VRT Rules 2014-07-10
This release adds and modifies rules in several categories.

The Sourcefire VRT has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, file-office, malware-backdoor, malware-cnc, os-windows, policy-other, pua-adware, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-07-10 16:02:24 UTC

Sourcefire VRT Rules Update

Date: 2014-07-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31416 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31415 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31412 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31410 <-> ENABLED <-> BROWSER-PLUGINS Adobe Reader 11 messageHandler use after free attempt (browser-plugins.rules)
 * 1:31409 <-> ENABLED <-> BROWSER-PLUGINS Adobe Reader 11 messageHandler use after free attempt (browser-plugins.rules)
 * 1:31408 <-> ENABLED <-> BROWSER-PLUGINS Adobe Reader 11 messageHandler use after free attempt (browser-plugins.rules)
 * 1:31407 <-> ENABLED <-> BROWSER-PLUGINS Adobe Reader 11 messageHandler use after free attempt (browser-plugins.rules)
 * 1:31406 <-> DISABLED <-> SERVER-OTHER Samsung TV denial of service attempt (server-other.rules)
 * 1:31405 <-> DISABLED <-> SERVER-APACHE Apache Chunked-Encoding worm attempt (server-apache.rules)
 * 1:31404 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:31403 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:31402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Unexpected method call remote code execution attempt (browser-ie.rules)
 * 1:31401 <-> DISABLED <-> POLICY-OTHER Rosetta Flash tool use attempt (policy-other.rules)
 * 1:31400 <-> DISABLED <-> POLICY-OTHER Rosetta Flash tool use attempt (policy-other.rules)
 * 1:31399 <-> DISABLED <-> POLICY-OTHER Rosetta Flash tool use attempt (policy-other.rules)

Modified Rules:

 * 1:30496 <-> DISABLED <-> PUA-ADWARE Win.Adware.Boaxxe suspicious advert traffic related to click fraud (pua-adware.rules)
 * 1:30493 <-> DISABLED <-> PUA-ADWARE Win.Adware.Boaxxe suspicious advert traffic related to click fraud (pua-adware.rules)
 * 1:30492 <-> DISABLED <-> PUA-ADWARE Win.Adware.Boaxxe suspicious advert traffic related to click fraud (pua-adware.rules)
 * 1:28794 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SerAuxTrend biff record corruption attempt (file-office.rules)
 * 1:26130 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer htc file use after free attempt (browser-ie.rules)
 * 1:26129 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer htc file use after free attempt (browser-ie.rules)
 * 1:24348 <-> DISABLED <-> SERVER-APACHE Apache mod_rpaf x-forwarded-for header denial of service attempt (server-apache.rules)
 * 1:24339 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:24256 <-> ENABLED <-> MALWARE-BACKDOOR phpMyAdmin server_sync.php backdoor access attempt (malware-backdoor.rules)
 * 1:13269 <-> DISABLED <-> OS-WINDOWS Multiple product nntp uri handling code execution attempt (os-windows.rules)
 * 1:13270 <-> DISABLED <-> OS-WINDOWS Multiple product news uri handling code execution attempt (os-windows.rules)
 * 1:13271 <-> DISABLED <-> OS-WINDOWS Multiple product telnet uri handling code execution attempt (os-windows.rules)
 * 1:22937 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Proxyier variant outbound connection (malware-cnc.rules)
 * 1:13272 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer attempt (policy-other.rules)
 * 1:1808 <-> DISABLED <-> SERVER-WEBAPP apache chunked encoding memory corruption exploit attempt (server-webapp.rules)
 * 1:1809 <-> DISABLED <-> SERVER-APACHE Apache Chunked-Encoding worm attempt (server-apache.rules)
 * 1:18222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (os-windows.rules)
 * 1:18223 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (os-windows.rules)
 * 1:18224 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (os-windows.rules)
 * 1:19225 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SerAuxTrend biff record corruption attempt (file-office.rules)
 * 1:18261 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Javascript engine String.toSource memory corruption attempt (browser-firefox.rules)
 * 1:18227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (os-windows.rules)
 * 1:18262 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Javascript engine function arguments memory corruption attempt (browser-firefox.rules)
 * 1:18226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (os-windows.rules)
 * 1:18225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (os-windows.rules)

