VRT Rules 2014-10-14
The VRT is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS14-056: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32137 through 32138, 32153 through 32164, 32166 through 32169 and 32182 through 32185.

Microsoft Security Bulletin MS14-057: A coding deficiency exists in Microsoft .NET Framework that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32139 through 32140 and 32149 through 32152.

Microsoft Security Bulletin MS14-058: A coding deficiency exists in a Microsoft Kernel-Mode driver that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32141 through 32146 and 32190 through 32191.

Microsoft Security Bulletin MS14-059: A programing error in Microsoft ASP.NET MVC may lead to a security feature bypass.

A previously released rule will detect attacks targeting this vulnerability and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 7070.

Microsoft Security Bulletin MS14-061: A coding deficiency exists in Microsoft Word and may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32147 through 32148.

The VRT has added and modified multiple rules in the blacklist, browser-ie, file-identify, file-office, file-other, file-pdf, malware-backdoor, malware-cnc and policy-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-10-14 19:52:49 UTC

Sourcefire VRT Rules Update

Date: 2014-10-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32192 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zxshell variant outbound connection (malware-cnc.rules)
 * 1:32191 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font parsing remote code execution attempt (os-windows.rules)
 * 1:32179 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Plugx variant outbound connection (malware-cnc.rules)
 * 1:32177 <-> ENABLED <-> BLACKLIST DNS request for known malware domain java.ns1.name - Win.Trojan.Plugx (blacklist.rules)
 * 1:32178 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wm1.ns01.us - Win.Trojan.Plugx (blacklist.rules)
 * 1:32175 <-> ENABLED <-> MALWARE-CNC Osx.Backdoor.iWorm variant outbound connection (malware-cnc.rules)
 * 1:32176 <-> ENABLED <-> BLACKLIST DNS request for known malware domain av4.microsoftsp3.com - Win.Trojan.Plugx (blacklist.rules)
 * 1:32173 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s2.symcb.com - Osx.Backdoor.iWorm (blacklist.rules)
 * 1:32174 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm (blacklist.rules)
 * 1:32172 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackPOS stolen data transfer to internal staging area (malware-cnc.rules)
 * 1:32171 <-> ENABLED <-> FILE-PDF Adobe Reader string replacement heap overflow attempt (file-pdf.rules)
 * 1:32169 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTransientLookaside object use after free attempt (browser-ie.rules)
 * 1:32170 <-> ENABLED <-> FILE-PDF Adobe Reader string replacement heap overflow attempt (file-pdf.rules)
 * 1:32167 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer SVG heap corruption attempt (file-other.rules)
 * 1:32168 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTransientLookaside object use after free attempt (browser-ie.rules)
 * 1:32165 <-> ENABLED <-> FILE-IDENTIFY SVG file magic detected (file-identify.rules)
 * 1:32166 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer SVG heap corruption attempt (file-other.rules)
 * 1:32164 <-> DISABLED <-> BROWSER-IE GetUpdatedLayout partial table declaration use-after-free attempt (browser-ie.rules)
 * 1:32163 <-> DISABLED <-> BROWSER-IE GetUpdatedLayout partial table declaration use-after-free attempt (browser-ie.rules)
 * 1:32162 <-> ENABLED <-> BROWSER-IE Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
 * 1:32160 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup Object use after free attempt (browser-ie.rules)
 * 1:32161 <-> ENABLED <-> BROWSER-IE Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
 * 1:32158 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CMarkup GetMarkupTitle use-after-free attempt (browser-ie.rules)
 * 1:32159 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup Object use after free attempt (browser-ie.rules)
 * 1:32156 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer FormatContext Use after free attempt (browser-ie.rules)
 * 1:32157 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CMarkup GetMarkupTitle use-after-free attempt (browser-ie.rules)
 * 1:32154 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer innerHTML use after free attempt (browser-ie.rules)
 * 1:32155 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer FormatContext Use after free attempt (browser-ie.rules)
 * 1:32153 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer innerHTML use after free attempt (browser-ie.rules)
 * 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound communication (malware-cnc.rules)
 * 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound communication (malware-cnc.rules)
 * 1:32190 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font parsing remote code execution attempt (os-windows.rules)
 * 1:32182 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableLayout AddRow out of bounds array access heap corruption attempt (browser-ie.rules)
 * 1:32183 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableLayout AddRow out of bounds array access heap corruption attempt (browser-ie.rules)
 * 1:32185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFunctionPointer use after free exploit attempt (browser-ie.rules)
 * 1:32137 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt (browser-ie.rules)
 * 1:32184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFunctionPointer use after free exploit attempt (browser-ie.rules)
 * 1:32186 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:32187 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
 * 1:32151 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:32152 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:32149 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:32150 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:32147 <-> ENABLED <-> FILE-OFFICE Microsoft Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:32148 <-> ENABLED <-> FILE-OFFICE Microsoft Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:32145 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32146 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32144 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32142 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32143 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32140 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DCOM sandbox escape attempt (browser-ie.rules)
 * 1:32141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32138 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt (browser-ie.rules)
 * 1:32139 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DCOM sandbox escape attempt (browser-ie.rules)
 * 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)

