Sourcefire VRT Rules Update

Date: 2012-08-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:23796 <-> DISABLED <-> WEB-PHP exif invalid tag data buffer overflow attempt (web-php.rules)
 * 1:23795 <-> ENABLED <-> SPECIFIC-THREATS function urchin - known malware function name (specific-threats.rules)
 * 1:23794 <-> DISABLED <-> BOTNET-CNC known command and control traffic (botnet-cnc.rules)
 * 1:23793 <-> DISABLED <-> SMTP PHP use-after-free in substr_replace attempt (smtp.rules)
 * 1:23792 <-> DISABLED <-> WEB-PHP PHP use-after-free in substr_replace attempt (web-php.rules)
 * 1:23791 <-> DISABLED <-> WEB-PHP PHP use-after-free in substr_replace attempt (web-php.rules)

Modified Rules:

 * 1:19611 <-> DISABLED <-> BLACKLIST User-Agent known malicious User-Agent string INet - Win32.Virus.Jusabli.A (blacklist.rules)
 * 1:19589 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent string MacProtector (blacklist.rules)
 * 1:19482 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string ErrorFix (blacklist.rules)
 * 1:19480 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string STORMDDOS - Backdoor.Win32.Inject.ctt (blacklist.rules)
 * 1:19440 <-> DISABLED <-> SQL 1 = 0 - possible sql injection attempt (sql.rules)
 * 1:19439 <-> DISABLED <-> SQL 1 = 1 - possible sql injection attempt (sql.rules)
 * 1:19434 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string ErrCode (blacklist.rules)
 * 1:19372 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string javasw - Trojan.Banload (blacklist.rules)
 * 1:19175 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent wget 3.0 (blacklist.rules)
 * 1:19165 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Microsoft Internet Explorer (blacklist.rules)
 * 1:18395 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Duckling/1.0 (blacklist.rules)
 * 1:18394 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string OCRecover (blacklist.rules)
 * 1:18393 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string vyre32 (blacklist.rules)
 * 1:18392 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string qixi (blacklist.rules)
 * 1:18391 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string MyLove (blacklist.rules)
 * 1:18390 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Delphi 5.x (blacklist.rules)
 * 1:18389 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string 3653Client (blacklist.rules)
 * 1:18388 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string RookIE/1.0 (blacklist.rules)
 * 1:18387 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string dwplayer (blacklist.rules)
 * 1:18386 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string AHTTPConnection (blacklist.rules)
 * 1:8854 <-> DISABLED <-> WEB-ACTIVEX Microsoft Agent v2.0 ActiveX function call access (web-activex.rules)
 * 1:8852 <-> DISABLED <-> WEB-ACTIVEX Microsoft Agent v2.0 ActiveX clsid access (web-activex.rules)
 * 1:8423 <-> DISABLED <-> WEB-ACTIVEX CEnroll.CEnroll.2 ActiveX function call access (web-activex.rules)
 * 1:7003 <-> DISABLED <-> WEB-ACTIVEX ADODB.Recordset ActiveX function call access (web-activex.rules)
 * 1:5805 <-> ENABLED <-> SPYWARE-PUT Trackware myway speedbar runtime detection - switch engines (spyware-put.rules)
 * 1:23786 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page with specific structure - Math.round catch (specific-threats.rules)
 * 1:23785 <-> ENABLED <-> SPECIFIC-THREATS Blackhole landing page with specific structure - Math.floor catch (specific-threats.rules)
 * 1:23627 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - PoisonIvy RAT (blacklist.rules)
 * 1:23019 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - Flame malware (blacklist.rules)
 * 1:22939 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent RAbcLib (blacklist.rules)
 * 1:21965 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent VB WININET (blacklist.rules)
 * 1:21925 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent BOT/0.1 (blacklist.rules)
 * 1:21639 <-> ENABLED <-> BLACKLIST User-Agent known Adware user agent mus - TDSS related (blacklist.rules)
 * 1:21636 <-> ENABLED <-> BLACKLIST User-Agent known Adware user agent gbot (blacklist.rules)
 * 1:21591 <-> ENABLED <-> BLACKLIST User-Agent known Adware user agent Gamevance tl_v (blacklist.rules)
 * 1:21526 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent TCYWinHTTPDownload (blacklist.rules)
 * 1:21488 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent GetRight (blacklist.rules)
 * 1:21476 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent YZF (blacklist.rules)
 * 1:21475 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string core-project (blacklist.rules)
 * 1:21469 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string 1234567890 (blacklist.rules)
 * 1:21455 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string psi (blacklist.rules)
 * 1:21380 <-> DISABLED <-> BLACKLIST User-Agent Win.32.Sramler.A runtime traffic detected (blacklist.rules)
 * 1:21348 <-> ENABLED <-> BLACKLIST URI possible Blackhole URL - search.php?page= (blacklist.rules)
 * 1:21327 <-> ENABLED <-> BLACKLIST User-Agent ASafaWeb Scan (blacklist.rules)
 * 1:21278 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Google Bot (blacklist.rules)
 * 1:21266 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Morfeus Scanner (blacklist.rules)
 * 1:21246 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string DataCha0s (blacklist.rules)
 * 1:21239 <-> ENABLED <-> BOTNET-CNC W32.Kazy variant outbound connection (botnet-cnc.rules)
 * 1:21225 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Flag (blacklist.rules)
 * 1:21206 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Aldi Bot (blacklist.rules)
 * 1:21188 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string API Guide test program (blacklist.rules)
 * 1:21175 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Win32 Amti (blacklist.rules)
 * 1:21099 <-> ENABLED <-> SPECIFIC-THREATS Crimepack exploit kit malicious pdf request (specific-threats.rules)
 * 1:21071 <-> ENABLED <-> BLACKLIST Eleanore exploit kit post-exploit page request (blacklist.rules)
 * 1:21042 <-> ENABLED <-> BLACKLIST URI possible Blackhole post-compromise download attempt - .php?f= (blacklist.rules)
 * 1:21041 <-> ENABLED <-> BLACKLIST URI possible Blackhole URL - main.php?page= (blacklist.rules)
 * 1:20988 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string ZmEu - vulnerability scanner (blacklist.rules)
 * 1:20558 <-> ENABLED <-> BLACKLIST URI request for known malicious URI /stat2.php (blacklist.rules)
 * 1:20293 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string MBVDFRESCT (blacklist.rules)
 * 1:20231 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Mozilla//4.0 (blacklist.rules)
 * 1:20230 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string 0pera 10 (blacklist.rules)
 * 1:20201 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string meterpreter (blacklist.rules)
 * 1:20106 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string darkness (blacklist.rules)
 * 1:20105 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string IPHONE (blacklist.rules)
 * 1:20104 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string InfoBot (blacklist.rules)
 * 1:20039 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Hardcore Software (blacklist.rules)
 * 1:20021 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Brontok (blacklist.rules)
 * 1:20012 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string feranet/0.4 - Win32/Ferabsa.A (blacklist.rules)
 * 1:20009 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent string Baby Remote - Win32/Babmote.A (blacklist.rules)
 * 1:19934 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string MYURL (blacklist.rules)
 * 1:19756 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Opera/8.89 - P2P-Worm.Win32.Palevo.ddm (blacklist.rules)
 * 1:19637 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /install.asp?mac= (blacklist.rules)
 * 1:19636 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /blog/images/3521.jpg?v (blacklist.rules)
 * 1:19627 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /r_autoidcnt.asp?mer_seq= (blacklist.rules)
 * 1:19626 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /setup_b.asp?prj= (blacklist.rules)
 * 1:18385 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string HTTPCSDCENTER (blacklist.rules)
 * 1:18383 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string GPInstaller (blacklist.rules)
 * 1:18382 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string WMUpdate (blacklist.rules)
 * 1:18381 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Travel Update (blacklist.rules)
 * 1:18380 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string FPUpdater (blacklist.rules)
 * 1:18379 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string AskInstallChecker (blacklist.rules)
 * 1:18378 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string AutoHotkey (blacklist.rules)
 * 1:18377 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string malware (blacklist.rules)
 * 1:18376 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Trololo (blacklist.rules)
 * 1:18375 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string HTTP Wininet (blacklist.rules)
 * 1:18374 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string MSDN SurfBear (blacklist.rules)
 * 1:18373 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Installer (blacklist.rules)
 * 1:18371 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string QvodDown (blacklist.rules)
 * 1:18370 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Mozilla Windows MSIE (blacklist.rules)
 * 1:18369 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string iexp-get (blacklist.rules)
 * 1:18368 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Our_Agent (blacklist.rules)
 * 1:18367 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string FPRecover (blacklist.rules)
 * 1:18366 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string OCInstaller (blacklist.rules)
 * 1:18365 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Agentcc (blacklist.rules)
 * 1:18364 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string msndown (blacklist.rules)
 * 1:18363 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string GPRecover (blacklist.rules)
 * 1:18362 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Search Toolbar 1.1 (blacklist.rules)
 * 1:18361 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Downloader1.1 (blacklist.rules)
 * 1:18360 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Oncues (blacklist.rules)
 * 1:18359 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Shareaza (blacklist.rules)
 * 1:18358 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string NSIS_INETLOAD (blacklist.rules)
 * 1:18357 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Setup Factory (blacklist.rules)
 * 1:18356 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string random (blacklist.rules)
 * 1:18355 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Se2011 (blacklist.rules)
 * 1:18354 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string opera/8.11 (blacklist.rules)
 * 1:18353 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string SelectRebates (blacklist.rules)
 * 1:18352 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string PinballCorp-BSAI/VER_STR_COMMA (blacklist.rules)
 * 1:18351 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string GPUpdater (blacklist.rules)
 * 1:18350 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string GabPath (blacklist.rules)
 * 1:18349 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Flipopia (blacklist.rules)
 * 1:18348 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Opera/9.80 Pesto/2.2.15 (blacklist.rules)
 * 1:18347 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string AutoIt (blacklist.rules)
 * 1:18346 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string GPRecover (blacklist.rules)
 * 1:18345 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string Macrovision_DM_2.4.15 (blacklist.rules)
 * 1:18343 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string WSEnrichment (blacklist.rules)
 * 1:18342 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string NSIS_DOWNLOAD (blacklist.rules)
 * 1:18341 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string UtilMind HTTPGet (blacklist.rules)
 * 1:18340 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string ClickAdsByIE 0.7.5 (blacklist.rules)
 * 1:18338 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string NSISDL/1.2 (blacklist.rules)
 * 1:18337 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string iamx/3.11 (blacklist.rules)
 * 1:18336 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string gbot/2.3 (blacklist.rules)
 * 1:18247 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent ErrCode - W32/Fujacks.htm (blacklist.rules)
 * 1:17601 <-> ENABLED <-> WEB-CLIENT Mozilla Firefox file type memory corruption attempt (web-client.rules)
 * 1:17535 <-> ENABLED <-> MISC Apple CUPS Text to PostScript Filter Integer Overflow attempt (misc.rules)
 * 1:16753 <-> ENABLED <-> WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt (web-client.rules)
 * 1:16574 <-> DISABLED <-> WEB-ACTIVEX obfuscated ActiveX object instantiation via fromCharCode (web-activex.rules)
 * 1:15876 <-> DISABLED <-> SQL generic sql update injection attempt - POST parameter (sql.rules)
 * 1:15863 <-> ENABLED <-> WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX function call access (web-activex.rules)
 * 1:15861 <-> ENABLED <-> WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX clsid access (web-activex.rules)
 * 1:15699 <-> ENABLED <-> SPECIFIC-THREATS Mozilla Firefox 3.5 unicode stack overflow attempt (specific-threats.rules)
 * 1:13366 <-> ENABLED <-> ORACLE Oracle database SYS.LT.FINDRICSET SQL injection attempt (oracle.rules)
 * 1:12452 <-> DISABLED <-> WEB-ACTIVEX MS Agent File Provider ActiveX clsid access (web-activex.rules)
 * 1:12450 <-> DISABLED <-> WEB-ACTIVEX Microsoft Agent Control ActiveX function call access (web-activex.rules)
 * 1:12448 <-> DISABLED <-> WEB-ACTIVEX Microsoft Agent Control ActiveX clsid access (web-activex.rules)