Sourcefire VRT Rules Update

Date: 2011-05-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.4.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:18986 <-> ENABLED <-> WEB-CLIENT Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt (web-client.rules)
 * 1:18987 <-> ENABLED <-> WEB-CLIENT Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt (web-client.rules)
 * 1:18988 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt (specific-threats.rules)
 * 1:18989 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt (specific-threats.rules)
 * 1:18990 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt (specific-threats.rules)
 * 1:18991 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt (specific-threats.rules)
 * 1:18992 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash player content parsing execution attempt (specific-threats.rules)
 * 1:18993 <-> ENABLED <-> WEB-MISC HP OpenView Network Node Manager server name exploit attempt (web-misc.rules)
 * 1:18994 <-> ENABLED <-> NETBIOS Microsoft Windows 2003 browser election remote heap overflow attempt (netbios.rules)
 * 1:18995 <-> ENABLED <-> SPECIFIC-THREATS Apple Safari Webkit removeAllRanges use-after-free attempt (specific-threats.rules)
 * 1:18996 <-> ENABLED <-> ORACLE DBMS_JAVA.SET_OUTPUT_TO_JAVA privilege escalation attempt (oracle.rules)
 * 1:18997 <-> DISABLED <-> DOS Linux Kernal sctp_rcv_ootb invalid chunk length DoS attempt (dos.rules)
 * 1:18999 <-> DISABLED <-> WEB-MISC HP OpenView NNM webappmon.exe buffer overflow attempt (web-misc.rules)
 * 1:18998 <-> DISABLED <-> WEB-MISC HP OpenView NNM ovwebsnmpsrv.exe command line argument buffer overflow attempt (web-misc.rules)
 * 1:19000 <-> DISABLED <-> SPECIFIC-THREATS MySQL Database CASE NULL argument denial of service attempt (specific-threats.rules)
 * 1:19001 <-> DISABLED <-> MYSQL MySQL Database IN NULL argument denial of service attempt (mysql.rules)
 * 1:19002 <-> DISABLED <-> SPECIFIC-THREATS RealNetworks RealPlayer FLV parsing two integer overflow vulnerabilities (specific-threats.rules)
 * 1:19003 <-> ENABLED <-> SPECIFIC-THREATS Apple Safari Webkit run-in use-after-free attempt (specific-threats.rules)
 * 1:19004 <-> ENABLED <-> SPECIFIC-THREATS Apple Safari Webkit run-in use-after-free attempt (specific-threats.rules)
 * 1:19005 <-> DISABLED <-> WEB-CLIENT Apple Safari/Google Chrome Webkit memory corruption attempt (web-client.rules)
 * 1:19006 <-> DISABLED <-> EXPLOIT HP Data Protector Express DtbClsLogin buffer overflow attempt (exploit.rules)
 * 1:19007 <-> DISABLED <-> NETBIOS Samba SID parsing overflow attempt (netbios.rules)
 * 1:19009 <-> ENABLED <-> SPECIFIC-THREATS Apple Safari WebKit menu onchange memory corruption attempt (specific-threats.rules)
 * 1:19008 <-> ENABLED <-> WEB-CLIENT Apple Safari Webkit floating point conversion memory corruption attempt (web-client.rules)
 * 1:19010 <-> ENABLED <-> SPECIFIC-THREATS Apple Safari WebKit menu onchange memory corruption attempt (specific-threats.rules)
 * 1:19011 <-> DISABLED <-> WEB-CLIENT Adobe Shockwave Player Lnam chunk processing buffer overflow attempt (web-client.rules)
 * 1:19012 <-> DISABLED <-> WEB-CLIENT Adobe Shockwave Player Lnam chunk processing buffer overflow attempt (web-client.rules)
 * 1:19014 <-> DISABLED <-> TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ (tftp.rules)
