Sourcefire VRT Rules Update

Date: 2012-02-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:21424 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Ghodow.A connect to cnc attempt (botnet-cnc.rules)
 * 1:21427 <-> ENABLED <-> BOTNET-CNC W32.Trojan.Delf variant outbound connection (botnet-cnc.rules)
 * 1:21432 <-> DISABLED <-> FILE-IDENTIFY MPPL file attachment detected (file-identify.rules)
 * 1:21435 <-> ENABLED <-> BOTNET-CNC Win32.Trojan.Mentor inbound connection - post infection (botnet-cnc.rules)
 * 1:21428 <-> ENABLED <-> BOTNET-CNC W32.Trojan.Generic-24 outbound connection (botnet-cnc.rules)
 * 1:21430 <-> ENABLED <-> BOTNET-CNC Trojan.W32.BeeOne runtime traffic detected (botnet-cnc.rules)
 * 1:21437 <-> DISABLED <-> WEB-CLIENT WordPerfect WP3TablesGroup heap overflow attempt (web-client.rules)
 * 1:21436 <-> ENABLED <-> BOTNET-CNC TROJAN Win32.Startpage variant outbound connection (botnet-cnc.rules)
 * 1:21419 <-> DISABLED <-> WEB-CLIENT RealNetworks RealPlayer compressed skin overflow attempt (web-client.rules)
 * 1:21434 <-> ENABLED <-> BOTNET-CNC Win32.Trojan.Mentor outbound connection (botnet-cnc.rules)
 * 1:21433 <-> DISABLED <-> FILE-IDENTIFY MPPL file attachment detected (file-identify.rules)
 * 1:21426 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Scar variant outbound connection (botnet-cnc.rules)
 * 1:21421 <-> DISABLED <-> DOS ISC BIND DNSSEC authority response record overflow attempt (dos.rules)
 * 1:21425 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Ghodow.A exe file download attempt (botnet-cnc.rules)
 * 1:21418 <-> ENABLED <-> BOTNET-CNC Trojan.FareIt outbound connection (botnet-cnc.rules)
 * 1:21429 <-> ENABLED <-> SPECIFIC-THREATS Possible unknown malicious PDF (specific-threats.rules)
 * 1:21431 <-> ENABLED <-> SPECIFIC-THREATS Possible malicious pdf (new pdf exploit -- specific-threats.rules)
 * 1:21422 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Office Excel Lel record memory corruption attempt (specific-threats.rules)
 * 1:21420 <-> DISABLED <-> WEB-CLIENT RealNetworks RealPlayer compressed skin overflow attempt (web-client.rules)
 * 1:21423 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Publisher Opltc memory corruption attempt (specific-threats.rules)
 * 3:15912 <-> ENABLED <-> BAD-TRAFFIC TCP window closed before receiving data (bad-traffic.rules)

Modified Rules:

 * 1:21283 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules)
 * 1:21010 <-> DISABLED <-> FILE-IDENTIFY Microsoft Money file attachment detected (file-identify.rules)
 * 1:21014 <-> DISABLED <-> FILE-IDENTIFY Cytel Studio cy3 file attachment detected (file-identify.rules)
 * 1:21016 <-> DISABLED <-> FILE-IDENTIFY Cytel Studio cyb file attachment detected (file-identify.rules)
 * 1:21009 <-> DISABLED <-> FILE-IDENTIFY Microsoft Money file attachment detected (file-identify.rules)
 * 1:21013 <-> DISABLED <-> FILE-IDENTIFY Cytel Studio cy3 file attachment detected (file-identify.rules)
 * 1:20984 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word file attachment detected (file-identify.rules)
 * 1:20986 <-> DISABLED <-> FILE-IDENTIFY Microsoft Office Word docx file attachment detected (file-identify.rules)
 * 1:20987 <-> DISABLED <-> FILE-IDENTIFY Microsoft Office Word docx file attachment detected (file-identify.rules)
 * 1:20983 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint file attachment detected (file-identify.rules)
 * 1:20985 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word file attachment detected (file-identify.rules)
 * 1:20982 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint file attachment detected (file-identify.rules)
 * 1:20979 <-> ENABLED <-> FILE-IDENTIFY TTE file attachment detected (file-identify.rules)
 * 1:20980 <-> ENABLED <-> FILE-IDENTIFY OTF file attachment detected (file-identify.rules)
 * 1:20981 <-> ENABLED <-> FILE-IDENTIFY OTF file attachment detected (file-identify.rules)
