VRT Rules 2015-02-26
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, browser-webkit, file-flash, file-image, file-other, file-pdf, malware-backdoor, malware-cnc, os-other, protocol-voip, pua-p2p, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-02-26 15:11:31 UTC

Sourcefire VRT Rules Update

Date: 2015-02-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:33622 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33635 <-> DISABLED <-> FILE-FLASH Adobe Flash Player decompressing denial of service attempt (file-flash.rules)
 * 1:33636 <-> DISABLED <-> SERVER-OTHER SAP Sybase ESP xmlrpc unsafe pointer dereference attempt (server-other.rules)
 * 1:33633 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Downing - Win.Trojan.Otwycal (blacklist.rules)
 * 1:33634 <-> DISABLED <-> FILE-FLASH Adobe Flash Player decompressing denial of service attempt (file-flash.rules)
 * 1:33631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33632 <-> DISABLED <-> SERVER-WEBAPP PHP xmlrpc.php command injection attempt (server-webapp.rules)
 * 1:33629 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33630 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33627 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33628 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33621 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.lubot outbound connection (malware-cnc.rules)
 * 1:33626 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33618 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.lubot download (malware-backdoor.rules)
 * 1:33625 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33615 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:33612 <-> DISABLED <-> SERVER-WEBAPP stronghold-status access (server-webapp.rules)
 * 1:33597 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central MSP StatusUpdateServlet directory traversal attempt (server-webapp.rules)
 * 1:33609 <-> DISABLED <-> SERVER-WEBAPP .wwwpasswd access (server-webapp.rules)
 * 1:33600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound detected (malware-cnc.rules)
 * 1:33596 <-> DISABLED <-> SERVER-OTHER GnuTLS TLSA record heap buffer overflow attempt (server-other.rules)
 * 1:33607 <-> DISABLED <-> SERVER-WEBAPP cron access (server-webapp.rules)
 * 1:33598 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central MSP StatusUpdateServlet directory traversal attempt (server-webapp.rules)
 * 1:33601 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:33603 <-> DISABLED <-> FILE-OTHER Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption attempt (file-other.rules)
 * 1:33592 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)
 * 1:33605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:33593 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)
 * 1:33604 <-> DISABLED <-> FILE-OTHER Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption attempt (file-other.rules)
 * 1:33608 <-> DISABLED <-> SERVER-WEBAPP bin access (server-webapp.rules)
 * 1:33599 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central MSP StatusUpdateServlet directory traversal attempt (server-webapp.rules)
 * 1:33595 <-> DISABLED <-> SERVER-OTHER GnuTLS TLSA record heap buffer overflow attempt (server-other.rules)
 * 1:33602 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:33606 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:33610 <-> DISABLED <-> SERVER-WEBAPP .wwwgroup access (server-webapp.rules)
 * 1:33594 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection  (malware-cnc.rules)
 * 1:33614 <-> DISABLED <-> SERVER-WEBAPP caucho-status access (server-webapp.rules)
 * 1:33619 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.lubot download (malware-backdoor.rules)
 * 1:33620 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.lubot outbound connection (malware-cnc.rules)
 * 1:33623 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33613 <-> DISABLED <-> SERVER-WEBAPP stronghold-info access (server-webapp.rules)
 * 1:33611 <-> DISABLED <-> SERVER-WEBAPP httpd.conf access (server-webapp.rules)
 * 1:33624 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)

Modified Rules:
 * 1:19049 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant outbound connection (malware-cnc.rules)
 * 1:32604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Geodo variant outbound connection (malware-cnc.rules)
 * 1:32599 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Mysayad outbound connection (malware-cnc.rules)
 * 1:32606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral variant outbound connection (malware-cnc.rules)
 * 1:32621 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection (malware-cnc.rules)
 * 1:32622 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection (malware-cnc.rules)
 * 1:32623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection (malware-cnc.rules)
 * 1:32624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection (malware-cnc.rules)
 * 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection (malware-cnc.rules)
 * 1:32677 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:32678 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (malware-cnc.rules)
 * 1:32823 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel outbound connection (malware-cnc.rules)
 * 1:32825 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel outbound connection (malware-cnc.rules)
 * 1:32852 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection (malware-cnc.rules)
 * 1:32853 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection (malware-cnc.rules)
 * 1:32892 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TorLocker variant outbound connection (malware-cnc.rules)
