Sourcefire VRT Rules Update

Date: 2013-06-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:26907 <-> ENABLED <-> SERVER-WEBAPP TWiki search function remote code execution attempt (server-webapp.rules)
 * 1:26908 <-> ENABLED <-> SERVER-WEBAPP TWiki search function remote code execution attempt (server-webapp.rules)
 * 1:26909 <-> DISABLED <-> FILE-IMAGE Microsoft Windows WMF FILE-IMAGE attempt (file-image.rules)
 * 1:26906 <-> DISABLED <-> SERVER-OTHER Foswiki/Twiki MAKETEXT command execution attempt (server-other.rules)
 * 1:26905 <-> ENABLED <-> SERVER-WEBAPP FosWiki and TWiki MAKETEXT macro memory consumption denial of service attempt (server-webapp.rules)

Modified Rules:

 * 1:6695 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected tRNS overflow attempt (file-image.rules)
 * 1:6691 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sBIT overflow attempt (file-image.rules)
 * 1:6698 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected tIME overflow attempt (file-image.rules)
 * 1:6699 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected iTXt overflow attempt (file-image.rules)
 * 1:6700 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt (file-image.rules)
 * 1:6701 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected zTXt overflow attempt (file-image.rules)
 * 1:25025 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Recslurp variant outbound connection (malware-cnc.rules)
 * 1:26257 <-> DISABLED <-> MALWARE-BACKDOOR Android ANDR-WIN.MSIL variant PC-USB Malicious executable file download (malware-backdoor.rules)
 * 1:26290 <-> ENABLED <-> MALWARE-CNC Android ANDR.Trojan.RootSmart outbound communication attempt (malware-cnc.rules)
 * 1:26633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html reload loop attempt (browser-ie.rules)
 * 1:26639 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value (browser-ie.rules)
 * 1:26640 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value (browser-ie.rules)
 * 1:26657 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shiz outbound connection (malware-cnc.rules)
 * 1:26664 <-> DISABLED <-> FILE-IMAGE BMP extremely large xpos opcodes (file-image.rules)
 * 1:26665 <-> DISABLED <-> FILE-IMAGE BMP extremely large xpos opcodes (file-image.rules)
 * 1:26866 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected zTXt overflow attempt (file-image.rules)
 * 1:6689 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected cHRM overflow attempt (file-image.rules)
 * 1:26666 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ANIMATECOLOR SMIL access attempt (browser-ie.rules)
 * 1:26684 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neshax variant outbound connection (malware-cnc.rules)
 * 1:26685 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string J13A (blacklist.rules)
 * 1:26694 <-> ENABLED <-> FILE-PDF Adobe Reader dll injection sandbox escape (file-pdf.rules)
 * 1:26695 <-> ENABLED <-> MALWARE-CNC Namihno Trojan CnC Request (malware-cnc.rules)
 * 1:26696 <-> ENABLED <-> MALWARE-CNC Cbeplay Ransomware outbound connection - Abnormal HTTP Headers (malware-cnc.rules)
 * 1:26815 <-> ENABLED <-> MALWARE-CNC OSX.Trojan.KitM outbound connection user-agent (malware-cnc.rules)
 * 1:26816 <-> ENABLED <-> MALWARE-CNC OSX.Trojan.KitM outbound connection (malware-cnc.rules)
 * 1:17533 <-> ENABLED <-> SERVER-APACHE Apache Struts Information Disclosure Attempt (server-apache.rules)
 * 1:17440 <-> DISABLED <-> SERVER-IIS RSA authentication agent for web redirect buffer overflow attempt (server-iis.rules)
 * 1:17129 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free memory corruption attempt (browser-ie.rules)
 * 1:26826 <-> ENABLED <-> MALWARE-CNC Android ANDR.Trojan.Opfake credential theft attempt (malware-cnc.rules)
 * 1:26827 <-> ENABLED <-> MALWARE-CNC Android ANDR.Trojan.Opfake device information disclosure attempt (malware-cnc.rules)
 * 1:6690 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected iCCP overflow attempt (file-image.rules)
 * 1:3824 <-> DISABLED <-> SERVER-MAIL AUTH user overflow attempt (server-mail.rules)
 * 1:26848 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 emulation via meta tag (browser-ie.rules)
 * 1:6697 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sPLT overflow attempt (file-image.rules)
 * 1:6696 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected pHYs overflow attempt (file-image.rules)
 * 1:26852 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt (browser-ie.rules)
 * 1:26853 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt (browser-ie.rules)
 * 1:26854 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected cHRM overflow attempt (file-image.rules)
 * 1:26855 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected iCCP overflow attempt (file-image.rules)
 * 1:26856 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sBIT overflow attempt (file-image.rules)
 * 1:26857 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sRGB overflow attempt (file-image.rules)
 * 1:26858 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected bKGD overflow attempt (file-image.rules)
 * 1:26859 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected hIST overflow attempt (file-image.rules)
 * 1:26860 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected tRNS overflow attempt (file-image.rules)
 * 1:26861 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected pHYs overflow attempt (file-image.rules)
 * 1:26862 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sPLT overflow attempt (file-image.rules)
 * 1:6694 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected hIST overflow attempt (file-image.rules)
 * 1:26863 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected tIME overflow attempt (file-image.rules)
 * 1:26864 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected iTXt overflow attempt (file-image.rules)
 * 1:26865 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt (file-image.rules)
 * 1:6693 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected bKGD overflow attempt (file-image.rules)
 * 1:6692 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sRGB overflow attempt (file-image.rules)