Sourcefire VRT Rules Update

Date: 2012-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:24627 <-> DISABLED <-> DOS Quest NetVault SmartDisk libnvbasics.dll denial of service attempt (dos.rules)

Modified Rules:

 * 1:24263 <-> ENABLED <-> FILE-PDF Overly large CreationDate within a pdf - likely malicious (file-pdf.rules)
 * 1:24286 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Lurk variant outbound connection (malware-cnc.rules)
 * 1:24206 <-> ENABLED <-> FILE-IDENTIFY LZH archive file magic detected (file-identify.rules)
 * 1:24071 <-> DISABLED <-> FILE-IDENTIFY GZip file download request (file-identify.rules)
 * 1:24074 <-> ENABLED <-> FILE-IDENTIFY MP3 file download request (file-identify.rules)
 * 1:24045 <-> ENABLED <-> FILE-IDENTIFY Winamp skin file wsz file download request (file-identify.rules)
 * 1:24048 <-> ENABLED <-> FILE-IDENTIFY Winamp skin file wal file download request (file-identify.rules)
 * 1:21444 <-> DISABLED <-> MALWARE-CNC TDSS outbound connection (malware-cnc.rules)
 * 1:20690 <-> DISABLED <-> DOS Quest NetVault SmartDisk libnvbasics.dll denial of service attempt (dos.rules)
 * 1:24626 <-> ENABLED <-> FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt (file-pdf.rules)
 * 1:24625 <-> ENABLED <-> FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt (file-pdf.rules)
 * 1:24389 <-> DISABLED <-> INDICATOR-COMPROMISE itsoknoproblembro status check (indicator-compromise.rules)
 * 1:24467 <-> DISABLED <-> FILE-IDENTIFY XCF file download request (file-identify.rules)
 * 1:24459 <-> DISABLED <-> FILE-IDENTIFY PSD file download request (file-identify.rules)