Sourcefire VRT Rules Update

Date: 2013-07-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:27259 <-> DISABLED <-> INDICATOR-OBFUSCATION eval large block of fromCharCode (indicator-obfuscation.rules)
 * 1:27255 <-> DISABLED <-> INDICATOR-COMPROMISE All Numbers .EXE file name from abnormally ordered HTTP headers - Potential Yakes Trojan Download (indicator-compromise.rules)
 * 1:27257 <-> DISABLED <-> MALWARE-CNC Win.Kryptic 7-byte URI Invalid Firefox Headers - no Accept-Language (malware-cnc.rules)
 * 1:27254 <-> DISABLED <-> MALWARE-CNC Yakes Trojan HTTP Header Structure (malware-cnc.rules)
 * 1:27252 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess 111-byte URL outbound connection (malware-cnc.rules)
 * 1:27251 <-> DISABLED <-> FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table platform type 3 integer overflow attempt (file-other.rules)
 * 1:27249 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:27250 <-> DISABLED <-> BROWSER-PLUGINS ShockwaveFlash.ShockwaveFlash.9 ActiveX function overflow attempt (browser-plugins.rules)
 * 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
 * 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
 * 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
 * 1:27243 <-> ENABLED <-> SERVER-APACHE Apache Struts2 blacklisted method redirectAction (server-apache.rules)
 * 1:27242 <-> ENABLED <-> EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator (exploit-kit.rules)
 * 1:27241 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page detected (exploit-kit.rules)
 * 1:27244 <-> ENABLED <-> SERVER-APACHE Apache Struts2 blacklisted method redirect (server-apache.rules)
 * 1:27245 <-> ENABLED <-> SERVER-APACHE Apache Struts2 remote code execution attempt (server-apache.rules)
 * 1:27247 <-> ENABLED <-> BLACKLIST DNS request for known malware domain restless.ru - Gamarue Trojan (blacklist.rules)
 * 1:27246 <-> ENABLED <-> MALWARE-OTHER Mac OSX FBI ransomware (malware-other.rules)
 * 1:27248 <-> ENABLED <-> MALWARE-CNC Win.Gamarue Trojan - Mozi1la User-Agent (malware-cnc.rules)
 * 1:27253 <-> DISABLED <-> MALWARE-CNC Win.Cridex Encrypted POST w/ URL Pattern (malware-cnc.rules)
 * 1:27256 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kryptik Drive-by Download Malware (malware-cnc.rules)
 * 1:27258 <-> DISABLED <-> INDICATOR-OBFUSCATION eval large block of fromCharCode (indicator-obfuscation.rules)
 * 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)

Modified Rules:

 * 1:23530 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:23386 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:23529 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:23544 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt (file-office.rules)
 * 1:26831 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access (file-office.rules)
 * 1:26429 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RTMP malformed onStatus message type confusion attempt (file-flash.rules)
 * 1:26317 <-> DISABLED <-> FILE-MULTIMEDIA Cool Player Plus M3U buffer overflow attempt (file-multimedia.rules)
 * 1:25270 <-> ENABLED <-> FILE-OTHER overly large XML file MSXML heap overflow attempt (file-other.rules)
 * 1:25558 <-> ENABLED <-> EXPLOIT-KIT embedded iframe redirection - possible exploit kit redirection (exploit-kit.rules)
 * 1:24904 <-> DISABLED <-> FILE-JAVA Oracle Java Web Start JNLP j2se key value buffer overflow attempt (file-java.rules)
 * 1:24905 <-> DISABLED <-> FILE-JAVA Oracle Java Web Start JNLP j2se key value buffer overflow attempt (file-java.rules)
 * 1:24889 <-> DISABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules)
 * 1:24892 <-> DISABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules)
 * 1:24557 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:24558 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:23561 <-> DISABLED <-> FILE-IMAGE Microsoft Kodak Imaging large offset malformed tiff - big-endian (file-image.rules)
 * 1:13515 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime user agent (file-multimedia.rules)
 * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules)
 * 1:7980 <-> DISABLED <-> BROWSER-PLUGINS ShockwaveFlash.ShockwaveFlash.9 ActiveX function call access (browser-plugins.rules)
 * 1:26830 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access (file-office.rules)
 * 1:15504 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint Download of version 4.0 file (file-office.rules)
 * 1:15534 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XML HttpRequest race condition exploit attempt (browser-ie.rules)
 * 1:15694 <-> DISABLED <-> FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table integer overflow attempt (file-other.rules)
 * 1:15695 <-> DISABLED <-> FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table platform type 3 integer overflow attempt (file-other.rules)
 * 1:16638 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt (file-office.rules)
 * 1:17131 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 parent style rendering arbitrary code execution (browser-ie.rules)
 * 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
 * 1:22078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:24535 <-> DISABLED <-> FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table integer overflow attempt (file-other.rules)
 * 1:17231 <-> DISABLED <-> FILE-IMAGE Microsoft Kodak Imaging small offset malformed tiff - little-endian (file-image.rules)
 * 1:24553 <-> DISABLED <-> FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt (file-image.rules)
 * 1:17232 <-> DISABLED <-> FILE-IMAGE Microsoft Kodak Imaging large offset malformed tiff - big-endian (file-image.rules)
 * 1:24556 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:17631 <-> DISABLED <-> FILE-JAVA Oracle Java Web Start JNLP j2se key value buffer overflow attempt (file-java.rules)
 * 1:18201 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:24906 <-> DISABLED <-> FILE-JAVA Oracle Java Web Start JNLP j2se key value buffer overflow attempt (file-java.rules)
 * 1:26318 <-> DISABLED <-> FILE-MULTIMEDIA Cool Player Plus M3U buffer overflow attempt (file-multimedia.rules)
 * 1:26541 <-> ENABLED <-> EXPLOIT-KIT Multiple Exploit kit successful redirection - jnlp bypass (exploit-kit.rules)
 * 1:20295 <-> DISABLED <-> FILE-IMAGE Public LibTiff Exploit (file-image.rules)
 * 1:22076 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 3:13879 <-> ENABLED <-> WEB-CLIENT Windows BMP image conversion arbitrary code execution attempt (web-client.rules)
 * 3:16662 <-> ENABLED <-> WEB-CLIENT Microsoft Excel SxView heap overflow attempt (web-client.rules)
 * 3:20275 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss NetShareEnumAll response overflow attempt (netbios.rules)
 * 3:20825 <-> ENABLED <-> DOS generic web server hashing collision attack (dos.rules)