 * 1:32893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Finforst outbound connection (malware-cnc.rules)
 * 1:32956 <-> ENABLED <-> MALWARE-CNC Android.CoolReaper.Trojan outbound connection (malware-cnc.rules)
 * 1:32976 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection (malware-cnc.rules)
 * 1:33054 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Joanap outbound connection (malware-cnc.rules)
 * 1:21669 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk expires header denial of service attempt (protocol-voip.rules)
 * 1:2180 <-> DISABLED <-> PUA-P2P BitTorrent announce request (pua-p2p.rules)
 * 1:25019 <-> DISABLED <-> OS-OTHER Cisco Nexus OS software command injection attempt (os-other.rules)
 * 1:25020 <-> DISABLED <-> OS-OTHER Cisco Nexus OS software command injection attempt (os-other.rules)
 * 1:25627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reventon variant outbound communication (malware-cnc.rules)
 * 1:26310 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt (server-mysql.rules)
 * 1:27236 <-> DISABLED <-> SERVER-OTHER Citrix XenApp password buffer overflow attempt (server-other.rules)
 * 1:28534 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28535 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28536 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28537 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:29865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection (malware-cnc.rules)
 * 1:30073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection (malware-cnc.rules)
 * 1:30288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba.M initial outbound connection (malware-cnc.rules)
 * 1:30336 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Calfbot outbound connection (malware-cnc.rules)
 * 1:30483 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
 * 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
 * 1:30548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (malware-cnc.rules)
 * 1:30900 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tuhao variant outbound connection (malware-cnc.rules)
 * 1:30914 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpySmall variant outbound connection (malware-cnc.rules)
 * 1:30915 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpySmall variant outbound connection (malware-cnc.rules)
 * 1:30919 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:30925 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound connection (malware-cnc.rules)
 * 1:30938 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Roopre outbound connection (malware-cnc.rules)
 * 1:30985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed outbound connection (malware-cnc.rules)
 * 1:31020 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:31053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadnessPro outbound connection (malware-cnc.rules)
 * 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (malware-cnc.rules)
 * 1:31070 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs outbound connection (malware-cnc.rules)
 * 1:31084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection (malware-cnc.rules)
 * 1:31113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:31223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection (malware-cnc.rules)
 * 1:31114 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rfusclient outbound connection (malware-cnc.rules)
 * 1:31240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection (malware-cnc.rules)
 * 1:31241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection (malware-cnc.rules)
 * 1:31242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Utishaf variant outbound connection (malware-cnc.rules)
 * 1:31261 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Symmi outbound connection (malware-cnc.rules)
 * 1:31244 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection (malware-cnc.rules)
 * 1:31295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zusy variant outbound connection (malware-cnc.rules)
 * 1:31303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadeki variant outbound connection (malware-cnc.rules)
 * 1:31314 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Daikou variant outbound connection (malware-cnc.rules)
 * 1:31316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsnu variant outbound connection (malware-cnc.rules)
 * 1:31315 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL variant outbound connection (malware-cnc.rules)
 * 1:31317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orbot variant outbound connection (malware-cnc.rules)
 * 1:31344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Levyatan variant outbound connection (malware-cnc.rules)
 * 1:31355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bicololo outbound connection (malware-cnc.rules)
 * 1:31452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:31450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall outbound connection (malware-cnc.rules)
 * 1:31458 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SDBot variant outbound connection (malware-cnc.rules)
 * 1:31593 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.SMSSend outbound connection (malware-cnc.rules)
 * 1:31644 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Scarelocker outbound connection (malware-cnc.rules)
 * 1:31717 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SoftPulse variant outbound connection (malware-cnc.rules)
 * 1:31808 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.IptabLex outbound connection (malware-cnc.rules)
 * 1:31820 <-> ENABLED <-> MALWARE-CNC Win.Banker.Delf variant outbound connection (malware-cnc.rules)
