Sourcefire VRT Rules Update

Date: 2013-05-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:26617 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:26611 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.Dulevco.A runtime detection (malware-backdoor.rules)
 * 1:26605 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:26606 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Sosork variant outbound connection (malware-cnc.rules)
 * 1:26586 <-> ENABLED <-> SERVER-OTHER PostgreSQL database name command line injection attempt (server-other.rules)
 * 1:26604 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:26584 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt (browser-ie.rules)
 * 1:26602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel sheet name memory corruption attempt (file-office.rules)
 * 1:26599 <-> ENABLED <-> EXPLOIT-KIT Impact/Stamp exploit kit landing page (exploit-kit.rules)
 * 1:26597 <-> ENABLED <-> FILE-OFFICE Microsoft Office eps filters memory corruption attempt (file-office.rules)
 * 1:26594 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk Management Interface HTTP digest authentication stack buffer overflow attempt (protocol-voip.rules)
 * 1:26590 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt (file-executable.rules)
 * 1:26591 <-> ENABLED <-> EXPLOIT-KIT unknown exploit kit script injection attempt (exploit-kit.rules)
 * 1:26588 <-> DISABLED <-> FILE-OTHER Oracle Java runtime JMX findclass sandbox breach attempt (file-other.rules)
 * 1:26589 <-> ENABLED <-> BLACKLIST DNS request for known malware domain theimageparlour.net - Vobfus worm (blacklist.rules)
 * 1:26593 <-> ENABLED <-> SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt (server-webapp.rules)
 * 1:26595 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript hex character extraction routine detected (indicator-obfuscation.rules)
 * 1:26596 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript fromCharCode xor decryption routine detected (indicator-obfuscation.rules)
 * 1:26598 <-> DISABLED <-> FILE-OTHER .tar multiple antivirus evasion attempt (file-other.rules)
 * 1:26600 <-> ENABLED <-> EXPLOIT-KIT Impact/Stamp exploit kit landing page (exploit-kit.rules)
 * 1:26601 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt (file-executable.rules)
 * 1:26603 <-> DISABLED <-> BLACKLIST DNS request for known malware domain microsoftUpdate.ns1.name (blacklist.rules)
 * 1:26607 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Korlia variant outbound connection (malware-cnc.rules)
 * 1:26608 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Rocra variant outbound connection (malware-cnc.rules)
 * 1:26609 <-> DISABLED <-> MALWARE-CNC OSX.Trojan.Dockster variant outbound connection (malware-cnc.rules)
 * 1:26610 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.Dulevco.A runtime detection (malware-backdoor.rules)
 * 1:26616 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript indexOf rename attempt (indicator-obfuscation.rules)
 * 1:26612 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ppcfeedadvertising.com (blacklist.rules)
 * 1:26614 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ppcfeedclick.com (blacklist.rules)
 * 1:26613 <-> ENABLED <-> MALWARE-CNC Medfos Trojan outbound connection (malware-cnc.rules)
 * 1:26592 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt (browser-webkit.rules)
 * 1:26585 <-> ENABLED <-> INDICATOR-COMPROMISE config.inc.php in iframe (indicator-compromise.rules)
 * 1:26587 <-> DISABLED <-> FILE-OTHER Oracle Java runtime JMX findclass sandbox breach attempt (file-other.rules)
 * 1:26615 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript substr rename attempt (indicator-obfuscation.rules)

Modified Rules:


