Sourcefire VRT Rules Update

Date: 2013-05-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:26561 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:26556 <-> ENABLED <-> BLACKLIST DNS request for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26555 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xxxxxxxxxxxxxxx.kei.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26557 <-> ENABLED <-> SERVER-WEBAPP Wordpress brute-force login attempt (server-webapp.rules)
 * 1:26554 <-> ENABLED <-> BLACKLIST DNS request for known malware domain d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector (blacklist.rules)
 * 1:26551 <-> ENABLED <-> FILE-OTHER Oracle Java JRE reflection types public final field overwrite attempt (file-other.rules)
 * 1:26552 <-> ENABLED <-> FILE-OTHER Oracle Java JRE reflection types public final field overwrite attempt (file-other.rules)
 * 1:26553 <-> ENABLED <-> PUA-ADWARE Win.Adware.BProtector browser hijacker dll list download attempt (pua-adware.rules)
 * 1:26546 <-> DISABLED <-> BROWSER-PLUGINS SafeNet ActiveX clsid access (browser-plugins.rules)
 * 1:26550 <-> ENABLED <-> FILE-OTHER Oracle Java JRE reflection types public final field overwrite attempt (file-other.rules)
 * 1:26549 <-> ENABLED <-> FILE-OTHER Oracle Java JRE reflection types public final field overwrite attempt (file-other.rules)
 * 1:26547 <-> ENABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace remote code execution attempt (server-webapp.rules)
 * 1:26548 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM webappmon.exe buffer overflow attempt (server-webapp.rules)
 * 1:26541 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit successful redirection (exploit-kit.rules)
 * 1:26545 <-> DISABLED <-> BROWSER-PLUGINS SafeNet ActiveX clsid access (browser-plugins.rules)
 * 1:26544 <-> DISABLED <-> BROWSER-PLUGINS SafeNet ActiveX clsid access (browser-plugins.rules)
 * 1:26540 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:26542 <-> DISABLED <-> SERVER-OTHER Autonomy Ultraseek cs.html url parameter with url - possible malicious redirection attempt (server-other.rules)
 * 1:26543 <-> DISABLED <-> BROWSER-PLUGINS SafeNet ActiveX clsid access (browser-plugins.rules)
 * 1:26539 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit pdf download detection (exploit-kit.rules)
 * 1:26538 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit landing page received (exploit-kit.rules)
 * 1:26559 <-> ENABLED <-> OS-OTHER DLink IP camera remote command execution vulnerability - access to vulnerable rtpd.cgi (os-other.rules)
 * 1:26537 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit jar download detection (exploit-kit.rules)
 * 1:26532 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Cdorked download attempt (malware-other.rules)
 * 1:26533 <-> DISABLED <-> MALWARE-CNC Unknown malware - Incorrect headers - Referer HTTP/1.0 (malware-cnc.rules)
 * 1:26535 <-> ENABLED <-> EXPLOIT-KIT Stamp Exploit Kit landing page - specific structure (exploit-kit.rules)
 * 1:26536 <-> ENABLED <-> EXPLOIT-KIT Stamp Exploit Kit landing page (exploit-kit.rules)
 * 1:26528 <-> ENABLED <-> INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirect attempt (indicator-compromise.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp Exploit Kit portable executable download (exploit-kit.rules)
 * 1:26531 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Cdorked download attempt (malware-other.rules)
 * 1:26527 <-> ENABLED <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt (exploit-kit.rules)
 * 1:26529 <-> ENABLED <-> INDICATOR-COMPROMISE Unix.Backdoor.Cdorked backdoor command attempt (indicator-compromise.rules)
 * 1:26530 <-> ENABLED <-> INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirected URI attempt (indicator-compromise.rules)
 * 1:26526 <-> ENABLED <-> EXPLOIT-KIT Portable Executable downloaded with bad DOS stub (exploit-kit.rules)
 * 1:26560 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection - getcomando POST data (malware-cnc.rules)
 * 1:26558 <-> DISABLED <-> BLACKLIST User-Agent known Malicious user agent Brutus AET (blacklist.rules)

