Sourcefire VRT Rules Update

Date: 2011-05-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.4.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
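To make review of an update like this one repeatable, here is a small parser for the line format above (an added example, not Sourcefire's tooling). It assumes the `gid:sid <-> STATE <-> message (group.rules)` layout shown on this page, and the summary it produces highlights rules that ship DISABLED, which do not alert until a local policy enables them; the sample entries are copied from this update's own lists.

```python
import re
from collections import Counter

# Constructed sample: three entries copied from this update's "New Rules"
# and "Modified Rules" sections, in the stated file format.
SAMPLE = """\
 * 1:18978 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Pasta.aoq runtime detection (botnet-cnc.rules)
 * 1:18973 <-> DISABLED <-> WEB-CLIENT Apple Safari Webkit button first-letter style rendering code execution attempt (web-client.rules)
 * 3:18637 <-> ENABLED <-> EXPLOIT Powerpoint ExObjRefAtom within an OfficeArtClientData container exploit attempt (exploit.rules)
"""

# One entry: "gid:sid <-> STATE <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_rule_lines(text):
    """Parse update lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["gid"] = int(entry["gid"])  # gid 1 = text rules, gid 3 = shared-object rules
        entry["sid"] = int(entry["sid"])
        entries.append(entry)
    return entries


def disabled_by_group(entries):
    """Count rules shipped DISABLED per rule file. These need an explicit
    enable in the local policy before they generate any alerts."""
    return Counter(e["group"] for e in entries if e["state"] == "DISABLED")


if __name__ == "__main__":
    rules = parse_rule_lines(SAMPLE)
    for group, n in sorted(disabled_by_group(rules).items()):
        print(f"{group}: {n} rule(s) disabled by default")
```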

New Rules:
 * 1:18982 <-> DISABLED <-> BOTNET-CNC WinSpywareProtect outbound connection (botnet-cnc.rules)
 * 1:18981 <-> DISABLED <-> BOTNET-CNC WinSpywareProtect outbound connection (botnet-cnc.rules)
 * 1:18978 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Pasta.aoq runtime detection (botnet-cnc.rules)
 * 1:18979 <-> ENABLED <-> BOTNET-CNC Worm.Win32.AutoRun.fmo outbound connection (botnet-cnc.rules)
 * 1:18976 <-> DISABLED <-> BOTNET-CNC Rogue-Software.AVCare outbound connection (botnet-cnc.rules)
 * 1:18974 <-> ENABLED <-> WEB-ACTIVEX SAP Crystal Reports PrintControl.dll ActiveX clsid access (web-activex.rules)
 * 1:18972 <-> ENABLED <-> ORACLE Oracle Secure Backup Administration selector variable command injection attempt (oracle.rules)
 * 1:18973 <-> DISABLED <-> WEB-CLIENT Apple Safari Webkit button first-letter style rendering code execution attempt (web-client.rules)
 * 1:18975 <-> ENABLED <-> WEB-ACTIVEX SAP Crystal Reports PrintControl.dll ActiveX function call access (web-activex.rules)
 * 1:18977 <-> DISABLED <-> BOTNET-CNC Trojan-Proxy.Win32.Agent.boe outbound connection (botnet-cnc.rules)
 * 1:18980 <-> DISABLED <-> BOTNET-CNC WinSpywareProtect outbound connection (botnet-cnc.rules)
 * 1:18985 <-> ENABLED <-> WEB-MISC CA ARCserve Axis2 default credential login attempt (web-misc.rules)
 * 1:18984 <-> DISABLED <-> BLACKLIST URI request for known malicious URI - Win32/Trojanclicker (blacklist.rules)
 * 1:18983 <-> ENABLED <-> POLICY Apple Mach-O executable download attempt (policy.rules)

Modified Rules:
 * 1:16144 <-> ENABLED <-> BOTNET-CNC Bredolab bot contact to C&C server attempt (botnet-cnc.rules)
 * 1:16140 <-> ENABLED <-> BACKDOOR torpig-mebroot command and control checkin (backdoor.rules)
 * 3:18637 <-> ENABLED <-> EXPLOIT Powerpoint ExObjRefAtom within an OfficeArtClientData container exploit attempt (exploit.rules)
 * 3:18635 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Powerpoint malformed record call to freed object attempt (specific-threats.rules)
 * 3:15499 <-> ENABLED <-> WEB-CLIENT PowerPoint 95 converter CString in ExEmbed container buffer overflow attempt (web-client.rules)