Sourcefire VRT Rules Update

Date: 2013-02-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:25770 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt (browser-ie.rules)
 * 1:25774 <-> DISABLED <-> OS-WINDOWS TCP FIN handshake resource exhaustion attempt (os-windows.rules)
 * 1:25775 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:25776 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos use after free memory corruption attempt (browser-ie.rules)
 * 1:25777 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos use after free memory corruption attempt (browser-ie.rules)
 * 1:25778 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG use after free attempt (browser-ie.rules)
 * 1:25779 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt (file-executable.rules)
 * 1:25780 <-> ENABLED <-> SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt (server-other.rules)
 * 1:25781 <-> DISABLED <-> DELETED SERVER-OTHER MiniUPnPd ExecuteSoapAction null pointer dereference attempt (deleted.rules)
 * 1:25782 <-> DISABLED <-> MALWARE-OTHER WIN.Trojan.Nap Malicious executable file download from webroot (malware-other.rules)
 * 1:25783 <-> ENABLED <-> INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation (indicator-obfuscation.rules)
 * 1:25784 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt (browser-ie.rules)
 * 1:25785 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt (browser-ie.rules)
 * 1:25786 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt (browser-ie.rules)
 * 1:25787 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt (browser-ie.rules)
 * 1:25788 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe use after free attempt (browser-ie.rules)
 * 1:25789 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe use after free attempt (browser-ie.rules)
 * 1:25790 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer compatibility mode invalid memory access attempt (browser-ie.rules)
 * 1:25791 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer compatibility mode invalid memory access attempt (browser-ie.rules)
 * 1:25792 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer SVG object user after free attempt (browser-ie.rules)
 * 1:25793 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer invalid Shift_JIS character xss attempt (browser-ie.rules)
 * 1:25794 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer invalid Shift_JIS character xss attempt (browser-ie.rules)
 * 1:25795 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows DirectShow MPEG heap overflow attempt (file-multimedia.rules)
 * 1:25796 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft Windows DirectShow MPEG heap overflow attempt (file-multimedia.rules)
 * 1:25797 <-> ENABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF memory corruption attempt (file-multimedia.rules)
 * 1:25798 <-> DISABLED <-> EXPLOIT-KIT Multiple Exploit Kit 32-alpha jar request (exploit-kit.rules)
 * 1:25799 <-> DISABLED <-> EXPLOIT-KIT Stamp Exploit Kit pdf request (exploit-kit.rules)
 * 1:25800 <-> DISABLED <-> EXPLOIT-KIT Stamp Exploit Kit Javascript request (exploit-kit.rules)
 * 1:25801 <-> DISABLED <-> EXPLOIT-KIT Stamp Exploit Kit jar file request (exploit-kit.rules)
 * 1:25802 <-> DISABLED <-> EXPLOIT-KIT Stamp Exploit Kit encoded portable executable request (exploit-kit.rules)
 * 1:25803 <-> DISABLED <-> EXPLOIT-KIT Stamp Exploit kit jar file dropped (exploit-kit.rules)
 * 1:25804 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit initial redirection successful (exploit-kit.rules)
 * 1:25805 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit Java exploit retrieval (exploit-kit.rules)
 * 1:25806 <-> ENABLED <-> EXPLOIT-KIT Whitehole Exploit Kit landing page (exploit-kit.rules)
 * 1:25766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:25771 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer custom cursor file use after free attempt (browser-ie.rules)
 * 1:25768 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word unchecked index value remote code execution attempt (file-office.rules)
 * 1:25772 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:25769 <-> ENABLED <-> BROWSER-IE CHTMLEditor object use after free attempt (browser-ie.rules)
 * 1:25773 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML shape object malformed path attempt (browser-ie.rules)
 * 1:25767 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader JPX malformed code-block width attempt (file-pdf.rules)

Modified Rules:


 * 1:17114 <-> DISABLED <-> OS-WINDOWS Microsoft SilverLight ImageSource remote code execution attempt (os-windows.rules)
 * 1:17730 <-> ENABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)
 * 1:17572 <-> ENABLED <-> OS-WINDOWS Microsoft XML Core Services cross-site information disclosure attempt (os-windows.rules)
 * 1:24356 <-> ENABLED <-> SERVER-MSSQL Microsoft SQL Server Reporting Services cross site scripting attempt (server-mssql.rules)
