Sourcefire VRT Rules Update

Date: 2012-05-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.1.2.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:22064 <-> DISABLED <-> WEB-PHP PHP-CGI command injection attempt (web-php.rules)
 * 1:22045 <-> ENABLED <-> FILE-IDENTIFY XM file attachment detected (file-identify.rules)
 * 1:22059 <-> ENABLED <-> BOTNET-CNC Trojan.Downloader variant outbound connection (botnet-cnc.rules)
 * 1:22049 <-> DISABLED <-> WEB-ACTIVEX Symantec Norton Internet Security ActiveX clsid access (web-activex.rules)
 * 1:22048 <-> ENABLED <-> BOTNET-CNC Trojan.Zeus P2P outbound communication attempt (botnet-cnc.rules)
 * 1:22047 <-> ENABLED <-> BOTNET-CNC Trojan.Jokbot variant outbound connection attempt (botnet-cnc.rules)
 * 1:22050 <-> DISABLED <-> WEB-ACTIVEX Symantec Norton Internet Security ActiveX function call (web-activex.rules)
 * 1:22051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mysundayparty.com - OSX.Maljava (blacklist.rules)
 * 1:22065 <-> DISABLED <-> BOTNET-CNC Trojan.Zeprox variant outbound connection (botnet-cnc.rules)
 * 1:22052 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel style record overflow attempt (file-office.rules)
 * 1:22054 <-> ENABLED <-> BOTNET-CNC Trojan.Prorat variant outbound connection attempt (botnet-cnc.rules)
 * 1:22043 <-> ENABLED <-> FILE-IDENTIFY XM file download request (file-identify.rules)
 * 1:22042 <-> DISABLED <-> FILE-OTHER Microsoft Windows .NET invalid parsing of graphics data attempt (file-other.rules)
 * 1:22053 <-> DISABLED <-> BOTNET-CNC Trojan.Insomnia variant inbound connection - post infection (botnet-cnc.rules)
 * 1:22055 <-> ENABLED <-> SPECIFIC-THREATS Blackhole Older jar file download (specific-threats.rules)
 * 1:22041 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing redirection page (specific-threats.rules)
 * 1:22056 <-> DISABLED <-> BOTNET-CNC Trojan.Kazy variant outbound connection (botnet-cnc.rules)
 * 1:22046 <-> ENABLED <-> FILE-IDENTIFY XM file magic detected (file-identify.rules)
 * 1:22044 <-> ENABLED <-> FILE-IDENTIFY XM file attachment detected (file-identify.rules)
 * 1:22057 <-> DISABLED <-> BOTNET-CNC Trojan.Kbot variant outbound connection (botnet-cnc.rules)
 * 1:22058 <-> ENABLED <-> BOTNET-CNC Trojan.Kbot variant outbound connection (specific-threats.rules)
 * 1:22060 <-> ENABLED <-> BOTNET-CNC Trojan.Fepgul outbound connection (botnet-cnc.rules)
 * 1:22061 <-> DISABLED <-> SPECIFIC-THREATS Alureon - Malicious IFRAME load attempt (specific-threats.rules)
 * 1:22062 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Winpawr variant outbound connection (botnet-cnc.rules)
 * 1:22063 <-> ENABLED <-> WEB-PHP PHP-CGI remote file include attempt (web-php.rules)

Modified Rules:
 * 1:19954 <-> DISABLED <-> BACKDOOR Hack Style RAT outbound connection (backdoor.rules)
 * 1:20139 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document summary information string overflow attempt (file-office.rules)
 * 1:21345 <-> DISABLED <-> SPECIFIC-THREATS possible Blackhole exploit kit malicious jar request (specific-threats.rules)
 * 1:21346 <-> DISABLED <-> SPECIFIC-THREATS possible Blackhole exploit kit malicious jar download (specific-threats.rules)
 * 1:21792 <-> DISABLED <-> FILE-OTHER Microsoft Windows .NET invalid parsing of graphics data attempt (file-other.rules)
 * 1:21959 <-> DISABLED <-> BOTNET-CNC UPDATE communication protocol connection to server attempt (botnet-cnc.rules)
 * 1:21961 <-> DISABLED <-> BOTNET-CNC IP2B communication protocol connection to server attempt (botnet-cnc.rules)
 * 1:2550 <-> DISABLED <-> EXPLOIT Nullsoft Winamp XM file buffer overflow attempt (exploit.rules)