Sourcefire VRT Rules Update

Date: 2013-04-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.3.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:26331 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Qhost variant outbound connection (malware-cnc.rules)
 * 1:26329 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel format record code execution attempt (file-office.rules)
 * 1:26322 <-> DISABLED <-> NETBIOS SMB named pipe bruteforce attempt (netbios.rules)
 * 1:26321 <-> DISABLED <-> NETBIOS SMB named pipe bruteforce attempt (netbios.rules)
 * 1:26324 <-> ENABLED <-> DOS ISC BIND NAPTR record regular expression handling denial of service attempt (dos.rules)
 * 1:26323 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit redirection page (exploit-kit.rules)
 * 1:26325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scar variant outbound connection (malware-cnc.rules)
 * 1:26326 <-> ENABLED <-> MALWARE-BACKDOOR DarkSeoul related wiper (malware-backdoor.rules)
 * 1:26327 <-> DISABLED <-> MALWARE-CNC OSX.Trojan.Flashfake variant outbound connection (malware-cnc.rules)
 * 1:26332 <-> ENABLED <-> MALWARE-BACKDOOR Jokra dropper download (malware-backdoor.rules)
 * 1:26328 <-> ENABLED <-> MALWARE-BACKDOOR Windows vernot download (malware-backdoor.rules)
 * 1:26320 <-> ENABLED <-> SERVER-WEBAPP Redmine SCM rev parameter command injection attempt (server-webapp.rules)
 * 1:26319 <-> DISABLED <-> MALWARE-CNC file path used as User-Agent - potential Bancos Trojan (malware-cnc.rules)
 * 1:26330 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint TxMasterStyle10Atom atom numLevels buffer overflow attempt (file-office.rules)

Modified Rules:
 * 1:21646 <-> DISABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure - prototype catch (exploit-kit.rules)
 * 1:17303 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer clone object memory corruption attempt (browser-ie.rules)
 * 1:16675 <-> DISABLED <-> BROWSER-PLUGINS CA BrightStor ListCtrl ActiveX control access (browser-plugins.rules)
 * 1:14656 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XSS mouseevent PII disclosure attempt (browser-ie.rules)
 * 1:24788 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit PDF Exploit request structure (exploit-kit.rules)
 * 1:20233 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Virut outbound connection (malware-cnc.rules)
 * 1:7638 <-> DISABLED <-> MALWARE-BACKDOOR Win.Exploit.Backdoor ncph runtime detection - initial connection (malware-backdoor.rules)
 * 1:26270 <-> ENABLED <-> MALWARE-CNC Zeus v3 DGA DNS query detected (malware-cnc.rules)
 * 1:24789 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit PDF Exploit download (exploit-kit.rules)
 * 1:19552 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel format record code execution attempt (file-office.rules)
 * 1:13971 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint TxMasterStyle10Atom atom numLevels buffer overflow attempt (file-office.rules)
 * 1:26268 <-> ENABLED <-> MALWARE-CNC Zeus v3 DGA DNS query detected (malware-cnc.rules)
 * 1:24790 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit Portable Executable request (exploit-kit.rules)
 * 1:24791 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit Portable Executable download (exploit-kit.rules)
 * 1:21492 <-> DISABLED <-> EXPLOIT-KIT Blackhole landing page with specific structure - prototype catch (exploit-kit.rules)
 * 1:24908 <-> ENABLED <-> SERVER-MYSQL Oracle MySQL user enumeration attempt (server-mysql.rules)
 * 1:21377 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager sql injection attempt (server-webapp.rules)
 * 1:25046 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit Java V6 exploit download (exploit-kit.rules)
 * 1:25047 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit Java V7 exploit download (exploit-kit.rules)
 * 1:25048 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit PDF Library exploit download (exploit-kit.rules)
 * 1:24787 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit Java Exploit download (exploit-kit.rules)
 * 1:25971 <-> DISABLED <-> EXPLOIT-KIT Redkit exploit kit redirection (exploit-kit.rules)
 * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules)
 * 1:24786 <-> ENABLED <-> EXPLOIT-KIT CritX Exploit Kit Java Exploit request structure (exploit-kit.rules)
 * 1:26124 <-> ENABLED <-> SERVER-WEBAPP Microsoft Office SharePoint cross site scripting attempt (server-webapp.rules)
 * 1:6692 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sRGB overflow attempt (file-image.rules)
 * 1:26096 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
 * 1:26266 <-> ENABLED <-> MALWARE-CNC Zeus v3 DGA DNS query detected (malware-cnc.rules)
 * 1:26267 <-> ENABLED <-> MALWARE-CNC Zeus v3 DGA DNS query detected (malware-cnc.rules)
 * 1:26269 <-> ENABLED <-> MALWARE-CNC Zeus v3 DGA DNS query detected (malware-cnc.rules)
 * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules)
 * 1:18767 <-> DISABLED <-> TFTP Multiple TFTP product buffer overflow attempt (tftp.rules)
 * 1:26271 <-> ENABLED <-> MALWARE-CNC Zeus v3 DGA DNS query detected (malware-cnc.rules)
 * 1:1948 <-> DISABLED <-> DNS zone transfer UDP (dns.rules)
 * 1:26284 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Surok variant outbound connection (malware-cnc.rules)
 * 3:17251 <-> ENABLED <-> SMTP Outlook RTF remote code execution attempt (smtp.rules)
 * 3:13921 <-> ENABLED <-> IMAP Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (imap.rules)
 * 3:13308 <-> ENABLED <-> WEB-MISC Apache HTTP server auth_ldap logging function format string vulnerability (web-misc.rules)
 * 3:15009 <-> ENABLED <-> NETBIOS possible SMB replay attempt - overlapping encryption keys detected (netbios.rules)
 * 3:14253 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
 * 3:14252 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
 * 3:14254 <-> ENABLED <-> MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (multimedia.rules)
 * 3:15847 <-> ENABLED <-> NETBIOS Telnet-based NTLM replay attack attempt (netbios.rules)
 * 3:17693 <-> ENABLED <-> SMTP MailEnable NTLM Authentication buffer overflow attempt (smtp.rules)
 * 3:15959 <-> ENABLED <-> DOS Microsoft ASP.NET viewstate DoS attempt (dos.rules)
 * 3:17697 <-> ENABLED <-> SMTP GnuPG Message Packet Length overflow attempt (smtp.rules)
 * 3:15124 <-> ENABLED <-> NETBIOS Web-based NTLM replay attack attempt (netbios.rules)
 * 3:15453 <-> ENABLED <-> NETBIOS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (netbios.rules)