Sourcefire VRT Rules Update

Date: 2012-07-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.1.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:23418 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23462 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML Style attribute overflow attempt (file-other.rules)
 * 1:23421 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23420 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23434 <-> DISABLED <-> WEB-MISC IBM Lotus Domino cross site scripting attempt (web-misc.rules)
 * 1:23403 <-> DISABLED <-> WEB-MISC Adobe JRun directory traversal attempt (web-misc.rules)
 * 1:23401 <-> DISABLED <-> WEB-MISC Oracle GlassFish server REST interface cross site request forgery attempt (web-misc.rules)
 * 1:23429 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23399 <-> DISABLED <-> BOTNET-CNC Trojan Win32.Govdi.A connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23405 <-> DISABLED <-> WEB-PHP PHP-Nuke index.php SQL injection attempt (web-php.rules)
 * 1:23423 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23416 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23449 <-> DISABLED <-> BOTNET-CNC Trojan Win32.Servstart.ax connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23452 <-> DISABLED <-> BLACKLIST DNS request for known malware domain d.ppns.info - Morto.A (blacklist.rules)
 * 1:23414 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23450 <-> DISABLED <-> BOTNET-CNC Trojan.McRat connect to server attempt (botnet-cnc.rules)
 * 1:23430 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23445 <-> DISABLED <-> WEB-CLIENT Mozilla Firefox use-after free remote code execution attempt (web-client.rules)
 * 1:23446 <-> DISABLED <-> SPYWARE-PUT Trojan.Sojax.A runtime detection attempt (spyware-put.rules)
 * 1:23415 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23444 <-> DISABLED <-> EXPLOIT Flexera FlexNet License Server buffer overflow attempt (exploit.rules)
 * 1:23411 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23432 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23413 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23407 <-> DISABLED <-> WEB-MISC Apple iChat url format string exploit attempt (web-misc.rules)
 * 1:23412 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23410 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23433 <-> DISABLED <-> WEB-MISC IBM Lotus Domino cross site scripting attempt (web-misc.rules)
 * 1:23425 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23406 <-> DISABLED <-> WEB-PHP PHP-Nuke index.php SQL injection attempt (web-php.rules)
 * 1:23409 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23447 <-> DISABLED <-> BOTNET-CNC Trojan.Sojax.A outbound connection attempt (botnet-cnc.rules)
 * 1:23424 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23408 <-> DISABLED <-> WEB-CLIENT Microsoft Windows large image resize denial of service attempt (web-client.rules)
 * 1:23456 <-> DISABLED <-> EXPLOIT IBM Tivoli name overflow attempt (exploit.rules)
 * 1:23465 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML Style attribute overflow attempt (file-other.rules)
 * 1:23471 <-> DISABLED <-> WEB-CLIENT Google Chrome net-internals uri fragment identifier XSS attempt (web-client.rules)
 * 1:23455 <-> DISABLED <-> BLACKLIST DNS request for known malware domain e.ppift.in - Morto.A (blacklist.rules)
 * 1:23453 <-> DISABLED <-> BLACKLIST DNS request for known malware domain e.ppift.net - Morto.A (blacklist.rules)
 * 1:23400 <-> DISABLED <-> FILE-OTHER Apple Quicktime JPEG2000 length integer underflow attempt (file-other.rules)
 * 1:23451 <-> DISABLED <-> BACKDOOR Win32.RedSip.A outbound connection attempt (backdoor.rules)
