Sourcefire VRT Rules Update

Date: 2012-02-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:21414 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Office Excel MergeCells record parsing code execution attempt (specific-threats.rules)
 * 1:21416 <-> DISABLED <-> SPECIFIC-THREATS Trojan.Bankpatch.C authentication string detected (specific-threats.rules)
 * 1:21415 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Office Excel MergeCells record parsing code execution attempt (specific-threats.rules)
 * 1:21358 <-> DISABLED <-> WEB-MISC iPlanet Webserver command injection attempt (web-misc.rules)
 * 1:21360 <-> DISABLED <-> BACKDOOR Win32 Agent.dbzx runtime traffic detected (backdoor.rules)
 * 1:21361 <-> DISABLED <-> BACKDOOR Worm.Win32.TDownland.ca runtime traffic detected (backdoor.rules)
 * 1:21363 <-> DISABLED <-> SPECIFIC-THREATS Mozilla Firefox appendChild use-after-free attempt (specific-threats.rules)
 * 1:21364 <-> DISABLED <-> BACKDOOR DOQ.gen.y RUNTIME traffic detected (backdoor.rules)
 * 1:21365 <-> DISABLED <-> BACKDOOR DOQ.gen.y RUNTIME traffic detected (backdoor.rules)
 * 1:21367 <-> DISABLED <-> BACKDOOR Win32 VB.abcl runtime traffic detected (backdoor.rules)
 * 1:21368 <-> DISABLED <-> BOTNET-CNC Win32.Wallop.de runtime traffic detected (botnet-cnc.rules)
 * 1:21369 <-> DISABLED <-> BOTNET-CNC Win32.Wallop.de runtime traffic detected (botnet-cnc.rules)
 * 1:21370 <-> DISABLED <-> NETBIOS Samba name mangling buffer overflow attempt (netbios.rules)
 * 1:21372 <-> DISABLED <-> BACKDOOR Malware Defense runtime traffic detected (backdoor.rules)
 * 1:21373 <-> DISABLED <-> BACKDOOR Malware Defense runtime traffic detected (backdoor.rules)
 * 1:21408 <-> DISABLED <-> DELETED WEB-MISC paq8o file request (deleted.rules)
 * 1:21410 <-> DISABLED <-> FILE-IDENTIFY paq8o file download request (file-identify.rules)
 * 1:21411 <-> DISABLED <-> FILE-IDENTIFY paq8o file attachment detected (file-identify.rules)
 * 1:21412 <-> DISABLED <-> FILE-IDENTIFY paq8o file attachment detected (file-identify.rules)
 * 1:21417 <-> ENABLED <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit (specific-threats.rules)
 * 1:21402 <-> DISABLED <-> BACKDOOR Trojan-Downloader.Win32.Ponfoy.A runtime detection (backdoor.rules)
 * 1:21401 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Kenzor.B outbound connection (botnet-cnc.rules)
 * 1:21403 <-> DISABLED <-> BACKDOOR Worm.Win32.Vobfus.DL runtime detection (backdoor.rules)
 * 1:21400 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Kenzor.B outbound connection (botnet-cnc.rules)
 * 1:21397 <-> DISABLED <-> SPECIFIC-THREATS MicroP mppl stack buffer overflow (specific-threats.rules)
 * 1:21398 <-> DISABLED <-> WEB-MISC MPPL file download attempt (web-misc.rules)
 * 1:21399 <-> DISABLED <-> WEB-CLIENT Opera Web Browser History Search Input validation vulnerability (web-client.rules)
 * 1:21396 <-> DISABLED <-> ORACLE 10g iSQLPlus service heap overflow attempt (oracle.rules)
 * 1:21395 <-> DISABLED <-> ORACLE 10g iSQLPlus service heap overflow attempt (oracle.rules)
 * 1:21392 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer writing-mode property memory corruption attempt (specific-threats.rules)
 * 1:21387 <-> DISABLED <-> WEB-CLIENT Oracle Java runtime RMIConnectionImpl deserialization execution attempt (oracle.rules)
 * 1:21394 <-> DISABLED <-> WEB-CLIENT Mozilla Firefox null byte file remote code execution attempt (web-client.rules)
 * 1:21393 <-> DISABLED <-> SPECIFIC-THREATS Magix Musik Maker 16 buffer overflow attempt (specific-threats.rules)
 * 1:21391 <-> DISABLED <-> BOTNET-CNC Win32.Agent.dcac runtime traffic detected (botnet-cnc.rules)
