Sourcefire VRT Rules Update

Date: 2013-05-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
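The entry format above is regular enough to parse mechanically, which is how an operator would normally check a rule update against local policy (for example, to list the new rules that ship DISABLED and therefore will not fire until enabled explicitly). The following parser is an added example and is not Sourcefire's or the Snort project's code; it assumes entries keep exactly the `gid:sid <-> state <-> message (group)` shape shown on this page, and the sample text it parses is a constructed excerpt of the entries listed here plus one deliberately malformed line.

```python
import re
from collections import Counter

# One changelog entry in the page's stated format:
#   gid:sid <-> Default rule state <-> Message (rule group)
# The group is the rules file name in the trailing parentheses.
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<message>.*?)\s*\((?P<group>[\w.-]+)\)\s*$"
)

# Constructed sample: a few entries from the page, plus one line that does not match.
SAMPLE = """New Rules:

 * 1:26562 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests (exploit-kit.rules)
 * 1:26564 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime Movie file clipping region handling heap buffer overflow attempt (file-multimedia.rules)
 * 1:26565 <-> ENABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules)

Modified Rules:

 * 1:26348 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit delivery (exploit-kit.rules)
 * 1:25139 <-> DISABLED <-> EXPLOIT-KIT Styx Exploit Kit eot outbound connection (exploit-kit.rules)
 * garbage line that does not match the format
"""


def parse_update(text):
    """Parse an update notice into (entries, rejected_lines).

    Each entry records the section it appeared under ("New Rules" or
    "Modified Rules"), gid, sid, default state, message, rule group, and
    the message's leading category token (e.g. EXPLOIT-KIT).
    Lines that do not match the format are returned separately rather
    than silently dropped, so a format change in a future update is noticed.
    """
    entries, rejected = [], []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        # Section headings look like "New Rules:" / "Modified Rules:".
        if stripped.endswith(":") and not stripped.startswith("*"):
            section = stripped[:-1]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        entries.append({
            "section": section,
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "enabled": m["state"] == "ENABLED",
            "message": m["message"],
            "group": m["group"],
            "category": m["message"].split(" ", 1)[0],
        })
    return entries, rejected


def disabled_by_default(entries):
    """SIDs that ship DISABLED and need explicit enabling in local policy."""
    return sorted(e["sid"] for e in entries if not e["enabled"])


def count_by_category(entries):
    """How many entries fall under each message category (EXPLOIT-KIT, ...)."""
    return Counter(e["category"] for e in entries)


if __name__ == "__main__":
    parsed, bad = parse_update(SAMPLE)
    print("parsed:", len(parsed), "rejected:", len(bad))
    print("disabled by default:", disabled_by_default(parsed))
    print("by category:", dict(count_by_category(parsed)))
```

Running the script over a full update notice gives the disabled-by-default SID list, which is the set an operator has to review and opt into; the rejected-line list is the check that the notice format has not drifted from what the parser expects.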

New Rules:

 * 1:26562 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests (exploit-kit.rules)
 * 1:26564 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime Movie file clipping region handling heap buffer overflow attempt (file-multimedia.rules)
 * 1:26565 <-> ENABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules)
 * 1:26568 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules)
 * 1:26570 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26572 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26569 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26567 <-> ENABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules)
 * 1:26566 <-> ENABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules)
 * 1:26563 <-> ENABLED <-> MALWARE-CNC Harakit botnet traffic (malware-cnc.rules)

Modified Rules:

 * 1:26348 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit delivery (exploit-kit.rules)
 * 1:26351 <-> ENABLED <-> EXPLOIT-KIT Redkit landing page redirection (exploit-kit.rules)
 * 1:26296 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
 * 1:26344 <-> ENABLED <-> EXPLOIT-KIT Redkit landing page redirection (exploit-kit.rules)
 * 1:25139 <-> DISABLED <-> EXPLOIT-KIT Styx Exploit Kit eot outbound connection (exploit-kit.rules)
 * 1:25255 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit redirection attempt (exploit-kit.rules)
 * 1:25138 <-> DISABLED <-> EXPLOIT-KIT Styx Exploit Kit pdf outbound connection (exploit-kit.rules)
 * 1:25140 <-> ENABLED <-> EXPLOIT-KIT Styx Exploit Kit exe outbound connection (exploit-kit.rules)
 * 1:25136 <-> ENABLED <-> EXPLOIT-KIT Styx Exploit Kit plugin detection connection (exploit-kit.rules)
 * 1:24841 <-> ENABLED <-> EXPLOIT-KIT Sibhost Exploit Kit outbound JAR download attempt (exploit-kit.rules)
 * 1:25135 <-> DISABLED <-> EXPLOIT-KIT Styx Exploit Kit outbound connection (exploit-kit.rules)
 * 1:23224 <-> ENABLED <-> EXPLOIT-KIT RedKit Landing Page Requested - 8Digit.html (exploit-kit.rules)
 * 1:24798 <-> ENABLED <-> EXPLOIT-KIT Possible malicious Jar download attempt - specific-structure (exploit-kit.rules)
 * 1:24263 <-> ENABLED <-> FILE-PDF Overly large CreationDate within a pdf - likely malicious (file-pdf.rules)
 * 1:23225 <-> ENABLED <-> EXPLOIT-KIT RedKit Landing Page Received - applet and flowbit (exploit-kit.rules)
 * 1:23221 <-> DISABLED <-> EXPLOIT-KIT RedKit Jar File Naming Algorithm (exploit-kit.rules)
 * 1:23222 <-> ENABLED <-> EXPLOIT-KIT RedKit Landing Page Received - applet and 5 digit jar attempt (exploit-kit.rules)
 * 1:23220 <-> ENABLED <-> EXPLOIT-KIT RedKit Java Exploit Requested - 5 digit jar (exploit-kit.rules)
 * 1:21874 <-> ENABLED <-> EXPLOIT-KIT Possible exploit kit post compromise activity - StrReverse (exploit-kit.rules)
 * 1:23223 <-> DISABLED <-> EXPLOIT-KIT RedKit Landing Page Received - applet and code (exploit-kit.rules)
 * 1:15559 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file clipping region handling heap buffer overflow attempt (file-multimedia.rules)
 * 1:23219 <-> ENABLED <-> EXPLOIT-KIT Redkit Java Exploit request to .class file (exploit-kit.rules)
 * 1:24647 <-> ENABLED <-> SERVER-WEBAPP D-Link Wireless Router CAPTCHA data processing buffer overflow attempt (server-webapp.rules)
 * 1:26297 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit redirection page (exploit-kit.rules)
 * 1:21875 <-> ENABLED <-> EXPLOIT-KIT Possible exploit kit post compromise activity - taskkill (exploit-kit.rules)
 * 1:26346 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit payload requested (exploit-kit.rules)
 * 1:25137 <-> DISABLED <-> EXPLOIT-KIT Styx Exploit Kit jar outbound connection (exploit-kit.rules)
 * 1:25798 <-> DISABLED <-> EXPLOIT-KIT Multiple Exploit Kit 32-alpha jar request (exploit-kit.rules)
 * 1:25808 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit landing page detection - specific-structure (exploit-kit.rules)
 * 1:25971 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit redirection (exploit-kit.rules)
 * 1:26384 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:26383 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:26350 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit successful redirection (exploit-kit.rules)
 * 1:26349 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit obfuscated portable executable (exploit-kit.rules)
 * 1:26345 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules)
 * 1:25988 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:25989 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:26013 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit redirection page received (exploit-kit.rules)
 * 1:26090 <-> ENABLED <-> EXPLOIT-KIT Styx Exploit Kit Landing Page (exploit-kit.rules)
 * 1:26094 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
 * 1:26232 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
 * 1:26233 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
 * 1:26511 <-> ENABLED <-> EXPLOIT-KIT Sakura Exploit kit redirection structure (exploit-kit.rules)