Sourcefire VRT Rules Update

Date: 2011-10-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:20251 <-> ENABLED <-> SPECIFIC-THREATS PointBase 4.6 database DoS (specific-threats.rules)
 * 1:20240 <-> ENABLED <-> WEB-MISC HP OpenView NNM nnmRptConfig.exe CGI Host parameter buffer overflow attempt (web-misc.rules)
 * 1:20241 <-> ENABLED <-> WEB-MISC HP OpenView NNM snmp.exe CGI Host parameter buffer overflow attempt (web-misc.rules)
 * 1:20242 <-> DISABLED <-> DNS Oracle Secure Backup observice.exe dns response overflow attempt (dns.rules)
 * 1:20243 <-> DISABLED <-> POLICY Privoxy disabling of x-filter (policy.rules)
 * 1:20244 <-> DISABLED <-> POLICY possible forced privoxy disabling (policy.rules)
 * 1:20245 <-> DISABLED <-> POLICY remote privoxy config access (policy.rules)
 * 1:20247 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Outlook SMB attach by reference code execution attempt (specific-threats.rules)
 * 1:13675 <-> ENABLED <-> WEB-ACTIVEX Microsoft Help 2.0 Contents Control 2 ActiveX function call unicode access (web-activex.rules)
 * 1:13823 <-> ENABLED <-> WEB-CLIENT DirectX SAMI file parsing buffer overflow attempt (web-client.rules)
 * 1:13674 <-> ENABLED <-> WEB-ACTIVEX Microsoft Help 2.0 Contents Control 2 ActiveX function call access (web-activex.rules)
 * 1:13672 <-> ENABLED <-> WEB-ACTIVEX Microsoft Help 2.0 Contents Control 2 ActiveX clsid access (web-activex.rules)
 * 1:13673 <-> ENABLED <-> WEB-ACTIVEX Microsoft Help 2.0 Contents Control 2 ActiveX clsid unicode access (web-activex.rules)
 * 1:13670 <-> ENABLED <-> WEB-ACTIVEX Microsoft Help 2.0 Contents Control ActiveX function call access (web-activex.rules)
 * 1:13669 <-> ENABLED <-> WEB-ACTIVEX Microsoft Help 2.0 Contents Control ActiveX clsid unicode access (web-activex.rules)
 * 1:13629 <-> ENABLED <-> WEB-CLIENT Microsoft Access JSDB download attempt (web-client.rules)
 * 1:13572 <-> ENABLED <-> WEB-CLIENT Microsoft Powerpoint malformed shapeid arbitrary code execution attempt (web-client.rules)
 * 1:13466 <-> ENABLED <-> WEB-CLIENT Microsoft Works file converter file section length headers memory corruption attempt (web-client.rules)
 * 1:13458 <-> ENABLED <-> WEB-ACTIVEX Microsoft Forms 2.0 ActiveX clsid unicode access (web-activex.rules)
 * 1:13288 <-> ENABLED <-> BAD-TRAFFIC Windows remote kernel tcp/ip icmp vulnerability exploit attempt (bad-traffic.rules)
 * 1:13448 <-> ENABLED <-> WEB-CLIENT vbscript/jscript scripting engine begin buffer overflow attempt (web-client.rules)
 * 1:13449 <-> ENABLED <-> WEB-CLIENT vbscript/jscript scripting engine end buffer overflow attempt (web-client.rules)
 * 1:13451 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual FoxPro foxtlib ActiveX clsid access (web-activex.rules)
 * 1:13452 <-> ENABLED <-> WEB-ACTIVEX Microsoft Visual FoxPro foxtlib ActiveX clsid unicode access (web-activex.rules)
 * 1:15105 <-> ENABLED <-> WEB-CLIENT Microsoft GDI WMF file parsing integer overflow attempt (web-client.rules)
 * 1:15106 <-> ENABLED <-> WEB-CLIENT Microsoft Word .rtf file integer overflow attempt (web-client.rules)
 * 1:14737 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP host-integration bind attempt (netbios.rules)
 * 1:15012 <-> ENABLED <-> WEB-CLIENT Internet Explorer MSXML DLL memory corruption attempt (web-client.rules)
 * 1:14725 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP mqqm QMGetRemoteQueueName overflow attempt (netbios.rules)
 * 1:14726 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP mqqm QMGetRemoteQueueName overflow attempt (netbios.rules)
