Sourcefire VRT Rules Update

Date: 2012-08-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:23921 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23919 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23920 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23917 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23918 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23915 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23916 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23913 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23914 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23912 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23911 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23933 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23906 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23905 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23931 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23932 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23930 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23908 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23909 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23910 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23907 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23922 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23924 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23923 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23926 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23925 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23928 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23929 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23927 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)

Modified Rules:


 * 1:20742 <-> DISABLED <-> WEB-CLIENT Mozilla PLUGINSPAGE javascript execution attempt (web-client.rules)
 * 1:23341 <-> ENABLED <-> BACKDOOR Backdoor.Win32.Tinrot.A runtime detection (backdoor.rules)
 * 1:23159 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page with specific structure (specific-threats.rules)