Sourcefire VRT Rules Update

Date: 2013-08-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.6.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:27667 <-> ENABLED <-> SERVER-WEBAPP Joomla media.php file.upload direct administrator access attempt (server-webapp.rules)
 * 1:27669 <-> DISABLED <-> APP-DETECT Heyoka outbound communication attempt (app-detect.rules)
 * 1:27644 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Merong variant connection attempt (malware-cnc.rules)
 * 1:27646 <-> DISABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra login request buffer overflow attempt (server-other.rules)
 * 1:27647 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nelaja variant outbound connection (malware-cnc.rules)
 * 1:27645 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Binjo variant outbound connection (malware-cnc.rules)
 * 1:27650 <-> DISABLED <-> BLACKLIST DNS request for known malware domain cdn.abacocafe.com (blacklist.rules)
 * 1:27648 <-> ENABLED <-> MALWARE-CNC Win.SpyBanker.ZSL variant outbound connection (malware-cnc.rules)
 * 1:27649 <-> ENABLED <-> MALWARE-CNC Brazilian Banking Trojan data theft (malware-cnc.rules)
 * 1:27670 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent.evf variant connection attempt (malware-cnc.rules)
 * 1:27651 <-> DISABLED <-> BLACKLIST DNS request for known malware domain pen.abacocafe.com (blacklist.rules)
 * 1:27664 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Castov variant connection attempt (malware-cnc.rules)
 * 1:27655 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Enchanim variant connection attempt (malware-cnc.rules)
 * 1:27678 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Goolelo variant connection attempt (malware-cnc.rules)
 * 1:27663 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 9 memory disclosure attempt (browser-ie.rules)
 * 1:27656 <-> DISABLED <-> BROWSER-PLUGINS VMWare Remote Console format string code execution attempt (browser-plugins.rules)
 * 1:27657 <-> DISABLED <-> BROWSER-PLUGINS VMWare Remote Console format string code execution attempt (browser-plugins.rules)
 * 1:27658 <-> DISABLED <-> BROWSER-PLUGINS VMWare Remote Console format string code execution attempt (browser-plugins.rules)
 * 1:27652 <-> DISABLED <-> BLACKLIST DNS request for known malware domain pens.abacocafe.com (blacklist.rules)
 * 1:27671 <-> DISABLED <-> FILE-FLASH Adobe Flash Player embedded JPG image height overflow attempt (file-flash.rules)
 * 1:27659 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gapz variant connection attempt (malware-cnc.rules)
 * 1:27660 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reabfrus variant connection attempt (malware-cnc.rules)
 * 1:27677 <-> DISABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:27661 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reabfrus variant connection attempt (malware-cnc.rules)
 * 1:27676 <-> DISABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:27674 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:27675 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:27672 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:27673 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:27668 <-> DISABLED <-> APP-DETECT Heyoka initial outbound connection attempt (app-detect.rules)
 * 1:27662 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Galfun variant outbound connection (malware-cnc.rules)
 * 1:27654 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Agent outbound connection attempt (malware-cnc.rules)
 * 1:27666 <-> ENABLED <-> SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt (server-other.rules)
 * 1:27665 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Castov variant connection attempt (malware-cnc.rules)
 * 1:27653 <-> DISABLED <-> BLACKLIST DNS request for known malware domain vpen.abacocafe.com (blacklist.rules)

Modified Rules:
 * 1:27623 <-> ENABLED <-> SERVER-OTHER Joomla media.php arbitrary file upload attempt (server-other.rules)
 * 1:15873 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox location spoofing attempt via invalid window.open characters (browser-firefox.rules)
 * 1:7205 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FngGroupCount record overflow attempt (file-office.rules)
 * 1:25563 <-> DISABLED <-> FILE-PDF Adobe Reader heap-based buffer overflow attempt (file-pdf.rules)
 * 1:26081 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - Suspected Crimepack (malware-cnc.rules)
 * 1:26430 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RTMP malformed onStatus message type confusion attempt (file-flash.rules)
 * 1:21935 <-> DISABLED <-> FILE-OFFICE Microsoft Works 9 and Word 12 converter heap overflow attempt (file-office.rules)
 * 1:26779 <-> ENABLED <-> MALWARE-CNC cridex encrypted POST check-in (malware-cnc.rules)
 * 1:27578 <-> ENABLED <-> SERVER-OTHER OpenX POST to known backdoored file (server-other.rules)
 * 1:27601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Noobot variant connection attempt (malware-cnc.rules)
 * 1:13300 <-> DISABLED <-> FILE-FLASH Adobe Flash Player embedded JPG image height overflow attempt (file-flash.rules)
 * 1:16241 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel FeatHdr BIFF record remote code execution attempt (file-office.rules)
 * 1:21655 <-> ENABLED <-> FILE-FLASH Adobe Flash Video invalid tag type attempt (file-flash.rules)
 * 1:27119 <-> DISABLED <-> INDICATOR-OBFUSCATION multiple plugin version detection attempt (indicator-obfuscation.rules)
 * 1:17603 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt (browser-firefox.rules)
 * 1:19136 <-> ENABLED <-> SERVER-WEBAPP CA XOsoft Multiple Products entry_point.aspx buffer overflow attempt (server-webapp.rules)
 * 1:1993 <-> DISABLED <-> PROTOCOL-IMAP login literal buffer overflow attempt (protocol-imap.rules)
 * 1:20883 <-> DISABLED <-> FILE-OFFICE Microsoft Windows embedded packager object with .application extension bypass attempt (file-office.rules)
 * 1:23128 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 9 memory disclosure attempt (browser-ie.rules)
 * 1:23165 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online wlanapi.dll dll-load exploit attempt (server-other.rules)
 * 1:23164 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online ncrypt.dll dll-load exploit attempt (server-other.rules)
 * 1:24674 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SST record invalid length memory corruption attempt (file-office.rules)
 * 1:24673 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SST record invalid length memory corruption attempt (file-office.rules)
 * 1:25564 <-> DISABLED <-> FILE-PDF Adobe Reader heap-based buffer overflow attempt (file-pdf.rules)
 * 1:26808 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit short jar request (exploit-kit.rules)
 * 1:18097 <-> DISABLED <-> BROWSER-PLUGINS VMWare Remote Console format string code execution attempt (browser-plugins.rules)
 * 1:18374 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string SurfBear (blacklist.rules)
 * 1:17459 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
 * 1:27621 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:27622 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)