Sourcefire VRT Rules Update

Date: 2011-05-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:18956 <-> ENABLED <-> WEB-CGI Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt (web-cgi.rules)
 * 1:18935 <-> DISABLED <-> DOS ISC DHCP server zero length client ID denial of service attempt (dos.rules)
 * 1:18939 <-> DISABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:18950 <-> DISABLED <-> BAD-TRAFFIC Microsoft WINS service oversize payload exploit attempt (bad-traffic.rules)
 * 1:18951 <-> ENABLED <-> SPECIFIC-THREATS Internet Explorer onPropertyChange deleteTable memory corruption attempt (specific-threats.rules)
 * 1:18945 <-> DISABLED <-> BOTNET-CNC Virus.Win32.Feberr contact to server attempt (botnet-cnc.rules)
 * 1:18947 <-> DISABLED <-> BOTNET-CNC Backdoor.Win32.IRCBot.FC runtime detection (botnet-cnc.rules)
 * 1:18943 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - MacDefender (blacklist.rules)
 * 1:18952 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows uniscribe fonts parsing memory corruption attempt (specific-threats.rules)
 * 1:18946 <-> DISABLED <-> BOTNET-CNC Backdoor.Win32.IRCBot.FC runtime detection (botnet-cnc.rules)
 * 1:16188 <-> ENABLED <-> WEB-CLIENT Microsoft Powerpoint bad text header txttype attempt (web-client.rules)
 * 1:18944 <-> DISABLED <-> BOTNET-CNC URI request for known malicious URI - Suspected Crimepack (botnet-cnc.rules)
 * 1:18938 <-> DISABLED <-> BOTNET-CNC URI request for known malicious URI - ZBot (botnet-cnc.rules)
 * 1:18942 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - MacProtector (blacklist.rules)
 * 1:18940 <-> DISABLED <-> BOTNET-CNC URI request for known malicious URI - Sality (botnet-cnc.rules)
 * 1:18948 <-> ENABLED <-> SPECIFIC-THREATS Microsoft PowerPoint converter bad indirection remote code execution attempt (specific-threats.rules)
 * 1:18955 <-> ENABLED <-> WEB-CGI Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt (web-cgi.rules)
 * 1:18953 <-> ENABLED <-> SPECIFIC-THREATS rich text format unexpected field type memory corruption attempt (specific-threats.rules)
 * 1:18954 <-> ENABLED <-> SPECIFIC-THREATS rich text format unexpected field type memory corruption attempt (specific-threats.rules)
 * 3:18949 <-> ENABLED <-> WEB-CLIENT PowerPoint malformed RecolorInfoAtom exploit attempt (web-client.rules)

Modified Rules:
 * 1:18739 <-> ENABLED <-> BOTNET-CNC Worm.Win32.Koobface.D contact to server attempt (botnet-cnc.rules)
 * 1:13523 <-> ENABLED <-> WEB-ACTIVEX Novell iPrint ActiveX clsid access (web-activex.rules)
 * 1:18717 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Banker.QO contact to server attempt (botnet-cnc.rules)
 * 1:18577 <-> ENABLED <-> BOTNET-CNC Trojan-Banker.Win32.Banker.agum contact to server attempt (botnet-cnc.rules)
 * 1:18709 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Banker.aufm contact to server attempt (botnet-cnc.rules)
 * 1:18707 <-> ENABLED <-> BOTNET-CNC RogueSoftware.Win32.ControlCenter contact to server attempt (botnet-cnc.rules)
 * 1:18711 <-> ENABLED <-> BOTNET-CNC RogueSoftware.Win32.SecurityCentral contact to server attempt (botnet-cnc.rules)
 * 1:18716 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Banker.H contact to server attempt (botnet-cnc.rules)
 * 1:13525 <-> ENABLED <-> WEB-ACTIVEX Novell iPrint ActiveX function call access (web-activex.rules)
 * 1:18715 <-> ENABLED <-> BOTNET-CNC Ozdok botnet communication with C&C server attempt (botnet-cnc.rules)
 * 1:18723 <-> DISABLED <-> BOTNET-CNC RogueSoftware.Win32.CleanV contact to server attempt (botnet-cnc.rules)
 * 1:17748 <-> ENABLED <-> WEB-MISC TLSv1 Client_Certificate handshake (web-misc.rules)
 * 1:18712 <-> ENABLED <-> BOTNET-CNC RogueSoftware.Win32.XJRAntivirus contact to server attempt (botnet-cnc.rules)
 * 1:18708 <-> ENABLED <-> BOTNET-CNC RogueSoftware.Win32.AntivirusSoft contact to server attempt (botnet-cnc.rules)
 * 1:18718 <-> ENABLED <-> BOTNET-CNC RogueSoftware.Win32.AdvancedDefender contact to server attempt (botnet-cnc.rules)
 * 1:18719 <-> DISABLED <-> BOTNET-CNC Backdoor.Win32.IRCBot.CBY contact to server attempt (botnet-cnc.rules)
 * 1:18724 <-> ENABLED <-> BOTNET-CNC RogueSoftware.Win32.ZeroClean contact to server attempt (botnet-cnc.rules)
 * 1:18720 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Terzib.A contact to server attempt (botnet-cnc.rules)