Sourcefire VRT Rules Update

Date: 2012-08-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:23634 <-> DISABLED <-> BOTNET-CNC Trojan.Kegotip variant connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23633 <-> ENABLED <-> BOTNET-CNC Trojan.Kegotip variant report to cnc-server attempt (botnet-cnc.rules)
 * 1:23632 <-> ENABLED <-> EXPLOIT HP Data Protector Express stack buffer overflow attempt (exploit.rules)
 * 1:23631 <-> ENABLED <-> EXPLOIT Apache Struts remote code execution attempt - POST parameter (exploit.rules)
 * 1:23630 <-> DISABLED <-> BOTNET-CNC Trojan.YMrelay variant connect to cnc-server attempt (botnet-cnc.rules)
 * 1:23629 <-> DISABLED <-> BLACKLIST DNS request for known malware domain in.ingoogle.in (blacklist.rules)
 * 1:23628 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Pincav variant outbound connection attempt (botnet-cnc.rules)
 * 1:23627 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user agent - PoisonIvy RAT (blacklist.rules)
 * 1:23626 <-> ENABLED <-> WEB-IIS cmd.exe access (web-iis.rules)
 * 1:23625 <-> DISABLED <-> WEB-CLIENT Mozilla Firefox resource URL handling directory traversal attempt (web-client.rules)
 * 1:23624 <-> ENABLED <-> WEB-CLIENT Ubisoft Uplay browser plugin backdoor attempt (web-client.rules)
 * 1:23623 <-> DISABLED <-> FILE-OTHER Apple QuickTime VR Track Header Atom heap corruption attempt (file-other.rules)
 * 1:23622 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page request - tkr (specific-threats.rules)
 * 1:23621 <-> ENABLED <-> INDICATOR-OBFUSCATION known packer routine with secondary obfuscation (indicator-obfuscation.rules)
 * 1:23620 <-> ENABLED <-> SPECIFIC-THREATS Malvertising network attempted redirect (specific-threats.rules)
 * 1:23619 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch broken (specific-threats.rules)
 * 1:23618 <-> ENABLED <-> SPECIFIC-THREATS Malvertising redirection attempt (specific-threats.rules)

Modified Rules:
 * 1:12629 <-> DISABLED <-> WEB-MISC Microsoft Office SharePoint cross site scripting attempt (web-misc.rules)
 * 1:15876 <-> DISABLED <-> SQL generic sql update injection attempt - POST parameter (sql.rules)
 * 1:15909 <-> DISABLED <-> FILE-OTHER Apple QuickTime VR Track Header Atom heap corruption attempt (file-other.rules)
 * 1:21011 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint file magic detected (file-identify.rules)
 * 1:23222 <-> ENABLED <-> SPECIFIC-THREATS RedKit Landing Page Received - applet and 5digit jar (specific-threats.rules)
 * 1:23407 <-> DISABLED <-> WEB-MISC Apple iChat url format string exploit attempt (web-misc.rules)
 * 1:23611 <-> ENABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf (file-pdf.rules)
 * 1:23612 <-> ENABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf (file-pdf.rules)
 * 1:3193 <-> DISABLED <-> WEB-IIS .cmd executable file parsing attack (web-iis.rules)
 * 1:3194 <-> DISABLED <-> WEB-IIS .bat executable file parsing attack (web-iis.rules)