Modified Rules:


 * 1:16368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq variant outbound connection (malware-cnc.rules)
 * 1:19484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0stRAT variant outbound connection (malware-cnc.rules)
 * 1:20080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derusbi.A variant outbound connection (malware-cnc.rules)
 * 1:27964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0stRAT variant outbound connection (malware-cnc.rules)
 * 1:28493 <-> ENABLED <-> MALWARE-CNC DeputyDog diskless method outbound connection (malware-cnc.rules)
 * 1:29459 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fexel variant outbound connection (malware-cnc.rules)
 * 1:30948 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Hikit outbound banner response (malware-backdoor.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)

2014-10-14 19:52:49 UTC

Sourcefire VRT Rules Update

Date: 2014-10-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32178 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wm1.ns01.us - Win.Trojan.Plugx (blacklist.rules)
 * 1:32179 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Plugx variant outbound connection (malware-cnc.rules)
 * 1:32177 <-> ENABLED <-> BLACKLIST DNS request for known malware domain java.ns1.name - Win.Trojan.Plugx (blacklist.rules)
 * 1:32176 <-> ENABLED <-> BLACKLIST DNS request for known malware domain av4.microsoftsp3.com - Win.Trojan.Plugx (blacklist.rules)
 * 1:32175 <-> ENABLED <-> MALWARE-CNC Osx.Backdoor.iWorm variant outbound connection (malware-cnc.rules)
 * 1:32173 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s2.symcb.com - Osx.Backdoor.iWorm (blacklist.rules)
 * 1:32174 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm (blacklist.rules)
 * 1:32171 <-> ENABLED <-> FILE-PDF Adobe Reader string replacement heap overflow attempt (file-pdf.rules)
 * 1:32172 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackPOS stolen data transfer to internal staging area (malware-cnc.rules)
 * 1:32169 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTransientLookaside object use after free attempt (browser-ie.rules)
 * 1:32170 <-> ENABLED <-> FILE-PDF Adobe Reader string replacement heap overflow attempt (file-pdf.rules)
 * 1:32167 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer SVG heap corruption attempt (file-other.rules)
 * 1:32168 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTransientLookaside object use after free attempt (browser-ie.rules)
 * 1:32165 <-> ENABLED <-> FILE-IDENTIFY SVG file magic detected (file-identify.rules)
 * 1:32166 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer SVG heap corruption attempt (file-other.rules)
 * 1:32163 <-> DISABLED <-> BROWSER-IE GetUpdatedLayout partial table declaration use-after-free attempt (browser-ie.rules)
 * 1:32164 <-> DISABLED <-> BROWSER-IE GetUpdatedLayout partial table declaration use-after-free attempt (browser-ie.rules)
 * 1:32162 <-> ENABLED <-> BROWSER-IE Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
 * 1:32160 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup Object use after free attempt (browser-ie.rules)
 * 1:32161 <-> ENABLED <-> BROWSER-IE Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
 * 1:32158 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CMarkup GetMarkupTitle use-after-free attempt (browser-ie.rules)
 * 1:32159 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup Object use after free attempt (browser-ie.rules)
 * 1:32156 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer FormatContext Use after free attempt (browser-ie.rules)
 * 1:32157 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CMarkup GetMarkupTitle use-after-free attempt (browser-ie.rules)