 * 1:9433 <-> DISABLED <-> OS-WINDOWS Microsoft Agent buffer overflow attempt (os-windows.rules)
 * 1:5800 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - MyWay (blacklist.rules)
 * 1:9432 <-> DISABLED <-> OS-WINDOWS Microsoft Agent buffer overflow attempt (os-windows.rules)
 * 1:16752 <-> ENABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt (file-multimedia.rules)
 * 1:4196 <-> DISABLED <-> FILE-IDENTIFY CBO CBL CBM file transfer attempt (file-identify.rules)
 * 1:24200 <-> DISABLED <-> SERVER-MAIL IBM Lotus Notes URI handler command execution attempt (server-mail.rules)
 * 1:24199 <-> DISABLED <-> SERVER-MAIL IBM Lotus Notes URI handler command execution attempt (server-mail.rules)
 * 1:24087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in UDP (malware-cnc.rules)
 * 1:24088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in ICMP (malware-cnc.rules)
 * 1:23862 <-> DISABLED <-> INDICATOR-SHELLCODE heapspray characters detected - hexadecimal encoding (indicator-shellcode.rules)
 * 1:23860 <-> DISABLED <-> INDICATOR-SHELLCODE heapspray characters detected - ASCII (indicator-shellcode.rules)
 * 1:23832 <-> DISABLED <-> INDICATOR-OBFUSCATION non-alphanumeric javascript detected (indicator-obfuscation.rules)
 * 1:23844 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
 * 1:23805 <-> DISABLED <-> BROWSER-WEBKIT WebKit button column memory corruption attempt (browser-webkit.rules)
 * 1:23516 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:23624 <-> ENABLED <-> SERVER-OTHER Ubisoft Uplay browser plugin backdoor attempt (server-other.rules)
 * 1:23172 <-> DISABLED <-> SERVER-WEBAPP Microsoft ASP.NET improper comment handling XSS attempt (server-webapp.rules)
 * 1:23241 <-> DISABLED <-> SERVER-OTHER HP DPNECentral RequestCopy type SQL injection attempt (server-other.rules)
 * 1:23165 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online wlanapi.dll dll-load exploit attempt (server-other.rules)
 * 1:23164 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online ncrypt.dll dll-load exploit attempt (server-other.rules)
 * 1:23137 <-> DISABLED <-> BROWSER-IE Microsoft multiple product toStaticHTML XSS attempt (browser-ie.rules)
 * 1:23090 <-> DISABLED <-> SERVER-OTHER known malicious SSL certificate derived from Microsoft CA detected (server-other.rules)
 * 1:21525 <-> ENABLED <-> MALWARE-CNC Trojan.Downloader variant outbound connection (malware-cnc.rules)
 * 1:21567 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design wintab32.dll dll-load exploit attempt (os-windows.rules)
 * 1:21290 <-> DISABLED <-> OS-WINDOWS Microsoft Color Control Panel STI.dll dll-load exploit attempt (os-windows.rules)
 * 1:21405 <-> DISABLED <-> OS-WINDOWS Microsoft Anti-Cross Site Scripting library bypass attempt (os-windows.rules)
 * 1:20884 <-> DISABLED <-> OS-WINDOWS Microsoft Anti-Cross Site Scripting library bypass attempt (os-windows.rules)
 * 1:20254 <-> DISABLED <-> OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt (os-windows.rules)
 * 1:19674 <-> DISABLED <-> OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt (os-windows.rules)
 * 1:19818 <-> DISABLED <-> OS-WINDOWS Microsoft XML core services cross-domain information disclosure attempt (os-windows.rules)
 * 1:19461 <-> ENABLED <-> OS-WINDOWS Microsoft CSRSS NULL Fontface pointer attempt (os-windows.rules)
 * 1:19315 <-> DISABLED <-> OS-WINDOWS Microsoft Groove GroovePerfmon.dll dll-load exploit attempt (os-windows.rules)
 * 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (os-windows.rules)
 * 1:19234 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio information disclosure attempt (os-windows.rules)
 * 1:18622 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc90.dll dll-load exploit attempt (os-windows.rules)
 * 1:18623 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc100.dll dll-load exploit attempt (os-windows.rules)
 * 1:18620 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc42.dll dll-load exploit attempt (os-windows.rules)
 * 1:18621 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc80.dll dll-load exploit attempt (os-windows.rules)
 * 1:18499 <-> DISABLED <-> OS-WINDOWS Microsoft Groove mso.dll dll-load exploit attempt (os-windows.rules)
 * 1:18619 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc40.dll dll-load exploit attempt (os-windows.rules)
 * 1:18495 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
 * 1:18443 <-> DISABLED <-> FILE-PDF Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt (file-pdf.rules)
 * 1:18441 <-> DISABLED <-> FILE-PDF Acrobat Reader plugin bibutils.dll dll-load exploit attempt (file-pdf.rules)
 * 1:18440 <-> DISABLED <-> FILE-PDF Acrobat Reader plugin agm.dll dll-load exploit attempt (file-pdf.rules)
 * 1:18439 <-> DISABLED <-> FILE-PDF Acrobat Reader plugin ace.dll dll-load exploit attempt (file-pdf.rules)
 * 1:18432 <-> DISABLED <-> FILE-PDF Acrobat Reader d3dref9.dll dll-load exploit attempt (file-pdf.rules)