 * 1:14723 <-> ENABLED <-> NETBIOS SMB spoolss EnumJobs response WriteAndX andx attempt (netbios.rules)
 * 1:14724 <-> ENABLED <-> NETBIOS SMB spoolss EnumJobs response WriteAndX unicode andx attempt (netbios.rules)
 * 1:14722 <-> ENABLED <-> NETBIOS SMB spoolss EnumJobs response unicode andx attempt (netbios.rules)
 * 1:14720 <-> ENABLED <-> NETBIOS SMB spoolss EnumJobs response WriteAndX little endian andx attempt (netbios.rules)
 * 1:14721 <-> ENABLED <-> NETBIOS SMB spoolss EnumJobs response andx attempt (netbios.rules)
 * 1:14718 <-> ENABLED <-> NETBIOS SMB spoolss EnumJobs response unicode little endian andx attempt (netbios.rules)
 * 1:14719 <-> ENABLED <-> NETBIOS SMB spoolss EnumJobs response little endian andx attempt (netbios.rules)
 * 1:14716 <-> ENABLED <-> NETBIOS SMB spoolss EnumJobs response WriteAndX unicode attempt (netbios.rules)
 * 1:14717 <-> ENABLED <-> NETBIOS SMB spoolss EnumJobs response WriteAndX unicode little endian andx attempt (netbios.rules)
 * 1:14714 <-> ENABLED <-> NETBIOS SMB spoolss EnumJobs response unicode attempt (netbios.rules)
 * 1:14715 <-> ENABLED <-> NETBIOS SMB spoolss EnumJobs response WriteAndX attempt (netbios.rules)
 * 1:14712 <-> ENABLED <-> NETBIOS SMB spoolss EnumJobs response WriteAndX little endian attempt (netbios.rules)
 * 1:14713 <-> ENABLED <-> NETBIOS SMB spoolss EnumJobs response attempt (netbios.rules)
 * 1:14710 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumJobs attempt (netbios.rules)
 * 1:14711 <-> ENABLED <-> NETBIOS SMB spoolss EnumJobs response little endian attempt (netbios.rules)
 * 1:14709 <-> ENABLED <-> NETBIOS SMB spoolss EnumJobs response WriteAndX unicode little endian attempt (netbios.rules)
 * 1:14661 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumJobs attempt (netbios.rules)
 * 1:14656 <-> ENABLED <-> WEB-CLIENT Microsoft IE XSS mouseevent PII disclosure attempt (web-client.rules)
 * 1:14657 <-> ENABLED <-> WEB-CLIENT Microsoft IE cross domain componentFromPoint memory corruption attempt (web-client.rules)
 * 1:14644 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer cross domain unfocusable HTML element (web-client.rules)
 * 1:14645 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer cross domain setExpression exploit attempt (web-client.rules)
 * 1:14642 <-> ENABLED <-> WEB-CLIENT Microsoft Excel file with embedded ActiveX control (web-client.rules)
 * 1:14643 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer location and location.href cross domain security bypass vulnerability (web-client.rules)
 * 1:14641 <-> ENABLED <-> WEB-CLIENT Microsoft Excel invalid FRTWrapper record buffer overflow attempt (web-client.rules)
 * 1:14262 <-> ENABLED <-> WEB-CLIENT OneNote iframe caller exploit attempt (web-client.rules)
 * 1:14261 <-> ENABLED <-> WEB-CLIENT GDI VML gradient size heap overflow attempt (web-client.rules)
 * 1:14257 <-> ENABLED <-> WEB-ACTIVEX Windows Media Encoder 9 ActiveX function call access (web-activex.rules)
 * 1:14258 <-> ENABLED <-> WEB-ACTIVEX Windows Media Encoder 9 ActiveX function call unicode access (web-activex.rules)
 * 1:14255 <-> ENABLED <-> WEB-ACTIVEX Windows Media Encoder 9 ActiveX clsid access (web-activex.rules)
 * 1:14256 <-> ENABLED <-> WEB-ACTIVEX Windows Media Encoder 9 ActiveX clsid unicode access (web-activex.rules)
 * 1:13980 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer http status response memory corruption vulnerability (web-client.rules)
 * 1:13981 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed chart arbitrary code execution attempt (web-client.rules)
