Sourcefire VRT Rules Update

Date: 2013-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2953.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:28181 <-> ENABLED <-> BLACKLIST DNS request for known malware domain netprotections.cc (blacklist.rules)
 * 1:28182 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zstats.cc (blacklist.rules)
 * 1:28185 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pahxeeju.cc (blacklist.rules)
 * 1:28183 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xstats.cc (blacklist.rules)
 * 1:28187 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nohtheer.su (blacklist.rules)
 * 1:28184 <-> ENABLED <-> BLACKLIST DNS request for known malware domain statinfo.su (blacklist.rules)
 * 1:28188 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bo0keego.cc (blacklist.rules)
 * 1:28189 <-> ENABLED <-> BLACKLIST DNS request for known malware domain esysinfo.su (blacklist.rules)
 * 1:28190 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .cc dns query (indicator-compromise.rules)
 * 1:28191 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:28192 <-> DISABLED <-> MALWARE-CNC Win.Kuluoz Potential Phishing URL (malware-cnc.rules)
 * 1:28193 <-> DISABLED <-> BLACKLIST DNS request for known malware domain- Win.Vobfus worm variant (blacklist.rules)
 * 1:28194 <-> ENABLED <-> EXPLOIT-KIT X2O exploit kit landing page (exploit-kit.rules)
 * 1:28195 <-> ENABLED <-> EXPLOIT-KIT X2O exploit kit post java exploit download attempt (exploit-kit.rules)
 * 1:28196 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit module call (exploit-kit.rules)
 * 1:28197 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit module call (exploit-kit.rules)
 * 1:28175 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ubicahje.cc (blacklist.rules)
 * 1:28176 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oonucoog.cc (blacklist.rules)
 * 1:28198 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit module call (exploit-kit.rules)
 * 1:28173 <-> ENABLED <-> BLACKLIST DNS request for known malware domain uphebuch.su (blacklist.rules)
 * 1:28174 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ahthuvuz.cc (blacklist.rules)
 * 1:28171 <-> ENABLED <-> BLACKLIST DNS request for known malware domain guodeira.cc (blacklist.rules)
 * 1:28172 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wahemah.cc (blacklist.rules)
 * 1:28199 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit module call (exploit-kit.rules)
 * 1:28170 <-> ENABLED <-> BLACKLIST DNS request for known malware domain e-statistics.su (blacklist.rules)
 * 1:28169 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wownthing.cc (blacklist.rules)
 * 1:28167 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eilahcha.cc (blacklist.rules)
 * 1:28168 <-> ENABLED <-> BLACKLIST DNS request for known malware domain main2woo.su (blacklist.rules)
 * 1:28200 <-> ENABLED <-> EXPLOIT-KIT Cool exploit kit redirection outbound attempt (exploit-kit.rules)
 * 1:28165 <-> DISABLED <-> PROTOCOL-VOIP attempted DOS detected (protocol-voip.rules)
 * 1:28166 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bifrose variant connection attempt (malware-cnc.rules)
 * 1:28163 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted object memory corruption attempt (browser-ie.rules)
 * 1:28164 <-> DISABLED <-> MALWARE-CNC Trojan.Win.FakeAV attempted file download (malware-cnc.rules)
 * 1:28201 <-> ENABLED <-> SERVER-OTHER Microsoft SharePoint XSS attempt (server-other.rules)
 * 1:28161 <-> DISABLED <-> FILE-OTHER Microsoft .NET XML digital signature denial of service attempt (file-other.rules)
 * 1:28162 <-> DISABLED <-> FILE-OTHER Microsoft .NET XML digital signature denial of service attempt (file-other.rules)
 * 1:28159 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLayoutBlock use after free attempt (browser-ie.rules)
 * 1:28160 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:28157 <-> DISABLED <-> BROWSER-PLUGINS Oracle Java XML digital signature spoofing attempt (browser-plugins.rules)
 * 1:28202 <-> ENABLED <-> FILE-OTHER ATMFD Adobe font driver reserved command denial of service attempt (file-other.rules)
 * 1:28158 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLayoutBlock use after free attempt (browser-ie.rules)
 * 1:28155 <-> DISABLED <-> MALWARE-CNC Win.Foreign variant outbound connection - MSIE 7.2 (malware-cnc.rules)
 * 1:28156 <-> DISABLED <-> PUA-ADWARE Linkury outbound time check (pua-adware.rules)
 * 1:28153 <-> DISABLED <-> MALWARE-CNC Win.Foreign variant outbound connection - /html2/ (malware-cnc.rules)
