Sourcefire VRT Rules Update

Date: 2011-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:20542 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (web-client.rules)
 * 1:20541 <-> ENABLED <-> NETBIOS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (netbios.rules)

Modified Rules:
 * 1:16434 <-> ENABLED <-> FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.51-v0.61 packed file magic detection (file-identify.rules)
 * 1:16435 <-> ENABLED <-> FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file magic detection (file-identify.rules)
 * 1:18413 <-> ENABLED <-> EXPLOIT Microsoft WMI tracing api integer truncation attempt (exploit.rules)
 * 1:19678 <-> ENABLED <-> ICMP Microsoft remote unauthenticated DoS/bugcheck vulnerability (icmp.rules)
 * 1:20482 <-> DISABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:18081 <-> DISABLED <-> BLACKLIST DNS request for known malware domain wenyixuan.3322.org (blacklist.rules)
 * 1:19679 <-> ENABLED <-> WEB-CLIENT Windows NDISTAPI Driver code execution attempt (web-client.rules)
 * 1:17548 <-> ENABLED <-> WEB-CLIENT Apple Quicktime SMIL File Handling Integer Overflow attempt (web-client.rules)
 * 1:17547 <-> ENABLED <-> FILE-IDENTIFY SMIL file download request (file-identify.rules)
 * 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (file-identify.rules)
 * 1:20528 <-> DISABLED <-> WEB-MISC Apache mod_proxy reverse proxy information disclosure (web-misc.rules)
 * 1:16436 <-> ENABLED <-> FILE-IDENTIFY Ultimate Packer for Executables/UPX v2.90,v2.93-3.00 packed file magic detection (file-identify.rules)
 * 1:14035 <-> DISABLED <-> WEB-ACTIVEX Orbit Downloader ActiveX function call access (web-activex.rules)
 * 1:20483 <-> DISABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:15306 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detection (file-identify.rules)
 * 1:15427 <-> ENABLED <-> FILE-IDENTIFY SVG file download request (file-identify.rules)
 * 1:19680 <-> ENABLED <-> WEB-CLIENT Microsoft Windows CSRSS SrvDeviceEvent exploit attempt (web-client.rules)
 * 1:20223 <-> ENABLED <-> FILE-IDENTIFY SMI file download request (file-identify.rules)
 * 1:16183 <-> ENABLED <-> WEB-CLIENT Microsoft .NET MSIL CombineImpl suspicious usage (web-client.rules)
 * 1:16351 <-> ENABLED <-> VOIP-SIP-TCP CSeq buffer overflow attempt (voip.rules)
 * 1:20261 <-> ENABLED <-> WEB-CLIENT Microsoft Windows win32k.sys kernel mode null pointer dereference attempt (web-client.rules)
 * 1:20270 <-> ENABLED <-> WEB-CLIENT Microsoft Windows afd.sys kernel-mode memory corruption attempt (web-client.rules)
 * 1:20480 <-> DISABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:16425 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file download request (file-identify.rules)
 * 3:18410 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt (specific-threats.rules)
 * 3:18409 <-> ENABLED <-> SPECIFIC-THREATS Microsoft win32k.sys write message to dead thread code execution attempt (specific-threats.rules)
 * 3:16182 <-> ENABLED <-> EXPLOIT Microsoft .NET MSIL stack corruption attempt (exploit.rules)
 * 3:18663 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:16179 <-> ENABLED <-> EXPLOIT Microsoft .NET MSIL CLR interface multiple instantiation attempt (exploit.rules)
 * 3:18667 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18405 <-> ENABLED <-> SPECIFIC-THREATS Microsoft LSASS domain name buffer overflow attempt (specific-threats.rules)
 * 3:18662 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:16154 <-> ENABLED <-> WEB-CLIENT GDI+ .NET image property parsing memory corruption (web-client.rules)
 * 3:18664 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18665 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18666 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18661 <-> ENABLED <-> EXPLOIT Microsoft win32k.sys escalation of privilege attempt (exploit.rules)
 * 3:18501 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Malware Protection Engine elevation of privilege attempt (specific-threats.rules)