Sourcefire VRT Rules Update

Date: 2013-01-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.0.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:25219 <-> DISABLED <-> BLACKLIST DNS request for known malware domain xeeypppxswpquvrf.ru (blacklist.rules)
 * 1:25218 <-> DISABLED <-> BLACKLIST DNS request for known malware domain wiombejwxrddpkkx.ru (blacklist.rules)
 * 1:25217 <-> DISABLED <-> BLACKLIST DNS request for known malware domain wejungvnykczyjam.ru (blacklist.rules)
 * 1:25216 <-> DISABLED <-> BLACKLIST DNS request for known malware domain vmibswhnpqhqwyih.ru (blacklist.rules)
 * 1:25215 <-> DISABLED <-> BLACKLIST DNS request for known malware domain venrfhmthwpqlqge.ru (blacklist.rules)
 * 1:25214 <-> DISABLED <-> BLACKLIST DNS request for known malware domain uqspvdwyltgcyhft.ru (blacklist.rules)
 * 1:25213 <-> DISABLED <-> BLACKLIST DNS request for known malware domain upmqpwyndzwzmmwy.ru (blacklist.rules)
 * 1:25212 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ummxjwieppswcnrg.ru (blacklist.rules)
 * 1:25211 <-> DISABLED <-> BLACKLIST DNS request for known malware domain uitjsdpvrfgfdhff.ru (blacklist.rules)
 * 1:25210 <-> DISABLED <-> BLACKLIST DNS request for known malware domain tdsorylshsxjeawf.ru (blacklist.rules)
 * 1:25209 <-> DISABLED <-> BLACKLIST DNS request for known malware domain sqwlonyduvpowdgy.ru (blacklist.rules)
 * 1:25208 <-> DISABLED <-> BLACKLIST DNS request for known malware domain somaliaonfloor.ru (blacklist.rules)
 * 1:25207 <-> DISABLED <-> BLACKLIST DNS request for known malware domain shderldqiqdtdcmu.ru (blacklist.rules)
 * 1:25206 <-> DISABLED <-> BLACKLIST DNS request for known malware domain sectantes-x.ru (blacklist.rules)
 * 1:25205 <-> DISABLED <-> BLACKLIST DNS request for known malware domain rxupwhkznihnxzqx.ru (blacklist.rules)
 * 1:25204 <-> DISABLED <-> BLACKLIST DNS request for known malware domain qtmyeslmsoxkjbku.ru (blacklist.rules)
 * 1:25203 <-> DISABLED <-> BLACKLIST DNS request for known malware domain qhibjmjlnpyovmbn.ru (blacklist.rules)
 * 1:25202 <-> DISABLED <-> BLACKLIST DNS request for known malware domain pwyloytoagndnrex.ru (blacklist.rules)
 * 1:25201 <-> DISABLED <-> BLACKLIST DNS request for known malware domain publicatorian.ru (blacklist.rules)
 * 1:25200 <-> DISABLED <-> BLACKLIST DNS request for known malware domain podarunoki.ru (blacklist.rules)
 * 1:25199 <-> DISABLED <-> BLACKLIST DNS request for known malware domain pitoniamason.ru (blacklist.rules)
 * 1:25256 <-> ENABLED <-> MALWARE-CNC Win.Worm.Gamarue outbound connection (malware-cnc.rules)
 * 1:25255 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit redirection attempt (exploit-kit.rules)
 * 1:25254 <-> DISABLED <-> BROWSER-PLUGINS Cisco Linksys PlayerPT ActiveX clsid access attempt (browser-plugins.rules)
 * 1:25253 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows .NET Framework System.Uri.ReCreateParts System.Uri.PathAndQuery overflow attempt (file-executable.rules)
 * 1:25252 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows .NET Framework System.Uri.ReCreateParts System.Uri.PathAndQuery overflow attempt (file-executable.rules)
 * 1:25251 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS .NET null character username truncation attempt (server-iis.rules)
 * 1:25250 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS .NET null character username truncation attempt (server-iis.rules)
 * 1:25249 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Basutra variant outbound connection (malware-cnc.rules)
 * 1:25248 <-> ENABLED <-> FILE-OTHER Lattice PAC Designer symbol value buffer overflow attempt (file-other.rules)
 * 1:25247 <-> ENABLED <-> FILE-OTHER Lattice PAC Designer symbol value buffer overflow attempt (file-other.rules)
 * 1:25246 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
