Sourcefire VRT Rules Update

Date: 2013-10-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2946.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:28255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz Potential phishing URL (malware-cnc.rules)
 * 1:28256 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader icc mluc integer overflow attempt (file-pdf.rules)
 * 1:28257 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader ICC remote memory corruption attempt (file-pdf.rules)
 * 1:28258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object management memory corruption attempt (browser-ie.rules)
 * 1:28259 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object management memory corruption attempt (browser-ie.rules)
 * 1:28260 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader ICC remote memory corruption attempt (file-pdf.rules)
 * 1:28261 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader icc mluc integer overflow attempt (file-pdf.rules)
 * 1:28262 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CoolType.dll glyf directory table buffer overflow attempt (file-pdf.rules)
 * 1:28263 <-> ENABLED <-> FILE-OTHER Cisco WebEx recording integer overflow attempt (file-other.rules)
 * 1:28264 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit java compromise successful (exploit-kit.rules)
 * 1:28265 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page attempt (exploit-kit.rules)
 * 1:28266 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CoolType.dll composite glyf buffer overflow attempt (file-pdf.rules)
 * 1:28267 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer option element use after free attempt (browser-ie.rules)
 * 1:28268 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer option element use after free attempt (browser-ie.rules)
 * 1:28269 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer option element use after free attempt (browser-ie.rules)
 * 1:28270 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer option element use after free attempt (browser-ie.rules)
 * 1:28271 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer htmlfile null attribute access attempt (browser-ie.rules)
 * 1:28272 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer htmlfile ActiveX object access attempt (browser-plugins.rules)
 * 1:28273 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28274 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28275 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28276 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:28277 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:28278 <-> ENABLED <-> SERVER-WEBAPP IBM Tivoli Provisioning Manager express user.updateUserValue sql injection attempt (server-webapp.rules)
 * 1:28279 <-> ENABLED <-> PUA-ADWARE Wajam outbound connection - post install (pua-adware.rules)
 * 1:28280 <-> ENABLED <-> PUA-ADWARE Wajam outbound connection - post install (pua-adware.rules)
 * 1:28281 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vdohx.su (blacklist.rules)
 * 1:28282 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vvhpq.net (blacklist.rules)
 * 1:28283 <-> ENABLED <-> BLACKLIST DNS request for known malware domain chickenkiller.com (blacklist.rules)
 * 1:28284 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .nl.ai dns query (indicator-compromise.rules)
 * 1:28285 <-> ENABLED <-> MALWARE-CNC Win.Trojan.hdog connectivity check-in version 2 (malware-cnc.rules)
 * 1:28286 <-> ENABLED <-> FILE-OTHER overly large XML file MSXML heap overflow attempt (file-other.rules)
 * 1:28287 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer deleted object cells reference memory corruption vulnerability (browser-ie.rules)
 * 1:28288 <-> ENABLED <-> SERVER-WEBAPP WebTester install2.php arbitrary command execution attempt (server-webapp.rules)
 * 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules)
 * 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
 * 1:28291 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt (exploit-kit.rules)
 * 1:28292 <-> DISABLED <-> PROTOCOL-ICMP IPv6 0xfacebabe ICMP ping attempt (protocol-icmp.rules)
 * 1:28293 <-> ENABLED <-> BLACKLIST DNS request www.xiaopijia.com - Backdoor.Yaddos (blacklist.rules)
 * 1:28294 <-> ENABLED <-> BLACKLIST DNS request www.akwm139.com - Backdoor.Yaddos (blacklist.rules)
 * 1:28295 <-> ENABLED <-> BLACKLIST DNS request www.1860tour.com - Backdoor.Yaddos (blacklist.rules)
 * 1:28296 <-> ENABLED <-> BLACKLIST DNS request ghjgf.info - Backdoor.Yaddos (blacklist.rules)
 * 1:28297 <-> ENABLED <-> BLACKLIST DNS request for known malware domain handjobheats.com - Win.Trojan.Injector (blacklist.rules)
 * 1:28298 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28299 <-> DISABLED <-> SERVER-WEBAPP WHMCS SQL injection attempt (server-webapp.rules)

Modified Rules:
 * 1:4155 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer htmlfile ActiveX object access attempt (browser-plugins.rules)
 * 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
 * 1:27621 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:26901 <-> DISABLED <-> BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt (browser-plugins.rules)
 * 1:26365 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26364 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26363 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26362 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26361 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26360 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26359 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26358 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:24336 <-> ENABLED <-> OS-WINDOWS SMB Microsoft Windows RAP API NetServerEnum2 long comment buffer overflow attempt (os-windows.rules)
