CVE-2014-8967: Microsoft Internet Explorer suffers from a programming error that may lead to remote code execution.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32777 through 32778.
The VRT has also added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, file-multimedia, file-office, file-other, file-pdf, malware-cnc, malware-other, os-windows, policy-other, server-iis, server-other and sql rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32774 <-> DISABLED <-> SERVER-OTHER Siemens Simatic S7-300 PLC backdoor login attempt (server-other.rules) * 1:32778 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CheaderElement use after free attempt (browser-ie.rules) * 1:32776 <-> ENABLED <-> MALWARE-CNC FIN4 VBA Macro credentials upload attempt (malware-cnc.rules) * 1:32777 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CheaderElement use after free attempt (browser-ie.rules) * 1:32773 <-> ENABLED <-> SERVER-WEBAPP Symantec messaging gateway management console cross-site scripting attempt (server-webapp.rules) * 1:32775 <-> DISABLED <-> SERVER-OTHER Siemens Simatic S7-300 PLC remote memory dump (server-other.rules) * 1:32771 <-> DISABLED <-> MALWARE-OTHER Adobe Invoice email scam phishing attempt (malware-other.rules) * 1:32772 <-> DISABLED <-> MALWARE-OTHER Adobe License Key email scam phishing attempt (malware-other.rules) * 1:32768 <-> DISABLED <-> SQL PK-CMS SQL injection attempt (sql.rules) * 1:32766 <-> ENABLED <-> FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt (file-flash.rules) * 1:32765 <-> ENABLED <-> FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt (file-flash.rules) * 1:32769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WOWCheckC Attempted CNC on non-standard HTTP Ports (malware-cnc.rules) * 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt (malware-cnc.rules) * 1:32726 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.ilscnu.org.FindHere.org - Win.Backdoor.Uclinu variant (blacklist.rules) * 1:32727 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Uclinu variant outbound connection (malware-cnc.rules) * 1:32728 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Olegb variant outbound connection (malware-cnc.rules) * 1:32729 <-> DISABLED <-> POLICY-OTHER HP Network Node Manager ovopi.dll command 685 insecure pointer dereference attempt (policy-other.rules) * 1:32730 <-> ENABLED <-> FILE-OTHER Microsoft Windows XP .theme file remote code execution attempt (file-other.rules) * 1:32731 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules) * 1:32732 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules) * 1:32733 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fabernext.roma1.infn.it - Win.Backdoor.Typideg variant (blacklist.rules) * 1:32734 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Typideg variant outbound connection (malware-cnc.rules) * 1:32735 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoPHP variant outbound connection (malware-cnc.rules) * 1:32736 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoPHP variant outbound connection (malware-cnc.rules) * 1:32737 <-> DISABLED <-> SERVER-OTHER Lianja SQL Server db_netserver Buffer Overflow attempt (server-other.rules) * 1:32738 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt (file-multimedia.rules) * 1:32739 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt (file-multimedia.rules) * 1:32740 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:32741 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:32742 <-> ENABLED <-> SERVER-WEBAPP Arris VAP2500 tools_command.php command execution attempt (server-webapp.rules) * 1:32743 <-> ENABLED <-> MALWARE-CNC VGABot IRC communication attempt (malware-cnc.rules) * 1:32744 <-> DISABLED <-> SERVER-WEBAPP ManageEngine NetFlow Analyzer DisplayChartPDF directory traversal attempt (server-webapp.rules) * 1:32745 <-> DISABLED <-> SERVER-WEBAPP ManageEngine NetFlow Analyzer information disclosure attempt (server-webapp.rules) * 1:32746 <-> DISABLED <-> SERVER-WEBAPP Wordpress OptimizePress plugin theme upload attempt (server-webapp.rules) * 1:32747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragebot variant outbound connection (malware-cnc.rules) * 1:32748 <-> DISABLED <-> SERVER-OTHER Ecava IntegraXor HMI /res buffer overflow attempt (server-other.rules) * 1:32749 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt (file-flash.rules) * 1:32750 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt (file-flash.rules) * 1:32751 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt (file-flash.rules) * 1:32752 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt (file-flash.rules) * 1:32753 <-> ENABLED <-> SERVER-WEBAPP FreePBX Framework Asterisk recording interface PHP unserialize code execution attempt (server-webapp.rules) * 1:32754 <-> DISABLED <-> BROWSER-PLUGINS Microsoft SQL Server 2000 Client Components ActiveX clsid access (browser-plugins.rules) * 1:32755 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (server-other.rules) * 1:32756 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (server-other.rules) * 1:32767 <-> ENABLED <-> FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt (file-flash.rules) * 1:32757 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (server-other.rules) * 1:32758 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (server-other.rules) * 1:32759 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (server-other.rules) * 1:32760 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (server-other.rules) * 1:32761 <-> DISABLED <-> SERVER-WEBAPP dBlog CMS m parameter SQL injection attempt (server-webapp.rules) * 1:32762 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TextRange after free attempt (browser-ie.rules) * 1:32763 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TextRange after free attempt (browser-ie.rules) * 1:32764 <-> ENABLED <-> FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt (file-flash.rules)
