Sourcefire VRT Rules Update

Date: 2013-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.5.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
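The `gid:sid <-> state <-> message (file)` layout is regular enough to parse mechanically, which is useful when a rule pack adds rules that ship DISABLED by default (they do not alert until the local policy enables them) and you want to review those before deploying. The following is an added example, not part of the VRT update notice: a small parser for this changelog format, with a few entries copied from the list on this page as constructed sample input. The field names, the regular expression and the helper functions are my own choices, not anything the VRT or Snort ships.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: entries copied from this update's "New Rules" and
# "Modified Rules" lists, in the exact layout the notice uses.
SAMPLE = """\
New Rules:

 * 1:27575 <-> DISABLED <-> SERVER-APACHE Apache Struts arbitrary OGNL remote code execution attempt (server-apache.rules)
 * 1:27574 <-> ENABLED <-> SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt (server-apache.rules)
 * 1:27567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix malicious download request (malware-cnc.rules)

Modified Rules:

 * 1:2707 <-> DISABLED <-> FILE-IMAGE JPEG parser multipacket heap overflow attempt (file-image.rules)
"""

# One changelog line: " * gid:sid <-> ENABLED|DISABLED <-> message (file.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(\d+):(\d+)\s*<->\s*(ENABLED|DISABLED)\s*<->\s*(.*?)\s*\((\S+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    section: str      # "New Rules" or "Modified Rules" (assumed header names)
    gid: int
    sid: int
    enabled: bool     # default rule state in the pack
    category: str     # leading message token, e.g. SERVER-APACHE
    message: str      # remainder of the rule message
    rules_file: str   # rule group file, e.g. server-apache.rules


def parse_update(text):
    """Parse a VRT-style update notice into RuleEntry records."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        # Section headers in the notice are bare lines ending in ":".
        if line.endswith(":") and not line.startswith("*"):
            section = line[:-1]
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank lines and prose are skipped
        gid, sid, state, msg, rfile = m.groups()
        category, _, rest = msg.partition(" ")
        entries.append(RuleEntry(section, int(gid), int(sid),
                                 state == "ENABLED", category, rest, rfile))
    return entries


def disabled_sids(entries, section="New Rules"):
    """gid:sid strings for rules in `section` that ship disabled by default,
    i.e. the ones a local policy must enable explicitly to get alerts."""
    return [f"{e.gid}:{e.sid}" for e in entries
            if e.section == section and not e.enabled]


def count_by_file(entries):
    """How many entries touch each rules file."""
    return Counter(e.rules_file for e in entries)


if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    print("disabled new rules:", disabled_sids(parsed))
    print("per file:", dict(count_by_file(parsed)))
```

Run against the full notice, `disabled_sids` gives the list of new detections (for example the Struts OGNL rules other than 1:27574) that will stay silent until enabled in the sensor's policy, and `count_by_file` shows which rule groups a pack update concentrates on.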

New Rules:


 * 1:27575 <-> DISABLED <-> SERVER-APACHE Apache Struts arbitrary OGNL remote code execution attempt (server-apache.rules)
 * 1:27574 <-> ENABLED <-> SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt (server-apache.rules)
 * 1:27573 <-> DISABLED <-> SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt (server-apache.rules)
 * 1:27572 <-> DISABLED <-> SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt (server-apache.rules)
 * 1:27571 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 235 buffer overflow attempt (server-other.rules)
 * 1:27570 <-> DISABLED <-> BROWSER-PLUGINS CEnroll.CEnroll.2 ActiveX function stringtoBinary access attempt (browser-plugins.rules)
 * 1:27569 <-> DISABLED <-> FILE-IMAGE JPEG parser multipacket heap overflow attempt (file-image.rules)
 * 1:27568 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt (browser-firefox.rules)
 * 1:27567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix malicious download request (malware-cnc.rules)
 * 1:27566 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:27565 <-> ENABLED <-> MALWARE-OTHER HideMeBetter spam injection variant (malware-other.rules)
 * 1:27564 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ftp.sigmasolutions.gr - Win.Trojan.Fareit (blacklist.rules)
 * 1:27563 <-> ENABLED <-> BLACKLIST DNS request for known malware domain keurslager-demeulder.be - Win.Trojan.Fareit (blacklist.rules)
 * 1:27562 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fixingsocialsecurity.org - Win.Trojan.Fareit (blacklist.rules)
 * 1:27561 <-> ENABLED <-> BLACKLIST DNS request for known malware domain myimpactblog.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:27560 <-> ENABLED <-> BLACKLIST DNS request for known malware domain phonebillssuck.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:27559 <-> ENABLED <-> BLACKLIST DNS request for known malware domain prospexleads.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:27558 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bezigate variant outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:17458 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:20644 <-> DISABLED <-> SERVER-WEBAPP Lizard Cart CMS SQL injection in detail.php id attempt (server-webapp.rules)
 * 1:20645 <-> DISABLED <-> SERVER-WEBAPP Lizard Cart CMS SQL injection in pages.php id attempt (server-webapp.rules)
 * 1:26926 <-> DISABLED <-> FILE-OTHER Multiple products ZIP archive virus detection bypass attempt (file-other.rules)
 * 1:26989 <-> DISABLED <-> FILE-OTHER Multiple products ZIP archive virus detection bypass attempt (file-other.rules)
 * 1:2707 <-> DISABLED <-> FILE-IMAGE JPEG parser multipacket heap overflow attempt (file-image.rules)
 * 1:27257 <-> DISABLED <-> MALWARE-CNC Win.Kryptic 7-byte URI Invalid Firefox Headers - no Accept-Language (malware-cnc.rules)
 * 1:8423 <-> DISABLED <-> BROWSER-PLUGINS CEnroll.CEnroll.2 ActiveX function call access (browser-plugins.rules)
 * 1:9817 <-> DISABLED <-> BROWSER-PLUGINS CEnroll.CEnroll.2 ActiveX clsid access (browser-plugins.rules)