Talos Rules 2020-03-05
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, browser-ie, content-replace, exploit-kit, file-flash, file-other, indicator-compromise, malware-backdoor, malware-cnc, malware-other, malware-tools, netbios, os-solaris, os-windows, policy-other, policy-social, protocol-ftp, protocol-other, protocol-scada, protocol-telnet, protocol-voip, pua-adware, pua-p2p, server-mail, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-03-05 14:28:55 UTC

Snort Subscriber Rules Update

Date: 2020-03-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53396 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53395 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53394 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53399 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
 * 1:53397 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53398 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
 * 1:53401 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.snoopy TCP connection attempt (indicator-compromise.rules)
 * 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (indicator-compromise.rules)
 * 3:53388 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53389 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53391 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53392 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar AddObject request detected (policy-other.rules)
 * 3:53385 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53386 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53390 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53387 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53393 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar EditAdmin request detected (policy-other.rules)
 * 3:53384 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)

Modified Rules:


 * 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
 * 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
 * 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
 * 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (server-other.rules)
 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
 * 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules)
 * 1:8362 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection (malware-backdoor.rules)
 * 1:8361 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection (malware-backdoor.rules)
 * 1:7789 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client (malware-backdoor.rules)
 * 1:7788 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server (malware-backdoor.rules)
 * 1:7785 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection - connection with password (malware-backdoor.rules)
 * 1:7635 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
 * 1:7631 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set (malware-backdoor.rules)
 * 1:7103 <-> DISABLED <-> MALWARE-CNC gwboy 0.92 variant outbound connection (malware-cnc.rules)
 * 1:6471 <-> DISABLED <-> SERVER-OTHER RealVNC password authentication bypass attempt (server-other.rules)
 * 1:6469 <-> ENABLED <-> SERVER-OTHER RealVNC connection attempt (server-other.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound connection (malware-cnc.rules)
 * 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:41219 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server Fabric denial of service attempt (server-other.rules)
 * 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (malware-cnc.rules)
 * 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
 * 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
 * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
 * 1:39995 <-> DISABLED <-> POLICY-SOCIAL IRC server connection (policy-social.rules)
 * 1:39584 <-> DISABLED <-> SERVER-OTHER EasyCafe Server remote file access attempt (server-other.rules)
 * 1:39583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt (malware-cnc.rules)
 * 1:39582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt (malware-cnc.rules)
 * 1:39581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection (malware-cnc.rules)
 * 1:39580 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39579 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39578 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection (malware-cnc.rules)
 * 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
 * 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules)
 * 1:41530 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41529 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41528 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41527 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41526 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41525 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41534 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
 * 1:41533 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41532 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41531 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:5999 <-> DISABLED <-> PUA-P2P Skype client login (pua-p2p.rules)
 * 1:5998 <-> ENABLED <-> PUA-P2P Skype client login startup (pua-p2p.rules)
 * 1:542 <-> DISABLED <-> POLICY-SOCIAL IRC nick change (policy-social.rules)
 * 1:53214 <-> DISABLED <-> PROTOCOL-OTHER Cesanta Mongoose MQTT integer overflow attempt (protocol-other.rules)
 * 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
 * 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules)
 * 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:11317 <-> DISABLED <-> MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection (malware-backdoor.rules)
 * 1:10442 <-> DISABLED <-> MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive (malware-backdoor.rules)
 * 1:12904 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
 * 1:1253 <-> DISABLED <-> PROTOCOL-TELNET bsd exploit client finishing (protocol-telnet.rules)
 * 1:12359 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk data length field overflow attempt (protocol-voip.rules)
 * 1:12147 <-> DISABLED <-> MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection (malware-backdoor.rules)
 * 1:12082 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS denial of service attempt (server-oracle.rules)
 * 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules)
 * 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules)
 * 1:17710 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
 * 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
 * 1:1729 <-> DISABLED <-> POLICY-SOCIAL IRC channel join (policy-social.rules)
 * 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet  (os-windows.rules)
 * 1:16576 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (server-other.rules)
 * 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules)
 * 1:1641 <-> DISABLED <-> SERVER-OTHER DB2 dos attempt (server-other.rules)
 * 1:16358 <-> DISABLED <-> MALWARE-CNC bugsprey variant outbound connection (malware-cnc.rules)
 * 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules)
 * 1:16271 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TDSS.1.Gen keepalive detection (malware-cnc.rules)
 * 1:16093 <-> ENABLED <-> MALWARE-CNC bugsprey variant inbound connection (malware-cnc.rules)
 * 1:16091 <-> DISABLED <-> SERVER-OTHER Macromedia Flash Media Server administration service denial of service attempt (server-other.rules)
 * 1:15930 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (os-windows.rules)
 * 1:15892 <-> DISABLED <-> SERVER-OTHER SAPLPD 0x53 command denial of service attempt (server-other.rules)
 * 1:1545 <-> DISABLED <-> SERVER-OTHER Cisco denial of service attempt (server-other.rules)
 * 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
 * 1:1463 <-> DISABLED <-> POLICY-SOCIAL IRC message (policy-social.rules)
 * 1:14607 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
 * 1:1408 <-> DISABLED <-> SERVER-OTHER MSDTC attempt (server-other.rules)
 * 1:21221 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A variant outbound connection (malware-cnc.rules)
 * 1:21220 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A inbound connection (malware-cnc.rules)
 * 1:21212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hupigon.nkor variant outbound connection (malware-cnc.rules)
 * 1:21208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RShot.brw variant outbound connection (malware-cnc.rules)
 * 1:21177 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ganipin.A inbound connection (malware-cnc.rules)
 * 1:20109 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zombie.sm variant outbound connection (malware-cnc.rules)
 * 1:20094 <-> DISABLED <-> INDICATOR-COMPROMISE IRC message on non-standard port (indicator-compromise.rules)
 * 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (indicator-compromise.rules)
 * 1:20089 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
 * 1:20008 <-> DISABLED <-> MALWARE-CNC Malware PDFMarca.A runtime traffic detected (malware-cnc.rules)
 * 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (malware-cnc.rules)
 * 1:19732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Idicaf variant outbound connection (malware-cnc.rules)
 * 1:19726 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Poison variant outbound connection (malware-cnc.rules)
 * 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
 * 1:19354 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection (malware-backdoor.rules)
 * 1:18950 <-> DISABLED <-> OS-WINDOWS Microsoft WINS service oversize payload exploit attempt (os-windows.rules)
 * 1:21222 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kcahneila.A variant outbound connection (malware-cnc.rules)
 * 1:22048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus P2P outbound connection (malware-cnc.rules)
 * 1:21972 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection (malware-backdoor.rules)
 * 1:21483 <-> DISABLED <-> PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt (protocol-scada.rules)
 * 1:21228 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cerberat variant outbound connection (malware-cnc.rules)
 * 1:21227 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bulknet variant outbound connection (malware-cnc.rules)
 * 1:21224 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MacOS.DevilRobber.A variant outbound connection (malware-cnc.rules)
 * 1:24293 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC buffer overflow attempt (server-other.rules)
 * 1:24010 <-> DISABLED <-> MALWARE-CNC runtime Trojan.Radil variant outbound connection (malware-cnc.rules)
 * 1:23787 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Locotout variant outbound connection (malware-cnc.rules)
 * 1:23460 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Belesak.A variant outbound connection (malware-cnc.rules)
 * 1:23252 <-> DISABLED <-> MALWARE-CNC MacOS.MacKontrol variant outbound connection (malware-cnc.rules)
 * 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
 * 1:25025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Recslurp variant outbound connection (malware-cnc.rules)
 * 1:24720 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt (protocol-voip.rules)
 * 1:24446 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt (server-other.rules)
 * 1:24395 <-> DISABLED <-> MALWARE-OTHER itsoknoproblembro TCP flood (malware-other.rules)
 * 1:25530 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25356 <-> DISABLED <-> SERVER-OTHER Squid Gopher response processing buffer overflow attempt (server-other.rules)
 * 1:25675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (malware-cnc.rules)
 * 1:25610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection (malware-cnc.rules)
 * 1:25599 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupboot variant outbound connection (malware-cnc.rules)
 * 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
 * 1:25547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:26604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
 * 1:26202 <-> DISABLED <-> MALWARE-CNC VBS.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25865 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules)
 * 1:26605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
 * 1:27022 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
 * 1:26966 <-> ENABLED <-> MALWARE-CNC Win32/Autorun.JN variant outbound connection (malware-cnc.rules)
 * 1:26961 <-> ENABLED <-> EXPLOIT-KIT Flim exploit kit landing page (exploit-kit.rules)
 * 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
 * 1:27023 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:28418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Dtcontx outbound connection (malware-cnc.rules)
 * 1:28156 <-> DISABLED <-> PUA-ADWARE Linkury outbound time check (pua-adware.rules)
 * 1:28144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Win32.Wpbrutebot variant connection (malware-cnc.rules)
 * 1:28419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesch variant outbound connection (malware-cnc.rules)
 * 1:28857 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
 * 1:28799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mxtcycle variant outbound connection (malware-cnc.rules)
 * 1:28543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
 * 1:28542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
 * 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules)
 * 1:28996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (malware-cnc.rules)
 * 1:28858 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
 * 1:29325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Horsamaz outbound connection (malware-cnc.rules)
 * 1:29307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fraxytime outbound connection (malware-cnc.rules)
 * 1:29295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boda variant initial outbound connection (malware-cnc.rules)
 * 1:29135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bfddos variant outbound connection (malware-cnc.rules)
 * 1:29115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alset variant outbound connection (malware-cnc.rules)
 * 1:29087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kboy variant outbound connection (malware-cnc.rules)
 * 1:29364 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt (malware-other.rules)
 * 1:29368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant followup outbound connection (malware-cnc.rules)
 * 1:29380 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic (malware-cnc.rules)
 * 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules)
 * 1:29378 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic (malware-cnc.rules)
 * 1:29389 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alusins variant outbound connection (malware-cnc.rules)
 * 1:29440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chewbacca outbound connection (malware-cnc.rules)
 * 1:29430 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Icefog variant outbound connection (malware-cnc.rules)
 * 1:29581 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
 * 1:29882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WEC variant outbound connection (malware-cnc.rules)
 * 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules)
 * 1:30298 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Cloudoten variant inbound connection (malware-cnc.rules)
 * 1:30752 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesyong outbound connection (malware-cnc.rules)
 * 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (malware-cnc.rules)
 * 1:30525 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
 * 1:30524 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
 * 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
 * 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
 * 1:30804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (malware-cnc.rules)
 * 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
 * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
 * 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
 * 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
 * 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound connection (malware-cnc.rules)
 * 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (malware-cnc.rules)
 * 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (malware-cnc.rules)
 * 1:30986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed inbound shell command attempt (malware-cnc.rules)
 * 1:30978 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
 * 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection (malware-cnc.rules)
 * 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
 * 1:30883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
 * 1:30812 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30811 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30810 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30808 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
 * 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
 * 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
 * 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (malware-cnc.rules)
 * 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
 * 1:32009 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command (malware-cnc.rules)
 * 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
 * 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound connection (malware-cnc.rules)
 * 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
 * 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound connection (malware-cnc.rules)
 * 1:31805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dizk variant outbound connection (malware-cnc.rules)
 * 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound connection (malware-cnc.rules)
 * 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound connection (malware-cnc.rules)
 * 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound connection (malware-cnc.rules)
 * 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (malware-cnc.rules)
 * 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
 * 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (malware-cnc.rules)
 * 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32609 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (malware-cnc.rules)
 * 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (malware-cnc.rules)
 * 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
 * 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)
 * 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (malware-cnc.rules)
 * 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (malware-cnc.rules)
 * 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound connection (malware-cnc.rules)
 * 1:33985 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
 * 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)
 * 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
 * 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
 * 1:34934 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pheloyx outbound connection (malware-cnc.rules)
 * 1:34847 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
 * 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
 * 1:34339 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Cybergate outbound connection (malware-cnc.rules)
 * 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
 * 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection  (malware-cnc.rules)
 * 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:34997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant HTTP Response (malware-cnc.rules)
 * 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
 * 1:36133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:36132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
 * 1:36115 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Liudoor outbound connection (malware-cnc.rules)
 * 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt  (server-other.rules)
 * 1:35631 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
 * 1:35630 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:36134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
 * 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (netbios.rules)
 * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
 * 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
 * 1:39577 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39576 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39575 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39574 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39573 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:39080 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
 * 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
 * 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection (malware-cnc.rules)
 * 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
 * 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
 * 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
 * 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
 * 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules)
 * 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
 * 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)

2020-03-05 14:28:55 UTC

Snort Subscriber Rules Update

Date: 2020-03-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53401 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.snoopy TCP connection attempt (indicator-compromise.rules)
 * 1:53398 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
 * 1:53394 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (indicator-compromise.rules)
 * 1:53397 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53399 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
 * 1:53395 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53396 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
 * 3:53388 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53387 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53386 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53390 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53385 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53392 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar AddObject request detected (policy-other.rules)
 * 3:53389 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53393 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar EditAdmin request detected (policy-other.rules)
 * 3:53384 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53391 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)

Modified Rules:


 * 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
 * 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection (malware-cnc.rules)
 * 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
 * 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
 * 1:39574 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39573 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:39080 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
 * 1:39575 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:41526 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41525 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
 * 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:41219 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server Fabric denial of service attempt (server-other.rules)
 * 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (malware-cnc.rules)
 * 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
 * 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
 * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
 * 1:39995 <-> DISABLED <-> POLICY-SOCIAL IRC server connection (policy-social.rules)
 * 1:39584 <-> DISABLED <-> SERVER-OTHER EasyCafe Server remote file access attempt (server-other.rules)
 * 1:39583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt (malware-cnc.rules)
 * 1:39582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt (malware-cnc.rules)
 * 1:39581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection (malware-cnc.rules)
 * 1:39580 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39579 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39578 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection (malware-cnc.rules)
 * 1:39577 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39576 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
 * 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
 * 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
 * 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (server-other.rules)
 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
 * 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules)
 * 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules)
 * 1:41534 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
 * 1:41533 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41532 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41531 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41530 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41529 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41528 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41527 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules)
 * 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
 * 1:53214 <-> DISABLED <-> PROTOCOL-OTHER Cesanta Mongoose MQTT integer overflow attempt (protocol-other.rules)
 * 1:542 <-> DISABLED <-> POLICY-SOCIAL IRC nick change (policy-social.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
 * 1:5999 <-> DISABLED <-> PUA-P2P Skype client login (pua-p2p.rules)
 * 1:5998 <-> ENABLED <-> PUA-P2P Skype client login startup (pua-p2p.rules)
 * 1:6469 <-> ENABLED <-> SERVER-OTHER RealVNC connection attempt (server-other.rules)
 * 1:6471 <-> DISABLED <-> SERVER-OTHER RealVNC password authentication bypass attempt (server-other.rules)
 * 1:7789 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client (malware-backdoor.rules)
 * 1:7788 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server (malware-backdoor.rules)
 * 1:7785 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection - connection with password (malware-backdoor.rules)
 * 1:7635 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
 * 1:7631 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set (malware-backdoor.rules)
 * 1:7103 <-> DISABLED <-> MALWARE-CNC gwboy 0.92 variant outbound connection (malware-cnc.rules)
 * 1:8362 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection (malware-backdoor.rules)
 * 1:8361 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection (malware-backdoor.rules)
 * 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
 * 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
 * 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:10442 <-> DISABLED <-> MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive (malware-backdoor.rules)
 * 1:11317 <-> DISABLED <-> MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection (malware-backdoor.rules)
 * 1:12082 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS denial of service attempt (server-oracle.rules)
 * 1:12147 <-> DISABLED <-> MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection (malware-backdoor.rules)
 * 1:12359 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk data length field overflow attempt (protocol-voip.rules)
 * 1:1253 <-> DISABLED <-> PROTOCOL-TELNET bsd exploit client finishing (protocol-telnet.rules)
 * 1:12904 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
 * 1:1408 <-> DISABLED <-> SERVER-OTHER MSDTC attempt (server-other.rules)
 * 1:14607 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
 * 1:1463 <-> DISABLED <-> POLICY-SOCIAL IRC message (policy-social.rules)
 * 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
 * 1:1545 <-> DISABLED <-> SERVER-OTHER Cisco denial of service attempt (server-other.rules)
 * 1:15892 <-> DISABLED <-> SERVER-OTHER SAPLPD 0x53 command denial of service attempt (server-other.rules)
 * 1:15930 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (os-windows.rules)
 * 1:16091 <-> DISABLED <-> SERVER-OTHER Macromedia Flash Media Server administration service denial of service attempt (server-other.rules)
 * 1:16093 <-> ENABLED <-> MALWARE-CNC bugsprey variant inbound connection (malware-cnc.rules)
 * 1:16271 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TDSS.1.Gen keepalive detection (malware-cnc.rules)
 * 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules)
 * 1:16358 <-> DISABLED <-> MALWARE-CNC bugsprey variant outbound connection (malware-cnc.rules)
 * 1:1641 <-> DISABLED <-> SERVER-OTHER DB2 dos attempt (server-other.rules)
 * 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules)
 * 1:16576 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (server-other.rules)
 * 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet  (os-windows.rules)
 * 1:1729 <-> DISABLED <-> POLICY-SOCIAL IRC channel join (policy-social.rules)
 * 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
 * 1:17710 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
 * 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules)
 * 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules)
 * 1:18950 <-> DISABLED <-> OS-WINDOWS Microsoft WINS service oversize payload exploit attempt (os-windows.rules)
 * 1:19354 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection (malware-backdoor.rules)
 * 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
 * 1:19726 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Poison variant outbound connection (malware-cnc.rules)
 * 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (malware-cnc.rules)
 * 1:20008 <-> DISABLED <-> MALWARE-CNC Malware PDFMarca.A runtime traffic detected (malware-cnc.rules)
 * 1:20089 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
 * 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (indicator-compromise.rules)
 * 1:20094 <-> DISABLED <-> INDICATOR-COMPROMISE IRC message on non-standard port (indicator-compromise.rules)
 * 1:20109 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zombie.sm variant outbound connection (malware-cnc.rules)
 * 1:19732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Idicaf variant outbound connection (malware-cnc.rules)
 * 1:21208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RShot.brw variant outbound connection (malware-cnc.rules)
 * 1:21212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hupigon.nkor variant outbound connection (malware-cnc.rules)
 * 1:21220 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A inbound connection (malware-cnc.rules)
 * 1:21221 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A variant outbound connection (malware-cnc.rules)
 * 1:22048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus P2P outbound connection (malware-cnc.rules)
 * 1:21177 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ganipin.A inbound connection (malware-cnc.rules)
 * 1:21222 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kcahneila.A variant outbound connection (malware-cnc.rules)
 * 1:21224 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MacOS.DevilRobber.A variant outbound connection (malware-cnc.rules)
 * 1:21227 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bulknet variant outbound connection (malware-cnc.rules)
 * 1:21228 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cerberat variant outbound connection (malware-cnc.rules)
 * 1:21483 <-> DISABLED <-> PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt (protocol-scada.rules)
 * 1:23460 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Belesak.A variant outbound connection (malware-cnc.rules)
 * 1:23787 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Locotout variant outbound connection (malware-cnc.rules)
 * 1:24010 <-> DISABLED <-> MALWARE-CNC runtime Trojan.Radil variant outbound connection (malware-cnc.rules)
 * 1:24293 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC buffer overflow attempt (server-other.rules)
 * 1:21972 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection (malware-backdoor.rules)
 * 1:23252 <-> DISABLED <-> MALWARE-CNC MacOS.MacKontrol variant outbound connection (malware-cnc.rules)
 * 1:25530 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:24395 <-> DISABLED <-> MALWARE-OTHER itsoknoproblembro TCP flood (malware-other.rules)
 * 1:24446 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt (server-other.rules)
 * 1:24720 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt (protocol-voip.rules)
 * 1:25025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Recslurp variant outbound connection (malware-cnc.rules)
 * 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
 * 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
 * 1:25599 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupboot variant outbound connection (malware-cnc.rules)
 * 1:25610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection (malware-cnc.rules)
 * 1:25356 <-> DISABLED <-> SERVER-OTHER Squid Gopher response processing buffer overflow attempt (server-other.rules)
 * 1:25675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (malware-cnc.rules)
 * 1:25865 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
 * 1:26604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:26605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:26202 <-> DISABLED <-> MALWARE-CNC VBS.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:27022 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
 * 1:27023 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
 * 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules)
 * 1:26961 <-> ENABLED <-> EXPLOIT-KIT Flim exploit kit landing page (exploit-kit.rules)
 * 1:26966 <-> ENABLED <-> MALWARE-CNC Win32/Autorun.JN variant outbound connection (malware-cnc.rules)
 * 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:28144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Win32.Wpbrutebot variant connection (malware-cnc.rules)
 * 1:28156 <-> DISABLED <-> PUA-ADWARE Linkury outbound time check (pua-adware.rules)
 * 1:28418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Dtcontx outbound connection (malware-cnc.rules)
 * 1:28419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesch variant outbound connection (malware-cnc.rules)
 * 1:28542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
 * 1:28543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
 * 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules)
 * 1:28857 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
 * 1:28858 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
 * 1:28996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (malware-cnc.rules)
 * 1:28799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mxtcycle variant outbound connection (malware-cnc.rules)
 * 1:29087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kboy variant outbound connection (malware-cnc.rules)
 * 1:29115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alset variant outbound connection (malware-cnc.rules)
 * 1:29307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fraxytime outbound connection (malware-cnc.rules)
 * 1:29295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boda variant initial outbound connection (malware-cnc.rules)
 * 1:29135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bfddos variant outbound connection (malware-cnc.rules)
 * 1:29325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Horsamaz outbound connection (malware-cnc.rules)
 * 1:29430 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Icefog variant outbound connection (malware-cnc.rules)
 * 1:29364 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt (malware-other.rules)
 * 1:29368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant followup outbound connection (malware-cnc.rules)
 * 1:29378 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic (malware-cnc.rules)
 * 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules)
 * 1:29380 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic (malware-cnc.rules)
 * 1:29440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chewbacca outbound connection (malware-cnc.rules)
 * 1:29581 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
 * 1:29882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WEC variant outbound connection (malware-cnc.rules)
 * 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules)
 * 1:30298 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Cloudoten variant inbound connection (malware-cnc.rules)
 * 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
 * 1:30524 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
 * 1:30525 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
 * 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (malware-cnc.rules)
 * 1:30752 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesyong outbound connection (malware-cnc.rules)
 * 1:30804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30808 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30810 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30811 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30812 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
 * 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
 * 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection (malware-cnc.rules)
 * 1:30978 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
 * 1:30986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed inbound shell command attempt (malware-cnc.rules)
 * 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (malware-cnc.rules)
 * 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (malware-cnc.rules)
 * 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound connection (malware-cnc.rules)
 * 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
 * 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
 * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
 * 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
 * 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (malware-cnc.rules)
 * 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
 * 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (malware-cnc.rules)
 * 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound connection (malware-cnc.rules)
 * 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound connection (malware-cnc.rules)
 * 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound connection (malware-cnc.rules)
 * 1:29389 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alusins variant outbound connection (malware-cnc.rules)
 * 1:31805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dizk variant outbound connection (malware-cnc.rules)
 * 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound connection (malware-cnc.rules)
 * 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound connection (malware-cnc.rules)
 * 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
 * 1:32009 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command (malware-cnc.rules)
 * 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
 * 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
 * 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
 * 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
 * 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
 * 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
 * 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (malware-cnc.rules)
 * 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (malware-cnc.rules)
 * 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32609 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
 * 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (malware-cnc.rules)
 * 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound connection (malware-cnc.rules)
 * 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (malware-cnc.rules)
 * 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (malware-cnc.rules)
 * 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)
 * 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
 * 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
 * 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)
 * 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:33985 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
 * 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (malware-cnc.rules)
 * 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:34339 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Cybergate outbound connection (malware-cnc.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
 * 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
 * 1:34847 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
 * 1:34934 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pheloyx outbound connection (malware-cnc.rules)
 * 1:34997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant HTTP Response (malware-cnc.rules)
 * 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection  (malware-cnc.rules)
 * 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
 * 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:35631 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
 * 1:36115 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Liudoor outbound connection (malware-cnc.rules)
 * 1:36132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
 * 1:36133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:36134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
 * 1:35630 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
 * 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt  (server-other.rules)
 * 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
 * 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (netbios.rules)
 * 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
 * 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound connection (malware-cnc.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
 * 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
 * 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules)

2020-03-05 14:28:55 UTC

Snort Subscriber Rules Update

Date: 2020-03-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53396 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53398 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
 * 1:53395 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53399 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
 * 1:53401 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.snoopy TCP connection attempt (indicator-compromise.rules)
 * 1:53397 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (indicator-compromise.rules)
 * 1:53394 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
 * 3:53388 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53391 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53389 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53390 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53385 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53393 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar EditAdmin request detected (policy-other.rules)
 * 3:53384 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53392 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar AddObject request detected (policy-other.rules)
 * 3:53387 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53386 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)

Modified Rules:


 * 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
 * 1:39575 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:10442 <-> DISABLED <-> MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive (malware-backdoor.rules)
 * 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
 * 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
 * 1:39583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt (malware-cnc.rules)
 * 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:39580 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:11317 <-> DISABLED <-> MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection (malware-backdoor.rules)
 * 1:39581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection (malware-cnc.rules)
 * 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
 * 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
 * 1:39573 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39080 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
 * 1:39576 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39995 <-> DISABLED <-> POLICY-SOCIAL IRC server connection (policy-social.rules)
 * 1:39577 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39578 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection (malware-cnc.rules)
 * 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
 * 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:39584 <-> DISABLED <-> SERVER-OTHER EasyCafe Server remote file access attempt (server-other.rules)
 * 1:39574 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
 * 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
 * 1:39579 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt (malware-cnc.rules)
 * 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:41219 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server Fabric denial of service attempt (server-other.rules)
 * 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (malware-cnc.rules)
 * 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
 * 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (server-other.rules)
 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
 * 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules)
 * 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules)
 * 1:41534 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
 * 1:41533 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41532 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41531 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41530 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41529 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41528 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41527 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41526 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41525 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection (malware-cnc.rules)
 * 1:12082 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS denial of service attempt (server-oracle.rules)
 * 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
 * 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
 * 1:5999 <-> DISABLED <-> PUA-P2P Skype client login (pua-p2p.rules)
 * 1:5998 <-> ENABLED <-> PUA-P2P Skype client login startup (pua-p2p.rules)
 * 1:542 <-> DISABLED <-> POLICY-SOCIAL IRC nick change (policy-social.rules)
 * 1:53214 <-> DISABLED <-> PROTOCOL-OTHER Cesanta Mongoose MQTT integer overflow attempt (protocol-other.rules)
 * 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
 * 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules)
 * 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
 * 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
 * 1:7788 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server (malware-backdoor.rules)
 * 1:6469 <-> ENABLED <-> SERVER-OTHER RealVNC connection attempt (server-other.rules)
 * 1:7785 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection - connection with password (malware-backdoor.rules)
 * 1:7635 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
 * 1:7631 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set (malware-backdoor.rules)
 * 1:7103 <-> DISABLED <-> MALWARE-CNC gwboy 0.92 variant outbound connection (malware-cnc.rules)
 * 1:6471 <-> DISABLED <-> SERVER-OTHER RealVNC password authentication bypass attempt (server-other.rules)
 * 1:8362 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection (malware-backdoor.rules)
 * 1:8361 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection (malware-backdoor.rules)
 * 1:7789 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client (malware-backdoor.rules)
 * 1:12147 <-> DISABLED <-> MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection (malware-backdoor.rules)
 * 1:12359 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk data length field overflow attempt (protocol-voip.rules)
 * 1:1253 <-> DISABLED <-> PROTOCOL-TELNET bsd exploit client finishing (protocol-telnet.rules)
 * 1:12904 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
 * 1:1408 <-> DISABLED <-> SERVER-OTHER MSDTC attempt (server-other.rules)
 * 1:14607 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
 * 1:1463 <-> DISABLED <-> POLICY-SOCIAL IRC message (policy-social.rules)
 * 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
 * 1:1545 <-> DISABLED <-> SERVER-OTHER Cisco denial of service attempt (server-other.rules)
 * 1:15892 <-> DISABLED <-> SERVER-OTHER SAPLPD 0x53 command denial of service attempt (server-other.rules)
 * 1:15930 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (os-windows.rules)
 * 1:16091 <-> DISABLED <-> SERVER-OTHER Macromedia Flash Media Server administration service denial of service attempt (server-other.rules)
 * 1:16093 <-> ENABLED <-> MALWARE-CNC bugsprey variant inbound connection (malware-cnc.rules)
 * 1:16271 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TDSS.1.Gen keepalive detection (malware-cnc.rules)
 * 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules)
 * 1:16358 <-> DISABLED <-> MALWARE-CNC bugsprey variant outbound connection (malware-cnc.rules)
 * 1:1641 <-> DISABLED <-> SERVER-OTHER DB2 dos attempt (server-other.rules)
 * 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules)
 * 1:16576 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (server-other.rules)
 * 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet  (os-windows.rules)
 * 1:1729 <-> DISABLED <-> POLICY-SOCIAL IRC channel join (policy-social.rules)
 * 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
 * 1:17710 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
 * 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules)
 * 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules)
 * 1:18950 <-> DISABLED <-> OS-WINDOWS Microsoft WINS service oversize payload exploit attempt (os-windows.rules)
 * 1:19354 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection (malware-backdoor.rules)
 * 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
 * 1:19726 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Poison variant outbound connection (malware-cnc.rules)
 * 1:19732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Idicaf variant outbound connection (malware-cnc.rules)
 * 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (malware-cnc.rules)
 * 1:20008 <-> DISABLED <-> MALWARE-CNC Malware PDFMarca.A runtime traffic detected (malware-cnc.rules)
 * 1:20089 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
 * 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (indicator-compromise.rules)
 * 1:20094 <-> DISABLED <-> INDICATOR-COMPROMISE IRC message on non-standard port (indicator-compromise.rules)
 * 1:20109 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zombie.sm variant outbound connection (malware-cnc.rules)
 * 1:21177 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ganipin.A inbound connection (malware-cnc.rules)
 * 1:21208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RShot.brw variant outbound connection (malware-cnc.rules)
 * 1:21212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hupigon.nkor variant outbound connection (malware-cnc.rules)
 * 1:21220 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A inbound connection (malware-cnc.rules)
 * 1:21221 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A variant outbound connection (malware-cnc.rules)
 * 1:21222 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kcahneila.A variant outbound connection (malware-cnc.rules)
 * 1:21224 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MacOS.DevilRobber.A variant outbound connection (malware-cnc.rules)
 * 1:21227 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bulknet variant outbound connection (malware-cnc.rules)
 * 1:21228 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cerberat variant outbound connection (malware-cnc.rules)
 * 1:21483 <-> DISABLED <-> PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt (protocol-scada.rules)
 * 1:21972 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection (malware-backdoor.rules)
 * 1:22048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus P2P outbound connection (malware-cnc.rules)
 * 1:23252 <-> DISABLED <-> MALWARE-CNC MacOS.MacKontrol variant outbound connection (malware-cnc.rules)
 * 1:23460 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Belesak.A variant outbound connection (malware-cnc.rules)
 * 1:23787 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Locotout variant outbound connection (malware-cnc.rules)
 * 1:24010 <-> DISABLED <-> MALWARE-CNC runtime Trojan.Radil variant outbound connection (malware-cnc.rules)
 * 1:24293 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC buffer overflow attempt (server-other.rules)
 * 1:24395 <-> DISABLED <-> MALWARE-OTHER itsoknoproblembro TCP flood (malware-other.rules)
 * 1:24446 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt (server-other.rules)
 * 1:24720 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt (protocol-voip.rules)
 * 1:25025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Recslurp variant outbound connection (malware-cnc.rules)
 * 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
 * 1:25356 <-> DISABLED <-> SERVER-OTHER Squid Gopher response processing buffer overflow attempt (server-other.rules)
 * 1:25530 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
 * 1:25599 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupboot variant outbound connection (malware-cnc.rules)
 * 1:25610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection (malware-cnc.rules)
 * 1:25675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (malware-cnc.rules)
 * 1:25865 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:26202 <-> DISABLED <-> MALWARE-CNC VBS.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
 * 1:26604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:26605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules)
 * 1:26961 <-> ENABLED <-> EXPLOIT-KIT Flim exploit kit landing page (exploit-kit.rules)
 * 1:26966 <-> ENABLED <-> MALWARE-CNC Win32/Autorun.JN variant outbound connection (malware-cnc.rules)
 * 1:27022 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
 * 1:27023 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
 * 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
 * 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:28144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Win32.Wpbrutebot variant connection (malware-cnc.rules)
 * 1:28156 <-> DISABLED <-> PUA-ADWARE Linkury outbound time check (pua-adware.rules)
 * 1:28418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Dtcontx outbound connection (malware-cnc.rules)
 * 1:28419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesch variant outbound connection (malware-cnc.rules)
 * 1:28542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
 * 1:28543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
 * 1:28799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mxtcycle variant outbound connection (malware-cnc.rules)
 * 1:28857 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
 * 1:28858 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
 * 1:28996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (malware-cnc.rules)
 * 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules)
 * 1:29087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kboy variant outbound connection (malware-cnc.rules)
 * 1:29115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alset variant outbound connection (malware-cnc.rules)
 * 1:29135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bfddos variant outbound connection (malware-cnc.rules)
 * 1:29295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boda variant initial outbound connection (malware-cnc.rules)
 * 1:29307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fraxytime outbound connection (malware-cnc.rules)
 * 1:29325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Horsamaz outbound connection (malware-cnc.rules)
 * 1:29364 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt (malware-other.rules)
 * 1:29368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant followup outbound connection (malware-cnc.rules)
 * 1:29378 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic (malware-cnc.rules)
 * 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules)
 * 1:29380 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic (malware-cnc.rules)
 * 1:29389 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alusins variant outbound connection (malware-cnc.rules)
 * 1:29430 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Icefog variant outbound connection (malware-cnc.rules)
 * 1:29440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chewbacca outbound connection (malware-cnc.rules)
 * 1:29581 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
 * 1:29882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WEC variant outbound connection (malware-cnc.rules)
 * 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules)
 * 1:30298 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Cloudoten variant inbound connection (malware-cnc.rules)
 * 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
 * 1:30524 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
 * 1:30525 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
 * 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (malware-cnc.rules)
 * 1:30752 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesyong outbound connection (malware-cnc.rules)
 * 1:30804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30808 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30810 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30811 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30812 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
 * 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
 * 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection (malware-cnc.rules)
 * 1:30978 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
 * 1:30986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed inbound shell command attempt (malware-cnc.rules)
 * 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (malware-cnc.rules)
 * 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (malware-cnc.rules)
 * 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound connection (malware-cnc.rules)
 * 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
 * 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
 * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
 * 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
 * 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (malware-cnc.rules)
 * 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
 * 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (malware-cnc.rules)
 * 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound connection (malware-cnc.rules)
 * 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound connection (malware-cnc.rules)
 * 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound connection (malware-cnc.rules)
 * 1:31805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dizk variant outbound connection (malware-cnc.rules)
 * 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound connection (malware-cnc.rules)
 * 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
 * 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound connection (malware-cnc.rules)
 * 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
 * 1:32009 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command (malware-cnc.rules)
 * 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
 * 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (malware-cnc.rules)
 * 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
 * 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
 * 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
 * 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
 * 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (malware-cnc.rules)
 * 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (malware-cnc.rules)
 * 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32609 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
 * 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (malware-cnc.rules)
 * 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound connection (malware-cnc.rules)
 * 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (malware-cnc.rules)
 * 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (malware-cnc.rules)
 * 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)
 * 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
 * 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
 * 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)
 * 1:33985 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
 * 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
 * 1:34339 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Cybergate outbound connection (malware-cnc.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
 * 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
 * 1:34847 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
 * 1:34934 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pheloyx outbound connection (malware-cnc.rules)
 * 1:34997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant HTTP Response (malware-cnc.rules)
 * 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection  (malware-cnc.rules)
 * 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:35630 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
 * 1:35631 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
 * 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt  (server-other.rules)
 * 1:36115 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Liudoor outbound connection (malware-cnc.rules)
 * 1:36132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
 * 1:36133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:36134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
 * 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (netbios.rules)
 * 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
 * 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound connection (malware-cnc.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
 * 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
 * 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules)
 * 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)

2020-03-05 14:28:55 UTC

Snort Subscriber Rules Update

Date: 2020-03-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53398 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
 * 1:53399 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
 * 1:53401 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.snoopy TCP connection attempt (indicator-compromise.rules)
 * 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (indicator-compromise.rules)
 * 1:53394 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53395 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53396 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53397 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
 * 3:53388 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53384 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53385 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53390 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53387 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53389 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53386 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53393 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar EditAdmin request detected (policy-other.rules)
 * 3:53392 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar AddObject request detected (policy-other.rules)
 * 3:53391 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)

Modified Rules:


 * 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules)
 * 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:12359 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk data length field overflow attempt (protocol-voip.rules)
 * 1:12904 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
 * 1:12147 <-> DISABLED <-> MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection (malware-backdoor.rules)
 * 1:14607 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
 * 1:1253 <-> DISABLED <-> PROTOCOL-TELNET bsd exploit client finishing (protocol-telnet.rules)
 * 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
 * 1:1408 <-> DISABLED <-> SERVER-OTHER MSDTC attempt (server-other.rules)
 * 1:15892 <-> DISABLED <-> SERVER-OTHER SAPLPD 0x53 command denial of service attempt (server-other.rules)
 * 1:1463 <-> DISABLED <-> POLICY-SOCIAL IRC message (policy-social.rules)
 * 1:16093 <-> ENABLED <-> MALWARE-CNC bugsprey variant inbound connection (malware-cnc.rules)
 * 1:1545 <-> DISABLED <-> SERVER-OTHER Cisco denial of service attempt (server-other.rules)
 * 1:15930 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (os-windows.rules)
 * 1:16091 <-> DISABLED <-> SERVER-OTHER Macromedia Flash Media Server administration service denial of service attempt (server-other.rules)
 * 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:29307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fraxytime outbound connection (malware-cnc.rules)
 * 1:29325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Horsamaz outbound connection (malware-cnc.rules)
 * 1:29135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bfddos variant outbound connection (malware-cnc.rules)
 * 1:29295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boda variant initial outbound connection (malware-cnc.rules)
 * 1:29087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kboy variant outbound connection (malware-cnc.rules)
 * 1:29115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alset variant outbound connection (malware-cnc.rules)
 * 1:28996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (malware-cnc.rules)
 * 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules)
 * 1:28857 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
 * 1:28858 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
 * 1:28543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
 * 1:28799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mxtcycle variant outbound connection (malware-cnc.rules)
 * 1:28419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesch variant outbound connection (malware-cnc.rules)
 * 1:28542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
 * 1:28156 <-> DISABLED <-> PUA-ADWARE Linkury outbound time check (pua-adware.rules)
 * 1:28418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Dtcontx outbound connection (malware-cnc.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:28144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Win32.Wpbrutebot variant connection (malware-cnc.rules)
 * 1:27023 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
 * 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
 * 1:26966 <-> ENABLED <-> MALWARE-CNC Win32/Autorun.JN variant outbound connection (malware-cnc.rules)
 * 1:27022 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
 * 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules)
 * 1:26961 <-> ENABLED <-> EXPLOIT-KIT Flim exploit kit landing page (exploit-kit.rules)
 * 1:26605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:26604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:26202 <-> DISABLED <-> MALWARE-CNC VBS.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
 * 1:25865 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection (malware-cnc.rules)
 * 1:25675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (malware-cnc.rules)
 * 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
 * 1:25599 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupboot variant outbound connection (malware-cnc.rules)
 * 1:25530 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
 * 1:25356 <-> DISABLED <-> SERVER-OTHER Squid Gopher response processing buffer overflow attempt (server-other.rules)
 * 1:24720 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt (protocol-voip.rules)
 * 1:25025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Recslurp variant outbound connection (malware-cnc.rules)
 * 1:24395 <-> DISABLED <-> MALWARE-OTHER itsoknoproblembro TCP flood (malware-other.rules)
 * 1:24446 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt (server-other.rules)
 * 1:24010 <-> DISABLED <-> MALWARE-CNC runtime Trojan.Radil variant outbound connection (malware-cnc.rules)
 * 1:24293 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC buffer overflow attempt (server-other.rules)
 * 1:23460 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Belesak.A variant outbound connection (malware-cnc.rules)
 * 1:23787 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Locotout variant outbound connection (malware-cnc.rules)
 * 1:22048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus P2P outbound connection (malware-cnc.rules)
 * 1:23252 <-> DISABLED <-> MALWARE-CNC MacOS.MacKontrol variant outbound connection (malware-cnc.rules)
 * 1:21483 <-> DISABLED <-> PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt (protocol-scada.rules)
 * 1:21972 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection (malware-backdoor.rules)
 * 1:21227 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bulknet variant outbound connection (malware-cnc.rules)
 * 1:21228 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cerberat variant outbound connection (malware-cnc.rules)
 * 1:21222 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kcahneila.A variant outbound connection (malware-cnc.rules)
 * 1:21224 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MacOS.DevilRobber.A variant outbound connection (malware-cnc.rules)
 * 1:21220 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A inbound connection (malware-cnc.rules)
 * 1:21221 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A variant outbound connection (malware-cnc.rules)
 * 1:21208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RShot.brw variant outbound connection (malware-cnc.rules)
 * 1:21212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hupigon.nkor variant outbound connection (malware-cnc.rules)
 * 1:20109 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zombie.sm variant outbound connection (malware-cnc.rules)
 * 1:21177 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ganipin.A inbound connection (malware-cnc.rules)
 * 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (indicator-compromise.rules)
 * 1:20094 <-> DISABLED <-> INDICATOR-COMPROMISE IRC message on non-standard port (indicator-compromise.rules)
 * 1:20008 <-> DISABLED <-> MALWARE-CNC Malware PDFMarca.A runtime traffic detected (malware-cnc.rules)
 * 1:20089 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
 * 1:19732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Idicaf variant outbound connection (malware-cnc.rules)
 * 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (malware-cnc.rules)
 * 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
 * 1:19726 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Poison variant outbound connection (malware-cnc.rules)
 * 1:18950 <-> DISABLED <-> OS-WINDOWS Microsoft WINS service oversize payload exploit attempt (os-windows.rules)
 * 1:19354 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection (malware-backdoor.rules)
 * 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules)
 * 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules)
 * 1:17710 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
 * 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
 * 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet  (os-windows.rules)
 * 1:1729 <-> DISABLED <-> POLICY-SOCIAL IRC channel join (policy-social.rules)
 * 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules)
 * 1:16576 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (server-other.rules)
 * 1:16358 <-> DISABLED <-> MALWARE-CNC bugsprey variant outbound connection (malware-cnc.rules)
 * 1:1641 <-> DISABLED <-> SERVER-OTHER DB2 dos attempt (server-other.rules)
 * 1:16271 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TDSS.1.Gen keepalive detection (malware-cnc.rules)
 * 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules)
 * 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
 * 1:32609 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (malware-cnc.rules)
 * 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (malware-cnc.rules)
 * 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
 * 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
 * 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
 * 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
 * 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
 * 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (malware-cnc.rules)
 * 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
 * 1:32009 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command (malware-cnc.rules)
 * 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
 * 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound connection (malware-cnc.rules)
 * 1:31805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dizk variant outbound connection (malware-cnc.rules)
 * 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound connection (malware-cnc.rules)
 * 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound connection (malware-cnc.rules)
 * 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound connection (malware-cnc.rules)
 * 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (malware-cnc.rules)
 * 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound connection (malware-cnc.rules)
 * 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (malware-cnc.rules)
 * 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
 * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
 * 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
 * 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
 * 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
 * 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (malware-cnc.rules)
 * 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound connection (malware-cnc.rules)
 * 1:30986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed inbound shell command attempt (malware-cnc.rules)
 * 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (malware-cnc.rules)
 * 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection (malware-cnc.rules)
 * 1:30978 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
 * 1:30883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
 * 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
 * 1:30811 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30812 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30810 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30808 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30752 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesyong outbound connection (malware-cnc.rules)
 * 1:30804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30525 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
 * 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (malware-cnc.rules)
 * 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
 * 1:30524 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
 * 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules)
 * 1:30298 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Cloudoten variant inbound connection (malware-cnc.rules)
 * 1:29581 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
 * 1:29882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WEC variant outbound connection (malware-cnc.rules)
 * 1:29430 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Icefog variant outbound connection (malware-cnc.rules)
 * 1:29440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chewbacca outbound connection (malware-cnc.rules)
 * 1:29380 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic (malware-cnc.rules)
 * 1:29389 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alusins variant outbound connection (malware-cnc.rules)
 * 1:29378 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic (malware-cnc.rules)
 * 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules)
 * 1:29364 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt (malware-other.rules)
 * 1:29368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant followup outbound connection (malware-cnc.rules)
 * 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (malware-cnc.rules)
 * 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (malware-cnc.rules)
 * 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound connection (malware-cnc.rules)
 * 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)
 * 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (malware-cnc.rules)
 * 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
 * 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
 * 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound connection (malware-cnc.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
 * 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (netbios.rules)
 * 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:36134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
 * 1:36133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:36115 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Liudoor outbound connection (malware-cnc.rules)
 * 1:36132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
 * 1:35631 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
 * 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt  (server-other.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:35630 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
 * 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
 * 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection  (malware-cnc.rules)
 * 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:34997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant HTTP Response (malware-cnc.rules)
 * 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:34847 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
 * 1:34934 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pheloyx outbound connection (malware-cnc.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
 * 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
 * 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
 * 1:34339 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Cybergate outbound connection (malware-cnc.rules)
 * 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)
 * 1:33985 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
 * 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
 * 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
 * 1:5998 <-> ENABLED <-> PUA-P2P Skype client login startup (pua-p2p.rules)
 * 1:5999 <-> DISABLED <-> PUA-P2P Skype client login (pua-p2p.rules)
 * 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:53214 <-> DISABLED <-> PROTOCOL-OTHER Cesanta Mongoose MQTT integer overflow attempt (protocol-other.rules)
 * 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
 * 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:41530 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
 * 1:39577 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules)
 * 1:39995 <-> DISABLED <-> POLICY-SOCIAL IRC server connection (policy-social.rules)
 * 1:39583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt (malware-cnc.rules)
 * 1:41219 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server Fabric denial of service attempt (server-other.rules)
 * 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
 * 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (malware-cnc.rules)
 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
 * 1:39578 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection (malware-cnc.rules)
 * 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
 * 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection (malware-cnc.rules)
 * 1:41529 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
 * 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:39581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection (malware-cnc.rules)
 * 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
 * 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:41534 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
 * 1:39582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt (malware-cnc.rules)
 * 1:41532 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:39576 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (server-other.rules)
 * 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
 * 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules)
 * 1:41528 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
 * 1:39579 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:39584 <-> DISABLED <-> SERVER-OTHER EasyCafe Server remote file access attempt (server-other.rules)
 * 1:41533 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41526 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:39573 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:41527 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:39580 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39574 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39575 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:41531 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41525 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
 * 1:39080 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
 * 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
 * 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
 * 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
 * 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:542 <-> DISABLED <-> POLICY-SOCIAL IRC nick change (policy-social.rules)
 * 1:6469 <-> ENABLED <-> SERVER-OTHER RealVNC connection attempt (server-other.rules)
 * 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
 * 1:10442 <-> DISABLED <-> MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive (malware-backdoor.rules)
 * 1:11317 <-> DISABLED <-> MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection (malware-backdoor.rules)
 * 1:12082 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS denial of service attempt (server-oracle.rules)
 * 1:7103 <-> DISABLED <-> MALWARE-CNC gwboy 0.92 variant outbound connection (malware-cnc.rules)
 * 1:7631 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set (malware-backdoor.rules)
 * 1:7635 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
 * 1:7785 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection - connection with password (malware-backdoor.rules)
 * 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
 * 1:7789 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client (malware-backdoor.rules)
 * 1:8361 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection (malware-backdoor.rules)
 * 1:8362 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection (malware-backdoor.rules)
 * 1:6471 <-> DISABLED <-> SERVER-OTHER RealVNC password authentication bypass attempt (server-other.rules)
 * 1:7788 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server (malware-backdoor.rules)

2020-03-05 14:28:55 UTC

Snort Subscriber Rules Update

Date: 2020-03-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
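The entry format above is regular enough to be parsed mechanically, which is how most shops consume these changelogs: pull out which rules ship ENABLED versus DISABLED, and decide which of the DISABLED ones to switch on for their own policy. The following is an added example written for this page, not code from Talos or from the Snort project. It parses the `gid:sid <-> state <-> message (group)` lines, summarises default states per section, lists the gid 3 shared-object rules separately, and emits `gid:sid` lines for DISABLED rules in a chosen rule file; that last output is assumed to feed a pulledpork `enablesid.conf`, which is a downstream use this changelog itself does not mention. The sample input is a constructed excerpt of a few lines copied from this changelog, including a header line the parser must ignore and a message with stray trailing spaces.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One changelog entry, as described by the "format of the file" line:
#   * gid:sid <-> ENABLED|DISABLED <-> message (rule-file.rules)
# The message is matched lazily so trailing spaces before the "(" are dropped.
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    category: str   # first token of the message, e.g. MALWARE-CNC
    msg: str        # full message text, trailing whitespace removed
    group: str      # rule file the entry names, e.g. malware-cnc.rules
    section: str    # "new" or "modified"


def parse_changelog(text):
    """Return the entries of one Talos changelog as RuleEntry records.

    Lines outside the "New Rules:" / "Modified Rules:" sections (headers,
    the format description) are ignored."""
    entries, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if section is None or not m:
            continue
        msg = m.group("msg")
        entries.append(RuleEntry(
            gid=int(m.group("gid")), sid=int(m.group("sid")),
            enabled=(m.group("state") == "ENABLED"),
            category=msg.split(" ", 1)[0], msg=msg,
            group=m.group("group"), section=section,
        ))
    return entries


def state_summary(entries):
    """Count entries per (section, default state)."""
    return Counter((e.section, "ENABLED" if e.enabled else "DISABLED") for e in entries)


def enablesid_lines(entries, groups):
    """gid:sid lines, sorted numerically, for rules that ship DISABLED in the
    given rule files. Assumed downstream use: a pulledpork enablesid.conf.
    Review each one for false-positive risk before turning it on."""
    wanted = {(e.gid, e.sid) for e in entries if not e.enabled and e.group in groups}
    return [f"{gid}:{sid}" for gid, sid in sorted(wanted)]


def shared_object_rules(entries):
    """gid 3 entries are shared-object (precompiled) rules; they only load with
    the SO pack built for the exact Snort version named in the changelog."""
    return sorted((e.gid, e.sid) for e in entries if e.gid == 3)


# Constructed sample: a few lines copied from this changelog, plus a header
# line that must be ignored and a message with stray trailing spaces.
SAMPLE = """\
Date: 2020-03-05

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53396 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (indicator-compromise.rules)
 * 3:53388 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)

Modified Rules:


 * 1:39995 <-> DISABLED <-> POLICY-SOCIAL IRC server connection (policy-social.rules)
 * 1:41531 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41525 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt  (server-other.rules)
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    for key, n in sorted(state_summary(parsed).items()):
        print(f"{key[0]:>8} {key[1]:<8} {n}")
    print("enablesid candidates:", enablesid_lines(parsed, {"indicator-compromise.rules"}))
    print("shared-object rules:", shared_object_rules(parsed))
```

Two practical notes. The state column is Talos's shipped default, not a verdict on detection value: the SOCKS5 and IRC rules above are DISABLED because they fire on legitimate traffic in many networks, so enabling them is a per-site decision, and the generated list is a starting point for review rather than something to apply blindly. And gid 3 rules are shared-object rules tied to a specific Snort build, which is why this page carries a separate changelog per Snort version; treat the `gid:sid` from one version's list as valid only against that version's SO pack.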

New Rules:


 * 1:53396 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53399 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
 * 1:53394 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53398 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
 * 1:53397 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (indicator-compromise.rules)
 * 1:53401 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.snoopy TCP connection attempt (indicator-compromise.rules)
 * 1:53395 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
 * 3:53392 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar AddObject request detected (policy-other.rules)
 * 3:53391 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53387 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53388 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53393 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar EditAdmin request detected (policy-other.rules)
 * 3:53389 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53390 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53386 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53385 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53384 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)

Modified Rules:


 * 1:53214 <-> DISABLED <-> PROTOCOL-OTHER Cesanta Mongoose MQTT integer overflow attempt (protocol-other.rules)
 * 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
 * 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound connection (malware-cnc.rules)
 * 1:8361 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection (malware-backdoor.rules)
 * 1:8362 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection (malware-backdoor.rules)
 * 1:7788 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server (malware-backdoor.rules)
 * 1:7789 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client (malware-backdoor.rules)
 * 1:7635 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
 * 1:7785 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection - connection with password (malware-backdoor.rules)
 * 1:7103 <-> DISABLED <-> MALWARE-CNC gwboy 0.92 variant outbound connection (malware-cnc.rules)
 * 1:7631 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set (malware-backdoor.rules)
 * 1:6469 <-> ENABLED <-> SERVER-OTHER RealVNC connection attempt (server-other.rules)
 * 1:6471 <-> DISABLED <-> SERVER-OTHER RealVNC password authentication bypass attempt (server-other.rules)
 * 1:5999 <-> DISABLED <-> PUA-P2P Skype client login (pua-p2p.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
 * 1:5998 <-> ENABLED <-> PUA-P2P Skype client login startup (pua-p2p.rules)
 * 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
 * 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
 * 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (netbios.rules)
 * 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound connection (malware-cnc.rules)
 * 1:41531 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
 * 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
 * 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound connection (malware-cnc.rules)
 * 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
 * 1:542 <-> DISABLED <-> POLICY-SOCIAL IRC nick change (policy-social.rules)
 * 1:34997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant HTTP Response (malware-cnc.rules)
 * 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:36132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (malware-cnc.rules)
 * 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:33985 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
 * 1:36115 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Liudoor outbound connection (malware-cnc.rules)
 * 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (malware-cnc.rules)
 * 1:34847 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
 * 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (malware-cnc.rules)
 * 1:34339 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Cybergate outbound connection (malware-cnc.rules)
 * 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
 * 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
 * 1:36133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:32009 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command (malware-cnc.rules)
 * 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)
 * 1:36134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
 * 1:32609 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:34934 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pheloyx outbound connection (malware-cnc.rules)
 * 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
 * 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
 * 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:35630 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
 * 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (malware-cnc.rules)
 * 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
 * 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt  (server-other.rules)
 * 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)
 * 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
 * 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
 * 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (malware-cnc.rules)
 * 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
 * 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
 * 1:35631 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
 * 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection (malware-cnc.rules)
 * 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (malware-cnc.rules)
 * 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
 * 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
 * 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection  (malware-cnc.rules)
 * 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
 * 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:41528 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
 * 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:39576 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39574 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules)
 * 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
 * 1:41533 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41526 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:39582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt (malware-cnc.rules)
 * 1:39580 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:39583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt (malware-cnc.rules)
 * 1:41527 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:39995 <-> DISABLED <-> POLICY-SOCIAL IRC server connection (policy-social.rules)
 * 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules)
 * 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
 * 1:41219 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server Fabric denial of service attempt (server-other.rules)
 * 1:39577 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:41532 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41529 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
 * 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (server-other.rules)
 * 1:39080 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
 * 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
 * 1:39581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection (malware-cnc.rules)
 * 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:41534 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
 * 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
 * 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
 * 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules)
 * 1:41530 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:39573 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39584 <-> DISABLED <-> SERVER-OTHER EasyCafe Server remote file access attempt (server-other.rules)
 * 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (malware-cnc.rules)
 * 1:39578 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection (malware-cnc.rules)
 * 1:39579 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
 * 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
 * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
 * 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:41525 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:39575 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound connection (malware-cnc.rules)
 * 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
 * 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound connection (malware-cnc.rules)
 * 1:31805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dizk variant outbound connection (malware-cnc.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules)
 * 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
 * 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
 * 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
 * 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules)
 * 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules)
 * 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
 * 1:17710 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
 * 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet  (os-windows.rules)
 * 1:1729 <-> DISABLED <-> POLICY-SOCIAL IRC channel join (policy-social.rules)
 * 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules)
 * 1:16576 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (server-other.rules)
 * 1:1641 <-> DISABLED <-> SERVER-OTHER DB2 dos attempt (server-other.rules)
 * 1:16358 <-> DISABLED <-> MALWARE-CNC bugsprey variant outbound connection (malware-cnc.rules)
 * 1:16271 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TDSS.1.Gen keepalive detection (malware-cnc.rules)
 * 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules)
 * 1:16091 <-> DISABLED <-> SERVER-OTHER Macromedia Flash Media Server administration service denial of service attempt (server-other.rules)
 * 1:16093 <-> ENABLED <-> MALWARE-CNC bugsprey variant inbound connection (malware-cnc.rules)
 * 1:15892 <-> DISABLED <-> SERVER-OTHER SAPLPD 0x53 command denial of service attempt (server-other.rules)
 * 1:15930 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (os-windows.rules)
 * 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
 * 1:1545 <-> DISABLED <-> SERVER-OTHER Cisco denial of service attempt (server-other.rules)
 * 1:14607 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
 * 1:1463 <-> DISABLED <-> POLICY-SOCIAL IRC message (policy-social.rules)
 * 1:12904 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
 * 1:1408 <-> DISABLED <-> SERVER-OTHER MSDTC attempt (server-other.rules)
 * 1:12359 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk data length field overflow attempt (protocol-voip.rules)
 * 1:1253 <-> DISABLED <-> PROTOCOL-TELNET bsd exploit client finishing (protocol-telnet.rules)
 * 1:12082 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS denial of service attempt (server-oracle.rules)
 * 1:12147 <-> DISABLED <-> MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection (malware-backdoor.rules)
 * 1:10442 <-> DISABLED <-> MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive (malware-backdoor.rules)
 * 1:11317 <-> DISABLED <-> MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection (malware-backdoor.rules)
 * 1:28858 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
 * 1:28996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (malware-cnc.rules)
 * 1:28799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mxtcycle variant outbound connection (malware-cnc.rules)
 * 1:28857 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
 * 1:28542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
 * 1:28543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
 * 1:28418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Dtcontx outbound connection (malware-cnc.rules)
 * 1:28419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesch variant outbound connection (malware-cnc.rules)
 * 1:28144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Win32.Wpbrutebot variant connection (malware-cnc.rules)
 * 1:28156 <-> DISABLED <-> PUA-ADWARE Linkury outbound time check (pua-adware.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
 * 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
 * 1:27022 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
 * 1:27023 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
 * 1:26961 <-> ENABLED <-> EXPLOIT-KIT Flim exploit kit landing page (exploit-kit.rules)
 * 1:26966 <-> ENABLED <-> MALWARE-CNC Win32/Autorun.JN variant outbound connection (malware-cnc.rules)
 * 1:26605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules)
 * 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
 * 1:26604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:26202 <-> DISABLED <-> MALWARE-CNC VBS.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (malware-cnc.rules)
 * 1:25865 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25599 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupboot variant outbound connection (malware-cnc.rules)
 * 1:25610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection (malware-cnc.rules)
 * 1:25547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
 * 1:25356 <-> DISABLED <-> SERVER-OTHER Squid Gopher response processing buffer overflow attempt (server-other.rules)
 * 1:25530 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Recslurp variant outbound connection (malware-cnc.rules)
 * 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
 * 1:24446 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt (server-other.rules)
 * 1:24720 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt (protocol-voip.rules)
 * 1:24293 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC buffer overflow attempt (server-other.rules)
 * 1:24395 <-> DISABLED <-> MALWARE-OTHER itsoknoproblembro TCP flood (malware-other.rules)
 * 1:23787 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Locotout variant outbound connection (malware-cnc.rules)
 * 1:24010 <-> DISABLED <-> MALWARE-CNC runtime Trojan.Radil variant outbound connection (malware-cnc.rules)
 * 1:23252 <-> DISABLED <-> MALWARE-CNC MacOS.MacKontrol variant outbound connection (malware-cnc.rules)
 * 1:23460 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Belesak.A variant outbound connection (malware-cnc.rules)
 * 1:21972 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection (malware-backdoor.rules)
 * 1:22048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus P2P outbound connection (malware-cnc.rules)
 * 1:21228 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cerberat variant outbound connection (malware-cnc.rules)
 * 1:21483 <-> DISABLED <-> PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt (protocol-scada.rules)
 * 1:21224 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MacOS.DevilRobber.A variant outbound connection (malware-cnc.rules)
 * 1:21227 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bulknet variant outbound connection (malware-cnc.rules)
 * 1:21221 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A variant outbound connection (malware-cnc.rules)
 * 1:21222 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kcahneila.A variant outbound connection (malware-cnc.rules)
 * 1:21212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hupigon.nkor variant outbound connection (malware-cnc.rules)
 * 1:21220 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A inbound connection (malware-cnc.rules)
 * 1:21177 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ganipin.A inbound connection (malware-cnc.rules)
 * 1:21208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RShot.brw variant outbound connection (malware-cnc.rules)
 * 1:20094 <-> DISABLED <-> INDICATOR-COMPROMISE IRC message on non-standard port (indicator-compromise.rules)
 * 1:20109 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zombie.sm variant outbound connection (malware-cnc.rules)
 * 1:20089 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
 * 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (indicator-compromise.rules)
 * 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (malware-cnc.rules)
 * 1:20008 <-> DISABLED <-> MALWARE-CNC Malware PDFMarca.A runtime traffic detected (malware-cnc.rules)
 * 1:19726 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Poison variant outbound connection (malware-cnc.rules)
 * 1:19732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Idicaf variant outbound connection (malware-cnc.rules)
 * 1:19354 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection (malware-backdoor.rules)
 * 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
 * 1:18950 <-> DISABLED <-> OS-WINDOWS Microsoft WINS service oversize payload exploit attempt (os-windows.rules)
 * 1:29087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kboy variant outbound connection (malware-cnc.rules)
 * 1:29115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alset variant outbound connection (malware-cnc.rules)
 * 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules)
 * 1:29295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boda variant initial outbound connection (malware-cnc.rules)
 * 1:29135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bfddos variant outbound connection (malware-cnc.rules)
 * 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound connection (malware-cnc.rules)
 * 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound connection (malware-cnc.rules)
 * 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
 * 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (malware-cnc.rules)
 * 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
 * 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (malware-cnc.rules)
 * 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
 * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
 * 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound connection (malware-cnc.rules)
 * 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
 * 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (malware-cnc.rules)
 * 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (malware-cnc.rules)
 * 1:30978 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
 * 1:30986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed inbound shell command attempt (malware-cnc.rules)
 * 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
 * 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection (malware-cnc.rules)
 * 1:30812 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
 * 1:30810 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30811 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30808 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (malware-cnc.rules)
 * 1:30752 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesyong outbound connection (malware-cnc.rules)
 * 1:30524 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
 * 1:30525 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
 * 1:30298 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Cloudoten variant inbound connection (malware-cnc.rules)
 * 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
 * 1:29882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WEC variant outbound connection (malware-cnc.rules)
 * 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules)
 * 1:29440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chewbacca outbound connection (malware-cnc.rules)
 * 1:29581 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
 * 1:29389 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alusins variant outbound connection (malware-cnc.rules)
 * 1:29430 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Icefog variant outbound connection (malware-cnc.rules)
 * 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules)
 * 1:29380 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic (malware-cnc.rules)
 * 1:29368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant followup outbound connection (malware-cnc.rules)
 * 1:29378 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic (malware-cnc.rules)
 * 1:29325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Horsamaz outbound connection (malware-cnc.rules)
 * 1:29364 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt (malware-other.rules)
 * 1:29307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fraxytime outbound connection (malware-cnc.rules)

2020-03-05 14:28:55 UTC

Snort Subscriber Rules Update

Date: 2020-03-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53395 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (snort3-malware-tools.rules)
 * 1:53394 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (snort3-malware-tools.rules)
 * 1:53401 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.snoopy TCP connection attempt (snort3-indicator-compromise.rules)
 * 1:53399 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (snort3-malware-tools.rules)
 * 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (snort3-indicator-compromise.rules)
 * 1:53397 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (snort3-malware-tools.rules)
 * 1:53398 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (snort3-malware-tools.rules)
 * 1:53396 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (snort3-malware-tools.rules)

Modified Rules:


 * 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (snort3-protocol-scada.rules)
 * 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (snort3-malware-cnc.rules)
 * 1:39574 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (snort3-malware-cnc.rules)
 * 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (snort3-malware-cnc.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (snort3-malware-cnc.rules)
 * 1:41525 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
 * 1:41527 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
 * 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (snort3-malware-cnc.rules)
 * 1:41532 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
 * 1:41534 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (snort3-indicator-compromise.rules)
 * 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (snort3-file-other.rules)
 * 1:39576 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (snort3-malware-cnc.rules)
 * 1:5999 <-> DISABLED <-> PUA-P2P Skype client login (snort3-pua-p2p.rules)
 * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (snort3-malware-cnc.rules)
 * 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (snort3-file-other.rules)
 * 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (snort3-malware-cnc.rules)
 * 1:53214 <-> DISABLED <-> PROTOCOL-OTHER Cesanta Mongoose MQTT integer overflow attempt (snort3-protocol-other.rules)
 * 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (snort3-indicator-compromise.rules)
 * 1:39080 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (snort3-malware-cnc.rules)
 * 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection (snort3-malware-cnc.rules)
 * 1:41531 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
 * 1:39573 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (snort3-malware-cnc.rules)
 * 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (snort3-protocol-other.rules)
 * 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (snort3-file-other.rules)
 * 1:41530 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
 * 1:39579 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (snort3-malware-cnc.rules)
 * 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (snort3-server-other.rules)
 * 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (snort3-malware-cnc.rules)
 * 1:39577 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (snort3-malware-cnc.rules)
 * 1:39583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt (snort3-malware-cnc.rules)
 * 1:41529 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
 * 1:41533 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
 * 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (snort3-protocol-scada.rules)
 * 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (snort3-malware-cnc.rules)
 * 1:39575 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (snort3-malware-cnc.rules)
 * 1:41526 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
 * 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (snort3-file-other.rules)
 * 1:39582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt (snort3-malware-cnc.rules)
 * 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (snort3-malware-cnc.rules)
 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (snort3-malware-cnc.rules)
 * 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (snort3-file-other.rules)
 * 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (snort3-file-flash.rules)
 * 1:6469 <-> ENABLED <-> SERVER-OTHER RealVNC connection attempt (snort3-server-other.rules)
 * 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (snort3-malware-cnc.rules)
 * 1:39580 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (snort3-malware-cnc.rules)
 * 1:39584 <-> DISABLED <-> SERVER-OTHER EasyCafe Server remote file access attempt (snort3-server-other.rules)
 * 1:39581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection (snort3-malware-cnc.rules)
 * 1:10442 <-> DISABLED <-> MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive (snort3-malware-backdoor.rules)
 * 1:11317 <-> DISABLED <-> MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection (snort3-malware-backdoor.rules)
 * 1:12082 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS denial of service attempt (snort3-server-oracle.rules)
 * 1:41219 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server Fabric denial of service attempt (snort3-server-other.rules)
 * 1:12147 <-> DISABLED <-> MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection (snort3-malware-backdoor.rules)
 * 1:12359 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk data length field overflow attempt (snort3-protocol-voip.rules)
 * 1:1253 <-> DISABLED <-> PROTOCOL-TELNET bsd exploit client finishing (snort3-protocol-telnet.rules)
 * 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (snort3-file-other.rules)
 * 1:12904 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (snort3-server-other.rules)
 * 1:1408 <-> DISABLED <-> SERVER-OTHER MSDTC attempt (snort3-server-other.rules)
 * 1:14607 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (snort3-server-other.rules)
 * 1:1463 <-> DISABLED <-> POLICY-SOCIAL IRC message (snort3-policy-social.rules)
 * 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (snort3-content-replace.rules)
 * 1:1545 <-> DISABLED <-> SERVER-OTHER Cisco denial of service attempt (snort3-server-other.rules)
 * 1:15892 <-> DISABLED <-> SERVER-OTHER SAPLPD 0x53 command denial of service attempt (snort3-server-other.rules)
 * 1:6471 <-> DISABLED <-> SERVER-OTHER RealVNC password authentication bypass attempt (snort3-server-other.rules)
 * 1:15930 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (snort3-os-windows.rules)
 * 1:16091 <-> DISABLED <-> SERVER-OTHER Macromedia Flash Media Server administration service denial of service attempt (snort3-server-other.rules)
 * 1:16093 <-> ENABLED <-> MALWARE-CNC bugsprey variant inbound connection (snort3-malware-cnc.rules)
 * 1:16271 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TDSS.1.Gen keepalive detection (snort3-malware-cnc.rules)
 * 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (snort3-browser-ie.rules)
 * 1:16358 <-> DISABLED <-> MALWARE-CNC bugsprey variant outbound connection (snort3-malware-cnc.rules)
 * 1:1641 <-> DISABLED <-> SERVER-OTHER DB2 dos attempt (snort3-server-other.rules)
 * 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (snort3-os-windows.rules)
 * 1:16576 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (snort3-server-other.rules)
 * 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet  (snort3-os-windows.rules)
 * 1:1729 <-> DISABLED <-> POLICY-SOCIAL IRC channel join (snort3-policy-social.rules)
 * 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (snort3-server-mail.rules)
 * 1:17710 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (snort3-server-other.rules)
 * 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (snort3-os-windows.rules)
 * 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (snort3-os-windows.rules)
 * 1:18950 <-> DISABLED <-> OS-WINDOWS Microsoft WINS service oversize payload exploit attempt (snort3-os-windows.rules)
 * 1:19354 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection (snort3-malware-backdoor.rules)
 * 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (snort3-malware-cnc.rules)
 * 1:19726 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Poison variant outbound connection (snort3-malware-cnc.rules)
 * 1:19732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Idicaf variant outbound connection (snort3-malware-cnc.rules)
 * 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (snort3-malware-cnc.rules)
 * 1:20008 <-> DISABLED <-> MALWARE-CNC Malware PDFMarca.A runtime traffic detected (snort3-malware-cnc.rules)
 * 1:20089 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (snort3-indicator-compromise.rules)
 * 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (snort3-indicator-compromise.rules)
 * 1:20094 <-> DISABLED <-> INDICATOR-COMPROMISE IRC message on non-standard port (snort3-indicator-compromise.rules)
 * 1:20109 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zombie.sm variant outbound connection (snort3-malware-cnc.rules)
 * 1:21177 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ganipin.A inbound connection (snort3-malware-cnc.rules)
 * 1:21208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RShot.brw variant outbound connection (snort3-malware-cnc.rules)
 * 1:21212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hupigon.nkor variant outbound connection (snort3-malware-cnc.rules)
 * 1:21220 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A inbound connection (snort3-malware-cnc.rules)
 * 1:21221 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A variant outbound connection (snort3-malware-cnc.rules)
 * 1:21222 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kcahneila.A variant outbound connection (snort3-malware-cnc.rules)
 * 1:21224 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MacOS.DevilRobber.A variant outbound connection (snort3-malware-cnc.rules)
 * 1:21227 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bulknet variant outbound connection (snort3-malware-cnc.rules)
 * 1:21228 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cerberat variant outbound connection (snort3-malware-cnc.rules)
 * 1:21483 <-> DISABLED <-> PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt (snort3-protocol-scada.rules)
 * 1:21972 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection (snort3-malware-backdoor.rules)
 * 1:22048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus P2P outbound connection (snort3-malware-cnc.rules)
 * 1:23252 <-> DISABLED <-> MALWARE-CNC MacOS.MacKontrol variant outbound connection (snort3-malware-cnc.rules)
 * 1:23460 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Belesak.A variant outbound connection (snort3-malware-cnc.rules)
 * 1:23787 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Locotout variant outbound connection (snort3-malware-cnc.rules)
 * 1:24010 <-> DISABLED <-> MALWARE-CNC runtime Trojan.Radil variant outbound connection (snort3-malware-cnc.rules)
 * 1:24293 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC buffer overflow attempt (snort3-server-other.rules)
 * 1:24395 <-> DISABLED <-> MALWARE-OTHER itsoknoproblembro TCP flood (snort3-malware-other.rules)
 * 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (snort3-malware-cnc.rules)
 * 1:24446 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt (snort3-server-other.rules)
 * 1:24720 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt (snort3-protocol-voip.rules)
 * 1:25025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Recslurp variant outbound connection (snort3-malware-cnc.rules)
 * 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (snort3-malware-cnc.rules)
 * 1:25356 <-> DISABLED <-> SERVER-OTHER Squid Gopher response processing buffer overflow attempt (snort3-server-other.rules)
 * 1:25530 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (snort3-malware-backdoor.rules)
 * 1:542 <-> DISABLED <-> POLICY-SOCIAL IRC nick change (snort3-policy-social.rules)
 * 1:25547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:5998 <-> ENABLED <-> PUA-P2P Skype client login startup (snort3-pua-p2p.rules)
 * 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (snort3-malware-cnc.rules)
 * 1:39995 <-> DISABLED <-> POLICY-SOCIAL IRC server connection (snort3-policy-social.rules)
 * 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (snort3-server-other.rules)
 * 1:41528 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
 * 1:39578 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection (snort3-malware-cnc.rules)
 * 1:7103 <-> DISABLED <-> MALWARE-CNC gwboy 0.92 variant outbound connection (snort3-malware-cnc.rules)
 * 1:7631 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set (snort3-malware-backdoor.rules)
 * 1:7635 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (snort3-malware-backdoor.rules)
 * 1:7785 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection - connection with password (snort3-malware-backdoor.rules)
 * 1:7788 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server (snort3-malware-backdoor.rules)
 * 1:7789 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client (snort3-malware-backdoor.rules)
 * 1:8361 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection (snort3-malware-backdoor.rules)
 * 1:8362 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection (snort3-malware-backdoor.rules)
 * 1:25599 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupboot variant outbound connection (snort3-malware-cnc.rules)
 * 1:25610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection (snort3-malware-cnc.rules)
 * 1:25675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (snort3-malware-cnc.rules)
 * 1:25865 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:26202 <-> DISABLED <-> MALWARE-CNC VBS.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (snort3-protocol-ftp.rules)
 * 1:26604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (snort3-malware-cnc.rules)
 * 1:26605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (snort3-malware-cnc.rules)
 * 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (snort3-server-other.rules)
 * 1:26961 <-> ENABLED <-> EXPLOIT-KIT Flim exploit kit landing page (snort3-exploit-kit.rules)
 * 1:26966 <-> ENABLED <-> MALWARE-CNC Win32/Autorun.JN variant outbound connection (snort3-malware-cnc.rules)
 * 1:27022 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (snort3-malware-cnc.rules)
 * 1:27023 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (snort3-malware-cnc.rules)
 * 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (snort3-server-other.rules)
 * 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (snort3-server-other.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (snort3-app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (snort3-app-detect.rules)
 * 1:28144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Win32.Wpbrutebot variant connection (snort3-malware-cnc.rules)
 * 1:28156 <-> DISABLED <-> PUA-ADWARE Linkury outbound time check (snort3-pua-adware.rules)
 * 1:28418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Dtcontx outbound connection (snort3-malware-cnc.rules)
 * 1:28419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesch variant outbound connection (snort3-malware-cnc.rules)
 * 1:28542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (snort3-malware-cnc.rules)
 * 1:28543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (snort3-malware-cnc.rules)
 * 1:28799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mxtcycle variant outbound connection (snort3-malware-cnc.rules)
 * 1:28857 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (snort3-malware-cnc.rules)
 * 1:28858 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (snort3-malware-cnc.rules)
 * 1:28996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (snort3-malware-cnc.rules)
 * 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (snort3-malware-backdoor.rules)
 * 1:29087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kboy variant outbound connection (snort3-malware-cnc.rules)
 * 1:29115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alset variant outbound connection (snort3-malware-cnc.rules)
 * 1:29135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bfddos variant outbound connection (snort3-malware-cnc.rules)
 * 1:29295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boda variant initial outbound connection (snort3-malware-cnc.rules)
 * 1:29307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fraxytime outbound connection (snort3-malware-cnc.rules)
 * 1:29325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Horsamaz outbound connection (snort3-malware-cnc.rules)
 * 1:29364 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt (snort3-malware-other.rules)
 * 1:29368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant followup outbound connection (snort3-malware-cnc.rules)
 * 1:29378 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic (snort3-malware-cnc.rules)
 * 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (snort3-malware-cnc.rules)
 * 1:29380 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic (snort3-malware-cnc.rules)
 * 1:29389 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alusins variant outbound connection (snort3-malware-cnc.rules)
 * 1:29430 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Icefog variant outbound connection (snort3-malware-cnc.rules)
 * 1:29440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chewbacca outbound connection (snort3-malware-cnc.rules)
 * 1:29581 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (snort3-server-other.rules)
 * 1:29882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WEC variant outbound connection (snort3-malware-cnc.rules)
 * 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (snort3-malware-other.rules)
 * 1:30298 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Cloudoten variant inbound connection (snort3-malware-cnc.rules)
 * 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (snort3-malware-cnc.rules)
 * 1:30524 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt (snort3-server-other.rules)
 * 1:30525 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt (snort3-server-other.rules)
 * 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (snort3-malware-cnc.rules)
 * 1:30752 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesyong outbound connection (snort3-malware-cnc.rules)
 * 1:30804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
 * 1:30805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
 * 1:30806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
 * 1:30807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
 * 1:30808 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
 * 1:30809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
 * 1:30810 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
 * 1:30811 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
 * 1:30812 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
 * 1:30883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (snort3-malware-cnc.rules)
 * 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (snort3-server-mail.rules)
 * 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection (snort3-malware-cnc.rules)
 * 1:30978 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (snort3-malware-cnc.rules)
 * 1:30986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed inbound shell command attempt (snort3-malware-cnc.rules)
 * 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (snort3-malware-cnc.rules)
 * 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (snort3-malware-cnc.rules)
 * 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound connection (snort3-malware-cnc.rules)
 * 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (snort3-malware-cnc.rules)
 * 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (snort3-malware-cnc.rules)
 * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (snort3-app-detect.rules)
 * 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (snort3-malware-cnc.rules)
 * 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (snort3-malware-cnc.rules)
 * 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (snort3-malware-cnc.rules)
 * 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (snort3-malware-cnc.rules)
 * 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound connection (snort3-malware-cnc.rules)
 * 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound connection (snort3-malware-cnc.rules)
 * 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound connection (snort3-malware-cnc.rules)
 * 1:31805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dizk variant outbound connection (snort3-malware-cnc.rules)
 * 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound connection (snort3-malware-cnc.rules)
 * 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (snort3-malware-cnc.rules)
 * 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound connection (snort3-malware-cnc.rules)
 * 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (snort3-malware-backdoor.rules)
 * 1:32009 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command (snort3-malware-cnc.rules)
 * 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (snort3-malware-cnc.rules)
 * 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (snort3-malware-cnc.rules)
 * 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (snort3-file-flash.rules)
 * 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (snort3-malware-cnc.rules)
 * 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (snort3-malware-cnc.rules)
 * 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (snort3-malware-cnc.rules)
 * 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (snort3-malware-cnc.rules)
 * 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (snort3-malware-cnc.rules)
 * 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (snort3-malware-cnc.rules)
 * 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (snort3-malware-cnc.rules)
 * 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (snort3-malware-cnc.rules)
 * 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (snort3-malware-cnc.rules)
 * 1:32609 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (snort3-malware-cnc.rules)
 * 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (snort3-malware-cnc.rules)
 * 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (snort3-malware-cnc.rules)
 * 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (snort3-malware-cnc.rules)
 * 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (snort3-malware-cnc.rules)
 * 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound connection (snort3-malware-cnc.rules)
 * 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (snort3-malware-cnc.rules)
 * 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (snort3-malware-cnc.rules)
 * 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (snort3-malware-cnc.rules)
 * 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (snort3-malware-other.rules)
 * 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (snort3-malware-cnc.rules)
 * 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (snort3-malware-cnc.rules)
 * 1:33985 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (snort3-malware-cnc.rules)
 * 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (snort3-server-other.rules)
 * 1:34339 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Cybergate outbound connection (snort3-malware-cnc.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (snort3-malware-backdoor.rules)
 * 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (snort3-malware-cnc.rules)
 * 1:34847 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (snort3-malware-cnc.rules)
 * 1:34934 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pheloyx outbound connection (snort3-malware-cnc.rules)
 * 1:34997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant HTTP Response (snort3-malware-cnc.rules)
 * 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (snort3-malware-cnc.rules)
 * 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection  (snort3-malware-cnc.rules)
 * 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (snort3-malware-cnc.rules)
 * 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (snort3-malware-cnc.rules)
 * 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (snort3-malware-cnc.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (snort3-os-solaris.rules)
 * 1:35630 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (snort3-server-other.rules)
 * 1:35631 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (snort3-server-other.rules)
 * 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt  (snort3-server-other.rules)
 * 1:36115 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Liudoor outbound connection (snort3-malware-cnc.rules)
 * 1:36132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (snort3-malware-cnc.rules)
 * 1:36133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (snort3-malware-cnc.rules)
 * 1:36134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (snort3-malware-cnc.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (snort3-server-webapp.rules)
 * 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (snort3-malware-cnc.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (snort3-malware-cnc.rules)
 * 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (snort3-malware-cnc.rules)
 * 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (snort3-malware-cnc.rules)
 * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (snort3-server-other.rules)
 * 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (snort3-netbios.rules)
 * 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (snort3-file-other.rules)
 * 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (snort3-file-other.rules)
 * 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (snort3-file-other.rules)
 * 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (snort3-file-other.rules)
 * 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (snort3-file-other.rules)
 * 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (snort3-server-other.rules)
 * 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (snort3-file-flash.rules)
 * 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (snort3-file-other.rules)
 * 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (snort3-file-other.rules)
 * 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (snort3-file-other.rules)
 * 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (snort3-malware-cnc.rules)
 * 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound connection (snort3-malware-cnc.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (snort3-malware-cnc.rules)
 * 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (snort3-malware-backdoor.rules)
 * 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (snort3-malware-cnc.rules)
 * 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (snort3-malware-cnc.rules)
 * 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (snort3-malware-cnc.rules)
 * 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (snort3-malware-cnc.rules)
 * 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (snort3-malware-cnc.rules)
 * 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (snort3-malware-cnc.rules)
 * 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (snort3-malware-cnc.rules)
 * 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (snort3-malware-cnc.rules)
 * 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (snort3-indicator-compromise.rules)
 * 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (snort3-malware-cnc.rules)

2020-03-05 14:28:55 UTC

Snort Subscriber Rules Update

Date: 2020-03-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53395 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53399 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
 * 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (indicator-compromise.rules)
 * 1:53397 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53401 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.snoopy TCP connection attempt (indicator-compromise.rules)
 * 1:53394 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53396 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
 * 1:53398 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
 * 3:53388 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53391 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53385 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53390 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53387 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53389 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
 * 3:53384 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53386 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53392 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar AddObject request detected (policy-other.rules)
 * 3:53393 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar EditAdmin request detected (policy-other.rules)

Modified Rules:


 * 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
 * 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
 * 1:23460 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Belesak.A variant outbound connection (malware-cnc.rules)
 * 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
 * 1:21483 <-> DISABLED <-> PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt (protocol-scada.rules)
 * 1:22048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus P2P outbound connection (malware-cnc.rules)
 * 1:23252 <-> DISABLED <-> MALWARE-CNC MacOS.MacKontrol variant outbound connection (malware-cnc.rules)
 * 1:21972 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection (malware-backdoor.rules)
 * 1:21227 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bulknet variant outbound connection (malware-cnc.rules)
 * 1:21228 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cerberat variant outbound connection (malware-cnc.rules)
 * 1:21224 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MacOS.DevilRobber.A variant outbound connection (malware-cnc.rules)
 * 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:41532 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:21212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hupigon.nkor variant outbound connection (malware-cnc.rules)
 * 1:41528 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41531 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules)
 * 1:39581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection (malware-cnc.rules)
 * 1:41530 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
 * 1:41525 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:39583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt (malware-cnc.rules)
 * 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
 * 1:41219 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server Fabric denial of service attempt (server-other.rules)
 * 1:39577 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
 * 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules)
 * 1:39578 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection (malware-cnc.rules)
 * 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection (malware-cnc.rules)
 * 1:5998 <-> ENABLED <-> PUA-P2P Skype client login startup (pua-p2p.rules)
 * 1:39995 <-> DISABLED <-> POLICY-SOCIAL IRC server connection (policy-social.rules)
 * 1:21221 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A variant outbound connection (malware-cnc.rules)
 * 1:8361 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection (malware-backdoor.rules)
 * 1:39579 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:39576 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
 * 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:39582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt (malware-cnc.rules)
 * 1:41526 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
 * 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:39080 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
 * 1:39574 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:41529 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:39575 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:41533 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:39573 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
 * 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (malware-cnc.rules)
 * 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules)
 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
 * 1:39584 <-> DISABLED <-> SERVER-OTHER EasyCafe Server remote file access attempt (server-other.rules)
 * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
 * 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
 * 1:20094 <-> DISABLED <-> INDICATOR-COMPROMISE IRC message on non-standard port (indicator-compromise.rules)
 * 1:1253 <-> DISABLED <-> PROTOCOL-TELNET bsd exploit client finishing (protocol-telnet.rules)
 * 1:12147 <-> DISABLED <-> MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection (malware-backdoor.rules)
 * 1:10442 <-> DISABLED <-> MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive (malware-backdoor.rules)
 * 1:11317 <-> DISABLED <-> MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection (malware-backdoor.rules)
 * 1:12082 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS denial of service attempt (server-oracle.rules)
 * 1:12359 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk data length field overflow attempt (protocol-voip.rules)
 * 1:1463 <-> DISABLED <-> POLICY-SOCIAL IRC message (policy-social.rules)
 * 1:1408 <-> DISABLED <-> SERVER-OTHER MSDTC attempt (server-other.rules)
 * 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
 * 1:29882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WEC variant outbound connection (malware-cnc.rules)
 * 1:29378 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic (malware-cnc.rules)
 * 1:29440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chewbacca outbound connection (malware-cnc.rules)
 * 1:29380 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic (malware-cnc.rules)
 * 1:29307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fraxytime outbound connection (malware-cnc.rules)
 * 1:29389 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alusins variant outbound connection (malware-cnc.rules)
 * 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules)
 * 1:29364 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt (malware-other.rules)
 * 1:29368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant followup outbound connection (malware-cnc.rules)
 * 1:29087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kboy variant outbound connection (malware-cnc.rules)
 * 1:29325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Horsamaz outbound connection (malware-cnc.rules)
 * 1:29135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bfddos variant outbound connection (malware-cnc.rules)
 * 1:29115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alset variant outbound connection (malware-cnc.rules)
 * 1:28857 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
 * 1:29295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boda variant initial outbound connection (malware-cnc.rules)
 * 1:28996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (malware-cnc.rules)
 * 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules)
 * 1:28419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesch variant outbound connection (malware-cnc.rules)
 * 1:28858 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
 * 1:28543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
 * 1:28799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mxtcycle variant outbound connection (malware-cnc.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:28542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
 * 1:28156 <-> DISABLED <-> PUA-ADWARE Linkury outbound time check (pua-adware.rules)
 * 1:28418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Dtcontx outbound connection (malware-cnc.rules)
 * 1:27023 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
 * 1:28144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Win32.Wpbrutebot variant connection (malware-cnc.rules)
 * 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules)
 * 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
 * 1:26966 <-> ENABLED <-> MALWARE-CNC Win32/Autorun.JN variant outbound connection (malware-cnc.rules)
 * 1:27022 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
 * 1:26202 <-> DISABLED <-> MALWARE-CNC VBS.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:26961 <-> ENABLED <-> EXPLOIT-KIT Flim exploit kit landing page (exploit-kit.rules)
 * 1:26604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:26605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:25610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection (malware-cnc.rules)
 * 1:25865 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
 * 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25530 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (malware-cnc.rules)
 * 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
 * 1:25599 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupboot variant outbound connection (malware-cnc.rules)
 * 1:24720 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt (protocol-voip.rules)
 * 1:25547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
 * 1:25356 <-> DISABLED <-> SERVER-OTHER Squid Gopher response processing buffer overflow attempt (server-other.rules)
 * 1:24010 <-> DISABLED <-> MALWARE-CNC runtime Trojan.Radil variant outbound connection (malware-cnc.rules)
 * 1:25025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Recslurp variant outbound connection (malware-cnc.rules)
 * 1:24395 <-> DISABLED <-> MALWARE-OTHER itsoknoproblembro TCP flood (malware-other.rules)
 * 1:24446 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt (server-other.rules)
 * 1:20089 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
 * 1:24293 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC buffer overflow attempt (server-other.rules)
 * 1:21220 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A inbound connection (malware-cnc.rules)
 * 1:23787 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Locotout variant outbound connection (malware-cnc.rules)
 * 1:19726 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Poison variant outbound connection (malware-cnc.rules)
 * 1:20109 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zombie.sm variant outbound connection (malware-cnc.rules)
 * 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (malware-cnc.rules)
 * 1:20008 <-> DISABLED <-> MALWARE-CNC Malware PDFMarca.A runtime traffic detected (malware-cnc.rules)
 * 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules)
 * 1:19732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Idicaf variant outbound connection (malware-cnc.rules)
 * 1:18950 <-> DISABLED <-> OS-WINDOWS Microsoft WINS service oversize payload exploit attempt (os-windows.rules)
 * 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
 * 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet (os-windows.rules)
 * 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules)
 * 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
 * 1:17710 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
 * 1:16358 <-> DISABLED <-> MALWARE-CNC bugsprey variant outbound connection (malware-cnc.rules)
 * 1:1729 <-> DISABLED <-> POLICY-SOCIAL IRC channel join (policy-social.rules)
 * 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules)
 * 1:16576 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (server-other.rules)
 * 1:16091 <-> DISABLED <-> SERVER-OTHER Macromedia Flash Media Server administration service denial of service attempt (server-other.rules)
 * 1:1641 <-> DISABLED <-> SERVER-OTHER DB2 dos attempt (server-other.rules)
 * 1:16271 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TDSS.1.Gen keepalive detection (malware-cnc.rules)
 * 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules)
 * 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
 * 1:16093 <-> ENABLED <-> MALWARE-CNC bugsprey variant inbound connection (malware-cnc.rules)
 * 1:15892 <-> DISABLED <-> SERVER-OTHER SAPLPD 0x53 command denial of service attempt (server-other.rules)
 * 1:15930 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (os-windows.rules)
 * 1:12904 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
 * 1:1545 <-> DISABLED <-> SERVER-OTHER Cisco denial of service attempt (server-other.rules)
 * 1:14607 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
 * 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
 * 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)
 * 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (malware-cnc.rules)
 * 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
 * 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (malware-cnc.rules)
 * 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (malware-cnc.rules)
 * 1:32609 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
 * 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound connection (malware-cnc.rules)
 * 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
 * 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
 * 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
 * 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (malware-cnc.rules)
 * 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (malware-cnc.rules)
 * 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
 * 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
 * 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
 * 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
 * 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
 * 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (malware-cnc.rules)
 * 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
 * 1:32009 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command (malware-cnc.rules)
 * 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound connection (malware-cnc.rules)
 * 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound connection (malware-cnc.rules)
 * 1:31805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dizk variant outbound connection (malware-cnc.rules)
 * 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound connection (malware-cnc.rules)
 * 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (malware-cnc.rules)
 * 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound connection (malware-cnc.rules)
 * 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (malware-cnc.rules)
 * 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound connection (malware-cnc.rules)
 * 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
 * 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
 * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
 * 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
 * 1:30986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed inbound shell command attempt (malware-cnc.rules)
 * 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
 * 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (malware-cnc.rules)
 * 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound connection (malware-cnc.rules)
 * 1:30883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
 * 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (malware-cnc.rules)
 * 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection (malware-cnc.rules)
 * 1:30978 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
 * 1:30809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
 * 1:30811 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30812 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30810 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30808 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30525 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
 * 1:30806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:30752 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesyong outbound connection (malware-cnc.rules)
 * 1:30804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
 * 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules)
 * 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (malware-cnc.rules)
 * 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
 * 1:30524 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
 * 1:29430 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Icefog variant outbound connection (malware-cnc.rules)
 * 1:30298 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Cloudoten variant inbound connection (malware-cnc.rules)
 * 1:29581 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
 * 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
 * 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (netbios.rules)
 * 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:36132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
 * 1:36133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
 * 1:36115 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Liudoor outbound connection (malware-cnc.rules)
 * 1:35630 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
 * 1:35631 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
 * 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection (malware-cnc.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
 * 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:34934 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pheloyx outbound connection (malware-cnc.rules)
 * 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection (malware-cnc.rules)
 * 1:34997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant HTTP Response (malware-cnc.rules)
 * 1:33985 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
 * 1:34847 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
 * 1:34339 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Cybergate outbound connection (malware-cnc.rules)
 * 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
 * 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound connection (malware-cnc.rules)
 * 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
 * 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:36134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
 * 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:542 <-> DISABLED <-> POLICY-SOCIAL IRC nick change (policy-social.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:21208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RShot.brw variant outbound connection (malware-cnc.rules)
 * 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
 * 1:19354 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection (malware-backdoor.rules)
 * 1:21222 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kcahneila.A variant outbound connection (malware-cnc.rules)
 * 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (indicator-compromise.rules)
 * 1:41534 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
 * 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:21177 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ganipin.A inbound connection (malware-cnc.rules)
 * 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:39580 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
 * 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
 * 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
 * 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
 * 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (server-other.rules)
 * 1:41527 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
 * 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
 * 1:8362 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection (malware-backdoor.rules)
 * 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules)
 * 1:7789 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client (malware-backdoor.rules)
 * 1:7785 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection - connection with password (malware-backdoor.rules)
 * 1:7788 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server (malware-backdoor.rules)
 * 1:7631 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set (malware-backdoor.rules)
 * 1:7635 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
 * 1:6471 <-> DISABLED <-> SERVER-OTHER RealVNC password authentication bypass attempt (server-other.rules)
 * 1:7103 <-> DISABLED <-> MALWARE-CNC gwboy 0.92 variant outbound connection (malware-cnc.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
 * 1:6469 <-> ENABLED <-> SERVER-OTHER RealVNC connection attempt (server-other.rules)
 * 1:5999 <-> DISABLED <-> PUA-P2P Skype client login (pua-p2p.rules)