Sourcefire VRT Rules Update

Date: 2013-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:25332 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file tkrm stack buffer overflow attempt (file-other.rules)
 * 1:25331 <-> DISABLED <-> FILE-OFFICE Microsoft Excel conditional code execution attempt (file-office.rules)
 * 1:25330 <-> DISABLED <-> FILE-OFFICE Microsoft Excel conditional code execution attempt (file-office.rules)
 * 1:25329 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSS style memory corruption attempt (browser-ie.rules)
 * 1:25328 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25327 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit pdf exploit retrieval (exploit-kit.rules)
 * 1:25326 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25325 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit pdf exploit retrieval (exploit-kit.rules)
 * 1:25324 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit landing page detected (exploit-kit.rules)
 * 1:25323 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25322 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25321 <-> DISABLED <-> SERVER-ORACLE Oracle Database tablefunc_asown buffer overflow attempt (server-oracle.rules)
 * 1:25320 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nonexistent attribute removal memory corruption attempt (browser-ie.rules)
 * 1:25319 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
 * 1:25318 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
 * 1:25317 <-> DISABLED <-> POLICY-OTHER RedHat JBOSS JNDI service naming (policy-other.rules)
 * 1:25316 <-> DISABLED <-> BROWSER-PLUGINS InduSoft ISSymbol InternationalSeparator heap overflow attempt (browser-plugins.rules)
 * 1:25315 <-> DISABLED <-> SERVER-ORACLE Oracle TNS listener service registration (server-oracle.rules)
 * 1:25314 <-> DISABLED <-> DOS Linux kernel IGMP queries denial of service attempt (dos.rules)
 * 1:25313 <-> DISABLED <-> SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt (server-other.rules)
 * 1:25312 <-> DISABLED <-> SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt (server-other.rules)
 * 1:25311 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt (file-office.rules)
 * 1:25310 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:25309 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:25308 <-> ENABLED <-> FILE-IDENTIFY Adobe Audition Session file attachment detected (file-identify.rules)
 * 1:25307 <-> ENABLED <-> FILE-IDENTIFY Adobe Audition Session file attachment detected (file-identify.rules)
 * 1:25306 <-> ENABLED <-> FILE-IDENTIFY Adobe Audition Session file download request (file-identify.rules)
 * 1:25305 <-> ENABLED <-> FILE-IDENTIFY Adobe Audition Session file magic detected (file-identify.rules)
 * 1:25304 <-> DISABLED <-> FILE-OTHER Cisco WebEx WRF memory corruption attempt (file-other.rules)
 * 1:25303 <-> DISABLED <-> FILE-OTHER Cisco WebEx WRF memory corruption attempt (file-other.rules)

Modified Rules:


 * 1:25135 <-> DISABLED <-> EXPLOIT-KIT Styx Exploit Kit outbound connection (exploit-kit.rules)
 * 1:24796 <-> DISABLED <-> EXPLOIT-KIT KaiXin Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:24797 <-> DISABLED <-> EXPLOIT-KIT KaiXin Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:24794 <-> DISABLED <-> EXPLOIT-KIT KaiXin Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:24795 <-> DISABLED <-> EXPLOIT-KIT KaiXin Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:20734 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Media Player digital video recording buffer overflow attempt (file-multimedia.rules)
 * 1:23838 <-> DISABLED <-> OS-WINDOWS SMB NetServerEnum response host format string exploit attempt (os-windows.rules)
 * 1:20124 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record attempt (file-office.rules)
 * 1:20128 <-> DISABLED <-> FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat buffer overflow attempt (file-office.rules)
 * 1:18066 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt (file-office.rules)
 * 1:19873 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSS style memory corruption attempt (browser-ie.rules)
 * 1:17429 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ASP.NET information disclosure attempt (os-windows.rules)
 * 1:17428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ASP.NET information disclosure attempt (os-windows.rules)
 * 1:16008 <-> ENABLED <-> OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt (os-windows.rules)
 * 1:15910 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getElementById object corruption (browser-ie.rules)