Sourcefire VRT Rules Update

Date: 2013-02-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:25974 <-> DISABLED <-> MALWARE-CNC WIN.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:25973 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Boolflot variant outbound connection (malware-cnc.rules)
 * 1:25976 <-> DISABLED <-> POLICY-OTHER Adobe ColdFusion admin API access attempt (policy-other.rules)
 * 1:25975 <-> DISABLED <-> POLICY-OTHER Adobe ColdFusion admin interface access attempt (policy-other.rules)
 * 1:25977 <-> DISABLED <-> POLICY-OTHER Adobe ColdFusion component browser access attempt (policy-other.rules)
 * 1:25979 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Lukprofin variant outbound connection (malware-cnc.rules)
 * 1:25980 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - Pass (blacklist.rules)
 * 1:25981 <-> DISABLED <-> APP-DETECT Chocoplayer successful installation (app-detect.rules)
 * 1:25978 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Lukprofin variant outbound connection (malware-cnc.rules)
 * 1:25943 <-> ENABLED <-> FILE-IDENTIFY Ogg file download request (file-identify.rules)
 * 1:25942 <-> ENABLED <-> FILE-IDENTIFY Ogg file attachment detected (file-identify.rules)
 * 1:25940 <-> ENABLED <-> FILE-IDENTIFY Ogg file download request (file-identify.rules)
 * 1:25941 <-> ENABLED <-> FILE-IDENTIFY Ogg file attachment detected (file-identify.rules)
 * 1:25938 <-> ENABLED <-> FILE-IDENTIFY Ogg file attachment detected (file-identify.rules)
 * 1:25944 <-> ENABLED <-> FILE-IDENTIFY Ogg file attachment detected (file-identify.rules)
 * 1:25939 <-> ENABLED <-> FILE-IDENTIFY Ogg file attachment detected (file-identify.rules)
 * 1:25936 <-> ENABLED <-> FILE-IDENTIFY Ogg file attachment detected (file-identify.rules)
 * 1:25937 <-> ENABLED <-> FILE-IDENTIFY Ogg file download request (file-identify.rules)
 * 1:25934 <-> ENABLED <-> FILE-IDENTIFY Ogg file download request (file-identify.rules)
 * 1:25945 <-> ENABLED <-> FILE-IDENTIFY Ogg file attachment detected (file-identify.rules)
 * 1:25935 <-> ENABLED <-> FILE-IDENTIFY Ogg file attachment detected (file-identify.rules)
 * 1:25932 <-> ENABLED <-> FILE-IDENTIFY Ogg file attachment detected (file-identify.rules)
 * 1:25933 <-> ENABLED <-> FILE-IDENTIFY Ogg file attachment detected (file-identify.rules)
 * 1:25930 <-> ENABLED <-> FILE-IDENTIFY Ogg file attachment detected (file-identify.rules)
 * 1:25946 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 24131192124.com - Win.Trojan.Chebri.C (blacklist.rules)
 * 1:25931 <-> ENABLED <-> FILE-IDENTIFY Ogg file download request (file-identify.rules)
 * 1:25928 <-> ENABLED <-> FILE-IDENTIFY Ogg file download request (file-identify.rules)
 * 1:25929 <-> ENABLED <-> FILE-IDENTIFY Ogg file attachment detected (file-identify.rules)
 * 1:25926 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25947 <-> DISABLED <-> APP-DETECT Ammyy remote access tool (app-detect.rules)
 * 1:25927 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25924 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25925 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25922 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25948 <-> ENABLED <-> EXPLOIT-KIT redirection to driveby download (exploit-kit.rules)
 * 1:25923 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25921 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25920 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25918 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25949 <-> ENABLED <-> MALWARE-CNC GzWaaa outbound data connection (malware-cnc.rules)
 * 1:25919 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25916 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25917 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25914 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25950 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit PDF exploit (exploit-kit.rules)
 * 1:25915 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25913 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25951 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25952 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit landing page (exploit-kit.rules)
 * 1:25953 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit landing page (exploit-kit.rules)
 * 1:25954 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit SWF file download (exploit-kit.rules)
 * 1:25955 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious jar file download (exploit-kit.rules)
