Sourcefire VRT Rules Update

Date: 2012-02-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:21357 <-> DISABLED <-> EXPLOIT Microsoft Windows OLEAUT32.DLL malicious WMF file remote code execution attempt (exploit.rules)
 * 1:21356 <-> DISABLED <-> WEB-CLIENT Apache URI directory traversal attempt (web-client.rules)
 * 1:21353 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer mouse drag hijack (web-client.rules)
 * 1:21351 <-> DISABLED <-> EXPLOIT IBM Tivoli kuddb2 denial of service attempt (exploit.rules)
 * 1:21350 <-> DISABLED <-> EXPLOIT HP OpenView Storage Data Protector stack overflow attempt (exploit.rules)
 * 1:21349 <-> DISABLED <-> EXPLOIT HP OpenView Storage Data Protector stack overflow attempt (exploit.rules)
 * 1:21348 <-> ENABLED <-> BLACKLIST URI possible Blackhole URL - search.php?page= (blacklist.rules)
 * 1:21347 <-> DISABLED <-> BLACKLIST URI possible Blackhole URL - .php?page= (blacklist.rules)
 * 1:21346 <-> DISABLED <-> SPECIFIC-THREATS possible Blackhole exploit kit malicious jar download (specific-threats.rules)
 * 1:21345 <-> DISABLED <-> SPECIFIC-THREATS possible Blackhole exploit kit malicious jar request (specific-threats.rules)
 * 1:21344 <-> ENABLED <-> SPECIFIC-THREATS Blackhole exploit kit pdf download (specific-threats.rules)
 * 1:21343 <-> DISABLED <-> SPECIFIC-THREATS Blackhole exploit kit pdf request (specific-threats.rules)
 * 1:21342 <-> ENABLED <-> EXPLOIT Adobe Flash Player MP4 zero length atom 'cprt' field attempt (exploit.rules)
 * 1:21341 <-> ENABLED <-> EXPLOIT Adobe Flash Player MP4 zero length atom 'dscp' field attempt (exploit.rules)
 * 1:21340 <-> ENABLED <-> EXPLOIT Adobe Flash Player MP4 zero length atom 'titl' field attempt (exploit.rules)
 * 1:21339 <-> ENABLED <-> EXPLOIT Adobe Flash Player MP4 zero length atom 'auth' field attempt (exploit.rules)
 * 1:21338 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash Player MP4 zero length atom attempt (specific-threats.rules)
 * 1:21337 <-> DISABLED <-> WEB-MISC Apache XML HMAC truncation authentication bypass attempt (web-misc.rules)
 * 1:21336 <-> DISABLED <-> SPECIFIC-THREATS Adobe Flash ASConstructor insecure calling attempt (specific-threats.rules)
 * 1:21335 <-> DISABLED <-> SPECIFIC-THREATS Adobe Flash Player ActionScript bytecode type confusion null dereference attempt (specific-threats.rules)
 * 1:21334 <-> DISABLED <-> WEB-MISC Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (web-misc.rules)
 * 1:21333 <-> DISABLED <-> WEB-MISC Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (web-misc.rules)
 * 1:21332 <-> DISABLED <-> POLICY Synergy network kvm usage detected (policy.rules)
 * 1:21331 <-> DISABLED <-> EXPLOIT Synergy clipboard format client integer overflow attempt (exploit.rules)
 * 1:21330 <-> DISABLED <-> EXPLOIT Synergy clipboard format server integer overflow attempt (exploit.rules)
 * 1:21329 <-> DISABLED <-> EXPLOIT Synergy clipboard format client integer overflow attempt (exploit.rules)
 * 1:21328 <-> DISABLED <-> EXPLOIT Synergy clipboard format server integer overflow attempt (exploit.rules)
 * 1:21327 <-> ENABLED <-> BLACKLIST USER-AGENT ASafaWeb Scan (blacklist.rules)
 * 1:21326 <-> DISABLED <-> EXPLOIT Adobe Flash Player ActiveX URL import attempt (exploit.rules)
 * 1:21325 <-> DISABLED <-> SPECIFIC-THREATS Adobe Flash Player cross site request forgery attempt (specific-threats.rules)
 * 1:21324 <-> DISABLED <-> WEB-CLIENT Acrobat Flash Player uxtheme.dll dll-load exploit attempt (web-client.rules)
 * 1:21323 <-> DISABLED <-> WEB-CLIENT Acrobat Flash Player atl.dll dll-load exploit attempt (web-client.rules)
 * 1:21322 <-> DISABLED <-> WEB-CLIENT Acrobat Flash Player version.dll dll-load exploit attempt (web-client.rules)
 * 1:21321 <-> DISABLED <-> NETBIOS Acrobat Flash Player uxtheme.dll dll-load exploit attempt (netbios.rules)
 * 1:21320 <-> DISABLED <-> NETBIOS Acrobat Flash Player atl.dll dll-load exploit attempt (netbios.rules)
 * 1:21319 <-> DISABLED <-> NETBIOS Acrobat Flash Player version.dll dll-load exploit attempt (netbios.rules)
 * 1:21318 <-> ENABLED <-> BOTNET-CNC Win32.FakeAV TDSS/PurpleHaze outbound connection - base64 encoded (botnet-cnc.rules)
 * 1:21317 <-> DISABLED <-> WEB-CLIENT BACnet OPC client csv file buffer overflow attempt (web-client.rules)
 * 1:21316 <-> DISABLED <-> SPECIFIC-THREATS Adobe shockwave director tSAC string termination memory corruption attempt (specific-threats.rules)
 * 1:21315 <-> DISABLED <-> SPECIFIC-THREATS Quest NetVault SmartDisk libnvbasics.dll DOS attempt (specific-threats.rules)
 * 1:21314 <-> DISABLED <-> WEB-MISC HP Insight Diagnostics XSS attempt (web-misc.rules)
 * 3:21354 <-> ENABLED <-> BAD-TRAFFIC dns query - storing query and txid (bad-traffic.rules)
 * 3:21355 <-> ENABLED <-> BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid (bad-traffic.rules)
 * 3:21352 <-> ENABLED <-> SMTP Microsoft Fax Cover Page Editor heap corruption attempt (web-client.rules)

