Sourcefire VRT Rules Update

Date: 2013-02-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:25764 <-> ENABLED <-> MALWARE-OTHER Java.Trojan.FlashPlayer file download attempt (malware-other.rules)
 * 1:25765 <-> ENABLED <-> MALWARE-CNC Trojan Agent YEH outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:25683 <-> DISABLED <-> FILE-FLASH Adobe Flash Player CFF FeatureCount integer overflow attempt (file-flash.rules)
 * 1:25368 <-> DISABLED <-> MALWARE-CNC Win.Downloader.Kuloz variant outbound connection (malware-cnc.rules)
 * 1:25679 <-> ENABLED <-> FILE-FLASH malformed regular expression exploit attempt (file-flash.rules)
 * 1:25681 <-> DISABLED <-> FILE-FLASH Adobe Flash Player CFF FeatureCount integer overflow attempt (file-flash.rules)
 * 1:25675 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (malware-cnc.rules)
 * 1:25677 <-> ENABLED <-> FILE-FLASH malformed regular expression exploit attempt (file-flash.rules)
 * 1:25553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
 * 1:20019 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - test (blacklist.rules)
 * 1:10015 <-> DISABLED <-> BROWSER-PLUGINS Oracle ORADC ActiveX clsid access (browser-plugins.rules)
 * 1:24034 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jebena.ananikolic.su - Malware.HPsus/Palevo-B (blacklist.rules)
 * 1:9814 <-> DISABLED <-> BROWSER-PLUGINS ICQPhone.SipxPhoneManager ActiveX clsid access (browser-plugins.rules)