Sourcefire VRT Rules Update

Date: 2012-08-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:23789 <-> DISABLED <-> WEB-CLIENT Mozilla Multiple Products table frames memory corruption attempt (web-client.rules)
 * 1:23784 <-> ENABLED <-> WEB-PHP Symantec Web Gateway blocked.php id parameter sql injection attempt (web-php.rules)
 * 1:23782 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Buzus.kych connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23785 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page with specific structure - Math.floor catch (specific-threats.rules)
 * 1:23781 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page (specific-threats.rules)
 * 1:23780 <-> DISABLED <-> BOTNET-CNC Trojan.Begfanit.A outbound communication attempt (botnet-cnc.rules)
 * 1:23779 <-> DISABLED <-> WEB-MISC Apache WebDAV mod_dav nested entity reference DoS attempt (web-misc.rules)
 * 1:23790 <-> DISABLED <-> WEB-CLIENT Mozilla Multiple Products table frames memory corruption attempt (web-client.rules)
 * 1:23783 <-> ENABLED <-> WEB-PHP Symantec Web Gateway pbcontrol.php filename parameter command injection attempt (web-php.rules)
 * 1:23787 <-> DISABLED <-> BOTNET-CNC Trojan.Locotout variant connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23788 <-> DISABLED <-> BOTNET-CNC Trojan.Locotout variant connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23778 <-> ENABLED <-> BOTNET-CNC Trojan.Bublik variant outbound connection (botnet-cnc.rules)
 * 1:23786 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page with specific structure - Math.round catch (specific-threats.rules)

Modified Rules:
 * 1:16541 <-> ENABLED <-> EXPLOIT Microsoft Windows Media Service stack overflow attempt (exploit.rules)
 * 1:17302 <-> DISABLED <-> DOS Linux kernel SCTP Unknown Chunk Types denial of service attempt (dos.rules)
 * 1:17689 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer userdata behavior memory corruption attempt (web-client.rules)
 * 1:23111 <-> DISABLED <-> POLICY-OTHER PHP uri tag injection attempt (policy-other.rules)
 * 1:23443 <-> DISABLED <-> WEB-PHP php-shell failed remote command injection attempt (web-php.rules)
 * 1:23172 <-> DISABLED <-> WEB-CLIENT Microsoft ASP.NET improper comment handling XSS attempt (web-client.rules)
 * 1:23222 <-> ENABLED <-> SPECIFIC-THREATS RedKit Landing Page Received - applet and 5digit jar attempt (specific-threats.rules)
 * 1:23237 <-> DISABLED <-> NETBIOS SMB2 client NetBufferList NULL entry remote code execution attempt (netbios.rules)
 * 1:3590 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP mqqm QMDeleteObject overflow attempt (netbios.rules)
 * 1:23262 <-> ENABLED <-> BOTNET-CNC Trojan.Banker outbound connection attempt (botnet-cnc.rules)
 * 1:23405 <-> DISABLED <-> WEB-PHP PHP-Nuke index.php SQL injection attempt (web-php.rules)
 * 1:23406 <-> DISABLED <-> WEB-PHP PHP-Nuke index.php SQL injection attempt (web-php.rules)