Sourcefire VRT Rules Update

Date: 2013-05-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

The state is the one the rule ships with in the pack: a DISABLED rule is present in its rule group file but is not active until it is enabled in the local policy, so the DISABLED entries below are the ones to review before deployment.
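
A small parser for this list format, added here as a worked example and not Sourcefire code: it turns the gid:sid <-> state <-> message (group) lines into records, counts how many new and modified rules ship disabled, groups the disabled rules by VRT category for triage, and emits gid:sid lines for the disabled rules in chosen categories. The one-gid:sid-per-line output shape is the form PulledPork's enablesid.conf takes; that is an assumption about a separate tool, not something this notice states. The sample text is a handful of entries copied from this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the notice's own shape; the entries are copied from
# this page, the selection is arbitrary.
SAMPLE_NOTICE = """\
New Rules:

 * 1:26652 <-> ENABLED <-> FILE-PDF Adobe Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:26650 <-> DISABLED <-> FILE-PDF Adobe Reader javascript regex embedded sandbox escape attempt (file-pdf.rules)
 * 1:26644 <-> ENABLED <-> SERVER-OTHER SSL TLS DEFLATE compression detected (server-other.rules)
 * 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules)

Modified Rules:

 * 1:26636 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt (browser-ie.rules)
 * 1:24908 <-> ENABLED <-> SERVER-MYSQL Oracle MySQL user enumeration attempt (server-mysql.rules)
"""

SECTION_RE = re.compile(r"^(New|Modified) Rules:\s*$")
ENTRY_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+"
    r"(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[\w-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    section: str  # "New" or "Modified"
    gid: int
    sid: int
    state: str    # default state in the pack: "ENABLED" or "DISABLED"
    msg: str
    group: str    # rules file the signature lives in, e.g. file-pdf.rules

    @property
    def category(self) -> str:
        # The message begins with the VRT category token (FILE-PDF, BROWSER-IE, ...).
        return self.msg.split(" ", 1)[0]


def parse_notice(text: str) -> List[RuleEntry]:
    """Parse an update notice into RuleEntry records, tracking the current section.

    Preamble lines (title, date, format description) are skipped; a line that
    looks like an entry (" * ...") but does not fit the documented shape is an
    error rather than being silently dropped.
    """
    entries: List[RuleEntry] = []
    section: Optional[str] = None
    for lineno, line in enumerate(text.splitlines(), 1):
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            if line.lstrip().startswith("*"):
                raise ValueError(f"line {lineno}: not in gid:sid <-> state <-> msg (group) form: {line!r}")
            continue
        if section is None:
            raise ValueError(f"line {lineno}: rule entry before any section header")
        entries.append(RuleEntry(section, int(m["gid"]), int(m["sid"]), m["state"], m["msg"], m["group"]))
    return entries


def count_by_state(entries: List[RuleEntry]) -> Dict[Tuple[str, str], int]:
    """(section, state) -> count, e.g. how many new rules ship disabled."""
    counts: Dict[Tuple[str, str], int] = {}
    for e in entries:
        key = (e.section, e.state)
        counts[key] = counts.get(key, 0) + 1
    return counts


def disabled_by_category(entries: List[RuleEntry]) -> Dict[str, List[int]]:
    """Disabled SIDs grouped by VRT category: the list to triage before enabling."""
    out: Dict[str, List[int]] = {}
    for e in entries:
        if e.state == "DISABLED":
            out.setdefault(e.category, []).append(e.sid)
    return out


def to_enablesid_lines(entries: List[RuleEntry], categories: Set[str]) -> List[str]:
    """gid:sid lines for disabled rules in the chosen categories.

    Assumption (not from the notice): this one-per-line shape is what
    PulledPork's enablesid.conf consumes.
    """
    return [f"{e.gid}:{e.sid}" for e in entries if e.state == "DISABLED" and e.category in categories]


if __name__ == "__main__":
    found = parse_notice(SAMPLE_NOTICE)
    print(count_by_state(found))
    print(disabled_by_category(found))
    print("\n".join(to_enablesid_lines(found, {"FILE-PDF"})))
```

Run it against the full text of a notice rather than the sample to get the real counts; the parser ignores the preamble and only rejects entry lines that stray from the documented shape.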

New Rules:
 * 1:26652 <-> ENABLED <-> FILE-PDF Adobe Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:26653 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:26650 <-> DISABLED <-> FILE-PDF Adobe Reader javascript regex embedded sandbox escape attempt (file-pdf.rules)
 * 1:26651 <-> ENABLED <-> FILE-PDF Adobe Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:26648 <-> DISABLED <-> FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt (file-other.rules)
 * 1:26649 <-> DISABLED <-> FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt (file-other.rules)
 * 1:26646 <-> ENABLED <-> BROWSER-PLUGINS Java security warning bypass through JWS attempt (browser-plugins.rules)
 * 1:26647 <-> ENABLED <-> BROWSER-PLUGINS Java security warning bypass through JWS attempt (browser-plugins.rules)
 * 1:26644 <-> ENABLED <-> SERVER-OTHER SSL TLS DEFLATE compression detected (server-other.rules)
 * 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules)
 * 1:26643 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field denial of service attempt (os-windows.rules)

Modified Rules:
 * 1:26636 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt (browser-ie.rules)
 * 1:25358 <-> DISABLED <-> APP-DETECT Acunetix web vulnerability scan attempt (app-detect.rules)
 * 1:26618 <-> DISABLED <-> SERVER-WEBAPP Potential hostile executable served from local compromised or malicious WordPress site (server-webapp.rules)
 * 1:24264 <-> ENABLED <-> FILE-PDF Overly large CreationDate within a pdf - likely malicious (file-pdf.rules)
 * 1:17669 <-> ENABLED <-> SERVER-ORACLE Oracle Application Server 10g OPMN service format string vulnerability exploit attempt (server-oracle.rules)
 * 1:23836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
 * 1:20666 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Thunderbird / SeaMonkey Content-Type header buffer overflow attempt (browser-firefox.rules)
 * 1:19595 <-> ENABLED <-> BLACKLIST EMAIL known malicious email string - You have received a Hallmark E-Card (blacklist.rules)
 * 1:16213 <-> DISABLED <-> SERVER-OTHER Red Hat Directory Server Accept-Language HTTP header parsing buffer overflow attempt (server-other.rules)
 * 1:13474 <-> DISABLED <-> OS-WINDOWS Microsoft WebDAV MiniRedir remote code execution attempt (os-windows.rules)
 * 1:13421 <-> ENABLED <-> BROWSER-PLUGINS Facebook Photo Uploader ActiveX function call access (browser-plugins.rules)
 * 1:17256 <-> ENABLED <-> OS-WINDOWS Microsoft Windows uniscribe fonts parsing memory corruption attempt (os-windows.rules)
 * 1:13419 <-> ENABLED <-> BROWSER-PLUGINS Facebook Photo Uploader ActiveX clsid access (browser-plugins.rules)
 * 1:13300 <-> ENABLED <-> FILE-FLASH Adobe Flash Player embedded JPG image height overflow attempt (file-flash.rules)
 * 1:18952 <-> DISABLED <-> FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt (file-other.rules)
 * 1:20667 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Thunderbird / SeaMonkey Content-Type header buffer overflow attempt (browser-firefox.rules)
 * 1:26637 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt (browser-ie.rules)
 * 1:26641 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt (browser-ie.rules)
 * 1:9420 <-> ENABLED <-> MALWARE-OTHER korgo attempt (malware-other.rules)
 * 1:24908 <-> ENABLED <-> SERVER-MYSQL Oracle MySQL user enumeration attempt (server-mysql.rules)
 * 1:26642 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt (browser-ie.rules)
 * 1:15930 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (os-windows.rules)
 * 1:15554 <-> DISABLED <-> SERVER-ORACLE Application Server 10g OPMN service format string vulnerability exploit attempt (server-oracle.rules)