 * 1:19013 <-> DISABLED <-> TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ (tftp.rules)
 * 1:19015 <-> DISABLED <-> PHISHING-SPAM visiopharm-3d.eu known spam email attempt (phishing-spam.rules)
 * 1:19016 <-> ENABLED <-> BOTNET-CNC MacBack Trojan outbound connection attempt (botnet-cnc.rules)
 * 1:19017 <-> ENABLED <-> BOTNET-CNC MacBack Trojan outbound connection attempt (botnet-cnc.rules)
 * 1:19018 <-> ENABLED <-> BOTNET-CNC MacBack Trojan outbound connection attempt (botnet-cnc.rules)
 * 1:19019 <-> ENABLED <-> BOTNET-CNC MacBack Trojan outbound connection attempt (botnet-cnc.rules)
 * 1:19020 <-> DISABLED <-> POLICY Suspicious .cc dns query (policy.rules)
 * 1:19021 <-> ENABLED <-> BOTNET-CNC Trojan-Downloader.Win32.FraudLoad.dzm outbound connection (botnet-cnc.rules)
 * 1:19022 <-> ENABLED <-> BOTNET-CNC Trojan-Downloader.Win32.FraudLoad.dzm outbound connection (botnet-cnc.rules)
 * 1:19023 <-> DISABLED <-> BACKDOOR Backdoor.IRC.Zapchast.zwrc outbound connection (backdoor.rules)
 * 1:19024 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.StartPage outbound connection (botnet-cnc.rules)
 * 1:19025 <-> DISABLED <-> BOTNET-CNC Trojan-Banker.Win32.Bancos.etf outbound connection (botnet-cnc.rules)
 * 1:19026 <-> ENABLED <-> SPYWARE-PUT Smart Protector outbound connection (spyware-put.rules)
 * 1:19027 <-> DISABLED <-> BOTNET-CNC BrowserModifier.Win32.Kerlofost outbound connection (botnet-cnc.rules)
 * 1:19028 <-> DISABLED <-> BOTNET-CNC Trojan-Mailfinder.Win32.Mailbot.dz outbound connection (botnet-cnc.rules)
 * 1:19029 <-> DISABLED <-> BOTNET-CNC Backdoor.Win32.PcClient.AI outbound connection (botnet-cnc.rules)
 * 1:19030 <-> DISABLED <-> BOTNET-CNC TrojanDownloader.Win32.Uloadis.A outbound connection (botnet-cnc.rules)
 * 1:19031 <-> DISABLED <-> BOTNET-CNC iPRIVACY outbound connection (botnet-cnc.rules)
 * 1:19032 <-> ENABLED <-> BOTNET-CNC TrojanDownloader.Win32.Cornfemo.A outbound connection (botnet-cnc.rules)
 * 1:19033 <-> ENABLED <-> BOTNET-CNC TrojanDownloader.Win32.Cornfemo.A outbound connection (botnet-cnc.rules)
 * 1:19034 <-> DISABLED <-> BOTNET-CNC Backdoor.Win32.Kbot.qd outbound connection (botnet-cnc.rules)
 * 1:19035 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Vilsel.baqb outbound connection (botnet-cnc.rules)
 * 1:19036 <-> ENABLED <-> SPYWARE-PUT Backdoor.Win32.IRCBrute.I contact to server attempt (spyware-put.rules)
 * 1:19037 <-> ENABLED <-> SPYWARE-PUT Backdoor.Win32.IRCBrute.I contact to server attempt (spyware-put.rules)
 * 1:19038 <-> ENABLED <-> SPYWARE-PUT Trojan.Win32.Jzzer.A contact to server attempt (spyware-put.rules)
 * 1:19039 <-> ENABLED <-> SPYWARE-PUT Backdoor.Win32.Linkbot.alr contact to server attempt (spyware-put.rules)
 * 1:19040 <-> ENABLED <-> SPYWARE-PUT Backdoor.Win32.Linkbot.alr contact to server attempt (spyware-put.rules)
 * 1:19041 <-> ENABLED <-> SPYWARE-PUT Trojan.Win32.Carberp.C contact to server attempt (spyware-put.rules)
 * 1:19042 <-> ENABLED <-> SPYWARE-PUT Trojan.Win32.Banker.ACQE contact to server attempt (spyware-put.rules)
 * 1:19043 <-> ENABLED <-> SPYWARE-PUT RogueSoftware.Win32.BestBoan contact to server attempt (spyware-put.rules)
 * 1:19044 <-> ENABLED <-> SPYWARE-PUT RogueSoftware.Win32.ThinkPoint contact to server attempt (spyware-put.rules)
 * 1:19045 <-> ENABLED <-> SPYWARE-PUT Trojan.Win32.Bancos.XQ contact to server attempt (spyware-put.rules)
