Sourcefire VRT Rules Update

Date: 2011-08-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:19819 <-> DISABLED <-> BACKDOOR Trojan.Win32.Ertfor.A runtime detection (backdoor.rules)
 * 1:19814 <-> DISABLED <-> EXPLOIT Microsoft Internet Explorer empty table tag memory corruption attempt (exploit.rules)
 * 1:19799 <-> DISABLED <-> BACKDOOR PWS.Win32.Zbot.gen.Q Runtime Detection (backdoor.rules)
 * 1:19800 <-> DISABLED <-> BACKDOOR Trojan-Downloader.Win32.Pher.ij Runtime Detection (backdoor.rules)
 * 1:19798 <-> DISABLED <-> BACKDOOR Trojan Win32.Agent2.kxu outbound connection (backdoor.rules)
 * 1:19801 <-> ENABLED <-> BOTNET-CNC Trojan.Tracur contact to server attempt (botnet-cnc.rules)
 * 1:19821 <-> DISABLED <-> SPYWARE-PUT Worm.Win32.Bagle.gen.C runtime detection (spyware-put.rules)
 * 1:19806 <-> DISABLED <-> SPECIFIC-THREATS Apple Safari Webkit SVG memory corruption attempt (specific-threats.rules)
 * 1:19805 <-> DISABLED <-> BACKDOOR Trojan.Win32.Smser.cx Runtime Detection (backdoor.rules)
 * 1:19804 <-> DISABLED <-> BACKDOOR Trojan.Win32.VB.ktq contact to server attempt (backdoor.rules)
 * 1:19803 <-> DISABLED <-> BACKDOOR TrojanDownloader.Win32.Renos.FH contact to server attempt (backdoor.rules)
 * 1:19802 <-> DISABLED <-> BACKDOOR TrojanDownloader.Win32.Wixud.B contact to server attempt (backdoor.rules)
 * 1:19793 <-> DISABLED <-> BACKDOOR Trojan Downloader Win32.SillyFDC-DS outbound connection (backdoor.rules)
 * 1:19787 <-> DISABLED <-> BACKDOOR Exploit-PDF.t outbound connection (backdoor.rules)
 * 1:19786 <-> DISABLED <-> SPYWARE-PUT FakeAV Personal Antivirus outbound connection (spyware-put.rules)
 * 1:19788 <-> DISABLED <-> BACKDOOR Trojan Downloader.Win32.VB.pnc Runtime Detection (backdoor.rules)
 * 1:19789 <-> DISABLED <-> BACKDOOR P2P Worm Win32.SpyBot.pgh outbound connection (backdoor.rules)
 * 1:19790 <-> DISABLED <-> BACKDOOR P2P Worm Win32.SpyBot.pgh outbound connection (backdoor.rules)
 * 1:19791 <-> DISABLED <-> BACKDOOR Trojan-Dropper.Win32.Small.awa outbound connection (backdoor.rules)
 * 1:19792 <-> DISABLED <-> BACKDOOR Trojan Downloader Win32.Caxnet.A outbound connection (backdoor.rules)
 * 1:19808 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer covered object memory corruption attempt (web-client.rules)
 * 1:19807 <-> DISABLED <-> WEB-CLIENT Apple Safari Webkit SVG memory corruption attempt (web-client.rules)
 * 1:19809 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer covered object memory corruption attempt (specific-threats.rules)
 * 1:19810 <-> ENABLED <-> EXPLOIT CA Total Defense Suite UNCWS DeleteReports stored procedure SQL injection (exploit.rules)
 * 1:19811 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Powerpoint malformed record call to freed object attempt (specific-threats.rules)
 * 1:19812 <-> DISABLED <-> EXPLOIT CA Total Defense Suite UNCWS getDBConfigSettings credential information disclosure (exploit.rules)
 * 1:19813 <-> DISABLED <-> WEB-MISC Novell File Reporter Agent XMLK parsing stack buffer overflow attempt (web-misc.rules)
 * 1:19815 <-> ENABLED <-> EXPLOIT HP Operations Manager Server Default Credentials in use attempt (exploit.rules)
 * 1:19817 <-> ENABLED <-> NETBIOS Juniper Odyssey Access Client DSSETUPSERVICE_CMD_UNINSTALL overflow attempt (netbios.rules)
 * 1:19816 <-> ENABLED <-> NETBIOS Juniper NeoterisSetupService named pipe access attempt (netbios.rules)
 * 1:19818 <-> DISABLED <-> WEB-CLIENT Microsoft XML core services cross-domain information disclosure attempt (web-client.rules)
 * 1:19820 <-> DISABLED <-> BACKDOOR Trojan.Win32.Ertfor.A runtime detection (backdoor.rules)
 * 1:19785 <-> DISABLED <-> BACKDOOR Trojan Downloader.Win32.Malushka.T outbound connection (backdoor.rules)
 * 1:19822 <-> DISABLED <-> BACKDOOR Trojan.Win32.Banload.HH runtime detection (backdoor.rules)
 * 1:19825 <-> DISABLED <-> DOS Apache Killer DoS tool (dos.rules)
 * 1:19823 <-> DISABLED <-> SPYWARE-PUT Downloader.Banload.AKBB runtime detection (spyware-put.rules)
 * 1:19824 <-> DISABLED <-> BACKDOOR Gen-Trojan.Heur runtime detection (backdoor.rules)
 * 1:19826 <-> ENABLED <-> WEB-MISC HP Power Manager remote code execution attempt (web-misc.rules)
 * 1:19795 <-> DISABLED <-> BACKDOOR Trojan FakeAV NoAdware outbound connection (backdoor.rules)