 * 1:31824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection (malware-cnc.rules)
 * 1:32605 <-> ENABLED <-> MALWARE-CNC Win.Worm.Jenxcus variant outbound connection (malware-cnc.rules)
 * 1:31827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection (malware-cnc.rules)
 * 1:31836 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Seribe variant outbound connection (malware-cnc.rules)
 * 1:31835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yesudac variant outbound connection (malware-cnc.rules)
 * 1:31837 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retgate variant outbound connection (malware-cnc.rules)
 * 1:31895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toupi variant outbound connection (malware-cnc.rules)
 * 1:31896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection (malware-cnc.rules)
 * 1:31911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Gareme variant outbound connection (malware-cnc.rules)
 * 1:31907 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Honerep variant outbound connection (malware-cnc.rules)
 * 1:31924 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:31928 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Becontr variant outbound connection (malware-cnc.rules)
 * 1:31941 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Pedrp variant outbound connection (malware-cnc.rules)
 * 1:31957 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.MSIL.Torct variant outbound connection (malware-cnc.rules)
 * 1:31973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chebri variant outbound connection (malware-cnc.rules)
 * 1:31974 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegorg variant outbound connection (malware-cnc.rules)
 * 1:32002 <-> ENABLED <-> MALWARE-CNC Win.Worm.Zorenium variant outbound connection (malware-cnc.rules)
 * 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
 * 1:32012 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Bipamid variant outbound connection (malware-cnc.rules)
 * 1:32013 <-> ENABLED <-> MALWARE-CNC Linux.Worm.Darlloz variant outbound connection (malware-cnc.rules)
 * 1:32015 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zeus variant outbound connection (malware-cnc.rules)
 * 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (malware-cnc.rules)
 * 1:32020 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Krompt variant outbound connection (malware-cnc.rules)
 * 1:32023 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sinpid variant outbound connection (malware-cnc.rules)
 * 1:32028 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Klabcon variant outbound connection (malware-cnc.rules)
 * 1:32034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Larefervt variant outbound connection (malware-cnc.rules)
 * 1:32035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boleteiro variant outbound connection (malware-cnc.rules)
 * 1:32036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Somoca vaniant outbound connection (malware-cnc.rules)
 * 1:32037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload.awt variant outbound connection (malware-cnc.rules)
 * 1:32040 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Ganiw variant outbound connection (malware-cnc.rules)
 * 1:32050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Larosden variant outbound connection (malware-cnc.rules)
 * 1:32048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lecpetex variant outbound connection (malware-cnc.rules)
 * 1:32058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Masatekar variant outbound connection (malware-cnc.rules)
 * 1:32066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection (malware-cnc.rules)
 * 1:32061 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Nekill variant outbound connection (malware-cnc.rules)
 * 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection (malware-cnc.rules)
 * 1:32070 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dalgan variant outbound connection (malware-cnc.rules)
 * 1:32071 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zapchast variant outbound connection (malware-cnc.rules)
 * 1:32075 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Small variant outbound connection (malware-cnc.rules)
 * 1:32073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot outbound connection (malware-cnc.rules)
 * 1:32090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Saaglup variant outbound connection (malware-cnc.rules)
 * 1:32086 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Corkow variant outbound connection (malware-cnc.rules)
 * 1:32091 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.PcertStealer variant outbound connection (malware-cnc.rules)
 * 1:32093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
 * 1:32096 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Puver variant outbound connection (malware-cnc.rules)
 * 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
 * 1:32123 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection (malware-cnc.rules)
 * 1:32130 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:32195 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Palebot variant outbound connection (malware-cnc.rules)
 * 1:32222 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.MSIL.Liroospu variant outbound connection (malware-cnc.rules)
 * 1:32225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall variant outbound connection (malware-cnc.rules)
 * 1:32293 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Acanas variant outbound connection (malware-cnc.rules)
