Sourcefire VRT Rules Update

Date: 2013-03-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:26205 <-> ENABLED <-> MALWARE-CNC Android Fakenetflix email password upload (malware-cnc.rules)
 * 1:26204 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Malex variant outbound connection (malware-cnc.rules)
 * 1:26203 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupd variant outbound connection (malware-cnc.rules)
 * 1:26202 <-> DISABLED <-> MALWARE-CNC VBS.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:26201 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Lobparck variant outbound connection (malware-cnc.rules)
 * 1:26200 <-> ENABLED <-> FILE-OTHER Oracle Java 2D ImagingLib ConvolveOp integer overflow attempt (file-other.rules)
 * 1:26199 <-> ENABLED <-> FILE-OTHER Oracle Java 2D ImagingLib LookupOp integer overflow attempt (file-other.rules)
 * 1:26198 <-> ENABLED <-> FILE-OTHER Oracle Java 2D ImagingLib AffineTransformOp integer overflow attempt (file-other.rules)
 * 1:26197 <-> ENABLED <-> FILE-OTHER Oracle Java 2D ImagingLib ConvolveOp integer overflow attempt (file-other.rules)
 * 1:26196 <-> ENABLED <-> FILE-OTHER Oracle Java 2D ImagingLib LookupOp integer overflow attempt (file-other.rules)
 * 1:26195 <-> ENABLED <-> FILE-OTHER Oracle Java 2D ImagingLib AffineTransformOp integer overflow attempt (file-other.rules)
 * 1:26194 <-> ENABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:26193 <-> ENABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:26192 <-> ENABLED <-> MALWARE-CNC Android CruseWind imei leakage (malware-cnc.rules)
 * 1:26191 <-> DISABLED <-> SERVER-WEBAPP MobileCartly arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:26190 <-> ENABLED <-> MALWARE-CNC Android YZHC device registration (malware-cnc.rules)
 * 1:26189 <-> ENABLED <-> MALWARE-CNC Android YZHC device registration (malware-cnc.rules)
 * 1:26188 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt (browser-firefox.rules)
 * 1:26187 <-> DISABLED <-> BROWSER-PLUGINS McAfee Virtual Technician Security Bypass ActiveX clsid attempt (browser-plugins.rules)
 * 1:26186 <-> ENABLED <-> FILE-OTHER Oracle Java Gmbal package sandbox breach attempt (file-other.rules)
 * 1:26185 <-> ENABLED <-> FILE-OTHER Oracle Java Gmbal package sandbox breach attempt (file-other.rules)
 * 1:26184 <-> DISABLED <-> BROWSER-PLUGINS TRENDNet SecurView internet camera UltraMJCam ActiveX function call access attempt (browser-plugins.rules)
 * 1:26183 <-> DISABLED <-> BROWSER-PLUGINS TRENDNet SecurView internet camera UltraMJCam ActiveX clsid access attempt (browser-plugins.rules)
 * 1:26182 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt (browser-plugins.rules)
 * 1:26181 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules)
 * 1:26180 <-> DISABLED <-> SERVER-OTHER Novell ZENworks Configuration Management Preboot service code overflow attempt (server-other.rules)
 * 1:26179 <-> DISABLED <-> SERVER-WEBAPP TP-Link http/tftp backdoor initiation attempt (server-webapp.rules)
 * 1:26178 <-> DISABLED <-> MALWARE-CNC WIN.Trojan.Hiloti outbound connection (malware-cnc.rules)
 * 1:26177 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption attempt (file-office.rules)
 * 1:26176 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption attempt (file-office.rules)
 * 1:26175 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt (file-office.rules)
 * 1:26174 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel FRTWrapper record buffer overflow attempt (file-office.rules)
 * 1:26173 <-> DISABLED <-> FILE-FLASH Adobe Flashplayer sortOn heap overflow attempt (file-flash.rules)
 * 1:26172 <-> DISABLED <-> FILE-FLASH Adobe Flashplayer sortOn heap overflow attempt (file-flash.rules)

Modified Rules:
 * 1:12281 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules)
 * 1:12282 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules)
 * 1:12666 <-> DISABLED <-> SERVER-OTHER HP OpenView OVTrace buffer overflow attempt (server-other.rules)
 * 1:13539 <-> DISABLED <-> BROWSER-PLUGINS Symantec Backup Exec ActiveX clsid access (browser-plugins.rules)
 * 1:14641 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt (file-office.rules)
 * 1:15699 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt (browser-firefox.rules)
 * 1:15997 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox JIT escape function memory corruption attempt (browser-firefox.rules)
 * 1:16599 <-> ENABLED <-> BROWSER-PLUGINS AtHocGov IWSAlerts ActiveX control buffer overflow attempt (browser-plugins.rules)
 * 1:17298 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Monitoring Express Universal Agent Buffer Overflow (server-other.rules)
 * 1:18204 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (os-windows.rules)
 * 1:18206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (os-windows.rules)
 * 1:19335 <-> DISABLED <-> PROTOCOL-VOIP Content-Type header invalid format missing slash (protocol-voip.rules)
 * 1:19336 <-> DISABLED <-> PROTOCOL-VOIP Content-Type header invalid format missing slash (protocol-voip.rules)
 * 1:19943 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:20080 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Derusbi.A outbound connection (malware-cnc.rules)
 * 1:20432 <-> DISABLED <-> MALWARE-CNC WIN.Trojan.Hiloti outbound connection (malware-cnc.rules)
 * 1:20763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyeye-206 outbound connection (malware-cnc.rules)
 * 1:20814 <-> DISABLED <-> BROWSER-FIREFOX Mozilla favicon href javascript execution attempt (browser-firefox.rules)
 * 1:23048 <-> DISABLED <-> BROWSER-PLUGINS McAfee Virtual Technician Security Bypass ActiveX clsid attempt (browser-plugins.rules)
 * 1:23049 <-> DISABLED <-> BROWSER-PLUGINS McAfee Virtual Technician Security Bypass ActiveX function call attempt (browser-plugins.rules)
 * 1:23050 <-> DISABLED <-> BROWSER-PLUGINS McAfee Virtual Technician Security Bypass ActiveX function call attempt (browser-plugins.rules)
 * 1:23621 <-> ENABLED <-> INDICATOR-OBFUSCATION known packer routine with secondary obfuscation (indicator-obfuscation.rules)
 * 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules)
 * 1:24432 <-> ENABLED <-> BROWSER-OTHER HTML5 canvas element heap spray attempt (browser-other.rules)
 * 1:24524 <-> DISABLED <-> SERVER-MAIL Novell GroupWise internet agent iCalendar parsing denial of service attempt (server-mail.rules)
 * 1:26164 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio TAG_xxxSheet code execution attempt (file-office.rules)
 * 1:26163 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio TAG_xxxSheet code execution attempt (file-office.rules)
 * 1:25036 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit form elements virtual function DoS attempt (browser-webkit.rules)
 * 1:25969 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 3:16415 <-> ENABLED <-> WEB-CLIENT Microsoft DirectShow memory corruption attempt (web-client.rules)