 * 1:23431 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23438 <-> DISABLED <-> WEB-PHP PHP-SHELL remote command shell initialization attempt (web-php.rules)
 * 1:23419 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23439 <-> DISABLED <-> WEB-PHP PHP-SHELL remote command shell upload attempt (web-php.rules)
 * 1:23436 <-> DISABLED <-> EXPLOIT Microsoft IDirectPlay4 denial of service attempt (exploit.rules)
 * 1:23440 <-> DISABLED <-> WEB-PHP PHP-SHELL remote command shell upload attempt (web-php.rules)
 * 1:23441 <-> DISABLED <-> WEB-PHP PHP-SHELL remote command shell upload attempt (web-php.rules)
 * 1:23437 <-> DISABLED <-> EXPLOIT Microsoft IDirectPlay4 denial of service attempt (exploit.rules)
 * 1:23442 <-> DISABLED <-> WEB-PHP PHP-SHELL remote command injection attempt (web-php.rules)
 * 1:23392 <-> DISABLED <-> DOS IBM SolidDB redundant where clause DoS attempt (dos.rules)
 * 1:23394 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Vbvoleur.a connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23395 <-> DISABLED <-> WEB-ACTIVEX Quest InTrust Annotation Objects ActiveX clsid access attempt (web-activex.rules)
 * 1:23396 <-> DISABLED <-> WEB-ACTIVEX Quest InTrust Annotation Objects ActiveX function call access attempt (web-activex.rules)
 * 1:23422 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23477 <-> ENABLED <-> FILE-IDENTIFY PLP file magic detected (file-identify.rules)
 * 1:23402 <-> DISABLED <-> WEB-MISC CVS remote file information disclosure attempt (web-misc.rules)
 * 1:23435 <-> DISABLED <-> SERVER-MAIL Alt-N MDaemon file attachment directory traversal attempt (server-mail.rules)
 * 1:23426 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23398 <-> DISABLED <-> EXPLOIT Citrix Provisioning Services stack buffer overflow attempt (exploit.rules)
 * 1:23397 <-> DISABLED <-> EXPLOIT Citrix Provisioning Services stack buffer overflow attempt (exploit.rules)
 * 1:23428 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23427 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)
 * 1:23393 <-> ENABLED <-> SQL IBM SolidDB initial banner (sql.rules)
 * 1:23443 <-> DISABLED <-> WEB-PHP PHP-SHELL failed remote command injection attempt (web-php.rules)
 * 1:23476 <-> ENABLED <-> FILE-IDENTIFY PLP file attachment detected (file-identify.rules)
 * 1:23454 <-> DISABLED <-> BLACKLIST DNS request for known malware domain e.ppift.com - Morto.A (blacklist.rules)
 * 1:23473 <-> ENABLED <-> BLACKLIST URI request for runforestrun - JS.Runfore (blacklist.rules)
 * 1:23469 <-> DISABLED <-> BOTNET-CNC Trojan.Dropper outbound connection attempt (botnet-cnc.rules)
 * 1:23458 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel macro validation arbitrary code execution attempt (file-office.rules)
 * 1:23460 <-> DISABLED <-> BOTNET-CNC Trojan.Belesak.A outbound connection attempt (botnet-cnc.rules)
 * 1:23479 <-> DISABLED <-> FILE-OTHER ACDSee FotoSlate PLP file buffer overflow attempt (file-other.rules)
 * 1:23463 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML sampleData attribute overflow attempt (file-other.rules)
 * 1:23481 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in setTimeout call (indicator-obfuscation.rules)
 * 1:23480 <-> DISABLED <-> WEB-MISC IBM Lotus Domino webadmin.nsf directory traversal attempt (web-misc.rules)
 * 1:23459 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel macro validation arbitrary code execution attempt (file-office.rules)
 * 1:23461 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML Transform attribute overflow attempt (file-other.rules)
 * 1:23475 <-> ENABLED <-> FILE-IDENTIFY PLP file attachment detected (file-identify.rules)
