Sourcefire VRT Rules Update

Date: 2013-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:26482 <-> DISABLED <-> MALWARE-CNC Unknown Thinner Encrypted POST botnet C&C (malware-cnc.rules)
 * 1:26483 <-> ENABLED <-> SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt (server-webapp.rules)
 * 1:26486 <-> ENABLED <-> FILE-OTHER Oracle Java JRE reflection types public final field overwrite attempt (file-other.rules)
 * 1:26487 <-> ENABLED <-> FILE-OTHER Oracle Java JRE reflection types public final field overwrite attempt (file-other.rules)
 * 1:26467 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Magic variant inbound connection (malware-cnc.rules)
 * 1:26468 <-> DISABLED <-> SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt (server-oracle.rules)
 * 1:26469 <-> DISABLED <-> SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt (server-oracle.rules)
 * 1:26470 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download (malware-other.rules)
 * 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
 * 1:26472 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt (file-multimedia.rules)
 * 1:26473 <-> DISABLED <-> FILE-OTHER CoolPlayer playlist file handling buffer overflow attempt (file-other.rules)
 * 1:26485 <-> ENABLED <-> FILE-OTHER Oracle Java JRE reflection types public final field overwrite attempt (file-other.rules)
 * 1:26481 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Crysis variant outbound connection (malware-cnc.rules)
 * 1:26484 <-> ENABLED <-> FILE-OTHER Oracle Java JRE reflection types public final field overwrite attempt (file-other.rules)
 * 1:26478 <-> DISABLED <-> FILE-OTHER CoolPlayer playlist file handling buffer overflow attempt (file-other.rules)
 * 1:26479 <-> DISABLED <-> SERVER-OTHER ActFax LPD Server data field buffer overflow attempt (server-other.rules)
 * 1:26474 <-> DISABLED <-> FILE-OTHER CoolPlayer playlist file handling buffer overflow attempt (file-other.rules)
 * 1:26475 <-> DISABLED <-> FILE-OTHER CoolPlayer playlist file handling buffer overflow attempt (file-other.rules)
 * 1:26476 <-> DISABLED <-> FILE-OTHER CoolPlayer playlist file handling buffer overflow attempt (file-other.rules)
 * 1:26477 <-> DISABLED <-> FILE-OTHER CoolPlayer playlist file handling buffer overflow attempt (file-other.rules)
 * 1:26480 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot fake PNG config file download without User-Agent (malware-cnc.rules)

Modified Rules:


 * 1:1250 <-> DISABLED <-> OS-OTHER Cisco IOS HTTP configuration attempt (os-other.rules)
 * 1:1253 <-> DISABLED <-> TELNET bsd exploit client finishing (telnet.rules)
 * 1:15384 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt (file-multimedia.rules)
 * 1:16282 <-> DISABLED <-> PUA-P2P Bittorrent uTP peer request (pua-p2p.rules)
 * 1:17210 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows executable file load from SMB share attempt (file-executable.rules)
 * 1:18945 <-> DISABLED <-> MALWARE-CNC Virus.Win32.Feberr variant outbound connection (malware-cnc.rules)
 * 1:1948 <-> DISABLED <-> DNS dns zone transfer via UDP detected (dns.rules)
 * 1:20089 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
 * 1:20090 <-> DISABLED <-> INDICATOR-COMPROMISE IRC DCC file transfer request on non-standard port (indicator-compromise.rules)
 * 1:20091 <-> DISABLED <-> INDICATOR-COMPROMISE IRC DCC chat request on non-standard port (indicator-compromise.rules)
 * 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (indicator-compromise.rules)
 * 1:20093 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel notice on non-standard port (indicator-compromise.rules)
 * 1:20094 <-> DISABLED <-> INDICATOR-COMPROMISE IRC message on non-standard port (indicator-compromise.rules)
 * 1:20095 <-> DISABLED <-> INDICATOR-COMPROMISE IRC dns request on non-standard port (indicator-compromise.rules)
 * 1:26241 <-> DISABLED <-> BROWSER-PLUGINS ActivePDF WebGrabber APWebGrb.ocx ActiveX function call access attempt (browser-plugins.rules)
 * 1:26385 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows executable file save onto SMB share attempt (file-executable.rules)