Sourcefire VRT Rules Update

Date: 2013-06-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.6.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:26937 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer image download spoofing attempt (browser-ie.rules)
 * 1:26936 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer image download spoofing attempt (browser-ie.rules)
 * 1:26935 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer image download spoofing attempt (browser-ie.rules)
 * 1:26934 <-> DISABLED <-> MALWARE-OTHER Clickserver ad harvesting redirection attempt (malware-other.rules)
 * 1:26933 <-> DISABLED <-> MALWARE-OTHER Clickserver ad harvesting redirection attempt (malware-other.rules)
 * 1:26932 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeroaccess outbound connection (malware-cnc.rules)
 * 1:26931 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeroaccess outbound connection (malware-cnc.rules)
 * 1:26930 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeroaccess outbound connection (malware-cnc.rules)
 * 1:26929 <-> ENABLED <-> SERVER-WEBAPP SAP ConfigServlet command execution attempt (server-webapp.rules)
 * 1:26928 <-> DISABLED <-> FILE-PDF Adobe Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:26927 <-> DISABLED <-> FILE-PDF Adobe Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:26926 <-> DISABLED <-> FILE-OTHER Multiple products ZIP archive virus detection bypass attempt (file-other.rules)
 * 1:26925 <-> DISABLED <-> SQL generic convert injection attempt - GET parameter (sql.rules)
 * 1:26924 <-> ENABLED <-> MALWARE-CNC Potential Gozi Trojan HTTP Header Structure (malware-cnc.rules)
 * 1:26923 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus outbound connection (malware-cnc.rules)
 * 1:26922 <-> ENABLED <-> OS-WINDOWS Microsoft Windows pprFlattenRec exploit attempt (os-windows.rules)
 * 1:26921 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Kazy download attempt (malware-other.rules)
 * 1:26920 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kukutrustnet777.info - W32.Sality (blacklist.rules)
 * 1:26919 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kjwre9fqwieluoi.info - W32.Sality (blacklist.rules)
 * 1:26918 <-> ENABLED <-> BLACKLIST DNS request for known malware domain trafficconverter.biz - ChronoPay (blacklist.rules)
 * 1:26917 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bigmack.opendns.be - Palevo Botnet (blacklist.rules)
 * 1:26916 <-> ENABLED <-> BLACKLIST DNS request for known malware domain soywey.sin-ip.es - Palevo Botnet (blacklist.rules)
 * 1:26915 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zalil.ru - Kazy Trojan (blacklist.rules)
 * 1:26914 <-> ENABLED <-> BLACKLIST DNS request for known malware domain goliyonzo.pw - BackDoor Comet (blacklist.rules)
 * 1:26913 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.silobiancer.com - Win.Trojan.Rombrast Trojan (blacklist.rules)
 * 1:26912 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication (malware-cnc.rules)
 * 1:26911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication (malware-cnc.rules)
 * 1:26910 <-> DISABLED <-> MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers (malware-cnc.rules)

Modified Rules:

