VRT Rules 2014-08-19
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, browser-other, browser-plugins, exploit-kit, file-executable, file-flash, file-image, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-shellcode, malware-cnc, malware-other, netbios, os-linux, os-other, os-windows, policy-social, protocol-dns, protocol-icmp, protocol-nntp, protocol-snmp, protocol-voip, pua-p2p, server-apache, server-iis, server-mail, server-mysql, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2014-08-19 16:43:44 UTC

Sourcefire VRT Rules Update

Date: 2014-08-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ltc.give-me-coins.com (blacklist.rules)
 * 1:31651 <-> DISABLED <-> SERVER-WEBAPP VMTurbo Operations Manager vmtadmin.cgi command injection attempt (server-webapp.rules)
 * 1:31657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain forces.moimains.ru (blacklist.rules)
 * 1:31658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain horses.silverlitedirect.ru (blacklist.rules)
 * 1:31659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leicaresbe1976.co.vu (blacklist.rules)
 * 1:31654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain brasicerer1976.co.vu (blacklist.rules)
 * 1:31662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sputnikmailru.cdnmail.ru (blacklist.rules)
 * 1:31652 <-> DISABLED <-> SERVER-WEBAPP VMTurbo Operations Manager vmtadmin.cgi command injection attempt (server-webapp.rules)
 * 1:31655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain devid.info (blacklist.rules)
 * 1:31663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tioracudi1977.co.vu (blacklist.rules)
 * 1:31653 <-> ENABLED <-> BLACKLIST DNS request for known malware domain amigobin.cdnmail.ru (blacklist.rules)
 * 1:31661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain quidisnagend1983.co.vu (blacklist.rules)
 * 1:31656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain facebstats.com (blacklist.rules)
 * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31668 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Web and E-Mail Interaction Manager cross site scripting attempt (server-webapp.rules)
 * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)

Modified Rules:


 * 1:31645 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 XML page object type validation (browser-ie.rules)
 * 1:31406 <-> DISABLED <-> SERVER-OTHER Samsung TV denial of service attempt (server-other.rules)
 * 1:31646 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 XML page object type validation (browser-ie.rules)
 * 3:26972 <-> ENABLED <-> SERVER-OTHER CUPS IPP multi-valued attribute memory corruption attempt (server-other.rules)
 * 3:30932 <-> ENABLED <-> FILE-OTHER Cisco WebEx WRF heap corruption attempt (file-other.rules)
 * 3:30931 <-> ENABLED <-> SERVER-OTHER Cisco RV180W remote file inclusion attempt (server-other.rules)
 * 3:30933 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN remote code execution attempt (server-other.rules)
 * 3:30942 <-> ENABLED <-> FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (file-other.rules)
 * 3:30943 <-> ENABLED <-> FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (file-other.rules)
 * 3:31361 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
 * 3:31398 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
 * 3:31451 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
 * 3:31615 <-> ENABLED <-> OS-OTHER Cisco IOS EnergyWise malformed packet denial of service attempt (os-other.rules)
 * 3:31616 <-> ENABLED <-> OS-OTHER Cisco IOS EnergyWise malformed packet denial of service attempt (os-other.rules)
 * 3:7019 <-> ENABLED <-> PUA-P2P WinNY connection attempt (pua-p2p.rules)
 * 3:7196 <-> ENABLED <-> OS-WINDOWS Microsoft DHCP option overflow attempt (os-windows.rules)
 * 3:8092 <-> ENABLED <-> OS-WINDOWS IGMP IP Options validation attempt (os-windows.rules)
 * 3:8351 <-> ENABLED <-> OS-WINDOWS PGM nak list overflow attempt (os-windows.rules)
 * 3:10127 <-> ENABLED <-> OS-WINDOWS Microsoft IP Options denial of service (os-windows.rules)
 * 3:10480 <-> ENABLED <-> SERVER-OTHER imail ldap buffer overflow exploit attempt (server-other.rules)
 * 3:11619 <-> ENABLED <-> SERVER-MYSQL MySQL COM_TABLE_DUMP Function Stack Overflow attempt (server-mysql.rules)
 * 3:11672 <-> ENABLED <-> BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt (browser-other.rules)
 * 3:12028 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange Server MIME base64 decoding code execution attempt (server-mail.rules)
 * 3:12636 <-> ENABLED <-> PROTOCOL-NNTP XHDR buffer overflow attempt (protocol-nntp.rules)
 * 3:13287 <-> ENABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
 * 3:13308 <-> ENABLED <-> SERVER-APACHE Apache HTTP server auth_ldap logging function format string vulnerability (server-apache.rules)
 * 3:13417 <-> ENABLED <-> SERVER-OTHER Citrix MetaFrame IMA authentication processing buffer overflow attempt (server-other.rules)
 * 3:13418 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (server-other.rules)
 * 3:13425 <-> ENABLED <-> SERVER-OTHER openldap server bind request denial of service attempt (server-other.rules)
 * 3:13450 <-> ENABLED <-> OS-WINDOWS invalid dhcp offer denial of service attempt (os-windows.rules)
 * 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
 * 3:13471 <-> ENABLED <-> FILE-OFFICE Microsoft Publisher invalid pathname overwrite (file-office.rules)
 * 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
 * 3:13476 <-> ENABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
 * 3:13510 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest heap overflow attempt (server-other.rules)
 * 3:13511 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest invalid event count exploit attempt (server-other.rules)
 * 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
 * 3:13666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI integer overflow attempt (os-windows.rules)
 * 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
 * 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:13718 <-> ENABLED <-> SERVER-MAIL BDAT buffer overflow attempt (server-mail.rules)
 * 3:13773 <-> ENABLED <-> OS-LINUX linux kernel snmp nat netfilter memory corruption attempt (os-linux.rules)
 * 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 3:13798 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13802 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:13825 <-> ENABLED <-> OS-WINDOWS Microsoft PGM fragment denial of service attempt (os-windows.rules)
 * 3:13826 <-> ENABLED <-> OS-WINDOWS Microsoft WINS arbitrary memory modification attempt (os-windows.rules)
 * 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
 * 3:13879 <-> ENABLED <-> OS-WINDOWS Windows BMP image conversion arbitrary code execution attempt (os-windows.rules)
 * 3:13887 <-> ENABLED <-> PROTOCOL-DNS dns root nameserver poisoning attempt (protocol-dns.rules)
 * 3:13897 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime crgn atom parsing stack buffer overflow attempt (file-multimedia.rules)
 * 3:13921 <-> ENABLED <-> SERVER-MAIL Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (server-mail.rules)
 * 3:13922 <-> ENABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
 * 3:13946 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (file-image.rules)
 * 3:13947 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (file-image.rules)
 * 3:13954 <-> ENABLED <-> OS-WINDOWS Microsoft Color Management System EMF file processing overflow attempt (os-windows.rules)
 * 3:13958 <-> ENABLED <-> FILE-OFFICE WordPerfect Graphics file invalid RLE buffer overflow attempt (file-office.rules)
 * 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
 * 3:13975 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX clsid access (browser-plugins.rules)
 * 3:13976 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX clsid unicode access (browser-plugins.rules)
 * 3:13977 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX function call access (browser-plugins.rules)
 * 3:13978 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX function call unicode access (browser-plugins.rules)
 * 3:13979 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules)
 * 3:14251 <-> ENABLED <-> OS-WINDOWS Microsoft GDI malformed metarecord buffer overflow attempt (os-windows.rules)
 * 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14260 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (os-windows.rules)
 * 3:14263 <-> ENABLED <-> POLICY-SOCIAL Pidgin MSN MSNP2P message integer overflow attempt (policy-social.rules)
 * 3:14646 <-> ENABLED <-> OS-WINDOWS Active Directory malformed baseObject denial of service attempt (os-windows.rules)
 * 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
 * 3:14772 <-> ENABLED <-> FILE-IMAGE libpng malformed chunk denial of service attempt (file-image.rules)
 * 3:15009 <-> ENABLED <-> OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected (os-windows.rules)
 * 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
 * 3:15118 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX clsid access (browser-plugins.rules)
 * 3:15119 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX clsid unicode access (browser-plugins.rules)
 * 3:15120 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX function call access (browser-plugins.rules)
 * 3:15121 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX function call unicode access (browser-plugins.rules)
 * 3:15124 <-> ENABLED <-> OS-WINDOWS Web-based NTLM replay attack attempt (os-windows.rules)
 * 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
 * 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)
 * 3:15149 <-> ENABLED <-> SERVER-ORACLE Oracle Internet Directory pre-auth ldap denial of service attempt (server-oracle.rules)