Modified Rules:
 * 1:26496 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
 * 1:26511 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit redirection structure (exploit-kit.rules)
 * 1:3653 <-> DISABLED <-> SERVER-MAIL SAML overflow attempt (server-mail.rules)
 * 1:10188 <-> DISABLED <-> PROTOCOL-FTP Ipswitch Ws_ftp XMD5 overflow attempt (protocol-ftp.rules)
 * 1:15362 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (indicator-obfuscation.rules)
 * 1:15554 <-> DISABLED <-> SERVER-ORACLE Application Server 10g OPMN service format string vulnerability exploit attempt (server-oracle.rules)
 * 1:16300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML comment creation attempt (browser-ie.rules)
 * 1:16301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt (browser-ie.rules)
 * 1:17086 <-> ENABLED <-> BROWSER-PLUGINS Creative Software AutoUpdate Engine CTSUEng.ocx ActiveX control access attempt (browser-plugins.rules)
 * 1:18520 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt (browser-ie.rules)
 * 1:18999 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM webappmon.exe buffer overflow attempt (server-webapp.rules)
 * 1:21347 <-> ENABLED <-> EXPLOIT-KIT URI possible Blackhole URL - .php?page= (exploit-kit.rules)
 * 1:21845 <-> ENABLED <-> MALWARE-OTHER TDS Sutra - redirect received (malware-other.rules)
 * 1:26494 <-> DISABLED <-> FILE-IDENTIFY KingView KingMessage log file attachment detected (file-identify.rules)
 * 1:21846 <-> ENABLED <-> MALWARE-OTHER TDS Sutra - request in.cgi (malware-other.rules)
 * 1:21848 <-> ENABLED <-> MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS (malware-other.rules)
 * 1:21849 <-> ENABLED <-> MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS (malware-other.rules)
 * 1:21850 <-> ENABLED <-> MALWARE-OTHER TDS Sutra - request hi.cgi (malware-other.rules)
 * 1:21851 <-> ENABLED <-> MALWARE-OTHER TDS Sutra - redirect received (malware-other.rules)
 * 1:23147 <-> ENABLED <-> EXPLOIT-KIT Suspicious taskkill script - StrReverse (exploit-kit.rules)
 * 1:23148 <-> ENABLED <-> EXPLOIT-KIT Suspicious StrReverse - Shell (exploit-kit.rules)
 * 1:23149 <-> ENABLED <-> EXPLOIT-KIT Suspicious StrReverse - Scripting.FileSystemObject (exploit-kit.rules)
 * 1:23224 <-> ENABLED <-> EXPLOIT-KIT RedKit Landing Page Requested - 8Digit.html (exploit-kit.rules)
 * 1:25041 <-> ENABLED <-> EXPLOIT-KIT Java User-Agent flowbit set (exploit-kit.rules)
 * 1:25287 <-> DISABLED <-> SERVER-OTHER Rails XML parameter parsing vulnerability exploitation attempt (server-other.rules)
 * 1:25288 <-> DISABLED <-> SERVER-OTHER Rails XML parameter parsing vulnerability exploitation attempt (server-other.rules)
 * 1:26484 <-> ENABLED <-> FILE-OTHER Oracle Java JRE reflection types public final field overwrite attempt (file-other.rules)
 * 1:26490 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt (browser-other.rules)
 * 1:25317 <-> DISABLED <-> POLICY-OTHER RedHat JBOSS JNDI service naming (policy-other.rules)
 * 1:26466 <-> DISABLED <-> FILE-IDENTIFY XUL file attachment detected (file-identify.rules)
 * 1:26485 <-> ENABLED <-> FILE-OTHER Oracle Java JRE reflection types public final field overwrite attempt (file-other.rules)
 * 1:3654 <-> DISABLED <-> SERVER-MAIL SOML overflow attempt (server-mail.rules)
 * 1:3655 <-> DISABLED <-> SERVER-MAIL SEND overflow attempt (server-mail.rules)
 * 1:26105 <-> DISABLED <-> SERVER-OTHER BigAnt IM Server buffer overflow attempt (server-other.rules)
 * 1:3656 <-> DISABLED <-> SERVER-MAIL MDaemon 6.5.1 and prior versions MAIL overflow attempt (server-mail.rules)
 * 1:26462 <-> DISABLED <-> FILE-OTHER Shadow Stream Recorder asx file buffer overflow attempt (file-other.rules)
 * 1:26323 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit redirection page (exploit-kit.rules)
 * 1:26457 <-> ENABLED <-> FILE-IDENTIFY Stream redirector file attachment detected (file-identify.rules)
 * 1:26461 <-> DISABLED <-> FILE-OTHER Shadow Stream Recorder asx file buffer overflow attempt (file-other.rules)
 * 1:26252 <-> ENABLED <-> EXPLOIT-KIT Impact exploit kit landing page (exploit-kit.rules)