VRT Rules 2014-08-26
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-identify, indicator-compromise, malware-cnc, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2014-08-26 14:39:29 UTC

Sourcefire VRT Rules Update

Date: 2014-08-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31690 <-> ENABLED <-> BLACKLIST DNS request for known malware domain managejave.myftp.org - Win.Trojan.Kronos (blacklist.rules)
 * 1:31691 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kronos variant outbound connection (malware-cnc.rules)
 * 1:31692 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit landing page detected (exploit-kit.rules)
 * 1:31693 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korplug Poisoned Hurricane Malware outbound communication (malware-cnc.rules)
 * 1:31694 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
 * 1:31695 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
 * 1:31696 <-> DISABLED <-> SERVER-WEBAPP Jira Issue Collector Plugin directory traversal attempt (server-webapp.rules)
 * 1:31697 <-> DISABLED <-> SERVER-WEBAPP Jira Issue Collector Plugin directory traversal attempt (server-webapp.rules)
 * 1:31698 <-> DISABLED <-> SERVER-WEBAPP Jira Issue Collector Plugin directory traversal attempt (server-webapp.rules)
 * 1:31699 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit encrypted binary download (exploit-kit.rules)
 * 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
 * 1:31701 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit Silverlight exploit request (exploit-kit.rules)
 * 1:31702 <-> ENABLED <-> FILE-IDENTIFY Microsoft Silverlight application file magic detected (file-identify.rules)
 * 1:31703 <-> ENABLED <-> FILE-IDENTIFY Microsoft Silverlight application file magic detected (file-identify.rules)
 * 1:31704 <-> DISABLED <-> SERVER-OTHER FCKeditor textinputs cross site scripting attempt (server-other.rules)
 * 1:31705 <-> ENABLED <-> BLACKLIST DNS request for known PUA domain mytransitguide.com - MyTransitGuide Toolbar (blacklist.rules)
 * 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound communication (malware-cnc.rules)
 * 1:31707 <-> DISABLED <-> BROWSER-PLUGINS IBiz EBanking Integrator ActiveX clsid access (browser-plugins.rules)
 * 1:31708 <-> DISABLED <-> SERVER-OTHER Cougar-LG SSH key path access attempt (server-other.rules)
 * 1:31709 <-> DISABLED <-> SERVER-OTHER Cougar-LG configuration file access attempt (server-other.rules)
 * 1:31710 <-> ENABLED <-> BLACKLIST DNS request for known malware domain alquimedes.net - Win.Trojan.Ragua (blacklist.rules)
 * 1:31711 <-> DISABLED <-> INDICATOR-COMPROMISE Keylog string over FTP detected (indicator-compromise.rules)
 * 1:31712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31713 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31714 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31715 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31716 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Otupsys variant outbound connection (malware-cnc.rules)
 * 1:31717 <-> ENABLED <-> MALWARE-CNC Win.Trojan.JavaInstaller variant outbound connection attempt (malware-cnc.rules)
 * 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound communication (malware-cnc.rules)

Modified Rules:


