Sourcefire VRT Rules Update

Date: 2012-02-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

The default rule state is how the rule ships in the VRT pack: a DISABLED rule is present in the named rule file but commented out, and it must be enabled explicitly in the local rule set before it will generate alerts.

New Rules:

 * 1:21170 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Office OLESS stream object name corruption attempt (specific-threats.rules)
 * 1:21171 <-> DISABLED <-> POLICY APP-CONTROL Thunder p2p application activity detection (policy.rules)
 * 1:21172 <-> DISABLED <-> POLICY APP-CONTROL Thunder p2p application activity detection (policy.rules)
 * 1:21173 <-> DISABLED <-> POLICY APP-CONTROL Thunder p2p application download detection (policy.rules)
 * 1:21174 <-> ENABLED <-> FILE-IDENTIFY RealPlayer realtext file download request (file-identify.rules)
 * 1:21175 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string Win32 Amti (blacklist.rules)
 * 1:21176 <-> DISABLED <-> SPYWARE-PUT Win32.WindowsOptimizationAndSecurity outbound connection (spyware-put.rules)
 * 1:21177 <-> DISABLED <-> BACKDOOR Win32.Ganipin.A inbound connection (backdoor.rules)
 * 1:21178 <-> DISABLED <-> BOTNET-CNC Trojan Downloader Win32.Chekafe.A outbound connection (botnet-cnc.rules)
 * 1:21179 <-> DISABLED <-> BACKDOOR Win32.Coofus.RFM outbound connection (backdoor.rules)
 * 1:21180 <-> DISABLED <-> BACKDOOR Worm.Win32.Magania.clfv outbound connection (backdoor.rules)
 * 1:21181 <-> DISABLED <-> BACKDOOR Win32.Agent.czgu outbound connection (backdoor.rules)
 * 1:21182 <-> DISABLED <-> BACKDOOR Win32.MeSub.ac outbound connection (backdoor.rules)
 * 1:21183 <-> DISABLED <-> BACKDOOR Win32.Agent.alfu outbound connection (backdoor.rules)
 * 1:21184 <-> DISABLED <-> SPYWARE-PUT Internet Security 2010 outbound connection (spyware-put.rules)
 * 1:21185 <-> DISABLED <-> BACKDOOR Worm.Win32.Kufgal.A inbound connection (backdoor.rules)
 * 1:21186 <-> DISABLED <-> ORACLE MDSYS drop table trigger injection attempt (oracle.rules)
 * 1:21187 <-> DISABLED <-> BACKDOOR Win32.Xlahlah.A outbound connection (backdoor.rules)
 * 1:21188 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string API Guide test program (blacklist.rules)
 * 1:21189 <-> ENABLED <-> WEB-CLIENT Apple Safari innerHTML use after free exploit attempt (web-client.rules)

Modified Rules:

 * 1:16383 <-> DISABLED <-> ORACLE MDSYS drop table trigger injection attempt (oracle.rules)
 * 1:16506 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer innerHTML against incomplete element heap corruption attempt (web-client.rules)
 * 1:18743 <-> DISABLED <-> WEB-MISC VLC player web interface format string attack (web-misc.rules)
 * 1:18759 <-> ENABLED <-> WEB-MISC HP OpenView Network Node Manager ovwebsnmpsrv.exe displayWidth buffer overflow attempt - POST (web-misc.rules)
 * 1:18760 <-> ENABLED <-> WEB-MISC HP OpenView Network Node Manager ovwebsnmpsrv.exe displayWidth buffer overflow attempt - GET (web-misc.rules)
 * 1:19955 <-> DISABLED <-> BACKDOOR PaiN RAT 0.1 outbound connection (backdoor.rules)
 * 1:20999 <-> ENABLED <-> WEB-CLIENT Microsoft Windows 7 x64 Apple Safari abnormally long iframe exploit attempt (web-client.rules)
 * 1:21164 <-> DISABLED <-> NETBIOS Samba username map script command injection attempt (netbios.rules)
 * 1:2923 <-> DISABLED <-> NETBIOS SMB repeated logon failure (netbios.rules)
 * 1:2924 <-> DISABLED <-> NETBIOS SMB-DS repeated logon failure (netbios.rules)
 * 1:3822 <-> DISABLED <-> WEB-MISC Real Player realtext long URI request attempt (web-misc.rules)
 * 1:3823 <-> DISABLED <-> WEB-MISC Real Player realtext file bad version buffer overflow attempt (web-misc.rules)
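
As an added example (not part of the VRT announcement), the following Python script parses entries in the gid:sid <-> state <-> message (group) format used above, summarises them by section and rule file, and compares each announced default state with a locally deployed rules file so that rules which are missing, or whose local state differs from the shipped default, can be reviewed after an update. The announcement excerpt and the local rules file embedded in the script are constructed samples; the rule bodies are placeholders, not VRT signature content, and all function names are my own.

```python
"""Parse a VRT rule-update announcement and reconcile it with a local rules file."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the announcement's own format (three new, two modified entries).
ANNOUNCEMENT = """\
New Rules:

 * 1:21174 <-> ENABLED <-> FILE-IDENTIFY RealPlayer realtext file download request (file-identify.rules)
 * 1:21185 <-> DISABLED <-> BACKDOOR Worm.Win32.Kufgal.A inbound connection (backdoor.rules)
 * 1:21189 <-> ENABLED <-> WEB-CLIENT Apple Safari innerHTML use after free exploit attempt (web-client.rules)

Modified Rules:

 * 1:2923 <-> DISABLED <-> NETBIOS SMB repeated logon failure (netbios.rules)
 * 1:18759 <-> ENABLED <-> WEB-MISC HP OpenView Network Node Manager ovwebsnmpsrv.exe displayWidth buffer overflow attempt - POST (web-misc.rules)
"""

# Constructed stand-in for a deployed rules file. Rule bodies are placeholders
# (no detection content); a leading '#' means the rule is commented out, i.e. disabled.
LOCAL_RULES = """\
alert tcp any any -> any any (msg:"FILE-IDENTIFY RealPlayer realtext file download request"; sid:21174; rev:1;)
# alert tcp any any -> any any (msg:"BACKDOOR Worm.Win32.Kufgal.A inbound connection"; sid:21185; rev:1;)
# alert tcp any any -> any any (msg:"WEB-CLIENT Apple Safari innerHTML use after free exploit attempt"; sid:21189; rev:1;)
alert tcp any any -> any any (msg:"WEB-MISC HP OpenView NNM ovwebsnmpsrv.exe displayWidth overflow - POST"; sid:18759; rev:3;)
"""

SECTION_RE = re.compile(r"^(New|Modified) Rules:\s*$")
# One announcement entry: " * gid:sid <-> STATE <-> message (file.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)
# The sid option inside a Snort rule body.
SID_RE = re.compile(r"sid\s*:\s*(\d+)\s*;")


@dataclass(frozen=True)
class RuleEntry:
    section: str   # "new" or "modified"
    gid: int
    sid: int
    enabled: bool  # default state as shipped in the VRT pack
    msg: str
    group: str     # rule file, e.g. "backdoor.rules"


def parse_announcement(text):
    """Return RuleEntry objects for every well-formed entry, tagged with its section."""
    entries, section = [], "unknown"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = ENTRY_RE.match(line)
        if m:  # blank lines and prose fall through
            entries.append(RuleEntry(section, int(m["gid"]), int(m["sid"]),
                                     m["state"] == "ENABLED", m["msg"], m["group"]))
    return entries


def summarize(entries):
    """Count entries by (section, default state) and by rule file."""
    by_state = Counter((e.section, "ENABLED" if e.enabled else "DISABLED") for e in entries)
    by_group = Counter(e.group for e in entries)
    return dict(by_state), dict(by_group)


def local_sid_states(rules_text):
    """Map sid -> True if the local rule is active, False if it is commented out."""
    states = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = SID_RE.search(stripped)
        if m:
            states[int(m.group(1))] = not stripped.startswith("#")
    return states


def review_items(entries, local):
    """Flag announced rules that need a look after applying the update.

    "missing":              announced SID is not in the local file at all
    "enabled-but-inactive": ships ENABLED but is commented out locally
    "disabled-but-active":  ships DISABLED but is active locally (deliberate tuning?)
    """
    findings = []
    for e in entries:
        if e.sid not in local:
            findings.append((e.sid, "missing"))
        elif e.enabled and not local[e.sid]:
            findings.append((e.sid, "enabled-but-inactive"))
        elif not e.enabled and local[e.sid]:
            findings.append((e.sid, "disabled-but-active"))
    return findings


if __name__ == "__main__":
    parsed = parse_announcement(ANNOUNCEMENT)
    by_state, by_group = summarize(parsed)
    print("by state:", by_state)
    print("by rule file:", by_group)
    for sid, reason in review_items(parsed, local_sid_states(LOCAL_RULES)):
        print(f"review sid {sid}: {reason}")
```

Running the script against a real announcement and the rule files it was applied to is a quick post-update check: an ENABLED entry that shows up as "enabled-but-inactive" usually means a local SID-management list is overriding the VRT default, and a "missing" entry means the update was not applied to that rule file.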