Sourcefire VRT Rules Update

Date: 2013-09-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.5.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:27909 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPhraseElement use after free attempt (browser-ie.rules)
 * 1:27908 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CPhraseElement use after free attempt (browser-ie.rules)
 * 1:27907 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt (exploit-kit.rules)
 * 1:27905 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helauto variant connection attempt (malware-cnc.rules)
 * 1:27904 <-> DISABLED <-> PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt (protocol-voip.rules)
 * 1:27903 <-> DISABLED <-> PROTOCOL-VOIP Ghost call attack attempt (protocol-voip.rules)
 * 1:27902 <-> DISABLED <-> PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt (protocol-voip.rules)
 * 1:27901 <-> DISABLED <-> PROTOCOL-VOIP Ghost call attack attempt (protocol-voip.rules)
 * 1:27900 <-> DISABLED <-> PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt (protocol-voip.rules)
 * 1:27899 <-> DISABLED <-> PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt (protocol-voip.rules)
 * 1:27898 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit Payload detection - readme.dll (exploit-kit.rules)
 * 1:27897 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit Payload detection - calc.dll (exploit-kit.rules)
 * 1:27896 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit Payload detection - contacts.dll (exploit-kit.rules)
 * 1:27895 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit Payload detection - info.dll (exploit-kit.rules)
 * 1:27894 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit Payload detection - about.dll (exploit-kit.rules)
 * 1:27893 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:27892 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Acrobat Reader (exploit-kit.rules)
 * 1:27891 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit secondary payload (exploit-kit.rules)
 * 1:27890 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit secondary payload (exploit-kit.rules)
 * 1:27889 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:27888 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:27887 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:27886 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:27885 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:27884 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit outbound connection post compromise (exploit-kit.rules)
 * 1:27883 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Oracle Java (exploit-kit.rules)
 * 1:27882 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Flash Player (exploit-kit.rules)
 * 1:27881 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Flash Player (exploit-kit.rules)
 * 1:27880 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Acrobat Reader 9 (exploit-kit.rules)
 * 1:27879 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Acrobat Reader 8 (exploit-kit.rules)
 * 1:27878 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit landing page (exploit-kit.rules)
 * 1:27877 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit landing page (exploit-kit.rules)
 * 1:27876 <-> ENABLED <-> EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download (exploit-kit.rules)
 * 1:27875 <-> ENABLED <-> EXPLOIT-KIT DotCachef/DotCache exploit kit landing page (exploit-kit.rules)
 * 1:27874 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit possibly malicious iframe embedded into a webpage (exploit-kit.rules)
 * 1:27873 <-> ENABLED <-> EXPLOIT-KIT Kore exploit kit outbound payload download attempt (exploit-kit.rules)
 * 1:27872 <-> ENABLED <-> BROWSER-PLUGINS HP LoadRunner WriteFileString ActiveX function call attempt (browser-plugins.rules)
 * 1:27871 <-> ENABLED <-> BROWSER-PLUGINS HP LoadRunner WriteFileString ActiveX function call attempt (browser-plugins.rules)
 * 1:27870 <-> ENABLED <-> BROWSER-PLUGINS HP LoadRunner WriteFileString ActiveX function call attempt (browser-plugins.rules)
 * 1:27869 <-> ENABLED <-> BROWSER-PLUGINS HP LoadRunner WriteFileString ActiveX function call attempt (browser-plugins.rules)
 * 1:27868 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - dt12012 (blacklist.rules)
 * 1:27867 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound communication attempt (malware-cnc.rules)
 * 1:27866 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page (exploit-kit.rules)
 * 1:27865 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page request (exploit-kit.rules)
 * 1:27864 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sinowal variant connection attempt (malware-cnc.rules)
 * 3:27906 <-> ENABLED <-> EXPLOIT MIT Kerberos KDC prep_reprocess_req null pointer dereference attempt (exploit.rules)

Modified Rules:

 * 1:27851 <-> ENABLED <-> FILE-OFFICE Microsoft Office SDTI signed integer underflow attempt (file-office.rules)
 * 1:6343 <-> DISABLED <-> PUA-ADWARE Adware targetsaver runtime detection (pua-adware.rules)
 * 1:27841 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 MutationEvent use after free attempt (browser-ie.rules)
 * 1:27850 <-> ENABLED <-> FILE-OFFICE Microsoft Office SDTI signed integer underflow attempt (file-office.rules)
 * 1:27784 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit Oracle Java exploit download attempt (exploit-kit.rules)
 * 1:27785 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit outbound request format (exploit-kit.rules)
 * 1:27779 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit jar file retrieved on non-standard port (exploit-kit.rules)
 * 1:27780 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit jar file retrieved on non-standard port (exploit-kit.rules)
 * 1:27679 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection (malware-cnc.rules)
 * 1:27778 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit jar file retrieved on non-standard port (exploit-kit.rules)
 * 1:27138 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt (browser-ie.rules)
 * 1:27137 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt (browser-ie.rules)
 * 1:26997 <-> ENABLED <-> MALWARE-CNC OSX.Trojan.Morcut outbound connection attempt (malware-cnc.rules)
 * 1:27113 <-> ENABLED <-> EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt (exploit-kit.rules)
 * 1:26851 <-> ENABLED <-> BROWSER-IE IE5 compatibility mode use after free attempt (browser-ie.rules)
 * 1:26950 <-> ENABLED <-> EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt (exploit-kit.rules)
 * 1:26843 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 9 array element property use after free attempt (browser-ie.rules)
 * 1:26844 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 layout engine memory corruption attempt (browser-ie.rules)
 * 1:26804 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page (exploit-kit.rules)
 * 1:26410 <-> DISABLED <-> INDICATOR-COMPROMISE IP address check to j.maxmind.com detected (indicator-compromise.rules)
 * 1:25792 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer SVG object use after free attempt (browser-ie.rules)
 * 1:25062 <-> DISABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:25516 <-> DISABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:22979 <-> ENABLED <-> FILE-IDENTIFY M4V file attachment detected (file-identify.rules)
 * 1:22980 <-> ENABLED <-> FILE-IDENTIFY M4V file attachment detected (file-identify.rules)
 * 1:19910 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:20105 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - IPHONE (blacklist.rules)
 * 1:16299 <-> DISABLED <-> BLACKLIST DNS request for known malware domain bfisback.no-ip.org (blacklist.rules)
 * 1:19553 <-> ENABLED <-> SERVER-WEBAPP phpMyAdmin session_to_unset session variable injection attempt (server-webapp.rules)
 * 1:16297 <-> DISABLED <-> BLACKLIST DNS request for known malware domain butterfly.sinip.es (blacklist.rules)
 * 1:16298 <-> DISABLED <-> BLACKLIST DNS request for known malware domain qwertasdfg.sinip.es (blacklist.rules)
 * 3:17741 <-> ENABLED <-> EXPLOIT MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (exploit.rules)
 * 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)
 * 3:13947 <-> ENABLED <-> WEB-CLIENT Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt (web-client.rules)
 * 3:13975 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Event System ActiveX clsid access (web-client.rules)
 * 3:13511 <-> ENABLED <-> EXPLOIT Novell eDirectory EventsRequest invalid event count exploit attempt (exploit.rules)
 * 3:13946 <-> ENABLED <-> WEB-CLIENT Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt (web-client.rules)