Sourcefire VRT Rules Update

Date: 2014-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2946.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:29339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kishop variant initial runtime outbound connection (malware-cnc.rules)
 * 1:29314 <-> DISABLED <-> PROTOCOL-SCADA Modbus function scan (protocol-scada.rules)
 * 1:29336 <-> ENABLED <-> BLACKLIST DNS request for known malware domain duli.1dxc.com (blacklist.rules)
 * 1:29344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dondat variant outbound connection (malware-cnc.rules)
 * 1:29346 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter cross site scripting attempt (server-webapp.rules)
 * 1:29347 <-> ENABLED <-> BLACKLIST DNS request for known malware domain W3.NICHIFAN.COM (blacklist.rules)
 * 1:29348 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chifan variant outbound connection (malware-cnc.rules)
 * 1:29349 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zusy variant outbound connection (malware-cnc.rules)
 * 1:29338 <-> DISABLED <-> BLACKLIST DNS request for known malware CNC domain buibala.org (blacklist.rules)
 * 1:29337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
 * 1:29340 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Plusau outbound communication attempt (malware-cnc.rules)
 * 1:29341 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent string CustomSpy - Win.Trojan.Etek (blacklist.rules)
 * 1:29342 <-> ENABLED <-> BLACKLIST DNS request for known malware CNC domain 55l1.3322.org (blacklist.rules)
 * 1:29343 <-> ENABLED <-> BLACKLIST DNS request for known malware CNC domain 14.7k.cc (blacklist.rules)
 * 1:29333 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aokaspid outbound communication attempt using proxy server (malware-cnc.rules)
 * 1:29329 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SERIES record sdtX memory corruption attempt (file-office.rules)
 * 1:29332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aokaspid outbound communication attempt using lan (malware-cnc.rules)
 * 1:29331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aokaspid outbound communication attempt using modem (malware-cnc.rules)
 * 1:29330 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Piedacon variant outbound connection (malware-cnc.rules)
 * 1:29327 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SERIES record SerAuxTrend sdtX memory corruption attempt (file-office.rules)
 * 1:29328 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SERIES record SerAuxErrBar sdtX memory corruption attempt (file-office.rules)
 * 1:29345 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dondat variant outbound connection (malware-cnc.rules)
 * 1:29325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Horsamaz outbound communication attempt (malware-cnc.rules)
 * 1:29326 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SERIES record sdtY memory corruption attempt (file-office.rules)
 * 1:29323 <-> DISABLED <-> BLACKLIST DNS request for Baidu IME keystroke logger (blacklist.rules)
 * 1:29324 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vivia variant outbound connection (malware-cnc.rules)
 * 1:29321 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29322 <-> DISABLED <-> APP-DETECT Baidu IME runtime detection - remote sync (app-detect.rules)
 * 1:29319 <-> DISABLED <-> PROTOCOL-SCADA Modbus invalid encapsulated interface request (protocol-scada.rules)
 * 1:29320 <-> DISABLED <-> APP-DETECT Baidu IME download attempt (app-detect.rules)
 * 1:29317 <-> DISABLED <-> PROTOCOL-SCADA Modbus invalid exception message (protocol-scada.rules)
 * 1:29318 <-> DISABLED <-> PROTOCOL-SCADA Modbus invalid encapsulated interface response (protocol-scada.rules)
 * 1:29316 <-> DISABLED <-> PROTOCOL-SCADA Modbus value scan (protocol-scada.rules)
 * 1:29315 <-> DISABLED <-> PROTOCOL-SCADA Modbus list scan (protocol-scada.rules)
 * 1:29334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aokaspid outbound communication attempt using other (malware-cnc.rules)
 * 1:29350 <-> ENABLED <-> BLACKLIST DNS request for known malware CNC domain downcompile.3322.org (blacklist.rules)
 * 1:29351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bulilit variant outbound connection (malware-cnc.rules)
