Talos Rules 2015-05-26
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-identify, file-other, file-pdf, malware-cnc, malware-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-05-26 19:42:17 UTC

Snort Subscriber Rules Update

Date: 2015-05-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34584 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:34585 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34586 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34587 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34588 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34589 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34590 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34591 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34568 <-> DISABLED <-> SERVER-WEBAPP Wordpress Gravity Forms gf_page arbitrary file upload attempt (server-webapp.rules)
 * 1:34592 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34594 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34580 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34578 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34579 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34577 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34571 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nonobabe.100webspace.net - Win.Trojan.Zinnemls (blacklist.rules)
 * 1:34572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zinnemls variant outbound connection attempt (malware-cnc.rules)
 * 1:34593 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34566 <-> DISABLED <-> FILE-OTHER Microsoft Windows Font Library file buffer overflow attempt (file-other.rules)
 * 1:34570 <-> ENABLED <-> BLACKLIST DNS request for known malware domain driveake.webcindario.com - Win.Trojan.Zinnemls (blacklist.rules)
 * 1:34569 <-> DISABLED <-> SERVER-WEBAPP Wordpress Creative Contact Form arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:34567 <-> ENABLED <-> MALWARE-CNC MacOS.Trojan.MacVX outbound connection attempt (malware-cnc.rules)
 * 1:34565 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics engine EMF rendering vulnerability (os-windows.rules)
 * 1:34581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mathanuc outbound connection (malware-cnc.rules)
 * 1:34583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt (file-flash.rules)
 * 1:34582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt (file-flash.rules)

Modified Rules:


 * 1:33799 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33782 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33779 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33800 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:17618 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics engine EMF rendering vulnerability (os-windows.rules)
 * 1:29836 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript bytecode object type confusion information disclosure attempt (file-flash.rules)
 * 1:29525 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray bad sample count attempt (file-flash.rules)
 * 1:29835 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript bytecode object type confusion information disclosure attempt (file-flash.rules)
 * 1:28704 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:21458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:21533 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Stage3D null dereference attempt (file-flash.rules)
 * 1:23997 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:21534 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Matrix3D.copyRawDataFrom buffer overflow attempt (file-flash.rules)
 * 1:21535 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Matrix3D.copyRawDataFrom buffer overflow attempt (file-flash.rules)
 * 1:21536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Stage3D null dereference attempt (file-flash.rules)
 * 1:21653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript getURL target null reference attempt (file-flash.rules)
 * 1:34074 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
 * 1:34075 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
 * 1:33806 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33803 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33798 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33793 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33788 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33783 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33778 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:29903 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules)
 * 1:29524 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray bad sample count attempt (file-flash.rules)
 * 1:19264 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:19263 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:28703 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:23996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:34149 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34150 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:26172 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sortOn heap overflow attempt (file-flash.rules)
 * 1:26173 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sortOn heap overflow attempt (file-flash.rules)
 * 1:27267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript user-supplied PCM resampling integer overflow attempt (file-flash.rules)
 * 1:27268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript user-supplied PCM resampling integer overflow attempt (file-flash.rules)
 * 1:33791 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:31284 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:29902 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules)
 * 1:33773 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt (os-windows.rules)
 * 1:34529 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader AVDoc use-after-free attempt (file-pdf.rules)
 * 1:34528 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader AVDoc use-after-free attempt (file-pdf.rules)
 * 1:34546 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PCR null pointer dereference attempt (file-pdf.rules)
 * 1:34547 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PCR null pointer dereference attempt (file-pdf.rules)
 * 1:33774 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt (os-windows.rules)
 * 1:34551 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
 * 1:34550 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
 * 1:34557 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
 * 1:34558 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
 * 1:33790 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:7514 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - send out info to server periodically (malware-other.rules)
 * 1:33804 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33780 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:7513 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - init connection (malware-other.rules)
 * 1:33781 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:7515 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - remote monitoring (malware-other.rules)
 * 1:33784 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33785 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33786 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33787 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33777 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:19689 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript dynamic calculation double-free attempt (file-flash.rules)
 * 1:18388 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string RookIE/1.0 (blacklist.rules)
 * 1:19690 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript duplicateDoorInputArguments stack overwrite (file-flash.rules)
 * 1:18968 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript3 stack integer overflow attempt (file-flash.rules)
 * 1:19262 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:21457 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:33802 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:19691 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript File reference buffer overflow attempt (file-flash.rules)
 * 1:33796 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:34147 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:20777 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:33792 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:15729 <-> DISABLED <-> FILE-FLASH Possible Adobe Flash Player ActionScript byte_array heap spray attempt (file-flash.rules)
 * 1:33794 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:20269 <-> ENABLED <-> FILE-IDENTIFY FON font file download request (file-identify.rules)
 * 1:33797 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33801 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:20031 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:33789 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33795 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:19688 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript BitmapData buffer overflow attempt (file-flash.rules)
 * 1:33805 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:34148 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:20767 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)

