Sourcefire VRT Rules Update

Date: 2011-07-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:19452 <-> ENABLED <-> EXPLOIT Oracle VM server agent command injection (exploit.rules)
 * 1:19451 <-> ENABLED <-> EXPLOIT Oracle VM server agent command injection (exploit.rules)
 * 1:19450 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media encryption sample ID header RCE attempt (web-client.rules)
 * 1:19449 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media encryption sample ID header RCE attempt (web-client.rules)
 * 1:19448 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media pixel aspect ratio header RCE attempt (web-client.rules)
 * 1:19447 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media content type header RCE attempt (web-client.rules)
 * 1:19446 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media file name header RCE attempt (web-client.rules)
 * 1:19445 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media Timecode header RCE attempt (web-client.rules)
 * 1:19444 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media sample duration header RCE attempt (web-client.rules)
 * 1:19443 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office embedded Office Art drawings execution attempt (specific-threats.rules)
 * 1:19442 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office embedded Office Art drawings execution attempt (specific-threats.rules)
 * 1:19441 <-> ENABLED <-> WEB-MISC Oracle Virtual Server Agent command injection attempt (web-misc.rules)
 * 1:19440 <-> ENABLED <-> SQL 1 = 0 - possible sql injection attempt (sql.rules)
 * 1:19439 <-> ENABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
 * 1:19438 <-> ENABLED <-> SQL url ending in comment characters - possible sql injection attempt (sql.rules)
 * 1:19437 <-> ENABLED <-> SQL select concat statement - possible sql injection obfuscation (sql.rules)
 * 1:19436 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt (web-client.rules)
 * 1:19435 <-> ENABLED <-> BACKDOOR Win32.Litmus.203 outbound connection (backdoor.rules)
 * 1:19434 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string ErrCode (blacklist.rules)
 * 1:19433 <-> DISABLED <-> BACKDOOR W32.Fujacks.aw outbound connection (backdoor.rules)
 * 1:19432 <-> ENABLED <-> WEB-CLIENT Nullsoft Winamp MIDI Timestamp buffer overflow attempt (web-client.rules)
 * 1:19431 <-> ENABLED <-> WEB-CLIENT Nullsoft Winamp MIDI Timestamp buffer overflow attempt (web-client.rules)
 * 1:19430 <-> ENABLED <-> WEB-CLIENT Midi file download request (web-client.rules)
 * 1:19429 <-> ENABLED <-> BACKDOOR Trojan Proxy Win32.Dosenjo.C Runtime Detection (backdoor.rules)
 * 1:19428 <-> DISABLED <-> BACKDOOR Trojan Downloader Win32.Adload.BG outbound connection (backdoor.rules)
 * 1:19427 <-> DISABLED <-> BACKDOOR Win32.Agent.amjz outbound connection (backdoor.rules)
 * 1:19426 <-> DISABLED <-> BACKDOOR Trojan Downloader Win32.Crypter.i outbound connection (backdoor.rules)
 * 1:19425 <-> ENABLED <-> WEB-CLIENT mks file download attempt (web-client.rules)
 * 1:19424 <-> ENABLED <-> WEB-CLIENT mka file download attempt (web-client.rules)
 * 1:19423 <-> ENABLED <-> WEB-CLIENT mkv file download attempt (web-client.rules)
 * 1:19422 <-> ENABLED <-> WEB-CLIENT matroska file magic detection (web-client.rules)
 * 1:19421 <-> ENABLED <-> SPECIFIC-THREATS VideoLAN VLC Media Player Subtitle StripTags Heap Buffer Overflow (specific-threats.rules)
 * 1:19420 <-> ENABLED <-> SPECIFIC-THREATS VideoLAN VLC Media Player Subtitle StripTags Heap Buffer Overflow (specific-threats.rules)
 * 1:19419 <-> DISABLED <-> WEB-CLIENT iOS 4.3.3 jailbreak for iPod download attempt (web-client.rules)
 * 1:19418 <-> DISABLED <-> WEB-CLIENT iOS 4.3.3 jailbreak for iPhone download attempt (web-client.rules)
 * 1:19417 <-> DISABLED <-> WEB-CLIENT iOS 4.3.3 jailbreak for iPad download attempt (web-client.rules)
 * 1:19416 <-> DISABLED <-> WEB-CLIENT iOS 4.3.3 jailbreak for iPad download attempt (web-client.rules)
 * 1:19415 <-> ENABLED <-> BACKDOOR vsFTPd 2.3.4 backdoor connection attempt (backdoor.rules)
 * 1:19414 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Publisher 2007 and earlier stack buffer overflow attempt (specific-threats.rules)
 * 1:19413 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Publisher 2007 and earlier stack buffer overflow attempt (specific-threats.rules)
 * 1:19412 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel RealTimeData record parsing memory corruption (specific-threats.rules)
 * 3:16663 <-> ENABLED <-> WEB-CLIENT Windows Media Player JPG header record mismatch memory corruption attempt (web-client.rules)

Modified Rules:

 * 1:13990 <-> ENABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:18464 <-> ENABLED <-> WEB-CGI Adobe ColdFusion locale directory traversal attempt (web-cgi.rules)
 * 1:17241 <-> ENABLED <-> WEB-CLIENT Microsoft wmv file download request (web-client.rules)
 * 1:18659 <-> DISABLED <-> SCADA RealWin 2.1 SCPC_INITIALIZE overflow attempt (scada.rules)
 * 3:16542 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Publisher 2007 and earlier stack buffer overflow attempt (specific-threats.rules)
 * 3:18218 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer time element memory corruption attempt (specific-threats.rules)