 * 1:29352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Typdec variant outbound connection (malware-cnc.rules)
 * 1:29353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeagle outbound communication attempt (malware-cnc.rules)
 * 1:29354 <-> DISABLED <-> APP-DETECT Foca file scanning attempt (app-detect.rules)
 * 1:29355 <-> ENABLED <-> BLACKLIST DNS request for known malware domain - compare-free.com (blacklist.rules)
 * 1:29356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection (malware-cnc.rules)
 * 1:29358 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Mowfote (blacklist.rules)
 * 1:29357 <-> DISABLED <-> PUA-P2P Vuze BitTorrent client outbound connection (pua-p2p.rules)
 * 1:29335 <-> ENABLED <-> MALWARE-CNC OSX.Trojan.CallMe variant outbound connection (malware-cnc.rules)
 * 1:29359 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mowfote variant initial outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:29205 <-> DISABLED <-> PROTOCOL-SCADA Modbus read input registers response invalid byte count (protocol-scada.rules)
 * 1:29206 <-> DISABLED <-> PROTOCOL-SCADA Modbus read write register response - invalid byte count (protocol-scada.rules)
 * 1:29200 <-> DISABLED <-> PROTOCOL-SCADA Modbus write single coil - invalid state (protocol-scada.rules)
 * 1:29204 <-> DISABLED <-> PROTOCOL-SCADA Modbus read holding register response - invalid byte count (protocol-scada.rules)
 * 1:29202 <-> DISABLED <-> PROTOCOL-SCADA Modbus read coil status response - too many coils (protocol-scada.rules)
 * 1:29203 <-> DISABLED <-> PROTOCOL-SCADA Modbus read fifo response invalid byte count (protocol-scada.rules)
 * 1:29199 <-> DISABLED <-> PROTOCOL-SCADA Modbus write multiple registers - too many registers (protocol-scada.rules)
 * 1:29201 <-> DISABLED <-> PROTOCOL-SCADA Modbus read coil status response - too many coils (protocol-scada.rules)
 * 1:29198 <-> DISABLED <-> PROTOCOL-SCADA Modbus read write multiple registers - too many writes (protocol-scada.rules)
 * 1:29195 <-> DISABLED <-> PROTOCOL-SCADA Modbus read input register - too many inputs (protocol-scada.rules)
 * 1:29196 <-> DISABLED <-> PROTOCOL-SCADA Modbus read input status - too many inputs (protocol-scada.rules)
 * 1:29197 <-> DISABLED <-> PROTOCOL-SCADA Modbus read write multiple registers - too many writes (protocol-scada.rules)
 * 1:28871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt (os-windows.rules)
 * 1:29194 <-> DISABLED <-> PROTOCOL-SCADA Modbus read holding registers - too many inputs (protocol-scada.rules)
 * 1:29179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenad variant outbound connection (malware-cnc.rules)
 * 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
 * 1:28872 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt (os-windows.rules)
 * 1:28624 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
 * 1:28870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt (os-windows.rules)
 * 1:28868 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt (os-windows.rules)
 * 1:28869 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt (os-windows.rules)
 * 1:28623 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
 * 1:28867 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDProxy.sys privilege escalation attempt (os-windows.rules)
 * 1:28462 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
 * 1:24507 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
 * 1:24508 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
 * 1:28461 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
 * 1:21960 <-> DISABLED <-> MALWARE-CNC LURK communication protocol connection to server (malware-cnc.rules)
 * 1:20446 <-> DISABLED <-> SERVER-WEBAPP DiskPulseServer GetServerInfo request buffer overflow (server-webapp.rules)
 * 1:21817 <-> DISABLED <-> PROTOCOL-DNS excessive queries of type ANY - potential DoS (protocol-dns.rules)
 * 1:1842 <-> DISABLED <-> PROTOCOL-IMAP login buffer overflow attempt (protocol-imap.rules)
 * 3:17762 <-> ENABLED <-> WEB-CLIENT Microsoft Excel corrupted TABLE record clean up exploit attempt (web-client.rules)
 * 3:16415 <-> ENABLED <-> WEB-CLIENT Microsoft DirectShow memory corruption attempt (web-client.rules)
 * 3:15520 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel FtCbls remote code execution attempt (web-client.rules)