Sourcefire VRT Rules Update

Date: 2013-06-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.6.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:26867 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt (browser-ie.rules)
 * 1:26866 <-> DISABLED <-> DELETED FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected zTXt overflow attempt (deleted.rules)
 * 1:26865 <-> DISABLED <-> DELETED FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt (deleted.rules)
 * 1:26864 <-> DISABLED <-> DELETED FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected iTXt overflow attempt (deleted.rules)
 * 1:26863 <-> DISABLED <-> DELETED FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected tIME overflow attempt (deleted.rules)
 * 1:26862 <-> DISABLED <-> DELETED FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sPLT overflow attempt (deleted.rules)
 * 1:26861 <-> DISABLED <-> DELETED FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected pHYs overflow attempt (deleted.rules)
 * 1:26860 <-> DISABLED <-> DELETED FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected tRNS overflow attempt (deleted.rules)
 * 1:26859 <-> DISABLED <-> DELETED FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected hIST overflow attempt (deleted.rules)
 * 1:26858 <-> DISABLED <-> DELETED FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected bKGD overflow attempt (deleted.rules)
 * 1:26857 <-> DISABLED <-> DELETED FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sRGB overflow attempt (deleted.rules)
 * 1:26856 <-> DISABLED <-> DELETED FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sBIT overflow attempt (deleted.rules)
 * 1:26855 <-> DISABLED <-> DELETED FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected iCCP overflow attempt (deleted.rules)
 * 1:26854 <-> DISABLED <-> DELETED FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected cHRM overflow attempt (deleted.rules)
 * 1:26853 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt (browser-ie.rules)
 * 1:26852 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt (browser-ie.rules)
 * 1:26851 <-> ENABLED <-> BROWSER-IE IE5 compatibility mode user after free attempt (browser-ie.rules)
 * 1:26850 <-> DISABLED <-> BROWSER-IE IE5 compatibility mode enable attempt (browser-ie.rules)
 * 1:26849 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer superscript use after free attempt (browser-ie.rules)
 * 1:26848 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 emulation via meta tag (browser-ie.rules)
 * 1:26847 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 10 use after free attempt (browser-ie.rules)
 * 1:26904 <-> ENABLED <-> FILE-IDENTIFY Android APK download file attachment detected (file-identify.rules)
 * 1:26903 <-> ENABLED <-> FILE-IDENTIFY Android APK download file attachment detected (file-identify.rules)
 * 1:26902 <-> ENABLED <-> FILE-IDENTIFY Android APK download request (file-identify.rules)
 * 1:26901 <-> DISABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt (browser-plugins.rules)
 * 1:26900 <-> DISABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt (browser-plugins.rules)
 * 1:26899 <-> ENABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt (browser-plugins.rules)
 * 1:26898 <-> DISABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt (browser-plugins.rules)
 * 1:26897 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit malware download (exploit-kit.rules)
 * 1:26896 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit Plugin detection response (exploit-kit.rules)
 * 1:26895 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit Java V7 exploit download (exploit-kit.rules)
 * 1:26894 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit Java V6 exploit download (exploit-kit.rules)
 * 1:26893 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit landing page (exploit-kit.rules)
 * 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit jar file download (exploit-kit.rules)
 * 1:26891 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit executable download (exploit-kit.rules)
 * 1:26890 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDocument use after free attempt (browser-ie.rules)
 * 1:26889 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt (browser-ie.rules)
 * 1:26888 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt (browser-ie.rules)
 * 1:26887 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:26886 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:26885 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:26884 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:26883 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:26882 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:26881 <-> DISABLED <-> MALWARE-OTHER HTML.Dropper.Agent uri scheme detected (malware-other.rules)
 * 1:26880 <-> DISABLED <-> MALWARE-CNC Win.Zotob.E gc.exe download attempt (malware-cnc.rules)
 * 1:26879 <-> DISABLED <-> BROWSER-OTHER local loopback address in html (browser-other.rules)
 * 1:26878 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 tree element use after free attempt (browser-ie.rules)
 * 1:26876 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 cached display node use-after-free attempt (browser-ie.rules)
