Sourcefire VRT Rules Update

Date: 2013-03-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:26105 <-> DISABLED <-> SERVER-OTHER BigAnt IM Server buffer overflow attempt (server-other.rules)
 * 1:26104 <-> ENABLED <-> MALWARE-CNC Android KMin imei imsi leakage (malware-cnc.rules)
 * 1:26103 <-> DISABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra ping request buffer overflow attempt (server-other.rules)
 * 1:26102 <-> ENABLED <-> MALWARE-CNC Android GoldDream device registration (malware-cnc.rules)
 * 1:26100 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection page (exploit-kit.rules)
 * 1:26101 <-> ENABLED <-> INDICATOR-OBFUSCATION String.fromCharCode concatenation (indicator-obfuscation.rules)
 * 1:26098 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit Java archive transfer (exploit-kit.rules)
 * 1:26099 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection page (exploit-kit.rules)
 * 1:26096 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
 * 1:26097 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit Java archive transfer (exploit-kit.rules)
 * 1:26094 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
 * 1:26095 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
 * 1:26092 <-> ENABLED <-> INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages (indicator-obfuscation.rules)
 * 1:26093 <-> ENABLED <-> MALWARE-OTHER Compromised website response - leads to Exploit Kit (malware-other.rules)
 * 1:26090 <-> ENABLED <-> EXPLOIT-KIT Styx Exploit Kit Landing Page (exploit-kit.rules)
 * 1:26091 <-> ENABLED <-> EXPLOIT-KIT Cool exploit kit landing page  (exploit-kit.rules)
 * 1:26088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Encriyoko variant outbound connection (malware-cnc.rules)
 * 1:26089 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio version number anomaly (file-office.rules)
 * 1:26086 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Exicon variant outbound connection (malware-cnc.rules)
 * 1:26087 <-> ENABLED <-> MALWARE-CNC Android GoneIn60Seconds data upload (malware-cnc.rules)
 * 1:26084 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel file attachment detected (file-identify.rules)
 * 1:26085 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel file attachment detected (file-identify.rules)
 * 1:26082 <-> DISABLED <-> FILE-PDF Nuance PDF reader launch overflow attempt (file-pdf.rules)
 * 1:26083 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel file download request (file-identify.rules)
 * 1:26080 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object (file-office.rules)
 * 1:26081 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - Suspected Crimepack (malware-cnc.rules)
 * 1:26078 <-> DISABLED <-> FILE-PDF transfer of a PDF with OpenAction object attempt (file-pdf.rules)
 * 1:26079 <-> ENABLED <-> FILE-PDF PDF file with embedded PDF object (file-pdf.rules)
 * 1:26076 <-> DISABLED <-> FILE-PDF download of a PDF with embedded JavaScript - JS string attempt (file-pdf.rules)
 * 1:26077 <-> DISABLED <-> FILE-PDF transfer of a PDF with embedded JavaScript - JavaScript string attempt (file-pdf.rules)
 * 1:26074 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver Message Server buffer overflow attempt (server-other.rules)
 * 1:26075 <-> ENABLED <-> MALWARE-CNC Bancos variant outbound connection SQL query POST data (malware-cnc.rules)
 * 1:26072 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Locati variant outbound connection attempt (malware-cnc.rules)
 * 1:26073 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver Message Server buffer overflow attempt (server-other.rules)
 * 1:26070 <-> ENABLED <-> FILE-OTHER Ichitaro JSMISC32.dll dll-load exploit attempt (file-other.rules)
 * 1:26071 <-> ENABLED <-> FILE-OTHER Ichitaro JSMISC32.dll dll-load exploit attempt (file-other.rules)

Modified Rules:
 * 1:26049 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:26051 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious jar file download (exploit-kit.rules)
 * 1:26050 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit SWF file download (exploit-kit.rules)
 * 1:26045 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - setup (exploit-kit.rules)
 * 1:25472 <-> ENABLED <-> FILE-OTHER Oracle Java JMX class arbitrary code execution attempt (file-other.rules)
 * 1:25506 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:24782 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit outbound request (exploit-kit.rules)
 * 1:25509 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit pdf exploit retrieval (exploit-kit.rules)
 * 1:24780 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit - PDF Exploit (exploit-kit.rules)
 * 1:25963 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit SWF file download (exploit-kit.rules)
 * 1:25962 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25955 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious jar file download (exploit-kit.rules)
 * 1:25961 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit Portable Executable download (exploit-kit.rules)
 * 1:25951 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25954 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit SWF file download (exploit-kit.rules)
 * 1:25915 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25950 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit PDF exploit (exploit-kit.rules)
 * 1:25857 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit PDF exploit (exploit-kit.rules)
 * 1:25859 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious jar file download (exploit-kit.rules)
 * 1:25832 <-> ENABLED <-> FILE-OTHER Oracle Java JMX class arbitrary code execution attempt (file-other.rules)
 * 1:25788 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer iframe use after free attempt (browser-ie.rules)
 * 1:24781 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit outbound request (exploit-kit.rules)
 * 1:24778 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit landing page - Title (exploit-kit.rules)
 * 1:24779 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit - PDF Exploit (exploit-kit.rules)
 * 1:2338 <-> DISABLED <-> PROTOCOL-FTP LIST buffer overflow attempt (protocol-ftp.rules)
 * 1:25597 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25598 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25596 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25595 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25594 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:26056 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit Portable Executable download (exploit-kit.rules)
 * 1:25510 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:24439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Encriyoko variant outbound connection (malware-cnc.rules)
 * 1:21848 <-> ENABLED <-> MALWARE-CNC TDS Sutra - page redirecting to a SutraTDS (malware-cnc.rules)
 * 1:25593 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:21849 <-> ENABLED <-> MALWARE-CNC TDS Sutra - HTTP header redirecting to a SutraTDS (malware-cnc.rules)
 * 1:21236 <-> DISABLED <-> SERVER-WEBAPP UNLOCK Webdav Stack Buffer Overflow attempt (server-webapp.rules)
 * 1:21845 <-> ENABLED <-> MALWARE-CNC TDS Sutra - redirect received (malware-cnc.rules)
 * 1:21234 <-> DISABLED <-> SERVER-WEBAPP MKCOL Webdav Stack Buffer Overflow attempt (server-webapp.rules)
 * 1:21235 <-> DISABLED <-> SERVER-WEBAPP LOCK WebDAV Stack Buffer Overflow attempt (server-webapp.rules)
 * 1:19657 <-> ENABLED <-> MALWARE-CNC FakeAV variant traffic (malware-cnc.rules)
 * 1:20634 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll DOS attempt (browser-ie.rules)
 * 1:17567 <-> DISABLED <-> SERVER-OTHER LANDesk Management Suite Alerting Service buffer overflow attempt (server-other.rules)
 * 1:17904 <-> DISABLED <-> BLACKLIST URI request for known malicious URI - /tongji.js (blacklist.rules)
 * 1:15910 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getElementById object corruption (browser-ie.rules)
 * 1:17129 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free memory corruption attempt (browser-ie.rules)
 * 1:11836 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio version number anomaly (file-office.rules)
 * 1:3079 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer ANI file parsing buffer overflow attempt (browser-ie.rules)
 * 1:25056 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit 32-bit font file download (exploit-kit.rules)
 * 1:24783 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit 32-bit font file download (exploit-kit.rules)
 * 1:24784 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit 64-bit font file download (exploit-kit.rules)
 * 1:25055 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit 64-bit font file download (exploit-kit.rules)
 * 1:25322 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25328 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25327 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit pdf exploit retrieval (exploit-kit.rules)
 * 1:26048 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit PDF exploit (exploit-kit.rules)
 * 1:25968 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit Portable Executable download (exploit-kit.rules)