 * 1:23404 <-> DISABLED <-> EXPLOIT Mortal Universe POP Peeper date header overflow attempt (exploit.rules)
 * 1:23474 <-> ENABLED <-> FILE-IDENTIFY PLP file download request (file-identify.rules)
 * 1:23467 <-> DISABLED <-> BOTNET-CNC Win32.Mazben file download attempt (botnet-cnc.rules)
 * 1:23478 <-> DISABLED <-> FILE-OTHER ACDSee FotoSlate PLP file buffer overflow attempt (file-other.rules)
 * 1:23448 <-> DISABLED <-> BOTNET-CNC Worm WIN32.Psyokym.b connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23466 <-> ENABLED <-> WEB-MISC IBM System Storage DS storage manager profiler XSS attempt (web-misc.rules)
 * 1:23472 <-> ENABLED <-> SPYWARE-PUT FakeAV landing page request (spyware-put.rules)
 * 1:23470 <-> DISABLED <-> WEB-ACTIVEX StoneTrip S3DPlayer ActiveX clsid access attempt (web-activex.rules)
 * 1:23482 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in addEventListener call (indicator-obfuscation.rules)
 * 1:23468 <-> DISABLED <-> BOTNET-CNC Trojan.Dropper outbound connection attempt (botnet-cnc.rules)
 * 1:23457 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel macro validation arbitrary code execution attempt (file-office.rules)
 * 1:23464 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:23417 <-> DISABLED <-> WEB-ACTIVEX Veritas Storage Exec ActiveX clsid access attempt (web-activex.rules)

Modified Rules:

 * 1:23349 <-> ENABLED <-> FILE-IDENTIFY Lotus file attachment detected (file-identify.rules)
 * 1:23348 <-> ENABLED <-> FILE-IDENTIFY Lotus file attachment detected (file-identify.rules)
 * 1:3007 <-> DISABLED <-> IMAP command overflow attempt (imap.rules)
 * 1:23316 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word imeshare.dll dll-load exploit attempt (file-office.rules)
 * 1:23281 <-> ENABLED <-> WEB-MISC Microsoft Office SharePoint scriptresx.ashx XSS attempt (web-misc.rules)
 * 1:23312 <-> ENABLED <-> FILE-OTHER Portable Executable multiple antivirus evasion attempt (file-other.rules)
 * 1:23279 <-> DISABLED <-> WEB-MISC Microsoft Office SharePoint cross site scripting attempt (web-misc.rules)
 * 1:23315 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word imeshare.dll dll-load netbios exploit attempt (file-office.rules)
 * 1:23314 <-> DISABLED <-> NETBIOS SMB invalid character argument injection attempt (netbios.rules)
 * 1:23084 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ultrasoft.in - Flame (blacklist.rules)
 * 1:23263 <-> ENABLED <-> FILE-PDF Adobe flash player newfunction memory corruption attempt (file-pdf.rules)
 * 1:23083 <-> DISABLED <-> BLACKLIST DNS request for known malware domain syncupdate.info - Flame (blacklist.rules)
 * 1:23272 <-> ENABLED <-> FILE-OTHER Apple iTunes Extended M3U playlist record overflow attempt (file-other.rules)
 * 1:23080 <-> DISABLED <-> BLACKLIST DNS request for known malware domain synclock.info - Flame (blacklist.rules)
 * 1:23271 <-> ENABLED <-> FILE-OTHER Apple iTunes Extended M3U playlist record overflow attempt (file-other.rules)
 * 1:23082 <-> DISABLED <-> BLACKLIST DNS request for known malware domain syncsource.info - Flame (blacklist.rules)
 * 1:23079 <-> DISABLED <-> BLACKLIST DNS request for known malware domain smartservicesite.info - Flame (blacklist.rules)
 * 1:23081 <-> DISABLED <-> BLACKLIST DNS request for known malware domain syncprovider.info - Flame (blacklist.rules)
 * 1:23078 <-> DISABLED <-> BLACKLIST DNS request for known malware domain serverss.info - Flame (blacklist.rules)
 * 1:23075 <-> DISABLED <-> BLACKLIST DNS request for known malware domain newsync.info - Flame (blacklist.rules)
 * 1:23077 <-> DISABLED <-> BLACKLIST DNS request for known malware domain serveflash.info - Flame (blacklist.rules)
