Sourcefire VRT Rules Update

Date: 2013-01-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:25512 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.SMSsend variant outbound connection (malware-cnc.rules)
 * 1:25524 <-> DISABLED <-> OS-OTHER Kindle User-Agent detected (os-other.rules)
 * 1:25515 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (file-identify.rules)
 * 1:25517 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
 * 1:25518 <-> DISABLED <-> OS-OTHER Apple iPod User-Agent detected (os-other.rules)
 * 1:25519 <-> DISABLED <-> OS-OTHER Apple iPad User-Agent detected (os-other.rules)
 * 1:25520 <-> DISABLED <-> OS-OTHER Apple iPhone User-Agent detected (os-other.rules)
 * 1:25522 <-> DISABLED <-> OS-OTHER Nokia User-Agent detected (os-other.rules)
 * 1:25523 <-> DISABLED <-> OS-OTHER Samsung User-Agent detected (os-other.rules)
 * 1:25521 <-> DISABLED <-> OS-OTHER Android User-Agent detected (os-other.rules)
 * 1:25525 <-> DISABLED <-> OS-OTHER Nintendo User-Agent detected (os-other.rules)
 * 1:25526 <-> ENABLED <-> EXPLOIT-KIT Multiple Exploit Kit Payload detection - setup.exe (exploit-kit.rules)
 * 1:25514 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)
 * 1:25513 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)

Modified Rules:

 * 1:23256 <-> DISABLED <-> FILE-EXECUTABLE Armadillo v1.71 packer file magic detected (file-executable.rules)
 * 1:25510 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25506 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25479 <-> DISABLED <-> POLICY-SOCIAL IRC K-line active (policy-social.rules)
 * 1:25505 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25386 <-> ENABLED <-> EXPLOIT-KIT Multiple Exploit Kit Payload detection - about.exe (exploit-kit.rules)
 * 1:25478 <-> DISABLED <-> POLICY-SOCIAL IRC G-line active (policy-social.rules)
 * 1:25385 <-> ENABLED <-> EXPLOIT-KIT Multiple Exploit Kit Payload detection - calc.exe (exploit-kit.rules)
 * 1:25383 <-> ENABLED <-> EXPLOIT-KIT Multiple Exploit Kit Payload detection - info.exe (exploit-kit.rules)
 * 1:25384 <-> ENABLED <-> EXPLOIT-KIT Multiple Exploit Kit Payload detection - contacts.exe (exploit-kit.rules)
 * 1:25328 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25326 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25327 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit pdf exploit retrieval (exploit-kit.rules)
 * 1:25324 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit landing page detected (exploit-kit.rules)
 * 1:25325 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit pdf exploit retrieval (exploit-kit.rules)
 * 1:11192 <-> DISABLED <-> FILE-EXECUTABLE download of executable content (file-executable.rules)
 * 1:25509 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit pdf exploit retrieval (exploit-kit.rules)
 * 1:25322 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:16313 <-> DISABLED <-> FILE-EXECUTABLE download of executable content (file-executable.rules)
 * 1:15306 <-> DISABLED <-> FILE-EXECUTABLE Portable Executable binary file magic detected (file-executable.rules)
 * 1:25042 <-> ENABLED <-> EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible Exploit Kit (exploit-kit.rules)
 * 1:16362 <-> ENABLED <-> MALWARE-CNC SpyForms malware call home attempt (malware-cnc.rules)
 * 1:25323 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:21945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Litmpuca.A Runtime Detection (malware-cnc.rules)
 * 1:25507 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit pdf exploit retrieval (exploit-kit.rules)
 * 1:25382 <-> ENABLED <-> EXPLOIT-KIT Multiple Exploit Kit malicious jar file dropped (exploit-kit.rules)
 * 1:25387 <-> ENABLED <-> EXPLOIT-KIT Multiple Exploit Kit Payload detection - readme.exe (exploit-kit.rules)
 * 1:25508 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:23246 <-> ENABLED <-> PUA-ADWARE Wajam Monitizer url outbound connection - post install (pua-adware.rules)
 * 1:21946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Litmpuca.A Runtime Detection (malware-cnc.rules)
 * 1:23247 <-> ENABLED <-> PUA-ADWARE Wajam Monitizer outbound connection - post install (pua-adware.rules)