Sourcefire VRT Rules Update

Date: 2010-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.

The format of the file is:

sid - Message (rule group, priority)

New rules:
18077 <-> SPECIFIC-THREATS Mozilla products CSS rendering out-of-bounds array write attempt (specific-threats.rules, High)
18078 <-> SPECIFIC-THREATS Mozilla products CSS rendering out-of-bounds array write attempt (specific-threats.rules, High)
18079 <-> BLACKLIST DNS request for known malware domain jsshmz.gotoip4.com (blacklist.rules, High)
18080 <-> BLACKLIST DNS request for known malware domain netrand.house.sina.com.cn (blacklist.rules, High)
18081 <-> BLACKLIST DNS request for known malware domain wenyixuan.3322.org (blacklist.rules, High)
18082 <-> BLACKLIST DNS request for known malware domain 3q.sbwanwan.com (blacklist.rules, High)
18083 <-> BLACKLIST DNS request for known malware domain 863.dclsba.com (blacklist.rules, High)
18084 <-> BLACKLIST DNS request for known malware domain drs317a.gotoip4.com (blacklist.rules, High)
18085 <-> BLACKLIST DNS request for known malware domain jsshmz.gotoip4.com (blacklist.rules, High)
18086 <-> BLACKLIST DNS request for known malware domain qq.sbwanwan.com (blacklist.rules, High)
18087 <-> BLACKLIST DNS request for known malware domain tiantianzaixian.gotoip1.com (blacklist.rules, High)
18088 <-> BLACKLIST DNS request for known malware domain wenyixuan.3322.org (blacklist.rules, High)
18089 <-> BLACKLIST DNS request for known malware domain www.auto328.com (blacklist.rules, High)
18090 <-> BLACKLIST DNS request for known malware domain www.comstelecom.com (blacklist.rules, High)
18091 <-> BLACKLIST DNS request for known malware domain www.goodfriends.or.kr (blacklist.rules, High)
18092 <-> BLACKLIST DNS request for known malware domain www.hao1345.com (blacklist.rules, High)
18093 <-> BLACKLIST DNS request for known malware domain www.opusgame.com (blacklist.rules, High)
18094 <-> BLACKLIST DNS request for known malware domain www.theoffstage.com (blacklist.rules, High)
18095 <-> BLACKLIST DNS request for known malware domain www.wwmei.com (blacklist.rules, High)
18096 <-> WEB-MISC Apache Tomcat username enumeration attempt (web-misc.rules, Medium)
18097 <-> WEB-ACTIVEX VMWare Remote Console Plug-In ActiveX clsid access (web-activex.rules, High)
18098 <-> BLACKLIST URI request for known malicious URI - /set/first.html (blacklist.rules, High)
18099 <-> BLACKLIST URI request for known malicious URI - /cfg/*.plug (blacklist.rules, High)
18100 <-> BOTNET-CNC Tidserv malware command and control channel traffic (botnet-cnc.rules, High)

Updated rules:
7047 <-> WEB-CLIENT excel object record overflow attempt (web-client.rules, High)
9626 <-> WEB-ACTIVEX AcroPDF.PDF ActiveX clsid access (web-activex.rules, High)
9627 <-> WEB-ACTIVEX AcroPDF.PDF ActiveX clsid unicode access (web-activex.rules, High)
11264 <-> SQL Microsoft SQL Server 2000 Server hello buffer overflow attempt (sql.rules, High)
12285 <-> WEB-CLIENT Excel Workspace file download (web-client.rules, Low)
13627 <-> DELETED WEB-CLIENT Microsoft Access file download request (deleted.rules, Low)
13628 <-> DELETED WEB-CLIENT Microsoft Access file download request (deleted.rules, Low)
13913 <-> WEB-ACTIVEX AcroPDF.PDF ActiveX function call access (web-activex.rules, High)
13914 <-> WEB-ACTIVEX AcroPDF.PDF ActiveX function call unicode access (web-activex.rules, High)
15581 <-> NETBIOS Samba wildcard filename matching denial of service attempt (netbios.rules, Medium)
16037 <-> WEB-CLIENT Mozilla products graphics and XML features integer overflows attempt (web-client.rules, High)
16425 <-> WEB-CLIENT request for Portable Executable binary file (web-client.rules, Low)
17108 <-> SPECIFIC-THREATS Apache Tomcat JK Web Server Connector long URL stack overflow attempt - 2 (specific-threats.rules, High)
17305 <-> SPECIFIC-THREATS ClamAV libclamav PE file handling integer overflow attempt (specific-threats.rules, High)
17407 <-> WEB-CLIENT Windows help file download request (web-client.rules, High)
17451 <-> DELETED WEB-MISC Sun Directory Server LDAP denial of service attempt (deleted.rules, Medium)
17452 <-> DELETED WEB-MISC Sun Directory Server LDAP denial of service attempt (deleted.rules, Medium)
17453 <-> DELETED WEB-MISC Sun Directory Server LDAP denial of service attempt (deleted.rules, Medium)
17454 <-> DELETED WEB-MISC Sun Directory Server LDAP denial of service attempt (deleted.rules, Medium)
17455 <-> DELETED WEB-MISC Sun Directory Server LDAP denial of service attempt (deleted.rules, Medium)
17456 <-> DELETED WEB-MISC Sun Directory Server LDAP denial of service attempt (deleted.rules, Medium)