Sourcefire VRT Rules Update

Date: 2011-09-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:13569 <-> ENABLED <-> WEB-CLIENT Microsoft Excel macro validation arbitrary code execution attempt  (web-client.rules)
 * 1:15462 <-> ENABLED <-> WEB-CLIENT Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt  (web-client.rules)
 * 1:15526 <-> ENABLED <-> EXPLOIT Microsoft Works 4.x converter font name buffer overflow attempt  (exploit.rules)
 * 1:17750 <-> ENABLED <-> DOS Microsoft IIS 7.5 client verify null pointer attempt  (dos.rules)
 * 1:17753 <-> ENABLED <-> MULTIMEDIA Windows Media Player network sharing service RTSP code execution attempt  (multimedia.rules)
 * 1:17754 <-> ENABLED <-> EXPLOIT Microsoft Word bookmark bound check remote code execution attempt  (exploit.rules)
 * 1:17755 <-> ENABLED <-> EXPLOIT Microsoft Word unchecked index value remote code execution attempt  (exploit.rules)
 * 1:17756 <-> ENABLED <-> WEB-CLIENT Microsoft Word XP PLFLSInTableStream heap overflow attempt  (web-client.rules)
 * 1:17757 <-> ENABLED <-> WEB-CLIENT Microsoft Excel CrErr record integer overflow attempt  (web-client.rules)
 * 1:17758 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel PtgExtraArray data parsing vulnerability exploit attempt  (specific-threats.rules)
 * 1:17759 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel invalid SerAr object exploit attempt  (specific-threats.rules)
 * 1:17760 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel RealTimeData record exploit attempt  (specific-threats.rules)
 * 1:17763 <-> ENABLED <-> EXPLOIT Microsoft Excel GhostRw record exploit attempt  (exploit.rules)
 * 1:17764 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel PtgName invalid index exploit attempt  (specific-threats.rules)
 * 1:17766 <-> ENABLED <-> EXPLOIT IE8 XSS in toStaticHTML API attempt  (exploit.rules)
 * 1:17767 <-> ENABLED <-> EXPLOIT Microsoft Internet Explorer IE8 tostaticHTML CSS import vulnerability  (exploit.rules)
 * 1:17768 <-> ENABLED <-> EXPLOIT IE8 object event handler use after free exploit attempt  (exploit.rules)
 * 1:17769 <-> ENABLED <-> EXPLOIT IE8 CSS invalid mapping exploit attempt  (exploit.rules)
 * 1:17770 <-> ENABLED <-> WEB-ACTIVEX Microsoft HtmlDlgHelper ActiveX clsid access  (web-activex.rules)
 * 1:17771 <-> ENABLED <-> EXPLOIT Microsoft Internet Explorer cross-domain information disclosure attempt  (exploit.rules)
 * 1:17772 <-> ENABLED <-> WEB-ACTIVEX Microsoft Scriptlet Component ActiveX clsid access  (web-activex.rules)
 * 1:17774 <-> ENABLED <-> EXPLOIT IE8 CSS XSRF exploit attempt  (exploit.rules)
 * 1:18067 <-> ENABLED <-> WEB-CLIENT Microsoft Office RTF parsing remote code execution attempt  (web-client.rules)
 * 1:18068 <-> ENABLED <-> EXPLOIT Microsoft Excel malformed MsoDrawingObject record attempt  (exploit.rules)
 * 1:18069 <-> ENABLED <-> WEB-CLIENT Microsoft Office Art drawing invalid shape identifier attempt  (web-client.rules)
 * 1:18070 <-> ENABLED <-> NETBIOS Microsoft Office pptimpconv.dll dll-load exploit attempt  (netbios.rules)
 * 1:18071 <-> ENABLED <-> WEB-CLIENT Microsoft Office pptimpconv.dll dll-load exploit attempt  (web-client.rules)
 * 1:18076 <-> ENABLED <-> WEB-CLIENT Forefront UAG URL XSS alternate attempt  (web-client.rules)
 * 1:18102 <-> ENABLED <-> WEB-CLIENT Adobe Reader invalid PDF JavaScript extension call  (web-client.rules)
 * 1:18197 <-> ENABLED <-> WEB-ACTIVEX Microsoft COleSite ActiveX memory corruption attempt  (web-activex.rules)
 * 1:18198 <-> ENABLED <-> WEB-ACTIVEX Microsoft COleSite ActiveX memory corruption attempt  (web-activex.rules)
