Sourcefire VRT Rules Update

Date: 2012-12-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:25070 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Injector variant outbound connection (malware-cnc.rules)
 * 1:25080 <-> DISABLED <-> APP-DETECT Apple Messages push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25102 <-> DISABLED <-> SERVER-OTHER Zabbix Agent net.tcp.listen command injection attempt (server-other.rules)
 * 1:25079 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sign extension vulnerability exploitation attempt (browser-ie.rules)
 * 1:25074 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
 * 1:25093 <-> ENABLED <-> MALWARE-CNC Win.Exploit.Hacktool variant outbound connection (malware-cnc.rules)
 * 1:25075 <-> DISABLED <-> MALWARE-CNC WIN.Trojan.Spy variant outbound connection attempt (malware-cnc.rules)
 * 1:25076 <-> ENABLED <-> MALWARE-CNC WIN.Worm.Joanap variant Runtime Detection (malware-cnc.rules)
 * 1:25077 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Halnine variant outbound connection (malware-cnc.rules)
 * 1:25078 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sign extension vulnerability exploitation attempt (browser-ie.rules)
 * 1:25056 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit 32-bit font file download (exploit-kit.rules)
 * 1:25072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dulom variant outbound connection (malware-cnc.rules)
 * 1:25068 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Riler inbound connection (malware-cnc.rules)
 * 1:25064 <-> DISABLED <-> SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt (server-webapp.rules)
 * 1:25069 <-> DISABLED <-> BLACKLIST DNS request for known malware domain losang.dynamicdns.co.uk (blacklist.rules)
 * 1:25066 <-> ENABLED <-> FILE-IMAGE libpng chunk decompression integer overflow attempt (file-image.rules)
 * 1:25067 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Riler outbound connection (malware-cnc.rules)
 * 1:25065 <-> ENABLED <-> FILE-IMAGE libpng chunk decompression integer overflow attempt (file-image.rules)
 * 1:25059 <-> DISABLED <-> SERVER-OTHER SAP Business One License Manager buffer overflow attempt (server-other.rules)
 * 1:25118 <-> DISABLED <-> BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX function call access attempt (browser-plugins.rules)
 * 1:25081 <-> DISABLED <-> APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt (app-detect.rules)
 * 1:25060 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveX multiple adjacent object tags (indicator-obfuscation.rules)
 * 1:25063 <-> DISABLED <-> SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt (server-webapp.rules)
 * 1:25058 <-> DISABLED <-> SERVER-OTHER IBM Director CIM server alert indication request dll injection attempt (server-other.rules)
 * 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
 * 1:25057 <-> DISABLED <-> SCADA Tridium Niagara directory traversal config.bog access attempt (scada.rules)
 * 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
 * 1:25084 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:25086 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:25087 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:25088 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:25089 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:25085 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:25090 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:25091 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:25092 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool variant outbound connection (malware-other.rules)
 * 1:25094 <-> ENABLED <-> MALWARE-OTHER PERL.Exploit.C99 suspicious file download (malware-other.rules)
 * 1:25095 <-> ENABLED <-> MALWARE-OTHER HTML.Exploit.C99 suspicious file download (malware-other.rules)
 * 1:25096 <-> ENABLED <-> MALWARE-OTHER PHP.Exploit.C99 suspicious file download (malware-other.rules)
 * 1:25098 <-> DISABLED <-> MALWARE-CNC Win.Dropper.Daws variant outbound connection (malware-cnc.rules)
 * 1:25097 <-> ENABLED <-> MALWARE-OTHER PHP.Exploit.C99 suspicious file download (malware-other.rules)
 * 1:25099 <-> DISABLED <-> MALWARE-CNC Win.Dropper.Daws variant outbound connection (malware-cnc.rules)
 * 1:25100 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules)
 * 1:25073 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Lowzone variant outbound connection (malware-cnc.rules)
 * 1:25101 <-> DISABLED <-> DOS Cisco IOS syslog message flood denial of service attempt (dos.rules)
 * 1:25103 <-> DISABLED <-> SERVER-OTHER Zabbix Server arbitrary command execution attempt (server-other.rules)
 * 1:25104 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway directory traversal attempt (server-webapp.rules)
 * 1:25105 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway directory traversal attempt (server-webapp.rules)
