Sourcefire VRT Rules Update

Date: 2013-09-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.5.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:27855 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document invalid cell count memory corruption attempt (file-office.rules)
 * 1:27854 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document invalid cell count memory corruption attempt (file-office.rules)
 * 1:27853 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word invalid number of cells memory corruption attempt (file-office.rules)
 * 1:27852 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word invalid number of cells memory corruption attempt (file-office.rules)
 * 1:27851 <-> ENABLED <-> FILE-OFFICE Microsoft Office SDTI signed integer underflow attempt (file-office.rules)
 * 1:27850 <-> ENABLED <-> FILE-OFFICE Microsoft Office SDTI signed integer underflow attempt (file-office.rules)
 * 1:27849 <-> DISABLED <-> DELETED OS-WINDOWS something something dark side (deleted.rules)
 * 1:27848 <-> DISABLED <-> DELETED OS-WINDOWS uyghggdsf (deleted.rules)
 * 1:27847 <-> DISABLED <-> DELETED OS-WINDOWS sd (deleted.rules)
 * 1:27846 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe execCommand use after free attempt (browser-ie.rules)
 * 1:27845 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe execCommand use after free attempt (browser-ie.rules)
 * 1:27844 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use-after-free attempt (browser-ie.rules)
 * 1:27843 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use-after-free attempt (browser-ie.rules)
 * 1:27842 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSegment object use after free attempt (browser-ie.rules)
 * 1:27841 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 MutationEvent user after free attempt (browser-ie.rules)
 * 1:27840 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer range markup switch use after free attempt (browser-ie.rules)
 * 1:27839 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer range markup switch use after free attempt (browser-ie.rules)
 * 1:27838 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDisplayPointer use after free attempt (browser-ie.rules)
 * 1:27837 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDisplayPointer use after free attempt (browser-ie.rules)
 * 1:27836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer AddOption use after free attempt (browser-ie.rules)
 * 1:27863 <-> ENABLED <-> SERVER-WEBAPP Ektron CMS XSLT transform remote code execution attempt (server-webapp.rules)
 * 1:27862 <-> ENABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt (server-webapp.rules)
 * 1:27861 <-> DISABLED <-> SERVER-ORACLE Oracle Enterprise Manager Database Control directory traversal attempt (server-oracle.rules)
 * 1:27860 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Active Directory LDAP denial of service attempt (os-windows.rules)
 * 1:27859 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed OCXINFO element EoP attempt (file-office.rules)
 * 1:27858 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed OCXINFO element EoP attempt (file-office.rules)
 * 1:27857 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document invalid cell count memory corruption attempt (file-office.rules)
 * 1:27856 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document invalid cell count memory corruption attempt (file-office.rules)
 * 1:27835 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer AddOption use after free attempt (browser-ie.rules)
 * 1:27834 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript apply method type confusion attempt (browser-ie.rules)
 * 1:27833 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript call method type confusion attempt (browser-ie.rules)
 * 1:27832 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript apply method type confusion attempt (browser-ie.rules)
 * 1:27831 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript call method type confusion attempt (browser-ie.rules)
 * 1:27830 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer hgroup element DOM reset use after free attempt (browser-ie.rules)
 * 1:27829 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer hgroup element DOM reset use after free attempt (browser-ie.rules)
 * 1:27828 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint self cross site scripting attempt (server-webapp.rules)
 * 1:27827 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint self cross site scripting attempt (server-webapp.rules)
 * 1:27826 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint self cross site scripting attempt (server-webapp.rules)
 * 1:27825 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel invalid external defined names read AV attempt (file-office.rules)
 * 1:27824 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel invalid external defined names read AV attempt (file-office.rules)
 * 1:27823 <-> ENABLED <-> SERVER-WEBAPP Microsoft Office SharePoint malicious serialized viewstate evaluation attempt (server-webapp.rules)
 * 1:27822 <-> ENABLED <-> FILE-OTHER Microsoft Windows XP .theme file remote code execution attempt (file-other.rules)
 * 1:27821 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel PtgMemFunc zero-value cce-field read access violation attempt (file-office.rules)
 * 1:27820 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel PtgMemFunc zero-value cce-field read access violation attempt (file-office.rules)
 * 1:27819 <-> ENABLED <-> SERVER-OTHER Microsoft SharePoint denial of service attempt (server-other.rules)
 * 1:27818 <-> ENABLED <-> SERVER-OTHER Microsoft SharePoint denial of service attempt (server-other.rules)
 * 1:27817 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenavt connection attempt (malware-cnc.rules)
 * 1:27816 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit jar file download attempt (exploit-kit.rules)
 * 1:27815 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit malicious redirection attempt (exploit-kit.rules)
 * 1:27814 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
 * 1:27813 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page with payload (exploit-kit.rules)
 * 1:27812 <-> DISABLED <-> BLACKLIST DNS request for known malware domain rr.nu (blacklist.rules)
 * 1:27811 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mindweq variant connection attempt (malware-cnc.rules)
 * 1:27810 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit redirection (exploit-kit.rules)
 * 1:27809 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit landing page attempt (deleted.rules)
 * 1:27808 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit java exploit retrieval attempt (exploit-kit.rules)
 * 1:27807 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit flash exploit retrieval attempt (exploit-kit.rules)
 * 1:27806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retruse variant connection attempt (malware-cnc.rules)
 * 1:27805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bisonha variant outbound connection (malware-cnc.rules)
 * 1:27804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PRISM outbound connection attempt (malware-cnc.rules)
 * 1:27803 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PRISM outbound connection attempt (malware-cnc.rules)
 * 1:27802 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PRISM outbound connection attempt (malware-cnc.rules)
 * 1:27801 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sectempus.biz - Win.Trojan.PRISM (blacklist.rules)