 * 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (protocol-snmp.rules)
 * 1:18926 <-> DISABLED <-> PROTOCOL-SNMP Multiple vendors AgentX receive_agentx integer overflow attempt (protocol-snmp.rules)
 * 1:19062 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FakePlus variant outbound connection (malware-cnc.rules)
 * 1:21995 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection (malware-cnc.rules)
 * 1:19592 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:19572 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FFSearch variant outbound connection (malware-cnc.rules)
 * 1:19569 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Perkesh variant outbound connection (malware-cnc.rules)
 * 1:19429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Proxy Win.Trojan.Dosenjo.C variant outbound connection (malware-cnc.rules)
 * 1:19344 <-> DISABLED <-> MALWARE-CNC AntiMalware Pro variant outbound connection (malware-cnc.rules)
 * 1:19343 <-> DISABLED <-> MALWARE-CNC Adware Pro variant outbound connection (malware-cnc.rules)
 * 1:19342 <-> DISABLED <-> MALWARE-CNC Adware Professional variant outbound connection (malware-cnc.rules)
 * 1:22000 <-> DISABLED <-> MALWARE-CNC Win.Worm.amna variant outbound connection (malware-cnc.rules)
 * 1:13679 <-> DISABLED <-> BROWSER-PLUGINS IBiz EBanking Integrator ActiveX clsid access (browser-plugins.rules)
 * 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (protocol-snmp.rules)
 * 1:26695 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Namihno variant outbound request (malware-cnc.rules)
 * 1:21997 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
 * 1:21996 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection (malware-cnc.rules)
 * 1:19656 <-> DISABLED <-> MALWARE-CNC Trojan-Dropper.Win32.Peace.lh variant outbound connection (malware-cnc.rules)
 * 1:19700 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.tnr variant outbound connection (malware-cnc.rules)
 * 1:12712 <-> DISABLED <-> PROTOCOL-SNMP oversized sysName set request (protocol-snmp.rules)
 * 1:1412 <-> DISABLED <-> PROTOCOL-SNMP public access tcp (protocol-snmp.rules)
 * 1:19716 <-> DISABLED <-> MALWARE-CNC TrojanSpy.Win32.Banker.OO variant outbound connection (malware-cnc.rules)
 * 1:1409 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt (protocol-snmp.rules)
 * 1:1413 <-> DISABLED <-> PROTOCOL-SNMP private access udp (protocol-snmp.rules)
 * 1:1414 <-> DISABLED <-> PROTOCOL-SNMP private access tcp (protocol-snmp.rules)
 * 1:1411 <-> DISABLED <-> PROTOCOL-SNMP public access udp (protocol-snmp.rules)
 * 1:1415 <-> DISABLED <-> PROTOCOL-SNMP Broadcast request (protocol-snmp.rules)
 * 1:19719 <-> DISABLED <-> MALWARE-CNC Email-Worm.Win32.Bagle.of variant outbound connection (malware-cnc.rules)
 * 1:1417 <-> DISABLED <-> PROTOCOL-SNMP request udp (protocol-snmp.rules)
 * 1:22001 <-> DISABLED <-> MALWARE-CNC Win.Worm.amna variant outbound connection (malware-cnc.rules)
 * 1:1418 <-> DISABLED <-> PROTOCOL-SNMP request tcp (protocol-snmp.rules)
 * 1:1419 <-> DISABLED <-> PROTOCOL-SNMP trap udp (protocol-snmp.rules)
 * 1:1416 <-> DISABLED <-> PROTOCOL-SNMP broadcast trap (protocol-snmp.rules)
 * 1:19753 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TrojanSpy.Win32.Zbot.gen.C variant outbound connection (malware-cnc.rules)
 * 1:21998 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:1420 <-> DISABLED <-> PROTOCOL-SNMP trap tcp (protocol-snmp.rules)
 * 1:19754 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Downloader.Delf.RGL variant outbound connection (malware-cnc.rules)
 * 1:25076 <-> ENABLED <-> MALWARE-CNC Win.Worm.Joanap variant variant outbound connection (malware-cnc.rules)
 * 1:19759 <-> DISABLED <-> MALWARE-CNC Trojan-PSW.Win32.FireThief.h variant outbound connection (malware-cnc.rules)
 * 1:19788 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Downloader.Win32.VB.pnc variant outbound connection (malware-cnc.rules)
 * 1:1421 <-> DISABLED <-> PROTOCOL-SNMP AgentX/tcp request (protocol-snmp.rules)
 * 1:19781 <-> DISABLED <-> MALWARE-CNC Trojan-Dropper.Win32.Agent.aqpn variant outbound connection (malware-cnc.rules)
 * 1:19799 <-> DISABLED <-> MALWARE-CNC PWS.Win32.Zbot.gen.Q variant outbound connection (malware-cnc.rules)
 * 1:19800 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Pher.ij variant outbound connection (malware-cnc.rules)
 * 1:19805 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Smser.cx variant outbound connection (malware-cnc.rules)
 * 1:21632 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
 * 1:19863 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Httpbot.yi variant outbound connection (malware-cnc.rules)
 * 1:21945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Litmpuca.A variant outbound connection (malware-cnc.rules)
 * 1:21946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Litmpuca.A variant outbound connection (malware-cnc.rules)
 * 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (protocol-snmp.rules)
 * 1:21981 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Selvice variant outbound connection (malware-cnc.rules)
 * 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
 * 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (protocol-snmp.rules)
 * 1:1422 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt with evasion (protocol-snmp.rules)
 * 1:21982 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Insain variant outbound connection (malware-cnc.rules)