 * 1:7716 <-> DISABLED <-> MALWARE-BACKDOOR netdevil runtime detection (malware-backdoor.rules)
 * 1:27919 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration (malware-cnc.rules)
 * 1:7067 <-> DISABLED <-> MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection (malware-backdoor.rules)
 * 1:27918 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:23269 <-> ENABLED <-> FILE-OTHER Cisco WebEx recording integer overflow attempt (file-other.rules)
 * 1:21587 <-> DISABLED <-> FILE-OTHER VisiWave VWR file parsing code execution attempt (file-other.rules)
 * 1:20704 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer defaulttime behavior attack attempt (browser-plugins.rules)
 * 1:20572 <-> DISABLED <-> FILE-OTHER Microsoft Windows Font Library file buffer overflow attempt (file-other.rules)
 * 1:23314 <-> DISABLED <-> OS-WINDOWS SMB invalid character argument injection attempt (os-windows.rules)
 * 1:15867 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF font processing memory corruption attempt (file-pdf.rules)
 * 1:16176 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader collab.addStateModel remote corruption attempt (file-pdf.rules)
 * 1:20267 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer circular reference exploit attempt (browser-ie.rules)
 * 1:16175 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader collab.removeStateModel denial of service attempt (file-pdf.rules)
 * 1:18670 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object management memory corruption attempt (browser-ie.rules)
 * 1:16323 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2k uninitialized QCC memory corruption attempt (file-pdf.rules)
 * 1:20265 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null attribute DoS attempt (browser-ie.rules)
 * 1:16481 <-> DISABLED <-> BROWSER-OTHER Opera Content-Length header integer overflow attempt (browser-other.rules)
 * 1:18308 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader icc mluc integer overflow attempt (file-pdf.rules)
 * 1:18419 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader field flags exploit attempt (file-pdf.rules)
 * 1:20263 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer htmlfile null attribute access attempt (browser-ie.rules)
 * 1:19678 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote unauthenticated DoS/bugcheck vulnerability (os-windows.rules)
 * 1:28028 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt (exploit-kit.rules)
 * 1:20156 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader getCosObj file overwrite attempt (file-pdf.rules)
 * 1:20543 <-> DISABLED <-> OS-WINDOWS Microsoft Windows IppRateLimitIcmp integer overflow exploit attempt (os-windows.rules)
 * 1:20154 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CoolType.dll glyf directory table buffer overflow attempt (file-pdf.rules)
 * 1:20149 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded IFF file RGBA chunk memory corruption attempt (file-pdf.rules)
 * 1:20034 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
 * 1:25137 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (exploit-kit.rules)
 * 1:19809 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt (browser-ie.rules)
 * 1:19621 <-> DISABLED <-> FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt (file-multimedia.rules)
 * 1:19671 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (browser-ie.rules)
 * 1:20155 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CoolType.dll composite glyf buffer overflow attempt (file-pdf.rules)
 * 1:18671 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object management memory corruption attempt (browser-ie.rules)
 * 1:18767 <-> DISABLED <-> PROTOCOL-TFTP Multiple TFTP product buffer overflow attempt (protocol-tftp.rules)
 * 1:23836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
 * 1:26356 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:25808 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit landing page detection - specific-structure (exploit-kit.rules)
 * 1:25270 <-> ENABLED <-> FILE-OTHER overly large XML file MSXML heap overflow attempt (file-other.rules)
 * 1:24507 <-> DISABLED <-> FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt (file-pdf.rules)
 * 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules)
 * 1:26355 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:27622 <-> ENABLED <-> FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt (file-java.rules)
 * 1:27644 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Merong variant connection (malware-cnc.rules)
 * 1:27660 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reabfrus variant connection (malware-cnc.rules)
 * 1:26357 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:27661 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reabfrus variant connection (malware-cnc.rules)
 * 1:27685 <-> DISABLED <-> SERVER-WEBAPP ASPMForum SQL injection attempt (server-webapp.rules)
 * 1:27810 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit redirection (exploit-kit.rules)
 * 1:27865 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page request (exploit-kit.rules)
 * 1:24369 <-> DISABLED <-> MALWARE-CNC Lizamoon sql injection campaign ur.php response detected (malware-cnc.rules)