 * 1:19046 <-> ENABLED <-> SPYWARE-PUT RogueSoftware.Win32.Winwebsec contact to server attempt (spyware-put.rules)
 * 1:19047 <-> ENABLED <-> SPYWARE-PUT RogueSoftware.Win32.RClean contact to server attempt (spyware-put.rules)
 * 1:19048 <-> ENABLED <-> SPYWARE-PUT Backdoor.Win32.Darkness contact to server attempt (spyware-put.rules)
 * 1:19049 <-> ENABLED <-> SPYWARE-PUT Backdoor.Win32.Gigade contact to server attempt (spyware-put.rules)
 * 1:19050 <-> ENABLED <-> SPYWARE-PUT Trojan.Win32.Banbra.fxe contact to server attempt (spyware-put.rules)
 * 1:19051 <-> ENABLED <-> SPYWARE-PUT Trojan.Win32.Murofet.A contact to server attempt (spyware-put.rules)
 * 1:19052 <-> ENABLED <-> SPYWARE-PUT Backdoor.Win32.Httpbot.qdc contact to server attempt (spyware-put.rules)
 * 1:19053 <-> ENABLED <-> SPYWARE-PUT Worm.Win32.Nusump.A contact to server attempt (spyware-put.rules)
 * 1:19054 <-> ENABLED <-> SPYWARE-PUT Trojan.Win32.Sisron.nelo contact to server attempt (spyware-put.rules)
 * 1:19055 <-> ENABLED <-> SPYWARE-PUT Backdoor.Win32.Gosik.A registration attempt (spyware-put.rules)
 * 1:19056 <-> ENABLED <-> SPYWARE-PUT Trojan.Win32.QQFish contact to server attempt (spyware-put.rules)
 * 1:19057 <-> ENABLED <-> SPYWARE-PUT Trojan.Win32.QQFish contact to server attempt (spyware-put.rules)
 * 1:19058 <-> ENABLED <-> SPYWARE-PUT Worm.Win32.Faketube update request attempt (spyware-put.rules)
 * 1:19059 <-> ENABLED <-> SPYWARE-PUT RogueSoftware.Win32.SystemDefragmenter contact to server attempt (spyware-put.rules)
 * 1:19084 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer CSS style memory corruption attempt (specific-threats.rules)
 * 1:19083 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player memory corruption attempt (specific-threats.rules)
 * 1:19082 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player memory corruption attempt (specific-threats.rules)
 * 1:19081 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer CSS style memory corruption attempt (specific-threats.rules)
 * 1:19080 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player memory corruption attempt (specific-threats.rules)
 * 1:19079 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer getElementById object corruption (specific-threats.rules)
 * 1:19078 <-> ENABLED <-> SPECIFIC-THREATS Mozilla Firefox html tag attributes memory corruption (specific-threats.rules)
 * 1:19077 <-> ENABLED <-> SPECIFIC-THREATS Firefox appendChild use-after-free attempt (specific-threats.rules)
 * 1:19076 <-> ENABLED <-> SPECIFIC-THREATS Firefox appendChild use-after-free attempt (specific-threats.rules)
 * 1:19075 <-> ENABLED <-> WEB-CLIENT javascript uuencoded eval statement (web-client.rules)
 * 1:19074 <-> ENABLED <-> WEB-CLIENT javascript uuencoded noop sled attempt (web-client.rules)
 * 1:19073 <-> ENABLED <-> DOS Squid Proxy Expect header null pointer denial of service attempt (dos.rules)
 * 1:19072 <-> ENABLED <-> EXPLOIT RealNetworks Helix Server NTLM authentication heap overflow attempt (exploit.rules)
 * 1:19071 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player memory corruption attempt (specific-threats.rules)
 * 1:19070 <-> DISABLED <-> POLICY Microsoft Excel with embedded Flash file attachment attempt (policy.rules)
