Sourcefire VRT Rules Update

Date: 2013-01-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:25401 <-> DISABLED <-> BLACKLIST DNS request for known malware domain csrss-check-new.com (blacklist.rules)
 * 1:25403 <-> DISABLED <-> BLACKLIST DNS request for known malware domain csrss-upgrade-new.com (blacklist.rules)
 * 1:25407 <-> DISABLED <-> BLACKLIST DNS request for known malware domain dll-host.com (blacklist.rules)
 * 1:25408 <-> DISABLED <-> BLACKLIST DNS request for known malware domain dllupdate.info (blacklist.rules)
 * 1:25468 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader structtreeroot children recursive call denial of service attempt (file-pdf.rules)
 * 1:25399 <-> ENABLED <-> BLACKLIST URI request for /cgi-bin/win/wcx (blacklist.rules)
 * 1:25398 <-> ENABLED <-> BLACKLIST URI request for /cgi-bin/ms/flush (blacklist.rules)
 * 1:25397 <-> ENABLED <-> BLACKLIST URI request for /cgi-bin/ms/check (blacklist.rules)
 * 1:25396 <-> ENABLED <-> BLACKLIST URI request for /cgi-bin/dllhost/ac (blacklist.rules)
 * 1:25395 <-> ENABLED <-> BLACKLIST URI request for /cgi-bin/nt/sk (blacklist.rules)
 * 1:25394 <-> ENABLED <-> BLACKLIST URI request for /cgi-bin/nt/th (blacklist.rules)
 * 1:25393 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF malformed pfragments field (file-office.rules)
 * 1:25392 <-> ENABLED <-> FILE-OTHER Oracle Java Rhino script engine remote code execution attempt (file-other.rules)
 * 1:25461 <-> ENABLED <-> FILE-PDF OpenType parsing buffer overflow attempt (file-pdf.rules)
 * 1:25458 <-> DISABLED <-> INDICATOR-OBFUSCATION DOC header followed by PDF header (indicator-obfuscation.rules)
 * 1:25460 <-> ENABLED <-> FILE-PDF Adobe Reader JP2K image object handling heap overflow attempt (file-pdf.rules)
 * 1:25462 <-> DISABLED <-> FILE-PDF OpenType parsing buffer overflow attempt (file-pdf.rules)
 * 1:25476 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent (blacklist.rules)
 * 1:25406 <-> DISABLED <-> BLACKLIST DNS request for known malware domain dll-host-update.com (blacklist.rules)
 * 1:25402 <-> DISABLED <-> BLACKLIST DNS request for known malware domain csrss-update-new.com (blacklist.rules)
 * 1:25400 <-> ENABLED <-> BLACKLIST URI request for /cgi-bin/win/cab (blacklist.rules)
 * 1:25467 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader structtreeroot children recursive call denial of service attempt (file-pdf.rules)
 * 1:25465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
 * 1:25466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader structtreeroot children recursive call denial of service attempt (file-pdf.rules)
 * 1:25463 <-> ENABLED <-> FILE-PDF OpenType parsing buffer overflow attempt (file-pdf.rules)
 * 1:25464 <-> DISABLED <-> FILE-PDF OpenType parsing buffer overflow attempt (file-pdf.rules)
 * 1:25459 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JP2K image object heap overflow attempt (file-pdf.rules)
 * 1:25454 <-> DISABLED <-> INDICATOR-OBFUSCATION DOC header followed by PDF header (indicator-obfuscation.rules)
 * 1:25449 <-> DISABLED <-> FILE-PDF Javascript openDoc UNC network request attempt (file-pdf.rules)
 * 1:25444 <-> DISABLED <-> BLACKLIST DNS request for known malware domain wins-driver-check.com (blacklist.rules)
 * 1:25439 <-> DISABLED <-> BLACKLIST DNS request for known malware domain win-driver-upgrade.com (blacklist.rules)
 * 1:25434 <-> DISABLED <-> BLACKLIST DNS request for known malware domain svchost-check.com (blacklist.rules)
 * 1:25429 <-> DISABLED <-> BLACKLIST DNS request for known malware domain nt-windows-online.com (blacklist.rules)
 * 1:25425 <-> DISABLED <-> BLACKLIST DNS request for known malware domain msonlineget.com (blacklist.rules)
 * 1:25404 <-> DISABLED <-> BLACKLIST DNS request for known malware domain dll-host-check.com (blacklist.rules)
 * 1:25426 <-> DISABLED <-> BLACKLIST DNS request for known malware domain msonlineupdate.com (blacklist.rules)
 * 1:25427 <-> DISABLED <-> BLACKLIST DNS request for known malware domain new-driver-upgrade.com (blacklist.rules)
 * 1:25479 <-> DISABLED <-> POLICY-SOCIAL IRC K-line active (policy-social.rules)
 * 1:25471 <-> ENABLED <-> MALWARE-CNC ZeroAccess Spiral Traffic (malware-cnc.rules)
 * 1:25502 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft GDI EMF malformed file buffer overflow attempt (file-multimedia.rules)
 * 1:25503 <-> ENABLED <-> MALWARE-CNC Necurs Rootkit sba.cgi (malware-cnc.rules)
 * 1:25504 <-> ENABLED <-> MALWARE-CNC Necurs Rootkit op.cgi (malware-cnc.rules)