 * 1:32154 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer innerHTML use after free attempt (browser-ie.rules)
 * 1:32155 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer FormatContext Use after free attempt (browser-ie.rules)
 * 1:32153 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer innerHTML use after free attempt (browser-ie.rules)
 * 1:32138 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt (browser-ie.rules)
 * 1:32139 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DCOM sandbox escape attempt (browser-ie.rules)
 * 1:32140 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DCOM sandbox escape attempt (browser-ie.rules)
 * 1:32141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32143 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32142 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32144 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32145 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32146 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32148 <-> ENABLED <-> FILE-OFFICE Microsoft Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:32147 <-> ENABLED <-> FILE-OFFICE Microsoft Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:32149 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:32150 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:32151 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:32152 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:32192 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zxshell variant outbound connection (malware-cnc.rules)
 * 1:32191 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font parsing remote code execution attempt (os-windows.rules)
 * 1:32190 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font parsing remote code execution attempt (os-windows.rules)
 * 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound communication (malware-cnc.rules)
 * 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound communication (malware-cnc.rules)
 * 1:32187 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:32186 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:32137 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt (browser-ie.rules)
 * 1:32184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFunctionPointer use after free exploit attempt (browser-ie.rules)
 * 1:32185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFunctionPointer use after free exploit attempt (browser-ie.rules)
 * 1:32183 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableLayout AddRow out of bounds array access heap corruption attempt (browser-ie.rules)
 * 1:32182 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableLayout AddRow out of bounds array access heap corruption attempt (browser-ie.rules)
 * 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
 * 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)

Modified Rules:


 * 1:16368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq variant outbound connection (malware-cnc.rules)
 * 1:19484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0stRAT variant outbound connection (malware-cnc.rules)
 * 1:20080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derusbi.A variant outbound connection (malware-cnc.rules)
 * 1:27964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0stRAT variant outbound connection (malware-cnc.rules)
 * 1:28493 <-> ENABLED <-> MALWARE-CNC DeputyDog diskless method outbound connection (malware-cnc.rules)
 * 1:29459 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fexel variant outbound connection (malware-cnc.rules)
 * 1:30948 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Hikit outbound banner response (malware-backdoor.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)

