Sourcefire VRT Rules Update

Date: 2011-12-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.1.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
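
As an added example (not part of the Sourcefire update itself), the following Python parses entries in this format into structured records, lists the rules that ship DISABLED so they can be fed to a rule-management tool, and counts entries per rule group. The sample lines are copied from this update's list; the one-`gid:sid`-per-line output is the form pulledpork's enablesid.conf accepts, and the function and class names are this example's own.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Sample input: four entries copied verbatim from this update's list, in the
# "gid:sid <-> Default rule state <-> Message (rule group)" format.
SAMPLE = """\
 * 1:20659 <-> ENABLED <-> WEB-CLIENT Adobe Reader malformed shading modifier heap corruption attempt (web-client.rules)
 * 1:20638 <-> DISABLED <-> SCADA Progea Movicon/PowerHMI EIDP over HTTP memory corruption attempt (scada.rules)
 * 1:20633 <-> DISABLED <-> WEB-PHP Boite de News remote file include in inc.php url_index (web-php.rules)
 * 3:14260 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (web-client.rules)
"""

# One changelog entry per line: leading " * ", gid:sid, default state, the
# free-text msg, and the rule group file in trailing parentheses.
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool   # the default state the rule ships with, not your local policy
    msg: str
    group: str

    @property
    def category(self) -> str:
        # VRT msg strings open with the classification token (WEB-PHP, SCADA, BOTNET-CNC, ...)
        return self.msg.split(" ", 1)[0]


def parse_entries(text: str) -> list[RuleEntry]:
    """Parse changelog lines, rejecting anything not in the documented format."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not in gid:sid <-> state <-> msg (group) format: {line!r}")
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED", m["msg"], m["group"]))
    return entries


def disabled_by_default(entries: list[RuleEntry]) -> list[RuleEntry]:
    """Rules shipped DISABLED never alert until enabled in local policy."""
    return [e for e in entries if not e.enabled]


def enablesid_lines(entries: list[RuleEntry]) -> list[str]:
    """One 'gid:sid' per line (the form pulledpork's enablesid.conf takes)
    for every entry that ships disabled, for review before enabling."""
    return [f"{e.gid}:{e.sid}" for e in disabled_by_default(entries)]


def count_by_group(entries: list[RuleEntry]) -> dict[str, int]:
    return dict(Counter(e.group for e in entries))


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print(f"{len(parsed)} entries, per group: {count_by_group(parsed)}")
    for e in disabled_by_default(parsed):
        print(f"ships DISABLED: {e.gid}:{e.sid} {e.category} - {e.msg}")
    print("enablesid.conf candidates:", ", ".join(enablesid_lines(parsed)))
```

Two points worth keeping in mind when using the output: correlate on gid:sid rather than on the msg text, since msg strings are edited between releases while the sid is stable; and gid 3 entries (such as 3:14260 below) are shared-object rules, which only load when the precompiled so_rules for your platform and Snort version are installed alongside the text rules.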

New Rules:

 * 1:20659 <-> ENABLED <-> WEB-CLIENT Adobe Reader malformed shading modifier heap corruption attempt (web-client.rules)
 * 1:20658 <-> ENABLED <-> POLICY HP Printer firmware update attempt (policy.rules)
 * 1:20657 <-> ENABLED <-> WEB-PHP Free File Hosting remote file include in forgot_pass.php ad_body_temp (web-php.rules)
 * 1:20656 <-> ENABLED <-> WEB-PHP GestArtremote file include in aide.php3 aide (web-php.rules)
 * 1:20655 <-> ENABLED <-> CHAT Yahoo Messenger iframe injection status change attempt (chat.rules)
 * 1:20654 <-> ENABLED <-> WEB-PHP GrapAgenda remote file include in index.php page (web-php.rules)
 * 1:20653 <-> ENABLED <-> SMTP Windows Media Player ASX file ref href buffer overflow attempt (smtp.rules)
 * 1:20652 <-> ENABLED <-> WEB-PHP ME Download System remote file include in header.php Vb8878b936c2bd8ae0cab (web-php.rules)
 * 1:20651 <-> ENABLED <-> WEB-PHP Modernbill remote file include in config.php DIR (web-php.rules)
 * 1:20650 <-> ENABLED <-> WEB-PHP MyNewsGroups remote file include in layersmenu.inc.php myng_root (web-php.rules)
 * 1:20649 <-> ENABLED <-> WEB-PHP ADNForum SQL injection in index.php fid attempt (web-php.rules)
 * 1:20648 <-> ENABLED <-> WEB-PHP Bit 5 Blog SQL injection in processlogin.php username via (web-php.rules)
 * 1:20647 <-> ENABLED <-> WEB-PHP inTouch SQL injection in index.php user attempt (web-php.rules)
 * 1:20646 <-> ENABLED <-> WEB-PHP Benders Calendar SQL injection in index.php this_day attempt (web-php.rules)
 * 1:20645 <-> ENABLED <-> WEB-PHP Lizard Cart CMS SQL injection in pages.php id attempt (web-php.rules)
 * 1:20644 <-> ENABLED <-> WEB-PHP Lizard Cart CMS SQL injection in detail.php id attempt (web-php.rules)
 * 1:20643 <-> ENABLED <-> WEB-PHP ScozBook SQL injection in auth.php adminname attempt (web-php.rules)
 * 1:20642 <-> ENABLED <-> WEB-PHP TankLogger SQL injection in showInfo.php livestock_id attempt (web-php.rules)
 * 1:20641 <-> ENABLED <-> WEB-PHP TheWebForum SQL injection in login.php username attempt (web-php.rules)
 * 1:20640 <-> ENABLED <-> WEB-PHP VEGO Web Forum SQL injection in login.php username attempt (web-php.rules)
 * 1:20639 <-> ENABLED <-> BOTNET-CNC Malware Trojan.Win32.Higest.N outbound connection attempt (botnet-cnc.rules)
 * 1:20638 <-> DISABLED <-> SCADA Progea Movicon/PowerHMI EIDP over HTTP memory corruption attempt (scada.rules)
 * 1:20637 <-> ENABLED <-> SPECIFIC-THREATS Adobe Photoshop CS5 gif file heap corruption attempt (specific-threats.rules)
 * 1:20636 <-> ENABLED <-> SPECIFIC-THREATS Adobe Photoshop CS5 gif file heap corruption attempt (specific-threats.rules)
 * 1:20635 <-> ENABLED <-> WEB-MISC HP Data Protector GetPolicies SQL Injection attempt (web-misc.rules)
 * 1:20634 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer onscroll DOS attempt (specific-threats.rules)
 * 1:20633 <-> DISABLED <-> WEB-PHP Boite de News remote file include in inc.php url_index (web-php.rules)
 * 1:20632 <-> DISABLED <-> WEB-PHP AnnoncesV remote file include in annonce.php page (web-php.rules)
 * 1:20631 <-> DISABLED <-> WEB-PHP Akarru remote file include in main_content.php bm_content (web-php.rules)
 * 1:20630 <-> ENABLED <-> BOTNET-CNC Win32.Winnti.A contact to cnc server attempt (botnet-cnc.rules)
 * 1:20629 <-> ENABLED <-> WEB-PHP geoBlog SQL injection in viewcat.php cat parameter attempt (web-php.rules)
 * 1:20628 <-> ENABLED <-> WEB-MISC HP Data Protector FinishedCopy SQL Injection attempt (web-misc.rules)
 * 1:20627 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Shylock.A C&C server response attempt (botnet-cnc.rules)
 * 1:20626 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Shylock.A contact to C&C server attempt (botnet-cnc.rules)

Modified Rules:

 * 1:9841 <-> ENABLED <-> SMTP Microsoft Office Outlook VEVENT overflow attempt (smtp.rules)
 * 1:9625 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASX file ref href buffer overflow attempt (web-client.rules)
 * 1:8705 <-> DISABLED <-> SMTP YPOPS buffer overflow attempt (smtp.rules)
 * 1:8704 <-> DISABLED <-> SMTP YPOPS Banner (smtp.rules)
 * 1:6413 <-> DISABLED <-> SMTP Microsoft Windows Address Book Base64 encoded attachment detected (smtp.rules)
 * 1:6412 <-> DISABLED <-> SMTP Microsoft Windows Address Book attachment detected (smtp.rules)
 * 1:5714 <-> ENABLED <-> SMTP x-unix-mode executable mail attachment (smtp.rules)
 * 1:5711 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Media Player zero length bitmap heap overflow attempt (web-client.rules)
 * 1:5691 <-> DISABLED <-> SMTP SSLv2 Server_Hello request (smtp.rules)
 * 1:381 <-> ENABLED <-> ICMP PING Oracle Solaris (icmp-info.rules)
 * 1:3656 <-> DISABLED <-> SMTP MDaemon 6.5.1 and prior versions MAIL overflow attempt (smtp.rules)
 * 1:3655 <-> ENABLED <-> SMTP SEND overflow attempt (smtp.rules)
 * 1:3654 <-> ENABLED <-> SMTP SOML overflow attempt (smtp.rules)
 * 1:3653 <-> ENABLED <-> SMTP SAML overflow attempt (smtp.rules)
 * 1:3497 <-> DISABLED <-> SMTP SSLv2 Server_Hello request (smtp.rules)
 * 1:3078 <-> DISABLED <-> NNTP Microsoft Windows SEARCH pattern overflow attempt (nntp.rules)
 * 1:2927 <-> DISABLED <-> NNTP Microsoft Windows XPAT pattern overflow attempt (nntp.rules)
 * 1:2275 <-> ENABLED <-> SMTP AUTH LOGON brute force attempt (smtp.rules)
 * 1:20620 <-> DISABLED <-> WEB-CLIENT CoreHTTP Long buffer overflow attempt (web-client.rules)
 * 1:20619 <-> DISABLED <-> SPECIFIC-THREATS CoreHTTP Long buffer overflow attempt (specific-threats.rules)
 * 1:20512 <-> DISABLED <-> FILE-IDENTIFY mx4 file magic detection (file-identify.rules)
 * 1:20511 <-> DISABLED <-> FILE-IDENTIFY bcproj file magic detection (file-identify.rules)
 * 1:20470 <-> DISABLED <-> FILE-IDENTIFY RIFF file magic detection (file-identify.rules)
 * 1:20290 <-> DISABLED <-> BACKDOOR Win32.Doschald.A inbound connection (backdoor.rules)
 * 1:20267 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer circular reference exploit attempt (specific-threats.rules)
 * 1:20248 <-> DISABLED <-> RPC IBM AIX and Oracle Solaris nfsd v4 nfs_portmon security bypass attempt (rpc.rules)
 * 1:18768 <-> ENABLED <-> SMTP Novell GroupWise internet agent RRULE parsing buffer overflow attempt (smtp.rules)
 * 1:18705 <-> ENABLED <-> SMTP Microsoft Office RTF malformed second pfragments field (smtp.rules)
 * 1:18704 <-> ENABLED <-> SMTP Microsoft Office RTF malformed second pfragments field (smtp.rules)
 * 1:18703 <-> ENABLED <-> SMTP Microsoft Office RTF malformed pfragments field (smtp.rules)
 * 1:18702 <-> ENABLED <-> SMTP Microsoft Office RTF malformed pfragments field (smtp.rules)
 * 1:10012 <-> ENABLED <-> SMTP Microsoft Office Outlook VEVENT non-TZID overflow attempt (smtp.rules)
 * 1:10136 <-> DISABLED <-> TELNET Oracle Solaris login environment variable authentication bypass attempt (telnet.rules)
 * 1:18701 <-> DISABLED <-> SMTP Rich text file .rtf attachment (smtp.rules)
 * 1:11837 <-> ENABLED <-> SMTP Microsoft Windows Mail UNC navigation remote command execution (smtp.rules)
 * 1:12080 <-> DISABLED <-> EXPLOIT Oracle Solaris printd arbitrary file deletion vulnerability (exploit.rules)
 * 1:12198 <-> DISABLED <-> SNMP Microsoft Windows getbulk request (snmp.rules)
 * 1:13894 <-> ENABLED <-> SMTP Microsoft Office Outlook Web Access From field cross-site scripting attempt (smtp.rules)
 * 1:18554 <-> DISABLED <-> SMTP Microsoft Office Powerpoint .ppt attachment (smtp.rules)
 * 1:13895 <-> ENABLED <-> SMTP Microsoft Office Outlook Web Access invalid CSS escape sequence script execution attempt (smtp.rules)
 * 1:15367 <-> DISABLED <-> SMTP Microsoft Office Outlook web access script injection attempt (smtp.rules)
 * 1:16439 <-> DISABLED <-> BOTNET-CNC Possible Zeus User-Agent - _TEST_ (botnet-cnc.rules)
 * 1:16440 <-> DISABLED <-> BOTNET-CNC Possible Zeus User-Agent - ie (botnet-cnc.rules)
 * 1:18553 <-> DISABLED <-> SMTP Microsoft Office Excel .xlw attachment (smtp.rules)
 * 1:16441 <-> DISABLED <-> BOTNET-CNC Possible Zeus User-Agent - Download (botnet-cnc.rules)
 * 1:16442 <-> DISABLED <-> BOTNET-CNC Possible Zeus User-Agent - Mozilla (botnet-cnc.rules)
 * 1:16705 <-> ENABLED <-> RPC Oracle Solaris sadmind UDP array size buffer overflow attempt (rpc.rules)
 * 1:16706 <-> ENABLED <-> RPC Oracle Solaris sadmind TCP array size buffer overflow attempt (rpc.rules)
 * 1:18552 <-> DISABLED <-> SMTP Microsoft Office Excel .xls attachment (smtp.rules)
 * 1:16796 <-> ENABLED <-> RPC Oracle Solaris sadmind UDP data length integer overflow attempt (rpc.rules)
 * 1:16797 <-> ENABLED <-> RPC Oracle Solaris sadmind TCP data length integer overflow attempt (rpc.rules)
 * 1:17034 <-> ENABLED <-> SMTP Microsoft Office Outlook AttachMethods local file execution attempt (smtp.rules)
 * 1:18551 <-> DISABLED <-> SMTP Microsoft Office Word .doc attachment (smtp.rules)
 * 1:18310 <-> ENABLED <-> SMTP Microsoft Office RTF parsing remote code execution attempt (smtp.rules)
 * 1:17662 <-> ENABLED <-> BAD-TRAFFIC Oracle Solaris DHCP Client Arbitrary Code Execution attempt (bad-traffic.rules)
 * 1:17433 <-> DISABLED <-> EXPLOIT Oracle Solaris DHCP Client Arbitrary Code Execution attempt (exploit.rules)
 * 1:17353 <-> DISABLED <-> EXPLOIT Oracle Solaris printd Daemon Arbitrary File Deletion attempt (exploit.rules)
 * 1:17333 <-> ENABLED <-> SMTP Lotus Notes Attachment Viewer UUE file buffer overflow attempt (smtp.rules)
 * 1:17332 <-> ENABLED <-> SMTP Content-Disposition attachment (smtp.rules)
 * 1:17035 <-> ENABLED <-> SMTP Microsoft Office Outlook AttachMethods local file execution attempt (smtp.rules)
 * 1:17036 <-> ENABLED <-> SMTP Microsoft Office Outlook AttachMethods local file execution attempt (smtp.rules)
 * 3:14260 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (web-client.rules)