 * 1:18431 <-> DISABLED <-> FILE-PDF Acrobat Reader plugin sqlite.dll dll-load exploit attempt (file-pdf.rules)
 * 1:18309 <-> DISABLED <-> OS-WINDOWS Microsoft Vector Markup Language fill method overflow attempt (os-windows.rules)
 * 1:18210 <-> ENABLED <-> OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load exploit attempt (os-windows.rules)
 * 1:18196 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt (browser-ie.rules)
 * 1:16004 <-> DISABLED <-> FILE-OTHER Apple Mac OS X installer package filename format string vulnerability (file-other.rules)
 * 1:15562 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader JPX malformed code-block width attempt (file-pdf.rules)
 * 1:16003 <-> DISABLED <-> FILE-OTHER Apple Mac OS X installer package filename format string vulnerability (file-other.rules)
 * 1:13989 <-> ENABLED <-> INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation (indicator-obfuscation.rules)
 * 1:13474 <-> ENABLED <-> OS-WINDOWS Microsoft WebDAV MiniRedir remote code execution attempt (os-windows.rules)
 * 1:15157 <-> ENABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF memory corruption attempt (file-multimedia.rules)
 * 1:25357 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt (file-executable.rules)
 * 1:25677 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:25476 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent (blacklist.rules)
 * 1:16753 <-> ENABLED <-> SERVER-WEBAPP VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt (server-webapp.rules)
 * 1:12618 <-> DISABLED <-> FILE-OTHER Microsoft Visual Basic VBP file reference overflow attempt (file-other.rules)
 * 1:15430 <-> ENABLED <-> FILE-OTHER Microsoft EMF+ GpFont.SetData buffer overflow attempt (file-other.rules)
 * 1:16002 <-> DISABLED <-> FILE-OTHER Apple Mac OS X installer package filename format string vulnerability (file-other.rules)
 * 1:18442 <-> DISABLED <-> FILE-PDF Acrobat Reader plugin cooltype.dll dll-load exploit attempt (file-pdf.rules)
 * 1:19240 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6/7/8 reload stylesheet attempt (browser-ie.rules)
 * 1:19681 <-> ENABLED <-> OS-WINDOWS Microsoft Report Viewer reflect XSS attempt (os-windows.rules)
 * 1:21310 <-> DISABLED <-> OS-WINDOWS Microsoft product fputlsat.dll dll-load exploit attempt (os-windows.rules)
 * 1:12279 <-> DISABLED <-> OS-WINDOWS Microsoft XML substringData integer overflow attempt (os-windows.rules)
 * 1:23136 <-> DISABLED <-> BROWSER-IE Microsoft multiple product toStaticHTML XSS attempt (browser-ie.rules)
 * 1:8443 <-> DISABLED <-> BROWSER-FIREFOX Mozilla regular expression heap corruption attempt (browser-firefox.rules)
 * 1:23239 <-> DISABLED <-> SERVER-OTHER Wireshark console.lua file load exploit attempt (server-other.rules)
 * 1:17113 <-> ENABLED <-> OS-WINDOWS Microsoft SilverLight ImageSource redefine flowbit (os-windows.rules)
 * 1:17421 <-> ENABLED <-> FILE-OFFICE Microsoft OLE automation string manipulation overflow attempt (file-office.rules)
 * 1:17145 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS4 ASL file processing buffer overflow attempt (file-image.rules)
 * 1:17143 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS4 ABR file processing buffer overflow attempt - 1 (file-image.rules)
 * 1:17144 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS4 ABR file processing buffer overflow attempt - 2 (file-image.rules)
 * 1:25679 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:16523 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:23831 <-> DISABLED <-> INDICATOR-OBFUSCATION non-alphanumeric javascript detected (indicator-obfuscation.rules)
 * 1:25258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rombrast outbound connection (malware-cnc.rules)
 * 1:16208 <-> ENABLED <-> SERVER-MSSQL Microsoft SQL Server Distributed Management Objects overflow attempt (server-mssql.rules)
 * 1:17146 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS4 GRD file processing buffer overflow attempt (file-image.rules)
 * 1:17150 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC renamed zip file handling code execution attempt - 3 (file-multimedia.rules)
 * 1:2705 <-> DISABLED <-> FILE-IMAGE Microsoft Multiple Products JPEG parser heap overflow attempt (file-image.rules)
 * 1:18076 <-> ENABLED <-> OS-WINDOWS Microsoft Forefront UAG URL XSS alternate attempt (os-windows.rules)
 * 1:16751 <-> ENABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt (file-multimedia.rules)
 * 1:16048 <-> DISABLED <-> SERVER-OTHER Microsoft ASP.NET application folder info disclosure attempt (server-other.rules)
 * 1:24006 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
 * 1:17755 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word unchecked index value remote code execution attempt (file-office.rules)
 * 1:24290 <-> DISABLED <-> SERVER-OTHER Fortinet FortiOS appliedTags field cross site scripting attempt (server-other.rules)