Sourcefire VRT Rules Update

Date: 2013-06-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.5.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
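
The format line is regular enough to parse mechanically, which matters here because several of this release's new rules (the CA ARCserve LGServer and Novell eDirectory NCP overflows, the Adobe Reader sandbox escape) ship DISABLED: the "Default rule state" is the state in the pack as delivered, and a DISABLED rule alerts on nothing until it is enabled locally. The following Python is an added example, not Sourcefire tooling; it parses a listing in this format, reports new rules that are off by default (optionally filtered by the leading rule category such as SERVER-OTHER), and emits bare gid:sid lines in the form PulledPork's enablesid.conf accepts. The excerpt it runs on is copied from the list on this page.

```python
"""Parse a Sourcefire VRT rule update list: gid:sid <-> state <-> message (group)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One entry line from the listing, e.g.
#  * 1:26820 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Datash variant outbound connection (malware-cnc.rules)
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)
SECTION_RE = re.compile(r"^\s*(?P<name>New|Modified) Rules:\s*$")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    msg: str
    group: str
    section: str  # "New" or "Modified", taken from the preceding header

    @property
    def category(self) -> str:
        # Leading token of the message: MALWARE-CNC, SERVER-OTHER, FILE-PDF, ...
        return self.msg.split(" ", 1)[0]

    @property
    def ident(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_update(text: str) -> list[RuleEntry]:
    """Return every entry in the listing, tagged with the section it appeared under.
    Blank and prose lines are skipped; a line that starts like an entry but does not
    parse raises, so a truncated or mangled download is not silently shortened."""
    entries: list[RuleEntry] = []
    section = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if (m := SECTION_RE.match(line)):
            section = m["name"]
            continue
        if not line.strip().startswith("*"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised entry: {line!r}")
        if section is None:
            raise ValueError(f"line {lineno}: entry before any 'Rules:' header")
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                                 m["msg"], m["group"], section))
    return entries


def state_summary(entries: list[RuleEntry]) -> dict[tuple[str, bool], int]:
    """Count entries per (section, enabled) pair, e.g. ("New", False) -> 3."""
    return dict(Counter((e.section, e.enabled) for e in entries))


def new_disabled(entries: list[RuleEntry], categories: set[str] | None = None) -> list[RuleEntry]:
    """New rules shipped DISABLED, optionally limited to the given categories
    (e.g. {"SERVER-OTHER"}), ordered by rule file then sid for review."""
    return sorted(
        (e for e in entries
         if e.section == "New" and not e.enabled
         and (categories is None or e.category in categories)),
        key=lambda e: (e.group, e.sid),
    )


def enablesid_lines(entries: list[RuleEntry]) -> list[str]:
    """Bare 'gid:sid' lines, one per rule, as PulledPork's enablesid.conf takes them."""
    return [e.ident for e in entries]


# Excerpt of the listing on this page (same format, only a few lines).
SAMPLE = """\
New Rules:

 * 1:26820 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Datash variant outbound connection (malware-cnc.rules)
 * 1:12784 <-> DISABLED <-> SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt (server-other.rules)
 * 1:25589 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:26817 <-> DISABLED <-> FILE-PDF Adobe Reader javascript regex embedded sandbox escape attempt (file-pdf.rules)

Modified Rules:

 * 1:26735 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc data command (malware-cnc.rules)
 * 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
"""

if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    print(state_summary(parsed))
    for e in new_disabled(parsed):
        print(f"{e.ident:<9} {e.group:<20} {e.msg}")
    print("\n".join(enablesid_lines(new_disabled(parsed, {"SERVER-OTHER"}))))
```

Run it against the full text of this announcement rather than the excerpt to get the complete set of new-but-disabled rules; the category filter is the quick way to pull out, say, only the SERVER-OTHER exploit signatures for hosts you actually run.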

New Rules:


 * 1:26820 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Datash variant outbound connection (malware-cnc.rules)
 * 1:26821 <-> DISABLED <-> MALWARE-CNC Backdoor.Win32.Wolyx.A runtime detection (malware-cnc.rules)
 * 1:12784 <-> DISABLED <-> SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt (server-other.rules)
 * 1:12785 <-> DISABLED <-> SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt (server-other.rules)
 * 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
 * 1:12786 <-> DISABLED <-> SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt (server-other.rules)
 * 1:25550 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
 * 1:25589 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25601 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25612 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25618 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25617 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25619 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25620 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25664 <-> ENABLED <-> SERVER-OTHER MiniUPnPd SSDP request buffer overflow attempt (server-other.rules)
 * 1:26810 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syndicasec Stage Two traffic (malware-cnc.rules)
 * 1:26818 <-> DISABLED <-> MALWARE-CNC Win.Downloader.Zawat variant outbound connection (malware-cnc.rules)
 * 1:26811 <-> ENABLED <-> MALWARE-CNC XP Fake Antivirus Payment Page Request (malware-cnc.rules)
 * 1:26812 <-> ENABLED <-> MALWARE-CNC XP Fake Antivirus Check-in (malware-cnc.rules)
 * 1:26813 <-> ENABLED <-> MALWARE-CNC Trojan.Dapato CMS spambot check-in (malware-cnc.rules)
 * 1:26816 <-> ENABLED <-> MALWARE-CNC OSX.Trojan.KitM outbound connection (malware-cnc.rules)
 * 1:26814 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign (exploit-kit.rules)
 * 1:26815 <-> ENABLED <-> MALWARE-CNC OSX.Trojan.KitM outbound connection user-agent (malware-cnc.rules)
 * 1:26817 <-> DISABLED <-> FILE-PDF Adobe Reader javascript regex embedded sandbox escape attempt (file-pdf.rules)
 * 1:26819 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Datash variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:26735 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc data command (malware-cnc.rules)
 * 1:26739 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc connect command (malware-cnc.rules)
 * 1:26736 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc icmp command (malware-cnc.rules)
 * 1:26728 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc sleep command (malware-cnc.rules)
 * 1:26729 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc simple command (malware-cnc.rules)
 * 1:26745 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc ftp command (malware-cnc.rules)
 * 1:26738 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc dataget command (malware-cnc.rules)
 * 1:26737 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc tcpdata command (malware-cnc.rules)
 * 1:26740 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc dns command (malware-cnc.rules)
 * 1:26741 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc exec command (malware-cnc.rules)
 * 1:24274 <-> ENABLED <-> SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt (server-iis.rules)
 * 1:24275 <-> ENABLED <-> SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt (server-iis.rules)
 * 1:26742 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc resolve command (malware-cnc.rules)
 * 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:26481 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Crysis variant outbound connection (malware-cnc.rules)
 * 1:26670 <-> ENABLED <-> MALWARE-OTHER OSX.Trojan.KitM file download (malware-other.rules)
 * 1:26671 <-> ENABLED <-> MALWARE-OTHER OSX.Trojan.KitM file download (malware-other.rules)
 * 1:26725 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc http command (malware-cnc.rules)
 * 1:26743 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc antiddos command (malware-cnc.rules)
 * 1:26726 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc stop command (malware-cnc.rules)
 * 1:26727 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc die command (malware-cnc.rules)
 * 1:26746 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc download command (malware-cnc.rules)
 * 1:26748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc slowhttp command (malware-cnc.rules)
 * 1:26749 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc allhttp command (malware-cnc.rules)
 * 1:26750 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc full command (malware-cnc.rules)
 * 1:26732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc syn command (malware-cnc.rules)
 * 1:26803 <-> ENABLED <-> MALWARE-OTHER DNS information disclosure attempt (malware-other.rules)
 * 1:26747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc fastddos command (malware-cnc.rules)
 * 1:26731 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc datapost command (malware-cnc.rules)
 * 1:26744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc range command (malware-cnc.rules)
 * 1:26730 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc loginpost command (malware-cnc.rules)
 * 1:26733 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc udp command (malware-cnc.rules)
 * 1:26734 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc udpdata command (malware-cnc.rules)