Sourcefire VRT Rules Update

Date: 2013-12-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2946.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:29128 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit plugin detection page (exploit-kit.rules)
 * 1:29133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Goobraz variant outbound connection (malware-cnc.rules)
 * 1:29134 <-> ENABLED <-> BLACKLIST DNS request for known malware domain takos.sytes.net (blacklist.rules)
 * 1:29135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bfddos variant outbound connection (malware-cnc.rules)
 * 1:29136 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neos outbound communication attempt (malware-cnc.rules)
 * 1:29138 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mojap variant outbound connection (malware-cnc.rules)
 * 1:29066 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit XOR'ed payload download attempt (exploit-kit.rules)
 * 1:29067 <-> DISABLED <-> BLACKLIST DNS request for known malware domain - mmzo.dyndns.org (blacklist.rules)
 * 1:29068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tapazom variant outbound connection (malware-cnc.rules)
 * 1:29127 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:29126 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jiang-zem.in - Win.Trojan.Zeus (blacklist.rules)
 * 1:29130 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit malicious payload download attempt (exploit-kit.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:29129 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit jar exploit download - specific structure (exploit-kit.rules)
 * 1:29070 <-> DISABLED <-> BLACKLIST DNS request for known malware domain - filedc.ygto.com (blacklist.rules)
 * 1:29069 <-> DISABLED <-> BLACKLIST DNS request for known malware domain - newfile.ocry.com (blacklist.rules)
 * 1:29071 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wcvalep variant outbound connection (malware-cnc.rules)
 * 1:29072 <-> DISABLED <-> BLACKLIST DNS request for known malware domain kid1232-nbteam.rhcloud.com (blacklist.rules)
 * 1:29073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Maetdik variant initial outbound connection (malware-cnc.rules)
 * 1:29075 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Firefly outbound communication attempt (malware-cnc.rules)
 * 1:29074 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Maetdik variant outbound connection (malware-cnc.rules)
 * 1:29076 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Epixed outbound communication attempt (malware-cnc.rules)
 * 1:29077 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Platidium outbound communication attempt (malware-cnc.rules)
 * 1:29078 <-> DISABLED <-> BLACKLIST DNS request for known malware domain hackboomteam.100webspace.net (blacklist.rules)
 * 1:29080 <-> ENABLED <-> BLACKLIST DNS request for known malware ftp.nirnbuzz.ugig.ir (blacklist.rules)
 * 1:29079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Inftob variant outbound connection (malware-cnc.rules)
 * 1:29081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Budir initial outbound connection (malware-cnc.rules)
 * 1:29082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ldmon outbound communication attempt (malware-cnc.rules)
 * 1:29083 <-> ENABLED <-> BLACKLIST DNS request for known malware domain a01.jackposegood.info (blacklist.rules)
 * 1:29084 <-> DISABLED <-> BLACKLIST DNS request for known malware domain silence.phdns01.com (blacklist.rules)
 * 1:29085 <-> DISABLED <-> BLACKLIST DNS request for known malware domain cpnet.phmail.us (blacklist.rules)
 * 1:29086 <-> DISABLED <-> BLACKLIST DNS request for known malware domain imlang.phmail.org (blacklist.rules)
 * 1:29087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kboy outbound connection (malware-cnc.rules)
 * 1:29088 <-> DISABLED <-> BLACKLIST DNS request for known malware domain iframe.ip138.com (blacklist.rules)
 * 1:29089 <-> DISABLED <-> BLACKLIST DNS request for known malware domain newip.zgpmsj.com (blacklist.rules)
 * 1:29090 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious test for public IP - iframe.ip138.com (indicator-compromise.rules)
 * 1:29091 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Choxy variant outbound connection (malware-cnc.rules)
 * 1:29092 <-> DISABLED <-> SERVER-WEBAPP ABB Test Signal Viewer CWGraph3D ActiveX arbitrary file creation attempt (server-webapp.rules)
 * 1:29093 <-> DISABLED <-> BLACKLIST DNS request for known malware domain musicbox.servemp3.com (blacklist.rules)
 * 1:29094 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.Shatekrat variant initial outbound connection (malware-backdoor.rules)