2014-08-26 14:39:29 UTC

Sourcefire VRT Rules Update

Date: 2014-08-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31690 <-> ENABLED <-> BLACKLIST DNS request for known malware domain managejave.myftp.org - Win.Trojan.Kronos (blacklist.rules)
 * 1:31691 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kronos variant outbound connection (malware-cnc.rules)
 * 1:31692 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit landing page detected (exploit-kit.rules)
 * 1:31693 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korplug Poisoned Hurricane Malware outbound communication (malware-cnc.rules)
 * 1:31694 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
 * 1:31695 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
 * 1:31696 <-> DISABLED <-> SERVER-WEBAPP Jira Issue Collector Plugin directory traversal attempt (server-webapp.rules)
 * 1:31697 <-> DISABLED <-> SERVER-WEBAPP Jira Issue Collector Plugin directory traversal attempt (server-webapp.rules)
 * 1:31698 <-> DISABLED <-> SERVER-WEBAPP Jira Issue Collector Plugin directory traversal attempt (server-webapp.rules)
 * 1:31699 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit encrypted binary download (exploit-kit.rules)
 * 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
 * 1:31701 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit Silverlight exploit request (exploit-kit.rules)
 * 1:31702 <-> ENABLED <-> FILE-IDENTIFY Microsoft Silverlight application file magic detected (file-identify.rules)
 * 1:31703 <-> ENABLED <-> FILE-IDENTIFY Microsoft Silverlight application file magic detected (file-identify.rules)
 * 1:31704 <-> DISABLED <-> SERVER-OTHER FCKeditor textinputs cross site scripting attempt (server-other.rules)
 * 1:31705 <-> ENABLED <-> BLACKLIST DNS request for known PUA domain mytransitguide.com - MyTransitGuide Toolbar (blacklist.rules)
 * 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound communication (malware-cnc.rules)
 * 1:31707 <-> DISABLED <-> BROWSER-PLUGINS IBiz EBanking Integrator ActiveX clsid access (browser-plugins.rules)
 * 1:31708 <-> DISABLED <-> SERVER-OTHER Cougar-LG SSH key path access attempt (server-other.rules)
 * 1:31709 <-> DISABLED <-> SERVER-OTHER Cougar-LG configuration file access attempt (server-other.rules)
 * 1:31710 <-> ENABLED <-> BLACKLIST DNS request for known malware domain alquimedes.net - Win.Trojan.Ragua (blacklist.rules)
 * 1:31711 <-> DISABLED <-> INDICATOR-COMPROMISE Keylog string over FTP detected (indicator-compromise.rules)
 * 1:31712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31713 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31714 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31715 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31716 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Otupsys variant outbound connection (malware-cnc.rules)
 * 1:31717 <-> ENABLED <-> MALWARE-CNC Win.Trojan.JavaInstaller variant outbound connection attempt (malware-cnc.rules)
 * 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound communication (malware-cnc.rules)

Modified Rules:


 * 1:19592 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:19572 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FFSearch variant outbound connection (malware-cnc.rules)
 * 1:19569 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Perkesh variant outbound connection (malware-cnc.rules)
 * 1:19429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Proxy Win.Trojan.Dosenjo.C variant outbound connection (malware-cnc.rules)
 * 1:19344 <-> DISABLED <-> MALWARE-CNC AntiMalware Pro variant outbound connection (malware-cnc.rules)
 * 1:19343 <-> DISABLED <-> MALWARE-CNC Adware Pro variant outbound connection (malware-cnc.rules)
 * 1:19342 <-> DISABLED <-> MALWARE-CNC Adware Professional variant outbound connection (malware-cnc.rules)
 * 1:26695 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Namihno variant outbound request (malware-cnc.rules)
 * 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (protocol-snmp.rules)
 * 1:21997 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
 * 1:21996 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection (malware-cnc.rules)
 * 1:1421 <-> DISABLED <-> PROTOCOL-SNMP AgentX/tcp request (protocol-snmp.rules)
 * 1:1420 <-> DISABLED <-> PROTOCOL-SNMP trap tcp (protocol-snmp.rules)
 * 1:1419 <-> DISABLED <-> PROTOCOL-SNMP trap udp (protocol-snmp.rules)
 * 1:1416 <-> DISABLED <-> PROTOCOL-SNMP broadcast trap (protocol-snmp.rules)
 * 1:1417 <-> DISABLED <-> PROTOCOL-SNMP request udp (protocol-snmp.rules)
 * 1:1418 <-> DISABLED <-> PROTOCOL-SNMP request tcp (protocol-snmp.rules)
 * 1:1411 <-> DISABLED <-> PROTOCOL-SNMP public access udp (protocol-snmp.rules)
 * 1:1415 <-> DISABLED <-> PROTOCOL-SNMP Broadcast request (protocol-snmp.rules)
 * 1:1413 <-> DISABLED <-> PROTOCOL-SNMP private access udp (protocol-snmp.rules)
 * 1:1414 <-> DISABLED <-> PROTOCOL-SNMP private access tcp (protocol-snmp.rules)
 * 1:1409 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt (protocol-snmp.rules)
 * 1:1412 <-> DISABLED <-> PROTOCOL-SNMP public access tcp (protocol-snmp.rules)
 * 1:13679 <-> DISABLED <-> BROWSER-PLUGINS IBiz EBanking Integrator ActiveX clsid access (browser-plugins.rules)
 * 1:12712 <-> DISABLED <-> PROTOCOL-SNMP oversized sysName set request (protocol-snmp.rules)
 * 1:19656 <-> DISABLED <-> MALWARE-CNC Trojan-Dropper.Win32.Peace.lh variant outbound connection (malware-cnc.rules)
 * 1:19700 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.tnr variant outbound connection (malware-cnc.rules)
 * 1:19716 <-> DISABLED <-> MALWARE-CNC TrojanSpy.Win32.Banker.OO variant outbound connection (malware-cnc.rules)
 * 1:19719 <-> DISABLED <-> MALWARE-CNC Email-Worm.Win32.Bagle.of variant outbound connection (malware-cnc.rules)
 * 1:19753 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TrojanSpy.Win32.Zbot.gen.C variant outbound connection (malware-cnc.rules)
 * 1:19754 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Downloader.Delf.RGL variant outbound connection (malware-cnc.rules)
 * 1:21998 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:19759 <-> DISABLED <-> MALWARE-CNC Trojan-PSW.Win32.FireThief.h variant outbound connection (malware-cnc.rules)
 * 1:22001 <-> DISABLED <-> MALWARE-CNC Win.Worm.amna variant outbound connection (malware-cnc.rules)
 * 1:22000 <-> DISABLED <-> MALWARE-CNC Win.Worm.amna variant outbound connection (malware-cnc.rules)
 * 1:19781 <-> DISABLED <-> MALWARE-CNC Trojan-Dropper.Win32.Agent.aqpn variant outbound connection (malware-cnc.rules)
 * 1:19788 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Downloader.Win32.VB.pnc variant outbound connection (malware-cnc.rules)
 * 1:19799 <-> DISABLED <-> MALWARE-CNC PWS.Win32.Zbot.gen.Q variant outbound connection (malware-cnc.rules)
 * 1:19800 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Pher.ij variant outbound connection (malware-cnc.rules)
 * 1:19805 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Smser.cx variant outbound connection (malware-cnc.rules)
 * 1:18926 <-> DISABLED <-> PROTOCOL-SNMP Multiple vendors AgentX receive_agentx integer overflow attempt (protocol-snmp.rules)
 * 1:19062 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FakePlus variant outbound connection (malware-cnc.rules)
 * 1:21632 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
 * 1:19863 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Httpbot.yi variant outbound connection (malware-cnc.rules)
 * 1:21945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Litmpuca.A variant outbound connection (malware-cnc.rules)
 * 1:25076 <-> ENABLED <-> MALWARE-CNC Win.Worm.Joanap variant variant outbound connection (malware-cnc.rules)
 * 1:21946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Litmpuca.A variant outbound connection (malware-cnc.rules)
 * 1:21995 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection (malware-cnc.rules)
 * 1:21981 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Selvice variant outbound connection (malware-cnc.rules)
 * 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (protocol-snmp.rules)
 * 1:21982 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Insain variant outbound connection (malware-cnc.rules)
 * 1:1422 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt with evasion (protocol-snmp.rules)
 * 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (protocol-snmp.rules)
 * 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (protocol-snmp.rules)
 * 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)