 * 1:28203 <-> ENABLED <-> FILE-OTHER ATMFD Adobe font driver reserved command denial of service attempt (file-other.rules)
 * 1:28154 <-> DISABLED <-> MALWARE-CNC Win.Foreign variant outbound connection - MSIE 7.1 (malware-cnc.rules)
 * 1:28151 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer STextBlockPosition use after free attempt (browser-ie.rules)
 * 1:28152 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kievandmoskaustt.in (blacklist.rules)
 * 1:28150 <-> DISABLED <-> SERVER-OTHER Quest Software Big Brother attempted arbitrary file upload (server-other.rules)
 * 1:28204 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted object memory corruption attempt (browser-ie.rules)
 * 1:28148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mevade variant outbound connection (malware-cnc.rules)
 * 1:28149 <-> DISABLED <-> SERVER-OTHER Quest Software Big Brother attempted arbitrary file deletion (server-other.rules)
 * 1:28146 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Salgorea variant connection attempt (malware-cnc.rules)
 * 1:28147 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Conficker variant connection attempt (malware-cnc.rules)
 * 1:28205 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2003 macro byte opcode large data structure arbitrary code execution attempt (file-office.rules)
 * 1:28144 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Wpbrutebot variant connection attempt (malware-cnc.rules)
 * 1:28145 <-> DISABLED <-> SERVER-WEBAPP OpenEMR information disclosure attempt (server-webapp.rules)
 * 1:28143 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Medfos outbound communication attempt (malware-cnc.rules)
 * 1:28206 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2003 macro byte opcode large data structure arbitrary code execution attempt (file-office.rules)
 * 1:28141 <-> ENABLED <-> MALWARE-CNC Win.Trojan.banker outbound communication attempt (malware-cnc.rules)
 * 1:28142 <-> DISABLED <-> BLACKLIST DNS request for known malware domain filenethost.com (blacklist.rules)
 * 1:28140 <-> DISABLED <-> PUA-ADWARE Win.Adware.Schmidti outbound communication attempt (pua-adware.rules)
 * 1:28207 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
 * 1:28139 <-> DISABLED <-> SERVER-WEBAPP Python Pickle remote code execution attempt (server-webapp.rules)
 * 1:28208 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
 * 1:28177 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sysinfo.cc (blacklist.rules)
 * 1:28186 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eegeingo.cc (blacklist.rules)
 * 1:28178 <-> ENABLED <-> BLACKLIST DNS request for known malware domain inetprotections.su (blacklist.rules)
 * 1:28179 <-> ENABLED <-> BLACKLIST DNS request for known malware domain seguards.su (blacklist.rules)
 * 1:28180 <-> ENABLED <-> BLACKLIST DNS request for known malware domain aenaethi.cc (blacklist.rules)

Modified Rules:

 * 1:27907 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt (exploit-kit.rules)
 * 1:27777 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure (exploit-kit.rules)
 * 1:27529 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27530 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27527 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27528 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:27525 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:27526 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27003 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:27010 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot payment .scr download attempt (malware-cnc.rules)
 * 1:27008 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot outbound connection (malware-cnc.rules)
 * 1:27007 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot outbound connection (malware-cnc.rules)
 * 1:26946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uptime RAT beacon attempt (malware-cnc.rules)
 * 1:27002 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:26944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Post_Show RAT beacon attempt (malware-cnc.rules)
 * 1:26945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bisonal RAT beacon attempt (malware-cnc.rules)
 * 1:26942 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PipCreat RAT beacon attempt (malware-cnc.rules)
 * 1:26943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Post_Show RAT beacon attempt (malware-cnc.rules)
