Sourcefire VRT Rules Update

Date: 2012-02-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:21259 <-> ENABLED <-> SPECIFIC-THREATS Blackhole exploit kit response (specific-threats.rules)
 * 1:21258 <-> DISABLED <-> SHELLCODE Feng-Shui heap grooming using Oleaut32 (shellcode.rules)
 * 1:21257 <-> DISABLED <-> BLACKLIST URI - known scanner tool muieblackcat (blacklist.rules)
 * 1:21256 <-> ENABLED <-> BLACKLIST known malicious FTP quit banner - Goodbye happy r00ting (blacklist.rules)
 * 1:21255 <-> ENABLED <-> BLACKLIST known malicious FTP login banner - 0wns j0 (blacklist.rules)
 * 1:21254 <-> ENABLED <-> WEB-CLIENT Foxit Reader createDataObject file write attempt (web-client.rules)
 * 1:21253 <-> DISABLED <-> SPECIFIC-THREATS Adobe Reader malformed shading modifier heap corruption attempt (specific-threats.rules)
 * 1:21252 <-> DISABLED <-> BACKDOOR Trojan.Win32.Sirefef.P runtime detection (backdoor.rules)
 * 1:21251 <-> DISABLED <-> BACKDOOR Trojan.Win32.Sirefef.P runtime detection (backdoor.rules)
 * 1:21250 <-> DISABLED <-> BACKDOOR Win32.VBasddsa.A runtime traffic detected (backdoor.rules)
 * 1:21235 <-> ENABLED <-> WEB-MISC LOCK Webdav Stack Buffer Overflow attempt (web-misc.rules)
 * 1:21234 <-> ENABLED <-> WEB-MISC MKCOL Webdav Stack Buffer Overflow attempt (web-misc.rules)
 * 1:21233 <-> DISABLED <-> WEB-MISC Symantec Antivirus admin scan interface negative Content-Length attempt (web-misc.rules)
 * 1:21236 <-> ENABLED <-> WEB-MISC UNLOCK Webdav Stack Buffer Overflow attempt (web-misc.rules)
 * 1:21237 <-> ENABLED <-> WEB-MISC PROPFIND Webdav Stack Buffer Overflow attempt (web-misc.rules)
 * 1:21238 <-> ENABLED <-> WEB-MISC PROPPATCH Webdav Stack Buffer Overflow attempt (web-misc.rules)
 * 1:21239 <-> ENABLED <-> BOTNET-CNC W32.Kazy variant outbound connection (botnet-cnc.rules)
 * 1:21240 <-> ENABLED <-> BOTNET-CNC MsUpdater Trojan outbound connection (botnet-cnc.rules)
 * 1:21241 <-> ENABLED <-> BOTNET-CNC MsUpdater Trojan initial outbound connection (botnet-cnc.rules)
 * 1:21242 <-> ENABLED <-> BOTNET-CNC MsUpdater Trojan outbound connection (botnet-cnc.rules)
 * 1:21243 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Publisher 2003 EscherStm memory corruption attempt (specific-threats.rules)
 * 1:21244 <-> ENABLED <-> FILE-IDENTIFY New Executable binary file magic detection (file-identify.rules)
 * 1:21245 <-> DISABLED <-> BLACKLIST DNS query to DNSChanger malware IP address (blacklist.rules)
 * 1:21246 <-> DISABLED <-> BLACKLIST USER-AGENT known malicious user-agent string DataCha0s (blacklist.rules)
 * 1:21247 <-> DISABLED <-> WEB-CLIENT IBM Lotusnotes s_viewname buffer overflow attempt (web-client.rules)
 * 1:21248 <-> DISABLED <-> WEB-CLIENT IBM Domino HTTP redirect host buffer overflow attempt (web-client.rules)
 * 1:21249 <-> DISABLED <-> BACKDOOR Win32.VBasddsa.A runtime traffic detected (backdoor.rules)
 * 1:21190 <-> DISABLED <-> POLICY Mozilla Multiple Products MozOrientation loading attempt (policy.rules)
 * 1:21191 <-> DISABLED <-> NETBIOS Mozilla Multiple Products MozOrientation loading attempt (netbios.rules)
 * 1:21192 <-> DISABLED <-> BOTNET-CNC Trojan Win32.Syswrt.dvd outbound connection (botnet-cnc.rules)
 * 1:21193 <-> DISABLED <-> BACKDOOR Win32.Dalbot.A outbound connection (backdoor.rules)
 * 1:21194 <-> DISABLED <-> BOTNET-CNC Trojan Win32.Wealwedst.A outbound connection (botnet-cnc.rules)
