Sourcefire VRT Rules Update

Date: 2013-02-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

"Default rule state" is the state (ENABLED or DISABLED) the rule ships in within the certified pack. A DISABLED rule is delivered but does not fire until the local policy enables it, so the DISABLED entries below are the ones to review against your own environment. "Rule group" is the .rules file the entry lives in.
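The format line above describes every entry in the two lists that follow. Turning the update into structured data makes it easy to answer the questions an operator actually has (which rule groups received new detection, which entries ship disabled, which gid:sid pairs to consider enabling). The following is an added Python example, not part of the Sourcefire update or any Sourcefire tooling; the function names are mine, and the sample text is a constructed excerpt of a few lines copied from this page's lists.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample in the page's own format: two section headers and a
# handful of entries copied from the lists on this page.
SAMPLE_UPDATE = """\
New Rules:

 * 1:25895 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25856 <-> DISABLED <-> TELNET Client env_opt_add Buffer Overflow attempt (telnet.rules)

Modified Rules:

 * 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (server-other.rules)
 * 1:25819 <-> ENABLED <-> FILE-PDF Adobe Reader known malicious variable exploit attempt (file-pdf.rules)
"""

# One entry: " * gid:sid <-> STATE <-> message (group.rules)"
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)
SECTION_LINE = re.compile(r"^(?P<section>New|Modified) Rules:\s*$")


class RuleEntry(NamedTuple):
    section: str   # "New" or "Modified"
    gid: int
    sid: int
    enabled: bool  # default rule state in the certified pack
    msg: str
    group: str     # rules file, e.g. "malware-cnc.rules"


def parse_update(text: str) -> list[RuleEntry]:
    """Parse a VRT update notice into RuleEntry records, tagged by section."""
    entries: list[RuleEntry] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        m = SECTION_LINE.match(raw)
        if m:
            section = m.group("section")
            continue
        m = RULE_LINE.match(raw)
        if not m:
            continue  # blank lines, title, date and prose are skipped
        if section is None:
            raise ValueError(f"rule line before any section header: {raw!r}")
        entries.append(RuleEntry(
            section, int(m["gid"]), int(m["sid"]),
            m["state"] == "ENABLED", m["msg"], m["group"],
        ))
    return entries


def disabled_by_group(entries: list[RuleEntry]) -> Counter:
    """How many entries ship DISABLED, per rules file (the review backlog)."""
    return Counter(e.group for e in entries if not e.enabled)


def disabled_new_gid_sids(entries: list[RuleEntry]) -> list[str]:
    """New rules that ship disabled, as sorted 'gid:sid' strings ready to
    paste into a local enable list once each has been vetted."""
    picked = sorted((e.gid, e.sid) for e in entries
                    if e.section == "New" and not e.enabled)
    return [f"{gid}:{sid}" for gid, sid in picked]


if __name__ == "__main__":
    parsed = parse_update(SAMPLE_UPDATE)
    for group, n in sorted(disabled_by_group(parsed).items()):
        print(f"{group}: {n} disabled")
    print("new-but-disabled:", ", ".join(disabled_new_gid_sids(parsed)))
```

Run it against the full text of an update (or several updates concatenated) to get a per-group view of what arrived disabled; the gid:sid list is the usual hand-off to whatever mechanism your deployment uses to override default rule states.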

New Rules:

 * 1:25895 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25892 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25893 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25890 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25891 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25887 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25888 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25885 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25886 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25882 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25883 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25880 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25881 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25877 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25878 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25875 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25876 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25872 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25873 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25869 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25871 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25868 <-> ENABLED <-> MALWARE-CNC Android.Trojan.Rus.SMS outbound communication attempt (malware-cnc.rules)
 * 1:25865 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25866 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25859 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit Java exploit retrieval (exploit-kit.rules)
 * 1:25863 <-> DISABLED <-> MALWARE-CNC Win.Downloader.QBundle variant outbound connection (malware-cnc.rules)
 * 1:25862 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25861 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25857 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit PDF exploit (exploit-kit.rules)
 * 1:25858 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit Java exploit download (exploit-kit.rules)
 * 1:25856 <-> DISABLED <-> TELNET Client env_opt_add Buffer Overflow attempt (telnet.rules)
 * 1:25860 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit landing page (exploit-kit.rules)
 * 1:25864 <-> ENABLED <-> MALWARE-CNC Android AngryBirdsRioUnlocker initial device info send (malware-cnc.rules)
 * 1:25870 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25874 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25879 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25884 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25889 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25894 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25896 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25897 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25898 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25899 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25900 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25901 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25902 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25906 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25903 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25904 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25905 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25907 <-> ENABLED <-> SERVER-WEBAPP PHPmyadmin brute force login attempt - User-Agent User-Agent (server-webapp.rules)
 * 1:25855 <-> DISABLED <-> SERVER-WEBAPP Nagios XI alert cloud cross site scripting attempt (server-webapp.rules)

Modified Rules:

 * 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (server-other.rules)
 * 1:6411 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:25819 <-> ENABLED <-> FILE-PDF Adobe Reader known malicious variable exploit attempt (file-pdf.rules)
 * 1:6410 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:25818 <-> ENABLED <-> FILE-PDF Adobe Reader known malicious variable exploit attempt (file-pdf.rules)
 * 1:6409 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
 * 1:25797 <-> ENABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF memory corruption attempt (file-multimedia.rules)
 * 1:25598 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25773 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML shape object malformed path attempt (browser-ie.rules)
 * 1:25596 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25597 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25595 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25594 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25593 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25510 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25509 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit pdf exploit retrieval (exploit-kit.rules)
 * 1:25508 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:1248 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access (server-other.rules)
 * 1:1249 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access (server-other.rules)
 * 1:25507 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit pdf exploit retrieval (exploit-kit.rules)
 * 1:15157 <-> ENABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF memory corruption attempt (file-multimedia.rules)
 * 1:17269 <-> DISABLED <-> TELNET Client env_opt_add Buffer Overflow attempt (telnet.rules)
 * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules)
 * 1:23659 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
 * 1:16393 <-> DISABLED <-> SERVER-OTHER PostgreSQL bit substring buffer overflow attempt (server-other.rules)
 * 1:25506 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:20472 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
 * 1:25323 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25326 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25325 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit pdf exploit retrieval (exploit-kit.rules)
 * 1:25322 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25505 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25327 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit pdf exploit retrieval (exploit-kit.rules)
 * 1:25328 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25476 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent (blacklist.rules)
 * 1:968 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.htm access (server-other.rules)
 * 1:966 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage .... request (server-other.rules)
 * 1:990 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_inf.html access (server-other.rules)
 * 1:965 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage writeto.cnf access (server-other.rules)
 * 1:952 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage author.exe access (server-other.rules)
 * 1:953 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage administrators.pwd access (server-other.rules)
 * 1:954 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results.htm access (server-other.rules)
 * 1:955 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage access.cnf access (server-other.rules)
 * 1:956 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.txt access (server-other.rules)
 * 1:957 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.txt access (server-other.rules)
 * 1:958 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.cnf access (server-other.rules)
 * 1:959 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.pwd (server-other.rules)
 * 1:960 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.stp access (server-other.rules)
 * 1:961 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage services.cnf access (server-other.rules)
 * 1:967 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage dvwssr.dll access (server-other.rules)
 * 1:962 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.exe access (server-other.rules)
 * 1:963 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage svcacl.cnf access (server-other.rules)
 * 1:964 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage users.pwd access (server-other.rules)
 * 1:941 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage contents.htm access (server-other.rules)
 * 1:946 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access (server-other.rules)
 * 1:951 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage authors.pwd access (server-other.rules)
 * 1:943 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access (server-other.rules)
 * 1:942 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.htm access (server-other.rules)
 * 1:949 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.htm access (server-other.rules)
 * 1:939 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage posting (server-other.rules)
 * 1:940 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.dll access (server-other.rules)
 * 1:950 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage cfgwiz.exe access (server-other.rules)
 * 1:948 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results access (server-other.rules)
 * 1:947 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.txt access (server-other.rules)
 * 1:945 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmin.htm access (server-other.rules)
 * 1:944 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpremadm.exe access (server-other.rules)