Sourcefire VRT Rules Update

Date: 2013-10-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2946.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:28324 <-> ENABLED <-> PUA-ADWARE FakeAV runtime detection (pua-adware.rules)
 * 1:28300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant connection attempt (malware-cnc.rules)
 * 1:28301 <-> DISABLED <-> INDICATOR-SCAN User-Agent known malicious user-agent Masscan (indicator-scan.rules)
 * 1:28302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Harbinger Rootkit variant - click fraud task request (malware-cnc.rules)
 * 1:28303 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Adobe Reader U3D RHAdobeMeta buffer overflow attempt (file-pdf.rules)
 * 1:28304 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28305 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Mecifg outbound connection (malware-cnc.rules)
 * 1:28306 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS expression defined to empty selection attempt (browser-ie.rules)
 * 1:28307 <-> ENABLED <-> EXPLOIT-KIT Himan exploit kit landing page (exploit-kit.rules)
 * 1:28308 <-> ENABLED <-> EXPLOIT-KIT Himan exploit kit payload - Adobe Reader compromise (exploit-kit.rules)
 * 1:28309 <-> ENABLED <-> EXPLOIT-KIT Himan exploit kit payload - Oracle Java compromise (exploit-kit.rules)
 * 1:28310 <-> ENABLED <-> EXPLOIT-KIT Himan exploit kit payload - Oracle Java compromise (exploit-kit.rules)
 * 1:28311 <-> DISABLED <-> FILE-OTHER Microsoft Office Image filter BMP overflow attempt (file-other.rules)
 * 1:28312 <-> DISABLED <-> FILE-OTHER Microsoft Office Image filter BMP overflow attempt (file-other.rules)
 * 1:28313 <-> DISABLED <-> FILE-OTHER Microsoft Office Image filter BMP overflow attempt (file-other.rules)
 * 1:28314 <-> DISABLED <-> FILE-OTHER Microsoft Office Image filter BMP overflow attempt (file-other.rules)
 * 1:28315 <-> DISABLED <-> FILE-OTHER Microsoft Office Image filter BMP overflow attempt (file-other.rules)
 * 1:28316 <-> DISABLED <-> FILE-OTHER Microsoft Office Image filter BMP overflow attempt (file-other.rules)
 * 1:28317 <-> DISABLED <-> FILE-OTHER Microsoft Office Image filter BMP overflow attempt (file-other.rules)
 * 1:28318 <-> DISABLED <-> FILE-OTHER Microsoft Office Image filter BMP overflow attempt (file-other.rules)
 * 1:28322 <-> DISABLED <-> FILE-OTHER Microsoft Office Image filter BMP overflow attempt (file-other.rules)
 * 1:28321 <-> DISABLED <-> FILE-OTHER Microsoft Office Image filter BMP overflow attempt (file-other.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection attempt (malware-cnc.rules)
 * 1:28319 <-> DISABLED <-> FILE-OTHER Microsoft Office Image filter BMP overflow attempt (file-other.rules)
 * 1:28320 <-> DISABLED <-> FILE-OTHER Microsoft Office Image filter BMP overflow attempt (file-other.rules)

Modified Rules:
 * 1:24647 <-> DISABLED <-> SERVER-WEBAPP D-Link Wireless Router CAPTCHA data processing buffer overflow attempt (server-webapp.rules)
 * 1:27022 <-> DISABLED <-> MALWARE-CNC Trojan.Netweird.A outbound communication (malware-cnc.rules)
 * 1:27721 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .su dns query (indicator-compromise.rules)
 * 1:28284 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .nl.ai dns query (indicator-compromise.rules)
 * 1:28190 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .cc dns query (indicator-compromise.rules)
 * 1:28137 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ShrFmla record use after free attempt (file-office.rules)
 * 1:28039 <-> ENABLED <-> INDICATOR-COMPROMISE Suspicious .pw dns query (indicator-compromise.rules)
 * 1:23736 <-> DISABLED <-> FILE-IDENTIFY PLS file magic detected (file-identify.rules)
 * 1:21687 <-> DISABLED <-> FILE-IDENTIFY PLS file attachment detected (file-identify.rules)
 * 1:21688 <-> DISABLED <-> FILE-IDENTIFY PLS file attachment detected (file-identify.rules)
 * 1:24463 <-> DISABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)
 * 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
 * 1:21922 <-> DISABLED <-> FILE-OTHER VLC mms hostname buffer overflow attempt (file-other.rules)
 * 1:21498 <-> DISABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:21480 <-> DISABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:20972 <-> DISABLED <-> FILE-IDENTIFY M4V file magic request (file-identify.rules)
 * 1:20924 <-> DISABLED <-> FILE-IDENTIFY PLS file magic detected (file-identify.rules)
 * 1:17732 <-> DISABLED <-> FILE-IDENTIFY TIFF file download request (file-identify.rules)
 * 1:19246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS expression defined to empty selection attempt (browser-ie.rules)
 * 1:18494 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
 * 1:20123 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ShrFmla record use after free attempt (file-office.rules)
 * 1:14018 <-> DISABLED <-> FILE-IDENTIFY PLS multimedia playlist file download request (file-identify.rules)
 * 1:17526 <-> DISABLED <-> FILE-PDF Adobe Acrobat and Adobe Reader U3D RHAdobeMeta buffer overflow attempt (file-pdf.rules)
 * 1:19199 <-> ENABLED <-> OS-WINDOWS Smb2Create_Finalize malformed EndOfFile field exploit attempt (os-windows.rules)
 * 1:25323 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit EOT file download (exploit-kit.rules)
 * 1:27685 <-> DISABLED <-> SERVER-WEBAPP ASPMForum SQL injection attempt (server-webapp.rules)
 * 1:24464 <-> DISABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)
 * 3:23847 <-> ENABLED <-> NETBIOS MS-RAP NetServerEnum2 read access violation attempt (netbios.rules)