Sourcefire VRT Rules Update

Date: 2011-08-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:19714 <-> ENABLED <-> SPECIFIC-THREATS Mozilla Array.reduceRight integer overflow (specific-threats.rules)
 * 1:19713 <-> ENABLED <-> SPECIFIC-THREATS Mozilla Array.reduceRight integer overflow (specific-threats.rules)
 * 1:19712 <-> ENABLED <-> BOTNET-CNC Trojan Downloader W32.Genome.gen outbound connection (botnet-cnc.rules)
 * 1:19711 <-> ENABLED <-> BOTNET-CNC Trojan.Jorik contact to server attempt (botnet-cnc.rules)
 * 1:19710 <-> ENABLED <-> WEB-CLIENT Google Chrome float rendering corruption attempt (web-client.rules)
 * 1:19709 <-> ENABLED <-> DOS Apache APR apr_fnmatch infinite loop denial of service attempt (dos.rules)
 * 1:19708 <-> ENABLED <-> SMTP Postfix SMTP Server SASL AUTH Handle Reuse Memory Corruption (smtp.rules)
 * 1:19707 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Word Converter sprmTSplit overflow attempt (specific-threats.rules)
 * 1:19706 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Agent.cer outbound connection (botnet-cnc.rules)
 * 1:19705 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Agent.grdm outbound connection (botnet-cnc.rules)
 * 1:19704 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Agent.grdm outbound connection (botnet-cnc.rules)
 * 1:19703 <-> ENABLED <-> BOTNET-CNC Worm Win32.Dusta.br outbound connection (botnet-cnc.rules)
 * 1:19702 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Zboter.E outbound connection (botnet-cnc.rules)
 * 1:19701 <-> DISABLED <-> BOTNET-CNC Backdoor Win32.Hassar.A outbound connection (botnet-cnc.rules)
 * 1:19700 <-> DISABLED <-> BACKDOOR Backdoor.Win32.Agent.tnr Runtime Detection (backdoor.rules)
 * 1:19699 <-> DISABLED <-> SPYWARE-PUT TrojanDownloader.Win32.Korklic.A contact to server attempt (spyware-put.rules)
 * 1:19698 <-> DISABLED <-> SPYWARE-PUT Backdoor.Win32.Prosti.AG contact to server attempt (spyware-put.rules)
 * 1:19697 <-> DISABLED <-> BACKDOOR Trojan Spy.Win32.VB.btm outbound connection (backdoor.rules)
 * 1:19696 <-> DISABLED <-> BACKDOOR Win32.SdBot.nng inbound connection (backdoor.rules)
 * 1:19695 <-> DISABLED <-> BACKDOOR Trojan Downloader.Win32.VB.nec outbound connection (backdoor.rules)

Modified Rules:


 * 1:19683 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player ActionScript 3 buffer overflow attempt (web-client.rules)
 * 1:19666 <-> ENABLED <-> WEB-CLIENT Internet Explorer multi-window access memory corruption attempt (web-client.rules)
 * 1:19682 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player ActionScript 3 integer overflow attempt (web-client.rules)
 * 1:15483 <-> ENABLED <-> WEB-MISC Adobe Shockwave Flash file request (web-misc.rules)
 * 1:19177 <-> ENABLED <-> WEB-MISC cookiejacking attempt (web-misc.rules)
 * 1:19176 <-> ENABLED <-> WEB-MISC cookiejacking attempt (web-misc.rules)
 * 1:18767 <-> DISABLED <-> TFTP Multiple TFTP product buffer overflow attempt (tftp.rules)