 * 1:25245 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - me0hoi (blacklist.rules)
 * 1:25244 <-> DISABLED <-> MALWARE-CNC Win.Spy.Banker variant outbound connection (malware-cnc.rules)
 * 1:25243 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - 04/XP (blacklist.rules)
 * 1:25242 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Duapz variant outbound connection (malware-cnc.rules)
 * 1:25241 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetTrash variant outbound connection (malware-cnc.rules)
 * 1:25240 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Menti variant inbound connection (malware-cnc.rules)
 * 1:25239 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBot variant outbound connection (malware-cnc.rules)
 * 1:25238 <-> DISABLED <-> SERVER-WEBAPP OpenX server file upload PHP code execution attempt (server-webapp.rules)
 * 1:25237 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Firelog variant outbound connection (malware-cnc.rules)
 * 1:25236 <-> DISABLED <-> SERVER-WEBAPP WikkaWikki php code injection attempt (server-webapp.rules)
 * 1:25235 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25234 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:25233 <-> DISABLED <-> BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt (browser-firefox.rules)
 * 1:25232 <-> DISABLED <-> BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt (browser-firefox.rules)
 * 1:25231 <-> DISABLED <-> MALWARE-CNC Win.Spy.Banker variant outbound connection (malware-cnc.rules)
 * 1:25230 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkkomet variant outbound connection (malware-cnc.rules)
 * 1:25229 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkkomet variant inbound connection (malware-cnc.rules)
 * 1:25228 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt (browser-firefox.rules)
 * 1:25227 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt (browser-firefox.rules)
 * 1:25226 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Marquee stylesheet object removal (browser-ie.rules)
 * 1:25225 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Marquee stylesheet object removal (browser-ie.rules)
 * 1:25224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess URI and Referer (malware-cnc.rules)
 * 1:25223 <-> DISABLED <-> BLACKLIST DNS request for known malware domain zfyafrjmmajqfvbh.ru (blacklist.rules)
 * 1:25222 <-> DISABLED <-> BLACKLIST DNS request for known malware domain zatiscwwtipqlycd.ru (blacklist.rules)
 * 1:25221 <-> DISABLED <-> BLACKLIST DNS request for known malware domain yayfefhrwawquwcw.ru (blacklist.rules)
 * 1:25220 <-> DISABLED <-> BLACKLIST DNS request for known malware domain xmwettbvtbhvrjuo.ru (blacklist.rules)
 * 1:25198 <-> DISABLED <-> BLACKLIST DNS request for known malware domain pelamutrika.ru (blacklist.rules)
 * 1:25197 <-> DISABLED <-> BLACKLIST DNS request for known malware domain pchgijctfprxhnje.ru (blacklist.rules)
 * 1:25196 <-> DISABLED <-> BLACKLIST DNS request for known malware domain panamechkis.ru (blacklist.rules)
 * 1:25195 <-> DISABLED <-> BLACKLIST DNS request for known malware domain owekhoeuhmdiehrw.ru (blacklist.rules)
 * 1:25194 <-> DISABLED <-> BLACKLIST DNS request for known malware domain opldkflyvlkywuec.ru (blacklist.rules)
 * 1:25193 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ogrtlmpkqtwmweff.ru (blacklist.rules)
 * 1:25192 <-> DISABLED <-> BLACKLIST DNS request for known malware domain oblcasnhxbbocpfj.ru (blacklist.rules)
 * 1:25191 <-> DISABLED <-> BLACKLIST DNS request for known malware domain noqzuukouyfuyrmd.ru (blacklist.rules)
 * 1:25190 <-> DISABLED <-> BLACKLIST DNS request for known malware domain mouwwvcwwlilnxub.ru (blacklist.rules)
 * 1:25189 <-> DISABLED <-> BLACKLIST DNS request for known malware domain lfbovcaitdrjmkbe.ru (blacklist.rules)
