Sourcefire VRT Rules Update
Date: 2012-09-27
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:24262 <-> ENABLED <-> MALWARE-OTHER Lanman2.dll download attempt (malware-other.rules)
* 1:24261 <-> ENABLED <-> MALWARE-OTHER Lanman2.dll download attempt (malware-other.rules)
* 1:24260 <-> ENABLED <-> MALWARE-OTHER PwDump7.exe download attempt (malware-other.rules)
* 1:24259 <-> ENABLED <-> MALWARE-OTHER PwDump7.exe download attempt (malware-other.rules)
* 1:24258 <-> ENABLED <-> MALWARE-OTHER mygeeksmail.dll download attempt (malware-other.rules)
* 1:24257 <-> ENABLED <-> MALWARE-OTHER mygeeksmail.dll download attempt (malware-other.rules)
* 1:24256 <-> ENABLED <-> WEB-PHP phpMyAdmin server_sync.php backdoor access attempt (web-php.rules)
* 1:24255 <-> ENABLED <-> MALWARE-CNC Sality logo.gif URLs (malware-cnc.rules)
* 1:24254 <-> DISABLED <-> INDICATOR-COMPROMISE Page with only IP redirect - document.location, possible compromised site (indicator-compromise.rules)
* 1:24253 <-> DISABLED <-> INDICATOR-COMPROMISE Page with only IP redirect - http-equiv=refresh, possible compromised site (indicator-compromise.rules)
* 1:24252 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer execCommand use embedded within javascript tags (browser-ie.rules)
* 1:24251 <-> DISABLED <-> MALWARE-CNC Android/Fakelash.A!tr.spy trojan command and control channel traffic (malware-cnc.rules)
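The entries above follow the gid:sid <-> state <-> message (group) format stated at the top of the notice. The parser below is an added example, not part of the Sourcefire notice or any VRT tooling: it turns such a listing into records, counts default-enabled versus disabled rules per .rules file, and lists the SIDs that ship DISABLED so an analyst can decide whether to opt in (the one-per-line gid:sid output is the syntax PulledPork's enablesid.conf accepts). The embedded sample is the list from this notice; two entries are deliberately run together on one line to show that copy/paste flattening is handled.

```python
"""Parser for Sourcefire/Snort VRT rule-update listings of the form

    gid:sid <-> Default rule state <-> Message (rule group)

Added example; not code from the Sourcefire notice.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# One entry: gid:sid, state, free-text message, then '(group.rules)'.
# Matching with finditer (rather than per line) copes with several entries
# run together on one line, e.g. "* 1:1 <-> ... (a.rules) * 1:2 <-> ...".
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)"
)

# Sample input: the list from this notice. The header lines are included to
# show they are ignored; sids 24258/24257 are run together on purpose.
SAMPLE = """New Rules:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:24262 <-> ENABLED <-> MALWARE-OTHER Lanman2.dll download attempt (malware-other.rules)
* 1:24261 <-> ENABLED <-> MALWARE-OTHER Lanman2.dll download attempt (malware-other.rules)
* 1:24260 <-> ENABLED <-> MALWARE-OTHER PwDump7.exe download attempt (malware-other.rules)
* 1:24259 <-> ENABLED <-> MALWARE-OTHER PwDump7.exe download attempt (malware-other.rules)
* 1:24258 <-> ENABLED <-> MALWARE-OTHER mygeeksmail.dll download attempt (malware-other.rules) * 1:24257 <-> ENABLED <-> MALWARE-OTHER mygeeksmail.dll download attempt (malware-other.rules)
* 1:24256 <-> ENABLED <-> WEB-PHP phpMyAdmin server_sync.php backdoor access attempt (web-php.rules)
* 1:24255 <-> ENABLED <-> MALWARE-CNC Sality logo.gif URLs (malware-cnc.rules)
* 1:24254 <-> DISABLED <-> INDICATOR-COMPROMISE Page with only IP redirect - document.location, possible compromised site (indicator-compromise.rules)
* 1:24253 <-> DISABLED <-> INDICATOR-COMPROMISE Page with only IP redirect - http-equiv=refresh, possible compromised site (indicator-compromise.rules)
* 1:24252 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer execCommand use embedded within javascript tags (browser-ie.rules)
* 1:24251 <-> DISABLED <-> MALWARE-CNC Android/Fakelash.A!tr.spy trojan command and control channel traffic (malware-cnc.rules)
"""


@dataclass(frozen=True)
class RuleUpdate:
    gid: int
    sid: int
    enabled: bool
    msg: str
    group: str

    @property
    def class_prefix(self) -> str:
        """Leading class token of the message, e.g. 'MALWARE-CNC'."""
        return self.msg.split(" ", 1)[0]


def parse_rule_updates(text: str) -> list[RuleUpdate]:
    """Return every gid:sid entry in `text`, in document order."""
    return [
        RuleUpdate(
            gid=int(m["gid"]),
            sid=int(m["sid"]),
            enabled=(m["state"] == "ENABLED"),
            msg=m["msg"],
            group=m["group"],
        )
        for m in ENTRY_RE.finditer(text)
    ]


def summarize_by_group(updates: list[RuleUpdate]) -> dict[str, dict[str, int]]:
    """Default-enabled vs disabled counts per .rules file."""
    counts: dict[str, dict[str, int]] = defaultdict(
        lambda: {"enabled": 0, "disabled": 0}
    )
    for u in updates:
        counts[u.group]["enabled" if u.enabled else "disabled"] += 1
    return dict(counts)


def disabled_by_default(updates: list[RuleUpdate]) -> list[str]:
    """'gid:sid' lines for rules shipped DISABLED, the ones worth a manual
    opt-in review. One gid:sid per line is what PulledPork's enablesid.conf
    takes, so this output can be pasted there after review."""
    return [f"{u.gid}:{u.sid}" for u in updates if not u.enabled]


if __name__ == "__main__":
    ups = parse_rule_updates(SAMPLE)
    for group, c in sorted(summarize_by_group(ups).items()):
        print(f"{group:30s} enabled={c['enabled']} disabled={c['disabled']}")
    print("disabled by default:", ", ".join(disabled_by_default(ups)))
```

Rules that arrive DISABLED (here the two INDICATOR-COMPROMISE redirect rules and the Android C2 rule) are the ones a deployment has to opt into; the notice gives no rationale per rule, so the listing is the starting point for that review, not a substitute for it.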