 * 1:20945 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file attachment detected (file-identify.rules)
 * 1:20978 <-> ENABLED <-> FILE-IDENTIFY TTE file attachment detected (file-identify.rules)
 * 1:20947 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file attachment detected (file-identify.rules)
 * 1:20948 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file attachment detected (file-identify.rules)
 * 1:20944 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file attachment detected (file-identify.rules)
 * 1:20946 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file attachment detected (file-identify.rules)
 * 1:20943 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file attachment detected (file-identify.rules)
 * 1:20936 <-> ENABLED <-> FILE-IDENTIFY QCP file attachment detected (file-identify.rules)
 * 1:20941 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file attachment detected (file-identify.rules)
 * 1:20942 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file attachment detected (file-identify.rules)
 * 1:20931 <-> DISABLED <-> FILE-IDENTIFY MKS file attachment detected (file-identify.rules)
 * 1:20935 <-> ENABLED <-> FILE-IDENTIFY QCP file attachment detected (file-identify.rules)
 * 1:20933 <-> DISABLED <-> FILE-IDENTIFY MKA file attachment detected (file-identify.rules)
 * 1:20934 <-> DISABLED <-> FILE-IDENTIFY MKA file attachment detected (file-identify.rules)
 * 1:20932 <-> DISABLED <-> FILE-IDENTIFY MKS file attachment detected (file-identify.rules)
 * 1:20918 <-> DISABLED <-> FILE-IDENTIFY BAK file attachment detected (file-identify.rules)
 * 1:20930 <-> DISABLED <-> FILE-IDENTIFY MKV file attachment detected (file-identify.rules)
 * 1:20929 <-> DISABLED <-> FILE-IDENTIFY MKV file attachment detected (file-identify.rules)
 * 1:20925 <-> ENABLED <-> FILE-IDENTIFY Adobe Pagemaker file attachment detected (file-identify.rules)
 * 1:20926 <-> ENABLED <-> FILE-IDENTIFY Adobe Pagemaker file attachment detected (file-identify.rules)
 * 1:20913 <-> ENABLED <-> FILE-IDENTIFY XML Shareable Playlist Format file attachment detected (file-identify.rules)
 * 1:20917 <-> DISABLED <-> FILE-IDENTIFY BAK file attachment detected (file-identify.rules)
 * 1:20915 <-> ENABLED <-> FILE-IDENTIFY caff file attachment detected (file-identify.rules)
 * 1:20916 <-> ENABLED <-> FILE-IDENTIFY caff file attachment detected (file-identify.rules)
 * 1:20912 <-> ENABLED <-> FILE-IDENTIFY EPS file attachment detected (file-identify.rules)
 * 1:20914 <-> ENABLED <-> FILE-IDENTIFY XML Shareable Playlist Format file attachment detected (file-identify.rules)
 * 1:20911 <-> ENABLED <-> FILE-IDENTIFY EPS file attachment detected (file-identify.rules)
 * 1:20908 <-> ENABLED <-> FILE-IDENTIFY DXF file attachment detected (file-identify.rules)
 * 1:20909 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Media ASF file attachment detected (file-identify.rules)
 * 1:20910 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Media ASF file attachment detected (file-identify.rules)
 * 1:20907 <-> ENABLED <-> FILE-IDENTIFY DXF file attachment detected (file-identify.rules)
 * 1:20898 <-> DISABLED <-> FILE-IDENTIFY MIDI file attachment detected (file-identify.rules)
 * 1:20905 <-> ENABLED <-> FILE-IDENTIFY X PixMap file attachment detected (file-identify.rules)
 * 1:20906 <-> ENABLED <-> FILE-IDENTIFY X PixMap file attachment detected (file-identify.rules)
 * 1:20896 <-> DISABLED <-> FILE-IDENTIFY AutoDesk 3D Studio Maxscript file attachment detected (file-identify.rules)
 * 1:20899 <-> DISABLED <-> FILE-IDENTIFY MIDI file attachment detected (file-identify.rules)
 * 1:20895 <-> DISABLED <-> FILE-IDENTIFY AutoDesk 3D Studio Maxscript file attachment detected (file-identify.rules)
 * 1:20857 <-> DISABLED <-> FILE-IDENTIFY TwinVQ file attachment detected (file-identify.rules)
