Sourcefire VRT Rules Update

Date: 2011-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.1.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

"Default rule state" is the state the rule ships with in the pack: a DISABLED rule is present in its .rules file but commented out, so it generates no alerts until enabled in the local configuration.
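A small parser for the line format above, added here as an example and not part of the Sourcefire update itself. It turns the "gid:sid <-> state <-> Message (group)" entries into records, reports which changed rules are disabled by default, and emits plain "gid:sid" lines for re-enabling chosen ones (the form PulledPork's enablesid.conf takes, stated as an assumption). The sample input is a handful of lines copied from this update so the script runs offline.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed sample: section headers plus a few entries copied from the update above.
SAMPLE = """\
New Rules:


 * 1:20274 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP NetShareEnumAll request (netbios.rules)
 * 1:20252 <-> ENABLED <-> BOTNET-CNC DroidKungFu check-in (botnet-cnc.rules)
 * 3:20275 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss NetShareEnumAll response overflow attempt (netbios.rules)

Modified Rules:


 * 1:6701 <-> DISABLED <-> WEB-CLIENT Malformed PNG detected zTXt overflow attempt (web-client.rules)
 * 1:13573 <-> ENABLED <-> WEB-CLIENT Microsoft Outlook arbitrary command line attempt  (web-client.rules)
 * 1:2656 <-> DISABLED <-> WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt (web-misc.rules)
"""

# One changelog entry: " * gid:sid <-> ENABLED|DISABLED <-> message (group.rules)".
# The lazy message group tolerates the stray double space before "(group)".
RULE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)
SECTION_RE = re.compile(r"^(?P<section>New|Modified) Rules:\s*$")


@dataclass(frozen=True)
class RuleChange:
    gid: int
    sid: int
    enabled: bool      # default state shipped in the pack
    msg: str
    group: str         # rules file, e.g. "netbios.rules"
    section: str       # "New" or "Modified"


def parse_update(text: str) -> List[RuleChange]:
    """Parse the update text into RuleChange records; lines before the first section are ignored."""
    section = None
    changes: List[RuleChange] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        if not line.strip() or section is None:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised entry: {line!r}")
        changes.append(RuleChange(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                                  m["msg"], m["group"], section))
    return changes


def disabled_by_default(changes: Iterable[RuleChange]) -> List[RuleChange]:
    """Rules that ship commented out and will not alert unless enabled locally."""
    return [c for c in changes if not c.enabled]


def count_by_group(changes: Iterable[RuleChange]) -> Dict[str, int]:
    """How many changed rules land in each .rules file."""
    return dict(Counter(c.group for c in changes))


def enablesid_lines(changes: Iterable[RuleChange], groups: Set[str]) -> List[str]:
    """'gid:sid' lines for disabled rules in the chosen groups (assumed enablesid.conf form)."""
    return [f"{c.gid}:{c.sid}" for c in changes if not c.enabled and c.group in groups]


if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    print(f"{len(parsed)} entries; per group: {count_by_group(parsed)}")
    for c in disabled_by_default(parsed):
        print(f"disabled by default: {c.gid}:{c.sid} {c.msg} ({c.section})")
    print("enablesid candidates:", enablesid_lines(parsed, {"web-client.rules", "web-misc.rules"}))
```

Feed the whole update file to parse_update to diff the shipped default states against what a sensor actually has enabled; the parser raises on any entry it cannot read rather than silently dropping it.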

New Rules:


 * 1:20274 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP NetShareEnumAll request (netbios.rules)
 * 1:20273 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer jscript9 parsing corruption attempt (specific-threats.rules)
 * 1:20272 <-> ENABLED <-> DOS Microsoft Forefront UAG NLSessionS cookie overflow attempt (dos.rules)
 * 1:20271 <-> ENABLED <-> DOS Microsoft Host Integration Server SNA length dos attempt (dos.rules)
 * 1:20270 <-> ENABLED <-> WEB-CLIENT Microsoft Windows afd.sys kernel-mode memory corruption attempt (web-client.rules)
 * 1:20269 <-> ENABLED <-> WEB-CLIENT FON font file request (web-client.rules)
 * 1:20268 <-> ENABLED <-> SPECIFIC-THREATS Internet Explorer Marquee stylesheet object removal (specific-threats.rules)
 * 1:20267 <-> ENABLED <-> SPECIFIC-THREATS Internet Explorer circular reference exploit attempt (specific-threats.rules)
 * 1:20266 <-> ENABLED <-> WEB-MISC IE8 Javascript negative option index attack attempt (web-misc.rules)
 * 1:20265 <-> ENABLED <-> SPECIFIC-THREATS IE null attribute crash (specific-threats.rules)
 * 1:20264 <-> ENABLED <-> SPECIFIC-THREATS IE selection option and form reset attack (specific-threats.rules)
 * 1:20263 <-> ENABLED <-> WEB-CLIENT htmlfile null attribute access (web-client.rules)
 * 1:20262 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer onscroll DOS attempt (web-client.rules)
 * 1:20261 <-> ENABLED <-> WEB-CLIENT Microsoft Windows win32k.sys kernel mode null pointer dereference attempt (web-client.rules)
 * 1:20260 <-> ENABLED <-> WEB-CLIENT Microsoft Client Agent Helper JAR download attempt (web-client.rules)
 * 1:20259 <-> ENABLED <-> WEB-MISC Malicious Microsoft Agent Helper JAR download attempt (web-misc.rules)
 * 1:20258 <-> ENABLED <-> EXPLOIT javascript handler in URI XSS attempt (exploit.rules)
 * 1:20257 <-> ENABLED <-> WEB-MISC Microsoft ForeFront UAG ExcelTable.asp XSS attempt (web-misc.rules)
 * 1:20256 <-> ENABLED <-> EXPLOIT Microsoft Forefront UAG http response splitting attempt (exploit.rules)
 * 1:20255 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Silverlight inheritance restriction bypass (specific-threats.rules)
 * 1:20254 <-> ENABLED <-> WEB-CLIENT Microsoft products oleaut32.dll dll-load exploit attempt (web-client.rules)
 * 1:20253 <-> ENABLED <-> NETBIOS Microsoft products oleaut32.dll dll-load exploit attempt (netbios.rules)
 * 1:20252 <-> ENABLED <-> BOTNET-CNC DroidKungFu check-in (botnet-cnc.rules)
 * 3:20275 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss NetShareEnumAll response overflow attempt (netbios.rules)

Modified Rules:


 * 1:6701 <-> DISABLED <-> WEB-CLIENT Malformed PNG detected zTXt overflow attempt (web-client.rules)
 * 1:6699 <-> DISABLED <-> WEB-CLIENT Malformed PNG detected iTXt overflow attempt (web-client.rules)
 * 1:13573 <-> ENABLED <-> WEB-CLIENT Microsoft Outlook arbitrary command line attempt (web-client.rules)
 * 1:16214 <-> ENABLED <-> DOS Squid Proxy invalid HTTP response code denial of service attempt (dos.rules)
 * 1:16377 <-> ENABLED <-> EXPLOIT Internet Explorer DOM mergeAttributes memory corruption attempt (exploit.rules)
 * 1:16425 <-> ENABLED <-> WEB-CLIENT request for Portable Executable binary file (web-client.rules)
 * 1:16426 <-> ENABLED <-> WEB-MISC Sun Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method (web-misc.rules)
 * 1:6698 <-> DISABLED <-> WEB-CLIENT Malformed PNG detected tIME overflow attempt (web-client.rules)
 * 1:16427 <-> ENABLED <-> WEB-MISC Sun Java System Web Server 7.0 WebDAV format string exploit attempt - LOCK method (web-misc.rules)
 * 1:17625 <-> ENABLED <-> ORACLE Oracle Database Core RDBMS component denial of service attempt (oracle.rules)
 * 1:17746 <-> ENABLED <-> NETBIOS SMB client TRANS response Find_First2 filename overflow attempt (netbios.rules)
 * 1:6697 <-> DISABLED <-> WEB-CLIENT Malformed PNG detected sPLT overflow attempt (web-client.rules)
 * 1:18496 <-> ENABLED <-> WEB-CLIENT Windows Media Player and shell extension ehtrace.dll dll-load exploit attempt (web-client.rules)
 * 1:18497 <-> ENABLED <-> NETBIOS Windows Media Player and shell extension ehtrace.dll dll-load exploit attempt (netbios.rules)
 * 1:19889 <-> ENABLED <-> POLICY base64-encoded data object found (policy.rules)
 * 1:20034 <-> DISABLED <-> EXPLOIT ESTsoft ALZip MIM File Buffer Overflow Attempt (exploit.rules)
 * 1:20228 <-> ENABLED <-> BOTNET-CNC Win32.Hupigon variant outbound connection (botnet-cnc.rules)
 * 1:6696 <-> DISABLED <-> WEB-CLIENT Malformed PNG detected pHYs overflow attempt (web-client.rules)
 * 1:2656 <-> DISABLED <-> WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt (web-misc.rules)
 * 1:6689 <-> DISABLED <-> WEB-CLIENT Malformed PNG detected cHRM overflow attempt (web-client.rules)
 * 1:6695 <-> DISABLED <-> WEB-CLIENT Malformed PNG detected tRNS overflow attempt (web-client.rules)
 * 1:6692 <-> DISABLED <-> WEB-CLIENT Malformed PNG detected sRGB overflow attempt (web-client.rules)
 * 1:6694 <-> DISABLED <-> WEB-CLIENT Malformed PNG detected hIST overflow attempt (web-client.rules)
 * 1:6693 <-> DISABLED <-> WEB-CLIENT Malformed PNG detected bKGD overflow attempt (web-client.rules)
 * 1:6690 <-> DISABLED <-> WEB-CLIENT Malformed PNG detected iCCP overflow attempt (web-client.rules)
 * 1:6691 <-> DISABLED <-> WEB-CLIENT Malformed PNG detected sBIT overflow attempt (web-client.rules)