Sourcefire VRT Rules Update

Date: 2011-12-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.1.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:20814 <-> ENABLED <-> WEB-CLIENT Mozilla favicon href javascript execution attempt (web-client.rules)
 * 1:20815 <-> DISABLED <-> WEB-PHP Vmist Downstat remote file include in chart.php art (web-php.rules)
 * 1:20816 <-> DISABLED <-> WEB-PHP Vmist Downstat remote file include in admin.php art (web-php.rules)
 * 1:20817 <-> DISABLED <-> WEB-PHP Vmist Downstat remote file include in modes.php art (web-php.rules)
 * 1:20818 <-> DISABLED <-> WEB-PHP Vmist Downstat remote file include in stats.php art (web-php.rules)
 * 1:20819 <-> DISABLED <-> WEB-PHP ACal Calendar Project cookie based authentication bypass attempt (web-php.rules)
 * 1:20820 <-> ENABLED <-> WEB-CLIENT Java JNLP parameter argument injection attempt (web-client.rules)
 * 1:20821 <-> DISABLED <-> EXPLOIT Apache APR header memory corruption attempt (exploit.rules)
 * 1:20822 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer contenteditable corruption attempt malicious string (specific-threats.rules)
 * 1:20823 <-> ENABLED <-> DOS generic web server hashing collision attack (dos.rules)
 * 1:20824 <-> ENABLED <-> DOS generic web server hashing collision attack (dos.rules)

Modified Rules:

 * 1:18702 <-> ENABLED <-> SMTP Microsoft Office RTF malformed pfragments field (smtp.rules)
 * 1:18550 <-> ENABLED <-> POLICY Microsoft Office PowerPoint with embedded Flash file attachment (policy.rules)
 * 1:18603 <-> ENABLED <-> SPECIFIC-THREATS IBM Lotus Notes Applix Graphics Parsing Buffer Overflow (specific-threats.rules)
 * 1:20812 <-> ENABLED <-> TELNET FreeBSD telnetd enc_keyid overflow attempt (telnet.rules)
 * 1:18476 <-> ENABLED <-> SPECIFIC-THREATS IBM Lotus Notes DOC attachment viewer buffer overflow (specific-threats.rules)
 * 1:18477 <-> ENABLED <-> SMTP Lotus Notes MIF viewer statement data overflow 2 (specific-threats.rules)
 * 1:18310 <-> ENABLED <-> SMTP Microsoft Office RTF parsing remote code execution attempt (smtp.rules)
 * 1:12465 <-> DISABLED <-> EXPLOIT Apache APR memory corruption attempt (exploit.rules)
 * 1:16342 <-> ENABLED <-> WEB-CLIENT Microsoft Windows AVIFile truncated media file processing memory corruption attempt (web-client.rules)
 * 1:17275 <-> ENABLED <-> SPECIFIC-THREATS Symantec Brightmail AntiSpam nested Zip handling denial of service attempt (specific-threats.rules)
 * 1:18548 <-> ENABLED <-> POLICY Microsoft Office Excel with embedded Flash file attachment (policy.rules)
 * 1:18704 <-> ENABLED <-> SMTP Microsoft Office RTF malformed second pfragments field (smtp.rules)
 * 1:20813 <-> ENABLED <-> TELNET FreeBSD telnetd dec_keyid overflow attempt (telnet.rules)
 * 1:18549 <-> ENABLED <-> POLICY Microsoft Office Word with embedded Flash file attachment (policy.rules)
 * 1:18544 <-> ENABLED <-> SPECIFIC-THREATS embedded Shockwave dropper in email attachment (specific-threats.rules)