 * 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
 * 3:15300 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF polyline overflow attempt (browser-ie.rules)
 * 3:15301 <-> ENABLED <-> SERVER-MAIL Exchange compressed RTF remote code execution attempt (server-mail.rules)
 * 3:15327 <-> ENABLED <-> PROTOCOL-DNS libspf2 DNS TXT record parsing buffer overflow attempt (protocol-dns.rules)
 * 3:15328 <-> ENABLED <-> FILE-JAVA Sun JDK image parsing library ICC buffer overflow attempt (file-java.rules)
 * 3:15329 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange MODPROPS memory corruption attempt (server-mail.rules)
 * 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)
 * 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
 * 3:15449 <-> ENABLED <-> MALWARE-OTHER Conficker A/B DNS traffic detected (malware-other.rules)
 * 3:15450 <-> ENABLED <-> MALWARE-OTHER Conficker C/D DNS traffic detected (malware-other.rules)
 * 3:15451 <-> ENABLED <-> MALWARE-CNC possible Conficker.C HTTP traffic 1 (malware-cnc.rules)
 * 3:15452 <-> ENABLED <-> MALWARE-CNC possible Conficker.C HTTP traffic 2 (malware-cnc.rules)
 * 3:15453 <-> ENABLED <-> OS-WINDOWS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (os-windows.rules)
 * 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 3:15456 <-> ENABLED <-> SERVER-OTHER WinHTTP SSL/TLS impersonation attempt (server-other.rules)
 * 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
 * 3:15470 <-> ENABLED <-> FILE-EXECUTABLE IIS ASP/ASP.NET potentially malicious file upload attempt (file-executable.rules)
 * 3:15474 <-> ENABLED <-> SERVER-OTHER Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (server-other.rules)
 * 3:15498 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint CString atom overflow attempt (file-office.rules)
 * 3:15503 <-> ENABLED <-> FILE-OFFICE Download of PowerPoint 95 file (file-office.rules)
 * 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
 * 3:15521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 3:15522 <-> ENABLED <-> SERVER-OTHER Active Directory invalid OID denial of service attempt (server-other.rules)
 * 3:15528 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (os-windows.rules)
 * 3:15683 <-> ENABLED <-> SERVER-OTHER ISA Server OTP-based Forms-authorization fallback policy bypass attempt (server-other.rules)
 * 3:15700 <-> ENABLED <-> SERVER-OTHER dhclient subnet mask option buffer overflow attempt (server-other.rules)
 * 3:15734 <-> ENABLED <-> PROTOCOL-DNS BIND named 9 dynamic update message remote dos attempt (protocol-dns.rules)
 * 3:15847 <-> ENABLED <-> OS-WINDOWS Telnet-based NTLM replay attack attempt (os-windows.rules)
 * 3:15848 <-> ENABLED <-> OS-WINDOWS WINS replication request memory corruption attempt (os-windows.rules)
 * 3:15851 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 3:15857 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows AVIFile media file invalid header length (file-multimedia.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)
 * 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)
 * 3:15959 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET viewstate DoS attempt (server-iis.rules)
 * 3:15968 <-> ENABLED <-> SERVER-OTHER LANDesk Management Suite QIP service heal packet buffer overflow attempt (server-other.rules)
 * 3:15973 <-> ENABLED <-> SERVER-OTHER Novell eDirectory LDAP null search parameter buffer overflow attempt (server-other.rules)
 * 3:15974 <-> ENABLED <-> SERVER-IIS Microsoft IIS ASP handling buffer overflow attempt (server-iis.rules)
 * 3:15975 <-> ENABLED <-> FILE-IMAGE OpenOffice TIFF file in little endian format parsing integer overflow attempt (file-image.rules)
 * 3:15976 <-> ENABLED <-> FILE-IMAGE OpenOffice TIFF file in big endian format parsing integer overflow attempt (file-image.rules)
 * 3:16154 <-> ENABLED <-> FILE-EXECUTABLE GDI+ .NET image property parsing memory corruption (file-executable.rules)
 * 3:16156 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF marker object memory corruption attempt (file-multimedia.rules)
 * 3:16158 <-> ENABLED <-> OS-WINDOWS malformed ASF codec memory corruption attempt (os-windows.rules)
 * 3:16179 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET MSIL CLR interface multiple instantiation attempt (file-executable.rules)
 * 3:16182 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET MSIL stack corruption attempt (file-executable.rules)
 * 3:16222 <-> ENABLED <-> FILE-IMAGE Malformed BMP dimensions arbitrary code execution attempt (file-image.rules)
 * 3:16227 <-> ENABLED <-> SERVER-OTHER Web Service on Devices API WSDAPI URL processing buffer corruption attempt (server-other.rules)
 * 3:16228 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed StartObject record arbitrary code execution attempt (file-office.rules)
 * 3:16230 <-> ENABLED <-> FILE-OFFICE Microsoft Excel oversized ib memory corruption attempt (file-office.rules)
 * 3:16232 <-> ENABLED <-> OS-WINDOWS Windows TrueType font file parsing integer overflow attempt (os-windows.rules)
 * 3:16237 <-> ENABLED <-> SERVER-OTHER Microsoft Active Directory NTDSA stack space exhaustion attempt (server-other.rules)
 * 3:16320 <-> ENABLED <-> FILE-IMAGE Adobe PNG empty sPLT exploit attempt (file-image.rules)
 * 3:16329 <-> ENABLED <-> SERVER-OTHER Microsoft Internet Authentication Service EAP-MSCHAPv2 authentication bypass attempt (server-other.rules)
 * 3:16343 <-> ENABLED <-> FILE-PDF obfuscated header in PDF (file-pdf.rules)
 * 3:16370 <-> ENABLED <-> FILE-PDF Adobe Reader JP2C Region Atom CompNum memory corruption attempt (file-pdf.rules)
 * 3:16375 <-> ENABLED <-> SERVER-OTHER LDAP object parameter name buffer overflow attempt (server-other.rules)
 * 3:16394 <-> ENABLED <-> OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt (os-windows.rules)
 * 3:16395 <-> ENABLED <-> OS-WINDOWS SMB COPY command oversized pathname attempt (os-windows.rules)
 * 3:16405 <-> ENABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt (protocol-icmp.rules)
 * 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
 * 3:16415 <-> ENABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
 * 3:16418 <-> ENABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
 * 3:16530 <-> ENABLED <-> OS-WINDOWS CAB SIP authenticode alteration attempt (os-windows.rules)
 * 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)
 * 3:16534 <-> ENABLED <-> SERVER-OTHER Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (server-other.rules)
 * 3:16561 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 1 (file-image.rules)
 * 3:16562 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 2 (file-image.rules)
 * 3:16563 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 3 (file-image.rules)
 * 3:16564 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 4 (file-image.rules)
 * 3:16577 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMBv2 compound request DoS attempt (os-windows.rules)
 * 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
 * 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
 * 3:17041 <-> ENABLED <-> SERVER-OTHER ISA Server OTP-based Forms-authorization fallback policy bypass attempt (server-other.rules)
 * 3:17118 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET CreateDelegate method arbitrary code execution attempt (file-executable.rules)
 * 3:17126 <-> ENABLED <-> OS-WINDOWS SMB large session length with small packet (os-windows.rules)
 * 3:17199 <-> ENABLED <-> FILE-OTHER Adobe Director file file lRTX overflow attempt (file-other.rules)
 * 3:17201 <-> ENABLED <-> FILE-OTHER Adobe Director file file LsCM overflow attempt (file-other.rules)
 * 3:17242 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF file arbitrary code execution attempt (file-multimedia.rules)
 * 3:17251 <-> ENABLED <-> FILE-OFFICE Outlook RTF remote code execution attempt (file-office.rules)
 * 3:17300 <-> ENABLED <-> FILE-MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (file-multimedia.rules)
 * 3:17608 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime color table atom movie file handling heap corruption attempt (file-multimedia.rules)
 * 3:17632 <-> ENABLED <-> PROTOCOL-SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow (protocol-snmp.rules)
 * 3:17647 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (file-flash.rules)
 * 3:17663 <-> ENABLED <-> SERVER-OTHER Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt (server-other.rules)
 * 3:17665 <-> ENABLED <-> FILE-OFFICE OpenOffice Word document table parsing multiple heap based buffer overflow attempt (file-office.rules)
 * 3:17667 <-> ENABLED <-> OS-WINDOWS Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (os-windows.rules)
 * 3:17693 <-> ENABLED <-> SERVER-MAIL MailEnable NTLM Authentication buffer overflow attempt (server-mail.rules)
 * 3:17696 <-> ENABLED <-> PROTOCOL-DNS Microsoft DNS Server ANY query cache weakness (protocol-dns.rules)
 * 3:17697 <-> ENABLED <-> POLICY-SOCIAL GnuPG Message Packet Length overflow attempt (policy-social.rules)
 * 3:17699 <-> ENABLED <-> PROTOCOL-SNMP Multiple vendor SNMPv3 HMAC handling authentication bypass attempt (protocol-snmp.rules)
 * 3:17700 <-> ENABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer wav chunk string overflow attempt (file-multimedia.rules)
 * 3:17741 <-> ENABLED <-> SERVER-OTHER MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (server-other.rules)
 * 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
 * 3:17765 <-> ENABLED <-> OS-WINDOWS OpenType Font file parsing buffer overflow attempt (os-windows.rules)
 * 3:17775 <-> ENABLED <-> INDICATOR-SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (indicator-shellcode.rules)
 * 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
 * 3:18064 <-> ENABLED <-> BROWSER-PLUGINS Microsoft .NET framework EntityObject execution attempt (browser-plugins.rules)