 * 1:19069 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:26542 <-> DISABLED <-> SERVER-OTHER Autonomy Ultraseek cs.html url parameter with url - possible malicious redirection attempt (server-other.rules)
 * 1:610 <-> DISABLED <-> PROTOCOL-SERVICES rsh root (protocol-services.rules)
 * 1:19180 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel pivot item index boundary corruption attempt (file-office.rules)
 * 1:19068 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:20246 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt (file-office.rules)
 * 1:20247 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt (file-office.rules)
 * 1:12780 <-> DISABLED <-> BROWSER-PLUGINS Aurigma Image Uploader 4 Vulnerable Methods ActiveX clsid access attempt (browser-plugins.rules)
 * 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
 * 1:20649 <-> DISABLED <-> SERVER-WEBAPP ADNForum SQL injection in index.php fid attempt (server-webapp.rules)
 * 1:12782 <-> DISABLED <-> BROWSER-PLUGINS Aurigma Image Uploader 4 Vulnerable Methods ActiveX function call access attempt (browser-plugins.rules)
 * 1:26535 <-> ENABLED <-> EXPLOIT-KIT Stamp Exploit Kit landing page - specific structure (exploit-kit.rules)
 * 1:13925 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager PASV stack overflow attempt (protocol-ftp.rules)
 * 1:13970 <-> ENABLED <-> FILE-OFFICE Microsoft Office eps filters memory corruption attempt (file-office.rules)
 * 1:21024 <-> DISABLED <-> BROWSER-PLUGINS McAfee Security as a Service ActiveX clsid access attempt (browser-plugins.rules)
 * 1:15554 <-> DISABLED <-> SERVER-ORACLE Application Server 10g OPMN service format string vulnerability exploit attempt (server-oracle.rules)
 * 1:19972 <-> DISABLED <-> OS-WINDOWS SMB client TRANS response paramcount overflow attempt (os-windows.rules)
 * 1:16008 <-> DISABLED <-> OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt (os-windows.rules)
 * 1:21025 <-> DISABLED <-> BROWSER-PLUGINS McAfee Security as a Service ActiveX function call attempt (browser-plugins.rules)
 * 1:16614 <-> DISABLED <-> INDICATOR-COMPROMISE c99shell.php command request - search (indicator-compromise.rules)
 * 1:26451 <-> DISABLED <-> EXPLOIT-KIT g01pack Javascript substr function wrapper attempt (exploit-kit.rules)
 * 1:6414 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger Accept-Language header buffer overflow attempt (server-webapp.rules)
 * 1:21026 <-> DISABLED <-> BROWSER-PLUGINS McAfee Security as a Service ActiveX clsid access attempt (browser-plugins.rules)
 * 1:16615 <-> DISABLED <-> INDICATOR-COMPROMISE c99shell.php command request - upload (indicator-compromise.rules)
 * 1:16621 <-> DISABLED <-> INDICATOR-COMPROMISE c99shell.php command request - security (indicator-compromise.rules)
 * 1:494 <-> ENABLED <-> INDICATOR-COMPROMISE command completed (indicator-compromise.rules)
 * 1:16674 <-> ENABLED <-> SERVER-WEBAPP HP OpenView CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:16789 <-> ENABLED <-> BROWSER-PLUGINS Chilkat Crypt 2 ActiveX object access attempt (browser-plugins.rules)
 * 1:16790 <-> ENABLED <-> BROWSER-PLUGINS Chilkat Crypt 2 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:21027 <-> DISABLED <-> BROWSER-PLUGINS McAfee Security as a Service ActiveX function call attempt (browser-plugins.rules)
 * 1:17227 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel sheet name memory corruption attempt (file-office.rules)
 * 1:17297 <-> DISABLED <-> SERVER-OTHER McAfee VirusScan on-access scanner long unicode filename handling buffer overflow attempt (server-other.rules)
 * 1:19070 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:21557 <-> DISABLED <-> FILE-OTHER Apple OSX ZIP archive shell script execution attempt (file-other.rules)
 * 1:17662 <-> DISABLED <-> SERVER-OTHER VMware Workstation DHCP service integer overflow attempt (server-other.rules)
 * 1:18575 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (protocol-ftp.rules)
 * 1:21793 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt (browser-ie.rules)
 * 1:2183 <-> DISABLED <-> SERVER-MAIL Sendmail Content-Transfer-Encoding overflow attempt (server-mail.rules)
 * 1:22925 <-> DISABLED <-> INDICATOR-COMPROMISE c99shell.php command request - security (indicator-compromise.rules)
 * 1:23484 <-> DISABLED <-> INDICATOR-COMPROMISE Wordpress Invit0r plugin non-image file upload attempt (indicator-compromise.rules)
 * 1:19066 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:23559 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel pivot item index boundary corruption attempt (file-office.rules)
 * 1:24491 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vundo redirection landing page pre-infection (malware-cnc.rules)
 * 1:24628 <-> ENABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
 * 1:25830 <-> ENABLED <-> FILE-OTHER Oracle Java malicious class download attempt (file-other.rules)
 * 1:24974 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
 * 1:19065 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:21753 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk Management Interface HTTP digest authentication stack buffer overflow attempt (protocol-voip.rules)
 * 1:25123 <-> ENABLED <-> FILE-OTHER Oracle Java field bytecode verifier cache code execution attempt (file-other.rules)
 * 1:17669 <-> ENABLED <-> SERVER-ORACLE Oracle Application Server 10g OPMN service format string vulnerability exploit attempt (server-oracle.rules)
 * 1:19067 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:17746 <-> DISABLED <-> OS-WINDOWS SMB client TRANS response Find_First2 filename overflow attempt (os-windows.rules)
 * 1:24975 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
 * 1:25535 <-> DISABLED <-> PROTOCOL-SERVICES Cisco Prime Lan Management rsh command execution attempt (protocol-services.rules)
 * 1:26449 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:17768 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 object event handler use after free exploit attempt (browser-ie.rules)
 * 3:20825 <-> ENABLED <-> DOS generic web server hashing collision attack (dos.rules)
 * 3:14772 <-> ENABLED <-> WEB-CLIENT libpng malformed chunk denial of service attempt (web-client.rules)