 * 1:32310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Farfi variant outbound connection (malware-cnc.rules)
 * 1:32338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ropest variant outbound connection (malware-cnc.rules)
 * 1:32334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Stantinko variant outbound connection (malware-cnc.rules)
 * 1:32357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Akaza variant outbound connection (malware-cnc.rules)
 * 1:32367 <-> DISABLED <-> MALWARE-CNC Win.Trojan.GameOverZeus variant outbound connection (malware-cnc.rules)
 * 1:32372 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drepitt variant outbound connection (malware-cnc.rules)
 * 1:32373 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Broonject variant outbound connection (malware-cnc.rules)
 * 1:32374 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:32379 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Baccamun variant outbound connection (malware-cnc.rules)
 * 1:32394 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection (malware-cnc.rules)
 * 1:32395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection (malware-cnc.rules)
 * 1:32396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection (malware-cnc.rules)
 * 1:32397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection (malware-cnc.rules)
 * 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (malware-cnc.rules)
 * 1:32469 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bankeiya outbound connection (malware-cnc.rules)
 * 1:32486 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Exadog outbound connection (malware-cnc.rules)
 * 1:32977 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection (malware-cnc.rules)
 * 1:32987 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection (malware-cnc.rules)
 * 1:32487 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Exadog variant outbound connection (malware-cnc.rules)
 * 1:32988 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection (malware-cnc.rules)
 * 1:32989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection (malware-cnc.rules)
 * 1:32990 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toopu outbound connection (malware-cnc.rules)
 * 1:32506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Secdeskinf outbound connection (malware-cnc.rules)
 * 1:33081 <-> ENABLED <-> MALWARE-CNC OnionDuke variant outbound connection (malware-cnc.rules)
 * 1:33084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tosct variant outbound connection (malware-cnc.rules)
 * 1:33152 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nurjax.A outbound connection (malware-cnc.rules)
 * 1:33153 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Heur variant outbound connection (malware-cnc.rules)
 * 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (malware-cnc.rules)
 * 1:33200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pisces variant outbound connection (malware-cnc.rules)
 * 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:33219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gamarue variant outbound connection (malware-cnc.rules)
 * 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (malware-cnc.rules)
 * 1:32513 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Havex outbound connection (malware-cnc.rules)
 * 1:33228 <-> ENABLED <-> MALWARE-CNC Win.Kovter variant outbound connection (malware-cnc.rules)
 * 1:33282 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:33305 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rubinurd variant outbound connection (malware-cnc.rules)
 * 1:33431 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:32556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection (malware-cnc.rules)
 * 1:33432 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33433 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33434 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33435 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:32557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection (malware-cnc.rules)
 * 1:32583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:32584 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:3827 <-> DISABLED <-> SERVER-WEBAPP PHP xmlrpc.php post attempt (server-webapp.rules)
 * 1:33547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Turla outbound connection (malware-cnc.rules)
 * 1:19964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:33457 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:33450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection (malware-cnc.rules)
 * 1:33453 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter variant outbound connection (malware-cnc.rules)
 * 1:33444 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection (malware-cnc.rules)
 * 1:33443 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (server-webapp.rules)
 * 1:18986 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:13818 <-> DISABLED <-> SERVER-WEBAPP PHP alternate xmlrpc.php command injection attempt (server-webapp.rules)
 * 1:18987 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:13817 <-> DISABLED <-> SERVER-WEBAPP PHP xmlrpc.php command injection attempt (server-webapp.rules)
 * 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (server-webapp.rules)
 * 1:13816 <-> DISABLED <-> SERVER-WEBAPP PHP xmlrpc.php command injection attempt (server-webapp.rules)
 * 1:18492 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ilo.brenz.pl - Win.Trojan.Ramnit (blacklist.rules)
 * 1:20020 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MalwareDoctor variant outbound connection (malware-cnc.rules)
 * 1:19389 <-> DISABLED <-> PROTOCOL-VOIP REGISTER flood (protocol-voip.rules)