 * 1:25956 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25957 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25958 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25959 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25960 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit former location - has been removed (exploit-kit.rules)
 * 1:25961 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit Portable Executable download (exploit-kit.rules)
 * 1:25962 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25963 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit SWF file download (exploit-kit.rules)
 * 1:25964 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25965 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25966 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25967 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25969 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:25968 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit Portable Executable download (exploit-kit.rules)
 * 1:25971 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit redirection (exploit-kit.rules)
 * 1:25970 <-> ENABLED <-> OS-WINDOWS TCP FIN sent to client (os-windows.rules)
 * 1:25972 <-> DISABLED <-> EXPLOIT-KIT Redkit Exploit Kit three number PDF Request (exploit-kit.rules)
 * 1:25909 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25912 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25911 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25910 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25908 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)

Modified Rules:

 * 1:25014 <-> DISABLED <-> FILE-IDENTIFY Microsoft proxy autoconfig script file magic detected (file-identify.rules)
 * 1:23755 <-> ENABLED <-> FILE-IDENTIFY Cisco Webex Player .wrf file magic detected (file-identify.rules)
 * 1:23726 <-> ENABLED <-> FILE-IDENTIFY Portable Executable compact binary file magic detected (file-identify.rules)
 * 1:23748 <-> ENABLED <-> FILE-IDENTIFY TTF file magic detected (file-identify.rules)
 * 1:23766 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
 * 1:23710 <-> ENABLED <-> FILE-IDENTIFY Tiff big endian file magic detected (file-identify.rules)
 * 1:23679 <-> ENABLED <-> FILE-IDENTIFY compressed Adobe Shockwave Flash file magic detected (file-identify.rules)
 * 1:23189 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:23650 <-> ENABLED <-> FILE-IDENTIFY Ogg Stream file magic detected (file-identify.rules)
 * 1:23707 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:23188 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:21868 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected (file-identify.rules)
 * 1:21940 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
 * 1:21866 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected (file-identify.rules)
 * 1:21867 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected (file-identify.rules)
 * 1:21865 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected (file-identify.rules)
 * 1:21861 <-> ENABLED <-> FILE-IDENTIFY WRF file attachment detected (file-identify.rules)
 * 1:21738 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21739 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21862 <-> ENABLED <-> FILE-IDENTIFY WRF file attachment detected (file-identify.rules)
 * 1:21007 <-> DISABLED <-> FILE-IDENTIFY Microsoft Money file magic detected (file-identify.rules)
 * 1:20981 <-> ENABLED <-> FILE-IDENTIFY OTF file attachment detected (file-identify.rules)
 * 1:21444 <-> DISABLED <-> MALWARE-CNC WIN.Trojan.TDSS outbound connection (malware-cnc.rules)
 * 1:20991 <-> ENABLED <-> FILE-IDENTIFY TTF file magic detected (file-identify.rules)
 * 1:21113 <-> ENABLED <-> FILE-IDENTIFY Cisco Webex Player .wrf file magic detected (file-identify.rules)
 * 1:20978 <-> ENABLED <-> FILE-IDENTIFY TTE file attachment detected (file-identify.rules)
 * 1:20961 <-> ENABLED <-> FILE-IDENTIFY TTE file download request (file-identify.rules)
 * 1:20980 <-> ENABLED <-> FILE-IDENTIFY OTF file attachment detected (file-identify.rules)
 * 1:20962 <-> ENABLED <-> FILE-IDENTIFY OTF file download request (file-identify.rules)
 * 1:20979 <-> ENABLED <-> FILE-IDENTIFY TTE file attachment detected (file-identify.rules)
 * 1:20857 <-> ENABLED <-> FILE-IDENTIFY TwinVQ file attachment detected (file-identify.rules)
 * 1:20851 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
 * 1:20849 <-> ENABLED <-> FILE-IDENTIFY MAKI file attachment detected (file-identify.rules)
 * 1:20856 <-> ENABLED <-> FILE-IDENTIFY TwinVQ file attachment detected (file-identify.rules)
 * 1:20495 <-> ENABLED <-> FILE-IDENTIFY compressed Adobe Shockwave Flash file magic detected (file-identify.rules)
 * 1:20850 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
