Sourcefire VRT Rules Update

Date: 2013-06-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:26786 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:26785 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Qrmon variant outbound connection (malware-cnc.rules)
 * 1:26780 <-> ENABLED <-> MALWARE-CNC cridex HTTP Response - default0.js (malware-cnc.rules)
 * 1:26784 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nivdort variant outbound connection (malware-cnc.rules)
 * 1:26781 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vseforyou.ru - Cridex Trojan (blacklist.rules)
 * 1:26779 <-> ENABLED <-> MALWARE-CNC cridex encrypted POST check-in (malware-cnc.rules)
 * 1:26775 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blocker outbound connection HTTP Header Structure (malware-cnc.rules)
 * 1:26782 <-> ENABLED <-> BLACKLIST DNS request for known malware domain commorgan.ru - Cridex Trojan (blacklist.rules)
 * 1:26783 <-> ENABLED <-> MALWARE-OTHER ANDR.Trojan.Opfake APK file download (malware-other.rules)
 * 1:26776 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blocker outbound connection POST (malware-cnc.rules)
 * 1:26778 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Kazy download attempt (malware-other.rules)
 * 1:26774 <-> ENABLED <-> MALWARE-CNC Win.Worm.Luder outbound connection (malware-cnc.rules)
 * 1:26777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy variant outbound connection (malware-cnc.rules)
 * 1:26809 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Tomvode variant outbound connection (malware-cnc.rules)
 * 1:26803 <-> ENABLED <-> MALWARE-OTHER DNS information disclosure attempt (malware-other.rules)
 * 1:26798 <-> ENABLED <-> SERVER-WEBAPP Mutiny editdocument servlet arbitrary file upload attempt (server-webapp.rules)
 * 1:26802 <-> DISABLED <-> MALWARE-OTHER WIN.Worm.Beagle.AZ SMTP propagation detection (malware-other.rules)
 * 1:26805 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit encrypted binary download (exploit-kit.rules)
 * 1:26797 <-> ENABLED <-> SERVER-WEBAPP Mutiny editdocument servlet arbitrary file access attempt (server-webapp.rules)
 * 1:26804 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
 * 1:26801 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel style handling overflow attempt (file-office.rules)
 * 1:26793 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vbula variant initial CNC contact (malware-cnc.rules)
 * 1:26799 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel style handling overflow attempt (file-office.rules)
 * 1:26800 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel style handling overflow attempt (file-office.rules)
 * 1:26788 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:26792 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vbula variant outbound connection (malware-cnc.rules)
 * 1:26795 <-> ENABLED <-> MALWARE-OTHER ANDR.Trojan.ZertSecurity apk download (malware-other.rules)
 * 1:26796 <-> ENABLED <-> MALWARE-OTHER ANDR.Trojan.ZertSecurity encrypted information leak (malware-other.rules)
 * 1:26789 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:26794 <-> ENABLED <-> SERVER-WEBAPP HP Intelligent Management Center UAM acmServletDownload information disclosure attempt (server-webapp.rules)
 * 1:26787 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:26790 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:26791 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:26806 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit short JNLP request (exploit-kit.rules)
 * 1:26808 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit short jar request (exploit-kit.rules)
 * 1:26807 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)

Modified Rules:

 * 1:10504 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:25642 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:10505 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:25641 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:25643 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules)
 * 1:18529 <-> ENABLED <-> FILE-OTHER Adobe Premiere Pro ibfs32.dll dll-load exploit attempt (file-other.rules)
 * 1:26769 <-> DISABLED <-> DOS MIT Kerberos kpasswd process_chpw_request denial of service attempt (dos.rules)
 * 1:18952 <-> ENABLED <-> FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt (file-other.rules)
 * 1:20223 <-> ENABLED <-> FILE-IDENTIFY SMI file download request (file-identify.rules)
 * 1:20436 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)
 * 1:20437 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)
 * 1:20438 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)
 * 1:20439 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)
 * 1:21927 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel style handling overflow attempt (file-office.rules)
 * 1:22076 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:22078 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:22954 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed SELECTION Record Code Execution attempt (file-office.rules)
 * 1:23605 <-> DISABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
 * 1:23883 <-> DISABLED <-> FILE-PDF Adobe Reader JBIG2 encoding invalid symbol in dictionary segment (file-pdf.rules)
 * 1:23884 <-> DISABLED <-> FILE-PDF Adobe Reader JBIG2 encoding invalid symbol in dictionary segment (file-pdf.rules)
 * 1:24062 <-> DISABLED <-> MALWARE-CNC W32.Trojan.Hufysk variant outbound connection (malware-cnc.rules)
 * 1:24255 <-> ENABLED <-> MALWARE-CNC Sality logo.gif URLs (malware-cnc.rules)
 * 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:25274 <-> ENABLED <-> SERVER-IIS Microsoft Windows Server 2012 IIS OData protocol nested replace filter dos attempt (server-iis.rules)
 * 1:25512 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.SMSsend variant outbound connection (malware-cnc.rules)
 * 1:25517 <-> DISABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
 * 1:26648 <-> ENABLED <-> FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt (file-other.rules)
 * 1:26649 <-> ENABLED <-> FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt (file-other.rules)
 * 1:26650 <-> ENABLED <-> FILE-PDF Adobe Reader javascript regex embedded sandbox escape attempt (file-pdf.rules)
 * 1:26762 <-> DISABLED <-> MALWARE-CNC Potential Bancos Trojan - HTTP Header Structure Anomaly v2.0 (malware-cnc.rules)
 * 1:26659 <-> DISABLED <-> BROWSER-FIREFOX Possible Mozilla Firefox Plugin install from non-Mozilla source (browser-firefox.rules)
 * 1:494 <-> ENABLED <-> INDICATOR-COMPROMISE command completed (indicator-compromise.rules)
 * 1:25639 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:25636 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:25637 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:25634 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:25635 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:25640 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)
 * 1:25638 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoded shellcode (indicator-shellcode.rules)