 * 1:13972 <-> ENABLED <-> WEB-CLIENT Microsoft Excel country record arbitrary code execution attempt (web-client.rules)
 * 1:13974 <-> ENABLED <-> WEB-CLIENT Internet Explorer XHTML element memory corruption attempt (web-client.rules)
 * 1:13970 <-> ENABLED <-> WEB-CLIENT Microsoft Office eps filters memory corruption attempt (web-client.rules)
 * 1:13971 <-> ENABLED <-> WEB-CLIENT Microsoft Powerpoint TxMasterStyle10Atom atom numLevels buffer overflow attempt (web-client.rules)
 * 1:13967 <-> ENABLED <-> WEB-ACTIVEX Microsoft Message System ActiveX function call access (web-activex.rules)
 * 1:13968 <-> ENABLED <-> WEB-ACTIVEX Microsoft Message System ActiveX function call unicode access (web-activex.rules)
 * 1:13966 <-> ENABLED <-> WEB-ACTIVEX Microsoft Message System ActiveX clsid unicode access (web-activex.rules)
 * 1:13965 <-> ENABLED <-> WEB-ACTIVEX Microsoft Message System ActiveX clsid access (web-activex.rules)
 * 1:13963 <-> ENABLED <-> WEB-CLIENT Internet Explorer argument validation in print preview handling vulnerability (web-client.rules)
 * 1:13964 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer span frontier parsing memory corruption (web-client.rules)
 * 1:13961 <-> ENABLED <-> WEB-CLIENT Internet Explorer table layout access violation vulnerability (web-client.rules)
 * 1:13962 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer MHTML zone control bypass attempt (web-client.rules)
 * 1:13895 <-> ENABLED <-> SMTP Microsoft Outlook Web Access invalid CSS escape sequence script execution attempt (smtp.rules)
 * 1:13960 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer static text range overflow attempt (web-client.rules)
 * 1:13892 <-> ENABLED <-> SQL Convert function style overwrite (sql.rules)
 * 1:13834 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer request header overwrite (web-client.rules)
 * 1:13829 <-> ENABLED <-> WEB-ACTIVEX sapi.dll ActiveX clsid unicode access (web-activex.rules)
 * 1:13677 <-> ENABLED <-> EXPLOIT Microsoft Internet Explorer data stream memory corruption attempt (exploit.rules)
 * 1:13671 <-> ENABLED <-> WEB-ACTIVEX Microsoft Help 2.0 Contents Control ActiveX function call unicode access (web-activex.rules)
 * 1:13633 <-> ENABLED <-> WEB-CLIENT Microsoft Access MSISAM download attempt (web-client.rules)
 * 1:13580 <-> ENABLED <-> WEB-ACTIVEX Microsoft Office Web Components remote code execution attempt ActiveX clsid access (web-activex.rules)
 * 1:13459 <-> ENABLED <-> WEB-ACTIVEX Microsoft Forms 2.0 ActiveX function call access (web-activex.rules)
 * 1:20246 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Outlook SMB attach by reference code execution attempt (specific-threats.rules)
 * 1:20248 <-> DISABLED <-> RPC IBM AIX and Sun Solaris nfsd v4 nfs_portmon security bypass attempt (rpc.rules)
 * 1:20249 <-> ENABLED <-> SPECIFIC-THREATS Java Web Start BasicService arbitrary command execution attempt (specific-threats.rules)
 * 1:20250 <-> ENABLED <-> EXPLOIT IBM Tivoli Storage Manager Client Remote Heap Buffer Overflow (exploit.rules)
 * 1:13453 <-> ENABLED <-> WEB-CLIENT Microsoft DXLUTBuilder ActiveX clsid access (web-client.rules)
 * 1:13454 <-> ENABLED <-> WEB-CLIENT Microsoft DXLUTBuilder ActiveX clsid unicode access (web-client.rules)
 * 1:13455 <-> ENABLED <-> WEB-CLIENT Microsoft DXLUTBuilder ActiveX function call access (web-client.rules)
 * 1:13456 <-> ENABLED <-> WEB-CLIENT Microsoft DXLUTBuilder ActiveX function call unicode access (web-client.rules)
 * 1:13457 <-> ENABLED <-> WEB-ACTIVEX Microsoft Forms 2.0 ActiveX clsid access (web-activex.rules)
