VRT Rules 2014-07-29
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the app-detect, blacklist, browser-plugins, exploit, file-flash, file-java, file-office, file-other, file-pdf, indicator-compromise, malware-backdoor, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-07-29 15:28:37 UTC

Sourcefire VRT Rules Update

Date: 2014-07-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound detected (malware-cnc.rules)
 * 1:31538 <-> DISABLED <-> BROWSER-PLUGINS UltraCrypto ActiveX clsid access attempt (browser-plugins.rules)
 * 1:31537 <-> ENABLED <-> FILE-OFFICE Microsoft Access memory corruption attempt (file-office.rules)
 * 1:31547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Yakes variant inbound connection (malware-cnc.rules)
 * 1:31544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Koobface variant outbound connection (malware-cnc.rules)
 * 1:31529 <-> ENABLED <-> SERVER-OTHER D-Link Multiple Products HNAP request buffer overflow attempt (server-other.rules)
 * 1:31528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound detected (malware-cnc.rules)
 * 1:31531 <-> ENABLED <-> INDICATOR-COMPROMISE MinerDeploy monitor request attempt (indicator-compromise.rules)
 * 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
 * 1:31535 <-> ENABLED <-> FILE-OFFICE Microsoft Access memory corruption attempt (file-office.rules)
 * 1:31541 <-> ENABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:31558 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Andromeda variant outbound connection (malware-backdoor.rules)
 * 1:31551 <-> DISABLED <-> FILE-FLASH Adobe Flash Player pcast scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31539 <-> DISABLED <-> BROWSER-PLUGINS UltraCrypto ActiveX clsid access attempt (browser-plugins.rules)
 * 1:31559 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Andromeda variant outbound connection (malware-backdoor.rules)
 * 1:31540 <-> ENABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:31542 <-> DISABLED <-> SERVER-WEBAPP D-Link Multiple Products info.cgi request buffer overflow attempt (server-webapp.rules)
 * 1:31543 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - MSIE 7.0 na - Win.Trojan.Koobface (blacklist.rules)
 * 1:31526 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:31530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:31545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Koobface variant outbound connection (malware-cnc.rules)
 * 1:31525 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:31536 <-> ENABLED <-> FILE-OFFICE Microsoft Access memory corruption attempt (file-office.rules)
 * 1:31546 <-> DISABLED <-> SERVER-WEBAPP Ultimate PHP Board admin_iplog remote code execution attempt (server-webapp.rules)
 * 1:31548 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Yakes variant outbound connection (malware-cnc.rules)
 * 1:31549 <-> DISABLED <-> FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31550 <-> DISABLED <-> FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31552 <-> DISABLED <-> FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31534 <-> ENABLED <-> FILE-OFFICE Microsoft Access memory corruption attempt (file-office.rules)
 * 1:31553 <-> DISABLED <-> FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31533 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xolominer malicious user detected (malware-cnc.rules)
 * 1:31554 <-> DISABLED <-> FILE-FLASH Adobe Flash Player pcast scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31555 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D CLODMeshDeceleration code execution attempt (file-pdf.rules)
 * 1:31557 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Backdoor.Andromeda (blacklist.rules)
 * 1:31556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke HTTP data exfiltration attempt (malware-cnc.rules)

Modified Rules:


 * 1:31395 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31396 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31397 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31360 <-> DISABLED <-> SERVER-WEBAPP PHP include parameter remote file include attempt (server-webapp.rules)
 * 1:31394 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31392 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31393 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:27822 <-> ENABLED <-> FILE-OTHER Microsoft Windows XP .theme file remote code execution attempt (file-other.rules)
 * 1:31377 <-> DISABLED <-> SERVER-WEBAPP PHP includedir parameter remote file include attempt (server-webapp.rules)
 * 1:27694 <-> DISABLED <-> FILE-JAVA Oracle Java 2D ImagingLib BytePackedRaster signed integer overflow attempt (file-java.rules)
 * 1:23874 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader postscript font execution malformed subroutine entries attempt (file-pdf.rules)
 * 1:27693 <-> DISABLED <-> FILE-JAVA Oracle Java 2D ImagingLib BytePackedRaster signed integer overflow attempt (file-java.rules)
 * 1:23875 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader postscript font execution malformed subroutine entries attempt (file-pdf.rules)
 * 1:20732 <-> DISABLED <-> SERVER-WEBAPP Sabdrimer PHP pluginpath remote file include attempt (server-webapp.rules)
 * 1:20429 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D CLODMeshDeceleration code execution attempt (file-pdf.rules)
 * 3:30942 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)
 * 3:30943 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)
 * 3:30932 <-> ENABLED <-> EXPLOIT Cisco WebEx WRF heap corruption attempt (exploit.rules)
 * 3:30921 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
 * 3:30902 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30922 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
 * 3:30912 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30913 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30903 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)

