Sourcefire VRT Rules Update

Date: 2013-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:25824 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit malicious payload retrieval (exploit-kit.rules)
 * 1:25823 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit Java V5 exploit download (exploit-kit.rules)
 * 1:25819 <-> ENABLED <-> FILE-PDF Adobe Reader known malicious variable (file-pdf.rules)
 * 1:25815 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FLV crafted ADPCM stream heap overflow attempt (file-flash.rules)
 * 1:25807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Urausy Botnet variant outbound communication (malware-cnc.rules)
 * 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25810 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25814 <-> DISABLED <-> FILE-FLASH Adobe Flash Player nested SWF cross domain clickjacking attempt (file-flash.rules)
 * 1:25816 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FLV crafted ADPCM stream heap overflow attempt (file-flash.rules)
 * 1:25817 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bolsilloner.es (blacklist.rules)
 * 1:25818 <-> ENABLED <-> FILE-PDF Adobe Reader known malicious variable (file-pdf.rules)
 * 1:25820 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit possible plugin detection attempt (exploit-kit.rules)
 * 1:25821 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit possible plugin detection attempt (exploit-kit.rules)
 * 1:25822 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit malicious PDF retrieval (exploit-kit.rules)
 * 1:25811 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25827 <-> DISABLED <-> SERVER-OTHER TLSv1.2 plaintext recovery attempt (server-other.rules)
 * 1:25828 <-> DISABLED <-> SERVER-OTHER SSLv3 plaintext recovery attempt (server-other.rules)
 * 1:25826 <-> DISABLED <-> SERVER-OTHER TLSv1.1 plaintext recovery attempt (server-other.rules)
 * 1:25809 <-> ENABLED <-> MALWARE-CNC Sality logos.gif URLs (malware-cnc.rules)
 * 1:25808 <-> ENABLED <-> EXPLOIT-KIT Unknown exploit kit landing page detection - specific-structure (exploit-kit.rules)
 * 1:25825 <-> DISABLED <-> SERVER-OTHER TLSv1.0 plaintext recovery attempt (server-other.rules)

Modified Rules:
 * 1:25803 <-> ENABLED <-> EXPLOIT-KIT Stamp Exploit kit jar file dropped (exploit-kit.rules)
 * 1:25788 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe use after free attempt (browser-ie.rules)
 * 1:25773 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML shape object malformed path attempt (browser-ie.rules)
 * 1:25610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection (malware-cnc.rules)
 * 1:24265 <-> ENABLED <-> MALWARE-OTHER Malicious UA detected on non-standard port (malware-other.rules)
 * 1:25789 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe use after free attempt (browser-ie.rules)
 * 3:16158 <-> ENABLED <-> WEB-CLIENT malformed ASF codec memory corruption attempt (web-client.rules)
 * 3:20825 <-> ENABLED <-> DOS generic web server hashing collision attack (dos.rules)
 * 3:17762 <-> ENABLED <-> WEB-CLIENT Microsoft Excel corrupted TABLE record clean up exploit attempt (web-client.rules)