Sourcefire VRT Rules Update

Date: 2012-02-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:21445 <-> DISABLED <-> DOS vsFTPd denial of service attempt (dos.rules)
 * 1:21438 <-> ENABLED <-> SPECIFIC-THREATS Blackhole Exploit Kit JavaScript carat string splitting with hostile applet (specific-threats.rules)
 * 1:21439 <-> DISABLED <-> SPECIFIC-THREATS Microsoft Windows GDI+ arbitrary code execution attempt (specific-threats.rules)
 * 1:21441 <-> ENABLED <-> BOTNET-CNC Win32.Delf variant outbound connection (botnet-cnc.rules)
 * 1:21444 <-> ENABLED <-> BOTNET-CNC TDSS outbound connection (botnet-cnc.rules)
 * 1:21446 <-> DISABLED <-> POLICY ActiveX FileSystemObject clsid access (policy.rules)
 * 1:21447 <-> ENABLED <-> POLICY ActiveX FileSystemObject function call (policy.rules)
 * 1:21448 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Webmoner.zu connect to server attempt (botnet-cnc.rules)
 * 1:21450 <-> DISABLED <-> BOTNET-CNC Trojan-Downloader.Win32.Obitel connect to cnc server attempt (botnet-cnc.rules)
 * 1:21449 <-> DISABLED <-> BOTNET-CNC Trojan-Downloader.Win32.Obitel install attempt (botnet-cnc.rules)
 * 1:21443 <-> ENABLED <-> BOTNET-CNC TDSS outbound connection (botnet-cnc.rules)
 * 1:21440 <-> DISABLED <-> BOTNET-CNC Win32.Trojan.Murofet variant outbound connection (botnet-cnc.rules)
 * 1:21452 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Agent.djvk connect to server attempt (botnet-cnc.rules)
 * 1:21442 <-> DISABLED <-> BLACKLIST URI request for known malicious URI - base64 encoded (blacklist.rules)
 * 1:21451 <-> DISABLED <-> BOTNET-CNC Trojan.Win32.Agent.djvk malicious hosts file download attempt (botnet-cnc.rules)

Modified Rules:
 * 1:15477 <-> DISABLED <-> EXPLOIT Oracle BEA WebLogic overlong JESSIONID buffer overflow attempt (exploit.rules)
 * 1:11185 <-> DISABLED <-> DOS CA eTrust key handling dos via username attempt (dos.rules)
 * 1:20237 <-> DISABLED <-> WEB-CLIENT MultiMedia Jukebox playlist file handling heap overflow attempt (web-client.rules)
 * 1:16739 <-> DISABLED <-> WEB-CLIENT MultiMedia Jukebox playlist file handling heap overflow attempt (web-client.rules)
 * 1:21327 <-> ENABLED <-> BLACKLIST USER-AGENT ASafaWeb Scan (blacklist.rules)
 * 3:16329 <-> ENABLED <-> EXPLOIT Microsoft Internet Authentication Service EAP-MSCHAPv2 authentication bypass attempt (exploit.rules)
 * 3:16180 <-> ENABLED <-> WEB-CLIENT Windows CryptoAPI common name spoofing attempt (web-client.rules)