Sourcefire VRT Rules Update

Date: 2012-08-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
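Each entry below, then, is a Snort rule identifier (generator ID and signature ID), its default state in the shipped rule pack, the rule message, and the rules file it lives in. The following Python is an added example written for this page, not Sourcefire's own code: it parses lines in this format, splits them by the "New Rules:" / "Modified Rules:" headings, and emits the DISABLED rule IDs for chosen rule groups as one `gid:sid` per line, the shape a PulledPork-style `enablesid.conf` accepts (the tooling on the receiving end is an assumption). The sample text is a handful of lines copied from the listing that follows.

```python
import re
from collections import defaultdict

# One listing line: " * gid:sid <-> ENABLED|DISABLED <-> message (file.rules)".
# The message is matched non-greedily so the trailing "(xxx.rules)" is the group.
LINE_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)

# Constructed sample: a few lines copied from the announcement below.
SAMPLE = """New Rules:

 * 1:23955 <-> DISABLED <-> BOTNET-CNC Xhuna.A runtime detection - initial contact (botnet-cnc.rules)
 * 1:23965 <-> DISABLED <-> SCADA BroadWin WebAccess Client arbitrary memory corruption attempt (scada.rules)
 * 1:23964 <-> DISABLED <-> SCADA BroadWin WebAccess Client format string exploit attempt (scada.rules)
 * 1:23961 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)

Modified Rules:

 * 1:20582 <-> DISABLED <-> SCADA BroadWin WebAccess Client arbitrary memory corruption attempt (scada.rules)
 * 1:2508 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt (netbios.rules)
"""


def parse_rule_line(line):
    """Return a dict for one rule line, or None if the line is not a rule entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "gid": int(m["gid"]),
        "sid": int(m["sid"]),
        "state": m["state"],
        "msg": m["msg"],
        "group": m["group"],
    }


def parse_update(text):
    """Parse a whole announcement into {section name: [rule dicts]}.

    Section names are taken from lines ending in "Rules:" (e.g. "New Rules").
    Rule lines seen before any heading are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Rules:"):
            current = line[:-1]
            sections.setdefault(current, [])
            continue
        rec = parse_rule_line(line)
        if rec is not None and current is not None:
            sections[current].append(rec)
    return sections


def disabled_sids(rules, groups=None):
    """Sorted (gid, sid) pairs that ship DISABLED, optionally limited to rule files."""
    return sorted(
        (r["gid"], r["sid"])
        for r in rules
        if r["state"] == "DISABLED" and (groups is None or r["group"] in groups)
    )


def enablesid_conf(rules, groups):
    """One 'gid:sid' per line for DISABLED rules in the given rule files.

    This is the entry form a PulledPork-style enablesid.conf accepts (assumed
    tooling); review each rule before enabling it, since DISABLED often means
    'noisy' or 'performance-heavy' rather than 'irrelevant'.
    """
    return "\n".join(f"{g}:{s}" for g, s in disabled_sids(rules, groups))


def count_by_group(rules):
    """Per rule file, how many entries ship ENABLED vs DISABLED."""
    counts = defaultdict(lambda: {"ENABLED": 0, "DISABLED": 0})
    for r in rules:
        counts[r["group"]][r["state"]] += 1
    return dict(counts)


if __name__ == "__main__":
    sections = parse_update(SAMPLE)
    for name, rules in sections.items():
        print(name, count_by_group(rules))
    print(enablesid_conf(sections["New Rules"], {"scada.rules"}))
```

Run against the full announcement rather than the sample to see, per rules file, how much of this update is off by default; the SCADA and file-format rules here all ship DISABLED, so a site that runs BroadWin WebAccess or handles Visio DXF files gets no coverage from this pack until it turns them on.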

New Rules:

 * 1:23955 <-> DISABLED <-> BOTNET-CNC Xhuna.A runtime detection - initial contact (botnet-cnc.rules)
 * 1:23966 <-> DISABLED <-> VOIP-SIP-UDP Asterisk invite malformed SDP denial of service attempt (voip.rules)
 * 1:23968 <-> ENABLED <-> BOTNET-CNC WIN.Trojan.Crisis outbound connection attempt (botnet-cnc.rules)
 * 1:23969 <-> ENABLED <-> SPYWARE-PUT Android SMSZombie APK file download (spyware-put.rules)
 * 1:23965 <-> DISABLED <-> SCADA BroadWin WebAccess Client arbitrary memory corruption attempt (scada.rules)
 * 1:23967 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash OpenType font memory corruption attempt - compressed (specific-threats.rules)
 * 1:23964 <-> DISABLED <-> SCADA BroadWin WebAccess Client format string exploit attempt (scada.rules)
 * 1:23961 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)
 * 1:23962 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page with specific structure - fewbgazr catch (specific-threats.rules)
 * 1:23963 <-> DISABLED <-> BOTNET-CNC BACKDOOR.WIN32.RUNAGRY.ABT connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23956 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio DXF file text overflow attempt (file-office.rules)
 * 1:23960 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)
 * 1:23958 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)
 * 1:23959 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)
 * 1:23957 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio DXF file text overflow attempt (file-office.rules)
 * 1:23954 <-> ENABLED <-> SPYWARE-PUT Android SMSZombie APK file download (spyware-put.rules)

Modified Rules:

 * 1:23861 <-> DISABLED <-> WEB-CLIENT heapspray characters detected - binary (web-client.rules)
 * 1:10050 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 ASDBLoginToComputer overflow attempt (netbios.rules)
 * 1:10117 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc GetGCBHandleFromGroupName overflow attempt (netbios.rules)
 * 1:23858 <-> DISABLED <-> SMTP heapspray characters detected - binary (smtp.rules)
 * 1:23946 <-> ENABLED <-> BOTNET-CNC Trojan.Backdoor file download attempt (botnet-cnc.rules)
 * 1:12922 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 attempt (netbios.rules)
 * 1:4755 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (netbios.rules)
 * 1:4826 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetRootDeviceInstance attempt (netbios.rules)
 * 1:4918 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList dos attempt (netbios.rules)
 * 1:5485 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP llsrpc2 LlsrLicenseRequestW overflow attempt (netbios.rules)
 * 1:6419 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP msdtc BuildContextW invalid uuid size attempt (netbios.rules)
 * 1:6420 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP msdtc BuildContextW invalid uuid size attempt (netbios.rules)
 * 1:6584 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP rras RasRpcSubmitRequest overflow attempt (netbios.rules)
 * 1:6714 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences phonebook mode overflow attempt (netbios.rules)
 * 1:9441 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor QSIGetQueuePath overflow attempt (netbios.rules)
 * 1:9769 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP msqueue function 4 overflow attempt (netbios.rules)
 * 1:16239 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP llsrpc2 LlsrLicenseRequestW overflow attempt (netbios.rules)
 * 1:15702 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor opcode 0x13 overflow attempt (netbios.rules)
 * 1:16167 <-> DISABLED <-> DOS Microsoft LSASS integer wrap denial of service attempt (dos.rules)
 * 1:16238 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP llsrpc2 LlsrLicenseRequestW overflow attempt (netbios.rules)
 * 1:14725 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP mqqm QMGetRemoteQueueName overflow attempt (netbios.rules)
 * 1:14988 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum overflow attempt (netbios.rules)
 * 1:15508 <-> DISABLED <-> SPECIFIC-THREATS DCERPC NCADG-IP-UDP lsarpc LsarLookupSids translated_names overflow attempt (specific-threats.rules)
 * 1:14710 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumJobs attempt (netbios.rules)
 * 1:14900 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum overflow attempt (netbios.rules)
 * 1:12978 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP mqqm QMCreateObjectInternal overflow attempt (netbios.rules)
 * 1:13210 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP mqqm QMObjectPathToObjectFormat overflow attempt (netbios.rules)
 * 1:13211 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP mqqm QMObjectPathToObjectFormat overflow attempt (netbios.rules)
 * 1:12916 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 attempt (netbios.rules)
 * 1:12934 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 attempt (netbios.rules)
 * 1:12977 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP mqqm QMCreateObjectInternal overflow attempt (netbios.rules)
 * 1:12928 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 attempt (netbios.rules)
 * 1:12910 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 attempt (netbios.rules)
 * 1:11443 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP lsarpc LsarAddPrivilegesToAccount overflow attempt (netbios.rules)
 * 1:12100 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP ca-alert function 16,23 overflow attempt (netbios.rules)
 * 1:12808 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss OpenPrinter overflow attempt (netbios.rules)
 * 1:11442 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarAddPrivilegesToAccount overflow attempt (netbios.rules)
 * 1:10030 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor QSIGetQueuePath_Function_45 overflow attempt (netbios.rules)
 * 1:13162 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters overflow attempt (netbios.rules)
 * 1:14726 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP mqqm QMGetRemoteQueueName overflow attempt (netbios.rules)
 * 1:2936 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP nddeapi NDdeSetTrustedShareW overflow attempt (netbios.rules)
 * 1:4754 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP locator nsi_binding_lookup_begin overflow attempt (netbios.rules)
 * 1:15881 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters Name Field attempt (netbios.rules)
 * 1:3409 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (netbios.rules)
 * 1:20582 <-> DISABLED <-> SCADA BroadWin WebAccess Client arbitrary memory corruption attempt (scada.rules)
 * 1:23842 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio DXF file text overflow attempt (file-office.rules)
 * 1:20061 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP ca-alert function 16,23,40, and 41 overflow attempt (netbios.rules)
 * 1:20581 <-> DISABLED <-> SCADA BroadWin WebAccess Client format string exploit attempt (scada.rules)
 * 1:17652 <-> DISABLED <-> WEB-MISC Microsoft Windows IIS source code disclosure attempt (web-misc.rules)
 * 1:17702 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrDfsCreateExitPoint dos attempt (netbios.rules)
 * 1:17640 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor opnum 43 overflow attempt (netbios.rules)
 * 1:3218 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP winreg OpenKey overflow attempt (netbios.rules)
 * 1:10285 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP svcctl ChangeServiceConfig2A attempt (netbios.rules)
 * 1:16737 <-> DISABLED <-> SPECIFIC-THREATS Xenorate Media Player XPL file handling overflow attempt - 1 (specific-threats.rules)
 * 1:17151 <-> DISABLED <-> NETBIOS SMB negotiate protocol request - ascii strings (netbios.rules)
 * 1:17152 <-> DISABLED <-> DOS Samba smbd flags2 header parsing denial of service attempt (dos.rules)
 * 1:17321 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters name overflow attempt (netbios.rules)
 * 1:3171 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 4 overflow attempt (netbios.rules)
 * 1:23843 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio DXF file text overflow attempt (file-office.rules)
 * 1:23853 <-> ENABLED <-> FILE-OTHER Adobe Flash OpenType font memory corruption attempt (file-other.rules)
 * 1:10036 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor ASRemotePFC overflow attempt (netbios.rules)
 * 1:9773 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (netbios.rules)
 * 1:9806 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc GetGroupStatus overflow attempt (netbios.rules)
 * 1:2511 <-> ENABLED <-> NETBIOS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (netbios.rules)
 * 1:2508 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt (netbios.rules)
 * 1:23945 <-> ENABLED <-> BOTNET-CNC Trojan.Backdoor outbound connection attempt (botnet-cnc.rules)
 * 1:3114 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP llsrpc LlsrConnect overflow attempt (netbios.rules)
 * 1:9772 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP msqueue function 1 overflow attempt (netbios.rules)
 * 1:23854 <-> ENABLED <-> FILE-OTHER Adobe Flash OpenType font memory corruption attempt (file-other.rules)