Sourcefire VRT Rules Update

Date: 2013-06-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.6.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:27017 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dapato variant inbound response connection (malware-cnc.rules)
 * 1:27016 <-> ENABLED <-> OS-MOBILE Android AnserverBot initial contact (os-mobile.rules)
 * 1:27015 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string iexplorer (blacklist.rules)
 * 1:27014 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Epipenwa variant outbound connection attempt (malware-cnc.rules)
 * 1:27013 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Phoenot variant outbound connection (malware-cnc.rules)
 * 1:27012 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Phoenot variant outbound connection (malware-cnc.rules)
 * 1:27011 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Zbot payment .scr download attempt (malware-cnc.rules)
 * 1:27010 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Zbot payment .scr download attempt (malware-cnc.rules)
 * 1:27009 <-> DISABLED <-> DELETED MALWARE-CNC WIN.Trojan.Zbot outbound connection (deleted.rules)
 * 1:27008 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Zbot outbound connection (malware-cnc.rules)
 * 1:27007 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Zbot outbound connection (malware-cnc.rules)
 * 1:27006 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Network Node Manager URI rping stack buffer overflow attempt (server-webapp.rules)
 * 1:27005 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit Portable Executable downloaded when mp3 is declared (exploit-kit.rules)
 * 1:27004 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit jar file download (exploit-kit.rules)
 * 1:27003 <-> DISABLED <-> MALWARE-CNC WIN.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:27002 <-> DISABLED <-> MALWARE-CNC WIN.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:27001 <-> DISABLED <-> SERVER-OTHER Novell ZENWorks Remote Management overflow attempt (server-other.rules)
 * 1:27000 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chinoxy variant outbound connection (malware-cnc.rules)
 * 1:26999 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chinoxy variant outbound connection (malware-cnc.rules)
 * 1:26998 <-> DISABLED <-> MALWARE-CNC OSX.Trojan.Morcut file download attempt (malware-cnc.rules)
 * 1:26997 <-> DISABLED <-> MALWARE-CNC OSX.Trojan.Morcut outbound connection attempt (malware-cnc.rules)
 * 1:26996 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Agent variant outbound connection (malware-cnc.rules)
 * 1:26995 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Agent variant outbound connection (malware-cnc.rules)
 * 1:26994 <-> DISABLED <-> BROWSER-PLUGINS Oracle Javadoc generated frame replacement attempt (browser-plugins.rules)
 * 1:26993 <-> DISABLED <-> SERVER-WEBAPP Microsoft Outlook Web Access Login URL Redirection attempt (server-webapp.rules)
 * 1:26992 <-> ENABLED <-> SERVER-WEBAPP WordPress Super Cache & W3 Total Cache remote code execution attempt (server-webapp.rules)
 * 1:26991 <-> ENABLED <-> SERVER-WEBAPP WordPress Super Cache & W3 Total Cache remote code execution attempt (server-webapp.rules)
 * 1:26990 <-> ENABLED <-> SERVER-WEBAPP WordPress Super Cache & W3 Total Cache remote code execution attempt (server-webapp.rules)
 * 1:26989 <-> DISABLED <-> FILE-OTHER Multiple products ZIP archive virus detection bypass attempt (file-other.rules)
 * 1:26988 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt (browser-ie.rules)
 * 1:26987 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cyvadextr variant outbound connection (malware-cnc.rules)
 * 1:26986 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Xenil variant outbound connection (malware-cnc.rules)
 * 1:26985 <-> ENABLED <-> EXPLOIT-KIT Rawin exploit kit outbound java retrieval (exploit-kit.rules)
 * 1:26984 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector Info Stealer Trojan outbound connection (malware-cnc.rules)

Modified Rules:
 * 1:15147 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:15259 <-> DISABLED <-> PROTOCOL-DNS DNS root query traffic amplification attempt (protocol-dns.rules)
 * 1:15260 <-> DISABLED <-> PROTOCOL-DNS DNS root query response traffic amplification attempt (protocol-dns.rules)
 * 1:15726 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Network Node Manager URI rping stack buffer overflow attempt (server-webapp.rules)
 * 1:15958 <-> DISABLED <-> SERVER-OTHER Novell ZENworks Remote Management overflow attempt (server-other.rules)
 * 1:1842 <-> DISABLED <-> PROTOCOL-IMAP login buffer overflow attempt (protocol-imap.rules)
 * 1:19125 <-> DISABLED <-> PROTOCOL-DNS ISC BIND DNSSEC authority response record overflow attempt (protocol-dns.rules)
 * 1:1941 <-> ENABLED <-> PROTOCOL-TFTP GET filename overflow attempt (protocol-tftp.rules)
 * 1:1972 <-> DISABLED <-> PROTOCOL-FTP PASS overflow attempt (protocol-ftp.rules)
 * 1:20576 <-> DISABLED <-> SERVER-OTHER Novell ZENworks Remote Management overflow attempt (server-other.rules)
 * 1:20704 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer defaulttime behavior attack attempt (browser-plugins.rules)
 * 1:21421 <-> DISABLED <-> PROTOCOL-DNS ISC BIND DNSSEC authority response record overflow attempt (protocol-dns.rules)
 * 1:23368 <-> DISABLED <-> PROTOCOL-DNS Tftpd32 DNS server denial of service attempt (protocol-dns.rules)
 * 1:2338 <-> DISABLED <-> PROTOCOL-FTP LIST buffer overflow attempt (protocol-ftp.rules)
 * 1:23825 <-> DISABLED <-> MALWARE-CNC FinFisher initial outbound connection (malware-cnc.rules)
 * 1:23826 <-> DISABLED <-> MALWARE-CNC FinFisher outbound connection (malware-cnc.rules)
 * 1:25476 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent (blacklist.rules)
 * 1:25650 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:26262 <-> ENABLED <-> SERVER-OTHER MongoDB nativeHelper.apply method command injection attempt (server-other.rules)
 * 1:26324 <-> DISABLED <-> PROTOCOL-DNS ISC BIND NAPTR record regular expression handling denial of service attempt (protocol-dns.rules)
 * 1:26427 <-> DISABLED <-> PROTOCOL-DNS ISC libdns client NAPTR record regular expression handling denial of service attempt (protocol-dns.rules)
 * 1:26535 <-> ENABLED <-> EXPLOIT-KIT Multiple Exploit Kit landing page - specific structure (exploit-kit.rules)
 * 1:26879 <-> DISABLED <-> BROWSER-OTHER local loopback address in html (browser-other.rules)
 * 1:26926 <-> DISABLED <-> FILE-OTHER Multiple products ZIP archive virus detection bypass attempt (file-other.rules)
 * 1:26941 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.PipCreat RAT dropper download attempt (malware-cnc.rules)