Sourcefire VRT Rules Update

Date: 2013-02-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:26016 <-> ENABLED <-> MALWARE-CNC Android GGTracker server communication (malware-cnc.rules)
 * 1:26014 <-> ENABLED <-> EXPLOIT-KIT Dong Da exploit kit successful redirection (exploit-kit.rules)
 * 1:26015 <-> ENABLED <-> MALWARE-CNC Android Lovetrap initial connection (malware-cnc.rules)
 * 1:26012 <-> DISABLED <-> DELETED EXPLOIT-KIT Dong Da exploit kit landing page received (deleted.rules)
 * 1:26010 <-> ENABLED <-> MALWARE-CNC CNC Dirtjumper outbound connection (malware-cnc.rules)
 * 1:26011 <-> DISABLED <-> DELETED MALWARE-CNC WIN.Flooder.Dirtjumper outbound connection (deleted.rules)
 * 1:26007 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt (file-flash.rules)
 * 1:26009 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF-based shellcode download attempt (file-flash.rules)
 * 1:26006 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt (file-flash.rules)
 * 1:26004 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt (file-flash.rules)
 * 1:26003 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt (file-flash.rules)
 * 1:26001 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt (file-flash.rules)
 * 1:26002 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt (file-flash.rules)
 * 1:25989 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:25987 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Upof variant outbound connection (malware-cnc.rules)
 * 1:25988 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:25985 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt (browser-ie.rules)
 * 1:25986 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt (browser-ie.rules)
 * 1:25983 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS tunneling attempt (indicator-obfuscation.rules)
 * 1:25984 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt (browser-ie.rules)
 * 1:25982 <-> ENABLED <-> EXPLOIT-KIT g01pack browser check attempt (exploit-kit.rules)
 * 1:25993 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Buzus variant outbound connection (malware-cnc.rules)
 * 1:25991 <-> DISABLED <-> MALWARE-CNC WIN.Spy.Agent variant connect to cnc-server attempt (malware-cnc.rules)
 * 1:25990 <-> DISABLED <-> MALWARE-CNC WIN.Spy.Agent variant connect to cnc-server attempt (malware-cnc.rules)
 * 1:25994 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25995 <-> DISABLED <-> MALWARE-CNC Win.Downloader.Banload variant outbound connection (malware-cnc.rules)
 * 1:25992 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Buzus variant outbound connection (malware-cnc.rules)
 * 1:25996 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Reswor variant outbound connection (malware-cnc.rules)
 * 1:25997 <-> ENABLED <-> MALWARE-CNC Android jSMSHider initial encrypted device info send (malware-cnc.rules)
 * 1:25998 <-> ENABLED <-> MALWARE-CNC Android ADRD encrypted information leak (malware-cnc.rules)
 * 1:25999 <-> ENABLED <-> MALWARE-CNC Android ADRD encrypted information leak (malware-cnc.rules)
 * 1:26000 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt (file-flash.rules)
 * 1:26005 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt (file-flash.rules)
 * 1:26008 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF-based shellcode download attempt (file-flash.rules)
 * 1:26013 <-> ENABLED <-> EXPLOIT-KIT Dong Da exploit kit redirection page received (exploit-kit.rules)
 * 1:26021 <-> DISABLED <-> FILE-PDF Adobe Reader XML Java used in app.setTimeOut (file-pdf.rules)
 * 1:26020 <-> ENABLED <-> EXPLOIT-KIT Sibhost exploit kit (malware-cnc.rules)
 * 1:26019 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bredo variant outbound connection (malware-cnc.rules)
 * 1:26018 <-> ENABLED <-> MALWARE-CNC Android GGTracker installation call out (malware-cnc.rules)
 * 1:26017 <-> ENABLED <-> MALWARE-CNC Android GGTracker leak of device phone number (malware-cnc.rules)

Modified Rules:

 * 1:7203 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word information string overflow attempt (file-office.rules)
 * 1:20276 <-> DISABLED <-> INDICATOR-OBFUSCATION standard ASCII encoded with UTF-8 possible evasion detected (indicator-obfuscation.rules)
 * 1:2123 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe banner (indicator-compromise.rules)
 * 1:21040 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules)
 * 1:24334 <-> DISABLED <-> MALWARE-CNC WIN.Spy.Agent variant connect to cnc-server attempt (malware-cnc.rules)
 * 1:23223 <-> DISABLED <-> EXPLOIT-KIT RedKit Landing Page Received - applet and code (exploit-kit.rules)
 * 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
 * 1:24491 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vundo redirection landing page pre-infection (malware-cnc.rules)
 * 1:7202 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document summary information string overflow attempt (file-office.rules)
 * 1:20225 <-> ENABLED <-> NETBIOS SMI file download request (netbios.rules)
 * 1:20226 <-> DISABLED <-> NETBIOS MPlayer SMI file buffer overflow attempt (netbios.rules)
 * 1:20224 <-> DISABLED <-> FILE-MULTIMEDIA MPlayer SMI file buffer overflow attempt (file-multimedia.rules)
 * 1:20223 <-> ENABLED <-> FILE-IDENTIFY SMI file download request (file-identify.rules)
 * 1:19888 <-> DISABLED <-> INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected (indicator-obfuscation.rules)
 * 1:18756 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe banner Windows 7/Server 2008R2 (indicator-compromise.rules)
 * 1:18757 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe banner Windows Vista (indicator-compromise.rules)
 * 1:17688 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt (browser-ie.rules)