* 1:32171 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader string replacement heap overflow attempt (file-pdf.rules) * 1:32588 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Selection exploit attempt (file-office.rules) * 1:32625 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules) * 1:32589 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Selection exploit attempt (file-office.rules) * 1:32710 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt (browser-ie.rules) * 1:11838 <-> DISABLED <-> OS-WINDOWS Microsoft Windows API res buffer overflow attempt (os-windows.rules) * 1:15728 <-> DISABLED <-> FILE-PDF Possible Adobe Acrobat Reader ActionScript byte_array heap spray attempt (file-pdf.rules) * 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules) * 1:17440 <-> DISABLED <-> SERVER-IIS RSA authentication agent for web redirect buffer overflow attempt (server-iis.rules) * 1:17526 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta buffer overflow attempt (file-pdf.rules) * 1:19250 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D file include overflow attempt (file-pdf.rules) * 1:25459 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules) * 1:28303 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta buffer overflow attempt (file-pdf.rules) * 1:28585 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader OTF font head table size overflow attempt (file-pdf.rules) * 1:28586 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader OTF font head table size overflow attempt (file-pdf.rules) * 1:28591 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TTF remote code execution attempt (file-pdf.rules) * 1:28592 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TTF remote code execution attempt (file-pdf.rules) * 1:28597 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader field dictionary null pointer dereference attempt (file-pdf.rules) * 1:28598 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader field dictionary null pointer dereference attempt (file-pdf.rules) * 1:28600 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt (file-pdf.rules) * 1:28601 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt (file-pdf.rules) * 1:28602 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt (file-pdf.rules) * 1:28603 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt (file-pdf.rules) * 1:28622 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt (file-pdf.rules) * 1:28626 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta Buffer Overflow (file-pdf.rules) * 1:28716 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader compact font format memory corruption attempt (file-pdf.rules) * 1:28717 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader compact font format memory corruption attempt (file-pdf.rules) * 1:29062 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed JBIG2 decode segment null pointer crash attempt (file-pdf.rules) * 1:29063 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed JBIG2 decode segment null pointer crash attempt (file-pdf.rules) * 1:29622 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt (file-pdf.rules) * 1:29669 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pattern object memory corruption attempt (file-pdf.rules) * 1:29902 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules) * 1:29903 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules) * 1:29904 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules) * 1:29905 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules) * 1:31008 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader length-compute UTF-16 string buffer overflow attempt (file-pdf.rules) * 1:31009 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader length-compute UTF-16 string buffer overflow attempt (file-pdf.rules) * 1:31011 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DCT encoded stream null pointer dereference attempt (file-pdf.rules) * 1:31012 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DCT encoded stream null pointer dereference attempt (file-pdf.rules) * 1:31021 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader api call handling arbitrary execution attempt (file-pdf.rules) * 1:32337 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pattern object memory corruption attempt (file-pdf.rules) * 1:32434 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word lcbPlcffndTxt out-of-bounds attempt (file-office.rules) * 1:32433 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word fcPlfguidUim out-of-bounds attempt (file-office.rules) * 1:32021 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules) * 1:32022 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules) * 1:31022 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader api call handling arbitrary execution attempt (file-pdf.rules) * 1:32070 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dalgan variant outbound connection attempt (malware-cnc.rules) * 1:32435 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word fcPlfguidUim out-of-bounds attempt (file-office.rules) * 1:31612 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded PRC stream NULL dereference denial of service attempt (file-pdf.rules) * 1:32170 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader string replacement heap overflow attempt (file-pdf.rules) * 1:32432 