Sourcefire VRT Rules Update

Date: 2013-07-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:27054 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes outbound connection (malware-cnc.rules)
 * 1:27049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dokstormac outbound connection (malware-cnc.rules)
 * 1:27053 <-> DISABLED <-> MALWARE-OTHER Trojan.Java.JVDrop.A jar file download attempt (malware-other.rules)
 * 1:27048 <-> DISABLED <-> DELETED FILE-OTHER Multiple products ZIP archive virus detection bypass attempt (deleted.rules)
 * 1:27057 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dalbot outbound connection (malware-cnc.rules)
 * 1:27045 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Blocker Download attempt (malware-cnc.rules)
 * 1:27058 <-> ENABLED <-> MALWARE-CNC OSX.Trojan.HackBack outbound connection (malware-cnc.rules)
 * 1:27044 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string pb - Htbot (blacklist.rules)
 * 1:27047 <-> DISABLED <-> INDICATOR-COMPROMISE Unknown ?1 redirect (indicator-compromise.rules)
 * 1:27046 <-> DISABLED <-> APP-DETECT - iodine dns tunnelling handshake server ACK (app-detect.rules)
 * 1:27056 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Yakes download attempt (malware-other.rules)
 * 1:27043 <-> ENABLED <-> BLACKLIST DNS request for known malware domain memo-stat.com - Htbot (blacklist.rules)
 * 1:27040 <-> ENABLED <-> EXPLOIT-KIT Styx Exploit Kit plugin detection connection jorg (exploit-kit.rules)
 * 1:27039 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OnlineGameHack variant outbound connection (malware-cnc.rules)
 * 1:27042 <-> ENABLED <-> EXPLOIT-KIT Styx Exploit Kit plugin detection connection jovf (exploit-kit.rules)
 * 1:27055 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Yakes download attempt (malware-other.rules)
 * 1:27051 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Dokstormac file download (malware-other.rules)
 * 1:27066 <-> DISABLED <-> BLACKLIST DNS request for known malware domain androfox.tk - Andr.Trojan.Obad (blacklist.rules)
 * 1:27041 <-> ENABLED <-> EXPLOIT-KIT Styx Exploit Kit plugin detection connection jlnp (exploit-kit.rules)
 * 1:27038 <-> ENABLED <-> OS-MOBILE Android Vidro / EClips device information leakage (os-mobile.rules)
 * 1:27059 <-> ENABLED <-> MALWARE-OTHER OSX.Trojan.HackBack file download attempt (malware-other.rules)
 * 1:27035 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Transhell file download (malware-other.rules)
 * 1:27034 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Transhell file download (malware-other.rules)
 * 1:27037 <-> ENABLED <-> OS-MOBILE Android Vidro / EClips sms send instructions (os-mobile.rules)
 * 1:27036 <-> ENABLED <-> SERVER-OTHER Novell NetIQ User Manager modifyAccounts policy bypass attempt (server-other.rules)
 * 1:27060 <-> ENABLED <-> MALWARE-OTHER OSX.Trojan.HackBack file upload attempt (malware-other.rules)
 * 1:27033 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Transhell outbound connection user-agent (malware-cnc.rules)
 * 1:27061 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:27062 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:27063 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer file type spoofing attempt (browser-ie.rules)
 * 1:27064 <-> ENABLED <-> OS-MOBILE Android Spy2Mobile device information leakage (os-mobile.rules)
 * 1:27065 <-> DISABLED <-> BLACKLIST DNS request for known malware domain androfox.com - Andr.Trojan.Obad (blacklist.rules)
 * 1:27067 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page - specific structure (exploit-kit.rules)
 * 1:27068 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 malicious jar file download (exploit-kit.rules)
 * 1:27069 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 malicious portable executable download (exploit-kit.rules)
 * 1:27070 <-> DISABLED <-> DELETED EXPLOIT-KIT Blackholev2 exploit kit JNLP request (deleted.rules)
 * 1:27071 <-> ENABLED <-> EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval (exploit-kit.rules)
 * 1:27072 <-> ENABLED <-> EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval (exploit-kit.rules)
 * 1:27073 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules)
 * 1:27075 <-> ENABLED <-> SERVER-OTHER Novell NetIQ User Manager ldapagnt_eval remote code execution attempt (server-other.rules)
 * 1:27078 <-> ENABLED <-> EXPLOIT-KIT Nailed exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:27076 <-> ENABLED <-> FILE-JAVA Oracle Java Applet disable security manager attempt (file-java.rules)
 * 1:27077 <-> ENABLED <-> FILE-JAVA Oracle Java Applet disable security manager attempt (file-java.rules)
 * 1:27052 <-> DISABLED <-> MALWARE-OTHER Trojan.Java.JVDrop.A jar file download attempt (malware-other.rules)
 * 1:27074 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits (indicator-obfuscation.rules)
 * 1:27079 <-> ENABLED <-> EXPLOIT-KIT Nailed exploit kit landing page stage 2 (exploit-kit.rules)
 * 1:27081 <-> ENABLED <-> EXPLOIT-KIT Nailed exploit kit Internet Explorer exploit download - autopwn (exploit-kit.rules)
 * 1:27080 <-> ENABLED <-> EXPLOIT-KIT Nailed exploit kit Firefox exploit download - autopwn (exploit-kit.rules)
 * 1:27082 <-> ENABLED <-> EXPLOIT-KIT Nailed exploit kit flash remote code execution exploit download - autopwn (exploit-kit.rules)
 * 1:27084 <-> ENABLED <-> EXPLOIT-KIT Nailed exploit kit rhino remote code execution exploit download - autopwn (exploit-kit.rules)
 * 1:27083 <-> ENABLED <-> EXPLOIT-KIT Nailed exploit kit jmxbean remote code execution exploit download - autopwn (exploit-kit.rules)
 * 1:27050 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Dokstormac file download (malware-other.rules)

