Sourcefire VRT Rules Update

Date: 2012-10-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:24269 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Range Code Execution attempt (file-office.rules)
 * 1:24270 <-> DISABLED <-> VOIP Digium Asterisk RTP comfort noise denial of service attempt (voip.rules)
 * 1:24267 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Range Code Execution attempt (file-office.rules)
 * 1:24268 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Range Code Execution attempt (file-office.rules)
 * 1:24265 <-> ENABLED <-> MALWARE-OTHER Malicious UA detected on non-standard port (malware-other.rules)
 * 1:24266 <-> DISABLED <-> FILE-PDF xpdf ObjectStream integer overflow (file-pdf.rules)
 * 1:24263 <-> ENABLED <-> FILE-PDF Overly large CreationDate within a pdf - likely malicious (file-pdf.rules)
 * 1:24264 <-> ENABLED <-> FILE-PDF Overly large CreationDate within a pdf - likely malicious (file-pdf.rules)
 * 1:24271 <-> DISABLED <-> MALWARE-CNC WIN.Spy.Bancos variant outbound connection (malware-cnc.rules)
 * 1:24275 <-> ENABLED <-> WEB-IIS Microsoft Windows IIS stack exhaustion DoS attempt (web-iis.rules)
 * 1:24274 <-> ENABLED <-> WEB-IIS Microsoft Windows IIS stack exhaustion DoS attempt (web-iis.rules)
 * 1:24276 <-> DISABLED <-> WEB-IIS Microsoft Windows IIS stack exhaustion DoS attempt (web-iis.rules)
 * 1:24277 <-> ENABLED <-> FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt (file-other.rules)
 * 1:24278 <-> ENABLED <-> FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt (file-other.rules)
 * 1:24279 <-> ENABLED <-> FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt (file-other.rules)
 * 1:24280 <-> ENABLED <-> FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt (file-other.rules)
 * 1:24281 <-> DISABLED <-> WEB-ACTIVEX Cisco Secure Desktop CSDWebInstaller ActiveX clsid access (web-activex.rules)
 * 1:24283 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC webm memory corruption attempt (file-multimedia.rules)
 * 1:24284 <-> ENABLED <-> FILE-OFFICE Microsoft Office Drawing object code execution attempt (file-office.rules)
 * 1:24285 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Nomno variant outbound connection attempt (malware-cnc.rules)
 * 1:24286 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Lurk variant outbound connection attempt (malware-cnc.rules)
 * 1:24287 <-> DISABLED <-> MALWARE-CNC WIN.Trojan.Minitalviv variant outbound connection attempt (malware-cnc.rules)
 * 1:24282 <-> DISABLED <-> WEB-ACTIVEX Cisco Secure Desktop CSDWebInstaller ActiveX function call access (web-activex.rules)
 * 1:24288 <-> DISABLED <-> MALWARE-CNC WIN.Trojan.Flexty outbound connection attempt (malware-cnc.rules)
 * 1:24290 <-> DISABLED <-> WEB-CLIENT Fortinet FortiOS appliedTags field cross site scripting attempt (web-client.rules)
 * 1:24289 <-> DISABLED <-> WEB-MISC Fortinet FortiOS appliedTags field cross site scripting attempt (web-misc.rules)
 * 1:24291 <-> ENABLED <-> WEB-MISC HP SiteScope APISiteScopeImpl information disclosure attempt (web-misc.rules)
 * 1:24292 <-> ENABLED <-> WEB-MISC HP SiteScope APISiteScopeImpl information disclosure attempt (web-misc.rules)
 * 1:24293 <-> DISABLED <-> EXPLOIT EMC NetWorker SunRPC buffer overflow attempt (exploit.rules)
 * 1:24294 <-> DISABLED <-> ICMP IPv6 neighbor advertisement flood attempt (icmp.rules)
 * 1:24295 <-> DISABLED <-> ICMP suspicious IPv6 router advertisement attempt (icmp.rules)
 * 1:24296 <-> DISABLED <-> ICMP IPv6 router advertisement invalid prefix option attempt (icmp.rules)
 * 1:24297 <-> DISABLED <-> ICMP IPv6 oversized ICMP ping attempt (icmp.rules)
 * 1:24298 <-> DISABLED <-> ICMP IPv6 0xdeadbeef ICMP ping attempt (icmp.rules)
 * 1:24300 <-> DISABLED <-> ICMP IPv6 router advertisement flood attempt (icmp.rules)
 * 1:24299 <-> DISABLED <-> ICMP IPv6 invalid router advertisement attempt (icmp.rules)
 * 1:24273 <-> ENABLED <-> FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt (file-other.rules)
 * 1:24304 <-> DISABLED <-> DNS dead alive6 DNS attempt (dns.rules)
 * 1:24305 <-> DISABLED <-> ICMP invalid ICMPv6 header attempt (icmp.rules)
 * 1:24303 <-> DISABLED <-> ICMP IPv6 multicast neighbor add attempt (icmp.rules)
 * 1:24301 <-> DISABLED <-> ICMP IPv6 multicast neighbor query attempt (icmp.rules)
 * 1:24272 <-> ENABLED <-> FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt (file-other.rules)
 * 1:24302 <-> DISABLED <-> ICMP IPv6 multicast neighbor delete attempt (icmp.rules)

Modified Rules:

 * 1:24227 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 - URI Structure (exploit-kit.rules)
 * 1:24171 <-> DISABLED <-> EXPLOIT-KIT Blackhole possible email Landing to 8 chr folder (exploit-kit.rules)
 * 1:23371 <-> ENABLED <-> FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt (file-other.rules)
 * 1:23370 <-> DISABLED <-> FILE-OFFICE Microsoft Office Drawing object code execution attempt (file-office.rules)
 * 1:3061 <-> DISABLED <-> APP-DETECT distccd remote command execution attempt (app-detect.rules)
 * 1:17488 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Range Code Execution attempt (file-office.rules)
 * 1:17806 <-> ENABLED <-> FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt (file-other.rules)
 * 1:17807 <-> ENABLED <-> FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt (file-other.rules)
 * 1:18171 <-> DISABLED <-> EXPLOIT Multiple product mailto uri handling code execution attempt (exploit.rules)
 * 1:19183 <-> ENABLED <-> WEB-IIS Microsoft Windows IIS FastCGI heap overflow attempt (web-iis.rules)
 * 1:19192 <-> ENABLED <-> WEB-IIS Microsoft Windows IIS stack exhaustion DoS attempt (web-iis.rules)
 * 1:16335 <-> DISABLED <-> FILE-PDF XPDF ObjectStream integer overflow (file-pdf.rules)
 * 1:17202 <-> ENABLED <-> FILE-OTHER Adobe Director file file Shockwave 3D overflow attempt (file-other.rules)
 * 1:16336 <-> DISABLED <-> FILE-PDF Blackberry Server PDF JBIG2 numnewsyms remote code execution attempt (file-pdf.rules)
 * 1:20227 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC webm memory corruption attempt (file-multimedia.rules)
 * 1:20999 <-> ENABLED <-> BROWSER-WEBKIT Microsoft Windows 7 x64 Apple Safari abnormally long iframe exploit attempt (browser-webkit.rules)
 * 1:24228 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 - Landing Page Received (exploit-kit.rules)
 * 1:17254 <-> ENABLED <-> WEB-IIS Microsoft Windows IIS stack exhaustion DoS attempt (web-iis.rules)