Sourcefire VRT Rules Update

Date: 2012-09-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.1.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
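As an added example (not part of the Sourcefire update, and not VRT, Snort or PulledPork code), the following Python parses entries in the format above and extracts what an operator actually acts on: which of the new rules ship DISABLED, since a disabled rule does nothing until it is explicitly turned on. The sample entries are copied from this update; the function names and the `watch` set of rule groups are this example's own choices, and the `gid:sid`-per-line output is the form that PulledPork's enablesid.conf accepts.

```python
"""Parse a Sourcefire VRT rules-update changelog of the form

    gid:sid <-> Default rule state <-> Message (rule group)

and report which new rules ship DISABLED. Sample entries below are
copied from this update (2012-09-13); the helper names and the group
filter are this example's own choices, not VRT tooling.
"""
import re
from collections import Counter

# Section headers look like "New Rules:" / "Modified Rules:" / "Deleted Rules:".
SECTION_RE = re.compile(r"^\s*([A-Za-z]+ Rules):\s*$")

# One entry: " * 1:24155 <-> DISABLED <-> FILE-PDF ... attempt (file-pdf.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+)\)\s*$"
)

# Entries taken from this update, used as sample input.
SAMPLE = """\
New Rules:

 * 1:24155 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt (file-pdf.rules)
 * 1:24158 <-> ENABLED <-> FILE-IDENTIFY .rtx file attachment detected (file-identify.rules)
 * 1:24159 <-> DISABLED <-> FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt (file-other.rules)
 * 1:24142 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object confusion attempt (file-flash.rules)
 * 1:24146 <-> DISABLED <-> BLACKLIST DNS request for known malware domain reslove-dns.com - Dorifel (blacklist.rules)

Modified Rules:

 * 1:23324 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:18764 <-> ENABLED <-> WEB-CGI HP OpenView Network Node Manager nnmRptConfig.exe multiple parameters buffer overflow attempt (web-cgi.rules)
"""


def parse_update(text):
    """Return {section_name: [entry, ...]}; each entry is a dict with
    gid, sid, enabled, msg and group. A line that starts with '*' but does
    not match the entry format raises, so a format change is noticed
    rather than silently dropped."""
    sections, current = {}, None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            if line.lstrip().startswith("*"):
                raise ValueError(f"unparseable entry: {line!r}")
            continue
        sections[current].append({
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "enabled": m.group("state") == "ENABLED",
            "msg": m.group("msg"),
            "group": m.group("group"),
        })
    return sections


def state_counts(entries):
    """Counter of (group, 'ENABLED'|'DISABLED') -> number of rules."""
    return Counter((e["group"], "ENABLED" if e["enabled"] else "DISABLED")
                   for e in entries)


def disabled_in_groups(entries, groups):
    """Sorted (gid, sid) pairs that ship DISABLED in the rule groups you
    care about, for review before anything is turned on."""
    return sorted((e["gid"], e["sid"]) for e in entries
                  if not e["enabled"] and e["group"] in groups)


def enablesid_lines(pairs):
    """Render pairs as one 'gid:sid' per line (the form enablesid.conf takes)."""
    return "\n".join(f"{gid}:{sid}" for gid, sid in pairs)


if __name__ == "__main__":
    update = parse_update(SAMPLE)
    new = update["New Rules"]
    print(state_counts(new))
    watch = {"file-pdf.rules", "file-other.rules"}  # groups relevant to this deployment
    print(enablesid_lines(disabled_in_groups(new, watch)))
```

Run against the full text of an update, the script lists the disabled SIDs in the groups you watch so they can be reviewed and enabled deliberately; a malformed entry raises instead of being skipped, which is the behaviour you want when the changelog format changes between releases.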

New Rules:

 * 1:24155 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt (file-pdf.rules)
 * 1:24164 <-> DISABLED <-> FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt (file-other.rules)
 * 1:24165 <-> DISABLED <-> FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt (file-other.rules)
 * 1:24144 <-> DISABLED <-> MALWARE-OTHER Dorifel/Quervar/XDocCrypt download (malware-other.rules)
 * 1:24143 <-> DISABLED <-> MALWARE-OTHER Dorifel/Quervar/XDocCrypt query for machine name KASPERSKY (malware-other.rules)
 * 1:24163 <-> DISABLED <-> FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt (file-other.rules)
 * 1:24160 <-> DISABLED <-> FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt (file-other.rules)
 * 1:24161 <-> DISABLED <-> FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt (file-other.rules)
 * 1:24158 <-> ENABLED <-> FILE-IDENTIFY .rtx file attachment detected (file-identify.rules)
 * 1:24140 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed RTMP response attempt (file-flash.rules)
 * 1:24156 <-> ENABLED <-> FILE-IDENTIFY .rtx file download request (file-identify.rules)
 * 1:24153 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader embedded TTF bytecode memory corruption attempt (file-pdf.rules)
 * 1:24148 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malicious charstring stream attempt (file-pdf.rules)
 * 1:24150 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TrueType font corrupt header attempt (file-pdf.rules)
 * 1:24168 <-> DISABLED <-> INDICATOR-OBFUSCATION hidden iframe - potential include of malicious content (indicator-obfuscation.rules)
 * 1:24139 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed RTMP response attempt (file-flash.rules)
 * 1:24138 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed RTMP response attempt (file-flash.rules)
 * 1:24162 <-> DISABLED <-> FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt (file-other.rules)
 * 1:24142 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object confusion attempt (file-flash.rules)
 * 1:24167 <-> ENABLED <-> INDICATOR-OBFUSCATION document write of unescaped value with remote script (indicator-obfuscation.rules)
 * 1:24169 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection (malware-cnc.rules)
 * 1:24170 <-> ENABLED <-> EXPLOIT-KIT Blackhole Redirection to generated folder - js.js (exploit-kit.rules)
 * 1:24145 <-> DISABLED <-> MALWARE-OTHER Dorifel/Quervar/XDocCrypt sent over email (malware-other.rules)
 * 1:24171 <-> ENABLED <-> EXPLOIT-KIT Blackhole possible email Landing to 8 chr folder (exploit-kit.rules)
 * 1:24149 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malicious charstring stream attempt (file-pdf.rules)
 * 1:24147 <-> ENABLED <-> WEB-CGI HP OpenView Network Node Manager nnmRptConfig.exe multiple parameters buffer overflow attempt (web-cgi.rules)
 * 1:24151 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TrueType font corrupt header attempt (file-pdf.rules)
 * 1:24152 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader embedded TTF bytecode memory corruption attempt (file-pdf.rules)
 * 1:24154 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt (file-pdf.rules)
 * 1:24146 <-> DISABLED <-> BLACKLIST DNS request for known malware domain reslove-dns.com - Dorifel (blacklist.rules)
 * 1:24157 <-> ENABLED <-> FILE-IDENTIFY .rtx file attachment detected (file-identify.rules)
 * 1:24159 <-> DISABLED <-> FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt (file-other.rules)
 * 1:24166 <-> DISABLED <-> FILE-OTHER AOL Desktop RTX file parsing buffer overflow attempt (file-other.rules)
 * 1:24141 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed RTMP response attempt (file-flash.rules)

Modified Rules:

 * 1:21783 <-> ENABLED <-> INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting (indicator-obfuscation.rules)
 * 1:21784 <-> ENABLED <-> INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting (indicator-obfuscation.rules)
 * 1:21787 <-> ENABLED <-> INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection (indicator-obfuscation.rules)
 * 1:22088 <-> ENABLED <-> EXPLOIT-KIT Blackhole Exploit Kit javascript service method (exploit-kit.rules)
 * 1:23324 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:18612 <-> DISABLED <-> WEB-MISC Oracle Java Web Server Webdav Stack Buffer Overflow attempt (web-misc.rules)
 * 1:21781 <-> ENABLED <-> INDICATOR-OBFUSCATION encoded union select function in POST - possible sql injection attempt (indicator-obfuscation.rules)
 * 1:21786 <-> ENABLED <-> INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection (indicator-obfuscation.rules)
 * 1:21780 <-> ENABLED <-> INDICATOR-OBFUSCATION encoded waitfor delay function in POST - possible sql injection attempt (indicator-obfuscation.rules)
 * 1:18764 <-> ENABLED <-> WEB-CGI HP OpenView Network Node Manager nnmRptConfig.exe multiple parameters buffer overflow attempt (web-cgi.rules)