Sourcefire VRT Rules Update

Date: 2012-09-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
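Because the listing is line-oriented, it can be parsed mechanically, which helps when reviewing a pack: most of the new detection rules ship DISABLED and have to be turned on deliberately, while the MALWARE-CNC and EXPLOIT-KIT rules ship ENABLED. The following parser is an added example for this page, not Sourcefire's own tooling. It assumes the exact "gid:sid <-> STATE <-> Message (file.rules)" layout shown above, takes the first token of the message as the category (FILE-OFFICE, MALWARE-CNC, ...), and emits "gid:sid" lines in the one-per-line form a pulledpork-style enablesid.conf accepts (an assumption; check your own rule manager's format). The sample input is a constructed excerpt of the listing.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a few lines in the page's own
# "gid:sid <-> STATE <-> Message (rule group)" listing format.
SAMPLE = """\
New Rules:

 * 1:24242 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel drawing layer use after free attempt (file-office.rules)
 * 1:24235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wuwo initial infection outbound connection (malware-cnc.rules)
 * 1:24250 <-> DISABLED <-> MISC telephone URI to USSD code for factory reset (misc.rules)

Modified Rules:

 * 1:23208 <-> ENABLED <-> VOIP Digium Asterisk Manager Interface initial banner (voip.rules)
 * 1:6513 <-> DISABLED <-> VOIP Asterisk IAX2 truncated video mini-frame packet overflow attempt (voip.rules)
"""

# One listing line: bullet, gid:sid, state, free-text message, "(file.rules)".
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<rulefile>[^()]+\.rules)\)\s*$"
)


def parse_update(text):
    """Return one dict per rule line. 'section' is the most recent
    'New Rules:' / 'Modified Rules:' heading seen above the line."""
    rules = []
    section = None
    for line in text.splitlines():
        heading = line.strip()
        if heading.endswith("Rules:"):
            section = heading[:-1]
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and prose are not part of the listing
        msg = m.group("msg")
        rules.append({
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "state": m.group("state"),
            "category": msg.split(" ", 1)[0],  # e.g. FILE-OFFICE, MALWARE-CNC
            "message": msg,
            "rulefile": m.group("rulefile"),
            "section": section,
        })
    return rules


def state_counts(rules, section=None):
    """Count ENABLED vs DISABLED rules, optionally within one section."""
    return dict(Counter(r["state"] for r in rules
                        if section is None or r["section"] == section))


def disabled_by_rulefile(rules, section="New Rules"):
    """Map rule file -> sorted SIDs that ship DISABLED in that section:
    the list a reviewer walks to decide what to turn on."""
    out = defaultdict(list)
    for r in rules:
        if r["section"] == section and r["state"] == "DISABLED":
            out[r["rulefile"]].append(r["sid"])
    return {k: sorted(v) for k, v in sorted(out.items())}


def enablesid_lines(rules, rulefiles):
    """'gid:sid' entries (one per line) for DISABLED rules in the chosen
    rule files, sorted by gid then sid. Assumption: this is the per-line
    form of a pulledpork-style enablesid.conf; adapt to your rule manager."""
    picked = [r for r in rules
              if r["state"] == "DISABLED" and r["rulefile"] in rulefiles]
    picked.sort(key=lambda r: (r["gid"], r["sid"]))
    return [f"{r['gid']}:{r['sid']}" for r in picked]


if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    print("new rules by state:", state_counts(parsed, "New Rules"))
    print("disabled new rules:", disabled_by_rulefile(parsed))
    print("\n".join(enablesid_lines(parsed, {"file-office.rules", "voip.rules"})))
```

Feed the whole update text to parse_update and diff the result against the previous pack's output to see which SIDs changed state; the disabled_by_rulefile view is the one to review before enabling anything, since a DISABLED default usually means the VRT expected the rule to be noisy or narrowly applicable.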

New Rules:


 * 1:24242 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel drawing layer use after free attempt (file-office.rules)
 * 1:24240 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel drawing layer use after free attempt (file-office.rules)
 * 1:24241 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel drawing layer use after free attempt (file-office.rules)
 * 1:24238 <-> DISABLED <-> FILE-OTHER ClamAV UPX File Handling Heap overflow attempt (file-other.rules)
 * 1:24239 <-> DISABLED <-> WEB-MISC Novell GroupWise Internet Agent content-length integer overflow attempt (web-misc.rules)
 * 1:24235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wuwo initial infection outbound connection (malware-cnc.rules)
 * 1:24236 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wuwo post infection outbound connection (malware-cnc.rules)
 * 1:24233 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit outbound connection (exploit-kit.rules)
 * 1:24234 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit outbound connection (exploit-kit.rules)
 * 1:24231 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit redirection attempt (exploit-kit.rules)
 * 1:24249 <-> DISABLED <-> WEB-ACTIVEX AdminStudio and InstallShield ActiveX function call access attempt (web-activex.rules)
 * 1:24248 <-> DISABLED <-> WEB-ACTIVEX AdminStudio and InstallShield ActiveX function call access attempt (web-activex.rules)
 * 1:24250 <-> DISABLED <-> MISC telephone URI to USSD code for factory reset (misc.rules)
 * 1:24232 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit outbound connection (exploit-kit.rules)
 * 1:24237 <-> DISABLED <-> FILE-OTHER ClamAV UPX File Handling Heap overflow attempt (file-other.rules)
 * 1:24243 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - base64 encoded (malware-cnc.rules)
 * 1:24244 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Matrix3D integer overflow attempt (file-flash.rules)
 * 1:24245 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Matrix3D integer overflow attempt (file-flash.rules)
 * 1:24246 <-> DISABLED <-> WEB-ACTIVEX AdminStudio and InstallShield ActiveX clsid access attempt (web-activex.rules)
 * 1:24247 <-> DISABLED <-> WEB-ACTIVEX AdminStudio and InstallShield ActiveX clsid access attempt (web-activex.rules)

Modified Rules:


 * 1:23208 <-> ENABLED <-> VOIP Digium Asterisk Manager Interface initial banner (voip.rules)
 * 1:23209 <-> DISABLED <-> VOIP Digium Asterisk Manager command shell execution attempt (voip.rules)
 * 1:21753 <-> DISABLED <-> VOIP Digium Asterisk Management Interface HTTP digest authentication stack buffer overflow attempt (voip.rules)
 * 1:22947 <-> DISABLED <-> FILE-OTHER Novell Groupwise Addressbook buffer overflow attempt (file-other.rules)
 * 1:21442 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - base64 encoded (malware-cnc.rules)
 * 1:16445 <-> ENABLED <-> VOIP Digium Asterisk IAX2 ack response denial of service attempt (voip.rules)
 * 1:16819 <-> DISABLED <-> MALWARE-CNC known command and control channel traffic (malware-cnc.rules)
 * 1:18638 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel drawing layer use after free attempt (file-office.rules)
 * 1:19167 <-> DISABLED <-> VOIP Digium Asterisk UDPTL processing overflow attempt (voip.rules)
 * 1:21191 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Multiple Products MozOrientation loading attempt (browser-firefox.rules)
 * 1:19813 <-> DISABLED <-> WEB-MISC Novell File Reporter Agent XMLK parsing stack buffer overflow attempt (web-misc.rules)
 * 1:24212 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt (browser-ie.rules)
 * 1:24227 <-> DISABLED <-> EXPLOIT-KIT Blackholev2 - URI Structure (exploit-kit.rules)
 * 1:6513 <-> DISABLED <-> VOIP Asterisk IAX2 truncated video mini-frame packet overflow attempt (voip.rules)
 * 1:6514 <-> DISABLED <-> VOIP Asterisk IAX2 truncated full-frame packet overflow attempt (voip.rules)
 * 1:6515 <-> DISABLED <-> VOIP Asterisk IAX2 truncated mini-frame packet overflow attempt (voip.rules)
 * 1:21190 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Multiple Products MozOrientation loading attempt (browser-firefox.rules)
 * 1:20670 <-> DISABLED <-> VOIP Asterisk data length field overflow attempt (voip.rules)
 * 1:24105 <-> ENABLED <-> MALWARE-OTHER HTTP POST request to a GIF file (malware-other.rules)
 * 1:23210 <-> DISABLED <-> VOIP Digium Asterisk Manager command shell execution attempt (voip.rules)
 * 1:24171 <-> ENABLED <-> EXPLOIT-KIT Blackhole possible email Landing to 8 chr folder (exploit-kit.rules)