 * 1:25106 <-> DISABLED <-> MALWARE-BACKDOOR UnrealIRCd backdoor command execution attempt (malware-backdoor.rules)
 * 1:25055 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit 64-bit font file download (exploit-kit.rules)
 * 1:25107 <-> DISABLED <-> MALWARE-CNC Win.Spy.Banker variant outbound connection (malware-cnc.rules)
 * 1:25108 <-> DISABLED <-> MALWARE-CNC Win.Proxy.Agent variant outbound connection (malware-cnc.rules)
 * 1:25109 <-> DISABLED <-> MALWARE-CNC Autoit.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25071 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Macnsed variant outbound connection (malware-cnc.rules)
 * 1:25114 <-> DISABLED <-> BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX function call access attempt (browser-plugins.rules)
 * 1:25115 <-> DISABLED <-> BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX clsid access attempt (browser-plugins.rules)
 * 1:25112 <-> DISABLED <-> BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX function call access attempt (browser-plugins.rules)
 * 1:25110 <-> DISABLED <-> DELETED MALWARE-CNC ZeroAccess Clickserver Callback (deleted.rules)
 * 1:25116 <-> DISABLED <-> BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX function call access attempt (browser-plugins.rules)
 * 1:25117 <-> DISABLED <-> BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX function call access attempt (browser-plugins.rules)
 * 1:25111 <-> DISABLED <-> BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX clsid access attempt (browser-plugins.rules)
 * 1:25113 <-> DISABLED <-> BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX function call access attempt (browser-plugins.rules)

Modified Rules:
 * 1:25016 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IRCBot variant outbound connection (malware-cnc.rules)
 * 1:25045 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit requesting payload (exploit-kit.rules)
 * 1:22105 <-> ENABLED <-> FILE-IMAGE libpng chunk decompression integer overflow attempt (file-image.rules)
 * 1:23256 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
 * 1:21975 <-> DISABLED <-> MALWARE-CNC Worm.Expichu variant inbound connection (malware-cnc.rules)
 * 1:24520 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office invalid file upload attempt (server-webapp.rules)
 * 1:23605 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
 * 1:20877 <-> DISABLED <-> MALWARE-CNC RunTime Worm.Win32.Warezov.gs outbound connection (malware-cnc.rules)
 * 1:21473 <-> DISABLED <-> MALWARE-CNC Trojan.GameThief variant outbound connection (malware-cnc.rules)
 * 1:21974 <-> DISABLED <-> MALWARE-CNC Worm.Expichu variant inbound connection (malware-cnc.rules)
 * 1:21463 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bibei variant inbound connection (malware-cnc.rules)
 * 1:20265 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer null attribute DoS attempt (browser-ie.rules)
 * 1:21477 <-> DISABLED <-> MALWARE-CNC Trojan.Noobot outbound connection (malware-cnc.rules)
 * 1:20128 <-> DISABLED <-> FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat record (file-office.rules)
 * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:20264 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer form selection reset attempt (browser-ie.rules)
 * 1:18974 <-> DISABLED <-> BROWSER-PLUGINS SAP Crystal Reports PrintControl.dll ActiveX function call attempt (browser-plugins.rules)
 * 1:20266 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 Javascript negative option index attack attempt (browser-ie.rules)
 * 1:17639 <-> ENABLED <-> NETBIOS Samba Root File System access bypass attempt (netbios.rules)
 * 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (browser-plugins.rules)
 * 1:19621 <-> DISABLED <-> FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt (file-multimedia.rules)
 * 1:19966 <-> DISABLED <-> MALWARE-CNC Octopus 0.1 inbound connection (malware-cnc.rules)
 * 1:13814 <-> DISABLED <-> MALWARE-CNC passhax variant outbound connection (malware-cnc.rules)
 * 1:13894 <-> DISABLED <-> SERVER-MAIL Microsoft Office Outlook Web Access From field cross-site scripting attempt (server-mail.rules)
 * 1:16093 <-> DISABLED <-> MALWARE-CNC bugsprey variant inbound connection (malware-cnc.rules)
 * 1:13878 <-> DISABLED <-> MALWARE-CNC Win.Trojan.delf.uv inbound connection (malware-cnc.rules)
 * 1:13953 <-> DISABLED <-> MALWARE-CNC Asprox trojan initial query (malware-cnc.rules)
 * 3:15117 <-> ENABLED <-> WEB-CLIENT Microsoft Excel malformed OBJ record arbitrary code execution attempt (web-client.rules)
 * 3:15365 <-> ENABLED <-> WEB-CLIENT Microsoft Excel extrst record arbitrary code excecution attempt (web-client.rules)
 * 3:16343 <-> ENABLED <-> WEB-CLIENT obfuscated header in PDF (web-client.rules)
 * 3:23180 <-> ENABLED <-> SMTP obfuscated header in PDF attachment (web-client.rules)