2015-05-26 19:42:17 UTC

Snort Subscriber Rules Update

Date: 2015-05-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34568 <-> DISABLED <-> SERVER-WEBAPP Wordpress Gravity Forms gf_page arbitrary file upload attempt (server-webapp.rules)
 * 1:34594 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34592 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34593 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34591 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34589 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34590 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34587 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34588 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34586 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34584 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:34585 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt (file-flash.rules)
 * 1:34581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mathanuc outbound connection (malware-cnc.rules)
 * 1:34582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt (file-flash.rules)
 * 1:34579 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34580 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34578 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34577 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34571 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nonobabe.100webspace.net - Win.Trojan.Zinnemls (blacklist.rules)
 * 1:34572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zinnemls variant outbound connection attempt (malware-cnc.rules)
 * 1:34567 <-> ENABLED <-> MALWARE-CNC MacOS.Trojan.MacVX outbound connection attempt (malware-cnc.rules)
 * 1:34569 <-> DISABLED <-> SERVER-WEBAPP Wordpress Creative Contact Form arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:34570 <-> ENABLED <-> BLACKLIST DNS request for known malware domain driveake.webcindario.com - Win.Trojan.Zinnemls (blacklist.rules)
 * 1:34566 <-> DISABLED <-> FILE-OTHER Microsoft Windows Font Library file buffer overflow attempt (file-other.rules)
 * 1:34565 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics engine EMF rendering vulnerability (os-windows.rules)

Modified Rules:


