Sourcefire VRT Rules Update

Date: 2012-07-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
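The "Default rule state" column is the state the rule ships with in the pack, so every DISABLED entry below is silent until it is turned on locally. As an added example that is not part of the Sourcefire bulletin, the following Python script parses lines in this format, tallies them by section, default state and rules file, and emits the gid:sid pairs of DISABLED rules in chosen groups so they can be reviewed for enabling. The sample text is constructed from a handful of this update's own entries; the one-pair-per-line output is assumed to match the enablesid.conf format of a rule-management tool such as PulledPork and should be checked against that tool's documentation before use.

```python
import re
from collections import Counter

# Constructed sample in the bulletin's own format (a few entries from this update).
SAMPLE = """\
New Rules:

 * 1:23372 <-> ENABLED <-> WEB-ACTIVEX Teechart Professional ActiveX clsid access (web-activex.rules)
 * 1:23370 <-> DISABLED <-> FILE-OFFICE Microsoft Office Drawing object code execution attempt (file-office.rules)
 * 1:23362 <-> DISABLED <-> WEB-IIS tilde character file name discovery attempt (web-iis.rules)
 * 1:23330 <-> DISABLED <-> SCADA ScadaTec Procyon Core server password overflow attempt (scada.rules)

Modified Rules:

 * 1:23273 <-> ENABLED <-> WEB-CLIENT Oracle Java field bytecode verifier cache code execution attempt (web-client.rules)
 * 1:22094 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SERIES record SerAuxErrBar sdtX memory corruption attempt (file-office.rules)
"""

# One bulletin line: " * gid:sid <-> STATE <-> message (group.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.*?)\s+\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_bulletin(text):
    """Return a list of dicts, one per rule line, tagged with the section heading it appeared under."""
    section = None
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("Rules:"):          # "New Rules:" / "Modified Rules:"
            section = stripped[:-1]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                             # prose, blank lines, format description
        entry = m.groupdict()
        entry["gid"] = int(entry["gid"])
        entry["sid"] = int(entry["sid"])
        entry["section"] = section
        entries.append(entry)
    return entries


def summarize(entries):
    """Count entries per (section, default state) and per rules file."""
    by_state = Counter((e["section"], e["state"]) for e in entries)
    by_group = Counter(e["group"] for e in entries)
    return {"by_state": dict(by_state), "by_group": dict(by_group)}


def pulledpork_enablesid(entries, groups):
    """gid:sid lines for DISABLED rules in the given rules files, sorted numerically.

    Output format (one 'gid:sid' per line) is assumed to match enablesid.conf; verify locally.
    """
    wanted = sorted(
        (e["gid"], e["sid"]) for e in entries
        if e["state"] == "DISABLED" and e["group"] in groups
    )
    return [f"{gid}:{sid}" for gid, sid in wanted]


if __name__ == "__main__":
    rules = parse_bulletin(SAMPLE)
    summary = summarize(rules)
    for (section, state), n in sorted(summary["by_state"].items()):
        print(f"{section:15} {state:9} {n}")
    for group, n in sorted(summary["by_group"].items()):
        print(f"{group:20} {n}")
    print("Candidates for enablesid.conf (file-office, web-iis):")
    print("\n".join(pulledpork_enablesid(rules, {"file-office.rules", "web-iis.rules"})))
```

Run it against the full text of this bulletin to get the complete enabled/disabled breakdown; the DISABLED list for groups that matter to the monitored environment (for example scada.rules or web-iis.rules) is the set to review, since those rules do nothing until enabled.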

New Rules:


 * 1:23372 <-> ENABLED <-> WEB-ACTIVEX Teechart Professional ActiveX clsid access (web-activex.rules)
 * 1:23373 <-> ENABLED <-> WEB-ACTIVEX Teechart Professional ActiveX clsid access (web-activex.rules)
 * 1:23370 <-> DISABLED <-> FILE-OFFICE Microsoft Office Drawing object code execution attempt (file-office.rules)
 * 1:23371 <-> ENABLED <-> WEB-CLIENT Adobe Director file file Shockwave 3D overflow attempt (web-client.rules)
 * 1:23368 <-> DISABLED <-> DOS Tftpd32 DNS server denial of service attempt (dos.rules)
 * 1:23369 <-> ENABLED <-> SPYWARE-PUT Adware.Phono post infection download attempt (spyware-put.rules)
 * 1:23366 <-> DISABLED <-> EXPLOIT Novell Netware XNFS.NLM xdrdecodeString heap buffer overflow attempt (exploit.rules)
 * 1:23367 <-> DISABLED <-> EXPLOIT Novell Netware XNFS.NLM Stat notify heap buffer overflow attempt (exploit.rules)
 * 1:23364 <-> DISABLED <-> EXPLOIT Novell Netware XNFS.NLM xdrdecodeString heap buffer overflow attempt (exploit.rules)
 * 1:23365 <-> DISABLED <-> EXPLOIT Novell Netware XNFS.NLM xdrdecodeString heap buffer overflow attempt (exploit.rules)
 * 1:23362 <-> DISABLED <-> WEB-IIS tilde character file name discovery attempt (web-iis.rules)
 * 1:23363 <-> DISABLED <-> EXPLOIT Novell Netware XNFS.NLM xdrdecodeString heap buffer overflow attempt (exploit.rules)
 * 1:23360 <-> DISABLED <-> WEB-IIS tilde character file name discovery attempt (web-iis.rules)
 * 1:23361 <-> DISABLED <-> WEB-IIS tilde character file name discovery attempt (web-iis.rules)
 * 1:23358 <-> ENABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:23359 <-> DISABLED <-> DOS Multiple Vendors SOAP large array parameter DoS attempt (dos.rules)
 * 1:23356 <-> DISABLED <-> FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt (file-office.rules)
 * 1:23357 <-> ENABLED <-> FILE-OTHER ELF multiple antivirus evasion attempts (file-other.rules)
 * 1:23354 <-> ENABLED <-> WEB-MISC Novell iManager buffer overflow attempt (web-misc.rules)
 * 1:23355 <-> DISABLED <-> EXPLOIT Trend Micro Control Manager AddTask stack buffer overflow attempt (exploit.rules)
 * 1:23352 <-> DISABLED <-> WEB-ACTIVEX Cisco Linksys PlayerPT ActiveX clsid access attempt (web-activex.rules)
 * 1:23353 <-> DISABLED <-> WEB-ACTIVEX Cisco Linksys PlayerPT ActiveX function call access attempt (web-activex.rules)
 * 1:23351 <-> ENABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:23350 <-> DISABLED <-> POLICY potential clickjacking via css pointer-events attempt (policy.rules)
 * 1:23348 <-> ENABLED <-> FILE-IDENTIFY Lotus file attachment detected (file-identify.rules)
 * 1:23349 <-> ENABLED <-> FILE-IDENTIFY Lotus file attachment detected (file-identify.rules)
 * 1:23347 <-> ENABLED <-> FILE-IDENTIFY Lotus file download request (file-identify.rules)
 * 1:23344 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Harvso.A outbound connection attempt (botnet-cnc.rules)
 * 1:23339 <-> DISABLED <-> BACKDOOR Prier.A runtime detection - initial connection attempt (backdoor.rules)
 * 1:23334 <-> DISABLED <-> BOTNET-CNC Trojan.Downloader initial C&C checkin attempt (botnet-cnc.rules)
 * 1:23329 <-> ENABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:23323 <-> ENABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:23317 <-> DISABLED <-> BOTNET-CNC Trojan.Dropper initial outbound connection attempt (botnet-cnc.rules)
 * 1:23320 <-> ENABLED <-> FILE-IDENTIFY TAR file attachment detected (file-identify.rules)
 * 1:23321 <-> ENABLED <-> FILE-IDENTIFY TAR file attachment detected (file-identify.rules)
 * 1:23322 <-> ENABLED <-> FILE-IDENTIFY TAR file download request (file-identify.rules)
 * 1:23324 <-> ENABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:23325 <-> ENABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:23326 <-> ENABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:23327 <-> ENABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:23328 <-> ENABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:23330 <-> DISABLED <-> SCADA ScadaTec Procyon Core server password overflow attempt (scada.rules)
 * 1:23331 <-> DISABLED <-> BOTNET-CNC Trojan.Mybot outbound connection attempt (botnet-cnc.rules)
 * 1:23332 <-> ENABLED <-> BOTNET-CNC Trojan.Win32-Dishigy outbound connection attempt (botnet-cnc.rules)
 * 1:23333 <-> DISABLED <-> BOTNET-CNC Trojan.Banker initial C&C checkin attempt (botnet-cnc.rules)
 * 1:23335 <-> ENABLED <-> BOTNET-CNC Trojan.Swisyn outbound connection attempt (botnet-cnc.rules)
 * 1:23336 <-> DISABLED <-> BACKDOOR Linfo.A runtime detection - initial connection attempt (backdoor.rules)
 * 1:23337 <-> DISABLED <-> BACKDOOR Bluenet.A runtime detection - initial connection attempt (backdoor.rules)
 * 1:23338 <-> DISABLED <-> BACKDOOR Spindest.A runtime detection - initial connection attempt (backdoor.rules)
 * 1:23340 <-> DISABLED <-> SPYWARE-PUT Trojan.Win32.Nitol.B runtime detection (spyware-put.rules)
 * 1:23341 <-> ENABLED <-> BACKDOOR Backdoor.Win32.Tinrot.A runtime detection (backdoor.rules)
 * 1:23342 <-> ENABLED <-> BOTNET-CNC Trojan.Agent initial connection attempt (botnet-cnc.rules)
 * 1:23343 <-> DISABLED <-> BOTNET-CNC Trojan.Agent initial connection attempt (botnet-cnc.rules)
 * 1:23345 <-> DISABLED <-> BOTNET-CNC RunTime Trojan Win32.tchfro.A outbound connection attempt (botnet-cnc.rules)
 * 1:23346 <-> DISABLED <-> FILE-OTHER Oracle outside in Lotus 1-2-3 heap overflow attempt (file-other.rules)
 * 1:23391 <-> ENABLED <-> BACKDOOR Trojan.Win32.Hioles.C runtime detection (backdoor.rules)
 * 1:23390 <-> DISABLED <-> BOTNET-CNC Trojan Java.Arratomref variant outbound connection attempt (botnet-cnc.rules)
 * 1:23389 <-> DISABLED <-> BOTNET-CNC Trojan Java.Arratomref variant outbound connection attempt (botnet-cnc.rules)
 * 1:23388 <-> DISABLED <-> SPYWARE-PUT Trojan.Win32.FakeMSN.I runtime detection (spyware-put.rules)
 * 1:23387 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Banker outbound connection attempt (botnet-cnc.rules)
 * 1:23386 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:23385 <-> DISABLED <-> WEB-MISC Novell Groupwise Messenger parameter memory corruption attempt (web-misc.rules)
 * 1:23384 <-> DISABLED <-> WEB-MISC Novell Groupwise Messenger parameter memory corruption attempt (web-misc.rules)
 * 1:23383 <-> DISABLED <-> BACKDOOR Trojan.Chaori.A runtime detection - initial connection attempt (backdoor.rules)
 * 1:23382 <-> ENABLED <-> BOTNET-CNC Trojan.SpyEye outbound connection attempt (botnet-cnc.rules)
 * 1:23381 <-> DISABLED <-> BACKDOOR Win32.Thoper.C runtime detection (backdoor.rules)
 * 1:23380 <-> DISABLED <-> BOTNET-CNC Trojan.Ventana initial outbound connection attempt (botnet-cnc.rules)
 * 1:23379 <-> DISABLED <-> BOTNET-CNC Trojan.Leepload variant outbound connection attempt (botnet-cnc.rules)
 * 1:23319 <-> ENABLED <-> FILE-IDENTIFY TAR file download request (file-identify.rules)
 * 1:23378 <-> DISABLED <-> SPYWARE-PUT Trojan.Sasfis runtime detection attempt (spyware-put.rules)
 * 1:23318 <-> ENABLED <-> FILE-OTHER ELF multiple antivirus evasion attempts (file-other.rules)
 * 1:23377 <-> DISABLED <-> BOTNET-CNC Trojan.Sasfis runtime detection attempt (botnet-cnc.rules)
 * 1:23376 <-> ENABLED <-> WEB-ACTIVEX Teechart Professional ActiveX clsid access (web-activex.rules)
 * 1:23375 <-> ENABLED <-> WEB-ACTIVEX Teechart Professional ActiveX clsid access (web-activex.rules)
 * 1:23374 <-> ENABLED <-> WEB-ACTIVEX Teechart Professional ActiveX clsid access (web-activex.rules)

Modified Rules:


 * 1:23273 <-> ENABLED <-> WEB-CLIENT Oracle Java field bytecode verifier cache code execution attempt (web-client.rules)
 * 1:23218 <-> ENABLED <-> SPECIFIC-THREATS RedKit Repeated Exploit Request Pattern (specific-threats.rules)
 * 1:23219 <-> ENABLED <-> SPECIFIC-THREATS Redkit Java Exploit request to .class file (specific-threats.rules)
 * 1:22094 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SERIES record SerAuxErrBar sdtX memory corruption attempt (file-office.rules)
 * 1:22103 <-> ENABLED <-> BACKDOOR Win32.Coswid.klk runtime detection (backdoor.rules)
 * 1:21290 <-> DISABLED <-> WEB-CLIENT Microsoft Color Control Panel STI.dll dll-load exploit attempt (web-client.rules)
 * 1:22093 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SERIES record SerAuxTrend sdtX memory corruption attempt (file-office.rules)
 * 1:18809 <-> DISABLED <-> WEB-CLIENT Mozilla EnsureCachedAttrPraramArrays integer overflow attempt (web-client.rules)
 * 1:21289 <-> DISABLED <-> NETBIOS Microsoft Color Control Panel STI.dll dll-load exploit attempt (netbios.rules)
 * 1:17202 <-> ENABLED <-> WEB-CLIENT Adobe Director file file Shockwave 3D overflow attempt (web-client.rules)
 * 1:18201 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:15469 <-> DISABLED <-> FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt (file-office.rules)
 * 1:15534 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer XML HttpRequest race condition exploit attempt (web-client.rules)
 * 1:11257 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt (web-client.rules)
 * 1:12256 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record (file-office.rules)