Sourcefire VRT Rules Update

Date: 2013-03-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:26250 <-> ENABLED <-> BROWSER-PLUGINS Google Apps mailto URI argument injection attempt (browser-plugins.rules)
 * 1:26249 <-> DISABLED <-> MALWARE-CNC Win.Downloader.Sonide variant outbound connection (malware-cnc.rules)
 * 1:26248 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent cibabam (blacklist.rules)
 * 1:26247 <-> ENABLED <-> MALWARE-OTHER ANDR.Trojan.PremiumSMS APK file download (malware-other.rules)
 * 1:26246 <-> ENABLED <-> MALWARE-OTHER ANDR.Trojan.PremiumSMS APK file download (malware-other.rules)
 * 1:26245 <-> DISABLED <-> MALWARE-CNC Win.Spy.Banker variant outbound connection (malware-cnc.rules)
 * 1:26244 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Troll variant outbound connection (malware-cnc.rules)
 * 1:26243 <-> DISABLED <-> FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt (file-multimedia.rules)
 * 1:26242 <-> DISABLED <-> FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt (file-multimedia.rules)
 * 1:26241 <-> DISABLED <-> BROWSER-PLUGINS ActivePDF WebGrabber APWebGrb.ocx ActiveX function call access attempt (browser-plugins.rules)
 * 1:26240 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Vkeikooc variant outbound connection (malware-cnc.rules)
 * 1:26239 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Stehlox variant outbound connection (malware-cnc.rules)
 * 1:26238 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Snopexy variant outbound connection (malware-cnc.rules)
 * 1:26237 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit initial redirection (exploit-kit.rules)
 * 1:26236 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file download (exploit-kit.rules)
 * 1:26235 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file download (exploit-kit.rules)
 * 1:26234 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file download (exploit-kit.rules)
 * 1:26233 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
 * 1:26232 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
 * 1:26231 <-> ENABLED <-> FILE-PDF PDF version 1.1 with FlateDecode embedded - seen in exploit kits (file-pdf.rules)
 * 1:26230 <-> DISABLED <-> SERVER-WEBAPP Alcatel-Lucent OmniPCX arbitrary command execution attempt (server-webapp.rules)
 * 1:26229 <-> ENABLED <-> EXPLOIT-KIT Cool exploit kit MyApplet class retrieval (exploit-kit.rules)
 * 1:26228 <-> ENABLED <-> EXPLOIT-KIT Cool exploit kit redirection page (exploit-kit.rules)
 * 1:26227 <-> ENABLED <-> EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval (exploit-kit.rules)
 * 1:26226 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit redirection attempt (exploit-kit.rules)
 * 1:26225 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt (browser-ie.rules)
 * 1:26224 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt (browser-ie.rules)
 * 1:26223 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt (browser-ie.rules)
 * 1:26222 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt (browser-ie.rules)
 * 1:26221 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt (browser-ie.rules)
 * 1:26220 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt (browser-ie.rules)
 * 1:26219 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt (browser-ie.rules)
 * 1:26218 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt (browser-ie.rules)
 * 1:26217 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt (browser-ie.rules)
 * 1:26216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt (browser-ie.rules)
 * 1:26212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Proxyier variant outbound connection (malware-cnc.rules)
 * 1:26211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eldorado variant outbound connection (malware-cnc.rules)
 * 1:26210 <-> DISABLED <-> FILE-OTHER CyberLink Power2Go name parameter overflow attempt (file-other.rules)
 * 1:26209 <-> DISABLED <-> FILE-OTHER CyberLink Power2Go name parameter overflow attempt (file-other.rules)
 * 1:26208 <-> ENABLED <-> FILE-IDENTIFY CyberLink Power2Go file attachment detected (file-identify.rules)
 * 1:26207 <-> ENABLED <-> FILE-IDENTIFY CyberLink Power2Go file attachment detected (file-identify.rules)
 * 1:26206 <-> ENABLED <-> FILE-IDENTIFY CyberLink Power2Go file download request (file-identify.rules)
 * 3:26215 <-> ENABLED <-> MISC g01 exploit kit dns request - dynalias.com (misc.rules)
 * 3:26214 <-> ENABLED <-> MISC g01 exploit kit dns request - dnsalias.com (misc.rules)
 * 3:26213 <-> ENABLED <-> MISC g01 exploit kit dns request - doesntexist.com (misc.rules)

Modified Rules:

 * 1:26021 <-> ENABLED <-> FILE-PDF Adobe Reader XML Java used in app.setTimeOut (file-pdf.rules)
 * 1:26205 <-> ENABLED <-> MALWARE-CNC Android Fakenetflix email password upload (malware-cnc.rules)
 * 1:25764 <-> ENABLED <-> MALWARE-OTHER Java.Trojan.FlashPlayer file download attempt (malware-other.rules)
 * 1:25769 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt (browser-ie.rules)
 * 1:25644 <-> DISABLED <-> FILE-OTHER Apple QuickTime TeXML style sub-element buffer overflow attempt (file-other.rules)
 * 1:25648 <-> DISABLED <-> FILE-OTHER Apple QuickTime TeXML style sub-element buffer overflow attempt (file-other.rules)
 * 1:23396 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:2349 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters attempt (netbios.rules)
 * 1:22972 <-> ENABLED <-> FILE-IDENTIFY m3u playlist file file attachment detected (file-identify.rules)
 * 1:23395 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17263 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt (browser-ie.rules)
 * 1:19166 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel file magic detected (file-identify.rules)
 * 1:17262 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt (browser-ie.rules)
 * 1:16725 <-> DISABLED <-> BROWSER-PLUGINS ActivePDF WebGrabber APWebGrb.ocx GetStatus method overflow attempt (browser-plugins.rules)
 * 1:16035 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt (browser-ie.rules)
 * 1:16384 <-> DISABLED <-> DOS VMware Server ISAPI Extension remote denial of service attempt (dos.rules)
 * 1:17098 <-> ENABLED <-> BROWSER-PLUGINS AOL IWinAmpActiveX class ConvertFile buffer overflow attempt (browser-plugins.rules)
 * 1:17261 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt (browser-ie.rules)
 * 1:16690 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt (browser-ie.rules)
 * 3:15521 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel ExternSheet record remote code execution attempt (web-client.rules)
 * 3:14260 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (web-client.rules)
 * 3:13897 <-> ENABLED <-> EXPLOIT Apple Quicktime crgn atom parsing stack buffer overflow attempt (exploit.rules)