 * 1:19069 <-> DISABLED <-> POLICY Microsoft Excel with embedded Flash file attachment attempt (policy.rules)
 * 1:19068 <-> DISABLED <-> POLICY Microsoft Excel with embedded Flash file attachment attempt (policy.rules)
 * 1:19067 <-> DISABLED <-> POLICY Microsoft Excel with embedded Flash file attachment attempt (policy.rules)
 * 1:19066 <-> DISABLED <-> POLICY Microsoft Excel with embedded Flash file attachment attempt (policy.rules)
 * 1:19065 <-> DISABLED <-> POLICY Microsoft Excel with embedded Flash file attachment attempt (policy.rules)
 * 1:19064 <-> DISABLED <-> SPECIFIC-THREATS Microsoft OpenType font index remote code execution attempt (specific-threats.rules)
 * 1:19062 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.FakePlus Runtime Detection (botnet-cnc.rules)
 * 1:19063 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows Movie Maker string size overflow attempt (specific-threats.rules)
 * 1:19061 <-> ENABLED <-> SPYWARE-PUT Adware.Win32.Cashtitan contact to server attempt (spyware-put.rules)
 * 1:19060 <-> ENABLED <-> SPYWARE-PUT Trojan.Win32.Ponmocup.A contact to server attempt (spyware-put.rules)

Modified Rules:
 * 1:18554 <-> DISABLED <-> SMTP Microsoft Powerpoint .ppt attachment (smtp.rules)
 * 1:18461 <-> DISABLED <-> SMTP IBM Lotus Domino nrouter.exe iCalendar MAILTO stack buffer overflow attempt (smtp.rules)
 * 1:16552 <-> DISABLED <-> WEB-CLIENT Adobe .pfb download attempt (web-client.rules)
 * 1:15727 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash (policy.rules)
 * 1:16022 <-> DISABLED <-> SPECIFIC-THREATS Windows Vista Windows mail file execution attempt (specific-threats.rules)
 * 1:16023 <-> DISABLED <-> SPECIFIC-THREATS Windows Vista Windows mail file execution attempt (specific-threats.rules)
 * 1:16059 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Excel malformed file format parsing code execution attempt (specific-threats.rules)
 * 1:17239 <-> ENABLED <-> IMAP Multiple IMAP server CREATE command buffer overflow attempt (imap.rules)
 * 1:17240 <-> ENABLED <-> IMAP Multiple IMAP server literal CREATE command buffer overflow attempt (imap.rules)
 * 1:18099 <-> ENABLED <-> BOTNET-CNC URI request for known malicious URI - Carberp (botnet-cnc.rules)
 * 1:18098 <-> ENABLED <-> BOTNET-CNC URI request for known malicious URI - Carberp (botnet-cnc.rules)
 * 1:18535 <-> ENABLED <-> WEB-CLIENT Multiple Vendors Microsoft Word file sprmTSetBrc processing buffer overflow attempt (web-client.rules)
 * 1:18551 <-> DISABLED <-> SMTP Microsoft Word .doc attachment (smtp.rules)
 * 1:18552 <-> DISABLED <-> SMTP Microsoft Excel .xls attachment (smtp.rules)
 * 1:18553 <-> DISABLED <-> SMTP Microsoft Excel .xlw attachment (smtp.rules)
 * 1:18701 <-> DISABLED <-> SMTP Rich text file .rtf attachment (smtp.rules)
 * 1:18764 <-> ENABLED <-> WEB-CGI HP OpenView Network Node Manager nnmRptConfig.exe multiple parameters buffer overflow attempt (web-cgi.rules)
 * 3:13582 <-> ENABLED <-> WEB-CLIENT Microsoft Excel sst record arbitrary code execution attempt (web-client.rules)
 * 3:15498 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint CString atom overflow attempt (web-client.rules)
 * 3:17252 <-> ENABLED <-> NETBIOS Microsoft Windows Print Spooler arbitrary file write attempt (netbios.rules)
 * 3:18062 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer CSS style memory corruption attempt (web-client.rules)