Sourcefire VRT Rules Update

Date: 2013-04-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules)
 * 1:26376 <-> DISABLED <-> DELETED MISC bubbye too (deleted.rules)
 * 1:26375 <-> DISABLED <-> DELETED MISC bubbye (deleted.rules)
 * 1:26374 <-> ENABLED <-> DOS ClamAV Antivirus Function Denial of Service attempt (dos.rules)
 * 1:26373 <-> ENABLED <-> DOS ClamAV Antivirus Function Denial of Service attempt (dos.rules)
 * 1:26372 <-> ENABLED <-> DOS ClamAV Antivirus Function Denial of Service attempt (dos.rules)
 * 1:26371 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection - op POST (malware-cnc.rules)
 * 1:26370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection - ksa.txt (malware-cnc.rules)
 * 1:26369 <-> ENABLED <-> MALWARE-OTHER Double HTTP Server declared (malware-other.rules)
 * 1:26368 <-> DISABLED <-> EXPLOIT-KIT Egypack exploit kit landing page (exploit-kit.rules)
 * 1:26367 <-> DISABLED <-> EXPLOIT-KIT Egypack exploit kit outbound connection (exploit-kit.rules)
 * 1:26366 <-> DISABLED <-> EXPLOIT-KIT Egypack exploit kit landing page (exploit-kit.rules)
 * 1:26365 <-> DISABLED <-> BROWSER-PLUGINS Microsoft RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26364 <-> DISABLED <-> BROWSER-PLUGINS Microsoft RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26363 <-> DISABLED <-> BROWSER-PLUGINS Microsoft RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26362 <-> DISABLED <-> BROWSER-PLUGINS Microsoft RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26361 <-> DISABLED <-> BROWSER-PLUGINS Microsoft RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26360 <-> DISABLED <-> BROWSER-PLUGINS Microsoft RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26359 <-> DISABLED <-> BROWSER-PLUGINS Microsoft RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26358 <-> DISABLED <-> BROWSER-PLUGINS Microsoft RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26357 <-> DISABLED <-> BROWSER-PLUGINS Microsoft RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26356 <-> DISABLED <-> BROWSER-PLUGINS Microsoft RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26355 <-> DISABLED <-> BROWSER-PLUGINS Microsoft RDP ActiveX component mstscax use after free attempt (browser-plugins.rules)
 * 1:26354 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer expression clause in style tag cross site scripting attempt (browser-ie.rules)
 * 1:26353 <-> DISABLED <-> INDICATOR-COMPROMISE IP address check to dyndns.org detected (indicator-compromise.rules)
 * 1:26352 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits (indicator-obfuscation.rules)
 * 1:26351 <-> ENABLED <-> EXPLOIT-KIT Redkit landing page redirection (exploit-kit.rules)
 * 1:26350 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit successful redirection (exploit-kit.rules)
 * 1:26349 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit obfuscated portable executable (exploit-kit.rules)
 * 1:26348 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit delivery (exploit-kit.rules)
 * 1:26347 <-> DISABLED <-> DELETED EXPLOIT-KIT Redkit exploit kit java exploit request (deleted.rules)
 * 1:26346 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit payload requested (exploit-kit.rules)
 * 1:26345 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:26344 <-> ENABLED <-> EXPLOIT-KIT Redkit landing page redirection (exploit-kit.rules)
 * 1:26343 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page (exploit-kit.rules)
 * 1:26342 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:26341 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page (exploit-kit.rules)
 * 1:26340 <-> DISABLED <-> FILE-OTHER Corel WordPerfect document parsing buffer overflow attempt (file-other.rules)
 * 1:26339 <-> ENABLED <-> EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval - ff.php (exploit-kit.rules)
 * 1:26338 <-> ENABLED <-> EXPLOIT-KIT Blackhole exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:26337 <-> ENABLED <-> EXPLOIT-KIT Blackhole exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:26336 <-> ENABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra snmp request buffer overflow attempt (server-other.rules)
 * 1:26335 <-> ENABLED <-> MALWARE-CNC FBI Ransom Trojan variant outbound connection (malware-cnc.rules)
 * 1:26334 <-> ENABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra diag request buffer overflow attempt (server-other.rules)
 * 1:26333 <-> ENABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra diag request buffer overflow attempt (server-other.rules)

Modified Rules:

 * 1:14230 <-> DISABLED <-> SERVER-WEBAPP SAP DB web server stack buffer overflow attempt (server-webapp.rules)
 * 1:16767 <-> DISABLED <-> BROWSER-PLUGINS AwingSoft Web3D Player SceneURL ActiveX clsid access (browser-plugins.rules)
 * 1:17390 <-> ENABLED <-> DOS ClamAV Antivirus Function Denial of Service attempt (dos.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:18210 <-> DISABLED <-> OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt (os-windows.rules)
 * 1:18211 <-> DISABLED <-> OS-WINDOWS Microsoft Movie Maker hhctrl.ocx dll-load attempt (os-windows.rules)
 * 1:21845 <-> DISABLED <-> MALWARE-CNC TDS Sutra - redirect received (malware-cnc.rules)
 * 1:21846 <-> DISABLED <-> MALWARE-CNC TDS Sutra - request in.cgi (malware-cnc.rules)
 * 1:21848 <-> DISABLED <-> MALWARE-CNC TDS Sutra - page redirecting to a SutraTDS (malware-cnc.rules)
 * 1:21849 <-> DISABLED <-> MALWARE-CNC TDS Sutra - HTTP header redirecting to a SutraTDS (malware-cnc.rules)
 * 1:21850 <-> DISABLED <-> MALWARE-CNC TDS Sutra - request hi.cgi (malware-cnc.rules)
 * 1:21851 <-> DISABLED <-> MALWARE-CNC TDS Sutra - redirect received (malware-cnc.rules)
 * 1:2338 <-> DISABLED <-> PROTOCOL-FTP LIST buffer overflow attempt (protocol-ftp.rules)
 * 1:23799 <-> ENABLED <-> BLACKLIST DNS request for known malware domain guest-access.net - Gauss (blacklist.rules)
 * 1:23800 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dotnetadvisor.info - Gauss (blacklist.rules)
 * 1:23801 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bestcomputeradvisor.com - Gauss (blacklist.rules)
 * 1:23802 <-> ENABLED <-> BLACKLIST DNS request for known malware domain datajunction.org - Gauss (blacklist.rules)
 * 1:23803 <-> ENABLED <-> BLACKLIST DNS request for known malware domain secuurity.net - Gauss (blacklist.rules)
 * 1:23804 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gowin7.com - Gauss (blacklist.rules)
 * 1:25051 <-> DISABLED <-> EXPLOIT-KIT Redkit landing page redirection (exploit-kit.rules)
 * 1:25052 <-> DISABLED <-> EXPLOIT-KIT Redkit Exploit Kit Java Exploit requested - 3 digit (exploit-kit.rules)
 * 1:25053 <-> DISABLED <-> EXPLOIT-KIT Redkit outbound class retrieval (exploit-kit.rules)
 * 1:25989 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit landing page (exploit-kit.rules)
 * 1:26321 <-> DISABLED <-> NETBIOS SMB named pipe bruteforce attempt (netbios.rules)
 * 1:26322 <-> DISABLED <-> NETBIOS SMB named pipe bruteforce attempt (netbios.rules)
 * 3:15734 <-> ENABLED <-> BAD-TRAFFIC BIND named 9 dynamic update message remote dos attempt (bad-traffic.rules)