Sourcefire VRT Rules Update

Date: 2011-08-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.1.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:19893 <-> ENABLED <-> WEB-ACTIVEX Microsoft Tabular Control ActiveX overflow by CLSID / param tag (web-activex.rules)
 * 1:19892 <-> ENABLED <-> SPECIFIC-THREATS Symantec Alert Management System modem string buffer overflow attempt (specific-threats.rules)
 * 1:19891 <-> DISABLED <-> DELETED WEB-MISC Symantec Alert Management System pin number buffer overflow attempt (deleted.rules)
 * 1:19890 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP CA Arcserve Backup directory traversal attempt (netbios.rules)
 * 1:19889 <-> ENABLED <-> POLICY base64-encoded data object found (policy.rules)
 * 1:19888 <-> DISABLED <-> POLICY potential javascript unescape obfuscation attempt detected (policy.rules)
 * 1:19887 <-> DISABLED <-> POLICY potential javascript unescape obfuscation attempt detected (policy.rules)
 * 1:19886 <-> DISABLED <-> WEB-CLIENT Internet Explorer ani file processing - remote code execution attempt (web-client.rules)
 * 1:19885 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer daxctle.ocx spline method buffer overflow attempt (web-client.rules)
 * 1:19884 <-> ENABLED <-> POLICY String.fromCharCode with multiple encoding types detected (policy.rules)
 * 1:19883 <-> ENABLED <-> SPECIFIC-THREATS VideoLAN VLC Media Player libdirectx_plugin.dll AMV parsing buffer overflow attempt (specific-threats.rules)
 * 1:19882 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /160.rar - Win32/Morto.A (blacklist.rules)
 * 1:19881 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qfsl.co.be - Win32/Morto.A (blacklist.rules)
 * 1:19880 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qfsl.co.cc - Win32/Morto.A (blacklist.rules)
 * 1:19879 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jifr.net - Win32/Morto.A (blacklist.rules)
 * 1:19878 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jifr.co.be - Win32/Morto.A (blacklist.rules)
 * 1:19877 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jifr.co.cc - Win32/Morto.A (blacklist.rules)
 * 1:19876 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jifr.info - Win32/Morto.A (blacklist.rules)
 * 1:19875 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jaifr.com - Win32/Morto.A (blacklist.rules)
 * 1:19874 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qfsl.net - Win32/Morto.A (blacklist.rules)
 * 1:19873 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer CSS style memory corruption attempt (web-client.rules)
 * 1:19872 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer MDAC remote code execution attempt (web-client.rules)
 * 1:19871 <-> ENABLED <-> WEB-CLIENT Internet Explorer VML buffer overflow attempt (web-client.rules)
 * 1:19870 <-> ENABLED <-> DOS Anonymous Perl RefRef DoS tool (dos.rules)
 * 1:19869 <-> ENABLED <-> DOS Anonymous PHP RefRef DoS tool (dos.rules)
 * 1:19868 <-> DISABLED <-> WEB-CLIENT hidden 1x1 div tag - potential malware obfuscation (web-client.rules)
 * 1:19867 <-> ENABLED <-> POLICY randomized javascript encodings detected (policy.rules)
 * 1:19866 <-> DISABLED <-> BACKDOOR Win32.Fusing.AA outbound connection (backdoor.rules)
 * 1:19865 <-> DISABLED <-> BACKDOOR Win32.Arhost.D outbound connection (backdoor.rules)