2015-02-26 15:11:31 UTC

Sourcefire VRT Rules Update

Date: 2015-02-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:33631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33630 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33629 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33628 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33627 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33626 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33625 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33624 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33623 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33622 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt (browser-webkit.rules)
 * 1:33621 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.lubot outbound connection (malware-cnc.rules)
 * 1:33620 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.lubot outbound connection (malware-cnc.rules)
 * 1:33619 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.lubot download (malware-backdoor.rules)
 * 1:33618 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.lubot download (malware-backdoor.rules)
 * 1:33615 <-> ENABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:33614 <-> DISABLED <-> SERVER-WEBAPP caucho-status access (server-webapp.rules)
 * 1:33613 <-> DISABLED <-> SERVER-WEBAPP stronghold-info access (server-webapp.rules)
 * 1:33612 <-> DISABLED <-> SERVER-WEBAPP stronghold-status access (server-webapp.rules)
 * 1:33611 <-> DISABLED <-> SERVER-WEBAPP httpd.conf access (server-webapp.rules)
 * 1:33610 <-> DISABLED <-> SERVER-WEBAPP .wwwgroup access (server-webapp.rules)
 * 1:33636 <-> DISABLED <-> SERVER-OTHER SAP Sybase ESP xmlrpc unsafe pointer dereference attempt (server-other.rules)
 * 1:33635 <-> DISABLED <-> FILE-FLASH Adobe Flash Player decompressing denial of service attempt (file-flash.rules)
 * 1:33634 <-> DISABLED <-> FILE-FLASH Adobe Flash Player decompressing denial of service attempt (file-flash.rules)
 * 1:33633 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Downing - Win.Trojan.Otwycal (blacklist.rules)
 * 1:33632 <-> DISABLED <-> SERVER-WEBAPP PHP xmlrpc.php command injection attempt (server-webapp.rules)
 * 1:33609 <-> DISABLED <-> SERVER-WEBAPP .wwwpasswd access (server-webapp.rules)
 * 1:33608 <-> DISABLED <-> SERVER-WEBAPP bin access (server-webapp.rules)
 * 1:33607 <-> DISABLED <-> SERVER-WEBAPP cron access (server-webapp.rules)
 * 1:33606 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:33605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:33604 <-> DISABLED <-> FILE-OTHER Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption attempt (file-other.rules)
 * 1:33603 <-> DISABLED <-> FILE-OTHER Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption attempt (file-other.rules)
 * 1:33602 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:33601 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:33600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound detected (malware-cnc.rules)
 * 1:33599 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central MSP StatusUpdateServlet directory traversal attempt (server-webapp.rules)
 * 1:33598 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central MSP StatusUpdateServlet directory traversal attempt (server-webapp.rules)
 * 1:33597 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central MSP StatusUpdateServlet directory traversal attempt (server-webapp.rules)
 * 1:33596 <-> DISABLED <-> SERVER-OTHER GnuTLS TLSA record heap buffer overflow attempt (server-other.rules)
 * 1:33595 <-> DISABLED <-> SERVER-OTHER GnuTLS TLSA record heap buffer overflow attempt (server-other.rules)
 * 1:33594 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection  (malware-cnc.rules)
 * 1:33593 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)
 * 1:33592 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)

Modified Rules:
 * 1:21669 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk expires header denial of service attempt (protocol-voip.rules)
 * 1:20020 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MalwareDoctor variant outbound connection (malware-cnc.rules)
 * 1:19964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:19389 <-> DISABLED <-> PROTOCOL-VOIP REGISTER flood (protocol-voip.rules)
 * 1:19049 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant outbound connection (malware-cnc.rules)
 * 1:3827 <-> DISABLED <-> SERVER-WEBAPP PHP xmlrpc.php post attempt (server-webapp.rules)
 * 1:33547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Turla outbound connection (malware-cnc.rules)
 * 1:33457 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:33453 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter variant outbound connection (malware-cnc.rules)
 * 1:33450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection (malware-cnc.rules)
 * 1:33444 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection (malware-cnc.rules)
 * 1:33443 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:33435 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33434 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33433 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33432 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33431 <-> ENABLED <-> MALWARE-CNC Cryptowall 3.0 variant outbound connection (malware-cnc.rules)
 * 1:33305 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rubinurd variant outbound connection (malware-cnc.rules)
 * 1:33282 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:33228 <-> ENABLED <-> MALWARE-CNC Win.Kovter variant outbound connection (malware-cnc.rules)
