Sourcefire VRT Rules Update

Date: 2013-08-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.5.0.

Each entry in the lists below has the format:

gid:sid <-> Default rule state <-> Message (rule group)

where gid:sid is the generator ID and Snort ID of the rule, the default rule state is whether the rule ships ENABLED or DISABLED in this pack, the message is the rule's msg text, and the rule group in parentheses is the rules file that contains it.

New Rules:

 * 1:27748 <-> DISABLED <-> SERVER-WEBAPP Outfront Spooky Login register.asp SQL injection attempt (server-webapp.rules)
 * 1:27749 <-> DISABLED <-> SERVER-WEBAPP Outfront Spooky Login a_register.asp SQL injection attempt (server-webapp.rules)
 * 1:27765 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (file-java.rules)
 * 1:27764 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (file-java.rules)
 * 1:27763 <-> DISABLED <-> BROWSER-PLUGINS Husdawg System Requirements Lab Control ActiveX clsid access (browser-plugins.rules)
 * 1:27762 <-> DISABLED <-> BROWSER-PLUGINS Ultra Shareware Office Control ActiveX clsid access (browser-plugins.rules)
 * 1:27761 <-> DISABLED <-> BROWSER-PLUGINS Ultra Shareware Office Control ActiveX function call access (browser-plugins.rules)
 * 1:27760 <-> DISABLED <-> BROWSER-PLUGINS Ultra Shareware Office Control ActiveX function call access (browser-plugins.rules)
 * 1:27759 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Treizt variant connection attempt (malware-cnc.rules)
 * 1:27758 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Visual Studio Msmask32 ActiveX function call access (browser-plugins.rules)
 * 1:27746 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Hanthie outbound connection (malware-cnc.rules)
 * 1:27745 <-> ENABLED <-> BROWSER-PLUGINS BaoFeng Storm ActiveX control SetAttributeValue method buffer overflow attempt (browser-plugins.rules)
 * 1:27744 <-> ENABLED <-> BROWSER-PLUGINS BaoFeng Storm ActiveX control OnBeforeVideoDownload method buffer overflow attempt (browser-plugins.rules)
 * 1:27741 <-> ENABLED <-> EXPLOIT-KIT Zip file downloaded by Java (exploit-kit.rules)
 * 1:27742 <-> DISABLED <-> BROWSER-PLUGINS EasyMail Objects Activex remote buffer overflow attempt (browser-plugins.rules)
 * 1:27743 <-> DISABLED <-> BROWSER-PLUGINS EasyMail Objects Activex remote buffer overflow attempt (browser-plugins.rules)
 * 1:27736 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in Cookiebomb attack (indicator-obfuscation.rules)
 * 1:27740 <-> ENABLED <-> EXPLOIT-KIT Oracle Java jar file downloaded by Java when zip was defined (exploit-kit.rules)
 * 1:27738 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit landing page (exploit-kit.rules)
 * 1:27739 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit redirection page (exploit-kit.rules)
 * 1:27735 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in Cookiebomb attack (indicator-obfuscation.rules)
 * 1:27737 <-> DISABLED <-> BLACKLIST Suspicious .c0m.li dns query (blacklist.rules)
 * 1:27734 <-> ENABLED <-> EXPLOIT-KIT Cookiebomb embedded javascript attack method - specific structure (exploit-kit.rules)
 * 1:27731 <-> ENABLED <-> INDICATOR-COMPROMISE request for potential web shell - /inback.jsp (indicator-compromise.rules)
 * 1:27732 <-> ENABLED <-> INDICATOR-COMPROMISE request for potential web shell - /jspspy.jsp (indicator-compromise.rules)
 * 1:27733 <-> DISABLED <-> EXPLOIT-KIT Cookiebomb embedded javascript attack method - generic structure (exploit-kit.rules)
 * 1:27726 <-> ENABLED <-> MALWARE-CNC Orbit Downloader denial of service update attempt (malware-cnc.rules)
 * 1:27730 <-> ENABLED <-> INDICATOR-COMPROMISE request for potential web shell - /css3.jsp (indicator-compromise.rules)
 * 1:27729 <-> ENABLED <-> INDICATOR-COMPROMISE request for potential web shell - /Silic.jsp (indicator-compromise.rules)
 * 1:27727 <-> ENABLED <-> MALWARE-CNC Orbit Downloader denial of service update attempt (malware-cnc.rules)
 * 1:27728 <-> ENABLED <-> MALWARE-CNC Orbit Downloader denial of service update attempt (malware-cnc.rules)
 * 1:27721 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .su dns query (indicator-compromise.rules)
 * 1:27725 <-> DISABLED <-> OS-MOBILE Android SMSAgent.C outbound SMTP communication (os-mobile.rules)
 * 1:27724 <-> DISABLED <-> SQL McAfee ePolicy Orchestrator timing based SQL injection attempt (sql.rules)
 * 1:27722 <-> DISABLED <-> DELETED BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (deleted.rules)
 * 1:27723 <-> DISABLED <-> SQL McAfee ePolicy Orchestrator timing based SQL injection attempt (sql.rules)
 * 1:27750 <-> ENABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:27751 <-> ENABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:27752 <-> DISABLED <-> SERVER-WEBAPP Neocrome Land Down Under profile.inc.php SQL injection attempt (server-webapp.rules)
 * 1:27753 <-> ENABLED <-> SERVER-WEBAPP Click N Print Coupons coupon_detail.asp SQL injection attempt (server-webapp.rules)
 * 1:27754 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules)
 * 1:27755 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules)
 * 1:27756 <-> DISABLED <-> SERVER-WEBAPP RedHat Piranha Virtual Server Package default passwd and arbitrary command execution attempt (server-webapp.rules)
 * 1:27757 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Visual Studio Msmask32 ActiveX clsid access (browser-plugins.rules)
 * 1:27747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banechant outbound variant connection attempt (malware-cnc.rules)

