Sourcefire VRT Rules Update

Date: 2011-06-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.4.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
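To show how the line format above is consumed in practice, here is an added parser (example code written for this page, not a Sourcefire VRT tool) that turns the update into records and pulls out what an operator actually needs to act on: rules that ship DISABLED and so will not fire until enabled, per-rule-file counts, and gid 3 entries, which are shared-object rules that require the platform-specific precompiled SO files rather than plain text rules. The sample text embedded below is a constructed excerpt of entries copied from this update; the function and variable names are the example's own.

```python
"""Parse a Sourcefire VRT rule-update changelog into structured records."""
import re
from collections import Counter

# Documented line format:
#   gid:sid <-> Default rule state <-> Message (rule group)
# The leading " * " bullet is optional so the regex accepts both the
# bulleted list on the page and unbulleted raw lines.
LINE_RE = re.compile(
    r"^\s*(?:\*\s*)?(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)

# Constructed sample: a handful of entries copied from this update.
SAMPLE = """\
Sourcefire VRT Rules Update

Date: 2011-06-02

New Rules:

 * 1:19154 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel PtgExtraArray parsing attempt (specific-threats.rules)
 * 1:19150 <-> DISABLED <-> WEB-CLIENT Internet Explorer malformed table tag memory corruption attempt (web-client.rules)
 * 1:19141 <-> DISABLED <-> WEB-CLIENT Microsoft Access Wizard control memory corruption ActiveX clsid access (web-client.rules)
 * 1:19135 <-> ENABLED <-> BACKDOOR Backdoor.Win32.Buterat Checkin (backdoor.rules)

Modified Rules:

 * 1:10192 <-> DISABLED <-> WEB-ACTIVEX RealPlayer Ierpplug.dll ActiveX clsid access (web-activex.rules)
 * 3:16418 <-> ENABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
"""


def parse_update(text):
    """Return {section name: [record, ...]} for 'New Rules' / 'Modified Rules'.

    Each record has gid, sid (ints), state, enabled (bool), msg, group and
    classtype (the leading category token of the message, e.g. WEB-CLIENT).
    """
    sections = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        # Section headers on the page look like "New Rules:" / "Modified Rules:".
        if stripped.endswith(" Rules:"):
            current = stripped[:-1]
            sections.setdefault(current, [])
            continue
        m = LINE_RE.match(line)
        if m is None or current is None:
            continue  # prose, blank line, or a line outside any section
        rec = m.groupdict()
        rec["gid"] = int(rec["gid"])
        rec["sid"] = int(rec["sid"])
        rec["enabled"] = rec["state"] == "ENABLED"
        rec["classtype"] = rec["msg"].split(" ", 1)[0]
        sections[current].append(rec)
    return sections


def disabled_by_default(records):
    """gid:sid strings for rules that will not alert unless enabled by hand."""
    return [f"{r['gid']}:{r['sid']}" for r in records if not r["enabled"]]


def shared_object_rules(records):
    """gid:sid strings for gid 3 entries, which need the precompiled SO rules."""
    return [f"{r['gid']}:{r['sid']}" for r in records if r["gid"] == 3]


def count_by_group(records):
    """How many entries touch each .rules file."""
    return Counter(r["group"] for r in records)


if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    for name, recs in parsed.items():
        print(f"{name}: {len(recs)} entries, disabled: {disabled_by_default(recs)}, "
              f"SO rules: {shared_object_rules(recs)}, by file: {dict(count_by_group(recs))}")
```

Run against the full update text instead of the sample, the `disabled_by_default` list is the set of new signatures to review before assuming coverage, since a DISABLED default state means the rule is shipped but inert until the policy enables it.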

New Rules:

 * 1:19154 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel PtgExtraArray parsing attempt (specific-threats.rules)
 * 1:19152 <-> ENABLED <-> WEB-ACTIVEX Trend Micro HouseCall ActiveX function call access (web-activex.rules)
 * 1:19153 <-> ENABLED <-> WEB-CLIENT Microsoft Word malformed index code execution attempt (web-client.rules)
 * 1:19150 <-> DISABLED <-> WEB-CLIENT Internet Explorer malformed table tag memory corruption attempt (web-client.rules)
 * 1:19151 <-> ENABLED <-> WEB-ACTIVEX Trend Micro HouseCall ActiveX clsid access (web-activex.rules)
 * 1:19149 <-> DISABLED <-> WEB-CLIENT Internet Explorer malformed table tag memory corruption attempt (web-client.rules)
 * 1:19148 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player SWF file MP4 data parsing memory corruption attempt (web-client.rules)
 * 1:19147 <-> ENABLED <-> WEB-CLIENT IE innerHTML against incomplete element heap corruption attempt (web-client.rules)
 * 1:19144 <-> ENABLED <-> SPECIFIC-THREATS Microsoft MPEG Layer-3 audio heap corruption attempt (specific-threats.rules)
 * 1:19139 <-> ENABLED <-> WEB-MISC HP OpenView NNM getnnmdata.exe CGI MaxAge parameter buffer overflow attempt (web-misc.rules)
 * 1:19130 <-> ENABLED <-> WEB-CLIENT MSPaint jpeg with malformed SOFx field exploit attempt (web-client.rules)
 * 1:19133 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel EntExU2 write access violation attempt (specific-threats.rules)
 * 1:19132 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office RTD buffer overflow attempt (specific-threats.rules)
 * 1:19131 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office RTD buffer overflow attempt (specific-threats.rules)
 * 1:19134 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel PtgExtraArray data parsing vulnerability exploit attempt (specific-threats.rules)
 * 1:19136 <-> ENABLED <-> EXPLOIT CA XOsoft Multiple Products xosoapapi.asmx buffer overflow attempt (exploit.rules)
 * 1:19137 <-> ENABLED <-> WEB-MISC HP OpenView NNM getnnmdata.exe CGI ICount parameter buffer overflow attempt (web-misc.rules)
 * 1:19138 <-> ENABLED <-> WEB-MISC HP OpenView NNM getnnmdata.exe CGI hostname parameter buffer overflow attempt (web-misc.rules)
 * 1:19140 <-> ENABLED <-> WEB-MISC HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt (web-misc.rules)
 * 1:19141 <-> DISABLED <-> WEB-CLIENT Microsoft Access Wizard control memory corruption ActiveX clsid access (web-client.rules)
 * 1:19142 <-> ENABLED <-> WEB-MISC Symantec IM Manager IMAdminScheduleReport.asp SQL injection attempt (web-misc.rules)
 * 1:19143 <-> ENABLED <-> WEB-CLIENT Windows Media Player JPG header record mismatch memory corruption attempt (web-client.rules)
 * 1:19145 <-> ENABLED <-> SPECIFIC-THREATS Adobe flash player newfunction memory corruption attempt (specific-threats.rules)
 * 1:19146 <-> ENABLED <-> SPECIFIC-THREATS Microsoft quartz.dll MJPEG content processing memory corruption attempt (specific-threats.rules)
 * 1:19161 <-> DISABLED <-> SPECIFIC-THREATS NetSupport Manager client buffer overflow attempt (specific-threats.rules)
 * 1:19159 <-> ENABLED <-> DOS HP Data Protector Manager RDS attempt (dos.rules)
 * 1:19160 <-> DISABLED <-> SPECIFIC-THREATS NetSupport Manager client buffer overflow attempt (specific-threats.rules)
 * 1:19135 <-> ENABLED <-> BACKDOOR Backdoor.Win32.Buterat Checkin (backdoor.rules)
 * 1:19158 <-> ENABLED <-> POLICY HP Universal CMDB server axis2 service upload attempt (policy.rules)
 * 1:19157 <-> ENABLED <-> WEB-MISC HP Universal CMDB server axis2 default credentials attempt (web-misc.rules)
 * 1:19156 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office .CGM file cell array heap overflow attempt (specific-threats.rules)
 * 1:19155 <-> ENABLED <-> WEB-MISC HP Data Protector Media Operations SignInName Parameter overflow attempt (web-misc.rules)

Modified Rules:

 * 1:16674 <-> ENABLED <-> WEB-MISC HP OpenView CGI parameter buffer overflow attempt (web-misc.rules)
 * 1:10192 <-> DISABLED <-> WEB-ACTIVEX RealPlayer Ierpplug.dll ActiveX clsid access (web-activex.rules)
 * 1:10193 <-> DISABLED <-> WEB-ACTIVEX RealPlayer Ierpplug.dll ActiveX function call access (web-activex.rules)
 * 3:16649 <-> ENABLED <-> WEB-CLIENT Microsoft Excel HFPicture record stack buffer overflow attempt (web-client.rules)
 * 3:18217 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer select element memory corruption attempt (web-client.rules)
 * 3:17758 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel PtgExtraArray data parsing vulnerability exploit attempt (specific-threats.rules)
 * 3:16545 <-> ENABLED <-> WEB-CLIENT Adobe Reader malformed Richmedia annotation exploit attempt (web-client.rules)
 * 3:16461 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel EntExU2 write access violation attempt (specific-threats.rules)
 * 3:16418 <-> ENABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
 * 3:16534 <-> ENABLED <-> DOS Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (dos.rules)