Sourcefire VRT Rules Update

Date: 2012-12-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:24957 <-> DISABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:24963 <-> DISABLED <-> BROWSER-PLUGINS Microsoft DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:24969 <-> DISABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:24970 <-> DISABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:24972 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request (netbios.rules)
 * 1:24974 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
 * 1:24975 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
 * 1:24976 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:24977 <-> ENABLED <-> EXPLOIT-KIT ProPack Exploit Kit outbound connection attempt (exploit-kit.rules)
 * 1:24978 <-> ENABLED <-> EXPLOIT-KIT ProPack Exploit Kit outbound payload request (exploit-kit.rules)
 * 1:24979 <-> ENABLED <-> EXPLOIT-KIT ProPack Exploit Kit outbound connection (exploit-kit.rules)
 * 1:24967 <-> DISABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:24965 <-> DISABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:24964 <-> DISABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:24962 <-> DISABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:24959 <-> DISABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:24918 <-> DISABLED <-> MALWARE-CNC Win.Spy.Turspy variant outbound connection (malware-cnc.rules)
 * 1:24956 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer invalid object property use after free memory corruption attempt (browser-ie.rules)
 * 1:24955 <-> ENABLED <-> FILE-MULTIMEDIA AVI file chunk length integer overflow attempt (file-multimedia.rules)
 * 1:24916 <-> DISABLED <-> MALWARE-CNC Win.Spy.Banker variant outbound connection (malware-cnc.rules)
 * 1:24917 <-> DISABLED <-> MALWARE-CNC Win.Spy.Turspy variant outbound connection (malware-cnc.rules)
 * 1:24961 <-> DISABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:24958 <-> DISABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:24960 <-> DISABLED <-> BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access (browser-plugins.rules)
 * 1:24966 <-> DISABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 1:24968 <-> DISABLED <-> FILE-OFFICE Microsoft Office dpnet.dll DirectPlay CFixedPool-Get clsid access (file-office.rules)
 * 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)
 * 3:24971 <-> ENABLED <-> EXPLOIT Microsoft Windows ATMFD Adobe font driver reserved command denial of service attempt (exploit.rules)

Modified Rules:

 * 1:21610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Refroso.azyg outbound connection (malware-cnc.rules)
 * 1:21511 <-> DISABLED <-> MALWARE-CNC Trojan.Vaxpy outbound connection (malware-cnc.rules)
 * 1:21495 <-> DISABLED <-> MALWARE-CNC Trojan.Vilsel outbound connection (malware-cnc.rules)
 * 1:21497 <-> DISABLED <-> MALWARE-CNC Trojan.Saeeka outbound connection (malware-cnc.rules)
 * 1:21454 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banbra.vec outbound connection (malware-cnc.rules)
 * 1:21474 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Lancafdo.A outbound connection (malware-cnc.rules)
 * 1:21403 <-> DISABLED <-> MALWARE-CNC Worm.Win32.Vobfus.DL outbound connection (malware-cnc.rules)
 * 1:21404 <-> DISABLED <-> MALWARE-CNC Worm.Win32.Vobfus.DL outbound connection cont (malware-cnc.rules)
 * 1:21402 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ponfoy.A outbound connection (malware-cnc.rules)
 * 1:21252 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Sirefef.P outbound connection (malware-cnc.rules)
 * 1:21251 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Sirefef.P outbound connection (malware-cnc.rules)
 * 1:19977 <-> DISABLED <-> MALWARE-CNC Trojan.LooksLike.Zaplot outbound connection (malware-cnc.rules)
 * 1:21168 <-> ENABLED <-> FILE-MULTIMEDIA AVI file chunk length integer overflow attempt (file-multimedia.rules)
 * 1:19975 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Crypt.vb outbound connection (malware-cnc.rules)
