Sourcefire VRT Rules Update

Date: 2012-08-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:24039 <-> DISABLED <-> WEB-ACTIVEX HP Easy Printer Care Software ActiveX function call access (web-activex.rules)
 * 1:24040 <-> DISABLED <-> WEB-ACTIVEX HP Easy Printer Care Software ActiveX clsid access (web-activex.rules)
 * 1:24041 <-> DISABLED <-> WEB-ACTIVEX HP Easy Printer Care Software ActiveX clsid access (web-activex.rules)
 * 1:24042 <-> DISABLED <-> WEB-ACTIVEX HP Easy Printer Care Software ActiveX clsid access (web-activex.rules)
 * 1:24043 <-> DISABLED <-> WEB-ACTIVEX HP Easy Printer Care Software ActiveX clsid access (web-activex.rules)
 * 1:24044 <-> DISABLED <-> WEB-ACTIVEX HP Easy Printer Care Software ActiveX clsid access (web-activex.rules)
 * 1:24045 <-> ENABLED <-> FILE-IDENTIFY Winamp skin file wsz file download request (file-identify.rules)
 * 1:24046 <-> ENABLED <-> FILE-IDENTIFY Winamp skin file wsz file attachment detected (file-identify.rules)
 * 1:24053 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page with specific structure (specific-threats.rules)
 * 1:24047 <-> ENABLED <-> FILE-IDENTIFY Winamp skin file wsz file attachment detected (file-identify.rules)
 * 1:24048 <-> ENABLED <-> FILE-IDENTIFY Winamp skin file wal file download request (file-identify.rules)
 * 1:24049 <-> ENABLED <-> FILE-IDENTIFY Winamp skin file wal file attachment detected (file-identify.rules)
 * 1:24050 <-> ENABLED <-> FILE-IDENTIFY Winamp skin file wal file attachment detected (file-identify.rules)
 * 1:24051 <-> DISABLED <-> FILE-OTHER Winamp skin file arbitrary code execution attempt (file-other.rules)
 * 1:24052 <-> DISABLED <-> FILE-OTHER Winamp skin file arbitrary code execution attempt (file-other.rules)
 * 1:24054 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page with specific structure (specific-threats.rules)
 * 1:24055 <-> ENABLED <-> FILE-OTHER Oracle Java privileged protection domain exploitation attempt (file-other.rules)
 * 1:24058 <-> ENABLED <-> FILE-OTHER Oracle Java privileged protection domain exploitation attempt (file-other.rules)
 * 1:24056 <-> ENABLED <-> FILE-OTHER Oracle Java privileged protection domain exploitation attempt (file-other.rules)
 * 1:24057 <-> ENABLED <-> FILE-OTHER Oracle Java privileged protection domain exploitation attempt (file-other.rules)
 * 1:24059 <-> DISABLED <-> SMTP PHP 5.3.3 mt_rand integer overflow attempt (smtp.rules)
 * 1:24060 <-> DISABLED <-> WEB-PHP PHP 5.3.3 mt_rand integer overflow attempt (web-php.rules)
 * 1:24061 <-> DISABLED <-> WEB-PHP PHP 5.3.3 mt_rand integer overflow attempt (web-php.rules)
 * 1:24062 <-> DISABLED <-> BOTNET-CNC W32.Trojan.Hufysk variant connect to cnc-server attempt (botnet-cnc.rules)

Modified Rules:

