Sourcefire VRT Rules Update

Date: 2011-04-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.4.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:18731 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x0453 integer overflow attempt (scada.rules)
 * 1:18729 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x1BBC heap overflow attempt (scada.rules)
 * 1:18730 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x089A integer overflow attempt (scada.rules)
 * 1:18727 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B5 heap overflow attempt (scada.rules)
 * 1:18728 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x0DAE heap overflow attempt (scada.rules)
 * 1:18725 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 heap overflow attempt (scada.rules)
 * 1:18726 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B2 heap overflow attempt (scada.rules)
 * 1:18724 <-> ENABLED <-> SPYWARE-PUT RogueSoftware.Win32.ZeroClean contact to server attempt (spyware-put.rules)
 * 1:18723 <-> DISABLED <-> SPYWARE-PUT RogueSoftware.Win32.CleanV contact to server attempt (spyware-put.rules)
 * 1:18721 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x1C84 integer overflow attempt (scada.rules)
 * 1:18722 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x1C84 integer overflow attempt (scada.rules)
 * 1:18720 <-> DISABLED <-> SPYWARE-PUT Trojan.Win32.Terzib.A contact to server attempt (spyware-put.rules)
 * 1:18704 <-> ENABLED <-> SMTP RTF malformed second pfragments field (smtp.rules)
 * 1:18703 <-> ENABLED <-> SMTP RTF malformed pfragments field (smtp.rules)
 * 1:18701 <-> ENABLED <-> SMTP Rich text file .rtf attachment (smtp.rules)
 * 1:18702 <-> ENABLED <-> SMTP RTF malformed pfragments field (smtp.rules)
 * 1:18705 <-> ENABLED <-> SMTP RTF malformed second pfragments field (smtp.rules)
 * 1:18706 <-> ENABLED <-> WEB-CLIENT RTF malformed second pfragments field (web-client.rules)
 * 1:18707 <-> ENABLED <-> SPYWARE-PUT RogueSoftware.Win32.ControlCenter contact to server attempt (spyware-put.rules)
 * 1:18708 <-> ENABLED <-> SPYWARE-PUT RogueSoftware.Win32.AntivirusSoft contact to server attempt (spyware-put.rules)
 * 1:18709 <-> ENABLED <-> SPYWARE-PUT Trojan.Win32.Banker.aufm contact to server attempt (spyware-put.rules)
 * 1:18710 <-> ENABLED <-> SPECIFIC-THREATS McAfee ePolicy Orchestrator Framework Services buffer overflow attempt (specific-threats.rules)
 * 1:18711 <-> ENABLED <-> SPYWARE-PUT RogueSoftware.Win32.SecurityCentral contact to server attempt (spyware-put.rules)
 * 1:18712 <-> ENABLED <-> SPYWARE-PUT RogueSoftware.Win32.XJRAntivirus contact to server attempt (spyware-put.rules)
 * 1:18713 <-> ENABLED <-> DOS OpenSSL TLS connection record handling denial of service attempt (dos.rules)
 * 1:18714 <-> ENABLED <-> DOS OpenSSL TLS connection record handling denial of service attempt (dos.rules)
 * 1:18715 <-> ENABLED <-> SPYWARE-PUT Ozdok botnet communication with C&C server attempt (spyware-put.rules)
 * 1:18716 <-> ENABLED <-> SPYWARE-PUT Trojan.Win32.Banker.H contact to server attempt (spyware-put.rules)
 * 1:18717 <-> ENABLED <-> SPYWARE-PUT Trojan.Win32.Banker.QO contact to server attempt (spyware-put.rules)
 * 1:18718 <-> ENABLED <-> SPYWARE-PUT RogueSoftware.Win32.AdvancedDefender contact to server attempt (spyware-put.rules)
 * 1:18719 <-> DISABLED <-> SPYWARE-PUT Backdoor.Win32.IRCBot.CBY contact to server attempt (spyware-put.rules)
 * 1:18739 <-> ENABLED <-> SPYWARE-PUT Worm.Win32.Koobface.D contact to server attempt (spyware-put.rules)
 * 1:18738 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B2 integer overflow attempt (scada.rules)
 * 1:18737 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt (scada.rules)
 * 1:18735 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt (scada.rules)
 * 1:18736 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt (scada.rules)
 * 1:18734 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt (scada.rules)
 * 1:18733 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt (scada.rules)
 * 1:18732 <-> ENABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt (scada.rules)
 * 1:18700 <-> ENABLED <-> BLACKLIST Win32.BHO.argt checkin (blacklist.rules)
 * 3:18740 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel sheet object type confusion exploit attempt (specific-threats.rules)

Modified Rules:
 * 1:16008 <-> ENABLED <-> WEB-MISC excessive HTTP 304 Not Modified responses exploit attempt (web-misc.rules)
 * 1:18551 <-> ENABLED <-> SMTP Microsoft Word .doc attachment (smtp.rules)
 * 1:18680 <-> ENABLED <-> WEB-CLIENT RTF malformed pfragments field (web-client.rules)
 * 1:3819 <-> ENABLED <-> WEB-CLIENT CHM file transfer (web-client.rules)
 * 1:3820 <-> DISABLED <-> WEB-CLIENT CHM file transfer attempt (web-client.rules)
 * 1:13989 <-> DISABLED <-> SQL large number of calls to char function - possible sql injection obfuscation (sql.rules)
 * 1:11687 <-> DISABLED <-> WEB-MISC Apache SSI error page cross-site scripting (web-misc.rules)
 * 1:15587 <-> ENABLED <-> WEB-CLIENT Word file download request (web-client.rules)
 * 3:16465 <-> ENABLED <-> WEB-CLIENT Microsoft Excel ContinueFRT12 and MDXSet heap overflow attempt (web-client.rules)
 * 3:16412 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint invalid TextByteAtom remote code execution attempt (web-client.rules)
 * 3:16464 <-> ENABLED <-> WEB-CLIENT Microsoft Excel ContinueFRT12 heap overflow attempt (web-client.rules)