Sourcefire VRT Rules Update

Date: 2014-01-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:29394 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit QuickTime plugin content-type http header buffer overflow attempt (browser-webkit.rules)
 * 1:29393 <-> DISABLED <-> DOS ntp monlist denial of service attempt (dos.rules)
 * 1:29392 <-> ENABLED <-> SERVER-WEBAPP EMC Connectrix Manager FileUploadController directory traversal attempt (server-webapp.rules)
 * 1:29391 <-> ENABLED <-> SERVER-WEBAPP EMC Connectrix Manager FileUploadController directory traversal attempt (server-webapp.rules)
 * 1:29390 <-> ENABLED <-> SERVER-WEBAPP EMC Connectrix Manager FileUploadController directory traversal attempt (server-webapp.rules)
 * 1:29389 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alusins variant outbound connection (malware-cnc.rules)
 * 1:29388 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ziriolo.sytes.net (blacklist.rules)
 * 1:29387 <-> ENABLED <-> SERVER-WEBAPP Synology DiskStation Manager SLICEUPLOAD remote command execution attempt (server-webapp.rules)
 * 1:29386 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file attachment detected (file-identify.rules)
 * 1:29385 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file attachment detected (file-identify.rules)
 * 1:29384 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file download request (file-identify.rules)
 * 1:29383 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:29382 <-> DISABLED <-> APP-DETECT VPN Over DNS application download attempt (app-detect.rules)
 * 1:29381 <-> DISABLED <-> APP-DETECT VPN Over DNS outbound traffic attempt (app-detect.rules)
 * 1:29380 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic (malware-cnc.rules)
 * 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules)
 * 1:29378 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic (malware-cnc.rules)
 * 1:29377 <-> DISABLED <-> BLACKLIST DNS request for known malware domain voxility.net - Win.Trojan.Dropper (blacklist.rules)
 * 1:29376 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoLocker.B connection test attempt (malware-cnc.rules)
 * 1:29375 <-> DISABLED <-> SERVER-WEBAPP Nagios process_cgivars off-by-one memory access denial of service attempt (server-webapp.rules)
 * 1:29374 <-> DISABLED <-> SERVER-WEBAPP Nagios process_cgivars off-by-one memory access denial of service attempt (server-webapp.rules)
 * 1:29373 <-> ENABLED <-> BLACKLIST DNS request for known malware domain loveisland.com (blacklist.rules)
 * 1:29372 <-> ENABLED <-> BLACKLIST DNS request for known malware domain w1.certdownload.com (blacklist.rules)
 * 1:29371 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Dluca (blacklist.rules)
 * 1:29370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent.ADJI variant outbound connection (malware-cnc.rules)
 * 1:29369 <-> ENABLED <-> BLACKLIST DNS request for known malware domain brilliantcock.com (blacklist.rules)
 * 1:29368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant followup outbound connection (malware-cnc.rules)
 * 1:29367 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant outbound connection (malware-cnc.rules)
 * 1:29366 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.jlnle.com (blacklist.rules)
 * 1:29365 <-> ENABLED <-> BLACKLIST DNS request for known malware domain o.lijnl.com (blacklist.rules)
 * 1:29364 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt (malware-other.rules)
 * 1:29363 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pacbootini variant outbound connection (malware-cnc.rules)
 * 1:29362 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
 * 1:29361 <-> ENABLED <-> EXPLOIT-KIT Goon exploit kit landing page (exploit-kit.rules)
 * 1:29360 <-> ENABLED <-> EXPLOIT-KIT Goon exploit kit encrypted binary download (exploit-kit.rules)

Modified Rules:
 * 1:29062 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JBIG2 decode segment null pointer crash attempt (file-pdf.rules)
 * 1:29063 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JBIG2 decode segment null pointer crash attempt (file-pdf.rules)