VRT Rules 2014-07-22
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, exploit, exploit-kit, file-flash, file-office, malware-cnc, malware-other, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2014-07-22 15:19:53 UTC

Sourcefire VRT Rules Update

Date: 2014-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31488 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
 * 1:31493 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
 * 1:31463 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cd5c5c.com - Win.Trojan.Androm (blacklist.rules)
 * 1:31461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed MSODrawing Record attempt (file-office.rules)
 * 1:31462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Malformed MSODrawing Record attempt (file-office.rules)
 * 1:31460 <-> DISABLED <-> SERVER-WEBAPP PHP DNS parsing heap overflow attempt (server-webapp.rules)
 * 1:31458 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SDBot variant outbound connection attempt (malware-cnc.rules)
 * 1:31457 <-> ENABLED <-> BLACKLIST DNS request for known malware domain joydagaspy.biz - Win.Trojan.SDBot (blacklist.rules)
 * 1:31455 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
 * 1:31454 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
 * 1:31453 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
 * 1:31456 <-> ENABLED <-> BLACKLIST DNS request for known malware domain infolooks.org - Win.Trojan.SDBot (blacklist.rules)
 * 1:31496 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:31459 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Jaktinier.A connection attempt (malware-cnc.rules)
 * 1:31452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
 * 1:31464 <-> ENABLED <-> BLACKLIST DNS request for known malware domain disk57.com - Win.Trojan.Androm (blacklist.rules)
 * 1:31490 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31489 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31492 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31491 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
 * 1:31467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:31468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Papras variant outbound connection (malware-cnc.rules)
 * 1:31469 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31470 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31471 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31472 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nanoseklo.net - Win.Trojan.HW32 (blacklist.rules)
 * 1:31473 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31474 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31475 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31476 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31477 <-> DISABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31478 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31479 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31480 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31481 <-> ENABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31482 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31483 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31484 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31495 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:31486 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:31487 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
 * 1:31485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:31494 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 3:31451 <-> ENABLED <-> EXPLOIT Cisco Unified IP phone BVSMWeb portal attack attempt (exploit.rules)

Modified Rules:

 * 1:17045 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)
 * 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
 * 1:25772 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:30345 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:23123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:21513 <-> ENABLED <-> MALWARE-TOOLS HOIC http denial of service attack (malware-tools.rules)
 * 1:17046 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)

2014-07-22 15:19:53 UTC

Sourcefire VRT Rules Update

Date: 2014-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31493 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31463 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cd5c5c.com - Win.Trojan.Androm (blacklist.rules)
 * 1:31465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
 * 1:31462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Malformed MSODrawing Record attempt (file-office.rules)
 * 1:31460 <-> DISABLED <-> SERVER-WEBAPP PHP DNS parsing heap overflow attempt (server-webapp.rules)
 * 1:31461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed MSODrawing Record attempt (file-office.rules)
 * 1:31458 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SDBot variant outbound connection attempt (malware-cnc.rules)
 * 1:31457 <-> ENABLED <-> BLACKLIST DNS request for known malware domain joydagaspy.biz - Win.Trojan.SDBot (blacklist.rules)
 * 1:31454 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
 * 1:31455 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
 * 1:31496 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:31488 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
 * 1:31452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
 * 1:31456 <-> ENABLED <-> BLACKLIST DNS request for known malware domain infolooks.org - Win.Trojan.SDBot (blacklist.rules)
 * 1:31489 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31490 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31492 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31491 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31459 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Jaktinier.A connection attempt (malware-cnc.rules)
 * 1:31464 <-> ENABLED <-> BLACKLIST DNS request for known malware domain disk57.com - Win.Trojan.Androm (blacklist.rules)
 * 1:31466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
 * 1:31467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:31468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Papras variant outbound connection (malware-cnc.rules)
 * 1:31469 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31470 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31471 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31472 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nanoseklo.net - Win.Trojan.HW32 (blacklist.rules)
 * 1:31473 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31474 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31475 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31476 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31477 <-> DISABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31478 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31479 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31480 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31453 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
 * 1:31481 <-> ENABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31482 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31483 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31484 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31494 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:31495 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:31486 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:31487 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
 * 3:31451 <-> ENABLED <-> EXPLOIT Cisco Unified IP phone BVSMWeb portal attack attempt (exploit.rules)

Modified Rules:

 * 1:23123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:25772 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
 * 1:30345 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:21513 <-> ENABLED <-> MALWARE-TOOLS HOIC http denial of service attack (malware-tools.rules)
 * 1:17046 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)
 * 1:17045 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)