 * 1:26178 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hiloti outbound connection (malware-cnc.rules)
 * 1:26941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PipCreat RAT dropper download attempt (malware-cnc.rules)
 * 1:25991 <-> DISABLED <-> MALWARE-CNC Win.Spy.Agent variant connect to cnc-server attempt (malware-cnc.rules)
 * 1:26072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locati variant outbound connection attempt (malware-cnc.rules)
 * 1:25974 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25990 <-> DISABLED <-> MALWARE-CNC Win.Spy.Agent variant connect to cnc-server attempt (malware-cnc.rules)
 * 1:25854 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection - MSIE7 No Referer No Cookie (malware-cnc.rules)
 * 1:25973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boolflot variant outbound connection (malware-cnc.rules)
 * 1:25804 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit malicious jar download attempt (exploit-kit.rules)
 * 1:25806 <-> ENABLED <-> EXPLOIT-KIT Whitehole exploit kit landing page (exploit-kit.rules)
 * 1:25628 <-> DISABLED <-> MALWARE-CNC Win.Spy.Banker variant connect to cnc-server attempt (malware-cnc.rules)
 * 1:25664 <-> ENABLED <-> SERVER-OTHER MiniUPnPd SSDP request buffer overflow attempt (server-other.rules)
 * 1:25599 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupboot variant outbound connection (malware-cnc.rules)
 * 1:25600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dilavtor variant outbound connection (malware-cnc.rules)
 * 1:25571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Medialabs outbound connection (malware-cnc.rules)
 * 1:25572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Virut variant outbound connection (malware-cnc.rules)
 * 1:25551 <-> DISABLED <-> MALWARE-CNC Win.Worm.Dipasik variant outbound connection (malware-cnc.rules)
 * 1:25570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Medialabs outbound connection (malware-cnc.rules)
 * 1:25076 <-> ENABLED <-> MALWARE-CNC Win.Worm.Joanap variant Runtime Detection (malware-cnc.rules)
 * 1:25545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Printlove variant outbound connection (malware-cnc.rules)
 * 1:25070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector variant outbound connection (malware-cnc.rules)
 * 1:25071 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Macnsed variant outbound connection (malware-cnc.rules)
 * 1:24539 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
 * 1:25027 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Opachki variant connect to cnc-server attempt (malware-cnc.rules)
 * 1:24385 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Tracur variant outbound communication (malware-cnc.rules)
 * 1:24524 <-> DISABLED <-> SERVER-MAIL Novell GroupWise internet agent iCalendar parsing denial of service attempt (server-mail.rules)
 * 1:24384 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Tracur variant outbound communication (malware-cnc.rules)
 * 1:24334 <-> DISABLED <-> MALWARE-CNC Win.Spy.Agent variant connect to cnc-server attempt (malware-cnc.rules)
 * 1:21632 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
 * 1:20432 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hiloti outbound connection (malware-cnc.rules)
 * 1:21444 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TDSS outbound connection (malware-cnc.rules)
 * 1:17555 <-> DISABLED <-> BROWSER-PLUGINS Macrovision InstallShield Update Service ActiveX exploit attempt (browser-plugins.rules)
 * 1:17736 <-> DISABLED <-> SERVER-OTHER McAfee LHA Type-2 file handling overflow attempt (server-other.rules)
 * 1:11290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed named graph information ascii overflow attempt (file-office.rules)
 * 1:15514 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt (server-other.rules)
 * 1:11258 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Named Graph Information unicode overflow attempt (file-office.rules)
 * 1:8738 <-> DISABLED <-> BROWSER-PLUGINS Macrovision InstallShield Update Service ActiveX clsid access (browser-plugins.rules)
 * 1:28028 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt (exploit-kit.rules)
 * 1:27955 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mevade variant outbound connection (malware-cnc.rules)
 * 1:28138 <-> ENABLED <-> EXPLOIT-KIT DotkaChef exploit kit redirection attempt (exploit-kit.rules)
 * 1:28072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Omexo outbound communication attempt (malware-cnc.rules)