Modified Rules:


 * 1:27708 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Urausy outbound connection attempt (malware-cnc.rules)
 * 1:27785 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:27042 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection jovf (exploit-kit.rules)
 * 1:27706 <-> DISABLED <-> EXPLOIT-KIT Gong Da exploit kit possible jar download (exploit-kit.rules)
 * 1:27041 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp (exploit-kit.rules)
 * 1:26626 <-> ENABLED <-> FILE-OFFICE Microsoft Office XML parameter entity reference local file disclosure attempt (file-office.rules)
 * 1:27040 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection jorg (exploit-kit.rules)
 * 1:25907 <-> ENABLED <-> SERVER-WEBAPP PHPmyadmin brute force login attempt - User-Agent User-Agent (server-webapp.rules)
 * 1:26530 <-> ENABLED <-> INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirected URI attempt (indicator-compromise.rules)
 * 1:25476 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent (blacklist.rules)
 * 1:24766 <-> ENABLED <-> SERVER-WEBAPP Novell File Reporter SRS request arbitrary file download attempt (server-webapp.rules)
 * 1:24767 <-> ENABLED <-> SERVER-WEBAPP Novell File Reporter FSFUI request directory traversal attempt (server-webapp.rules)
 * 1:24765 <-> ENABLED <-> SERVER-WEBAPP Novell File Reporter SRS request heap overflow attempt (server-webapp.rules)
 * 1:24537 <-> ENABLED <-> SERVER-OTHER HP Intelligent Management Center uam.exe stack buffer overflow attempt (server-other.rules)
 * 1:24538 <-> ENABLED <-> SERVER-OTHER HP Intelligent Management Center uam.exe stack buffer overflow attempt (server-other.rules)
 * 1:24520 <-> ENABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt (server-webapp.rules)
 * 1:24536 <-> ENABLED <-> SERVER-OTHER HP Intelligent Management Center uam.exe stack buffer overflow attempt (server-other.rules)
 * 1:23940 <-> DISABLED <-> SERVER-ORACLE Oracle Business Transaction Management FlashTunnelService directory traversal attempt (server-oracle.rules)
 * 1:24446 <-> ENABLED <-> SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt (server-other.rules)
 * 1:23939 <-> DISABLED <-> SERVER-ORACLE Oracle Business Transaction Management FlashTunnelService directory traversal attempt (server-oracle.rules)
 * 1:21849 <-> DISABLED <-> MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS (malware-other.rules)
 * 1:22948 <-> DISABLED <-> PROTOCOL-VOIP Avaya WinPDM header buffer overflow attempt (protocol-voip.rules)
 * 1:21846 <-> DISABLED <-> MALWARE-CNC TDS Sutra - request in.cgi (malware-cnc.rules)
 * 1:21848 <-> DISABLED <-> MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS (malware-other.rules)
 * 1:17373 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime panorama atoms buffer overflow attempt (file-multimedia.rules)
 * 1:19006 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules)
 * 1:13293 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime panorama atoms buffer overflow attempt (file-multimedia.rules)