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word lcbPlcffndTxt out-of-bounds attempt (file-office.rules) * 1:31613 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded PRC stream NULL dereference denial of service attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32765 <-> ENABLED <-> FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt (file-flash.rules) * 1:32769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WOWCheckC Attempted CNC on non-standard HTTP Ports (malware-cnc.rules) * 1:32768 <-> DISABLED <-> SQL PK-CMS SQL injection attempt (sql.rules) * 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt (malware-cnc.rules) * 1:32771 <-> DISABLED <-> MALWARE-OTHER Adobe Invoice email scam phishing attempt (malware-other.rules) * 1:32772 <-> DISABLED <-> MALWARE-OTHER Adobe License Key email scam phishing attempt (malware-other.rules) * 1:32773 <-> ENABLED <-> SERVER-WEBAPP Symantec messaging gateway management console cross-site scripting attempt (server-webapp.rules) * 1:32774 <-> DISABLED <-> SERVER-OTHER Siemens Simatic S7-300 PLC backdoor login attempt (server-other.rules) * 1:32775 <-> DISABLED <-> SERVER-OTHER Siemens Simatic S7-300 PLC remote memory dump (server-other.rules) * 1:32776 <-> ENABLED <-> MALWARE-CNC FIN4 VBA Macro credentials upload attempt (malware-cnc.rules) * 1:32777 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CheaderElement use after free attempt (browser-ie.rules) * 1:32778 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CheaderElement use after free attempt (browser-ie.rules) * 1:32726 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.ilscnu.org.FindHere.org - Win.Backdoor.Uclinu variant (blacklist.rules) * 1:32727 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Uclinu variant outbound connection (malware-cnc.rules) * 1:32728 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Olegb variant outbound connection (malware-cnc.rules) * 1:32729 <-> DISABLED <-> POLICY-OTHER HP Network Node Manager ovopi.dll command 685 insecure pointer dereference attempt (policy-other.rules) * 1:32730 <-> ENABLED <-> FILE-OTHER Microsoft Windows XP .theme file remote code execution attempt (file-other.rules) * 1:32731 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules) * 1:32732 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules) * 1:32733 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fabernext.roma1.infn.it - Win.Backdoor.Typideg variant (blacklist.rules) * 1:32734 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Typideg variant outbound connection (malware-cnc.rules) * 1:32735 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoPHP variant outbound connection (malware-cnc.rules) * 1:32736 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoPHP variant outbound connection (malware-cnc.rules) * 1:32737 <-> DISABLED <-> SERVER-OTHER Lianja SQL Server db_netserver Buffer Overflow attempt (server-other.rules) * 1:32738 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt (file-multimedia.rules) * 1:32739 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt (file-multimedia.rules) * 1:32740 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:32741 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:32742 <-> ENABLED <-> SERVER-WEBAPP Arris VAP2500 tools_command.php command execution attempt (server-webapp.rules) * 1:32743 <-> ENABLED <-> MALWARE-CNC VGABot IRC communication attempt (malware-cnc.rules) * 1:32744 <-> DISABLED <-> SERVER-WEBAPP ManageEngine NetFlow Analyzer DisplayChartPDF directory traversal attempt (server-webapp.rules) * 1:32745 <-> DISABLED <-> SERVER-WEBAPP ManageEngine NetFlow Analyzer information disclosure attempt (server-webapp.rules) * 1:32746 <-> DISABLED <-> SERVER-WEBAPP Wordpress OptimizePress plugin theme upload attempt (server-webapp.rules) * 1:32747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragebot variant outbound connection (malware-cnc.rules) * 1:32748 <-> DISABLED <-> SERVER-OTHER Ecava IntegraXor HMI /res buffer overflow attempt (server-other.rules) * 1:32749 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt (file-flash.rules) * 1:32750 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt (file-flash.rules) * 1:32751 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt (file-flash.rules) * 1:32752 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt (file-flash.rules) * 1:32767 <-> ENABLED <-> FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt (file-flash.rules) * 1:32753 <-> ENABLED <-> SERVER-WEBAPP FreePBX Framework Asterisk recording interface PHP unserialize code execution attempt (server-webapp.rules) * 1:32754 <-> DISABLED <-> BROWSER-PLUGINS Microsoft SQL Server 2000 Client Components ActiveX clsid access (browser-plugins.rules) * 1:32755 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (server-other.rules) * 1:32756 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (server-other.rules) * 1:32757 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (server-other.rules) * 1:32758 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (server-other.rules) * 1:32759 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (server-other.rules) * 1:32760 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (server-other.rules) * 1:32763 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TextRange after free attempt (browser-ie.rules) * 1:32761 <-> DISABLED <-> SERVER-WEBAPP dBlog CMS m parameter SQL injection attempt (server-webapp.rules) * 1:32762 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TextRange after free attempt (browser-ie.rules) * 1:32766 <-> ENABLED <-> FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt (file-flash.rules) * 1:32764 <-> ENABLED <-> FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt (file-flash.rules)
