Sourcefire VRT Rules Update

Date: 2013-02-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:25836 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Virtuallythere (indicator-compromise.rules)
 * 1:25843 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Server (indicator-compromise.rules)
 * 1:25851 <-> ENABLED <-> SCADA Schneider Electric IGSS integer underflow attempt (scada.rules)
 * 1:25849 <-> ENABLED <-> SCADA Schneider Electric IGSS integer underflow attempt (scada.rules)
 * 1:25850 <-> ENABLED <-> SCADA Schneider Electric IGSS integer underflow attempt (scada.rules)
 * 1:25848 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - APT1 No-Name (indicator-compromise.rules)
 * 1:25846 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Yahoo (indicator-compromise.rules)
 * 1:25845 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - APT1 AOL (indicator-compromise.rules)
 * 1:25844 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Sur (indicator-compromise.rules)
 * 1:25842 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - APT1 NS (indicator-compromise.rules)
 * 1:25841 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Lame (indicator-compromise.rules)
 * 1:25840 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Email (indicator-compromise.rules)
 * 1:25838 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Webmail (indicator-compromise.rules)
 * 1:25830 <-> ENABLED <-> FILE-OTHER Oracle Java malicious class download attempt (file-other.rules)
 * 1:25831 <-> ENABLED <-> FILE-OTHER Oracle Java JMX class arbitrary code execution attempt (file-other.rules)
 * 1:25832 <-> ENABLED <-> FILE-OTHER Oracle Java JMX class arbitrary code execution attempt (file-other.rules)
 * 1:25833 <-> ENABLED <-> FILE-OTHER Oracle Java malicious class download attempt (file-other.rules)
 * 1:25834 <-> ENABLED <-> FILE-OTHER Oracle Java JMX class arbitrary code execution attempt (file-other.rules)
 * 1:25829 <-> ENABLED <-> MALWARE-CNC Trojan Banker FTC variant outbound connection (malware-cnc.rules)
 * 1:25839 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Alpha (indicator-compromise.rules)
 * 1:25847 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Moon-Night (indicator-compromise.rules)
 * 1:25835 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt (file-flash.rules)
 * 1:25837 <-> ENABLED <-> INDICATOR-COMPROMISE known malicious SSL certificate - APT1 IBM (indicator-compromise.rules)
 * 1:25854 <-> ENABLED <-> MALWARE-CNC Potential Zeus - MSIE7 No Referer No Cookie (malware-cnc.rules)
 * 1:25853 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer bitmap BitmapOffset integer overflow attempt (browser-ie.rules)
 * 1:25852 <-> ENABLED <-> SCADA Schneider Electric IGSS integer underflow attempt (scada.rules)

Modified Rules:

 * 1:15693 <-> ENABLED <-> FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table overflow attempt (file-other.rules)
 * 1:17639 <-> ENABLED <-> NETBIOS Samba Root File System access bypass attempt (netbios.rules)
 * 1:18996 <-> ENABLED <-> SERVER-ORACLE DBMS_JAVA.SET_OUTPUT_TO_JAVA privilege escalation attempt (server-oracle.rules)
 * 1:19682 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt (file-flash.rules)
 * 1:21234 <-> ENABLED <-> SERVER-WEBAPP MKCOL Webdav Stack Buffer Overflow attempt (server-webapp.rules)
 * 1:23102 <-> DISABLED <-> POLICY-OTHER Seagate BlackArmor administrator password reset attempt (policy-other.rules)
 * 1:23934 <-> ENABLED <-> SERVER-WEBAPP Symantec Web Gateway blocked.php blind sql injection attempt (server-webapp.rules)
 * 1:25472 <-> ENABLED <-> FILE-OTHER Oracle Java JMX class arbitrary code execution attempt (file-other.rules)
 * 1:25774 <-> DISABLED <-> OS-WINDOWS TCP FIN handshake resource exhaustion attempt (os-windows.rules)
 * 1:25798 <-> DISABLED <-> EXPLOIT-KIT Multiple Exploit Kit 32-alpha jar request (exploit-kit.rules)
 * 1:25805 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit Java exploit retrieval (exploit-kit.rules)
 * 1:2671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer bitmap BitmapOffset integer overflow attempt (browser-ie.rules)
 * 3:17700 <-> ENABLED <-> WEB-CLIENT RealNetworks RealPlayer wav chunk string overflow attempt (web-client.rules)