VRT Rules 2014-09-02
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, file-office, indicator-shellcode, malware-backdoor, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-09-02 20:21:11 UTC

Sourcefire VRT Rules Update

Date: 2014-09-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31759 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX clsid access (browser-plugins.rules)
 * 1:31747 <-> DISABLED <-> SERVER-WEBAPP Gitlab ssh key upload command injection attempt (server-webapp.rules)
 * 1:31765 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules)
 * 1:31746 <-> ENABLED <-> MALWARE-BACKDOOR Backdoor.Perl.Shellbot outbound communication attempt (malware-backdoor.rules)
 * 1:31763 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:31761 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:31762 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:31760 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:31741 <-> ENABLED <-> SERVER-OTHER Multi-Router Looking Glass remote command injection attempt (server-other.rules)
 * 1:31757 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access (browser-plugins.rules)
 * 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules)
 * 1:31749 <-> ENABLED <-> FILE-FLASH Adobe Flash Player marshallException through JavaScript XSS attempt (file-flash.rules)
 * 1:31745 <-> DISABLED <-> SERVER-WEBAPP vTiger CRM install module command injection attempt (server-webapp.rules)
 * 1:31744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eratoma outbound communication (malware-cnc.rules)
 * 1:31742 <-> DISABLED <-> SERVER-WEBAPP Wing FTP Server admin interface remote code execution attempt (server-webapp.rules)
 * 1:31743 <-> DISABLED <-> SERVER-WEBAPP Wordpress WPTouch file upload remote code execution attempt (server-webapp.rules)
 * 1:31756 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access (browser-plugins.rules)
 * 1:31758 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX function call access (browser-plugins.rules)
 * 1:31754 <-> ENABLED <-> BLACKLIST DNS request for known malware domain microsoftca.com - Win.Trojan.Miras (blacklist.rules)
 * 1:31755 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Miras variant outbound connection (malware-cnc.rules)
 * 1:31752 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules)
 * 1:31750 <-> ENABLED <-> FILE-FLASH Adobe Flash Player marshallException through JavaScript XSS attempt (file-flash.rules)
 * 1:31748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qulkonwi outbound communication (malware-cnc.rules)
 * 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound communication attempt (malware-cnc.rules)
 * 1:31764 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules)

Modified Rules:

 * 1:31179 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:31614 <-> DISABLED <-> POLICY-OTHER Adobe Flash Player possible cross-domain bypass attempt (policy-other.rules)
 * 1:7872 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX clsid access (browser-plugins.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Webster HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:31178 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:31176 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:31177 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:25634 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoder shellcode (indicator-shellcode.rules)
 * 1:30504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:15855 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX function call access (browser-plugins.rules)
 * 1:23060 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)
 * 1:19138 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI hostname parameter buffer overflow attempt (server-webapp.rules)
 * 1:21292 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)
 * 1:15691 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access (browser-plugins.rules)
 * 1:15689 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access (browser-plugins.rules)
 * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)

2014-09-02 20:21:11 UTC

Sourcefire VRT Rules Update

Date: 2014-09-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31762 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:31763 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:31760 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:31761 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:31749 <-> ENABLED <-> FILE-FLASH Adobe Flash Player marshallException through JavaScript XSS attempt (file-flash.rules)
 * 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules)
 * 1:31744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eratoma outbound communication (malware-cnc.rules)
 * 1:31745 <-> DISABLED <-> SERVER-WEBAPP vTiger CRM install module command injection attempt (server-webapp.rules)
 * 1:31742 <-> DISABLED <-> SERVER-WEBAPP Wing FTP Server admin interface remote code execution attempt (server-webapp.rules)
 * 1:31743 <-> DISABLED <-> SERVER-WEBAPP Wordpress WPTouch file upload remote code execution attempt (server-webapp.rules)
 * 1:31752 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules)
 * 1:31754 <-> ENABLED <-> BLACKLIST DNS request for known malware domain microsoftca.com - Win.Trojan.Miras (blacklist.rules)
 * 1:31755 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Miras variant outbound connection (malware-cnc.rules)
 * 1:31756 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access (browser-plugins.rules)
 * 1:31741 <-> ENABLED <-> SERVER-OTHER Multi-Router Looking Glass remote command injection attempt (server-other.rules)
 * 1:31748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qulkonwi outbound communication (malware-cnc.rules)
 * 1:31750 <-> ENABLED <-> FILE-FLASH Adobe Flash Player marshallException through JavaScript XSS attempt (file-flash.rules)
 * 1:31747 <-> DISABLED <-> SERVER-WEBAPP Gitlab ssh key upload command injection attempt (server-webapp.rules)
 * 1:31757 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access (browser-plugins.rules)
 * 1:31746 <-> ENABLED <-> MALWARE-BACKDOOR Backdoor.Perl.Shellbot outbound communication attempt (malware-backdoor.rules)
 * 1:31758 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX function call access (browser-plugins.rules)
 * 1:31759 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX clsid access (browser-plugins.rules)
 * 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound communication attempt (malware-cnc.rules)
 * 1:31764 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules)
 * 1:31765 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules)

