-WEBAPP /CVS/Entries access (server-webapp.rules)
 * 1:1915 <-> DISABLED <-> PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt (protocol-rpc.rules)
 * 1:1910 <-> DISABLED <-> PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt (protocol-rpc.rules)
 * 1:1926 <-> DISABLED <-> PROTOCOL-RPC mountd UDP exportall request (protocol-rpc.rules)
 * 1:1913 <-> DISABLED <-> PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt (protocol-rpc.rules)
 * 1:1923 <-> DISABLED <-> PROTOCOL-RPC portmap proxy attempt UDP (protocol-rpc.rules)
 * 1:1521 <-> DISABLED <-> SERVER-WEBAPP server-status access (server-webapp.rules)
 * 1:1520 <-> DISABLED <-> SERVER-WEBAPP server-info access (server-webapp.rules)
 * 1:1911 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt (protocol-rpc.rules)
 * 1:1957 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP PING (protocol-rpc.rules)
 * 1:1890 <-> DISABLED <-> PROTOCOL-RPC status GHBN format string attack (protocol-rpc.rules)
 * 1:1648 <-> DISABLED <-> SERVER-WEBAPP perl.exe command attempt (server-webapp.rules)
 * 1:1771 <-> DISABLED <-> POLICY-OTHER IPSec PGPNet connection attempt (policy-other.rules)
 * 1:1660 <-> DISABLED <-> SERVER-IIS trace.axd access (server-iis.rules)
 * 1:1616 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
 * 1:1746 <-> DISABLED <-> PROTOCOL-RPC portmap cachefsd request UDP (protocol-rpc.rules)
 * 1:1649 <-> DISABLED <-> SERVER-WEBAPP perl command attempt (server-webapp.rules)
 * 1:1732 <-> DISABLED <-> PROTOCOL-RPC portmap rwalld request UDP (protocol-rpc.rules)
 * 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (protocol-snmp.rules)
 * 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
 * 1:1905 <-> DISABLED <-> PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt (protocol-rpc.rules)
 * 1:5096 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt (os-windows.rules)
 * 1:5683 <-> DISABLED <-> NETBIOS SMB Session Setup andx username overflow attempt (netbios.rules)
 * 1:948 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results access (server-other.rules)
 * 1:885 <-> DISABLED <-> SERVER-WEBAPP bash access (server-webapp.rules)
 * 1:9622 <-> DISABLED <-> SERVER-OTHER Spiffit UDP denial of service attempt (server-other.rules)
 * 1:3541 <-> DISABLED <-> SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt (server-other.rules)
 * 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (protocol-snmp.rules)
 * 1:4141 <-> DISABLED <-> SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt (server-other.rules)
 * 1:5684 <-> DISABLED <-> NETBIOS SMB Session Setup unicode andx username overflow attempt (netbios.rules)