 * 1:711 <-> DISABLED <-> PROTOCOL-TELNET SGI telnetd format bug (protocol-telnet.rules)
 * 1:5997 <-> DISABLED <-> SERVER-WEBAPP WinProxy host header port buffer overflow attempt (server-webapp.rules)
 * 1:613 <-> DISABLED <-> INDICATOR-SCAN myscan (indicator-scan.rules)
 * 1:4638 <-> DISABLED <-> SERVER-OTHER RSVP Protocol zero length object DoS attempt (server-other.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (protocol-nntp.rules)
 * 1:3007 <-> DISABLED <-> PROTOCOL-IMAP command overflow attempt (protocol-imap.rules)
 * 1:26887 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:26901 <-> DISABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt (browser-plugins.rules)
 * 1:26886 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:26885 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:26884 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:26883 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:26429 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP malformed onStatus message type confusion attempt (file-flash.rules)
 * 1:26882 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:26829 <-> DISABLED <-> SQL generic sql update injection attempt - POST parameter (sql.rules)
 * 1:26795 <-> ENABLED <-> MALWARE-OTHER Android ANDR.Trojan.ZertSecurity apk download (malware-other.rules)
 * 1:26777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy variant outbound connection (malware-cnc.rules)
 * 1:26755 <-> DISABLED <-> FILE-PDF Adobe Acrobat file extension overflow attempt (file-pdf.rules)
 * 1:26522 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent NOKIAN95/WEB (blacklist.rules)
 * 1:26430 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RTMP malformed onStatus message type confusion attempt (file-flash.rules)
 * 1:26273 <-> ENABLED <-> MALWARE-OTHER Android ANDR.Trojan.Chuli APK file download attempt (malware-other.rules)
 * 1:26272 <-> ENABLED <-> MALWARE-OTHER Android ANDR.Trojan.Chuli APK file download attempt (malware-other.rules)
 * 1:26247 <-> ENABLED <-> MALWARE-OTHER Android ANDR.Trojan.PremiumSMS APK file download attempt (malware-other.rules)
 * 1:15071 <-> DISABLED <-> PROTOCOL-SCADA Modbus exception returned (protocol-scada.rules)
 * 1:15876 <-> DISABLED <-> SQL generic sql update injection attempt - POST parameter (sql.rules)
 * 1:26246 <-> ENABLED <-> MALWARE-OTHER Android ANDR.Trojan.PremiumSMS APK file download attempt (malware-other.rules)
 * 1:16684 <-> DISABLED <-> SERVER-SAMBA Samba smbd Session Setup AndX security blob length dos attempt (server-samba.rules)
 * 1:17060 <-> ENABLED <-> BROWSER-PLUGINS Roxio CinePlayer SonicDVDDashVRNav.dll ActiveX control buffer overflow attempt (browser-plugins.rules)
 * 1:1734 <-> DISABLED <-> PROTOCOL-FTP USER overflow attempt (protocol-ftp.rules)
 * 1:26026 <-> ENABLED <-> OS-MOBILE Android Gmaster device information send (os-mobile.rules)
 * 1:17458 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
 * 1:19014 <-> DISABLED <-> PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ (protocol-tftp.rules)
 * 1:19682 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt (file-flash.rules)
 * 1:1973 <-> DISABLED <-> PROTOCOL-FTP MKD overflow attempt (protocol-ftp.rules)
 * 1:25835 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt (file-flash.rules)
 * 1:21162 <-> DISABLED <-> FILE-PDF Adobe Acrobat file extension overflow attempt (file-pdf.rules)
 * 1:21322 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt (file-flash.rules)
 * 1:21323 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player atl.dll dll-load exploit attempt (file-flash.rules)
 * 1:21324 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player uxtheme.dll dll-load exploit attempt (file-flash.rules)
 * 1:24639 <-> DISABLED <-> PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 122 invalid function call attempt (protocol-rpc.rules)
 * 1:24511 <-> ENABLED <-> FILE-JAVA Oracle Java XGetSamplePtrFromSnd memory corruption attempt (file-java.rules)
 * 1:24304 <-> DISABLED <-> PROTOCOL-DNS dead alive6 DNS attempt (protocol-dns.rules)
 * 1:23954 <-> ENABLED <-> MALWARE-OTHER Android SMSZombie APK file download attempt (malware-other.rules)
 * 1:23852 <-> ENABLED <-> FILE-PDF Blackhole exploit kit related malicious file detection (file-pdf.rules)
 * 1:23851 <-> ENABLED <-> FILE-PDF Blackhole exploit kit related malicious file detection (file-pdf.rules)
 * 1:23493 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess outbound communication (malware-cnc.rules)
 * 1:23135 <-> DISABLED <-> FILE-FLASH Adobe Flash Player flash.DisplayObject memory corruption attempt (file-flash.rules)