Sourcefire VRT Rules Update

Date: 2013-02-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:25575 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit SWF file download (exploit-kit.rules)
 * 1:25559 <-> ENABLED <-> EXPLOIT-KIT JDB Exploit kit landing page retrieval (exploit-kit.rules)
 * 1:25564 <-> DISABLED <-> FILE-PDF Adobe Reader heap-based buffer overflow attempt (file-pdf.rules)
 * 1:25573 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit SWF file download (exploit-kit.rules)
 * 1:25574 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit SWF file download (exploit-kit.rules)
 * 1:25571 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Medialabs outbound connection (malware-cnc.rules)
 * 1:25570 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Medialabs outbound connection (malware-cnc.rules)
 * 1:25569 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 Exploit Kit landing page (exploit-kit.rules)
 * 1:25567 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - POST request (os-windows.rules)
 * 1:25566 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control directory traversal attempt (browser-plugins.rules)
 * 1:25565 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control directory traversal attempt (browser-plugins.rules)
 * 1:25563 <-> DISABLED <-> FILE-PDF Adobe Reader heap-based buffer overflow attempt (file-pdf.rules)
 * 1:25553 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
 * 1:25554 <-> ENABLED <-> BLACKLIST DNS request for known malware domain linuxrepository.org - UNIX.Trojan.SSHDoor (blacklist.rules)
 * 1:25555 <-> ENABLED <-> BLACKLIST DNS request for known malware domain openssh.info - UNIX.Trojan.SSHDoor (blacklist.rules)
 * 1:25556 <-> DISABLED <-> SERVER-OTHER RaySharp CCTV derivative user credential retrieval attempt (server-other.rules)
 * 1:25557 <-> ENABLED <-> SERVER-OTHER RaySharp CCTV derivative command injection attempt (server-other.rules)
 * 1:25558 <-> DISABLED <-> EXPLOIT-KIT embedded iframe redirection - possible exploit kit redirection (exploit-kit.rules)
 * 1:25560 <-> ENABLED <-> EXPLOIT-KIT JDB Exploit kit landing page (exploit-kit.rules)
 * 1:25568 <-> ENABLED <-> EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval (exploit-kit.rules)
 * 1:25572 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Virut variant outbound connection (malware-cnc.rules)
 * 1:25576 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit SWF file download (exploit-kit.rules)
 * 1:25562 <-> ENABLED <-> FILE-OTHER Oracle Java obfuscated jar file download attempt (file-other.rules)
 * 1:25561 <-> ENABLED <-> EXPLOIT-KIT JDB Exploit Kit landing page (exploit-kit.rules)

Modified Rules:
 * 1:17204 <-> ENABLED <-> FILE-OTHER Adobe Director file mmap overflow attempt (file-other.rules)
 * 1:19665 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop web access cross site scripting attempt - GET request (os-windows.rules)
 * 1:21024 <-> DISABLED <-> BROWSER-PLUGINS McAfee Security as a Service ActiveX clsid access attempt (browser-plugins.rules)
 * 1:21025 <-> DISABLED <-> BROWSER-PLUGINS McAfee Security as a Service ActiveX function call attempt (browser-plugins.rules)
 * 1:21026 <-> DISABLED <-> BROWSER-PLUGINS McAfee Security as a Service ActiveX clsid access attempt (browser-plugins.rules)
 * 1:21027 <-> DISABLED <-> BROWSER-PLUGINS McAfee Security as a Service ActiveX function call attempt (browser-plugins.rules)
 * 1:21288 <-> ENABLED <-> FILE-IDENTIFY XML download detected (file-identify.rules)
 * 1:23319 <-> DISABLED <-> FILE-IDENTIFY TAR file download request (file-identify.rules)
 * 1:23320 <-> DISABLED <-> FILE-IDENTIFY TAR file attachment detected (file-identify.rules)
 * 1:23321 <-> DISABLED <-> FILE-IDENTIFY TAR file attachment detected (file-identify.rules)
 * 1:25326 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25510 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)