Sourcefire VRT Rules Update

Date: 2011-05-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:19115 <-> ENABLED <-> SPECIFIC-THREATS Adobe Shockwave 3D structure opcode 89 overflow attempt (specific-threats.rules)
 * 1:19111 <-> ENABLED <-> DOS Adobe Flash Media Server memory exhaustion (dos.rules)
 * 1:19100 <-> ENABLED <-> WEB-CLIENT Oracle Java Soundbank resource name overflow attempt (web-client.rules)
 * 1:19101 <-> ENABLED <-> SPECIFIC-THREATS Sun Java Web Server Admin Server denial of service attempt (specific-threats.rules)
 * 1:19122 <-> ENABLED <-> PHISHING-SPAM appledownload.com known spam email attempt (phishing-spam.rules)
 * 1:19118 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader script injection vulnerability (specific-threats.rules)
 * 1:19114 <-> ENABLED <-> SPECIFIC-THREATS Adobe Shockwave 3D structure opcode 45 overflow attempt (specific-threats.rules)
 * 1:19108 <-> ENABLED <-> WEB-ACTIVEX SonicWall Aventail EPInstaller ActiveX clsid access (web-activex.rules)
 * 1:19107 <-> DISABLED <-> SPECIFIC-THREATS Apache mod_isapi dangling pointer code execution attempt (specific-threats.rules)
 * 1:19106 <-> ENABLED <-> SPYWARE-PUT Keylogger Ardamax keylogger runtime detection - http (spyware-put.rules)
 * 1:19105 <-> ENABLED <-> EXPLOIT HP Data Protector Manager MMD service buffer overflow attempt (exploit.rules)
 * 1:19104 <-> ENABLED <-> EXPLOIT HP OpenView Storage Data Protector Cell Manager heap overflow attempt (exploit.rules)
 * 1:19103 <-> ENABLED <-> WEB-ACTIVEX Symantec CLIProxy.dll ActiveX function call access (web-activex.rules)
 * 1:19102 <-> ENABLED <-> WEB-ACTIVEX Symantec CLIProxy.dll ActiveX clsid access (web-activex.rules)
 * 1:19099 <-> DISABLED <-> WEB-CLIENT Apple Safari CSS font format corruption attempt (web-client.rules)
 * 1:19097 <-> ENABLED <-> SPECIFIC-THREATS Apple Safari Webkit ContentEditable code execution attempt (specific-threats.rules)
 * 1:19096 <-> ENABLED <-> SPECIFIC-THREATS Apple Safari Webkit CSS Charset Text transformation code execution attempt (specific-threats.rules)
 * 1:19085 <-> ENABLED <-> WEB-ACTIVEX LEADTOOLS Raster Twain LtocxTwainu.dll ActiveX clsid access (web-activex.rules)
 * 1:19086 <-> ENABLED <-> WEB-ACTIVEX LEADTOOLS Raster Twain LtocxTwainu.dll ActiveX function call (web-activex.rules)
 * 1:19087 <-> DISABLED <-> EXPLOIT CA Discovery Service Overflow Attempt (exploit.rules)
 * 1:19088 <-> DISABLED <-> EXPLOIT CA Discovery Service Overflow Attempt (exploit.rules)
 * 1:19089 <-> DISABLED <-> EXPLOIT CA Discovery Service Overflow Attempt (exploit.rules)
 * 1:19090 <-> DISABLED <-> EXPLOIT CA Discovery Service Overflow Attempt (exploit.rules)
 * 1:19091 <-> DISABLED <-> SPECIFIC-THREATS OpenSSL ssl3_get_key_exchange use-after-free attempt (specific-threats.rules)
 * 1:19092 <-> DISABLED <-> SPECIFIC-THREATS OpenSSL ssl3_get_key_exchange use-after-free attempt (specific-threats.rules)
 * 1:19093 <-> ENABLED <-> SPECIFIC-THREATS Oracle MySQL Database unique set column denial of service attempt (specific-threats.rules)
 * 1:19094 <-> ENABLED <-> SPECIFIC-THREATS Oracle MySQL Database unique set column denial of service attempt (specific-threats.rules)