Modified Rules:

 * 1:10064 <-> DISABLED <-> EXPLOIT Peercast URL Parameter overflow attempt (exploit.rules)
 * 1:18636 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Office PowerPoint SlideAtom record exploit attempt (specific-threats.rules)
 * 1:17410 <-> DISABLED <-> WEB-MISC Generic HyperLink buffer overflow attempt (web-misc.rules)
 * 1:20129 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office BpscBulletProof uninitialized pointer dereference attempt (specific-threats.rules)
 * 1:21042 <-> ENABLED <-> BLACKLIST URI possible Blackhole post-compromise download attempt - .php?f= (blacklist.rules)
 * 1:21043 <-> ENABLED <-> BLACKLIST URI possible Blackhole post-compromise download attempt - .php?e= (blacklist.rules)
 * 1:21240 <-> ENABLED <-> BOTNET-CNC MsUpdater Trojan outbound connection (botnet-cnc.rules)
 * 1:21241 <-> ENABLED <-> BOTNET-CNC MsUpdater Trojan initial outbound connection (botnet-cnc.rules)
 * 1:21242 <-> ENABLED <-> BOTNET-CNC MsUpdater Trojan outbound connection (botnet-cnc.rules)
 * 1:21261 <-> DISABLED <-> WEB-CLIENT Xitami if-modified-since header buffer overflow attempt (web-client.rules)
 * 1:21270 <-> DISABLED <-> WEB-MISC Devellion CubeCart multiple parameter XSS vulnerability (web-misc.rules)
 * 1:21299 <-> ENABLED <-> EXPLOIT Microsoft Silverlight privilege escalation attempt (exploit.rules)
 * 1:3657 <-> DISABLED <-> ORACLE ctxsys.driload attempt (oracle.rules)
 * 3:16227 <-> ENABLED <-> WEB-MISC Web Service on Devices API 'WSDAPI' URL processing buffer corruption attempt (web-misc.rules)
 * 3:15474 <-> ENABLED <-> BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (bad-traffic.rules)