Sourcefire VRT Rules Update

Date: 2011-08-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:19652 <-> ENABLED <-> BOTNET-CNC Teevsock C outbound connection (botnet-cnc.rules)
 * 1:19651 <-> ENABLED <-> WEB-ACTIVEX Cisco AnyConnect ActiveX function call access (web-activex.rules)
 * 1:19650 <-> ENABLED <-> WEB-ACTIVEX Cisco AnyConnect ActiveX clsid access (web-activex.rules)
 * 1:19649 <-> ENABLED <-> EXPLOIT HP Intelligent Management Center dbman buffer overflow attempt (exploit.rules)
 * 1:19648 <-> ENABLED <-> POLICY PDF with click-to-launch executable (policy.rules)
 * 1:19647 <-> ENABLED <-> POLICY PDF with click-to-launch executable (policy.rules)
 * 1:19646 <-> ENABLED <-> POLICY PDF with click-to-launch executable (policy.rules)
 * 1:19645 <-> ENABLED <-> EXPLOIT cross-site scripting attempt via form data attempt (exploit.rules)
 * 1:19644 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lysyfyj.com (blacklist.rules)
 * 1:19643 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.java119.com (blacklist.rules)
 * 1:19642 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.qqaz.info (blacklist.rules)
 * 1:19641 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.registry.cu.cc (blacklist.rules)
 * 1:19640 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mendi38.com (blacklist.rules)
 * 1:19639 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s0pp0rtdesk.com (blacklist.rules)
 * 1:19638 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /kx4.txt (blacklist.rules)
 * 1:19637 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /install.asp?mac= (blacklist.rules)
 * 1:19636 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /blog/images/3521.jpg?v (blacklist.rules)
 * 1:19635 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /app/?prj= (blacklist.rules)
 * 1:19634 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /a.gif?V= (blacklist.rules)
 * 1:19633 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /VertexNet/tasks.php?uid= (blacklist.rules)
 * 1:19632 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /VertexNet/adduser.php?uid= (blacklist.rules)
 * 1:19631 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - AnSSip= (blacklist.rules)
 * 1:19630 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /?epl= (blacklist.rules)
 * 1:19629 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - .ippi?g= (blacklist.rules)
 * 1:19628 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /1cup/script.php (blacklist.rules)
 * 1:19627 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /r_autoidcnt.asp?mer_seq= (blacklist.rules)
 * 1:19626 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /setup_b.asp?prj= (blacklist.rules)
 * 1:19625 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - .sys.php?getexe= (blacklist.rules)
 * 1:19624 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - GoogleListener.aspx (blacklist.rules)
 * 1:19623 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - vic.aspx?ver= (blacklist.rules)
 * 1:19622 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - pte.aspx?ver= (blacklist.rules)

Modified Rules:

 * 1:18649 <-> ENABLED <-> SCADA IGSS IGSSDataServer.exe file operation overflow attempt (scada.rules)