Sourcefire VRT Rules Update

Date: 2012-09-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.1.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:24184 <-> DISABLED <-> MALWARE-CNC Win.Worm.Rokiwobi outbound connection (malware-cnc.rules)
 * 1:24186 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio DXF variable name overflow attempt (file-office.rules)
 * 1:24185 <-> ENABLED <-> MALWARE-CNC Win.Worm.Rokiwobi inbound command from C&C (malware-cnc.rules)
 * 1:24189 <-> DISABLED <-> FILE-IMAGE XPM file format overflow attempt (file-image.rules)
 * 1:24182 <-> DISABLED <-> MALWARE-CNC Win.Worm.Helompy outbound connection (malware-cnc.rules)
 * 1:24194 <-> DISABLED <-> WEB-PHP socket_connect buffer overflow attempt (web-php.rules)
 * 1:24193 <-> DISABLED <-> WEB-PHP socket_connect buffer overflow attempt (web-php.rules)
 * 1:24192 <-> DISABLED <-> WEB-PHP socket_connect buffer overflow attempt (web-php.rules)
 * 1:24191 <-> DISABLED <-> MALWARE-CNC WIN.Trojan.Raven variant connect to cnc-server attempt (malware-cnc.rules)
 * 1:24190 <-> ENABLED <-> FILE-IDENTIFY X PixMap file magic detected (file-identify.rules)
 * 1:24188 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow (browser-firefox.rules)
 * 1:24181 <-> DISABLED <-> FILE-OTHER eZip Wizard stack overflow attempt (file-other.rules)
 * 1:24179 <-> DISABLED <-> FILE-OTHER eZip Wizard stack overflow attempt (file-other.rules)
 * 1:24180 <-> DISABLED <-> FILE-OTHER eZip Wizard stack overflow attempt (file-other.rules)
 * 1:24177 <-> DISABLED <-> FILE-OTHER eZip Wizard stack overflow attempt (file-other.rules)
 * 1:24178 <-> DISABLED <-> FILE-OTHER eZip Wizard stack overflow attempt (file-other.rules)
 * 1:24174 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Lataa variant outbound connection (malware-cnc.rules)
 * 1:24176 <-> DISABLED <-> FILE-OTHER eZip Wizard stack overflow attempt (file-other.rules)
 * 1:24206 <-> ENABLED <-> FILE-IDENTIFY LZH archive file magic detected (file-identify.rules)
 * 1:24175 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Lataa variant outbound connection (malware-cnc.rules)
 * 1:24172 <-> DISABLED <-> SQL use of concat function with select - likely SQL injection (sql.rules)
 * 1:24173 <-> DISABLED <-> MALWARE-BACKDOOR Trojan-Downloader.Win32.Doneltart.A runtime detection (malware-backdoor.rules)
 * 1:24209 <-> DISABLED <-> FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow (file-other.rules)
 * 1:24207 <-> DISABLED <-> FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow (file-other.rules)
 * 1:24195 <-> DISABLED <-> WEB-PHP socket_connect buffer overflow attempt (web-php.rules)
 * 1:24187 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow (browser-firefox.rules)
 * 1:24183 <-> DISABLED <-> BLACKLIST DNS request for known malware domain peradjoka.t35.com - Win.Worm.Helompy (blacklist.rules)
 * 1:24196 <-> DISABLED <-> WEB-ACTIVEX GE Intelligent Platforms Proficy HTML help ActiveX clsid access attempt (web-activex.rules)
 * 1:24197 <-> DISABLED <-> WEB-ACTIVEX GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (web-activex.rules)
 * 1:24210 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt (browser-ie.rules)
 * 1:24198 <-> ENABLED <-> FILE-OFFICE Microsoft Office SharePoint name field cross site scripting attempt (file-office.rules)
 * 1:24199 <-> DISABLED <-> WEB-CLIENT IBM Lotus Notes URI handler command execution attempt (web-client.rules)
 * 1:24200 <-> DISABLED <-> WEB-CLIENT IBM Lotus Notes URI handler command execution attempt (web-client.rules)
 * 1:24202 <-> ENABLED <-> WEB-CLIENT Oracle Java field bytecode verifier cache code execution attempt (web-client.rules)
 * 1:24201 <-> ENABLED <-> WEB-CLIENT Oracle Java field bytecode verifier cache code execution attempt (web-client.rules)
 * 1:24203 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
 * 1:24204 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
 * 1:24205 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
 * 1:24208 <-> DISABLED <-> FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow (file-other.rules)

Modified Rules:
 * 1:12629 <-> DISABLED <-> FILE-OFFICE Microsoft Office SharePoint cross site scripting attempt (file-office.rules)
 * 1:15236 <-> DISABLED <-> FILE-IMAGE ACD Systems ACDSee XPM file format overflow attempt (file-image.rules)
 * 1:16560 <-> ENABLED <-> FILE-OFFICE Microsoft Office SharePoint XSS attempt (file-office.rules)
 * 1:16660 <-> DISABLED <-> FILE-OFFICE Microsoft Office SharePoint Server 2007 help.aspx denial of service attempt (file-office.rules)
 * 1:18238 <-> ENABLED <-> FILE-OFFICE Microsoft Office SharePoint document conversion remote code execution attempt (file-office.rules)
 * 1:20111 <-> DISABLED <-> FILE-OFFICE Microsoft Office SharePoint XSS vulnerability attempt (file-office.rules)
 * 1:20112 <-> DISABLED <-> FILE-OFFICE Microsoft Office SharePoint XSS vulnerability attempt (file-office.rules)
 * 1:20113 <-> DISABLED <-> FILE-OFFICE Microsoft Office SharePoint XSS vulnerability attempt (file-office.rules)
 * 1:20114 <-> DISABLED <-> FILE-OFFICE Microsoft SharePoint hiddenSpanData cross site scripting attempt (file-office.rules)
 * 1:20115 <-> DISABLED <-> FILE-OFFICE Microsoft Office SharePoint XML external entity exploit attempt (file-office.rules)
 * 1:20116 <-> DISABLED <-> FILE-OFFICE Microsoft Office SharePoint Javascript XSS attempt (file-office.rules)
 * 1:20117 <-> DISABLED <-> FILE-OFFICE Microsoft SharePoint XSS (file-office.rules)
 * 1:21046 <-> ENABLED <-> MALWARE-CNC known malicious SSL certificate - Sykipot C&C (malware-cnc.rules)
 * 1:21048 <-> DISABLED <-> BLACKLIST DNS request for known malware domain prettylikeher.com - Sykipot (blacklist.rules)
 * 1:21297 <-> ENABLED <-> FILE-OFFICE Microsoft Office SharePoint themeweb.aspx XSS attempt (file-office.rules)
 * 1:21298 <-> ENABLED <-> FILE-OFFICE Microsoft SharePoint chart webpart XSS attempt (file-office.rules)
 * 1:23278 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nested list memory corruption attempt (browser-ie.rules)
 * 1:23279 <-> ENABLED <-> FILE-OFFICE Microsoft Office SharePoint name field cross site scripting attempt (file-office.rules)
 * 1:23281 <-> ENABLED <-> FILE-OFFICE Microsoft Office SharePoint scriptresx.ashx XSS attempt (file-office.rules)
 * 1:23282 <-> ENABLED <-> FILE-OFFICE Microsoft Office SharePoint query.iqy XSS attempt (file-office.rules)