Sourcefire VRT Rules Update

Date: 2012-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
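The state column is the default shipped with the rule pack, not what is active on a given sensor; local policy and tools such as PulledPork decide that. The following parser for this changelog format is an added example, not part of the Sourcefire release notes. It splits the file into the "New Rules:" and "Modified Rules:" sections, extracts gid, sid, default state, message and rule file from each line, and reports which new rules are disabled by default so an analyst can decide what to enable (for instance by emitting a one-gid:sid-per-line list of the kind PulledPork's enablesid.conf consumes). The SAMPLE text is a short excerpt of this page's own entries; all function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One changelog line: " * gid:sid <-> ENABLED|DISABLED <-> message (rule-file.rules)"
LINE_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool   # default state in the rule pack, not the state on any sensor
    msg: str
    group: str      # rule file, e.g. "web-client.rules"

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_line(line: str) -> Optional[RuleEntry]:
    """Return a RuleEntry for one changelog line, or None if the line is not an entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                     m["msg"], m["group"])


def parse_update(text: str) -> Tuple[List[RuleEntry], List[RuleEntry]]:
    """Split a VRT update notice into (new_rules, modified_rules), keyed on its section headers."""
    new: List[RuleEntry] = []
    modified: List[RuleEntry] = []
    section: Optional[List[RuleEntry]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "New Rules:":
            section = new
            continue
        if line == "Modified Rules:":
            section = modified
            continue
        entry = parse_line(line)
        if entry is not None and section is not None:
            section.append(entry)
    return new, modified


def disabled_by_default(entries: List[RuleEntry]) -> List[str]:
    """gid:sid keys of rules that ship DISABLED, sorted numerically (gid, then sid)."""
    return [e.key for e in sorted(entries, key=lambda e: (e.gid, e.sid)) if not e.enabled]


def count_by_group(entries: List[RuleEntry]) -> Counter:
    """How many entries landed in each rule file, to see where an update concentrates."""
    return Counter(e.group for e in entries)


def sid_list(keys: List[str]) -> str:
    """One gid:sid per line, the shape a rule-management tool's enable list expects."""
    return "\n".join(keys) + ("\n" if keys else "")


# Constructed sample: an excerpt of the entries on this page, both sections present.
SAMPLE = """\
New Rules:

 * 1:21313 <-> ENABLED <-> BOTNET-CNC W32.Dofoil variant outbound connection (botnet-cnc.rules)
 * 1:21310 <-> DISABLED <-> WEB-CLIENT Microsoft product fputlsat.dll dll-load exploit attempt (web-client.rules)
 * 1:21309 <-> DISABLED <-> NETBIOS Microsoft product fputlsat.dll dll-load exploit attempt (netbios.rules)
 * 1:21288 <-> ENABLED <-> FILE-IDENTIFY XML download detection (file-identify.rules)

Modified Rules:

 * 1:17431 <-> ENABLED <-> EXPLOIT Microsoft Windows IIS SChannel improper certificate verification (exploit.rules)
 * 3:20825 <-> ENABLED <-> DOS generic web server hashing collision attack (dos.rules)
"""

if __name__ == "__main__":
    new_rules, modified_rules = parse_update(SAMPLE)
    print(f"{len(new_rules)} new, {len(modified_rules)} modified")
    print("new rules disabled by default:")
    print(sid_list(disabled_by_default(new_rules)), end="")
    for group, n in count_by_group(new_rules).most_common():
        print(f"  {group}: {n}")
```

Note that gid 3 entries (such as 3:20825 above) are shared-object rules; the parser keeps the gid so they are not confused with gid 1 text rules that happen to share a sid range.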

New Rules:


 * 1:21313 <-> ENABLED <-> BOTNET-CNC W32.Dofoil variant outbound connection (botnet-cnc.rules)
 * 1:21312 <-> ENABLED <-> BOTNET-CNC W32.Dofoil variant outbound connectivity check (botnet-cnc.rules)
 * 1:21311 <-> ENABLED <-> BOTNET-CNC W32.Dofoil variant outbound connection (botnet-cnc.rules)
 * 1:21310 <-> DISABLED <-> WEB-CLIENT Microsoft product fputlsat.dll dll-load exploit attempt (web-client.rules)
 * 1:21309 <-> DISABLED <-> NETBIOS Microsoft product fputlsat.dll dll-load exploit attempt (netbios.rules)
 * 1:21308 <-> DISABLED <-> EXPLOIT Microsoft Windows C Run-Time Library remote code execution attempt (exploit.rules)
 * 1:21307 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Visio TAG_xxxSheet code execution attempt (specific-threats.rules)
 * 1:21306 <-> ENABLED <-> BOTNET-CNC Win32.Spyeye variant outbound connectivity check (botnet-cnc.rules)
 * 1:21305 <-> DISABLED <-> SPECIFIC-THREATS Microsoft .NET Framework System.Uri.ReCreateParts System.Uri.PathAndQuery overflow attempt (specific-threats.rules)
 * 1:21304 <-> DISABLED <-> BACKDOOR Win32 Mdmbot.B runtime traffic detected (backdoor.rules)
 * 1:21303 <-> DISABLED <-> BACKDOOR Win32 Initor.ag runtime traffic detected (backdoor.rules)
 * 1:21302 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Visio TAG_OLEChunk code execution attempt (specific-threats.rules)
 * 1:21301 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Visio TAG_xxxSect code execution attempt (specific-threats.rules)
 * 1:21300 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer 9 null character in string information disclosure attempt (web-client.rules)
 * 1:21299 <-> ENABLED <-> EXPLOIT Microsoft Silverlight privilege escalation attempt (exploit.rules)
 * 1:21298 <-> ENABLED <-> WEB-MISC Microsoft SharePoint chart webpart XSS attempt (web-misc.rules)
 * 1:21297 <-> ENABLED <-> WEB-MISC Microsoft Sharepoint themeweb.aspx XSS attempt (web-misc.rules)
 * 1:21296 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
 * 1:21295 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
 * 1:21294 <-> DISABLED <-> BACKDOOR Win32.Bancodor.be runtime traffic detected (backdoor.rules)
 * 1:21293 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Visio corrupted compressed data memory corruption attempt (specific-threats.rules)
 * 1:21292 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer style.position use-after-free memory corruption attempt (web-client.rules)
 * 1:21291 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Office Visio invalid row option attempt (specific-threats.rules)
 * 1:21290 <-> DISABLED <-> WEB-CLIENT Microsoft Color Control Panel STI.dll dll-load exploit attempt (web-client.rules)
 * 1:21289 <-> DISABLED <-> NETBIOS Microsoft Color Control Panel STI.dll dll-load exploit attempt (netbios.rules)
 * 1:21288 <-> ENABLED <-> FILE-IDENTIFY XML download detection (file-identify.rules)
 * 1:21287 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules)
 * 1:21286 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules)
 * 1:21285 <-> ENABLED <-> FILE-IDENTIFY XSLT file download request (file-identify.rules)
 * 1:21284 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules)
 * 1:21283 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules)
 * 1:21282 <-> ENABLED <-> FILE-IDENTIFY XSL file download request (file-identify.rules)
 * 1:21281 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:21280 <-> DISABLED <-> BACKDOOR Win32 Turkojan.C runtime traffic detected (backdoor.rules)
 * 1:21279 <-> DISABLED <-> BACKDOOR Win.32.Kbot.s runtime traffic detected (backdoor.rules)
 * 1:21278 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string Google Bot (blacklist.rules)
 * 1:21277 <-> DISABLED <-> BACKDOOR Win32.Shexie.A runtime traffic detected (backdoor.rules)
 * 1:21276 <-> DISABLED <-> BACKDOOR Hupigon.hddn install time traffic detected (backdoor.rules)
 * 1:21275 <-> DISABLED <-> BACKDOOR Hupigon.hddn runtime traffic detected (backdoor.rules)
 * 1:21274 <-> DISABLED <-> BOTNET-CNC Tusha.cv runtime traffic detected (botnet-cnc.rules)
 * 1:21273 <-> DISABLED <-> BOTNET-CNC Tusha.cv runtime traffic detected (botnet-cnc.rules)
 * 1:21272 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer orphan DOM objects memory corruption attempt (web-client.rules)
 * 1:21271 <-> DISABLED <-> WEB-MISC Devellion CubeCart searchStr parameter SQL injection (web-misc.rules)
 * 1:21270 <-> DISABLED <-> WEB-MISC Devellion CubeCart multiple parameter XSS vulnerability (web-misc.rules)

Modified Rules:


 * 1:12382 <-> DISABLED <-> WEB-ACTIVEX Oracle EasyMail Objects ActiveX clsid access (web-activex.rules)
 * 1:14039 <-> ENABLED <-> EXPLOIT GNOME Project libxslt RC4 key string buffer overflow attempt (exploit.rules)
 * 1:16423 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer 7/8 execute local file in Internet zone redirect attempt (web-client.rules)
 * 1:16590 <-> DISABLED <-> SPECIFIC-THREATS Oracle EasyMail Objects ActiveX exploit attempt (specific-threats.rules)
 * 1:16591 <-> DISABLED <-> SPECIFIC-THREATS Oracle EasyMail Objects ActiveX exploit attempt (specific-threats.rules)
 * 1:16711 <-> DISABLED <-> WEB-ACTIVEX E-Book Systems FlipViewer FlipViewerX.dll ActiveX clsid access (web-activex.rules)
 * 1:17352 <-> DISABLED <-> EXPLOIT ClamAV CHM File Handling Integer Overflow attempt (exploit.rules)
 * 1:17400 <-> DISABLED <-> POLICY rename of JavaScript unescape function - likely malware obfuscation (policy.rules)
 * 1:17405 <-> ENABLED <-> EXPLOIT Microsoft Office Word Converter XST structure buffer overflow attempt (exploit.rules)
 * 1:17431 <-> ENABLED <-> EXPLOIT Microsoft Windows IIS SChannel improper certificate verification (exploit.rules)
 * 1:17631 <-> ENABLED <-> WEB-CLIENT Oracle Java Web Start JNLP java-vm-args buffer overflow attempt (web-client.rules)
 * 1:17907 <-> DISABLED <-> BLACKLIST URI request for known malicious URI - /MNG/Download/?File=AZF DATADIR Download (blacklist.rules)
 * 1:18200 <-> ENABLED <-> EXPLOIT Microsoft Office .CGM file cell array heap overflow attempt (exploit.rules)
 * 1:18201 <-> ENABLED <-> EXPLOIT Microsoft Office TIFF filter remote code execution attempt (exploit.rules)
 * 1:18297 <-> DISABLED <-> WEB-CLIENT Microsoft Windows Comctl32.dll third-party SVG viewer heap overflow attempt (web-client.rules)
 * 1:18413 <-> ENABLED <-> EXPLOIT Microsoft Windows WMI tracing api integer truncation attempt (exploit.rules)
 * 1:18494 <-> DISABLED <-> NETBIOS Microsoft product .dll dll-load exploit attempt (netbios.rules)
 * 1:18495 <-> DISABLED <-> WEB-CLIENT Microsoft product .dll dll-load exploit attempt (web-client.rules)
 * 1:18531 <-> DISABLED <-> WEB-CLIENT Multiple Vendors iacenc.dll dll-load exploit attempt (web-client.rules)
 * 1:18532 <-> DISABLED <-> NETBIOS Multiple Vendors iacenc.dll dll-load exploit attempt (netbios.rules)
 * 1:20258 <-> DISABLED <-> EXPLOIT Microsoft Forefront UAG javascript handler in URI XSS attempt (exploit.rules)
 * 1:20269 <-> DISABLED <-> FILE-IDENTIFY FON font file download request (file-identify.rules)
 * 1:20572 <-> DISABLED <-> WEB-MISC Microsoft Windows Font Library file buffer overflow attempt (web-misc.rules)
 * 1:20999 <-> ENABLED <-> WEB-CLIENT Microsoft Windows 7 x64 Apple Safari abnormally long iframe exploit attempt (web-client.rules)
 * 1:21261 <-> DISABLED <-> WEB-CLIENT Xitami if-modified-since header buffer overflow attempt (web-client.rules)
 * 1:3664 <-> DISABLED <-> EXPLOIT PPTP echo request buffer overflow attempt (exploit.rules)
 * 3:20825 <-> ENABLED <-> DOS generic web server hashing collision attack (dos.rules)