Sourcefire VRT Rules Update

Date: 2012-04-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
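
Practitioners usually consume these announcements mechanically, e.g. to see which new detection ships DISABLED and must be switched on by hand (Sourcefire sets the default state conservatively; an exploit rule is often DISABLED until you opt in). The parser below is an added example, not part of the VRT announcement or of Snort itself; it reads the "gid:sid <-> state <-> message (group)" lines above, tags each with the section it appeared under, and emits `gid:sid` entries in the form pulledpork's enablesid.conf accepts. The sample text is a constructed excerpt of this page's own list.

```python
import re
from collections import Counter

# Constructed excerpt in the announcement's own "gid:sid <-> state <-> message (group)" format.
SAMPLE_UPDATE = """\
New Rules:

 * 1:21805 <-> DISABLED <-> EXPLOIT HT-MP3Player file parsing boundary buffer overflow attempt (exploit.rules)
 * 1:21806 <-> DISABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)

Modified Rules:

 * 1:21799 <-> ENABLED <-> FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt (file-office.rules)
 * 1:21796 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer iframe onreadystatechange handler use-after-free attempt (web-client.rules)
"""

# One rule line: bullet, gid:sid, default state, free-text message, and the rule file in parentheses.
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_update(text):
    """Return one dict per rule line, tagged with the section ('new' or 'modified') it appeared under."""
    records = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(line)
        if not m:
            continue  # headers, blank lines, anything not in the rule-line format
        records.append({
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "state": m.group("state"),
            "msg": m.group("msg"),
            "group": m.group("group"),
            "section": section,
        })
    return records


def disabled_by_group(records):
    """Count rules shipped DISABLED per rule file: these need an explicit enable decision."""
    return Counter(r["group"] for r in records if r["state"] == "DISABLED")


def enablesid_lines(records, keywords):
    """gid:sid entries (pulledpork enablesid.conf format) for DISABLED rules whose message matches any keyword."""
    hits = []
    for r in records:
        if r["state"] == "DISABLED" and any(k.lower() in r["msg"].lower() for k in keywords):
            hits.append(f"{r['gid']}:{r['sid']}")
    return hits


if __name__ == "__main__":
    recs = parse_update(SAMPLE_UPDATE)
    print(disabled_by_group(recs))
    print("\n".join(enablesid_lines(recs, ["use-after-free", "Samba"])))
```

The keyword filter is deliberately crude; in practice you would key on the rule group or on the CVE references carried in the rule itself, which this announcement format does not include.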

New Rules:
 * 1:21802 <-> ENABLED <-> FILE-IDENTIFY HT-MP3Player file download request (file-identify.rules)
 * 1:21803 <-> ENABLED <-> FILE-IDENTIFY HT-MP3Player file attachment detected (file-identify.rules)
 * 1:21804 <-> ENABLED <-> FILE-IDENTIFY HT-MP3Player file attachment detected (file-identify.rules)
 * 1:21805 <-> DISABLED <-> EXPLOIT HT-MP3Player file parsing boundary buffer overflow attempt (exploit.rules)
 * 1:21806 <-> DISABLED <-> NETBIOS Samba malicious user defined array size and buffer attempt (netbios.rules)

Modified Rules:
 * 1:15167 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .cn dns query (indicator-compromise.rules)
 * 1:21799 <-> ENABLED <-> FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt (file-office.rules)
 * 1:21797 <-> ENABLED <-> FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt (file-office.rules)
 * 1:21793 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer vector graphics reference counting use-after-free attempt (web-client.rules)
 * 1:21796 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer iframe onreadystatechange handler use-after-free attempt (web-client.rules)
 * 1:21801 <-> ENABLED <-> FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt (file-office.rules)
 * 1:21800 <-> ENABLED <-> FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt (file-office.rules)
 * 1:15168 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .ru dns query (indicator-compromise.rules)
 * 1:21798 <-> ENABLED <-> FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt (file-office.rules)
 * 1:19020 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .cc dns query (indicator-compromise.rules)