Modified Rules:

 * 1:24795 <-> DISABLED <-> EXPLOIT-KIT Multiple Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:27029 <-> ENABLED <-> SERVER-WEBAPP Novell ZENworks Mobile Management mdm.php directory traversal attempt (server-webapp.rules)
 * 1:17276 <-> DISABLED <-> FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt (file-other.rules)
 * 1:24794 <-> DISABLED <-> EXPLOIT-KIT Multiple Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:25519 <-> DISABLED <-> OS-OTHER Apple iPad User-Agent detected (os-other.rules)
 * 1:26634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:26940 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.TripleNine RAT beacon attempt (malware-cnc.rules)
 * 1:26635 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:25592 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated document command - used in exploit kits (indicator-obfuscation.rules)
 * 1:25520 <-> DISABLED <-> OS-OTHER Apple iPhone User-Agent detected (os-other.rules)
 * 1:26950 <-> ENABLED <-> EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt (exploit-kit.rules)
 * 1:26541 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit successful redirection (exploit-kit.rules)
 * 1:26203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gupd variant outbound connection (malware-cnc.rules)
 * 1:25518 <-> DISABLED <-> OS-OTHER Apple iPod User-Agent detected (os-other.rules)
 * 1:21258 <-> DISABLED <-> INDICATOR-SHELLCODE Feng-Shui heap grooming using Oleaut32 (indicator-shellcode.rules)
 * 1:27006 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Network Node Manager URI rping stack buffer overflow attempt (server-webapp.rules)
 * 1:20622 <-> ENABLED <-> FILE-JAVA Oracle Java Applet remote code execution attempt (file-java.rules)
 * 1:24797 <-> DISABLED <-> EXPLOIT-KIT Multiple Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
 * 1:27010 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Zbot payment .scr download attempt (malware-cnc.rules)
 * 1:19551 <-> ENABLED <-> MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (malware-other.rules)
 * 1:15726 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Network Node Manager URI rping stack buffer overflow attempt (server-webapp.rules)
 * 1:27018 <-> ENABLED <-> SERVER-WEBAPP Novell ZENworks Mobile Management dusap.php directory traversal attempt (server-webapp.rules)
 * 1:15578 <-> DISABLED <-> MALWARE-TOOLS Slowloris http DoS tool (malware-tools.rules)
 * 1:24796 <-> DISABLED <-> EXPLOIT-KIT Multiple Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:27019 <-> ENABLED <-> SERVER-WEBAPP Novell ZENworks Mobile Management dusap.php directory traversal attempt (server-webapp.rules)
 * 1:27020 <-> ENABLED <-> SERVER-WEBAPP Novell ZENworks Mobile Management dusap.php directory traversal attempt (server-webapp.rules)
 * 1:27028 <-> ENABLED <-> SERVER-WEBAPP Novell ZENworks Mobile Management mdm.php directory traversal attempt (server-webapp.rules)
 * 1:27030 <-> ENABLED <-> SERVER-WEBAPP Novell ZENworks Mobile Management mdm.php directory traversal attempt (server-webapp.rules)
 * 3:18063 <-> ENABLED <-> WEB-CLIENT Microsoft Office embedded Office Art drawings execution attempt (web-client.rules)
 * 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)
 * 3:13666 <-> ENABLED <-> WEB-CLIENT Microsoft Windows GDI integer overflow attempt (web-client.rules)