 * 1:25188 <-> DISABLED <-> BLACKLIST DNS request for known malware domain leberiasun.ru (blacklist.rules)
 * 1:25187 <-> DISABLED <-> BLACKLIST DNS request for known malware domain lavvckpordclbduy.ru (blacklist.rules)
 * 1:25186 <-> DISABLED <-> BLACKLIST DNS request for known malware domain kzxrowftdocgyghs.ru (blacklist.rules)
 * 1:25185 <-> DISABLED <-> BLACKLIST DNS request for known malware domain knauycqgsdhgbwjo.ru (blacklist.rules)
 * 1:25184 <-> DISABLED <-> BLACKLIST DNS request for known malware domain jrkjelzwleadyxsd.ru (blacklist.rules)
 * 1:25183 <-> DISABLED <-> BLACKLIST DNS request for known malware domain imjosxuhbcdonrco.ru (blacklist.rules)
 * 1:25182 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ifrhgnqeeotnzrmz.ru (blacklist.rules)
 * 1:25181 <-> DISABLED <-> BLACKLIST DNS request for known malware domain iekiyvsbtyozmmwy.ru (blacklist.rules)
 * 1:25180 <-> DISABLED <-> BLACKLIST DNS request for known malware domain iblpdiqdmmsbnuxb.ru (blacklist.rules)
 * 1:25179 <-> DISABLED <-> BLACKLIST DNS request for known malware domain hvuwhwqtoyidfrjg.ru (blacklist.rules)
 * 1:25178 <-> DISABLED <-> BLACKLIST DNS request for known malware domain hfveiooumeyrpchg.ru (blacklist.rules)
 * 1:25177 <-> DISABLED <-> BLACKLIST DNS request for known malware domain haqmuqqukywrcxfa.ru (blacklist.rules)
 * 1:25176 <-> DISABLED <-> BLACKLIST DNS request for known malware domain gmokuosvnbkshdtd.ru (blacklist.rules)
 * 1:25175 <-> DISABLED <-> BLACKLIST DNS request for known malware domain genevaonline.ru (blacklist.rules)
 * 1:25174 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ganalionomka.ru (blacklist.rules)
 * 1:25173 <-> DISABLED <-> BLACKLIST DNS request for known malware domain fzsirujgdbvabrjm.ru (blacklist.rules)
 * 1:25172 <-> DISABLED <-> BLACKLIST DNS request for known malware domain fufsbovwfzjumtle.ru (blacklist.rules)
 * 1:25171 <-> DISABLED <-> BLACKLIST DNS request for known malware domain francese.ru (blacklist.rules)
 * 1:25170 <-> DISABLED <-> BLACKLIST DNS request for known malware domain febcbuyswmishvpl.ru (blacklist.rules)
 * 1:25169 <-> DISABLED <-> BLACKLIST DNS request for known malware domain eyxejlabqaytqmjx.ru (blacklist.rules)
 * 1:25168 <-> DISABLED <-> BLACKLIST DNS request for known malware domain elxegvkalqvkyoxc.ru (blacklist.rules)
 * 1:25167 <-> DISABLED <-> BLACKLIST DNS request for known malware domain eilqnjkoytyjuchn.ru (blacklist.rules)
 * 1:25166 <-> DISABLED <-> BLACKLIST DNS request for known malware domain eefysywrvkgxuqdf.ru (blacklist.rules)
 * 1:25165 <-> DISABLED <-> BLACKLIST DNS request for known malware domain dujovshpvbxgrikw.ru (blacklist.rules)
 * 1:25164 <-> DISABLED <-> BLACKLIST DNS request for known malware domain dpewaddpoewiycnj.ru (blacklist.rules)
 * 1:25163 <-> DISABLED <-> BLACKLIST DNS request for known malware domain dimarikanko.ru (blacklist.rules)
 * 1:25162 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ddkudnuklgiwtdyw.ru (blacklist.rules)
 * 1:25161 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ctolfpcqldrvxvml.ru (blacklist.rules)
 * 1:25160 <-> DISABLED <-> BLACKLIST DNS request for known malware domain cpittmwbqtjrjpql.ru (blacklist.rules)
 * 1:25159 <-> DISABLED <-> BLACKLIST DNS request for known malware domain cinemaallon.ru (blacklist.rules)
 * 1:25158 <-> DISABLED <-> BLACKLIST DNS request for known malware domain bkhyiqitpoxewhmt.ru (blacklist.rules)
 * 1:25157 <-> DISABLED <-> BLACKLIST DNS request for known malware domain bhujzorkulhkpwob.ru (blacklist.rules)
 * 1:25156 <-> DISABLED <-> BLACKLIST DNS request for known malware domain awoeionfpop.ru (blacklist.rules)
 * 1:25155 <-> DISABLED <-> BLACKLIST DNS request for known malware domain aviaonlolsio.ru (blacklist.rules)