 * 1:18199 <-> ENABLED <-> WEB-ACTIVEX Microsoft COleSite ActiveX memory corruption attempt  (web-activex.rules)
 * 1:18200 <-> ENABLED <-> EXPLOIT Microsoft Office .CGM file cell array heap overflow attempt  (exploit.rules)
 * 1:18201 <-> ENABLED <-> EXPLOIT Microsoft Office TIFF filter remote code execution attempt  (exploit.rules)
 * 1:18204 <-> ENABLED <-> WEB-CLIENT Windows Address Book wab32res.dll malicious DLL load  (web-client.rules)
 * 1:18205 <-> ENABLED <-> WEB-CLIENT Windows Address Book msoeres32.dll malicious DLL load  (web-client.rules)
 * 1:18206 <-> ENABLED <-> NETBIOS Windows Address Book wab32res.dll malicious DLL load  (netbios.rules)
 * 1:18207 <-> ENABLED <-> NETBIOS Windows Address Book msoeres32.dll malicious DLL load  (netbios.rules)
 * 1:18208 <-> ENABLED <-> WEB-CLIENT Windows 7 Home peerdist.dll dll-load exploit attempt  (web-client.rules)
 * 1:18209 <-> ENABLED <-> NETBIOS Windows 7 Home peerdist.dll dll-load exploit attempt  (netbios.rules)
 * 1:18210 <-> ENABLED <-> WEB-CLIENT Microsoft Movie Maker hhctrl.ocx dll-load exploit attempt  (web-client.rules)
 * 1:18211 <-> ENABLED <-> NETBIOS Microsoft Movie Maker hhctrl.ocx dll-load exploit attempt  (netbios.rules)
 * 1:18216 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer 6 #default#anim attempt  (web-client.rules)
 * 1:18217 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer select element memory corruption attempt  (web-client.rules)
 * 1:18218 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer time element memory corruption attempt  (specific-threats.rules)
 * 1:18219 <-> ENABLED <-> WEB-CLIENT Microsoft Windows ATMFD font driver remote code execution attempt  (web-client.rules)
 * 1:18221 <-> ENABLED <-> WEB-CLIENT Internet Explorer malformed table remote code execution attempt  (web-client.rules)
 * 1:18222 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt  (web-client.rules)
 * 1:18223 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt  (web-client.rules)
 * 1:18224 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt  (web-client.rules)
 * 1:18225 <-> ENABLED <-> NETBIOS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt  (netbios.rules)
 * 1:18226 <-> ENABLED <-> NETBIOS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt  (netbios.rules)
 * 1:18227 <-> ENABLED <-> NETBIOS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt  (netbios.rules)
 * 1:18229 <-> ENABLED <-> SPECIFIC-THREATS Microsoft FlashPix tile length overflow attempt  (specific-threats.rules)
 * 1:18230 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Publisher memory corruption attempt  (specific-threats.rules)
 * 1:18231 <-> ENABLED <-> WEB-CLIENT Microsoft Publisher oversized oti length attempt  (web-client.rules)
 * 1:18233 <-> ENABLED <-> WEB-CLIENT Microsoft Publisher Adobe Font Driver code execution attempt  (web-client.rules)
 * 1:18235 <-> ENABLED <-> WEB-CLIENT Microsoft Office PICT graphics converter memory corruption attempt  (web-client.rules)
 * 1:18236 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office TIFFIM32.FLT filter memory corruption attempt  (specific-threats.rules)
 * 1:18237 <-> ENABLED <-> WEB-CLIENT Flashpix graphics filter fpx32.flt remote code execution attempt  (web-client.rules)
 * 1:18238 <-> ENABLED <-> EXPLOIT Microsoft Sharepoint document conversion remote code excution attempt  (exploit.rules)
 * 1:18276 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Data Access Components library attempt  (specific-threats.rules)
