Sourcefire VRT Rules Update

Date: 2011-12-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.1.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:20798 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file attachment detected (file-identify.rules)
 * 1:20796 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word file attachment detected (file-identify.rules)
 * 1:20794 <-> DISABLED <-> DELETED FILE-IDENTIFY Microsoft Office Word file download request (deleted.rules)
 * 1:20795 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word file attachment detected (file-identify.rules)
 * 1:20793 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel file attachment detected (file-identify.rules)
 * 1:20790 <-> ENABLED <-> SPECIFIC-THREATS Internet Explorer layout-grid-char value exploit attempt (specific-threats.rules)
 * 1:20791 <-> DISABLED <-> DELETED FILE-IDENTIFY Microsoft Office Excel file download request (deleted.rules)
 * 1:20788 <-> ENABLED <-> SPECIFIC-THREATS Internet Explorer layout-grid-char value exploit attempt (specific-threats.rules)
 * 1:20789 <-> ENABLED <-> SPECIFIC-THREATS Internet Explorer layout-grid-char value exploit attempt (specific-threats.rules)
 * 1:20786 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer layout-grid-char value exploit attempt (web-client.rules)
 * 1:20787 <-> ENABLED <-> SPECIFIC-THREATS Internet Explorer layout-grid-char value exploit attempt (specific-threats.rules)
 * 1:20785 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player ActionScript callMethod type confusion attempt (specific-threats.rules)
 * 1:20783 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player ActionScript callMethod type confusion attempt - dear chu.rar (specific-threats.rules)
 * 1:20782 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player ActionScript callMethod type confusion attempt - economy.rar (specific-threats.rules)
 * 1:20781 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player ActionScript callMethod type confusion attempt (specific-threats.rules)
 * 1:20780 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player ActionScript callMethod type confusion attempt - namelist.xls (specific-threats.rules)
 * 1:20779 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player ActionScript callMethod type confusion attempt - dear chu.rar (specific-threats.rules)
 * 1:20778 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player ActionScript callMethod type confusion attempt - economy.rar (specific-threats.rules)
 * 1:20777 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash ActionScript float index array memory corruption attempt (specific-threats.rules)
 * 1:20768 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:20771 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:20772 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:20774 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:20775 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:20776 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:20752 <-> ENABLED <-> SPYWARE-PUT Win32.GameVance outbound connection (spyware-put.rules)
 * 1:20753 <-> ENABLED <-> SPYWARE-PUT Win32.GamePlayLabs outbound connection (spyware-put.rules)
 * 1:20754 <-> ENABLED <-> BOTNET-CNC Win32.Virut-3 outbound connection (botnet-cnc.rules)
 * 1:20755 <-> DISABLED <-> BOTNET-CNC Win32.Krap outbound connection (botnet-cnc.rules)
 * 1:20756 <-> ENABLED <-> BOTNET-CNC Win32.Jorik variant outbound connection (botnet-cnc.rules)
 * 1:20757 <-> ENABLED <-> BOTNET-CNC Win32.Kazy variant outbound connection (botnet-cnc.rules)
 * 1:20758 <-> DISABLED <-> POLICY Progrea Movicon TCPUploadServer.exe unauthenticated access attempt (policy.rules)
 * 1:20759 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Gbot.oce outbound connection (botnet-cnc.rules)
 * 1:20760 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Sasfis outbound connection (botnet-cnc.rules)
 * 1:20761 <-> ENABLED <-> EXPLOIT HP OpenView Storage Data Protector buffer overflow attempt (exploit.rules)
 * 1:20762 <-> DISABLED <-> BOTNET-CNC MacOS.Flashback.A outbound connection (botnet-cnc.rules)
 * 1:20763 <-> ENABLED <-> BOTNET-CNC Trojan.Spyeye-206 outbound connection (botnet-cnc.rules)
 * 1:20764 <-> ENABLED <-> WEB-MISC SyBase MBusiness xml closing tag overflow attempt (web-misc.rules)
 * 1:20765 <-> ENABLED <-> WEB-CLIENT Windows 7 x86-64 Safari Browser iFrame DoS Attempt (web-client.rules)
 * 1:20766 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer contenteditable corruption attempt (web-client.rules)
 * 1:20767 <-> DISABLED <-> SPECIFIC-THREATS Adobe Flash ActionScript float index array memory corruption (specific-threats.rules)
 * 1:20784 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player ActionScript callMethod type confusion attempt - namelist.xls (specific-threats.rules)
 * 1:20792 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel file attachment detected (file-identify.rules)
 * 1:20797 <-> DISABLED <-> DELETED FILE-IDENTIFY Adobe Shockwave Flash file download request (deleted.rules)
 * 1:20770 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:20773 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:20802 <-> ENABLED <-> SPECIFIC-THREATS Adobe Acrobat Reader PRC file MarkupLinkedItem arbitrary code execution attempt (specific-threats.rules)
 * 1:20801 <-> ENABLED <-> FILE-IDENTIFY MIME file type file attachment detected (file-identify.rules)
 * 1:20800 <-> ENABLED <-> FILE-IDENTIFY MIME file type file attachment detected (file-identify.rules)
 * 1:20769 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:20799 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file attachment detected (file-identify.rules)