 * 1:33802 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:20767 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:33792 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33779 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:34075 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
 * 1:21458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:21533 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Stage3D null dereference attempt (file-flash.rules)
 * 1:21534 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Matrix3D.copyRawDataFrom buffer overflow attempt (file-flash.rules)
 * 1:21535 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Matrix3D.copyRawDataFrom buffer overflow attempt (file-flash.rules)
 * 1:21536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Stage3D null dereference attempt (file-flash.rules)
 * 1:21653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript getURL target null reference attempt (file-flash.rules)
 * 1:7515 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - remote monitoring (malware-other.rules)
 * 1:7513 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - init connection (malware-other.rules)
 * 1:7514 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - send out info to server periodically (malware-other.rules)
 * 1:34551 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
 * 1:34558 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
 * 1:34550 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
 * 1:34557 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
 * 1:34546 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PCR null pointer dereference attempt (file-pdf.rules)
 * 1:34528 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader AVDoc use-after-free attempt (file-pdf.rules)
 * 1:34547 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PCR null pointer dereference attempt (file-pdf.rules)
 * 1:34529 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader AVDoc use-after-free attempt (file-pdf.rules)
 * 1:34148 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34074 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
 * 1:33806 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33803 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33798 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33793 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33788 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33783 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33778 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:29903 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules)
 * 1:29524 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray bad sample count attempt (file-flash.rules)
 * 1:15729 <-> DISABLED <-> FILE-FLASH Possible Adobe Flash Player ActionScript byte_array heap spray attempt (file-flash.rules)
 * 1:17618 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics engine EMF rendering vulnerability (os-windows.rules)
 * 1:18388 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string RookIE/1.0 (blacklist.rules)
 * 1:34150 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34149 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:28704 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:29525 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray bad sample count attempt (file-flash.rules)
 * 1:29835 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript bytecode object type confusion information disclosure attempt (file-flash.rules)
 * 1:29836 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript bytecode object type confusion information disclosure attempt (file-flash.rules)
 * 1:28703 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:27267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript user-supplied PCM resampling integer overflow attempt (file-flash.rules)
 * 1:27268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript user-supplied PCM resampling integer overflow attempt (file-flash.rules)
 * 1:26172 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sortOn heap overflow attempt (file-flash.rules)
 * 1:26173 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sortOn heap overflow attempt (file-flash.rules)
 * 1:23996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:23997 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:33773 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt (os-windows.rules)
 * 1:31284 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:33774 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt (os-windows.rules)
 * 1:33777 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33794 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33797 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33780 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33781 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33782 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33784 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33785 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33786 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33787 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33789 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33790 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33791 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:19263 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:33795 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:29902 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules)
 * 1:33796 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33799 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33801 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:19689 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript dynamic calculation double-free attempt (file-flash.rules)
 * 1:19688 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript BitmapData buffer overflow attempt (file-flash.rules)
 * 1:20777 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:34147 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:19691 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript File reference buffer overflow attempt (file-flash.rules)
 * 1:21457 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:18968 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript3 stack integer overflow attempt (file-flash.rules)
 * 1:19262 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:19690 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript duplicateDoorInputArguments stack overwrite (file-flash.rules)
 * 1:33805 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:20269 <-> ENABLED <-> FILE-IDENTIFY FON font file download request (file-identify.rules)
 * 1:20031 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:33800 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:19264 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:33804 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)

2015-05-26 19:42:17 UTC

Snort Subscriber Rules Update

Date: 2015-05-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34571 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nonobabe.100webspace.net - Win.Trojan.Zinnemls (blacklist.rules)
 * 1:34572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zinnemls variant outbound connection attempt (malware-cnc.rules)
 * 1:34573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34577 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34578 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34580 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34579 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mathanuc outbound connection (malware-cnc.rules)
 * 1:34583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt (file-flash.rules)
 * 1:34582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt (file-flash.rules)
 * 1:34585 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34584 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:34586 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34588 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34587 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34589 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34590 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34591 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34593 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34592 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34594 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34568 <-> DISABLED <-> SERVER-WEBAPP Wordpress Gravity Forms gf_page arbitrary file upload attempt (server-webapp.rules)
 * 1:34570 <-> ENABLED <-> BLACKLIST DNS request for known malware domain driveake.webcindario.com - Win.Trojan.Zinnemls (blacklist.rules)
 * 1:34566 <-> DISABLED <-> FILE-OTHER Microsoft Windows Font Library file buffer overflow attempt (file-other.rules)
 * 1:34565 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics engine EMF rendering vulnerability (os-windows.rules)
 * 1:34567 <-> ENABLED <-> MALWARE-CNC MacOS.Trojan.MacVX outbound connection attempt (malware-cnc.rules)
 * 1:34569 <-> DISABLED <-> SERVER-WEBAPP Wordpress Creative Contact Form arbitrary PHP file upload attempt (server-webapp.rules)

Modified Rules:


