Sourcefire VRT Rules Update

Date: 2011-09-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:20059 <-> DISABLED <-> SPECIFIC-THREATS Apple Quicktime PictureViewer GIF rendering vulnerability (specific-threats.rules)
 * 1:20060 <-> ENABLED <-> EXPLOIT CVS annotate command buffer overflow attempt (exploit.rules)
 * 1:20063 <-> DISABLED <-> SPYWARE-PUT SecurityTool outbound connection (spyware-put.rules)
 * 1:20061 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP ca-alert function 16,23,40, and 41 overflow attempt (netbios.rules)
 * 1:20062 <-> DISABLED <-> EXPLOIT Microsoft Office Excel File Importing Code Execution (exploit.rules)
 * 1:20080 <-> DISABLED <-> BACKDOOR Win32.Derusbi.A outbound connection (backdoor.rules)
 * 1:20079 <-> DISABLED <-> BACKDOOR Win32.Russkill.C outbound connection (backdoor.rules)
 * 1:20078 <-> DISABLED <-> BACKDOOR Win32.Russkill.C outbound connection (backdoor.rules)
 * 1:20077 <-> DISABLED <-> BACKDOOR Win32.Agobot.ast outbound connection (backdoor.rules)
 * 1:20076 <-> DISABLED <-> BACKDOOR Win32.Agobot.ast outbound connection (backdoor.rules)
 * 1:20075 <-> DISABLED <-> BACKDOOR Win32.Ruskill.abl outbound connection (backdoor.rules)
 * 1:20074 <-> DISABLED <-> BACKDOOR Win32.IRCBot.iseee outbound connection (backdoor.rules)
 * 1:20073 <-> ENABLED <-> SPECIFIC-THREATS Microsoft ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:20072 <-> ENABLED <-> WEB-CLIENT Mozilla Firefox nsTreeRange Use After Free attempt (web-client.rules)
 * 1:20071 <-> ENABLED <-> WEB-ACTIVEX WMIScriptUtils.WMIObjectBroker2.1 ActiveX CLSID access (web-activex.rules)
 * 1:20064 <-> ENABLED <-> BOTNET-CNC Malware Trojan.Win32.Clemag.A contact to server attempt (botnet-cnc.rules)
 * 1:20065 <-> ENABLED <-> BOTNET-CNC Trojan Win32 SensLiceld.A runtime traffic detected (botnet-cnc.rules)
 * 1:20066 <-> ENABLED <-> BOTNET-CNC Trojan Win32 SensLiceld.A runtime traffic detected (botnet-cnc.rules)
 * 1:20067 <-> ENABLED <-> BOTNET-CNC Trojan Win32 Zatvex.A runtime traffic detected (botnet-cnc.rules)
 * 1:20068 <-> ENABLED <-> BOTNET-CNC Trojan Jetilms.A runtime activity detected (botnet-cnc.rules)
 * 1:20069 <-> ENABLED <-> BOTNET-CNC Trojan VB.alhq runtime traffic detected (botnet-cnc.rules)
 * 1:20070 <-> ENABLED <-> WEB-CLIENT BIN file download request (web-client.rules)
 * 1:20041 <-> DISABLED <-> SPYWARE-PUT Adware.BB outbound connection (spyware-put.rules)
 * 1:20042 <-> ENABLED <-> BOTNET-CNC Trojan Sinowal outbond connection (botnet-cnc.rules)
 * 1:20043 <-> ENABLED <-> BOTNET-CNC Adware Kraddare.AZ outbound connection (botnet-cnc.rules)
 * 1:20044 <-> ENABLED <-> WEB-ACTIVEX F-Secure Anti-Virus fsresh.dll clsid access (web-activex.rules)
 * 1:20045 <-> DISABLED <-> SQL PHPSESSID SQL injection attempt (sql.rules)
 * 1:20046 <-> DISABLED <-> SQL PHPSESSID SQL injection attempt (sql.rules)
 * 1:20047 <-> DISABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
 * 1:20048 <-> DISABLED <-> EXPLOIT Trend Micro Control Manager CasLogDirectInsertHandler.cs cross site request forgery attempt (exploit.rules)
 * 1:20049 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel SLK file excessive Picture records exploit attempt (specific-threats.rules)
 * 1:20050 <-> DISABLED <-> SPECIFIC-THREATS Adobe Flash Player memory consumption vulnerability (specific-threats.rules)
 * 1:20051 <-> DISABLED <-> SPECIFIC-THREATS SAP MaxDB malformed handshake request buffer overflow attempt (specific-threats.rules)
 * 1:20052 <-> DISABLED <-> SCADA IntelliCom NetBiter config utility hostname overflow attempt (scada.rules)