2014-07-22 15:19:53 UTC

Sourcefire VRT Rules Update

Date: 2014-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
 * 1:31463 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cd5c5c.com - Win.Trojan.Androm (blacklist.rules)
 * 1:31461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed MSODrawing Record attempt (file-office.rules)
 * 1:31462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Malformed MSODrawing Record attempt (file-office.rules)
 * 1:31458 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SDBot variant outbound connection attempt (malware-cnc.rules)
 * 1:31460 <-> DISABLED <-> SERVER-WEBAPP PHP DNS parsing heap overflow attempt (server-webapp.rules)
 * 1:31457 <-> ENABLED <-> BLACKLIST DNS request for known malware domain joydagaspy.biz - Win.Trojan.SDBot (blacklist.rules)
 * 1:31455 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
 * 1:31454 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
 * 1:31452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
 * 1:31453 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
 * 1:31456 <-> ENABLED <-> BLACKLIST DNS request for known malware domain infolooks.org - Win.Trojan.SDBot (blacklist.rules)
 * 1:31459 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Jaktinier.A connection attempt (malware-cnc.rules)
 * 1:31464 <-> ENABLED <-> BLACKLIST DNS request for known malware domain disk57.com - Win.Trojan.Androm (blacklist.rules)
 * 1:31466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
 * 1:31467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:31468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Papras variant outbound connection (malware-cnc.rules)
 * 1:31469 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31470 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31471 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31472 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nanoseklo.net - Win.Trojan.HW32 (blacklist.rules)
 * 1:31473 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31474 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31475 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31476 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31477 <-> DISABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31478 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31479 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31480 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31481 <-> ENABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31482 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31483 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31484 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:31496 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:31495 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:31494 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31493 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31492 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31491 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31488 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
 * 1:31489 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31490 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31487 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
 * 1:31486 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 3:31451 <-> ENABLED <-> EXPLOIT Cisco Unified IP phone BVSMWeb portal attack attempt (exploit.rules)

Modified Rules:

 * 1:30345 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
 * 1:25772 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:21513 <-> ENABLED <-> MALWARE-TOOLS HOIC http denial of service attack (malware-tools.rules)
 * 1:17046 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)
 * 1:23123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:17045 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)

2014-07-22 15:19:53 UTC

Sourcefire VRT Rules Update

Date: 2014-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31496 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:31495 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:31494 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31493 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31492 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31491 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31490 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31489 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
 * 1:31488 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
 * 1:31487 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
 * 1:31486 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:31485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:31484 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31483 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31482 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31481 <-> ENABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31480 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31479 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31478 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31477 <-> DISABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
 * 1:31476 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31475 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31474 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31473 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
 * 1:31472 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nanoseklo.net - Win.Trojan.HW32 (blacklist.rules)
 * 1:31471 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31470 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31469 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Papras variant outbound connection (malware-cnc.rules)
 * 1:31467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:31466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
 * 1:31465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
 * 1:31464 <-> ENABLED <-> BLACKLIST DNS request for known malware domain disk57.com - Win.Trojan.Androm (blacklist.rules)
 * 1:31463 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cd5c5c.com - Win.Trojan.Androm (blacklist.rules)
 * 1:31462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Malformed MSODrawing Record attempt (file-office.rules)
 * 1:31461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed MSODrawing Record attempt (file-office.rules)
 * 1:31460 <-> DISABLED <-> SERVER-WEBAPP PHP DNS parsing heap overflow attempt (server-webapp.rules)
 * 1:31459 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Jaktinier.A connection attempt (malware-cnc.rules)
 * 1:31458 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SDBot variant outbound connection attempt (malware-cnc.rules)
 * 1:31457 <-> ENABLED <-> BLACKLIST DNS request for known malware domain joydagaspy.biz - Win.Trojan.SDBot (blacklist.rules)
 * 1:31456 <-> ENABLED <-> BLACKLIST DNS request for known malware domain infolooks.org - Win.Trojan.SDBot (blacklist.rules)
 * 1:31455 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
 * 1:31454 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
 * 1:31453 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
 * 1:31452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
 * 3:31451 <-> ENABLED <-> EXPLOIT Cisco Unified IP phone BVSMWeb portal attack attempt (exploit.rules)

Modified Rules:

 * 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
 * 1:25772 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:30345 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
 * 1:17046 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)
 * 1:21513 <-> ENABLED <-> MALWARE-TOOLS HOIC http denial of service attack (malware-tools.rules)
 * 1:17045 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)
 * 1:23123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)