Modified Rules:

 * 1:13916 <-> DISABLED <-> SERVER-WEBAPP Alt-N SecurityGateway username buffer overflow attempt (server-webapp.rules)
 * 1:13948 <-> DISABLED <-> PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning (protocol-dns.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:14021 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Visual Studio Msmask32 ActiveX clsid access (browser-plugins.rules)
 * 1:14023 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Visual Studio Msmask32 ActiveX function call access (browser-plugins.rules)
 * 1:14631 <-> DISABLED <-> BROWSER-PLUGINS Husdawg System Requirements Lab Control ActiveX clsid access (browser-plugins.rules)
 * 1:14641 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt (file-office.rules)
 * 1:14771 <-> DISABLED <-> SERVER-APACHE BEA WebLogic Apache Oracle connector Transfer-Encoding buffer overflow attempt (server-apache.rules)
 * 1:15562 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPX malformed code-block width memory corruption attempt (file-pdf.rules)
 * 1:16565 <-> DISABLED <-> BROWSER-PLUGINS Ultra Shareware Office Control ActiveX clsid access (browser-plugins.rules)
 * 1:17139 <-> DISABLED <-> SERVER-OTHER Symantec Alert Management System HNDLRSVC arbitrary command execution attempt (server-other.rules)
 * 1:17333 <-> DISABLED <-> SERVER-MAIL Lotus Notes Attachment Viewer UUE file buffer overflow attempt (server-mail.rules)
 * 1:18526 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader shell metacharacter code execution attempt (file-pdf.rules)
 * 1:18527 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader shell metacharacter code execution attempt (file-pdf.rules)
 * 1:20752 <-> ENABLED <-> PUA-ADWARE Win32.GameVance outbound connection (pua-adware.rules)
 * 1:24889 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules)
 * 1:24890 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules)
 * 1:24891 <-> DISABLED <-> FILE-FLASH Adobe Flash Player action InitArray stack overflow attempt (file-flash.rules)
 * 1:24894 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt (file-flash.rules)
 * 1:25459 <-> DISABLED <-> FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules)
 * 1:25767 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPX malformed code-block width memory corruption attempt (file-pdf.rules)
 * 1:26292 <-> ENABLED <-> EXPLOIT-KIT Oracle Java Jar file downloaded when zip is defined (exploit-kit.rules)
 * 1:26985 <-> ENABLED <-> EXPLOIT-KIT Rawin exploit kit outbound java retrieval (exploit-kit.rules)
 * 1:26997 <-> DISABLED <-> MALWARE-CNC OSX.Trojan.Morcut outbound connection attempt (malware-cnc.rules)
 * 1:27612 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkupPointer with SVG use-after-free attempt (browser-ie.rules)
 * 1:27621 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:27622 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:27672 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:27673 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:27674 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:27675 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:27691 <-> ENABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:27692 <-> ENABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:27693 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib BytePackedRaster signed integer overflow attempt (file-java.rules)
 * 1:8448 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel colinfo XF record overflow attempt (file-office.rules)
 * 1:27694 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib BytePackedRaster signed integer overflow attempt (file-java.rules)