 * 1:18280 <-> ENABLED <-> WEB-CLIENT IE oversize recordset object cache size exploit attempt  (web-client.rules)
 * 1:18398 <-> ENABLED <-> WEB-CLIENT Microsoft Office thumbnail bitmap invalid biClrUsed attempt  (web-client.rules)
 * 1:18402 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD Adobe font driver remote code execution attempt  (specific-threats.rules)
 * 1:18403 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer datasrc overflow attempt  (web-client.rules)
 * 1:18404 <-> ENABLED <-> WEB-CLIENT IE document.insertBefore memory corruption attempt  (web-client.rules)
 * 1:18406 <-> ENABLED <-> SPECIFIC-THREATS Windows Server 2003 update service principal name spn dos executable attempt  (specific-threats.rules)
 * 1:18407 <-> ENABLED <-> SPECIFIC-THREATS Windows Server 2003 update service principal name spn dos attempt  (specific-threats.rules)
 * 1:18408 <-> ENABLED <-> EXPLOIT Microsoft WMI tracing api integer truncation attempt  (exploit.rules)
 * 1:18413 <-> ENABLED <-> EXPLOIT Microsoft WMI tracing api integer truncation attempt  (exploit.rules)
 * 1:18415 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Visio deserialization double free attempt  (specific-threats.rules)
 * 1:18416 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Visio ORMinfo classes length overflow attempt  (specific-threats.rules)
 * 1:18417 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Visio ORMinfo classes length overflow attempt  (specific-threats.rules)
 * 1:18418 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash player ActionScript apply function memory corruption attempt  (specific-threats.rules)
 * 1:18419 <-> ENABLED <-> WEB-CLIENT Adobe field flags exploit attempt  (web-client.rules)
 * 1:18420 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash player ActionScript ASnative function remote code execution attempt  (specific-threats.rules)
 * 1:18426 <-> ENABLED <-> NETBIOS Acrobat Reader plugin sqlite.dll dll-load exploit attempt  (netbios.rules)
 * 1:18431 <-> ENABLED <-> WEB-CLIENT Acrobat Reader plugin sqlite.dll dll-load exploit attempt  (web-client.rules)
 * 1:18432 <-> ENABLED <-> WEB-CLIENT Acrobat Reader d3dref9.dll dll-load exploit attempt  (web-client.rules)
 * 1:18433 <-> ENABLED <-> NETBIOS Acrobat Reader d3dref9.dll dll-load exploit attempt  (netbios.rules)
 * 1:18434 <-> ENABLED <-> NETBIOS Acrobat Reader plugin ace.dll dll-load exploit attempt  (netbios.rules)
 * 1:18435 <-> ENABLED <-> NETBIOS Acrobat Reader plugin agm.dll dll-load exploit attempt  (netbios.rules)
 * 1:18436 <-> ENABLED <-> NETBIOS Acrobat Reader plugin bibutils.dll dll-load exploit attempt  (netbios.rules)
 * 1:18437 <-> ENABLED <-> NETBIOS Acrobat Reader plugin cooltype.dll dll-load exploit attempt  (netbios.rules)
 * 1:18438 <-> ENABLED <-> NETBIOS Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt  (netbios.rules)
 * 1:18439 <-> ENABLED <-> WEB-CLIENT Acrobat Reader plugin ace.dll dll-load exploit attempt  (web-client.rules)
 * 1:18440 <-> ENABLED <-> WEB-CLIENT Acrobat Reader plugin agm.dll dll-load exploit attempt  (web-client.rules)
 * 1:18441 <-> ENABLED <-> WEB-CLIENT Acrobat Reader plugin bibutils.dll dll-load exploit attempt  (web-client.rules)
 * 1:18442 <-> ENABLED <-> WEB-CLIENT Acrobat Reader plugin cooltype.dll dll-load exploit attempt  (web-client.rules)
 * 1:18443 <-> ENABLED <-> WEB-CLIENT Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt  (web-client.rules)
 * 1:18445 <-> ENABLED <-> WEB-CLIENT Acrobat Flash Player nvapi.dll dll-load exploit attempt  (web-client.rules)