 * 1:21195 <-> DISABLED <-> BACKDOOR Win32.Protux.B outbound connection (backdoor.rules)
 * 1:21196 <-> DISABLED <-> BACKDOOR Win32.Caphaw.A outbound connection (backdoor.rules)
 * 1:21197 <-> DISABLED <-> BACKDOOR Win32.Caphaw.A outbound connection (backdoor.rules)
 * 1:21198 <-> DISABLED <-> BACKDOOR Win32.Qinubot.A outbound connection (backdoor.rules)
 * 1:21199 <-> DISABLED <-> BACKDOOR Win32.Qinubot.A outbound connection (backdoor.rules)
 * 1:21200 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Yakes.cmu outbound connection (botnet-cnc.rules)
 * 1:21201 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Yakes.cmu outbound connection (botnet-cnc.rules)
 * 1:21202 <-> DISABLED <-> BOTNET-CNC Trojan Win32.Scapzilla.A outbound connection (botnet-cnc.rules)
 * 1:21203 <-> DISABLED <-> BOTNET-CNC Virus Win32.Induc.B outbound connection (botnet-cnc.rules)
 * 1:21204 <-> DISABLED <-> BOTNET-CNC Virus Win32.Induc.B outbound connection (botnet-cnc.rules)
 * 1:21205 <-> DISABLED <-> BOTNET-CNC Virus Win32.Induc.B outbound connection (botnet-cnc.rules)
 * 1:21206 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string Aldi Bot (blacklist.rules)
 * 1:21207 <-> DISABLED <-> BACKDOOR Win32.Dekara.A outbound connection (backdoor.rules)
 * 1:21208 <-> DISABLED <-> BACKDOOR Win32.RShot.brw outbound connection (backdoor.rules)
 * 1:21209 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Enviserv.A outbound connection (botnet-cnc.rules)
 * 1:21210 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Rallovs.A outbound connection (botnet-cnc.rules)
 * 1:21211 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Banker.slrj outbound connection (botnet-cnc.rules)
 * 1:21212 <-> DISABLED <-> BACKDOOR Win32.Hupigon.nkor outbound connection (backdoor.rules)
 * 1:21213 <-> DISABLED <-> BOTNET-CNC Worm.Win32.Cridex.B outbound connection (botnet-cnc.rules)
 * 1:21214 <-> DISABLED <-> WEB-MISC Apache server mod_proxy reverse proxy bypass attempt (web-misc.rules)
 * 1:21215 <-> DISABLED <-> BOTNET-CNC Trojan Win32.Banker.Am outbound connection (botnet-cnc.rules)
 * 1:21216 <-> DISABLED <-> BOTNET-CNC Trojan Win32.Banker.Am outbound connection (botnet-cnc.rules)
 * 1:21217 <-> DISABLED <-> BOTNET-CNC Trojan Win32.Banker.Am outbound connection (botnet-cnc.rules)
 * 1:21218 <-> DISABLED <-> BOTNET-CNC Trojan Win32.Sodager.C outbound connection (botnet-cnc.rules)
 * 1:21219 <-> DISABLED <-> BACKDOOR Win32.Sysckbc outbound connection (backdoor.rules)
 * 1:21220 <-> DISABLED <-> BACKDOOR Win32.Susnatache.A inbound connection (backdoor.rules)
 * 1:21221 <-> DISABLED <-> BACKDOOR Win32.Susnatache.A outbound connection (backdoor.rules)
 * 1:21222 <-> DISABLED <-> BOTNET-CNC Win32.Kcahneila.A outbound connection (botnet-cnc.rules)
 * 1:21223 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Gyplit.A outbound connection (botnet-cnc.rules)
 * 1:21224 <-> DISABLED <-> BOTNET-CNC Trojan.MacOS.DevilRobber.A outbound connection (botnet-cnc.rules)
 * 1:21225 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string Flag (blacklist.rules)
 * 1:21226 <-> DISABLED <-> BOTNET-CNC Win32.Louisdreyfu.A outbound connection (botnet-cnc.rules)
 * 1:21227 <-> DISABLED <-> BOTNET-CNC Trojan-Downloader.Win32.Bulknet.A outbound connection (botnet-cnc.rules)
