VRT Rules 2014-08-12
The VRT is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS14-051: Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 31619 through 31622, 31625 through 31630, and 31634 through 31635.

The VRT has also added and modified multiple rules in the blacklist, browser-ie, file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2014-08-12 16:14:45 UTC

Sourcefire VRT Rules Update

Date: 2014-08-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31633 <-> DISABLED <-> MALWARE-CNC Noniem.A outbound connection (malware-cnc.rules)
 * 1:31626 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Use after free attempt (browser-ie.rules)
 * 1:31628 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDOMUIEvent use after free attempt (browser-ie.rules)
 * 1:31622 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (browser-ie.rules)
 * 1:31635 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt (browser-ie.rules)
 * 1:31623 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt (browser-ie.rules)
 * 1:31634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt (browser-ie.rules)
 * 1:31624 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt (browser-ie.rules)
 * 1:31621 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (browser-ie.rules)
 * 1:31619 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer kbd element use-after-free attempt (browser-ie.rules)
 * 1:31618 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer meter element use-after-free attempt (browser-ie.rules)
 * 1:31620 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer kbd element use-after-free attempt (browser-ie.rules)
 * 1:31627 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDOMUIEvent use after free attempt (browser-ie.rules)
 * 1:31625 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Use after free attempt (browser-ie.rules)
 * 1:31629 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup insertMarquee use after free attempt (browser-ie.rules)
 * 1:31631 <-> ENABLED <-> BLACKLIST DNS request for known malware domain games-playbox.com (blacklist.rules)
 * 1:31630 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup insertMarquee use after free attempt (browser-ie.rules)
 * 1:31617 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer meter element use-after-free attempt (browser-ie.rules)
 * 1:31632 <-> ENABLED <-> BLACKLIST DNS request for known malware domain worldvoicetrip.com (blacklist.rules)

Modified Rules:


 * 1:24632 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VaccinePC variant outbound connection (malware-cnc.rules)
 * 1:29800 <-> DISABLED <-> FILE-OTHER XML exponential entity expansion attack attempt (file-other.rules)
 * 1:24339 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)

2014-08-12 16:14:45 UTC

Sourcefire VRT Rules Update

Date: 2014-08-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31630 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup insertMarquee use after free attempt (browser-ie.rules)
 * 1:31631 <-> ENABLED <-> BLACKLIST DNS request for known malware domain games-playbox.com (blacklist.rules)
 * 1:31628 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDOMUIEvent use after free attempt (browser-ie.rules)
 * 1:31629 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup insertMarquee use after free attempt (browser-ie.rules)
 * 1:31626 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Use after free attempt (browser-ie.rules)
 * 1:31627 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDOMUIEvent use after free attempt (browser-ie.rules)
 * 1:31625 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Use after free attempt (browser-ie.rules)
 * 1:31622 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (browser-ie.rules)
 * 1:31617 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer meter element use-after-free attempt (browser-ie.rules)
 * 1:31619 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer kbd element use-after-free attempt (browser-ie.rules)
 * 1:31620 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer kbd element use-after-free attempt (browser-ie.rules)
 * 1:31623 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt (browser-ie.rules)
 * 1:31624 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt (browser-ie.rules)
 * 1:31618 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer meter element use-after-free attempt (browser-ie.rules)
 * 1:31621 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (browser-ie.rules)
 * 1:31635 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt (browser-ie.rules)
 * 1:31634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt (browser-ie.rules)
 * 1:31633 <-> DISABLED <-> MALWARE-CNC Noniem.A outbound connection (malware-cnc.rules)
 * 1:31632 <-> ENABLED <-> BLACKLIST DNS request for known malware domain worldvoicetrip.com (blacklist.rules)

Modified Rules:


 * 1:24632 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VaccinePC variant outbound connection (malware-cnc.rules)
 * 1:29800 <-> DISABLED <-> FILE-OTHER XML exponential entity expansion attack attempt (file-other.rules)
 * 1:24339 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)

2014-08-12 16:14:45 UTC

Sourcefire VRT Rules Update

Date: 2014-08-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31635 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt (browser-ie.rules)
 * 1:31634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt (browser-ie.rules)
 * 1:31633 <-> DISABLED <-> MALWARE-CNC Noniem.A outbound connection (malware-cnc.rules)
 * 1:31632 <-> ENABLED <-> BLACKLIST DNS request for known malware domain worldvoicetrip.com (blacklist.rules)
 * 1:31631 <-> ENABLED <-> BLACKLIST DNS request for known malware domain games-playbox.com (blacklist.rules)
 * 1:31630 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup insertMarquee use after free attempt (browser-ie.rules)
 * 1:31629 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup insertMarquee use after free attempt (browser-ie.rules)
 * 1:31628 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDOMUIEvent use after free attempt (browser-ie.rules)
 * 1:31627 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDOMUIEvent use after free attempt (browser-ie.rules)
 * 1:31626 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Use after free attempt (browser-ie.rules)
 * 1:31625 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Use after free attempt (browser-ie.rules)
 * 1:31624 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt (browser-ie.rules)
 * 1:31623 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt (browser-ie.rules)
 * 1:31622 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (browser-ie.rules)
 * 1:31621 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (browser-ie.rules)
 * 1:31620 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer kbd element use-after-free attempt (browser-ie.rules)
 * 1:31619 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer kbd element use-after-free attempt (browser-ie.rules)
 * 1:31618 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer meter element use-after-free attempt (browser-ie.rules)
 * 1:31617 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer meter element use-after-free attempt (browser-ie.rules)

Modified Rules:


 * 1:24632 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VaccinePC variant outbound connection (malware-cnc.rules)
 * 1:29800 <-> DISABLED <-> FILE-OTHER XML exponential entity expansion attack attempt (file-other.rules)
 * 1:24339 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)