Sourcefire VRT Rules Update

Date: 2013-08-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
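As an added example (not part of the VRT release notes), here is a small Python parser for the `gid:sid <-> state <-> message (group)` line format above. It splits the notes into their sections and answers the questions an analyst typically has when a rule pack lands: which new rules ship DISABLED and so need a deliberate decision, how many rules each rules file gained, and which messages are shared by several SIDs (variants of one detection). The sample text is constructed from a handful of lines excerpted from the lists below; the function and class names are my own, not Sourcefire's.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Matches one entry line: " * gid:sid <-> STATE <-> message (group.rules)".
# Headings, blank lines and the format-description line do not match.
ENTRY_RE = re.compile(
    r"""^\*?\s*
        (?P<gid>\d+):(?P<sid>\d+)\s*<->\s*
        (?P<state>ENABLED|DISABLED)\s*<->\s*
        (?P<msg>.*?)\s*
        \((?P<group>[^()]+\.rules)\)$""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool   # default state as shipped in the rule pack
    message: str
    group: str      # rules file, e.g. "malware-cnc.rules"

    @property
    def category(self) -> str:
        # The message text starts with the rule category, e.g. "EXPLOIT-KIT".
        return self.message.split(" ", 1)[0]


def parse_line(line: str):
    """Return a RuleEntry for one entry line, or None if the line is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    return RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                     m["msg"], m["group"])


def parse_update(text: str) -> dict:
    """Split the notes into sections keyed by heading ("New Rules", "Modified Rules")."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):      # a section heading such as "New Rules:"
            current = line[:-1]
            continue
        entry = parse_line(line)
        if entry is not None:
            sections[current].append(entry)
    return dict(sections)


def disabled_by_default(entries) -> list:
    """Rules that ship DISABLED; these never fire unless you enable them locally."""
    return sorted((e for e in entries if not e.enabled), key=lambda e: (e.gid, e.sid))


def count_by_group(entries) -> Counter:
    """How many entries touch each rules file."""
    return Counter(e.group for e in entries)


def shared_messages(entries) -> dict:
    """Messages carried by more than one SID, as message -> sorted list of SIDs."""
    by_msg = defaultdict(list)
    for e in entries:
        by_msg[e.message].append(e.sid)
    return {msg: sorted(sids) for msg, sids in by_msg.items() if len(sids) > 1}


def candidates_to_enable(entries, categories) -> list:
    """gid:sid strings for DISABLED rules in the given categories, e.g. {"EXPLOIT-KIT"}."""
    return [f"{e.gid}:{e.sid}" for e in disabled_by_default(entries)
            if e.category in categories]


# Constructed sample: a few lines excerpted from the lists in this update.
SAMPLE = """\
New Rules:

 * 1:27544 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected (malware-cnc.rules)
 * 1:27545 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Janicab outbound communication (malware-cnc.rules)
 * 1:27554 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound URI request (exploit-kit.rules)
 * 1:27546 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Janicab outbound communication (malware-cnc.rules)
 * 1:27553 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound URI request (exploit-kit.rules)
 * 1:27539 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 234 buffer overflow attempt (server-other.rules)

Modified Rules:

 * 1:25518 <-> DISABLED <-> OS-MOBILE Apple iPod User-Agent detected (os-mobile.rules)
 * 3:17700 <-> ENABLED <-> WEB-CLIENT RealNetworks RealPlayer wav chunk string overflow attempt (web-client.rules)
"""

if __name__ == "__main__":
    sections = parse_update(SAMPLE)
    for name, entries in sections.items():
        print(f"{name}: {len(entries)} entries, by group {dict(count_by_group(entries))}")
    new = sections["New Rules"]
    print("new rules off by default:", [f"{e.gid}:{e.sid}" for e in disabled_by_default(new)])
    print("messages shared by several SIDs:", shared_messages(new))
    print("exploit-kit rules to consider enabling:", candidates_to_enable(new, {"EXPLOIT-KIT"}))
```

The DISABLED state is the pack default, not a recommendation against the rule: several of the exploit-kit and blacklist rules below are off by default because they are noisy or environment-specific, and `candidates_to_enable` is the list to review against local policy rather than to apply blindly.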

New Rules:


 * 1:27544 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected (malware-cnc.rules)
 * 1:27545 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Janicab outbound communication (malware-cnc.rules)
 * 1:27535 <-> DISABLED <-> BLACKLIST DNS request for known malware domain mainenbha.com - Win.Kraziomel Trojan (blacklist.rules)
 * 1:27554 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound URI request (exploit-kit.rules)
 * 1:27533 <-> ENABLED <-> MALWARE-CNC Potential Win.Kraziomel Download - 000.jpg (malware-cnc.rules)
 * 1:27541 <-> DISABLED <-> APP-DETECT OzymanDNS outbound down attempt (app-detect.rules)
 * 1:27540 <-> DISABLED <-> APP-DETECT OzymanDNS outbound up attempt (app-detect.rules)
 * 1:27546 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Janicab outbound communication (malware-cnc.rules)
 * 1:27534 <-> DISABLED <-> BLACKLIST DNS request for known malware domain claimcrazy.us - Win.Kraziomel Trojan (blacklist.rules)
 * 1:27557 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound URI request (exploit-kit.rules)
 * 1:27547 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Janicab outbound communication (malware-cnc.rules)
 * 1:27539 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 234 buffer overflow attempt (server-other.rules)
 * 1:27537 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ohtheigh.cc - Foreign-R Trojan (blacklist.rules)
 * 1:27542 <-> ENABLED <-> FILE-IDENTIFY Python bytecode file magic detected (file-identify.rules)
 * 1:27536 <-> DISABLED <-> APP-DETECT TCP over DNS response attempt (app-detect.rules)
 * 1:27538 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name (malware-other.rules)
 * 1:27548 <-> ENABLED <-> MALWARE-OTHER Osx.Trojan.Janicab file download attempt (malware-other.rules)
 * 1:27549 <-> ENABLED <-> MALWARE-OTHER Osx.Trojan.Janicab file download attempt (malware-other.rules)
 * 1:27550 <-> ENABLED <-> MALWARE-OTHER Compromised website response - leads to Exploit Kit (malware-other.rules)
 * 1:27551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lorapu variant outbound connection (malware-cnc.rules)
 * 1:27552 <-> ENABLED <-> OS-MOBILE Android Exploit Extra_Field APK file download (os-mobile.rules)
 * 1:27553 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound URI request (exploit-kit.rules)
 * 1:27543 <-> ENABLED <-> FILE-IDENTIFY Python bytecode file magic detected (file-identify.rules)
 * 1:27555 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound URI request (exploit-kit.rules)
 * 1:27556 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound URI request (exploit-kit.rules)

Modified Rules:


 * 1:25518 <-> DISABLED <-> OS-MOBILE Apple iPod User-Agent detected (os-mobile.rules)
 * 1:25521 <-> DISABLED <-> OS-MOBILE Android User-Agent detected (os-mobile.rules)
 * 1:26638 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt (browser-ie.rules)
 * 1:25520 <-> DISABLED <-> OS-MOBILE Apple iPhone User-Agent detected (os-mobile.rules)
 * 1:19943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:26834 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange landing page in.php base64 uri (exploit-kit.rules)
 * 1:25969 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:25523 <-> DISABLED <-> OS-MOBILE Samsung User-Agent detected (os-mobile.rules)
 * 1:25519 <-> DISABLED <-> OS-MOBILE Apple iPad User-Agent detected (os-mobile.rules)
 * 1:26940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TripleNine RAT beacon attempt (malware-cnc.rules)
 * 1:25524 <-> DISABLED <-> OS-MOBILE Kindle User-Agent detected (os-mobile.rules)
 * 1:26968 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi Data Theft POST Data (malware-cnc.rules)
 * 1:25522 <-> DISABLED <-> OS-MOBILE Nokia User-Agent detected (os-mobile.rules)
 * 3:17700 <-> ENABLED <-> WEB-CLIENT RealNetworks RealPlayer wav chunk string overflow attempt (web-client.rules)
 * 3:15857 <-> ENABLED <-> WEB-CLIENT Microsoft Windows AVIFile media file invalid header length (web-client.rules)
 * 3:13790 <-> ENABLED <-> WEB-CLIENT Microsoft Word malformed css remote code execution attempt (web-client.rules)