2014-07-10 16:02:24 UTC

Sourcefire VRT Rules Update

Date: 2014-07-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31415 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31412 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31410 <-> ENABLED <-> BROWSER-PLUGINS Adobe Reader 11 messageHandler use after free attempt (browser-plugins.rules)
 * 1:31411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31407 <-> ENABLED <-> BROWSER-PLUGINS Adobe Reader 11 messageHandler use after free attempt (browser-plugins.rules)
 * 1:31409 <-> ENABLED <-> BROWSER-PLUGINS Adobe Reader 11 messageHandler use after free attempt (browser-plugins.rules)
 * 1:31405 <-> DISABLED <-> SERVER-APACHE Apache Chunked-Encoding worm attempt (server-apache.rules)
 * 1:31406 <-> DISABLED <-> SERVER-OTHER Samsung TV denial of service attempt (server-other.rules)
 * 1:31399 <-> DISABLED <-> POLICY-OTHER Rosetta Flash tool use attempt (policy-other.rules)
 * 1:31400 <-> DISABLED <-> POLICY-OTHER Rosetta Flash tool use attempt (policy-other.rules)
 * 1:31401 <-> DISABLED <-> POLICY-OTHER Rosetta Flash tool use attempt (policy-other.rules)
 * 1:31402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Unexpected method call remote code execution attempt (browser-ie.rules)
 * 1:31403 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:31404 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:31408 <-> ENABLED <-> BROWSER-PLUGINS Adobe Reader 11 messageHandler use after free attempt (browser-plugins.rules)
 * 1:31416 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (os-windows.rules)

Modified Rules:

 * 1:18224 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (os-windows.rules)
 * 1:13269 <-> DISABLED <-> OS-WINDOWS Multiple product nntp uri handling code execution attempt (os-windows.rules)
 * 1:13271 <-> DISABLED <-> OS-WINDOWS Multiple product telnet uri handling code execution attempt (os-windows.rules)
 * 1:18223 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (os-windows.rules)
 * 1:13270 <-> DISABLED <-> OS-WINDOWS Multiple product news uri handling code execution attempt (os-windows.rules)
 * 1:1809 <-> DISABLED <-> SERVER-APACHE Apache Chunked-Encoding worm attempt (server-apache.rules)
 * 1:18222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (os-windows.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer attempt (policy-other.rules)
 * 1:1808 <-> DISABLED <-> SERVER-WEBAPP apache chunked encoding memory corruption exploit attempt (server-webapp.rules)
 * 1:13272 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules)
 * 1:18262 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Javascript engine function arguments memory corruption attempt (browser-firefox.rules)
 * 1:18227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (os-windows.rules)
 * 1:18261 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Javascript engine String.toSource memory corruption attempt (browser-firefox.rules)
 * 1:19225 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SerAuxTrend biff record corruption attempt (file-office.rules)
 * 1:30492 <-> DISABLED <-> PUA-ADWARE Win.Adware.Boaxxe suspicious advert traffic related to click fraud (pua-adware.rules)
 * 1:30493 <-> DISABLED <-> PUA-ADWARE Win.Adware.Boaxxe suspicious advert traffic related to click fraud (pua-adware.rules)
 * 1:30496 <-> DISABLED <-> PUA-ADWARE Win.Adware.Boaxxe suspicious advert traffic related to click fraud (pua-adware.rules)
 * 1:22937 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Proxyier variant outbound connection (malware-cnc.rules)
 * 1:24256 <-> ENABLED <-> MALWARE-BACKDOOR phpMyAdmin server_sync.php backdoor access attempt (malware-backdoor.rules)
 * 1:24339 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:26130 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer htc file use after free attempt (browser-ie.rules)
 * 1:24348 <-> DISABLED <-> SERVER-APACHE Apache mod_rpaf x-forwarded-for header denial of service attempt (server-apache.rules)
 * 1:26129 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer htc file use after free attempt (browser-ie.rules)
 * 1:28794 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SerAuxTrend biff record corruption attempt (file-office.rules)
 * 1:18225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (os-windows.rules)
 * 1:18226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (os-windows.rules)