 * 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (malware-cnc.rules)
 * 1:33219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gamarue variant outbound connection (malware-cnc.rules)
 * 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:33200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pisces variant outbound connection (malware-cnc.rules)
 * 1:33153 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Heur variant outbound connection (malware-cnc.rules)
 * 1:33152 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nurjax.A outbound connection (malware-cnc.rules)
 * 1:33084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tosct variant outbound connection (malware-cnc.rules)
 * 1:33081 <-> ENABLED <-> MALWARE-CNC OnionDuke variant outbound connection (malware-cnc.rules)
 * 1:33054 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Joanap outbound connection (malware-cnc.rules)
 * 1:32990 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toopu outbound connection (malware-cnc.rules)
 * 1:32989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection (malware-cnc.rules)
 * 1:32988 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection (malware-cnc.rules)
 * 1:32987 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection (malware-cnc.rules)
 * 1:32977 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection (malware-cnc.rules)
 * 1:32976 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection (malware-cnc.rules)
 * 1:32956 <-> ENABLED <-> MALWARE-CNC Android.CoolReaper.Trojan outbound connection (malware-cnc.rules)
 * 1:32893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Finforst outbound connection (malware-cnc.rules)
 * 1:32892 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TorLocker variant outbound connection (malware-cnc.rules)
 * 1:32853 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection (malware-cnc.rules)
 * 1:32852 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection (malware-cnc.rules)
 * 1:32825 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel outbound connection (malware-cnc.rules)
 * 1:32823 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel outbound connection (malware-cnc.rules)
 * 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (malware-cnc.rules)
 * 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:32678 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:32677 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection (malware-cnc.rules)
 * 1:32624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection (malware-cnc.rules)
 * 1:32623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection (malware-cnc.rules)
 * 1:32622 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection (malware-cnc.rules)
 * 1:32621 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection (malware-cnc.rules)
 * 1:32606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral variant outbound connection (malware-cnc.rules)
 * 1:32605 <-> ENABLED <-> MALWARE-CNC Win.Worm.Jenxcus variant outbound connection (malware-cnc.rules)
 * 1:32604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Geodo variant outbound connection (malware-cnc.rules)
 * 1:32599 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Mysayad outbound connection (malware-cnc.rules)
 * 1:32584 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:32583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:32557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection (malware-cnc.rules)
 * 1:32556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection (malware-cnc.rules)
 * 1:32513 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Havex outbound connection (malware-cnc.rules)
 * 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (malware-cnc.rules)
 * 1:32506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Secdeskinf outbound connection (malware-cnc.rules)
 * 1:32487 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Exadog variant outbound connection (malware-cnc.rules)
 * 1:32486 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Exadog outbound connection (malware-cnc.rules)
 * 1:32469 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bankeiya outbound connection (malware-cnc.rules)
 * 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (malware-cnc.rules)
 * 1:32397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection (malware-cnc.rules)
 * 1:32396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection (malware-cnc.rules)
 * 1:32395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection (malware-cnc.rules)
 * 1:32394 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection (malware-cnc.rules)
 * 1:32379 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Baccamun variant outbound connection (malware-cnc.rules)
 * 1:32374 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:32373 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Broonject variant outbound connection (malware-cnc.rules)
 * 1:32372 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drepitt variant outbound connection (malware-cnc.rules)
 * 1:32367 <-> DISABLED <-> MALWARE-CNC Win.Trojan.GameOverZeus variant outbound connection (malware-cnc.rules)
 * 1:32357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Akaza variant outbound connection (malware-cnc.rules)
 * 1:32338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ropest variant outbound connection (malware-cnc.rules)
 * 1:32334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Stantinko variant outbound connection (malware-cnc.rules)
 * 1:32310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Farfi variant outbound connection (malware-cnc.rules)
