Sourcefire VRT Rules Update

Date: 2011-06-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.4.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
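As an added example (not part of the Sourcefire update or its tooling), the parser below reads this `gid:sid <-> state <-> message (group)` line format into structured records, so an update can be reviewed programmatically: which rule groups it touches, and which new rules ship DISABLED and therefore never fire unless enabled locally. The embedded sample input is a handful of lines copied from this update; the regular expression, the `RuleEntry` fields and the helper names are this example's own choices.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: a handful of entries copied from this update so the
# script runs offline. Feed parse_update() the whole update text to process it all.
SAMPLE_UPDATE = """\
Sourcefire VRT Rules Update

Date: 2011-06-21

New Rules:


 * 1:19281 <-> ENABLED <-> SHELLCODE x86 OS agnostic single-byte xor countdown encoder (shellcode.rules)
 * 1:19293 <-> DISABLED <-> SPECIFIC-THREATS Adobe Flash Player memory corruption attempt (specific-threats.rules)
 * 1:19268 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over smb (policy.rules)

Modified Rules:


 * 1:15727 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over http (policy.rules)
 * 1:18335 <-> ENABLED <-> WEB-CLIENT Microsoft MHTML XSS attempt (web-client.rules)
"""


@dataclass(frozen=True)
class RuleEntry:
    section: str    # "new" or "modified"
    gid: int
    sid: int
    enabled: bool   # default state in the shipped rule pack
    message: str    # rule msg; its first token is the category (POLICY, SHELLCODE, ...)
    rule_file: str  # rule group file, e.g. policy.rules


# One entry line: " * gid:sid <-> ENABLED|DISABLED <-> message (file.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<file>[\w.-]+\.rules)\)\s*$"
)
SECTION_RE = re.compile(r"^(?P<name>New|Modified) Rules:\s*$")


def parse_update(text: str) -> List[RuleEntry]:
    """Parse the update text into RuleEntry records, tagged with their section."""
    entries: List[RuleEntry] = []
    section: Optional[str] = None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name").lower()
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # date line, format description, blank lines
        if section is None:
            raise ValueError(f"rule entry before any section header: {line!r}")
        entries.append(RuleEntry(
            section=section,
            gid=int(m.group("gid")),
            sid=int(m.group("sid")),
            enabled=(m.group("state") == "ENABLED"),
            message=m.group("msg"),
            rule_file=m.group("file"),
        ))
    return entries


def disabled_by_default(entries: List[RuleEntry]) -> List[Tuple[int, int]]:
    """(gid, sid) pairs that ship DISABLED: they never fire unless enabled locally."""
    return sorted((e.gid, e.sid) for e in entries if not e.enabled)


def count_by_rule_file(entries: List[RuleEntry], section: Optional[str] = None) -> Counter:
    """How many entries touch each rule group file, optionally for one section only."""
    return Counter(e.rule_file for e in entries
                   if section is None or e.section == section)


def enablesid_lines(entries: List[RuleEntry]) -> List[str]:
    """gid:sid lines for the disabled entries, the form PulledPork's enablesid.conf
    accepts, so a review of this update can be turned into a local override."""
    return [f"{gid}:{sid}" for gid, sid in disabled_by_default(entries)]


if __name__ == "__main__":
    parsed = parse_update(SAMPLE_UPDATE)
    print(f"{len(parsed)} entries; new per file: {dict(count_by_rule_file(parsed, 'new'))}")
    for line in enablesid_lines(parsed):
        print("shipped disabled, review before enabling:", line)
```

The practical check this supports: a rule listed under New Rules with a DISABLED default state (1:19293 in this update) adds no coverage on its own; decide per sensor whether to enable it, since disabled defaults usually reflect a performance or false-positive trade-off rather than a lack of relevance.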

New Rules:

 * 1:19268 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over smb (policy.rules)
 * 1:19269 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over smtp (policy.rules)
 * 1:19270 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over smtp (policy.rules)
 * 1:19271 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over smtp (policy.rules)
 * 1:19272 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over smtp (policy.rules)
 * 1:19273 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over smtp (policy.rules)
 * 1:19274 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over smtp (policy.rules)
 * 1:19275 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over pop3 (policy.rules)
 * 1:19276 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over pop3 (policy.rules)
 * 1:19277 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over pop3 (policy.rules)
 * 1:19278 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over pop3 (policy.rules)
 * 1:19279 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over pop3 (policy.rules)
 * 1:19280 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over pop3 (policy.rules)
 * 1:19281 <-> ENABLED <-> SHELLCODE x86 OS agnostic single-byte xor countdown encoder (shellcode.rules)
 * 1:19282 <-> ENABLED <-> SHELLCODE x86 OS agnostic cpuid-based context keyed encoder (shellcode.rules)
 * 1:19283 <-> ENABLED <-> SHELLCODE x86 OS agnostic stat-based context keyed encoder (shellcode.rules)
 * 1:19284 <-> ENABLED <-> SHELLCODE x86 OS agnostic time-based context keyed encoder (shellcode.rules)
 * 1:19285 <-> ENABLED <-> SHELLCODE x86 OS agnostic non-alpha/non-upper encoder (shellcode.rules)
 * 1:19286 <-> ENABLED <-> SHELLCODE x86 OS agnostic unicode uppercase encoder (shellcode.rules)
 * 1:19287 <-> ENABLED <-> SHELLCODE x86 OS agnostic unicode mixed encoder (shellcode.rules)
 * 1:19288 <-> ENABLED <-> SHELLCODE x86 OS agnostic unicode tolower encoder (shellcode.rules)
 * 1:19289 <-> ENABLED <-> WEB-CLIENT Microsoft MHTML XSS attempt (web-client.rules)
 * 1:19290 <-> ENABLED <-> NETBIOS Microsoft LNK shortcut download attempt (netbios.rules)
 * 1:19291 <-> ENABLED <-> NETBIOS Microsoft LNK shortcut download attempt (netbios.rules)
 * 1:19292 <-> ENABLED <-> SPECIFIC-THREATS Firefox appendChild use-after-free attempt (specific-threats.rules)
 * 1:19293 <-> DISABLED <-> SPECIFIC-THREATS Adobe Flash Player memory corruption attempt (specific-threats.rules)

Modified Rules:
 * 1:15727 <-> ENABLED <-> POLICY attempted download of a PDF with embedded Flash over http (policy.rules)
 * 1:17042 <-> ENABLED <-> WEB-CLIENT Microsoft LNK shortcut download attempt (web-client.rules)
 * 1:18335 <-> ENABLED <-> WEB-CLIENT Microsoft MHTML XSS attempt (web-client.rules)
 * 1:18764 <-> ENABLED <-> WEB-CGI HP OpenView Network Node Manager nnmRptConfig.exe multiple parameters buffer overflow attempt (web-cgi.rules)
 * 1:19081 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer CSS style memory corruption attempt (specific-threats.rules)
 * 1:19257 <-> ENABLED <-> WEB-CLIENT Adobe Flash ActionScript float index memory corruption (web-client.rules)
 * 1:19262 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash ActionScript float index array memory corruption (specific-threats.rules)
 * 1:19263 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash ActionScript float index array memory corruption (specific-threats.rules)
 * 1:19264 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash ActionScript float index array memory corruption (specific-threats.rules)