Sourcefire VRT Rules Update

Date: 2012-09-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:24228 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 - Landing Page Received (exploit-kit.rules)
 * 1:24223 <-> DISABLED <-> EXPLOIT HP Data Protector client EXEC_CMD command execution attempt (exploit.rules)
 * 1:24221 <-> DISABLED <-> EXPLOIT HP Data Protector client EXEC_CMD command execution attempt (exploit.rules)
 * 1:24214 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Seveto variant outbound connection attempt (malware-cnc.rules)
 * 1:24218 <-> ENABLED <-> FILE-IDENTIFY SMIL file magic detected (file-identify.rules)
 * 1:24220 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime streaming debug error logging buffer overflow attempt (file-multimedia.rules)
 * 1:24215 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Banload variant outbound connection attempt (malware-cnc.rules)
 * 1:24222 <-> DISABLED <-> EXPLOIT HP Data Protector client EXEC_CMD command execution attempt (exploit.rules)
 * 1:24224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeroaccess variant outbound communication (malware-cnc.rules)
 * 1:24225 <-> ENABLED <-> MALWARE-OTHER malicious redirection attempt (malware-other.rules)
 * 1:24226 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page received (exploit-kit.rules)
 * 1:24227 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 - URI Structure (exploit-kit.rules)
 * 1:24219 <-> ENABLED <-> FILE-IDENTIFY SMIL file magic detected (file-identify.rules)
 * 1:24230 <-> DISABLED <-> FILE-OTHER RealNetworks Netzip Classic zip archive long filename buffer overflow attempt (file-other.rules)
 * 1:24217 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Spy variant outbound connection attempt (malware-cnc.rules)
 * 1:24229 <-> DISABLED <-> FILE-OTHER RealNetworks Netzip Classic zip archive long filename buffer overflow attempt (file-other.rules)
 * 1:24216 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Biloky variant outbound connection attempt (malware-cnc.rules)

Modified Rules:

 * 1:24212 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt (browser-ie.rules)
 * 1:24210 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt (browser-ie.rules)
 * 3:17041 <-> ENABLED <-> WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt (web-misc.rules)
 * 3:15683 <-> ENABLED <-> WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt (web-misc.rules)
 * 3:23182 <-> ENABLED <-> WEB-MISC SFVRT-1009 attack attempt (web-misc.rules)
 * 3:16227 <-> ENABLED <-> WEB-MISC Web Service on Devices API WSDAPI URL processing buffer corruption attempt (web-misc.rules)
 * 3:15470 <-> ENABLED <-> WEB-MISC IIS ASP/ASP.NET potentially malicious file upload attempt (web-misc.rules)