Sourcefire VRT Rules Update

Date: 2011-09-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.1.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:20040 <-> DISABLED <-> BOTNET-CNC Trojan Win32.KSpyPro.A outbound connection (botnet-cnc.rules)
 * 1:20039 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string Hardcore Software (blacklist.rules)
 * 1:20038 <-> DISABLED <-> BACKDOOR Trojan Agent.cve runtime traffic detected (backdoor.rules)
 * 1:20037 <-> DISABLED <-> BACKDOOR Trojan Agent.cve runtime traffic detected (backdoor.rules)
 * 1:20036 <-> DISABLED <-> BACKDOOR Trojan Win32 Agent.ndau runtime traffic detected (backdoor.rules)
 * 1:20035 <-> DISABLED <-> BACKDOOR Trojan Win32 Coinbit.A runtime traffic detected (backdoor.rules)
 * 1:20034 <-> ENABLED <-> EXPLOIT ESTsoft ALZip MIM File Buffer Overflow Attempt (exploit.rules)
 * 1:20033 <-> ENABLED <-> WEB-CLIENT MIME file type download attempt (web-client.rules)
 * 1:20032 <-> ENABLED <-> WEB-CLIENT MIME file type download attempt (web-client.rules)
 * 1:20031 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash ActionScript float index array memory corruption (specific-threats.rules)
 * 1:20030 <-> ENABLED <-> SCADA IGSS IGSSDataServer.exe file operation upload attempt (scada.rules)
 * 1:20029 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Office Excel FNGROUPNAME Record Memory Corruption (specific-threats.rules)
 * 1:20028 <-> DISABLED <-> BACKDOOR Windows Antivirus Pro outbound connection (backdoor.rules)
 * 1:20027 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sb.degreesbuy.com (blacklist.rules)
 * 1:20026 <-> DISABLED <-> BACKDOOR Trojan Downloader.Win32.Banker.abg.b outbound connection (backdoor.rules)
 * 1:20025 <-> DISABLED <-> SPYWARE-PUT VirusBye outbound connection (spyware-put.rules)
 * 1:20024 <-> DISABLED <-> BACKDOOR Win32.Dreamy.bc outbound connection (backdoor.rules)
 * 1:20023 <-> DISABLED <-> BACKDOOR Advanced Virus Remover outbound connection (backdoor.rules)
 * 1:20022 <-> DISABLED <-> BACKDOOR Worm Win32.Padobot.z outbound connection (backdoor.rules)
 * 1:20021 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string Brontok (blacklist.rules)
 * 1:20020 <-> DISABLED <-> BACKDOOR Malware Doctor outbound connection (backdoor.rules)
 * 1:20019 <-> DISABLED <-> BACKDOOR W32.Autorun.worm.dq outbound connection (backdoor.rules)
 * 1:20018 <-> DISABLED <-> BACKDOOR W32.Autorun.worm.dq outbound connection (backdoor.rules)
 * 1:20017 <-> DISABLED <-> BACKDOOR Worm Win32.Koobface.dq outbound connection (backdoor.rules)
 * 1:20016 <-> DISABLED <-> BOTNET-CNC Trojan Zeus outbound connection (botnet-cnc.rules)
 * 1:20015 <-> DISABLED <-> BOTNET-CNC Trojan Zeus outbound connection (botnet-cnc.rules)
 * 1:20014 <-> DISABLED <-> BACKDOOR Kaju outbound connection - confirmation (backdoor.rules)
 * 1:20013 <-> DISABLED <-> WEB-MISC HP OpenView Network Node Manager webappmon.exe host header buffer overflow attempt (web-misc.rules)
 * 1:20012 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string feranet/0.4 - Win32/Ferabsa.A (blacklist.rules)
 * 1:20011 <-> ENABLED <-> BOTNET-CNC Briewots.A runtime traffic detected (botnet-cnc.rules)
 * 1:20010 <-> DISABLED <-> BOTNET-CNC Win32/Babmote.A runtime TCP traffic detected (botnet-cnc.rules)
 * 1:20009 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious User-Agent string Baby Remote - Win32/Babmote.A (blacklist.rules)
 * 1:20008 <-> DISABLED <-> BOTNET-CNC PDFMarca.A runtime traffic detected (botnet-cnc.rules)
 * 1:20007 <-> DISABLED <-> SPYWARE-PUT Cinmus.asaq runtime traffic detected (spyware-put.rules)
