VRT Rules 2014-06-10
The VRT is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS14-032:

A cross-site scripting flaw in the way Microsoft Lync Server handles meeting URLs could allow information disclosure.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 31217. Note that this rule ships DISABLED in the default policy, so it must be enabled explicitly on sensors that sit in front of a Lync Server deployment.

Microsoft Security Bulletin MS14-035: Microsoft Internet Explorer contains multiple memory-corruption flaws, chiefly use-after-free conditions in its HTML rendering engine, that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 31188 through 31191, 31194, 31196 through 31209, 31215 through 31216, and 31219 through 31220. Note that four of these (SIDs 31200, 31201, 31208 and 31209) are DISABLED in the default policy and must be enabled to obtain the coverage described.

The Sourcefire VRT has also added and modified multiple rules in the blacklist, browser-ie, indicator-compromise, malware-cnc, malware-other, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats.

Change logs

2014-07-07 19:31:51 UTC

Sourcefire VRT Rules Update

Date: 2014-06-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
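The two pieces of this advisory that a practitioner actually has to act on are the SID ranges quoted under MS14-035 above and the per-rule default state recorded in this changelog format. The following Python script is an added example, not part of the VRT release or of any Sourcefire tool: it parses lines in the "gid:sid <-> Default rule state <-> Message (rule group)" format, expands a SID list written the way the bulletin paragraph phrases it ("31188 through 31191, 31194, ..."), and reports which of the claimed SIDs are enabled, which ship disabled and so give no coverage until switched on, and which are absent from the changelog being checked. The embedded changelog excerpt is a constructed subset of the "New Rules" list on this page (so most of the MS14-035 SIDs will show as absent from the excerpt); the "gid:sid" lines it emits for disabled rules are an assumption about the enable-list format used by tools such as pulledpork's enablesid.conf.

```python
import re

# Constructed excerpt of the "New Rules" list above, copied in the changelog's own
# "gid:sid <-> Default rule state <-> Message (rule group)" format.
CHANGELOG_EXCERPT = """\
 * 1:31217 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Server meeting URL XSS attempt (os-windows.rules)
 * 1:31188 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer isIndex attribute overflow attempt (browser-ie.rules)
 * 1:31189 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer isIndex attribute overflow attempt (browser-ie.rules)
 * 1:31190 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RemoveSplice use-after-free attempt (browser-ie.rules)
 * 1:31191 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RemoveSplice use-after-free attempt (browser-ie.rules)
 * 1:31194 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt (browser-ie.rules)
 * 1:31200 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer summary node swap use after free (browser-ie.rules)
 * 1:31201 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer summary node swap use after free (browser-ie.rules)
 * 1:31208 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDispNode use after free attempt (browser-ie.rules)
 * 1:31209 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDispNode use after free attempt (browser-ie.rules)
 * 1:31182 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
"""

# The SID list exactly as the MS14-035 paragraph above phrases it.
MS14_035_SIDS = ("31188 through 31191, 31194, 31196 through 31209, "
                 "31215 through 31216, and 31219 through 31220")

LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)"
    r"\s+<->\s+(?P<msg>.*?)\s+\((?P<group>[\w-]+\.rules)\)\s*$")


def parse_changelog(text):
    """Map (gid, sid) -> {'state', 'msg', 'group'} for every well-formed changelog line."""
    rules = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # headings, blank lines and free text are skipped, not guessed at
        rules[(int(m["gid"]), int(m["sid"]))] = {
            "state": m["state"], "msg": m["msg"], "group": m["group"]}
    return rules


def expand_sids(spec):
    """Turn '31188 through 31191, 31194, and 31219 through 31220' into a set of ints."""
    sids = set()
    for part in spec.split(","):
        part = part.strip()
        if part.startswith("and "):
            part = part[4:].strip()
        if not part:
            continue
        m = re.fullmatch(r"(\d+)(?:\s+through\s+(\d+))?", part)
        if m is None:
            raise ValueError(f"unrecognised SID expression: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if hi < lo:
            raise ValueError(f"reversed range: {part!r}")
        sids.update(range(lo, hi + 1))
    return sids


def coverage_report(rules, spec, gid=1):
    """Split a bulletin's claimed SIDs into enabled, disabled-by-default and absent."""
    report = {"enabled": [], "disabled": [], "absent": []}
    for sid in sorted(expand_sids(spec)):
        entry = rules.get((gid, sid))
        if entry is None:
            report["absent"].append(sid)
        else:
            report[entry["state"].lower()].append(sid)
    return report


def disabled_sids(rules, group=None):
    """All SIDs that ship DISABLED, optionally restricted to one rule group."""
    return sorted(sid for (_, sid), e in rules.items()
                  if e["state"] == "DISABLED" and (group is None or e["group"] == group))


def enable_lines(sids, gid=1):
    """'gid:sid' lines for an enable list (assumed pulledpork enablesid.conf form)."""
    return [f"{gid}:{sid}" for sid in sorted(sids)]


if __name__ == "__main__":
    rules = parse_changelog(CHANGELOG_EXCERPT)
    rep = coverage_report(rules, MS14_035_SIDS)
    print("MS14-035 enabled by default :", rep["enabled"])
    print("MS14-035 disabled by default:", rep["disabled"])
    print("MS14-035 absent from excerpt:", rep["absent"])
    print("all disabled rules in excerpt:", disabled_sids(rules))
    print("\n".join(enable_lines(disabled_sids(rules))))
```

Run against the full changelog text rather than the excerpt, the "absent" bucket should come back empty; anything left in it means the bulletin paragraph and the rule list disagree and is worth a second look before relying on the coverage claim.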

New Rules:


 * 1:31220 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer WindowedMarkupContext use after free attempt (browser-ie.rules)
 * 1:31219 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer WindowedMarkupContext use after free attempt (browser-ie.rules)
 * 1:31218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:31217 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Server meeting URL XSS attempt (os-windows.rules)
 * 1:31216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31215 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31214 <-> ENABLED <-> INDICATOR-COMPROMISE connection to zeus malware sinkhole (indicator-compromise.rules)
 * 1:31213 <-> DISABLED <-> INDICATOR-COMPROMISE http POST request smuggling attempt (indicator-compromise.rules)
 * 1:31212 <-> DISABLED <-> INDICATOR-COMPROMISE http GET request smuggling attempt (indicator-compromise.rules)
 * 1:31211 <-> ENABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller close_window.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31210 <-> ENABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller close_window.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31209 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDispNode use after free attempt (browser-ie.rules)
 * 1:31208 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDispNode use after free attempt (browser-ie.rules)
 * 1:31207 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CTreePos child element use-after-free attempt (browser-ie.rules)
 * 1:31206 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CTreePos child element use-after-free attempt (browser-ie.rules)
 * 1:31205 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:31204 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:31203 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CRangeSaver use after free attempt (browser-ie.rules)
 * 1:31202 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CRangeSaver use after free attempt (browser-ie.rules)
 * 1:31201 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer summary node swap use after free (browser-ie.rules)
 * 1:31200 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer summary node swap use after free (browser-ie.rules)
 * 1:31199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31197 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode onmousemove use-after-free attempt (browser-ie.rules)
 * 1:31196 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode onmousemove use-after-free attempt (browser-ie.rules)
 * 1:31195 <-> DISABLED <-> SERVER-WEBAPP VMTurbo Operations Manager directory traversal attempt (server-webapp.rules)
 * 1:31194 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt (browser-ie.rules)
 * 1:31193 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 use after free attempt (browser-ie.rules)
 * 1:31192 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 use after free attempt (browser-ie.rules)
 * 1:31191 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RemoveSplice use-after-free attempt (browser-ie.rules)
 * 1:31190 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RemoveSplice use-after-free attempt (browser-ie.rules)
 * 1:31189 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer isIndex attribute overflow attempt (browser-ie.rules)
 * 1:31188 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer isIndex attribute overflow attempt (browser-ie.rules)
 * 1:31187 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sarkaricareer.com - Win.Trojan.Scarpnex (blacklist.rules)
 * 1:31186 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kentawp.3322.org - Win.Trojan.Guise (blacklist.rules)
 * 1:31185 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ZBerp variant download attempt (malware-other.rules)
 * 1:31184 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ZBerp variant download attempt (malware-other.rules)
 * 1:31183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bankeiya outbound connection (malware-cnc.rules)
 * 1:31182 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)

Modified Rules:


 * 1:19049 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant outbound connection attempt (malware-cnc.rules)
 * 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection attempt (malware-cnc.rules)
 * 1:31180 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)

2014-07-07 19:31:51 UTC

Sourcefire VRT Rules Update

Date: 2014-06-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31182 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
 * 1:31183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bankeiya outbound connection (malware-cnc.rules)
 * 1:31184 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ZBerp variant download attempt (malware-other.rules)
 * 1:31185 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ZBerp variant download attempt (malware-other.rules)
 * 1:31186 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kentawp.3322.org - Win.Trojan.Guise (blacklist.rules)
 * 1:31187 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sarkaricareer.com - Win.Trojan.Scarpnex (blacklist.rules)
 * 1:31188 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer isIndex attribute overflow attempt (browser-ie.rules)
 * 1:31189 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer isIndex attribute overflow attempt (browser-ie.rules)
 * 1:31190 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RemoveSplice use-after-free attempt (browser-ie.rules)
 * 1:31191 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RemoveSplice use-after-free attempt (browser-ie.rules)
 * 1:31192 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 use after free attempt (browser-ie.rules)
 * 1:31193 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 use after free attempt (browser-ie.rules)
 * 1:31194 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt (browser-ie.rules)
 * 1:31195 <-> DISABLED <-> SERVER-WEBAPP VMTurbo Operations Manager directory traversal attempt (server-webapp.rules)
 * 1:31196 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode onmousemove use-after-free attempt (browser-ie.rules)
 * 1:31197 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode onmousemove use-after-free attempt (browser-ie.rules)
 * 1:31198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31200 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer summary node swap use after free (browser-ie.rules)
 * 1:31201 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer summary node swap use after free (browser-ie.rules)
 * 1:31202 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CRangeSaver use after free attempt (browser-ie.rules)
 * 1:31203 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CRangeSaver use after free attempt (browser-ie.rules)
 * 1:31204 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:31205 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:31206 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CTreePos child element use-after-free attempt (browser-ie.rules)
 * 1:31207 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CTreePos child element use-after-free attempt (browser-ie.rules)
 * 1:31208 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDispNode use after free attempt (browser-ie.rules)
 * 1:31209 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDispNode use after free attempt (browser-ie.rules)
 * 1:31210 <-> ENABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller close_window.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31211 <-> ENABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller close_window.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31220 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer WindowedMarkupContext use after free attempt (browser-ie.rules)
 * 1:31219 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer WindowedMarkupContext use after free attempt (browser-ie.rules)
 * 1:31218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:31217 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Server meeting URL XSS attempt (os-windows.rules)
 * 1:31215 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31214 <-> ENABLED <-> INDICATOR-COMPROMISE connection to zeus malware sinkhole (indicator-compromise.rules)
 * 1:31216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31213 <-> DISABLED <-> INDICATOR-COMPROMISE http POST request smuggling attempt (indicator-compromise.rules)
 * 1:31212 <-> DISABLED <-> INDICATOR-COMPROMISE http GET request smuggling attempt (indicator-compromise.rules)

Modified Rules:


 * 1:19049 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant outbound connection attempt (malware-cnc.rules)
 * 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection attempt (malware-cnc.rules)
 * 1:31180 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)

2014-07-07 19:31:51 UTC

Sourcefire VRT Rules Update

Date: 2014-06-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31188 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer isIndex attribute overflow attempt (browser-ie.rules)
 * 1:31184 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ZBerp variant download attempt (malware-other.rules)
 * 1:31214 <-> ENABLED <-> INDICATOR-COMPROMISE connection to zeus malware sinkhole (indicator-compromise.rules)
 * 1:31220 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer WindowedMarkupContext use after free attempt (browser-ie.rules)
 * 1:31215 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31219 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer WindowedMarkupContext use after free attempt (browser-ie.rules)
 * 1:31216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31182 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
 * 1:31183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bankeiya outbound connection (malware-cnc.rules)
 * 1:31185 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ZBerp variant download attempt (malware-other.rules)
 * 1:31186 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kentawp.3322.org - Win.Trojan.Guise (blacklist.rules)
 * 1:31187 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sarkaricareer.com - Win.Trojan.Scarpnex (blacklist.rules)
 * 1:31189 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer isIndex attribute overflow attempt (browser-ie.rules)
 * 1:31190 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RemoveSplice use-after-free attempt (browser-ie.rules)
 * 1:31191 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RemoveSplice use-after-free attempt (browser-ie.rules)
 * 1:31192 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 use after free attempt (browser-ie.rules)
 * 1:31193 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 use after free attempt (browser-ie.rules)
 * 1:31194 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt (browser-ie.rules)
 * 1:31195 <-> DISABLED <-> SERVER-WEBAPP VMTurbo Operations Manager directory traversal attempt (server-webapp.rules)
 * 1:31196 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode onmousemove use-after-free attempt (browser-ie.rules)
 * 1:31197 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode onmousemove use-after-free attempt (browser-ie.rules)
 * 1:31198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31200 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer summary node swap use after free (browser-ie.rules)
 * 1:31201 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer summary node swap use after free (browser-ie.rules)
 * 1:31202 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CRangeSaver use after free attempt (browser-ie.rules)
 * 1:31218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:31204 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:31205 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:31206 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CTreePos child element use-after-free attempt (browser-ie.rules)
 * 1:31210 <-> ENABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller close_window.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31207 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 CTreePos child element use-after-free attempt (browser-ie.rules)
 * 1:31208 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDispNode use after free attempt (browser-ie.rules)
 * 1:31211 <-> ENABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller close_window.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31209 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDispNode use after free attempt (browser-ie.rules)
 * 1:31217 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Server meeting URL XSS attempt (os-windows.rules)
 * 1:31203 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CRangeSaver use after free attempt (browser-ie.rules)
 * 1:31212 <-> DISABLED <-> INDICATOR-COMPROMISE http GET request smuggling attempt (indicator-compromise.rules)
 * 1:31213 <-> DISABLED <-> INDICATOR-COMPROMISE http POST request smuggling attempt (indicator-compromise.rules)

Modified Rules:


 * 1:19049 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant outbound connection attempt (malware-cnc.rules)
 * 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection attempt (malware-cnc.rules)
 * 1:31180 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)