VRT Rules 2014-07-02
This release adds and modifies rules in several categories.

The Sourcefire VRT has added and modified multiple rules in the browser-ie, exploit-kit, file-flash, file-java, file-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-07-02 17:57:14 UTC

Sourcefire VRT Rules Update

Date: 2014-07-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961 (Snort 2.9.6.1).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31372 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31370 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit redirection page (exploit-kit.rules)
 * 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
 * 1:31368 <-> DISABLED <-> SERVER-WEBAPP WebBBS arbitrary system command execution attempt (server-webapp.rules)
 * 1:31367 <-> ENABLED <-> FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt (file-java.rules)
 * 1:31366 <-> ENABLED <-> FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt (file-java.rules)
 * 1:31365 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
 * 1:31364 <-> DISABLED <-> SERVER-WEBAPP FlashGameScript index.php func parameter PHP remote file include attempt (server-webapp.rules)
 * 1:31363 <-> DISABLED <-> SERVER-WEBAPP MF Piadas admin.php page parameter PHP remote file include attempt (server-webapp.rules)
 * 1:31362 <-> DISABLED <-> SERVER-WEBAPP MiniBB PHP arbitrary remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:19826 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
 * 1:20731 <-> DISABLED <-> SERVER-WEBAPP TSEP tsep_config absPath parameter PHP remote file include attempt (server-webapp.rules)
 * 1:25810 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25811 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:31298 <-> DISABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit landing page (exploit-kit.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:31217 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Server meeting URL XSS attempt (os-windows.rules)
 * 1:27937 <-> ENABLED <-> SERVER-OTHER HP ProCurve Manager SNAC UpdateCertificatesServlet directory traversal attempt (server-other.rules)
 * 1:26230 <-> DISABLED <-> SERVER-WEBAPP Alcatel-Lucent OmniPCX arbitrary command execution attempt (server-webapp.rules)
 * 3:18505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush overflow attempt (file-flash.rules)
 * 3:18502 <-> ENABLED <-> FILE-FLASH Adobe Flash ActionScript ActionIf out of range negative offset attempt (file-flash.rules)
 * 3:18444 <-> ENABLED <-> FILE-FLASH Adobe Flash forged atom type attempt (file-flash.rules)
 * 3:18672 <-> ENABLED <-> BROWSER-IE Microsoft IE8 Developer Tool ActiveX clsid access (browser-ie.rules)
 * 3:16150 <-> ENABLED <-> BROWSER-IE Internet Explorer variant argument validation remote code execution attempt (browser-ie.rules)
 * 3:16504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 encoded content handling exploit attempt (browser-ie.rules)
 * 3:16505 <-> ENABLED <-> BROWSER-IE Microsoft IE HTML parsing memory corruption attempt (browser-ie.rules)
 * 3:18504 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionConstantPool overflow attempt (file-flash.rules)
 * 3:16509 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer designMode-enabled information disclosure attempt (browser-ie.rules)
 * 3:17115 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt (browser-ie.rules)
 * 3:18180 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript remote code execution attempt (file-flash.rules)
 * 3:18421 <-> ENABLED <-> FILE-FLASH Adobe Flash player ActionScript beginGradientFill memory corruption attempt (file-flash.rules)

2014-07-02 17:57:14 UTC

Sourcefire VRT Rules Update

Date: 2014-07-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960 (Snort 2.9.6.0).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31370 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit redirection page (exploit-kit.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31368 <-> DISABLED <-> SERVER-WEBAPP WebBBS arbitrary system command execution attempt (server-webapp.rules)
 * 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
 * 1:31366 <-> ENABLED <-> FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt (file-java.rules)
 * 1:31367 <-> ENABLED <-> FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt (file-java.rules)
 * 1:31364 <-> DISABLED <-> SERVER-WEBAPP FlashGameScript index.php func parameter PHP remote file include attempt (server-webapp.rules)
 * 1:31365 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
 * 1:31363 <-> DISABLED <-> SERVER-WEBAPP MF Piadas admin.php page parameter PHP remote file include attempt (server-webapp.rules)
 * 1:31372 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)
 * 1:31362 <-> DISABLED <-> SERVER-WEBAPP MiniBB PHP arbitrary remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:19826 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
 * 1:20731 <-> DISABLED <-> SERVER-WEBAPP TSEP tsep_config absPath parameter PHP remote file include attempt (server-webapp.rules)
 * 1:25810 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25811 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:31217 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Server meeting URL XSS attempt (os-windows.rules)
 * 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:31298 <-> DISABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit landing page (exploit-kit.rules)
 * 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:27937 <-> ENABLED <-> SERVER-OTHER HP ProCurve Manager SNAC UpdateCertificatesServlet directory traversal attempt (server-other.rules)
 * 1:26230 <-> DISABLED <-> SERVER-WEBAPP Alcatel-Lucent OmniPCX arbitrary command execution attempt (server-webapp.rules)
 * 3:16150 <-> ENABLED <-> BROWSER-IE Internet Explorer variant argument validation remote code execution attempt (browser-ie.rules)
 * 3:16504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 encoded content handling exploit attempt (browser-ie.rules)
 * 3:16505 <-> ENABLED <-> BROWSER-IE Microsoft IE HTML parsing memory corruption attempt (browser-ie.rules)
 * 3:16509 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer designMode-enabled information disclosure attempt (browser-ie.rules)
 * 3:18504 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionConstantPool overflow attempt (file-flash.rules)
 * 3:18502 <-> ENABLED <-> FILE-FLASH Adobe Flash ActionScript ActionIf out of range negative offset attempt (file-flash.rules)
 * 3:18505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush overflow attempt (file-flash.rules)
 * 3:18444 <-> ENABLED <-> FILE-FLASH Adobe Flash forged atom type attempt (file-flash.rules)
 * 3:17115 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt (browser-ie.rules)
 * 3:18180 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript remote code execution attempt (file-flash.rules)
 * 3:18672 <-> ENABLED <-> BROWSER-IE Microsoft IE8 Developer Tool ActiveX clsid access (browser-ie.rules)
 * 3:18421 <-> ENABLED <-> FILE-FLASH Adobe Flash player ActionScript beginGradientFill memory corruption attempt (file-flash.rules)

2014-07-02 17:57:14 UTC

Sourcefire VRT Rules Update

Date: 2014-07-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956 (Snort 2.9.5.6).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31364 <-> DISABLED <-> SERVER-WEBAPP FlashGameScript index.php func parameter PHP remote file include attempt (server-webapp.rules)
 * 1:31372 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)
 * 1:31367 <-> ENABLED <-> FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt (file-java.rules)
 * 1:31365 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
 * 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
 * 1:31363 <-> DISABLED <-> SERVER-WEBAPP MF Piadas admin.php page parameter PHP remote file include attempt (server-webapp.rules)
 * 1:31362 <-> DISABLED <-> SERVER-WEBAPP MiniBB PHP arbitrary remote code execution attempt (server-webapp.rules)
 * 1:31368 <-> DISABLED <-> SERVER-WEBAPP WebBBS arbitrary system command execution attempt (server-webapp.rules)
 * 1:31370 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit redirection page (exploit-kit.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31366 <-> ENABLED <-> FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt (file-java.rules)

Modified Rules:


 * 1:31298 <-> DISABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit landing page (exploit-kit.rules)
 * 1:31217 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Server meeting URL XSS attempt (os-windows.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:19826 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
 * 1:20731 <-> DISABLED <-> SERVER-WEBAPP TSEP tsep_config absPath parameter PHP remote file include attempt (server-webapp.rules)
 * 1:25810 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25811 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:26230 <-> DISABLED <-> SERVER-WEBAPP Alcatel-Lucent OmniPCX arbitrary command execution attempt (server-webapp.rules)
 * 1:27937 <-> ENABLED <-> SERVER-OTHER HP ProCurve Manager SNAC UpdateCertificatesServlet directory traversal attempt (server-other.rules)
 * 3:18504 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionConstantPool overflow attempt (file-flash.rules)
 * 3:18505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush overflow attempt (file-flash.rules)
 * 3:18502 <-> ENABLED <-> FILE-FLASH Adobe Flash ActionScript ActionIf out of range negative offset attempt (file-flash.rules)
 * 3:18444 <-> ENABLED <-> FILE-FLASH Adobe Flash forged atom type attempt (file-flash.rules)
 * 3:16150 <-> ENABLED <-> BROWSER-IE Internet Explorer variant argument validation remote code execution attempt (browser-ie.rules)
 * 3:16504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 encoded content handling exploit attempt (browser-ie.rules)
 * 3:16505 <-> ENABLED <-> BROWSER-IE Microsoft IE HTML parsing memory corruption attempt (browser-ie.rules)
 * 3:16509 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer designMode-enabled information disclosure attempt (browser-ie.rules)
 * 3:17115 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt (browser-ie.rules)
 * 3:18180 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript remote code execution attempt (file-flash.rules)
 * 3:18672 <-> ENABLED <-> BROWSER-IE Microsoft IE8 Developer Tool ActiveX clsid access (browser-ie.rules)
 * 3:18421 <-> ENABLED <-> FILE-FLASH Adobe Flash player ActionScript beginGradientFill memory corruption attempt (file-flash.rules)
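The three change logs above (for the 2961, 2960 and 2956 packs) all use the same "gid:sid <-> Default rule state <-> Message (rule group)" line format. The script below is an added example, not part of the VRT release notes or the Snort project, that parses that format and pulls out the two things a practitioner usually wants to check before deploying a pack: which new rules ship DISABLED by default (here the server-webapp rules, which will never fire unless explicitly enabled) and which entries are gid 3 shared-object rules, which are compiled per Snort build and are the reason each Snort version gets its own pack. The sample input is a constructed excerpt of lines from the lists above; the "gid:sid" output format for the enable list is an assumption chosen to match the page's own notation, not a specific tool's config syntax.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the change log above,
# covering both sections and both rule states.
SAMPLE = """\
New Rules:

 * 1:31372 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)
 * 1:31368 <-> DISABLED <-> SERVER-WEBAPP WebBBS arbitrary system command execution attempt (server-webapp.rules)
 * 1:31367 <-> ENABLED <-> FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt (file-java.rules)
 * 1:31365 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)

Modified Rules:

 * 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:19826 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
 * 3:18505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush overflow attempt (file-flash.rules)
"""

# One change-log entry: " * gid:sid <-> STATE <-> message (group.rules)".
# The message is matched non-greedily so dots and parentheses inside it
# (e.g. "sun.tracing.ProviderSkeleton") do not confuse the trailing group.
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool      # default rule state in the shipped pack
    msg: str
    group: str         # rule file, e.g. "server-webapp.rules"
    section: str       # "new" or "modified"


def parse_changelog(text):
    """Parse the VRT change-log format into RuleEntry objects."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "New Rules:":
            section = "new"
            continue
        if line == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank lines and headers
        if section is None:
            raise ValueError(f"rule line before any section header: {raw!r}")
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]),
                                 m["state"] == "ENABLED", m["msg"],
                                 m["group"], section))
    return entries


def disabled_new_rules(entries, group=None):
    """New rules that ship off by default; they need explicit enabling to fire."""
    return [e for e in entries
            if e.section == "new" and not e.enabled
            and (group is None or e.group == group)]


def shared_object_rules(entries):
    """gid 3 entries are shared-object (precompiled) rules, built per Snort version."""
    return [e for e in entries if e.gid == 3]


def summarize_by_group(entries):
    """Count entries per (rule group, section, enabled) for a quick review table."""
    counts = Counter((e.group, e.section, e.enabled) for e in entries)
    return dict(counts)


def sid_list(entries):
    """Render entries as 'gid:sid' strings (assumed format, mirrors the page)."""
    return [f"{e.gid}:{e.sid}" for e in entries]


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("new rules disabled by default:", sid_list(disabled_new_rules(parsed)))
    print("shared-object (gid 3) entries:", sid_list(shared_object_rules(parsed)))
    for key, n in sorted(summarize_by_group(parsed).items()):
        print(key, n)
```

Run against a full change log, the disabled-by-default list is the review queue: each of those server-webapp rules targets a specific product, so enable it only where that product is actually exposed, and expect the DISABLED state to be reapplied on the next pack update unless your rule-management process records the override.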