Sourcefire VRT Rules Update

Date: 2013-09-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.6.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
 * 1:28053 <-> DISABLED <-> BLACKLIST DNS request for known malware domain sarmayebux.ir (blacklist.rules)
 * 1:28045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VBKrypt variant connection attempt (malware-cnc.rules)
 * 1:28052 <-> DISABLED <-> SERVER-WEBAPP Linksys WRT110 ping.cgi remote command execution attempt (server-webapp.rules)
 * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
 * 1:28047 <-> DISABLED <-> SERVER-WEBAPP RaidSonic Multiple Products arbitrary command injection attempt (server-webapp.rules)
 * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
 * 1:28051 <-> DISABLED <-> SERVER-WEBAPP GLPI install.php arbitrary code injection attempt (server-webapp.rules)
 * 1:28056 <-> ENABLED <-> OS-MOBILE Android ANDR.Trojan.FakeAV APK file download attempt (os-mobile.rules)
 * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
 * 1:28055 <-> DISABLED <-> OS-MOBILE Android ANDR.Trojan.FakeAV outbound communication attempt (os-mobile.rules)
 * 1:28049 <-> DISABLED <-> SERVER-WEBAPP GLPI install.php arbitrary code injection attempt (server-webapp.rules)
 * 1:28050 <-> DISABLED <-> SERVER-WEBAPP GLPI install.php arbitrary code injection attempt (server-webapp.rules)
 * 1:28048 <-> DISABLED <-> SERVER-WEBAPP GLPI install.php arbitrary code injection attempt (server-webapp.rules)
 * 1:28057 <-> ENABLED <-> OS-MOBILE Android ANDR.Trojan.FakeAV APK file download attempt (os-mobile.rules)
 * 1:28067 <-> ENABLED <-> BLACKLIST DNS request for known malware domain level4-co1-as30912.su (blacklist.rules)
 * 1:28046 <-> ENABLED <-> OS-MOBILE Android fake iMessage app download (os-mobile.rules)
 * 1:28043 <-> ENABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)
 * 1:28058 <-> ENABLED <-> BLACKLIST DNS request for known malware domain erwbtkidthetcwerc.com (blacklist.rules)
 * 1:28059 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rterybrstutnrsbberve.com (blacklist.rules)
 * 1:28060 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rvbwtbeitwjeitv.com (blacklist.rules)
 * 1:28061 <-> ENABLED <-> BLACKLIST DNS request for known malware domain intelcore.su (blacklist.rules)
 * 1:28062 <-> ENABLED <-> BLACKLIST DNS request for known malware domain intelsecurity.su (blacklist.rules)
 * 1:28063 <-> ENABLED <-> BLACKLIST DNS request for known malware domain intelsystems.su (blacklist.rules)
 * 1:28054 <-> ENABLED <-> FILE-OTHER VBScript potential executable write attempt (file-other.rules)
 * 1:28064 <-> ENABLED <-> BLACKLIST DNS request for known malware domain intelbackupsrv.su (blacklist.rules)
 * 1:28065 <-> ENABLED <-> BLACKLIST DNS request for known malware domain x2v9.com (blacklist.rules)
 * 1:28066 <-> ENABLED <-> BLACKLIST DNS request for known malware domain level4-co2-as30938.su (blacklist.rules)
 * 1:28044 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoLocker variant connection attempt (malware-cnc.rules)

Modified Rules:

 * 1:21587 <-> DISABLED <-> FILE-OTHER VisiWave VWR file parsing code execution attempt (file-other.rules)
 * 1:8066 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX clsid access (browser-plugins.rules)
 * 1:27865 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page request (exploit-kit.rules)
 * 1:8068 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules)
 * 1:8064 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet.Typelib ActiveX clsid access (browser-plugins.rules)