 * 1:19864 <-> DISABLED <-> BACKDOOR Win32.Nvbpass.A outbound connection (backdoor.rules)
 * 1:19863 <-> DISABLED <-> BACKDOOR Backdoor.Win32.Httpbot.yi Runtime Detection (backdoor.rules)
 * 1:19862 <-> DISABLED <-> BACKDOOR Trojan.Win32.Scar.iej contact to server attempt (backdoor.rules)
 * 1:19861 <-> DISABLED <-> BACKDOOR Trojan-Downloader.Win32.Agent.cqcv contact to server attempt (backdoor.rules)
 * 1:19860 <-> DISABLED <-> SPYWARE-PUT Trust Warrior Runtime Detection (spyware-put.rules)
 * 1:19859 <-> DISABLED <-> SPYWARE-PUT XP Deluxe Protector outbound connection (spyware-put.rules)
 * 1:19858 <-> DISABLED <-> BACKDOOR Win32.Hupigon.hhbd outbound connection - non-Windows (backdoor.rules)
 * 1:19857 <-> DISABLED <-> BACKDOOR Win32.Hupigon.hhbd outbound connection - Windows (backdoor.rules)
 * 1:19856 <-> DISABLED <-> BACKDOOR Packed.Win32.Krap.i outbound connection (backdoor.rules)
 * 1:19855 <-> DISABLED <-> BACKDOOR W32.Sality.AM runtime detection (backdoor.rules)
 * 1:19854 <-> DISABLED <-> BACKDOOR W32.Sality.AM runtime detection (backdoor.rules)
 * 1:19853 <-> DISABLED <-> SPYWARE-PUT Wowpa KI outbound connection (spyware-put.rules)
 * 1:19852 <-> DISABLED <-> BACKDOOR Trojan Downloader.Win32.Delf.tbv outbound connection (backdoor.rules)
 * 1:19851 <-> DISABLED <-> SPYWARE-PUT Worm.Win32.AutoRun.qgg runtime detection (spyware-put.rules)
 * 1:19850 <-> DISABLED <-> SPYWARE-PUT Worm.Win32.AutoRun.qgg runtime detection (spyware-put.rules)
 * 1:19849 <-> DISABLED <-> SPYWARE-PUT Adware.Virtumonde runtime detection (spyware-put.rules)
 * 1:19848 <-> DISABLED <-> SPYWARE-PUT Adware.Virtumonde runtime detection (spyware-put.rules)
 * 1:19847 <-> DISABLED <-> BACKDOOR SRaT 1.6 runtime detection (backdoor.rules)
 * 1:19846 <-> DISABLED <-> BACKDOOR SRaT 1.6 runtime detection (backdoor.rules)
 * 1:19845 <-> DISABLED <-> BACKDOOR Trojan.TDSS.1.Gen install detection (backdoor.rules)
 * 1:19844 <-> DISABLED <-> BACKDOOR Trojan.TDSS.1.Gen install detection (backdoor.rules)
 * 1:19843 <-> DISABLED <-> SPYWARE-PUT Windows Antivirus 2008 (spyware-put.rules)
 * 1:19842 <-> DISABLED <-> SPYWARE-PUT Windows Antivirus 2008 (spyware-put.rules)
 * 1:19841 <-> DISABLED <-> SPYWARE-PUT 0desa MSN password stealer (spyware-put.rules)
 * 1:19840 <-> DISABLED <-> SPYWARE-PUT XP Antispyware 2009 runtime detection (spyware-put.rules)
 * 1:19839 <-> DISABLED <-> SPYWARE-PUT Antivirus XP 2008 runtime detection (spyware-put.rules)
 * 1:19838 <-> DISABLED <-> SPYWARE-PUT Spyware Guard 2008 runtime detection (spyware-put.rules)
 * 1:19837 <-> DISABLED <-> SPYWARE-PUT Spyware Guard 2008 runtime detection (spyware-put.rules)
 * 1:19836 <-> DISABLED <-> BACKDOOR Spy-Net 0.7 runtime (backdoor.rules)
 * 1:19835 <-> DISABLED <-> SPYWARE-PUT Delphi-Piette Windows (spyware-put.rules)
 * 1:19834 <-> DISABLED <-> BACKDOOR Trojan.Spy.ZBot.RD runtime detection (backdoor.rules)
 * 1:19833 <-> DISABLED <-> BACKDOOR Trojan-Downloader.Win32.Banload.bda runtime detection (backdoor.rules)
 * 1:19832 <-> DISABLED <-> BACKDOOR Trojan-Backdoor.Win32.Veslorn.gen.A runtime detection (backdoor.rules)
 * 1:19831 <-> DISABLED <-> BACKDOOR Trojan.Spy.Zbot.SO runtime detection (backdoor.rules)
 * 1:19830 <-> DISABLED <-> BACKDOOR Backdoor.Win32.Poebot.BP runtime detection (backdoor.rules)
