Sourcefire VRT Rules Update

Date: 2013-05-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:26638 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML array element with negative length memory corruption attempt (browser-ie.rules)
 * 1:26640 <-> DISABLED <-> POLICY-OTHER XML digital signature transformation of digest value (policy-other.rules)
 * 1:26618 <-> DISABLED <-> SERVER-WEBAPP Potential hostile executable served from local compromised or malicious WordPress site (server-webapp.rules)
 * 1:26619 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious (indicator-obfuscation.rules)
 * 1:26620 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious (indicator-obfuscation.rules)
 * 1:26621 <-> ENABLED <-> SERVER-OTHER Adobe ColdFusion adminapi information disclosure attempt (server-other.rules)
 * 1:26622 <-> ENABLED <-> BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt (browser-ie.rules)
 * 1:26623 <-> ENABLED <-> BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt (browser-ie.rules)
 * 1:26624 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt (browser-ie.rules)
 * 1:26625 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt (browser-ie.rules)
 * 1:26639 <-> DISABLED <-> POLICY-OTHER XML digital signature transformation of digest value (policy-other.rules)
 * 1:26642 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt (browser-ie.rules)
 * 1:26637 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt (browser-ie.rules)
 * 1:26636 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt (browser-ie.rules)
 * 1:26626 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio XML parameter entity reference local file disclosure attempt (file-office.rules)
 * 1:26627 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio SVG external entity local file disclosure attempt (file-office.rules)
 * 1:26628 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio SVG external entity local file disclosure attempt (file-office.rules)
 * 1:26629 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setInterval focus use after free attempt (browser-ie.rules)
 * 1:26630 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt (browser-ie.rules)
 * 1:26631 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt (browser-ie.rules)
 * 1:26632 <-> ENABLED <-> SERVER-WEBAPP Microsoft Windows 2012 Server additional empty Accept-Encoding field denial of service attempt (server-webapp.rules)
 * 1:26633 <-> DISABLED <-> BROWSER-OTHER html reload loop attempt (browser-other.rules)
 * 1:26634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:26641 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt (browser-ie.rules)
 * 1:26635 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)

Modified Rules:
 * 1:21874 <-> ENABLED <-> EXPLOIT-KIT Possible exploit kit post compromise activity - StrReverse (exploit-kit.rules)
 * 1:21875 <-> ENABLED <-> EXPLOIT-KIT Possible exploit kit post compromise activity - taskkill (exploit-kit.rules)
 * 1:24957 <-> DISABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:24958 <-> DISABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:26536 <-> ENABLED <-> EXPLOIT-KIT Stamp Exploit Kit landing page (exploit-kit.rules)
 * 1:24959 <-> DISABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:24960 <-> DISABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:24961 <-> DISABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:26572 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26569 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:24962 <-> DISABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:24963 <-> DISABLED <-> BROWSER-PLUGINS Microsoft DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:26294 <-> DISABLED <-> FILE-OTHER Watering Hole Campaign applet download (file-other.rules)
 * 1:26295 <-> DISABLED <-> FILE-OTHER Watering Hole Campaign applet download (file-other.rules)
 * 1:26335 <-> ENABLED <-> MALWARE-CNC FBI Ransom Trojan variant outbound connection (malware-cnc.rules)
 * 1:26341 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page (exploit-kit.rules)
 * 1:26571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26570 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26342 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:26547 <-> ENABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace remote code execution attempt (server-webapp.rules)
 * 1:26343 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page (exploit-kit.rules)
 * 1:26344 <-> ENABLED <-> EXPLOIT-KIT Redkit landing page redirection (exploit-kit.rules)
 * 1:26351 <-> ENABLED <-> EXPLOIT-KIT Redkit landing page redirection (exploit-kit.rules)
 * 1:26506 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit jar file redirection (exploit-kit.rules)
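The entry format described at the top of this notice (gid:sid <-> Default rule state <-> Message (rule group)) is easy to turn into structured records, which is what you want when deciding which of the new DISABLED rules to switch on in your own policy. The following is an added example and is not Sourcefire code: the sample lines are copied from the lists above, the " * " bullet prefix and the "New Rules:" / "Modified Rules:" section headings are taken from this page's layout, and the gid:sid output is assumed to be the form a pulledpork-style enablesid.conf accepts (an assumption about that tool, not something this notice states).

```python
"""Parse Sourcefire VRT rule-update notice entries into records.

Added example, not Sourcefire code. Assumes the bullet-list layout and the
'New Rules:' / 'Modified Rules:' headings used in the update notice.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Entry format from the notice: gid:sid <-> state <-> message (rule group)
ENTRY_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Constructed sample: five lines copied from the update notice above.
SAMPLE = """New Rules:

 * 1:26638 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML array element with negative length memory corruption attempt (browser-ie.rules)
 * 1:26621 <-> ENABLED <-> SERVER-OTHER Adobe ColdFusion adminapi information disclosure attempt (server-other.rules)
 * 1:26629 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setInterval focus use after free attempt (browser-ie.rules)

Modified Rules:

 * 1:21874 <-> ENABLED <-> EXPLOIT-KIT Possible exploit kit post compromise activity - StrReverse (exploit-kit.rules)
 * 1:24957 <-> DISABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
"""


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool      # default state in the VRT policy, not your local state
    message: str
    group: str         # rules file the signature lives in, e.g. browser-ie.rules

    @property
    def category(self) -> str:
        # Snort message text starts with the rule category, e.g. "BROWSER-IE"
        return self.message.split(" ", 1)[0]


def parse_entry(line: str) -> Optional[RuleEntry]:
    """Return a RuleEntry for one notice line, or None if it is not an entry."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    return RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                     m["msg"], m["group"])


def parse_changelog(text: str) -> Dict[str, List[RuleEntry]]:
    """Split the notice into its sections ('New Rules', 'Modified Rules')."""
    sections: Dict[str, List[RuleEntry]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Rules:"):          # section heading, drop the colon
            current = line[:-1]
            sections.setdefault(current, [])
            continue
        entry = parse_entry(line)
        if entry is not None and current is not None:
            sections[current].append(entry)
    return sections


def disabled_sids(entries: List[RuleEntry]) -> List[int]:
    """SIDs shipped DISABLED by default: the candidates for local review."""
    return sorted(e.sid for e in entries if not e.enabled)


def enablesid_lines(entries: List[RuleEntry]) -> List[str]:
    """gid:sid lines for the disabled entries (pulledpork enablesid.conf style;
    that file format is an assumption, check your rule manager's docs)."""
    return [f"{e.gid}:{e.sid}" for e in sorted(entries, key=lambda e: e.sid)
            if not e.enabled]


def category_counts(entries: List[RuleEntry]) -> Dict[str, int]:
    """How many entries per Snort category, useful for a quick triage view."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.category] = counts.get(e.category, 0) + 1
    return counts


if __name__ == "__main__":
    sections = parse_changelog(SAMPLE)
    for name, entries in sections.items():
        print(f"{name}: {len(entries)} entries, categories {category_counts(entries)}")
        print("  disabled by default:", disabled_sids(entries))
    print("enablesid candidates from New Rules:",
          enablesid_lines(sections["New Rules"]))
```

Run it against the full text of a notice to get, per section, the SIDs that arrive DISABLED; those are the ones that never fire until you enable them locally, which is the main thing to check when reading one of these updates.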