Modified Rules:

 * 1:12317 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc attempt (netbios.rules)
 * 1:12633 <-> ENABLED <-> EXPLOIT Microsoft Kodak Imaging small offset malformed tiff (exploit.rules)
 * 1:12634 <-> ENABLED <-> EXPLOIT Microsoft Kodak Imaging large offset malformed tiff 2 (exploit.rules)
 * 1:13865 <-> ENABLED <-> WEB-CLIENT Adobe BMP image handler buffer overflow attempt (web-client.rules)
 * 1:15427 <-> ENABLED <-> WEB-MISC SVG file request (web-misc.rules)
 * 1:15994 <-> ENABLED <-> SPECIFIC-THREATS Squid strListGetItem denial of service attempt (specific-threats.rules)
 * 1:16008 <-> ENABLED <-> WEB-MISC excessive HTTP 304 Not Modified responses exploit attempt (web-misc.rules)
 * 1:16555 <-> ENABLED <-> WEB-MISC HP Openview Network Node Manager OvAcceptLang overflow attempt (web-misc.rules)
 * 1:17289 <-> ENABLED <-> SPECIFIC-THREATS GNU gzip LZH decompression make_table overflow attempt (specific-threats.rules)
 * 1:17379 <-> ENABLED <-> WEB-CLIENT Mozilla Firefox Animated PNG Processing integer overflow (web-client.rules)
 * 1:17678 <-> ENABLED <-> WEB-CLIENT Adobe BMP image handler buffer overflow attempt (web-client.rules)
 * 1:17702 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrDfsCreateExitPoint dos attempt (netbios.rules)
 * 1:18998 <-> DISABLED <-> WEB-MISC HP OpenView NNM ovwebsnmpsrv.exe command line argument buffer overflow attempt (web-misc.rules)
 * 1:1907 <-> ENABLED <-> RPC CMSD UDP CMSD_CREATE buffer overflow attempt (rpc.rules)
 * 1:2094 <-> ENABLED <-> RPC CMSD UDP CMSD_CREATE array buffer overflow attempt (rpc.rules)
 * 1:3590 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP mqqm QMDeleteObject overflow attempt (netbios.rules)