Sourcefire VRT Rules Update

Date: 2013-12-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2955.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:28856 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yowdab variant connection attempt (malware-cnc.rules)
 * 1:28854 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:28855 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:28852 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Zollard (blacklist.rules)
 * 1:28853 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dipverdle variant outbound connection attempt (malware-cnc.rules)
 * 1:28850 <-> ENABLED <-> SERVER-OTHER HP ProCurve Manager EJBInvokerServlet or JMXInvokerServlet remote code execution attempt (server-other.rules)
 * 1:28851 <-> ENABLED <-> SERVER-OTHER HP ProCurve Manager EJBInvokerServlet or JMXInvokerServlet remote code execution attempt (server-other.rules)
 * 1:28849 <-> ENABLED <-> SERVER-WEBAPP WordPress XMLRPC potential port-scan attempt (server-webapp.rules)

Modified Rules:

 * 1:27527 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:26808 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit short jar request (exploit-kit.rules)
 * 1:18210 <-> DISABLED <-> OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt (os-windows.rules)
 * 1:3148 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt (os-windows.rules)
 * 1:23350 <-> DISABLED <-> MALWARE-OTHER potential clickjacking via css pointer-events attempt (malware-other.rules)
 * 1:24129 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel catLabel pointer manipulation attempt (file-office.rules)
 * 1:24894 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules)
 * 1:24889 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules)
 * 1:27148 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:27149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:27530 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:28846 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt (file-pdf.rules)
 * 1:27526 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27525 <-> ENABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:28845 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt (file-pdf.rules)
 * 1:27528 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:19490 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Koceg.B variant outbound connection (malware-cnc.rules)
 * 1:27529 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:18211 <-> DISABLED <-> OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt (os-windows.rules)
 * 1:23271 <-> ENABLED <-> FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt (file-multimedia.rules)