2014-07-10 16:02:24 UTC

Sourcefire VRT Rules Update

Date: 2014-07-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31416 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31412 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31399 <-> DISABLED <-> POLICY-OTHER Rosetta Flash tool use attempt (policy-other.rules)
 * 1:31401 <-> DISABLED <-> POLICY-OTHER Rosetta Flash tool use attempt (policy-other.rules)
 * 1:31402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Unexpected method call remote code execution attempt (browser-ie.rules)
 * 1:31404 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:31405 <-> DISABLED <-> SERVER-APACHE Apache Chunked-Encoding worm attempt (server-apache.rules)
 * 1:31403 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:31400 <-> DISABLED <-> POLICY-OTHER Rosetta Flash tool use attempt (policy-other.rules)
 * 1:31407 <-> ENABLED <-> BROWSER-PLUGINS Adobe Reader 11 messageHandler use after free attempt (browser-plugins.rules)
 * 1:31406 <-> DISABLED <-> SERVER-OTHER Samsung TV denial of service attempt (server-other.rules)
 * 1:31408 <-> ENABLED <-> BROWSER-PLUGINS Adobe Reader 11 messageHandler use after free attempt (browser-plugins.rules)
 * 1:31409 <-> ENABLED <-> BROWSER-PLUGINS Adobe Reader 11 messageHandler use after free attempt (browser-plugins.rules)
 * 1:31411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31413 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31415 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietDAN.dll dll-load exploit attempt (os-windows.rules)
 * 1:31410 <-> ENABLED <-> BROWSER-PLUGINS Adobe Reader 11 messageHandler use after free attempt (browser-plugins.rules)

Modified Rules:

 * 1:30496 <-> DISABLED <-> PUA-ADWARE Win.Adware.Boaxxe suspicious advert traffic related to click fraud (pua-adware.rules)
 * 1:19225 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SerAuxTrend biff record corruption attempt (file-office.rules)
 * 1:18223 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (os-windows.rules)
 * 1:18224 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (os-windows.rules)
 * 1:18222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (os-windows.rules)
 * 1:1809 <-> DISABLED <-> SERVER-APACHE Apache Chunked-Encoding worm attempt (server-apache.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer attempt (policy-other.rules)
 * 1:1808 <-> DISABLED <-> SERVER-WEBAPP apache chunked encoding memory corruption exploit attempt (server-webapp.rules)
 * 1:13272 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules)
 * 1:13271 <-> DISABLED <-> OS-WINDOWS Multiple product telnet uri handling code execution attempt (os-windows.rules)
 * 1:13269 <-> DISABLED <-> OS-WINDOWS Multiple product nntp uri handling code execution attempt (os-windows.rules)
 * 1:13270 <-> DISABLED <-> OS-WINDOWS Multiple product news uri handling code execution attempt (os-windows.rules)
 * 1:18227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt (os-windows.rules)
 * 1:18262 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Javascript engine function arguments memory corruption attempt (browser-firefox.rules)
 * 1:18261 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Javascript engine String.toSource memory corruption attempt (browser-firefox.rules)
 * 1:26130 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer htc file use after free attempt (browser-ie.rules)
 * 1:22937 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Proxyier variant outbound connection (malware-cnc.rules)
 * 1:24256 <-> ENABLED <-> MALWARE-BACKDOOR phpMyAdmin server_sync.php backdoor access attempt (malware-backdoor.rules)
 * 1:30493 <-> DISABLED <-> PUA-ADWARE Win.Adware.Boaxxe suspicious advert traffic related to click fraud (pua-adware.rules)
 * 1:24339 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:24348 <-> DISABLED <-> SERVER-APACHE Apache mod_rpaf x-forwarded-for header denial of service attempt (server-apache.rules)
 * 1:26129 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer htc file use after free attempt (browser-ie.rules)
 * 1:28794 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SerAuxTrend biff record corruption attempt (file-office.rules)
 * 1:30492 <-> DISABLED <-> PUA-ADWARE Win.Adware.Boaxxe suspicious advert traffic related to click fraud (pua-adware.rules)
 * 1:18226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt (os-windows.rules)
 * 1:18225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt (os-windows.rules)