 * 1:20767 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:18968 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript3 stack integer overflow attempt (file-flash.rules)
 * 1:34147 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34149 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34075 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
 * 1:33805 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33802 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33804 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33801 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33799 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33800 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33797 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33795 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33796 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33792 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33794 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33791 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33789 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33790 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33787 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33785 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33786 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33782 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33784 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33781 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33779 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33780 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33777 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33773 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt (os-windows.rules)
 * 1:33774 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt (os-windows.rules)
 * 1:29902 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules)
 * 1:31284 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:29836 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript bytecode object type confusion information disclosure attempt (file-flash.rules)
 * 1:29525 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray bad sample count attempt (file-flash.rules)
 * 1:29835 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript bytecode object type confusion information disclosure attempt (file-flash.rules)
 * 1:28704 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:27268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript user-supplied PCM resampling integer overflow attempt (file-flash.rules)
 * 1:28703 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:26173 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sortOn heap overflow attempt (file-flash.rules)
 * 1:27267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript user-supplied PCM resampling integer overflow attempt (file-flash.rules)
 * 1:23997 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:26172 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sortOn heap overflow attempt (file-flash.rules)
 * 1:23996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:21458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:21533 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Stage3D null dereference attempt (file-flash.rules)
 * 1:21534 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Matrix3D.copyRawDataFrom buffer overflow attempt (file-flash.rules)
 * 1:21535 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Matrix3D.copyRawDataFrom buffer overflow attempt (file-flash.rules)
 * 1:21536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Stage3D null dereference attempt (file-flash.rules)
 * 1:15729 <-> DISABLED <-> FILE-FLASH Possible Adobe Flash Player ActionScript byte_array heap spray attempt (file-flash.rules)
 * 1:17618 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics engine EMF rendering vulnerability (os-windows.rules)
 * 1:21653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript getURL target null reference attempt (file-flash.rules)
 * 1:29524 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray bad sample count attempt (file-flash.rules)
 * 1:29903 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules)
 * 1:33778 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33783 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:34150 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:33788 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:34528 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader AVDoc use-after-free attempt (file-pdf.rules)
 * 1:34529 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader AVDoc use-after-free attempt (file-pdf.rules)
 * 1:34546 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PCR null pointer dereference attempt (file-pdf.rules)
 * 1:34547 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PCR null pointer dereference attempt (file-pdf.rules)
 * 1:34550 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
 * 1:34551 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
 * 1:34557 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
 * 1:34558 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
 * 1:7513 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - init connection (malware-other.rules)
 * 1:7514 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - send out info to server periodically (malware-other.rules)
 * 1:7515 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - remote monitoring (malware-other.rules)
 * 1:33793 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33798 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:34148 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:33803 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:18388 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string RookIE/1.0 (blacklist.rules)
 * 1:33806 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:20777 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:34074 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
 * 1:19263 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:20031 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:19688 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript BitmapData buffer overflow attempt (file-flash.rules)
 * 1:19689 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript dynamic calculation double-free attempt (file-flash.rules)
 * 1:20269 <-> ENABLED <-> FILE-IDENTIFY FON font file download request (file-identify.rules)
 * 1:19262 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:19264 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:21457 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:19690 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript duplicateDoorInputArguments stack overwrite (file-flash.rules)
 * 1:19691 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript File reference buffer overflow attempt (file-flash.rules)

2015-05-26 19:42:17 UTC

Snort Subscriber Rules Update

Date: 2015-05-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34594 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34593 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34592 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34591 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34590 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34589 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt (file-pdf.rules)
 * 1:34588 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34587 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34586 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34585 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34584 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:34583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt (file-flash.rules)
 * 1:34582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid BitmapData use after free attempt (file-flash.rules)
 * 1:34581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mathanuc outbound connection (malware-cnc.rules)
 * 1:34580 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34579 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34578 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34577 <-> ENABLED <-> FILE-FLASH Adobe Flash Player uninitialized register memory leak attempt (file-flash.rules)
 * 1:34576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerMoveFileEx sandbox escape attempt (file-flash.rules)
 * 1:34572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zinnemls variant outbound connection attempt (malware-cnc.rules)
 * 1:34571 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nonobabe.100webspace.net - Win.Trojan.Zinnemls (blacklist.rules)
 * 1:34570 <-> ENABLED <-> BLACKLIST DNS request for known malware domain driveake.webcindario.com - Win.Trojan.Zinnemls (blacklist.rules)
 * 1:34569 <-> DISABLED <-> SERVER-WEBAPP Wordpress Creative Contact Form arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:34568 <-> DISABLED <-> SERVER-WEBAPP Wordpress Gravity Forms gf_page arbitrary file upload attempt (server-webapp.rules)
 * 1:34567 <-> ENABLED <-> MALWARE-CNC MacOS.Trojan.MacVX outbound connection attempt (malware-cnc.rules)
 * 1:34566 <-> DISABLED <-> FILE-OTHER Microsoft Windows Font Library file buffer overflow attempt (file-other.rules)
 * 1:34565 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics engine EMF rendering vulnerability (os-windows.rules)

