Sourcefire VRT Rules Update

Date: 2012-08-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.1.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:23884 <-> DISABLED <-> FILE-PDF Adober Reader JBIG2 encoding invalid symbol in dictionary segment (file-pdf.rules)
 * 1:23850 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page with specific structure - hwehes (specific-threats.rules)
 * 1:23852 <-> ENABLED <-> FILE-PDF Blackhole related malicious file detection (file-pdf.rules)
 * 1:23889 <-> ENABLED <-> FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:23859 <-> ENABLED <-> SMTP heapspray characters detected - hexadecimal encoding (smtp.rules)
 * 1:23873 <-> DISABLED <-> DELETED FILE-PDF Adobe Reader postscript font execution malformed subroutine entries attempt (deleted.rules)
 * 1:23870 <-> DISABLED <-> FILE-PDF Adobe Reader invalid inline image attempt (file-pdf.rules)
 * 1:23871 <-> DISABLED <-> FILE-PDF Adobe Reader invalid inline image attempt (file-pdf.rules)
 * 1:23868 <-> ENABLED <-> FILE-PDF Adobe Reader invalid inline image attempt (file-pdf.rules)
 * 1:23869 <-> ENABLED <-> FILE-PDF Adobe Reader invalid inline image attempt (file-pdf.rules)
 * 1:23863 <-> ENABLED <-> SPYWARE-PUT LiveSecurityPlatinum.A runtime detection - initial connection (spyware-put.rules)
 * 1:23866 <-> DISABLED <-> FILE-PDF Adobe Reader invalid inline image attempt (file-pdf.rules)
 * 1:23865 <-> DISABLED <-> FILE-PDF Adobe Reader invalid font WeightVector attempt (file-pdf.rules)
 * 1:23861 <-> ENABLED <-> WEB-CLIENT heapspray characters detected - binary (web-client.rules)
 * 1:23864 <-> DISABLED <-> FILE-PDF Adobe Reader invalid font WeightVector attempt (file-pdf.rules)
 * 1:23860 <-> ENABLED <-> WEB-CLIENT heapspray characters detected - ASCII (web-client.rules)
 * 1:23858 <-> ENABLED <-> SMTP heapspray characters detected - binary (smtp.rules)
 * 1:23856 <-> ENABLED <-> FILE-OTHER string heapspray flash file - likely attack (file-other.rules)
 * 1:23857 <-> ENABLED <-> SMTP heapspray characters detected - ASCII (smtp.rules)
 * 1:23849 <-> ENABLED <-> SPECIFIC-THREATS Blackhole redirection attempt (specific-threats.rules)
 * 1:23848 <-> ENABLED <-> SPECIFIC-THREATS Blackhole redirection attempt (specific-threats.rules)
 * 1:23862 <-> ENABLED <-> WEB-CLIENT heapspray characters detected - hexadecimal encoding (web-client.rules)
 * 1:23853 <-> ENABLED <-> FILE-OTHER Adobe Flash OpenType font memory corruption attempt (file-other.rules)
 * 1:23854 <-> ENABLED <-> FILE-OTHER Adobe Flash OpenType font memory corruption attempt (file-other.rules)
 * 1:23867 <-> DISABLED <-> FILE-PDF Adobe Reader invalid inline image attempt (file-pdf.rules)
 * 1:23851 <-> ENABLED <-> FILE-PDF Blackhole related malicious file detection (file-pdf.rules)
 * 1:23855 <-> ENABLED <-> FILE-OTHER string heapspray flash file - likely attack (file-other.rules)
 * 1:23872 <-> DISABLED <-> DELETED FILE-PDF Adobe Reader postscript font execution malformed subroutine entries attempt (deleted.rules)
 * 1:23874 <-> ENABLED <-> FILE-PDF Adobe Reader postscript font execution malformed subroutine entries attempt (file-pdf.rules)
 * 1:23875 <-> ENABLED <-> FILE-PDF Adobe Reader postscript font execution malformed subroutine entries attempt (file-pdf.rules)
 * 1:23886 <-> DISABLED <-> DELETED FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt (deleted.rules)
 * 1:23885 <-> DISABLED <-> DELETED FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt (deleted.rules)
 * 1:23888 <-> DISABLED <-> DELETED FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt (deleted.rules)
 * 1:23887 <-> DISABLED <-> DELETED FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt (deleted.rules)
 * 1:23892 <-> ENABLED <-> FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:23890 <-> ENABLED <-> FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:23891 <-> ENABLED <-> FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:23876 <-> DISABLED <-> BOTNET-CNC W32.Trojan.Scirib variant connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23877 <-> DISABLED <-> BOTNET-CNC W32.Trojan.Dtfanri variant connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23882 <-> ENABLED <-> FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:23878 <-> ENABLED <-> WEB-ACTIVEX Oracle JRE Deployment Toolkit ActiveX clsid access attempt (web-activex.rules)
 * 1:23883 <-> DISABLED <-> FILE-PDF Adober Reader JBIG2 encoding invalid symbol in dictionary segment (file-pdf.rules)
 * 1:23879 <-> ENABLED <-> FILE-PDF Adobe Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:23880 <-> ENABLED <-> FILE-PDF Adobe Reader Texture Declaration buffer overflow attempt (file-pdf.rules)
 * 1:23881 <-> ENABLED <-> FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)

Modified Rules:

 * 1:23833 <-> ENABLED <-> SPECIFIC-THREATS Malvertising redirection campaign - blackmuscat (specific-threats.rules)
 * 1:23843 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio DXF file text overflow attempt (file-office.rules)
 * 1:23680 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file magic detected (file-identify.rules)
 * 1:23611 <-> ENABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:23842 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio DXF file text overflow attempt (file-office.rules)
 * 1:21377 <-> ENABLED <-> WEB-MISC Cisco Unified Communications Manager sql injection attempt (web-misc.rules)
 * 1:22088 <-> ENABLED <-> SPECIFIC-THREATS Blackhole Exploit Kit javascript service method (specific-threats.rules)
 * 1:23408 <-> DISABLED <-> WEB-CLIENT Microsoft Windows large image resize denial of service attempt (web-client.rules)
 * 1:23612 <-> ENABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:20496 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file magic detected (file-identify.rules)
 * 1:20575 <-> DISABLED <-> FILE-PDF Adobe Reader PDF JBIG2 remote code execution attempt (file-pdf.rules)