 * 1:18446 <-> ENABLED <-> NETBIOS Acrobat Flash Player nvapi.dll dll-load exploit attempt  (netbios.rules)
 * 1:18447 <-> ENABLED <-> EXPLOIT Adobe OpenAction crafted URI action thru Firefox attempt  (exploit.rules)
 * 1:18448 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat Universal 3D stream memory corruption attempt  (specific-threats.rules)
 * 1:18450 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader malformed BMP RGBQUAD attempt  (specific-threats.rules)
 * 1:18451 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat ICC color integer overflow attempt  (specific-threats.rules)
 * 1:18452 <-> ENABLED <-> SPECIFIC-THREATS Adobe malicious IFF memory corruption attempt  (specific-threats.rules)
 * 1:18453 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat universal 3D format memory corruption attempt  (specific-threats.rules)
 * 1:18454 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat universal 3D format memory corruption attempt  (specific-threats.rules)
 * 1:18455 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader malformed jpeg2000 superbox attempt  (specific-threats.rules)
 * 1:18456 <-> ENABLED <-> WEB-CLIENT Adobe Acrobat XML entity escape attempt  (web-client.rules)
 * 1:18457 <-> ENABLED <-> SPECIFIC-THREATS Adoboe Reader U3D rgba parsing overflow attempt  (specific-threats.rules)
 * 1:18494 <-> ENABLED <-> NETBIOS Microsoft product .dll dll-load exploit attempt  (netbios.rules)
 * 1:18495 <-> ENABLED <-> WEB-CLIENT Microsoft product .dll dll-load exploit attempt  (web-client.rules)
 * 1:18496 <-> ENABLED <-> WEB-CLIENT Windows Media Player ehtrace.dll dll-load exploit attempt  (web-client.rules)
 * 1:18497 <-> ENABLED <-> NETBIOS Windows Media Player ehtrace.dll dll-load exploit attempt  (netbios.rules)
 * 1:18498 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Media Player dvr-ms file parsing remote code execution attempt  (specific-threats.rules)
 * 1:18499 <-> ENABLED <-> WEB-CLIENT Groove mso.dll dll-load exploit attempt  (web-client.rules)
 * 1:18806 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Excel RealTimeData record exploit attempt  (specific-threats.rules)
 * 1:18755 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Visio Data Type Memory Corruption  (specific-threats.rules)
 * 1:18691 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows AFD.SYS null write attempt  (specific-threats.rules)
 * 1:18671 <-> ENABLED <-> WEB-CLIENT object management memory corruption attempt  (web-client.rules)
 * 1:18670 <-> ENABLED <-> WEB-CLIENT object management memory corruption attempt  (web-client.rules)
 * 1:18668 <-> ENABLED <-> WEB-ACTIVEX Microsoft Windows Messenger ActiveX clsid access  (web-activex.rules)
 * 1:18655 <-> ENABLED <-> BAD-TRAFFIC LLMNR invalid reverse name lookup stack corruption attempt  (bad-traffic.rules)
 * 1:18646 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer 6/7 CSS swapNode memory corruption attempt  (specific-threats.rules)
 * 1:18645 <-> ENABLED <-> SPECIFIC-THREATS Microsoft GDI+ arbitrary code execution attempt  (specific-threats.rules)
 * 1:18644 <-> ENABLED <-> SPECIFIC-THREATS OpenType Fonts CompactFontFormat FontMatrix tranform memory corruption attempt  (specific-threats.rules)
 * 1:18643 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Word Converter sprmTTextFflow overflow attempt  (specific-threats.rules)
 * 1:18642 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Word Converter sprmTSplit overflow attempt  (specific-threats.rules)
 * 1:18639 <-> ENABLED <-> EXPLOIT Excel CatSerRange record exploit attempt  (exploit.rules)