 * 1:21228 <-> DISABLED <-> BOTNET-CNC Win32.Cerberat.A outbound connection (botnet-cnc.rules)
 * 1:21229 <-> DISABLED <-> BOTNET-CNC Win32.Synljdos.A outbound connection (botnet-cnc.rules)
 * 1:21230 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Betad.A outbound connection (botnet-cnc.rules)
 * 1:21231 <-> DISABLED <-> BOTNET-CNC Win32.Bedobot.B outbound connection (botnet-cnc.rules)
 * 1:21232 <-> DISABLED <-> MISC Remote Desktop Protocol brute force attempt (misc.rules)

Modified Rules:

 * 1:4986 <-> DISABLED <-> WEB-MISC Twiki view rev command injection attempt (web-misc.rules)
 * 1:5715 <-> DISABLED <-> WEB-MISC Apache malformed ipv6 uri overflow attempt (web-misc.rules)
 * 1:11259 <-> DISABLED <-> WEB-ACTIVEX BarcodeWiz ActiveX clsid access (web-activex.rules)
 * 1:11261 <-> DISABLED <-> WEB-ACTIVEX BarcodeWiz ActiveX function call access (web-activex.rules)
 * 1:11834 <-> ENABLED <-> WEB-MISC Microsoft Internet Explorer navcancl.htm url spoofing attempt (web-misc.rules)
 * 1:12058 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt (specific-threats.rules)
 * 1:15938 <-> ENABLED <-> BOTNET-CNC SubSeven client connection to server (botnet-cnc.rules)
 * 1:15995 <-> ENABLED <-> EXPLOIT Microsoft Windows DirectX malformed avi file mjpeg compression arbitrary code execution attempt (exploit.rules)
 * 1:16194 <-> ENABLED <-> WEB-MISC Novell eDirectory HTTP request content-length heap buffer overflow attempt (web-misc.rules)
 * 1:16195 <-> ENABLED <-> WEB-MISC Novell eDirectory HTTP request content-length heap buffer overflow attempt (web-misc.rules)
 * 1:16495 <-> DISABLED <-> BOTNET-CNC Rustock botnet contact to C&C server attempt (botnet-cnc.rules)
 * 1:17496 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office PowerPoint malformed NamedShows record code execution attempt (specific-threats.rules)
 * 1:17497 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office PowerPoint malformed NamedShows record code execution attempt (specific-threats.rules)
 * 1:18514 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt (specific-threats.rules)
 * 1:18515 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Visio VSD file icon memory corruption (specific-threats.rules)
 * 1:18719 <-> DISABLED <-> BOTNET-CNC Win32.IRCBot.CBY contact to server attempt (botnet-cnc.rules)
 * 1:18946 <-> DISABLED <-> BOTNET-CNC Win32.IRCBot.FC runtime detection (botnet-cnc.rules)
 * 1:18947 <-> DISABLED <-> BOTNET-CNC Win32.IRCBot.FC runtime detection (botnet-cnc.rules)
 * 1:19029 <-> DISABLED <-> BOTNET-CNC Win32.PcClient.AI outbound connection (botnet-cnc.rules)
 * 1:19034 <-> DISABLED <-> BOTNET-CNC Win32.Kbot.qd outbound connection (botnet-cnc.rules)
 * 1:19362 <-> ENABLED <-> BOTNET-CNC Win32.Dorkbot.B outbound conection (botnet-cnc.rules)
 * 1:19363 <-> ENABLED <-> BOTNET-CNC Win32.Dorkbot.B outbound connection (botnet-cnc.rules)
 * 1:19366 <-> ENABLED <-> BOTNET-CNC Win32.HXWAN.A outbound connection (botnet-cnc.rules)
 * 1:1941 <-> ENABLED <-> TFTP GET filename overflow attempt (tftp.rules)
 * 1:19608 <-> ENABLED <-> BOTNET-CNC Win32.Wisscmd.A outbound connection (botnet-cnc.rules)
 * 1:19701 <-> DISABLED <-> BOTNET-CNC Win32.Hassar.A outbound connection (botnet-cnc.rules)
 * 1:19873 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer CSS style memory corruption attempt (web-client.rules)
 * 1:19955 <-> DISABLED <-> BACKDOOR PaiN RAT 0.1 outbound connection (backdoor.rules)
