Sourcefire VRT Rules Update

Date: 2013-10-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2946.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:28114 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /default.htm GET Encrypted Payload (malware-cnc.rules)
 * 1:28115 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /file.htm GET Encrypted Payload (malware-cnc.rules)
 * 1:28116 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /home.htm GET Encrypted Payload (malware-cnc.rules)
 * 1:28117 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /install.htm GET Encrypted Payload (malware-cnc.rules)
 * 1:28129 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word remote code execution attempt (file-office.rules)
 * 1:28130 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word remote code execution attempt (file-office.rules)
 * 1:28118 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /login.htm GET Encrypted Payload (malware-cnc.rules)
 * 1:28128 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word remote code execution attempt (file-office.rules)
 * 1:28131 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word remote code execution attempt (file-office.rules)
 * 1:28126 <-> DISABLED <-> BROWSER-PLUGINS WibuKey Runtime ActiveX clsid access (browser-plugins.rules)
 * 1:28125 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banbra variant connection attempt (malware-cnc.rules)
 * 1:28127 <-> DISABLED <-> BROWSER-PLUGINS WibuKey Runtime ActiveX function call access (browser-plugins.rules)
 * 1:28136 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt (file-office.rules)
 * 1:28119 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /search.htm GET Encrypted Payload (malware-cnc.rules)
 * 1:28132 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word remote code execution attempt (file-office.rules)
 * 1:28120 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /start.htm GET Encrypted Payload (malware-cnc.rules)
 * 1:28133 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word remote code execution attempt (file-office.rules)
 * 1:28121 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /welcome.htm GET Encrypted Payload (malware-cnc.rules)
 * 1:28122 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /index.htm GET Encrypted Payload (malware-cnc.rules)
 * 1:28134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dorkbot variant connection attempt (malware-cnc.rules)
 * 1:28123 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /setup.htm GET Encrypted Payload (malware-cnc.rules)
 * 1:28135 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FtCbls remote code execution attempt (file-office.rules)
 * 1:28124 <-> DISABLED <-> FILE-OTHER PCRE character class heap buffer overflow attempt (file-other.rules)
 * 1:28137 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ShrFmla record use after free attempt (file-office.rules)
 * 1:28138 <-> ENABLED <-> EXPLOIT-KIT DotkaChef redirection attempt (exploit-kit.rules)

Modified Rules:
 * 1:25225 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Marquee stylesheet object removal (browser-ie.rules)
 * 1:28042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Caphaw outbound connection attempt (malware-cnc.rules)
 * 1:27257 <-> ENABLED <-> MALWARE-CNC Win.Kryptic 7-byte URI Invalid Firefox Headers - no Accept-Language (malware-cnc.rules)
 * 1:23878 <-> DISABLED <-> BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt (browser-plugins.rules)
 * 1:12286 <-> DISABLED <-> FILE-OTHER PCRE character class heap buffer overflow attempt (file-other.rules)
 * 1:19810 <-> DISABLED <-> SERVER-OTHER CA Total Defense Suite UNCWS deleteReportTemplate SQL injection attempt (server-other.rules)
 * 1:15491 <-> DISABLED <-> SERVER-WEBAPP Subversion 1.0.2 dated-rev-report buffer overflow over http attempt (server-webapp.rules)
 * 1:20268 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Marquee stylesheet object removal (browser-ie.rules)
 * 1:25226 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Marquee stylesheet object removal (browser-ie.rules)
 * 1:26682 <-> DISABLED <-> BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27865 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page request (exploit-kit.rules)
 * 1:27750 <-> ENABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:28098 <-> DISABLED <-> SERVER-OTHER CA Total Defense Suite UNCWS reGenerateReports/DeleteReports SQL injection attempt (server-other.rules)
 * 1:28099 <-> DISABLED <-> SERVER-OTHER CA Total Defense Suite UNCWS reGenerateReports/DeleteReports SQL injection attempt (server-other.rules)
 * 1:18312 <-> DISABLED <-> SERVER-OTHER Subversion 1.0.2 get-dated-rev buffer overflow attempt (server-other.rules)
 * 1:28100 <-> DISABLED <-> SERVER-OTHER CA Total Defense Suite UNCWS deleteReportFilter SQL injection attempt (server-other.rules)
 * 1:20123 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ShrFmla record use after free attempt (file-office.rules)