Sourcefire VRT Rules Update

Date: 2011-08-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.4.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:19663 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tinaivanovic.sexy-serbian-girls.info (blacklist.rules)
 * 1:19664 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smellypussy.info (blacklist.rules)
 * 1:19665 <-> ENABLED <-> EXPLOIT Remote Desktop web access cross-site scripting attempt (exploit.rules)
 * 1:19666 <-> ENABLED <-> WEB-CLIENT Internet Explorer multi-window access memory corruption attempt (web-client.rules)
 * 1:19667 <-> ENABLED <-> SPECIFIC-THREATS Internet Explorer cross-domain scripting attack (specific-threats.rules)
 * 1:19668 <-> ENABLED <-> NETBIOS Internet Explorer telnet.exe file load exploit attempt (netbios.rules)
 * 1:19669 <-> ENABLED <-> WEB-CLIENT Telnet protocol specifier in web page attempt (web-client.rules)
 * 1:19670 <-> ENABLED <-> WEB-CLIENT Internet Explorer telnet.exe file load exploit attempt (web-client.rules)
 * 1:19671 <-> ENABLED <-> WEB-CLIENT Internet Explorer XSL refreshing memory corruption attempt (web-client.rules)
 * 1:19672 <-> ENABLED <-> WEB-CLIENT Internet Explorer stylesheet dynamic access memory corruption attempt (web-client.rules)
 * 1:19674 <-> ENABLED <-> WEB-CLIENT Microsoft Data Access Components bidlab.dll dll-load exploit attempt (web-client.rules)
 * 1:19673 <-> ENABLED <-> NETBIOS Microsoft Data Access Components bidlab.dll dll-load exploit attempt (netbios.rules)
 * 1:19675 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Visio invalid UMLString data length exploit attempt (specific-threats.rules)
 * 1:19676 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Visio invalid UMLDTOptions object exploit attempt (specific-threats.rules)
 * 1:19677 <-> ENABLED <-> DNS Microsoft DNS NAPTR remote unauthenticated code execution vulnerability (dns.rules)
 * 1:19678 <-> ENABLED <-> ICMP Microsoft remote unauthenticated DoS/bugcheck vulnerability (icmp.rules)
 * 1:19679 <-> ENABLED <-> WEB-CLIENT Windows NDISTAPI Driver code execution attempt (web-client.rules)
 * 1:19680 <-> ENABLED <-> WEB-CLIENT Microsoft Windows CSRSS SrvDeviceEvent exploit attempt (web-client.rules)
 * 1:19681 <-> ENABLED <-> WEB-CLIENT Microsoft Report Viewer reflect XSS attempt (web-client.rules)
 * 1:19682 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player ActionScript3 integer overflow attempt (web-client.rules)
 * 1:19683 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player ActionScript 3 buffer overflow attempt (web-client.rules)
 * 1:19684 <-> ENABLED <-> SPECIFIC-THREATS Adobe CFF font storage memory corruption attempt (specific-threats.rules)
 * 1:19685 <-> ENABLED <-> WEB-CLIENT Adobe Flash regular expression grouping depth buffer overflow attempt (web-client.rules)
 * 1:19686 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash uninitialized bitmap structure memory corruption attempt (specific-threats.rules)
 * 1:19662 <-> ENABLED <-> BLACKLIST DNS request for known malware domain keshmoney.biz (blacklist.rules)
 * 1:19694 <-> ENABLED <-> WEB-CGI Microsoft .NET Chart Control directory traversal attempt (web-cgi.rules)
 * 1:19693 <-> ENABLED <-> WEB-CLIENT Adobe Flash MP4 ref_frame allocated buffer overflow attempt (web-client.rules)
 * 1:19691 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Actionscript Filereference buffer overflow attempt (specific-threats.rules)
 * 1:19692 <-> ENABLED <-> WEB-CLIENT Adobe Flash cross-site request forgery attempt (web-client.rules)
 * 1:19689 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Actionscript dynamic calculation double-free attempt (specific-threats.rules)
 * 1:19690 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Actionscript duplicateDoorInputArguments stack overwrite (specific-threats.rules)
 * 1:19688 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Actionscript BitmapData buffer overflow attempt (specific-threats.rules)
 * 1:19687 <-> ENABLED <-> WEB-CLIENT Adobe Flash ActionStoreRegister instruction length invalidation attempt (web-client.rules)

Modified Rules:

 * 1:17410 <-> ENABLED <-> WEB-MISC Generic HyperLink buffer overflow attempt (web-misc.rules)
 * 1:15483 <-> ENABLED <-> WEB-MISC Adobe Shockwave Flash file request (web-misc.rules)
 * 1:15436 <-> ENABLED <-> EXPLOIT IBM Tivoli Storage Manager Express Backup counter heap corruption attempt (exploit.rules)
 * 1:18339 <-> DISABLED <-> DELETED BLACKLIST USER-AGENT known malicious user-agent string NSIS_Inetc (deleted.rules)
 * 1:19630 <-> DISABLED <-> DELETED BLACKLIST URI request for known malicious URI - /?epl= (deleted.rules)
 * 1:19634 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /a.gif?V= (blacklist.rules)