To explain one of the snort rule alerts a bit more:
in this example the 'hcp_vbs.php?f=' part of the URL is known to be part of the 'Black Hole Exploit Kit'.
And this was one of the bugs abused on that site: description of exploit ->
https://bugs.php.net/bug.php?id=35360because you see a snort rule alert given for this, e.g.:
BLACKLIST URI possible Blackhole post-compromise download attempt -
.php?f=<random character>this will deliver various malicious PDF files to a user/victim,
polonus