Sourcefire VRT Rules Update

Date: 2012-05-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:22097 <-> DISABLED <-> WEB-PHP PHP-CGI command injection attempt (web-php.rules)
 * 1:22096 <-> ENABLED <-> BLACKLIST DNS request for known malware domain buffet.servehttp.com (blacklist.rules)
 * 1:22095 <-> ENABLED <-> BOTNET-CNC Backdoor.Win32.Agent outbound connection (botnet-cnc.rules)
 * 1:22094 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SERIES record SerAuxErrBar sdtX memory corruption attempt (file-office.rules)
 * 1:22093 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SERIES record SerAuxTrend sdtX memory corruption attempt (file-office.rules)
 * 1:22092 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SERIES record sdtY memory corruption attempt (file-office.rules)
 * 1:22091 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
 * 1:22090 <-> ENABLED <-> SPECIFIC-THREATS Microsoft .NET framework malicious XBAP attempt (specific-threats.rules)
 * 1:22088 <-> ENABLED <-> SPECIFIC-THREATS Blackhole Exploit Kit javascript service method (specific-threats.rules)
 * 1:22087 <-> ENABLED <-> FILE-OTHER Microsoft Windows True Type Font maxComponentPoints overflow attempt (file-other.rules)
 * 1:22086 <-> DISABLED <-> FILE-OFFICE Microsoft Office GDI+ incorrect index validation of malformed EMF image attempt (file-office.rules)
 * 1:22085 <-> DISABLED <-> FILE-OFFICE Microsoft Office GDI+ incorrect index validation of malformed EMF image attempt (file-office.rules)
 * 1:22084 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Powerpoint pptx file attachment detected (file-identify.rules)
 * 1:22083 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Powerpoint pptx file attachment detected (file-identify.rules)
 * 1:22082 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Powerpoint pptx file download request (file-identify.rules)
 * 1:22081 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt (file-office.rules)
 * 1:22080 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer xbap custom ISeralizable object exception attempt (specific-threats.rules)
 * 1:22079 <-> DISABLED <-> SPECIFIC-THREATS Microsoft .NET framework EvidenceBase class remote code execution attempt (specific-threats.rules)
 * 1:22078 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:22077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
 * 1:22076 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:22075 <-> DISABLED <-> FILE-OFFICE Microsoft Visio IndexDirectorySize greater than ChildrenSize memory access attempt (file-office.rules)
 * 3:22089 <-> ENABLED <-> WEB-CLIENT Microsoft RTF improper listoverride nesting attempt (web-client.rules)

Modified Rules:
 * 1:7199 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel label record overflow attempt (file-office.rules)
 * 1:22066 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word ScriptBridge OCX controller attempt (file-office.rules)
 * 1:22065 <-> DISABLED <-> BOTNET-CNC Trojan.Zeprox variant outbound connection (botnet-cnc.rules)
 * 1:22064 <-> ENABLED <-> WEB-PHP PHP-CGI command injection attempt (web-php.rules)
 * 1:22045 <-> ENABLED <-> FILE-IDENTIFY XM file attachment detected (file-identify.rules)
 * 1:22063 <-> ENABLED <-> WEB-PHP PHP-CGI remote file include attempt (web-php.rules)
 * 1:22044 <-> ENABLED <-> FILE-IDENTIFY XM file attachment detected (file-identify.rules)
 * 1:22027 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio VAP file attachment detected (file-identify.rules)
 * 1:22026 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio VAP file attachment detected (file-identify.rules)
 * 1:22022 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio SLN file attachment detected (file-identify.rules)
