Sourcefire VRT Rules Update

Date: 2013-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2950.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:28106 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload information upload attempt (malware-cnc.rules)
 * 1:28104 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hy.micrsofts.com (blacklist.rules)
 * 1:28105 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload outbound connection attempt (malware-cnc.rules)
 * 1:28103 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel Workspace file FontCount record memory corruption attempt (file-office.rules)
 * 1:28098 <-> DISABLED <-> SERVER-OTHER CA Total Defense Suite UNCWS reGenerateReports/DeleteReports SQL injection attempt (server-other.rules)
 * 1:28097 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ohlat variant connection attempt (malware-cnc.rules)
 * 1:28102 <-> DISABLED <-> SERVER-OTHER CA Total Defense Suite UNCWS ReportFilterID/reportTemplateID SQL injection attempt (server-other.rules)
 * 1:28100 <-> DISABLED <-> SERVER-OTHER CA Total Defense Suite UNCWS deleteReportFilter SQL injection attempt (server-other.rules)
 * 1:28101 <-> DISABLED <-> SERVER-OTHER CA Total Defense Suite UNCWS reGenerateReports/DeleteReports SQL injection attempt (server-other.rules)
 * 1:28099 <-> DISABLED <-> SERVER-OTHER CA Total Defense Suite UNCWS reGenerateReports/DeleteReports SQL injection attempt (server-other.rules)
 * 1:28107 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload download attempt (malware-cnc.rules)
 * 1:28108 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Adobe Flash exploit download attempt (exploit-kit.rules)
 * 1:28072 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Omexo outbound communication attempt (malware-cnc.rules)
 * 1:28073 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Kimsuky variant file stealing attempt (malware-cnc.rules)
 * 1:28074 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ADKR connection attempt (malware-cnc.rules)
 * 1:28109 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Oracle Java exploit download attempt (exploit-kit.rules)
 * 1:28075 <-> ENABLED <-> MALWARE-CNC Win.Trojan.gzfw connection attempt (malware-cnc.rules)
 * 1:28076 <-> DISABLED <-> SERVER-WEBAPP Drupal Core OpenID information disclosure attempt (server-webapp.rules)
 * 1:28077 <-> DISABLED <-> BLACKLIST DNS request for known malware domain cmeef.info (blacklist.rules)
 * 1:28078 <-> DISABLED <-> BLACKLIST DNS request for known malware domain karder.ws (blacklist.rules)
 * 1:28110 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit font file exploit download attempt (exploit-kit.rules)
 * 1:28079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Napolar outbound connection attempt (malware-cnc.rules)
 * 1:28080 <-> DISABLED <-> MALWARE-CNC Win.Napolar trojan data theft (malware-cnc.rules)
 * 1:28081 <-> ENABLED <-> OS-MOBILE Android ANDR.Trojan.Malapp APK file download attempt (os-mobile.rules)
 * 1:28082 <-> ENABLED <-> OS-MOBILE Android ANDR.Trojan.Malapp APK file download attempt (os-mobile.rules)
 * 1:28111 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit post Java compromise download attempt (exploit-kit.rules)
 * 1:28083 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN1000B setup.cgi cross site scripting attempt (server-webapp.rules)
 * 1:28084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hupigon variant connection attempt (malware-cnc.rules)
 * 1:28085 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kartmanscript.com (blacklist.rules)
 * 1:28086 <-> ENABLED <-> OS-MOBILE Android ANDR.Trojan.SmsSpy APK file download attempt (os-mobile.rules)
 * 1:28087 <-> ENABLED <-> OS-MOBILE Android ANDR.Trojan.SmsSpy APK file download attempt (os-mobile.rules)
 * 1:28112 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 9 null character in string information disclosure attempt (browser-ie.rules)
 * 1:28093 <-> DISABLED <-> SERVER-WEBAPP Western Digital Arkeia Appliance directory traversal attempt (server-webapp.rules)
 * 1:28094 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Liteol variant connection attempt (malware-cnc.rules)
 * 1:28095 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Liteol variant connection attempt (malware-cnc.rules)
 * 1:28113 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FngGroupCount record overflow attempt (file-office.rules)
 * 1:28096 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spynet variant connection attempt (malware-cnc.rules)

Modified Rules:

 * 1:4676 <-> DISABLED <-> SERVER-ORACLE Enterprise Manager Application Server Control web parameter overflow attempt (server-oracle.rules)
 * 1:4677 <-> DISABLED <-> SERVER-ORACLE Enterprise Manager Application Server Control GET parameter overflow attempt (server-oracle.rules)
 * 1:27821 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel PtgMemFunc zero-value cce-field read access violation attempt (file-office.rules)
 * 1:27944 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
 * 1:27635 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Record Code Execution attempt (file-office.rules)
 * 1:27820 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel PtgMemFunc zero-value cce-field read access violation attempt (file-office.rules)
 * 1:2343 <-> DISABLED <-> PROTOCOL-FTP STOR overflow attempt (protocol-ftp.rules)
 * 1:27201 <-> DISABLED <-> MALWARE-CNC Unknown Brazilian Banking Trojan (malware-cnc.rules)
 * 1:20123 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ShrFmla record use after free attempt (file-office.rules)
 * 1:21080 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules)
 * 1:17522 <-> ENABLED <-> FILE-JAVA Oracle Java Runtime Environment Pack200 Decompression Integer Overflow (file-java.rules)
 * 1:19296 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules)
 * 1:16447 <-> DISABLED <-> PROTOCOL-RPC Solaris UDP portmap sadmin request attempt (protocol-rpc.rules)
 * 1:17517 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Record Code Execution attempt (file-office.rules)
 * 1:14020 <-> DISABLED <-> FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt (file-multimedia.rules)
 * 1:12458 <-> DISABLED <-> PROTOCOL-RPC Solaris TCP portmap sadmin port query request attempt (protocol-rpc.rules)
 * 1:12626 <-> DISABLED <-> PROTOCOL-RPC Solaris UDP portmap sadmin port query request attempt (protocol-rpc.rules)
 * 1:12627 <-> DISABLED <-> PROTOCOL-RPC Solaris TCP portmapper sadmin port query attempt (protocol-rpc.rules)
 * 1:12628 <-> DISABLED <-> PROTOCOL-RPC Solaris UDP portmapper sadmin port query attempt (protocol-rpc.rules)
 * 1:14019 <-> DISABLED <-> FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt (file-multimedia.rules)
 * 1:17433 <-> DISABLED <-> OS-SOLARIS Oracle Solaris DHCP Client Arbitrary Code Execution attempt (os-solaris.rules)
 * 1:18634 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel Workspace file FontCount record memory corruption attempt (file-office.rules)
 * 1:19810 <-> DISABLED <-> SERVER-OTHER CA Total Defense Suite UNCWS deleteReportTemplate SQL injection attempt (server-other.rules)
 * 1:26652 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:26853 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt (browser-ie.rules)
 * 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
 * 1:27943 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
 * 1:7205 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FngGroupCount record overflow attempt (file-office.rules)
 * 1:585 <-> DISABLED <-> PROTOCOL-RPC portmap sadmind request UDP attempt (protocol-rpc.rules)