Sourcefire VRT Rules Update

Date: 2013-08-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.5.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:27679 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (malware-cnc.rules)
 * 1:27680 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess variant outbound connection (malware-cnc.rules)
 * 1:27681 <-> DISABLED <-> SERVER-WEBAPP ASPMForum SQL injection attempt (server-webapp.rules)
 * 1:27682 <-> DISABLED <-> SERVER-WEBAPP ASPMForum SQL injection attempt (server-webapp.rules)
 * 1:27684 <-> DISABLED <-> SERVER-WEBAPP ASPMForum SQL injection attempt (server-webapp.rules)
 * 1:27683 <-> DISABLED <-> SERVER-WEBAPP ASPMForum SQL injection attempt (server-webapp.rules)
 * 1:27685 <-> DISABLED <-> SERVER-WEBAPP ASPMForum SQL injection attempt (server-webapp.rules)
 * 1:27686 <-> DISABLED <-> SERVER-WEBAPP ASPMForum SQL injection attempt (server-webapp.rules)
 * 1:27687 <-> DISABLED <-> SERVER-WEBAPP ASPMForum SQL injection attempt (server-webapp.rules)
 * 1:27689 <-> DISABLED <-> FILE-PDF Foxit PDF Reader authentication bypass attempt (file-pdf.rules)
 * 1:27688 <-> ENABLED <-> SERVER-WEBAPP mxBB MX Faq module_root_path file inclusion attempt (server-webapp.rules)
 * 1:27690 <-> DISABLED <-> FILE-PDF Foxit PDF Reader authentication bypass attempt (file-pdf.rules)
 * 1:27691 <-> ENABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:27692 <-> ENABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:27694 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib BytePackedRaster signed integer overflow attempt (file-java.rules)
 * 1:27693 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib BytePackedRaster signed integer overflow attempt (file-java.rules)
 * 1:27695 <-> ENABLED <-> EXPLOIT-KIT Kore exploit kit landing page (exploit-kit.rules)
 * 1:27696 <-> ENABLED <-> EXPLOIT-KIT Kore exploit kit landing page (exploit-kit.rules)
 * 1:27697 <-> ENABLED <-> EXPLOIT-KIT Kore exploit kit successful Java exploit (exploit-kit.rules)

Modified Rules:
 * 1:22081 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt (file-office.rules)
 * 1:23157 <-> ENABLED <-> EXPLOIT-KIT Nuclear Pack exploit kit binary download (exploit-kit.rules)
 * 1:23156 <-> ENABLED <-> EXPLOIT-KIT Nuclear Pack exploit kit landing page (exploit-kit.rules)
 * 1:23059 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio TAG_xxxSect code execution attempt (file-office.rules)
 * 1:21347 <-> ENABLED <-> EXPLOIT-KIT possible Blackhole URL - .php?page= (exploit-kit.rules)
 * 1:21301 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio TAG_xxxSect code execution attempt (file-office.rules)
 * 1:21302 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio TAG_OLEChunk code execution attempt (file-office.rules)
 * 1:21042 <-> DISABLED <-> EXPLOIT-KIT possible Blackhole post-compromise download attempt - .php?f= (exploit-kit.rules)
 * 1:21291 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio invalid row option attempt (file-office.rules)
 * 1:21041 <-> ENABLED <-> EXPLOIT-KIT possible Blackhole URL - main.php?page= (exploit-kit.rules)
 * 1:18216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 6 #default#anim attempt (browser-ie.rules)
 * 1:18682 <-> DISABLED <-> FILE-PDF transfer of a PDF with OpenAction object attempt (file-pdf.rules)
 * 1:17732 <-> DISABLED <-> FILE-IDENTIFY TIFF file download request (file-identify.rules)
 * 1:18212 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher tyo.oty field heap overflow attempt (file-office.rules)
 * 1:17737 <-> DISABLED <-> SERVER-MAIL Microsoft collaboration data objects buffer overflow attempt (server-mail.rules)
 * 1:17701 <-> ENABLED <-> BROWSER-PLUGINS Office Viewer ActiveX arbitrary command execution attempt (browser-plugins.rules)
 * 1:16589 <-> DISABLED <-> BROWSER-PLUGINS iseemedia LPViewer ActiveX function call access (browser-plugins.rules)
 * 1:17230 <-> DISABLED <-> FILE-IDENTIFY Tiff big endian file magic detected (file-identify.rules)
 * 1:16465 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ContinueFRT12 and MDXSet heap overflow attempt (file-office.rules)
 * 1:16588 <-> DISABLED <-> BROWSER-PLUGINS iseemedia LPViewer ActiveX clsid access (browser-plugins.rules)
 * 1:15863 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX function call access (browser-plugins.rules)
 * 1:15230 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Office Viewer 2 ActiveX clsid access (browser-plugins.rules)
 * 1:14760 <-> DISABLED <-> BROWSER-PLUGINS iseemedia LPViewer ActiveX clsid access (browser-plugins.rules)
 * 1:26973 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio TAG_xxxSect code execution attempt (file-office.rules)
 * 1:7760 <-> DISABLED <-> MALWARE-BACKDOOR netthief runtime detection (malware-backdoor.rules)
 * 1:26292 <-> ENABLED <-> FILE-JAVA Oracle Java Jar file downloaded when zip is defined (file-java.rules)
 * 1:24463 <-> DISABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)
 * 1:23227 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt (file-office.rules)
 * 1:14762 <-> DISABLED <-> BROWSER-PLUGINS iseemedia LPViewer ActiveX function call access (browser-plugins.rules)
 * 1:15685 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX clsid access (browser-plugins.rules)
 * 1:15687 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX function call access (browser-plugins.rules)
 * 1:15689 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access (browser-plugins.rules)
 * 1:11176 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Office PowerPoint Viewer ActiveX clsid access (browser-plugins.rules)
 * 1:11258 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Named Graph Information unicode overflow attempt (file-office.rules)
 * 1:15691 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access (browser-plugins.rules)
 * 1:11187 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Office Word Viewer ActiveX clsid access (browser-plugins.rules)
 * 1:11290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed named graph information ascii overflow attempt (file-office.rules)
 * 1:13665 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio DXF file invalid memory allocation exploit attempt (file-office.rules)
 * 1:15861 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access (browser-plugins.rules)
 * 1:17488 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Range Code Execution attempt (file-office.rules)
 * 1:18214 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher 97 conversion remote code execution attempt (file-office.rules)
 * 1:24154 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt (file-pdf.rules)
 * 1:24464 <-> DISABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)
 * 1:21043 <-> DISABLED <-> EXPLOIT-KIT possible Blackhole post-compromise download attempt - .php?e= (exploit-kit.rules)
 * 1:21348 <-> ENABLED <-> EXPLOIT-KIT possible Blackhole URL - search.php?page= (exploit-kit.rules)
 * 1:24267 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Range Code Execution attempt (file-office.rules)
 * 1:23710 <-> DISABLED <-> FILE-IDENTIFY Tiff big endian file magic detected (file-identify.rules)
 * 1:14756 <-> ENABLED <-> BROWSER-PLUGINS Microsoft SQL Server 2000 Client Components ActiveX clsid access (browser-plugins.rules)
 * 1:14642 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel file with embedded ActiveX control (file-office.rules)