 * 1:22023 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio SLN file attachment detected (file-identify.rules)
 * 1:22019 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio PKP file attachment detected (file-identify.rules)
 * 1:22018 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio PKP file attachment detected (file-identify.rules)
 * 1:22015 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio DBP file attachment detected (file-identify.rules)
 * 1:22014 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio DBP file attachment detected (file-identify.rules)
 * 1:21980 <-> DISABLED <-> BOTNET-CNC Trojan.Winac outbound connection (botnet-cnc.rules)
 * 1:21977 <-> DISABLED <-> BOTNET-CNC Backdoor.Pinit outbound connection (botnet-cnc.rules)
 * 1:21975 <-> DISABLED <-> BOTNET-CNC Worm.Expichu runtime detection (botnet-cnc.rules)
 * 1:21849 <-> ENABLED <-> BOTNET-CNC TDS Sutra - HTTP header redirecting to a SutraTDS (botnet-cnc.rules)
 * 1:21974 <-> DISABLED <-> BOTNET-CNC Worm.Expichu runtime detection (botnet-cnc.rules)
 * 1:21973 <-> DISABLED <-> BOTNET-CNC Backdoor.ZZSlash runtime detection (botnet-cnc.rules)
 * 1:21963 <-> DISABLED <-> BOTNET-CNC X-Shell 601 communication protocol connection to server attempt (botnet-cnc.rules)
 * 1:21851 <-> ENABLED <-> BOTNET-CNC TDS Sutra - redirect received (botnet-cnc.rules)
 * 1:21850 <-> ENABLED <-> BOTNET-CNC TDS Sutra - request hi.cgi (botnet-cnc.rules)
 * 1:21848 <-> ENABLED <-> BOTNET-CNC TDS Sutra - page redirecting to a SutraTDS (botnet-cnc.rules)
 * 1:21847 <-> ENABLED <-> BOTNET-CNC TDS Sutra - cookie set (botnet-cnc.rules)
 * 1:21846 <-> ENABLED <-> BOTNET-CNC TDS Sutra - request in.cgi (botnet-cnc.rules)
 * 1:15936 <-> DISABLED <-> SERVER-MAIL Sendmail identd command parsing vulnerability (server-mail.rules)
 * 1:16057 <-> DISABLED <-> SERVER-MAIL Sendmail smtp timeout buffer overflow attempt (server-mail.rules)
 * 1:17369 <-> DISABLED <-> SERVER-MAIL MailEnable service APPEND command handling buffer overflow attempt (server-mail.rules)
 * 1:21845 <-> ENABLED <-> BOTNET-CNC TDS Sutra - redirect received (botnet-cnc.rules)
 * 1:21292 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer style.position use-after-free memory corruption attempt (web-client.rules)
 * 1:21525 <-> DISABLED <-> BOTNET-CNC Trojan.Downloader variant outbound connection (botnet-cnc.rules)
 * 1:21527 <-> DISABLED <-> BOTNET-CNC Trojan.Downloader registration connection detection (botnet-cnc.rules)
 * 1:21554 <-> DISABLED <-> BOTNET-CNC Trojan.Waledac.exe download attempt (botnet-cnc.rules)
 * 1:21528 <-> DISABLED <-> BOTNET-CNC Trojan.Downloader keep-alive connection detection (botnet-cnc.rules)
 * 1:21540 <-> DISABLED <-> BOTNET-CNC Trojan.Buzus application download attempt (botnet-cnc.rules)
 * 1:21541 <-> DISABLED <-> BOTNET-CNC Trojan.Buzus connect to server attempt (botnet-cnc.rules)
 * 1:21553 <-> DISABLED <-> BOTNET-CNC Trojan.Agent.cpze connect to server attempt (botnet-cnc.rules)
 * 1:21546 <-> DISABLED <-> BOTNET-CNC Possible host infection - excessive DNS queries for .cn (botnet-cnc.rules)
 * 1:21545 <-> DISABLED <-> BOTNET-CNC Possible host infection - excessive DNS queries for .ru (botnet-cnc.rules)
 * 1:21544 <-> DISABLED <-> BOTNET-CNC Possible host infection - excessive DNS queries for .eu (botnet-cnc.rules)
 * 1:21543 <-> DISABLED <-> BOTNET-CNC Trojan.Buzus html page download attempt (botnet-cnc.rules)
 * 1:21542 <-> DISABLED <-> BOTNET-CNC Trojan.Buzus firefox extension download attempt (botnet-cnc.rules)
 * 3:15912 <-> ENABLED <-> BAD-TRAFFIC TCP window closed before receiving data (bad-traffic.rules)
 * 3:16343 <-> ENABLED <-> WEB-CLIENT obfuscated header in PDF (web-client.rules)