Sourcefire VRT Rules Update

Date: 2013-07-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.6.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:27161 <-> DISABLED <-> SERVER-WEBAPP Dasdec unauthenticated information disclosure vulnerability (server-webapp.rules)
 * 1:27160 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection attempt (malware-cnc.rules)
 * 1:27162 <-> DISABLED <-> SERVER-WEBAPP Dasdec unauthenticated information disclosure vulnerability (server-webapp.rules)
 * 1:27163 <-> DISABLED <-> SERVER-WEBAPP Dasdec unauthenticated information disclosure vulnerability (server-webapp.rules)
 * 1:27159 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Pesut variant outbound connection attempt (malware-cnc.rules)
 * 1:27164 <-> DISABLED <-> SERVER-WEBAPP Dasdec unauthenticated information disclosure vulnerability (server-webapp.rules)
 * 1:27158 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Eliseantry variant outbound connection attempt (malware-cnc.rules)
 * 1:27166 <-> ENABLED <-> FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt (file-other.rules)
 * 1:27167 <-> ENABLED <-> FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt (file-other.rules)
 * 1:27168 <-> ENABLED <-> FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt (file-other.rules)
 * 1:27169 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atezag variant outbound connection (malware-cnc.rules)
 * 1:27170 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 buffer overflow attempt (server-other.rules)
 * 1:27171 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:27173 <-> DISABLED <-> BROWSER-PLUGINS Cisco AnyConnect mobility client activex clsid access attempt (browser-plugins.rules)
 * 1:27172 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:27174 <-> DISABLED <-> BROWSER-PLUGINS Chilkat Socket ActiveX clsid access (browser-plugins.rules)
 * 1:27175 <-> DISABLED <-> BROWSER-PLUGINS Chilkat Socket ActiveX clsid access (browser-plugins.rules)
 * 1:27176 <-> DISABLED <-> BROWSER-PLUGINS Chilkat Socket ActiveX clsid access (browser-plugins.rules)
 * 1:27165 <-> DISABLED <-> DELETED FILE-IDENTIFY Microsoft Windows help file magic (deleted.rules)
 * 1:27179 <-> DISABLED <-> BROWSER-PLUGINS Oracle document capture EMPOP3Lib ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27178 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wergimog variant outbound connection attempt (malware-cnc.rules)
 * 1:27177 <-> DISABLED <-> BROWSER-PLUGINS Chilkat Socket ActiveX clsid access (browser-plugins.rules)

Modified Rules:
 * 1:6687 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX function call access (browser-plugins.rules)
 * 1:6684 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX clsid access (browser-plugins.rules)
 * 1:6686 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX clsid access (browser-plugins.rules)
 * 1:6681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Transform Effects ActiveX clsid access (browser-plugins.rules)
 * 1:6682 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX function call access (browser-plugins.rules)
 * 1:14635 <-> DISABLED <-> BROWSER-PLUGINS Microsoft RSClientPrint ActiveX clsid access (browser-plugins.rules)
 * 1:17129 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free memory corruption attempt (browser-ie.rules)