Sourcefire VRT Rules Update

Date: 2013-05-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of each entry is:

gid:sid <-> Default rule state <-> Message (rule group)

The state shown is the default in the shipped rule pack, not the state on any particular sensor: rules listed as DISABLED are delivered commented out and must be enabled explicitly through your rule-management tooling before they generate events, while ENABLED rules are active as soon as the pack is deployed.
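The listing above is meant to be read by people, but the fixed `gid:sid <-> state <-> message (group)` layout also makes it easy to triage a pack by machine: count what changed per rule group, catch duplicated or malformed entries, and generate the enable list for the DISABLED rules you do want. The parser below is an added example written for this page, not Sourcefire or Snort code; the sample text is copied from the listing on this page, and the `enablesid` output format (one `gid:sid` per line, `#` comment lines) is assumed to match what PulledPork's `enablesid.conf` accepts.

```python
import re
from collections import Counter, defaultdict

# One rule entry, e.g.
#  * 1:26657 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Shiz outbound connection (malware-cnc.rules)
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)
# Section headers that separate new rules from modified ones.
SECTION_LINE = re.compile(r"^\s*(?P<section>New|Modified) Rules:\s*$")


def parse_update(text):
    """Parse a VRT update listing into a list of rule dicts.

    Each dict carries gid, sid, state, msg, group and the section
    ('new' or 'modified') the entry appeared under. A bullet line that
    does not match the expected layout raises ValueError so that a
    truncated or mangled listing is not silently half-parsed.
    """
    rules = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = SECTION_LINE.match(raw)
        if m:
            section = m.group("section").lower()
            continue
        m = RULE_LINE.match(raw)
        if m:
            if section is None:
                raise ValueError(f"line {lineno}: rule entry before any section header")
            rules.append({
                "gid": int(m.group("gid")),
                "sid": int(m.group("sid")),
                "state": m.group("state"),
                "msg": m.group("msg"),
                "group": m.group("group"),
                "section": section,
            })
        elif raw.strip().startswith("*"):
            raise ValueError(f"line {lineno}: malformed rule entry: {raw.strip()!r}")
    return rules


def duplicate_sids(rules):
    """Return (gid, sid) pairs that occur more than once in the listing."""
    seen = Counter((r["gid"], r["sid"]) for r in rules)
    return sorted(key for key, n in seen.items() if n > 1)


def summarize(rules):
    """Map each rule group to a count of ENABLED / DISABLED entries."""
    summary = defaultdict(Counter)
    for r in rules:
        summary[r["group"]][r["state"]] += 1
    return {group: dict(counts) for group, counts in summary.items()}


def enablesid_lines(rules, groups, section="new"):
    """Emit enable-list lines for DISABLED rules in the chosen groups.

    Output is a '# message' comment followed by 'gid:sid' for each rule,
    which is assumed to be the shape PulledPork's enablesid.conf expects.
    """
    lines = []
    for r in rules:
        if r["section"] == section and r["state"] == "DISABLED" and r["group"] in groups:
            lines.append(f"# {r['msg']}")
            lines.append(f"{r['gid']}:{r['sid']}")
    return lines


# Sample entries copied from the listing on this page (not a full pack).
SAMPLE = """\
New Rules:

 * 1:26654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www2.x3x4.su - backdoor trojan (blacklist.rules)
 * 1:26657 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Shiz outbound connection (malware-cnc.rules)
 * 1:26658 <-> DISABLED <-> BROWSER-WEBKIT Possible Google Chrome Plugin install from non-trusted source (browser-webkit.rules)
 * 1:26704 <-> DISABLED <-> SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory transversal attempt (server-webapp.rules)

Modified Rules:

 * 1:26553 <-> ENABLED <-> PUA-ADWARE Win.Adware.BProtector browser hijacker dll list download attempt (pua-adware.rules)
 * 1:23258 <-> DISABLED <-> SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory transversal attempt (server-webapp.rules)
 * 3:15857 <-> ENABLED <-> WEB-CLIENT Microsoft Windows AVIFile media file invalid header length (web-client.rules)
"""

if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    for group, counts in sorted(summarize(parsed).items()):
        print(f"{group:24} {counts}")
    print("duplicates:", duplicate_sids(parsed))
    print("\n".join(enablesid_lines(parsed, {"server-webapp.rules", "browser-webkit.rules"})))
```

Run it against the full text of an update (for example a saved copy of this page) to see, per group, how many of the new rules arrive disabled; those are the ones that need a deliberate decision, since they will not fire until you enable them.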

New Rules:
 * 1:26654 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www2.x3x4.su - backdoor trojan (blacklist.rules)
 * 1:26655 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.PCRat data upload (malware-backdoor.rules)
 * 1:26656 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Travnet Botnet data upload (malware-cnc.rules)
 * 1:26657 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Shiz outbound connection (malware-cnc.rules)
 * 1:26658 <-> DISABLED <-> BROWSER-WEBKIT Possible Google Chrome Plugin install from non-trusted source (browser-webkit.rules)
 * 1:26659 <-> DISABLED <-> BROWSER-FIREFOX Possible Mozilla Firefox Plugin install from non-trusted source (browser-firefox.rules)
 * 1:26660 <-> ENABLED <-> MALWARE-OTHER Fake delivery information phishing attack (malware-other.rules)
 * 1:26661 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:26662 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:26663 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt (file-office.rules)
 * 1:26664 <-> DISABLED <-> FILE-IMAGE BMP extremely large xpos opcodes (file-image.rules)
 * 1:26665 <-> DISABLED <-> FILE-IMAGE BMP extremely large xpos opcodes (file-image.rules)
 * 1:26666 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ANIMATECOLOR SMIL access attempt (browser-ie.rules)
 * 1:26667 <-> ENABLED <-> FILE-MULTIMEDIA Apple iTunes playlist overflow attempt (file-multimedia.rules)
 * 1:26668 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:26669 <-> ENABLED <-> SERVER-WEBAPP HP Intelligent Management Center SyslogDownloadServlet information disclosure attempt (server-webapp.rules)
 * 1:26670 <-> ENABLED <-> MALWARE-OTHER OSX.Trojan.KitM file download (malware-other.rules)
 * 1:26671 <-> ENABLED <-> MALWARE-OTHER OSX.Trojan.KitM file download (malware-other.rules)
 * 1:26672 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt (file-office.rules)
 * 1:26673 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt (file-office.rules)
 * 1:26674 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt (file-office.rules)
 * 1:26675 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word file sprmTSetBrc processing buffer overflow attempt (file-office.rules)
 * 1:26676 <-> ENABLED <-> FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt (file-office.rules)
 * 1:26677 <-> ENABLED <-> MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc (malware-cnc.rules)
 * 1:26678 <-> ENABLED <-> MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc (malware-cnc.rules)
 * 1:26679 <-> ENABLED <-> MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc (malware-cnc.rules)
 * 1:26680 <-> ENABLED <-> MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc (malware-cnc.rules)
 * 1:26681 <-> ENABLED <-> MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc (malware-cnc.rules)
 * 1:26682 <-> DISABLED <-> BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt (browser-plugins.rules)
 * 1:26683 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Shyape variant outbound connection (malware-cnc.rules)
 * 1:26684 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Neshax variant outbound connection (malware-cnc.rules)
 * 1:26685 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string J13A (blacklist.rules)
 * 1:26686 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - Alina (blacklist.rules)
 * 1:26687 <-> ENABLED <-> FILE-FLASH Adobe SWF malformed HTML text null dereference attempt (file-flash.rules)
 * 1:26688 <-> ENABLED <-> FILE-FLASH Adobe SWF malformed HTML text null dereference attempt (file-flash.rules)
 * 1:26689 <-> ENABLED <-> MALWARE-CNC Android Denofow phone information exfiltration (malware-cnc.rules)
 * 1:26690 <-> ENABLED <-> MALWARE-CNC Miniduke server contact (malware-cnc.rules)
 * 1:26709 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt (file-office.rules)
 * 1:26691 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UFRStealer variant outbound connection (malware-cnc.rules)
 * 1:26710 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt (file-office.rules)
 * 1:26708 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt (file-office.rules)
 * 1:26704 <-> DISABLED <-> SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory transversal attempt (server-webapp.rules)
 * 1:26707 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt (file-office.rules)
 * 1:26703 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upero variant outbound connection (malware-cnc.rules)
 * 1:26692 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyremoav variant outbound connection (malware-cnc.rules)
 * 1:26693 <-> ENABLED <-> MALWARE-CNC Android Antammi device information exfiltration (malware-cnc.rules)
 * 1:26694 <-> DISABLED <-> FILE-PDF Adobe Reader dll injection sandbox escape (file-pdf.rules)
 * 1:26695 <-> DISABLED <-> MALWARE-CNC Namihno Trojan CnC Request (malware-cnc.rules)
 * 1:26696 <-> DISABLED <-> MALWARE-CNC Cbeplay Ransomware outbound connection - Abnormal HTTP Headers (malware-cnc.rules)
 * 1:26697 <-> ENABLED <-> MALWARE-CNC Cbeplay Ransomware outbound connection - POST Body (malware-cnc.rules)
 * 1:26698 <-> ENABLED <-> MALWARE-OTHER Compromised Website response - leads to Exploit Kit (malware-other.rules)
 * 1:26699 <-> DISABLED <-> FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt (file-image.rules)
 * 1:26700 <-> DISABLED <-> FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt (file-image.rules)
 * 1:26701 <-> DISABLED <-> FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt (file-image.rules)
 * 1:26702 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - Win (blacklist.rules)
 * 1:26706 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt (file-office.rules)
 * 1:26705 <-> ENABLED <-> MALWARE-CNC Android Ewalls device information exfiltration (malware-cnc.rules)

Modified Rules:
 * 1:26553 <-> ENABLED <-> PUA-ADWARE Win.Adware.BProtector browser hijacker dll list download attempt (pua-adware.rules)
 * 1:26634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:26362 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26364 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26564 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime Movie file clipping region handling heap buffer overflow attempt (file-multimedia.rules)
 * 1:26628 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio SVG external entity local file disclosure attempt (file-office.rules)
 * 1:26633 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer html reload loop attempt (browser-ie.rules)
 * 1:26653 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
 * 1:8416 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vector Markup Language fill method overflow attempt (os-windows.rules)
 * 1:26640 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value (browser-ie.rules)
 * 1:26647 <-> ENABLED <-> BROWSER-PLUGINS Java security warning bypass through JWS attempt (browser-plugins.rules)
 * 1:26646 <-> ENABLED <-> BROWSER-PLUGINS Java security warning bypass through JWS attempt (browser-plugins.rules)
 * 1:26639 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value (browser-ie.rules)
 * 1:26637 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt (browser-ie.rules)
 * 1:26635 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:13572 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt (file-office.rules)
 * 1:16523 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:17301 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt (file-office.rules)
 * 1:13819 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino Web Server Accept-Language header buffer overflow attempt (server-webapp.rules)
 * 1:10115 <-> DISABLED <-> FILE-IMAGE Microsoft Windows WMF FILE-IMAGE attempt (file-image.rules)
 * 1:18174 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSS memory corruption attempt (browser-ie.rules)
 * 1:18484 <-> ENABLED <-> FILE-MULTIMEDIA Apple iTunes playlist overflow attempt (file-multimedia.rules)
 * 1:16079 <-> DISABLED <-> SERVER-WEBAPP uselang code injection (server-webapp.rules)
 * 1:17250 <-> ENABLED <-> FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt (file-office.rules)
 * 1:2002 <-> DISABLED <-> SERVER-WEBAPP remote include path attempt (server-webapp.rules)
 * 1:17310 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt (file-office.rules)
 * 1:26361 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:21163 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook VEVENT overflow attempt (file-office.rules)
 * 1:17390 <-> ENABLED <-> FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt (file-image.rules)
 * 1:18175 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSS memory corruption attempt (browser-ie.rules)
 * 1:23516 <-> ENABLED <-> FILE-PDF PDF with click-to-launch executable (file-pdf.rules)
 * 1:18514 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt (file-office.rules)
 * 1:23838 <-> DISABLED <-> OS-WINDOWS SMB NetServerEnum response host format string exploit attempt (os-windows.rules)
 * 1:18535 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word file sprmTSetBrc processing buffer overflow attempt (file-office.rules)
 * 1:21086 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption (browser-ie.rules)
 * 1:26359 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:25025 <-> DISABLED <-> MALWARE-CNC Win.Downloader.Recslurp variant outbound connection (malware-cnc.rules)
 * 1:26365 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:23137 <-> DISABLED <-> BROWSER-IE Microsoft multiple product toStaticHTML XSS attempt (browser-ie.rules)
 * 1:25669 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Selasloot variant outbound connection (malware-cnc.rules)
 * 1:23258 <-> DISABLED <-> SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory transversal attempt (server-webapp.rules)
 * 1:26357 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26356 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26363 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26372 <-> ENABLED <-> FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt (file-image.rules)
 * 1:26257 <-> DISABLED <-> MALWARE-BACKDOOR ANDR-WIN.MSIL variant PC-USB Malicious executable file download (malware-backdoor.rules)
 * 1:25985 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt (browser-ie.rules)
 * 1:26360 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:25984 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt (browser-ie.rules)
 * 1:26358 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:25587 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt (file-office.rules)
 * 1:26355 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:24551 <-> DISABLED <-> FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt (file-image.rules)
 * 1:23878 <-> DISABLED <-> BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt (browser-plugins.rules)
 * 1:26525 <-> ENABLED <-> BROWSER-PLUGINS Java security warning bypass through JWS attempt (browser-plugins.rules)
 * 1:23723 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
 * 1:26022 <-> DISABLED <-> FILE-PDF EmbeddedFile contained within a PDF (file-pdf.rules)
 * 1:26524 <-> ENABLED <-> BROWSER-PLUGINS Java security warning bypass through JWS attempt (browser-plugins.rules)
 * 1:26373 <-> ENABLED <-> FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt (file-image.rules)
 * 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
 * 1:26374 <-> ENABLED <-> FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt (file-image.rules)
 * 1:26535 <-> ENABLED <-> EXPLOIT-KIT Stamp Exploit Kit landing page - specific structure (exploit-kit.rules)
 * 3:15857 <-> ENABLED <-> WEB-CLIENT Microsoft Windows AVIFile media file invalid header length (web-client.rules)
 * 3:15365 <-> ENABLED <-> WEB-CLIENT Microsoft Excel extrst record arbitrary code excecution attempt (web-client.rules)