Sourcefire VRT Rules Update

Date: 2012-06-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.1.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:23221 <-> ENABLED <-> SPECIFIC-THREATS RedKit Jar File Naming Algorithm (specific-threats.rules)
 * 1:23218 <-> ENABLED <-> SPECIFIC-THREATS RedKit Repeated Exploit Request Pattern (specific-threats.rules)
 * 1:23225 <-> ENABLED <-> SPECIFIC-THREATS RedKit Landing Page Received - applet and flowbit (specific-threats.rules)
 * 1:23224 <-> ENABLED <-> SPECIFIC-THREATS RedKit Landing Page Requested - 8Digit.html (specific-threats.rules)
 * 1:23223 <-> ENABLED <-> SPECIFIC-THREATS RedKit Landing Page Received - applet and code (specific-threats.rules)
 * 1:23217 <-> DISABLED <-> SHELLCODE x86 OS agnostic avoid_utf8_tolower javascript encoder (shellcode.rules)
 * 1:23214 <-> ENABLED <-> BACKDOOR Trojan.Win32.Waprox.A runtime detection (backdoor.rules)
 * 1:23213 <-> DISABLED <-> SQL Ruby on rails SQL injection attempt (sql.rules)
 * 1:23212 <-> DISABLED <-> WEB-CLIENT Mozilla Firefox IDB use-after-free attempt (web-client.rules)
 * 1:23216 <-> DISABLED <-> WEB-MISC Ruby on Rails SQL injection attempt (web-misc.rules)
 * 1:23219 <-> ENABLED <-> SPECIFIC-THREATS Redkit Java Exploit request to .class file (specific-threats.rules)
 * 1:23215 <-> DISABLED <-> BACKDOOR Trojan.Win32.Waprox.A runtime detection (backdoor.rules)
 * 1:23220 <-> ENABLED <-> SPECIFIC-THREATS RedKit Java Exploit Requested - 5 digit jar (specific-threats.rules)
 * 1:23226 <-> ENABLED <-> INDICATOR-OBFUSCATION JavaScript error suppression routine (indicator-obfuscation.rules)
 * 1:23222 <-> ENABLED <-> SPECIFIC-THREATS RedKit Landing Page Received - applet and 5digit jar (specific-threats.rules)
 * 1:23227 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt (file-office.rules)

Modified Rules:
 * 1:19568 <-> DISABLED <-> BOTNET-CNC Trojan-Spy.Win32.PerfectKeylogger runtime detection (botnet-cnc.rules)
 * 1:22102 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF malformed pfragments field (file-office.rules)
 * 1:21484 <-> ENABLED <-> WEB-CLIENT zip file name buffer overflow attempt (web-client.rules)
 * 1:23174 <-> DISABLED <-> WEB-ACTIVEX IBM Lotus Quickr ActiveX stack buffer overflow attempt (web-activex.rules)
 * 1:22101 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF malformed pfragments field (file-office.rules)
 * 1:22081 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt (file-office.rules)
 * 3:17647 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt (web-client.rules)
 * 3:15851 <-> ENABLED <-> DOS Microsoft ASP.NET bad request denial of service attempt (dos.rules)
 * 3:16530 <-> ENABLED <-> WEB-CLIENT CAB SIP authenticode alteration attempt (web-client.rules)