Sourcefire VRT Rules Update

Date: 2013-12-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2946.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:28916 <-> ENABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster.verify method integer overflow attempt (file-java.rules)
 * 1:28961 <-> ENABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia URL length buffer overflow attempt (file-multimedia.rules)
 * 1:28960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:28958 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jussuc variant outbound connection (malware-cnc.rules)
 * 1:28956 <-> DISABLED <-> SERVER-WEBAPP Novell Zenworks configuration management umaninv information disclosure attempt (server-webapp.rules)
 * 1:28953 <-> ENABLED <-> BLACKLIST DNS request to suspicious domain ns1.pollosm.me.uk - Win.Trojan.Bunitu.G (blacklist.rules)
 * 1:28954 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bunitu.G proxy connection to Yahoo (malware-cnc.rules)
 * 1:28951 <-> DISABLED <-> BLACKLIST DNS reverse lookup response to malicious domain hosted-by.leaseweb.com - Win.Trojan.Bunitu.G (blacklist.rules)
 * 1:28949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kishlog variant outbound connection attempt (malware-cnc.rules)
 * 1:28950 <-> ENABLED <-> BLACKLIST DNS reverse lookup response to malicious domain .dataclub.biz - Win.Trojan.Bunitu.G (blacklist.rules)
 * 1:28948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kishlog variant outbound connection attempt (malware-cnc.rules)
 * 1:28944 <-> DISABLED <-> SERVER-WEBAPP BoonEx Dolphin 6.1.2 remote file include attempt (server-webapp.rules)
 * 1:28945 <-> DISABLED <-> INDICATOR-COMPROMISE exe.exe download (indicator-compromise.rules)
 * 1:28941 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
 * 1:28940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix malicious download attempt (malware-cnc.rules)
 * 1:28938 <-> DISABLED <-> BLACKLIST DNS request for known malware domain appropriations.co.cc (blacklist.rules)
 * 1:28936 <-> DISABLED <-> SERVER-WEBAPP Horde groupware webmail edition ingo filter cross-site request forgery attempt (server-webapp.rules)
 * 1:28937 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope issuesiebelcmd soap request code execution attempt (server-webapp.rules)
 * 1:28935 <-> ENABLED <-> PUA-ADWARE InstallBrain software download attempt (pua-adware.rules)
 * 1:28934 <-> ENABLED <-> PUA-ADWARE InstallBrain software download attempt (pua-adware.rules)
 * 1:28932 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHM file load attempt (browser-ie.rules)
 * 1:28931 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHM file load attempt (browser-ie.rules)
 * 1:28930 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeav variant outbound data connection (malware-cnc.rules)
 * 1:28929 <-> ENABLED <-> PUA-ADWARE Amonetize installer outbound connection attempt (pua-adware.rules)
 * 1:28928 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.amoninst.com (blacklist.rules)
 * 1:28927 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (file-java.rules)
 * 1:28979 <-> DISABLED <-> FILE-OTHER CHM LZX compression reset interval anti-virus evasion attempt (file-other.rules)
 * 1:28933 <-> DISABLED <-> BLACKLIST DNS request for known malware domain api.ibario.com (blacklist.rules)
 * 1:28939 <-> DISABLED <-> BLACKLIST DNS request for known malware domain havingbeothers.co.cc (blacklist.rules)
 * 1:28942 <-> DISABLED <-> SERVER-WEBAPP BoonEx Dolphin 6.1.2 remote file include attempt (server-webapp.rules)
 * 1:28943 <-> DISABLED <-> SERVER-WEBAPP BoonEx Dolphin 6.1.2 remote file include attempt (server-webapp.rules)
 * 1:28946 <-> DISABLED <-> SERVER-WEBAPP Microsoft Sharepoint server callback function cross-site scripting attempt (server-webapp.rules)
 * 1:28947 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tapaoux variant connection attempt (malware-cnc.rules)
 * 1:28952 <-> ENABLED <-> BLACKLIST DNS request to suspicious domain ns0.pollosm.me.uk - Win.Trojan.Bunitu.G (blacklist.rules)
 * 1:28955 <-> DISABLED <-> SERVER-OTHER Squid HTTP Host header port parameter denial of service attempt (server-other.rules)
 * 1:28957 <-> DISABLED <-> SERVER-WEBAPP RSS-aggregator display.php remote file include attempt (server-webapp.rules)
 * 1:28959 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fenhelua.com (blacklist.rules)
 * 1:28962 <-> ENABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia URL length buffer overflow attempt (file-multimedia.rules)
 * 1:28926 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (file-java.rules)
 * 1:28963 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit Flash Exploit landing page (exploit-kit.rules)
 * 1:28925 <-> DISABLED <-> BROWSER-IE Microsoft Windows showHelp CHM malicious file execution attempt (browser-ie.rules)
 * 1:28922 <-> DISABLED <-> BROWSER-IE Microsoft Windows showHelp CHM malicious file execution attempt (browser-ie.rules)
 * 1:28964 <-> DISABLED <-> DELETED EXPLOIT-KIT Multiple exploit kit flash exploit download (deleted.rules)
 * 1:28978 <-> DISABLED <-> FILE-OTHER CHM LZX compression reset interval anti-virus evasion attempt (file-other.rules)
 * 1:28965 <-> DISABLED <-> DELETED EXPLOIT-KIT Multiple exploit kit flash exploit download (deleted.rules)
 * 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
 * 1:28966 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound POST connection (exploit-kit.rules)
 * 1:28968 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound flash exploit retrieval attempt (exploit-kit.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
 * 1:28970 <-> DISABLED <-> SERVER-WEBAPP Fortinet FortiAnalyzer cross-site request forgery attempt.  (server-webapp.rules)
 * 1:28971 <-> DISABLED <-> SERVER-WEBAPP Fortinet FortiAnalyzer cross-site request forgery attempt.  (server-webapp.rules)
 * 1:28972 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed GIF double-free remote code execution attempt (browser-ie.rules)
 * 1:28973 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed GIF double-free remote code execution attempt (browser-ie.rules)
 * 1:28974 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed GIF double-free remote code execution attempt (browser-ie.rules)
 * 1:28975 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed GIF double-free remote code execution attempt (browser-ie.rules)
 * 1:28920 <-> DISABLED <-> BROWSER-IE Microsoft Windows showHelp CHM malicious file execution attempt (browser-ie.rules)
 * 1:28921 <-> DISABLED <-> BROWSER-IE Microsoft Windows showHelp CHM malicious file execution attempt (browser-ie.rules)
 * 1:28987 <-> ENABLED <-> MALWARE-CNC Win.Worm.Steckt IRCbot outbound connection (malware-cnc.rules)
 * 1:28985 <-> ENABLED <-> MALWARE-CNC Win.Worm.Steckt IRCbot executable download attempt (malware-cnc.rules)
 * 1:28984 <-> ENABLED <-> MALWARE-CNC Win.Worm.Steckt IRCbot executable download attempt (malware-cnc.rules)
 * 1:28988 <-> ENABLED <-> MALWARE-CNC Win.Worm.Steckt IRCbot outbound connection (malware-cnc.rules)
 * 1:28986 <-> ENABLED <-> MALWARE-CNC Win.Worm.Neeris IRCbot outbound connection (malware-cnc.rules)
 * 1:28982 <-> ENABLED <-> MALWARE-CNC Win.Worm.Steckt IRCbot requesting URL through IRC (malware-cnc.rules)
 * 1:28983 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Steckt IRCbot executable download attempt (malware-cnc.rules)
 * 1:28977 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent.DF - User-Agent Missing Bracket (malware-cnc.rules)
 * 1:28981 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wifi-usbx.me (blacklist.rules)
 * 1:28918 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Symmi variant network connectivity check attempt (malware-cnc.rules)
 * 1:28917 <-> DISABLED <-> PROTOCOL-SCADA Microsys Promotic directory traversal attempt (protocol-scada.rules)
 * 1:28923 <-> DISABLED <-> BROWSER-IE Microsoft Windows showHelp CHM malicious file execution attempt (browser-ie.rules)
 * 1:28980 <-> ENABLED <-> BLACKLIST DNS request for known malware domain teamimmsky.de (blacklist.rules)
 * 1:28924 <-> DISABLED <-> BROWSER-IE Microsoft Windows showHelp CHM malicious file execution attempt (browser-ie.rules)
 * 1:28913 <-> DISABLED <-> MALWARE-BACKDOOR Zollard outbound connection attempt (malware-backdoor.rules)
 * 1:28919 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Symmi variant network connectivity check attempt (malware-cnc.rules)
 * 1:28976 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent.DF - Data Exfiltration (malware-cnc.rules)
 * 1:28915 <-> ENABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster.verify method integer overflow attempt (file-java.rules)
 * 1:28914 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Anony variant connection attempt (malware-cnc.rules)

