VRT Rules 2014-07-15
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-office, file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-07-15 15:27:08 UTC

Sourcefire VRT Rules Update

Date: 2014-07-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31427 <-> ENABLED <-> FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt (file-other.rules)
 * 1:31423 <-> ENABLED <-> BLACKLIST DNS request for known malware domain indo.msname.org (blacklist.rules)
 * 1:31420 <-> DISABLED <-> FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt (file-office.rules)
 * 1:31424 <-> ENABLED <-> MALWARE-CNC Kegis.A outbound connection (malware-cnc.rules)
 * 1:31422 <-> DISABLED <-> BLACKLIST USER-AGENT known malicious user-agent string Cactus (blacklist.rules)
 * 1:31421 <-> DISABLED <-> FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt (file-office.rules)
 * 1:31418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Subla variant outbound connection (malware-cnc.rules)
 * 1:31417 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent blacksun - Win.Trojan.Blacksun (blacklist.rules)
 * 1:31419 <-> DISABLED <-> SERVER-WEBAPP PHPMyAdmin file inclusion arbitrary command execution attempt (server-webapp.rules)
 * 1:31429 <-> DISABLED <-> SERVER-WEBAPP Microsoft Sharepoint server callback function cross-site scripting attempt (server-webapp.rules)
 * 1:31428 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
 * 1:31425 <-> DISABLED <-> SERVER-WEBAPP PHP Simple Shop abs_path parameter PHP remote file include attempt (server-webapp.rules)
 * 1:31426 <-> DISABLED <-> SERVER-WEBAPP Jevontech PHPenpals PersonalID SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:25246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
 * 1:28838 <-> DISABLED <-> FILE-OTHER Multiple Products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:15102 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX function call access (browser-plugins.rules)
 * 1:15100 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX clsid access (browser-plugins.rules)
 * 1:20020 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MalwareDoctor variant outbound connection attempt (malware-cnc.rules)
 * 1:21308 <-> ENABLED <-> FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt (file-other.rules)
 * 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control ActiveX clsid access (browser-plugins.rules)
 * 1:28832 <-> DISABLED <-> FILE-OTHER Multiple Products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:29676 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CRootElement Object use after free attempt (browser-ie.rules)
 * 1:31304 <-> DISABLED <-> SERVER-WEBAPP PocketPAD brute-force login attempt (server-webapp.rules)

2014-07-15 15:27:08 UTC

Sourcefire VRT Rules Update

Date: 2014-07-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31422 <-> DISABLED <-> BLACKLIST USER-AGENT known malicious user-agent string Cactus (blacklist.rules)
 * 1:31423 <-> ENABLED <-> BLACKLIST DNS request for known malware domain indo.msname.org (blacklist.rules)
 * 1:31420 <-> DISABLED <-> FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt (file-office.rules)
 * 1:31421 <-> DISABLED <-> FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt (file-office.rules)
 * 1:31418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Subla variant outbound connection (malware-cnc.rules)
 * 1:31419 <-> DISABLED <-> SERVER-WEBAPP PHPMyAdmin file inclusion arbitrary command execution attempt (server-webapp.rules)
 * 1:31417 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent blacksun - Win.Trojan.Blacksun (blacklist.rules)
 * 1:31424 <-> ENABLED <-> MALWARE-CNC Kegis.A outbound connection (malware-cnc.rules)
 * 1:31428 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
 * 1:31427 <-> ENABLED <-> FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt (file-other.rules)
 * 1:31429 <-> DISABLED <-> SERVER-WEBAPP Microsoft Sharepoint server callback function cross-site scripting attempt (server-webapp.rules)
 * 1:31426 <-> DISABLED <-> SERVER-WEBAPP Jevontech PHPenpals PersonalID SQL injection attempt (server-webapp.rules)
 * 1:31425 <-> DISABLED <-> SERVER-WEBAPP PHP Simple Shop abs_path parameter PHP remote file include attempt (server-webapp.rules)

Modified Rules:


 * 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control ActiveX clsid access (browser-plugins.rules)
 * 1:20020 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MalwareDoctor variant outbound connection attempt (malware-cnc.rules)
 * 1:15100 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX clsid access (browser-plugins.rules)
 * 1:15102 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX function call access (browser-plugins.rules)
 * 1:29676 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CRootElement Object use after free attempt (browser-ie.rules)
 * 1:28832 <-> DISABLED <-> FILE-OTHER Multiple Products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:28838 <-> DISABLED <-> FILE-OTHER Multiple Products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:25246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
 * 1:31304 <-> DISABLED <-> SERVER-WEBAPP PocketPAD brute-force login attempt (server-webapp.rules)
 * 1:21308 <-> ENABLED <-> FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt (file-other.rules)

2014-07-15 15:27:08 UTC

Sourcefire VRT Rules Update

Date: 2014-07-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31429 <-> DISABLED <-> SERVER-WEBAPP Microsoft Sharepoint server callback function cross-site scripting attempt (server-webapp.rules)
 * 1:31428 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
 * 1:31427 <-> ENABLED <-> FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt (file-other.rules)
 * 1:31426 <-> DISABLED <-> SERVER-WEBAPP Jevontech PHPenpals PersonalID SQL injection attempt (server-webapp.rules)
 * 1:31425 <-> DISABLED <-> SERVER-WEBAPP PHP Simple Shop abs_path parameter PHP remote file include attempt (server-webapp.rules)
 * 1:31424 <-> ENABLED <-> MALWARE-CNC Kegis.A outbound connection (malware-cnc.rules)
 * 1:31423 <-> ENABLED <-> BLACKLIST DNS request for known malware domain indo.msname.org (blacklist.rules)
 * 1:31422 <-> DISABLED <-> BLACKLIST USER-AGENT known malicious user-agent string Cactus (blacklist.rules)
 * 1:31421 <-> DISABLED <-> FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt (file-office.rules)
 * 1:31420 <-> DISABLED <-> FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt (file-office.rules)
 * 1:31419 <-> DISABLED <-> SERVER-WEBAPP PHPMyAdmin file inclusion arbitrary command execution attempt (server-webapp.rules)
 * 1:31418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Subla variant outbound connection (malware-cnc.rules)
 * 1:31417 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent blacksun - Win.Trojan.Blacksun (blacklist.rules)

Modified Rules:


 * 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control ActiveX clsid access (browser-plugins.rules)
 * 1:15100 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX clsid access (browser-plugins.rules)
 * 1:15102 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX function call access (browser-plugins.rules)
 * 1:20020 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MalwareDoctor variant outbound connection attempt (malware-cnc.rules)
 * 1:21308 <-> ENABLED <-> FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt (file-other.rules)
 * 1:25246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
 * 1:28832 <-> DISABLED <-> FILE-OTHER Multiple Products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:28838 <-> DISABLED <-> FILE-OTHER Multiple Products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:29676 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CRootElement Object use after free attempt (browser-ie.rules)
 * 1:31304 <-> DISABLED <-> SERVER-WEBAPP PocketPAD brute-force login attempt (server-webapp.rules)