Sourcefire VRT Rules Update

Date: 2012-03-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:21576 <-> DISABLED <-> POLICY Microsoft Visual Studio .addin file access (policy.rules)
 * 1:21575 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio addin file attachment detected (file-identify.rules)
 * 1:21574 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio addin file attachment detected (file-identify.rules)
 * 1:21573 <-> ENABLED <-> FILE-IDENTIFY Microsoft Visual Studio addin file download request (file-identify.rules)
 * 1:21572 <-> DISABLED <-> EXPLOIT Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (exploit.rules)
 * 1:21571 <-> DISABLED <-> EXPLOIT Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (exploit.rules)
 * 1:21570 <-> DISABLED <-> MISC Microsoft Windows RemoteDesktop new session flood attempt (misc.rules)
 * 1:21569 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer toStaticHTML XSS attempt (web-client.rules)
 * 1:21568 <-> DISABLED <-> DOS RDP RST denial of service attempt (dos.rules)
 * 1:21567 <-> DISABLED <-> WEB-CLIENT Microsoft Expression Design wintab32.dll dll-load exploit attempt (web-client.rules)
 * 1:21566 <-> DISABLED <-> NETBIOS Microsoft Expression Design wintab32.dll dll-load exploit attempt (netbios.rules)
 * 1:21565 <-> ENABLED <-> BOTNET-CNC Trojan.Kelihos variant outbound connection (botnet-cnc.rules)
 * 1:21564 <-> ENABLED <-> BOTNET-CNC Trojan.Kelihos variant outbound connection (botnet-cnc.rules)
 * 1:21563 <-> ENABLED <-> BOTNET-CNC Trojan.Kelihos variant outbound connection (botnet-cnc.rules)
 * 1:21562 <-> DISABLED <-> BOTNET-CNC Trojan.Bredolab variant outbound connection (botnet-cnc.rules)
 * 1:21561 <-> DISABLED <-> WEB-ACTIVEX Symantec Norton Antivirus ActiveX function call access (web-activex.rules)
 * 1:21560 <-> DISABLED <-> WEB-ACTIVEX Symantec Norton Antivirus ActiveX clsid access (web-activex.rules)
 * 1:21559 <-> DISABLED <-> WEB-ACTIVEX Symantec Norton Antivirus ActiveX clsid access (web-activex.rules)
 * 1:21558 <-> DISABLED <-> WEB-ACTIVEX Symantec Norton Antivirus ActiveX clsid access (web-activex.rules)
 * 1:21557 <-> DISABLED <-> WEB-CLIENT Apple OSX ZIP archive shell script execution attempt (web-client.rules)
 * 1:21556 <-> DISABLED <-> POLICY Windows 98 User-Agent string (policy.rules)
 * 1:21555 <-> ENABLED <-> BACKDOOR Horde javascript.php href backdoor (backdoor.rules)
 * 1:21554 <-> DISABLED <-> BOTNET-CNC Trojan.Waledac.exe download attempt (botnet-cnc.rules)
 * 1:21553 <-> DISABLED <-> BOTNET-CNC Trojan.Agent.cpze connect to server attempt (botnet-cnc.rules)
 * 1:21552 <-> ENABLED <-> BOTNET-CNC Trojan.Kahn variant outbound connection (botnet-cnc.rules)
 * 1:21551 <-> ENABLED <-> BOTNET-CNC Trojan.Kahn outbound connection (botnet-cnc.rules)

Modified Rules:

 * 1:9843 <-> DISABLED <-> WEB-CLIENT Adobe Acrobat Plugin JavaScript parameter double free attempt (web-client.rules)
 * 1:21440 <-> ENABLED <-> BOTNET-CNC Win32.Trojan.Murofet variant outbound connection (botnet-cnc.rules)
 * 1:9842 <-> DISABLED <-> WEB-CLIENT Adobe Acrobat Plugin Universal cross-site scripting attempt (web-client.rules)
 * 1:20558 <-> ENABLED <-> BLACKLIST URI request for known malicious URI /stat2.php (blacklist.rules)
 * 1:20814 <-> DISABLED <-> WEB-CLIENT Mozilla favicon href javascript execution attempt (web-client.rules)
 * 1:18467 <-> DISABLED <-> WEB-MISC raSMP User-Agent XSS injection attempt (web-misc.rules)
 * 1:19954 <-> DISABLED <-> BACKDOOR Hack Style RAT outbound connection (backdoor.rules)
 * 1:17764 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Excel PtgName invalid index exploit attempt (specific-threats.rules)
 * 1:18466 <-> DISABLED <-> WEB-MISC raSMP User-Agent XSS injection attempt (web-misc.rules)
 * 1:15719 <-> DISABLED <-> SCADA DNP3 link service not supported (scada.rules)
 * 1:16642 <-> DISABLED <-> POLICY file URI scheme attempt (policy.rules)
 * 1:12221 <-> DISABLED <-> WEB-PHP file upload GLOBAL variable overwrite attempt (web-php.rules)
 * 1:13949 <-> DISABLED <-> DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers (dns.rules)
 * 1:10387 <-> DISABLED <-> WEB-ACTIVEX McAfee Site Manager ActiveX clsid access (web-activex.rules)
 * 1:10389 <-> DISABLED <-> WEB-ACTIVEX McAfee Site Manager ActiveX function call access (web-activex.rules)