 * 1:20053 <-> DISABLED <-> SPECIFIC-THREATS MySQL Database SELECT subquery denial of service attempt (specific-threats.rules)
 * 1:20054 <-> DISABLED <-> DOS HP OpenView Network Node Manager Denial of Service (dos.rules)
 * 1:20055 <-> DISABLED <-> SPECIFIC-THREATS Sun Java runtime JPEGImageReader overflow attempt (specific-threats.rules)
 * 1:20056 <-> DISABLED <-> WEB-MISC Sun Java class file request (web-misc.rules)
 * 1:20057 <-> DISABLED <-> BOTNET-CNC BitCoin Miner IP query (botnet-cnc.rules)
 * 1:20058 <-> ENABLED <-> EXPLOIT VMWare authorization service user credential parsing DoS attempt (exploit.rules)
 * 1:20081 <-> ENABLED <-> BOTNET-CNC Trojan Downloader.Win32.Yakes.cbi outbound connection (botnet-cnc.rules)
 * 1:20082 <-> DISABLED <-> BACKDOOR Win32.Inject.raw outbound connection (backdoor.rules)
 * 1:20083 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Fucobha.A outbound connection (botnet-cnc.rules)
 * 1:20084 <-> DISABLED <-> SPECIFIC-THREATS ALTAP Salamander PE Viewer PDB Filename Buffer Overflow (specific-threats.rules)
 * 1:20085 <-> DISABLED <-> BACKDOOR Win32.Veebuu.BX outbound connection (backdoor.rules)
 * 1:20086 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Banload.ABY outbound connection (botnet-cnc.rules)
 * 1:20087 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Banker.FGU outbound connection (botnet-cnc.rules)
 * 1:20088 <-> DISABLED <-> BACKDOOR Win32.Emudbot.A outbound connection (backdoor.rules)
 * 1:20089 <-> DISABLED <-> POLICY IRC nick change on non-standard port (policy.rules)
 * 1:20090 <-> DISABLED <-> POLICY IRC DCC file transfer request on non-standard port (policy.rules)
 * 1:20091 <-> DISABLED <-> POLICY IRC DCC chat request on non-standard port (policy.rules)
 * 1:20093 <-> DISABLED <-> POLICY IRC channel notice on non-standard port (policy.rules)
 * 1:20092 <-> DISABLED <-> POLICY IRC channel join on non-standard port (policy.rules)
 * 1:20094 <-> DISABLED <-> POLICY IRC message on non-standard port (policy.rules)
 * 1:20095 <-> DISABLED <-> POLICY IRC dns request on non-standard port (policy.rules)
 * 1:20096 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Agent.dcir outbound connection (botnet-cnc.rules)
 * 1:20097 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Agent.dcir infected host at destination ip (botnet-cnc.rules)
 * 1:20098 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.KeyLogger.wav outbound connection (botnet-cnc.rules)
 * 1:20099 <-> DISABLED <-> BACKDOOR Win32.Xtrat.A outbound connection (backdoor.rules)
 * 1:20100 <-> DISABLED <-> SPYWARE-PUT Adware Arcade Web - installation/update (spyware-put.rules)
 * 1:20101 <-> DISABLED <-> SPYWARE-PUT Adware Arcade Web - User-Agent (spyware-put.rules)
 * 1:20102 <-> DISABLED <-> SPYWARE-PUT Adware Arcade Web - X-Arcadeweb header (spyware-put.rules)
 * 1:20103 <-> DISABLED <-> SPYWARE-PUT Adware playsushi - User-Agent (spyware-put.rules)
 * 1:20104 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string InfoBot (blacklist.rules)
 * 1:20105 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string IPHONE (blacklist.rules)
 * 1:20106 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string darkness (blacklist.rules)
 * 1:20107 <-> ENABLED <-> BOTNET-CNC Trojan Downloader.Win32.Small.Cns outbound connection (botnet-cnc.rules)
 * 1:20108 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Banker.Pher outbound connection (botnet-cnc.rules)
 * 1:20109 <-> DISABLED <-> BACKDOOR Win32.Zombie.sm outbound connection (backdoor.rules)
 * 1:20110 <-> ENABLED <-> EXPLOIT Winamp Ultravox streaming malicious metadata (exploit.rules)
 * 1:20111 <-> ENABLED <-> EXPLOIT Microsoft Sharepoint XSS vulnerability attempt (exploit.rules)
 * 1:20112 <-> ENABLED <-> EXPLOIT Microsoft Sharepoint XSS vulnerability attempt (exploit.rules)
 * 1:20113 <-> ENABLED <-> EXPLOIT MIcrosoft Sharepoint XSS vulnerability attempt (exploit.rules)
 * 1:20114 <-> ENABLED <-> EXPLOIT Microsoft SharePoint hiddenSpanData cross site scripting attempt (exploit.rules)
 * 1:20115 <-> ENABLED <-> EXPLOIT Microsoft Sharepoint XML external entity exploit attempt (exploit.rules)
 * 1:20116 <-> ENABLED <-> EXPLOIT Microsoft Sharepoint Javascript XSS attempt (exploit.rules)
 * 1:20118 <-> ENABLED <-> NETBIOS Windows shell extensions deskpan.dll dll-load exploit attempt (netbios.rules)
 * 1:20117 <-> ENABLED <-> EXPLOIT Microsoft SharePoint XSS (exploit.rules)
 * 1:20130 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel MergeCells record parsing code execution attempt (specific-threats.rules)
 * 1:20129 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office BpscBulletProof uninitialized pointer dereference attempt (specific-threats.rules)
 * 1:20128 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office invalid MS-OGRAPH DataFormat record (specific-threats.rules)
 * 1:20127 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel Conditional Formatting record vulnerability (specific-threats.rules)
 * 1:20126 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel invalid Lbl record (specific-threats.rules)
 * 1:20125 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel invalid Lbl record (specific-threats.rules)
 * 1:20124 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel invalid Lbl record (specific-threats.rules)
 * 1:20123 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel invalid ShrFmla record (specific-threats.rules)
 * 1:20122 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel invalid AxisParent record (specific-threats.rules)
 * 1:20121 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel invalid AxisParent record (specific-threats.rules)
 * 1:20120 <-> ENABLED <-> BAD-TRAFFIC WINS internal communications on network exploit attempt (bad-traffic.rules)
 * 1:20119 <-> ENABLED <-> WEB-CLIENT Windows shell extensions deskpan.dll dll-load exploit attempt (web-client.rules)

Modified Rules:
 * 1:10063 <-> ENABLED <-> WEB-CLIENT Firefox query interface suspicious function call access attempt (web-client.rules)
 * 1:12382 <-> DISABLED <-> WEB-ACTIVEX EasyMail Objects ActiveX clsid access (web-activex.rules)
 * 1:12384 <-> DISABLED <-> WEB-ACTIVEX Yahoo Messenger YVerInfo ActiveX clsid access (web-activex.rules)
 * 1:12386 <-> DISABLED <-> WEB-ACTIVEX Yahoo Messenger YVerInfo ActiveX function call access (web-activex.rules)
 * 1:13232 <-> DISABLED <-> WEB-ACTIVEX Persits Software XUpload ActiveX clsid access (web-activex.rules)
 * 1:13419 <-> ENABLED <-> WEB-ACTIVEX Facebook Photo Uploader ActiveX clsid access (web-activex.rules)
 * 1:13520 <-> ENABLED <-> EXPLOIT Winamp Ultravox streaming malicious metadata (exploit.rules)
 * 1:15697 <-> DISABLED <-> WEB-CLIENT Generic javascript obfuscation attempt (web-client.rules)
 * 1:15866 <-> DISABLED <-> WEB-CLIENT libxml2 file processing long entity overflow attempt (web-client.rules)
 * 1:16359 <-> ENABLED <-> WEB-CLIENT Adobe Illustrator DSC comment overflow attempt (web-client.rules)
 * 1:16574 <-> ENABLED <-> WEB-ACTIVEX obfuscated ActiveX object instantiation via fromCharCode (web-activex.rules)
