Sourcefire VRT Rules Update

Date: 2013-11-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2953.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:28603 <-> ENABLED <-> FILE-PDF Adobe Reader badly formatted type 0 font attempt (file-pdf.rules)
 * 1:28605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kasnam variant connection attempt (malware-cnc.rules)
 * 1:28602 <-> ENABLED <-> FILE-PDF Adobe Reader badly formatted type 0 font attempt (file-pdf.rules)
 * 1:28600 <-> ENABLED <-> FILE-PDF Adobe Reader badly formatted type 0 font attempt (file-pdf.rules)
 * 1:28601 <-> ENABLED <-> FILE-PDF Adobe Reader badly formatted type 0 font attempt (file-pdf.rules)
 * 1:28598 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Adobe Reader field dictionary null pointer dereference attempt (file-pdf.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
 * 1:28597 <-> ENABLED <-> FILE-PDF Adobe Acrobat and Adobe Reader field dictionary null pointer dereference attempt (file-pdf.rules)
 * 1:28593 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit payload download (exploit-kit.rules)
 * 1:28595 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Oracle Java jar file retrieval (exploit-kit.rules)
 * 1:28591 <-> ENABLED <-> FILE-PDF Adobe Reader TTF remote code execution attempt (file-pdf.rules)
 * 1:28592 <-> ENABLED <-> FILE-PDF Adobe Reader TTF remote code execution attempt (file-pdf.rules)
 * 1:28588 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GlyphOffset memory disclosure attempt (file-flash.rules)
 * 1:28590 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:28587 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GlyphOffset memory disclosure attempt (file-flash.rules)
 * 1:28585 <-> ENABLED <-> FILE-PDF Adobe Reader OTF font head table size overflow attempt (file-pdf.rules)
 * 1:28586 <-> ENABLED <-> FILE-PDF Adobe Reader OTF font head table size overflow attempt (file-pdf.rules)
 * 1:28583 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight ScriptObject untrusted pointer dereference attempt (browser-plugins.rules)
 * 1:28582 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight ScriptObject untrusted pointer dereference attempt (browser-plugins.rules)
 * 1:28579 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight ScriptObject untrusted pointer dereference attempt (browser-plugins.rules)
 * 1:28580 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight ScriptObject untrusted pointer dereference attempt (browser-plugins.rules)
 * 1:28577 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader memory disclosure attempt (file-pdf.rules)
 * 1:28578 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader memory disclosure attempt (file-pdf.rules)
 * 1:28576 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader FDF submitForm cross-site scripting attempt (file-other.rules)
 * 1:28560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Plugx FTP keepalive outbound connection attempt (malware-cnc.rules)
 * 1:28561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Plugx outbound connection attempt (malware-cnc.rules)
 * 1:28562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sidopa outbound communication attempt (malware-cnc.rules)
 * 1:28563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pkdesco outbound communication attempt (malware-cnc.rules)
 * 1:28581 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight ScriptObject untrusted pointer dereference attempt (browser-plugins.rules)
 * 1:28570 <-> ENABLED <-> FILE-IDENTIFY FDF file magic detected (file-identify.rules)
 * 1:28565 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sluegot variant connection attempt (malware-cnc.rules)
 * 1:28564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pkdesco outbound communication attempt (malware-cnc.rules)
 * 1:28571 <-> ENABLED <-> FILE-IDENTIFY FDF file attachment detected (file-identify.rules)
 * 1:28584 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight ScriptObject untrusted pointer dereference attempt (browser-plugins.rules)
 * 1:28568 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote memory corruption attempt (file-flash.rules)
 * 1:28569 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote memory corruption attempt (file-flash.rules)
 * 1:28611 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:28566 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player use after free race condition (deleted.rules)
 * 1:28589 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:28575 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader FDF submitForm cross-site scripting attempt (file-other.rules)
 * 1:28574 <-> ENABLED <-> FILE-IDENTIFY FDF file download request (file-identify.rules)
 * 1:28573 <-> ENABLED <-> FILE-IDENTIFY FDF file magic detected (file-identify.rules)
 * 1:28572 <-> ENABLED <-> FILE-IDENTIFY FDF file attachment detected (file-identify.rules)
 * 1:28594 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request (exploit-kit.rules)
 * 1:28599 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Lesirt outbound communication attempt (malware-cnc.rules)
 * 1:28604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kasnam variant connection attempt (malware-cnc.rules)
 * 1:28606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Surtr variant connection attempt (malware-cnc.rules)
 * 1:28607 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
 * 1:28608 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit Atomic exploit download - specific-structure (exploit-kit.rules)
 * 1:28609 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit obfuscated exploit payload download (exploit-kit.rules)
 * 1:28620 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:28619 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:28618 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDSElementGetPageRangeList recursive call denial of service attempt (file-pdf.rules)
 * 1:28567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free race condition (file-flash.rules)
 * 1:28617 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDSElementGetPageRangeList recursive call denial of service attempt (file-pdf.rules)
 * 1:28614 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)
 * 1:28610 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit exploit payload retreive attempt (exploit-kit.rules)
 * 1:28616 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit payload download attempt (exploit-kit.rules)
 * 1:28612 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Silverlight exploit download (exploit-kit.rules)
 * 1:28615 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit exploit download attempt (exploit-kit.rules)
 * 1:28613 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page - specific-structure (exploit-kit.rules)

Modified Rules:
 * 1:28490 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted object memory corruption attempt (browser-ie.rules)
 * 1:28541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess Download Headers (malware-cnc.rules)
 * 1:28489 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:25679 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:25676 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:25677 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:25678 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:24139 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed RTMP response attempt (file-flash.rules)
 * 1:25452 <-> ENABLED <-> INDICATOR-OBFUSCATION PNG header followed by PDF header (indicator-obfuscation.rules)
 * 1:25451 <-> ENABLED <-> INDICATOR-OBFUSCATION GIF header followed by PDF header (indicator-obfuscation.rules)
 * 1:25367 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:25366 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:22063 <-> ENABLED <-> SERVER-WEBAPP PHP-CGI remote file include attempt (server-webapp.rules)
 * 1:24062 <-> ENABLED <-> MALWARE-CNC W32.Trojan.Hufysk variant outbound connection (malware-cnc.rules)
 * 1:23238 <-> DISABLED <-> NETBIOS Wireshark console.lua file load exploit attempt (netbios.rules)
 * 1:23600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gamarue outbound connection attempt (malware-cnc.rules)
 * 1:19668 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer telnet.exe file load exploit attempt (browser-ie.rules)
 * 1:22078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:15869 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ASnative command execution attempt (file-flash.rules)