Sourcefire VRT Rules Update

Date: 2013-03-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
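The listing format above is regular enough to parse mechanically, which is useful when reconciling a VRT update against a local ruleset (for example, to see which rules the pack ships disabled by default, or to build a SID list for a rule-management tool). The following Python is an added example and is not Sourcefire code or part of this post: it parses entries in the `gid:sid <-> STATE <-> Message (rule group)` shape, flags lines that look like entries but fail to parse, summarises the default states per rule file, and emits a gid:sid-per-line list in the style of PulledPork's enablesid.conf / disablesid.conf. That file syntax, the comment-on-its-own-line convention, and the constructed malformed `1:99999` sample line are assumptions of the example; the other sample lines are copied from this update.

```python
"""Parse a Sourcefire VRT rules-update listing and derive SID lists from it.

Added example; it is not Sourcefire code. The entry shape it expects is the
one the update post documents:
    gid:sid <-> Default rule state <-> Message (rule group)
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One listing entry. The leading "* " is how the page renders each bullet and
# is optional; the rule group is the trailing parenthesised *.rules file name.
_ENTRY = re.compile(
    r"^\s*(?:\*\s*)?(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool   # default state shipped in the rule pack
    msg: str        # rule message, category prefix included
    group: str      # rule file the rule lives in

    @property
    def gidsid(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_entry(line: str) -> Optional[RuleEntry]:
    """Return a RuleEntry for one listing line, or None if it is not an entry."""
    m = _ENTRY.match(line)
    if not m:
        return None
    return RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                     m["msg"], m["group"])


def parse_update(text: str) -> List[RuleEntry]:
    """Parse every well-formed entry in an update listing; headers are skipped."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def unparsed(text: str) -> List[str]:
    """Lines that look like entries (contain '<->') but did not parse.

    Worth checking every time: a truncated line silently dropped by
    parse_update() would otherwise be a rule missing from the SID list.
    """
    return [ln.strip() for ln in text.splitlines()
            if "<->" in ln and parse_entry(ln) is None]


def group_summary(entries: List[RuleEntry]) -> Dict[str, Dict[str, int]]:
    """Count ENABLED/DISABLED default states per rule file."""
    summary: Dict[str, Dict[str, int]] = {}
    for e in entries:
        counts = summary.setdefault(e.group, {"ENABLED": 0, "DISABLED": 0})
        counts["ENABLED" if e.enabled else "DISABLED"] += 1
    return summary


def sid_conf(entries: List[RuleEntry], enabled: bool) -> str:
    """Render the entries with the given default state as a gid:sid list.

    Assumption: one 'gid:sid' per line plus '#' comment lines, the shape
    PulledPork's enablesid.conf / disablesid.conf accept. Each message goes
    on a comment line before its SID rather than as an end-of-line comment.
    """
    out: List[str] = []
    for e in sorted(entries, key=lambda r: (r.gid, r.sid)):
        if e.enabled == enabled:
            out.append(f"# {e.msg}")
            out.append(e.gidsid)
    return "\n".join(out) + ("\n" if out else "")


# Constructed sample: the first five entries are copied from this update; the
# last one is a deliberately malformed entry (hypothetical SID 1:99999) that
# exercises the unparsed() check.
SAMPLE = """\
Modified Rules:

 * 1:25652 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptic variant outbound connection (malware-cnc.rules)
 * 1:25520 <-> DISABLED <-> OS-OTHER Apple iPhone User-Agent detected (os-other.rules)
 * 1:25946 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 24131192124.com - Win.Trojan.Chebri.C  (blacklist.rules)
 * 1:21844 <-> DISABLED <-> SERVER-WEBAPP System variable in URI attempt - %USERDOMAIN% (server-webapp.rules)
 * 3:13897 <-> ENABLED <-> EXPLOIT Apple Quicktime crgn atom parsing stack buffer overflow attempt (exploit.rules)
 * 1:99999 <-> ENABLED <-> truncated entry with no rule group
"""

if __name__ == "__main__":
    entries = parse_update(SAMPLE)
    for group, counts in sorted(group_summary(entries).items()):
        print(f"{group:24} enabled={counts['ENABLED']} disabled={counts['DISABLED']}")
    for bad in unparsed(SAMPLE):
        print("could not parse:", bad)
    print(sid_conf(entries, enabled=False), end="")
```

Feed the full "Modified Rules" block of an update to `parse_update()` and check `unparsed()` is empty before trusting the generated list; the gid 3 entries are shared-object rules and are included on purpose, since they need the matching .so pack to be installed.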

New Rules:

Modified Rules:

 * 1:25652 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptic variant outbound connection (malware-cnc.rules)
 * 1:25520 <-> DISABLED <-> OS-OTHER Apple iPhone User-Agent detected (os-other.rules)
 * 1:26212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Proxyier variant outbound connection (malware-cnc.rules)
 * 1:3519 <-> DISABLED <-> SERVER-MYSQL MaxDB WebSQL wppassword buffer overflow default port (server-mysql.rules)
 * 1:26106 <-> DISABLED <-> MALWARE-CNC Zeus Variant Content Length Header Mismatch Oddities (malware-cnc.rules)
 * 1:26211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eldorado variant outbound connection (malware-cnc.rules)
 * 1:26024 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wecod variant outbound connection (malware-cnc.rules)
 * 1:26075 <-> ENABLED <-> MALWARE-CNC Bancos variant outbound connection SQL query POST data (malware-cnc.rules)
 * 1:26020 <-> ENABLED <-> EXPLOIT-KIT Sibhost exploit kit (exploit-kit.rules)
 * 1:26023 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant in.php outbound connection (malware-cnc.rules)
 * 1:2598 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt (server-webapp.rules)
 * 1:25949 <-> ENABLED <-> MALWARE-CNC GzWaaa outbound data connection (malware-cnc.rules)
 * 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
 * 1:25948 <-> ENABLED <-> EXPLOIT-KIT redirection to driveby download (exploit-kit.rules)
 * 1:25854 <-> ENABLED <-> MALWARE-CNC Potential Zeus - MSIE7 No Referer No Cookie (malware-cnc.rules)
 * 1:25946 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 24131192124.com - Win.Trojan.Chebri.C (blacklist.rules)
 * 1:25519 <-> DISABLED <-> OS-OTHER Apple iPad User-Agent detected (os-other.rules)
 * 1:25511 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:25518 <-> DISABLED <-> OS-OTHER Apple iPod User-Agent detected (os-other.rules)
 * 1:25504 <-> ENABLED <-> MALWARE-CNC Necurs Rootkit op.cgi (malware-cnc.rules)
 * 1:25503 <-> ENABLED <-> MALWARE-CNC Necurs Rootkit sba.cgi (malware-cnc.rules)
 * 1:25277 <-> ENABLED <-> MALWARE-OTHER Request for a non-legit postal receipt (malware-other.rules)
 * 1:25471 <-> ENABLED <-> MALWARE-CNC ZeroAccess Spiral Traffic (malware-cnc.rules)
 * 1:25269 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buterat outbound connection (malware-cnc.rules)
 * 1:25271 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buzus outbound connection (malware-cnc.rules)
 * 1:25259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BancosBanload outbound connection (malware-cnc.rules)
 * 1:25257 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Skintrim outbound connection (malware-cnc.rules)
 * 1:25258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rombrast outbound connection (malware-cnc.rules)
 * 1:25224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess URI and Referer (malware-cnc.rules)
 * 1:25256 <-> ENABLED <-> MALWARE-CNC Win.Worm.Gamarue outbound connection (malware-cnc.rules)
 * 1:25119 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - NewBrandTest (blacklist.rules)
 * 1:24886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dorkbot outbound connection (malware-cnc.rules)
 * 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:24798 <-> ENABLED <-> EXPLOIT-KIT Possible malicious Jar download attempt - specific-structure (exploit-kit.rules)
 * 1:24885 <-> ENABLED <-> MALWARE-CNC Potential Banking Trojan Config File Download (malware-cnc.rules)
 * 1:24265 <-> ENABLED <-> MALWARE-OTHER Malicious UA detected on non-standard port (malware-other.rules)
 * 1:24598 <-> DISABLED <-> POLICY-SPAM 1.usa.gov URL in email, possible spam redirect (policy-spam.rules)
 * 1:24254 <-> DISABLED <-> INDICATOR-COMPROMISE IP only webpage redirect attempt (indicator-compromise.rules)
 * 1:24255 <-> ENABLED <-> MALWARE-CNC Sality logo.gif URLs (malware-cnc.rules)
 * 1:24251 <-> DISABLED <-> MALWARE-CNC Android/Fakelash.A!tr.spy trojan command and control channel traffic (malware-cnc.rules)
 * 1:24253 <-> DISABLED <-> INDICATOR-COMPROMISE IP only webpage redirect attempt (indicator-compromise.rules)
 * 1:24102 <-> ENABLED <-> MALWARE-OTHER Possible Kuluoz spamvertised URL in email (malware-other.rules)
 * 1:24225 <-> ENABLED <-> MALWARE-OTHER malicious redirection attempt (malware-other.rules)
 * 1:24033 <-> DISABLED <-> BLACKLIST DNS request for known malware domain rewt.ru - W32.DorkBot-S (blacklist.rules)
 * 1:24034 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jebena.ananikolic.su - Malware.HPsus/Palevo-B (blacklist.rules)
 * 1:24031 <-> DISABLED <-> BLACKLIST DNS request for known malware domain api.wipmania.com - Troj.Dorkbot-AO (blacklist.rules)
 * 1:24032 <-> DISABLED <-> BLACKLIST DNS request for known malware domain lolcantpwnme.net - W32.DorkBot-S (blacklist.rules)
 * 1:23795 <-> ENABLED <-> MALWARE-OTHER function urchin - known malware function name (malware-other.rules)
 * 1:24017 <-> ENABLED <-> MALWARE-OTHER Possible malicious redirect - rebots.php (malware-other.rules)
 * 1:23621 <-> ENABLED <-> INDICATOR-OBFUSCATION known packer routine with secondary obfuscation (indicator-obfuscation.rules)
 * 1:23636 <-> ENABLED <-> INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder (indicator-obfuscation.rules)
 * 1:23481 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in setTimeout call (indicator-obfuscation.rules)
 * 1:23482 <-> DISABLED <-> INDICATOR-OBFUSCATION hex escaped characters in addEventListener call (indicator-obfuscation.rules)
 * 1:23239 <-> DISABLED <-> SERVER-OTHER Wireshark console.lua file load exploit attempt (server-other.rules)
 * 1:23179 <-> DISABLED <-> INDICATOR-COMPROMISE script before DOCTYPE possible malicious redirect attempt (indicator-compromise.rules)
 * 1:23221 <-> DISABLED <-> EXPLOIT-KIT RedKit Jar File Naming Algorithm (exploit-kit.rules)
 * 1:22959 <-> DISABLED <-> BLACKLIST DNS request for known malware domain world.rickstudio.ru - Mal/Rimecud-R (blacklist.rules)
 * 1:22960 <-> DISABLED <-> BLACKLIST DNS request for known malware domain portal.roomshowerbord.com - Mal/EncPk-ADU (blacklist.rules)
 * 1:22957 <-> DISABLED <-> BLACKLIST DNS request for known malware domain murik.portal-protection.net.ru - Mal/Rimecud-R (blacklist.rules)
 * 1:22958 <-> DISABLED <-> BLACKLIST DNS request for known malware domain slade.safehousenumber.com - Mal/Rimecud-R (blacklist.rules)
 * 1:21851 <-> ENABLED <-> MALWARE-CNC TDS Sutra - redirect received (malware-cnc.rules)
 * 1:22061 <-> ENABLED <-> MALWARE-OTHER Alureon - Malicious IFRAME load attempt (malware-other.rules)
 * 1:21849 <-> ENABLED <-> MALWARE-CNC TDS Sutra - HTTP header redirecting to a SutraTDS (malware-cnc.rules)
 * 1:21850 <-> ENABLED <-> MALWARE-CNC TDS Sutra - request hi.cgi (malware-cnc.rules)
 * 1:21846 <-> ENABLED <-> MALWARE-CNC TDS Sutra - request in.cgi (malware-cnc.rules)
 * 1:21848 <-> ENABLED <-> MALWARE-CNC TDS Sutra - page redirecting to a SutraTDS (malware-cnc.rules)
 * 1:21844 <-> DISABLED <-> SERVER-WEBAPP System variable in URI attempt - %USERDOMAIN% (server-webapp.rules)
 * 1:21845 <-> ENABLED <-> MALWARE-CNC TDS Sutra - redirect received (malware-cnc.rules)
 * 1:21842 <-> DISABLED <-> SERVER-WEBAPP System variable in URI attempt - %PATHEXT% (server-webapp.rules)
 * 1:21843 <-> DISABLED <-> SERVER-WEBAPP System variable in URI attempt - %PROMPT% (server-webapp.rules)
 * 1:21840 <-> DISABLED <-> SERVER-WEBAPP System variable in URI attempt - %LOGONSERVER% (server-webapp.rules)
 * 1:21841 <-> DISABLED <-> SERVER-WEBAPP System variable in URI attempt - %PATH% (server-webapp.rules)
 * 1:21838 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %PSModulePath% (server-webapp.rules)
 * 1:21839 <-> DISABLED <-> SERVER-WEBAPP System variable in URI attempt - %COMPUTERNAME% (server-webapp.rules)
 * 1:21836 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %WINDIR% (server-webapp.rules)
 * 1:21837 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %PUBLIC% (server-webapp.rules)
 * 1:21835 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %USERPROFILE% (server-webapp.rules)
 * 1:21833 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %USERDATA% (server-webapp.rules)
 * 1:21834 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %USERNAME% (server-webapp.rules)
 * 1:21832 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %TMP% (server-webapp.rules)
 * 1:21830 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %SystemRoot% (server-webapp.rules)
 * 1:21831 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %TEMP% (server-webapp.rules)
 * 1:21828 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES - X86% (server-webapp.rules)
 * 1:21829 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %SystemDrive% (server-webapp.rules)
 * 1:21826 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %LOCALAPPDATA% (server-webapp.rules)
 * 1:21827 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES% (server-webapp.rules)
 * 1:21824 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %HOMEDRIVE% (server-webapp.rules)
 * 1:21825 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %HOMEPATH% (server-webapp.rules)
 * 1:21822 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES - x86% (server-webapp.rules)
 * 1:21823 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %COMSPEC% (server-webapp.rules)
 * 1:21820 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %APPDATA% (server-webapp.rules)
 * 1:21821 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES% (server-webapp.rules)
 * 1:21819 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMDATA% (server-webapp.rules)
 * 1:21818 <-> DISABLED <-> SERVER-WEBAPP System variable directory traversal attempt - %ALLUSERSPROFILE% (server-webapp.rules)
 * 1:21562 <-> ENABLED <-> MALWARE-CNC Trojan.Bredolab variant outbound connection (malware-cnc.rules)
 * 1:21646 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure - prototype catch (exploit-kit.rules)
 * 1:21475 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string core-project (blacklist.rules)
 * 1:21492 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure - prototype catch (exploit-kit.rules)
 * 1:21442 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - base64 encoded (malware-cnc.rules)
 * 1:21444 <-> DISABLED <-> MALWARE-CNC WIN.Trojan.TDSS outbound connection (malware-cnc.rules)
 * 1:21438 <-> ENABLED <-> EXPLOIT-KIT Blackhole Exploit Kit JavaScript carat string splitting with hostile applet (exploit-kit.rules)
 * 1:21417 <-> ENABLED <-> FILE-PDF hostile PDF associated with Laik exploit kit (file-pdf.rules)
 * 1:21375 <-> DISABLED <-> SERVER-WEBAPP Remote Execution Backdoor Attempt Against Horde (server-webapp.rules)
 * 1:21267 <-> DISABLED <-> POLICY-OTHER TRENDnet IP Camera anonymous access attempt (policy-other.rules)
 * 1:21327 <-> ENABLED <-> BLACKLIST User-Agent ASafaWeb Scan (blacklist.rules)
 * 1:21257 <-> DISABLED <-> BLACKLIST URI - known scanner tool muieblackcat (blacklist.rules)
 * 1:21266 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Morfeus Scanner (blacklist.rules)
 * 1:21255 <-> ENABLED <-> BLACKLIST known malicious FTP login banner - 0wns j0 (blacklist.rules)
 * 1:21256 <-> ENABLED <-> BLACKLIST known malicious FTP quit banner - Goodbye happy r00ting (blacklist.rules)
 * 1:2086 <-> DISABLED <-> SERVER-WEBAPP streaming server parse_xml.cgi access (server-webapp.rules)
 * 1:21246 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string DataCha0s (blacklist.rules)
 * 1:16365 <-> ENABLED <-> PUA-ADWARE OnlineGames download attempt (pua-adware.rules)
 * 1:16695 <-> ENABLED <-> MALWARE-CNC Rogue AV download/update attempt (malware-cnc.rules)
 * 1:13513 <-> DISABLED <-> SQL generic sql insert injection attempt - GET parameter (sql.rules)
 * 1:15875 <-> DISABLED <-> SQL generic sql insert injection attempt - POST parameter (sql.rules)
 * 1:25829 <-> ENABLED <-> MALWARE-CNC Trojan Banker FTC variant outbound connection (malware-cnc.rules)
 * 1:25807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Urausy Botnet variant outbound communication (malware-cnc.rules)
 * 1:25580 <-> ENABLED <-> MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack (malware-other.rules)
 * 1:25525 <-> DISABLED <-> OS-OTHER Nintendo User-Agent detected (os-other.rules)
 * 1:25579 <-> ENABLED <-> MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack (malware-other.rules)
 * 1:25524 <-> DISABLED <-> OS-OTHER Kindle User-Agent detected (os-other.rules)
 * 1:25523 <-> DISABLED <-> OS-OTHER Samsung User-Agent detected (os-other.rules)
 * 1:25627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reventon variant outbound communication (malware-cnc.rules)
 * 1:25521 <-> DISABLED <-> OS-OTHER Android User-Agent detected (os-other.rules)
 * 1:25577 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST (malware-cnc.rules)
 * 1:25522 <-> DISABLED <-> OS-OTHER Nokia User-Agent detected (os-other.rules)
 * 1:25675 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (malware-cnc.rules)
 * 1:25660 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Medfos variant outbound connection (malware-cnc.rules)
 * 1:25578 <-> ENABLED <-> MALWARE-OTHER Fake postal receipt HTTP Response phishing attack (malware-other.rules)
 * 1:25765 <-> ENABLED <-> MALWARE-CNC Trojan Agent YEH outbound connection (malware-cnc.rules)
 * 1:25766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:25809 <-> ENABLED <-> MALWARE-CNC Sality logos.gif URLs (malware-cnc.rules)
 * 3:16343 <-> ENABLED <-> WEB-CLIENT obfuscated header in PDF (web-client.rules)
 * 3:23180 <-> ENABLED <-> SMTP obfuscated header in PDF attachment (web-client.rules)
 * 3:13897 <-> ENABLED <-> EXPLOIT Apple Quicktime crgn atom parsing stack buffer overflow attempt (exploit.rules)