Sourcefire VRT Rules Update

Date: 2012-12-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:24847 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.helpupdatek.eu (blacklist.rules)
 * 1:24845 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.helpupdated.org (blacklist.rules)
 * 1:24846 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.helpupdatek.at (blacklist.rules)
 * 1:24843 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.helpupdated.com (blacklist.rules)
 * 1:24844 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.helpupdated.net (blacklist.rules)
 * 1:24841 <-> ENABLED <-> EXPLOIT-KIT Sibhost Exploit Kit outbound JAR download attempt (exploit-kit.rules)
 * 1:24842 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.helpupdater.net (blacklist.rules)
 * 1:24840 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange landing page - JAR redirection (exploit-kit.rules)
 * 1:24839 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange landing page - specific structure (exploit-kit.rules)
 * 1:24837 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange initial landing page (exploit-kit.rules)
 * 1:24838 <-> DISABLED <-> DELETED EXPLOIT-KIT Sweet Orange User-Agent - contype (deleted.rules)
 * 1:24835 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24836 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24833 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24834 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24832 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24831 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24830 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24828 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24829 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24827 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24848 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.helpupdatek.tw (blacklist.rules)
 * 1:24824 <-> ENABLED <-> FILE-IDENTIFY RealPlayer skin file download request (file-identify.rules)
 * 1:24825 <-> ENABLED <-> FILE-IDENTIFY RealPlayer skin file attachment detected (file-identify.rules)
 * 1:24826 <-> ENABLED <-> FILE-IDENTIFY RealPlayer skin file attachment detected (file-identify.rules)
 * 1:24820 <-> ENABLED <-> FILE-IDENTIFY Computer Graphics Metafile file download request (file-identify.rules)
 * 1:24823 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
 * 1:24822 <-> ENABLED <-> FILE-IDENTIFY Computer Graphics Metafile file attachment detected (file-identify.rules)
 * 1:24819 <-> ENABLED <-> FILE-IDENTIFY M4V file magic detected (file-identify.rules)
 * 1:24818 <-> ENABLED <-> FILE-IDENTIFY M4V file magic detected (file-identify.rules)
 * 1:24821 <-> ENABLED <-> FILE-IDENTIFY Computer Graphics Metafile file attachment detected (file-identify.rules)
 * 1:24814 <-> ENABLED <-> SNMP Samsung printer default community string (snmp.rules)
 * 1:24815 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio VSD file icon memory corruption attempt (file-office.rules)
 * 1:24817 <-> ENABLED <-> FILE-IDENTIFY MP4 file magic detected (file-identify.rules)
 * 1:24816 <-> ENABLED <-> FILE-IDENTIFY MP4 file magic detected (file-identify.rules)
 * 1:24856 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 22231.dtdns.net (blacklist.rules)
 * 1:24855 <-> ENABLED <-> BLACKLIST DNS request for known malware domain existing.suroot.com (blacklist.rules)
 * 1:24857 <-> DISABLED <-> MALWARE-CNC Win.Spy.Agent variant outbound connection (malware-cnc.rules)
 * 1:24853 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.chopbell.net (blacklist.rules)
 * 1:24854 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.chopbell.com (blacklist.rules)
 * 1:24850 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.helpchecks.net (blacklist.rules)
 * 1:24852 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.couchness.com (blacklist.rules)
 * 1:24851 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.helpupdates.net (blacklist.rules)
 * 1:24849 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.helpupdates.com (blacklist.rules)

Modified Rules:

 * 1:24315 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24784 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit 64-bit font file download (exploit-kit.rules)
 * 1:24783 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit 32-bit font file download (exploit-kit.rules)
 * 1:24782 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit outbound request (exploit-kit.rules)
 * 1:24110 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to an MP3 file (malware-other.rules)
 * 1:24213 <-> ENABLED <-> FILE-IDENTIFY MP4 file magic detected (file-identify.rules)
 * 1:24313 <-> ENABLED <-> SERVER-WEBAPP HP OpenView Operations Agent request attempt (server-webapp.rules)
 * 1:24227 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 - URI Structure (exploit-kit.rules)
 * 1:24288 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Flexty outbound connection (malware-cnc.rules)
 * 1:23153 <-> ENABLED <-> FILE-OTHER OpenType Font file integer overflow attempt (file-other.rules)
 * 1:24314 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24778 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit landing page - Title (exploit-kit.rules)
 * 1:24779 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit - PDF Exploit (exploit-kit.rules)
 * 1:24780 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit - PDF Exploit (exploit-kit.rules)
 * 1:24781 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit outbound request (exploit-kit.rules)
 * 1:24106 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a PNG file (malware-other.rules)
 * 1:24107 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a BMP file (malware-other.rules)
 * 1:24109 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a ZIP file (malware-other.rules)
 * 1:24108 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a RAR file (malware-other.rules)
 * 1:24104 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a JPEG file (malware-other.rules)
 * 1:24103 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a JPG file (malware-other.rules)
 * 1:23959 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24105 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a GIF file (malware-other.rules)
 * 1:23961 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:23960 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:23154 <-> ENABLED <-> FILE-OTHER OpenType Font file integer overflow attempt (file-other.rules)
 * 1:23155 <-> ENABLED <-> FILE-OTHER OpenType Font file integer overflow attempt (file-other.rules)
 * 1:23958 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:23152 <-> ENABLED <-> FILE-OTHER OpenType Font file integer overflow attempt (file-other.rules)
 * 1:21444 <-> DISABLED <-> MALWARE-CNC TDSS outbound connection (malware-cnc.rules)
 * 1:21477 <-> DISABLED <-> MALWARE-CNC Trojan.Noobot outbound connection (malware-cnc.rules)
 * 1:20972 <-> ENABLED <-> FILE-IDENTIFY M4V file magic request (file-identify.rules)
 * 1:19156 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
 * 1:18515 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio VSD file icon memory corruption attempt (file-office.rules)
 * 1:17433 <-> DISABLED <-> OS-SOLARIS Oracle Solaris DHCP Client Arbitrary Code Execution attempt (os-solaris.rules)
 * 1:17461 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer zipped skin file buffer overflow attempt (file-other.rules)
 * 1:16215 <-> ENABLED <-> SERVER-ORACLE Oracle Application Server Portal cross site scripting attempt (server-oracle.rules)
 * 1:24316 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24318 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24317 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24319 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 1:24638 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 redirection successful (exploit-kit.rules)
 * 1:24641 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime movie buffer overflow attempt (file-multimedia.rules)
 * 1:24640 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime movie buffer overflow attempt (file-multimedia.rules)
 * 1:24320 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt (server-webapp.rules)
 * 3:18949 <-> ENABLED <-> WEB-CLIENT PowerPoint malformed RecolorInfoAtom exploit attempt (web-client.rules)