 * 1:20894 <-> ENABLED <-> FILE-IDENTIFY Video Spirit file attachment detected (file-identify.rules)
 * 1:20893 <-> ENABLED <-> FILE-IDENTIFY Video Spirit file attachment detected (file-identify.rules)
 * 1:20856 <-> DISABLED <-> FILE-IDENTIFY TwinVQ file attachment detected (file-identify.rules)
 * 1:20855 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Visio file attachment detected (file-identify.rules)
 * 1:20850 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
 * 1:20851 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
 * 1:20854 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Visio file attachment detected (file-identify.rules)
 * 1:20799 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file attachment detected (file-identify.rules)
 * 1:20849 <-> DISABLED <-> FILE-IDENTIFY MAKI file attachment detected (file-identify.rules)
 * 1:20801 <-> DISABLED <-> FILE-IDENTIFY MIME file type file attachment detected (file-identify.rules)
 * 1:20848 <-> DISABLED <-> FILE-IDENTIFY MAKI file attachment detected (file-identify.rules)
 * 1:20798 <-> ENABLED <-> FILE-IDENTIFY Adobe Shockwave Flash file attachment detected (file-identify.rules)
 * 1:20800 <-> DISABLED <-> FILE-IDENTIFY MIME file type file attachment detected (file-identify.rules)
 * 1:20796 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word file attachment detected (file-identify.rules)
 * 1:20792 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel file attachment detected (file-identify.rules)
 * 1:20793 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel file attachment detected (file-identify.rules)
 * 1:20795 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word file attachment detected (file-identify.rules)
 * 1:21036 <-> ENABLED <-> FILE-IDENTIFY PDF file attachment detected (file-identify.rules)
 * 1:542 <-> DISABLED <-> CHAT IRC nick change (chat.rules)
 * 1:2528 <-> DISABLED <-> SMTP PCT Client_Hello overflow attempt (smtp.rules)
 * 1:6182 <-> DISABLED <-> CHAT IRC channel notice (chat.rules)
 * 1:8426 <-> DISABLED <-> MISC SSLv3 openssl get shared ciphers overflow attempt (misc.rules)
 * 1:8427 <-> DISABLED <-> MISC SSLv2 openssl get shared ciphers overflow attempt (misc.rules)
 * 1:8428 <-> DISABLED <-> MISC SSLv2 openssl get shared ciphers overflow attempt (misc.rules)
 * 1:21053 <-> ENABLED <-> FILE-IDENTIFY UltraISO CUE file attachment detected (file-identify.rules)
 * 1:20090 <-> DISABLED <-> POLICY IRC DCC file transfer request on non-standard port (policy.rules)
 * 1:20000 <-> DISABLED <-> WEB-CLIENT Achievement Unlocked (Billion Dollar Company -- web-client.rules)
 * 1:19092 <-> DISABLED <-> SPECIFIC-THREATS OpenSSL ssl3_get_key_exchange use-after-free attempt (specific-threats.rules)
 * 1:19551 <-> DISABLED <-> POLICY self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (policy.rules)
 * 1:18714 <-> DISABLED <-> DOS OpenSSL TLS connection record handling denial of service attempt (dos.rules)
 * 1:18713 <-> DISABLED <-> DOS OpenSSL TLS connection record handling denial of service attempt (dos.rules)
 * 1:19091 <-> DISABLED <-> SPECIFIC-THREATS OpenSSL ssl3_get_key_exchange use-after-free attempt (specific-threats.rules)
 * 1:18701 <-> ENABLED <-> FILE-IDENTIFY Rich text file .rtf attachment (file-identify.rules)
 * 1:18553 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel .xlw attachment (file-identify.rules)
 * 1:18554 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint .ppt attachment (file-identify.rules)
 * 1:18552 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel .xls attachment (file-identify.rules)
 * 1:18551 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word .doc attachment (file-identify.rules)
 * 1:18525 <-> DISABLED <-> EXPLOIT Lotus Domino LDAP Heap Buffer Overflow Attempt (exploit.rules)
 * 1:17431 <-> ENABLED <-> EXPLOIT Microsoft Windows IIS SChannel improper certificate verification (exploit.rules)