 * 1:23969 <-> DISABLED <-> SPYWARE-PUT Android SMSZombie APK file download (spyware-put.rules)
 * 1:23954 <-> DISABLED <-> SPYWARE-PUT Android SMSZombie APK file download (spyware-put.rules)
 * 1:23832 <-> DISABLED <-> WEB-CLIENT non-alphanumeric javascript detected (web-client.rules)
 * 1:23863 <-> ENABLED <-> SPYWARE-PUT LiveSecurityPlatinum.A runtime detection - initial connection (spyware-put.rules)
 * 1:23831 <-> DISABLED <-> WEB-CLIENT non-alphanumeric javascript detected (web-client.rules)
 * 1:23272 <-> DISABLED <-> FILE-OTHER Apple iTunes Extended M3U playlist record overflow attempt (file-other.rules)
 * 1:23171 <-> ENABLED <-> INDICATOR-COMPROMISE Wordpress Request for html file in fgallery directory (indicator-compromise.rules)
 * 1:23271 <-> DISABLED <-> FILE-OTHER Apple iTunes Extended M3U playlist record overflow attempt (file-other.rules)
 * 1:23136 <-> DISABLED <-> WEB-CLIENT Microsoft multiple product toStaticHTML XSS attempt (web-client.rules)
 * 1:23137 <-> DISABLED <-> WEB-CLIENT Microsoft multiple product toStaticHTML XSS attempt (web-client.rules)
 * 1:22047 <-> ENABLED <-> MALWARE-CNC Trojan.Jokbot variant outbound connection (malware-cnc.rules)
 * 1:20997 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit Display box rendering corruption attempt (browser-webkit.rules)
 * 1:21092 <-> ENABLED <-> MALWARE-TOOLS JavaScript LOIC attack (malware-tools.rules)
 * 1:21967 <-> DISABLED <-> MALWARE-BACKDOOR Rebhip.A runtime detection (malware-backdoor.rules)
 * 1:21063 <-> DISABLED <-> WEB-ACTIVEX HP Easy Printer Care Software ActiveX clsid access (web-activex.rules)
 * 1:21064 <-> DISABLED <-> WEB-ACTIVEX HP Easy Printer Care Software ActiveX function call access (web-activex.rules)
 * 1:21169 <-> DISABLED <-> SPYWARE-PUT Apperhand SDK advertising data request - Counterclank (spyware-put.rules)
 * 1:21176 <-> DISABLED <-> SPYWARE-PUT Win32.WindowsOptimizationAndSecurity outbound connection (spyware-put.rules)
 * 1:16316 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed getPropertyLate actioncode attempt (file-flash.rules)
 * 1:21292 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)
 * 1:16365 <-> ENABLED <-> SPYWARE-PUT OnlineGames download atttempt (spyware-put.rules)
 * 1:16667 <-> ENABLED <-> BROWSER-CHROME Google Chrome GURL cross origin bypass attempt - 1 (browser-chrome.rules)
 * 1:17113 <-> DISABLED <-> WEB-CLIENT Microsoft SilverLight ImageSource redefine flowbit (web-client.rules)
 * 1:24004 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control access (file-office.rules)
 * 1:24010 <-> DISABLED <-> BOTNET-CNC runtime Trojan.Radil outbound connection attempt (botnet-cnc.rules)
 * 1:24028 <-> ENABLED <-> WEB-CLIENT Oracle Java privileged protection domain exploitation attempt (web-client.rules)
 * 1:21792 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows .NET invalid parsing of graphics data attempt (file-executable.rules)
 * 1:17114 <-> DISABLED <-> WEB-CLIENT Microsoft SilverLight ImageSource remote code execution attempt (web-client.rules)
 * 1:17149 <-> ENABLED <-> FILE-MULTIMEDIA VideoLAN VLC renamed zip file handling code execution attempt - 2 (file-multimedia.rules)
 * 1:17649 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word array data handling buffer overflow attempt (file-office.rules)
 * 1:21860 <-> ENABLED <-> EXPLOIT-KIT Phoenix exploit kit post-compromise behavior (exploit-kit.rules)
 * 1:19105 <-> DISABLED <-> EXPLOIT HP Data Protector Manager MMD service buffer overflow attempt (exploit.rules)
 * 1:17613 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt (browser-firefox.rules)
 * 1:19130 <-> DISABLED <-> FILE-IMAGE Microsoft Windows MSPaint jpeg with malformed SOFx field exploit attempt (file-image.rules)
 * 1:19362 <-> DISABLED <-> MALWARE-OTHER generic IRC botnet connection (malware-other.rules)
 * 1:20433 <-> DISABLED <-> SPYWARE-PUT XP Guardian 2010 anutayadokalug host runtime traffic detection (spyware-put.rules)
 * 1:23385 <-> DISABLED <-> WEB-MISC Novell Groupwise Messenger parameter memory corruption attempt (web-misc.rules)
 * 1:24005 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control access (file-office.rules)
 * 1:6407 <-> DISABLED <-> APP-DETECT Gizmo register VOIP state (app-detect.rules)
 * 1:23849 <-> ENABLED <-> SPECIFIC-THREATS Blackhole redirection attempt (specific-threats.rules)
 * 1:20535 <-> DISABLED <-> BROWSER-OTHER Opera Config File script access attempt (browser-other.rules)
 * 1:20434 <-> DISABLED <-> SPYWARE-PUT XP Guardian 2010 proantivirus21 host runtime traffic detection (spyware-put.rules)