Sourcefire VRT Rules Update

Date: 2013-10-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2953.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:28325 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zuza outbound communication attempt (malware-cnc.rules)
 * 1:28386 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help security zone bypass attempt (os-windows.rules)
 * 1:28384 <-> ENABLED <-> FILE-IDENTIFY HTML Help Index download file attachment detected (file-identify.rules)
 * 1:28385 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx remote code execution attempt (os-windows.rules)
 * 1:28383 <-> ENABLED <-> FILE-IDENTIFY HTML Help Index download file attachment detected (file-identify.rules)
 * 1:28381 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Temvice outbound communication attempt (malware-other.rules)
 * 1:28382 <-> ENABLED <-> FILE-IDENTIFY HTML Help Index file download request (file-identify.rules)
 * 1:28379 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:28380 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:28378 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:28376 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:28377 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:28374 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:28375 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:28372 <-> ENABLED <-> PUA-ADWARE UpdateStar encapsulated installer outbound connection (pua-adware.rules)
 * 1:28373 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Mutopy outbound communication attempt (malware-tools.rules)
 * 1:28371 <-> ENABLED <-> PUA-ADWARE UpdateStar CIS file retrieval attempt (pua-adware.rules)
 * 1:28370 <-> ENABLED <-> FILE-IDENTIFY CIS file attachment detected (file-identify.rules)
 * 1:28368 <-> ENABLED <-> FILE-IDENTIFY CIS file magic detected (file-identify.rules)
 * 1:28369 <-> ENABLED <-> FILE-IDENTIFY CIS file attachment detected (file-identify.rules)
 * 1:28367 <-> ENABLED <-> FILE-IDENTIFY CIS file magic detected (file-identify.rules)
 * 1:28366 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Venik outbound communication attempt (malware-cnc.rules)
 * 1:28365 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Stoberox outbound communication attempt (malware-other.rules)
 * 1:28363 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt (browser-ie.rules)
 * 1:28364 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt (browser-ie.rules)
 * 1:28361 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt (file-pdf.rules)
 * 1:28362 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string SUiCiDE/1.5 (blacklist.rules)
 * 1:28359 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt (browser-ie.rules)
 * 1:28360 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt (browser-ie.rules)
 * 1:28357 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt (browser-ie.rules)
 * 1:28358 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt (browser-ie.rules)
 * 1:28356 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt (browser-ie.rules)
 * 1:28354 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt (browser-ie.rules)
 * 1:28355 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt (browser-ie.rules)
 * 1:28352 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTableLayout memory corruption attempt (browser-ie.rules)
 * 1:28353 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTableLayout memory corruption attempt (browser-ie.rules)
 * 1:28350 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules)
 * 1:28351 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules)
 * 1:28348 <-> ENABLED <-> MALWARE-OTHER SimpleTDS - request to go.php (malware-other.rules)
 * 1:28349 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules)
 * 1:28346 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
 * 1:28347 <-> ENABLED <-> MALWARE-OTHER SimpleTDS - page redirecting to a SimpleTDS (malware-other.rules)
 * 1:28345 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
 * 1:28343 <-> ENABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:28344 <-> DISABLED <-> INDICATOR-OBFUSCATION large number of calls to chr function - possible sql injection obfuscation (indicator-obfuscation.rules)
 * 1:28341 <-> ENABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:28342 <-> ENABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:28339 <-> ENABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:28340 <-> ENABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:28338 <-> ENABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:28336 <-> ENABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:28337 <-> ENABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:28334 <-> ENABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:28335 <-> ENABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:28333 <-> ENABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:28331 <-> ENABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:28332 <-> ENABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:28329 <-> ENABLED <-> BLACKLIST DNS request for known malware domain u.eastmoon.pl (blacklist.rules)
 * 1:28330 <-> ENABLED <-> BLACKLIST DNS request for known malware domain y.opennews.su (blacklist.rules)
 * 1:28328 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon outbound communication attempt (malware-cnc.rules)
 * 1:28387 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help security zone bypass attempt (os-windows.rules)
 * 1:28327 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 8800.org (blacklist.rules)
 * 1:28326 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zuza outbound communication attempt (malware-cnc.rules)

Modified Rules:
 * 1:24960 <-> ENABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:28109 <-> ENABLED <-> EXPLOIT-KIT Nuclear/Magnitude exploit kit Oracle Java exploit download attempt (exploit-kit.rules)
 * 1:27920 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
 * 1:27593 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split (indicator-obfuscation.rules)
 * 1:27735 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool usage (indicator-obfuscation.rules)
 * 1:27592 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
 * 1:27272 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode (indicator-obfuscation.rules)
 * 1:27073 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules)
 * 1:26441 <-> ENABLED <-> INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected (indicator-obfuscation.rules)
 * 1:26352 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits (indicator-obfuscation.rules)
 * 1:23164 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online ncrypt.dll dll-load exploit attempt (server-other.rules)
 * 1:23165 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online wlanapi.dll dll-load exploit attempt (server-other.rules)
 * 1:28111 <-> ENABLED <-> EXPLOIT-KIT Nuclear/Mangnitude exploit kit post Java compromise download attempt (exploit-kit.rules)
 * 1:3148 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt (os-windows.rules)
 * 1:5838 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - EI (blacklist.rules)
 * 1:23162 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online ncrypt.dll dll-load exploit attempt (os-windows.rules)
 * 1:23163 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online wlanapi.dll dll-load exploit attempt (os-windows.rules)
 * 1:21796 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt (browser-ie.rules)
 * 1:23125 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM manipulation memory corruption attempt (browser-ie.rules)
 * 1:21324 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player uxtheme.dll dll-load exploit attempt (file-flash.rules)
 * 1:21322 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt (file-flash.rules)
 * 1:21323 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player atl.dll dll-load exploit attempt (file-flash.rules)
 * 1:21320 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player atl.dll dll-load exploit attempt (file-flash.rules)
 * 1:21321 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player uxtheme.dll dll-load exploit attempt (file-flash.rules)
 * 1:21319 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt (file-flash.rules)
 * 1:20703 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp4x322.dll dll-load exploit attempt (file-office.rules)
 * 1:20722 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord exploit attempt (file-office.rules)
 * 1:27074 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules)
 * 1:20701 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp4x322.dll dll-load exploit attempt (file-office.rules)
 * 1:20702 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp7x32.dll dll-load exploit attempt (file-office.rules)
 * 1:20254 <-> DISABLED <-> OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt (os-windows.rules)
 * 1:20700 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint pp7x32.dll dll-load exploit attempt (file-office.rules)
 * 1:20253 <-> DISABLED <-> OS-WINDOWS Microsoft products oleacc.dll dll-load exploit attempt (os-windows.rules)
 * 1:19620 <-> DISABLED <-> FILE-FLASH Adobe multiple products dwmapi.dll dll-load exploit attempt (file-flash.rules)
 * 1:19673 <-> DISABLED <-> OS-WINDOWS Microsoft Data Access Components bidlab.dll dll-load exploit attempt (os-windows.rules)
 * 1:19465 <-> DISABLED <-> OS-WINDOWS Visio mfc71 dll-load attempt (os-windows.rules)
 * 1:19618 <-> DISABLED <-> FILE-OTHER Adobe multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:18951 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTableLayout memory corruption attempt (browser-ie.rules)
 * 1:19236 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer drag event memory corruption attempt (browser-ie.rules)
 * 1:18629 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc100.dll dll-load exploit attempt (os-windows.rules)
 * 1:18809 <-> DISABLED <-> BROWSER-FIREFOX Mozilla EnsureCachedAttrParamArrays integer overflow attempt (browser-firefox.rules)
 * 1:18627 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc80.dll dll-load exploit attempt (os-windows.rules)
 * 1:18628 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc90.dll dll-load exploit attempt (os-windows.rules)
 * 1:18626 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc42.dll dll-load exploit attempt (os-windows.rules)
 * 1:18623 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc100.dll dll-load exploit attempt (os-windows.rules)
 * 1:18625 <-> DISABLED <-> OS-WINDOWS Microsoft Foundation Class applications mfc40.dll dll-load exploit attempt (os-windows.rules)
 * 1:18621 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc80.dll dll-load exploit attempt (os-windows.rules)
 * 1:18622 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc90.dll dll-load exploit attempt (os-windows.rules)
 * 1:27736 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
 * 1:18619 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc40.dll dll-load exploit attempt (os-windows.rules)
 * 1:18620 <-> DISABLED <-> OS-WINDOWS Microsoft Visual Studio MFC applications mfc42.dll dll-load exploit attempt (os-windows.rules)
 * 1:18241 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows WMI administrator tools object viewer ActiveX clsid access (browser-plugins.rules)
 * 1:18495 <-> ENABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
 * 1:18102 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader invalid PDF JavaScript printSeps extension call attempt (file-pdf.rules)
 * 1:17129 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free memory corruption attempt (browser-ie.rules)
 * 1:16376 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTableLayout memory corruption attempt (browser-ie.rules)
 * 1:28023 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
 * 1:25353 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord exploit attempt (file-office.rules)
 * 1:28024 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
 * 1:28025 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
 * 1:24963 <-> ENABLED <-> BROWSER-PLUGINS Microsoft DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:28108 <-> ENABLED <-> EXPLOIT-KIT Nuclear/Magnitude exploit kit Adobe Flash exploit download attempt (exploit-kit.rules)
 * 1:23285 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt (browser-ie.rules)
 * 1:24961 <-> ENABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:26101 <-> ENABLED <-> INDICATOR-OBFUSCATION String.fromCharCode concatenation (indicator-obfuscation.rules)
 * 1:26092 <-> ENABLED <-> INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages (indicator-obfuscation.rules)
 * 1:24508 <-> DISABLED <-> FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt (file-pdf.rules)
 * 1:24077 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Upof outbound connection (malware-cnc.rules)
 * 1:24962 <-> ENABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:25592 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated document command - used in IFRAMEr tool injection (indicator-obfuscation.rules)
 * 1:25354 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord exploit attempt (file-office.rules)
 * 1:24957 <-> ENABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:24959 <-> ENABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:25391 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit obfuscated payload download (exploit-kit.rules)
 * 1:24958 <-> ENABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:25355 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord exploit attempt (file-office.rules)
 * 1:24970 <-> ENABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)