Sourcefire VRT Rules Update

Date: 2012-03-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
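Added example, not part of the original Sourcefire notice: a small Python parser for the listing format above. It pulls the gid:sid, default state, message and rule group out of each entry and tags it with the section it sits under, so an operator can see which newly added rules will start alerting the moment the pack is pulled (ENABLED) and which stay silent until explicitly turned on (DISABLED). The sample listing is a constructed subset of entries copied from this page; the comma-separated gid:sid output is the form PulledPork's enablesid.conf/disablesid.conf accept, which is an assumption about a third-party tool and not something this notice describes.

```python
import re
from collections import Counter

# One changelog entry, in the format stated on the page:
#   gid:sid <-> Default rule state <-> Message (rule group)
# The leading " * " bullet is optional so bare and bulleted lines both parse.
ENTRY_RE = re.compile(
    r"^\s*(?:\*\s*)?(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Constructed sample: a subset of the entries listed on this page.
SAMPLE = """New Rules:

 * 1:21591 <-> ENABLED <-> BLACKLIST USER-AGENT known Adware user agent Gamevance tl_v (blacklist.rules)
 * 1:21587 <-> DISABLED <-> WEB-CLIENT VisiWave VWR file parsing code execution attempt (web-client.rules)
 * 1:21583 <-> ENABLED <-> SPECIFIC-THREATS Blackhole malicious pdf detection - qwe123 (specific-threats.rules)

Modified Rules:

 * 1:21572 <-> ENABLED <-> EXPLOIT Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (exploit.rules)
 * 1:21568 <-> DISABLED <-> DOS RDP RST denial of service attempt (dos.rules)
 * 1:15713 <-> DISABLED <-> SCADA DNP3 device trouble (scada.rules)
"""


def parse_update(text):
    """Parse a VRT update listing into dicts, tagging each entry with its section."""
    entries = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        # Section headers on these pages are bare lines ending in ':' ("New Rules:").
        if stripped.endswith(":"):
            section = stripped[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            continue  # blank lines and prose
        e = m.groupdict()
        e["gid"], e["sid"] = int(e["gid"]), int(e["sid"])
        e["section"] = section
        entries.append(e)
    return entries


def enabled_by_default(entries, section=None):
    """(gid, sid) pairs that fire without operator action once the pack is loaded."""
    return [(e["gid"], e["sid"]) for e in entries
            if e["state"] == "ENABLED" and (section is None or e["section"] == section)]


def disabled_by_group(entries):
    """Count of DISABLED rules per .rules file: the opt-in coverage this update offers."""
    return Counter(e["group"] for e in entries if e["state"] == "DISABLED")


def sid_list(entries, state):
    """Comma-separated gid:sid list (assumed PulledPork enablesid/disablesid format)."""
    return ",".join(f'{e["gid"]}:{e["sid"]}' for e in entries if e["state"] == state)


if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    print("new rules enabled by default:", enabled_by_default(parsed, "New Rules"))
    print("disabled rules per group:", dict(disabled_by_group(parsed)))
    print("candidates for enablesid.conf:", sid_list(parsed, "DISABLED"))
```

Run it against the full notice (or any later one in the same format) to review the ENABLED entries under "New Rules" before deploying the pack, since those change what the sensor alerts on with no configuration change on your side; the DISABLED list is the set to weigh for enabling where the product (VisiWave, DNP3, RDP) is actually present on your network.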

New Rules:


 * 1:21591 <-> ENABLED <-> BLACKLIST USER-AGENT known Adware user agent Gamevance tl_v (blacklist.rules)
 * 1:21590 <-> DISABLED <-> WEB-ACTIVEX IBM eGatherer ActiveX function call access (web-activex.rules)
 * 1:21589 <-> DISABLED <-> WEB-ACTIVEX IBM eGatherer ActiveX clsid access (web-activex.rules)
 * 1:21588 <-> ENABLED <-> BLACKLIST USER-AGENT known Adware user agent Softonic (blacklist.rules)
 * 1:21587 <-> DISABLED <-> WEB-CLIENT VisiWave VWR file parsing code execution attempt (web-client.rules)
 * 1:21586 <-> DISABLED <-> FILE-IDENTIFY VisiWave VWR file attachment detected (file-identify.rules)
 * 1:21585 <-> DISABLED <-> FILE-IDENTIFY VisiWave VWR file attachment detected (file-identify.rules)
 * 1:21584 <-> DISABLED <-> FILE-IDENTIFY VisiWave VWR file download request (file-identify.rules)
 * 1:21583 <-> ENABLED <-> SPECIFIC-THREATS Blackhole malicious pdf detection - qwe123 (specific-threats.rules)
 * 1:21582 <-> DISABLED <-> SPECIFIC-THREATS PDF obfuscation attempt (specific-threats.rules)
 * 1:21581 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page with specific structure-BBB (specific-threats.rules)
 * 1:21580 <-> ENABLED <-> SPECIFIC-THREATS JavaScript obfuscation - fromCharCode (specific-threats.rules)
 * 1:21579 <-> ENABLED <-> SPECIFIC-THREATS JavaScript obfuscation - fromCharCode (specific-threats.rules)
 * 1:21578 <-> ENABLED <-> SPECIFIC-THREATS JavaScript obfuscation - eval (specific-threats.rules)
 * 1:21577 <-> ENABLED <-> SPECIFIC-THREATS JavaScript obfuscation - charcode (specific-threats.rules)

Modified Rules:


 * 1:21572 <-> ENABLED <-> EXPLOIT Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (exploit.rules)
 * 1:21571 <-> ENABLED <-> EXPLOIT Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (exploit.rules)
 * 1:21568 <-> DISABLED <-> DOS RDP RST denial of service attempt (dos.rules)
 * 1:21492 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch (specific-threats.rules)
 * 1:21427 <-> ENABLED <-> BOTNET-CNC W32.Trojan.Delf variant outbound connection (botnet-cnc.rules)
 * 1:21347 <-> DISABLED <-> BLACKLIST URI possible Blackhole URL - .php?page= (blacklist.rules)
 * 1:21060 <-> DISABLED <-> EXPLOIT Symantec IM Manager Administrator console site injection attempt (exploit.rules)
 * 1:20900 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Windows Media MIDI file memory corruption attempt (specific-threats.rules)
 * 1:20846 <-> ENABLED <-> WEB-ACTIVEX Oracle Hyperion strategic finance client SetDevNames heap buffer overflow ActiveX clsid access (web-activex.rules)
 * 1:20635 <-> DISABLED <-> WEB-MISC HP Data Protector GetPolicies SQL Injection attempt (web-misc.rules)
 * 1:20628 <-> DISABLED <-> WEB-MISC HP Data Protector FinishedCopy SQL Injection attempt (web-misc.rules)
 * 1:20113 <-> DISABLED <-> EXPLOIT Microsoft Sharepoint XSS vulnerability attempt (exploit.rules)
 * 1:20112 <-> DISABLED <-> EXPLOIT Microsoft Sharepoint XSS vulnerability attempt (exploit.rules)
 * 1:19192 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Windows IIS Repeated Parameter Request denial of service attempt (specific-threats.rules)
 * 1:19158 <-> ENABLED <-> POLICY HP Universal CMDB server axis2 service upload attempt (policy.rules)
 * 1:19157 <-> ENABLED <-> WEB-MISC HP Universal CMDB server axis2 default credentials attempt (web-misc.rules)
 * 1:18800 <-> DISABLED <-> SPECIFIC-THREATS Adobe RoboHelp Server Arbitrary File Upload (specific-threats.rules)
 * 1:12278 <-> DISABLED <-> FILE-IDENTIFY Microsoft Media Player compressed skin download request (file-identify.rules)
 * 1:18795 <-> ENABLED <-> WEB-MISC HP OpenView Network Node Manager ovet_demandpoll.exe format string execution attempt (web-misc.rules)
 * 1:13571 <-> DISABLED <-> WEB-CLIENT Microsoft Office Excel dval record arbitrary code execution attempt (web-client.rules)
 * 1:15306 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (file-identify.rules)
 * 1:15713 <-> DISABLED <-> SCADA DNP3 device trouble (scada.rules)
 * 1:15714 <-> DISABLED <-> SCADA DNP3 corrupt configuration (scada.rules)
 * 1:15715 <-> DISABLED <-> SCADA DNP3 event buffer overflow error (scada.rules)
 * 1:17296 <-> ENABLED <-> WEB-MISC Microsoft Office Outlook Web Access XSRF attempt (web-misc.rules)
 * 1:17210 <-> DISABLED <-> POLICY Portable Executable binary file transfer over SMB (policy.rules)
 * 1:15718 <-> DISABLED <-> SCADA DNP3 unsupported function code error (scada.rules)
 * 1:15716 <-> DISABLED <-> SCADA DNP3 parameter error (scada.rules)
 * 1:15717 <-> DISABLED <-> SCADA DNP3 unknown object error (scada.rules)