Sourcefire VRT Rules Update

Date: 2013-09-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.6.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:27929 <-> DISABLED <-> APP-DETECT Splashtop communication attempt (app-detect.rules)
 * 1:27928 <-> DISABLED <-> APP-DETECT Splashtop connection attempt (app-detect.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:27930 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.com (app-detect.rules)
 * 1:27919 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration attempt (malware-cnc.rules)
 * 1:27910 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter variant connection attempt (malware-cnc.rules)
 * 1:27911 <-> ENABLED <-> EXPLOIT-KIT X2O exploit kit landing page (exploit-kit.rules)
 * 1:27912 <-> ENABLED <-> EXPLOIT-KIT X2O exploit kit landing page (exploit-kit.rules)
 * 1:27913 <-> ENABLED <-> PUA-ADWARE Vittalia adware - get ads (pua-adware.rules)
 * 1:27914 <-> ENABLED <-> PUA-ADWARE Vittalia adware - post install (pua-adware.rules)
 * 1:27931 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain splashtop.net (app-detect.rules)
 * 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
 * 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (server-oracle.rules)
 * 1:27918 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:27916 <-> ENABLED <-> PUA-TOOLBARS Vittalia adware outbound connection - Eazel toolbar install (pua-toolbars.rules)
 * 1:27915 <-> ENABLED <-> PUA-ADWARE Vittalia adware outbound connection - pre install (pua-adware.rules)
 * 1:27938 <-> DISABLED <-> PROTOCOL-DNS IPv6 host name enumeration (protocol-dns.rules)
 * 1:27917 <-> ENABLED <-> PUA-TOOLBARS Vittalia adware outbound connection - offers (pua-toolbars.rules)
 * 1:27920 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in Cookiebomb attack (indicator-obfuscation.rules)
 * 1:27925 <-> DISABLED <-> APP-DETECT Splashtop Personal download attempt (app-detect.rules)
 * 1:27924 <-> DISABLED <-> APP-DETECT Splashtop Streamer download attempt (app-detect.rules)
 * 1:27926 <-> DISABLED <-> APP-DETECT Splashtop Streamer certificate server connect attempt (app-detect.rules)
 * 1:27932 <-> DISABLED <-> APP-DETECT DNS request for Splashtop domain devicevm.com (app-detect.rules)
 * 1:27935 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page (exploit-kit.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:27936 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit portable executable download (exploit-kit.rules)
 * 1:27937 <-> ENABLED <-> SERVER-OTHER HP ProCurve Manager SNAC UpdateCertificatesServlet directory traversal attempt (server-other.rules)

Modified Rules:

 * 1:17203 <-> DISABLED <-> FILE-OTHER Adobe Director file file rcsL overflow attempt (file-other.rules)
 * 1:25137 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (exploit-kit.rules)
 * 1:25140 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit portable executable download request (exploit-kit.rules)
 * 1:25790 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer compatibility mode invalid memory access attempt (browser-ie.rules)
 * 1:25791 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer compatibility mode invalid memory access attempt (browser-ie.rules)
 * 1:26027 <-> DISABLED <-> FILE-OTHER Adobe Director file file rcsL overflow attempt (file-other.rules)
 * 1:26106 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:26526 <-> ENABLED <-> EXPLOIT-KIT Portable Executable downloaded with bad DOS stub (exploit-kit.rules)
 * 1:26926 <-> DISABLED <-> FILE-OTHER Multiple products ZIP archive virus detection bypass attempt (file-other.rules)
 * 1:26989 <-> DISABLED <-> FILE-OTHER Multiple products ZIP archive virus detection bypass attempt (file-other.rules)
 * 1:27679 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection (malware-cnc.rules)
 * 1:27708 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Urausy outbound connection attempt (malware-cnc.rules)