2014-08-26 14:39:29 UTC

Sourcefire VRT Rules Update

Date: 2014-08-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound communication (malware-cnc.rules)
 * 1:31717 <-> ENABLED <-> MALWARE-CNC Win.Trojan.JavaInstaller variant outbound connection attempt (malware-cnc.rules)
 * 1:31716 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Otupsys variant outbound connection (malware-cnc.rules)
 * 1:31715 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31714 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31713 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31711 <-> DISABLED <-> INDICATOR-COMPROMISE Keylog string over FTP detected (indicator-compromise.rules)
 * 1:31710 <-> ENABLED <-> BLACKLIST DNS request for known malware domain alquimedes.net - Win.Trojan.Ragua (blacklist.rules)
 * 1:31709 <-> DISABLED <-> SERVER-OTHER Cougar-LG configuration file access attempt (server-other.rules)
 * 1:31708 <-> DISABLED <-> SERVER-OTHER Cougar-LG SSH key path access attempt (server-other.rules)
 * 1:31707 <-> DISABLED <-> BROWSER-PLUGINS IBiz EBanking Integrator ActiveX clsid access (browser-plugins.rules)
 * 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound communication (malware-cnc.rules)
 * 1:31705 <-> ENABLED <-> BLACKLIST DNS request for known PUA domain mytransitguide.com - MyTransitGuide Toolbar (blacklist.rules)
 * 1:31704 <-> DISABLED <-> SERVER-OTHER FCKeditor textinputs cross site scripting attempt (server-other.rules)
 * 1:31703 <-> ENABLED <-> FILE-IDENTIFY Microsoft Silverlight application file magic detected (file-identify.rules)
 * 1:31702 <-> ENABLED <-> FILE-IDENTIFY Microsoft Silverlight application file magic detected (file-identify.rules)
 * 1:31701 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit Silverlight exploit request (exploit-kit.rules)
 * 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
 * 1:31699 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit encrypted binary download (exploit-kit.rules)
 * 1:31698 <-> DISABLED <-> SERVER-WEBAPP Jira Issue Collector Plugin directory traversal attempt (server-webapp.rules)
 * 1:31697 <-> DISABLED <-> SERVER-WEBAPP Jira Issue Collector Plugin directory traversal attempt (server-webapp.rules)
 * 1:31696 <-> DISABLED <-> SERVER-WEBAPP Jira Issue Collector Plugin directory traversal attempt (server-webapp.rules)
 * 1:31695 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
 * 1:31694 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
 * 1:31693 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korplug Poisoned Hurricane Malware outbound communication (malware-cnc.rules)
 * 1:31692 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit landing page detected (exploit-kit.rules)
 * 1:31691 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kronos variant outbound connection (malware-cnc.rules)
 * 1:31690 <-> ENABLED <-> BLACKLIST DNS request for known malware domain managejave.myftp.org - Win.Trojan.Kronos (blacklist.rules)

Modified Rules:


