VRT Rules 2014-10-08
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the browser-plugins, file-office, file-other, protocol-dns, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2014-10-08 15:12:56 UTC

Sourcefire VRT Rules Update

Date: 2014-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32100 <-> DISABLED <-> FILE-OTHER Adobe Flash Player integer overflow out-of-bounds read attempt (file-other.rules)
 * 1:32102 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules)
 * 1:32099 <-> DISABLED <-> FILE-OTHER Adobe Flash Player integer overflow out-of-bounds read attempt (file-other.rules)
 * 1:32104 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules)
 * 1:32109 <-> DISABLED <-> SERVER-WEBAPP Easy File Management stack buffer overflow attempt (server-webapp.rules)
 * 1:32103 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules)
 * 1:32105 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules)
 * 3:32111 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32115 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:32113 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32112 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32107 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)
 * 3:32106 <-> ENABLED <-> SERVER-OTHER Cisco ASA SCPS command injection attempt (server-other.rules)
 * 3:32116 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:32101 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN login.html memory corruption attempt (server-webapp.rules)
 * 3:32114 <-> ENABLED <-> SERVER-OTHER Cisco ASA SunRPC inspection engine denial of service attempt (server-other.rules)
 * 3:32110 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32108 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)

Modified Rules:

 * 1:18582 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 1:31529 <-> ENABLED <-> SERVER-OTHER D-Link Multiple Products HNAP request buffer overflow attempt (server-other.rules)
 * 1:663 <-> DISABLED <-> SERVER-MAIL Sendmail rcpt to command attempt (server-mail.rules)
 * 1:32083 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
 * 1:16059 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
 * 1:31525 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:18581 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 1:31526 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:16216 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)

2014-10-08 15:12:56 UTC

Sourcefire VRT Rules Update

Date: 2014-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32104 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules)
 * 1:32109 <-> DISABLED <-> SERVER-WEBAPP Easy File Management stack buffer overflow attempt (server-webapp.rules)
 * 1:32100 <-> DISABLED <-> FILE-OTHER Adobe Flash Player integer overflow out-of-bounds read attempt (file-other.rules)
 * 1:32103 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules)
 * 1:32105 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules)
 * 1:32102 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules)
 * 1:32099 <-> DISABLED <-> FILE-OTHER Adobe Flash Player integer overflow out-of-bounds read attempt (file-other.rules)
 * 3:32113 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32108 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)
 * 3:32114 <-> ENABLED <-> SERVER-OTHER Cisco ASA SunRPC inspection engine denial of service attempt (server-other.rules)
 * 3:32111 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32101 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN login.html memory corruption attempt (server-webapp.rules)
 * 3:32107 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)
 * 3:32106 <-> ENABLED <-> SERVER-OTHER Cisco ASA SCPS command injection attempt (server-other.rules)
 * 3:32112 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32116 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:32110 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32115 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)

Modified Rules:

 * 1:31525 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:31529 <-> ENABLED <-> SERVER-OTHER D-Link Multiple Products HNAP request buffer overflow attempt (server-other.rules)
 * 1:16059 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
 * 1:31526 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:32083 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
 * 1:16216 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 1:18582 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 1:663 <-> DISABLED <-> SERVER-MAIL Sendmail rcpt to command attempt (server-mail.rules)
 * 1:18581 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)

2014-10-08 15:12:56 UTC

Sourcefire VRT Rules Update

Date: 2014-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32109 <-> DISABLED <-> SERVER-WEBAPP Easy File Management stack buffer overflow attempt (server-webapp.rules)
 * 1:32105 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules)
 * 1:32104 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules)
 * 1:32103 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules)
 * 1:32102 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules)
 * 1:32100 <-> DISABLED <-> FILE-OTHER Adobe Flash Player integer overflow out-of-bounds read attempt (file-other.rules)
 * 1:32099 <-> DISABLED <-> FILE-OTHER Adobe Flash Player integer overflow out-of-bounds read attempt (file-other.rules)
 * 3:32106 <-> ENABLED <-> SERVER-OTHER Cisco ASA SCPS command injection attempt (server-other.rules)
 * 3:32107 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)
 * 3:32101 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN login.html memory corruption attempt (server-webapp.rules)
 * 3:32116 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:32115 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:32113 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32114 <-> ENABLED <-> SERVER-OTHER Cisco ASA SunRPC inspection engine denial of service attempt (server-other.rules)
 * 3:32112 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32111 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32110 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32108 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)

Modified Rules:

 * 1:32083 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
 * 1:16059 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
 * 1:16216 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 1:18582 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 1:18581 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 1:31525 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:31529 <-> ENABLED <-> SERVER-OTHER D-Link Multiple Products HNAP request buffer overflow attempt (server-other.rules)
 * 1:31526 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:663 <-> DISABLED <-> SERVER-MAIL Sendmail rcpt to command attempt (server-mail.rules)
 * 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)