 * 1:29095 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fotip FTP file upload outbound connection (malware-cnc.rules)
 * 1:29096 <-> ENABLED <-> MALWARE-TOOLS Browser Password Decryptor - Password List sent via FTP (malware-tools.rules)
 * 1:29097 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:29098 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX function call access (browser-plugins.rules)
 * 1:29099 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:29100 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:29101 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:29102 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX function call access (browser-plugins.rules)
 * 1:29103 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korhigh variant outbound connection (malware-cnc.rules)
 * 1:29104 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Iniptad outbound connection (malware-cnc.rules)
 * 1:29105 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral agentLogUpload arbitrary file upload attempt (server-webapp.rules)
 * 1:29106 <-> ENABLED <-> BLACKLIST DNS request for known malware domain related to Win.Trojan.SixMuch variant (blacklist.rules)
 * 1:29107 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 666t.com (blacklist.rules)
 * 1:29108 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SixMuch variant outbound connection (malware-cnc.rules)
 * 1:29109 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drafukey variant outbound connection attempt (malware-cnc.rules)
 * 1:29110 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway save.do cross site request forgery attempt (server-webapp.rules)
 * 1:29111 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.free-screensaver.co.uk (blacklist.rules)
 * 1:29112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drafukey variant outbound connection (malware-cnc.rules)
 * 1:29113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conrec variant outbound connection (malware-cnc.rules)
 * 1:29114 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sotark outbound communication attempt (malware-cnc.rules)
 * 1:29115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alset outbound communication attempt (malware-cnc.rules)
 * 1:29116 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 003iuayt.com (blacklist.rules)
 * 1:29137 <-> DISABLED <-> BLACKLIST DNS request for known malware domain mop.cocente.net (blacklist.rules)
 * 1:29117 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tyaui variant outbound connection (malware-cnc.rules)
 * 1:29118 <-> DISABLED <-> SERVER-WEBAPP Novell Groupwise Messenger Server process memory information disclosure attempt (server-webapp.rules)
 * 1:29119 <-> DISABLED <-> BLACKLIST DNS request for known malware domain counter.yadro.ru (blacklist.rules)
 * 1:29123 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.InstallMonster outbound connection (malware-other.rules)
 * 1:29132 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.moderntip.com.tr (blacklist.rules)
 * 1:29125 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Valden outbound connection (malware-cnc.rules)
 * 1:29120 <-> DISABLED <-> BLACKLIST DNS request for known malware domain installmonster.ru (blacklist.rules)
 * 1:29121 <-> DISABLED <-> BLACKLIST DNS request for known malware domain mode.narod.ru (blacklist.rules)
 * 1:29122 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ucoz.ru (blacklist.rules)
 * 1:29124 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.InstallMonster outbound connection (malware-other.rules)

Modified Rules:
 * 1:22097 <-> DISABLED <-> SERVER-WEBAPP PHP-CGI command injection attempt (server-webapp.rules)
 * 1:28364 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt (browser-ie.rules)
 * 1:26832 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control exploit attempt (file-office.rules)
 * 1:28363 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt (browser-ie.rules)
 * 1:23285 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt (browser-ie.rules)
 * 1:28616 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit payload download attempt (exploit-kit.rules)
 * 1:20111 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint XSS vulnerability attempt (server-webapp.rules)
 * 1:22063 <-> ENABLED <-> SERVER-WEBAPP PHP-CGI remote file include attempt (server-webapp.rules)
 * 1:22064 <-> DISABLED <-> SERVER-WEBAPP PHP-CGI command injection attempt (server-webapp.rules)
 * 1:21796 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe onreadystatechange handler use after free attempt (browser-ie.rules)