Sourcefire VRT Rules Update

Date: 2013-09-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.5.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:27800 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX function call access (browser-plugins.rules)
 * 1:27799 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (browser-plugins.rules)
 * 1:27798 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27797 <-> DISABLED <-> SERVER-WEBAPP CA Total Defense Suite UNCWS UnassignFunctionalRoles stored procedure SQL injection attempt (server-webapp.rules)
 * 1:27796 <-> DISABLED <-> SERVER-WEBAPP CA Total Defense Suite UNCWS UnassignFunctionalRoles stored procedure POST SQL injection attempt (server-webapp.rules)
 * 1:27795 <-> DISABLED <-> BROWSER-PLUGINS Black Ice Barcode SDK ActiveX function call access (browser-plugins.rules)
 * 1:27794 <-> DISABLED <-> BROWSER-PLUGINS Black Ice Barcode SDK ActiveX clsid access (browser-plugins.rules)
 * 1:27793 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
 * 1:27792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
 * 1:27791 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access (browser-plugins.rules)
 * 1:27790 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access (browser-plugins.rules)
 * 1:27789 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access (browser-plugins.rules)
 * 1:27788 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
 * 1:27787 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (file-java.rules)
 * 1:27786 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (file-java.rules)
 * 1:27785 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:27784 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit Oracle Java exploit download attempt (exploit-kit.rules)
 * 1:27783 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit plugin detection page (exploit-kit.rules)
 * 1:27782 <-> DISABLED <-> BROWSER-PLUGINS Cisco WebEx Meeting Manager atucfobj ActiveX function call access (browser-plugins.rules)
 * 1:27781 <-> DISABLED <-> BROWSER-PLUGINS Cisco WebEx Meeting Manager atucfobj ActiveX clsid access (browser-plugins.rules)
 * 1:27780 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit jar file retrieved on non-standard port (exploit-kit.rules)
 * 1:27779 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit jar file retrieved on non-standard port (exploit-kit.rules)
 * 1:27778 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit jar file retrieved on non-standard port (exploit-kit.rules)
 * 1:27777 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure (exploit-kit.rules)
 * 1:27776 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit portable executable download on non-standard port (exploit-kit.rules)
 * 1:27775 <-> DISABLED <-> MALWARE-CNC Unknown Trojan Botnet Traffic - 164-byte Encrypted payload in GET Request (malware-cnc.rules)
 * 1:27774 <-> ENABLED <-> MALWARE-CNC RDN Banker Data Exfiltration (malware-cnc.rules)
 * 1:27773 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 265 buffer overflow attempt (server-other.rules)
 * 1:27772 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 243 buffer overflow attempt (server-other.rules)
 * 1:27771 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 236 buffer overflow attempt (server-other.rules)
 * 1:27770 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 210 buffer overflow attempt (server-other.rules)
 * 1:27769 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 207 buffer overflow attempt (server-other.rules)
 * 1:27768 <-> DISABLED <-> BROWSER-PLUGINS Icona SpA C6 Messenger Downloader ActiveX clsid access (browser-plugins.rules)
 * 1:27767 <-> DISABLED <-> BROWSER-PLUGINS Icona SpA C6 Messenger Downloader ActiveX clsid access (browser-plugins.rules)
 * 1:27766 <-> ENABLED <-> BROWSER-PLUGINS Oracle Java Security Slider feature bypass attempt (browser-plugins.rules)

Modified Rules:

 * 1:11192 <-> DISABLED <-> FILE-EXECUTABLE download of executable content (file-executable.rules)
 * 1:13523 <-> DISABLED <-> BROWSER-PLUGINS Novell iPrint ActiveX clsid access (browser-plugins.rules)
 * 1:13525 <-> DISABLED <-> BROWSER-PLUGINS Novell iPrint ActiveX function call access (browser-plugins.rules)
 * 1:13819 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino Web Server Accept-Language header buffer overflow attempt (server-webapp.rules)
 * 1:13902 <-> DISABLED <-> SERVER-OTHER IBM Lotus Sametime multiplexer stack buffer overflow attempt (server-other.rules)
 * 1:13903 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access (browser-plugins.rules)
 * 1:13905 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
 * 1:13907 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access (browser-plugins.rules)
 * 1:13927 <-> DISABLED <-> PROTOCOL-TFTP Open TFTP Server log generation buffer overflow attempt (protocol-tftp.rules)
 * 1:14013 <-> DISABLED <-> BROWSER-PLUGINS Cisco WebEx Meeting Manager atucfobj ActiveX clsid access (browser-plugins.rules)
 * 1:14015 <-> DISABLED <-> BROWSER-PLUGINS Cisco WebEx Meeting Manager atucfobj ActiveX function call access (browser-plugins.rules)
 * 1:14037 <-> DISABLED <-> BROWSER-PLUGINS Novell iPrint ActiveX clsid access (browser-plugins.rules)
 * 1:14038 <-> DISABLED <-> BROWSER-PLUGINS Novell iPrint ActiveX function call access (browser-plugins.rules)
 * 1:14255 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX clsid access (browser-plugins.rules)
 * 1:14257 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX function call access (browser-plugins.rules)
 * 1:14265 <-> DISABLED <-> PROTOCOL-SCADA CitectSCADA ODBC buffer overflow attempt (protocol-scada.rules)
 * 1:19998 <-> DISABLED <-> POLICY-OTHER IP address discosure to advertisement sites attempt (policy-other.rules)
 * 1:20285 <-> DISABLED <-> BROWSER-PLUGINS Black Ice Barcode SDK ActiveX clsid access (browser-plugins.rules)
 * 1:20286 <-> DISABLED <-> BROWSER-PLUGINS Black Ice Barcode SDK ActiveX function call access (browser-plugins.rules)
 * 1:21522 <-> DISABLED <-> SERVER-APACHE Apache Struts parameters interceptor remote code execution attempt (server-apache.rules)
 * 1:24196 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24197 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (browser-plugins.rules)
 * 1:24524 <-> DISABLED <-> SERVER-MAIL Novell GroupWise internet agent iCalendar parsing denial of service attempt (server-mail.rules)
 * 1:26997 <-> ENABLED <-> MALWARE-CNC OSX.Trojan.Morcut outbound connection attempt (malware-cnc.rules)
 * 1:26998 <-> ENABLED <-> MALWARE-CNC OSX.Trojan.Morcut file download attempt (malware-cnc.rules)
 * 1:27618 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6 usp10.dll Bengali font stack overrun attempt (browser-ie.rules)
 * 1:7981 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access (browser-plugins.rules)
 * 1:27667 <-> ENABLED <-> SERVER-WEBAPP Joomla media.php file.upload direct administrator access attempt (server-webapp.rules)
 * 1:27623 <-> ENABLED <-> SERVER-OTHER Joomla media.php arbitrary file upload attempt (server-other.rules)
 * 1:27619 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6 usp10.dll Bengali font stack overrun attempt (browser-ie.rules)