VRT Rules 2014-07-08
The VRT is aware of vulnerabilities affecting products from Adobe Systems.

Adobe Security Bulletin APSB14-17: A coding deficiency exists in Adobe Flash Player that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 31392 through 31397.

The Sourcefire VRT has also added and modified multiple rules in the exploit-kit and malware-cnc rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-07-08 22:09:36 UTC

Sourcefire VRT Rules Update

Date: 2014-07-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31397 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31396 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31395 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31394 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31393 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31392 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)

Modified Rules:

 * 1:29443 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:29891 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Pushdo variant outbound connection (malware-cnc.rules)
 * 1:31244 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt (malware-cnc.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
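A small parser for the "gid:sid <-> Default rule state <-> Message (rule group)" layout the change log documents, added here as an example (it is not VRT or Snort tooling). It runs over a handful of entries copied from this update, then answers two questions a rule-pack consumer usually asks: are all SIDs in the announced range (31392 through 31397) really in the New Rules section, and which changes ship DISABLED by default. The sample text, the RuleChange record and the helper names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the 2014-07-08 change log entries shown above.
CHANGELOG = """\
New Rules:
 * 1:31397 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31394 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31392 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
Modified Rules:
 * 1:29443 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
"""

# One bullet entry in the documented layout: gid:sid <-> Default rule state <-> Message (rule group)
ENTRY_RE = re.compile(r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
                      r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$")

@dataclass(frozen=True)
class RuleChange:
    section: str   # "New Rules" or "Modified Rules"
    gid: int
    sid: int
    enabled: bool  # default rule state in the shipped pack
    msg: str
    group: str     # rules file the signature lives in

def parse_changelog(text):
    """Return one RuleChange per bullet entry, tagged with the section heading above it."""
    section, changes = None, []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":") and not stripped.startswith("*"):
            section = stripped[:-1]  # e.g. "New Rules"
            continue
        m = ENTRY_RE.match(line)
        if m:
            changes.append(RuleChange(section, int(m["gid"]), int(m["sid"]),
                                      m["state"] == "ENABLED", m["msg"], m["group"]))
    return changes

def missing_new_sids(changes, gid, first, last):
    """SIDs in an announced range that the New Rules section does not contain."""
    seen = {c.sid for c in changes if c.gid == gid and c.section == "New Rules"}
    return sorted(set(range(first, last + 1)) - seen)

def disabled_by_default(changes):
    """(gid, sid) of every change shipped DISABLED; each needs a local enable/ignore decision."""
    return sorted((c.gid, c.sid) for c in changes if not c.enabled)
```

With the full six FILE-FLASH entries fed in, missing_new_sids returns an empty list; the sample above deliberately omits three of them so the gap check has something to report.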

2014-07-08 22:09:36 UTC

Sourcefire VRT Rules Update

Date: 2014-07-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31393 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31394 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31396 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31397 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31392 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31395 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)

Modified Rules:

 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:29891 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Pushdo variant outbound connection (malware-cnc.rules)
 * 1:31244 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt (malware-cnc.rules)
 * 1:29443 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)

2014-07-08 22:09:36 UTC

Sourcefire VRT Rules Update

Date: 2014-07-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31395 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31394 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31392 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31393 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31396 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)
 * 1:31397 <-> ENABLED <-> FILE-FLASH Adobe JSONP callback API vulnerability exploitation attempt (file-flash.rules)

Modified Rules:

 * 1:29443 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:29891 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Pushdo variant outbound connection (malware-cnc.rules)
 * 1:31244 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt (malware-cnc.rules)
 * 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)