Sourcefire VRT Rules Update

Date: 2011-07-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.4.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:15480 <-> ENABLED <-> WEB-CLIENT Quicktime movie record invalid version number exploit attempt (web-client.rules)
 * 1:19476 <-> DISABLED <-> BACKDOOR Exploit.Win32.SqlShell.r runtime detection (backdoor.rules)
 * 1:19477 <-> DISABLED <-> SPYWARE-PUT Trojan.Win32.Krap.af contact to server attempt (spyware-put.rules)
 * 1:19478 <-> DISABLED <-> SPYWARE-PUT Worm.Win32.Taterf.B contact to server attempt (spyware-put.rules)
 * 1:19479 <-> DISABLED <-> SPYWARE-PUT Net-Worm.Win32.Piloyd.m contact to server attempt - request html (spyware-put.rules)
 * 1:19480 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string STORMDDOS - Backdoor.Win32.Inject.ctt (blacklist.rules)
 * 1:19481 <-> DISABLED <-> SPYWARE-PUT Email-Worm.Win32.Agent.bx contact to server attempt (spyware-put.rules)
 * 1:19482 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string ErrorFix (blacklist.rules)
 * 1:19483 <-> DISABLED <-> SPYWARE-PUT Backdoor.Win32.Reload.fy contact to server attempt (spyware-put.rules)
 * 1:19484 <-> DISABLED <-> SPYWARE-PUT Backdoor.Win32.Agent.alqt contact to server attempt (spyware-put.rules)
 * 1:19485 <-> DISABLED <-> SPYWARE-PUT Packed.Win32.Black.d contact to server attempt (spyware-put.rules)
 * 1:19486 <-> DISABLED <-> SPYWARE-PUT W32.Fiala.A contact to server attempt (spyware-put.rules)
 * 1:19487 <-> DISABLED <-> SPYWARE-PUT Trojan.Win32.Agent.kih contact to server attempt (spyware-put.rules)
 * 1:19488 <-> DISABLED <-> SPYWARE-PUT Worm.Win32.Failnum.A contact to server attempt (spyware-put.rules)
 * 1:19489 <-> DISABLED <-> SPYWARE-PUT Backdoor.Win32.DeAlfa.fa contact to server attempt (spyware-put.rules)
 * 1:19490 <-> DISABLED <-> SPYWARE-PUT Backdoor.Win32.Koceg.B contact to server attempt (spyware-put.rules)
 * 1:19491 <-> DISABLED <-> BACKDOOR Trojan Downloader Win32.Genome.vau outbound connection (backdoor.rules)
 * 1:19492 <-> DISABLED <-> BACKDOOR Windows System Defender outbound connection (backdoor.rules)
 * 1:19493 <-> ENABLED <-> BLACKLIST URI request for known malicious uri config.ini on 3322.org domain (blacklist.rules)
 * 1:19494 <-> DISABLED <-> BACKDOOR W32.Licum outbound connection (backdoor.rules)
 * 1:19495 <-> DISABLED <-> BACKDOOR Worm Win32.Pilleuz outbound connection (backdoor.rules)
 * 1:19496 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 01n02n4cx00.cc - TDL4 (blacklist.rules)
 * 1:19497 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 01n02n4cx00.com - TDL4 (blacklist.rules)
 * 1:19498 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 01n20n4cx00.com - TDL4 (blacklist.rules)
 * 1:19499 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 0imh17agcla.com - TDL4 (blacklist.rules)
 * 1:19500 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 10n02n4cx00.com - TDL4 (blacklist.rules)
 * 1:19501 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 1il1il1il.com - TDL4 (blacklist.rules)
 * 1:19502 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 1l1i16b0.com - TDL4 (blacklist.rules)
 * 1:19503 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 34jh7alm94.asia - TDL4 (blacklist.rules)
 * 1:19504 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 4gat16ag100.com - TDL4 (blacklist.rules)
 * 1:19505 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 4tag16ag100.com - TDL4 (blacklist.rules)
 * 1:19506 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 68b6b6b6.com - TDL4 (blacklist.rules)
 * 1:19507 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 69b69b6b96b.com - TDL4 (blacklist.rules)
 * 1:19508 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 7gaur15eb71.com - TDL4 (blacklist.rules)
 * 1:19509 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 7uagr15eb71.com - TDL4 (blacklist.rules)
 * 1:19510 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 86b6b6b6.com - TDL4 (blacklist.rules)
 * 1:19511 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 86b6b96b.com - TDL4 (blacklist.rules)
 * 1:19512 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 9669b6b96b.com - TDL4 (blacklist.rules)
 * 1:19513 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cap01tchaa.com - TDL4 (blacklist.rules)
 * 1:19514 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cap0itchaa.com - TDL4 (blacklist.rules)
 * 1:19515 <-> ENABLED <-> BLACKLIST DNS request for known malware domain countri1l.com - TDL4 (blacklist.rules)
 * 1:19516 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dg6a51ja813.com - TDL4 (blacklist.rules)
 * 1:19517 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gd6a15ja813.com - TDL4 (blacklist.rules)
 * 1:19518 <-> ENABLED <-> BLACKLIST DNS request for known malware domain i0m71gmak01.com - TDL4 (blacklist.rules)
 * 1:19519 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ikaturi11.com - TDL4 (blacklist.rules)
 * 1:19520 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jna0-0akq8x.com - TDL4 (blacklist.rules)
 * 1:19521 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ka18i7gah10.com - TDL4 (blacklist.rules)
 * 1:19522 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kai817hag10.com - TDL4 (blacklist.rules)
 * 1:19523 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kangojim1.com - TDL4 (blacklist.rules)
 * 1:19524 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kangojjm1.com - TDL4 (blacklist.rules)
 * 1:19525 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kur1k0nona.com - TDL4 (blacklist.rules)
 * 1:19526 <-> ENABLED <-> BLACKLIST DNS request for known malware domain l04undreyk.com - TDL4 (blacklist.rules)
 * 1:19527 <-> ENABLED <-> BLACKLIST DNS request for known malware domain li1i16b0.com - TDL4 (blacklist.rules)
 * 1:19528 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lj1i16b0.com - TDL4 (blacklist.rules)
 * 1:19529 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lkaturi71.com - TDL4 (blacklist.rules)
 * 1:19530 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lkaturl11.com - TDL4 (blacklist.rules)
 * 1:19531 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lkaturl71.com - TDL4 (blacklist.rules)
 * 1:19532 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lo4undreyk.com - TDL4 (blacklist.rules)
 * 1:19533 <-> ENABLED <-> BLACKLIST DNS request for known malware domain n16fa53.com - TDL4 (blacklist.rules)
 * 1:19534 <-> ENABLED <-> BLACKLIST DNS request for known malware domain neywrika.in - TDL4 (blacklist.rules)
 * 1:19535 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nichtadden.in - TDL4 (blacklist.rules)
 * 1:19536 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nl6fa53.com - TDL4 (blacklist.rules)
 * 1:19537 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nyewrika.in - TDL4 (blacklist.rules)
 * 1:19538 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rukkeianno.com - TDL4 (blacklist.rules)
 * 1:19539 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rukkeianno.in - TDL4 (blacklist.rules)
 * 1:19540 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rukkieanno.in - TDL4 (blacklist.rules)
 * 1:19541 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sh01cilewk.com - TDL4 (blacklist.rules)
 * 1:19542 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sho1cilewk.com - TDL4 (blacklist.rules)
 * 1:19543 <-> ENABLED <-> BLACKLIST DNS request for known malware domain u101mnay2k.com - TDL4 (blacklist.rules)
 * 1:19544 <-> ENABLED <-> BLACKLIST DNS request for known malware domain u101mnuy2k.com - TDL4 (blacklist.rules)
 * 1:19545 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xx87lhfda88.com - TDL4 (blacklist.rules)
 * 1:19546 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zna61udha01.com - TDL4 (blacklist.rules)
 * 1:19547 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zna81udha01.com - TDL4 (blacklist.rules)
 * 1:19548 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zz87ihfda88.com - TDL4 (blacklist.rules)
 * 1:19549 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zz87jhfda88.com - TDL4 (blacklist.rules)
 * 1:19550 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zz87lhfda88.com - TDL4 (blacklist.rules)
 * 1:19551 <-> ENABLED <-> POLICY self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (policy.rules)
 * 1:19552 <-> ENABLED <-> WEB-CLIENT Microsoft Excel format record code execution attempt (web-client.rules)
 * 1:19553 <-> ENABLED <-> WEB-PHP phpMyAdmin session_to_unset session variable injection attempt (web-php.rules)
 * 1:19554 <-> DISABLED <-> SPYWARE-PUT Trojan Fakeav Antivirus Xp Pro outbound connection (spyware-put.rules)
 * 1:19555 <-> DISABLED <-> BACKDOOR Trojan Downloader Win32.Small.akow outbound connection (backdoor.rules)
 * 1:19556 <-> DISABLED <-> BACKDOOR Trojan Downloader Win32.Homa.dk outbound connection (backdoor.rules)
 * 1:19557 <-> DISABLED <-> BACKDOOR Win32.Shark.ag outbound connection (backdoor.rules)
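As an added example (not part of the VRT changelog and not Sourcefire tooling), the following Python parses entries in the "gid:sid <-> Default rule state <-> Message (rule group)" format described above and pulls out what a deployer usually needs first from a pack like this one: which new rules ship DISABLED and so do nothing until explicitly enabled (most of the BACKDOOR and SPYWARE-PUT entries here), a per-category enabled/disabled tally, and the domains named by the BLACKLIST DNS rules (the TDL4 list) rewritten as Response Policy Zone records so the same indicators can be sinkholed at the resolver rather than only alerted on by the IDS. The sample lines are copied from the list above; the gid:sid output format for re-enabling rules and the RPZ "CNAME ." NXDOMAIN action are assumptions about downstream consumers, not anything this changelog specifies.

```python
"""Parse a VRT rule-pack changelog ("gid:sid <-> STATE <-> message (group.rules)")."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the New Rules list above, plus one
# non-rule line to show that the parser ignores anything else.
SAMPLE = """\
 * 1:15480 <-> ENABLED <-> WEB-CLIENT Quicktime movie record invalid version number exploit attempt (web-client.rules)
 * 1:19476 <-> DISABLED <-> BACKDOOR Exploit.Win32.SqlShell.r runtime detection (backdoor.rules)
 * 1:19480 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string STORMDDOS - Backdoor.Win32.Inject.ctt (blacklist.rules)
 * 1:19496 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 01n02n4cx00.cc - TDL4 (blacklist.rules)
 * 1:19534 <-> ENABLED <-> BLACKLIST DNS request for known malware domain neywrika.in - TDL4 (blacklist.rules)
 * 1:19554 <-> DISABLED <-> SPYWARE-PUT Trojan Fakeav Antivirus Xp Pro outbound connection (spyware-put.rules)
Modified Rules:
"""

# One changelog entry: " * gid:sid <-> ENABLED|DISABLED <-> message (file.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[\w.-]+\.rules)\)\s*$"
)
# The DNS blacklist messages all carry the domain right after this fixed phrase.
DNS_DOMAIN_RE = re.compile(r"DNS request for known malware domain (?P<domain>[\w.-]+)")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    msg: str
    group: str

    @property
    def category(self) -> str:
        # Leading token of the message is the rule category (WEB-CLIENT, BLACKLIST, ...).
        return self.msg.split(" ", 1)[0]

    @property
    def malware_domain(self) -> Optional[str]:
        m = DNS_DOMAIN_RE.search(self.msg)
        return m.group("domain") if m else None


def parse_changelog(text: str) -> List[RuleEntry]:
    """Return the rule entries found in the text; lines that are not entries are skipped."""
    entries: List[RuleEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(RuleEntry(int(m["gid"]), int(m["sid"]),
                                     m["state"] == "ENABLED", m["msg"], m["group"]))
    return entries


def state_summary(entries: List[RuleEntry]) -> Dict[str, Dict[str, int]]:
    """Per-category count of rules shipped enabled vs. disabled by default."""
    summary: Dict[str, Dict[str, int]] = {}
    for e in entries:
        bucket = summary.setdefault(e.category, {"enabled": 0, "disabled": 0})
        bucket["enabled" if e.enabled else "disabled"] += 1
    return summary


def disabled_sids(entries: List[RuleEntry]) -> List[str]:
    """gid:sid strings, in ascending order, for rules that ship DISABLED.
    This is the form rule-management tools (e.g. PulledPork's enablesid.conf)
    are assumed to accept; the changelog itself does not specify one."""
    ordered = sorted(entries, key=lambda e: (e.gid, e.sid))
    return [f"{e.gid}:{e.sid}" for e in ordered if not e.enabled]


def blacklisted_domains(entries: List[RuleEntry]) -> List[str]:
    """Distinct domains named by the BLACKLIST DNS rules, sorted."""
    domains = set()
    for e in entries:
        d = e.malware_domain
        if d:
            domains.add(d)
    return sorted(domains)


def rpz_records(domains: List[str]) -> List[str]:
    """RPZ records for each domain and its subdomains using the NXDOMAIN
    action ("CNAME ."), so the resolver blocks what the IDS only alerts on."""
    records: List[str] = []
    for d in domains:
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    return records


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print(state_summary(parsed))
    print("\n".join(disabled_sids(parsed)))
    print("\n".join(rpz_records(blacklisted_domains(parsed))))
```

Run against the full New Rules list rather than the embedded sample, the disabled-SID output is the list to review before assuming the pack covers the BACKDOOR and SPYWARE-PUT families it names, and the RPZ output should be loaded only after checking the TDL4 domains against your own resolver logs, since a blocking policy at the resolver is harder to notice than an IDS alert.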

Modified Rules: