Sourcefire VRT Rules Update

Date: 2012-10-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:24349 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spy variant outbound communication (malware-cnc.rules)
 * 1:24350 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spy variant outbound communication (malware-cnc.rules)
 * 1:24351 <-> ENABLED <-> FILE-OFFICE Microsoft Works 9 use-after-free attempt (file-office.rules)
 * 1:24352 <-> ENABLED <-> FILE-OFFICE Microsoft Works 9 use-after-free attempt (file-office.rules)
 * 1:24353 <-> ENABLED <-> FILE-OFFICE Microsoft Word RTF malformed listid attempt (file-office.rules)
 * 1:24354 <-> ENABLED <-> FILE-OFFICE Microsoft Word RTF malformed listid attempt (file-office.rules)
 * 1:24355 <-> ENABLED <-> SQL Microsoft SQL Server Reporting Services cross site scripting attempt (sql.rules)
 * 1:24356 <-> ENABLED <-> SQL Microsoft SQL Server Reporting Services cross site scripting attempt (sql.rules)
 * 1:24357 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rgfc value overflow attempt (file-office.rules)
 * 1:24358 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rgfc value overflow attempt (file-office.rules)
 * 1:24359 <-> ENABLED <-> NETBIOS SMB NTLM NULL session attempt (netbios.rules)
 * 1:24360 <-> DISABLED <-> NETBIOS SMB Kerberos NULL session denial of service attempt (netbios.rules)

Modified Rules:
 * 1:24229 <-> DISABLED <-> FILE-OTHER RealNetworks Netzip Classic zip archive long filename buffer overflow attempt (file-other.rules)
 * 1:24227 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 - URI Structure (exploit-kit.rules)
 * 1:24226 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page received (exploit-kit.rules)
 * 1:23493 <-> ENABLED <-> MALWARE-CNC Trojan.ZeroAccess outbound communication (malware-cnc.rules)
 * 1:20991 <-> ENABLED <-> FILE-IDENTIFY TTF file magic detected (file-identify.rules)
 * 1:22087 <-> DISABLED <-> FILE-OTHER Microsoft Windows True Type Font maxComponentPoints overflow attempt (file-other.rules)
 * 1:18952 <-> DISABLED <-> FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt (file-other.rules)
 * 1:17378 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Animated PNG Processing integer overflow attempt (browser-firefox.rules)
 * 1:20735 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:17379 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Animated PNG Processing integer overflow attempt (browser-firefox.rules)
 * 1:20496 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file magic detected (file-identify.rules)
 * 1:24230 <-> DISABLED <-> FILE-OTHER RealNetworks Netzip Classic zip archive long filename buffer overflow attempt (file-other.rules)
 * 1:24286 <-> DISABLED <-> MALWARE-CNC WIN.Trojan.Lurk variant outbound connection (malware-cnc.rules)
 * 1:23137 <-> DISABLED <-> WEB-CLIENT Microsoft multiple product toStaticHTML XSS attempt (web-client.rules)
 * 1:23136 <-> DISABLED <-> WEB-CLIENT Microsoft multiple product toStaticHTML XSS attempt (web-client.rules)