 * 1:32293 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Acanas variant outbound connection (malware-cnc.rules)
 * 1:32225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall variant outbound connection (malware-cnc.rules)
 * 1:32222 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.MSIL.Liroospu variant outbound connection (malware-cnc.rules)
 * 1:32195 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Palebot variant outbound connection (malware-cnc.rules)
 * 1:32130 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:32123 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection (malware-cnc.rules)
 * 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
 * 1:32096 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Puver variant outbound connection (malware-cnc.rules)
 * 1:32093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
 * 1:32091 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.PcertStealer variant outbound connection (malware-cnc.rules)
 * 1:32090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Saaglup variant outbound connection (malware-cnc.rules)
 * 1:32086 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Corkow variant outbound connection (malware-cnc.rules)
 * 1:32075 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Small variant outbound connection (malware-cnc.rules)
 * 1:32073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot outbound connection (malware-cnc.rules)
 * 1:32071 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zapchast variant outbound connection (malware-cnc.rules)
 * 1:32070 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dalgan variant outbound connection (malware-cnc.rules)
 * 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection (malware-cnc.rules)
 * 1:32066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection (malware-cnc.rules)
 * 1:32061 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Nekill variant outbound connection (malware-cnc.rules)
 * 1:32058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Masatekar variant outbound connection (malware-cnc.rules)
 * 1:32050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Larosden variant outbound connection (malware-cnc.rules)
 * 1:32048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lecpetex variant outbound connection (malware-cnc.rules)
 * 1:32040 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Ganiw variant outbound connection (malware-cnc.rules)
 * 1:32037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload.awt variant outbound connection (malware-cnc.rules)
 * 1:32036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Somoca variant outbound connection (malware-cnc.rules)
 * 1:32035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boleteiro variant outbound connection (malware-cnc.rules)
 * 1:32034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Larefervt variant outbound connection (malware-cnc.rules)
 * 1:32028 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Klabcon variant outbound connection (malware-cnc.rules)
 * 1:32023 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sinpid variant outbound connection (malware-cnc.rules)
 * 1:32020 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Krompt variant outbound connection (malware-cnc.rules)
 * 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (malware-cnc.rules)
 * 1:32015 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zeus variant outbound connection (malware-cnc.rules)
 * 1:32013 <-> ENABLED <-> MALWARE-CNC Linux.Worm.Darlloz variant outbound connection (malware-cnc.rules)
 * 1:32012 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Bipamid variant outbound connection (malware-cnc.rules)
 * 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
 * 1:32002 <-> ENABLED <-> MALWARE-CNC Win.Worm.Zorenium variant outbound connection (malware-cnc.rules)
 * 1:31974 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegorg variant outbound connection (malware-cnc.rules)
 * 1:31973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chebri variant outbound connection (malware-cnc.rules)
 * 1:31957 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.MSIL.Torct variant outbound connection (malware-cnc.rules)
 * 1:31941 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Pedrp variant outbound connection (malware-cnc.rules)
 * 1:31928 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Becontr variant outbound connection (malware-cnc.rules)
 * 1:31924 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:31911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Gareme variant outbound connection (malware-cnc.rules)
 * 1:31907 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Honerep variant outbound connection (malware-cnc.rules)
 * 1:31896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magnetor variant outbound connection (malware-cnc.rules)
 * 1:31895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toupi variant outbound connection (malware-cnc.rules)
 * 1:31837 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retgate variant outbound connection (malware-cnc.rules)
 * 1:31836 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Seribe variant outbound connection (malware-cnc.rules)
 * 1:31835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yesudac variant outbound connection (malware-cnc.rules)
 * 1:31827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection (malware-cnc.rules)
 * 1:31824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection (malware-cnc.rules)
 * 1:31820 <-> ENABLED <-> MALWARE-CNC Win.Banker.Delf variant outbound connection (malware-cnc.rules)
 * 1:31808 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.IptabLex outbound connection (malware-cnc.rules)
