Sourcefire VRT Rules Update

Date: 2013-10-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2953.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:28214 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28213 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection received (exploit-kit.rules)
 * 1:28211 <-> ENABLED <-> MALWARE-CNC WIN.Worm.IRCbot outbound communication attempt (malware-cnc.rules)
 * 1:28209 <-> ENABLED <-> MALWARE-CNC WIN.Worm.IRCbot outbound communication attempt (malware-cnc.rules)
 * 1:28210 <-> ENABLED <-> MALWARE-CNC WIN.Worm.IRCbot outbound communication attempt (malware-cnc.rules)
 * 1:28212 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bitsto variant connection attempt (malware-cnc.rules)

Modified Rules:

 * 1:27740 <-> ENABLED <-> EXPLOIT-KIT Oracle Java jar file downloaded by Java when zip was defined (exploit-kit.rules)
 * 1:27945 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
 * 1:26292 <-> ENABLED <-> EXPLOIT-KIT Oracle Java Jar file downloaded when zip is defined (exploit-kit.rules)
 * 1:27943 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
 * 1:22077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
 * 1:28208 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
 * 1:28207 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
 * 1:27944 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
 * 1:26653 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit landing page - specific structure (exploit-kit.rules)
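Added example, not part of the VRT update itself: a small Python parser for the `gid:sid <-> Default rule state <-> Message (rule group)` entry format described above. It turns the update into structured records, counts changes per section and per rules file, and lists the rules that ship DISABLED by default, since those will not fire until they are enabled in the local policy. The sample input is this update's own entries pasted inline so the code runs offline; the regular expression, the `RuleChange` record and the summary layout are the example's own assumptions, not a VRT or Snort API, and only the two states that appear on this page (ENABLED, DISABLED) are accepted.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the entries of this update pasted inline so the
# parser runs offline. It is not fetched from a live rule feed.
SAMPLE = """\
Sourcefire VRT Rules Update

Date: 2013-10-10

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:28214 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28213 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection received (exploit-kit.rules)
 * 1:28211 <-> ENABLED <-> MALWARE-CNC WIN.Worm.IRCbot outbound communication attempt (malware-cnc.rules)
 * 1:28209 <-> ENABLED <-> MALWARE-CNC WIN.Worm.IRCbot outbound communication attempt (malware-cnc.rules)
 * 1:28210 <-> ENABLED <-> MALWARE-CNC WIN.Worm.IRCbot outbound communication attempt (malware-cnc.rules)
 * 1:28212 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bitsto variant connection attempt (malware-cnc.rules)

Modified Rules:

 * 1:27740 <-> ENABLED <-> EXPLOIT-KIT Oracle Java jar file downloaded by Java when zip was defined (exploit-kit.rules)
 * 1:27945 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
 * 1:26292 <-> ENABLED <-> EXPLOIT-KIT Oracle Java Jar file downloaded when zip is defined (exploit-kit.rules)
 * 1:27943 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
 * 1:22077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
 * 1:28208 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
 * 1:28207 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
 * 1:27944 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
 * 1:26653 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit landing page - specific structure (exploit-kit.rules)
"""

# One entry line: " * gid:sid <-> STATE <-> message (file.rules)". This pattern is
# an assumption based on the format line in the update, not an official grammar.
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<file>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleChange:
    section: str      # "New Rules" or "Modified Rules"
    gid: int
    sid: int
    state: str        # default state as shipped in the rule pack
    message: str
    rules_file: str


def parse_update(text: str) -> List[RuleChange]:
    """Parse an update notice into RuleChange records, sorted by gid:sid.

    Raises ValueError on an entry that does not match the documented format or
    that appears before any "... Rules:" section header, so a silently
    mis-parsed feed cannot produce an incomplete summary.
    """
    section = None
    changes: List[RuleChange] = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("Rules:"):
            section = stripped[:-1]
            continue
        match = ENTRY_RE.match(line)
        if match:
            if section is None:
                raise ValueError(f"entry before any section header: {line!r}")
            changes.append(RuleChange(section, int(match["gid"]), int(match["sid"]),
                                      match["state"], match["msg"], match["file"]))
        elif stripped.startswith("*"):
            raise ValueError(f"unparseable entry: {line!r}")
    # The notice lists entries in no particular order; sort so two updates diff cleanly.
    return sorted(changes, key=lambda c: (c.gid, c.sid))


def summarize(changes: List[RuleChange]) -> Dict[str, object]:
    """Counts per section and per rules file, plus rules shipped disabled by default."""
    return {
        "by_section": dict(Counter(c.section for c in changes)),
        "by_file": dict(Counter(c.rules_file for c in changes)),
        # Disabled rules are inert until enabled in the local policy; review these.
        "disabled_by_default": [f"{c.gid}:{c.sid}" for c in changes if c.state == "DISABLED"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_update(SAMPLE)).items():
        print(f"{key}: {value}")
```

Point `parse_update` at the text of any update in this format; the `disabled_by_default` list is the set of gid:sid pairs to consider for your enable list, and diffing the sorted output of two updates shows exactly which SIDs changed between them.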