Sourcefire VRT Rules Update

Date: 2013-01-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:25276 <-> DISABLED <-> SERVER-OTHER Asterisk oversized Content-Length memory corruption attempt (server-other.rules)
 * 1:25275 <-> ENABLED <-> FILE-OTHER MSXML dynamic pointer casting arbitrary code execution attempt (file-other.rules)
 * 1:25274 <-> ENABLED <-> SERVER-IIS Microsoft Windows Server 2012 IIS OData protocol nested replace filter dos attempt (server-iis.rules)
 * 1:25273 <-> ENABLED <-> SERVER-WEBAPP Microsoft SCOM Web Console cross-site scripting attempt (server-webapp.rules)
 * 1:25272 <-> DISABLED <-> SERVER-WEBAPP Microsoft System Center Operations Manger cross site scripting attempt (server-webapp.rules)
 * 1:25271 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buzus outbound connection (malware-cnc.rules)
 * 1:25270 <-> ENABLED <-> FILE-OTHER overly large XML file MSXML heap overflow attempt (file-other.rules)
 * 1:25269 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buterat outbound connection (malware-cnc.rules)
 * 1:25268 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBot variant outbound connection (malware-cnc.rules)
 * 1:25267 <-> ENABLED <-> SERVER-OTHER Adobe ColdFusion Admin API arbitrary command execution attempt (server-other.rules)
 * 1:25266 <-> ENABLED <-> SERVER-OTHER Adobe ColdFusion Admin API arbitrary command execution attempt (server-other.rules)
 * 1:25265 <-> ENABLED <-> SERVER-WEBAPP revoked subsidiary CA certificate for ego.gov.tr detected (server-webapp.rules)
 * 1:25264 <-> ENABLED <-> SERVER-WEBAPP revoked subsidiary CA certificate for e-islem.kktcmerkezbankasi.org detected (server-webapp.rules)
 * 1:25263 <-> ENABLED <-> SERVER-WEBAPP fraudulent digital certificate for google.com detected (server-webapp.rules)
 * 1:25262 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string IEToolbar (blacklist.rules)
 * 1:25261 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string MSIE (blacklist.rules)
 * 1:25260 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Mozila (blacklist.rules)
 * 1:25259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BancosBanload outbound connection (malware-cnc.rules)
 * 1:25258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rombrast outbound connection (malware-cnc.rules)
 * 1:25257 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Skintrim outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:25135 <-> DISABLED <-> EXPLOIT-KIT Styx Exploit Kit outbound connection (exploit-kit.rules)
 * 1:498 <-> DISABLED <-> INDICATOR-COMPROMISE id check returned root (indicator-compromise.rules)
 * 1:19812 <-> DISABLED <-> SERVER-OTHER CA Total Defense Suite UNCWS getDBConfigSettings credential information disclosure (server-other.rules)