Sourcefire VRT Rules Update

Date: 2013-11-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2955.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:28550 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:28549 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:28548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.chfx outbound communication attempt (malware-cnc.rules)
 * 1:28547 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Banker variant outbound connection attempt (malware-cnc.rules)
 * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:28545 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:28544 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:28543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
 * 1:28542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
 * 1:28541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess Download Headers (malware-cnc.rules)
 * 1:28540 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dkxszh.org (blacklist.rules)
 * 1:28539 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lovesyr.sytes.net - Win.Worm Dunhihi (blacklist.rules)
 * 1:28538 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Asprox variant connection attempt (malware-cnc.rules)
 * 1:28537 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28536 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28535 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28534 <-> DISABLED <-> FILE-OTHER Apple Quicktime TeXML description attribute overflow attempt (file-other.rules)
 * 1:28533 <-> DISABLED <-> BLACKLIST DNS request for known malware domain x.dailyradio.su (blacklist.rules)
 * 1:28532 <-> DISABLED <-> MALWARE-TOOLS PyLoris http DoS tool (malware-tools.rules)
 * 1:28531 <-> DISABLED <-> PUA-ADWARE FreePDS installer outbound connection (pua-adware.rules)
 * 1:28530 <-> DISABLED <-> PUA-TOOLBARS Babylon toolbar installer outbound connection attempt (pua-toolbars.rules)

Modified Rules:
 * 1:18633 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:21925 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent BOT/0.1 (blacklist.rules)
 * 1:23099 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver Dispatcher DiagTraceHex denial of service attempt (server-other.rules)
 * 1:24789 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit PDF Exploit download attempt (exploit-kit.rules)
 * 1:25654 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector exec_cmd buffer overflow attempt (server-other.rules)
 * 1:25655 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector exec_cmd buffer overflow attempt (server-other.rules)
 * 1:25656 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector exec_cmd buffer overflow attempt (server-other.rules)
 * 1:28416 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pony outbound connection attempt (malware-cnc.rules)
 * 1:6027 <-> DISABLED <-> MALWARE-BACKDOOR WIN.Trojan.Netshadow runtime detection (malware-backdoor.rules)
 * 3:18630 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules)
 * 3:18631 <-> ENABLED <-> WEB-CLIENT Microsoft Excel rtToolbarDef record integer overflow attempt (web-client.rules)