Sourcefire VRT Rules Update

Date: 2013-05-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.6.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


Modified Rules:


 * 1:26530 <-> ENABLED <-> INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirected URI attempt (indicator-compromise.rules)
 * 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
 * 1:25854 <-> ENABLED <-> MALWARE-CNC Potential Zeus - MSIE7 No Referer No Cookie (malware-cnc.rules)
 * 1:24007 <-> ENABLED <-> OS-WINDOWS SMB Microsoft Windows RAP API NetServerEnum2 long server name buffer overflow attempt (os-windows.rules)
 * 1:23724 <-> ENABLED <-> FILE-IDENTIFY Adobe Director Movie file magic detected (file-identify.rules)
 * 1:23705 <-> DISABLED <-> FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file magic detected (file-identify.rules)
 * 1:23704 <-> DISABLED <-> FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.51-v0.61 packed file magic detected (file-identify.rules)
 * 1:21429 <-> ENABLED <-> FILE-PDF Possible unknown malicious PDF (file-pdf.rules)
 * 1:20999 <-> ENABLED <-> BROWSER-WEBKIT Microsoft Windows 7 x64 Apple Safari abnormally long iframe exploit attempt (browser-webkit.rules)
 * 1:17801 <-> ENABLED <-> FILE-IDENTIFY Adobe Director Movie file magic detected (file-identify.rules)
 * 1:16621 <-> DISABLED <-> INDICATOR-COMPROMISE c99shell.php command request - security (indicator-compromise.rules)
 * 1:16615 <-> DISABLED <-> INDICATOR-COMPROMISE c99shell.php command request - upload (indicator-compromise.rules)
 * 1:16614 <-> DISABLED <-> INDICATOR-COMPROMISE c99shell.php command request - search (indicator-compromise.rules)
 * 1:16436 <-> DISABLED <-> FILE-IDENTIFY Ultimate Packer for Executables/UPX v2.90 v2.93-v3.00 packed file magic detected (file-identify.rules)
 * 1:16435 <-> DISABLED <-> FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file magic detected (file-identify.rules)
 * 1:16434 <-> DISABLED <-> FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.51-v0.61 packed file magic detected (file-identify.rules)