Sourcefire VRT Rules Update

Date: 2013-10-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2946.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:28251 <-> ENABLED <-> SERVER-WEBAPP Zabbix session id disclosure via sql injection attempt (server-webapp.rules)
 * 1:28243 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.aquirecosmeticos.com.br (blacklist.rules)
 * 1:28245 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt (app-detect.rules)
 * 1:28242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KanKan variant connection attempt (malware-cnc.rules)
 * 1:28241 <-> DISABLED <-> BLACKLIST DNS request for known malware domain kankan.com - Win.Trojan.KanKan (blacklist.rules)
 * 1:28244 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Phrovon outbound connection attempt (malware-cnc.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:28254 <-> ENABLED <-> MALWARE-CNC Trojan.Perl.Shellbot outbound communication attempt (malware-cnc.rules)
 * 1:28247 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Dropper outbound connection (malware-cnc.rules)
 * 1:28248 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lenderspoker.in (blacklist.rules)
 * 1:28250 <-> ENABLED <-> MALWARE-CNC Security Cleaner Pro Install Confirmation (malware-cnc.rules)
 * 1:28249 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wirejournal.biz (blacklist.rules)
 * 1:28252 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:28253 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ircd.myz.info (blacklist.rules)

Modified Rules:

 * 1:26664 <-> ENABLED <-> FILE-IMAGE BMP extremely large xpos opcodes (file-image.rules)
 * 1:20262 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll DOS attempt (browser-ie.rules)
 * 1:20264 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer form selection reset attempt (browser-ie.rules)
 * 1:19241 <-> DISABLED <-> BROWSER-IE Microsoft Windows Vector Markup Language imagedata page deconstruction attempt (browser-ie.rules)
 * 1:8734 <-> DISABLED <-> SERVER-WEBAPP Pajax call_dispatcher className directory traversal attempt (server-webapp.rules)
 * 1:28216 <-> ENABLED <-> MALWARE-CNC known malware FTP login (malware-cnc.rules)
 * 1:16377 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt (browser-ie.rules)
 * 1:28236 <-> ENABLED <-> EXPLOIT-KIT Magnitude/Nuclear exploit kit landing page (exploit-kit.rules)
 * 1:9620 <-> DISABLED <-> SERVER-WEBAPP Pajax call_dispatcher remote code execution attempt (server-webapp.rules)
 * 1:17288 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
 * 1:20268 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Marquee stylesheet object removal (browser-ie.rules)
 * 1:18451 <-> ENABLED <-> FILE-PDF Adobe Acrobat ICC color integer overflow attempt (file-pdf.rules)
 * 1:18457 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D rgba parsing overflow attempt (file-pdf.rules)
 * 1:18506 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CCITT stream compression filter invalid image size heap overflow attempt (file-pdf.rules)
 * 1:21392 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer writing-mode property memory corruption attempt (browser-ie.rules)
 * 1:24507 <-> DISABLED <-> FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt (file-pdf.rules)
 * 1:24508 <-> DISABLED <-> FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt (file-pdf.rules)
 * 1:25329 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSS style memory corruption attempt (browser-ie.rules)
 * 1:23507 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
 * 1:26651 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:18507 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CCITT stream compression filter invalid image size heap overflow attempt (file-pdf.rules)
 * 1:26652 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:26927 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:25352 <-> DISABLED <-> SERVER-OTHER HP HP Intelligent Management Center syslog remote code execution attempt (server-other.rules)
 * 1:26928 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:27907 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt (exploit-kit.rules)
 * 1:19242 <-> DISABLED <-> BROWSER-IE Microsoft Windows Vector Markup Language imagedata page deconstruction attempt (browser-ie.rules)
 * 1:28230 <-> ENABLED <-> MALWARE-CNC Boot.Bootroot Variant data upload attempt (malware-cnc.rules)