Sourcefire VRT Rules Update

Date: 2012-07-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:23284 <-> DISABLED <-> WEB-ACTIVEX Oracle WebCenter Forms Recognition ActiveX function call attempt (web-activex.rules)
 * 1:23282 <-> ENABLED <-> WEB-MISC Microsoft Office SharePoint query.iqy XSS attempt (web-misc.rules)
 * 1:23283 <-> DISABLED <-> WEB-ACTIVEX Oracle WebCenter Forms Recognition ActiveX clsid attempt (web-activex.rules)
 * 1:23277 <-> ENABLED <-> WEB-CLIENT Oracle Java field bytecode verifier cache code execution attempt (web-client.rules)
 * 1:23279 <-> DISABLED <-> WEB-MISC Microsoft SharePoint cross site scripting attempt (web-misc.rules)
 * 1:23276 <-> ENABLED <-> WEB-CLIENT Oracle Java field bytecode verifier cache code execution attempt (web-client.rules)
 * 1:23280 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer corrupted HROW instance write access violation attempt (web-client.rules)
 * 1:23285 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer OnReadyStateChange use after free attempt (web-client.rules)
 * 1:23286 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23287 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23263 <-> ENABLED <-> FILE-PDF CANVAS Adobe flash player newfunction memory corruption attempt (file-pdf.rules)
 * 1:23264 <-> ENABLED <-> FILE-OTHER Adobe flash player newfunction memory corruption attempt (file-other.rules)
 * 1:23265 <-> ENABLED <-> FILE-OTHER Adobe flash player newfunction memory corruption attempt (file-other.rules)
 * 1:23288 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23266 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)
 * 1:23267 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)
 * 1:23268 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)
 * 1:23269 <-> DISABLED <-> WEB-CLIENT Cisco WebEx recording integer overflow attempt (web-client.rules)
 * 1:23270 <-> DISABLED <-> FILE-OFFICE Microsoft Office Malformed MSODrawing Record attempt (file-office.rules)
 * 1:23289 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23271 <-> ENABLED <-> FILE-OTHER Extended M3U playlist record overflow attempt (file-other.rules)
 * 1:23272 <-> ENABLED <-> FILE-OTHER Extended M3U playlist record overflow attempt (file-other.rules)
 * 1:23273 <-> ENABLED <-> WEB-CLIENT Oracle Java field bytecode verifier cache code execution attempt (web-client.rules)
 * 1:23290 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23274 <-> ENABLED <-> WEB-CLIENT Oracle Java field bytecode verifier cache code execution attempt (web-client.rules)
 * 1:23275 <-> ENABLED <-> WEB-CLIENT Oracle Java field bytecode verifier cache code execution attempt (web-client.rules)
 * 1:23291 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23292 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23293 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23294 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23295 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23296 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23297 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23298 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23300 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23299 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23301 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23302 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23303 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23305 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:23304 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23306 <-> DISABLED <-> BOTNET-CNC Trojan.Stealer connect to server attempt (botnet-cnc.rules)
 * 1:23307 <-> ENABLED <-> BOTNET-CNC Trojan.Dropper connect to server attempt (botnet-cnc.rules)
 * 1:23308 <-> DISABLED <-> BOTNET-CNC Trojan.Downloader.Bucriv outbound connection attempt (botnet-cnc.rules)
 * 1:23309 <-> ENABLED <-> FILE-OTHER Portable Executable multiple antivirus evasion attempt (file-other.rules)
 * 1:23310 <-> ENABLED <-> FILE-OTHER Portable Executable multiple antivirus evasion attempt (file-other.rules)
 * 1:23278 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer nested ul tags uninitialized memory access attempt (web-client.rules)
 * 1:23281 <-> ENABLED <-> WEB-MISC Microsoft SharePoint scriptresx.ashx XSS attempt (web-misc.rules)
 * 1:23316 <-> DISABLED <-> WEB-CLIENT Microsoft Office Word imeshare.dll dll-load exploit attempt (web-client.rules)
 * 1:23314 <-> DISABLED <-> NETBIOS SMB invalid character argument injection attempt (netbios.rules)
 * 1:23315 <-> DISABLED <-> NETBIOS Microsoft Office Word imeshare.dll dll-load exploit attempt (netbios.rules)
 * 1:23313 <-> ENABLED <-> FILE-OTHER Portable Executable multiple antivirus evasion attempt (file-other.rules)
 * 1:23312 <-> ENABLED <-> FILE-OTHER Portable Executable multiple antivirus evasion attempt (file-other.rules)
 * 1:23311 <-> ENABLED <-> FILE-OTHER Portable Executable multiple antivirus evasion attempt (file-other.rules)

Modified Rules:
 * 1:15492 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader spell.customDictionaryOpen exploit attempt (file-pdf.rules)
 * 1:16416 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed MSODrawing Record attempt (file-office.rules)
 * 1:16545 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader malformed Richmedia annotation exploit attempt (file-pdf.rules)
 * 1:16593 <-> ENABLED <-> FILE-OFFICE Microsoft VBE6.dll stack corruption attempt (file-office.rules)
 * 1:16633 <-> ENABLED <-> FILE-PDF Adobe PDF File containing Flash use-after-free attack attempt (file-pdf.rules)
 * 1:16634 <-> ENABLED <-> WEB-CLIENT Adobe Flash use-after-free attack attempt (web-client.rules)
 * 1:17591 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)
 * 1:17321 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters name overflow attempt (netbios.rules)
 * 1:17649 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word array data handling buffer overflow attempt (file-office.rules)
 * 1:18638 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel OfficeArtSpContainer record exploit attempt (file-office.rules)
 * 1:19826 <-> ENABLED <-> WEB-MISC HP Power Manager remote code execution attempt (web-misc.rules)
 * 1:20486 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:21679 <-> ENABLED <-> SPECIFIC-THREATS Bleeding Life exploit module call attempt (specific-threats.rules)
 * 1:22954 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed SELECTION Record Code Execution attempt (file-office.rules)
 * 1:23136 <-> ENABLED <-> WEB-CLIENT Microsoft multiple product toStaticHTML XSS attempt (web-client.rules)
 * 1:23137 <-> ENABLED <-> WEB-CLIENT Microsoft multiple product toStaticHTML XSS attempt (web-client.rules)
 * 1:23143 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23142 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23144 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23145 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23146 <-> ENABLED <-> WEB-ACTIVEX Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (web-activex.rules)
 * 1:23218 <-> ENABLED <-> SPECIFIC-THREATS RedKit Repeated Exploit Request Pattern (specific-threats.rules)
 * 1:23230 <-> DISABLED <-> DOS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (dos.rules)
 * 1:23231 <-> DISABLED <-> DOS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (dos.rules)
 * 1:23232 <-> DISABLED <-> DOS Microsoft Windows NT DHCP DISCOVER client identifier overflow attempt (dos.rules)
 * 1:23233 <-> DISABLED <-> DOS Microsoft Windows NT DHCP DISCOVER hostname overflow attempt (dos.rules)