Sourcefire VRT Rules Update

Date: 2013-11-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2955.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:28559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Castov variant connection attempt (malware-cnc.rules)
 * 1:28558 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string getURLdown (blacklist.rules)
 * 1:28557 <-> DISABLED <-> PROTOCOL-DNS Malformed DNS query with HTTP content (protocol-dns.rules)
 * 1:28556 <-> DISABLED <-> PROTOCOL-DNS DNS query amplification attempt (protocol-dns.rules)
 * 1:28555 <-> DISABLED <-> MALWARE-OTHER SQL Slammer worm propagation attempt inbound (malware-other.rules)
 * 1:28554 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /online.htm GET Encrypted Payload (malware-cnc.rules)
 * 1:28553 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /main.htm GET Encrypted Payload (malware-cnc.rules)
 * 1:28552 <-> DISABLED <-> INDICATOR-SCAN inbound probing for IPTUX messenger port (indicator-scan.rules)
 * 1:28551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NXI ftp username communication attempt (malware-cnc.rules)

Modified Rules:
 * 1:28416 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pony outbound connection attempt (malware-cnc.rules)
 * 1:28445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mssql.maurosouza9899.kinghost.net - Win.Symmi Trojan (blacklist.rules)
 * 1:28474 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound plugin detection response - generic detection (exploit-kit.rules)
 * 1:28475 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request - generic detection (exploit-kit.rules)
 * 1:28476 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request by Java - generic detection (exploit-kit.rules)
 * 1:28496 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer createRange user after free attempt (browser-ie.rules)