 * 1:23074 <-> DISABLED <-> BLACKLIST DNS request for known malware domain newstatisticfeeder.com - Flame (blacklist.rules)
 * 1:23076 <-> DISABLED <-> BLACKLIST DNS request for known malware domain rsscenter.webhop.info - Flame (blacklist.rules)
 * 1:23073 <-> DISABLED <-> BLACKLIST DNS request for known malware domain netsharepoint.info - Flame (blacklist.rules)
 * 1:23069 <-> DISABLED <-> BLACKLIST DNS request for known malware domain isyncautomation.in - Flame (blacklist.rules)
 * 1:23070 <-> DISABLED <-> BLACKLIST DNS request for known malware domain isyncautoupdater.in - Flame (blacklist.rules)
 * 1:23072 <-> DISABLED <-> BLACKLIST DNS request for known malware domain mysync.info - Flame (blacklist.rules)
 * 1:23071 <-> DISABLED <-> BLACKLIST DNS request for known malware domain micromedia.in - Flame (blacklist.rules)
 * 1:23068 <-> DISABLED <-> BLACKLIST DNS request for known malware domain flushdns.info - Flame (blacklist.rules)
 * 1:23064 <-> DISABLED <-> BLACKLIST DNS request for known malware domain chchengine.net - Flame (blacklist.rules)
 * 1:23065 <-> DISABLED <-> BLACKLIST DNS request for known malware domain dailynewsupdater.com - Flame (blacklist.rules)
 * 1:23067 <-> DISABLED <-> BLACKLIST DNS request for known malware domain flashp.webhop.net - Flame (blacklist.rules)
 * 1:23066 <-> DISABLED <-> BLACKLIST DNS request for known malware domain diznet.biz - Flame (blacklist.rules)
 * 1:23063 <-> DISABLED <-> BLACKLIST DNS request for known malware domain chchengine.com - Flame (blacklist.rules)
 * 1:19362 <-> DISABLED <-> BOTNET-CNC generic IRC botnet connection attempt (botnet-cnc.rules)
 * 1:21100 <-> DISABLED <-> RPC Novell Netware xdr decode string length buffer overflow attempt (rpc.rules)
 * 1:19180 <-> DISABLED <-> FILE-OFFICE Microsoft Excel pivot item index boundary corruption attempt (file-office.rules)
 * 1:23062 <-> DISABLED <-> BLACKLIST DNS request for known malware domain bannerzone.in - Flame (blacklist.rules)
 * 1:17134 <-> DISABLED <-> FILE-OFFICE Microsoft Excel pivot item index boundary corruption attempt (file-office.rules)
 * 1:23061 <-> DISABLED <-> BLACKLIST DNS request for known malware domain bannerspot.in - Flame (blacklist.rules)
 * 1:16521 <-> DISABLED <-> WEB-CLIENT Squid Proxy http version number overflow attempt (web-client.rules)
 * 1:18447 <-> ENABLED <-> EXPLOIT Adobe OpenAction crafted URI action thru Firefox attempt (exploit.rules)
 * 1:17605 <-> ENABLED <-> WEB-CGI Trend Micro OfficeScan CGI password decryption buffer overflow attempt (web-cgi.rules)
 * 1:16168 <-> DISABLED <-> DOS Microsoft SMBv2 integer overflow denial of service attempt (dos.rules)
 * 1:11196 <-> DISABLED <-> EXPLOIT MaxDB WebDBM get buffer overflow (exploit.rules)
 * 1:16028 <-> DISABLED <-> WEB-MISC Novell Groupwise Messenger parameters invalid memory access attempt (web-misc.rules)
 * 1:12360 <-> DISABLED <-> WEB-PHP PHP function CRLF injection attempt (web-php.rules)
 * 3:13475 <-> ENABLED <-> DOS Microsoft Active Directory LDAP denial of service attempt (dos.rules)
 * 3:13667 <-> ENABLED <-> BAD-TRAFFIC dns cache poisoning attempt (bad-traffic.rules)
 * 3:13803 <-> ENABLED <-> WEB-CLIENT RTF control word overflow attempt (web-client.rules)
 * 3:13835 <-> ENABLED <-> DOS Microsoft Active Directory LDAP cookie denial of service attempt (dos.rules)
 * 3:14252 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
 * 3:14253 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
 * 3:14254 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
 * 3:15125 <-> ENABLED <-> WEB-CLIENT Microsoft Word rich text file unpaired dpendgroup exploit attempt (web-client.rules)