 * 3:18101 <-> ENABLED <-> SERVER-OTHER Sun Directory Server LDAP denial of service attempt (server-other.rules)
 * 3:18213 <-> ENABLED <-> FILE-OTHER MS Publisher column and row remote code execution attempt (file-other.rules)
 * 3:18220 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (os-windows.rules)
 * 3:18249 <-> ENABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Route Information stack buffer overflow attempt (protocol-icmp.rules)
 * 3:18400 <-> ENABLED <-> OS-WINDOWS MS CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
 * 3:18405 <-> ENABLED <-> OS-WINDOWS Microsoft LSASS domain name buffer overflow attempt (os-windows.rules)
 * 3:18409 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys write message to dead thread code execution attempt (os-windows.rules)
 * 3:18410 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys write message to dead thread code execution attempt (os-windows.rules)
 * 3:18411 <-> ENABLED <-> OS-WINDOWS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules)
 * 3:18412 <-> ENABLED <-> OS-WINDOWS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules)
 * 3:18414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt (os-windows.rules)
 * 3:18449 <-> ENABLED <-> FILE-OTHER Adobe Acrobat font definition memory corruption attempt (file-other.rules)
 * 3:18501 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules)
 * 3:18630 <-> ENABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 3:18631 <-> ENABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 3:18640 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed SupBook record attempt (file-office.rules)
 * 3:18641 <-> ENABLED <-> FILE-OFFICE Excel OBJ record invalid cmo.ot exploit attempt (file-office.rules)
 * 3:18660 <-> ENABLED <-> OS-WINDOWS SMB2 write packet buffer overflow attempt (os-windows.rules)
 * 3:18661 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18662 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18663 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18664 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18665 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18666 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18667 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18669 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cross-domain object manipulation attempt (browser-ie.rules)
 * 3:30921 <-> ENABLED <-> FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt (file-other.rules)
 * 3:23182 <-> ENABLED <-> SERVER-OTHER SFVRT-1009 attack attempt (server-other.rules)
 * 3:30889 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
 * 3:29945 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
 * 3:21355 <-> ENABLED <-> PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid (protocol-dns.rules)
 * 3:26213 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - doesntexist.com (exploit-kit.rules)
 * 3:23608 <-> ENABLED <-> PROTOCOL-DNS dns zone transfer with zero-length rdata attempt (protocol-dns.rules)
 * 3:30901 <-> ENABLED <-> FILE-FLASH known malicious flash actionscript decryption routine (file-flash.rules)
 * 3:26215 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - dynalias.com (exploit-kit.rules)
 * 3:20825 <-> ENABLED <-> SERVER-WEBAPP generic web server hashing collision attack (server-webapp.rules)
 * 3:20135 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector buffer overflow attempt (server-other.rules)
 * 3:30884 <-> ENABLED <-> PROTOCOL-VOIP Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (protocol-voip.rules)
 * 3:23039 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
 * 3:26214 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - dnsalias.com (exploit-kit.rules)
 * 3:22089 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
 * 3:24971 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD Adobe font driver reserved command denial of service attempt (file-other.rules)
 * 3:30888 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
 * 3:24597 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (server-oracle.rules)
 * 3:18673 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 3:30902 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
 * 3:27906 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC prep_reprocess_req null pointer dereference attempt (server-other.rules)
 * 3:19350 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (file-multimedia.rules)
 * 3:30885 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
 * 3:30890 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
 * 3:21619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (os-windows.rules)
 * 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 3:24595 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Server information disclosure attempt (server-oracle.rules)
 * 3:24671 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Explorer briefcase database memory corruption attempt (os-windows.rules)
 * 3:24596 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (server-oracle.rules)
 * 3:28487 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
 * 3:18949 <-> ENABLED <-> FILE-OFFICE PowerPoint malformed RecolorInfoAtom exploit attempt (file-office.rules)
 * 3:29944 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
 * 3:30283 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt (protocol-voip.rules)
 * 3:30282 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt (protocol-voip.rules)
 * 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
 * 3:24666 <-> ENABLED <-> FILE-OFFICE Excel invalid data item buffer overflow attempt (file-office.rules)
 * 3:30886 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
 * 3:21352 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 3:19187 <-> ENABLED <-> PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt (protocol-dns.rules)
 * 3:23180 <-> ENABLED <-> FILE-PDF obfuscated header in PDF attachment (file-pdf.rules)
 * 3:21354 <-> ENABLED <-> PROTOCOL-DNS dns query - storing query and txid (protocol-dns.rules)
 * 3:28488 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
 * 3:30903 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
 * 3:23040 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
 * 3:26877 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCPRecomputeMss denial of service attempt (os-windows.rules)
 * 3:30881 <-> ENABLED <-> MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt (malware-other.rules)
 * 3:30913 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
 * 3:30929 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN CSRF attempt (server-other.rules)
 * 3:30912 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
 * 3:30922 <-> ENABLED <-> FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt (file-other.rules)

2014-08-19 16:43:44 UTC

Sourcefire VRT Rules Update

Date: 2014-08-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain facebstats.com (blacklist.rules)
 * 1:31661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain quidisnagend1983.co.vu (blacklist.rules)
 * 1:31653 <-> ENABLED <-> BLACKLIST DNS request for known malware domain amigobin.cdnmail.ru (blacklist.rules)
 * 1:31663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tioracudi1977.co.vu (blacklist.rules)
 * 1:31655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain devid.info (blacklist.rules)
 * 1:31652 <-> DISABLED <-> SERVER-WEBAPP VMTurbo Operations Manager vmtadmin.cgi command injection attempt (server-webapp.rules)
 * 1:31662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sputnikmailru.cdnmail.ru (blacklist.rules)
 * 1:31654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain brasicerer1976.co.vu (blacklist.rules)
 * 1:31659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leicaresbe1976.co.vu (blacklist.rules)
 * 1:31658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain horses.silverlitedirect.ru (blacklist.rules)
 * 1:31657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain forces.moimains.ru (blacklist.rules)
 * 1:31651 <-> DISABLED <-> SERVER-WEBAPP VMTurbo Operations Manager vmtadmin.cgi command injection attempt (server-webapp.rules)
 * 1:31660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ltc.give-me-coins.com (blacklist.rules)
 * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31668 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Web and E-Mail Interaction Manager cross site scripting attempt (server-webapp.rules)
 * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)

Modified Rules:


 * 1:31646 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 XML page object type validation (browser-ie.rules)
 * 1:31406 <-> DISABLED <-> SERVER-OTHER Samsung TV denial of service attempt (server-other.rules)
 * 1:31645 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 XML page object type validation (browser-ie.rules)
 * 3:10127 <-> ENABLED <-> OS-WINDOWS Microsoft IP Options denial of service (os-windows.rules)
 * 3:10480 <-> ENABLED <-> SERVER-OTHER imail ldap buffer overflow exploit attempt (server-other.rules)
 * 3:11619 <-> ENABLED <-> SERVER-MYSQL MySQL COM_TABLE_DUMP Function Stack Overflow attempt (server-mysql.rules)
 * 3:11672 <-> ENABLED <-> BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt (browser-other.rules)
 * 3:12028 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange Server MIME base64 decoding code execution attempt (server-mail.rules)
 * 3:12636 <-> ENABLED <-> PROTOCOL-NNTP XHDR buffer overflow attempt (protocol-nntp.rules)
 * 3:13287 <-> ENABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
 * 3:13308 <-> ENABLED <-> SERVER-APACHE Apache HTTP server auth_ldap logging function format string vulnerability (server-apache.rules)
 * 3:13417 <-> ENABLED <-> SERVER-OTHER Citrix MetaFrame IMA authentication processing buffer overflow attempt (server-other.rules)