 * 1:25154 <-> DISABLED <-> BLACKLIST DNS request for known malware domain atsihkcljrqlzvku.ru (blacklist.rules)
 * 1:25153 <-> DISABLED <-> BLACKLIST DNS request for known malware domain aseniakrol.ru (blacklist.rules)
 * 1:25152 <-> DISABLED <-> BLACKLIST DNS request for known malware domain apolinaklsit.ru (blacklist.rules)
 * 1:25151 <-> DISABLED <-> BLACKLIST DNS request for known malware domain apensiona.ru (blacklist.rules)
 * 1:25150 <-> DISABLED <-> BLACKLIST DNS request for known malware domain apendiksator.ru (blacklist.rules)
 * 1:25149 <-> DISABLED <-> BLACKLIST DNS request for known malware domain aofngppahgor.ru (blacklist.rules)
 * 1:25148 <-> DISABLED <-> BLACKLIST DNS request for known malware domain antariktika.ru (blacklist.rules)
 * 1:25147 <-> DISABLED <-> BLACKLIST DNS request for known malware domain anifkailood.ru (blacklist.rules)
 * 1:25146 <-> DISABLED <-> BLACKLIST DNS request for known malware domain angelaonfl.ru (blacklist.rules)
 * 1:25145 <-> DISABLED <-> BLACKLIST DNS request for known malware domain amnaosogo.ru (blacklist.rules)
 * 1:25144 <-> DISABLED <-> BLACKLIST DNS request for known malware domain aliamognoa.ru (blacklist.rules)
 * 1:25143 <-> DISABLED <-> BLACKLIST DNS request for known malware domain ahiontota.ru (blacklist.rules)
 * 1:25142 <-> DISABLED <-> BLACKLIST DNS request for known malware domain adanagenro.ru (blacklist.rules)
 * 1:25141 <-> DISABLED <-> BLACKLIST DNS request for known malware domain 85 (blacklist.rules)
 * 1:25140 <-> ENABLED <-> EXPLOIT-KIT Styx Exploit Kit exe outbound connection (exploit-kit.rules)
 * 1:25139 <-> DISABLED <-> EXPLOIT-KIT Styx Exploit Kit eot outbound connection (exploit-kit.rules)
 * 1:25138 <-> DISABLED <-> EXPLOIT-KIT Styx Exploit Kit pdf outbound connection (exploit-kit.rules)
 * 1:25137 <-> DISABLED <-> EXPLOIT-KIT Styx Exploit Kit jar outbound connection (exploit-kit.rules)
 * 1:25136 <-> ENABLED <-> EXPLOIT-KIT Styx Exploit Kit plugin detection connection (exploit-kit.rules)
 * 1:25135 <-> DISABLED <-> EXPLOIT-KIT Styx Exploit Kit outbound connection (exploit-kit.rules)

Modified Rules:
 * 1:4156 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player 7+ ActiveX object access (browser-plugins.rules)
 * 1:24837 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange initial landing page (exploit-kit.rules)
 * 1:25060 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveX multiple adjacent object tags (indicator-obfuscation.rules)
 * 1:24140 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed RTMP response attempt (file-flash.rules)
 * 1:24138 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed RTMP response attempt (file-flash.rules)
 * 1:24139 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed RTMP response attempt (file-flash.rules)
 * 1:23353 <-> DISABLED <-> BROWSER-PLUGINS Cisco Linksys PlayerPT ActiveX function call access attempt (browser-plugins.rules)
 * 1:23355 <-> DISABLED <-> SERVER-OTHER Trend Micro Control Manager AddTask stack buffer overflow attempt (server-other.rules)
 * 1:23157 <-> ENABLED <-> EXPLOIT-KIT URI Nuclear Pack exploit kit binary download (exploit-kit.rules)
 * 1:23352 <-> DISABLED <-> BROWSER-PLUGINS Cisco Linksys PlayerPT ActiveX clsid access attempt (browser-plugins.rules)
 * 1:19998 <-> DISABLED <-> POLICY-OTHER IP address discosure to advertisement sites attempt (policy-other.rules)
 * 1:19710 <-> ENABLED <-> BROWSER-CHROME Google Chrome float rendering corruption attempt (browser-chrome.rules)
 * 1:17149 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC renamed zip file handling code execution attempt - 2 (file-multimedia.rules)
 * 1:17510 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows .NET Deploy file download request (file-identify.rules)
 * 1:15956 <-> DISABLED <-> SERVER-ORACLE http Server mod_access restriction bypass attempt (server-oracle.rules)