Sourcefire VRT Rules Update

Date: 2013-05-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:26580 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.elitemarketingworld.net - Cosmu Trojan (blacklist.rules)
 * 1:26578 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent (malware-cnc.rules)
 * 1:26577 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent Opera 10 (blacklist.rules)
 * 1:26579 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent (malware-cnc.rules)
 * 1:26576 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site (malware-cnc.rules)
 * 1:26574 <-> ENABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:26575 <-> DISABLED <-> DOS MIT Kerberos kdb_ldap plugin kinit operation denial of service attempt (dos.rules)
 * 1:26573 <-> ENABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:26581 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.rsakillerforever.name - Cosmu Trojan (blacklist.rules)
 * 1:26582 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.allamericanservices.name - Cosmu Trojan (blacklist.rules)
 * 1:26583 <-> ENABLED <-> BLACKLIST DNS request for known malware domain msnsolution.nicaze.net - Genome Trojan (blacklist.rules)

Modified Rules:
 * 1:14764 <-> DISABLED <-> BROWSER-PLUGINS Macrovision InstallShield Update Service Agent ActiveX clsid access attempt (browser-plugins.rules)
 * 1:26321 <-> DISABLED <-> NETBIOS SMB named pipe bruteforce attempt (netbios.rules)
 * 1:26529 <-> ENABLED <-> INDICATOR-COMPROMISE Unix.Backdoor.Cdorked backdoor command attempt (indicator-compromise.rules)
 * 1:26558 <-> ENABLED <-> BLACKLIST User-Agent known Malicious user agent Brutus AET (blacklist.rules)