 * 1:21385 <-> ENABLED <-> WEB-MISC Cisco Common Services Help servlet XSS attempt (web-misc.rules)
 * 1:21390 <-> DISABLED <-> BOTNET-CNC Win32.Agobot.dl runtime traffic detected (botnet-cnc.rules)
 * 1:21389 <-> ENABLED <-> WEB-MISC Cisco Common Services Device Center XSS attempt (web-misc.rules)
 * 1:21388 <-> DISABLED <-> WEB-CLIENT Java JAR file download attempt (oracle.rules)
 * 1:21386 <-> DISABLED <-> BOTNET-CNC Win32.Wadolin.A runtime traffic detected (botnet-cnc.rules)
 * 1:21382 <-> DISABLED <-> BOTNET-CNC Win32.Nuqel.Q host setting3.yeahost.com runtime traffic detected (botnet-cnc.rules)
 * 1:21384 <-> DISABLED <-> BOTNET-CNC Win32.Nuqel.Q host freewebs.com runtime traffic detected (botnet-cnc.rules)
 * 1:21377 <-> ENABLED <-> WEB-MISC Cisco Unified Communications Manager sql injection attempt (web-misc.rules)
 * 1:21383 <-> DISABLED <-> BOTNET-CNC Win32.Nuqel.Q host 9999mb.com runtime traffic detected (botnet-cnc.rules)
 * 1:21381 <-> DISABLED <-> BOTNET-CNC Win32.Dialer.ngb runtime traffic detected (botnet-cnc.rules)
 * 1:21379 <-> DISABLED <-> BOTNET-CNC Win32.Genome.Amqj runtime traffic detected (botnet-cnc.rules)
 * 1:21380 <-> DISABLED <-> BLACKLIST USER-AGENT Win.32.Sramler.A runtime traffic detected (blacklist.rules)
 * 1:21376 <-> DISABLED <-> SPYWARE-PUT Trojan Microjoin activity (spyware-put.rules)
 * 1:21378 <-> DISABLED <-> EXPLOIT Novell iPrint attributes-natural-language buffer overflow attempt (exploit.rules)
 * 1:21359 <-> DISABLED <-> BACKDOOR Win32.VB.jju runtime traffic detected (backdoor.rules)
 * 1:21406 <-> DISABLED <-> WEB-ACTIVEX McAfee Security Center ActiveX clsid access (web-activex.rules)
 * 1:21407 <-> DISABLED <-> EXPLOIT Symantic multiple products VRTSweb code execution (exploit.rules)
 * 1:21409 <-> DISABLED <-> DELETED WEB-CLIENT PeaZip command injection attempt (deleted.rules)
 * 1:21413 <-> DISABLED <-> WEB-CLIENT PeaZip command injection attempt (web-client.rules)
 * 1:21374 <-> DISABLED <-> BACKDOOR Win32.Bifrose.EF runtime traffic detected (backdoor.rules)
 * 1:21375 <-> ENABLED <-> WEB-PHP Remote Execution Backdoor Attempt Against Horde (web-php.rules)
 * 1:21371 <-> DISABLED <-> WEB-CLIENT Adobe Shockwave Director KEY chunk buffer overflow attempt (web-client.rules)
 * 1:21366 <-> DISABLED <-> BACKDOOR DOQ.gen.y INSTALL traffic detected (backdoor.rules)
 * 1:21362 <-> DISABLED <-> BACKDOOR Trojan Win32.TDSS.aa runtime traffic detected (backdoor.rules)
 * 1:21405 <-> DISABLED <-> WEB-CLIENT Microsoft Anti-Cross Site Scripting library bypass attempt (web-client.rules)
 * 1:21404 <-> DISABLED <-> BACKDOOR Worm.Win32.Vobfus.DL runtime detection cont (backdoor.rules)

Modified Rules:
 * 1:16377 <-> ENABLED <-> EXPLOIT Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt (exploit.rules)
 * 1:21108 <-> ENABLED <-> SPECIFIC-THREATS unknown exploit kit obfuscated landing page (specific-threats.rules)
 * 1:2699 <-> DISABLED <-> ORACLE TO_CHAR buffer overflow attempt (oracle.rules)
 * 1:20884 <-> DISABLED <-> WEB-CLIENT Microsoft Anti-Cross Site Scripting library bypass attempt (web-client.rules)
 * 1:20585 <-> DISABLED <-> WEB-CLIENT Mozilla multiple content-length headers malicious redirect attempt (web-client.rules)
 * 1:20586 <-> DISABLED <-> WEB-CLIENT Mozilla multiple content-disposition headers malicious redirect attempt (web-client.rules)
 * 1:20584 <-> DISABLED <-> WEB-CLIENT Mozilla multiple content-type headers malicious redirect attempt (web-client.rules)
 * 1:17410 <-> DISABLED <-> WEB-MISC Generic HyperLink buffer overflow attempt (web-misc.rules)
 * 1:20583 <-> DISABLED <-> WEB-CLIENT Mozilla multiple location headers malicious redirect attempt (web-client.rules)