Sourcefire VRT Rules Update

Date: 2012-07-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.3.

The format of each entry is:

gid:sid <-> Default rule state <-> Message (rule group)

The default rule state is the state the rule ships with in the pack: ENABLED rules are active in the default policy, while DISABLED rules are shipped commented out and must be enabled locally (for example through a rule manager's enablesid list) before they will fire.
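Added example, not part of the VRT notice: a small parser for the entry format above. It turns the listing into structured records so a sensor operator can see which newly added rules are disabled by default and in which rule files, and emit them in the gid:sid form that PulledPork's enablesid.conf accepts (that syntax, and the function names, are assumptions of this example). The sample input is constructed from a few lines of this notice plus one non-entry line to show that unrelated text is skipped.

```python
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed sample: four entries copied from this update notice plus one
# line that is not an entry (headings and blank lines look like this to the parser).
SAMPLE = """\
 * 1:23490 <-> DISABLED <-> WEB-CLIENT Java MixerSequencer RMF MIDI structure handling exploit attempt (web-client.rules)
 * 1:23493 <-> ENABLED <-> BOTNET-CNC Trojan.ZeroAccess outbound communication (botnet-cnc.rules)
 * 1:23496 <-> ENABLED <-> FILE-IDENTIFY CUR file download request (file-identify.rules)
 * 3:13582 <-> ENABLED <-> WEB-CLIENT Microsoft Excel sst record arbitrary code execution attempt (web-client.rules)
 * this line is not a rule entry
"""

# gid:sid <-> STATE <-> message (rule-file.rules)
ENTRY_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<rule_file>[\w.-]+\.rules)\)\s*$"
)


class RuleEntry(NamedTuple):
    gid: int
    sid: int
    enabled: bool
    category: str   # leading token of the message, e.g. FILE-PDF or BOTNET-CNC
    message: str
    rule_file: str


def parse_entries(text: str) -> List[RuleEntry]:
    """Parse every well-formed entry line; silently skip anything else."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        entries.append(RuleEntry(
            gid=int(m.group("gid")),
            sid=int(m.group("sid")),
            enabled=(m.group("state") == "ENABLED"),
            category=msg.split(" ", 1)[0],
            message=msg,
            rule_file=m.group("rule_file"),
        ))
    return entries


def disabled_by_default(entries: List[RuleEntry]) -> List[RuleEntry]:
    """Rules that ship commented out and need a local decision to enable."""
    return [e for e in entries if not e.enabled]


def counts_by_file(entries: List[RuleEntry]) -> Counter:
    """How many entries touch each rule file, useful for sizing a review."""
    return Counter(e.rule_file for e in entries)


def enablesid_lines(entries: List[RuleEntry]) -> List[str]:
    """gid:sid lines for the disabled rules, in the form PulledPork's
    enablesid.conf reads (assumed here; check your rule manager's syntax)."""
    return [f"{e.gid}:{e.sid}" for e in disabled_by_default(entries)]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in parsed:
        print(f"{e.gid}:{e.sid:<6} {'on ' if e.enabled else 'off'} {e.category:<14} {e.rule_file}")
    print("per file:", dict(counts_by_file(parsed)))
    print("enablesid.conf candidates:", enablesid_lines(parsed))
```

Running it against the full "New Rules" list of this notice gives a quick picture of how much of the pack is dark by default in a given policy; the disabled FILE-* and WEB-CLIENT entries are the ones worth reviewing first on sensors that see client-side traffic.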

New Rules:
 * 1:23490 <-> DISABLED <-> WEB-CLIENT Java MixerSequencer RMF MIDI structure handling exploit attempt (web-client.rules)
 * 1:23493 <-> ENABLED <-> BOTNET-CNC Trojan.ZeroAccess outbound communication (botnet-cnc.rules)
 * 1:23491 <-> DISABLED <-> BOTNET-CNC Trojan.Kura connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23492 <-> ENABLED <-> BOTNET-CNC Trojan.ZeroAccess outbound communication (botnet-cnc.rules)
 * 1:23494 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Onitab.A outbound connection attempt (botnet-cnc.rules)
 * 1:23495 <-> DISABLED <-> BACKDOOR Trojan.Kugdifod.A outbound connection attempt (backdoor.rules)
 * 1:23496 <-> ENABLED <-> FILE-IDENTIFY CUR file download request (file-identify.rules)
 * 1:23497 <-> ENABLED <-> FILE-IDENTIFY CUR file attachment detected (file-identify.rules)
 * 1:23498 <-> ENABLED <-> FILE-IDENTIFY CUR file attachment detected (file-identify.rules)
 * 1:23499 <-> DISABLED <-> WEB-CLIENT Microsoft Windows CUR file parsing overflow attempt (web-client.rules)
 * 1:23500 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader spell.customDictionaryOpen exploit attempt (file-pdf.rules)
 * 1:23501 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader javascript getIcon method buffer overflow attempt (file-pdf.rules)
 * 1:23556 <-> DISABLED <-> FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt (file-office.rules)
 * 1:23557 <-> DISABLED <-> FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt (file-office.rules)
 * 1:23553 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt (file-office.rules)
 * 1:23555 <-> ENABLED <-> FILE-OFFICE Microsoft HtmlDlgHelper ActiveX clsid access (file-office.rules)
 * 1:23552 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt (file-office.rules)
 * 1:23551 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt (file-office.rules)
 * 1:23548 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
 * 1:23550 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt (file-office.rules)
 * 1:23547 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro and linkFmla (file-office.rules)
 * 1:23545 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro (file-office.rules)
 * 1:23546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with linkFmla (file-office.rules)
 * 1:23543 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel file SxView record exploit attempt (file-office.rules)
 * 1:23541 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel GDI+ Office Art Property Table remote code execution attempt (file-office.rules)
 * 1:23542 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel integer field in row record improper validation remote code execution attempt (file-office.rules)
 * 1:23538 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint 95 converter CString in ExEmbed container buffer overflow attempt (file-office.rules)
 * 1:23540 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word GDI+ Office Art Property Table remote code execution attempt (file-office.rules)
 * 1:23537 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint HashCode10Atom memory corruption attempt (file-office.rules)
 * 1:23535 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint Download of version 4.0 file (file-office.rules)
 * 1:23536 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint CurrentUserAtom remote code execution attempt (file-office.rules)
 * 1:23533 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record (file-office.rules)
 * 1:23531 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record (file-office.rules)
 * 1:23532 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record (file-office.rules)
 * 1:23530 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:23528 <-> DISABLED <-> FILE-OFFICE Microsoft Office PICT graphics converter memory corruption attempt (file-office.rules)
 * 1:23526 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
 * 1:23527 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
 * 1:23523 <-> ENABLED <-> FILE-PDF Adobe Reader malformed TIFF remote code execution attempt (file-pdf.rules)
 * 1:23525 <-> DISABLED <-> FILE-OFFICE Microsoft Office BMP header biClrUsed integer overflow attempt (file-office.rules)
 * 1:23522 <-> DISABLED <-> FILE-PDF Adobe Reader and Acrobat malicious TIFF remote code execution attempt (file-pdf.rules)
 * 1:23520 <-> DISABLED <-> FILE-PDF Possible unknown malicious PDF (file-pdf.rules)
 * 1:23521 <-> ENABLED <-> FILE-PDF Possible unknown malicious PDF (file-pdf.rules)
 * 1:23518 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt (file-pdf.rules)
 * 1:23517 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt (file-pdf.rules)
 * 1:23514 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:23515 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:23513 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:23511 <-> ENABLED <-> FILE-PDF Adobe Reader and Acrobat authplay.dll vulnerability exploit attempt (file-pdf.rules)
 * 1:23512 <-> ENABLED <-> FILE-PDF Adobe flash player newfunction memory corruption attempt (file-pdf.rules)
 * 1:23509 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader malformed Richmedia annotation exploit attempt (file-pdf.rules)
 * 1:23510 <-> ENABLED <-> FILE-PDF Adobe PDF File containing Flash use-after-free attack attempt (file-pdf.rules)
 * 1:23488 <-> ENABLED <-> FILE-IDENTIFY JOB file attachment detected (file-identify.rules)
 * 1:23508 <-> DISABLED <-> FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt (file-pdf.rules)
 * 1:23486 <-> ENABLED <-> FILE-IDENTIFY JOB file download request (file-identify.rules)
 * 1:23487 <-> ENABLED <-> FILE-IDENTIFY JOB file attachment detected (file-identify.rules)
 * 1:23484 <-> DISABLED <-> POLICY Wordpress Invit0r plugin non-image file upload attempt (policy.rules)
 * 1:23485 <-> ENABLED <-> WEB-PHP Wordpress Invit0r plugin php upload attempt (web-php.rules)
 * 1:23483 <-> DISABLED <-> BOTNET-CNC Backdoor.Georbot file download attempt (botnet-cnc.rules)
 * 1:23502 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt (file-pdf.rules)
 * 1:23503 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt (file-pdf.rules)
 * 1:23504 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader getAnnots exploit attempt (file-pdf.rules)
 * 1:23505 <-> DISABLED <-> FILE-PDF Adobe Reader compressed media.newPlayer memory corruption attempt (file-pdf.rules)
 * 1:23506 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader media.newPlayer memory corruption attempt (file-pdf.rules)
 * 1:23507 <-> ENABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
 * 1:23489 <-> DISABLED <-> FILE-OTHER Microsoft Windows Task Scheduler buffer overflow attempt (file-other.rules)
 * 1:23516 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:23519 <-> ENABLED <-> FILE-PDF Possible malicious pdf cve-2010-0188 string (file-pdf.rules)
 * 1:23524 <-> ENABLED <-> FILE-PDF Adobe Reader malformed TIFF remote code execution attempt (file-pdf.rules)
 * 1:23529 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:23534 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint paragraph format array inner header overflow attempt (file-office.rules)
 * 1:23539 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint Legacy file format picture object code execution attempt (file-office.rules)
 * 1:23544 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt (file-office.rules)
 * 1:23549 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
 * 1:23554 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt (file-office.rules)
 * 1:23558 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel pivot item index boundary corruption attempt (file-office.rules)
 * 1:23559 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel pivot item index boundary corruption attempt (file-office.rules)
 * 1:23560 <-> ENABLED <-> FILE-OTHER Java Zip file directory record overflow attempt (file-other.rules)
 * 1:23561 <-> DISABLED <-> FILE-OTHER Microsoft Kodak Imaging large offset malformed tiff - big-endian (file-other.rules)
 * 1:23562 <-> DISABLED <-> FILE-OTHER Microsoft MHTML XSS attempt (file-other.rules)
 * 1:23563 <-> DISABLED <-> FILE-OTHER Microsoft Windows MHTML XSS attempt (file-other.rules)
 * 1:23564 <-> DISABLED <-> FILE-OTHER Adobe Illustrator DSC comment overflow attempt (file-other.rules)
 * 1:23565 <-> DISABLED <-> FILE-OTHER Microsoft Windows AVI DirectShow QuickTime parsing overflow attempt (file-other.rules)
 * 1:23592 <-> ENABLED <-> FILE-OTHER Adobe flash player newfunction memory corruption exploit attempt (file-other.rules)
 * 1:23591 <-> DISABLED <-> FILE-OTHER Adobe flash player newfunction memory corruption attempt (file-other.rules)
 * 1:23590 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-other.rules)
 * 1:23589 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-other.rules)
 * 1:23588 <-> DISABLED <-> FILE-OTHER Apple iTunes Extended M3U playlist record overflow attempt (file-other.rules)
 * 1:23587 <-> DISABLED <-> FILE-OTHER Apple iTunes Extended M3U playlist record overflow attempt (file-other.rules)
 * 1:23586 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML Style attribute overflow attempt (file-other.rules)
 * 1:23585 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:23584 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML sampleData attribute overflow attempt (file-other.rules)
 * 1:23583 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML Style attribute overflow attempt (file-other.rules)
 * 1:23582 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML Transform attribute overflow attempt (file-other.rules)
 * 1:23581 <-> DISABLED <-> FILE-OTHER Apple Quicktime MPEG stream padding buffer overflow attempt (file-other.rules)
 * 1:23580 <-> DISABLED <-> FILE-OTHER Novell Groupwise Addressbook buffer overflow attempt (file-other.rules)
 * 1:23579 <-> ENABLED <-> FILE-OTHER Adobe Flash use-after-free attack attempt (file-other.rules)
 * 1:23578 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed ASF voice codec memory corruption attempt (file-other.rules)
 * 1:23577 <-> DISABLED <-> FILE-OTHER VLC mms hostname buffer overflow attempt (file-other.rules)
 * 1:23576 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media encryption sample ID header RCE attempt (file-other.rules)
 * 1:23575 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media encryption sample ID header RCE attempt (file-other.rules)
 * 1:23574 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media pixel aspect ratio header RCE attempt (file-other.rules)
 * 1:23573 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media content type header RCE attempt (file-other.rules)
 * 1:23572 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media file name header RCE attempt (file-other.rules)
 * 1:23571 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media Timecode header RCE attempt (file-other.rules)
 * 1:23568 <-> ENABLED <-> FILE-OTHER Microsoft Windows AVIFile media file processing memory corruption attempt (file-other.rules)
 * 1:23569 <-> ENABLED <-> FILE-OTHER Microsoft Windows AVIFile truncated media file processing memory corruption attempt (file-other.rules)
 * 1:23570 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media sample duration header RCE attempt (file-other.rules)
 * 1:23567 <-> DISABLED <-> FILE-OTHER Microsoft Windows AVI Header insufficient data corruption attempt (file-other.rules)
 * 1:23566 <-> ENABLED <-> FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table overflow attempt (file-other.rules)

Modified Rules:
 * 1:14989 <-> DISABLED <-> WEB-MISC Novell eDirectory SOAP Accept Language header overflow attempt (web-misc.rules)
 * 1:14990 <-> DISABLED <-> WEB-MISC Novell eDirectory SOAP Accept Charset header overflow attempt (web-misc.rules)
 * 1:15154 <-> ENABLED <-> CHAT Jive Software Openfire Jabber Server gif Authentication bypass attempt (chat.rules)
 * 1:2417 <-> DISABLED <-> FTP format string attempt (ftp.rules)
 * 1:23446 <-> DISABLED <-> BOTNET-CNC Trojan.Sojax.A runtime detection attempt (botnet-cnc.rules)
 * 1:23442 <-> DISABLED <-> WEB-PHP php-shell remote command injection attempt (web-php.rules)
 * 1:23443 <-> DISABLED <-> WEB-PHP php-shell failed remote command injection attempt (web-php.rules)
 * 1:23440 <-> DISABLED <-> WEB-PHP php-shell remote command shell upload attempt (web-php.rules)
 * 1:23441 <-> DISABLED <-> WEB-PHP php-shell remote command shell upload attempt (web-php.rules)
 * 1:23439 <-> DISABLED <-> WEB-PHP php-shell remote command shell upload attempt (web-php.rules)
 * 1:23438 <-> DISABLED <-> WEB-PHP php-shell remote command shell initialization attempt (web-php.rules)
 * 1:23436 <-> DISABLED <-> EXPLOIT Microsoft Windows DirectX IDirectPlay4 denial of service attempt (exploit.rules)
 * 1:23437 <-> DISABLED <-> EXPLOIT Microsoft Windows DirectX IDirectPlay4 denial of service attempt (exploit.rules)
 * 1:23388 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.FakeMSN.I runtime detection (botnet-cnc.rules)
 * 1:23340 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Nitol.B runtime detection (botnet-cnc.rules)
 * 1:23378 <-> DISABLED <-> BOTNET-CNC Trojan.Sasfis runtime detection attempt (botnet-cnc.rules)
 * 1:23255 <-> DISABLED <-> BOTNET-CNC Trojan.Duojeen runtime detection attempt (botnet-cnc.rules)
 * 1:23230 <-> DISABLED <-> DOS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (dos.rules)
 * 1:23244 <-> ENABLED <-> BOTNET-CNC Trojan.Kuluoz variant outbound connection attempt (botnet-cnc.rules)
 * 1:21610 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Refroso.azyg runtime detection (botnet-cnc.rules)
 * 1:2179 <-> DISABLED <-> FTP PASS format string attempt (ftp.rules)
 * 1:20057 <-> DISABLED <-> BOTNET-CNC BitCoin Miner IP query (botnet-cnc.rules)
 * 1:19408 <-> ENABLED <-> SPECIFIC-THREATS Adobe flash player newfunction memory corruption exploit attempt (specific-threats.rules)
 * 1:19552 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel format record code execution attempt (file-office.rules)
 * 1:19180 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel pivot item index boundary corruption attempt (file-office.rules)
 * 1:18768 <-> ENABLED <-> SMTP Novell GroupWise internet agent RRULE parsing buffer overflow attempt (smtp.rules)
 * 1:18997 <-> DISABLED <-> DOS Linux kernel sctp_rcv_ootb invalid chunk length DoS attempt (dos.rules)
 * 1:17134 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel pivot item index boundary corruption attempt (file-office.rules)
 * 1:16634 <-> ENABLED <-> WEB-CLIENT Adobe Flash use-after-free attack attempt (web-client.rules)
 * 1:15517 <-> DISABLED <-> WEB-CLIENT Microsoft Windows AVI DirectShow QuickTime parsing overflow attempt (web-client.rules)
 * 1:16157 <-> ENABLED <-> WEB-CLIENT Microsoft Windows malformed ASF voice codec memory corruption attempt (web-client.rules)
 * 1:15155 <-> ENABLED <-> CHAT Jive Software Openfire Jabber Server png Authentication bypass attempt (chat.rules)
 * 1:15446 <-> DISABLED <-> WEB-MISC Novell eDirectory management console Accept-Language buffer overflow attempt (web-misc.rules)
 * 3:13582 <-> ENABLED <-> WEB-CLIENT Microsoft Excel sst record arbitrary code execution attempt (web-client.rules)