Modified Rules:

 * 1:16271 <-> ENABLED <-> BACKDOOR Trojan.TDSS.1.Gen keepalive detection (backdoor.rules)
 * 1:18268 <-> DISABLED <-> BLACKLIST DNS request for known malware domain 35free.net (blacklist.rules)
 * 1:18269 <-> DISABLED <-> BLACKLIST DNS request for known malware domain dnf.6bom.com (blacklist.rules)
 * 1:18270 <-> DISABLED <-> BLACKLIST DNS request for known malware domain koonol.com (blacklist.rules)
 * 1:18271 <-> DISABLED <-> BLACKLIST DNS request for known malware domain move.su (blacklist.rules)
 * 1:18272 <-> DISABLED <-> BLACKLIST DNS request for known malware domain www.886.com (blacklist.rules)
 * 1:18488 <-> ENABLED <-> WEB-CLIENT Adobe Photoshop wintab32.dll dll-load exploit attempt (web-client.rules)
 * 1:18489 <-> ENABLED <-> NETBIOS Adobe Photoshop wintab32.dll dll-load exploit attempt (netbios.rules)
 * 1:18648 <-> ENABLED <-> SCADA IGSS IGSSDataServer.exe file upload/download attempt (scada.rules)
 * 1:18657 <-> ENABLED <-> SCADA IGSS dc.exe file execution directory traversal attempt (scada.rules)
 * 1:19188 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:19237 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer contenteditable corruption attempt (web-client.rules)
 * 1:19243 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer layout-grid-char value exploit attempt (web-client.rules)
 * 1:19262 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash ActionScript float index array memory corruption (specific-threats.rules)
 * 1:19263 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash ActionScript float index array memory corruption (specific-threats.rules)
 * 1:19264 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash ActionScript float index array memory corruption (specific-threats.rules)
 * 1:19265 <-> ENABLED <-> SPECIFIC-THREATS Internet Explorer layout-grid-char value exploit attempt (specific-threats.rules)
 * 1:19266 <-> ENABLED <-> SPECIFIC-THREATS Internet Explorer layout-grid-char value exploit attempt (specific-threats.rules)
 * 1:20030 <-> ENABLED <-> SCADA IGSS IGSSDataServer.exe file operation directory traversal attempt (scada.rules)
 * 1:20031 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash ActionScript float index array memory corruption (specific-threats.rules)
 * 1:20032 <-> ENABLED <-> FILE-IDENTIFY MIME file type file download request (file-identify.rules)
 * 1:20073 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:20131 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player ActionScript callMethod type confusion attempt (specific-threats.rules)
 * 1:20157 <-> ENABLED <-> POLICY Oracle Sun GlassFish Server war file upload attempt (policy.rules)
 * 1:20158 <-> ENABLED <-> WEB-MISC Oracle Sun GlassFish Server default credentials login attempt (web-misc.rules)
 * 1:20159 <-> ENABLED <-> WEB-MISC Oracle Sun GlassFish Server authentication bypass attempt (web-misc.rules)
 * 1:20160 <-> ENABLED <-> WEB-MISC Oracle Sun GlassFish Server successful authentication bypass attempt (web-misc.rules)
 * 1:20659 <-> ENABLED <-> WEB-CLIENT Adobe Reader malformed shading modifier heap corruption attempt (web-client.rules)