2014-10-14 19:52:49 UTC

Sourcefire VRT Rules Update

Date: 2014-10-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32192 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zxshell variant outbound connection (malware-cnc.rules)
 * 1:32191 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font parsing remote code execution attempt (os-windows.rules)
 * 1:32190 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font parsing remote code execution attempt (os-windows.rules)
 * 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound communication (malware-cnc.rules)
 * 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound communication (malware-cnc.rules)
 * 1:32187 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:32186 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:32185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFunctionPointer use after free exploit attempt (browser-ie.rules)
 * 1:32184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFunctionPointer use after free exploit attempt (browser-ie.rules)
 * 1:32183 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableLayout AddRow out of bounds array access heap corruption attempt (browser-ie.rules)
 * 1:32182 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableLayout AddRow out of bounds array access heap corruption attempt (browser-ie.rules)
 * 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
 * 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
 * 1:32179 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Plugx variant outbound connection (malware-cnc.rules)
 * 1:32178 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wm1.ns01.us - Win.Trojan.Plugx (blacklist.rules)
 * 1:32177 <-> ENABLED <-> BLACKLIST DNS request for known malware domain java.ns1.name - Win.Trojan.Plugx (blacklist.rules)
 * 1:32176 <-> ENABLED <-> BLACKLIST DNS request for known malware domain av4.microsoftsp3.com - Win.Trojan.Plugx (blacklist.rules)
 * 1:32175 <-> ENABLED <-> MALWARE-CNC Osx.Backdoor.iWorm variant outbound connection (malware-cnc.rules)
 * 1:32174 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm (blacklist.rules)
 * 1:32173 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s2.symcb.com - Osx.Backdoor.iWorm (blacklist.rules)
 * 1:32172 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackPOS stolen data transfer to internal staging area (malware-cnc.rules)
 * 1:32171 <-> ENABLED <-> FILE-PDF Adobe Reader string replacement heap overflow attempt (file-pdf.rules)
 * 1:32170 <-> ENABLED <-> FILE-PDF Adobe Reader string replacement heap overflow attempt (file-pdf.rules)
 * 1:32169 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTransientLookaside object use after free attempt (browser-ie.rules)
 * 1:32168 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTransientLookaside object use after free attempt (browser-ie.rules)
 * 1:32167 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer SVG heap corruption attempt (file-other.rules)
 * 1:32166 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer SVG heap corruption attempt (file-other.rules)
 * 1:32165 <-> ENABLED <-> FILE-IDENTIFY SVG file magic detected (file-identify.rules)
 * 1:32164 <-> DISABLED <-> BROWSER-IE GetUpdatedLayout partial table declaration use-after-free attempt (browser-ie.rules)
 * 1:32163 <-> DISABLED <-> BROWSER-IE GetUpdatedLayout partial table declaration use-after-free attempt (browser-ie.rules)
 * 1:32162 <-> ENABLED <-> BROWSER-IE Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
 * 1:32161 <-> ENABLED <-> BROWSER-IE Internet Explorer superscript invalid parameter denial of service attempt (browser-ie.rules)
 * 1:32160 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup Object use after free attempt (browser-ie.rules)
 * 1:32159 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup Object use after free attempt (browser-ie.rules)
 * 1:32158 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CMarkup GetMarkupTitle use-after-free attempt (browser-ie.rules)
 * 1:32157 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CMarkup GetMarkupTitle use-after-free attempt (browser-ie.rules)
 * 1:32156 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer FormatContext Use after free attempt (browser-ie.rules)
 * 1:32155 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer FormatContext Use after free attempt (browser-ie.rules)
 * 1:32154 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer innerHTML use after free attempt (browser-ie.rules)
 * 1:32153 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer innerHTML use after free attempt (browser-ie.rules)
 * 1:32152 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:32151 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:32150 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:32149 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:32148 <-> ENABLED <-> FILE-OFFICE Microsoft Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:32147 <-> ENABLED <-> FILE-OFFICE Microsoft Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:32146 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32145 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32144 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32143 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32142 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 TrackPopupMenu code execution attempt (os-windows.rules)
 * 1:32140 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DCOM sandbox escape attempt (browser-ie.rules)
 * 1:32139 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DCOM sandbox escape attempt (browser-ie.rules)
 * 1:32138 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt (browser-ie.rules)
 * 1:32137 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt (browser-ie.rules)

Modified Rules:


 * 1:16368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq variant outbound connection (malware-cnc.rules)
 * 1:19484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0stRAT variant outbound connection (malware-cnc.rules)
 * 1:20080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derusbi.A variant outbound connection (malware-cnc.rules)
 * 1:27964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0stRAT variant outbound connection (malware-cnc.rules)
 * 1:28493 <-> ENABLED <-> MALWARE-CNC DeputyDog diskless method outbound connection (malware-cnc.rules)
 * 1:29459 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fexel variant outbound connection (malware-cnc.rules)
 * 1:30948 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Hikit outbound banner response (malware-backdoor.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)