Sourcefire VRT Rules Update

Date: 2013-03-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:26059 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint file magic detected (file-identify.rules)
 * 1:26061 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint file attachment detected (file-identify.rules)
 * 1:26063 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word docm file download request (file-identify.rules)
 * 1:26057 <-> ENABLED <-> FILE-IDENTIFY ZIP file download detected (file-identify.rules)
 * 1:26055 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:26052 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:26056 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit Portable Executable download (exploit-kit.rules)
 * 1:26054 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:26050 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit SWF file download (exploit-kit.rules)
 * 1:26053 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:26047 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit redirection structure (exploit-kit.rules)
 * 1:26051 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious jar file download (exploit-kit.rules)
 * 1:26045 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - setup (exploit-kit.rules)
 * 1:26049 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:26046 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit landing page (exploit-kit.rules)
 * 1:26048 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit PDF exploit (exploit-kit.rules)
 * 1:26044 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - redirection attempt (exploit-kit.rules)
 * 1:26042 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - stats loaded (exploit-kit.rules)
 * 1:26043 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Portable executable download attempt (exploit-kit.rules)
 * 1:26040 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Portable executable download attempt (exploit-kit.rules)
 * 1:26037 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Java exploit download (exploit-kit.rules)
 * 1:26041 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Portable executable download attempt (exploit-kit.rules)
 * 1:26039 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Java exploit download (exploit-kit.rules)
 * 1:26038 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Java exploit download (exploit-kit.rules)
 * 1:26035 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - java on (exploit-kit.rules)
 * 1:26032 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page (exploit-kit.rules)
 * 1:26036 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - Java Exploit (exploit-kit.rules)
 * 1:26030 <-> ENABLED <-> FILE-OTHER Known malicious jar archive download attempt (file-other.rules)
 * 1:26034 <-> ENABLED <-> EXPLOIT-KIT Crimeboss exploit kit - stats access (exploit-kit.rules)
 * 1:26031 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page (exploit-kit.rules)
 * 1:26033 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 iframe redirection attempt (exploit-kit.rules)
 * 1:26027 <-> ENABLED <-> FILE-OTHER Adobe Director file file rcsL overflow attempt (file-other.rules)
 * 1:26029 <-> ENABLED <-> FILE-OTHER Adobe Director remote code execution attempt (file-other.rules)
 * 1:26028 <-> ENABLED <-> FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt (file-other.rules)
 * 1:26025 <-> ENABLED <-> INDICATOR-COMPROMISE Java user-agent request to svchost.jpg (indicator-compromise.rules)
 * 1:26022 <-> DISABLED <-> FILE-PDF EmbeddedFile contained within a PDF (file-pdf.rules)
 * 1:26026 <-> ENABLED <-> MALWARE-CNC Android Gmaster device information send (malware-cnc.rules)
 * 1:26024 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wecod variant outbound connection (malware-cnc.rules)
 * 1:26023 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant in.php outbound connection (malware-cnc.rules)
 * 1:26068 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:26069 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:26066 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:26067 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:26064 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word docm file attachment detected (file-identify.rules)
 * 1:26065 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word docm file attachment detected (file-identify.rules)
 * 1:26060 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint file download request (file-identify.rules)
 * 1:26058 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (file-identify.rules)
 * 1:26062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint file attachment detected (file-identify.rules)

Modified Rules:
 * 1:25963 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit SWF file download (exploit-kit.rules)
 * 1:25968 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit Portable Executable download (exploit-kit.rules)
