Sourcefire VRT Rules Update

Date: 2011-07-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.4.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:19614 <-> DISABLED <-> BACKDOOR Win32.IRCBot.kkr outbound connection (backdoor.rules)
 * 1:19613 <-> DISABLED <-> BACKDOOR Rogue Software Registry Cleaner Pro outbound connection (backdoor.rules)
 * 1:19615 <-> DISABLED <-> BACKDOOR Win32.IRCBot.kkr outbound connection (backdoor.rules)
 * 1:19618 <-> ENABLED <-> NETBIOS Adobe Captivate dwmapi.dll dll-load exploit attempt (netbios.rules)
 * 1:19611 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious User-Agent string INet - Win32.Virus.Jusabli.A (blacklist.rules)
 * 1:19612 <-> DISABLED <-> BACKDOOR Trojan Downloader.Win32.Banload.bvk outbound connection (backdoor.rules)
 * 1:19617 <-> ENABLED <-> NETBIOS Adobe Audition assist.dll dll-load exploit attempt (netbios.rules)
 * 1:19619 <-> ENABLED <-> WEB-CLIENT Adobe Audition assist.dll dll-load exploit attempt (web-client.rules)
 * 1:19620 <-> ENABLED <-> WEB-CLIENT Adobe Captivate dwmapi.dll dll-load exploit attempt (web-client.rules)
 * 1:19616 <-> DISABLED <-> BACKDOOR Trojan Banker.Win32.Banbra.mcq outbound connection (backdoor.rules)
 * 1:19621 <-> ENABLED <-> WEB-CLIENT MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt (web-client.rules)

Modified Rules:

 * 1:19148 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player SWF file MP4 data parsing memory corruption attempt (web-client.rules)
 * 1:19604 <-> ENABLED <-> WEB-CLIENT Oracle Java Runtime Environment .hotspot_compiler file load exploit attempt (web-client.rules)
 * 1:19602 <-> ENABLED <-> NETBIOS Oracle Java Runtime Environment .hotspot_compiler file load exploit attempt (netbios.rules)
 * 1:19603 <-> ENABLED <-> WEB-CLIENT Oracle Java Runtime Environment .hotspotrc file load exploit attempt (web-client.rules)
 * 1:19601 <-> ENABLED <-> NETBIOS Oracle Java Runtime Environment .hotspotrc file load exploit attempt (netbios.rules)