 * 1:16581 <-> DISABLED <-> SPECIFIC-THREATS Persits Software XUpload ActiveX clsid unsafe function access attempt (specific-threats.rules)
 * 1:16587 <-> DISABLED <-> SPECIFIC-THREATS Symantec multiple products AeXNSConsoleUtilities buffer overflow attempt (specific-threats.rules)
 * 1:16590 <-> ENABLED <-> SPECIFIC-THREATS EasyMail Objects ActiveX exploit attempt - 1 (specific-threats.rules)
 * 1:16591 <-> ENABLED <-> SPECIFIC-THREATS EasyMail Objects ActiveX exploit attempt - 2 (specific-threats.rules)
 * 1:16690 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer createTextRange code execution attempt (specific-threats.rules)
 * 1:16783 <-> ENABLED <-> WEB-ACTIVEX Autodesk iDrop ActiveX clsid access (web-activex.rules)
 * 1:16784 <-> ENABLED <-> WEB-ACTIVEX Autodesk iDrop ActiveX function call access (web-activex.rules)
 * 1:16787 <-> ENABLED <-> SPECIFIC-THREATS Symantec multiple products AeXNSConsoleUtilities RunCMD buffer overflow attempt (specific-threats.rules)
 * 1:17051 <-> DISABLED <-> WEB-ACTIVEX Symantec AppStream Client LaunchObj ActiveX clsid access (web-activex.rules)
 * 1:17052 <-> DISABLED <-> WEB-ACTIVEX Symantec AppStream Client LaunchObj ActiveX clsid unicode access (web-activex.rules)
 * 1:17053 <-> DISABLED <-> WEB-ACTIVEX Symantec AppStream Client LaunchObj ActiveX function call access (web-activex.rules)
 * 1:17054 <-> DISABLED <-> WEB-ACTIVEX Symantec AppStream Client LaunchObj ActiveX function call unicode access (web-activex.rules)
 * 1:17063 <-> ENABLED <-> WEB-ACTIVEX Logitech Video Call 1 ActiveX clsid access (web-activex.rules)
 * 1:17065 <-> ENABLED <-> WEB-ACTIVEX Logitech Video Call 2 ActiveX clsid access (web-activex.rules)
 * 1:17067 <-> ENABLED <-> WEB-ACTIVEX Logitech Video Call 3 ActiveX clsid access (web-activex.rules)
 * 1:17069 <-> ENABLED <-> WEB-ACTIVEX Logitech Video Call 4 ActiveX clsid access (web-activex.rules)
 * 1:17071 <-> ENABLED <-> WEB-ACTIVEX Logitech Video Call 5 ActiveX clsid access (web-activex.rules)
 * 1:17073 <-> ENABLED <-> WEB-ACTIVEX Ask Toolbar AskJeevesToolBar.SettingsPlugin ActiveX clsid access (web-activex.rules)
 * 1:17075 <-> ENABLED <-> WEB-ACTIVEX Ask Toolbar AskJeevesToolBar.SettingsPlugin ActiveX function call access (web-activex.rules)
 * 1:17077 <-> ENABLED <-> SPECIFIC-THREATS Ask Toolbar AskJeevesToolBar.SettingsPlugin.1 ActiveX control buffer overflow attempt (specific-threats.rules)
 * 1:17746 <-> ENABLED <-> NETBIOS SMB client TRANS response Find_First2 filesize overflow attempt (netbios.rules)
 * 1:18331 <-> ENABLED <-> WEB-CLIENT Microsoft Office Visio DXF variable name overflow attempt (web-client.rules)
 * 1:18803 <-> ENABLED <-> WEB-MISC Oracle Java Runtime CMM readMabCurveData buffer overflow attempt (web-misc.rules)
 * 1:19304 <-> DISABLED <-> WEB-ACTIVEX Oracle EasyMail ActiveX clsid access (web-activex.rules)
 * 1:19972 <-> ENABLED <-> NETBIOS SMB client TRANS response paramcount overflow attempt (netbios.rules)
 * 1:2437 <-> ENABLED <-> WEB-CLIENT RealPlayer arbitrary javascript commnad attempt (web-client.rules)
 * 1:7024 <-> ENABLED <-> WEB-CLIENT excel style handling overflow attempt (web-client.rules)
 * 1:8727 <-> DISABLED <-> WEB-ACTIVEX XMLHTTP 4.0 ActiveX clsid access (web-activex.rules)
 * 1:9816 <-> DISABLED <-> WEB-ACTIVEX ICQPhone.SipxPhoneManager ActiveX function call access (web-activex.rules)
 * 3:18494 <-> ENABLED <-> NETBIOS Microsoft product .dll dll-load exploit attempt (netbios.rules)
 * 3:18495 <-> ENABLED <-> WEB-CLIENT Microsoft product .dll dll-load exploit attempt (web-client.rules)