Sourcefire VRT Rules Update

Date: 2012-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:21541 <-> DISABLED <-> BOTNET-CNC Trojan.Buzus connect to server attempt (botnet-cnc.rules)
 * 1:21540 <-> DISABLED <-> BOTNET-CNC Trojan.Buzus application download attempt (botnet-cnc.rules)
 * 1:21542 <-> DISABLED <-> BOTNET-CNC Trojan.Buzus firefox extension download attempt (botnet-cnc.rules)
 * 1:21539 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page with specific header (specific-threats.rules)
 * 1:21538 <-> ENABLED <-> BOTNET-CNC W32.Dofoil variant outbound payload request (botnet-cnc.rules)
 * 1:21537 <-> ENABLED <-> SPECIFIC-THREATS Possible malicious pdf cve-2010-0188 string (specific-threats.rules)
 * 1:21543 <-> DISABLED <-> BOTNET-CNC Trojan.Buzus html page download attempt (botnet-cnc.rules)
 * 1:21545 <-> DISABLED <-> BOTNET-CNC Possible host infection - excessive DNS queries for .ru (botnet-cnc.rules)
 * 1:21544 <-> DISABLED <-> BOTNET-CNC Possible host infection - excessive DNS queries for .eu (botnet-cnc.rules)
 * 1:21546 <-> DISABLED <-> BOTNET-CNC Possible host infection - excessive DNS queries for .cn (botnet-cnc.rules)
 * 1:21547 <-> ENABLED <-> BOTNET-CNC Win32.Trojan.Kazy variant outbound connection attempt (botnet-cnc.rules)
 * 1:21548 <-> ENABLED <-> BOTNET-CNC Cutwail landing page connection attempt (botnet-cnc.rules)
 * 1:21550 <-> ENABLED <-> BACKDOOR ToolsPack PHP Backdoor access (backdoor.rules)
 * 1:21549 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page with specific header (specific-threats.rules)

Modified Rules:

 * 1:17276 <-> DISABLED <-> WEB-MISC Multiple vendor Antivirus magic byte detection evasion attempt (web-misc.rules)
 * 1:20669 <-> DISABLED <-> BLACKLIST URI request for known malicious URI - w.php?f= (blacklist.rules)
 * 1:21195 <-> DISABLED <-> BACKDOOR Win32.Protux.B outbound connection (backdoor.rules)
 * 1:21492 <-> DISABLED <-> SPECIFIC-THREATS Blackhole landing page with specific structure - catch (specific-threats.rules)