Sourcefire VRT Rules Update

Date: 2013-05-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:26721 <-> ENABLED <-> MALWARE-CNC Pushdo Spiral Traffic (malware-cnc.rules)
 * 1:26722 <-> ENABLED <-> MALWARE-CNC Bancos fake JPG encrypted config file download (malware-cnc.rules)
 * 1:26716 <-> ENABLED <-> FILE-OTHER Oracle Java font rendering remote code execution attempt (file-other.rules)
 * 1:26720 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kbot variant outbound connection (malware-cnc.rules)
 * 1:26718 <-> ENABLED <-> BLACKLIST DNS request for known malware domain - Backdoor Rbot (blacklist.rules)
 * 1:26719 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kbot variant outbound connection (malware-cnc.rules)
 * 1:26715 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev rev 3 outbound traffic (malware-cnc.rules)
 * 1:26717 <-> ENABLED <-> FILE-OTHER Oracle Java font rendering remote code execution attempt (file-other.rules)
 * 1:26714 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev rev 2 outbound traffic (malware-cnc.rules)
 * 1:26711 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed ftCMO record remote code execution attempt (file-office.rules)
 * 1:26712 <-> ENABLED <-> MALWARE-CNC Kazy Trojan check-in (malware-cnc.rules)
 * 1:26713 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev rev 1 outbound traffic (malware-cnc.rules)

Modified Rules:

 * 1:23891 <-> ENABLED <-> FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:25596 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:3824 <-> DISABLED <-> SERVER-MAIL AUTH user overflow attempt (server-mail.rules)
 * 1:16495 <-> DISABLED <-> MALWARE-CNC Rustock botnet variant outbound connection (malware-cnc.rules)
 * 1:16655 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Lbl record stack overflow attempt (file-office.rules)
 * 1:23892 <-> ENABLED <-> FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:23890 <-> ENABLED <-> FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:8448 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel colinfo XF record overflow attempt (file-office.rules)
 * 1:17536 <-> DISABLED <-> SERVER-WEBAPP generic server HTTP Auth Header buffer overflow attempt (server-webapp.rules)
 * 1:17400 <-> DISABLED <-> INDICATOR-OBFUSCATION rename of javascript unescape function detected (indicator-obfuscation.rules)
 * 1:25471 <-> ENABLED <-> MALWARE-CNC Pushdo Spiral Traffic (malware-cnc.rules)
 * 1:19943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:25593 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:15697 <-> DISABLED <-> INDICATOR-OBFUSCATION rename of javascript unescape function detected (indicator-obfuscation.rules)
 * 1:23889 <-> ENABLED <-> FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:26659 <-> DISABLED <-> BROWSER-FIREFOX Possible Mozilla Firefox Plugin install from non-trusted source (browser-firefox.rules)
 * 1:8415 <-> DISABLED <-> PROTOCOL-FTP SIZE overflow attempt (protocol-ftp.rules)
 * 1:25969 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:22954 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed SELECTION Record Code Execution attempt (file-office.rules)