Sourcefire VRT Rules Update

Date: 2012-05-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:23032 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nvidiasoft.info - Flame (blacklist.rules)
 * 1:23033 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nvidiastream.info - Flame (blacklist.rules)
 * 1:23031 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nvidiadrivers.info - Flame (blacklist.rules)
 * 1:23030 <-> ENABLED <-> BLACKLIST DNS request for known malware domain localgateway.info - Flame (blacklist.rules)
 * 1:23029 <-> ENABLED <-> BLACKLIST DNS request for known malware domain flashupdates.info - Flame (blacklist.rules)
 * 1:23027 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dnsportal.info - Flame (blacklist.rules)
 * 1:23028 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dnsupdate.info - Flame (blacklist.rules)
 * 1:23025 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dnslocation.info - Flame (blacklist.rules)
 * 1:23026 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dnsmask.info - Flame (blacklist.rules)
 * 1:23024 <-> ENABLED <-> BLACKLIST DNS request for known malware domain autosync.info - Flame (blacklist.rules)
 * 1:23019 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user agent - Flame malware (blacklist.rules)
 * 1:23021 <-> ENABLED <-> BLACKLIST DNS request for known malware domain traffic-spot.biz - Flame (blacklist.rules)
 * 1:23023 <-> ENABLED <-> BLACKLIST DNS request for known malware domain quick-net.info - Flame (blacklist.rules)
 * 1:23043 <-> ENABLED <-> FILE-PDF Unknown malicious PDF - CreationDate (file-pdf.rules)
 * 1:23020 <-> ENABLED <-> BLACKLIST DNS request for known malware domain traffic-spot.com - Flame (blacklist.rules)
 * 1:23045 <-> ENABLED <-> FILE-PDF Unknown malicious PDF - Title (file-pdf.rules)
 * 1:23022 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smart-access.net - Flame (blacklist.rules)
 * 1:23037 <-> ENABLED <-> BLACKLIST DNS request for known malware domain syncstream.info - Flame (blacklist.rules)
 * 1:23034 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pingserver.info - Flame (blacklist.rules)
 * 1:23035 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rendercodec.info - Flame (blacklist.rules)
 * 1:23036 <-> ENABLED <-> BLACKLIST DNS request for known malware domain syncdomain.info - Flame (blacklist.rules)
 * 1:23041 <-> ENABLED <-> FILE-PDF EmbeddedFile contained within a PDF (file-pdf.rules)
 * 1:23044 <-> ENABLED <-> FILE-PDF Unknown malicious PDF - CreationDate (file-pdf.rules)
 * 1:23042 <-> ENABLED <-> FILE-PDF Unknown malicious PDF - CreationDate (file-pdf.rules)
 * 1:23038 <-> ENABLED <-> BLACKLIST DNS request for known malware domain videosync.info - Flame (blacklist.rules)
 * 3:23040 <-> ENABLED <-> DNS Multiple vendor DNS message decompression denial of service attempt (dos.rules)
 * 3:23039 <-> ENABLED <-> DNS Multiple vendor DNS message decompression denial of service attempt (dos.rules)

Modified Rules:
 * 1:17059 <-> DISABLED <-> FTP Vermillion 1.31 vftpd port command memory corruption (ftp.rules)
 * 1:22097 <-> DISABLED <-> WEB-PHP PHP-CGI command injection attempt (web-php.rules)