 * 1:25428 <-> DISABLED <-> BLACKLIST DNS request for known malware domain nt-windows-check.com (blacklist.rules)
 * 1:25430 <-> DISABLED <-> BLACKLIST DNS request for known malware domain nt-windows-update.com (blacklist.rules)
 * 1:25424 <-> DISABLED <-> BLACKLIST DNS request for known malware domain msonlinecheck.com (blacklist.rules)
 * 1:25422 <-> DISABLED <-> BLACKLIST DNS request for known malware domain msgenuine.net (blacklist.rules)
 * 1:25423 <-> DISABLED <-> BLACKLIST DNS request for known malware domain msinfoonline.org (blacklist.rules)
 * 1:25420 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ms-software-genuine.com (blacklist.rules)
 * 1:25421 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ms-software-update.com (blacklist.rules)
 * 1:25419 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ms-software-check.com (blacklist.rules)
 * 1:25417 <-> DISABLED <-> BLACKLIST DNS request for known malware domain microsoftupdate.com (blacklist.rules)
 * 1:25431 <-> DISABLED <-> BLACKLIST DNS request for known malware domain os-microsoft-check.com (blacklist.rules)
 * 1:25418 <-> DISABLED <-> BLACKLIST DNS request for known malware domain mobile-update.com (blacklist.rules)
 * 1:25432 <-> DISABLED <-> BLACKLIST DNS request for known malware domain os-microsoft-update.com (blacklist.rules)
 * 1:25416 <-> DISABLED <-> BLACKLIST DNS request for known malware domain microsoftcheck.com (blacklist.rules)
 * 1:25415 <-> DISABLED <-> BLACKLIST DNS request for known malware domain microsoft-msdn.com (blacklist.rules)
 * 1:25433 <-> DISABLED <-> BLACKLIST DNS request for known malware domain osgenuine.com (blacklist.rules)
 * 1:25414 <-> DISABLED <-> BLACKLIST DNS request for known malware domain genuineupdate.com (blacklist.rules)
 * 1:25435 <-> DISABLED <-> BLACKLIST DNS request for known malware domain svchost-online.com (blacklist.rules)
 * 1:25413 <-> DISABLED <-> BLACKLIST DNS request for known malware domain genuineservicecheck.com (blacklist.rules)
 * 1:25436 <-> DISABLED <-> BLACKLIST DNS request for known malware domain svchost-update.com (blacklist.rules)
 * 1:25412 <-> DISABLED <-> BLACKLIST DNS request for known malware domain genuine-check.com (blacklist.rules)
 * 1:25437 <-> DISABLED <-> BLACKLIST DNS request for known malware domain update-genuine.com (blacklist.rules)
 * 1:25411 <-> DISABLED <-> BLACKLIST DNS request for known malware domain drivers-update-online.com (blacklist.rules)
 * 1:25410 <-> DISABLED <-> BLACKLIST DNS request for known malware domain drivers-get.com (blacklist.rules)
 * 1:25438 <-> DISABLED <-> BLACKLIST DNS request for known malware domain win-check-update.com (blacklist.rules)
 * 1:25409 <-> DISABLED <-> BLACKLIST DNS request for known malware domain drivers-check.com (blacklist.rules)
 * 1:25440 <-> DISABLED <-> BLACKLIST DNS request for known malware domain windows-genuine.com (blacklist.rules)
 * 1:25441 <-> DISABLED <-> BLACKLIST DNS request for known malware domain windowscheckupdate.com (blacklist.rules)
 * 1:25442 <-> DISABLED <-> BLACKLIST DNS request for known malware domain windowsonlineupdate.com (blacklist.rules)
 * 1:25443 <-> DISABLED <-> BLACKLIST DNS request for known malware domain wingenuine.com (blacklist.rules)
 * 1:25445 <-> DISABLED <-> BLACKLIST DNS request for known malware domain wins-driver-update.com (blacklist.rules)
 * 1:25446 <-> DISABLED <-> BLACKLIST DNS request for known malware domain wins-update.com (blacklist.rules)
 * 1:25447 <-> DISABLED <-> BLACKLIST DNS request for known malware domain xponlineupdate.com (blacklist.rules)
 * 1:25448 <-> DISABLED <-> MALWARE-CNC Win.Downloader.Jinch variant outbound connection (malware-cnc.rules)
 * 1:25450 <-> DISABLED <-> FILE-PDF Javascript openDoc UNC network request attempt (file-pdf.rules)
 * 1:25451 <-> DISABLED <-> INDICATOR-OBFUSCATION GIF header followed by PDF header (indicator-obfuscation.rules)
 * 1:25452 <-> DISABLED <-> INDICATOR-OBFUSCATION PNG header followed by PDF header (indicator-obfuscation.rules)
 * 1:25453 <-> DISABLED <-> INDICATOR-OBFUSCATION JPEG header followed by PDF header (indicator-obfuscation.rules)
 * 1:25455 <-> DISABLED <-> INDICATOR-OBFUSCATION GIF header followed by PDF header (indicator-obfuscation.rules)
 * 1:25456 <-> DISABLED <-> INDICATOR-OBFUSCATION PNG header followed by PDF header (indicator-obfuscation.rules)
 * 1:25457 <-> DISABLED <-> INDICATOR-OBFUSCATION JPEG header followed by PDF header (indicator-obfuscation.rules)
 * 1:25477 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25478 <-> DISABLED <-> POLICY-SOCIAL IRC G-line active (policy-social.rules)