 * 1:19976 <-> DISABLED <-> MALWARE-CNC Worm.Win32.Koobface.hy outbound connection (malware-cnc.rules)
 * 1:19973 <-> DISABLED <-> MALWARE-CNC Worm.Win.Trojan.Nebuler.D outbound connection (malware-cnc.rules)
 * 1:19974 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Small.bwj outbound connection (malware-cnc.rules)
 * 1:19970 <-> DISABLED <-> MALWARE-CNC W32.Smalltroj.MHYR outbound connection (malware-cnc.rules)
 * 1:19971 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mudrop.lj outbound connection (malware-cnc.rules)
 * 1:19968 <-> DISABLED <-> MALWARE-CNC Trojan.PSW.Win32.QQPass.amx outbound connection (malware-cnc.rules)
 * 1:19969 <-> DISABLED <-> MALWARE-CNC Trojan.Crypt.CY outbound connection (malware-cnc.rules)
 * 1:19905 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Small.jog outbound connection (malware-cnc.rules)
 * 1:19967 <-> DISABLED <-> MALWARE-CNC Trojan-PSW.Win32.Papras.dm outbound connection (malware-cnc.rules)
 * 1:19855 <-> DISABLED <-> MALWARE-CNC W32.Sality.AM outbound connection (malware-cnc.rules)
 * 1:19895 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Delf.jwh outbound connection (malware-cnc.rules)
 * 1:19854 <-> DISABLED <-> MALWARE-CNC W32.Sality.AM outbound connection (malware-cnc.rules)
 * 1:19850 <-> DISABLED <-> MALWARE-CNC Worm.Win32.AutoRun.qgg outbound connection (malware-cnc.rules)
 * 1:19851 <-> DISABLED <-> MALWARE-CNC Worm.Win32.AutoRun.qgg outbound connection (malware-cnc.rules)
 * 1:19834 <-> DISABLED <-> MALWARE-CNC Trojan.Spy.ZBot.RD outbound connection (malware-cnc.rules)
 * 1:19833 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banload.bda outbound connection (malware-cnc.rules)
 * 1:19831 <-> DISABLED <-> MALWARE-CNC Trojan.Spy.Zbot.SO outbound connection (malware-cnc.rules)
 * 1:19832 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Veslorn.gen.A outbound connection (malware-cnc.rules)
 * 1:19829 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Rbot.gen outbound connection (malware-cnc.rules)
 * 1:19830 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Poebot.BP outbound connection (malware-cnc.rules)
 * 1:19824 <-> DISABLED <-> MALWARE-CNC Gen-Trojan.Heur outbound connection (malware-cnc.rules)
 * 1:19828 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SpyAgent.B outbound connection (malware-cnc.rules)
 * 1:19821 <-> DISABLED <-> MALWARE-CNC Worm.Win32.Bagle.gen.C outbound connection (malware-cnc.rules)
 * 1:19822 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banload.HH outbound connection (malware-cnc.rules)
 * 1:19820 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ertfor.A outbound connection (malware-cnc.rules)
 * 1:19819 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ertfor.A outbound connection (malware-cnc.rules)
 * 1:19784 <-> DISABLED <-> MALWARE-CNC Worm.Win32.AutoRun.sde outbound connection (malware-cnc.rules)
 * 1:19776 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent2.guy dropper outbound connection (malware-cnc.rules)
 * 1:19783 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banload.agcw outbound connection (malware-cnc.rules)
 * 1:19773 <-> DISABLED <-> MALWARE-CNC Virus.Win32.Parite.B outbound connection (malware-cnc.rules)
 * 1:19774 <-> DISABLED <-> MALWARE-CNC Gen-Trojan.Heur outbound connection (malware-cnc.rules)
 * 1:19742 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.atff outbound connection (malware-cnc.rules)
 * 1:19743 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hupigon.eqlo outbound connection (malware-cnc.rules)
 * 1:19739 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Apptom outbound connection (malware-cnc.rules)
 * 1:19596 <-> DISABLED <-> MALWARE-CNC Poison Ivy outbound connection (malware-cnc.rules)
 * 1:19597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.cws outbound connection (malware-cnc.rules)
 * 1:19568 <-> DISABLED <-> MALWARE-CNC Trojan-Spy.Win32.PerfectKeylogger outbound connection (malware-cnc.rules)
