Sourcefire VRT Rules Update

Date: 2013-04-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:26510 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit pdf payload detection (exploit-kit.rules)
 * 1:26506 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit jar file redirection (exploit-kit.rules)
 * 1:26502 <-> DISABLED <-> SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt (scada.rules)
 * 1:26501 <-> DISABLED <-> SERVER-OTHER BigAnt Document Service DDNF request stack buffer overflow attempt (server-other.rules)
 * 1:26500 <-> ENABLED <-> FILE-OTHER Oracle Java JRE reflection types public final field overwrite attempt (file-other.rules)
 * 1:26495 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
 * 1:26497 <-> ENABLED <-> BROWSER-PLUGINS Siemens SIMATIC WinCC RegReader ActiveX vulnerable function access attempt (browser-plugins.rules)
 * 1:26494 <-> DISABLED <-> FILE-IDENTIFY KingView KingMessage log file attachment detected (file-identify.rules)
 * 1:26498 <-> ENABLED <-> BROWSER-PLUGINS Siemens SIMATIC WinCC RegReader ActiveX vulnerable function access attempt (browser-plugins.rules)
 * 1:26488 <-> DISABLED <-> SCADA CODESYS Gateway-Server directory traversal attempt (scada.rules)
 * 1:26489 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt (browser-other.rules)
 * 1:26490 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt (browser-other.rules)
 * 1:26491 <-> DISABLED <-> SERVER-OTHER Nagios NRPE command execution attempt (server-other.rules)
 * 1:26492 <-> DISABLED <-> FILE-IDENTIFY KingView KingMessage log file download request (file-identify.rules)
 * 1:26493 <-> DISABLED <-> FILE-IDENTIFY KingView KingMessage log file attachment detected (file-identify.rules)
 * 1:26503 <-> DISABLED <-> SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt (scada.rules)
 * 1:26504 <-> DISABLED <-> SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt (scada.rules)
 * 1:26505 <-> ENABLED <-> SERVER-WEBAPP HP Intelligent Management Center IctDownloadServlet information disclosure attempt (server-webapp.rules)
 * 1:26507 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:26508 <-> ENABLED <-> EXPLOIT-KIT Multiple Exploit Kit Payload detection - info.dll (exploit-kit.rules)
 * 1:26509 <-> ENABLED <-> EXPLOIT-KIT Multiple Exploit Kit java payload detection (exploit-kit.rules)
 * 1:26511 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit redirection structure (exploit-kit.rules)
 * 1:26496 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
 * 1:26499 <-> ENABLED <-> FILE-OTHER Oracle Java JRE reflection types public final field overwrite attempt (file-other.rules)
 * 1:26513 <-> DISABLED <-> FILE-PDF PDF with large embedded JavaScript - JS string attempt (file-pdf.rules)
 * 1:26512 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit java payload detection (exploit-kit.rules)

Modified Rules:

 * 1:23715 <-> DISABLED <-> FILE-IDENTIFY Microsoft Office Access file magic detected (file-identify.rules)
 * 1:24623 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Jorik variant outbound connection (malware-cnc.rules)
 * 1:25302 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit malicious jar archive download (exploit-kit.rules)
 * 1:26206 <-> DISABLED <-> FILE-IDENTIFY CyberLink Power2Go file download request (file-identify.rules)
 * 1:26207 <-> DISABLED <-> FILE-IDENTIFY CyberLink Power2Go file attachment detected (file-identify.rules)
 * 1:26208 <-> DISABLED <-> FILE-IDENTIFY CyberLink Power2Go file attachment detected (file-identify.rules)
 * 1:26318 <-> ENABLED <-> FILE-MULTIMEDIA Cool Player Plus M3U buffer overflow attempt (file-multimedia.rules)
 * 1:26429 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RTMP malformed onStatus message type confusion attempt (file-flash.rules)
 * 1:26436 <-> ENABLED <-> SERVER-WEBAPP HP Intelligent Management Center FaultDownloadServlet information disclosure attempt (server-webapp.rules)
 * 1:26474 <-> DISABLED <-> FILE-OTHER CoolPlayer playlist file handling buffer overflow attempt (file-other.rules)
 * 1:26476 <-> DISABLED <-> FILE-OTHER CoolPlayer playlist file handling buffer overflow attempt (file-other.rules)
 * 1:26478 <-> DISABLED <-> FILE-OTHER CoolPlayer playlist file handling buffer overflow attempt (file-other.rules)