Sourcefire VRT Rules Update

Date: 2012-08-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.1.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:23951 <-> DISABLED <-> DNS Microsoft Windows DNS NAPTR remote unauthenticated code execution vulnerability attempt (dns.rules)
 * 1:23952 <-> DISABLED <-> DOS Tors Hammer slow post flood attempt (dos.rules)
 * 1:23937 <-> ENABLED <-> WEB-PHP Invalid global flag attachment attempt (web-php.rules)
 * 1:23953 <-> DISABLED <-> BOTNET-CNC Trojan.Comfoo variant connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23935 <-> DISABLED <-> BOTNET-CNC Win.Trojan.Zakahic variant connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23945 <-> ENABLED <-> BOTNET-CNC Trojan.Backdoor outbound connection attempt (botnet-cnc.rules)
 * 1:23938 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Ibabyfa.dldr runtime detection (botnet-cnc.rules)
 * 1:23941 <-> DISABLED <-> BOTNET-CNC OSX.Trojan.Aharm variant connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23949 <-> DISABLED <-> BOTNET-CNC W32.Trojan.TKcik variant connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23948 <-> DISABLED <-> BOTNET-CNC Win.Trojan.Sicisono variant connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23947 <-> DISABLED <-> SQL IBM System Storage DS storage manager profiler sql injection attempt (sql.rules)
 * 1:23946 <-> ENABLED <-> BOTNET-CNC Trojan.Backdoor file download attempt (botnet-cnc.rules)
 * 1:23934 <-> ENABLED <-> WEB-ATTACKS Symantec Web Gateway blocked.php blind sql injection attempt (web-attacks.rules)
 * 1:23942 <-> ENABLED <-> BOTNET-CNC Win.Trojan.C0D0SO0 variant outbound traffic (botnet-cnc.rules)
 * 1:23950 <-> DISABLED <-> DNS Microsoft Windows DNS NAPTR remote unauthenticated code execution vulnerability attempt (dns.rules)
 * 1:23936 <-> DISABLED <-> BOTNET-CNC Win.Trojan.Zakahic variant connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23940 <-> DISABLED <-> ORACLE FlashTunnelSvc arbitrary file creation attempt (oracle.rules)
 * 1:23944 <-> DISABLED <-> WEB-PHP empty zip file upload attempt (web-php.rules)
 * 1:23939 <-> DISABLED <-> ORACLE FlashTunnelSvc arbitrary file creation attempt (oracle.rules)
 * 1:23943 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Visual Basic 6.0 malformed AVI buffer overflow attempt (web-client.rules)

Modified Rules:
 * 1:13715 <-> ENABLED <-> WEB-MISC HP OpenView Network Node Manager HTTP handling buffer overflow attempt (web-misc.rules)
 * 1:15462 <-> DISABLED <-> WEB-CLIENT Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt (web-client.rules)
 * 1:17768 <-> ENABLED <-> EXPLOIT Microsoft Internet Explorer 8 object event handler use after free exploit attempt (exploit.rules)
 * 1:21039 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules)