Sourcefire VRT Rules Update

Date: 2011-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
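As an added example (editor's code, not part of the VRT notice or the Sourcefire rule pack), a small Python parser for the entry format above, run over a constructed excerpt of this notice. The `review_queue` helper and its selection criteria (rules moved to `deleted.rules`, new rules that ship DISABLED, gid 3 shared-object rules) are this editor's assumptions about what an operator checks after a pack update, not anything the notice prescribes.

```python
import re
from collections import Counter

# One entry of the update notice:
#   " * gid:sid <-> STATE <-> Message (rules-file)"
# The leading " * " bullet is optional so the unbulleted form parses too.
ENTRY_RE = re.compile(
    r"^\s*(?:\*\s*)?(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<rulefile>[\w.-]+\.rules)\)\s*$"
)

# Constructed sample in the notice's own format (an excerpt, not the full list).
SAMPLE = """\
New Rules:

 * 1:20132 <-> DISABLED <-> DOS SMB2 zero length write attempt (dos.rules)
 * 1:20133 <-> ENABLED <-> WEB-CLIENT Microsoft MHTML XSS attempt (web-client.rules)
 * 1:20161 <-> DISABLED <-> DELETED WEB-CLIENT attempt (deleted.rules)
 * 3:20135 <-> ENABLED <-> EXPLOIT HP OpenView Storage Data Protector buffer overflow attempt (exploit.rules)

Modified Rules:

 * 1:7202 <-> ENABLED <-> WEB-CLIENT Microsoft Word document summary information string overflow attempt (web-client.rules)
 * 1:3149 <-> DISABLED <-> WEB-CLIENT object type overflow attempt (web-client.rules)
"""


def parse_update(text):
    """Return one dict per rule entry, tagged with the section
    ('New Rules' / 'Modified Rules') it appeared under."""
    entries = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("Rules:"):
            section = stripped[:-1]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank lines and header prose
        msg = m.group("msg")
        # The message's first token is the classification prefix (WEB-CLIENT, DOS, ...).
        classification = msg.split(" ", 1)[0]
        entries.append({
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "state": m.group("state"),
            "classification": classification,
            "msg": msg,
            "rulefile": m.group("rulefile"),
            "section": section,
        })
    return entries


def review_queue(entries):
    """Split parsed entries into three lists worth a look after a pack update
    (editor's assumption about what to review, not VRT guidance):
    - rules moved to deleted.rules: local tuning that references them is now dead
    - new rules shipping DISABLED: they never fire unless enabled locally
    - gid 3 entries: shared-object rules, which need the SO rule pack installed
    """
    deleted = [e for e in entries if e["rulefile"] == "deleted.rules"]
    new_disabled = [e for e in entries
                    if e["section"] == "New Rules" and e["state"] == "DISABLED"
                    and e["rulefile"] != "deleted.rules"]
    so_rules = [e for e in entries if e["gid"] == 3]
    return {"deleted": deleted, "new_disabled": new_disabled, "so_rules": so_rules}


def sid_line(e):
    """Format an entry as the 'gid:sid' token used in Snort sid tuning files."""
    return f"{e['gid']}:{e['sid']}"


def count_by_rulefile(entries):
    """How many entries touch each rules file."""
    return Counter(e["rulefile"] for e in entries)


if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    q = review_queue(parsed)
    print("moved to deleted.rules:", [sid_line(e) for e in q["deleted"]])
    print("new but disabled:", [sid_line(e) for e in q["new_disabled"]])
    print("shared-object rules:", [sid_line(e) for e in q["so_rules"]])
    print(dict(count_by_rulefile(parsed)))
```

Feed the full notice text to `parse_update` to get the same breakdown for this pack; the `gid:sid` tokens from `sid_line` drop straight into an enablesid/disablesid tuning file.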

New Rules:
 * 1:20170 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader embedded BMP parsing corruption attempt (specific-threats.rules)
 * 1:20171 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader embedded BMP parsing corruption attempt (specific-threats.rules)
 * 1:20131 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player ActionScript callMethod type confusion attempt (specific-threats.rules)
 * 1:20132 <-> DISABLED <-> DOS SMB2 zero length write attempt (dos.rules)
 * 1:20133 <-> ENABLED <-> WEB-CLIENT Microsoft MHTML XSS attempt (web-client.rules)
 * 1:20134 <-> ENABLED <-> EXPLOIT HP OpenView Storage Data Protector buffer overflow attempt (exploit.rules)
 * 1:20136 <-> DISABLED <-> POLICY Glype proxy usage detected (policy.rules)
 * 1:20137 <-> ENABLED <-> WEB-CLIENT Possible generic javascript heap spray attempt (web-client.rules)
 * 1:20138 <-> DISABLED <-> SPECIFIC-THREATS Nortel Networks Multiple UNIStim VoIP Products Remote Eavesdrop Attempt (specific-threats.rules)
 * 1:20139 <-> ENABLED <-> WEB-CLIENT Microsoft Word document summary information string overflow attempt (web-client.rules)
 * 1:20140 <-> ENABLED <-> WEB-CLIENT Microsoft Word document summary information string overflow attempt (web-client.rules)
 * 1:20141 <-> ENABLED <-> WEB-CLIENT Microsoft Word document summary information string overflow attempt (web-client.rules)
 * 1:20142 <-> DISABLED <-> SPECIFIC-THREATS Adobe Reader app.openDoc path vulnerability (specific-threats.rules)
 * 1:20143 <-> DISABLED <-> SPYWARE-PUT Adware mightymagoo/playpickle/livingplay - User-Agent (spyware-put.rules)
 * 1:20144 <-> DISABLED <-> WEB-CLIENT Adobe Acrobat embedded TIFF DotRange structure memory corruption attempt (web-client.rules)
 * 1:20145 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader embedded PICT parsing corruption attempt (specific-threats.rules)
 * 1:20146 <-> DISABLED <-> POLICY attempted download of a PDF with embedded PICT image (policy.rules)
 * 1:20147 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader embedded PICT parsing corruption attempt (specific-threats.rules)
 * 1:20148 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader embedded PICT parsing corruption attempt (specific-threats.rules)
 * 1:20149 <-> DISABLED <-> WEB-CLIENT Adobe Acrobat embedded IFF file RGBA chunk memory corruption attempt (web-client.rules)
 * 1:20150 <-> DISABLED <-> SPECIFIC-THREATS Adobe Reader embedded PCX parsing corruption attempt (specific-threats.rules)
 * 1:20151 <-> DISABLED <-> POLICY attempted download of a PDF with embedded PCX image (policy.rules)
 * 1:20152 <-> DISABLED <-> SPECIFIC-THREATS Adobe Acrobat GDI object leak memory corruption attempt (specific-threats.rules)
 * 1:20153 <-> DISABLED <-> SPECIFIC-THREATS Adobe Acrobat embedded JPEG file APP0 chunk memory corruption attempt (specific-threats.rules)
 * 1:20154 <-> DISABLED <-> SPECIFIC-THREATS Adobe Reader glyf directory table vulnerability (specific-threats.rules)
 * 1:20155 <-> DISABLED <-> SPECIFIC-THREATS Adobe Reader glyf composite vulnerability (specific-threats.rules)
 * 1:20156 <-> DISABLED <-> WEB-CLIENT Adobe Acrobat getCosObj file overwrite attempt (web-client.rules)
 * 1:20157 <-> ENABLED <-> POLICY Oracle Sun GlassFish Server war file upload attempt (policy.rules)
 * 1:20158 <-> ENABLED <-> WEB-MISC Oracle Sun GlassFish Server default credentials login attempt (web-misc.rules)
 * 1:20159 <-> ENABLED <-> WEB-MISC Oracle Sun GlassFish Server authentication bypass attempt (web-misc.rules)
 * 1:20160 <-> ENABLED <-> WEB-MISC Oracle Sun GlassFish Server successful authentication bypass attempt (web-misc.rules)
 * 1:20161 <-> DISABLED <-> DELETED WEB-CLIENT attempt (deleted.rules)
 * 1:20162 <-> ENABLED <-> WEB-CLIENT Adobe Reader sandbox disable attempt (web-client.rules)
 * 1:20163 <-> DISABLED <-> DELETED WEB-CLIENT Apple iTunes protocol handler stack buffer overflow attempt (deleted.rules)
 * 1:20164 <-> DISABLED <-> DELETED WEB-CLIENT Apple iTunes protocol handler stack buffer overflow attempt (deleted.rules)
 * 1:20165 <-> DISABLED <-> DELETED WEB-CLIENT Apple iTunes protocol handler stack buffer overflow attempt (deleted.rules)
 * 1:20166 <-> DISABLED <-> DELETED WEB-CLIENT Apple iTunes protocol handler stack buffer overflow attempt (deleted.rules)
 * 1:20167 <-> DISABLED <-> DELETED WEB-CLIENT Apple iTunes protocol handler stack buffer overflow attempt (deleted.rules)
 * 1:20168 <-> DISABLED <-> WEB-ACTIVEX ChemView SaveAsMolFile vulnerability ActiveX clsid access (web-activex.rules)
 * 1:20169 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader embedded BMP parsing corruption attempt (specific-threats.rules)
 * 3:20135 <-> ENABLED <-> EXPLOIT HP OpenView Storage Data Protector buffer overflow attempt (exploit.rules)

Modified Rules:
 * 1:7202 <-> ENABLED <-> WEB-CLIENT Microsoft Word document summary information string overflow attempt (web-client.rules)
 * 1:7201 <-> ENABLED <-> WEB-CLIENT Microsoft Word summary information null string overflow attempt (web-client.rules)
 * 1:7200 <-> ENABLED <-> WEB-CLIENT Microsoft Word document summary information null string overflow attempt (web-client.rules)
 * 1:7198 <-> ENABLED <-> WEB-CLIENT Excel MSO.DLL malformed string parsing multi byte buffer over attempt (web-client.rules)
 * 1:7197 <-> ENABLED <-> WEB-CLIENT Excel MSO.DLL malformed string parsing single byte buffer over attempt (web-client.rules)
 * 1:3149 <-> DISABLED <-> WEB-CLIENT object type overflow attempt (web-client.rules)
 * 1:2437 <-> ENABLED <-> WEB-CLIENT RealPlayer arbitrary javascript command attempt (web-client.rules)
 * 1:20105 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string IPHONE (blacklist.rules)
 * 1:20008 <-> DISABLED <-> BOTNET-CNC Malware Backdoor PDFMarca.A runtime traffic detected (botnet-cnc.rules)
 * 1:19932 <-> ENABLED <-> WEB-CLIENT Microsoft Office Publisher 2007 pointer dereference attempt (web-client.rules)
 * 1:17111 <-> ENABLED <-> WEB-CLIENT known JavaScript obfuscation routine (web-client.rules)
 * 1:7864 <-> ENABLED <-> WEB-ACTIVEX McSubMgr ActiveX CLSID access (web-activex.rules)
 * 1:17061 <-> DISABLED <-> WEB-ACTIVEX Symantec Norton Personal Firewall 2004 ActiveX clsid access (web-activex.rules)
 * 1:7203 <-> ENABLED <-> WEB-CLIENT Microsoft Word information string overflow attempt (web-client.rules)
 * 1:18335 <-> ENABLED <-> WEB-CLIENT Microsoft MHTML XSS attempt (web-client.rules)
 * 1:19237 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer contenteditable corruption attempt (web-client.rules)
 * 1:19289 <-> ENABLED <-> WEB-MISC MHTML file request (web-misc.rules)
 * 1:10131 <-> DISABLED <-> WEB-CLIENT mozilla compareTo arbitrary code execution attempt (web-client.rules)
 * 1:10173 <-> DISABLED <-> WEB-ACTIVEX Trend Micro OfficeScan Client ActiveX clsid access (web-activex.rules)
 * 1:10175 <-> DISABLED <-> WEB-ACTIVEX Trend Micro OfficeScan Client ActiveX function call access (web-activex.rules)
 * 1:10419 <-> DISABLED <-> WEB-ACTIVEX HP Mercury Quality Center SPIDERLib ActiveX clsid access (web-activex.rules)
 * 1:10421 <-> DISABLED <-> WEB-ACTIVEX HP Mercury Quality Center SPIDERLib ActiveX function call access (web-activex.rules)
 * 1:11673 <-> DISABLED <-> WEB-ACTIVEX Zenturi ProgramChecker ActiveX clsid access (web-activex.rules)
 * 1:11675 <-> DISABLED <-> WEB-ACTIVEX Zenturi ProgramChecker ActiveX function call access (web-activex.rules)
 * 1:12087 <-> DISABLED <-> WEB-ACTIVEX McAfee NeoTrace ActiveX clsid access (web-activex.rules)
 * 1:12089 <-> DISABLED <-> WEB-ACTIVEX McAfee NeoTrace ActiveX function call access (web-activex.rules)
 * 1:13258 <-> DISABLED <-> WEB-ACTIVEX IBM Lotus Domino Web Access 6 ActiveX clsid access (web-activex.rules)
 * 1:13262 <-> DISABLED <-> WEB-ACTIVEX IBM Lotus Domino Web Access 7 ActiveX clsid access (web-activex.rules)
 * 1:14997 <-> DISABLED <-> WEB-ACTIVEX DjVu MSOffice Converter ActiveX clsid access (web-activex.rules)
 * 1:15181 <-> DISABLED <-> WEB-ACTIVEX SaschArt SasCam Webcam Server ActiveX clsid access (web-activex.rules)
 * 1:15434 <-> ENABLED <-> WEB-MISC HP OpenView Network Node Manager OvOSLocale parameter buffer overflow attempt (web-misc.rules)
 * 1:15703 <-> ENABLED <-> WEB-CLIENT Apple iTunes ITMS protocol handler stack buffer overflow attempt (web-client.rules)
 * 1:15704 <-> ENABLED <-> WEB-CLIENT Apple iTunes ITMSS protocol handler stack buffer overflow attempt (web-client.rules)
 * 1:15705 <-> ENABLED <-> WEB-CLIENT Apple iTunes PCAST protocol handler stack buffer overflow attempt (web-client.rules)
 * 1:15706 <-> ENABLED <-> WEB-CLIENT Apple iTunes DAAP protocol handler stack buffer overflow attempt (web-client.rules)
 * 1:15707 <-> ENABLED <-> WEB-CLIENT Apple iTunes ITPC protocol handler stack buffer overflow attempt (web-client.rules)
 * 1:16569 <-> DISABLED <-> WEB-ACTIVEX EnjoySAP kweditcontrol ActiveX clsid access (web-activex.rules)
 * 1:16571 <-> DISABLED <-> WEB-ACTIVEX EnjoySAP kweditcontrol ActiveX function call access (web-activex.rules)
 * 1:16601 <-> ENABLED <-> WEB-CLIENT Amaya web editor XML and HTML Parser Buffer overflow attempt (web-client.rules)
 * 1:16607 <-> DISABLED <-> SPECIFIC-THREATS RealPlayer RAM Download Handler ActiveX exploit attempt (specific-threats.rules)
 * 1:16608 <-> DISABLED <-> SPECIFIC-THREATS HP Mercury Quality Center SPIDERLib ActiveX buffer overflow attempt (specific-threats.rules)
 * 1:16671 <-> ENABLED <-> SPECIFIC-THREATS IBM Lotus Domino Web Access ActiveX exploit attempt (specific-threats.rules)
 * 1:16687 <-> DISABLED <-> WEB-ACTIVEX Juniper Networks SSL-VPN Client JuniperSetup ActiveX control buffer overflow attempt (web-activex.rules)
 * 1:17078 <-> DISABLED <-> WEB-ACTIVEX GOM Player GomWeb ActiveX clsid access (web-activex.rules)
 * 1:16714 <-> ENABLED <-> SPECIFIC-THREATS SoftArtisans XFile FileManager ActiveX Control buffer overflow attempt (specific-threats.rules)
 * 1:16725 <-> DISABLED <-> SPECIFIC-THREATS ActivePDF WebGrabber APWebGrb.ocx GetStatus method overflow attempt (specific-threats.rules)
 * 1:17084 <-> DISABLED <-> WEB-ACTIVEX Creative Software AutoUpdate Engine ActiveX clsid access (web-activex.rules)
 * 1:17080 <-> DISABLED <-> WEB-ACTIVEX GOM Player GomWeb ActiveX function call access (web-activex.rules)