* 1:32588 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Selection exploit attempt (file-office.rules) * 1:32589 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Selection exploit attempt (file-office.rules) * 1:32625 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules) * 1:32710 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt (browser-ie.rules) * 1:11838 <-> DISABLED <-> OS-WINDOWS Microsoft Windows API res buffer overflow attempt (os-windows.rules) * 1:15728 <-> DISABLED <-> FILE-PDF Possible Adobe Acrobat Reader ActionScript byte_array heap spray attempt (file-pdf.rules) * 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules) * 1:17440 <-> DISABLED <-> SERVER-IIS RSA authentication agent for web redirect buffer overflow attempt (server-iis.rules) * 1:17526 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta buffer overflow attempt (file-pdf.rules) * 1:19250 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D file include overflow attempt (file-pdf.rules) * 1:25459 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules) * 1:28303 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta buffer overflow attempt (file-pdf.rules) * 1:28585 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader OTF font head table size overflow attempt (file-pdf.rules) * 1:28586 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader OTF font head table size overflow attempt (file-pdf.rules) * 1:28591 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TTF remote code execution attempt (file-pdf.rules) * 1:28592 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TTF remote code execution attempt (file-pdf.rules) * 1:28597 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader field dictionary null pointer dereference attempt (file-pdf.rules) * 1:28598 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader field dictionary null pointer dereference attempt (file-pdf.rules) * 1:28600 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt (file-pdf.rules) * 1:28601 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt (file-pdf.rules) * 1:28602 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt (file-pdf.rules) * 1:28603 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt (file-pdf.rules) * 1:28622 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt (file-pdf.rules) * 1:28626 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta Buffer Overflow (file-pdf.rules) * 1:28716 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader compact font format memory corruption attempt (file-pdf.rules) * 1:28717 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader compact font format memory corruption attempt (file-pdf.rules) * 1:29062 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed JBIG2 decode segment null pointer crash attempt (file-pdf.rules) * 1:29063 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed JBIG2 decode segment null pointer crash attempt (file-pdf.rules) * 1:29622 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt (file-pdf.rules) * 1:29669 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pattern object memory corruption attempt (file-pdf.rules) * 1:29902 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules) * 1:29903 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules) * 1:29904 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules) * 1:29905 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules) * 1:31008 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader length-compute UTF-16 string buffer overflow attempt (file-pdf.rules) * 1:31009 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader length-compute UTF-16 string buffer overflow attempt (file-pdf.rules) * 1:31011 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DCT encoded stream null pointer dereference attempt (file-pdf.rules) * 1:31012 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DCT encoded stream null pointer dereference attempt (file-pdf.rules) * 1:32070 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dalgan variant outbound connection attempt (malware-cnc.rules) * 1:32171 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader string replacement heap overflow attempt (file-pdf.rules) * 1:31021 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader api call handling arbitrary execution attempt (file-pdf.rules) * 1:31022 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader api call handling arbitrary execution attempt (file-pdf.rules) * 1:31612 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded PRC stream NULL dereference denial of service attempt (file-pdf.rules) * 1:31613 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded PRC stream NULL dereference denial of service attempt (file-pdf.rules) * 1:32435 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word fcPlfguidUim out-of-bounds attempt (file-office.rules) * 1:32022 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules) * 1:32021 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules) * 1:32170 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader string replacement heap overflow attempt (file-pdf.rules) * 1:32434 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word lcbPlcffndTxt out-of-bounds attempt (file-office.rules) * 1:32433 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word fcPlfguidUim out-of-bounds attempt (file-office.rules) * 1:32432 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word lcbPlcffndTxt out-of-bounds attempt (file-office.rules) * 1:32337 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pattern object memory corruption attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32778 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CheaderElement use after free attempt (browser-ie.rules) * 1:32777 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CheaderElement use after free attempt (browser-ie.rules) * 1:32776 <-> ENABLED <-> MALWARE-CNC FIN4 VBA Macro credentials upload attempt (malware-cnc.rules) * 1:32775 <-> DISABLED <-> SERVER-OTHER Siemens Simatic S7-300 PLC remote memory dump (server-other.rules) * 1:32774 <-> DISABLED <-> SERVER-OTHER Siemens Simatic S7-300 PLC backdoor login attempt (server-other.rules) * 1:32773 <-> ENABLED <-> SERVER-WEBAPP Symantec messaging gateway management console cross-site scripting attempt (server-webapp.rules) * 1:32772 <-> DISABLED <-> MALWARE-OTHER Adobe License Key email scam phishing attempt (malware-other.rules) * 1:32771 <-> DISABLED <-> MALWARE-OTHER Adobe Invoice email scam phishing attempt (malware-other.rules) * 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt (malware-cnc.rules) * 1:32769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WOWCheckC Attempted CNC on non-standard HTTP Ports (malware-cnc.rules) * 1:32768 <-> DISABLED <-> SQL PK-CMS SQL injection attempt (sql.rules) * 1:32767 <-> ENABLED <-> FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt (file-flash.rules) * 1:32766 <-> ENABLED <-> FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt (file-flash.rules) * 1:32765 <-> ENABLED <-> FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt (file-flash.rules) * 1:32764 <-> ENABLED <-> FILE-FLASH Adobe ActionScript malformed pushwith opcode attempt (file-flash.rules) * 1:32763 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TextRange after free attempt (browser-ie.rules) * 1:32762 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TextRange after free attempt (browser-ie.rules) * 1:32761 <-> DISABLED <-> SERVER-WEBAPP dBlog CMS m parameter SQL injection attempt (server-webapp.rules) * 1:32760 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (server-other.rules) * 1:32759 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (server-other.rules) * 1:32758 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (server-other.rules) * 1:32757 <-> DISABLED <-> SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt (server-other.rules) * 1:32756 <-> DISABLED <-> SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt (server-other.rules) * 1:32755 <-> DISABLED <-> SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt (server-other.rules) * 1:32754 <-> DISABLED <-> BROWSER-PLUGINS Microsoft SQL Server 2000 Client Components ActiveX clsid access (browser-plugins.rules) * 1:32753 <-> ENABLED <-> SERVER-WEBAPP FreePBX Framework Asterisk recording interface PHP unserialize code execution attempt (server-webapp.rules) * 1:32752 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt (file-flash.rules) * 1:32751 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt (file-flash.rules) * 1:32750 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt (file-flash.rules) * 1:32749 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed pushcode type confusion remote code execution attempt (file-flash.rules) * 1:32748 <-> DISABLED <-> SERVER-OTHER Ecava IntegraXor HMI /res buffer overflow attempt (server-other.rules) * 1:32747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragebot variant outbound connection (malware-cnc.rules) * 1:32746 <-> DISABLED <-> SERVER-WEBAPP Wordpress OptimizePress plugin theme upload attempt (server-webapp.rules) * 1:32745 <-> DISABLED <-> SERVER-WEBAPP ManageEngine NetFlow Analyzer information disclosure attempt (server-webapp.rules) * 1:32744 <-> DISABLED <-> SERVER-WEBAPP ManageEngine NetFlow Analyzer DisplayChartPDF directory traversal attempt (server-webapp.rules) * 1:32743 <-> ENABLED <-> MALWARE-CNC VGABot IRC communication attempt (malware-cnc.rules) * 1:32742 <-> ENABLED <-> SERVER-WEBAPP Arris VAP2500 tools_command.php command execution attempt (server-webapp.rules) * 1:32741 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:32740 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules) * 1:32739 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt (file-multimedia.rules) * 1:32738 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt (file-multimedia.rules) * 1:32737 <-> DISABLED <-> SERVER-OTHER Lianja SQL Server db_netserver Buffer Overflow attempt (server-other.rules) * 1:32736 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoPHP variant outbound connection (malware-cnc.rules) * 1:32735 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoPHP variant outbound connection (malware-cnc.rules) * 1:32734 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Typideg variant outbound connection (malware-cnc.rules) * 1:32733 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fabernext.roma1.infn.it - Win.Backdoor.Typideg variant (blacklist.rules) * 1:32732 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules) * 1:32731 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules) * 1:32730 <-> ENABLED <-> FILE-OTHER Microsoft Windows XP .theme file remote code execution attempt (file-other.rules) * 1:32729 <-> DISABLED <-> POLICY-OTHER HP Network Node Manager ovopi.dll command 685 insecure pointer dereference attempt (policy-other.rules) * 1:32728 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Olegb variant outbound connection (malware-cnc.rules) * 1:32727 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Uclinu variant outbound connection (malware-cnc.rules) * 1:32726 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.ilscnu.org.FindHere.org - Win.Backdoor.Uclinu variant (blacklist.rules)