 * 1:1420 <-> DISABLED <-> PROTOCOL-SNMP trap tcp (protocol-snmp.rules)
 * 1:1421 <-> DISABLED <-> PROTOCOL-SNMP AgentX/tcp request (protocol-snmp.rules)
 * 1:1419 <-> DISABLED <-> PROTOCOL-SNMP trap udp (protocol-snmp.rules)
 * 1:1418 <-> DISABLED <-> PROTOCOL-SNMP request tcp (protocol-snmp.rules)
 * 1:1416 <-> DISABLED <-> PROTOCOL-SNMP broadcast trap (protocol-snmp.rules)
 * 1:1417 <-> DISABLED <-> PROTOCOL-SNMP request udp (protocol-snmp.rules)
 * 1:1414 <-> DISABLED <-> PROTOCOL-SNMP private access tcp (protocol-snmp.rules)
 * 1:1415 <-> DISABLED <-> PROTOCOL-SNMP Broadcast request (protocol-snmp.rules)
 * 1:1412 <-> DISABLED <-> PROTOCOL-SNMP public access tcp (protocol-snmp.rules)
 * 1:1413 <-> DISABLED <-> PROTOCOL-SNMP private access udp (protocol-snmp.rules)
 * 1:1409 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt (protocol-snmp.rules)
 * 1:1411 <-> DISABLED <-> PROTOCOL-SNMP public access udp (protocol-snmp.rules)
 * 1:12712 <-> DISABLED <-> PROTOCOL-SNMP oversized sysName set request (protocol-snmp.rules)
 * 1:13679 <-> DISABLED <-> BROWSER-PLUGINS IBiz EBanking Integrator ActiveX clsid access (browser-plugins.rules)
 * 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (protocol-snmp.rules)
 * 1:26695 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Namihno variant outbound request (malware-cnc.rules)
 * 1:25076 <-> ENABLED <-> MALWARE-CNC Win.Worm.Joanap variant variant outbound connection (malware-cnc.rules)
 * 1:22001 <-> DISABLED <-> MALWARE-CNC Win.Worm.amna variant outbound connection (malware-cnc.rules)
 * 1:22000 <-> DISABLED <-> MALWARE-CNC Win.Worm.amna variant outbound connection (malware-cnc.rules)
 * 1:21998 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:21997 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
 * 1:21996 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection (malware-cnc.rules)
 * 1:21982 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Insain variant outbound connection (malware-cnc.rules)
 * 1:21995 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection (malware-cnc.rules)
 * 1:21981 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Selvice variant outbound connection (malware-cnc.rules)
 * 1:21946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Litmpuca.A variant outbound connection (malware-cnc.rules)
 * 1:21945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Litmpuca.A variant outbound connection (malware-cnc.rules)
 * 1:21632 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
 * 1:19863 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Httpbot.yi variant outbound connection (malware-cnc.rules)
 * 1:19805 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Smser.cx variant outbound connection (malware-cnc.rules)
 * 1:19800 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Pher.ij variant outbound connection (malware-cnc.rules)
 * 1:19799 <-> DISABLED <-> MALWARE-CNC PWS.Win32.Zbot.gen.Q variant outbound connection (malware-cnc.rules)
 * 1:19788 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Downloader.Win32.VB.pnc variant outbound connection (malware-cnc.rules)
 * 1:19781 <-> DISABLED <-> MALWARE-CNC Trojan-Dropper.Win32.Agent.aqpn variant outbound connection (malware-cnc.rules)
 * 1:19759 <-> DISABLED <-> MALWARE-CNC Trojan-PSW.Win32.FireThief.h variant outbound connection (malware-cnc.rules)
 * 1:19754 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Downloader.Delf.RGL variant outbound connection (malware-cnc.rules)
 * 1:19753 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TrojanSpy.Win32.Zbot.gen.C variant outbound connection (malware-cnc.rules)
 * 1:19719 <-> DISABLED <-> MALWARE-CNC Email-Worm.Win32.Bagle.of variant outbound connection (malware-cnc.rules)
 * 1:19716 <-> DISABLED <-> MALWARE-CNC TrojanSpy.Win32.Banker.OO variant outbound connection (malware-cnc.rules)
 * 1:19700 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.tnr variant outbound connection (malware-cnc.rules)
 * 1:19656 <-> DISABLED <-> MALWARE-CNC Trojan-Dropper.Win32.Peace.lh variant outbound connection (malware-cnc.rules)
 * 1:19592 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:19572 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FFSearch variant outbound connection (malware-cnc.rules)
 * 1:19569 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Perkesh variant outbound connection (malware-cnc.rules)
 * 1:19429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Proxy Win.Trojan.Dosenjo.C variant outbound connection (malware-cnc.rules)
 * 1:19344 <-> DISABLED <-> MALWARE-CNC AntiMalware Pro variant outbound connection (malware-cnc.rules)
 * 1:19343 <-> DISABLED <-> MALWARE-CNC Adware Pro variant outbound connection (malware-cnc.rules)
 * 1:19342 <-> DISABLED <-> MALWARE-CNC Adware Professional variant outbound connection (malware-cnc.rules)
 * 1:19062 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FakePlus variant outbound connection (malware-cnc.rules)
 * 1:18926 <-> DISABLED <-> PROTOCOL-SNMP Multiple vendors AgentX receive_agentx integer overflow attempt (protocol-snmp.rules)
 * 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (protocol-snmp.rules)
 * 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
 * 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (protocol-snmp.rules)
 * 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (protocol-snmp.rules)
 * 1:1422 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt with evasion (protocol-snmp.rules)