Sourcefire VRT Rules Update

Date: 2013-09-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.5.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:27958 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (malware-other.rules)
 * 1:27961 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (malware-other.rules)
 * 1:27960 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (malware-other.rules)
 * 1:27967 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection attempt (malware-cnc.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection attempt (malware-cnc.rules)
 * 1:27969 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Updays variant connection attempt (malware-cnc.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection attempt (malware-cnc.rules)
 * 1:27964 <-> ENABLED <-> MALWARE-CNC Gh0st RAT outbound connection (malware-cnc.rules)
 * 1:27965 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eupuds variant connection attempt (malware-cnc.rules)
 * 1:27962 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Storm botnet connection reset (malware-cnc.rules)
 * 1:27963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lolbot variant outbound connection (malware-cnc.rules)
 * 1:27957 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (malware-other.rules)
 * 1:27956 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt (malware-other.rules)
 * 1:27970 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus dropper variant connection attempt (malware-cnc.rules)
 * 1:27971 <-> ENABLED <-> BLACKLIST DNS request for known malware domain queiries.su (blacklist.rules)
 * 1:27972 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tohk5ja.cc (blacklist.rules)
 * 1:27947 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt (file-office.rules)
 * 1:27948 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt (file-office.rules)
 * 1:27949 <-> DISABLED <-> BLACKLIST DNS request for known malware domain full-statistic.com (blacklist.rules)
 * 1:27950 <-> DISABLED <-> BLACKLIST DNS request for known malware domain fullstatistic.com (blacklist.rules)
 * 1:27951 <-> DISABLED <-> BLACKLIST DNS request for known malware domain service-stat.com (blacklist.rules)
 * 1:27973 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nmbc.cc (blacklist.rules)
 * 1:27952 <-> DISABLED <-> BLACKLIST DNS request for known malware domain service-statistic.com (blacklist.rules)
 * 1:27953 <-> DISABLED <-> BLACKLIST DNS request for known malware domain service-update.net (blacklist.rules)
 * 1:27954 <-> DISABLED <-> BLACKLIST DNS request for known malware domain updservice.net (blacklist.rules)
 * 1:27974 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eevootii.su (blacklist.rules)
 * 1:27955 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mevade outbound connection (malware-cnc.rules)
 * 1:27975 <-> ENABLED <-> BLACKLIST DNS request for known malware domain thepohzi.su (blacklist.rules)
 * 1:27976 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oogagh.su (blacklist.rules)
 * 1:27977 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vosagu.su (blacklist.rules)
 * 1:27978 <-> ENABLED <-> BLACKLIST DNS request for known malware domain statinfo.cc (blacklist.rules)
 * 1:27979 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wsysinfonet.su (blacklist.rules)
 * 1:27980 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /botnet/adduser.php?uid= (blacklist.rules)
 * 1:27981 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /botnet/tasks.php?uid= (blacklist.rules)
 * 1:27982 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules)
 * 1:27983 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules)
 * 1:27984 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com (app-detect.rules)
 * 1:27985 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com (app-detect.rules)
 * 1:27986 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com (app-detect.rules)
 * 1:27987 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com (app-detect.rules)
 * 1:27988 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com (app-detect.rules)
 * 1:27989 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com (app-detect.rules)
 * 1:27990 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com (app-detect.rules)
 * 1:27991 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules)
 * 1:27992 <-> DISABLED <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules)
 * 1:27994 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us (app-detect.rules)
 * 1:27993 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com (app-detect.rules)
 * 1:27995 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com (app-detect.rules)
 * 1:27996 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com (app-detect.rules)
 * 1:27997 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net (app-detect.rules)
 * 1:27999 <-> DISABLED <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING (app-detect.rules)
 * 1:27998 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org (app-detect.rules)
 * 1:28000 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules)
 * 1:28001 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules)
 * 1:28002 <-> DISABLED <-> INDICATOR-SCAN UPnP WANPPPConnection (indicator-scan.rules)
 * 1:28003 <-> DISABLED <-> INDICATOR-SCAN UPnP WANIPConnection (indicator-scan.rules)
 * 1:28004 <-> DISABLED <-> MALWARE-CNC Win.Harbinger Rootkit variant outbound connection (malware-cnc.rules)
 * 1:28005 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound command attempt (malware-cnc.rules)
 * 1:28006 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kuluoz outbound download request (malware-other.rules)
 * 1:28007 <-> ENABLED <-> MALWARE-CNC BLYPT installer startupkey outbound traffic (malware-cnc.rules)
 * 1:28008 <-> ENABLED <-> MALWARE-CNC BLYPT installer reuse outbound traffic (malware-cnc.rules)
 * 1:28009 <-> ENABLED <-> MALWARE-CNC BLYPT installer configkey outbound traffic (malware-cnc.rules)
 * 1:28010 <-> ENABLED <-> MALWARE-CNC BLYPT installer tserror outbound traffic (malware-cnc.rules)
 * 1:28011 <-> ENABLED <-> MALWARE-CNC BLYPT installer createproc outbound traffic (malware-cnc.rules)
 * 1:28012 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:28013 <-> DISABLED <-> DELETED EXPLOIT-KIT Kore exploit kit redirection outbound attempt (deleted.rules)
 * 1:28014 <-> DISABLED <-> DELETED EXPLOIT-KIT Kore exploit kit redirection outbound attempt (deleted.rules)
 * 1:28015 <-> ENABLED <-> EXPLOIT-KIT g01pack exploit kit redirection attempt (exploit-kit.rules)
 * 1:28016 <-> ENABLED <-> EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator (exploit-kit.rules)
