Sourcefire VRT Rules Update

Date: 2012-06-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.2.

The format of each entry is:

gid:sid <-> Default rule state <-> Message (rule group)

Entries with gid 1 are text rules; entries with gid 3 are shared-object rules and need the precompiled so_rules built for your Snort version and platform. The default rule state is the state the rule ships in: a DISABLED rule is present in its rules file but commented out until you enable it locally, so new rules listed as DISABLED below provide no coverage until reviewed and turned on.
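The entry format above is regular enough to parse, which is useful when you want to answer the operational questions this changelog raises: how many rules arrived disabled, which groups were touched, and which new rules need a decision before they provide any coverage. The following parser is an added example, not Sourcefire tooling; the sample input is a constructed subset of the lines on this page, and the `enablesid`-style output format it emits for disabled new rules is an assumption (one gid:sid per line, as rule-management tools such as PulledPork accept).

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of this update's own entries, with the section
# headers the changelog uses.
SAMPLE = """Sourcefire VRT Rules Update

New Rules:

 * 1:23113 <-> ENABLED <-> INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious (indicator-obfuscation.rules)
 * 1:23132 <-> DISABLED <-> FILE-OTHER Adobe Flash Player DefineSound tag long recordheader length field attempt (file-other.rules)
 * 1:23119 <-> DISABLED <-> DELETED rule (deleted.rules)

Modified Rules:

 * 1:16168 <-> ENABLED <-> DOS Microsoft SMBv2 integer overflow denial of service attempt (dos.rules)
 * 3:16534 <-> ENABLED <-> DOS Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (dos.rules)
"""

# One changelog entry: "gid:sid <-> Default rule state <-> Message (rule group)".
# The message is matched lazily so the trailing "(x.rules)" is always the group.
ENTRY_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+"
    r"(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.*?)\s+\((?P<group>[\w.-]+\.rules)\)\s*$"
)
SECTION_RE = re.compile(r"^\s*(?P<section>New|Modified) Rules:\s*$")


@dataclass(frozen=True)
class RuleEntry:
    section: str   # "new" or "modified"
    gid: int       # 1 = text rule, 3 = shared-object rule
    sid: int
    enabled: bool  # default rule state as shipped
    msg: str
    group: str     # rules file the entry lives in

    @property
    def ref(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_update(text: str) -> list:
    """Parse a VRT update changelog into RuleEntry records."""
    entries, section = [], None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section").lower()
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # title, date, blank line or format description
        if section is None:
            raise ValueError(f"rule entry before any section header: {line!r}")
        entries.append(RuleEntry(section, int(m["gid"]), int(m["sid"]),
                                 m["state"] == "ENABLED", m["msg"], m["group"]))
    return entries


def summarize(entries) -> dict:
    """Counts a practitioner wants at a glance, including per-group totals."""
    return {
        "new": sum(e.section == "new" for e in entries),
        "modified": sum(e.section == "modified" for e in entries),
        "enabled": sum(e.enabled for e in entries),
        "disabled": sum(not e.enabled for e in entries),
        "shared_object": sum(e.gid == 3 for e in entries),
        "by_group": Counter(e.group for e in entries),
    }


def disabled_new_rules(entries, skip_groups=("deleted.rules",)) -> list:
    """New rules that shipped DISABLED: the ones that need a local decision.
    Placeholder entries in deleted.rules are skipped; there is nothing to enable."""
    picked = [e for e in entries
              if e.section == "new" and not e.enabled and e.group not in skip_groups]
    return [e.ref for e in sorted(picked, key=lambda e: (e.gid, e.sid))]


def enablesid_lines(refs) -> str:
    """Assumed output format: one gid:sid per line for an enablesid-style config."""
    return "\n".join(refs)


if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    print(summarize(parsed))
    print(enablesid_lines(disabled_new_rules(parsed)))
```

Run against the full page rather than the sample, the same functions will show that most of the new web-client and file-other rules in this pack arrived disabled, which is the point: a rule update only changes what your sensor detects if the disabled entries are reviewed and enabled.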

New Rules:
 * 1:23113 <-> ENABLED <-> INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious (indicator-obfuscation.rules)
 * 1:23131 <-> ENABLED <-> FILE-OTHER Adobe X500 DistinguishedName property access attempt (file-other.rules)
 * 1:23129 <-> ENABLED <-> FILE-OTHER Adobe SecureSocket use without Connect attempt (file-other.rules)
 * 1:23132 <-> DISABLED <-> FILE-OTHER Adobe Flash Player DefineSound tag long recordheader length field attempt (file-other.rules)
 * 1:23135 <-> DISABLED <-> FILE-OTHER Adobe Flash SWF flash.DisplayObject memory corruption attempt (file-other.rules)
 * 1:23136 <-> DISABLED <-> WEB-MISC toStaticHTML cross-site scripting attempt (web-misc.rules)
 * 1:23137 <-> DISABLED <-> WEB-MISC toStaticHTML cross-site scripting attempt (web-misc.rules)
 * 1:23138 <-> ENABLED <-> EXPLOIT Apple CUPS IPP memory corruption attempt (exploit.rules)
 * 1:23114 <-> ENABLED <-> INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious (indicator-obfuscation.rules)
 * 1:23139 <-> ENABLED <-> EXPLOIT Apple CUPS IPP memory corruption attempt (exploit.rules)
 * 1:23115 <-> ENABLED <-> SQL MySQL/MariaDB client authentication bypass attempt (sql.rules)
 * 1:23116 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer 9 CTreeNode use after free attempt (web-client.rules)
 * 1:23118 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer console object use after free attempt (web-client.rules)
 * 1:23117 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer 9 DOM element use after free attempt (web-client.rules)
 * 1:23119 <-> DISABLED <-> DELETED rule (deleted.rules)
 * 1:23120 <-> DISABLED <-> DELETED rule (deleted.rules)
 * 1:23121 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer center element dynamic manipulation attempt (web-client.rules)
 * 1:23122 <-> DISABLED <-> WEB-CLIENT Internet Explorer use after free attempt (web-client.rules)
 * 1:23123 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (web-client.rules)
 * 1:23124 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer html table column span width increase memory corruption attempt (web-client.rules)
 * 1:23125 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer DOM manipulation memory corruption attempt (web-client.rules)
 * 1:23126 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer insertAdjacentText memory corruption attempt (web-client.rules)
 * 1:23127 <-> DISABLED <-> FILE-OTHER .NET xbap STGMEDIUM.unionmember arbitrary number overwrite attempt (file-other.rules)
 * 1:23128 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer 9 memory disclosure attempt (web-client.rules)
 * 1:23112 <-> DISABLED <-> DOS SAP NetWeaver Dispatcher denial of service attempt (dos.rules)
 * 1:23134 <-> DISABLED <-> WEB-CLIENT Adobe Flash Player broker destructor DoS attempt (web-client.rules)
 * 1:23133 <-> DISABLED <-> FILE-OTHER Adobe Flash SWF flash.display.BitmapData constuctor overflow attempt (file-other.rules)
 * 1:23111 <-> DISABLED <-> POLICY PHP uri tag injection attempt (policy.rules)
 * 1:23130 <-> ENABLED <-> FILE-OTHER Adobe X509 direct instantiation property access attempt (file-other.rules)

Modified Rules:
 * 1:15571 <-> DISABLED <-> EXPLOIT RealNetworks Helix Server RTSP SETUP stack buffer overflow attempt (exploit.rules)
 * 1:18319 <-> DISABLED <-> SPECIFIC-THREATS NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarLookupSids lsa_io_trans_name heap overflow attempt (specific-threats.rules)
 * 1:16168 <-> ENABLED <-> DOS Microsoft SMBv2 integer overflow denial of service attempt (dos.rules)
 * 1:17056 <-> DISABLED <-> SPECIFIC-THREATS Novell NetIdentity Agent XTIERRPCPIPE remote code execution attempt (specific-threats.rules)
 * 1:13714 <-> DISABLED <-> MYSQL yaSSL SSLv3 Client Hello Message Cipher Specs Buffer Overflow attempt (mysql.rules)
 * 1:14900 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum overflow attempt (netbios.rules)
 * 1:12392 <-> DISABLED <-> SERVER-MAIL GNU Mailutils request tag format string vulnerability attempt (server-mail.rules)
 * 1:13363 <-> ENABLED <-> EXPLOIT Cisco Unified Communications Manager heap overflow attempt (exploit.rules)
 * 1:12358 <-> DISABLED <-> EXPLOIT Helix DNA Server RTSP require tag heap overflow attempt (exploit.rules)
 * 1:12635 <-> DISABLED <-> DOS RPC NTLMSSP malformed credentials attempt (dos.rules)
 * 1:12984 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP srvsvc NetSetFileSecurity integer overflow attempt (netbios.rules)
 * 1:10603 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvUpdateRecord2 overflow attempt (netbios.rules)
 * 1:11073 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP rpcss _RemoteGetClassObject attempt (netbios.rules)
 * 1:10407 <-> DISABLED <-> EXPLOIT Helix Server LoadTestPassword buffer overflow attempt (exploit.rules)
 * 1:12198 <-> DISABLED <-> SNMP Microsoft Windows getbulk request attempt (snmp.rules)
 * 1:11947 <-> DISABLED <-> WEB-CLIENT Microsoft Windows schannel security package (web-client.rules)
 * 1:11442 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarAddPrivilegesToAccount overflow attempt (netbios.rules)
 * 1:10036 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor ASRemotePFC overflow attempt (netbios.rules)
 * 1:10011 <-> DISABLED <-> SERVER-MAIL Novell NetMail APPEND command buffer overflow attempt (server-mail.rules)
 * 1:16020 <-> DISABLED <-> SPECIFIC-THREATS Oracle MySQL login handshake information disclosure attempt (specific-threats.rules)
 * 1:17057 <-> DISABLED <-> SPECIFIC-THREATS Novell Client NetIdentity Agent remote arbitrary pointer dereference code execution attempt (specific-threats.rules)
 * 1:17151 <-> DISABLED <-> SPECIFIC-THREATS Samba smbd flags2 header parsing denial of service attempt - 1 (specific-threats.rules)
 * 1:16058 <-> DISABLED <-> SPECIFIC-THREATS Samba WINS Server Name Registration handling stack buffer overflow attempt (specific-threats.rules)
 * 1:17152 <-> DISABLED <-> SPECIFIC-THREATS Samba smbd flags2 header parsing denial of service attempt - 2 (specific-threats.rules)
 * 1:17579 <-> DISABLED <-> FILE-OFFICE Microsoft Office Drawing Record msofbtOPT Code Execution attempt (file-office.rules)
 * 1:18189 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum attempt (netbios.rules)
 * 1:18191 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum attempt (netbios.rules)
 * 1:18267 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP rpcss2_RemoteGetClassObject attempt (netbios.rules)
 * 1:18315 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrValidateName2 overflow attempt (netbios.rules)
 * 1:18472 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarLookupSids lsa_io_trans_name heap overflow attempt (netbios.rules)
 * 1:8925 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrAddAlternateComputerName overflow attempt (netbios.rules)
 * 1:18589 <-> DISABLED <-> SPECIFIC-THREATS Novell Client NetIdentity Agent remote arbitrary pointer dereference code execution attempt (specific-threats.rules)
 * 1:15902 <-> ENABLED <-> SHELLCODE x86 win2k-2k3 decoder base shellcode (shellcode.rules)
 * 1:19436 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt (web-client.rules)
 * 1:16066 <-> DISABLED <-> EXPLOIT Microsoft Windows Server driver crafted SMB data denial of service (exploit.rules)
 * 1:19574 <-> DISABLED <-> BACKDOOR Worm Win32.Chiviper.C outbound connection (backdoor.rules)
 * 1:16167 <-> DISABLED <-> DOS Microsoft LSASS integer wrap denial of service attempt (dos.rules)
 * 1:21087 <-> DISABLED <-> BOTNET-CNC Bindow.Worm runtime traffic detected (botnet-cnc.rules)
 * 1:20768 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:21262 <-> DISABLED <-> SPECIFIC-THREATS NETBIOS DCERPC ISystemActivate flood attempt (specific-threats.rules)
 * 1:16684 <-> DISABLED <-> DOS Samba smbd Session Setup AndX security blob length dos attempt (dos.rules)
 * 1:2705 <-> DISABLED <-> WEB-CLIENT Microsoft Multiple Products JPEG parser heap overflow attempt (web-client.rules)
 * 1:21281 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (specific-threats.rules)
 * 1:5712 <-> DISABLED <-> WEB-CLIENT Microsoft Windows Media Player invalid data offset bitmap heap overflow attempt (web-client.rules)
 * 1:5095 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP lsass DsRolerGetPrimaryDomainInformation attempt (netbios.rules)
 * 1:7070 <-> DISABLED <-> POLICY script tag in URI - likely cross-site scripting attempt (policy.rules)
 * 1:15930 <-> ENABLED <-> NETBIOS Microsoft Windows SMB malformed process ID high field remote code execution attempt (netbios.rules)
 * 1:16016 <-> DISABLED <-> SPECIFIC-THREATS Microsoft client for netware overflow attempt (specific-threats.rules)
 * 1:15512 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP rpcss2_RemoteGetClassObject attempt (netbios.rules)
 * 1:15965 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Explorer long share name buffer overflow attempt (specific-threats.rules)
 * 1:15573 <-> ENABLED <-> EXPLOIT RealNetworks Helix Server RTSP SET_PARAMETER heap buffer overflow attempt (exploit.rules)
 * 3:16534 <-> ENABLED <-> DOS Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (dos.rules)
 * 3:16418 <-> ENABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
 * 3:16237 <-> ENABLED <-> DOS Microsoft Active Directory NTDSA stack space exhaustion attempt (dos.rules)
 * 3:15974 <-> ENABLED <-> EXPLOIT Microsoft IIS ASP handling buffer overflow attempt (exploit.rules)
 * 3:15973 <-> ENABLED <-> EXPLOIT Novell eDirectory LDAP null search parameter buffer overflow attempt (exploit.rules)
 * 3:13879 <-> ENABLED <-> WEB-CLIENT Windows BMP image conversion arbitrary code execution attempt (web-client.rules)
 * 3:13921 <-> ENABLED <-> IMAP Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (imap.rules)
 * 3:13835 <-> ENABLED <-> DOS Microsoft Active Directory LDAP cookie denial of service attempt (dos.rules)
 * 3:15149 <-> ENABLED <-> DOS Oracle Internet Directory pre-auth ldap denial of service attempt (dos.rules)
 * 3:13773 <-> ENABLED <-> DOS linux kernel snmp nat netfilter memory corruption attempt (dos.rules)
 * 3:14263 <-> ENABLED <-> CHAT Pidgin MSN MSNP2P message integer overflow attempt (chat.rules)
 * 3:13667 <-> ENABLED <-> BAD-TRAFFIC dns cache poisoning attempt (bad-traffic.rules)
 * 3:13475 <-> ENABLED <-> DOS Microsoft Active Directory LDAP denial of service attempt (dos.rules)
 * 3:15327 <-> ENABLED <-> BAD-TRAFFIC libspf2 DNS TXT record parsing buffer overflow attempt (bad-traffic.rules)
 * 3:16531 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)
 * 3:18101 <-> ENABLED <-> EXPLOIT Sun Directory Server LDAP denial of service attempt (exploit.rules)
 * 3:13418 <-> ENABLED <-> DOS IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (dos.rules)
 * 3:13425 <-> ENABLED <-> DOS openldap server bind request denial of service attempt (dos.rules)
 * 3:13511 <-> ENABLED <-> EXPLOIT Novell eDirectory EventsRequest invalid event count exploit attempt (exploit.rules)
 * 3:13510 <-> ENABLED <-> EXPLOIT Novell eDirectory EventsRequest heap overflow attempt (exploit.rules)
 * 3:13476 <-> ENABLED <-> WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow (web-iis.rules)
 * 3:11619 <-> ENABLED <-> MISC MySQL COM_TABLE_DUMP Function Stack Overflow attempt (misc.rules)
 * 3:11672 <-> ENABLED <-> MISC Mozilla Network Security Services SSLv2 stack overflow attempt (misc.rules)
 * 3:12028 <-> ENABLED <-> SMTP Microsoft Exchange Server MIME base64 decoding code execution attempt (smtp.rules)
 * 3:10161 <-> ENABLED <-> NETBIOS SMB write_andx overflow attempt (netbios.rules)