 * 1:25474 <-> DISABLED <-> SERVER-OTHER Citrix Access Gateway legacy authentication attempt (server-other.rules)
 * 1:25472 <-> ENABLED <-> FILE-OTHER Oracle Java JMX class arbitrary code execution attempt (file-other.rules)
 * 1:25473 <-> DISABLED <-> FILE-OTHER Oracle Java JMX class arbitrary code execution attempt (file-other.rules)
 * 1:25475 <-> ENABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:25405 <-> DISABLED <-> BLACKLIST DNS request for known malware domain dll-host-udate.com (blacklist.rules)
 * 1:25470 <-> DISABLED <-> MALWARE-CNC Win.Trojan.LoDo variant outbound connection (malware-cnc.rules)
 * 1:25469 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader structtreeroot children recursive call denial of service attempt (file-pdf.rules)

Modified Rules:

 * 1:18682 <-> DISABLED <-> FILE-PDF transfer of a PDF with OpenAction object attempt (file-pdf.rules)
 * 1:21017 <-> DISABLED <-> FILE-IDENTIFY cyb Cytel Studio file attachment detected (file-identify.rules)
 * 1:21037 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized javascript encodings detected (indicator-obfuscation.rules)
 * 1:20084 <-> DISABLED <-> SERVER-OTHER ALTAP Salamander PE Viewer PDB Filename Buffer Overflow (server-other.rules)
 * 1:20238 <-> DISABLED <-> SERVER-OTHER Java calendar deserialize vulnerability (server-other.rules)
 * 1:20249 <-> ENABLED <-> SERVER-OTHER Java Web Start BasicService arbitrary command execution attempt (server-other.rules)
 * 1:25083 <-> DISABLED <-> APP-DETECT Apple Messages service server request attempt (app-detect.rules)
 * 1:25302 <-> ENABLED <-> FILE-OTHER jar archive exploit kit download attempt (file-other.rules)
 * 1:25333 <-> DISABLED <-> DNS Exim DKIM decoding buffer overflow attempt (dns.rules)
 * 1:4135 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG rendering buffer overflow attempt (browser-ie.rules)
 * 1:23538 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint PP7 Component buffer overflow attempt (file-office.rules)
 * 1:23612 <-> ENABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:17579 <-> DISABLED <-> FILE-OFFICE Microsoft Office Drawing Record msofbtOPT Code Execution attempt (file-office.rules)
 * 1:25082 <-> DISABLED <-> APP-DETECT Apple Messages client side certificate request attempt (app-detect.rules)
 * 1:25058 <-> DISABLED <-> SERVER-OTHER IBM Director CIM server alert indication request dll injection attempt (server-other.rules)
 * 1:16364 <-> DISABLED <-> DOS IBM DB2 database server SQLSTT denial of service attempt (dos.rules)
 * 1:16188 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint bad text header txttype attempt (file-office.rules)
 * 1:15499 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint PP7 Component buffer overflow attempt (file-office.rules)
 * 1:13626 <-> DISABLED <-> FILE-IDENTIFY Microsoft Office Access file magic detected (file-identify.rules)
 * 1:11836 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio version number anomaly (file-office.rules)
 * 1:24868 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint bad text header txttype attempt (file-office.rules)
 * 1:24650 <-> ENABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:24649 <-> ENABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:24452 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG rendering buffer overflow attempt (browser-ie.rules)
 * 1:18338 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string NSISDL/1.2 (blacklist.rules)
 * 1:23884 <-> DISABLED <-> FILE-PDF Adober Reader JBIG2 encoding invalid symbol in dictionary segment (file-pdf.rules)
 * 1:18494 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
 * 1:18681 <-> DISABLED <-> FILE-PDF transfer of a PDF with embedded JavaScript - JavaScript string attempt (file-pdf.rules)
 * 1:20610 <-> ENABLED <-> FILE-FLASH Adobe Shockwave Flash Flex authoring tool XSS exploit attempt (file-flash.rules)
 * 1:25301 <-> ENABLED <-> EXPLOIT-KIT redirect to malicious java archive attempt (exploit-kit.rules)
 * 3:20275 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss NetShareEnumAll response overflow attempt (netbios.rules)
 * 3:14260 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (web-client.rules)
 * 3:17775 <-> ENABLED <-> SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (misc.rules)
 * 3:15300 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer EMF polyline overflow attempt (web-client.rules)
 * 3:15454 <-> ENABLED <-> WEB-CLIENT Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (web-client.rules)