 * 1:1789 <-> DISABLED <-> CHAT IRC dns request (chat.rules)
 * 1:1729 <-> DISABLED <-> CHAT IRC channel join (chat.rules)
 * 1:17252 <-> DISABLED <-> NETBIOS Microsoft Windows Print Spooler arbitrary file write attempt (netbios.rules)
 * 1:1640 <-> DISABLED <-> CHAT IRC DCC chat request (chat.rules)
 * 1:16823 <-> ENABLED <-> BOTNET-CNC Win32.Trojan.FlyStudio known command and control channel traffic (botnet-cnc.rules)
 * 1:16181 <-> ENABLED <-> WEB-CLIENT Microsoft Windows CryptoAPI ASN.1 integer overflow attempt (web-client.rules)
 * 1:16291 <-> DISABLED <-> WEB-CLIENT Mozilla Network Security Services regexp heap overflow attempt (web-client.rules)
 * 1:1639 <-> DISABLED <-> CHAT IRC DCC file transfer request (chat.rules)
 * 1:15475 <-> ENABLED <-> WEB-CLIENT Microsoft Windows ISA Server cross-site scripting attempt (web-client.rules)
 * 1:1463 <-> DISABLED <-> CHAT IRC message (chat.rules)
 * 1:15185 <-> DISABLED <-> POLICY Nintendo Wii SSL Server Hello (policy.rules)
 * 1:20089 <-> DISABLED <-> POLICY IRC nick change on non-standard port (policy.rules)
 * 1:20091 <-> DISABLED <-> POLICY IRC DCC chat request on non-standard port (policy.rules)
 * 1:20094 <-> DISABLED <-> POLICY IRC message on non-standard port (policy.rules)
 * 1:20092 <-> DISABLED <-> POLICY IRC channel join on non-standard port (policy.rules)
 * 1:20093 <-> DISABLED <-> POLICY IRC channel notice on non-standard port (policy.rules)
 * 1:20095 <-> DISABLED <-> POLICY IRC dns request on non-standard port (policy.rules)
 * 1:21417 <-> ENABLED <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit (specific-threats.rules)
 * 1:21412 <-> DISABLED <-> FILE-IDENTIFY paq8o file attachment detected (file-identify.rules)
 * 1:21110 <-> DISABLED <-> FILE-IDENTIFY MPEG video stream file attachment detected (file-identify.rules)
 * 1:21343 <-> ENABLED <-> SPECIFIC-THREATS Blackhole exploit kit pdf request (specific-threats.rules)
 * 1:21284 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules)
 * 1:21115 <-> DISABLED <-> FILE-IDENTIFY Cisco Webex Player file attachment detected (file-identify.rules)
 * 1:21387 <-> DISABLED <-> WEB-CLIENT Oracle Java runtime RMIConnectionImpl deserialization execution attempt (web-client.rules)
 * 1:21208 <-> ENABLED <-> BACKDOOR Win32.RShot.brw outbound connection (backdoor.rules)
 * 1:21296 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
 * 1:21017 <-> DISABLED <-> FILE-IDENTIFY cyb Cytel Studio file attachment detected (file-identify.rules)
 * 1:21286 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules)
 * 1:21153 <-> DISABLED <-> FILE-IDENTIFY S3M file attachment detected (file-identify.rules)
 * 1:21397 <-> DISABLED <-> SPECIFIC-THREATS MicroP mppl stack buffer overflow (specific-threats.rules)
 * 1:21035 <-> ENABLED <-> FILE-IDENTIFY PDF file attachment detected (file-identify.rules)
 * 1:21152 <-> DISABLED <-> FILE-IDENTIFY S3M file attachment detected (file-identify.rules)
 * 1:21287 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules)
 * 1:21054 <-> ENABLED <-> FILE-IDENTIFY UltraISO CUE file attachment detected (file-identify.rules)
 * 1:21295 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
 * 1:21061 <-> ENABLED <-> FILE-IDENTIFY AVI file attachment detected (file-identify.rules)
 * 1:21111 <-> DISABLED <-> FILE-IDENTIFY MPEG video stream file attachment detected (file-identify.rules)
 * 1:2527 <-> ENABLED <-> SMTP STARTTLS attempt (smtp.rules)
 * 1:21062 <-> ENABLED <-> FILE-IDENTIFY AVI file attachment detected (file-identify.rules)
 * 1:21398 <-> DISABLED <-> FILE-IDENTIFY MPPL file download request (file-identify.rules)
 * 1:21411 <-> DISABLED <-> FILE-IDENTIFY paq8o file attachment detected (file-identify.rules)
 * 1:21114 <-> DISABLED <-> FILE-IDENTIFY Cisco Webex Player file attachment detected (file-identify.rules)
 * 1:2515 <-> DISABLED <-> MISC PCT Client_Hello overflow attempt (misc.rules)