 * 1:19572 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FFSearch.A outbound connection (malware-cnc.rules)
 * 1:19488 <-> DISABLED <-> MALWARE-CNC Worm.Win32.Failnum.A outbound connection (malware-cnc.rules)
 * 1:19479 <-> DISABLED <-> MALWARE-CNC Net-Worm.Win32.Piloyd.m outbound connection - request html (malware-cnc.rules)
 * 1:19481 <-> DISABLED <-> MALWARE-CNC Email-Worm.Win32.Agent.bx outbound connection (malware-cnc.rules)
 * 1:19476 <-> DISABLED <-> MALWARE-CNC Exploit.Win32.SqlShell.r outbound connection (malware-cnc.rules)
 * 1:19456 <-> DISABLED <-> MALWARE-CNC Packed.Win32.Klone.bj outbound connection (malware-cnc.rules)
 * 1:19457 <-> DISABLED <-> MALWARE-CNC Trojan-Clicker.Win32.Vesloruki.ajb outbound connection (malware-cnc.rules)
 * 1:19053 <-> ENABLED <-> MALWARE-CNC Worm.Win32.Nusump.A outbound connection (malware-cnc.rules)
 * 1:19455 <-> DISABLED <-> MALWARE-CNC Worm.Win32.AutoRun.aw outbound connection (malware-cnc.rules)
 * 1:18978 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Pasta.aoq outbound connection (malware-cnc.rules)
 * 1:18947 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBot.FC outbound connection (malware-cnc.rules)
 * 1:18946 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBot.FC outbound connection (malware-cnc.rules)
 * 1:16385 <-> ENABLED <-> SERVER-MYSQL yaSSL library cert parsing stack overflow attempt (server-mysql.rules)
 * 1:16124 <-> DISABLED <-> MALWARE-CNC Trojan.nsis.agent.s outbound connection (malware-cnc.rules)
 * 1:16099 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.wdv outbound connection (malware-cnc.rules)
 * 1:16108 <-> DISABLED <-> MALWARE-CNC Win.Trojan.exchanger.gen2 outbound connection (malware-cnc.rules)
 * 1:15363 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential obfuscated javascript eval unescape attack attempt (indicator-obfuscation.rules)
 * 1:14086 <-> DISABLED <-> MALWARE-CNC Adware.Win32.Agent.BM outbound connection 1 (malware-cnc.rules)
 * 1:14087 <-> DISABLED <-> MALWARE-CNC Adware.Win32.Agent.BM outbound connection 2 (malware-cnc.rules)
 * 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
 * 1:13878 <-> DISABLED <-> MALWARE-CNC Win.Trojan.delf.uv outbound connection (malware-cnc.rules)
 * 1:13898 <-> DISABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
 * 1:13876 <-> DISABLED <-> MALWARE-CNC zlob.acc outbound connection (malware-cnc.rules)
 * 1:13877 <-> DISABLED <-> MALWARE-CNC Win.Trojan.delf.uv outbound connection (malware-cnc.rules)
 * 1:13856 <-> DISABLED <-> MALWARE-CNC Win.Trojan.wintrim.z outbound connection (malware-cnc.rules)
 * 1:13523 <-> DISABLED <-> BROWSER-PLUGINS Novell iPrint ActiveX clsid access (browser-plugins.rules)
 * 1:13815 <-> DISABLED <-> MALWARE-CNC zombget.03 outbound connection (malware-cnc.rules)
 * 1:12661 <-> DISABLED <-> MALWARE-CNC troll.a outbound connection (malware-cnc.rules)
 * 1:13508 <-> DISABLED <-> MALWARE-CNC xploit 1.4.5 outbound connection (malware-cnc.rules)
 * 1:13509 <-> DISABLED <-> MALWARE-CNC xploit 1.4.5 pc outbound connection (malware-cnc.rules)
 * 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
 * 1:16097 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vvm outbound connection (malware-cnc.rules)
 * 1:16457 <-> DISABLED <-> MALWARE-CNC Trojan.Downloader.Win32.Cutwail.AI outbound connection (malware-cnc.rules)
 * 1:19454 <-> DISABLED <-> MALWARE-CNC Trojan.PWS.Win32.QQPass.IK outbound connection (malware-cnc.rules)
 * 1:19478 <-> DISABLED <-> MALWARE-CNC Worm.Win32.Taterf.B outbound connection (malware-cnc.rules)
 * 1:19569 <-> DISABLED <-> MALWARE-CNC Trojan-Downloader.Win32.Perkesh outbound connection (malware-cnc.rules)
 * 1:19740 <-> DISABLED <-> MALWARE-CNC Worm.Win32.AutoRun.aczu outbound connection (malware-cnc.rules)
 * 1:19744 <-> DISABLED <-> MALWARE-CNC Worm.Win32.Deecee.a outbound connection (malware-cnc.rules)
 * 1:19745 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FraudLoad.dyl outbound connection (malware-cnc.rules)
 * 1:19746 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.biiw outbound connection (malware-cnc.rules)