 * 1:19829 <-> DISABLED <-> BACKDOOR Backdoor.Win32.Rbot.gen runtime detection (backdoor.rules)
 * 1:19828 <-> DISABLED <-> BACKDOOR Backdoor.Win32.SpyAgent.B runtime detection (backdoor.rules)
 * 1:19827 <-> DISABLED <-> SPYWARE-PUT PWS-QQGame runtime detection (spyware-put.rules)
 * 1:16224 <-> ENABLED <-> WEB-CLIENT iTunes invalid tref box exploit attempt (web-client.rules)

Modified Rules:
 * 1:11822 <-> DISABLED <-> WEB-ACTIVEX Yahoo Webcam Upload ActiveX clsid access (web-activex.rules)
 * 1:11823 <-> DISABLED <-> WEB-ACTIVEX Yahoo Webcam Upload ActiveX clsid unicode access (web-activex.rules)
 * 1:11824 <-> DISABLED <-> WEB-ACTIVEX Yahoo Webcam Upload ActiveX function call access (web-activex.rules)
 * 1:11825 <-> DISABLED <-> WEB-ACTIVEX Yahoo Webcam Upload ActiveX function call unicode access (web-activex.rules)
 * 1:16452 <-> DISABLED <-> WEB-CLIENT IE .hlp samba share download attempt (web-client.rules)
 * 1:16489 <-> ENABLED <-> BOTNET-CNC Bobax botnet contact to C&C server attempt (botnet-cnc.rules)
 * 1:16495 <-> ENABLED <-> BOTNET-CNC Rustock botnet contact to C&C server attempt (botnet-cnc.rules)
 * 1:16605 <-> ENABLED <-> SPECIFIC-THREATS Internet Explorer nested SPAN tag memory corruption attempt (specific-threats.rules)
 * 1:16676 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader malformed FlateDecode colors declaration (specific-threats.rules)
 * 1:17291 <-> ENABLED <-> POLICY base64-encoded uri data object found (policy.rules)
 * 1:17379 <-> ENABLED <-> WEB-CLIENT Mozilla Firefox Animated PNG Processing integer overflow (web-client.rules)
 * 1:17400 <-> ENABLED <-> WEB-CLIENT rename of JavaScript unescape function - likely malware obfuscation (web-client.rules)
 * 1:17401 <-> ENABLED <-> SPECIFIC-THREATS Internet Explorer nested tag memory corruption attempt - unescaped (specific-threats.rules)
 * 1:18675 <-> DISABLED <-> WEB-CLIENT Microsoft Windows Fax Cover page document file download attempt (web-client.rules)
 * 1:18679 <-> ENABLED <-> EXPLOIT Sun Java Applet2ClassLoader Remote Code Execution (exploit.rules)
 * 1:18944 <-> DISABLED <-> BOTNET-CNC URI request for known malicious URI - Suspected Crimepack (botnet-cnc.rules)
 * 1:18988 <-> ENABLED <-> SPECIFIC-THREATS Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt (specific-threats.rules)
 * 1:19071 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player memory corruption attempt (specific-threats.rules)
 * 1:19218 <-> DISABLED <-> WEB-CLIENT Microsoft Windows Fax Cover page document file download attempt (web-client.rules)
 * 1:19219 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption (specific-threats.rules)
 * 1:19408 <-> ENABLED <-> SPECIFIC-THREATS Adobe flash player newfunction memory corruption exploit attempt (specific-threats.rules)
 * 1:5710 <-> DISABLED <-> WEB-CLIENT Windows Media Player Plugin for Non-IE browsers buffer overflow attempt (web-client.rules)
 * 1:7985 <-> ENABLED <-> WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.1 ActiveX clsid access (web-activex.rules)
 * 1:8419 <-> ENABLED <-> WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.1 ActiveX function call (web-activex.rules)
 * 1:9823 <-> DISABLED <-> WEB-CLIENT QuickTime RTSP URI overflow attempt (web-client.rules)