Sourcefire VRT Rules Update

Date: 2013-01-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
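As an added example (not part of the VRT notes, nor code from Sourcefire, Snort or PulledPork), the following parser reads entries in exactly this format, splits them into the "New Rules" and "Modified Rules" sections, and turns them into the lists an operator actually needs when rolling the update out: which new SIDs ship enabled, which ship disabled and therefore give no coverage until a policy decision is made, and which SIDs have been retired to deleted.rules. The gid:sid-per-line output is the form that PulledPork's enablesid.conf / disablesid.conf accept. The sample input is a handful of lines copied from the list below; everything else (function names, the section headings it keys on) is the example's own.

```python
import re
from collections import Counter

# One changelog entry, in the format stated above:
#   gid:sid <-> Default rule state <-> Message (rule group)
# The leading " * " bullet is optional so the un-bulleted form parses too.
ENTRY_RE = re.compile(
    r"^\s*(?:\*\s*)?(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Section headings as they appear in the notes (assumed stable across updates).
SECTION_NAMES = ("New Rules", "Modified Rules")


def parse_entry(line):
    """Parse one entry line; return a dict, or None if the line is not an entry."""
    m = ENTRY_RE.match(line)
    if m is None:
        return None
    return {
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "state": m.group("state"),
        "msg": m.group("msg"),
        "group": m.group("group"),
    }


def parse_update(text):
    """Split the notes into their sections and parse every entry under each."""
    sections = {name: [] for name in SECTION_NAMES}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":") and stripped[:-1] in sections:
            current = stripped[:-1]          # "New Rules:" / "Modified Rules:"
            continue
        entry = parse_entry(line)
        if entry is not None and current is not None:
            sections[current].append(entry)
    return sections


def sid_lines(entries, state):
    """Entries with the given default state as sorted 'gid:sid' lines, the
    one-per-line form PulledPork's enablesid.conf / disablesid.conf accept."""
    keys = sorted((e["gid"], e["sid"]) for e in entries if e["state"] == state)
    return [f"{gid}:{sid}" for gid, sid in keys]


def disabled_by_group(entries):
    """Count rules shipped DISABLED per rule group: these give no coverage
    until someone decides to turn them on in the local policy."""
    return Counter(e["group"] for e in entries if e["state"] == "DISABLED")


def retired(entries):
    """SIDs moved to deleted.rules: drop these from local enablesid lists."""
    return [f"{e['gid']}:{e['sid']}" for e in entries if e["group"] == "deleted.rules"]


# Constructed sample: a handful of lines copied from the notes below.
SAMPLE = """New Rules:

 * 1:25386 <-> ENABLED <-> EXPLOIT-KIT Blackhole Payload detection - about.exe (exploit-kit.rules)
 * 1:25370 <-> ENABLED <-> SERVER-OTHER CakePHP unserialize method vulnerability exploitation attempt (server-other.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:25336 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25350 <-> DISABLED <-> DELETED FILE-IMAGE ImageMagick EXIF resolutionunit handling memory corruption attempt (deleted.rules)

Modified Rules:

 * 1:497 <-> DISABLED <-> INDICATOR-COMPROMISE file copied ok (indicator-compromise.rules)
 * 1:15997 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox JIT escape function memory corruption attempt (browser-firefox.rules)
"""

if __name__ == "__main__":
    sections = parse_update(SAMPLE)
    new = sections["New Rules"]
    print("new rules enabled by default:", sid_lines(new, "ENABLED"))
    print("new rules shipped disabled, by group:", dict(disabled_by_group(new)))
    print("retired SIDs:", retired(new))
```

Run it against the full notes (read from a file instead of SAMPLE) before the update goes live: the "ENABLED" list is what changes alerting behaviour with no action on your side, the "DISABLED" counts show where the pack adds detection you will not get unless you opt in, and anything in deleted.rules (1:25350 in this update, a duplicate of the 1:25347 ImageMagick rule) must be removed from any local enablesid list or PulledPork will warn about an unknown SID.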

New Rules:


 * 1:25386 <-> ENABLED <-> EXPLOIT-KIT Blackhole Payload detection - about.exe (exploit-kit.rules)
 * 1:25370 <-> ENABLED <-> SERVER-OTHER CakePHP unserialize method vulnerability exploitation attempt (server-other.rules)
 * 1:25387 <-> ENABLED <-> EXPLOIT-KIT Blackhole Payload detection - readme.exe (exploit-kit.rules)
 * 1:25365 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner XSS attempt (app-detect.rules)
 * 1:25360 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner authentication attempt (app-detect.rules)
 * 1:25355 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtBlipDIB record exploit attempt (file-office.rules)
 * 1:25347 <-> DISABLED <-> FILE-IMAGE ImageMagick EXIF resolutionunit handling memory corruption attempt (file-image.rules)
 * 1:25391 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange Exploit Kit obfuscated payload download (exploit-kit.rules)
 * 1:25338 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25339 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25383 <-> ENABLED <-> EXPLOIT-KIT Blackhole Payload detection - info.exe (exploit-kit.rules)
 * 1:25341 <-> ENABLED <-> FILE-OTHER Cisco WebEx player remote code execution attempt (file-other.rules)
 * 1:25337 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25340 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25336 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25342 <-> DISABLED <-> DOS ISC dhcpd bootp request missing options field DOS attempt (dos.rules)
 * 1:25334 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25343 <-> DISABLED <-> BROWSER-PLUGINS Citrix Access Gateway plug-in ActiveX code execution attempt (browser-plugins.rules)
 * 1:25390 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:25389 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:25388 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 redirection successful (exploit-kit.rules)
 * 1:25335 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25333 <-> DISABLED <-> DNS Exim DKIM decoding buffer overflow attempt (dns.rules)
 * 1:25344 <-> DISABLED <-> BROWSER-PLUGINS Citrix Access Gateway plug-in ActiveX code execution attempt (browser-plugins.rules)
 * 1:25345 <-> DISABLED <-> SERVER-WEBAPP Symantec IM Manager Web interface arbitrary command execution attempt (server-webapp.rules)
 * 1:25350 <-> DISABLED <-> DELETED FILE-IMAGE ImageMagick EXIF resolutionunit handling memory corruption attempt (deleted.rules)
 * 1:25352 <-> DISABLED <-> SERVER-OTHER HP HP Intelligent Management Center syslog remote code execution attempt (server-other.rules)
 * 1:25354 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord exploit attempt (file-office.rules)
 * 1:25353 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord exploit attempt (file-office.rules)
 * 1:25356 <-> DISABLED <-> SERVER-OTHER Squid Gopher response processing buffer overflow attempt (server-other.rules)
 * 1:25358 <-> ENABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:25357 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt (file-executable.rules)
 * 1:25359 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner probe attempt (app-detect.rules)
 * 1:25361 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner RFI attempt (app-detect.rules)
 * 1:25363 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner URI injection attempt (app-detect.rules)
 * 1:25362 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt (app-detect.rules)
 * 1:25364 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt (app-detect.rules)
 * 1:25366 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:25367 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:25368 <-> DISABLED <-> MALWARE-CNC Win.Downloader.Kuloz variant outbound connection (malware-cnc.rules)
 * 1:25369 <-> ENABLED <-> OS-WINDOWS NVIDIA graphics driver nvsr named pipe buffer overflow attempt (os-windows.rules)
 * 1:25371 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ruskill variant outbound connection (malware-cnc.rules)
 * 1:25372 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - wh (blacklist.rules)
 * 1:25373 <-> ENABLED <-> FILE-IDENTIFY Apple Quicktime Targa Image file download request (file-identify.rules)
 * 1:25374 <-> ENABLED <-> FILE-IDENTIFY Apple Quicktime Targa Image file attachment detected (file-identify.rules)
 * 1:25375 <-> ENABLED <-> FILE-IDENTIFY Apple Quicktime Targa Image file attachment detected (file-identify.rules)
 * 1:25376 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt (file-multimedia.rules)
 * 1:25377 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt (file-multimedia.rules)
 * 1:25381 <-> ENABLED <-> SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt (server-other.rules)
 * 1:25379 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt (file-multimedia.rules)
 * 1:25378 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt (file-multimedia.rules)
 * 1:25380 <-> DISABLED <-> SERVER-OTHER EMC AutoStart domain name logging stack buffer overflow attempt (server-other.rules)
 * 1:25382 <-> ENABLED <-> EXPLOIT-KIT Blackhole v2 malicious jar file dropped (exploit-kit.rules)
 * 1:25384 <-> ENABLED <-> EXPLOIT-KIT Blackhole Payload detection - contacts.exe (exploit-kit.rules)
 * 1:25385 <-> ENABLED <-> EXPLOIT-KIT Blackhole Payload detection - calc.exe (exploit-kit.rules)

Modified Rules:


 * 1:497 <-> DISABLED <-> INDICATOR-COMPROMISE file copied ok (indicator-compromise.rules)
 * 1:25135 <-> DISABLED <-> EXPLOIT-KIT Styx Exploit Kit outbound connection (exploit-kit.rules)
 * 1:25107 <-> DISABLED <-> MALWARE-CNC Win.Spy.Banker variant outbound connection (malware-cnc.rules)
 * 1:25317 <-> DISABLED <-> POLICY-OTHER RedHat JBOSS JNDI service naming (policy-other.rules)
 * 1:23556 <-> DISABLED <-> FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt (file-office.rules)
 * 1:25109 <-> DISABLED <-> MALWARE-CNC Autoit.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:23557 <-> DISABLED <-> FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt (file-office.rules)
 * 1:25108 <-> DISABLED <-> MALWARE-CNC Win.Proxy.Agent variant outbound connection (malware-cnc.rules)
 * 1:23356 <-> DISABLED <-> FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt (file-office.rules)
 * 1:20046 <-> DISABLED <-> SQL PHPSESSID SQL injection attempt (sql.rules)
 * 1:20619 <-> DISABLED <-> SERVER-WEBAPP CoreHTTP Long buffer overflow attempt (server-webapp.rules)
 * 1:15469 <-> DISABLED <-> FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt (file-office.rules)
 * 1:15997 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox JIT escape function memory corruption attempt (browser-firefox.rules)
 * 1:15116 <-> ENABLED <-> OS-WINDOWS Microsoft Windows search protocol remote command injection attempt (os-windows.rules)
 * 1:11257 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt (browser-ie.rules)