Sourcefire VRT Rules Update

Date: 2013-01-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
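The following Python snippet is an added example and not part of the VRT release notes: it parses this changelog format into structured records so the update can be triaged mechanically (which new rules ship enabled, which disabled-by-default rules in categories you care about are worth turning on, how many rules touch each rules file). The sample text embedded in the block is an excerpt of the entries listed further down; the `enablesid_lines` output uses the one `gid:sid` per line layout that PulledPork's `enablesid.conf` accepts, which is an assumption about your rule-management tooling.

```python
import re
from collections import Counter

# One changelog entry, e.g.
#   " * 1:25552 <-> ENABLED <-> SERVER-OTHER Rails ... attempt (server-other.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<file>[\w.-]+\.rules)\)\s*$"
)
# Section headers that precede each list of entries.
SECTION_RE = re.compile(r"^(?P<name>New|Modified) Rules:\s*$")

# Constructed sample: a handful of entries copied from this update.
SAMPLE = """\
New Rules:

 * 1:25552 <-> ENABLED <-> SERVER-OTHER Rails JSON to YAML parsing deserialization attempt (server-other.rules)
 * 1:25551 <-> DISABLED <-> MALWARE-CNC WIN.Worm.Dipasik variant outbound connection (malware-cnc.rules)
 * 1:25534 <-> DISABLED <-> SERVER-WEBAPP Sonicwall Global Management System authentication bypass attempt (server-webapp.rules)
 * 1:25528 <-> ENABLED <-> SERVER-WEBAPP Moveable Type unauthenticated remote command execution attempt (server-webapp.rules)

Modified Rules:

 * 1:2597 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt (server-webapp.rules)
 * 1:19779 <-> ENABLED <-> SCAN sqlmap SQL injection scan attempt (scan.rules)
"""


def parse_update(text):
    """Parse a VRT rule-update changelog into a list of dict records.

    Each record carries the section it came from ("New" or "Modified"),
    gid/sid as ints, the default state, the category prefix of the message
    (its first token, e.g. MALWARE-CNC), the full message and the rules file.
    Lines matching neither a section header nor an entry are skipped, as are
    entries that appear before any section header.
    """
    records = []
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue
        msg = m.group("msg")
        records.append({
            "section": section,
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "state": m.group("state"),
            "category": msg.split(" ", 1)[0],
            "message": msg,
            "file": m.group("file"),
        })
    return records


def sids_by_state(records, section, state):
    """Return 'gid:sid' strings for one section and default state, sorted numerically."""
    hits = [r for r in records if r["section"] == section and r["state"] == state]
    return [f"{r['gid']}:{r['sid']}" for r in sorted(hits, key=lambda r: (r["gid"], r["sid"]))]


def count_by_file(records):
    """Count how many entries in the update touch each rules file."""
    return Counter(r["file"] for r in records)


def enablesid_lines(records, categories):
    """New rules that ship DISABLED but fall in a category you want on by default.

    Output lines are 'gid:sid # message', the layout assumed here for an
    enablesid.conf-style include file (verify against your own tooling).
    """
    hits = [r for r in records
            if r["section"] == "New" and r["state"] == "DISABLED"
            and r["category"] in categories]
    return [f"{r['gid']}:{r['sid']} # {r['message']}"
            for r in sorted(hits, key=lambda r: (r["gid"], r["sid"]))]


if __name__ == "__main__":
    recs = parse_update(SAMPLE)
    print("new, enabled by default:", sids_by_state(recs, "New", "ENABLED"))
    print("entries per rules file:", dict(count_by_file(recs)))
    for line in enablesid_lines(recs, {"SERVER-WEBAPP", "SERVER-OTHER"}):
        print(line)
```

Run it against the full text of an update (for example by reading the file instead of `SAMPLE`) to get the list of newly shipped rules that are enabled by default, which is the set that changes your sensor's behaviour immediately after the rule pack is applied; the disabled-by-default list is where the review effort goes.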

New Rules:


 * 1:25552 <-> ENABLED <-> SERVER-OTHER Rails JSON to YAML parsing deserialization attempt (server-other.rules)
 * 1:25551 <-> DISABLED <-> MALWARE-CNC WIN.Worm.Dipasik variant outbound connection (malware-cnc.rules)
 * 1:25550 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
 * 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
 * 1:25548 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Perflog variant outbound connection (malware-cnc.rules)
 * 1:25547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25546 <-> DISABLED <-> MALWARE-CNC Win.Proxy.Agent variant outbound connection (malware-cnc.rules)
 * 1:25545 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Printlove variant outbound connection (malware-cnc.rules)
 * 1:25544 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - ctwopop (blacklist.rules)
 * 1:25543 <-> DISABLED <-> MALWARE-CNC Win.Downloader.VB variant outbound connection (malware-cnc.rules)
 * 1:25542 <-> DISABLED <-> RPC EMC NetWorker nsrindexd service buffer overflow attempt (rpc.rules)
 * 1:25541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sigly variant outbound connection (malware-cnc.rules)
 * 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (exploit-kit.rules)
 * 1:25539 <-> ENABLED <-> EXPLOIT-KIT Red Dot java retrieval attempt (exploit-kit.rules)
 * 1:25538 <-> ENABLED <-> EXPLOIT-KIT Red Dot landing page (exploit-kit.rules)
 * 1:25537 <-> DISABLED <-> FILE-PDF Adobe Reader TTF parsing bad cmap format attempt (file-pdf.rules)
 * 1:25536 <-> DISABLED <-> FILE-PDF Adobe Reader TTF parsing bad cmap format attempt (file-pdf.rules)
 * 1:25535 <-> DISABLED <-> PROTOCOL-SERVICES Cisco Prime Lan Management rsh command execution attempt (protocol-services.rules)
 * 1:25534 <-> DISABLED <-> SERVER-WEBAPP Sonicwall Global Management System authentication bypass attempt (server-webapp.rules)
 * 1:25533 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent - al (blacklist.rules)
 * 1:25532 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25531 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25530 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25529 <-> DISABLED <-> MALWARE-CNC Win.Spy.Banker variant outbound connection (malware-cnc.rules)
 * 1:25528 <-> ENABLED <-> SERVER-WEBAPP Moveable Type unauthenticated remote command execution attempt (server-webapp.rules)
 * 1:25527 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint unbound memcpy and remote code execution attempt (file-office.rules)

Modified Rules:


 * 1:24104 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a JPEG file (malware-other.rules)
 * 1:24103 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a JPG file (malware-other.rules)
 * 1:2396 <-> DISABLED <-> SERVER-WEBAPP CCBill whereami.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:2386 <-> DISABLED <-> SERVER-IIS NTLM ASN1 vulnerability scan attempt (server-iis.rules)
 * 1:23732 <-> DISABLED <-> FILE-IDENTIFY Microsoft Media Player .asf file magic detected (file-identify.rules)
 * 1:23657 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23656 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23655 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23654 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23653 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23652 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23651 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23323 <-> ENABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:23318 <-> ENABLED <-> FILE-OTHER ELF multiple antivirus evasion attempts (file-other.rules)
 * 1:21753 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk Management Interface HTTP digest authentication stack buffer overflow attempt (protocol-voip.rules)
 * 1:21481 <-> DISABLED <-> FILE-OTHER Oracle Java Web Start arbitrary command execution attempt (file-other.rules)
 * 1:21288 <-> ENABLED <-> FILE-IDENTIFY XML download detected (file-identify.rules)
 * 1:21162 <-> DISABLED <-> FILE-PDF Adobe Acrobat file extension overflow attempt (file-pdf.rules)
 * 1:20872 <-> DISABLED <-> SERVER-WEBAPP Worldweaver DX Studio Player shell.execute command execution attempt (server-webapp.rules)
 * 1:20824 <-> DISABLED <-> DOS generic web server hashing collision attack (dos.rules)
 * 1:20737 <-> DISABLED <-> SPECIFIC-THREATS 427BB cookie-based authentication bypass attempt (specific-threats.rules)
 * 1:5707 <-> DISABLED <-> POLICY-SOCIAL Namazu outbound namazu.cgi access (policy-social.rules)
 * 1:5706 <-> DISABLED <-> POLICY-SOCIAL Namazu incoming namazu.cgi access (policy-social.rules)
 * 1:494 <-> ENABLED <-> INDICATOR-COMPROMISE command completed (indicator-compromise.rules)
 * 1:2597 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt (server-webapp.rules)
 * 1:25470 <-> DISABLED <-> MALWARE-CNC Win.Trojan.LoDo variant outbound connection (malware-cnc.rules)
 * 1:25460 <-> DISABLED <-> FILE-PDF Adobe Reader JP2K image object handling heap overflow attempt (file-pdf.rules)
 * 1:25459 <-> DISABLED <-> FILE-PDF Adobe Reader malformed JP2K image object heap overflow attempt (file-pdf.rules)
 * 1:25072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dulom variant outbound connection (malware-cnc.rules)
 * 1:24110 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to an MP3 file (malware-other.rules)
 * 1:24109 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a ZIP file (malware-other.rules)
 * 1:24108 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a RAR file (malware-other.rules)
 * 1:24107 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a BMP file (malware-other.rules)
 * 1:24106 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a PNG file (malware-other.rules)
 * 1:24105 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a GIF file (malware-other.rules)
 * 1:20659 <-> DISABLED <-> FILE-PDF Adobe Reader malformed shading modifier heap corruption attempt (file-pdf.rules)
 * 1:20469 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20468 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20467 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20466 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20465 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20464 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20463 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20245 <-> DISABLED <-> POLICY-OTHER remote privoxy config access (policy-other.rules)
 * 1:20244 <-> DISABLED <-> POLICY-OTHER possible forced privoxy disabling (policy-other.rules)
 * 1:20243 <-> DISABLED <-> POLICY-OTHER Privoxy disabling of x-filter (policy-other.rules)
 * 1:20136 <-> DISABLED <-> POLICY-OTHER Glype proxy usage detected (policy-other.rules)
 * 1:19933 <-> DISABLED <-> SCAN DirBuster brute forcing tool detected (scan.rules)
 * 1:19894 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint unbound memcpy and remote code execution attempt (file-office.rules)
 * 1:19779 <-> ENABLED <-> SCAN sqlmap SQL injection scan attempt (scan.rules)
 * 1:19735 <-> DISABLED <-> POLICY-OTHER Filesonic file-sharing site contacted (policy-other.rules)
 * 1:19071 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:18770 <-> ENABLED <-> BROWSER-WEBKIT Apple Safari WebKit range object remote code execution attempt (browser-webkit.rules)
 * 1:18751 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT HTTP Authentication overflow attempt (server-webapp.rules)
 * 1:18548 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment (file-office.rules)
 * 1:17569 <-> DISABLED <-> SERVER-OTHER BEA Weblogic Admin Console Cross Site Scripting Vulnerability attempt (server-other.rules)
 * 1:17562 <-> ENABLED <-> FILE-OTHER Oracle Java Runtime Environment Pack200 Decompression Integer Overflow attempt (file-other.rules)
 * 1:17434 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Unicode sequence handling stack corruption attempt (browser-firefox.rules)
 * 1:1742 <-> DISABLED <-> SERVER-WEBAPP Blahz-DNS dostuff.php modify user attempt (server-webapp.rules)
 * 1:17309 <-> DISABLED <-> SPECIFIC-THREATS CoolPlayer Playlist File Handling Buffer Overflow (specific-threats.rules)
 * 1:17278 <-> DISABLED <-> FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt (file-other.rules)
 * 1:17277 <-> DISABLED <-> FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt (file-other.rules)
 * 1:17276 <-> DISABLED <-> FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt (file-other.rules)
 * 1:16692 <-> DISABLED <-> FILE-MULTIMEDIA BlazeVideo BlazeDVD PLF playlist file name buffer overflow attempt (file-multimedia.rules)
 * 1:16560 <-> ENABLED <-> FILE-OFFICE Microsoft Office SharePoint XSS attempt (file-office.rules)
 * 1:1655 <-> DISABLED <-> SERVER-WEBAPP pfdispaly.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:16198 <-> DISABLED <-> SERVER-APACHE Apache mod_auth_pgsql module logging facility format string exploit attempt (server-apache.rules)
 * 1:1614 <-> DISABLED <-> SERVER-WEBAPP Novell Groupwise gwweb.exe attempt (server-webapp.rules)
 * 1:1612 <-> DISABLED <-> SERVER-WEBAPP ftp.pl attempt (server-webapp.rules)
 * 1:16033 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer compressed content attempt (browser-ie.rules)
 * 1:15996 <-> DISABLED <-> OS-WINDOWS Microsoft Negotiate SSP buffer overflow attempt (os-windows.rules)
 * 1:1590 <-> DISABLED <-> SERVER-WEBAPP faqmanager.cgi arbitrary file access attempt (server-webapp.rules)
 * 1:1573 <-> DISABLED <-> SERVER-WEBAPP cgiforum.pl attempt (server-webapp.rules)
 * 1:1567 <-> DISABLED <-> SERVER-IIS /exchange/root.asp attempt (server-iis.rules)
 * 1:1565 <-> DISABLED <-> SERVER-WEBAPP eshop.pl arbitrary command execution attempt (server-webapp.rules)
 * 1:1563 <-> DISABLED <-> SERVER-WEBAPP login.htm attempt (server-webapp.rules)
 * 1:15579 <-> DISABLED <-> SERVER-OTHER Squid NTLM fakeauth_auth Helper denial of service attempt (server-other.rules)
 * 1:1534 <-> DISABLED <-> SERVER-WEBAPP agora.cgi attempt (server-webapp.rules)
 * 1:1536 <-> DISABLED <-> SERVER-WEBAPP calendar_admin.pl arbitrary command execution attempt (server-webapp.rules)
 * 1:1532 <-> DISABLED <-> SERVER-WEBAPP bb-hostscv.sh attempt (server-webapp.rules)
 * 1:1531 <-> DISABLED <-> SERVER-WEBAPP bb-hist.sh attempt (server-webapp.rules)
 * 1:15256 <-> ENABLED <-> SERVER-ORACLE BPEL process manager XSS injection attempt (server-oracle.rules)
 * 1:1501 <-> DISABLED <-> SERVER-WEBAPP a1stats a1disp3.cgi directory traversal attempt (server-webapp.rules)
 * 1:1522 <-> DISABLED <-> SERVER-WEBAPP ans.pl attempt (server-webapp.rules)
 * 1:14656 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XSS mouseevent PII disclosure attempt (browser-ie.rules)
 * 1:1258 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Manager DOS (server-webapp.rules)
 * 1:1440 <-> DISABLED <-> POLICY-MULTIMEDIA Icecast playlist redirection (policy-multimedia.rules)
 * 1:1439 <-> DISABLED <-> POLICY-MULTIMEDIA Shoutcast playlist redirection (policy-multimedia.rules)
 * 1:14041 <-> ENABLED <-> EXPLOIT GNOME Project libxslt RC4 key string buffer overflow attempt - 2 (exploit.rules)
 * 1:14040 <-> ENABLED <-> EXPLOIT GNOME Project libxslt RC4 key string buffer overflow attempt (exploit.rules)
 * 1:13656 <-> ENABLED <-> SERVER-WEBAPP Cisco Secure Access Control Server UCP Application CSuserCGI.exe buffer overflow attempt (server-webapp.rules)
 * 1:12972 <-> DISABLED <-> FILE-IDENTIFY Microsoft Media Player .asf file magic detected (file-identify.rules)
 * 1:12595 <-> DISABLED <-> SERVER-IIS malicious ASP file upload attempt (server-iis.rules)
 * 1:12277 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSS memory corruption exploit (browser-ie.rules)
 * 1:12221 <-> DISABLED <-> SERVER-WEBAPP file upload GLOBAL variable overwrite attempt (server-webapp.rules)
 * 1:12058 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt (os-windows.rules)
 * 1:1194 <-> DISABLED <-> SERVER-WEBAPP sojourn.cgi File attempt (server-webapp.rules)
 * 1:1105 <-> DISABLED <-> SERVER-WEBAPP BigBrother access (server-webapp.rules)
 * 1:1101 <-> DISABLED <-> SCAN Webtrends HTTP probe (scan.rules)
 * 1:1100 <-> DISABLED <-> SCAN L3retriever HTTP Probe (scan.rules)
 * 1:1097 <-> DISABLED <-> SERVER-WEBAPP Talentsoft Web+ exploit attempt (server-webapp.rules)
 * 1:1096 <-> DISABLED <-> SERVER-WEBAPP Talentsoft Web+ internal IP Address access (server-webapp.rules)
 * 1:1095 <-> DISABLED <-> SERVER-WEBAPP Talentsoft Web+ Source Code view access (server-webapp.rules)
 * 1:1092 <-> DISABLED <-> SERVER-WEBAPP Armada Style Master Index directory traversal (server-webapp.rules)