Sourcefire VRT Rules Update

Date: 2012-03-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
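
A rule shipped DISABLED (for example the Apache Struts parameters interceptor rule, 1:21522, below) does not fire until it is enabled locally, so a changelog like this one is useful for reconciling the VRT defaults against local policy. The following parser is an added example written for this page, not part of the Sourcefire update or any VRT tooling. It reads lines in the `gid:sid <-> state <-> message (group)` format, keys policy on the category word that opens each message rather than on the .rules file (the two do not always agree; the BLACKLIST USER-AGENT rule below is listed under botnet-cnc.rules), and emits `gid:sid` lists in the form that pulledpork's enablesid.conf/disablesid.conf accept. The sample lines are copied from this update; the `enable_categories` and `disable_categories` parameters are the example's own, not anything from the rule pack.

```python
import re
from collections import Counter

# Constructed sample input: a handful of lines copied from this update, in
# the changelog's own "gid:sid <-> state <-> message (group)" format.
SAMPLE = """\
 * 1:21536 <-> DISABLED <-> WEB-CLIENT Adobe Actionscript Stage3D null dereference attempt (web-client.rules)
 * 1:21535 <-> ENABLED <-> SPECIFIC-THREATS Adobe Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt (specific-threats.rules)
 * 1:21522 <-> DISABLED <-> EXPLOIT Apache Struts parameters interceptor remote code execution attempt (exploit.rules)
 * 1:21529 <-> DISABLED <-> NETBIOS SMB Trans2 Find_First2 filename overflow attempt  (netbios.rules)
 * 1:518 <-> DISABLED <-> TFTP Put (tftp.rules)
"""

# One changelog entry. The message is matched non-greedily so that the
# trailing "(group.rules)" is not swallowed into it; stray double spaces
# before the group (as in 1:21529 above) are absorbed by \s*.
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+"
    r"(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s*\((?P<group>[^()\s]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Parse changelog lines into dicts. Headings, blank lines and the
    format legend do not match LINE_RE and are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rules.append({
                "gid": int(m["gid"]),
                "sid": int(m["sid"]),
                "state": m["state"],
                "msg": m["msg"],
                # Category is the first word of the message (WEB-CLIENT,
                # EXPLOIT, ...), which can differ from the .rules file.
                "category": m["msg"].split(" ", 1)[0],
                "group": m["group"],
            })
    return rules


def state_by_group(rules):
    """Count ENABLED/DISABLED defaults per rule file."""
    return Counter((r["group"], r["state"]) for r in rules)


def overrides(rules, enable_categories=(), disable_categories=()):
    """Build gid:sid lists for local policy: rules the pack ships DISABLED
    whose category we want on, and ENABLED ones we want off. The category
    sets are this example's own policy knobs, not part of the rule pack."""
    enable = [f"{r['gid']}:{r['sid']}" for r in rules
              if r["state"] == "DISABLED" and r["category"] in enable_categories]
    disable = [f"{r['gid']}:{r['sid']}" for r in rules
               if r["state"] == "ENABLED" and r["category"] in disable_categories]
    return enable, disable


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    for (group, state), n in sorted(state_by_group(parsed).items()):
        print(f"{group:24s} {state:9s} {n}")
    on, off = overrides(parsed, enable_categories={"EXPLOIT", "NETBIOS"})
    print("enablesid:", ", ".join(on))
```

Feed it the whole update (both the New Rules and Modified Rules lists) and compare the resulting enable list against what is already in enablesid.conf; a modified rule that flips from ENABLED to DISABLED between updates is exactly the kind of silent change this catches.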

New Rules:

 * 1:21536 <-> DISABLED <-> WEB-CLIENT Adobe Actionscript Stage3D null dereference attempt (web-client.rules)
 * 1:21535 <-> ENABLED <-> SPECIFIC-THREATS Adobe Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt (specific-threats.rules)
 * 1:21534 <-> ENABLED <-> SPECIFIC-THREATS Adobe Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt (specific-threats.rules)
 * 1:21533 <-> ENABLED <-> SPECIFIC-THREATS Adobe Actionscript Stage3D null dereference attempt (specific-threats.rules)
 * 1:21532 <-> DISABLED <-> WEB-CLIENT Adobe Flash Player action script 3 bitmap malicious rectangle attempt (web-client.rules)
 * 1:21531 <-> DISABLED <-> WEB-CLIENT Adobe Flash Player action script 3 bitmap malicious rectangle attempt (web-client.rules)
 * 1:21530 <-> DISABLED <-> SPECIFIC-THREATS Adobe Flash Player action script 3 bitmap malicious rectangle attempt (specific-threats.rules)
 * 1:21520 <-> DISABLED <-> BOTNET-CNC Trojan.Bayrob initial connection attempt (botnet-cnc.rules)
 * 1:21519 <-> ENABLED <-> POLICY Dadongs obfuscated javascript (policy.rules)
 * 1:21521 <-> DISABLED <-> BOTNET-CNC Trojan.Bayrob update connection attempt (botnet-cnc.rules)
 * 1:21522 <-> DISABLED <-> EXPLOIT Apache Struts parameters interceptor remote code execution attempt (exploit.rules)
 * 1:21523 <-> DISABLED <-> BOTNET-CNC Trojan.Kazy variant outbound connection attempt (botnet-cnc.rules)
 * 1:21524 <-> DISABLED <-> EXPLOIT Microsoft Windows object packager dialogue code execution attempt (exploit.rules)
 * 1:21525 <-> DISABLED <-> BOTNET-CNC Trojan.Downloader variant outbound connection (botnet-cnc.rules)
 * 1:21526 <-> DISABLED <-> BLACKLIST USER-AGENT known malicious user agent TCYWinHTTPDownload (botnet-cnc.rules)
 * 1:21527 <-> DISABLED <-> BOTNET-CNC Trojan.Downloader registration connection detection (botnet-cnc.rules)
 * 1:21528 <-> DISABLED <-> BOTNET-CNC Trojan.Downloader keep-alive connection detection (botnet-cnc.rules)
 * 1:21529 <-> DISABLED <-> NETBIOS SMB Trans2 Find_First2 filename overflow attempt (netbios.rules)
 * 1:21493 <-> DISABLED <-> WEB-ACTIVEX Microsoft DRM technology msnetobj.dll ActiveX clsid access (web-activex.rules)
 * 1:21494 <-> DISABLED <-> SCADA General Electric D20ME backdoor attempt (scada.rules)
 * 1:21495 <-> DISABLED <-> BOTNET-CNC Trojan.Vilsel runtime detection (botnet-cnc.rules)
 * 1:21496 <-> DISABLED <-> BOTNET-CNC Trojan.Saeeka initial connection detection (botnet-cnc.rules)
 * 1:21497 <-> DISABLED <-> BOTNET-CNC Trojan.Saeeka runtime detection (botnet-cnc.rules)
 * 1:21498 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:21499 <-> ENABLED <-> FILE-IDENTIFY XML file attachment detected (file-identify.rules)
 * 1:21500 <-> ENABLED <-> FILE-IDENTIFY XML file attachment detected (file-identify.rules)
 * 1:21501 <-> DISABLED <-> WEB-CLIENT JavaScript file upload keystroke hijack attempt (web-client.rules)
 * 1:21502 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.VBbot.V connect to server attempt (botnet-cnc.rules)
 * 1:21503 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Office Excel SXDB memory corruption (specific-threats.rules)
 * 1:21504 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (specific-threats.rules)
 * 1:21505 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (specific-threats.rules)
 * 1:21506 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (specific-threats.rules)
 * 1:21507 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (specific-threats.rules)
 * 1:21508 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (specific-threats.rules)
 * 1:21509 <-> ENABLED <-> SPECIFIC-THREATS Sakura exploit kit rhino jar request (specific-threats.rules)
 * 1:21510 <-> ENABLED <-> SPECIFIC-THREATS Sakura exploit kit logo transfer (specific-threats.rules)
 * 1:21511 <-> DISABLED <-> BOTNET-CNC Trojan.Vaxpy runtime detection (botnet-cnc.rules)
 * 1:21512 <-> DISABLED <-> BOTNET-CNC Backdoor.Win32.Zegost.B runtime detection (botnet-cnc.rules)
 * 1:21513 <-> DISABLED <-> DOS HOIC tool (dos.rules)
 * 1:21514 <-> DISABLED <-> BOTNET-CNC Trojan.Banbra connect to server attempt (botnet-cnc.rules)
 * 1:21515 <-> DISABLED <-> WEB-MISC Tomcat Web Application Manager access (web-misc.rules)
 * 1:21516 <-> DISABLED <-> WEB-MISC JBoss JMX console access (web-misc.rules)
 * 1:21517 <-> DISABLED <-> WEB-MISC JBoss admin-console access (web-misc.rules)
 * 1:21518 <-> DISABLED <-> BOTNET-CNC Trojan.Agent-59544 connect to server attempt (botnet-cnc.rules)

Modified Rules:

 * 1:11176 <-> ENABLED <-> WEB-ACTIVEX Microsoft Office PowerPoint Viewer ActiveX clsid access (web-activex.rules)
 * 1:11178 <-> DISABLED <-> WEB-ACTIVEX Microsoft Office PowerPoint Viewer ActiveX function call access (web-activex.rules)
 * 1:11181 <-> ENABLED <-> WEB-ACTIVEX Microsoft Office Excel Viewer ActiveX clsid access (web-activex.rules)
 * 1:11183 <-> ENABLED <-> WEB-ACTIVEX Microsoft Office Excel Viewer ActiveX function call access (web-activex.rules)
 * 1:11187 <-> ENABLED <-> WEB-ACTIVEX Microsoft Office Word Viewer ActiveX clsid access (web-activex.rules)
 * 1:11189 <-> DISABLED <-> WEB-ACTIVEX Microsoft Office Word Viewer ActiveX function call access (web-activex.rules)
 * 1:14649 <-> ENABLED <-> NETBIOS SMB Search Search filename size integer underflow attempt (netbios.rules)
 * 1:15540 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer DOM memory corruption attempt (web-client.rules)
 * 1:15727 <-> ENABLED <-> POLICY transfer of a PDF with embedded Flash (policy.rules)
 * 1:16159 <-> DISABLED <-> WEB-ACTIVEX Microsoft Office Excel Add-in for SQL Analysis Services 1 ActiveX clsid access (web-activex.rules)
 * 1:16161 <-> DISABLED <-> WEB-ACTIVEX Microsoft Office Excel Add-in for SQL Analysis Services 2 ActiveX clsid access (web-activex.rules)
 * 1:16163 <-> DISABLED <-> WEB-ACTIVEX Microsoft Office Excel Add-in for SQL Analysis Services 3 ActiveX clsid access (web-activex.rules)
 * 1:16165 <-> DISABLED <-> WEB-ACTIVEX Microsoft Office Excel Add-in for SQL Analysis Services 4 ActiveX clsid access (web-activex.rules)
 * 1:16326 <-> DISABLED <-> EXPLOIT Microsoft Internet Explorer 8 DOM memory corruption attempt (exploit.rules)
 * 1:17536 <-> DISABLED <-> WEB-MISC Free Download Manager Remote Control Server HTTP Auth Header buffer overflow attempt (web-misc.rules)
 * 1:18327 <-> DISABLED <-> SCADA Kingview HMI heap overflow attempt (scada.rules)
 * 1:18681 <-> DISABLED <-> POLICY transfer of a PDF with embedded JavaScript - JavaScript string (policy.rules)
 * 1:18682 <-> DISABLED <-> POLICY transfer of a PDF with OpenAction object (policy.rules)
 * 1:18683 <-> ENABLED <-> POLICY Microsoft Office Excel file with embedded PDF object (policy.rules)
 * 1:18684 <-> ENABLED <-> POLICY PDF file with embedded PDF object (policy.rules)
 * 1:18732 <-> DISABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt (scada.rules)
 * 1:18733 <-> DISABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt (scada.rules)
 * 1:18734 <-> DISABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt (scada.rules)
 * 1:18735 <-> DISABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt (scada.rules)
 * 1:18736 <-> DISABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt (scada.rules)
 * 1:18737 <-> DISABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt (scada.rules)
 * 1:18738 <-> DISABLED <-> SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B2 integer overflow attempt (scada.rules)
 * 1:19362 <-> DISABLED <-> BOTNET-CNC generic IRC botnet connection attempt (botnet-cnc.rules)
 * 1:19646 <-> ENABLED <-> POLICY PDF with click-to-launch executable (policy.rules)
 * 1:19647 <-> ENABLED <-> POLICY PDF with click-to-launch executable (policy.rules)
 * 1:19648 <-> ENABLED <-> POLICY PDF with click-to-launch executable (policy.rules)
 * 1:20176 <-> DISABLED <-> SCADA DAQFactory NETB protocol stack overflow attempt (scada.rules)
 * 1:21417 <-> ENABLED <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit (specific-threats.rules)
 * 1:21480 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:518 <-> DISABLED <-> TFTP Put (tftp.rules)
 * 1:21454 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Banbra.vec runtime detection (botnet-cnc.rules)