 * 1:20006 <-> DISABLED <-> BACKDOOR Worm Plurp.A runtime traffic detected (backdoor.rules)
 * 1:20005 <-> DISABLED <-> BACKDOOR Win32 Lecna.cr runtime traffic detected (backdoor.rules)
 * 1:20004 <-> DISABLED <-> BACKDOOR Trojan Spy Pilonoc install-time traffic detected (backdoor.rules)
 * 1:20003 <-> DISABLED <-> BACKDOOR Trojan Spy Pilonoc runtime traffic detected (backdoor.rules)
 * 1:20002 <-> DISABLED <-> BACKDOOR Allaple.e outbound connection (backdoor.rules)
 * 1:20001 <-> DISABLED <-> BACKDOOR Allaple.e outbound connection (backdoor.rules)
 * 1:20000 <-> ENABLED <-> WEB-CLIENT Hello from the VRT (web-client.rules)
 * 1:19999 <-> DISABLED <-> SPYWARE-PUT ThreatNuker outbound connection (spyware-put.rules)
 * 1:19998 <-> DISABLED <-> BOTNET-CNC Trojan.Downloader.Win32.Agent.dyfn outbound connection (botnet-cnc.rules)
 * 1:19997 <-> DISABLED <-> BACKDOOR Trojan PSW.Win32.QQPass.gam outbound connection (backdoor.rules)
 * 1:19996 <-> DISABLED <-> BACKDOOR Worm Brontok.C outbound connection (backdoor.rules)
 * 1:19995 <-> DISABLED <-> BOTNET-CNC Waledac outbound connection (botnet-cnc.rules)
 * 1:19994 <-> DISABLED <-> SPYWARE-PUT Antivirus 360 outbound connection (spyware-put.rules)
 * 1:19993 <-> DISABLED <-> BACKDOOR Win32 Poebot runtime traffic detected (backdoor.rules)

Modified Rules:
 * 1:10123 <-> DISABLED <-> SPECIFIC-THREATS PA168 chipset based IP phone default password attempt (specific-threats.rules)
 * 1:10124 <-> DISABLED <-> SPECIFIC-THREATS PA168 chipset based IP phone authentication bypass (specific-threats.rules)
 * 1:16093 <-> DISABLED <-> BACKDOOR bugsprey runtime detection - initial connection (backdoor.rules)
 * 1:16310 <-> ENABLED <-> WEB-CLIENT IE 6/7 outerHTML invalid reference arbitrary code execution attempt (web-client.rules)
 * 1:16311 <-> ENABLED <-> WEB-CLIENT IE 6/7 single line outerHTML invalid reference arbitrary code execution attempt (web-client.rules)
 * 1:16358 <-> DISABLED <-> BACKDOOR bugsprey runtime detection - initial connection (backdoor.rules)
 * 1:16579 <-> ENABLED <-> CHAT mIRC IRC URL buffer overflow attempt (chat.rules)
 * 1:16588 <-> ENABLED <-> SPECIFIC-THREATS iseemedia LPViewer ActiveX exploit attempt (specific-threats.rules)
 * 1:16732 <-> ENABLED <-> WEB-CLIENT SafeNet SoftRemote multiple policy file local overflow attempt (web-client.rules)
 * 1:16735 <-> ENABLED <-> SPECIFIC-THREATS URSoft W32Dasm Import/Export function buffer overflow attempt (specific-threats.rules)
 * 1:16798 <-> DISABLED <-> SPECIFIC-THREATS Orbit Downloader long URL buffer overflow attempt (specific-threats.rules)
 * 1:17571 <-> ENABLED <-> WEB-ACTIVEX obfuscated instantiation of ActiveX object - likely malicious (web-activex.rules)
 * 1:18244 <-> ENABLED <-> WEB-CLIENT Sun Java browser plugin docbase overflow attempt (web-client.rules)
 * 1:18649 <-> ENABLED <-> SCADA IGSS IGSSDataServer.exe file operation overflow attempt (scada.rules)
 * 1:19262 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash ActionScript float index array memory corruption (specific-threats.rules)
 * 1:19263 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash ActionScript float index array memory corruption (specific-threats.rules)
 * 1:19264 <-> ENABLED <-> SPECIFIC-THREATS Adobe Flash ActionScript float index array memory corruption (specific-threats.rules)
 * 1:3085 <-> DISABLED <-> EXPLOIT AIM goaway message buffer overflow attempt (exploit.rules)
 * 1:3471 <-> DISABLED <-> WEB-CLIENT iTunes playlist URL overflow attempt (web-client.rules)
 * 1:7020 <-> DISABLED <-> WEB-CLIENT isComponentInstalled function buffer overflow (web-client.rules)