Sourcefire VRT Rules Update

Date: 2013-07-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.6.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:27236 <-> ENABLED <-> SERVER-OTHER Citrix XenApp password buffer overflow attempt (server-other.rules)
 * 1:27234 <-> DISABLED <-> SERVER-OTHER Microsoft Active Directory LDAP search denial of service attempt (server-other.rules)
 * 1:27235 <-> ENABLED <-> EXPLOIT-KIT Redkit initial redirection embedded into a webpage (exploit-kit.rules)
 * 1:27232 <-> DISABLED <-> FILE-PDF Adobe Reader and Acrobat util.printf buffer overflow attempt (file-pdf.rules)
 * 1:27233 <-> DISABLED <-> FILE-PDF Adobe Reader and Acrobat util.printf buffer overflow attempt (file-pdf.rules)
 * 1:27231 <-> ENABLED <-> OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt (os-windows.rules)
 * 1:27230 <-> DISABLED <-> SERVER-WEBAPP Pragyan CMS form.lib.php remove file include attempt (server-webapp.rules)
 * 1:27228 <-> ENABLED <-> MALWARE-OTHER OSX.Trojan.Janicab file download attempt (malware-other.rules)
 * 1:27229 <-> ENABLED <-> MALWARE-OTHER Cookiebomb code injection attack (malware-other.rules)
 * 1:27226 <-> ENABLED <-> SERVER-WEBAPP DokuWiki PHP file inclusion attempt (server-webapp.rules)
 * 1:27227 <-> DISABLED <-> SERVER-WEBAPP txtSQL startup.php remote file include attempt (server-webapp.rules)
 * 1:27224 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion websocket invoke method access (server-other.rules)
 * 1:27225 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JRun error page getWriter denial of service attempt (server-other.rules)
 * 1:27222 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer innerHTML against incomplete element heap corruption attempt (browser-ie.rules)
 * 1:27223 <-> DISABLED <-> BROWSER-PLUGINS Oracle document capture Actbar2.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27220 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt (browser-ie.rules)
 * 1:27221 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt (browser-ie.rules)

Modified Rules:

 * 1:27137 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt (browser-ie.rules)
 * 1:3002 <-> DISABLED <-> OS-WINDOWS SMB Session Setup NTLMSSP unicode andx asn1 overflow attempt (os-windows.rules)
 * 1:3001 <-> DISABLED <-> OS-WINDOWS SMB Session Setup NTLMSSP andx asn1 overflow attempt (os-windows.rules)
 * 1:27173 <-> DISABLED <-> BROWSER-PLUGINS Cisco AnyConnect mobility client activex clsid access attempt (browser-plugins.rules)
 * 1:3004 <-> DISABLED <-> OS-WINDOWS SMB-DS Session Setup NTLMSSP andx asn1 overflow attempt (os-windows.rules)
 * 1:27138 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt (browser-ie.rules)
 * 1:2383 <-> DISABLED <-> OS-WINDOWS SMB-DS Session Setup NTLMSSP asn1 overflow attempt (os-windows.rules)
 * 1:21234 <-> DISABLED <-> SERVER-WEBAPP MKCOL Webdav Stack Buffer Overflow attempt (server-webapp.rules)
 * 1:2382 <-> DISABLED <-> OS-WINDOWS SMB Session Setup NTLMSSP asn1 overflow attempt (os-windows.rules)
 * 1:19269 <-> DISABLED <-> FILE-PDF attempted download of a PDF with embedded Flash (file-pdf.rules)
 * 1:19436 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt (browser-ie.rules)
 * 1:18535 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word file sprmTSetBrc processing buffer overflow attempt (file-office.rules)
 * 1:19268 <-> DISABLED <-> FILE-PDF attempted download of a PDF with embedded Flash (file-pdf.rules)
 * 1:16506 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer innerHTML against incomplete element heap corruption attempt (browser-ie.rules)
 * 1:17485 <-> DISABLED <-> PROTOCOL-DNS Symantec Gateway products DNS cache poisoning attempt (protocol-dns.rules)
 * 1:3000 <-> DISABLED <-> OS-WINDOWS SMB Session Setup NTLMSSP unicode asn1 overflow attempt (os-windows.rules)
 * 1:15727 <-> DISABLED <-> FILE-PDF attempted download of a PDF with embedded Flash (file-pdf.rules)
 * 1:3003 <-> DISABLED <-> OS-WINDOWS SMB-DS Session Setup NTLMSSP unicode asn1 overflow attempt (os-windows.rules)
 * 1:3005 <-> DISABLED <-> OS-WINDOWS SMB-DS Session Setup NTLMSSP unicode andx asn1 overflow attempt (os-windows.rules)
 * 1:26922 <-> ENABLED <-> OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt (os-windows.rules)
 * 1:25550 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)