 * 1:18638 <-> ENABLED <-> EXPLOIT Excel OfficeArtSpContainer record exploit attempt  (exploit.rules)
 * 1:18637 <-> ENABLED <-> EXPLOIT Powerpoint ExObjRefAtom within an OfficeArtClientData container exploit attempt  (exploit.rules)
 * 1:18636 <-> ENABLED <-> SPECIFIC-THREATS Microsoft PowerPoint SlideAtom record exploit attempt  (specific-threats.rules)
 * 1:18635 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Powerpoint malformed record call to freed object attempt  (specific-threats.rules)
 * 1:18634 <-> ENABLED <-> WEB-CLIENT Microsoft Excel Workspace file FontCount record memory corruption attempt  (web-client.rules)
 * 1:18633 <-> ENABLED <-> WEB-CLIENT Microsoft Excel RealTimeData record memory corruption attempt  (web-client.rules)
 * 1:18629 <-> ENABLED <-> NETBIOS MFC applications mfc100.dll dll-load exploit attempt  (netbios.rules)
 * 1:18628 <-> ENABLED <-> NETBIOS MFC applications mfc90.dll dll-load exploit attempt  (netbios.rules)
 * 1:18627 <-> ENABLED <-> NETBIOS MFC applications mfc80.dll dll-load exploit attempt  (netbios.rules)
 * 1:18626 <-> ENABLED <-> NETBIOS MFC applications mfc42.dll dll-load exploit attempt  (netbios.rules)
 * 1:18625 <-> ENABLED <-> NETBIOS MFC applications mfc40.dll dll-load exploit attempt  (netbios.rules)
 * 1:18624 <-> ENABLED <-> EXPLOIT Microsoft .NET framework optimizer escalation attempt  (exploit.rules)
 * 1:18623 <-> ENABLED <-> WEB-CLIENT MFC applications mfc100.dll dll-load exploit attempt  (web-client.rules)
 * 1:18622 <-> ENABLED <-> WEB-CLIENT MFC applications mfc90.dll dll-load exploit attempt  (web-client.rules)
 * 1:18621 <-> ENABLED <-> WEB-CLIENT MFC applications mfc80.dll dll-load exploit attempt  (web-client.rules)
 * 1:18620 <-> ENABLED <-> WEB-CLIENT MFC applications mfc42.dll dll-load exploit attempt  (web-client.rules)
 * 1:18619 <-> ENABLED <-> WEB-CLIENT MFC applications mfc40.dll dll-load exploit attempt  (web-client.rules)
 * 1:18544 <-> ENABLED <-> SPECIFIC-THREATS embedded Shockwave dropper in email attachment  (specific-threats.rules)
 * 1:18507 <-> ENABLED <-> WEB-CLIENT Adobe Reader CCITT stream compression filter invalid image size heap overflow attempt  (web-client.rules)
 * 1:18543 <-> ENABLED <-> SPECIFIC-THREATS embedded Shockwave dropper download  (specific-threats.rules)
 * 1:18506 <-> ENABLED <-> WEB-CLIENT Adobe Reader CCITT stream compression filter invalid image size heap overflow attempt  (web-client.rules)
 * 1:18500 <-> ENABLED <-> NETBIOS Groove mso.dll dll-load exploit attempt  (netbios.rules)
 * 1:18503 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player ActionScript flash.geom.Point constructor memory corruption attempt  (specific-threats.rules)

Modified Rules:
 * 1:10064 <-> ENABLED <-> EXPLOIT Peercast URL Parameter overflow attempt (exploit.rules)
 * 1:20089 <-> DISABLED <-> POLICY IRC nick change on non-standard port (policy.rules)
 * 1:20090 <-> DISABLED <-> POLICY IRC DCC file transfer request on non-standard port (policy.rules)
 * 1:20091 <-> DISABLED <-> POLICY IRC DCC chat request on non-standard port (policy.rules)
 * 1:20092 <-> DISABLED <-> POLICY IRC channel join on non-standard port (policy.rules)
 * 1:20093 <-> DISABLED <-> POLICY IRC channel notice on non-standard port (policy.rules)
 * 1:20094 <-> DISABLED <-> POLICY IRC message on non-standard port (policy.rules)
 * 1:20095 <-> DISABLED <-> POLICY IRC dns request on non-standard port (policy.rules)
 * 1:3590 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP mqqm QMDeleteObject overflow attempt (netbios.rules)