 * 1:26875 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt (browser-ie.rules)
 * 1:26874 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt (browser-ie.rules)
 * 1:26873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt (browser-ie.rules)
 * 1:26872 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt (browser-ie.rules)
 * 1:26871 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt (browser-ie.rules)
 * 1:26870 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt (browser-ie.rules)
 * 1:26869 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt (browser-ie.rules)
 * 1:26868 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt (browser-ie.rules)
 * 1:26846 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt (browser-ie.rules)
 * 1:26845 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt (browser-ie.rules)
 * 1:26844 <-> ENABLED <-> BROWSER-IE IE9 layout engine memory corruption attempt (browser-ie.rules)
 * 1:26843 <-> DISABLED <-> BROWSER-IE IE9 array element property user after free attempt (browser-ie.rules)
 * 1:26842 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Boda Malware Checkin (malware-backdoor.rules)
 * 1:26841 <-> ENABLED <-> MALWARE-CNC Win.Spy.Agent variant outbound connection (malware-cnc.rules)
 * 1:26840 <-> ENABLED <-> MALWARE-CNC Win.Spy.Agent variant outbound connection (malware-cnc.rules)
 * 1:26839 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus P2P-proxy C2 Write command (malware-cnc.rules)
 * 1:26838 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign (exploit-kit.rules)
 * 1:26837 <-> ENABLED <-> MALWARE-CNC BitBot Idle C2 response (malware-cnc.rules)
 * 1:26836 <-> DISABLED <-> MALWARE-CNC RDN Banker Strange Google Traffic (malware-cnc.rules)
 * 1:26835 <-> DISABLED <-> MALWARE-CNC RDN Banker POST outbound connection (malware-cnc.rules)
 * 1:26834 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange landing page in.php base64 uri (exploit-kit.rules)
 * 1:26833 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control exploit attempt (file-office.rules)
 * 1:26832 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control exploit attempt (file-office.rules)
 * 1:26831 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access (file-office.rules)
 * 1:26830 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access (file-office.rules)
 * 1:26829 <-> DISABLED <-> SQL generic sql update injection attempt - POST parameter (sql.rules)
 * 1:26828 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Uperti variant outbound connection (malware-cnc.rules)
 * 1:26827 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.Opfake device information disclosure attempt (malware-cnc.rules)
 * 1:26826 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.Opfake credential theft attempt (malware-cnc.rules)
 * 1:26825 <-> ENABLED <-> SERVER-OTHER Apache Struts2 remote code execution attempt (server-other.rules)
 * 1:26824 <-> ENABLED <-> SERVER-OTHER Apache Struts2 remote code execution attempt (server-other.rules)
 * 1:26823 <-> DISABLED <-> MALWARE-BACKDOOR Backdoor.Win32.Neshgai.A runtime detection (malware-backdoor.rules)
 * 1:26822 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Buterat variant outbound connection (malware-cnc.rules)
 * 3:26877 <-> ENABLED <-> DOS Microsoft Windows TCPRecomputeMss denial of service attempt (dos.rules)

Modified Rules:
 * 1:15876 <-> DISABLED <-> SQL generic sql update injection attempt - POST parameter (sql.rules)
 * 1:15913 <-> ENABLED <-> OS-WINDOWS Microsoft Windows javascript arguments keyword override rce attempt (os-windows.rules)
 * 1:16309 <-> ENABLED <-> SERVER-ORACLE auth_sesskey buffer overflow attempt (server-oracle.rules)
 * 1:17400 <-> DISABLED <-> INDICATOR-OBFUSCATION rename of javascript unescape function detected (indicator-obfuscation.rules)
 * 1:20008 <-> DISABLED <-> MALWARE-CNC Malware PDFMarca.A runtime traffic detected (malware-cnc.rules)
 * 1:21965 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent VB WININET (blacklist.rules)
 * 1:23329 <-> ENABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:2338 <-> DISABLED <-> PROTOCOL-FTP LIST buffer overflow attempt (protocol-ftp.rules)
 * 1:25136 <-> ENABLED <-> EXPLOIT-KIT Styx Exploit Kit plugin detection connection (exploit-kit.rules)
 * 1:25512 <-> DISABLED <-> MALWARE-CNC Android ANDR.Trojan.SMSsend variant outbound connection (malware-cnc.rules)
 * 1:26596 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript fromCharCode xor decryption routine detected (indicator-obfuscation.rules)
 * 1:26783 <-> ENABLED <-> MALWARE-OTHER Android ANDR.Trojan.Opfake APK file download (malware-other.rules)
 * 1:26808 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit short jar request (exploit-kit.rules)
 * 1:3079 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ANI file parsing buffer overflow attempt (browser-ie.rules)
 * 1:5997 <-> DISABLED <-> SERVER-WEBAPP WinProxy host header port buffer overflow attempt (server-webapp.rules)
 * 1:6700 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt (file-image.rules)
 * 1:15697 <-> DISABLED <-> INDICATOR-OBFUSCATION rename of javascript unescape function detected (indicator-obfuscation.rules)