Sourcefire VRT Rules Update

Date: 2012-10-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:24325 <-> ENABLED <-> EXPLOIT EMC AutoStart ftAgent.exe integer overflow attempt (exploit.rules)
 * 1:24326 <-> ENABLED <-> EXPLOIT EMC AutoStart ftAgent.exe integer overflow attempt (exploit.rules)
 * 1:24331 <-> ENABLED <-> EXPLOIT EMC AutoStart ftAgent.exe integer overflow attempt (exploit.rules)
 * 1:24332 <-> ENABLED <-> EXPLOIT EMC AutoStart ftAgent.exe integer overflow attempt (exploit.rules)
 * 1:24339 <-> DISABLED <-> WEB-MISC Zend Framework Zend_XmlRpc information disclosure attempt (web-misc.rules)
 * 1:24338 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML Style attribute overflow attempt (file-other.rules)
 * 1:24337 <-> DISABLED <-> DOS Novell Remote Manager off-by-one denial of service attempt (dos.rules)
 * 1:24336 <-> DISABLED <-> NETBIOS SMB Microsoft Windows RAP API NetServerEnum2 long comment buffer overflow attempt (netbios.rules)
 * 1:24335 <-> DISABLED <-> WEB-ACTIVEX Citrix Access Gateway plug-in buffer overflow attempt (web-activex.rules)
 * 1:24334 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - IE9 (blacklist.rules)
 * 1:24333 <-> ENABLED <-> EXPLOIT EMC AutoStart ftAgent.exe integer overflow attempt (exploit.rules)
 * 1:24323 <-> DISABLED <-> WEB-ACTIVEX EMC ApplicationXtender Desktop ActiveX function call attempt (web-activex.rules)
 * 1:24320 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)
 * 1:24321 <-> DISABLED <-> EXPLOIT HP StorageWorks File Migration Agent buffer overflow attempt (exploit.rules)
 * 1:24322 <-> DISABLED <-> WEB-ACTIVEX EMC ApplicationXtender Desktop ActiveX function call attempt (web-activex.rules)
 * 1:24315 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)
 * 1:24319 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)
 * 1:24317 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)
 * 1:24318 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)
 * 1:24314 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)
 * 1:24316 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)
 * 1:24307 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Workir variant outbound connection (malware-cnc.rules)
 * 1:24306 <-> DISABLED <-> WEB-MISC HP Operations Dashboard Apache Tomcat default admin account access attempt (web-misc.rules)
 * 1:24308 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Workir variant outbound connection (malware-cnc.rules)
 * 1:24309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader outbound connection (malware-cnc.rules)
 * 1:24310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader outbound connection (malware-cnc.rules)
 * 1:24311 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Downloader download attempt (malware-other.rules)
 * 1:24329 <-> ENABLED <-> EXPLOIT EMC AutoStart ftAgent.exe integer overflow attempt (exploit.rules)
 * 1:24312 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Downloader download attempt (malware-other.rules)
 * 1:24313 <-> ENABLED <-> WEB-MISC HP OpenView Operations Agent request (web-misc.rules)
 * 1:24340 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bredolab initial CNC connection attempt (malware-cnc.rules)
 * 1:24330 <-> ENABLED <-> EXPLOIT EMC AutoStart ftAgent.exe integer overflow attempt (exploit.rules)
 * 1:24328 <-> ENABLED <-> EXPLOIT EMC AutoStart ftAgent.exe integer overflow attempt (exploit.rules)
 * 1:24327 <-> ENABLED <-> EXPLOIT EMC AutoStart ftAgent.exe integer overflow attempt (exploit.rules)
 * 1:24324 <-> ENABLED <-> EXPLOIT EMC AutoStart ftAgent.exe integer overflow attempt (exploit.rules)
 * 1:24341 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spy variant outbound communication (malware-cnc.rules)
 * 1:24342 <-> DISABLED <-> WEB-MISC JBoss web console access attempt (web-misc.rules)
 * 1:24343 <-> DISABLED <-> WEB-MISC JBoss JMXInvokerServlet access attempt (web-misc.rules)
