Sourcefire VRT Rules Update

Date: 2013-05-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.6.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:26773 <-> DISABLED <-> MALWARE-BACKDOOR Trojan.Midwgif.A runtime detection (malware-backdoor.rules)
 * 1:26772 <-> ENABLED <-> SERVER-OTHER Apache Struts2 skillName remote code execution attempt (server-other.rules)
 * 1:26771 <-> DISABLED <-> MALWARE-CNC Win.Spy.Banker variant outbound connection (malware-cnc.rules)
 * 1:26770 <-> DISABLED <-> MALWARE-CNC Win.Spy.Banker variant outbound connection (malware-cnc.rules)
 * 1:26769 <-> DISABLED <-> DOS MIT Kerberos kpasswd process_chpw_request denial of service attempt (dos.rules)
 * 1:26768 <-> ENABLED <-> MALWARE-CNC Android Fakedoc device information leakage (malware-cnc.rules)
 * 1:26767 <-> DISABLED <-> BROWSER-PLUGINS Oracle Java Web Start control launchapp embed access (browser-plugins.rules)
 * 1:26766 <-> DISABLED <-> BROWSER-PLUGINS Oracle Java Web Start control launchapp ActiveX clsid access (browser-plugins.rules)
 * 1:26765 <-> DISABLED <-> BROWSER-PLUGINS Oracle Java Web Start control launchapp ActiveX function call access (browser-plugins.rules)
 * 1:26764 <-> DISABLED <-> BROWSER-PLUGINS Oracle Java Web Start control launchapp ActiveX clsid access (browser-plugins.rules)
 * 1:26763 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:26762 <-> DISABLED <-> MALWARE-CNC Potential Bancos Trojan - HTTP Header Structure Anomaly v2.0 (malware-cnc.rules)
 * 1:26761 <-> ENABLED <-> MALWARE-CNC Android Fakeinst device information leakage (malware-cnc.rules)
 * 1:26760 <-> ENABLED <-> MALWARE-CNC Android Fakeinst device information leakage (malware-cnc.rules)
 * 1:26759 <-> DISABLED <-> DOS MIT Kerberos libkdb_ldap principal name handling denial of service attempt (dos.rules)
 * 1:26758 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Elefin variant outbound connection (malware-cnc.rules)
 * 1:26757 <-> DISABLED <-> MALWARE-CNC Win.Dropper.Datcaen variant outbound connection (malware-cnc.rules)
 * 1:26756 <-> DISABLED <-> MALWARE-CNC Win.Dropper.Datcaen variant outbound connection (malware-cnc.rules)
 * 1:26755 <-> DISABLED <-> FILE-PDF Adobe Acrobat file extension overflow attempt (file-pdf.rules)
 * 1:26754 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt (browser-ie.rules)
 * 1:26753 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt (browser-ie.rules)
 * 1:26752 <-> ENABLED <-> MALWARE-CNC Harbinger rootkit click fraud HTTP response (malware-cnc.rules)
 * 1:26751 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - msctls_progress32 (blacklist.rules)
 * 1:26750 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc full command (malware-cnc.rules)
 * 1:26749 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc allhttp command (malware-cnc.rules)
 * 1:26748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc slowhttp command (malware-cnc.rules)
 * 1:26747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc fastddos command (malware-cnc.rules)
 * 1:26746 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc download command (malware-cnc.rules)
 * 1:26745 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc ftp command (malware-cnc.rules)
 * 1:26744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc range command (malware-cnc.rules)
 * 1:26743 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc antiddos command (malware-cnc.rules)
 * 1:26742 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc resolve command (malware-cnc.rules)
 * 1:26741 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc exec command (malware-cnc.rules)
 * 1:26740 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc dns command (malware-cnc.rules)
 * 1:26739 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc connect command (malware-cnc.rules)
 * 1:26738 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc dataget command (malware-cnc.rules)
 * 1:26737 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc tcpdata command (malware-cnc.rules)
 * 1:26736 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc icmp command (malware-cnc.rules)
 * 1:26735 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc data command (malware-cnc.rules)
 * 1:26734 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc udpdata command (malware-cnc.rules)
 * 1:26733 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc udp command (malware-cnc.rules)
 * 1:26732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc syn command (malware-cnc.rules)
 * 1:26731 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc datapost command (malware-cnc.rules)
 * 1:26730 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc loginpost command (malware-cnc.rules)
 * 1:26729 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc simple command (malware-cnc.rules)
 * 1:26728 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc sleep command (malware-cnc.rules)
 * 1:26727 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc die command (malware-cnc.rules)
 * 1:26726 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc stop command (malware-cnc.rules)
 * 1:26725 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev cnc http command (malware-cnc.rules)
 * 1:26724 <-> ENABLED <-> FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt (file-multimedia.rules)
 * 1:26723 <-> ENABLED <-> MALWARE-CNC Trojan Downloader7 (malware-cnc.rules)

Modified Rules:

 * 1:26715 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev rev 3 outbound traffic (malware-cnc.rules)
 * 1:26638 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML array element with negative length memory corruption attempt (browser-ie.rules)
 * 1:26714 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRev rev 2 outbound traffic (malware-cnc.rules)
 * 1:26636 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt (browser-ie.rules)
 * 1:26637 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt (browser-ie.rules)
 * 1:26629 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer setInterval focus use after free attempt (browser-ie.rules)
 * 1:26633 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer html reload loop attempt (browser-ie.rules)
 * 1:26611 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Dulevco.A runtime detection (malware-backdoor.rules)
 * 1:26618 <-> ENABLED <-> SERVER-WEBAPP Potential hostile executable served from local compromised or malicious WordPress site (server-webapp.rules)
 * 1:26609 <-> ENABLED <-> MALWARE-CNC OSX.Trojan.Dockster variant outbound connection (malware-cnc.rules)
 * 1:26610 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Dulevco.A runtime detection (malware-backdoor.rules)
 * 1:26607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korlia variant outbound connection (malware-cnc.rules)
 * 1:26608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rocra variant outbound connection (malware-cnc.rules)
 * 1:26605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:26606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sosork variant outbound connection (malware-cnc.rules)
 * 1:26602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel sheet name memory corruption attempt (file-office.rules)
 * 1:26604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
 * 1:26596 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript fromCharCode xor decryption routine detected (indicator-obfuscation.rules)
 * 1:26601 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt (file-executable.rules)
 * 1:26595 <-> DISABLED <-> INDICATOR-OBFUSCATION javascript hex character extraction routine detected (indicator-obfuscation.rules)
 * 1:26588 <-> ENABLED <-> FILE-OTHER Oracle Java runtime JMX findclass sandbox breach attempt (file-other.rules)
 * 1:26590 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt (file-executable.rules)
 * 1:26584 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt (browser-ie.rules)
 * 1:26587 <-> ENABLED <-> FILE-OTHER Oracle Java runtime JMX findclass sandbox breach attempt (file-other.rules)
 * 1:21162 <-> DISABLED <-> FILE-PDF Adobe Acrobat file extension overflow attempt (file-pdf.rules)
 * 1:24632 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - 1 (blacklist.rules)
 * 1:18484 <-> ENABLED <-> FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt (file-multimedia.rules)
 * 1:17227 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel sheet name memory corruption attempt (file-office.rules)
 * 1:17633 <-> ENABLED <-> FILE-OTHER RealNetworks RealPlayer SWF frame handling buffer overflow attempt (file-other.rules)
 * 1:16655 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Lbl record stack overflow attempt (file-office.rules)
 * 1:15105 <-> ENABLED <-> FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt (file-image.rules)