Sourcefire VRT Rules Update

Date: 2013-01-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:25299 <-> DISABLED <-> BROWSER-PLUGINS IBM VsVIEW ActiveX control directory traversal attempt (browser-plugins.rules)
 * 1:25297 <-> ENABLED <-> FILE-MULTIMEDIA Mozilla products Ogg Vorbis decoding memory corruption attempt (file-multimedia.rules)
 * 1:25298 <-> ENABLED <-> FILE-MULTIMEDIA Mozilla products Ogg Vorbis decoding memory corruption attempt (file-multimedia.rules)
 * 1:25295 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:25294 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:25291 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Javascript arbitrary memory reading attempt (browser-firefox.rules)
 * 1:25292 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Javascript arbitrary memory reading attempt (browser-firefox.rules)
 * 1:25290 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Javascript arbitrary memory reading attempt (browser-firefox.rules)
 * 1:25277 <-> ENABLED <-> MALWARE-OTHER Request for a non-legit postal receipt (malware-other.rules)
 * 1:25278 <-> ENABLED <-> MALWARE-BACKDOOR possible Htran setup command - listen (malware-backdoor.rules)
 * 1:25279 <-> ENABLED <-> MALWARE-BACKDOOR possible Htran setup command - slave (malware-backdoor.rules)
 * 1:25280 <-> ENABLED <-> MALWARE-BACKDOOR possible Htran setup command - tran (malware-backdoor.rules)
 * 1:25281 <-> ENABLED <-> MALWARE-BACKDOOR Htran banner (malware-backdoor.rules)
 * 1:25283 <-> ENABLED <-> MALWARE-BACKDOOR possible Htran setup command - slave (malware-backdoor.rules)
 * 1:25282 <-> ENABLED <-> MALWARE-BACKDOOR possible Htran setup command - listen (malware-backdoor.rules)
 * 1:25284 <-> ENABLED <-> MALWARE-BACKDOOR possible Htran setup command - tran (malware-backdoor.rules)
 * 1:25286 <-> ENABLED <-> SERVER-WEBAPP MoinMoin arbitrary file upload attempt (server-webapp.rules)
 * 1:25287 <-> DISABLED <-> SERVER-OTHER Rails XML parameter parsing vulnerability exploitation attempt (server-other.rules)
 * 1:25288 <-> DISABLED <-> SERVER-OTHER Rails XML parameter parsing vulnerability exploitation attempt (server-other.rules)
 * 1:25289 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Javascript arbitrary memory reading attempt (browser-firefox.rules)
 * 1:25293 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:25296 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:25285 <-> DISABLED <-> SERVER-OTHER Ruby on Rails authlogic session cookie SQL injection attempt (server-other.rules)
 * 1:25302 <-> ENABLED <-> FILE-OTHER jar archive exploit kit download attempt (file-other.rules)
 * 1:25301 <-> ENABLED <-> EXPLOIT-KIT redirect to malicious java archive attempt (exploit-kit.rules)
 * 1:25300 <-> DISABLED <-> BROWSER-PLUGINS IBM VsVIEW ActiveX control directory traversal attempt (browser-plugins.rules)

Modified Rules:

 * 1:25135 <-> DISABLED <-> EXPLOIT-KIT Styx Exploit Kit outbound connection (exploit-kit.rules)
 * 1:24139 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed RTMP response attempt (file-flash.rules)
 * 1:24140 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed RTMP response attempt (file-flash.rules)
 * 1:24138 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed RTMP response attempt (file-flash.rules)
 * 1:18809 <-> DISABLED <-> BROWSER-FIREFOX Mozilla EnsureCachedAttrPraramArrays integer overflow attempt (browser-firefox.rules)
 * 1:19580 <-> DISABLED <-> MALWARE-CNC Worm Win.Trojan.Basun.wsc inbound connection (malware-cnc.rules)
 * 1:15699 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt (browser-firefox.rules)
 * 1:17148 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC renamed zip file handling code execution attempt - 1 (file-multimedia.rules)
 * 1:13583 <-> ENABLED <-> FILE-IDENTIFY Microsoft SYmbolic LinK file download request (file-identify.rules)
 * 1:13585 <-> ENABLED <-> FILE-IDENTIFY Microsoft SYmbolic LinK file magic detected (file-identify.rules)
 * 1:13363 <-> DISABLED <-> SERVER-OTHER Cisco Unified Communications Manager heap overflow attempt (server-other.rules)