* 1:11838 <-> DISABLED <-> OS-WINDOWS Microsoft Windows API res buffer overflow attempt (os-windows.rules) * 1:15728 <-> DISABLED <-> FILE-PDF Possible Adobe Acrobat Reader ActionScript byte_array heap spray attempt (file-pdf.rules) * 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules) * 1:17440 <-> DISABLED <-> SERVER-IIS RSA authentication agent for web redirect buffer overflow attempt (server-iis.rules) * 1:17526 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta buffer overflow attempt (file-pdf.rules) * 1:19250 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D file include overflow attempt (file-pdf.rules) * 1:25459 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry - potentially malicious (file-pdf.rules) * 1:28303 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta buffer overflow attempt (file-pdf.rules) * 1:28585 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader OTF font head table size overflow attempt (file-pdf.rules) * 1:28586 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader OTF font head table size overflow attempt (file-pdf.rules) * 1:28591 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TTF remote code execution attempt (file-pdf.rules) * 1:28592 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TTF remote code execution attempt (file-pdf.rules) * 1:28597 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader field dictionary null pointer dereference attempt (file-pdf.rules) * 1:28598 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader field dictionary null pointer dereference attempt (file-pdf.rules) * 1:28600 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt (file-pdf.rules) * 1:28601 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt (file-pdf.rules) * 1:28602 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt (file-pdf.rules) * 1:28603 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt (file-pdf.rules) * 1:28622 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt (file-pdf.rules) * 1:28626 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta Buffer Overflow (file-pdf.rules) * 1:28716 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader compact font format memory corruption attempt (file-pdf.rules) * 1:28717 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader compact font format memory corruption attempt (file-pdf.rules) * 1:29062 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed JBIG2 decode segment null pointer crash attempt (file-pdf.rules) * 1:29063 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed JBIG2 decode segment null pointer crash attempt (file-pdf.rules) * 1:29622 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt (file-pdf.rules) * 1:29669 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pattern object memory corruption attempt (file-pdf.rules) * 1:29902 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules) * 1:29903 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules) * 1:29904 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules) * 1:29905 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules) * 1:31008 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader length-compute UTF-16 string buffer overflow attempt (file-pdf.rules) * 1:31009 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader length-compute UTF-16 string buffer overflow attempt (file-pdf.rules) * 1:31011 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DCT encoded stream null pointer dereference attempt (file-pdf.rules) * 1:31012 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DCT encoded stream null pointer dereference attempt (file-pdf.rules) * 1:31021 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader api call handling arbitrary execution attempt (file-pdf.rules) * 1:31022 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader api call handling arbitrary execution attempt (file-pdf.rules) * 1:31612 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded PRC stream NULL dereference denial of service attempt (file-pdf.rules) * 1:31613 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded PRC stream NULL dereference denial of service attempt (file-pdf.rules) * 1:32710 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt (browser-ie.rules) * 1:32625 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules) * 1:32589 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Selection exploit attempt (file-office.rules) * 1:32588 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Selection exploit attempt (file-office.rules) * 1:32435 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word fcPlfguidUim out-of-bounds attempt (file-office.rules) * 1:32434 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word lcbPlcffndTxt out-of-bounds attempt (file-office.rules) * 1:32433 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word fcPlfguidUim out-of-bounds attempt (file-office.rules) * 1:32432 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word lcbPlcffndTxt out-of-bounds attempt (file-office.rules) * 1:32337 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pattern object memory corruption attempt (file-pdf.rules) * 1:32171 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader string replacement heap overflow attempt (file-pdf.rules) * 1:32070 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dalgan variant outbound connection attempt (malware-cnc.rules) * 1:32170 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader string replacement heap overflow attempt (file-pdf.rules) * 1:32022 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules) * 1:32021 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules)