Sourcefire VRT Rules Update

Date: 2013-11-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2955.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:28791 <-> DISABLED <-> FILE-FLASH Adobe FlashPlayer loadPCMFromByteArray bad sample count attempt (file-flash.rules)
 * 1:28792 <-> DISABLED <-> FILE-FLASH Adobe FlashPlayer loadPCMFromByteArray bad sample count attempt (file-flash.rules)
 * 1:28793 <-> DISABLED <-> FILE-FLASH Adobe FlashPlayer loadPCMFromByteArray bad sample count attempt (file-flash.rules)
 * 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon exploit kit payload download attempt (exploit-kit.rules)
 * 1:28794 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SerAuxTrend biff record corruption attempt (file-office.rules)
 * 1:28796 <-> ENABLED <-> EXPLOIT-KIT iFRAMEr successful cnt.php redirection (exploit-kit.rules)
 * 1:28797 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit binkey xored binary download attempt (exploit-kit.rules)
 * 1:28798 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit possibly malicious iframe embedded into a webpage (exploit-kit.rules)
 * 1:28799 <-> ENABLED <-> MALWARE-CNC Win-Trojan-Mxtcycle outbound communication attempt (malware-cnc.rules)
 * 1:28800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus outbound connection attempt (malware-cnc.rules)
 * 1:28801 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.Bancos outbound connection attempt (deleted.rules)
 * 1:28802 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos outbound connection attempt (malware-cnc.rules)
 * 1:28803 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector outbound connection attempt (malware-cnc.rules)
 * 1:28805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Palevo outbound connection attempt (malware-cnc.rules)
 * 1:28804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector outbound connection attempt (malware-cnc.rules)
 * 1:28806 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware download - single digit .exe file download from MSIE without any Accept headers (indicator-compromise.rules)
 * 1:28807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector variant outbound communication (malware-cnc.rules)
 * 1:28808 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Ptiger outbound communication attempt (malware-cnc.rules)
 * 1:28809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dofoil outbound connection attempt (malware-cnc.rules)

Modified Rules:
 * 1:25859 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious jar file download (exploit-kit.rules)
 * 1:25858 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit Java exploit download (exploit-kit.rules)
 * 1:26055 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious class file download (exploit-kit.rules)
 * 1:26053 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious class file download (exploit-kit.rules)
 * 1:26048 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit PDF exploit (exploit-kit.rules)
 * 1:26051 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious jar file download (exploit-kit.rules)
 * 1:26046 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit landing page (exploit-kit.rules)
 * 1:25857 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit PDF exploit (exploit-kit.rules)
 * 1:25860 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit landing page (exploit-kit.rules)
 * 1:25952 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit landing page (exploit-kit.rules)
 * 1:25953 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit landing page (exploit-kit.rules)
 * 1:19225 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SerAuxTrend biff record corruption attempt (file-office.rules)
 * 1:25324 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit landing page detected (exploit-kit.rules)
 * 1:25045 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit requesting payload (exploit-kit.rules)
 * 1:25507 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit pdf exploit retrieval (exploit-kit.rules)
 * 1:25955 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious jar file download (exploit-kit.rules)
 * 1:25508 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit java exploit retrieval (exploit-kit.rules)
 * 1:25509 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit pdf exploit retrieval (exploit-kit.rules)
 * 1:25957 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious class file download (exploit-kit.rules)
 * 1:25958 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious class file download (exploit-kit.rules)
 * 1:25960 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit former location - has been removed (exploit-kit.rules)
 * 1:25961 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit Portable Executable download (exploit-kit.rules)
 * 1:25956 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious class file download (exploit-kit.rules)
 * 1:25964 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious class file download (exploit-kit.rules)
 * 1:25965 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious class file download (exploit-kit.rules)
 * 1:25966 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious class file download (exploit-kit.rules)
 * 1:26254 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit redirection page (exploit-kit.rules)
 * 1:25959 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious class file download (exploit-kit.rules)
 * 1:26510 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit pdf payload detection (exploit-kit.rules)
 * 1:25967 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious class file download (exploit-kit.rules)
 * 1:26540 <-> ENABLED <-> EXPLOIT-KIT iFramer injection - specific structure (exploit-kit.rules)
 * 1:27109 <-> DISABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit malicious jar download (exploit-kit.rules)
 * 1:25968 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit Portable Executable download (exploit-kit.rules)
 * 1:27110 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request (exploit-kit.rules)
 * 1:26052 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious class file download (exploit-kit.rules)
 * 1:26047 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit redirection structure (exploit-kit.rules)
 * 1:26054 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious class file download (exploit-kit.rules)
 * 1:26506 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit jar file redirection (exploit-kit.rules)
 * 1:26617 <-> ENABLED <-> EXPLOIT-KIT iFramer injection - specific structure (exploit-kit.rules)
 * 1:26091 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit landing page (exploit-kit.rules)
 * 1:26229 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit MyApplet class retrieval (exploit-kit.rules)
 * 1:26056 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit Portable Executable download (exploit-kit.rules)
 * 1:26228 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit redirection page (exploit-kit.rules)
 * 1:26256 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit malicious jar download (exploit-kit.rules)
 * 1:25539 <-> ENABLED <-> EXPLOIT-KIT Red Dot java retrieval attempt (exploit-kit.rules)
 * 1:25510 <-> DISABLED <-> EXPLOIT-KIT Cool exploit kit java exploit retrieval (exploit-kit.rules)