Sourcefire VRT Rules Update

Date: 2012-07-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.1.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:23238 <-> DISABLED <-> NETBIOS Wireshark console.lua file load exploit attempt (netbios.rules)
 * 1:23237 <-> DISABLED <-> NETBIOS SMB2 client NetBufferList NULL entry remote code execution attempt (netbios.rules)
 * 1:23261 <-> ENABLED <-> BOTNET-CNC known command and control traffic - Pushbot (botnet-cnc.rules)
 * 1:23239 <-> DISABLED <-> WEB-CLIENT Wireshark console.lua file load exploit attempt (web-client.rules)
 * 1:23243 <-> ENABLED <-> WEB-CLIENT Java Zip file directory record overflow attempt (web-client.rules)
 * 1:23244 <-> ENABLED <-> BOTNET-CNC Trojan.Kuluoz variant outbound connection attempt (botnet-cnc.rules)
 * 1:23245 <-> ENABLED <-> BOTNET-CNC Trojan.Downloader variant outbound connection attempt (botnet-cnc.rules)
 * 1:23259 <-> DISABLED <-> EXPLOIT LANDesk Thinkmanagement Suite ServerSetup Directory Transversal attempt (exploit.rules)
 * 1:23246 <-> ENABLED <-> SPYWARE-PUT Wajam Monitizer url download attempt - post infection (spyware-put.rules)
 * 1:23258 <-> DISABLED <-> EXPLOIT LANDesk Thinkmanagement Suite ServerSetup Directory Transversal attempt (exploit.rules)
 * 1:23257 <-> DISABLED <-> BOTNET-CNC Trojan.Duojeen variant outbound connection attempt (botnet-cnc.rules)
 * 1:23256 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
 * 1:23253 <-> DISABLED <-> WEB-ACTIVEX HP Easy Printer Care XMLSimpleAccessor ActiveX function call access attempt (web-activex.rules)
 * 1:23254 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Delf.CL connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23248 <-> ENABLED <-> SPECIFIC-THREATS Unknown Exploit Kit getfile.php (specific-threats.rules)
 * 1:23250 <-> ENABLED <-> FILE-PDF EmbeddedFile contained within a PDF (file-pdf.rules)
 * 1:23251 <-> DISABLED <-> BOTNET-CNC Trojan.Spyeye variant outbound connection attempt (botnet-cnc.rules)
 * 1:23249 <-> ENABLED <-> FILE-PDF Unknown Exploit Kit PDF Drop - sdfsdfsd (file-pdf.rules)
 * 1:23236 <-> ENABLED <-> SHELLCODE x86 OS agnostic alpha numeric upper case javascript decoder (shellcode.rules)
 * 1:23231 <-> DISABLED <-> DOS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (dos.rules)
 * 1:23234 <-> DISABLED <-> BOTNET-CNC Frethog.MK runtime traffic detected (botnet-cnc.rules)
 * 1:23235 <-> DISABLED <-> BOTNET-CNC PBin.A runtime traffic detected (botnet-cnc.rules)
 * 1:23228 <-> DISABLED <-> WEB-ACTIVEX Oracle Webcenter ActiveX clsid access (web-activex.rules)
 * 1:23233 <-> DISABLED <-> DOS Microsoft Windows NT DHCP DISCOVER hostname overflow attempt (dos.rules)
 * 1:23230 <-> DISABLED <-> DOS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (dos.rules)
 * 1:23229 <-> DISABLED <-> WEB-ACTIVEX Oracle Webcenter ActiveX function call access (web-activex.rules)
 * 1:23232 <-> DISABLED <-> DOS Microsoft Windows NT DHCP DISCOVER client identifier overflow attempt (dos.rules)
 * 1:23240 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:23247 <-> ENABLED <-> SPYWARE-PUT Wajam Monitizer download attempt - post infection (spyware-put.rules)
 * 1:23252 <-> DISABLED <-> BOTNET-CNC MacOS.MacKontrol variant outbound connection attempt (botnet-cnc.rules)
 * 1:23255 <-> DISABLED <-> SPYWARE-PUT Trojan.Duojeen runtime detection attempt (spyware-put.rules)
 * 1:23241 <-> DISABLED <-> WEB-CLIENT HP DPNECentral RequestCopy type SQL injection attempt (web-client.rules)
 * 1:23242 <-> ENABLED <-> BOTNET-CNC Win32.Banker.boxg connect to cnc server attempt (botnet-cnc.rules)
 * 1:23260 <-> DISABLED <-> WEB-MISC SAP NetWeaver cross site scripting attempt (web-misc.rules)
 * 1:23262 <-> DISABLED <-> BOTNET-CNC Trojan.Banker outbound connection attempt (botnet-cnc.rules)

Modified Rules:

 * 1:22115 <-> DISABLED <-> SERVER-MAIL Metamail header length exploit attempt (server-mail.rules)
 * 1:21162 <-> DISABLED <-> FILE-PDF Adobe Acrobat file extension overflow attempt (file-pdf.rules)
 * 1:16341 <-> ENABLED <-> EXPLOIT IBM DB2 Database Server invalid data stream denial of service attempt (exploit.rules)
 * 1:17209 <-> ENABLED <-> SQL IBM DB2 DATABASE SERVER SQL REPEAT Buffer Overflow (sql.rules)
 * 1:17599 <-> DISABLED <-> SPECIFIC-THREATS IBM DB2 Universal Database rdbname denial of service attempt (specific-threats.rules)
 * 1:23179 <-> DISABLED <-> INDICATOR-COMPROMISE script before DOCTYPE possible malicious redirect (indicator-compromise.rules)
 * 1:22110 <-> DISABLED <-> SERVER-MAIL Metamail format string exploit attempt (server-mail.rules)
 * 1:2582 <-> DISABLED <-> WEB-MISC SAP Crystal Reports crystalImageHandler.asp directory traversal attempt (web-misc.rules)
 * 1:22114 <-> DISABLED <-> SERVER-MAIL Metamail header length exploit attempt (server-mail.rules)
 * 1:22113 <-> DISABLED <-> SERVER-MAIL Metamail header length exploit attempt (server-mail.rules)
 * 1:22111 <-> DISABLED <-> SERVER-MAIL Metamail format string exploit attempt (server-mail.rules)
 * 1:22112 <-> DISABLED <-> SERVER-MAIL Metamail format string exploit attempt (server-mail.rules)
 * 1:21214 <-> DISABLED <-> WEB-MISC Apache server mod_proxy reverse proxy bypass attempt (web-misc.rules)
 * 1:22006 <-> ENABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)
 * 1:20528 <-> DISABLED <-> WEB-MISC Apache mod_proxy reverse proxy information disclosure attempt (web-misc.rules)
 * 1:17340 <-> ENABLED <-> SHELLCODE x86 OS agnostic alpha numeric upper case decoder (shellcode.rules)
 * 1:20445 <-> DISABLED <-> FILE-PDF Foxit Reader title overflow attempt (file-pdf.rules)