Sourcefire VRT Rules Update

Date: 2013-02-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
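
The entry format above is regular enough to parse mechanically, which is useful when an update lists dozens of SIDs in no particular order: a pack update turns on only the rules that ship ENABLED, so the DISABLED new rules (here, for example, the EMC AlphaStor, Nagios and Sybase server-side rules) need a deliberate decision and an explicit enable. The parser below is an added example written for this page, not Sourcefire VRT code. The sample input is a handful of lines copied verbatim from this update; the function names and the use of plain `gid:sid` lines for the enable list are the example's own choices.

```python
"""Parse a Sourcefire VRT rule-update changelog:
   gid:sid <-> Default rule state <-> Message (rule group)"""
import re
from collections import Counter
from dataclasses import dataclass

# One bullet entry. The "(group.rules)" suffix is anchored at end of line, so a
# message that itself contains parentheses still parses correctly.
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<message>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    section: str    # "New Rules" or "Modified Rules"
    gid: int
    sid: int
    state: str      # default state in the pack: ENABLED or DISABLED
    category: str   # leading token of the message, e.g. SERVER-OTHER
    message: str
    group: str      # rules file the SID lives in, e.g. server-other.rules


def parse_update(text):
    """Return the RuleEntry list for a changelog, tracking the current section header."""
    entries, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("Rules:"):          # "New Rules:" / "Modified Rules:"
            section = stripped[:-1]
            continue
        if not stripped.startswith("*"):
            continue                             # blank line, date, prose
        m = ENTRY_RE.match(line)
        if m is None:
            # A bullet that does not follow the documented format is an error,
            # not something to skip silently: a dropped SID is a missed detection.
            raise ValueError(f"unparseable entry: {line!r}")
        message = m.group("message")
        entries.append(RuleEntry(
            section=section or "Unknown",
            gid=int(m.group("gid")),
            sid=int(m.group("sid")),
            state=m.group("state"),
            category=message.split(" ", 1)[0],
            message=message,
            group=m.group("group"),
        ))
    return entries


def disabled_new_rules(entries):
    """New rules shipped DISABLED: the ones the pack update will not switch on for you."""
    return sorted((e for e in entries if e.section == "New Rules" and e.state == "DISABLED"),
                  key=lambda e: (e.gid, e.sid))


def count_by_group(entries):
    """Entries per rules file, to see which policy areas an update touches."""
    return Counter(e.group for e in entries)


def sid_variants(entries):
    """Messages shared by more than one SID: several detection variants for one issue,
    or a new SID that duplicates the message of a modified (older) one."""
    by_message = {}
    for e in entries:
        by_message.setdefault(e.message, []).append(e.sid)
    return {msg: sorted(sids) for msg, sids in by_message.items() if len(sids) > 1}


def enable_lines(entries):
    """Plain 'gid:sid' lines for the disabled new rules, ready for a local enable list."""
    return [f"{e.gid}:{e.sid}" for e in disabled_new_rules(entries)]


# Sample input: lines copied verbatim from this 2013-02-05 update (a subset, for brevity).
SAMPLE = """\
New Rules:

 * 1:25588 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader FlateDecode integer overflow attempt (file-pdf.rules)
 * 1:25602 <-> ENABLED <-> SERVER-OTHER Sybase Open Server TDS login request (server-other.rules)
 * 1:25581 <-> DISABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25584 <-> DISABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25593 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25603 <-> DISABLED <-> SERVER-OTHER Sybase Open Server TDS login packet stack memory corruption attempt (server-other.rules)

Modified Rules:

 * 1:20638 <-> DISABLED <-> SCADA Progea Movicon/PowerHMI EIDP over HTTP memory corruption attempt (scada.rules)
 * 1:15709 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader FlateDecode integer overflow attempt (file-pdf.rules)
"""

if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    print("entries per group:", dict(count_by_group(parsed)))
    print("disabled new rules to review:", enable_lines(parsed))
    for msg, sids in sid_variants(parsed).items():
        print(f"{len(sids)} SIDs share message: {msg} -> {sids}")
```

Run on the full changelog, `sid_variants` also flags the pairs where a new SID carries the same message as a modified one (1:25588 beside 1:15709, 1:25587 beside 1:13572): the new rule is normally a second detection variant for the same issue, so both SIDs belong in the same policy decision.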

New Rules:


 * 1:25588 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader FlateDecode integer overflow attempt (file-pdf.rules)
 * 1:25602 <-> ENABLED <-> SERVER-OTHER Sybase Open Server TDS login request (server-other.rules)
 * 1:25579 <-> ENABLED <-> MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack (malware-other.rules)
 * 1:25580 <-> ENABLED <-> MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack (malware-other.rules)
 * 1:25581 <-> DISABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25584 <-> DISABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25583 <-> DISABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25586 <-> DISABLED <-> SERVER-WEBAPP Nagios Core get_history buffer overflow attempt (server-webapp.rules)
 * 1:25585 <-> DISABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25592 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated document command (indicator-obfuscation.rules)
 * 1:25587 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt (file-office.rules)
 * 1:25593 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25599 <-> DISABLED <-> MALWARE-CNC WIN.Trojan.Gupboot variant outbound connection (malware-cnc.rules)
 * 1:25594 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25582 <-> DISABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25595 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25578 <-> ENABLED <-> MALWARE-OTHER Fake postal receipt HTTP Response phishing attack (malware-other.rules)
 * 1:25596 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25603 <-> DISABLED <-> SERVER-OTHER Sybase Open Server TDS login packet stack memory corruption attempt (server-other.rules)
 * 1:25601 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25577 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST (malware-cnc.rules)
 * 1:25589 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25597 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25598 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25600 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Dilavtor variant outbound connection (malware-cnc.rules)
 * 1:25590 <-> ENABLED <-> EXPLOIT-KIT Blackhole v2 landing page - specific structure (exploit-kit.rules)
 * 1:25591 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page - specific structure (exploit-kit.rules)

Modified Rules:


 * 1:20638 <-> DISABLED <-> SCADA Progea Movicon/PowerHMI EIDP over HTTP memory corruption attempt (scada.rules)
 * 1:13963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer argument validation in print preview handling vulnerability (browser-ie.rules)
 * 1:13916 <-> ENABLED <-> SERVER-OTHER Alt-N SecurityGateway username buffer overflow attempt (server-other.rules)
 * 1:10015 <-> DISABLED <-> BROWSER-PLUGINS Oracle ORADC ActiveX clsid access (browser-plugins.rules)
 * 1:10189 <-> DISABLED <-> BROWSER-PLUGINS DivXBrowserPlugin ActiveX clsid access (browser-plugins.rules)
 * 1:25328 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25459 <-> DISABLED <-> FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules)
 * 1:25460 <-> DISABLED <-> FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules)
 * 1:25505 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25508 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:9795 <-> DISABLED <-> BROWSER-PLUGINS Panda ActiveScan ActiveScan.1 ActiveX clsid access (browser-plugins.rules)
 * 1:9793 <-> DISABLED <-> BROWSER-PLUGINS YMMAPI.YMailAttach ActiveX clsid access (browser-plugins.rules)
 * 1:7866 <-> DISABLED <-> BROWSER-PLUGINS ADODB.Connection ActiveX clsid access (browser-plugins.rules)
 * 1:17296 <-> ENABLED <-> SERVER-WEBAPP Microsoft Office Outlook Web Access XSRF attempt (server-webapp.rules)
 * 1:25284 <-> DISABLED <-> MALWARE-BACKDOOR possible Htran setup command - tran (malware-backdoor.rules)
 * 1:19812 <-> DISABLED <-> SERVER-OTHER CA Total Defense Suite UNCWS getDBConfigSettings credential information disclosure attempt (server-other.rules)
 * 1:25135 <-> DISABLED <-> EXPLOIT-KIT Styx Exploit Kit outbound connection (exploit-kit.rules)
 * 1:25322 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:10128 <-> DISABLED <-> BROWSER-PLUGINS Aliplay ActiveX clsid access (browser-plugins.rules)
 * 1:9798 <-> DISABLED <-> BROWSER-PLUGINS Panda ActiveScan PAVPZ.SOS.1 ActiveX clsid access (browser-plugins.rules)
 * 1:10390 <-> DISABLED <-> BROWSER-PLUGINS Symantec Support Controls SmartIssue ActiveX clsid access (browser-plugins.rules)
 * 1:13572 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt (file-office.rules)
 * 1:13960 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer static text range overflow attempt (browser-ie.rules)
 * 1:15709 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Acrobat Reader FlateDecode integer overflow attempt (file-pdf.rules)
 * 1:9814 <-> DISABLED <-> BROWSER-PLUGINS ICQPhone.SipxPhoneManager ActiveX clsid access (browser-plugins.rules)
 * 1:25282 <-> DISABLED <-> MALWARE-BACKDOOR possible Htran setup command - listen (malware-backdoor.rules)
 * 1:25283 <-> DISABLED <-> MALWARE-BACKDOOR possible Htran setup command - slave (malware-backdoor.rules)
 * 1:10404 <-> DISABLED <-> BROWSER-PLUGINS SignKorea SKCommAX ActiveX clsid access (browser-plugins.rules)
 * 1:25323 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25326 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)