Sourcefire VRT Rules Update

Date: 2013-08-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.6.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:27636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Likseput variant connection attempt (malware-cnc.rules)
 * 1:27631 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Aumlib outbound connection attempt (malware-cnc.rules)
 * 1:27630 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Aumlib outbound connection attempt (malware-cnc.rules)
 * 1:27632 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hidatabase.cn - Worm.Silly (blacklist.rules)
 * 1:27628 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.documents.myPicture.info (blacklist.rules)
 * 1:27626 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ftp.documents.myPicture.info (blacklist.rules)
 * 1:27627 <-> ENABLED <-> BLACKLIST DNS request for known malware domain info.xxuz.com (blacklist.rules)
 * 1:27638 <-> ENABLED <-> SERVER-WEBAPP Hedgehog-CMS Directory traversal attempt (server-webapp.rules)
 * 1:27625 <-> ENABLED <-> BLACKLIST DNS request for known malware domain documents.myPicture.info (blacklist.rules)
 * 1:27639 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Epipenwa variant connection attempt (malware-cnc.rules)
 * 1:27629 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Aumlib outbound connection attempt (malware-cnc.rules)
 * 1:27633 <-> ENABLED <-> MALWARE-CNC Worm.Silly outbound connection (malware-cnc.rules)
 * 1:27634 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel FngGroupCount record overflow attempt (file-office.rules)
 * 1:27640 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chekafe variant connection attempt (malware-cnc.rules)
 * 1:27641 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meilat variant connection attempt (malware-cnc.rules)
 * 1:27642 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downbot variant connection attempt (malware-cnc.rules)
 * 1:27643 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Betabot variant connection attempt (malware-cnc.rules)
 * 1:27635 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Record Code Execution attempt (file-office.rules)
 * 1:27637 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syhcmd variant connection attempt (malware-cnc.rules)

Modified Rules:

 * 1:25461 <-> ENABLED <-> FILE-PDF OpenType parsing buffer overflow attempt (file-pdf.rules)
 * 1:25463 <-> ENABLED <-> FILE-PDF OpenType parsing buffer overflow attempt (file-pdf.rules)
 * 1:27015 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string iexplorer (blacklist.rules)
 * 1:27533 <-> ENABLED <-> MALWARE-CNC Potential Win.Kraziomel Download - 000.jpg (malware-cnc.rules)
 * 1:27596 <-> ENABLED <-> MALWARE-CNC Win.Redyms outbound connection (malware-cnc.rules)
 * 1:15256 <-> ENABLED <-> SERVER-ORACLE BPEL process manager XSS injection attempt (server-oracle.rules)
 * 1:22051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mac.update.zyns.com - OSX.Maljava (blacklist.rules)
 * 1:23181 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows .NET Framework xbap DataObject object pointer attempt (file-executable.rules)
 * 1:23394 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vbvoleur.a variant outbound connection (malware-cnc.rules)
 * 1:25557 <-> ENABLED <-> SERVER-OTHER RaySharp CCTV derivative command injection attempt (server-other.rules)
 * 1:25376 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt (file-multimedia.rules)
 * 1:26460 <-> DISABLED <-> FILE-OTHER Shadow Stream Recorder asx file buffer overflow attempt (file-other.rules)
 * 1:26290 <-> ENABLED <-> OS-MOBILE Android ANDR.Trojan.RootSmart outbound communication attempt (os-mobile.rules)
 * 1:16034 <-> ENABLED <-> SERVER-SAMBA Samba spools RPC smb_io_notify_option_type_data request handling buffer overflow attempt (server-samba.rules)
 * 1:24890 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules)
 * 1:26462 <-> DISABLED <-> FILE-OTHER Shadow Stream Recorder asx file buffer overflow attempt (file-other.rules)
 * 1:24893 <-> ENABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules)
 * 1:27601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Noobot variant connection attempt (malware-cnc.rules)
 * 1:27525 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:27534 <-> ENABLED <-> BLACKLIST DNS request for known malware domain claimcrazy.us - Win.Kraziomel Trojan (blacklist.rules)
 * 1:25247 <-> ENABLED <-> FILE-OTHER Lattice PAC Designer symbol value buffer overflow attempt (file-other.rules)
 * 1:25248 <-> ENABLED <-> FILE-OTHER Lattice PAC Designer symbol value buffer overflow attempt (file-other.rules)
 * 1:27529 <-> DISABLED <-> FILE-IMAGE Gif logical height overflow attempt (file-image.rules)
 * 1:27160 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection attempt (malware-cnc.rules)
 * 1:27528 <-> DISABLED <-> FILE-IMAGE Gif logical width overflow attempt (file-image.rules)
 * 1:27526 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27535 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mainenbha.com - Win.Kraziomel Trojan (blacklist.rules)
 * 1:25379 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt (file-multimedia.rules)
 * 1:25377 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt (file-multimedia.rules)
 * 1:25378 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt (file-multimedia.rules)