 * 3:13418 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (server-other.rules)
 * 3:13425 <-> ENABLED <-> SERVER-OTHER openldap server bind request denial of service attempt (server-other.rules)
 * 3:13450 <-> ENABLED <-> OS-WINDOWS invalid dhcp offer denial of service attempt (os-windows.rules)
 * 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
 * 3:13471 <-> ENABLED <-> FILE-OFFICE Microsoft Publisher invalid pathname overwrite (file-office.rules)
 * 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
 * 3:13476 <-> ENABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
 * 3:13510 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest heap overflow attempt (server-other.rules)
 * 3:13511 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest invalid event count exploit attempt (server-other.rules)
 * 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
 * 3:13666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI integer overflow attempt (os-windows.rules)
 * 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
 * 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:13718 <-> ENABLED <-> SERVER-MAIL BDAT buffer overflow attempt (server-mail.rules)
 * 3:13773 <-> ENABLED <-> OS-LINUX linux kernel snmp nat netfilter memory corruption attempt (os-linux.rules)
 * 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 3:13798 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13802 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:13825 <-> ENABLED <-> OS-WINDOWS Microsoft PGM fragment denial of service attempt (os-windows.rules)
 * 3:13826 <-> ENABLED <-> OS-WINDOWS Microsoft WINS arbitrary memory modification attempt (os-windows.rules)
 * 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
 * 3:13879 <-> ENABLED <-> OS-WINDOWS Windows BMP image conversion arbitrary code execution attempt (os-windows.rules)
 * 3:13887 <-> ENABLED <-> PROTOCOL-DNS dns root nameserver poisoning attempt (protocol-dns.rules)
 * 3:13897 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime crgn atom parsing stack buffer overflow attempt (file-multimedia.rules)
 * 3:13921 <-> ENABLED <-> SERVER-MAIL Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (server-mail.rules)
 * 3:13922 <-> ENABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
 * 3:13946 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (file-image.rules)
 * 3:13947 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (file-image.rules)
 * 3:13954 <-> ENABLED <-> OS-WINDOWS Microsoft Color Management System EMF file processing overflow attempt (os-windows.rules)
 * 3:13958 <-> ENABLED <-> FILE-OFFICE WordPerfect Graphics file invalid RLE buffer overflow attempt (file-office.rules)
 * 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
 * 3:13975 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX clsid access (browser-plugins.rules)
 * 3:13976 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX clsid unicode access (browser-plugins.rules)
 * 3:13977 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX function call access (browser-plugins.rules)
 * 3:13978 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX function call unicode access (browser-plugins.rules)
 * 3:13979 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules)
 * 3:14251 <-> ENABLED <-> OS-WINDOWS Microsoft GDI malformed metarecord buffer overflow attempt (os-windows.rules)
 * 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14260 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (os-windows.rules)
 * 3:14263 <-> ENABLED <-> POLICY-SOCIAL Pidgin MSN MSNP2P message integer overflow attempt (policy-social.rules)
 * 3:14646 <-> ENABLED <-> OS-WINDOWS Active Directory malformed baseObject denial of service attempt (os-windows.rules)
 * 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
 * 3:14772 <-> ENABLED <-> FILE-IMAGE libpng malformed chunk denial of service attempt (file-image.rules)
 * 3:15009 <-> ENABLED <-> OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected (os-windows.rules)
 * 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
 * 3:15118 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX clsid access (browser-plugins.rules)
 * 3:15119 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX clsid unicode access (browser-plugins.rules)
 * 3:15120 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX function call access (browser-plugins.rules)
 * 3:15121 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX function call unicode access (browser-plugins.rules)
 * 3:15124 <-> ENABLED <-> OS-WINDOWS Web-based NTLM replay attack attempt (os-windows.rules)
 * 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
 * 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)
 * 3:15149 <-> ENABLED <-> SERVER-ORACLE Oracle Internet Directory pre-auth ldap denial of service attempt (server-oracle.rules)
 * 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
 * 3:15300 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF polyline overflow attempt (browser-ie.rules)
 * 3:15301 <-> ENABLED <-> SERVER-MAIL Exchange compressed RTF remote code execution attempt (server-mail.rules)
 * 3:15327 <-> ENABLED <-> PROTOCOL-DNS libspf2 DNS TXT record parsing buffer overflow attempt (protocol-dns.rules)
 * 3:15328 <-> ENABLED <-> FILE-JAVA Sun JDK image parsing library ICC buffer overflow attempt (file-java.rules)
 * 3:15329 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange MODPROPS memory corruption attempt (server-mail.rules)
 * 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)
 * 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
 * 3:15449 <-> ENABLED <-> MALWARE-OTHER Conficker A/B DNS traffic detected (malware-other.rules)
 * 3:15450 <-> ENABLED <-> MALWARE-OTHER Conficker C/D DNS traffic detected (malware-other.rules)
 * 3:15451 <-> ENABLED <-> MALWARE-CNC possible Conficker.C HTTP traffic 1 (malware-cnc.rules)
 * 3:15452 <-> ENABLED <-> MALWARE-CNC possible Conficker.C HTTP traffic 2 (malware-cnc.rules)
 * 3:15453 <-> ENABLED <-> OS-WINDOWS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (os-windows.rules)
 * 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 3:15456 <-> ENABLED <-> SERVER-OTHER WinHTTP SSL/TLS impersonation attempt (server-other.rules)
 * 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
 * 3:15470 <-> ENABLED <-> FILE-EXECUTABLE IIS ASP/ASP.NET potentially malicious file upload attempt (file-executable.rules)
 * 3:15474 <-> ENABLED <-> SERVER-OTHER Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (server-other.rules)
 * 3:15498 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint CString atom overflow attempt (file-office.rules)
 * 3:15503 <-> ENABLED <-> FILE-OFFICE Download of PowerPoint 95 file (file-office.rules)
 * 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
 * 3:15521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 3:15522 <-> ENABLED <-> SERVER-OTHER Active Directory invalid OID denial of service attempt (server-other.rules)
 * 3:15528 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (os-windows.rules)
 * 3:15683 <-> ENABLED <-> SERVER-OTHER ISA Server OTP-based Forms-authorization fallback policy bypass attempt (server-other.rules)
 * 3:15700 <-> ENABLED <-> SERVER-OTHER dhclient subnet mask option buffer overflow attempt (server-other.rules)
 * 3:15734 <-> ENABLED <-> PROTOCOL-DNS BIND named 9 dynamic update message remote dos attempt (protocol-dns.rules)
 * 3:15847 <-> ENABLED <-> OS-WINDOWS Telnet-based NTLM replay attack attempt (os-windows.rules)
 * 3:15848 <-> ENABLED <-> OS-WINDOWS WINS replication request memory corruption attempt (os-windows.rules)
 * 3:15851 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 3:15857 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows AVIFile media file invalid header length (file-multimedia.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)
 * 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)
 * 3:15959 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET viewstate DoS attempt (server-iis.rules)
 * 3:15968 <-> ENABLED <-> SERVER-OTHER LANDesk Management Suite QIP service heal packet buffer overflow attempt (server-other.rules)
 * 3:15973 <-> ENABLED <-> SERVER-OTHER Novell eDirectory LDAP null search parameter buffer overflow attempt (server-other.rules)
 * 3:15974 <-> ENABLED <-> SERVER-IIS Microsoft IIS ASP handling buffer overflow attempt (server-iis.rules)
 * 3:15975 <-> ENABLED <-> FILE-IMAGE OpenOffice TIFF file in little endian format parsing integer overflow attempt (file-image.rules)
 * 3:15976 <-> ENABLED <-> FILE-IMAGE OpenOffice TIFF file in big endian format parsing integer overflow attempt (file-image.rules)
 * 3:16154 <-> ENABLED <-> FILE-EXECUTABLE GDI+ .NET image property parsing memory corruption (file-executable.rules)
 * 3:16156 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF marker object memory corruption attempt (file-multimedia.rules)
 * 3:16158 <-> ENABLED <-> OS-WINDOWS malformed ASF codec memory corruption attempt (os-windows.rules)
 * 3:16179 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET MSIL CLR interface multiple instantiation attempt (file-executable.rules)
 * 3:16182 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET MSIL stack corruption attempt (file-executable.rules)
 * 3:16222 <-> ENABLED <-> FILE-IMAGE Malformed BMP dimensions arbitrary code execution attempt (file-image.rules)
 * 3:16227 <-> ENABLED <-> SERVER-OTHER Web Service on Devices API WSDAPI URL processing buffer corruption attempt (server-other.rules)
 * 3:16228 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed StartObject record arbitrary code execution attempt (file-office.rules)
 * 3:16230 <-> ENABLED <-> FILE-OFFICE Microsoft Excel oversized ib memory corruption attempt (file-office.rules)