 * 1:20848 <-> ENABLED <-> FILE-IDENTIFY MAKI file attachment detected (file-identify.rules)
 * 1:19943 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:20743 <-> DISABLED <-> BROWSER-OTHER Multiple web browser window injection attempt (browser-other.rules)
 * 1:18675 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Fax Cover page document file download request (file-identify.rules)
 * 1:20462 <-> ENABLED <-> FILE-IDENTIFY Ogg Stream file magic detected (file-identify.rules)
 * 1:17113 <-> DISABLED <-> OS-WINDOWS Microsoft SilverLight ImageSource redefine flowbit (os-windows.rules)
 * 1:19224 <-> ENABLED <-> FILE-IDENTIFY Cisco Webex wrf file download request (file-identify.rules)
 * 1:17230 <-> ENABLED <-> FILE-IDENTIFY Tiff big endian file magic detected (file-identify.rules)
 * 1:19218 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Fax Cover page document file download request (file-identify.rules)
 * 1:16474 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:15921 <-> ENABLED <-> FILE-IDENTIFY Microsoft multimedia format file download request (file-identify.rules)
 * 1:15426 <-> ENABLED <-> FILE-IDENTIFY MAKI file download request (file-identify.rules)
 * 1:15462 <-> DISABLED <-> BROWSER-OTHER Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt (browser-other.rules)
 * 1:16286 <-> ENABLED <-> FILE-IDENTIFY TrueType font file download request (file-identify.rules)
 * 1:15385 <-> ENABLED <-> FILE-IDENTIFY TwinVQ file download request (file-identify.rules)
 * 1:13797 <-> ENABLED <-> FILE-IDENTIFY Portable Executable compact binary file magic detected (file-identify.rules)
 * 1:14264 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Media Player playlist download (file-identify.rules)
 * 1:25803 <-> ENABLED <-> EXPLOIT-KIT Multiple Exploit kit jar file dropped (exploit-kit.rules)
 * 1:25774 <-> DISABLED <-> OS-WINDOWS TCP FIN handshake resource exhaustion attempt (os-windows.rules)
 * 1:25769 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt (browser-ie.rules)
 * 1:25627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reventon variant outbound communication (malware-cnc.rules)
 * 1:25809 <-> ENABLED <-> MALWARE-CNC Sality logos.gif URLs (malware-cnc.rules)
 * 1:25508 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25507 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit pdf exploit retrieval (exploit-kit.rules)
 * 1:25505 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25326 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25857 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit PDF exploit (exploit-kit.rules)
 * 1:25859 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious jar file download (exploit-kit.rules)
 * 1:25033 <-> DISABLED <-> FILE-IDENTIFY Microsoft Silverlight application file attachment detected (file-identify.rules)
 * 1:3081 <-> ENABLED <-> MALWARE-BACKDOOR Y3KRAT 1.5 Connect (malware-backdoor.rules)
 * 1:24825 <-> DISABLED <-> FILE-IDENTIFY RealPlayer skin file attachment detected (file-identify.rules)
 * 1:25325 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit pdf exploit retrieval (exploit-kit.rules)
 * 1:24824 <-> DISABLED <-> FILE-IDENTIFY RealPlayer skin file download request (file-identify.rules)
 * 1:25308 <-> DISABLED <-> FILE-IDENTIFY Adobe Audition Session file attachment detected (file-identify.rules)
 * 1:25323 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25306 <-> DISABLED <-> FILE-IDENTIFY Adobe Audition Session file download request (file-identify.rules)
 * 1:2435 <-> ENABLED <-> FILE-IDENTIFY Microsoft emf file download request (file-identify.rules)
 * 1:24710 <-> DISABLED <-> FILE-IDENTIFY Netop Remote Control file attachment detected (file-identify.rules)
 * 1:24651 <-> DISABLED <-> FILE-IDENTIFY Microsoft proxy autoconfig script file download request (file-identify.rules)
 * 1:24708 <-> DISABLED <-> FILE-IDENTIFY Netop Remote Control file download request (file-identify.rules)
 * 1:24313 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Operations Agent request attempt (server-webapp.rules)
 * 1:25307 <-> DISABLED <-> FILE-IDENTIFY Adobe Audition Session file attachment detected (file-identify.rules)
 * 1:24826 <-> DISABLED <-> FILE-IDENTIFY RealPlayer skin file attachment detected (file-identify.rules)
 * 1:25305 <-> DISABLED <-> FILE-IDENTIFY Adobe Audition Session file magic detected (file-identify.rules)
 * 1:24709 <-> DISABLED <-> FILE-IDENTIFY Netop Remote Control file attachment detected (file-identify.rules)
 * 1:25034 <-> DISABLED <-> FILE-IDENTIFY Microsoft Silverlight application file attachment detected (file-identify.rules)
 * 1:25032 <-> DISABLED <-> FILE-IDENTIFY Microsoft Silverlight application file download request (file-identify.rules)