Sourcefire VRT Rules Update

Date: 2012-07-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
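Lines in this format are easy to process mechanically, which matters because rules listed as DISABLED are not loaded until a site enables them. The block below is an added example, not part of the VRT update or of Sourcefire's tooling: it parses entries in the format above (with or without the " * " bullet the list uses), counts the rules that ship DISABLED by their classification token, and emits gid:sid lines for a sid-management tool. The sample input is a handful of entries copied from this update; the helper names are the example's own.

```python
"""Parse a Sourcefire VRT rule-update changelog into structured records.

Added example, not part of the VRT update itself. It assumes only the
line format the update states ("gid:sid <-> Default rule state <->
Message (rule group)"), with or without the " * " bullet prefix the
published list uses. The sample input below is copied from this update.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Matches one changelog entry. The rule group is the trailing
# parenthesised "(foo.rules)" token; everything before it is the message.
_ENTRY_RE = re.compile(
    r"^\s*(?:\*\s*)?(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()\s]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    message: str
    group: str

    @property
    def category(self) -> str:
        # Snort messages start with an upper-case classification token
        # such as BOTNET-CNC or FILE-PDF.
        return self.message.split(" ", 1)[0]


def parse_entries(text: str) -> list[RuleEntry]:
    """Return a RuleEntry for each line that matches the changelog format.

    Lines that do not match (headings, blank lines, the format description
    itself) are skipped rather than raising, so the whole update file can
    be fed in unchanged.
    """
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        entries.append(RuleEntry(
            gid=int(m["gid"]),
            sid=int(m["sid"]),
            enabled=m["state"] == "ENABLED",
            message=m["msg"],
            group=m["group"],
        ))
    return entries


def disabled_by_category(entries):
    """Count the rules shipped DISABLED, keyed by classification token.

    Rules that ship disabled are never loaded unless a site enables them,
    so this is the list to review after each update.
    """
    return Counter(e.category for e in entries if not e.enabled)


def enablesid_lines(entries, category):
    """Emit sorted 'gid:sid' lines for the DISABLED rules of one category,
    one per line, the form PulledPork's enablesid.conf accepts."""
    return sorted(
        f"{e.gid}:{e.sid}" for e in entries
        if not e.enabled and e.category == category
    )


# Sample input: entries copied from this update, plus one heading line to
# show that non-entry lines are ignored.
SAMPLE = """New Rules:

 * 1:23604 <-> ENABLED <-> SCAN Skipfish scan iPhone agent string (scan.rules)
 * 1:23600 <-> DISABLED <-> BOTNET-CNC Trojan-Downloader.Gamarue.F outbound connection attempt (botnet-cnc.rules)
 * 1:23598 <-> DISABLED <-> BOTNET-CNC Win32.Slagent outgoing connection attempt (botnet-cnc.rules)
 * 1:23613 <-> DISABLED <-> WEB-PHP Arbitrary file location upload attempt (web-php.rules)
 * 3:23608 <-> ENABLED <-> BAD-TRAFFIC dns zone transfer with zero-length rdata attempt (bad-traffic.rules)
"""

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in parsed:
        state = "on " if e.enabled else "off"
        print(f"{e.gid}:{e.sid} {state} {e.group:<18} {e.message}")
    print(disabled_by_category(parsed))
    print(enablesid_lines(parsed, "BOTNET-CNC"))
```

The parser keeps the gid rather than just the sid: the dns zone transfer entry in this update is 3:23608, a shared-object rule, and a gid 1 text rule with the same sid number would be a different rule, so gid:sid is the only safe key when building enable or disable lists.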

New Rules:

 * 1:23604 <-> ENABLED <-> SCAN Skipfish scan iPhone agent string (scan.rules)
 * 1:23605 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
 * 1:23602 <-> ENABLED <-> SCAN Skipfish scan Firefox agent string (scan.rules)
 * 1:23603 <-> ENABLED <-> SCAN Skipfish scan MSIE agent string (scan.rules)
 * 1:23600 <-> DISABLED <-> BOTNET-CNC Trojan-Downloader.Gamarue.F outbound connection attempt (botnet-cnc.rules)
 * 1:23601 <-> ENABLED <-> SCAN Skipfish scan default agent string (scan.rules)
 * 1:23598 <-> DISABLED <-> BOTNET-CNC Win32.Slagent outgoing connection attempt (botnet-cnc.rules)
 * 1:23599 <-> DISABLED <-> BOTNET-CNC Win32.Slagent outgoing connection attempt (botnet-cnc.rules)
 * 1:23596 <-> DISABLED <-> INDICATOR-COMPROMISE iframe before DOCTYPE possible malicious redirect attempt (indicator-compromise.rules)
 * 1:23597 <-> DISABLED <-> BOTNET-CNC Trojan.VB.DHD connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23594 <-> DISABLED <-> BOTNET-CNC Trojan.Papras variant connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23595 <-> DISABLED <-> BOTNET-CNC Trojan.Papras variant connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23593 <-> DISABLED <-> BOTNET-CNC Trojan.Smoaler variant connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23615 <-> ENABLED <-> SPYWARE-PUT ACAD.Medre.A runtime detection (spyware-put.rules)
 * 1:23611 <-> ENABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf (file-pdf.rules)
 * 1:23612 <-> ENABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf (file-pdf.rules)
 * 1:23613 <-> DISABLED <-> WEB-PHP Arbitrary file location upload attempt (web-php.rules)
 * 1:23617 <-> DISABLED <-> POLICY Amazon Kindle chrome-scriptable-plugin attempt (policy.rules)
 * 1:23616 <-> DISABLED <-> POLICY Amazon Kindle 3.0 User-Agent string requested (policy.rules)
 * 1:23606 <-> DISABLED <-> BOTNET-CNC Trojan.Sofacy.A outbound communication attempt (botnet-cnc.rules)
 * 1:23607 <-> DISABLED <-> BOTNET-CNC Trojan.Sofacy.A outbound communication attempt (botnet-cnc.rules)
 * 1:23614 <-> ENABLED <-> WEB-CLIENT JavaScript heap exploitation library usage attempt (web-client.rules)
 * 1:23610 <-> DISABLED <-> BOTNET-CNC Worm.Crass.A outbound connection attempt (botnet-cnc.rules)
 * 1:23609 <-> DISABLED <-> WEB-CLIENT Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (web-client.rules)
 * 3:23608 <-> ENABLED <-> BAD-TRAFFIC dns zone transfer with zero-length rdata attempt (bad-traffic.rules)

Modified Rules:

 * 1:21133 <-> ENABLED <-> BACKDOOR Mulcishell web shell encoder page (backdoor.rules)
 * 1:21139 <-> ENABLED <-> BACKDOOR Mulcishell web shell spread shell page (backdoor.rules)
 * 1:21140 <-> ENABLED <-> BACKDOOR Mulcishell web shell kill shell page (backdoor.rules)
 * 1:17194 <-> ENABLED <-> EXPLOIT Adobe Director file tSAC tag exploit attempt (exploit.rules)
 * 1:13972 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel country record arbitrary code execution attempt (file-office.rules)
 * 1:15541 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SST record remote code execution attempt (file-office.rules)
 * 1:21131 <-> ENABLED <-> BACKDOOR Mulcishell web shell domain lookup page (backdoor.rules)
 * 1:21129 <-> ENABLED <-> BACKDOOR Mulcishell web shell (backdoor.rules)
 * 1:21130 <-> ENABLED <-> BACKDOOR Mulcishell web shell enumeration page (backdoor.rules)
 * 1:21132 <-> ENABLED <-> BACKDOOR Mulcishell web shell sql interaction page (backdoor.rules)
 * 1:21135 <-> ENABLED <-> BACKDOOR Mulcishell web shell password cracking page (backdoor.rules)
 * 1:21436 <-> ENABLED <-> BOTNET-CNC Trojan.Startpage variant outbound connection (botnet-cnc.rules)
 * 1:21136 <-> ENABLED <-> BACKDOOR Mulcishell web shell security bypass page (backdoor.rules)
 * 1:21137 <-> ENABLED <-> BACKDOOR Mulcishell web shell tools page (backdoor.rules)
 * 1:23361 <-> DISABLED <-> WEB-IIS tilde character file name discovery attempt (web-iis.rules)
 * 1:21138 <-> ENABLED <-> BACKDOOR Mulcishell web shell database parsing page (backdoor.rules)
 * 1:21484 <-> DISABLED <-> WEB-CLIENT ZIP file name overflow attempt (web-client.rules)
 * 1:21134 <-> ENABLED <-> BACKDOOR Mulcishell web shell security information page (backdoor.rules)
 * 1:21965 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user agent VB WININET (blacklist.rules)
 * 1:23124 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer html table column span width increase memory corruption attempt (web-client.rules)
 * 1:23179 <-> DISABLED <-> INDICATOR-COMPROMISE script before DOCTYPE possible malicious redirect attempt (indicator-compromise.rules)