Sourcefire VRT Rules Update

Date: 2012-12-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.0.

Each entry in the lists below has the format:

gid:sid <-> Default rule state <-> Message (rule group)

where the default rule state (ENABLED or DISABLED) is whether the rule is active in the shipped policy, Message is the rule's msg text, and the rule group is the .rules file that contains it.
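
The following parser for that entry format is an added example, not part of the original update note or a Sourcefire tool. It reads the "New Rules:" and "Modified Rules:" sections, splits each entry into gid, sid, default state, message class (the prefix such as FILE-FLASH), message and rule group, and then answers the questions a rule maintainer asks of every update: which new rules arrive disabled, which land in deleted.rules (already retired), and how the additions spread across rule classes. The sample text embedded below is a constructed excerpt of a few entries copied from the lists on this page.

```python
import re
from collections import Counter

# Constructed sample: a handful of entries copied from this update note,
# with the section headers, so the parser runs offline.
SAMPLE = """\
New Rules:

 * 1:24897 <-> ENABLED <-> SERVER-MYSQL Oracle MySQL grant file long database name stack overflow attempt (server-mysql.rules)
 * 1:24887 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dorkbot inbound positive response (deleted.rules)
 * 1:24859 <-> DISABLED <-> BLACKLIST DNS request for known malware domain sureshreddy1.dns05.com (blacklist.rules)
 * 1:24860 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page - specific-structure (exploit-kit.rules)

Modified Rules:

 * 1:16377 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt (browser-ie.rules)
 * 3:13954 <-> ENABLED <-> WEB-CLIENT Microsoft Color Management System EMF file processing overflow attempt (web-client.rules)
"""

# One entry: "gid:sid <-> STATE <-> message (group.rules)". The message is
# matched lazily so the trailing "(...rules)" is taken as the rule group.
ENTRY_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s+\((?P<group>[^()]+\.rules)\)\s*$"
)


def parse_line(line):
    """Return a dict for one rule entry, or None for any other line."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    return {
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "enabled": m.group("state") == "ENABLED",
        "class": msg.split(" ", 1)[0],   # e.g. FILE-FLASH, MALWARE-CNC
        "msg": msg,
        "group": m.group("group"),
    }


def parse_update(text):
    """Split an update note into its 'new' and 'modified' entry lists."""
    sections = {"new": [], "modified": []}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            current = "new"
        elif stripped == "Modified Rules:":
            current = "modified"
        elif current is not None:
            entry = parse_line(line)
            if entry is not None:
                sections[current].append(entry)
    return sections


def summarize(entries):
    """Counts and review flags for one section of the update."""
    return {
        "total": len(entries),
        "disabled": sum(1 for e in entries if not e["enabled"]),
        # A rule filed under deleted.rules is retired and will never fire.
        "retired": [f'{e["gid"]}:{e["sid"]}' for e in entries if e["group"] == "deleted.rules"],
        "by_class": dict(Counter(e["class"] for e in entries)),
    }


def disabled_sids(entries):
    """gid:sid list of rules that ship disabled, for policy review
    (the form a PulledPork enablesid.conf accepts)."""
    return sorted(f'{e["gid"]}:{e["sid"]}' for e in entries if not e["enabled"])


if __name__ == "__main__":
    update = parse_update(SAMPLE)
    for name, entries in update.items():
        print(name, summarize(entries))
        print(name, "disabled by default:", disabled_sids(entries))
```

Run against the full note rather than the excerpt, the disabled list is what you compare with your own policy before deciding which detections to turn on; the retired list catches entries such as 1:24887, which appears under "New Rules" but is already filed in deleted.rules.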

New Rules:


 * 1:24897 <-> ENABLED <-> SERVER-MYSQL Oracle MySQL grant file long database name stack overflow attempt (server-mysql.rules)
 * 1:24869 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt (browser-ie.rules)
 * 1:24893 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules)
 * 1:24892 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules)
 * 1:24889 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules)
 * 1:24891 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules)
 * 1:24888 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit landing page detected (exploit-kit.rules)
 * 1:24886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dorkbot outbound connection (malware-cnc.rules)
 * 1:24887 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dorkbot inbound positive response (deleted.rules)
 * 1:24884 <-> ENABLED <-> MALWARE-OTHER Compromised website response - leads to Exploit Kit (malware-other.rules)
 * 1:24883 <-> ENABLED <-> MALWARE-OTHER Compromised website response - leads to Exploit Kit (malware-other.rules)
 * 1:24881 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid JPEG index (file-flash.rules)
 * 1:24882 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid JPEG index (file-flash.rules)
 * 1:24879 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid JPEG index (file-flash.rules)
 * 1:24878 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG in flash file (file-flash.rules)
 * 1:24875 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt (file-flash.rules)
 * 1:24876 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt (file-flash.rules)
 * 1:24873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gnutler variant outbound connection (malware-cnc.rules)
 * 1:24874 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt (file-flash.rules)
 * 1:24858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Quarian outbound connection - proxy connection (malware-cnc.rules)
 * 1:24859 <-> DISABLED <-> BLACKLIST DNS request for known malware domain sureshreddy1.dns05.com (blacklist.rules)
 * 1:24860 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page - specific-structure (exploit-kit.rules)
 * 1:24861 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page in an email (exploit-kit.rules)
 * 1:24862 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page - specific-structure (exploit-kit.rules)
 * 1:24864 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page - specific-structure (exploit-kit.rules)
 * 1:24863 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page in an email (exploit-kit.rules)
 * 1:24898 <-> DISABLED <-> SERVER-OTHER ABB Multiple Product RobNetScanHost.exe buffer overflow attempt (server-other.rules)
 * 1:24896 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript bytecode symbolclass tag type confusion attempt (file-flash.rules)
 * 1:24868 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint bad text header txttype attempt (file-office.rules)
 * 1:24870 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt (browser-ie.rules)
 * 1:24871 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt (browser-ie.rules)
 * 1:24867 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS UNC mapped virtual host file source code access attempt (server-iis.rules)
 * 1:24872 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt (browser-ie.rules)
 * 1:24865 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page in an email (exploit-kit.rules)
 * 1:24877 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt (file-flash.rules)
 * 1:24880 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid JPEG index (file-flash.rules)
 * 1:24895 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript bytecode symbolclass tag type confusion attempt (file-flash.rules)
 * 1:24885 <-> ENABLED <-> MALWARE-CNC Potential Banking Trojan Config File Download (malware-cnc.rules)
 * 1:24890 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules)
 * 1:24866 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS UNC mapped virtual host file source code access attempt (server-iis.rules)
 * 1:24894 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules)

Modified Rules:


 * 1:24841 <-> ENABLED <-> EXPLOIT-KIT Sibhost Exploit Kit outbound JAR download attempt (exploit-kit.rules)
 * 1:20664 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS UNC mapped virtual host file source code access attempt (server-iis.rules)
 * 1:24814 <-> ENABLED <-> SNMP Samsung printer default community string (snmp.rules)
 * 1:21940 <-> DISABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
 * 1:23766 <-> DISABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
 * 1:20603 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RSH daemon buffer overflow attempt (os-windows.rules)
 * 1:20665 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS UNC mapped virtual host file source code access attempt (server-iis.rules)
 * 1:19441 <-> ENABLED <-> SERVER-WEBAPP Oracle Virtual Server Agent command injection attempt (server-webapp.rules)
 * 1:16377 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt (browser-ie.rules)
 * 1:17638 <-> ENABLED <-> SERVER-ORACLE Secure Backup administration server login.php cookies command injection attempt (server-oracle.rules)
 * 1:18238 <-> ENABLED <-> FILE-OFFICE Microsoft Office SharePoint document conversion remote code excution attempt (file-office.rules)
 * 1:16188 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint bad text header txttype attempt (file-office.rules)
 * 1:15261 <-> ENABLED <-> SERVER-ORACLE Secure Backup exec_qr command injection attempt (server-oracle.rules)
 * 1:15262 <-> ENABLED <-> SERVER-ORACLE Secure Backup POST exec_qr command injection attempt (server-oracle.rules)
 * 1:13819 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino Web Server Accept-Language header buffer overflow attempt (server-webapp.rules)
 * 3:13954 <-> ENABLED <-> WEB-CLIENT Microsoft Color Management System EMF file processing overflow attempt (web-client.rules)