 * 1:20008 <-> DISABLED <-> BOTNET-CNC Malware PDFMarca.A runtime traffic detected (botnet-cnc.rules)
 * 1:20280 <-> ENABLED <-> BOTNET-CNC Win32.Kazy variant outbound connection (botnet-cnc.rules)
 * 1:20281 <-> ENABLED <-> BOTNET-CNC Win32.Kazy variant outbound connection (botnet-cnc.rules)
 * 1:20528 <-> DISABLED <-> WEB-MISC Apache mod_proxy reverse proxy information disclosure (web-misc.rules)
 * 1:20529 <-> ENABLED <-> EXPLOIT Oracle Java trusted method chaining attempt (exploit.rules)
 * 1:20560 <-> ENABLED <-> EXPLOIT Adobe Flash Player salign null javascript access attempt (exploit.rules)
 * 1:20595 <-> ENABLED <-> BOTNET-CNC Win32.Ixeshe.F backdoor access attempt (botnet-cnc.rules)
 * 1:20605 <-> ENABLED <-> BOTNET-CNC Win32.R2d2.A contact to cnc server attempt (botnet-cnc.rules)
 * 1:20606 <-> ENABLED <-> BOTNET-CNC Win32.Domsingx.A contact to C&C server attempt (botnet-cnc.rules)
 * 1:20676 <-> ENABLED <-> BOTNET-CNC Win32.EggDrop.acn connect to cnc-server attempt (botnet-cnc.rules)
 * 1:20677 <-> ENABLED <-> BOTNET-CNC Win32.EggDrop.acn connect to cnc-server attempt (botnet-cnc.rules)
 * 1:20679 <-> ENABLED <-> BOTNET-CNC Win32.Syrutrk connect to cnc-server attempt (botnet-cnc.rules)
 * 1:20685 <-> ENABLED <-> BOTNET-CNC Win32.Heloag.A connect to cnc-server attempt (botnet-cnc.rules)
 * 1:20686 <-> ENABLED <-> BOTNET-CNC Win32.Virut.BM connect to client attempt (botnet-cnc.rules)
 * 1:20694 <-> ENABLED <-> BOTNET-CNC Win32.SSonce.A backdoor access attempt (botnet-cnc.rules)
 * 1:20699 <-> ENABLED <-> EXPLOIT Microsoft Internet Explorer XSRF timing attack against XSS filter (exploit.rules)
 * 1:20720 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Publisher 2003 EscherStm memory corruption attempt (specific-threats.rules)
 * 1:20722 <-> ENABLED <-> WEB-CLIENT Microsoft Office PowerPoint invalid OfficeArtBlipDIB record exploit attempt (web-client.rules)
 * 1:20762 <-> ENABLED <-> BOTNET-CNC MacOS.Flashback.A outbound connection (botnet-cnc.rules)
 * 1:20853 <-> DISABLED <-> EXPLOIT DAZ Studio dangerous scripting method attempt (exploit.rules)
 * 1:20870 <-> DISABLED <-> EXPLOIT Autodesk 3D Studio Maxscript dangerous scripting method attempt (exploit.rules)
 * 1:20889 <-> ENABLED <-> EXPLOIT Video Spirit visprj buffer overflow (exploit.rules)
 * 1:20988 <-> DISABLED <-> BLACKLIST USER-AGENT known malicious user-agent string ZmEu - vulnerability scanner (blacklist.rules)
 * 1:21041 <-> ENABLED <-> BLACKLIST URI possible Blackhole URL - main.php?page= (blacklist.rules)
 * 1:21163 <-> DISABLED <-> WEB-CLIENT Microsoft Office Outlook VEVENT overflow attempt (web-client.rules)
 * 1:21177 <-> DISABLED <-> BACKDOOR Win32.Ganipin.A inbound connection (backdoor.rules)
 * 1:2337 <-> DISABLED <-> TFTP PUT filename overflow attempt (tftp.rules)
 * 1:8478 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Publisher file magic detection (file-identify.rules)
 * 1:4985 <-> DISABLED <-> WEB-MISC Twiki rdiff rev command injection attempt (web-misc.rules)
 * 1:4681 <-> DISABLED <-> WEB-MISC Symantec Antivirus admin scan interface negative Content-Length attempt (web-misc.rules)
 * 1:3130 <-> DISABLED <-> EXPLOIT Microsoft MSN Messenger png overflow (exploit.rules)
 * 1:4987 <-> DISABLED <-> WEB-MISC Twiki viewfile rev command injection attempt (web-misc.rules)