 * 1:25801 <-> DISABLED <-> EXPLOIT-KIT Stamp Exploit Kit jar file request (exploit-kit.rules)
 * 1:25800 <-> DISABLED <-> EXPLOIT-KIT Stamp Exploit Kit Javascript request (exploit-kit.rules)
 * 1:25799 <-> DISABLED <-> EXPLOIT-KIT Stamp Exploit Kit pdf request (exploit-kit.rules)
 * 1:25587 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt (file-office.rules)
 * 1:26020 <-> ENABLED <-> EXPLOIT-KIT Sibhost exploit kit (exploit-kit.rules)
 * 1:24105 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a GIF file (malware-other.rules)
 * 1:23732 <-> ENABLED <-> FILE-IDENTIFY Microsoft Media Player .asf file magic detected (file-identify.rules)
 * 1:24107 <-> DISABLED <-> MALWARE-OTHER HTTP POST request to a BMP file (malware-other.rules)
 * 1:23724 <-> ENABLED <-> FILE-IDENTIFY Adobe Director Movie file magic detected (file-identify.rules)
 * 1:23041 <-> DISABLED <-> FILE-PDF EmbeddedFile contained within a PDF (file-pdf.rules)
 * 1:23757 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules)
 * 1:21235 <-> ENABLED <-> SERVER-WEBAPP LOCK Webdav Stack Buffer Overflow attempt (server-webapp.rules)
 * 1:23701 <-> ENABLED <-> FILE-IDENTIFY Microsoft SYmbolic LinK file magic detected (file-identify.rules)
 * 1:21953 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Multiple Products HTML href shell attempt (browser-firefox.rules)
 * 1:20883 <-> DISABLED <-> FILE-OFFICE Microsoft Windows embedded packager object with .application extension bypass attempt (file-office.rules)
 * 1:20882 <-> ENABLED <-> FILE-OFFICE Microsoft Windows embedded packager object identifier (file-office.rules)
 * 1:17814 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware - download of winzf32.dll (indicator-compromise.rules)
 * 1:17811 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware - download of svchost.exe (indicator-compromise.rules)
 * 1:17812 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware - download of iexplore.exe (indicator-compromise.rules)
 * 1:17801 <-> ENABLED <-> FILE-IDENTIFY Adobe Director Movie file magic detected (file-identify.rules)
 * 1:17813 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware - download of iprinp.dll (indicator-compromise.rules)
 * 1:17245 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox image dragging exploit attempt (browser-firefox.rules)
 * 1:17810 <-> DISABLED <-> INDICATOR-COMPROMISE potential malware - download of server32.exe (indicator-compromise.rules)
 * 1:17042 <-> ENABLED <-> FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt (file-other.rules)
 * 1:17524 <-> DISABLED <-> SERVER-OTHER Fujitsu SystemcastWizard Lite PXEService UDP Handling Buffer Overflow (server-other.rules)
 * 1:16384 <-> ENABLED <-> DOS VMware Server ISAPI Extension remote denial of service attempt (dos.rules)
 * 1:15930 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (os-windows.rules)
 * 1:15357 <-> DISABLED <-> FILE-PDF Adobe Reader JBIG2 remote code execution attempt (file-pdf.rules)
 * 1:15358 <-> DISABLED <-> FILE-PDF Adobe Reader JBIG2 remote code execution attempt (file-pdf.rules)
 * 1:13902 <-> ENABLED <-> SERVER-OTHER IBM Lotus Sametime multiplexer stack buffer overflow attempt (server-other.rules)
 * 1:15896 <-> DISABLED <-> DOS Firebird SQL op_connect_request denial of service attempt (dos.rules)
 * 1:13916 <-> DISABLED <-> SERVER-OTHER Alt-N SecurityGateway username buffer overflow attempt (server-other.rules)
 * 1:13572 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt (file-office.rules)
 * 1:12972 <-> ENABLED <-> FILE-IDENTIFY Microsoft Media Player asf/wmv/wma file magic detected (file-identify.rules)
 * 1:13585 <-> ENABLED <-> FILE-IDENTIFY Microsoft SYmbolic LinK file magic detected (file-identify.rules)
 * 1:12592 <-> DISABLED <-> SERVER-MAIL Recipient arbitrary command injection attempt (server-mail.rules)
 * 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
 * 1:3820 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules)
 * 1:25927 <-> ENABLED <-> MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt (malware-tools.rules)
 * 1:25857 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit PDF exploit (exploit-kit.rules)
 * 1:25803 <-> ENABLED <-> EXPLOIT-KIT Multiple Exploit kit jar file dropped (exploit-kit.rules)
 * 1:25954 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit SWF file download (exploit-kit.rules)
 * 1:25950 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit PDF exploit (exploit-kit.rules)
 * 1:25961 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit Portable Executable download (exploit-kit.rules)
 * 1:25802 <-> DISABLED <-> EXPLOIT-KIT Stamp Exploit Kit encoded portable executable request (exploit-kit.rules)
 * 3:16156 <-> ENABLED <-> WEB-CLIENT Windows Media Player ASF marker object memory corruption attempt (web-client.rules)
 * 3:16320 <-> ENABLED <-> WEB-CLIENT Adobe PNG empty sPLT exploit attempt (web-client.rules)