2014-07-29 15:28:37 UTC

Sourcefire VRT Rules Update

Date: 2014-07-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Koobface variant outbound connection (malware-cnc.rules)
 * 1:31547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Yakes variant inbound connection (malware-cnc.rules)
 * 1:31529 <-> ENABLED <-> SERVER-OTHER D-Link Multiple Products HNAP request buffer overflow attempt (server-other.rules)
 * 1:31528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound detected (malware-cnc.rules)
 * 1:31531 <-> ENABLED <-> INDICATOR-COMPROMISE MinerDeploy monitor request attempt (indicator-compromise.rules)
 * 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
 * 1:31535 <-> ENABLED <-> FILE-OFFICE Microsoft Access memory corruption attempt (file-office.rules)
 * 1:31536 <-> ENABLED <-> FILE-OFFICE Microsoft Access memory corruption attempt (file-office.rules)
 * 1:31534 <-> ENABLED <-> FILE-OFFICE Microsoft Access memory corruption attempt (file-office.rules)
 * 1:31538 <-> DISABLED <-> BROWSER-PLUGINS UltraCrypto ActiveX clsid access attempt (browser-plugins.rules)
 * 1:31533 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xolominer malicious user detected (malware-cnc.rules)
 * 1:31537 <-> ENABLED <-> FILE-OFFICE Microsoft Access memory corruption attempt (file-office.rules)
 * 1:31541 <-> ENABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:31525 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:31530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:31526 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:31542 <-> DISABLED <-> SERVER-WEBAPP D-Link Multiple Products info.cgi request buffer overflow attempt (server-webapp.rules)
 * 1:31543 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - MSIE 7.0 na - Win.Trojan.Koobface (blacklist.rules)
 * 1:31527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound detected (malware-cnc.rules)
 * 1:31545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Koobface variant outbound connection (malware-cnc.rules)
 * 1:31546 <-> DISABLED <-> SERVER-WEBAPP Ultimate PHP Board admin_iplog remote code execution attempt (server-webapp.rules)
 * 1:31548 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Yakes variant outbound connection (malware-cnc.rules)
 * 1:31549 <-> DISABLED <-> FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31550 <-> DISABLED <-> FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31551 <-> DISABLED <-> FILE-FLASH Adobe Flash Player pcast scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31552 <-> DISABLED <-> FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31553 <-> DISABLED <-> FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31554 <-> DISABLED <-> FILE-FLASH Adobe Flash Player pcast scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31540 <-> ENABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:31539 <-> DISABLED <-> BROWSER-PLUGINS UltraCrypto ActiveX clsid access attempt (browser-plugins.rules)
 * 1:31559 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Andromeda variant outbound connection (malware-backdoor.rules)
 * 1:31558 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Andromeda variant outbound connection (malware-backdoor.rules)
 * 1:31556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke HTTP data exfiltration attempt (malware-cnc.rules)
 * 1:31555 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D CLODMeshDeceleration code execution attempt (file-pdf.rules)
 * 1:31557 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Backdoor.Andromeda (blacklist.rules)

Modified Rules:


 * 1:31397 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31395 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31396 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31393 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31394 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31377 <-> DISABLED <-> SERVER-WEBAPP PHP includedir parameter remote file include attempt (server-webapp.rules)
 * 1:31392 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:27822 <-> ENABLED <-> FILE-OTHER Microsoft Windows XP .theme file remote code execution attempt (file-other.rules)
 * 1:31360 <-> DISABLED <-> SERVER-WEBAPP PHP include parameter remote file include attempt (server-webapp.rules)
 * 1:27693 <-> DISABLED <-> FILE-JAVA Oracle Java 2D ImagingLib BytePackedRaster signed integer overflow attempt (file-java.rules)
 * 1:27694 <-> DISABLED <-> FILE-JAVA Oracle Java 2D ImagingLib BytePackedRaster signed integer overflow attempt (file-java.rules)
 * 1:20429 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D CLODMeshDeceleration code execution attempt (file-pdf.rules)
 * 1:23875 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader postscript font execution malformed subroutine entries attempt (file-pdf.rules)
 * 1:23874 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader postscript font execution malformed subroutine entries attempt (file-pdf.rules)
 * 1:20732 <-> DISABLED <-> SERVER-WEBAPP Sabdrimer PHP pluginpath remote file include attempt (server-webapp.rules)
 * 3:30943 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)
 * 3:30932 <-> ENABLED <-> EXPLOIT Cisco WebEx WRF heap corruption attempt (exploit.rules)
 * 3:30942 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)
 * 3:30921 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
 * 3:30922 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
 * 3:30912 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30913 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30902 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30903 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)

2014-07-29 15:28:37 UTC

Sourcefire VRT Rules Update

Date: 2014-07-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31559 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Andromeda variant outbound connection (malware-backdoor.rules)
 * 1:31558 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Andromeda variant outbound connection (malware-backdoor.rules)
 * 1:31557 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Backdoor.Andromeda (blacklist.rules)
 * 1:31556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke HTTP data exfiltration attempt (malware-cnc.rules)
 * 1:31555 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D CLODMeshDeceleration code execution attempt (file-pdf.rules)
 * 1:31554 <-> DISABLED <-> FILE-FLASH Adobe Flash Player pcast scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31553 <-> DISABLED <-> FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31552 <-> DISABLED <-> FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31551 <-> DISABLED <-> FILE-FLASH Adobe Flash Player pcast scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31550 <-> DISABLED <-> FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31549 <-> DISABLED <-> FILE-FLASH Adobe Flash Player feed scheme security sandbox bypass attempt (file-flash.rules)
 * 1:31548 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Yakes variant outbound connection (malware-cnc.rules)
 * 1:31547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Yakes variant inbound connection (malware-cnc.rules)
 * 1:31546 <-> DISABLED <-> SERVER-WEBAPP Ultimate PHP Board admin_iplog remote code execution attempt (server-webapp.rules)
 * 1:31545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Koobface variant outbound connection (malware-cnc.rules)
 * 1:31544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Koobface variant outbound connection (malware-cnc.rules)
 * 1:31543 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - MSIE 7.0 na - Win.Trojan.Koobface (blacklist.rules)
 * 1:31542 <-> DISABLED <-> SERVER-WEBAPP D-Link Multiple Products info.cgi request buffer overflow attempt (server-webapp.rules)
 * 1:31541 <-> ENABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:31540 <-> ENABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:31539 <-> DISABLED <-> BROWSER-PLUGINS UltraCrypto ActiveX clsid access attempt (browser-plugins.rules)
 * 1:31538 <-> DISABLED <-> BROWSER-PLUGINS UltraCrypto ActiveX clsid access attempt (browser-plugins.rules)
 * 1:31537 <-> ENABLED <-> FILE-OFFICE Microsoft Access memory corruption attempt (file-office.rules)
 * 1:31536 <-> ENABLED <-> FILE-OFFICE Microsoft Access memory corruption attempt (file-office.rules)
 * 1:31535 <-> ENABLED <-> FILE-OFFICE Microsoft Access memory corruption attempt (file-office.rules)
 * 1:31534 <-> ENABLED <-> FILE-OFFICE Microsoft Access memory corruption attempt (file-office.rules)
 * 1:31533 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xolominer malicious user detected (malware-cnc.rules)
 * 1:31532 <-> DISABLED <-> APP-DETECT Xolominer outbound connection attempt (app-detect.rules)
 * 1:31531 <-> ENABLED <-> INDICATOR-COMPROMISE MinerDeploy monitor request attempt (indicator-compromise.rules)
 * 1:31530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:31529 <-> ENABLED <-> SERVER-OTHER D-Link Multiple Products HNAP request buffer overflow attempt (server-other.rules)
 * 1:31528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound detected (malware-cnc.rules)
 * 1:31527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound detected (malware-cnc.rules)
 * 1:31526 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:31525 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)

Modified Rules:


 * 1:31397 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31395 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31396 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31393 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31394 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31377 <-> DISABLED <-> SERVER-WEBAPP PHP includedir parameter remote file include attempt (server-webapp.rules)
 * 1:31392 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:27822 <-> ENABLED <-> FILE-OTHER Microsoft Windows XP .theme file remote code execution attempt (file-other.rules)
 * 1:31360 <-> DISABLED <-> SERVER-WEBAPP PHP include parameter remote file include attempt (server-webapp.rules)
 * 1:27693 <-> DISABLED <-> FILE-JAVA Oracle Java 2D ImagingLib BytePackedRaster signed integer overflow attempt (file-java.rules)
 * 1:27694 <-> DISABLED <-> FILE-JAVA Oracle Java 2D ImagingLib BytePackedRaster signed integer overflow attempt (file-java.rules)
 * 1:23874 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader postscript font execution malformed subroutine entries attempt (file-pdf.rules)
 * 1:23875 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader postscript font execution malformed subroutine entries attempt (file-pdf.rules)
 * 1:20429 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D CLODMeshDeceleration code execution attempt (file-pdf.rules)
 * 1:20732 <-> DISABLED <-> SERVER-WEBAPP Sabdrimer PHP pluginpath remote file include attempt (server-webapp.rules)
 * 3:30943 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)
 * 3:30932 <-> ENABLED <-> EXPLOIT Cisco WebEx WRF heap corruption attempt (exploit.rules)
 * 3:30942 <-> ENABLED <-> EXPLOIT Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (exploit.rules)
 * 3:30921 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
 * 3:30922 <-> ENABLED <-> EXPLOIT Cisco WebEx Player atas32.dll memory overread attempt (exploit.rules)
 * 3:30912 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30913 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30902 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)
 * 3:30903 <-> ENABLED <-> EXPLOIT Cisco Webex WRF heap corruption attempt (exploit.rules)