Sourcefire VRT Rules Update

Date: 2011-06-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.4.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:19180 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel pivot item index boundary corruption attempt (specific-threats.rules)
 * 1:19182 <-> ENABLED <-> SPECIFIC-THREATS strongSwan Certificate and Identification payload overflow attempt (specific-threats.rules)
 * 1:19181 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer iframe uninitialized memory corruption attempt (specific-threats.rules)
 * 1:19183 <-> ENABLED <-> SPECIFIC-THREATS Microsoft IIS FastCGI request header buffer overflow attempt (specific-threats.rules)
 * 1:19184 <-> ENABLED <-> EXPLOIT Microsoft OLEAUT32.DLL malicious WMF file remote code execution attempt (exploit.rules)
 * 1:19185 <-> ENABLED <-> SPECIFIC-THREATS Microsoft .NET ArraySegment escape exploit attempt (specific-threats.rules)
 * 1:19186 <-> ENABLED <-> WEB-CLIENT Microsoft Certification service XSS attempt (web-client.rules)
 * 1:19188 <-> ENABLED <-> SPECIFIC-THREATS Microsoft ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:19189 <-> ENABLED <-> NETBIOS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (netbios.rules)
 * 1:19190 <-> ENABLED <-> NETBIOS SMB-DS Trans2 Distributed File System GET_DFS_REFERRAL request (netbios.rules)
 * 1:19191 <-> ENABLED <-> NETBIOS SMB2 zero length write attempt (netbios.rules)
 * 1:19192 <-> ENABLED <-> SPECIFIC-THREATS Microsoft IIS Repeated Parameter Request denial of service attempt (specific-threats.rules)
 * 1:19193 <-> DISABLED <-> WEB-ACTIVEX Oracle Document Capture ActiveX clsid access (web-activex.rules)
 * 1:19194 <-> DISABLED <-> WEB-ACTIVEX Oracle Document Capture ActiveX function call access (web-activex.rules)
 * 1:19195 <-> DISABLED <-> SPECIFIC-THREATS Oracle Document Capture ActiveX function call access (specific-threats.rules)
 * 1:19196 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD Adobe font driver remote code execution attempt (specific-threats.rules)
 * 1:19197 <-> ENABLED <-> WEB-ACTIVEX CA Internet Security Suite XMLSecDB ActiveX clsid access (web-activex.rules)
 * 1:19198 <-> ENABLED <-> WEB-ACTIVEX CA Internet Security Suite XMLSecDB ActiveX function call access (web-activex.rules)
 * 1:19199 <-> ENABLED <-> NETBIOS Smb2Create_Finalize malformed EndOfFile field exploit attempt (netbios.rules)
 * 1:19200 <-> ENABLED <-> EXPLOIT Microsoft Office Excel ObjBiff exploit attempt (exploit.rules)
 * 1:19201 <-> ENABLED <-> SQL waitfor delay function - possible SQL injection attempt (sql.rules)
 * 1:19202 <-> ENABLED <-> SQL declare varchar - possible SQL injection attempt (sql.rules)
 * 1:19203 <-> DISABLED <-> WEB-CLIENT Internet Explorer MsgBox arbitrary code execution attempt (web-client.rules)
 * 1:19204 <-> DISABLED <-> WEB-CLIENT Internet Explorer MsgBox arbitrary code execution attempt (web-client.rules)
 * 1:19205 <-> ENABLED <-> DOS Novell iManager Tree parameter denial of service attempt (dos.rules)
 * 1:19206 <-> ENABLED <-> EXPLOIT IBM DB2 Universal Database receiveDASMessage buffer overflow attempt (exploit.rules)
 * 1:19207 <-> ENABLED <-> EXPLOIT Symantec Alert Management System AMSSendAlertAck stack buffer overflow attempt (exploit.rules)
 * 1:19208 <-> ENABLED <-> EXPLOIT Citrix Provisioning Services streamprocess.exe buffer overflow attempt (exploit.rules)
 * 1:19209 <-> ENABLED <-> WEB-MISC Symantec Alert Management System modem string buffer overflow attempt (web-misc.rules)
 * 1:19210 <-> DISABLED <-> EXPLOIT IBM Informix Dynamic Server set environment buffer overflow attempt (exploit.rules)
 * 1:19211 <-> DISABLED <-> POLICY Zip archive file download (policy.rules)
 * 1:19212 <-> DISABLED <-> EXPLOIT Microsoft Windows MFC Document title updating buffer overflow attempt (exploit.rules)
 * 1:19213 <-> DISABLED <-> SMTP Ipswitch IMail Server Mailing List Message Subject buffer overflow (smtp.rules)
 * 1:19214 <-> DISABLED <-> WEB-ACTIVEX HP Photo Creative ActiveX clsid access (web-activex.rules)
 * 1:19215 <-> DISABLED <-> POLICY Google Chrome extension download attempt (policy.rules)
 * 1:19216 <-> DISABLED <-> SPECIFIC-THREATS Google Chrome Uninitialized bug_report Pointer Code Execution (specific-threats.rules)
 * 1:19217 <-> DISABLED <-> SPECIFIC-THREATS Google Chrome Uninitialized bug_report Pointer Code Execution (specific-threats.rules)
 * 1:19218 <-> DISABLED <-> WEB-CLIENT Microsoft Window Fax Cover Page download attempt (web-client.rules)
 * 1:19219 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption (specific-threats.rules)
 * 1:19220 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption (specific-threats.rules)
 * 1:19221 <-> ENABLED <-> NETBIOS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (netbios.rules)
 * 1:19222 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel ObjBiff validation exploit attempt (specific-threats.rules)
