Sourcefire VRT Rules Update

Date: 2011-07-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.4.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:19459 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Word sprmCMajority record buffer overflow attempt (specific-threats.rules)
 * 1:19457 <-> DISABLED <-> SPYWARE-PUT Trojan-Clicker.Win32.Vesloruki.ajb runtime detection (spyware-put.rules)
 * 1:19456 <-> DISABLED <-> BACKDOOR Packed.Win32.Klone.bj runtime detection (backdoor.rules)
 * 1:19454 <-> DISABLED <-> SPYWARE-PUT Trojan.PWS.Win32.QQPass.IK runtime detection (spyware-put.rules)
 * 1:19453 <-> DISABLED <-> SPYWARE-PUT Sus.BancDI-B trojan runtime detection (spyware-put.rules)
 * 1:19458 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Word sprmCMajority record buffer overflow attempt (specific-threats.rules)
 * 1:19460 <-> ENABLED <-> WEB-CLIENT Microsoft CSRSS multiple consoles on a single process attempt (web-client.rules)
 * 1:19461 <-> ENABLED <-> WEB-CLIENT Microsoft CSRSS NULL Fontface pointer attempt (web-client.rules)
 * 1:19462 <-> ENABLED <-> WEB-CLIENT Microsoft CSRSS negative array index code execution attempt (web-client.rules)
 * 1:19463 <-> ENABLED <-> WEB-CLIENT Microsoft CSRSS double free attempt (web-client.rules)
 * 1:19464 <-> ENABLED <-> SPECIFIC-THREATS Microsoft CSRSS integer overflow attempt (specific-threats.rules)
 * 1:19465 <-> ENABLED <-> NETBIOS Visio mfc71enu.dll dll-load exploit attempt (netbios.rules)
 * 1:19466 <-> ENABLED <-> WEB-CLIENT Visio mfc71enu.dll dll-load exploit attempt (web-client.rules)
 * 1:19467 <-> ENABLED <-> SPECIFIC-THREATS Microsoft CSRSS NULL Fontface pointer attempt (specific-threats.rules)
 * 1:19468 <-> ENABLED <-> SPECIFIC-THREATS Microsoft stale data code execution attempt (specific-threats.rules)
 * 1:19469 <-> ENABLED <-> SPECIFIC-THREATS Microsoft invalid message kernel-mode memory disclosure attempt (specific-threats.rules)
 * 1:19455 <-> DISABLED <-> SPYWARE-PUT Worm.Win32.AutoRun.aw runtime detection (spyware-put.rules)
 * 1:19475 <-> ENABLED <-> POLICY proxycgi proxy connection detected (policy.rules)
 * 1:19472 <-> ENABLED <-> POLICY proxytunnel proxy connection detected (policy.rules)
 * 1:19474 <-> ENABLED <-> POLICY hamachi VPN outbound traffic detected (policy.rules)
 * 1:19473 <-> ENABLED <-> POLICY stunnel proxy connection detected (policy.rules)
 * 1:19471 <-> ENABLED <-> POLICY dnstunnel v0.5 outbound traffic detected (policy.rules)
 * 1:19470 <-> ENABLED <-> BLACKLIST DNS request for known malware domain antispydot.com - Win32/Cybot.B (blacklist.rules)

Modified Rules:
 * 1:19199 <-> ENABLED <-> NETBIOS Smb2Create_Finalize malformed EndOfFile field exploit attempt (netbios.rules)
 * 1:18247 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious User-Agent ErrCode - W32/Fujacks.htm (blacklist.rules)
 * 1:18938 <-> DISABLED <-> BOTNET-CNC URI request for known malicious URI - ZBot (botnet-cnc.rules)
 * 3:18451 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat ICC color integer overflow attempt (specific-threats.rules)