Sourcefire VRT Rules Update

Date: 2011-05-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.4.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:18934 <-> DISABLED <-> BOTNET-CNC known command and control channel traffic (Coreflood) (botnet-cnc.rules)
 * 1:18932 <-> ENABLED <-> WEB-MISC Jboss default configuration unauthorized application add attempt (web-misc.rules)
 * 1:18930 <-> ENABLED <-> WEB-MISC HP OpenView Network Node Manager nnmRptConfig.exe Template format string code execution attempt (web-client.rules)
 * 1:18927 <-> DISABLED <-> WEB-MISC Apple Quicktime SMIL transfer request (web-misc.rules)
 * 1:18929 <-> DISABLED <-> ORACLE Oracle Secure Backup Administration objectname variable command injection attempt (oracle.rules)
 * 1:18925 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18924 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18922 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18919 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18916 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18918 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18914 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18915 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18910 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18911 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18913 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18909 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18917 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18920 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18921 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18923 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18926 <-> DISABLED <-> SNMP Multiple vendors AgentX receive_agentx integer overflow attempt (snmp.rules)
 * 1:18928 <-> DISABLED <-> WEB-CLIENT Apple QuickTime streaming debug error logging buffer overflow attempt (web-client.rules)
 * 1:18931 <-> ENABLED <-> WEB-MISC Apache Struts OGNL parameter interception bypass command execution attempt (web-misc.rules)
 * 1:18933 <-> ENABLED <-> DOS SolarWinds TFTP Server Read request denial of service attempt (dos.rules)
 * 1:18906 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18904 <-> ENABLED <-> WEB-ACTIVEX KingView ActiveX clsid access (web-activex.rules)
 * 1:18905 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18902 <-> DISABLED <-> WEB-MISC Novell Teaming ajaxUploadImageFile remote code execution attempt (web-misc.rules)
 * 1:18903 <-> DISABLED <-> WEB-CLIENT Apple Safari WebKit Rendering Counter Code Execution (web-client.rules)
 * 1:18901 <-> ENABLED <-> SPECIFIC-THREATS MIT Kerberos KDC Ticket validation double free memory corruption attempt (specific-threats.rules)
 * 1:18912 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18907 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18908 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)

Modified Rules:

 * 1:13523 <-> ENABLED <-> WEB-ACTIVEX Novell iPrint ActiveX clsid access (web-activex.rules)
 * 1:13525 <-> ENABLED <-> WEB-ACTIVEX Novell iPrint ActiveX function call access (web-activex.rules)
 * 1:16427 <-> ENABLED <-> WEB-MISC Sun Java System Web Server 7.0 WebDAV format string exploit attempt - LOCK method (web-misc.rules)
 * 1:17140 <-> ENABLED <-> WEB-MISC OpenView Network Node Manager cookie buffer overflow attempt (web-misc.rules)
 * 1:18551 <-> DISABLED <-> SMTP Microsoft Word .doc attachment (smtp.rules)
 * 1:18552 <-> DISABLED <-> SMTP Microsoft Excel .xls attachment (smtp.rules)
 * 1:18553 <-> DISABLED <-> SMTP Microsoft Excel .xlw attachment (smtp.rules)
 * 1:18554 <-> DISABLED <-> SMTP Microsoft Powerpoint .ppt attachment (smtp.rules)
 * 1:18701 <-> DISABLED <-> SMTP Rich text file .rtf attachment (smtp.rules)
 * 1:18768 <-> ENABLED <-> SMTP Novell GroupWise internet agent RRULE parsing buffer overflow attempt (smtp.rules)
 * 1:18802 <-> ENABLED <-> WEB-MISC HP Power Manager formExportDataLogs directory traversal attempt (web-misc.rules)
 * 1:7205 <-> DISABLED <-> WEB-CLIENT excel FngGroupCount record overflow attempt (web-client.rules)
 * 3:18438 <-> ENABLED <-> NETBIOS Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt (netbios.rules)
 * 3:18441 <-> ENABLED <-> WEB-CLIENT Acrobat Reader plugin bibutils.dll dll-load exploit attempt (web-client.rules)
 * 3:18440 <-> ENABLED <-> WEB-CLIENT Acrobat Reader plugin agm.dll dll-load exploit attempt (web-client.rules)
 * 3:17750 <-> ENABLED <-> DOS Microsoft IIS 7.5 client verify null pointer attempt (dos.rules)
 * 3:18434 <-> ENABLED <-> NETBIOS Acrobat Reader plugin ace.dll dll-load exploit attempt (netbios.rules)
 * 3:18443 <-> ENABLED <-> WEB-CLIENT Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt (web-client.rules)
 * 3:18442 <-> ENABLED <-> WEB-CLIENT Acrobat Reader plugin cooltype.dll dll-load exploit attempt (web-client.rules)
 * 3:18435 <-> ENABLED <-> NETBIOS Acrobat Reader plugin agm.dll dll-load exploit attempt (netbios.rules)
 * 3:18436 <-> ENABLED <-> NETBIOS Acrobat Reader plugin bibutils.dll dll-load exploit attempt (netbios.rules)
 * 3:18426 <-> ENABLED <-> NETBIOS Acrobat Reader plugin sqlite.dll dll-load exploit attempt (netbios.rules)
 * 3:16167 <-> ENABLED <-> DOS Microsoft LSASS integer wrap denial of service attempt (dos.rules)
 * 3:18439 <-> ENABLED <-> WEB-CLIENT Acrobat Reader plugin ace.dll dll-load exploit attempt (web-client.rules)
 * 3:18431 <-> ENABLED <-> WEB-CLIENT Acrobat Reader plugin sqlite.dll dll-load exploit attempt (web-client.rules)
 * 3:18437 <-> ENABLED <-> NETBIOS Acrobat Reader plugin cooltype.dll dll-load exploit attempt (netbios.rules)