 * 1:19223 <-> DISABLED <-> EXPLOIT SAP Crystal Reports 2008 Directory Traversal attempt (exploit.rules)
 * 1:19224 <-> ENABLED <-> POLICY Cisco Webex wrf download attempt (policy.rules)
 * 1:19225 <-> ENABLED <-> WEB-CLIENT Microsoft Excel SerAuxTrend biff record corruption attempt (web-client.rules)
 * 1:19226 <-> DISABLED <-> SPECIFIC-THREATS Cisco Webex Player .wrf stack buffer overflow (specific-threats.rules)
 * 1:19227 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel Scenario heap memory overflow (specific-threats.rules)
 * 1:19228 <-> ENABLED <-> WEB-MISC Oracle Secure Backup Administration preauth variable command injection attempt (web-misc.rules)
 * 1:19229 <-> ENABLED <-> EXPLOIT Microsoft Excel SLK file excessive Picture records exploit attempt (exploit.rules)
 * 1:19230 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel Selection exploit attempt (specific-threats.rules)
 * 1:19231 <-> ENABLED <-> WEB-CLIENT Microsoft Excel Series record exploit attempt (web-client.rules)
 * 1:19232 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel XF record exploit attempt (specific-threats.rules)
 * 1:19233 <-> ENABLED <-> WEB-MISC Microsoft DISCO file request (web-misc.rules)
 * 1:19234 <-> ENABLED <-> WEB-CLIENT Microsoft Visual Studio information disclosure attempt (web-client.rules)
 * 1:19235 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer copy/paste memory corruption attempt (specific-threats.rules)
 * 1:19236 <-> ENABLED <-> SPECIFIC-THREATS Internet Explorer drag event memory corruption attempt (specific-threats.rules)
 * 1:19237 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer contenteditable corruption attempt (specific-threats.rules)
 * 1:19256 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - greenherbalteagirlholdingcup (blacklist.rules)
 * 1:19255 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader ICC ProfileDescriptionTag overflow attempt (specific-threats.rules)
 * 1:19254 <-> ENABLED <-> WEB-CLIENT Adobe Reader javascript in PDF go-to actions exploit attempt (web-client.rules)
 * 1:19253 <-> ENABLED <-> WEB-CLIENT Adobe Reader malicious language.engtesselate.ln file download attempt (web-client.rules)
 * 1:19252 <-> ENABLED <-> WEB-CLIENT language.engtesselate.ln download attempt (web-client.rules)
 * 1:19251 <-> ENABLED <-> WEB-CLIENT Adobe PDF CIDFont dictionary glyph width corruption attempt (web-client.rules)
 * 1:19250 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat and Adobe Reader U3D file include overflow attempt (specific-threats.rules)
 * 1:19249 <-> ENABLED <-> SPECIFIC-THREATS Adobe Universal3D meshes.removeItem exploit attempt (specific-threats.rules)
 * 1:19248 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader malformed U3D texture continuation integer overflow attempt (specific-threats.rules)
 * 1:19247 <-> ENABLED <-> SPECIFIC-THREATS Adobe jpeg 2000 image exploit attempt (specific-threats.rules)
 * 1:19246 <-> ENABLED <-> WEB-CLIENT Internet Explorer CSS expression defined to empty selection attempt (web-client.rules)
 * 1:19245 <-> ENABLED <-> WEB-CLIENT Internet Explorer redirect to cdl protocol attempt (web-client.rules)
 * 1:19244 <-> ENABLED <-> WEB-CLIENT Internet Explorer CSS expression defined to empty selection attempt (web-client.rules)
 * 1:19243 <-> ENABLED <-> WEB-CLIENT Internet Explorer layout-grid-char value exploit attempt (web-client.rules)
 * 1:19242 <-> ENABLED <-> SPECIFIC-THREATS VML imagedata page deconstruction attempt (specific-threats.rules)
 * 1:19241 <-> ENABLED <-> SPECIFIC-THREATS VML imagedata page deconstruction attempt (specific-threats.rules)
 * 1:19240 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer IE6/7/8 reload stylesheet attempt (web-client.rules)
 * 1:19238 <-> ENABLED <-> EXPLOIT Microsoft Internet Explorer IE8 self remove from markup vulnerability (exploit.rules)
 * 1:19239 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer 8 toStaticHTML XSS attempt (web-client.rules)
 * 3:19187 <-> ENABLED <-> BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt (bad-traffic.rules)

Modified Rules:


 * 1:19163 <-> ENABLED <-> ORACLE get_v2_domain_index_tables privilege escalation attempt (oracle.rules)
 * 1:19174 <-> ENABLED <-> WEB-CLIENT Windows Vista feed headlines cross-site scripting attack attempt (web-client.rules)
 * 1:16052 <-> ENABLED <-> DOS Novell iManager Tree parameter denial of service attempt (dos.rules)
 * 1:13583 <-> ENABLED <-> WEB-CLIENT Microsoft SYmbolic LinK file download request (web-client.rules)
 * 1:19162 <-> ENABLED <-> ORACLE get_domain_index_metadata privilege escalation attempt (oracle.rules)
 * 1:18335 <-> ENABLED <-> WEB-CLIENT Microsoft MHTML XSS attempt (web-client.rules)
 * 3:18691 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows AFD.SYS null write attempt (specific-threats.rules)
 * 3:17767 <-> ENABLED <-> EXPLOIT Microsoft Internet Explorer IE8 tostaticHTML CSS import vulnerability (exploit.rules)