Sourcefire VRT Rules Update

Date: 2013-04-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.4.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:26518 <-> ENABLED <-> FILE-IDENTIFY maplet bin file attachment detected (file-identify.rules)
 * 1:26517 <-> ENABLED <-> FILE-IDENTIFY maplet bin file download attempt (file-identify.rules)
 * 1:26516 <-> ENABLED <-> FILE-IDENTIFY maplet file attachment detected (file-identify.rules)
 * 1:26525 <-> ENABLED <-> BROWSER-PLUGINS Java security warning bypass through JWS attempt (browser-plugins.rules)
 * 1:26523 <-> ENABLED <-> SERVER-WEBAPP HP Intelligent Management Center ReportImgServlet information disclosure attempt (server-webapp.rules)
 * 1:26524 <-> ENABLED <-> BROWSER-PLUGINS Java security warning bypass through JWS attempt (browser-plugins.rules)
 * 1:26521 <-> DISABLED <-> FILE-OTHER Maple Maplet File Creation and Command Execution attempt (file-other.rules)
 * 1:26522 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent NOKIAN95/WEB (blacklist.rules)
 * 1:26520 <-> DISABLED <-> FILE-OTHER Maple Maplet File Creation and Command Execution attempt (file-other.rules)
 * 1:26519 <-> ENABLED <-> FILE-IDENTIFY maplet bin file attachment detected (file-identify.rules)
 * 1:26515 <-> ENABLED <-> FILE-IDENTIFY maplet file attachment detected (file-identify.rules)
 * 1:26514 <-> ENABLED <-> FILE-IDENTIFY maplet file download attempt (file-identify.rules)

Modified Rules:
 * 1:26506 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit jar file redirection (exploit-kit.rules)
 * 1:26509 <-> ENABLED <-> EXPLOIT-KIT Multiple Exploit Kit java payload detection (exploit-kit.rules)
 * 1:26510 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit pdf payload detection (exploit-kit.rules)
 * 1:26511 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit redirection structure (exploit-kit.rules)
 * 1:24577 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - MyApp (blacklist.rules)
 * 1:2337 <-> DISABLED <-> TFTP PUT filename overflow attempt (tftp.rules)
 * 1:23141 <-> ENABLED <-> EXPLOIT-KIT Fake transaction redirect page to exploit kit (exploit-kit.rules)
 * 1:23177 <-> DISABLED <-> SERVER-WEBAPP Symantec Web Gateway timer.php cross site scripting attempt (server-webapp.rules)
 * 1:21510 <-> ENABLED <-> EXPLOIT-KIT Sakura exploit kit logo transfer (exploit-kit.rules)
 * 1:21099 <-> ENABLED <-> EXPLOIT-KIT Crimepack exploit kit malicious pdf request (exploit-kit.rules)
 * 1:21218 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Sodager.C outbound connection (malware-cnc.rules)
 * 1:21096 <-> ENABLED <-> EXPLOIT-KIT Crimepack exploit kit control panel access (exploit-kit.rules)
 * 1:21098 <-> ENABLED <-> EXPLOIT-KIT Crimepack exploit kit landing page (exploit-kit.rules)
 * 1:1941 <-> ENABLED <-> TFTP GET filename overflow attempt (tftp.rules)
 * 1:16910 <-> DISABLED <-> BLACKLIST DNS request for known malware domain pattern - 0-0-0-0-0-0-0.info (blacklist.rules)
 * 1:18767 <-> DISABLED <-> TFTP Multiple TFTP product buffer overflow attempt (tftp.rules)
 * 1:26056 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit Portable Executable download (exploit-kit.rules)
 * 1:26052 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:26048 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit PDF exploit (exploit-kit.rules)
 * 1:26512 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit java payload detection (exploit-kit.rules)
 * 1:26507 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:24669 <-> ENABLED <-> EXPLOIT-KIT KaiXin pack attack vector attempt (exploit-kit.rules)
 * 1:24667 <-> ENABLED <-> EXPLOIT-KIT KaiXin pack attack vector attempt (exploit-kit.rules)
 * 1:24668 <-> ENABLED <-> EXPLOIT-KIT KaiXin pack attack vector attempt (exploit-kit.rules)
 * 1:23041 <-> DISABLED <-> FILE-PDF EmbeddedFile contained within a PDF (file-pdf.rules)
 * 1:21097 <-> ENABLED <-> EXPLOIT-KIT Crimepack exploit kit post-exploit download request (exploit-kit.rules)
 * 1:26046 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit landing page (exploit-kit.rules)
 * 1:26033 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 iframe redirection attempt (exploit-kit.rules)
 * 1:26051 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious jar file download (exploit-kit.rules)
 * 1:26049 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:26054 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:26055 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:26053 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:26227 <-> ENABLED <-> EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval (exploit-kit.rules)
 * 1:24670 <-> ENABLED <-> EXPLOIT-KIT KaiXin pack attack vector attempt (exploit-kit.rules)
 * 1:24793 <-> ENABLED <-> EXPLOIT-KIT KaiXin Exploit Kit Java Class download (exploit-kit.rules)
 * 1:24794 <-> DISABLED <-> EXPLOIT-KIT KaiXin Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:24795 <-> DISABLED <-> EXPLOIT-KIT KaiXin Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:24796 <-> DISABLED <-> EXPLOIT-KIT KaiXin Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:24797 <-> DISABLED <-> EXPLOIT-KIT KaiXin Exploit Kit Class download attempt (exploit-kit.rules)
 * 1:24860 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page - specific-structure (exploit-kit.rules)
 * 1:24861 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page in an email (exploit-kit.rules)
 * 1:24862 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page - specific-structure (exploit-kit.rules)
 * 1:24863 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page in an email (exploit-kit.rules)
 * 1:24864 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page - specific-structure (exploit-kit.rules)
 * 1:24865 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 landing page in an email (exploit-kit.rules)
 * 1:25568 <-> ENABLED <-> EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval (exploit-kit.rules)
 * 1:25590 <-> ENABLED <-> EXPLOIT-KIT Blackhole v2 landing page - specific structure (exploit-kit.rules)
 * 1:25591 <-> ENABLED <-> EXPLOIT-KIT Blackhole landing page - specific structure (exploit-kit.rules)
 * 1:25799 <-> DISABLED <-> EXPLOIT-KIT Stamp Exploit Kit pdf request (exploit-kit.rules)
 * 1:25800 <-> DISABLED <-> EXPLOIT-KIT Stamp Exploit Kit Javascript request (exploit-kit.rules)
 * 1:25801 <-> DISABLED <-> EXPLOIT-KIT Stamp Exploit Kit jar file request (exploit-kit.rules)
 * 1:25802 <-> DISABLED <-> EXPLOIT-KIT Stamp Exploit Kit encoded portable executable request (exploit-kit.rules)
 * 1:25857 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit PDF exploit (exploit-kit.rules)
 * 1:25858 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit Java exploit download (exploit-kit.rules)
 * 1:25859 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious jar file download (exploit-kit.rules)
 * 1:25860 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit landing page (exploit-kit.rules)
 * 1:25861 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25862 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit java exploit retrieval (exploit-kit.rules)
 * 1:25950 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit PDF exploit (exploit-kit.rules)
 * 1:25951 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25952 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit landing page (exploit-kit.rules)
 * 1:25953 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit landing page (exploit-kit.rules)
 * 1:25954 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit SWF file download (exploit-kit.rules)
 * 1:25955 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious jar file download (exploit-kit.rules)
 * 1:25956 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25957 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25958 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25959 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25960 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit Kit former location - has been removed (exploit-kit.rules)
 * 1:25962 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit EOT file download (exploit-kit.rules)
 * 1:25963 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit SWF file download (exploit-kit.rules)
 * 1:25964 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25965 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25966 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25967 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit malicious class file download (exploit-kit.rules)
 * 1:25968 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit Portable Executable download (exploit-kit.rules)
 * 1:26031 <-> ENABLED <-> EXPLOIT-KIT Blackholev2 exploit kit landing page (exploit-kit.rules)
 * 1:26050 <-> DISABLED <-> EXPLOIT-KIT Cool Exploit Kit SWF file download (exploit-kit.rules)
 * 1:26254 <-> ENABLED <-> EXPLOIT-KIT Cool exploit kit redirection page (exploit-kit.rules)
 * 1:26228 <-> ENABLED <-> EXPLOIT-KIT Cool exploit kit redirection page (exploit-kit.rules)
 * 1:26229 <-> ENABLED <-> EXPLOIT-KIT Cool exploit kit MyApplet class retrieval (exploit-kit.rules)
 * 1:26256 <-> ENABLED <-> EXPLOIT-KIT Cool exploit kit malicious jar download (exploit-kit.rules)
 * 1:26047 <-> ENABLED <-> EXPLOIT-KIT Cool Exploit kit redirection structure (exploit-kit.rules)