Modified Rules:

 * 1:7872 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX clsid access (browser-plugins.rules)
 * 1:31614 <-> DISABLED <-> POLICY-OTHER Adobe Flash Player possible cross-domain bypass attempt (policy-other.rules)
 * 1:31179 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:31178 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:31176 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:31177 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Webster HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:30504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:23060 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)
 * 1:25634 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoder shellcode (indicator-shellcode.rules)
 * 1:19138 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI hostname parameter buffer overflow attempt (server-webapp.rules)
 * 1:21292 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)
 * 1:15691 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access (browser-plugins.rules)
 * 1:15855 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX function call access (browser-plugins.rules)
 * 1:15689 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access (browser-plugins.rules)
 * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)

2014-09-02 20:21:10 UTC

Sourcefire VRT Rules Update

Date: 2014-09-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31765 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules)
 * 1:31764 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules)
 * 1:31763 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:31762 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:31761 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:31760 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:31759 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX clsid access (browser-plugins.rules)
 * 1:31758 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX function call access (browser-plugins.rules)
 * 1:31757 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access (browser-plugins.rules)
 * 1:31756 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access (browser-plugins.rules)
 * 1:31755 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Miras variant outbound connection (malware-cnc.rules)
 * 1:31754 <-> ENABLED <-> BLACKLIST DNS request for known malware domain microsoftca.com - Win.Trojan.Miras (blacklist.rules)
 * 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound communication attempt (malware-cnc.rules)
 * 1:31752 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules)
 * 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules)
 * 1:31750 <-> ENABLED <-> FILE-FLASH Adobe Flash Player marshallException through JavaScript XSS attempt (file-flash.rules)
 * 1:31749 <-> ENABLED <-> FILE-FLASH Adobe Flash Player marshallException through JavaScript XSS attempt (file-flash.rules)
 * 1:31748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qulkonwi outbound communication (malware-cnc.rules)
 * 1:31747 <-> DISABLED <-> SERVER-WEBAPP Gitlab ssh key upload command injection attempt (server-webapp.rules)
 * 1:31746 <-> ENABLED <-> MALWARE-BACKDOOR Backdoor.Perl.Shellbot outbound communication attempt (malware-backdoor.rules)
 * 1:31745 <-> DISABLED <-> SERVER-WEBAPP vTiger CRM install module command injection attempt (server-webapp.rules)
 * 1:31744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eratoma outbound communication (malware-cnc.rules)
 * 1:31743 <-> DISABLED <-> SERVER-WEBAPP Wordpress WPTouch file upload remote code execution attempt (server-webapp.rules)
 * 1:31742 <-> DISABLED <-> SERVER-WEBAPP Wing FTP Server admin interface remote code execution attempt (server-webapp.rules)
 * 1:31741 <-> ENABLED <-> SERVER-OTHER Multi-Router Looking Glass remote command injection attempt (server-other.rules)

Modified Rules:

 * 1:31614 <-> DISABLED <-> POLICY-OTHER Adobe Flash Player possible cross-domain bypass attempt (policy-other.rules)
 * 1:7872 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX clsid access (browser-plugins.rules)
 * 1:31178 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:31179 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:31177 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:30504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules)
 * 1:31176 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:25634 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoder shellcode (indicator-shellcode.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Webster HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:21292 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)
 * 1:23060 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)
 * 1:15855 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX function call access (browser-plugins.rules)
 * 1:19138 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI hostname parameter buffer overflow attempt (server-webapp.rules)
 * 1:15689 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access (browser-plugins.rules)
 * 1:15691 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access (browser-plugins.rules)
 * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)