 * 1:19747 <-> DISABLED <-> MALWARE-CNC Win.Trojan.GGDoor.22 outbound connection (malware-cnc.rules)
 * 1:19748 <-> DISABLED <-> MALWARE-CNC Trojan.Crypt.ULPM.Gen IRC outbound connection (malware-cnc.rules)
 * 1:19772 <-> DISABLED <-> MALWARE-CNC Virus.Win32.Parite.B outbound connection (malware-cnc.rules)
 * 1:23214 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Waprox.A outbound connection (malware-cnc.rules)
 * 1:21976 <-> DISABLED <-> MALWARE-CNC Trojan-Downloader.Win32.Lapurd.D outbound connection (malware-cnc.rules)
 * 1:21947 <-> DISABLED <-> MALWARE-CNC Win.Trojan.VicSpy.A outbound connection (malware-cnc.rules)
 * 1:21769 <-> DISABLED <-> MALWARE-CNC Win.Trojan.LogonInvader.a outbound connection (malware-cnc.rules)
 * 1:21981 <-> DISABLED <-> MALWARE-CNC Trojan-Downloader.Win32.Selvice.vq outbound connection (malware-cnc.rules)
 * 1:22103 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coswid.klk outbound connection (malware-cnc.rules)
 * 1:21982 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Insain.mh outbound connection (malware-cnc.rules)
 * 1:23215 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Waprox.A outbound connection (malware-cnc.rules)
 * 1:23255 <-> DISABLED <-> MALWARE-CNC Trojan.Duojeen outbound connection (malware-cnc.rules)
 * 1:23313 <-> DISABLED <-> FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt (file-executable.rules)
 * 1:23340 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Nitol.B outbound connection (malware-cnc.rules)
 * 1:23377 <-> DISABLED <-> MALWARE-CNC Trojan.Sasfis outbound connection (malware-cnc.rules)
 * 1:23378 <-> DISABLED <-> MALWARE-CNC Trojan.Sasfis outbound connection (malware-cnc.rules)
 * 1:23388 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FakeMSN.I outbound connection (malware-cnc.rules)
 * 1:23391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hioles.C outbound connection (malware-cnc.rules)
 * 1:23446 <-> DISABLED <-> MALWARE-CNC Trojan.Sojax.A outbound connection (malware-cnc.rules)
 * 1:23615 <-> ENABLED <-> MALWARE-CNC ACAD.Medre.A outbound connection (malware-cnc.rules)
 * 1:23938 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ibabyfa.dldr outbound connection (malware-cnc.rules)
 * 1:23954 <-> ENABLED <-> MALWARE-OTHER Android SMSZombie APK file download (malware-other.rules)
 * 1:7183 <-> DISABLED <-> MALWARE-CNC Snoopware barok outbound connection (malware-cnc.rules)
 * 1:23987 <-> ENABLED <-> MALWARE-CNC Trojan.Kryptik.Kazy outbound connection (malware-cnc.rules)
 * 1:24082 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banbra outbound connection (malware-cnc.rules)
 * 1:24389 <-> DISABLED <-> INDICATOR-COMPROMISE itsoknoproblembro status check (indicator-compromise.rules)
 * 1:24779 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit - PDF Exploit (exploit-kit.rules)
 * 1:21974 <-> DISABLED <-> MALWARE-CNC Worm.Expichu outbound connection (malware-cnc.rules)
 * 1:6291 <-> DISABLED <-> MALWARE-CNC justjoke v2.6 outbound connection (malware-cnc.rules)
 * 1:21975 <-> DISABLED <-> MALWARE-CNC Worm.Expichu outbound connection (malware-cnc.rules)
 * 1:24894 <-> DISABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules)
 * 1:24839 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange landing page - specific structure (exploit-kit.rules)
 * 1:24840 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange landing page - JAR redirection (exploit-kit.rules)
 * 1:24891 <-> DISABLED <-> FILE-FLASH Action InitArray stack overflow attempt (file-flash.rules)
 * 1:21635 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Phdet.gen.A outbound connection (malware-cnc.rules)
 * 1:24780 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit - PDF Exploit (exploit-kit.rules)
 * 1:24837 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange initial landing page (exploit-kit.rules)
 * 1:12166 <-> DISABLED <-> MALWARE-CNC lithium 1.02 outbound connection (malware-cnc.rules)
 * 1:12165 <-> DISABLED <-> MALWARE-CNC lithium 1.02 outbound connection (malware-cnc.rules)