Sourcefire VRT Rules Update

Date: 2013-08-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.6.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:27620 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer merged stylesheet array use after free attempt (browser-ie.rules)
 * 1:27616 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MoveToMarkupPointer call with CControlTracker OnExitTree use-after-free attempt (browser-ie.rules)
 * 1:27611 <-> DISABLED <-> PROTOCOL-ICMP Truncated ICMPv6 denial of service attempt (protocol-icmp.rules)
 * 1:27607 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer content generation use after free attempt (browser-ie.rules)
 * 1:27600 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Nawpers variant connection attempt (malware-cnc.rules)
 * 1:27612 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkupPointer with SVG use-after-free attempt (browser-ie.rules)
 * 1:27613 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use-after-free attempt (browser-ie.rules)
 * 1:27609 <-> ENABLED <-> POLICY-OTHER Microsoft ADFS endpoint information disclosure attempt (policy-other.rules)
 * 1:27608 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode object CSS text overflow attempt (browser-ie.rules)
 * 1:27605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TreeNode use after free attempt (browser-ie.rules)
 * 1:27604 <-> ENABLED <-> POLICY-SPAM FedEX spam campaign outbound connection (policy-spam.rules)
 * 1:27598 <-> ENABLED <-> SERVER-WEBAPP Oracle Secure Backup Admin Server command injection attempt (server-webapp.rules)
 * 1:27599 <-> ENABLED <-> MALWARE-CNC Fort Disco Registration outbound connection (malware-cnc.rules)
 * 1:27594 <-> ENABLED <-> MALWARE-OTHER Fake Adobe Flash Player update warning enticing clicks to malware payload (malware-other.rules)
 * 1:27602 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:27624 <-> DISABLED <-> DOS Microsoft ICMPv6 mismatched prefix length and length field denial of service attempt (dos.rules)
 * 1:27597 <-> DISABLED <-> BROWSER-PLUGINS Morovia Barcode ActiveX Professional arbitrary file overwrite attempt (browser-plugins.rules)
 * 1:27595 <-> ENABLED <-> MALWARE-OTHER Fake Adobe Flash Player malware binary requested (malware-other.rules)
 * 1:27596 <-> ENABLED <-> MALWARE-CNC Win.Redyms outbound connection (malware-cnc.rules)
 * 1:27603 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page (exploit-kit.rules)
 * 1:27606 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSelectionManager use after free attempt (browser-ie.rules)
 * 1:27610 <-> DISABLED <-> PROTOCOL-ICMP Truncated ICMPv6 denial of service attempt (protocol-icmp.rules)
 * 1:27623 <-> ENABLED <-> SERVER-OTHER Joomla media.php arbitrary file upload vulnerability (server-other.rules)
 * 1:27615 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MoveToMarkupPointer call with CControlTracker OnExitTree use-after-free attempt (browser-ie.rules)
 * 1:27618 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6 usp10.dll Bengali font stack overrun attempt (browser-ie.rules)
 * 1:27617 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 264 buffer overflow attempt (server-other.rules)
 * 1:27601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Noobot variant connection attempt (malware-cnc.rules)
 * 1:27622 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:27619 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6 usp10.dll Bengali font stack overrun attempt (browser-ie.rules)
 * 1:27614 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use-after-free attempt (browser-ie.rules)
 * 1:27621 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)

Modified Rules:

 * 1:3007 <-> DISABLED <-> PROTOCOL-IMAP command overflow attempt (protocol-imap.rules)
 * 1:23358 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:16206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS server spoofing attempt (os-windows.rules)
 * 1:27140 <-> DISABLED <-> EXPLOIT-KIT Private Exploit Kit numerically named exe file dowload (exploit-kit.rules)
 * 1:27113 <-> ENABLED <-> EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt (exploit-kit.rules)
 * 1:26961 <-> ENABLED <-> EXPLOIT-KIT Flim exploit kit landing page (exploit-kit.rules)
 * 1:26950 <-> ENABLED <-> EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt (exploit-kit.rules)
 * 1:15542 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Qsir and Qsif record remote code execution attempt (file-office.rules)
 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 3:15117 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed OBJ record arbitrary code execution attempt (web-client.rules)