 * 1:28017 <-> ENABLED <-> EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator (exploit-kit.rules)
 * 1:28018 <-> ENABLED <-> EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator (exploit-kit.rules)
 * 1:28019 <-> ENABLED <-> EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator (exploit-kit.rules)
 * 1:28020 <-> ENABLED <-> EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator (exploit-kit.rules)
 * 1:28021 <-> ENABLED <-> EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator (exploit-kit.rules)
 * 1:28022 <-> ENABLED <-> EXPLOIT-KIT embedded iframe redirection - IFRAMEr injection tool (exploit-kit.rules)
 * 1:28024 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - seen in iframe injection (indicator-obfuscation.rules)
 * 1:28023 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
 * 1:28025 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in iframe injection (indicator-obfuscation.rules)
 * 1:28026 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page (exploit-kit.rules)
 * 1:28027 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 exploit kit redirection embedding detected (exploit-kit.rules)
 * 1:27959 <-> DISABLED <-> MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt (malware-other.rules)
 * 1:28042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Caphaw outbound connection attempt (malware-cnc.rules)
 * 1:28041 <-> ENABLED <-> MALWARE-TOOLS Smoke Malware Loader HTTP response (malware-tools.rules)
 * 1:28040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dofoil variant outbound connection (malware-cnc.rules)
 * 1:28039 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .pw dns query (indicator-compromise.rules)
 * 1:28038 <-> ENABLED <-> EXPLOIT-KIT Unknown exploit kit successful redirection (exploit-kit.rules)
 * 1:28037 <-> ENABLED <-> EXPLOIT-KIT Unknown exploit kit landing page (exploit-kit.rules)
 * 1:28036 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lealemon.xxuz.com - Win.Ransomware.Urausy (blacklist.rules)
 * 1:28035 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackicemaccom.biz - Win.Ransomware.Urausy (blacklist.rules)
 * 1:28034 <-> ENABLED <-> BLACKLIST DNS request for known malware domain heftyzonealarm.info - Win.Ransomware.Urausy (blacklist.rules)
 * 1:28033 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Urausy variant outbound connection attempt (malware-cnc.rules)
 * 1:28030 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
 * 1:28031 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit Oracle Java exploit download attempt (exploit-kit.rules)
 * 1:28032 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:28028 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt (exploit-kit.rules)
 * 1:28029 <-> ENABLED <-> EXPLOIT-KIT Magnitude/Popads/Nuclear exploit kit jnlp request (exploit-kit.rules)

Modified Rules:
 * 1:17598 <-> ENABLED <-> SERVER-OTHER IBM DB2 Universal Database accsec command without rdbnam (server-other.rules)
 * 1:12283 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel xlw file magic detected (file-identify.rules)
 * 1:15469 <-> DISABLED <-> FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt (file-office.rules)
 * 1:27907 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt (exploit-kit.rules)
 * 1:17599 <-> DISABLED <-> SERVER-OTHER IBM DB2 Universal Database rdbname denial of service attempt (server-other.rules)
 * 1:19632 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /VertexNet/adduser.php?uid= (blacklist.rules)
 * 1:21376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Microjoin activity detected (malware-cnc.rules)
 * 1:21440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Murofet variant outbound connection (malware-cnc.rules)
 * 1:19633 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /VertexNet/tasks.php?uid= (blacklist.rules)
 * 1:21848 <-> DISABLED <-> MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS (malware-other.rules)
 * 1:23164 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online ncrypt.dll dll-load exploit attempt (server-other.rules)
 * 1:23165 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online wlanapi.dll dll-load exploit attempt (server-other.rules)
 * 1:23697 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel xlw file magic detected (file-identify.rules)
 * 1:23556 <-> DISABLED <-> FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt (file-office.rules)
 * 1:25136 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit plugin detection connection (exploit-kit.rules)
 * 1:25592 <-> ENABLED <-> INDICATOR-OBFUSCATION obfuscated document command - used in IFRAMEr tool injection (indicator-obfuscation.rules)
 * 1:26834 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri (exploit-kit.rules)
 * 1:26806 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit short JNLP request (exploit-kit.rules)
 * 1:26935 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer image download spoofing attempt (browser-ie.rules)
 * 1:26936 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer image download spoofing attempt (browser-ie.rules)
 * 1:26937 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer image download spoofing attempt (browser-ie.rules)
 * 1:27229 <-> ENABLED <-> MALWARE-OTHER IFRAMEr Tool code injection attack (malware-other.rules)
 * 1:27733 <-> DISABLED <-> EXPLOIT-KIT IFRAMEr Tool embedded javascript attack method - generic structure (exploit-kit.rules)
 * 1:27734 <-> ENABLED <-> EXPLOIT-KIT IFRAMEr Tool embedded javascript attack method - specific structure (exploit-kit.rules)
 * 1:27735 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool usage (indicator-obfuscation.rules)
 * 1:27736 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
 * 1:27813 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit landing page with payload (exploit-kit.rules)
 * 1:27816 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit jar file download attempt (exploit-kit.rules)
 * 1:27920 <-> ENABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack (indicator-obfuscation.rules)
 * 1:27937 <-> ENABLED <-> SERVER-OTHER HP ProCurve Manager SNAC UpdateCertificatesServlet directory traversal attempt (server-other.rules)
 * 1:27943 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
 * 1:27944 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
 * 1:17363 <-> ENABLED <-> FILE-OTHER Apple OSX Finder DMG volume name memory corruption (file-other.rules)
 * 3:17697 <-> ENABLED <-> SMTP GnuPG Message Packet Length overflow attempt (smtp.rules)
 * 3:17693 <-> ENABLED <-> SMTP MailEnable NTLM Authentication buffer overflow attempt (smtp.rules)