Sourcefire VRT Rules Update

Date: 2012-06-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:23177 <-> DISABLED <-> WEB-PHP Symantec Web Gateway timer.php cross site scripting attempt (web-php.rules)
 * 1:23175 <-> DISABLED <-> WEB-ACTIVEX IBM Lotus Quickr ActiveX stack buffer overflow attempt (web-activex.rules)
 * 1:23176 <-> DISABLED <-> BOTNET-CNC Donbot.A runtime traffic attempt detected (botnet-cnc.rules)
 * 1:23174 <-> DISABLED <-> WEB-ACTIVEX IBM Lotus Quickr ActiveX stack buffer overflow attempt (web-activex.rules)
 * 1:23173 <-> DISABLED <-> BOTNET-CNC Android Zitmo trojan command and control channel traffic (botnet-cnc.rules)

Modified Rules:

 * 1:21606 <-> DISABLED <-> WEB-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (web-iis.rules)
 * 1:21796 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer iframe onreadystatechange handler use-after-free attempt (web-client.rules)
 * 1:21604 <-> DISABLED <-> WEB-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (web-iis.rules)
 * 1:21605 <-> DISABLED <-> WEB-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (web-iis.rules)
 * 1:21600 <-> DISABLED <-> WEB-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (web-iis.rules)
 * 1:21603 <-> DISABLED <-> WEB-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (web-iis.rules)
 * 1:21602 <-> DISABLED <-> WEB-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (web-iis.rules)
 * 1:21601 <-> DISABLED <-> WEB-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (web-iis.rules)
 * 1:21297 <-> ENABLED <-> WEB-MISC Microsoft Office SharePoint themeweb.aspx XSS attempt (web-misc.rules)
 * 1:21599 <-> DISABLED <-> WEB-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (web-iis.rules)
 * 1:20116 <-> DISABLED <-> EXPLOIT Microsoft Office SharePoint Javascript XSS attempt (exploit.rules)
 * 1:21011 <-> ENABLED <-> FILE-IDENTIFY Microsoft PowerPoint file magic detected (file-identify.rules)
 * 1:20113 <-> DISABLED <-> EXPLOIT Microsoft Office SharePoint XSS vulnerability attempt (exploit.rules)
 * 1:20115 <-> DISABLED <-> EXPLOIT Microsoft Office SharePoint XML external entity exploit attempt (exploit.rules)
 * 1:20112 <-> DISABLED <-> EXPLOIT Microsoft Office SharePoint XSS vulnerability attempt (exploit.rules)
 * 1:12629 <-> DISABLED <-> WEB-MISC Microsoft Office SharePoint cross site scripting attempt (web-misc.rules)
 * 1:1283 <-> DISABLED <-> WEB-IIS Microsoft Office Outlook web dos (web-iis.rules)
 * 1:15108 <-> ENABLED <-> FILE-OFFICE Microsoft Office SharePoint Server elevation of privilege exploit attempt (file-office.rules)
 * 1:16560 <-> ENABLED <-> WEB-MISC Microsoft Office SharePoint XSS attempt (web-misc.rules)
 * 1:17275 <-> DISABLED <-> SPECIFIC-THREATS Symantec Brightmail AntiSpam nested Zip handling denial of service attempt (specific-threats.rules)
 * 1:18238 <-> ENABLED <-> EXPLOIT Microsoft Office SharePoint document conversion remote code excution attempt (exploit.rules)
 * 1:19322 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Internet Explorer and SharePoint toStaticHTML information disclosure attempt (specific-threats.rules)
 * 1:20111 <-> DISABLED <-> EXPLOIT Microsoft Office SharePoint XSS vulnerability attempt (exploit.rules)
 * 1:7029 <-> DISABLED <-> WEB-IIS Microsoft Office FrontPage server extensions 2002 cross site scripting attempt (web-iis.rules)
 * 1:7028 <-> DISABLED <-> WEB-IIS Microsoft Office FrontPage server extensions 2002 cross site scripting attempt (web-iis.rules)
 * 1:22083 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint pptx file attachment detected (file-identify.rules)
 * 1:22084 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint pptx file attachment detected (file-identify.rules)
 * 1:23118 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer console object use after free attempt (web-client.rules)
 * 1:22082 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint pptx file download request (file-identify.rules)
 * 1:7027 <-> DISABLED <-> WEB-IIS Microsoft Office FrontPage server extensions 2002 cross site scripting attempt (web-iis.rules)
 * 1:23166 <-> DISABLED <-> FILE-PDF Adobe PDF XDP encoded download attempt (file-pdf.rules)
 * 1:23172 <-> DISABLED <-> WEB-IIS Microsoft Windows .NET improper comment handling XSS attempt (web-iis.rules)