Sourcefire VRT Rules Update

Date: 2013-11-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort 2.9.5.5 (rule snapshot 2955).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
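The listing below is long enough that triaging it by hand is error-prone, so here is an added example, not part of the Sourcefire announcement, of a small parser for exactly this line format. It splits the file into its "New Rules:" and "Modified Rules:" sections, pulls out gid, sid, default state, message and rule group, and then answers the three questions an analyst usually has after an update: which new rules ship DISABLED in the categories that matter to this network, which entries have been retired into deleted.rules, and what `gid:sid` list to hand to the rule-management tool (the plain `gid:sid` form is the one PulledPork's enablesid.conf accepts). The sample text is a subset of entries copied from this update; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: a handful of entries copied from this update, in the
# announced " * gid:sid <-> STATE <-> message (group.rules)" format.
SAMPLE = """\
New Rules:

 * 1:28471 <-> ENABLED <-> FILE-OFFICE Microsoft Office TIFF integer overflow attempt (file-office.rules)
 * 1:28462 <-> DISABLED <-> FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt (file-pdf.rules)
 * 1:28461 <-> DISABLED <-> FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt (file-pdf.rules)
 * 1:28454 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader compressed media.newPlayer memory corruption attempt (file-pdf.rules)
 * 1:28434 <-> DISABLED <-> DELETED SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (deleted.rules)
 * 1:28416 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pony outbound connection attempt (malware-cnc.rules)

Modified Rules:

 * 1:24507 <-> DISABLED <-> FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt (file-pdf.rules)
 * 1:26418 <-> DISABLED <-> SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (server-webapp.rules)
 * 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)
"""

SECTION_HEADERS = ("New Rules:", "Modified Rules:")

# One changelog entry. The message is matched lazily so the trailing
# "(group.rules)" token is always taken as the rule group, even when the
# message itself contains dots or slashes.
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Return {'New Rules': [records], 'Modified Rules': [records]}.

    Each record is a dict with gid, sid (ints), state, msg, group and a
    'deleted' flag set when the entry now lives in deleted.rules.
    gid 1 entries are text rules; gid 3 entries are shared-object (SO)
    rules that ship precompiled, so they cannot be inspected as text.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTION_HEADERS:
            current = stripped[:-1]
            sections[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            rec = m.groupdict()
            rec["gid"] = int(rec["gid"])
            rec["sid"] = int(rec["sid"])
            rec["deleted"] = rec["group"] == "deleted.rules"
            sections[current].append(rec)
    return sections


def review_candidates(records, groups):
    """Rules that ship DISABLED in the given groups, skipping retired ones.

    These are the entries worth a human look: the vendor chose not to turn
    them on by default (typically for performance or false-positive
    reasons), but a site that handles the affected file types may want them.
    """
    return [r for r in records
            if r["state"] == "DISABLED" and not r["deleted"] and r["group"] in groups]


def enablesid_lines(records):
    """Render records as sorted 'gid:sid' lines (enablesid.conf style)."""
    return sorted(f"{r['gid']}:{r['sid']}" for r in records)


def summarize(records):
    """Count entries per (group, state) so a large update can be skimmed."""
    return Counter((r["group"], r["state"]) for r in records)


if __name__ == "__main__":
    sections = parse_changelog(SAMPLE)
    for name, recs in sections.items():
        print(f"{name}: {len(recs)} entries")
        for (group, state), n in sorted(summarize(recs).items()):
            print(f"  {group:<22} {state:<8} {n}")
    new = sections["New Rules"]
    print("retired:", enablesid_lines([r for r in new if r["deleted"]]))
    print("review :", enablesid_lines(review_candidates(new, {"file-pdf.rules"})))
```

Running it against the full announcement instead of `SAMPLE` is a matter of reading the file into `parse_changelog`; the `review_candidates` group set is the knob to tune per site, and anything flagged `deleted` should be removed from local enablesid/disablesid lists rather than enabled.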

New Rules:

 * 1:28471 <-> ENABLED <-> FILE-OFFICE Microsoft Office TIFF integer overflow attempt (file-office.rules)
 * 1:28470 <-> ENABLED <-> FILE-OFFICE Microsoft Office TIFF integer overflow attempt (file-office.rules)
 * 1:28469 <-> ENABLED <-> FILE-OFFICE Microsoft Office TIFF integer overflow attempt (file-office.rules)
 * 1:28468 <-> ENABLED <-> FILE-OFFICE Microsoft Office TIFF integer overflow attempt (file-office.rules)
 * 1:28467 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded TIFF integer overflow attempt (file-office.rules)
 * 1:28466 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded TIFF integer overflow attempt (file-office.rules)
 * 1:28465 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded TIFF integer overflow attempt (file-office.rules)
 * 1:28464 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded TIFF integer overflow attempt (file-office.rules)
 * 1:28463 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.AllAple Variant ICMP flood attempt (malware-cnc.rules)
 * 1:28462 <-> DISABLED <-> FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt (file-pdf.rules)
 * 1:28461 <-> DISABLED <-> FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt (file-pdf.rules)
 * 1:28460 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28459 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28458 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
 * 1:28457 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28456 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28455 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28454 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader compressed media.newPlayer memory corruption attempt (file-pdf.rules)
 * 1:28453 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:28452 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:28451 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:28450 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit exploit payload retrieve attempt (exploit-kit.rules)
 * 1:28449 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit outbound connection attempt (exploit-kit.rules)
 * 1:28448 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center BIMS bimsDownload directory traversal attempt (server-webapp.rules)
 * 1:28447 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)
 * 1:28446 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant SQL check-in (malware-cnc.rules)
 * 1:28445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mssql.maurosouza9899.kinghost.net - Win.Symmi Trojan (blacklist.rules)
 * 1:28444 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.CBgate outbound communication attempt (malware-cnc.rules)
 * 1:28443 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt (file-multimedia.rules)
 * 1:28442 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt (file-multimedia.rules)
 * 1:28441 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt (file-multimedia.rules)
 * 1:28440 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio DXF file invalid memory allocation exploit attempt (file-office.rules)
 * 1:28439 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Bspire variant connection attempt (malware-cnc.rules)
 * 1:28438 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access (browser-plugins.rules)
 * 1:28437 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access (browser-plugins.rules)
 * 1:28436 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
 * 1:28435 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
 * 1:28434 <-> DISABLED <-> DELETED SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (deleted.rules)
 * 1:28433 <-> DISABLED <-> DELETED SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (deleted.rules)
 * 1:28432 <-> DISABLED <-> DELETED SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (deleted.rules)
 * 1:28431 <-> DISABLED <-> DELETED SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (deleted.rules)
 * 1:28430 <-> ENABLED <-> EXPLOIT-KIT Glazunov exploit kit zip file download (exploit-kit.rules)
 * 1:28429 <-> ENABLED <-> EXPLOIT-KIT Glazunov exploit kit outbound jnlp download attempt (exploit-kit.rules)
 * 1:28428 <-> ENABLED <-> EXPLOIT-KIT Glazunov exploit kit landing page (exploit-kit.rules)
 * 1:28427 <-> DISABLED <-> FILE-PDF Adobe Acrobat universal 3D format memory corruption attempt (file-pdf.rules)
 * 1:28426 <-> ENABLED <-> FILE-PDF Adobe Acrobat universal 3D format memory corruption attempt (file-pdf.rules)
 * 1:28425 <-> ENABLED <-> OS-WINDOWS SMB Microsoft Windows Remote Administration Protocol usage attempt (os-windows.rules)
 * 1:28424 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request (exploit-kit.rules)
 * 1:28423 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit single digit exe detection (exploit-kit.rules)
 * 1:28422 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
 * 1:28421 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
 * 1:28420 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
 * 1:28419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesch outbound communication attempt (malware-cnc.rules)
 * 1:28418 <-> ENABLED <-> MALWARE-TOOLS Win.Downloader.Dtcontx outbound connection attempt (malware-tools.rules)
 * 1:28417 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Molgomsg outbound communication attempt (malware-tools.rules)
 * 1:28416 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pony outbound connection attempt (malware-cnc.rules)
 * 1:28415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:6695 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected tRNS overflow attempt (file-image.rules)
 * 1:6692 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sRGB overflow attempt (file-image.rules)
 * 1:6689 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected cHRM overflow attempt (file-image.rules)
 * 1:11687 <-> DISABLED <-> SERVER-APACHE Apache SSI error page cross-site scripting (server-apache.rules)
 * 1:13665 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio DXF file invalid memory allocation exploit attempt (file-office.rules)
 * 1:6414 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger Accept-Language header buffer overflow attempt (server-webapp.rules)
 * 1:13919 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt (file-multimedia.rules)
 * 1:16283 <-> DISABLED <-> SERVER-WEBAPP Borland StarTeam Multicast Service buffer overflow attempt (server-webapp.rules)
 * 1:16334 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader compressed media.newPlayer memory corruption attempt (file-pdf.rules)
 * 1:17153 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1 (browser-firefox.rules)
 * 1:28414 <-> ENABLED <-> EXPLOIT-KIT Nuclear/Magnitude exploit kit Oracle Java exploit download attempt (exploit-kit.rules)
 * 1:17154 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 (browser-firefox.rules)
 * 1:17276 <-> DISABLED <-> FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt (file-other.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:17609 <-> DISABLED <-> SERVER-WEBAPP Oracle Java Web Server WebDAV Stack Buffer Overflow attempt (server-webapp.rules)
 * 1:28413 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit embedded redirection attempt (exploit-kit.rules)
 * 1:18454 <-> ENABLED <-> FILE-PDF Adobe Acrobat universal 3D format memory corruption attempt (file-pdf.rules)
 * 1:18611 <-> DISABLED <-> SERVER-WEBAPP Oracle Java Web Server WebDAV Stack Buffer Overflow attempt (server-webapp.rules)
 * 1:18638 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel drawing layer use after free attempt (file-office.rules)
 * 1:19471 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:28412 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit embedded redirection attempt (exploit-kit.rules)
 * 1:21663 <-> DISABLED <-> SERVER-OTHER CA BrightStor Agent for Microsoft SQL overflow attempt (server-other.rules)
 * 1:22063 <-> DISABLED <-> SERVER-WEBAPP PHP-CGI remote file include attempt (server-webapp.rules)
 * 1:23361 <-> DISABLED <-> SERVER-IIS tilde character file name discovery attempt (server-iis.rules)
 * 1:23362 <-> DISABLED <-> SERVER-IIS tilde character file name discovery attempt (server-iis.rules)
 * 1:28411 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.CoinMiner attempted connection (malware-cnc.rules)
 * 1:23993 <-> DISABLED <-> SERVER-OTHER Dhcpcd packet size buffer overflow attempt (server-other.rules)
 * 1:24240 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel drawing layer use after free attempt (file-office.rules)
 * 1:24241 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel drawing layer use after free attempt (file-office.rules)
 * 1:28410 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.CoinMiner attempted connection (malware-cnc.rules)
 * 1:24242 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel drawing layer use after free attempt (file-office.rules)
 * 1:24336 <-> ENABLED <-> OS-WINDOWS SMB Microsoft Windows RAP API NetServerEnum2 long comment buffer overflow attempt (os-windows.rules)
 * 1:24507 <-> DISABLED <-> FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt (file-pdf.rules)
 * 1:24508 <-> DISABLED <-> FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt (file-pdf.rules)
 * 1:24890 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules)
 * 1:28304 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:2570 <-> DISABLED <-> SERVER-WEBAPP Invalid HTTP Version String (server-webapp.rules)
 * 1:25804 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit malicious jar download attempt (exploit-kit.rules)
 * 1:25805 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit Java exploit retrieval (exploit-kit.rules)
 * 1:28298 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:25806 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit landing page (exploit-kit.rules)
 * 1:26095 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
 * 1:26096 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
 * 1:26097 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit Java archive transfer (exploit-kit.rules)
 * 1:26098 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit Java archive transfer (exploit-kit.rules)
 * 1:28275 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:26099 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection page (exploit-kit.rules)
 * 1:26100 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection page (exploit-kit.rules)
 * 1:26350 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit successful redirection (exploit-kit.rules)
 * 1:28274 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:26418 <-> DISABLED <-> SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (server-webapp.rules)
 * 1:28273 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28236 <-> ENABLED <-> EXPLOIT-KIT Magnitude/Nuclear exploit kit landing page (exploit-kit.rules)
 * 1:28214 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28111 <-> ENABLED <-> EXPLOIT-KIT Nuclear/Magnitude exploit kit post Java compromise download attempt (exploit-kit.rules)
 * 1:28109 <-> ENABLED <-> EXPLOIT-KIT Nuclear/Magnitude exploit kit Oracle Java exploit download attempt (exploit-kit.rules)
 * 1:28108 <-> ENABLED <-> EXPLOIT-KIT Nuclear/Magnitude exploit kit Adobe Flash exploit download attempt (exploit-kit.rules)
 * 1:28038 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit successful redirection (exploit-kit.rules)
 * 1:28032 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28031 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit Oracle Java exploit download attempt (exploit-kit.rules)
 * 1:27785 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28029 <-> ENABLED <-> EXPLOIT-KIT Magnitude/Popads/Nuclear exploit kit jnlp request (exploit-kit.rules)
 * 1:27784 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit Oracle Java exploit download attempt (exploit-kit.rules)
 * 1:27755 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules)
 * 1:27775 <-> DISABLED <-> MALWARE-CNC Unknown Trojan Botnet Traffic - 164-byte Encrypted payload in GET Request (malware-cnc.rules)
 * 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)