Sourcefire VRT Rules Update

Date: 2013-12-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2946.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:28893 <-> DISABLED <-> BROWSER-OTHER known revoked certificate for Tresor CA (browser-other.rules)
 * 1:28889 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TIFF remote code execution attempt (file-pdf.rules)
 * 1:28872 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt (os-windows.rules)
 * 1:28890 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TIFF remote code execution attempt (file-pdf.rules)
 * 1:28886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scar variant outbound connection attempt (malware-cnc.rules)
 * 1:28880 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 CElement Use After Free exploit attempt (browser-ie.rules)
 * 1:28879 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Tavdig variant outbound connection attempt (malware-cnc.rules)
 * 1:28877 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:28878 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:28876 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:28875 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:28874 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:28871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt (os-windows.rules)
 * 1:28869 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt (os-windows.rules)
 * 1:28868 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt (os-windows.rules)
 * 1:28857 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server attempt (malware-cnc.rules)
 * 1:28858 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server attempt (malware-cnc.rules)
 * 1:28859 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent z00sAgent - Win.Trojan.Zbot (blacklist.rules)
 * 1:28860 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Nitedrem (blacklist.rules)
 * 1:28861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Roxfora variant outbound connection attempt (malware-cnc.rules)
 * 1:28862 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CViewportChangeInvalidation use after free attempt (browser-ie.rules)
 * 1:28863 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CViewportChangeInvalidation use after free attempt (browser-ie.rules)
 * 1:28864 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tofsee variant outbound connection attempt (malware-cnc.rules)
 * 1:28865 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer table sub structure use after free attempt (browser-ie.rules)
 * 1:28866 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer table sub structure use after free attempt (browser-ie.rules)
 * 1:28867 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt (os-windows.rules)
 * 1:28881 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Dictionary Object use after free attempt (browser-ie.rules)
 * 1:28873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:28882 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Dictionary Object use after free attempt (browser-ie.rules)
 * 1:28883 <-> ENABLED <-> PUA-ADWARE Apponic CIS file retrieval attempt (pua-adware.rules)
 * 1:28884 <-> ENABLED <-> PUA-ADWARE Apponic encapsulated installer outbound connection (pua-adware.rules)
 * 1:28885 <-> ENABLED <-> PUA-ADWARE Apponic encapsulated installer outbound connection (pua-adware.rules)
 * 1:28887 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TIFF remote code execution attempt (file-pdf.rules)
 * 1:28888 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TIFF remote code execution attempt (file-pdf.rules)
 * 1:28892 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hi.mybro.biz (blacklist.rules)
 * 1:28891 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rome0.biz (blacklist.rules)
 * 1:28870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:26338 <-> ENABLED <-> EXPLOIT-KIT IFRAMEr injection detection - leads to exploit kit (exploit-kit.rules)
 * 1:26346 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit payload requested (exploit-kit.rules)
 * 1:27271 <-> ENABLED <-> EXPLOIT-KIT iFramer toolkit injected iframe detected - specific structure (exploit-kit.rules)
 * 1:27741 <-> ENABLED <-> EXPLOIT-KIT Zip file downloaded by Java (exploit-kit.rules)
 * 1:27816 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit jar file download attempt (exploit-kit.rules)
 * 1:28464 <-> ENABLED <-> FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt (file-office.rules)
 * 1:28465 <-> ENABLED <-> FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt (file-office.rules)
 * 1:28466 <-> ENABLED <-> FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt (file-office.rules)
 * 1:28467 <-> ENABLED <-> FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt (file-office.rules)
 * 1:28468 <-> ENABLED <-> FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt (file-office.rules)
 * 1:28469 <-> ENABLED <-> FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt (file-office.rules)
 * 1:28470 <-> ENABLED <-> FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt (file-office.rules)
 * 1:28471 <-> ENABLED <-> FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt (file-office.rules)
 * 1:28472 <-> ENABLED <-> FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt (file-office.rules)
 * 1:28473 <-> ENABLED <-> FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt (file-office.rules)
 * 1:28525 <-> ENABLED <-> FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt (file-office.rules)
 * 1:28526 <-> ENABLED <-> FILE-OFFICE Microsoft Office GDI library TIFF handling integer overflow attempt (file-office.rules)
 * 1:28847 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Tavdig download attempt (malware-other.rules)
 * 1:28848 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Tavdig download attempt (malware-other.rules)
 * 1:4899 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ISupportErrorInfo Interface ActiveX object access (browser-plugins.rules)
 * 3:13879 <-> ENABLED <-> WEB-CLIENT Windows BMP image conversion arbitrary code execution attempt (web-client.rules)