Sourcefire VRT Rules Update

Date: 2012-12-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

where gid:sid is the generator ID and signature ID of the rule, the default rule state is whether the rule ships enabled or disabled in the rule pack, and the rule group is the .rules file that contains it.

New Rules:


 * 1:24899 <-> ENABLED <-> MALWARE-OTHER Compromised Website response - leads to Exploit Kit (malware-other.rules)
 * 1:24900 <-> ENABLED <-> MALWARE-OTHER HTML.Exploit.C99 suspicious file download (malware-other.rules)
 * 1:24901 <-> ENABLED <-> FILE-IDENTIFY JNLP file download request (file-identify.rules)
 * 1:24902 <-> ENABLED <-> FILE-IDENTIFY JNLP file attachment detected (file-identify.rules)
 * 1:24903 <-> ENABLED <-> FILE-IDENTIFY JNLP file attachment detected (file-identify.rules)
 * 1:24904 <-> ENABLED <-> FILE-OTHER Oracle Java Web Start JNLP j2se key value buffer overflow attempt (file-other.rules)
 * 1:24905 <-> ENABLED <-> FILE-OTHER Oracle Java Web Start JNLP j2se key value buffer overflow attempt (file-other.rules)
 * 1:24906 <-> ENABLED <-> FILE-OTHER Oracle Java Web Start JNLP j2se key value buffer overflow attempt (file-other.rules)
 * 1:24907 <-> ENABLED <-> SERVER-ORACLE Oracle Secure Backup exec_qr command injection attempt (server-oracle.rules)
 * 1:24915 <-> ENABLED <-> FILE-OTHER Oracle Java Runtime true type font idef opcode heap buffer overflow attempt (file-other.rules)
 * 1:24914 <-> ENABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (server-webapp.rules)
 * 1:24908 <-> ENABLED <-> SERVER-MYSQL Oracle MySQL user enumeration attempt (server-mysql.rules)
 * 1:24909 <-> ENABLED <-> SERVER-MYSQL Oracle MySQL select UpdateXML nested xml elements denial of service attempt (server-mysql.rules)
 * 1:24910 <-> ENABLED <-> SERVER-MYSQL Oracle MySQL MDL free corrupted pointer heap overflow attempt (server-mysql.rules)
 * 1:24911 <-> DISABLED <-> SERVER-ORACLE Oracle Outside In Excel file parsing integer overflow attempt (server-oracle.rules)
 * 1:24912 <-> DISABLED <-> SERVER-ORACLE Oracle Outside In Excel file parsing integer overflow attempt (server-oracle.rules)
 * 1:24913 <-> ENABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (server-webapp.rules)

Modified Rules:


 * 1:24701 <-> ENABLED <-> FILE-OTHER Oracle Java Runtime true type font idef opcode heap buffer overflow attempt (file-other.rules)
 * 1:3656 <-> DISABLED <-> SERVER-MAIL MDaemon 6.5.1 and prior versions MAIL overflow attempt (server-mail.rules)
 * 1:24897 <-> ENABLED <-> SERVER-MYSQL Oracle MySQL grant file long database name stack overflow attempt (server-mysql.rules)
 * 1:24888 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit landing page detected (exploit-kit.rules)
 * 1:24798 <-> ENABLED <-> EXPLOIT-KIT Possible malicious Jar download attempt - specific-structure (exploit-kit.rules)
 * 1:21101 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt (protocol-voip.rules)
 * 1:23310 <-> DISABLED <-> FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt (file-executable.rules)
 * 1:21667 <-> DISABLED <-> FILE-OTHER Oracle Java JRE sandbox Atomic breach attempt (file-other.rules)
 * 1:17631 <-> ENABLED <-> FILE-OTHER Oracle Java Web Start JNLP j2se key value buffer overflow attempt (file-other.rules)
 * 1:17298 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Monitoring Express Universal Agent Buffer Overflow (server-other.rules)
 * 1:17317 <-> DISABLED <-> SERVER-OTHER OpenSSH sshd identical blocks DoS attempt (server-other.rules)
 * 1:19873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS style memory corruption attempt (browser-ie.rules)
 * 1:17521 <-> DISABLED <-> SERVER-OTHER GoodTech SSH Server SFTP processing buffer overflow attempt (server-other.rules)
 * 1:16351 <-> DISABLED <-> PROTOCOL-VOIP CSeq buffer overflow attempt (protocol-voip.rules)
 * 1:13693 <-> DISABLED <-> PROTOCOL-VOIP Attribute header rtpmap field invalid payload type (protocol-voip.rules)
 * 1:11970 <-> DISABLED <-> PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt (protocol-voip.rules)
 * 1:23325 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:23358 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:23311 <-> DISABLED <-> FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt (file-executable.rules)
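As an added example (not part of the Sourcefire release note itself), the following Python parses lines in the `gid:sid <-> Default rule state <-> Message (rule group)` format used above into records, keeps track of whether each line came from the New Rules or Modified Rules section, and offers two checks a practitioner typically wants after reading such a note: which rules ship disabled by default (and so need an explicit enable if they matter to your environment), and which SIDs a local ruleset does not yet contain. The embedded `SAMPLE_NOTE` is a constructed excerpt of a few lines copied from this update; `local_sids` in the usage call is an assumed set standing in for SIDs read from your own rule files.

```python
import re
from dataclasses import dataclass

# Line format described in the release note:
#   gid:sid <-> Default rule state <-> Message (rule group)
# The leading " * " bullet is optional so both raw and stripped lines parse.
RULE_LINE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w-]+\.rules)\)\s*$"
)

# Constructed excerpt: a handful of lines copied from this update.
SAMPLE_NOTE = """\
New Rules:

 * 1:24899 <-> ENABLED <-> MALWARE-OTHER Compromised Website response - leads to Exploit Kit (malware-other.rules)
 * 1:24907 <-> ENABLED <-> SERVER-ORACLE Oracle Secure Backup exec_qr command injection attempt (server-oracle.rules)
 * 1:24911 <-> DISABLED <-> SERVER-ORACLE Oracle Outside In Excel file parsing integer overflow attempt (server-oracle.rules)

Modified Rules:

 * 1:3656 <-> DISABLED <-> SERVER-MAIL MDaemon 6.5.1 and prior versions MAIL overflow attempt (server-mail.rules)
 * 1:24888 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit landing page detected (exploit-kit.rules)
"""


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    message: str
    group: str      # the .rules file the rule lives in
    section: str    # "new" or "modified"


def parse_update(text):
    """Parse a VRT rule update note into RuleEntry records.

    Section headers ("New Rules:", "Modified Rules:") set the section for
    the lines that follow; lines not matching the rule format are skipped.
    """
    entries = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(line)
        if m and section:
            entries.append(RuleEntry(
                gid=int(m["gid"]), sid=int(m["sid"]),
                enabled=(m["state"] == "ENABLED"),
                message=m["msg"], group=m["group"], section=section))
    return entries


def summarize_by_group(entries):
    """Count enabled/disabled rules per .rules file."""
    summary = {}
    for e in entries:
        bucket = summary.setdefault(e.group, {"enabled": 0, "disabled": 0})
        bucket["enabled" if e.enabled else "disabled"] += 1
    return summary


def disabled_by_default(entries):
    """SIDs that ship disabled; these fire only if you enable them locally."""
    return sorted(e.sid for e in entries if not e.enabled)


def sids_not_in_local(entries, local_sids):
    """SIDs in the update that a local ruleset (a set of ints) lacks."""
    return sorted(e.sid for e in entries if e.sid not in local_sids)


if __name__ == "__main__":
    parsed = parse_update(SAMPLE_NOTE)
    local_sids = {24899, 3656}  # assumed: SIDs already present locally
    print(summarize_by_group(parsed))
    print("disabled by default:", disabled_by_default(parsed))
    print("missing locally:", sids_not_in_local(parsed, local_sids))
```

To run it against the full note, read the file into `text` and call `parse_update(text)`; the message field is kept verbatim so it can be matched against `msg:` options when reconciling with the actual rule files.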