 * 1:19095 <-> ENABLED <-> SPECIFIC-THREATS Apple Safari Webkit CSS Charset Text transformation code execution attempt (specific-threats.rules)
 * 1:19109 <-> ENABLED <-> WEB-ACTIVEX SonicWall Aventail EPInstaller ActiveX function call access (web-activex.rules)
 * 1:19110 <-> ENABLED <-> WEB-MISC IBM Rational Quality Manager and Test Lab Manager policy bypass attempt (web-misc.rules)
 * 1:19113 <-> ENABLED <-> SPECIFIC-THREATS Adobe Shockwave 3D structure opcode 81 overflow attempt (specific-threats.rules)
 * 1:19112 <-> ENABLED <-> SPECIFIC-THREATS Adobe Shockwave 3D structure heap overflow (specific-threats.rules)
 * 1:19116 <-> DISABLED <-> SPECIFIC-THREATS IBM Tivoli Storage Manager FastBack mount service code execution attempt (specific-threats.rules)
 * 1:19120 <-> ENABLED <-> EXPLOIT IBM Informix DBINFO stack buffer overflow (exploit.rules)
 * 1:19117 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader malformed U3D integer overflow (specific-threats.rules)
 * 1:19119 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD font driver remote code execution attempt (specific-threats.rules)
 * 1:19098 <-> ENABLED <-> SPECIFIC-THREATS Apple Safari Webkit ContentEditable code execution attempt (specific-threats.rules)
 * 1:19121 <-> ENABLED <-> EXPLOIT IBM Informix EXPLAIN stack buffer overflow attempt (exploit.rules)

Modified Rules:
 * 1:10125 <-> DISABLED <-> EXPLOIT bomberclone buffer overflow attempt (exploit.rules)
 * 1:11680 <-> ENABLED <-> WEB-MISC Sun Java web proxy sockd buffer overflow attempt (web-misc.rules)
 * 1:13631 <-> ENABLED <-> EXPLOIT McAfee ePolicy Orchestrator Framework Services log handling format string attempt (exploit.rules)
 * 1:1384 <-> DISABLED <-> DOS UPnP malformed advertisement (dos.rules)
 * 1:1388 <-> DISABLED <-> EXPLOIT UPnP Location overflow attempt (exploit.rules)
 * 1:1504 <-> DISABLED <-> POLICY AFS access (policy.rules)
 * 1:16350 <-> DISABLED <-> DOS ntp mode 7 denial of service attempt (dos.rules)
 * 1:18328 <-> ENABLED <-> WEB-CLIENT Adobe multiple products dwmapi.dll dll-load exploit attempt (web-client.rules)
 * 1:18330 <-> ENABLED <-> NETBIOS Adobe multiple products dwmapi.dll dll-load exploit attempt (netbios.rules)
 * 1:1867 <-> DISABLED <-> X11 xdmcp info query (x11.rules)
 * 1:1889 <-> DISABLED <-> BOTNET-CNC slapper worm admin traffic (botnet-cnc.rules)
 * 1:1939 <-> DISABLED <-> EXPLOIT bootp hardware address length overflow (exploit.rules)
 * 1:1940 <-> DISABLED <-> EXPLOIT bootp invalid hardware type (exploit.rules)
 * 1:1966 <-> DISABLED <-> EXPLOIT GlobalSunTech Access Point Information Disclosure attempt (exploit.rules)
 * 1:2039 <-> DISABLED <-> EXPLOIT bootp hostname format string attempt (exploit.rules)
 * 1:2041 <-> DISABLED <-> SCAN xtacacs failed login response (scan.rules)
 * 1:2043 <-> DISABLED <-> SCAN isakmp login failed (scan.rules)
 * 1:3080 <-> DISABLED <-> EXPLOIT Unreal Tournament secure overflow attempt (exploit.rules)
 * 1:516 <-> DISABLED <-> SNMP NT UserList (snmp.rules)
 * 1:517 <-> DISABLED <-> X11 xdmcp query (x11.rules)
 * 3:16472 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Movie Maker project file heap buffer overflow attempt (web-client.rules)
 * 3:16417 <-> ENABLED <-> NETBIOS SMB Negotiate Protocol Response overflow attempt (netbios.rules)