 * 1:31717 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SoftPulse variant outbound connection (malware-cnc.rules)
 * 1:31644 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Scarelocker outbound connection (malware-cnc.rules)
 * 1:31593 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.SMSSend outbound connection (malware-cnc.rules)
 * 1:31458 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SDBot variant outbound connection (malware-cnc.rules)
 * 1:31452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:31450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall outbound connection (malware-cnc.rules)
 * 1:31355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bicololo outbound connection (malware-cnc.rules)
 * 1:31344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Levyatan variant outbound connection (malware-cnc.rules)
 * 1:31317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orbot variant outbound connection (malware-cnc.rules)
 * 1:31316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsnu variant outbound connection (malware-cnc.rules)
 * 1:31315 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL variant outbound connection (malware-cnc.rules)
 * 1:31314 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Daikou variant outbound connection (malware-cnc.rules)
 * 1:31303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadeki variant outbound connection (malware-cnc.rules)
 * 1:31295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zusy variant outbound connection (malware-cnc.rules)
 * 1:31244 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection (malware-cnc.rules)
 * 1:31261 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Symmi outbound connection (malware-cnc.rules)
 * 1:31242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Utishaf variant outbound connection (malware-cnc.rules)
 * 1:31241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection (malware-cnc.rules)
 * 1:31240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection (malware-cnc.rules)
 * 1:31223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection (malware-cnc.rules)
 * 1:31114 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rfusclient outbound connection (malware-cnc.rules)
 * 1:31113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:31084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection (malware-cnc.rules)
 * 1:31070 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs outbound connection (malware-cnc.rules)
 * 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (malware-cnc.rules)
 * 1:31053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadnessPro outbound connection (malware-cnc.rules)
 * 1:31020 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:30985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed outbound connection (malware-cnc.rules)
 * 1:30938 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Roopre outbound connection (malware-cnc.rules)
 * 1:30925 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound connection (malware-cnc.rules)
 * 1:30919 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:30915 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpySmall variant outbound connection (malware-cnc.rules)
 * 1:30914 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpySmall variant outbound connection (malware-cnc.rules)
 * 1:30900 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tuhao variant outbound connection (malware-cnc.rules)
 * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (malware-cnc.rules)
 * 1:30548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
 * 1:30483 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
 * 1:30336 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Calfbot outbound connection (malware-cnc.rules)
 * 1:30288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba.M initial outbound connection (malware-cnc.rules)
 * 1:30073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection (malware-cnc.rules)
 * 1:29865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection (malware-cnc.rules)
 * 1:28537 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28536 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28535 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28534 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:27236 <-> DISABLED <-> SERVER-OTHER Citrix XenApp password buffer overflow attempt (server-other.rules)
 * 1:26310 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt (server-mysql.rules)
 * 1:25627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reventon variant outbound communication (malware-cnc.rules)
 * 1:25020 <-> DISABLED <-> OS-OTHER Cisco Nexus OS software command injection attempt (os-other.rules)
 * 1:25019 <-> DISABLED <-> OS-OTHER Cisco Nexus OS software command injection attempt (os-other.rules)
 * 1:2180 <-> DISABLED <-> PUA-P2P BitTorrent announce request (pua-p2p.rules)
 * 1:18987 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:18986 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:18492 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ilo.brenz.pl - Win.Trojan.Ramnit (blacklist.rules)
 * 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (server-webapp.rules)
 * 1:13818 <-> DISABLED <-> SERVER-WEBAPP PHP alternate xmlrpc.php command injection attempt (server-webapp.rules)
 * 1:13817 <-> DISABLED <-> SERVER-WEBAPP PHP xmlrpc.php command injection attempt (server-webapp.rules)
 * 1:13816 <-> DISABLED <-> SERVER-WEBAPP PHP xmlrpc.php command injection attempt (server-webapp.rules)
 * 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (server-webapp.rules)