 * 1:13460 <-> ENABLED <-> WEB-ACTIVEX Microsoft Forms 2.0 ActiveX function call unicode access (web-activex.rules)
 * 1:13470 <-> ENABLED <-> EXPLOIT Microsoft Office Publisher memory corruption attempt (exploit.rules)
 * 1:13474 <-> ENABLED <-> WEB-CLIENT Microsoft WebDAV MiniRedir remote code execution attempt (web-client.rules)
 * 1:13570 <-> ENABLED <-> WEB-CLIENT Microsoft Excel cf record arbitrary code excecution attempt (web-client.rules)
 * 1:13571 <-> ENABLED <-> WEB-CLIENT Microsoft Excel dval record arbitrary code excecution attempt (web-client.rules)
 * 1:13573 <-> ENABLED <-> WEB-CLIENT Microsoft Outlook arbitrary command line attempt (web-client.rules)
 * 1:13581 <-> ENABLED <-> WEB-ACTIVEX Microsoft Office Web Components remote code execution attempt ActiveX clsid unicode access (web-activex.rules)
 * 1:13626 <-> ENABLED <-> WEB-CLIENT Microsoft Access download attempt (web-client.rules)
 * 1:13665 <-> ENABLED <-> WEB-CLIENT Microsoft Visio DXF file invalid memory allocation exploit attempt (web-client.rules)
 * 1:13630 <-> ENABLED <-> WEB-CLIENT Microsoft Access TJDB download attempt (web-client.rules)
 * 1:13668 <-> ENABLED <-> WEB-ACTIVEX Microsoft Help 2.0 Contents Control ActiveX clsid access (web-activex.rules)
 * 1:13824 <-> ENABLED <-> WEB-CLIENT malformed mjpeg arbitrary code execution attempt (web-client.rules)
 * 1:13827 <-> ENABLED <-> DOS Microsoft PGM denial of service attempt (dos.rules)
 * 1:13828 <-> ENABLED <-> WEB-ACTIVEX sapi.dll ActiveX clsid access (web-activex.rules)
 * 1:13830 <-> ENABLED <-> WEB-ACTIVEX sapi.dll alternate killbit ActiveX clsid access (web-activex.rules)
 * 1:13831 <-> ENABLED <-> WEB-ACTIVEX sapi.dll alternate killbit ActiveX clsid unicode access (web-activex.rules)
 * 1:13832 <-> ENABLED <-> WEB-ACTIVEX backweb ActiveX clsid access (web-activex.rules)
 * 1:13833 <-> ENABLED <-> WEB-ACTIVEX backweb ActiveX clsid unicode access (web-activex.rules)
 * 1:13888 <-> ENABLED <-> SQL Microsoft SQL Server Backup Database File integer overflow attempt (sql.rules)
 * 1:13889 <-> ENABLED <-> SQL Microsoft SQL Server Backup Database File integer overflow attempt (sql.rules)
 * 1:13890 <-> ENABLED <-> SQL Microsoft SQL Server Backup Database File integer overflow attempt (sql.rules)
 * 1:13891 <-> ENABLED <-> SQL Memory page overwrite attempt (sql.rules)
 * 1:13893 <-> ENABLED <-> WEB-CLIENT Microsoft malformed saved search heap corruption attempt (web-client.rules)
 * 1:13894 <-> ENABLED <-> SMTP Microsoft Outlook Web Access From field cross-site scripting attempt (smtp.rules)
 * 1:20239 <-> DISABLED <-> WEB-CLIENT Java GIF LZW minimum code size overflow attempt (web-client.rules)
 * 1:16319 <-> ENABLED <-> WEB-CLIENT Safari-IE SearchPath blended threat attempt (web-client.rules)
 * 1:15995 <-> ENABLED <-> EXPLOIT malformed avi file mjpeg compression arbitrary code execution attempt (exploit.rules)
 * 1:17655 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed formula parsing code execution attempt (web-client.rules)
 * 1:17692 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer ExecWB security zone bypass attempt (web-client.rules)
 * 1:20236 <-> DISABLED <-> DELETED WEB-CLIENT MultiMedia Jukebox playlist file handling heap overflow attempt (deleted.rules)
 * 1:15529 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer cross-domain navigation cookie stealing attempt (web-client.rules)
 * 1:17743 <-> ENABLED <-> EXPLOIT Microsoft Word RTF parsing memory corruption (exploit.rules)
 * 1:20234 <-> ENABLED <-> BACKDOOR Win32.Ceckno.cmz runtime traffic detected (backdoor.rules)
