Sourcefire VRT Rules Update

Date: 2011-04-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:18690 <-> ENABLED <-> BACKDOOR c99shell.php command request - processes (backdoor.rules)
 * 1:18688 <-> ENABLED <-> BACKDOOR c99shell.php command request - chmod (backdoor.rules)
 * 1:18689 <-> ENABLED <-> BACKDOOR c99shell.php command request - tools (backdoor.rules)
 * 1:18686 <-> ENABLED <-> BACKDOOR c99shell.php command request - tools (backdoor.rules)
 * 1:18687 <-> ENABLED <-> BACKDOOR c99shell.php command request - update (backdoor.rules)
 * 1:18684 <-> ENABLED <-> POLICY PDF file with embedded PDF object (policy.rules)
 * 1:18685 <-> ENABLED <-> POLICY RTF file with embedded OLE object (policy.rules)
 * 1:18683 <-> ENABLED <-> POLICY Excel file with embedded PDF object (policy.rules)
 * 1:18682 <-> ENABLED <-> POLICY download of a PDF with OpenAction object (policy.rules)
 * 1:18681 <-> ENABLED <-> POLICY download of a PDF with embedded JavaScript - JavaScript string (policy.rules)
 * 1:18680 <-> ENABLED <-> WEB-CLIENT RTF malformed pfragments field (web-client.rules)
 * 3:18691 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows AFD.SYS null write attempt (specific-threats.rules)

Modified Rules:
 * 1:10130 <-> DISABLED <-> POLICY VERITAS NetBackup system - execution function call access (policy.rules)
 * 1:4060 <-> ENABLED <-> POLICY remote desktop protocol attempted administrator connection request (policy.rules)
 * 1:8446 <-> DISABLED <-> POLICY IPv6 packets encapsulated in IPv4 (policy.rules)
 * 1:9324 <-> ENABLED <-> POLICY TOR traffic anonymizer server request (policy.rules)
 * 1:7030 <-> ENABLED <-> POLICY silc server response (policy.rules)
 * 1:7031 <-> ENABLED <-> POLICY silc client outbound connection (policy.rules)
 * 1:12455 <-> ENABLED <-> POLICY Crystal Reports file download (policy.rules)
 * 1:12425 <-> ENABLED <-> POLICY Ruckus P2P client activity (policy.rules)
 * 1:18608 <-> ENABLED <-> POLICY Dropbox desktop software in use (policy.rules)
 * 1:5708 <-> DISABLED <-> POLICY web server file upload attempt (policy.rules)
 * 1:5797 <-> DISABLED <-> POLICY Kontiki runtime detection (policy.rules)
 * 1:18609 <-> ENABLED <-> POLICY Dropbox desktop software in use (policy.rules)
 * 1:12456 <-> ENABLED <-> POLICY Crystal Reports file download (policy.rules)
 * 1:12641 <-> DISABLED <-> POLICY Microsoft Word for Mac 5 file download (policy.rules)
 * 1:12686 <-> ENABLED <-> POLICY AIM Express usage (policy.rules)
 * 1:13697 <-> ENABLED <-> POLICY TOR proxy connection initiation - alternate port (policy.rules)
 * 1:13698 <-> ENABLED <-> POLICY TOR proxy connection initiation - second alternate port (policy.rules)
 * 1:15170 <-> ENABLED <-> POLICY XBOX Netflix client activity (policy.rules)
 * 1:15169 <-> ENABLED <-> POLICY XBOX Live Kerberos authenthication request (policy.rules)
 * 1:15727 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash (policy.rules)
 * 1:16383 <-> DISABLED <-> ORACLE MDSYS drop table trigger injection attempt (oracle.rules)
 * 1:16354 <-> DISABLED <-> POLICY Adobe PDF start-of-file alternate header obfuscation (policy.rules)
 * 1:16434 <-> ENABLED <-> POLICY Ultimate Packer for Executables/UPX v0.51-v0.61 packed file download (policy.rules)
 * 1:16435 <-> ENABLED <-> POLICY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file download (policy.rules)
 * 1:17668 <-> ENABLED <-> POLICY download of a PDF with embedded JavaScript - JS string (policy.rules)
 * 1:17521 <-> ENABLED <-> SPECIFIC-THREATS GoodTech SSH Server SFTP Processing Buffer Overflow (specific-threats.rules)
 * 1:12427 <-> ENABLED <-> POLICY Ruckus P2P encrypted authentication connection (policy.rules)
 * 1:18545 <-> ENABLED <-> POLICY Microsoft Excel with embedded Flash file transfer (policy.rules)
 * 1:18546 <-> ENABLED <-> POLICY Microsoft Word with embedded Flash file transfer (policy.rules)
 * 1:18547 <-> ENABLED <-> POLICY Microsoft Powerpoint with embedded Flash file transfer (policy.rules)
 * 1:18548 <-> ENABLED <-> POLICY Microsoft Excel with embedded Flash file attachment (policy.rules)
 * 1:18550 <-> ENABLED <-> POLICY Microsoft Powerpoint with embedded Flash file attachment (policy.rules)
 * 1:17577 <-> ENABLED <-> POLICY CA BightStor ARCserver Backup possible insecure method access (policy.rules)
 * 1:16642 <-> DISABLED <-> POLICY file URI scheme (policy.rules)
 * 1:16436 <-> ENABLED <-> POLICY Ultimate Packer for Executables/UPX v2.90,v2.93-3.00 packed file download (policy.rules)
 * 1:12306 <-> ENABLED <-> POLICY Microsoft Messenger web client connection (policy.rules)
 * 1:18549 <-> ENABLED <-> POLICY Microsoft Word with embedded Flash file attachment (policy.rules)