Modified Rules:


 * 1:7515 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - remote monitoring (malware-other.rules)
 * 1:7514 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - send out info to server periodically (malware-other.rules)
 * 1:7513 <-> DISABLED <-> MALWARE-OTHER Keylogger watchdog runtime detection - init connection (malware-other.rules)
 * 1:34558 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
 * 1:34557 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
 * 1:34551 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
 * 1:34550 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
 * 1:34547 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PCR null pointer dereference attempt (file-pdf.rules)
 * 1:34546 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PCR null pointer dereference attempt (file-pdf.rules)
 * 1:34529 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader AVDoc use-after-free attempt (file-pdf.rules)
 * 1:34528 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader AVDoc use-after-free attempt (file-pdf.rules)
 * 1:34150 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34149 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34148 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34147 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34075 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
 * 1:34074 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
 * 1:33806 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33805 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33804 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33802 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33803 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33801 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33800 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33799 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33797 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33798 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33796 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33795 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33794 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33793 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33792 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33791 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33790 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33789 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33787 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33788 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33786 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33785 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33784 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33783 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33782 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33781 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33780 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33779 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33778 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33777 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33774 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt (os-windows.rules)
 * 1:33773 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt (os-windows.rules)
 * 1:31284 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:29903 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules)
 * 1:29902 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt (file-pdf.rules)
 * 1:29836 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript bytecode object type confusion information disclosure attempt (file-flash.rules)
 * 1:29835 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript bytecode object type confusion information disclosure attempt (file-flash.rules)
 * 1:29525 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray bad sample count attempt (file-flash.rules)
 * 1:29524 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray bad sample count attempt (file-flash.rules)
 * 1:28704 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:28703 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:27268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript user-supplied PCM resampling integer overflow attempt (file-flash.rules)
 * 1:27267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript user-supplied PCM resampling integer overflow attempt (file-flash.rules)
 * 1:26173 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sortOn heap overflow attempt (file-flash.rules)
 * 1:26172 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sortOn heap overflow attempt (file-flash.rules)
 * 1:23997 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:23996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:21653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript getURL target null reference attempt (file-flash.rules)
 * 1:21536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Stage3D null dereference attempt (file-flash.rules)
 * 1:21535 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Matrix3D.copyRawDataFrom buffer overflow attempt (file-flash.rules)
 * 1:21534 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Matrix3D.copyRawDataFrom buffer overflow attempt (file-flash.rules)
 * 1:21533 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript Stage3D null dereference attempt (file-flash.rules)
 * 1:21458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:15729 <-> DISABLED <-> FILE-FLASH Possible Adobe Flash Player ActionScript byte_array heap spray attempt (file-flash.rules)
 * 1:17618 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics engine EMF rendering vulnerability (os-windows.rules)
 * 1:18388 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string RookIE/1.0 (blacklist.rules)
 * 1:21457 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:18968 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript3 stack integer overflow attempt (file-flash.rules)
 * 1:19262 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:19263 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:19264 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:20777 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption attempt (file-flash.rules)
 * 1:20767 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:20269 <-> ENABLED <-> FILE-IDENTIFY FON font file download request (file-identify.rules)
 * 1:19690 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript duplicateDoorInputArguments stack overwrite (file-flash.rules)
 * 1:20031 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript float index array memory corruption (file-flash.rules)
 * 1:19691 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript File reference buffer overflow attempt (file-flash.rules)
 * 1:19688 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript BitmapData buffer overflow attempt (file-flash.rules)
 * 1:19689 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript dynamic calculation double-free attempt (file-flash.rules)