 * 1:24344 <-> ENABLED <-> EXPLOIT-KIT Unknown exploit kit redirection page (exploit-kit.rules)
 * 1:24345 <-> DISABLED <-> MALWARE-CNC WIN.Trojan.Drexonin variant connect to cnc-server attempt (malware-cnc.rules)
 * 1:24346 <-> DISABLED <-> MALWARE-CNC WIN.Trojan.Zbot variant connect to cnc-server attempt (malware-cnc.rules)
 * 1:24348 <-> DISABLED <-> WEB-MISC Apache mod_rpaf x-forwarded-for header denial of service attempt (web-misc.rules)
 * 1:24347 <-> DISABLED <-> MALWARE-CNC WIN.Downloader.Bloropac variant connect to cnc-server attempt (malware-cnc.rules)

Modified Rules:
 * 1:12027 <-> ENABLED <-> SQL Ingres Database uuid_from_char buffer overflow attempt (sql.rules)
 * 1:16686 <-> ENABLED <-> WEB-CLIENT IBM WebSphere application server cross site scripting attempt (web-client.rules)
 * 1:16692 <-> DISABLED <-> FILE-MULTIMEDIA BlazeVideo BlazeDVD PLF playlist file name buffer overflow attempt (file-multimedia.rules)
 * 1:21516 <-> DISABLED <-> WEB-MISC JBoss JMX console access attempt (web-misc.rules)
 * 1:23360 <-> DISABLED <-> WEB-IIS tilde character file name discovery attempt (web-iis.rules)
 * 1:23462 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML Style attribute overflow attempt (file-other.rules)
 * 1:23465 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML Style attribute overflow attempt (file-other.rules)
 * 1:23958 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)
 * 1:23959 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)
 * 1:23960 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)
 * 1:23961 <-> ENABLED <-> WEB-MISC HP Operations Agent stack buffer overflow attempt (web-misc.rules)
 * 1:23963 <-> DISABLED <-> MALWARE-CNC Win32.Runagry variant outbound connection (malware-cnc.rules)
 * 1:23968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Crisis outbound connection (malware-cnc.rules)
 * 1:24082 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banbra runtime detection (malware-cnc.rules)
 * 1:24092 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clisbot outbound connection attempt (malware-cnc.rules)
 * 1:24128 <-> DISABLED <-> WEB-MISC Microsoft SCCM ReportChart xss attempt (web-misc.rules)
 * 1:24191 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raven variant connect to cnc-server attempt (malware-cnc.rules)
 * 1:24215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection attempt (malware-cnc.rules)
 * 1:24216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Biloky variant outbound connection attempt (malware-cnc.rules)
 * 1:24217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spy variant outbound connection attempt (malware-cnc.rules)
 * 1:24232 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit outbound connection (exploit-kit.rules)
 * 1:24234 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit outbound connection (exploit-kit.rules)
 * 1:24253 <-> DISABLED <-> INDICATOR-COMPROMISE IP only webpage redirect attempt (indicator-compromise.rules)
 * 1:24254 <-> DISABLED <-> INDICATOR-COMPROMISE IP only webpage redirect attempt (indicator-compromise.rules)
 * 1:24271 <-> DISABLED <-> MALWARE-CNC Win.Spy.Bancos variant outbound connection (malware-cnc.rules)
 * 1:24285 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nomno variant outbound connection attempt (malware-cnc.rules)
 * 1:24287 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection attempt (malware-cnc.rules)
 * 1:24288 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Flexty outbound connection attempt (malware-cnc.rules)
 * 3:15449 <-> ENABLED <-> BAD-TRAFFIC Conficker A/B DNS traffic detected (bad-traffic.rules)
 * 3:15450 <-> ENABLED <-> BAD-TRAFFIC Conficker C/D DNS traffic detected (bad-traffic.rules)
 * 3:16728 <-> ENABLED <-> NETBIOS Samba SMB1 chain_reply function memory corruption attempt (netbios.rules)
 * 3:7196 <-> ENABLED <-> EXPLOIT Microsoft DHCP option overflow attempt (exploit.rules)