VRT Rules 2015-02-10
The VRT is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS15-009: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33312 through 33325, 33331 through 33338, 33340 through 33341, 33345 through 33349, 33352 through 33354, 33356 through 33361, 33365 through 33366, and 33412 through 33428.

Microsoft Security Bulletin MS15-010: A coding deficiency exists in the Microsoft Windows Kernel Mode Driver that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33343 through 33344, 33355, 33363 through 33364, and 33436 through 33437.

Microsoft Security Bulletin MS15-012: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33350 through 33351 and 33362.

Microsoft Security Bulletin MS15-014: A coding deficiency exists in Microsoft SMB that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 33429.

The VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, exploit-kit, file-flash, file-office, file-other, file-pdf, indicator-shellcode, malware-cnc, os-linux, os-other, os-windows, protocol-scada and server-other rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2015-02-10 16:42:09 UTC

Sourcefire VRT Rules Update

Date: 2015-02-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
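As an added example (not part of the VRT release notes), the following Python parses changelog lines in the `gid:sid <-> state <-> message (group)` format above and cross-checks them against the SID ranges the advisory claims, flagging SIDs that are absent from the pack and SIDs that ship DISABLED by default (which will not alert until enabled locally); the sample lines are copied from this changelog, and `RuleEntry`, `parse_changelog`, `expand_sid_ranges` and `coverage_report` are names chosen here.

```python
import re
from typing import NamedTuple

# One changelog line: " * gid:sid <-> ENABLED|DISABLED <-> Message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


class RuleEntry(NamedTuple):
    gid: int
    sid: int
    state: str
    message: str
    group: str


def parse_changelog(text: str) -> list:
    """Parse every well-formed rule line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(RuleEntry(int(m["gid"]), int(m["sid"]),
                                     m["state"], m["msg"], m["group"]))
    return entries


def expand_sid_ranges(spec: str) -> set:
    """Expand advisory wording such as
    'GID 1, SIDs 33343 through 33344, 33355, and 33436 through 33437.'
    into the set of claimed SIDs. Anything before 'SID'/'SIDs' (the GID) is dropped
    so the GID number is not mistaken for a SID."""
    m = re.search(r"SIDs?\s+(.*)$", spec)
    body = m.group(1) if m else spec
    sids = set()
    for r in re.finditer(r"(\d+)(?:\s+through\s+(\d+))?", body):
        lo = int(r.group(1))
        hi = int(r.group(2)) if r.group(2) else lo
        if hi < lo:
            raise ValueError(f"inverted range {lo} through {hi}")
        sids.update(range(lo, hi + 1))
    return sids


def coverage_report(entries: list, gid: int, spec: str) -> tuple:
    """Return (present, missing, disabled): claimed SIDs found in the pack,
    claimed SIDs absent from it, and found SIDs whose default state is DISABLED."""
    claimed = expand_sid_ranges(spec)
    by_sid = {e.sid: e for e in entries if e.gid == gid}
    present = {s for s in claimed if s in by_sid}
    missing = claimed - present
    disabled = {s for s in present if by_sid[s].state == "DISABLED"}
    return present, missing, disabled


# Constructed sample: a subset of lines taken from this changelog.
SAMPLE_CHANGELOG = """New Rules:

 * 1:33343 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 8 x64 linked cursor double free attempt (os-windows.rules)
 * 1:33344 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 8 x64 linked cursor double free attempt (os-windows.rules)
 * 1:33355 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys use-after-free attempt (os-windows.rules)
 * 1:33363 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WM_SYSTIMER null pWnd attempt (os-windows.rules)
 * 1:33364 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WM_SYSTIMER null pWnd attempt (os-windows.rules)
 * 1:33436 <-> ENABLED <-> FILE-OTHER Microsoft Windows True Type Font integer overflow attempt (file-other.rules)
 * 1:33437 <-> ENABLED <-> FILE-OTHER Microsoft Windows True Type Font integer overflow attempt (file-other.rules)
 * 1:33337 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:33338 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:33340 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CParaElement use after free attempt (browser-ie.rules)
 * 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
"""

# Advisory wording for MS15-010, as stated on this page.
MS15_010_SIDS = ("GID 1, SIDs 33343 through 33344, 33355, 33363 through 33364, "
                 "and 33436 through 33437.")


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE_CHANGELOG)
    present, missing, disabled = coverage_report(rules, 1, MS15_010_SIDS)
    print(f"MS15-010: {len(present)} present, missing={sorted(missing)}, "
          f"disabled-by-default={sorted(disabled)}")
    # A slice of the MS15-009 claim checked against the same sample: 33341 is
    # not in the sample, and 33337/33338 ship DISABLED.
    present, missing, disabled = coverage_report(
        rules, 1, "GID 1, SIDs 33337 through 33338, 33340 through 33341")
    print(f"MS15-009 slice: missing={sorted(missing)}, disabled={sorted(disabled)}")
```

Run against a full release changelog, a non-empty `missing` set means the advisory and the pack disagree, and a non-empty `disabled` set lists coverage that needs a local enable before it alerts.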

New Rules:


 * 1:33405 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33406 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33403 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33404 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33402 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33401 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33399 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33400 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33398 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33397 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33396 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33394 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33395 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33392 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33393 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33390 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33391 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33388 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33389 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33387 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33385 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33386 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33383 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33384 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33381 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33382 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33379 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33380 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33377 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33378 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33375 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33376 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33373 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33374 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33372 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33371 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33369 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33370 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33367 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33368 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33365 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapElement use-after-free attempt (browser-ie.rules)
 * 1:33366 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapElement use-after-free attempt (browser-ie.rules)
 * 1:33364 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WM_SYSTIMER null pWnd attempt (os-windows.rules)
 * 1:33363 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WM_SYSTIMER null pWnd attempt (os-windows.rules)
 * 1:33362 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote exploit attempt (file-office.rules)
 * 1:33360 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer svg use after free attempt (browser-ie.rules)
 * 1:33361 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CCharFormat use-after-free attempt (browser-ie.rules)
 * 1:33358 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer SLayoutRun use-after-free attempt (browser-ie.rules)
 * 1:33359 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer svg use after free attempt (browser-ie.rules)
 * 1:33356 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode object used after free attempt (browser-ie.rules)
 * 1:33357 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode object used after free attempt (browser-ie.rules)
 * 1:33354 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray object used after free attempt (browser-ie.rules)
 * 1:33355 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys use-after-free attempt (os-windows.rules)
 * 1:33352 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 error handler XSS exploit attempt (browser-ie.rules)
 * 1:33353 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray object used after free attempt (browser-ie.rules)
 * 1:33350 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib use after free attempt (file-office.rules)
 * 1:33351 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib use after free attempt (file-office.rules)
 * 1:33348 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer dximagetransform.microsoft.shadow out of bounds array access attempt (browser-ie.rules)
 * 1:33349 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer dximagetransform.microsoft.shadow out of bounds array access attempt (browser-ie.rules)
 * 1:33347 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos use-after-free attempt (browser-ie.rules)
 * 1:33345 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CBatchParentUndoUnit object use after free attempt (browser-ie.rules)
 * 1:33346 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CBatchParentUndoUnit object use after free attempt (browser-ie.rules)
 * 1:33343 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 8 x64 linked cursor double free attempt (os-windows.rules)
 * 1:33344 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 8 x64 linked cursor double free attempt (os-windows.rules)
 * 1:33341 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CParaElement use after free attempt (browser-ie.rules)
 * 1:33342 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Dridex outbound connection (malware-cnc.rules)
 * 1:33336 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ActiveX type confusion attempt (browser-ie.rules)
 * 1:33333 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Hyphenator object use after free attempt (browser-ie.rules)
 * 1:33335 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ActiveX type confusion attempt (browser-ie.rules)
 * 1:33332 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditorProxy use after free attempt (browser-ie.rules)
 * 1:33331 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditorProxy use after free attempt (browser-ie.rules)
 * 1:33330 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Yinli outbound connection (malware-cnc.rules)
 * 1:33328 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Yinli outbound connection (malware-cnc.rules)
 * 1:33327 <-> ENABLED <-> BLACKLIST DNS request for known malware domain floracrunch.com (blacklist.rules)
 * 1:33325 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFormElement use after free attempt (browser-ie.rules)
 * 1:33326 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hitechclub.org (blacklist.rules)
 * 1:33323 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer use exploit attempt (browser-ie.rules)
 * 1:33321 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt (browser-ie.rules)
 * 1:33322 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt (browser-ie.rules)
 * 1:33318 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use after free attempt (browser-ie.rules)
 * 1:33320 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt (browser-ie.rules)
 * 1:33317 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use after free attempt (browser-ie.rules)
 * 1:33315 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:33316 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:33312 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertElementInternal out of bounds indexed array remote code execution attempt (browser-ie.rules)
 * 1:33313 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertElementInternal out of bounds indexed array remote code execution attempt (browser-ie.rules)
 * 1:33311 <-> ENABLED <-> PUA-ADWARE Win.Adware.OptimizerPro variant outbound connection (pua-adware.rules)
 * 1:33314 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CGeneratedSvgTreeNode use-after-free attempt (browser-ie.rules)
 * 1:33319 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt (browser-ie.rules)
 * 1:33324 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFormElement use after free attempt (browser-ie.rules)
 * 1:33329 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Yinli outbound connection (malware-cnc.rules)
 * 1:33334 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Hyphenator object use after free attempt (browser-ie.rules)
 * 1:33337 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:33338 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:33339 <-> DISABLED <-> INDICATOR-SHELLCODE heapspray characters detected - ASCII (indicator-shellcode.rules)
 * 1:33340 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CParaElement use after free attempt (browser-ie.rules)
 * 1:33437 <-> ENABLED <-> FILE-OTHER Microsoft Windows True Type Font integer overflow attempt (file-other.rules)
 * 1:33436 <-> ENABLED <-> FILE-OTHER Microsoft Windows True Type Font integer overflow attempt (file-other.rules)
 * 1:33435 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection attempt (malware-cnc.rules)
 * 1:33434 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection attempt (malware-cnc.rules)
 * 1:33433 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection attempt (malware-cnc.rules)
 * 1:33432 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection attempt (malware-cnc.rules)
 * 1:33431 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection attempt (malware-cnc.rules)
 * 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
 * 1:33429 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB potential group policy fallback exploit attempt (os-windows.rules)
 * 1:33428 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkupTransNavContext object use after free attempt (browser-ie.rules)
 * 1:33427 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkupTransNavContext object use after free attempt (browser-ie.rules)
 * 1:33426 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt (browser-ie.rules)
 * 1:33425 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt (browser-ie.rules)
 * 1:33424 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHeaderElement object use after free attempt (browser-ie.rules)
 * 1:33423 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHeaderElement object use after free attempt (browser-ie.rules)
 * 1:33422 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory leak exploit attempt (browser-ie.rules)
 * 1:33421 <-> ENABLED <-> BROWSER-IE CTreeDataPos use-after-free remote code execution attempt (browser-ie.rules)
 * 1:33420 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt (browser-ie.rules)
 * 1:33419 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt (browser-ie.rules)
 * 1:33418 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CGenericElement use after free attempt (browser-ie.rules)
 * 1:33417 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CGenericElement use after free attempt (browser-ie.rules)
 * 1:33416 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLineCore use after free attempt (browser-ie.rules)
 * 1:33415 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLineCore use after free attempt (browser-ie.rules)
 * 1:33414 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer unitialized memory access attempt (browser-ie.rules)
 * 1:33413 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer unitialized memory access attempt (browser-ie.rules)
 * 1:33412 <-> ENABLED <-> BROWSER-IE Internet Explorer style type confusion remote code execution attempt (browser-ie.rules)
 * 1:33411 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Dridex outbound connection (malware-cnc.rules)
 * 1:33410 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33409 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33408 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33407 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)

Modified Rules:


 * 1:32794 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection attempt (malware-cnc.rules)
 * 1:32793 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:30562 <-> ENABLED <-> PROTOCOL-SCADA Yokogawa CENTUM CS 3000 stack buffer overflow attempt (protocol-scada.rules)
 * 1:29965 <-> DISABLED <-> PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt (protocol-scada.rules)
 * 1:30326 <-> DISABLED <-> OS-LINUX Linux kernel SCTP duplicate cookie denial of service attempt (os-linux.rules)
 * 1:29504 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
 * 1:29604 <-> ENABLED <-> OS-OTHER CoDeSys Gateway Server Denial of Service attempt detected (os-other.rules)
 * 1:27624 <-> DISABLED <-> OS-WINDOWS Microsoft ICMPv6 mismatched prefix length and length field denial of service attempt (os-windows.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:26415 <-> ENABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server directory traversal attempt (protocol-scada.rules)
 * 1:26488 <-> ENABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server directory traversal attempt (protocol-scada.rules)
 * 1:26414 <-> ENABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server executable file upload attempt (protocol-scada.rules)
 * 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:24155 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt (file-pdf.rules)
 * 1:17045 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)
 * 1:24154 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt (file-pdf.rules)
 * 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)

2015-02-10 16:42:09 UTC

Sourcefire VRT Rules Update

Date: 2015-02-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33374 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33373 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33372 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33371 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33370 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33369 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33368 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33367 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33366 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapElement use-after-free attempt (browser-ie.rules)
 * 1:33365 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapElement use-after-free attempt (browser-ie.rules)
 * 1:33364 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WM_SYSTIMER null pWnd attempt (os-windows.rules)
 * 1:33363 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WM_SYSTIMER null pWnd attempt (os-windows.rules)
 * 1:33362 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote exploit attempt (file-office.rules)
 * 1:33361 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CCharFormat use-after-free attempt (browser-ie.rules)
 * 1:33360 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer svg use after free attempt (browser-ie.rules)
 * 1:33359 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer svg use after free attempt (browser-ie.rules)
 * 1:33358 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer SLayoutRun use-after-free attempt (browser-ie.rules)
 * 1:33357 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode object used after free attempt (browser-ie.rules)
 * 1:33356 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode object used after free attempt (browser-ie.rules)
 * 1:33355 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys use-after-free attempt (os-windows.rules)
 * 1:33437 <-> ENABLED <-> FILE-OTHER Microsoft Windows True Type Font integer overflow attempt (file-other.rules)
 * 1:33436 <-> ENABLED <-> FILE-OTHER Microsoft Windows True Type Font integer overflow attempt (file-other.rules)
 * 1:33435 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection attempt (malware-cnc.rules)
 * 1:33434 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection attempt (malware-cnc.rules)
 * 1:33433 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection attempt (malware-cnc.rules)
 * 1:33432 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection attempt (malware-cnc.rules)
 * 1:33431 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection attempt (malware-cnc.rules)
 * 1:33430 <-> DISABLED <-> APP-DETECT I2P traffic transmission attempt (app-detect.rules)
 * 1:33429 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB potential group policy fallback exploit attempt (os-windows.rules)
 * 1:33428 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkupTransNavContext object use after free attempt (browser-ie.rules)
 * 1:33427 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkupTransNavContext object use after free attempt (browser-ie.rules)
 * 1:33426 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt (browser-ie.rules)
 * 1:33425 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup object use after free attempt (browser-ie.rules)
 * 1:33424 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHeaderElement object use after free attempt (browser-ie.rules)
 * 1:33423 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHeaderElement object use after free attempt (browser-ie.rules)
 * 1:33422 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory leak exploit attempt (browser-ie.rules)
 * 1:33421 <-> ENABLED <-> BROWSER-IE CTreeDataPos use-after-free remote code execution attempt (browser-ie.rules)
 * 1:33420 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt (browser-ie.rules)
 * 1:33419 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos use after free attempt (browser-ie.rules)
 * 1:33418 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CGenericElement use after free attempt (browser-ie.rules)
 * 1:33417 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CGenericElement use after free attempt (browser-ie.rules)
 * 1:33416 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLineCore use after free attempt (browser-ie.rules)
 * 1:33415 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLineCore use after free attempt (browser-ie.rules)
 * 1:33414 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer unitialized memory access attempt (browser-ie.rules)
 * 1:33413 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer unitialized memory access attempt (browser-ie.rules)
 * 1:33412 <-> ENABLED <-> BROWSER-IE Internet Explorer style type confusion remote code execution attempt (browser-ie.rules)
 * 1:33411 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Dridex outbound connection (malware-cnc.rules)
 * 1:33410 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33409 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33408 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33407 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33406 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33405 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33404 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33403 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33402 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33401 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33400 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33399 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33398 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33397 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33396 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33395 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33394 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33393 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33392 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33391 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33390 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33389 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33388 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33387 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33386 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33385 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33384 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33383 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33382 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33381 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33380 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33379 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33378 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33377 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33376 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33375 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:33354 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray object used after free attempt (browser-ie.rules)
 * 1:33353 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray object used after free attempt (browser-ie.rules)
 * 1:33352 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 error handler XSS exploit attempt (browser-ie.rules)
 * 1:33351 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib use after free attempt (file-office.rules)
 * 1:33350 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib use after free attempt (file-office.rules)
 * 1:33349 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer dximagetransform.microsoft.shadow out of bounds array access attempt (browser-ie.rules)
 * 1:33348 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer dximagetransform.microsoft.shadow out of bounds array access attempt (browser-ie.rules)
 * 1:33347 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos use-after-free attempt (browser-ie.rules)
 * 1:33346 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CBatchParentUndoUnit object use after free attempt (browser-ie.rules)
 * 1:33345 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CBatchParentUndoUnit object use after free attempt (browser-ie.rules)
 * 1:33344 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 8 x64 linked cursor double free attempt (os-windows.rules)
 * 1:33343 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 8 x64 linked cursor double free attempt (os-windows.rules)
 * 1:33342 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Dridex outbound connection (malware-cnc.rules)
 * 1:33341 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CParaElement use after free attempt (browser-ie.rules)
 * 1:33340 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CParaElement use after free attempt (browser-ie.rules)
 * 1:33339 <-> DISABLED <-> INDICATOR-SHELLCODE heapspray characters detected - ASCII (indicator-shellcode.rules)
 * 1:33338 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:33337 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:33336 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ActiveX type confusion attempt (browser-ie.rules)
 * 1:33335 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ActiveX type confusion attempt (browser-ie.rules)
 * 1:33334 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Hyphenator object use after free attempt (browser-ie.rules)
 * 1:33333 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Hyphenator object use after free attempt (browser-ie.rules)
 * 1:33332 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditorProxy use after free attempt (browser-ie.rules)
 * 1:33331 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditorProxy use after free attempt (browser-ie.rules)
 * 1:33330 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Yinli outbound connection (malware-cnc.rules)
 * 1:33329 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Yinli outbound connection (malware-cnc.rules)
 * 1:33328 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Yinli outbound connection (malware-cnc.rules)
 * 1:33327 <-> ENABLED <-> BLACKLIST DNS request for known malware domain floracrunch.com (blacklist.rules)
 * 1:33326 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hitechclub.org (blacklist.rules)
 * 1:33325 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFormElement use after free attempt (browser-ie.rules)
 * 1:33324 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFormElement use after free attempt (browser-ie.rules)
 * 1:33323 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer use exploit attempt (browser-ie.rules)
 * 1:33322 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt (browser-ie.rules)
 * 1:33321 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt (browser-ie.rules)
 * 1:33320 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt (browser-ie.rules)
 * 1:33319 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt (browser-ie.rules)
 * 1:33318 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use after free attempt (browser-ie.rules)
 * 1:33317 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use after free attempt (browser-ie.rules)
 * 1:33316 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:33315 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:33314 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CGeneratedSvgTreeNode use-after-free attempt (browser-ie.rules)
 * 1:33313 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertElementInternal out of bounds indexed array remote code execution attempt (browser-ie.rules)
 * 1:33312 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertElementInternal out of bounds indexed array remote code execution attempt (browser-ie.rules)
 * 1:33311 <-> ENABLED <-> PUA-ADWARE Win.Adware.OptimizerPro variant outbound connection (pua-adware.rules)

Modified Rules:

 * 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
 * 1:17045 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)
 * 1:24154 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt (file-pdf.rules)
 * 1:24155 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt (file-pdf.rules)
 * 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:26414 <-> ENABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server executable file upload attempt (protocol-scada.rules)
 * 1:26415 <-> ENABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server directory traversal attempt (protocol-scada.rules)
 * 1:26488 <-> ENABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server directory traversal attempt (protocol-scada.rules)
 * 1:27624 <-> DISABLED <-> OS-WINDOWS Microsoft ICMPv6 mismatched prefix length and length field denial of service attempt (os-windows.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:29504 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
 * 1:29604 <-> ENABLED <-> OS-OTHER CoDeSys Gateway Server Denial of Service attempt detected (os-other.rules)
 * 1:29965 <-> DISABLED <-> PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt (protocol-scada.rules)
 * 1:30326 <-> DISABLED <-> OS-LINUX Linux kernel SCTP duplicate cookie denial of service attempt (os-linux.rules)
 * 1:30562 <-> ENABLED <-> PROTOCOL-SCADA Yokogawa CENTUM CS 3000 stack buffer overflow attempt (protocol-scada.rules)
 * 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection attempt (malware-cnc.rules)
 * 1:32793 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:32794 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)