Sourcefire VRT Rules Update

Date: 2012-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:24361 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gozi.Prinimalka variant outbound connection attempt (malware-cnc.rules)
 * 1:24362 <-> ENABLED <-> FILE-FLASH Adobe Flash null reference JIT compilation attempt (file-flash.rules)
 * 1:24363 <-> DISABLED <-> FILE-FLASH Adobe Flash null reference JIT compilation attempt (file-flash.rules)
 * 1:24364 <-> ENABLED <-> FILE-FLASH Adobe Flash null reference JIT compilation attempt (file-flash.rules)
 * 1:24365 <-> DISABLED <-> FILE-FLASH Adobe Flash null reference JIT compilation attempt (file-flash.rules)
 * 1:24366 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed record stack exhaustion attempt (file-flash.rules)
 * 1:24367 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed record stack exhaustion attempt (file-flash.rules)
 * 1:24368 <-> DISABLED <-> MALWARE-CNC Lizamoon sql injection campaign phone-home attempt (malware-cnc.rules)
 * 1:24369 <-> DISABLED <-> MALWARE-CNC Lizamoon sql injection campaign ur.php response detected (malware-cnc.rules)
 * 1:24370 <-> DISABLED <-> EXPLOIT Linux kernel IA32 out-of-bounds system call attempt (exploit.rules)
 * 1:24371 <-> DISABLED <-> EXPLOIT Linux kernel IA32 out-of-bounds system call attempt (exploit.rules)
 * 1:24372 <-> ENABLED <-> DOS Kerberos KDC null pointer dereference denial of service attempt (dos.rules)

Modified Rules:
 * 1:24107 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a BMP file (malware-other.rules)
 * 1:24105 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a GIF file (malware-other.rules)
 * 1:24106 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a PNG file (malware-other.rules)
 * 1:24103 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a JPG file (malware-other.rules)
 * 1:24104 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a JPEG file (malware-other.rules)
 * 1:19183 <-> DISABLED <-> WEB-IIS Microsoft Windows IIS FastCGI heap overflow attempt (web-iis.rules)
 * 1:15467 <-> ENABLED <-> FILE-OFFICE Microsoft Office WordPad and Office Text Converters PlcPcd aCP buffer overflow attempt (file-office.rules)
 * 1:15466 <-> ENABLED <-> FILE-OFFICE Microsoft Office WordPad WordPerfect 6.x converter buffer overflow attempt (file-office.rules)
 * 1:18536 <-> ENABLED <-> FILE-OFFICE OpenOffice.org Microsoft Office Word file processing integer underflow attempt (file-office.rules)
 * 1:18611 <-> DISABLED <-> WEB-MISC Oracle Java Web Server Webdav Stack Buffer Overflow attempt (web-misc.rules)
 * 1:20496 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file magic detected (file-identify.rules)
 * 1:21793 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt (browser-ie.rules)
 * 1:21995 <-> DISABLED <-> MALWARE-CNC Win32.Dorkbot.I Runtime Detection Generic (malware-cnc.rules)
 * 1:22096 <-> DISABLED <-> BLACKLIST DNS request for known malware domain buffet.servehttp.com (blacklist.rules)
 * 1:22918 <-> DISABLED <-> INDICATOR-COMPROMISE c99shell.php command request - search (indicator-compromise.rules)
 * 1:23113 <-> ENABLED <-> INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious (indicator-obfuscation.rules)
 * 1:23097 <-> DISABLED <-> DOS IBM solidDB SELECT statement denial of service attempt (dos.rules)
 * 1:23226 <-> ENABLED <-> INDICATOR-OBFUSCATION JavaScript error suppression routine (indicator-obfuscation.rules)
 * 1:23114 <-> ENABLED <-> INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious (indicator-obfuscation.rules)
 * 1:23279 <-> DISABLED <-> FILE-OFFICE Microsoft Office SharePoint name field cross site scripting attempt (file-office.rules)
 * 1:23482 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in addEventListener call (indicator-obfuscation.rules)
 * 1:23481 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in setTimeout call (indicator-obfuscation.rules)
 * 1:23602 <-> DISABLED <-> SCAN Skipfish scan Firefox agent string (scan.rules)
 * 1:23601 <-> DISABLED <-> SCAN Skipfish scan default agent string (scan.rules)
 * 1:23604 <-> DISABLED <-> SCAN Skipfish scan iPhone agent string (scan.rules)
 * 1:23603 <-> DISABLED <-> SCAN Skipfish scan MSIE agent string (scan.rules)
 * 1:23621 <-> ENABLED <-> INDICATOR-OBFUSCATION known packer routine with secondary obfuscation (indicator-obfuscation.rules)
 * 1:23826 <-> DISABLED <-> MALWARE-CNC FinFisher outbound connection (malware-cnc.rules)
 * 1:23825 <-> DISABLED <-> MALWARE-CNC FinFisher initial outbound connection (malware-cnc.rules)
 * 1:23636 <-> ENABLED <-> INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder (indicator-obfuscation.rules)
 * 1:23967 <-> DISABLED <-> FILE-FLASH Adobe Flash OpenType font memory corruption attempt - compressed (file-flash.rules)
 * 1:24198 <-> DISABLED <-> FILE-OFFICE Microsoft Office SharePoint name field cross site scripting attempt (file-office.rules)
 * 1:24110 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to an MP3 file (malware-other.rules)
 * 1:24168 <-> DISABLED <-> INDICATOR-OBFUSCATION hidden iframe - potential include of malicious content (indicator-obfuscation.rules)
 * 1:24109 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a ZIP file (malware-other.rules)
 * 1:24286 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Lurk variant outbound connection (malware-cnc.rules)
 * 1:24227 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 - URI Structure (exploit-kit.rules)
 * 1:24345 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Drexonin variant connect to cnc-server attempt (malware-cnc.rules)
 * 1:24346 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zbot variant connect to cnc-server attempt (malware-cnc.rules)
 * 1:24347 <-> DISABLED <-> MALWARE-CNC Win.Downloader.Bloropac variant connect to cnc-server attempt (malware-cnc.rules)
 * 1:24353 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word RTF malformed listid attempt (file-office.rules)
 * 1:24354 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word RTF malformed listid attempt (file-office.rules)
 * 1:24108 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a RAR file (malware-other.rules)
 * 1:15455 <-> ENABLED <-> FILE-OFFICE Microsoft Office WordPad and Office Text Converters XST parsing buffer overflow attempt (file-office.rules)