Modified Rules:

 * 1:117 <-> DISABLED <-> MALWARE-BACKDOOR Infector.1.x (malware-backdoor.rules)
 * 1:11834 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer navcancl.htm url spoofing attempt (browser-ie.rules)
 * 1:121 <-> DISABLED <-> MALWARE-BACKDOOR Infector 1.6 Client to Server Connection Request (malware-backdoor.rules)
 * 1:1264 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request TCP (protocol-rpc.rules)
 * 1:1446 <-> DISABLED <-> SERVER-MAIL vrfy root (server-mail.rules)
 * 1:16310 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6/7 outerHTML invalid reference arbitrary code execution attempt (browser-ie.rules)
 * 1:16311 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt (browser-ie.rules)
 * 1:19081 <-> DISABLED <-> INDICATOR-OBFUSCATION known suspicious decryption routine (indicator-obfuscation.rules)
 * 1:19808 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt (browser-ie.rules)
 * 1:20607 <-> ENABLED <-> SERVER-OTHER Novell Groupwise internet agent http uri buffer overflow attempt (server-other.rules)
 * 1:20608 <-> ENABLED <-> SERVER-OTHER Novell Groupwise internet agent http uri buffer overflow attempt (server-other.rules)
 * 1:23253 <-> DISABLED <-> BROWSER-PLUGINS HP Easy Printer Care XMLSimpleAccessor ActiveX function call access attempt (browser-plugins.rules)
 * 1:24506 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader null pointer dereference attempt (file-pdf.rules)
 * 1:24551 <-> DISABLED <-> FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt (file-image.rules)
 * 1:25285 <-> DISABLED <-> SERVER-OTHER Ruby on Rails authlogic session cookie SQL injection attempt (server-other.rules)
 * 1:25830 <-> ENABLED <-> FILE-JAVA Oracle Java malicious class download attempt (file-java.rules)
 * 1:26699 <-> DISABLED <-> FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt (file-image.rules)
 * 1:28538 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Asprox/Kuluoz variant connection attempt (malware-cnc.rules)
 * 1:28814 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound connection (malware-cnc.rules)
 * 1:28815 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound connection (malware-cnc.rules)
 * 1:577 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request UDP (protocol-rpc.rules)
 * 1:631 <-> DISABLED <-> SERVER-MAIL ehlo cybercop attempt (server-mail.rules)
 * 1:632 <-> DISABLED <-> SERVER-MAIL expn cybercop attempt (server-mail.rules)
 * 1:660 <-> DISABLED <-> SERVER-MAIL expn root (server-mail.rules)