Sourcefire VRT Rules Update

Date: 2011-11-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:20570 <-> ENABLED <-> BOTNET-CNC Win32.Small.kb outbound connection attempt (botnet-cnc.rules)
 * 1:20573 <-> ENABLED <-> WEB-ACTIVEX Oracle AutoVueX Control ExportEdaBom ActiveX clsid access (web-activex.rules)
 * 1:20559 <-> DISABLED <-> WEB-CLIENT Nullsoft Winamp MIDI file buffer overflow attempt (web-client.rules)
 * 1:20568 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash SWF ActionScript 3 ByteArray class vulnerability (specific-threats.rules)
 * 1:20558 <-> ENABLED <-> BLACKLIST URI request for known malicious URI /stat2.php (blacklist.rules)
 * 1:20574 <-> ENABLED <-> WEB-ACTIVEX Oracle AutoVueX Control ExportEdaBom ActiveX function call access (web-activex.rules)
 * 1:20553 <-> ENABLED <-> WEB-CLIENT Un4seen Developments XMPlay crafted ASX file buffer overflow attempt (web-client.rules)
 * 1:20554 <-> ENABLED <-> CHAT MSN Messenger and Windows Live Messenger Code Execution attempt (chat.rules)
 * 1:20555 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash MP4 ref_frame allocated buffer overflow attempt (specific-threats.rules)
 * 1:20572 <-> ENABLED <-> WEB-MISC Microsoft Windows Font Library file buffer overflow attempt (web-misc.rules)
 * 1:20571 <-> ENABLED <-> BOTNET-CNC Win32.Small.kb outbound connection attempt (botnet-cnc.rules)
 * 1:20552 <-> DISABLED <-> SPECIFIC-THREATS Mercury Mail Transport System buffer overflow attempt (specific-threats.rules)
 * 1:20564 <-> DISABLED <-> FILE-IDENTIFY amf file magic detection (file-identify.rules)
 * 1:20566 <-> ENABLED <-> WEB-CLIENT Nullsoft Winamp AMF file buffer overflow attempt (web-client.rules)
 * 1:20557 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player ActionDefineFunction2 length overflow attempt (specific-threats.rules)
 * 1:20567 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash SWF AVM2 namespace lookup deref exploit (specific-threats.rules)
 * 1:20565 <-> ENABLED <-> WEB-CLIENT Nullsoft Winamp AMF file buffer overflow attempt (web-client.rules)
 * 1:20569 <-> ENABLED <-> BOTNET-CNC Win32.Small.kb outbound connection attempt (botnet-cnc.rules)
 * 1:20556 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player PlaceObjectX null pointer dereference attempt (specific-threats.rules)
 * 1:20562 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.PWSBanker.SHE contact to cnc-server attempt (botnet-cnc.rules)
 * 1:20561 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.PWSBanker.SHE contact to cnc-server attempt (botnet-cnc.rules)
 * 1:20560 <-> ENABLED <-> EXPLOIT Adobe Flash Player salign null javascript access attempt (exploit.rules)
 * 1:20563 <-> DISABLED <-> FILE-IDENTIFY amf file download attempt (file-identify.rules)

Modified Rules:
 * 1:15014 <-> ENABLED <-> WEB-CLIENT Adobe Reader and Acrobat util.printf buffer overflow attempt (web-client.rules)
 * 1:20469 <-> DISABLED <-> FILE-IDENTIFY ZIP file magic detection (file-identify.rules)
 * 1:16383 <-> ENABLED <-> ORACLE MDSYS drop table trigger injection attempt (oracle.rules)
 * 1:12454 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Media ASF file magic detection (file-identify.rules)
 * 1:12641 <-> ENABLED <-> FILE-IDENTIFY Microsoft Word for Mac 5 file magic detection (file-identify.rules)
 * 1:13571 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel dval record arbitrary code execution attempt (web-client.rules)
 * 1:20269 <-> ENABLED <-> FILE-IDENTIFY FON font file download request (file-identify.rules)
 * 1:17662 <-> ENABLED <-> BAD-TRAFFIC Sun Solaris DHCP Client Arbitrary Code Execution attempt (bad-traffic.rules)
 * 1:20468 <-> DISABLED <-> FILE-IDENTIFY ZIP file magic detection (file-identify.rules)
 * 1:9325 <-> ENABLED <-> DOS Citrix IMA DOS event data length denial of service attempt (dos.rules)
 * 1:16214 <-> DISABLED <-> DOS Squid Proxy invalid HTTP response code denial of service attempt (dos.rules)
 * 1:19677 <-> ENABLED <-> DNS Microsoft DNS NAPTR remote unauthenticated code execution vulnerability (dns.rules)
 * 1:20472 <-> DISABLED <-> FILE-IDENTIFY RAR file magic detection (file-identify.rules)
 * 1:20465 <-> DISABLED <-> FILE-IDENTIFY ZIP file magic detection (file-identify.rules)
 * 1:20464 <-> DISABLED <-> FILE-IDENTIFY ZIP file magic detection (file-identify.rules)
 * 1:20463 <-> DISABLED <-> FILE-IDENTIFY ZIP file magic detection (file-identify.rules)
 * 1:17283 <-> DISABLED <-> SMTP Mercury Mail Transport System buffer overflow attempt (smtp.rules)
 * 1:18555 <-> ENABLED <-> MISC VERITAS NetBackup java authentication service format string exploit attempt (misc.rules)
 * 1:17551 <-> ENABLED <-> CHAT MSN Messenger and Windows Live Messenger Code Execution attempt (chat.rules)
 * 1:17668 <-> ENABLED <-> POLICY download of a PDF with embedded JavaScript - JS string (policy.rules)
 * 1:20466 <-> DISABLED <-> FILE-IDENTIFY ZIP file magic detection (file-identify.rules)
 * 1:20467 <-> DISABLED <-> FILE-IDENTIFY ZIP file magic detection (file-identify.rules)