 * 1:16800 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel FRTWrapper record buffer overflow attempt (specific-threats.rules)
 * 1:17113 <-> ENABLED <-> WEB-CLIENT Microsoft SilverLight ImageSource redefine flowbit (web-client.rules)
 * 1:20238 <-> DISABLED <-> SPECIFIC-THREATS Java calendar deserialize vulnerability (specific-threats.rules)
 * 1:20235 <-> DISABLED <-> BACKDOOR Win32.AdobeReader.Uz runtime traffic detected (backdoor.rules)
 * 1:17720 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer static text range overflow attempt (web-client.rules)
 * 1:20237 <-> ENABLED <-> WEB-CLIENT MultiMedia Jukebox playlist file handling heap overflow attempt (web-client.rules)
 * 1:18632 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed Label record exploit attempt (web-client.rules)
 * 1:15468 <-> ENABLED <-> WEB-CLIENT Safari-IE SearchPath blended threat dll request (web-client.rules)

Modified Rules:

 * 1:1729 <-> ENABLED <-> CHAT IRC channel join (chat.rules)
 * 1:17745 <-> ENABLED <-> NETBIOS SMB TRANS2 Find_First2 request attempt (netbios.rules)
 * 1:17746 <-> ENABLED <-> NETBIOS SMB client TRANS response Find_First2 filename overflow attempt (netbios.rules)
 * 1:1789 <-> ENABLED <-> CHAT IRC dns request (chat.rules)
 * 1:18280 <-> ENABLED <-> WEB-CLIENT IE oversize recordset object cache size exploit attempt (web-client.rules)
 * 1:17082 <-> DISABLED <-> WEB-ACTIVEX SonicWALL SSL-VPN NeLaunchCtrl ActiveX clsid access (web-activex.rules)
 * 1:16802 <-> DISABLED <-> WEB-ACTIVEX WinDVD IASystemInfo.dll ActiveX clsid access (web-activex.rules)
 * 1:16769 <-> ENABLED <-> WEB-ACTIVEX AwingSoft Web3D Player ActiveX function call access (web-activex.rules)
 * 1:16767 <-> ENABLED <-> WEB-ACTIVEX AwingSoft Web3D Player ActiveX clsid access (web-activex.rules)
 * 1:16659 <-> ENABLED <-> EXPLOIT Microsoft Internet Explorer style sheet array memory corruption attempt (exploit.rules)
 * 1:16604 <-> ENABLED <-> WEB-MISC HP OpenView Network Node Manager ovalarm.exe Accept-Language buffer overflow attempt (web-misc.rules)
 * 1:16548 <-> ENABLED <-> WEB-ACTIVEX Java Web Start ActiveX launch command by JavaScript CLSID (web-activex.rules)
 * 1:16547 <-> ENABLED <-> WEB-ACTIVEX Java Web Start ActiveX launch command by CLSID (web-activex.rules)
 * 1:1640 <-> ENABLED <-> CHAT IRC DCC chat request (chat.rules)
 * 1:15726 <-> ENABLED <-> EXPLOIT HP OpenView Network Node Manager URI rping stack buffer overflow attempt (exploit.rules)
 * 1:1463 <-> ENABLED <-> CHAT IRC message (chat.rules)
 * 1:1639 <-> ENABLED <-> CHAT IRC DCC file transfer request (chat.rules)
 * 1:9131 <-> ENABLED <-> WEB-ACTIVEX WinZip FileView 6.1 ActiveX function call access (web-activex.rules)
 * 1:6182 <-> ENABLED <-> CHAT IRC channel notice (chat.rules)
 * 1:9129 <-> ENABLED <-> WEB-ACTIVEX WinZip FileView 6.1 ActiveX clsid access (web-activex.rules)
 * 1:19406 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Outlook SMB attach by reference code execution attempt (specific-threats.rules)
 * 1:542 <-> ENABLED <-> CHAT IRC nick change (chat.rules)
 * 1:5485 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP llsrpc2 LlsrLicenseRequestW overflow attempt (netbios.rules)
 * 1:19184 <-> ENABLED <-> EXPLOIT Microsoft OLEAUT32.DLL malicious WMF file remote code execution attempt (exploit.rules)
 * 1:18994 <-> ENABLED <-> NETBIOS Microsoft Windows 2003 browser election remote heap overflow attempt (netbios.rules)
 * 1:18575 <-> DISABLED <-> FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (ftp.rules)