 * 3:16232 <-> ENABLED <-> OS-WINDOWS Windows TrueType font file parsing integer overflow attempt (os-windows.rules)
 * 3:16237 <-> ENABLED <-> SERVER-OTHER Microsoft Active Directory NTDSA stack space exhaustion attempt (server-other.rules)
 * 3:16320 <-> ENABLED <-> FILE-IMAGE Adobe PNG empty sPLT exploit attempt (file-image.rules)
 * 3:16329 <-> ENABLED <-> SERVER-OTHER Microsoft Internet Authentication Service EAP-MSCHAPv2 authentication bypass attempt (server-other.rules)
 * 3:16343 <-> ENABLED <-> FILE-PDF obfuscated header in PDF (file-pdf.rules)
 * 3:16370 <-> ENABLED <-> FILE-PDF Adobe Reader JP2C Region Atom CompNum memory corruption attempt (file-pdf.rules)
 * 3:16375 <-> ENABLED <-> SERVER-OTHER LDAP object parameter name buffer overflow attempt (server-other.rules)
 * 3:16394 <-> ENABLED <-> OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt (os-windows.rules)
 * 3:16395 <-> ENABLED <-> OS-WINDOWS SMB COPY command oversized pathname attempt (os-windows.rules)
 * 3:16405 <-> ENABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt (protocol-icmp.rules)
 * 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
 * 3:16415 <-> ENABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
 * 3:16418 <-> ENABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
 * 3:16530 <-> ENABLED <-> OS-WINDOWS CAB SIP authenticode alteration attempt (os-windows.rules)
 * 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)
 * 3:16534 <-> ENABLED <-> SERVER-OTHER Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (server-other.rules)
 * 3:16561 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 1 (file-image.rules)
 * 3:16562 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 2 (file-image.rules)
 * 3:16563 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 3 (file-image.rules)
 * 3:16564 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 4 (file-image.rules)
 * 3:16577 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMBv2 compound request DoS attempt (os-windows.rules)
 * 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
 * 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
 * 3:17041 <-> ENABLED <-> SERVER-OTHER ISA Server OTP-based Forms-authorization fallback policy bypass attempt (server-other.rules)
 * 3:17118 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET CreateDelegate method arbitrary code execution attempt (file-executable.rules)
 * 3:17126 <-> ENABLED <-> OS-WINDOWS SMB large session length with small packet (os-windows.rules)
 * 3:17199 <-> ENABLED <-> FILE-OTHER Adobe Director file file lRTX overflow attempt (file-other.rules)
 * 3:17201 <-> ENABLED <-> FILE-OTHER Adobe Director file file LsCM overflow attempt (file-other.rules)
 * 3:17242 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF file arbitrary code execution attempt (file-multimedia.rules)
 * 3:17251 <-> ENABLED <-> FILE-OFFICE Outlook RTF remote code execution attempt (file-office.rules)
 * 3:17300 <-> ENABLED <-> FILE-MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (file-multimedia.rules)
 * 3:17608 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime color table atom movie file handling heap corruption attempt (file-multimedia.rules)
 * 3:17632 <-> ENABLED <-> PROTOCOL-SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow (protocol-snmp.rules)
 * 3:17647 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (file-flash.rules)
 * 3:17663 <-> ENABLED <-> SERVER-OTHER Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt (server-other.rules)
 * 3:17665 <-> ENABLED <-> FILE-OFFICE OpenOffice Word document table parsing multiple heap based buffer overflow attempt (file-office.rules)
 * 3:17667 <-> ENABLED <-> OS-WINDOWS Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (os-windows.rules)
 * 3:17693 <-> ENABLED <-> SERVER-MAIL MailEnable NTLM Authentication buffer overflow attempt (server-mail.rules)
 * 3:17696 <-> ENABLED <-> PROTOCOL-DNS Microsoft DNS Server ANY query cache weakness (protocol-dns.rules)
 * 3:17697 <-> ENABLED <-> POLICY-SOCIAL GnuPG Message Packet Length overflow attempt (policy-social.rules)
 * 3:17699 <-> ENABLED <-> PROTOCOL-SNMP Multiple vendor SNMPv3 HMAC handling authentication bypass attempt (protocol-snmp.rules)
 * 3:17700 <-> ENABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer wav chunk string overflow attempt (file-multimedia.rules)
 * 3:17741 <-> ENABLED <-> SERVER-OTHER MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (server-other.rules)
 * 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
 * 3:17765 <-> ENABLED <-> OS-WINDOWS OpenType Font file parsing buffer overflow attempt (os-windows.rules)
 * 3:17775 <-> ENABLED <-> INDICATOR-SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (indicator-shellcode.rules)
 * 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
 * 3:18064 <-> ENABLED <-> BROWSER-PLUGINS Microsoft .NET framework EntityObject execution attempt (browser-plugins.rules)
 * 3:18101 <-> ENABLED <-> SERVER-OTHER Sun Directory Server LDAP denial of service attempt (server-other.rules)
 * 3:18213 <-> ENABLED <-> FILE-OTHER MS Publisher column and row remote code execution attempt (file-other.rules)
 * 3:18220 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (os-windows.rules)
 * 3:18249 <-> ENABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Route Information stack buffer overflow attempt (protocol-icmp.rules)
 * 3:18400 <-> ENABLED <-> OS-WINDOWS MS CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
 * 3:18409 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys write message to dead thread code execution attempt (os-windows.rules)
 * 3:18405 <-> ENABLED <-> OS-WINDOWS Microsoft LSASS domain name buffer overflow attempt (os-windows.rules)
 * 3:18410 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys write message to dead thread code execution attempt (os-windows.rules)
 * 3:18411 <-> ENABLED <-> OS-WINDOWS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules)
 * 3:18412 <-> ENABLED <-> OS-WINDOWS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules)
 * 3:18414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt (os-windows.rules)
 * 3:18449 <-> ENABLED <-> FILE-OTHER Adobe Acrobat font definition memory corruption attempt (file-other.rules)
 * 3:18501 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules)
 * 3:18630 <-> ENABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 3:18631 <-> ENABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 3:18640 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed SupBook record attempt (file-office.rules)
 * 3:18641 <-> ENABLED <-> FILE-OFFICE Excel OBJ record invalid cmo.ot exploit attempt (file-office.rules)
 * 3:18660 <-> ENABLED <-> OS-WINDOWS SMB2 write packet buffer overflow attempt (os-windows.rules)
 * 3:18661 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18662 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18663 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18664 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18665 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18666 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18667 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18669 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cross-domain object manipulation attempt (browser-ie.rules)
 * 3:8351 <-> ENABLED <-> OS-WINDOWS PGM nak list overflow attempt (os-windows.rules)
 * 3:8092 <-> ENABLED <-> OS-WINDOWS IGMP IP Options validation attempt (os-windows.rules)
 * 3:7196 <-> ENABLED <-> OS-WINDOWS Microsoft DHCP option overflow attempt (os-windows.rules)
 * 3:7019 <-> ENABLED <-> PUA-P2P WinNY connection attempt (pua-p2p.rules)
 * 3:31616 <-> ENABLED <-> OS-OTHER Cisco IOS EnergyWise malformed packet denial of service attempt (os-other.rules)
 * 3:31615 <-> ENABLED <-> OS-OTHER Cisco IOS EnergyWise malformed packet denial of service attempt (os-other.rules)
 * 3:31451 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
 * 3:31398 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
 * 3:31361 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
 * 3:30943 <-> ENABLED <-> FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (file-other.rules)
 * 3:30942 <-> ENABLED <-> FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (file-other.rules)
 * 3:30933 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN remote code execution attempt (server-other.rules)
 * 3:30932 <-> ENABLED <-> FILE-OTHER Cisco WebEx WRF heap corruption attempt (file-other.rules)
 * 3:30931 <-> ENABLED <-> SERVER-OTHER Cisco RV180W remote file inclusion attempt (server-other.rules)
 * 3:30929 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN CSRF attempt (server-other.rules)
 * 3:30922 <-> ENABLED <-> FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt (file-other.rules)
 * 3:30921 <-> ENABLED <-> FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt (file-other.rules)
 * 3:30913 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
 * 3:30912 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
 * 3:30903 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
 * 3:30902 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
 * 3:23039 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
 * 3:20825 <-> ENABLED <-> SERVER-WEBAPP generic web server hashing collision attack (server-webapp.rules)
 * 3:20135 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector buffer overflow attempt (server-other.rules)
 * 3:21352 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 3:30901 <-> ENABLED <-> FILE-FLASH known malicious flash actionscript decryption routine (file-flash.rules)
 * 3:30890 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
 * 3:30889 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
 * 3:30888 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
