Sourcefire VRT Rules Update

Date: 2011-07-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.4.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:19581 <-> DISABLED <-> BACKDOOR Trojan Downloader.Win32.Apher.gpd outbound connection (backdoor.rules)
 * 1:19583 <-> DISABLED <-> BACKDOOR Trojan Win32.Bumat.rts outbound connection (backdoor.rules)
 * 1:19584 <-> DISABLED <-> BACKDOOR Worm Win32.Dref.C outbound connection (backdoor.rules)
 * 1:19585 <-> DISABLED <-> BACKDOOR Worm Win32.Dref.C outbound connection - notification (backdoor.rules)
 * 1:19586 <-> DISABLED <-> BACKDOOR Trojan Clicker Win32.Agent.dlg outbound connection (backdoor.rules)
 * 1:19587 <-> DISABLED <-> BACKDOOR Win32.Sereki.B outbound connection (backdoor.rules)
 * 1:19588 <-> DISABLED <-> BACKDOOR Win32.Sereki.B successful connection (backdoor.rules)
 * 1:19589 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious User-Agent string MacProtector (blacklist.rules)
 * 1:19590 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Savnut.B outbound connection (botnet-cnc.rules)
 * 1:19591 <-> DISABLED <-> BOTNET-CNC Trojan Win32.Powp.pyv outbound connection (botnet-cnc.rules)
 * 1:19592 <-> DISABLED <-> SPYWARE-PUT Trickler Trojan-Downloader.Win32.Agent.bjkd Runtime Detection (spyware-put.rules)
 * 1:19593 <-> DISABLED <-> BACKDOOR Worm Trojan.Win32.Agent.btxm runtime detection - IRC (backdoor.rules)
 * 1:19594 <-> DISABLED <-> SPYWARE-PUT Win32.Fruspam runtime detection (spyware-put.rules)
 * 1:19595 <-> ENABLED <-> BLACKLIST EMAIL known malicious email string - You have received a Hallmark E-Card! (blacklist.rules)
 * 1:19596 <-> DISABLED <-> BACKDOOR Poison Ivy runtime detection (backdoor.rules)
 * 1:19597 <-> DISABLED <-> BACKDOOR Trojan.Win32.Agent.cws runtime detection (backdoor.rules)
 * 1:19598 <-> DISABLED <-> SPYWARE-PUT Infostealer.Gampass runtime detection (spyware-put.rules)
 * 1:19599 <-> ENABLED <-> ORACLE Warehouse builder WE_OLAP_AW_REMOVE_SOLVE_ID SQL Injection attempt (oracle.rules)
 * 1:19600 <-> ENABLED <-> ORACLE Warehouse builder WE_OLAP_AW_SET_SOLVE_ID SQL Injection attempt (oracle.rules)
 * 1:19601 <-> ENABLED <-> NETBIOS Oracle Java Runtime Environment .hotspotrc file load exploit attempt (netbios.rules)
 * 1:19602 <-> ENABLED <-> NETBIOS Oracle Java Runtime Environment .hotspot_compiler file load exploit attempt (netbios.rules)
 * 1:19580 <-> DISABLED <-> BACKDOOR Worm Win32.Basun.wsc inbound connection (backdoor.rules)
 * 1:19610 <-> ENABLED <-> WEB-ACTIVEX ShockwaveFlash.ShockwaveFlash ActiveX function call access (web-activex.rules)
 * 1:19609 <-> ENABLED <-> EXPLOIT Novell ZENworks Handheld Management upload directory traversal attempt (exploit.rules)
 * 1:19582 <-> DISABLED <-> BACKDOOR Trojan Downloader.Win32.Apher.gpd outbound connection (backdoor.rules)
 * 1:19608 <-> ENABLED <-> BOTNET-CNC Backdoor Win32.Wisscmd.A outbound connection (botnet-cnc.rules)
 * 1:19605 <-> ENABLED <-> ORACLE Glass Fish Server malformed username cross site scripting attempt (oracle.rules)
 * 1:19607 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Word STSH record parsing memory corruption (specific-threats.rules)
 * 1:19606 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Word STSH record parsing memory corruption (specific-threats.rules)
 * 1:19604 <-> ENABLED <-> WEB-CLIENT Oracle Java Runtime Environment .hotspot_compiler file load exploit attempt (web-client.rules)
 * 1:19603 <-> ENABLED <-> WEB-CLIENT Oracle Java Runtime Environment .hotspotrc file load exploit attempt (web-client.rules)

Modified Rules:

 * 1:17401 <-> ENABLED <-> SPECIFIC-THREATS Internet Explorer nested tag memory corruption attempt - unescaped (specific-threats.rules)
 * 1:17400 <-> ENABLED <-> WEB-CLIENT rename of JavaScript unescape function - likely malware obfuscation (web-client.rules)
 * 1:19051 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Murofet.A outbound connection (botnet-cnc.rules)
 * 1:19465 <-> ENABLED <-> NETBIOS Visio mfc71 dll-load exploit attempt (netbios.rules)
 * 1:19466 <-> ENABLED <-> WEB-CLIENT Visio mfc71 dll-load exploit attempt (web-client.rules)