Sourcefire VRT Rules Update

Date: 2012-11-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:24607 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:24606 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:24605 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:24604 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:24603 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:24602 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:24601 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:24600 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool suspicious file download (malware-other.rules)
 * 1:24599 <-> ENABLED <-> FILE-IDENTIFY Alt-N MDaemon IMAP Server (file-identify.rules)

Modified Rules:

 * 1:9418 <-> ENABLED <-> MALWARE-CNC bagle.a http notification detection (malware-cnc.rules)
 * 1:7840 <-> DISABLED <-> PUA-TOOLBARS Hijacker instafinder initial configuration detection (pua-toolbars.rules)
 * 1:7839 <-> DISABLED <-> PUA-TOOLBARS Hijacker rx toolbar runtime detection (pua-toolbars.rules)
 * 1:7581 <-> DISABLED <-> PUA-TOOLBARS Hijacker flashbar runtime detection - user-agent (pua-toolbars.rules)
 * 1:7567 <-> DISABLED <-> PUA-TOOLBARS Trackware funwebproducts mywebsearchtoolbar-funtools runtime detection (pua-toolbars.rules)
 * 1:7554 <-> DISABLED <-> PUA-ADWARE Adware hxdl runtime detection - hxdownload user-agent (pua-adware.rules)
 * 1:7550 <-> DISABLED <-> PUA-ADWARE Adware adroar runtime detection (pua-adware.rules)
 * 1:7532 <-> DISABLED <-> PUA-ADWARE Adware piolet runtime detection - user-agent (pua-adware.rules)
 * 1:7518 <-> DISABLED <-> PUA-TOOLBARS Trackware earthlink toolbar runtime detection - get up-to-date news info (pua-toolbars.rules)
 * 1:7050 <-> DISABLED <-> PUA-TOOLBARS Hijacker freecruise toolbar runtime detection (pua-toolbars.rules)
 * 1:6365 <-> DISABLED <-> MALWARE-OTHER Sony rootkit runtime detection (malware-other.rules)
 * 1:6360 <-> DISABLED <-> PUA-ADWARE Adware altnet runtime detection - update (pua-adware.rules)
 * 1:6357 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - Need2Find (blacklist.rules)
 * 1:6354 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - ProxyDown (blacklist.rules)
 * 1:6258 <-> DISABLED <-> PUA-ADWARE Adware searchsquire runtime detection - get engine file (pua-adware.rules)
 * 1:5901 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - AdTools (blacklist.rules)
 * 1:5835 <-> DISABLED <-> PUA-ADWARE Adware gamespy_arcade runtime detection (pua-adware.rules)
 * 1:5800 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - MyWay (blacklist.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:5789 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - ActMon (blacklist.rules)
 * 1:5749 <-> DISABLED <-> PUA-TOOLBARS Trackware alexa runtime detection (pua-toolbars.rules)
 * 1:541 <-> DISABLED <-> POLICY-SOCIAL ICQ access (policy-social.rules)
 * 1:24568 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - Mozilla/00 (blacklist.rules)
 * 1:24555 <-> ENABLED <-> FILE-IDENTIFY Apple QuickTime PICT v2.0 Image header (file-identify.rules)
 * 1:24554 <-> ENABLED <-> FILE-IDENTIFY Apple QuickTime PICT v2.0 Image header (file-identify.rules)
 * 1:24552 <-> DISABLED <-> FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt (file-image.rules)
 * 1:24551 <-> DISABLED <-> FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt (file-image.rules)
 * 1:23616 <-> DISABLED <-> APP-DETECT Amazon Kindle 3.0 User-Agent string requested (app-detect.rules)
 * 1:23135 <-> DISABLED <-> FILE-FLASH Adobe Flash Player flash.DisplayObject memory corruption attempt (file-flash.rules)
 * 1:23133 <-> DISABLED <-> FILE-FLASH Adobe Flash Player flash.display.BitmapData constuctor overflow attempt (file-flash.rules)
 * 1:22000 <-> DISABLED <-> MALWARE-CNC Worm.VB.amna outbound connection A (malware-cnc.rules)
 * 1:21761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
 * 1:21514 <-> DISABLED <-> MALWARE-CNC Trojan.Banbra connect to server (malware-cnc.rules)
 * 1:21488 <-> ENABLED <-> APP-DETECT User-Agent known user agent - GetRight (app-detect.rules)
 * 1:21436 <-> ENABLED <-> MALWARE-CNC Trojan.Startpage variant outbound connection (malware-cnc.rules)
 * 1:21335 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActionScript bytecode type confusion null dereference attempt (file-flash.rules)
 * 1:20756 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jorik variant outbound connection (malware-cnc.rules)
 * 1:20229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jinchodz variant outbound connection (malware-cnc.rules)
 * 1:20201 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - meterpreter (blacklist.rules)
 * 1:20181 <-> ENABLED <-> FILE-FLASH Adobe Flash Speex-encoded audio buffer underflow attempt (file-flash.rules)
 * 1:20143 <-> DISABLED <-> PUA-ADWARE Adware mightymagoo/playpickle/livingplay - User-Agent (pua-adware.rules)
 * 1:20106 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - darkness (blacklist.rules)
 * 1:20105 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - IPHONE (blacklist.rules)
 * 1:20104 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - InfoBot (blacklist.rules)
 * 1:20103 <-> DISABLED <-> PUA-ADWARE Adware playsushi - User-Agent (pua-adware.rules)
 * 1:20101 <-> DISABLED <-> PUA-ADWARE Adware Arcade Web - User-Agent (pua-adware.rules)
 * 1:19703 <-> ENABLED <-> MALWARE-CNC Worm Win.Trojan.Dusta.br outbound connnection (malware-cnc.rules)
 * 1:19249 <-> DISABLED <-> FILE-FLASH Adobe Universal3D meshes.removeItem exploit attempt (file-flash.rules)
 * 1:19247 <-> DISABLED <-> FILE-IMAGE Adobe jpeg 2000 image exploit attempt (file-image.rules)
 * 1:19083 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:19071 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:19018 <-> ENABLED <-> MALWARE-CNC MacBack Win.Trojan.outbound connection (malware-cnc.rules)
 * 1:19017 <-> ENABLED <-> MALWARE-CNC MacBack Win.Trojan.outbound connection (malware-cnc.rules)
 * 1:19016 <-> ENABLED <-> MALWARE-CNC MacBack Win.Trojan.outbound connection (malware-cnc.rules)
 * 1:18805 <-> ENABLED <-> FILE-FLASH Adobe Flash Player undefined tag exploit attempt (file-flash.rules)
 * 1:18604 <-> DISABLED <-> MALWARE-OTHER lizamoon script injection (malware-other.rules)
 * 1:18543 <-> ENABLED <-> FILE-FLASH embedded Shockwave dropper download (file-flash.rules)
 * 1:17808 <-> ENABLED <-> FILE-FLASH Adobe Flash authplay.dll memory corruption attempt (file-flash.rules)
 * 1:17606 <-> ENABLED <-> FILE-FLASH Adobe Flash ASnative command execution attempt (file-flash.rules)
 * 1:17142 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF ActionScript exploit attempt (file-flash.rules)
 * 1:17141 <-> ENABLED <-> FILE-FLASH Adobe Flash invalid data precision arbitrary code execution exploit attempt (file-flash.rules)
 * 1:16493 <-> ENABLED <-> MALWARE-CNC TT-bot botnet variant outbound connection (malware-cnc.rules)
 * 1:16442 <-> DISABLED <-> MALWARE-CNC Possible Zeus User-Agent - Mozilla (malware-cnc.rules)
 * 1:16441 <-> DISABLED <-> MALWARE-CNC Possible Zeus User-Agent - Download (malware-cnc.rules)
 * 1:16440 <-> DISABLED <-> MALWARE-CNC Possible Zeus User-Agent - ie (malware-cnc.rules)
 * 1:16439 <-> DISABLED <-> MALWARE-CNC Possible Zeus User-Agent - _TEST_ (malware-cnc.rules)
 * 1:15478 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid object reference code execution attempt (file-flash.rules)
 * 1:14066 <-> DISABLED <-> PUA-ADWARE Adware winsecuredisc runtime detection (pua-adware.rules)
 * 1:13762 <-> DISABLED <-> PUA-ADWARE Adware system defender runtime detection (pua-adware.rules)
 * 1:13663 <-> ENABLED <-> SERVER-MAIL Alt-N MDaemon IMAP Server FETCH command buffer overflow attempt (server-mail.rules)
 * 1:13515 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime user agent (file-multimedia.rules)
 * 1:13503 <-> DISABLED <-> PUA-TOOLBARS Hijacker dealio toolbar runtime detection user-agent detected (pua-toolbars.rules)
 * 1:13502 <-> DISABLED <-> PUA-ADWARE Adware contravirus runtime detection - update (pua-adware.rules)
 * 1:13488 <-> DISABLED <-> PUA-TOOLBARS Hijacker people pal toolbar runtime detection - automatic upgrade (pua-toolbars.rules)
 * 1:13487 <-> DISABLED <-> PUA-ADWARE Adware elite protector runtime detection (pua-adware.rules)
 * 1:13484 <-> DISABLED <-> PUA-TOOLBARS Hijacker baidu toolbar runtime detection - updates automatically (pua-toolbars.rules)
 * 1:13242 <-> DISABLED <-> PUA-ADWARE Adware netpumper 1.26 runtime detection (pua-adware.rules)
 * 1:12370 <-> DISABLED <-> PUA-TOOLBARS Hijacker imesh mediabar runtime detection - auto update (pua-toolbars.rules)
 * 1:12122 <-> DISABLED <-> PUA-TOOLBARS Trackware spynova runtime detection (pua-toolbars.rules)