Sourcefire VRT Rules Update

Date: 2013-10-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2950.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:28410 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.CoinMiner attempted connection (malware-cnc.rules)
 * 1:28412 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit embedded redirection attempt (exploit-kit.rules)
 * 1:28392 <-> DISABLED <-> FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt (file-multimedia.rules)
 * 1:28388 <-> DISABLED <-> FILE-PDF Adobe Acrobat TrueType font handling remote code execution attempt (file-pdf.rules)
 * 1:28401 <-> DISABLED <-> OS-MOBILE Android Andr.Trojan.MobileTx APK file download attempt (os-mobile.rules)
 * 1:28397 <-> DISABLED <-> SERVER-OTHER EMC AlphaStore format string vulnerability exploit attempt (server-other.rules)
 * 1:28408 <-> DISABLED <-> SERVER-WEBAPP ProcessMaker neoclassic skin arbitrary code execution attempt (server-webapp.rules)
 * 1:28394 <-> DISABLED <-> SERVER-OTHER EMC AlphaStore format string vulnerability exploit attempt (server-other.rules)
 * 1:28391 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:28414 <-> ENABLED <-> EXPLOIT-KIT Nuclear/Magnitude exploit kit Oracle Java exploit download attempt (exploit-kit.rules)
 * 1:28413 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit embedded redirection attempt (exploit-kit.rules)
 * 1:28411 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.CoinMiner attempted connection (malware-cnc.rules)
 * 1:28395 <-> DISABLED <-> SERVER-OTHER EMC AlphaStore format string vulnerability exploit attempt (server-other.rules)
 * 1:28396 <-> DISABLED <-> SERVER-OTHER EMC AlphaStore format string vulnerability exploit attempt (server-other.rules)
 * 1:28398 <-> DISABLED <-> SERVER-OTHER EMC AlphaStore format string vulnerability exploit attempt (server-other.rules)
 * 1:28399 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Tsunami outbound connection attempt (malware-cnc.rules)
 * 1:28400 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tx.com.cn (blacklist.rules)
 * 1:28402 <-> DISABLED <-> OS-MOBILE Android Andr.Trojan.MobileTx APK file download attempt (os-mobile.rules)
 * 1:28393 <-> ENABLED <-> SERVER-OTHER EMC Replication Manager irccd remote command execution attempt (server-other.rules)
 * 1:28403 <-> DISABLED <-> OS-MOBILE Android Andr.Trojan.MobileTx information disclosure attempt (os-mobile.rules)
 * 1:28404 <-> ENABLED <-> BLACKLIST DNS request for known malware domain goobzo.com - Kazy Trojan (blacklist.rules)
 * 1:28405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy variant outbound connection (malware-cnc.rules)
 * 1:28406 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kazy variant outbound connection (malware-cnc.rules)
 * 1:28407 <-> ENABLED <-> SERVER-WEBAPP HP Intelligent Management Center BIMS UploadServlet arbitrary file upload attempt (server-webapp.rules)
 * 1:28389 <-> DISABLED <-> FILE-PDF Adobe Acrobat TrueType font handling remote code execution attempt (file-pdf.rules)
 * 1:28390 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:28409 <-> DISABLED <-> SERVER-WEBAPP ProcessMaker neoclassic skin arbitrary code execution attempt (server-webapp.rules)

Modified Rules:
 * 1:28111 <-> ENABLED <-> EXPLOIT-KIT Nuclear/Magnitude exploit kit post Java compromise download attempt (exploit-kit.rules)
 * 1:19621 <-> DISABLED <-> FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt (file-multimedia.rules)
 * 1:28039 <-> ENABLED <-> INDICATOR-COMPROMISE Suspicious .pw dns query (indicator-compromise.rules)
 * 1:26077 <-> DISABLED <-> FILE-PDF transfer of a PDF with embedded JavaScript - JavaScript object detected (file-pdf.rules)
 * 1:25450 <-> ENABLED <-> FILE-PDF Javascript openDoc UNC network request attempt (file-pdf.rules)
 * 1:25449 <-> ENABLED <-> FILE-PDF Javascript openDoc UNC network request attempt (file-pdf.rules)
 * 1:18681 <-> DISABLED <-> FILE-PDF transfer of a PDF with embedded JavaScript - JavaScript object detected (file-pdf.rules)