 * 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
 * 3:30886 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
 * 3:30885 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
 * 3:30884 <-> ENABLED <-> PROTOCOL-VOIP Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (protocol-voip.rules)
 * 3:30881 <-> ENABLED <-> MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt (malware-other.rules)
 * 3:30283 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt (protocol-voip.rules)
 * 3:30282 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt (protocol-voip.rules)
 * 3:29945 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
 * 3:29944 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
 * 3:28488 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
 * 3:28487 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
 * 3:27906 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC prep_reprocess_req null pointer dereference attempt (server-other.rules)
 * 3:26972 <-> ENABLED <-> SERVER-OTHER CUPS IPP multi-valued attribute memory corruption attempt (server-other.rules)
 * 3:26877 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCPRecomputeMss denial of service attempt (os-windows.rules)
 * 3:26214 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - dnsalias.com (exploit-kit.rules)
 * 3:26215 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - dynalias.com (exploit-kit.rules)
 * 3:26213 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - doesntexist.com (exploit-kit.rules)
 * 3:24971 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD Adobe font driver reserved command denial of service attempt (file-other.rules)
 * 3:24671 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Explorer briefcase database memory corruption attempt (os-windows.rules)
 * 3:24666 <-> ENABLED <-> FILE-OFFICE Excel invalid data item buffer overflow attempt (file-office.rules)
 * 3:21354 <-> ENABLED <-> PROTOCOL-DNS dns query - storing query and txid (protocol-dns.rules)
 * 3:19187 <-> ENABLED <-> PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt (protocol-dns.rules)
 * 3:19350 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (file-multimedia.rules)
 * 3:18949 <-> ENABLED <-> FILE-OFFICE PowerPoint malformed RecolorInfoAtom exploit attempt (file-office.rules)
 * 3:21619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (os-windows.rules)
 * 3:22089 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
 * 3:18673 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 3:23040 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
 * 3:23180 <-> ENABLED <-> FILE-PDF obfuscated header in PDF attachment (file-pdf.rules)
 * 3:21355 <-> ENABLED <-> PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid (protocol-dns.rules)
 * 3:24596 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (server-oracle.rules)
 * 3:24595 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Server information disclosure attempt (server-oracle.rules)
 * 3:24597 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (server-oracle.rules)
 * 3:23608 <-> ENABLED <-> PROTOCOL-DNS dns zone transfer with zero-length rdata attempt (protocol-dns.rules)
 * 3:23182 <-> ENABLED <-> SERVER-OTHER SFVRT-1009 attack attempt (server-other.rules)
 * 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)

2014-08-19 16:43:44 UTC

Sourcefire VRT Rules Update

Date: 2014-08-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tioracudi1977.co.vu (blacklist.rules)
 * 1:31662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sputnikmailru.cdnmail.ru (blacklist.rules)
 * 1:31661 <-> ENABLED <-> BLACKLIST DNS request for known malware domain quidisnagend1983.co.vu (blacklist.rules)
 * 1:31660 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ltc.give-me-coins.com (blacklist.rules)
 * 1:31659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leicaresbe1976.co.vu (blacklist.rules)
 * 1:31658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain horses.silverlitedirect.ru (blacklist.rules)
 * 1:31657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain forces.moimains.ru (blacklist.rules)
 * 1:31656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain facebstats.com (blacklist.rules)
 * 1:31655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain devid.info (blacklist.rules)
 * 1:31654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain brasicerer1976.co.vu (blacklist.rules)
 * 1:31653 <-> ENABLED <-> BLACKLIST DNS request for known malware domain amigobin.cdnmail.ru (blacklist.rules)
 * 1:31652 <-> DISABLED <-> SERVER-WEBAPP VMTurbo Operations Manager vmtadmin.cgi command injection attempt (server-webapp.rules)
 * 1:31651 <-> DISABLED <-> SERVER-WEBAPP VMTurbo Operations Manager vmtadmin.cgi command injection attempt (server-webapp.rules)
 * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31668 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Web and E-Mail Interaction Manager cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:31646 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 XML page object type validation (browser-ie.rules)
 * 1:31645 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 XML page object type validation (browser-ie.rules)
 * 1:31406 <-> DISABLED <-> SERVER-OTHER Samsung TV denial of service attempt (server-other.rules)
 * 3:13826 <-> ENABLED <-> OS-WINDOWS Microsoft WINS arbitrary memory modification attempt (os-windows.rules)
 * 3:13825 <-> ENABLED <-> OS-WINDOWS Microsoft PGM fragment denial of service attempt (os-windows.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:13802 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13798 <-> ENABLED <-> OS-WINDOWS Microsoft malware protection engine denial of service attempt (os-windows.rules)
 * 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 3:13773 <-> ENABLED <-> OS-LINUX linux kernel snmp nat netfilter memory corruption attempt (os-linux.rules)
 * 3:13718 <-> ENABLED <-> SERVER-MAIL BDAT buffer overflow attempt (server-mail.rules)
 * 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
 * 3:13666 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI integer overflow attempt (os-windows.rules)
 * 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
 * 3:13511 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest invalid event count exploit attempt (server-other.rules)
 * 3:13510 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest heap overflow attempt (server-other.rules)
 * 3:13476 <-> ENABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
 * 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
 * 3:13471 <-> ENABLED <-> FILE-OFFICE Microsoft Publisher invalid pathname overwrite (file-office.rules)
 * 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
 * 3:13450 <-> ENABLED <-> OS-WINDOWS invalid dhcp offer denial of service attempt (os-windows.rules)
 * 3:13425 <-> ENABLED <-> SERVER-OTHER openldap server bind request denial of service attempt (server-other.rules)
 * 3:13418 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (server-other.rules)
 * 3:8351 <-> ENABLED <-> OS-WINDOWS PGM nak list overflow attempt (os-windows.rules)
 * 3:8092 <-> ENABLED <-> OS-WINDOWS IGMP IP Options validation attempt (os-windows.rules)
 * 3:7196 <-> ENABLED <-> OS-WINDOWS Microsoft DHCP option overflow attempt (os-windows.rules)
 * 3:7019 <-> ENABLED <-> PUA-P2P WinNY connection attempt (pua-p2p.rules)
 * 3:31616 <-> ENABLED <-> OS-OTHER Cisco IOS EnergyWise malformed packet denial of service attempt (os-other.rules)
 * 3:31615 <-> ENABLED <-> OS-OTHER Cisco IOS EnergyWise malformed packet denial of service attempt (os-other.rules)
 * 3:31451 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
 * 3:31398 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
 * 3:31361 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
 * 3:30943 <-> ENABLED <-> FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (file-other.rules)
 * 3:30942 <-> ENABLED <-> FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt (file-other.rules)
 * 3:30933 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN remote code execution attempt (server-other.rules)
 * 3:30932 <-> ENABLED <-> FILE-OTHER Cisco WebEx WRF heap corruption attempt (file-other.rules)
 * 3:30931 <-> ENABLED <-> SERVER-OTHER Cisco RV180W remote file inclusion attempt (server-other.rules)
 * 3:30929 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN CSRF attempt (server-other.rules)
 * 3:30922 <-> ENABLED <-> FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt (file-other.rules)
 * 3:30921 <-> ENABLED <-> FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt (file-other.rules)
 * 3:30913 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
 * 3:30912 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
 * 3:30903 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
 * 3:30902 <-> ENABLED <-> FILE-OTHER Cisco Webex WRF heap corruption attempt (file-other.rules)
 * 3:30901 <-> ENABLED <-> FILE-FLASH known malicious flash actionscript decryption routine (file-flash.rules)
 * 3:30890 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
 * 3:30889 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
 * 3:30888 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
 * 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
 * 3:30886 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
 * 3:30885 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
 * 3:30884 <-> ENABLED <-> PROTOCOL-VOIP Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (protocol-voip.rules)
 * 3:30881 <-> ENABLED <-> MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt (malware-other.rules)
 * 3:30283 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt (protocol-voip.rules)
 * 3:30282 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt (protocol-voip.rules)
 * 3:29945 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
 * 3:29944 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
 * 3:28488 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
 * 3:28487 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
 * 3:27906 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC prep_reprocess_req null pointer dereference attempt (server-other.rules)
 * 3:26972 <-> ENABLED <-> SERVER-OTHER CUPS IPP multi-valued attribute memory corruption attempt (server-other.rules)
 * 3:26877 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCPRecomputeMss denial of service attempt (os-windows.rules)
 * 3:26215 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - dynalias.com (exploit-kit.rules)
 * 3:26214 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - dnsalias.com (exploit-kit.rules)
 * 3:26213 <-> ENABLED <-> EXPLOIT-KIT g01 exploit kit dns request - doesntexist.com (exploit-kit.rules)
 * 3:24971 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD Adobe font driver reserved command denial of service attempt (file-other.rules)
 * 3:24671 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Explorer briefcase database memory corruption attempt (os-windows.rules)
 * 3:24666 <-> ENABLED <-> FILE-OFFICE Excel invalid data item buffer overflow attempt (file-office.rules)
 * 3:24597 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (server-oracle.rules)
 * 3:24596 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (server-oracle.rules)
 * 3:24595 <-> ENABLED <-> SERVER-ORACLE Oracle Reports Server information disclosure attempt (server-oracle.rules)
 * 3:23608 <-> ENABLED <-> PROTOCOL-DNS dns zone transfer with zero-length rdata attempt (protocol-dns.rules)
 * 3:23182 <-> ENABLED <-> SERVER-OTHER SFVRT-1009 attack attempt (server-other.rules)
 * 3:23180 <-> ENABLED <-> FILE-PDF obfuscated header in PDF attachment (file-pdf.rules)
 * 3:23040 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
 * 3:23039 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
 * 3:22089 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
 * 3:21619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (os-windows.rules)
 * 3:21355 <-> ENABLED <-> PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid (protocol-dns.rules)
 * 3:21354 <-> ENABLED <-> PROTOCOL-DNS dns query - storing query and txid (protocol-dns.rules)
 * 3:21352 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 3:20825 <-> ENABLED <-> SERVER-WEBAPP generic web server hashing collision attack (server-webapp.rules)
 * 3:20135 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector buffer overflow attempt (server-other.rules)
 * 3:19350 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (file-multimedia.rules)
 * 3:19187 <-> ENABLED <-> PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt (protocol-dns.rules)
 * 3:18949 <-> ENABLED <-> FILE-OFFICE PowerPoint malformed RecolorInfoAtom exploit attempt (file-office.rules)
 * 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 3:18673 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
 * 3:18669 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cross-domain object manipulation attempt (browser-ie.rules)
 * 3:18667 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18666 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18665 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18664 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18663 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18662 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18661 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys escalation of privilege attempt (os-windows.rules)
 * 3:18660 <-> ENABLED <-> OS-WINDOWS SMB2 write packet buffer overflow attempt (os-windows.rules)
 * 3:18641 <-> ENABLED <-> FILE-OFFICE Excel OBJ record invalid cmo.ot exploit attempt (file-office.rules)
 * 3:18640 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed SupBook record attempt (file-office.rules)
 * 3:18631 <-> ENABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 3:18630 <-> ENABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 3:18501 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules)
 * 3:18449 <-> ENABLED <-> FILE-OTHER Adobe Acrobat font definition memory corruption attempt (file-other.rules)
 * 3:18414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kerberos auth downgrade to DES MITM attempt (os-windows.rules)
 * 3:18412 <-> ENABLED <-> OS-WINDOWS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules)
 * 3:18411 <-> ENABLED <-> OS-WINDOWS Microsoft win32k!xxxTrackPopupMenuEx privilege escalation attempt (os-windows.rules)
 * 3:18410 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys write message to dead thread code execution attempt (os-windows.rules)
 * 3:18409 <-> ENABLED <-> OS-WINDOWS Microsoft win32k.sys write message to dead thread code execution attempt (os-windows.rules)
 * 3:18405 <-> ENABLED <-> OS-WINDOWS Microsoft LSASS domain name buffer overflow attempt (os-windows.rules)
 * 3:18400 <-> ENABLED <-> OS-WINDOWS MS CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
 * 3:18249 <-> ENABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Route Information stack buffer overflow attempt (protocol-icmp.rules)
 * 3:18220 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt (os-windows.rules)
 * 3:18213 <-> ENABLED <-> FILE-OTHER MS Publisher column and row remote code execution attempt (file-other.rules)
 * 3:18101 <-> ENABLED <-> SERVER-OTHER Sun Directory Server LDAP denial of service attempt (server-other.rules)
 * 3:18064 <-> ENABLED <-> BROWSER-PLUGINS Microsoft .NET framework EntityObject execution attempt (browser-plugins.rules)
 * 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
 * 3:17775 <-> ENABLED <-> INDICATOR-SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (indicator-shellcode.rules)
 * 3:17765 <-> ENABLED <-> OS-WINDOWS OpenType Font file parsing buffer overflow attempt (os-windows.rules)
 * 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
 * 3:17741 <-> ENABLED <-> SERVER-OTHER MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (server-other.rules)
 * 3:17700 <-> ENABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer wav chunk string overflow attempt (file-multimedia.rules)
 * 3:17699 <-> ENABLED <-> PROTOCOL-SNMP Multiple vendor SNMPv3 HMAC handling authentication bypass attempt (protocol-snmp.rules)
 * 3:17697 <-> ENABLED <-> POLICY-SOCIAL GnuPG Message Packet Length overflow attempt (policy-social.rules)
 * 3:17696 <-> ENABLED <-> PROTOCOL-DNS Microsoft DNS Server ANY query cache weakness (protocol-dns.rules)
 * 3:17693 <-> ENABLED <-> SERVER-MAIL MailEnable NTLM Authentication buffer overflow attempt (server-mail.rules)
 * 3:17667 <-> ENABLED <-> OS-WINDOWS Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt (os-windows.rules)
 * 3:17665 <-> ENABLED <-> FILE-OFFICE OpenOffice Word document table parsing multiple heap based buffer overflow attempt (file-office.rules)
 * 3:17663 <-> ENABLED <-> SERVER-OTHER Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt (server-other.rules)
 * 3:17647 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (file-flash.rules)
 * 3:17632 <-> ENABLED <-> PROTOCOL-SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow (protocol-snmp.rules)
 * 3:17608 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime color table atom movie file handling heap corruption attempt (file-multimedia.rules)
 * 3:17300 <-> ENABLED <-> FILE-MULTIMEDIA MPlayer demux_open_vqf TwinVQ file handling buffer overflow attempt (file-multimedia.rules)
 * 3:17251 <-> ENABLED <-> FILE-OFFICE Outlook RTF remote code execution attempt (file-office.rules)
 * 3:17242 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF file arbitrary code execution attempt (file-multimedia.rules)
 * 3:17201 <-> ENABLED <-> FILE-OTHER Adobe Director file file LsCM overflow attempt (file-other.rules)
 * 3:17199 <-> ENABLED <-> FILE-OTHER Adobe Director file file lRTX overflow attempt (file-other.rules)
 * 3:17126 <-> ENABLED <-> OS-WINDOWS SMB large session length with small packet (os-windows.rules)
 * 3:17118 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET CreateDelegate method arbitrary code execution attempt (file-executable.rules)
 * 3:17041 <-> ENABLED <-> SERVER-OTHER ISA Server OTP-based Forms-authorization fallback policy bypass attempt (server-other.rules)
 * 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
 * 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
 * 3:16577 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMBv2 compound request DoS attempt (os-windows.rules)
 * 3:16564 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 4 (file-image.rules)
 * 3:16563 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 3 (file-image.rules)
 * 3:16562 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 2 (file-image.rules)
 * 3:16561 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 1 (file-image.rules)
 * 3:16534 <-> ENABLED <-> SERVER-OTHER Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (server-other.rules)
 * 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)
 * 3:16530 <-> ENABLED <-> OS-WINDOWS CAB SIP authenticode alteration attempt (os-windows.rules)
 * 3:16418 <-> ENABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
 * 3:16415 <-> ENABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
 * 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
 * 3:16405 <-> ENABLED <-> PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt (protocol-icmp.rules)
 * 3:16395 <-> ENABLED <-> OS-WINDOWS SMB COPY command oversized pathname attempt (os-windows.rules)
 * 3:16394 <-> ENABLED <-> OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt (os-windows.rules)
 * 3:16375 <-> ENABLED <-> SERVER-OTHER LDAP object parameter name buffer overflow attempt (server-other.rules)
 * 3:16370 <-> ENABLED <-> FILE-PDF Adobe Reader JP2C Region Atom CompNum memory corruption attempt (file-pdf.rules)
 * 3:16343 <-> ENABLED <-> FILE-PDF obfuscated header in PDF (file-pdf.rules)
 * 3:16329 <-> ENABLED <-> SERVER-OTHER Microsoft Internet Authentication Service EAP-MSCHAPv2 authentication bypass attempt (server-other.rules)
 * 3:16320 <-> ENABLED <-> FILE-IMAGE Adobe PNG empty sPLT exploit attempt (file-image.rules)
 * 3:16237 <-> ENABLED <-> SERVER-OTHER Microsoft Active Directory NTDSA stack space exhaustion attempt (server-other.rules)
 * 3:16232 <-> ENABLED <-> OS-WINDOWS Windows TrueType font file parsing integer overflow attempt (os-windows.rules)
 * 3:16230 <-> ENABLED <-> FILE-OFFICE Microsoft Excel oversized ib memory corruption attempt (file-office.rules)
 * 3:16228 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed StartObject record arbitrary code execution attempt (file-office.rules)
 * 3:16227 <-> ENABLED <-> SERVER-OTHER Web Service on Devices API WSDAPI URL processing buffer corruption attempt (server-other.rules)
 * 3:16222 <-> ENABLED <-> FILE-IMAGE Malformed BMP dimensions arbitrary code execution attempt (file-image.rules)
 * 3:16182 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET MSIL stack corruption attempt (file-executable.rules)
 * 3:16179 <-> ENABLED <-> FILE-EXECUTABLE Microsoft .NET MSIL CLR interface multiple instantiation attempt (file-executable.rules)
 * 3:16158 <-> ENABLED <-> OS-WINDOWS malformed ASF codec memory corruption attempt (os-windows.rules)
 * 3:16156 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player ASF marker object memory corruption attempt (file-multimedia.rules)
 * 3:16154 <-> ENABLED <-> FILE-EXECUTABLE GDI+ .NET image property parsing memory corruption (file-executable.rules)
 * 3:15976 <-> ENABLED <-> FILE-IMAGE OpenOffice TIFF file in big endian format parsing integer overflow attempt (file-image.rules)
 * 3:15975 <-> ENABLED <-> FILE-IMAGE OpenOffice TIFF file in little endian format parsing integer overflow attempt (file-image.rules)
 * 3:15974 <-> ENABLED <-> SERVER-IIS Microsoft IIS ASP handling buffer overflow attempt (server-iis.rules)
 * 3:15973 <-> ENABLED <-> SERVER-OTHER Novell eDirectory LDAP null search parameter buffer overflow attempt (server-other.rules)
 * 3:15968 <-> ENABLED <-> SERVER-OTHER LANDesk Management Suite QIP service heal packet buffer overflow attempt (server-other.rules)
 * 3:15959 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET viewstate DoS attempt (server-iis.rules)
 * 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)
 * 3:15857 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows AVIFile media file invalid header length (file-multimedia.rules)
 * 3:15851 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 3:15848 <-> ENABLED <-> OS-WINDOWS WINS replication request memory corruption attempt (os-windows.rules)
 * 3:15847 <-> ENABLED <-> OS-WINDOWS Telnet-based NTLM replay attack attempt (os-windows.rules)
 * 3:15734 <-> ENABLED <-> PROTOCOL-DNS BIND named 9 dynamic update message remote dos attempt (protocol-dns.rules)
 * 3:15700 <-> ENABLED <-> SERVER-OTHER dhclient subnet mask option buffer overflow attempt (server-other.rules)
 * 3:15683 <-> ENABLED <-> SERVER-OTHER ISA Server OTP-based Forms-authorization fallback policy bypass attempt (server-other.rules)
 * 3:15528 <-> ENABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt (os-windows.rules)
 * 3:15522 <-> ENABLED <-> SERVER-OTHER Active Directory invalid OID denial of service attempt (server-other.rules)
 * 3:15521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
 * 3:15503 <-> ENABLED <-> FILE-OFFICE Download of PowerPoint 95 file (file-office.rules)
 * 3:15498 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint CString atom overflow attempt (file-office.rules)
 * 3:15474 <-> ENABLED <-> SERVER-OTHER Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (server-other.rules)
 * 3:15470 <-> ENABLED <-> FILE-EXECUTABLE IIS ASP/ASP.NET potentially malicious file upload attempt (file-executable.rules)
 * 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
 * 3:15456 <-> ENABLED <-> SERVER-OTHER WinHTTP SSL/TLS impersonation attempt (server-other.rules)
 * 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 3:15453 <-> ENABLED <-> OS-WINDOWS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (os-windows.rules)
 * 3:15452 <-> ENABLED <-> MALWARE-CNC possible Conficker.C HTTP traffic 2 (malware-cnc.rules)
 * 3:15451 <-> ENABLED <-> MALWARE-CNC possible Conficker.C HTTP traffic 1 (malware-cnc.rules)
 * 3:15450 <-> ENABLED <-> MALWARE-OTHER Conficker C/D DNS traffic detected (malware-other.rules)
 * 3:15449 <-> ENABLED <-> MALWARE-OTHER Conficker A/B DNS traffic detected (malware-other.rules)
 * 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
 * 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)
 * 3:15329 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange MODPROPS memory corruption attempt (server-mail.rules)
 * 3:15328 <-> ENABLED <-> FILE-JAVA Sun JDK image parsing library ICC buffer overflow attempt (file-java.rules)
 * 3:15327 <-> ENABLED <-> PROTOCOL-DNS libspf2 DNS TXT record parsing buffer overflow attempt (protocol-dns.rules)
 * 3:15301 <-> ENABLED <-> SERVER-MAIL Exchange compressed RTF remote code execution attempt (server-mail.rules)
 * 3:15300 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF polyline overflow attempt (browser-ie.rules)
 * 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
 * 3:15149 <-> ENABLED <-> SERVER-ORACLE Oracle Internet Directory pre-auth ldap denial of service attempt (server-oracle.rules)
 * 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)
 * 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
 * 3:15124 <-> ENABLED <-> OS-WINDOWS Web-based NTLM replay attack attempt (os-windows.rules)
 * 3:15121 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX function call unicode access (browser-plugins.rules)
 * 3:15120 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX function call access (browser-plugins.rules)
 * 3:15119 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX clsid unicode access (browser-plugins.rules)
 * 3:15118 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Visual Basic Winsock ActiveX clsid access (browser-plugins.rules)
 * 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
 * 3:15009 <-> ENABLED <-> OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected (os-windows.rules)
 * 3:14772 <-> ENABLED <-> FILE-IMAGE libpng malformed chunk denial of service attempt (file-image.rules)
 * 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
 * 3:14646 <-> ENABLED <-> OS-WINDOWS Active Directory malformed baseObject denial of service attempt (os-windows.rules)
 * 3:14263 <-> ENABLED <-> POLICY-SOCIAL Pidgin MSN MSNP2P message integer overflow attempt (policy-social.rules)
 * 3:14260 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (os-windows.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14251 <-> ENABLED <-> OS-WINDOWS Microsoft GDI malformed metarecord buffer overflow attempt (os-windows.rules)
 * 3:13979 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules)
 * 3:13978 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX function call unicode access (browser-plugins.rules)
 * 3:13977 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX function call access (browser-plugins.rules)
 * 3:13975 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX clsid access (browser-plugins.rules)
 * 3:13976 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Event System ActiveX clsid unicode access (browser-plugins.rules)
 * 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
 * 3:13958 <-> ENABLED <-> FILE-OFFICE WordPerfect Graphics file invalid RLE buffer overflow attempt (file-office.rules)
 * 3:13954 <-> ENABLED <-> OS-WINDOWS Microsoft Color Management System EMF file processing overflow attempt (os-windows.rules)
 * 3:13947 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (file-image.rules)
 * 3:13946 <-> ENABLED <-> FILE-IMAGE Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (file-image.rules)
 * 3:13922 <-> ENABLED <-> SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (server-iis.rules)
 * 3:13921 <-> ENABLED <-> SERVER-MAIL Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (server-mail.rules)
 * 3:13897 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime crgn atom parsing stack buffer overflow attempt (file-multimedia.rules)
 * 3:13887 <-> ENABLED <-> PROTOCOL-DNS dns root nameserver poisoning attempt (protocol-dns.rules)
 * 3:13879 <-> ENABLED <-> OS-WINDOWS Windows BMP image conversion arbitrary code execution attempt (os-windows.rules)
 * 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
 * 3:13417 <-> ENABLED <-> SERVER-OTHER Citrix MetaFrame IMA authentication processing buffer overflow attempt (server-other.rules)
 * 3:13308 <-> ENABLED <-> SERVER-APACHE Apache HTTP server auth_ldap logging function format string vulnerability (server-apache.rules)
 * 3:13287 <-> ENABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
 * 3:12636 <-> ENABLED <-> PROTOCOL-NNTP XHDR buffer overflow attempt (protocol-nntp.rules)
 * 3:12028 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange Server MIME base64 decoding code execution attempt (server-mail.rules)
 * 3:11672 <-> ENABLED <-> BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt (browser-other.rules)
 * 3:11619 <-> ENABLED <-> SERVER-MYSQL MySQL COM_TABLE_DUMP Function Stack Overflow attempt (server-mysql.rules)
 * 3:10480 <-> ENABLED <-> SERVER-OTHER imail ldap buffer overflow exploit attempt (server-other.rules)
 * 3:10127 <-> ENABLED <-> OS-WINDOWS Microsoft IP Options denial of service (os-windows.rules)