VRT Rules 2014-09-11
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, file-flash, file-office, file-other, malware-backdoor, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats. Note the default rule state in the lists below: several of the new rules (the FILE-OFFICE RTF memory corruption rules, the FILE-OTHER Mozilla clipPath rules, the SERVER-WEBAPP directory traversal rules, the Darkcomet keepalive rule and the HP Universal CMDB default-credentials rule) ship DISABLED and will not alert until they are enabled in the local policy.

Change logs

2014-09-11 14:04:36 UTC

Sourcefire VRT Rules Update

Date: 2014-09-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31846 <-> DISABLED <-> POLICY-OTHER HP Universal CMDB default credentials authentication attempt (policy-other.rules)
 * 1:31821 <-> DISABLED <-> FILE-OTHER Mozilla products clipPath element stroke-width buffer overflow attempt (file-other.rules)
 * 1:31819 <-> DISABLED <-> SERVER-WEBAPP HP Network Virtualization toServerObject directory traversal attempt (server-webapp.rules)
 * 1:31815 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.ltp666.com - Win.Trojan.Graftor (blacklist.rules)
 * 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
 * 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound communication (malware-cnc.rules)
 * 1:31844 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 2 (file-office.rules)
 * 1:31842 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
 * 1:31843 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 1 (file-office.rules)
 * 1:31841 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
 * 1:31816 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yuzhanqiu1990.3322.org - Win.Trojan.Graftor (blacklist.rules)
 * 1:31817 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Graftor variant retrieval of a DLL hosted as a JPG (malware-other.rules)
 * 1:31818 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral statusUpdate servlet directory traversal attempt (server-webapp.rules)
 * 1:31820 <-> ENABLED <-> MALWARE-CNC Win.Banker.Delf variant outbound connection attempt (malware-cnc.rules)
 * 1:31822 <-> DISABLED <-> FILE-OTHER Mozilla products clipPath element stroke-width buffer overflow attempt (file-other.rules)
 * 1:31823 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM remote_task command injection attempt (server-webapp.rules)
 * 1:31824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection attempt (malware-cnc.rules)
 * 1:31825 <-> ENABLED <-> BLACKLIST DNS request for known malware domain flordeliskm26.com.br - Win.Trojan.Delf (blacklist.rules)
 * 1:31826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant HTTP Response (malware-cnc.rules)
 * 1:31827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection attempt (malware-cnc.rules)
 * 1:31828 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jabberbot variant outbound connection (malware-cnc.rules)
 * 1:31829 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eduarditopallares.mooo.com - Win.Trojan.VBKrypt (blacklist.rules)
 * 1:31830 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules)
 * 1:31831 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules)
 * 1:31845 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 3 (file-office.rules)
 * 1:31832 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pfinet outbound communication (malware-cnc.rules)
 * 1:31833 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chkbot outbound communication (malware-cnc.rules)
 * 1:31834 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Delorado variant outbound connection attempt (malware-cnc.rules)
 * 1:31835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yesudac variant outbound connection attempt (malware-cnc.rules)
 * 1:31836 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Seribe variant outbound connection attempt (malware-cnc.rules)
 * 1:31837 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retgate variant outbound connection attempt (malware-cnc.rules)
 * 1:31840 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
 * 1:31838 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
 * 1:31839 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)

Modified Rules:


 * 1:10111 <-> DISABLED <-> MALWARE-BACKDOOR poison ivy 2.1.2 runtime detection - init connection (malware-backdoor.rules)
 * 1:31360 <-> DISABLED <-> SERVER-WEBAPP PHP include parameter remote file include attempt (server-webapp.rules)
 * 1:31377 <-> DISABLED <-> SERVER-WEBAPP PHP includedir parameter remote file include attempt (server-webapp.rules)
 * 1:31459 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jaktinier outbound communication (malware-cnc.rules)
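The one-line format description above ("gid:sid <-> Default rule state <-> Message (rule group)") is enough to turn a changelog like this into something an analyst can query on rule-update day: which new rules arrived DISABLED and need a policy decision, how the update breaks down per rules file, and whether the per-build lists that follow (2956, 2961, 2962) really carry the same SIDs. The parser below is an added example written for this page, not VRT or Sourcefire code; the sample text it parses is a constructed excerpt of entries copied from the lists on this page, and the function and field names are this example's own.

```python
"""Parser for Sourcefire VRT changelog entries of the form

    gid:sid <-> Default rule state <-> Message (rule group)

Added example, not part of the VRT release notes. SAMPLE_2956 / SAMPLE_2961
are constructed excerpts of the entries shown on this page."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w-]+\.rules)\)\s*$"
)
SECTION_RE = re.compile(r"^\s*(New|Modified) Rules:\s*$")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str      # "ENABLED" or "DISABLED": the default state in the shipped policy
    message: str    # rule msg, e.g. "MALWARE-CNC Win.Trojan.Expiro outbound communication"
    group: str      # rules file, e.g. "malware-cnc.rules"
    section: str    # "New" or "Modified"

    @property
    def category(self) -> str:
        # The msg prefix up to the first space is the rule category (MALWARE-CNC, FILE-FLASH, ...).
        return self.message.split(" ", 1)[0]


def parse_changelog(text: str) -> List[RuleEntry]:
    """Walk the changelog line by line, tracking the "New Rules:"/"Modified Rules:" section."""
    entries: List[RuleEntry] = []
    section = "New"
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(RuleEntry(int(m["gid"]), int(m["sid"]), m["state"],
                                     m["msg"], m["group"], section))
    return entries


def disabled_by_default(entries: List[RuleEntry]) -> List[RuleEntry]:
    """New rules that ship DISABLED: they generate no alerts until enabled in the local policy."""
    return [e for e in entries if e.section == "New" and e.state == "DISABLED"]


def count_by_group(entries: List[RuleEntry]) -> Dict[str, int]:
    """Number of changed rules per rules file."""
    return dict(Counter(e.group for e in entries))


def sid_set(entries: List[RuleEntry], section: Optional[str] = None) -> Set[Tuple[int, int]]:
    return {(e.gid, e.sid) for e in entries if section is None or e.section == section}


def same_rule_set(text_a: str, text_b: str) -> bool:
    """The page repeats one release for several Snort builds with the entries in a
    different order each time; confirm the (gid, sid) sets are identical."""
    return sid_set(parse_changelog(text_a)) == sid_set(parse_changelog(text_b))


# Constructed excerpt: a few entries from the 2956 list on this page.
SAMPLE_2956 = """\
New Rules:

 * 1:31846 <-> DISABLED <-> POLICY-OTHER HP Universal CMDB default credentials authentication attempt (policy-other.rules)
 * 1:31815 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.ltp666.com - Win.Trojan.Graftor (blacklist.rules)
 * 1:31843 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 1 (file-office.rules)
 * 1:31841 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)

Modified Rules:

 * 1:10111 <-> DISABLED <-> MALWARE-BACKDOOR poison ivy 2.1.2 runtime detection - init connection (malware-backdoor.rules)
"""

# Constructed excerpt: the same entries as they are ordered in the 2961 list.
SAMPLE_2961 = """\
New Rules:

 * 1:31815 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.ltp666.com - Win.Trojan.Graftor (blacklist.rules)
 * 1:31846 <-> DISABLED <-> POLICY-OTHER HP Universal CMDB default credentials authentication attempt (policy-other.rules)
 * 1:31841 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
 * 1:31843 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 1 (file-office.rules)

Modified Rules:

 * 1:10111 <-> DISABLED <-> MALWARE-BACKDOOR poison ivy 2.1.2 runtime detection - init connection (malware-backdoor.rules)
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_2956)
    for e in disabled_by_default(parsed):
        print(f"{e.gid}:{e.sid} DISABLED  {e.message}  [{e.group}]")
    print(count_by_group(parsed))
    print("same SID set across builds:", same_rule_set(SAMPLE_2956, SAMPLE_2961))
```

The DISABLED list is the actionable output: a rule in that state is present in the rules file but commented out in the shipped policy, so a sensor that needs, say, the SERVER-WEBAPP directory traversal or FILE-OFFICE RTF coverage has to turn those SIDs on explicitly (in a PulledPork deployment that is an entry in enablesid.conf). Running the full text of all three per-build sections through same_rule_set is a quick way to confirm that the three lists differ only in ordering.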

2014-09-11 14:04:36 UTC

Sourcefire VRT Rules Update

Date: 2014-09-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound communication (malware-cnc.rules)
 * 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
 * 1:31816 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yuzhanqiu1990.3322.org - Win.Trojan.Graftor (blacklist.rules)
 * 1:31815 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.ltp666.com - Win.Trojan.Graftor (blacklist.rules)
 * 1:31817 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Graftor variant retrieval of a DLL hosted as a JPG (malware-other.rules)
 * 1:31818 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral statusUpdate servlet directory traversal attempt (server-webapp.rules)
 * 1:31819 <-> DISABLED <-> SERVER-WEBAPP HP Network Virtualization toServerObject directory traversal attempt (server-webapp.rules)
 * 1:31820 <-> ENABLED <-> MALWARE-CNC Win.Banker.Delf variant outbound connection attempt (malware-cnc.rules)
 * 1:31821 <-> DISABLED <-> FILE-OTHER Mozilla products clipPath element stroke-width buffer overflow attempt (file-other.rules)
 * 1:31822 <-> DISABLED <-> FILE-OTHER Mozilla products clipPath element stroke-width buffer overflow attempt (file-other.rules)
 * 1:31823 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM remote_task command injection attempt (server-webapp.rules)
 * 1:31824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection attempt (malware-cnc.rules)
 * 1:31825 <-> ENABLED <-> BLACKLIST DNS request for known malware domain flordeliskm26.com.br - Win.Trojan.Delf (blacklist.rules)
 * 1:31826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant HTTP Response (malware-cnc.rules)
 * 1:31827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection attempt (malware-cnc.rules)
 * 1:31828 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jabberbot variant outbound connection (malware-cnc.rules)
 * 1:31829 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eduarditopallares.mooo.com - Win.Trojan.VBKrypt (blacklist.rules)
 * 1:31830 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules)
 * 1:31831 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules)
 * 1:31832 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pfinet outbound communication (malware-cnc.rules)
 * 1:31833 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chkbot outbound communication (malware-cnc.rules)
 * 1:31834 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Delorado variant outbound connection attempt (malware-cnc.rules)
 * 1:31835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yesudac variant outbound connection attempt (malware-cnc.rules)
 * 1:31836 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Seribe variant outbound connection attempt (malware-cnc.rules)
 * 1:31837 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retgate variant outbound connection attempt (malware-cnc.rules)
 * 1:31838 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
 * 1:31846 <-> DISABLED <-> POLICY-OTHER HP Universal CMDB default credentials authentication attempt (policy-other.rules)
 * 1:31845 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 3 (file-office.rules)
 * 1:31844 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 2 (file-office.rules)
 * 1:31841 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
 * 1:31843 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 1 (file-office.rules)
 * 1:31842 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
 * 1:31840 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
 * 1:31839 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)

Modified Rules:


 * 1:10111 <-> DISABLED <-> MALWARE-BACKDOOR poison ivy 2.1.2 runtime detection - init connection (malware-backdoor.rules)
 * 1:31360 <-> DISABLED <-> SERVER-WEBAPP PHP include parameter remote file include attempt (server-webapp.rules)
 * 1:31377 <-> DISABLED <-> SERVER-WEBAPP PHP includedir parameter remote file include attempt (server-webapp.rules)
 * 1:31459 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jaktinier outbound communication (malware-cnc.rules)

2014-09-11 14:04:36 UTC

Sourcefire VRT Rules Update

Date: 2014-09-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31846 <-> DISABLED <-> POLICY-OTHER HP Universal CMDB default credentials authentication attempt (policy-other.rules)
 * 1:31845 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 3 (file-office.rules)
 * 1:31844 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 2 (file-office.rules)
 * 1:31843 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 1 (file-office.rules)
 * 1:31842 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
 * 1:31841 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
 * 1:31840 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
 * 1:31839 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
 * 1:31838 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
 * 1:31837 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retgate variant outbound connection attempt (malware-cnc.rules)
 * 1:31836 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Seribe variant outbound connection attempt (malware-cnc.rules)
 * 1:31835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yesudac variant outbound connection attempt (malware-cnc.rules)
 * 1:31834 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Delorado variant outbound connection attempt (malware-cnc.rules)
 * 1:31833 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chkbot outbound communication (malware-cnc.rules)
 * 1:31832 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pfinet outbound communication (malware-cnc.rules)
 * 1:31831 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules)
 * 1:31830 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules)
 * 1:31829 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eduarditopallares.mooo.com - Win.Trojan.VBKrypt (blacklist.rules)
 * 1:31828 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jabberbot variant outbound connection (malware-cnc.rules)
 * 1:31827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection attempt (malware-cnc.rules)
 * 1:31826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant HTTP Response (malware-cnc.rules)
 * 1:31825 <-> ENABLED <-> BLACKLIST DNS request for known malware domain flordeliskm26.com.br - Win.Trojan.Delf (blacklist.rules)
 * 1:31824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection attempt (malware-cnc.rules)
 * 1:31823 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM remote_task command injection attempt (server-webapp.rules)
 * 1:31822 <-> DISABLED <-> FILE-OTHER Mozilla products clipPath element stroke-width buffer overflow attempt (file-other.rules)
 * 1:31821 <-> DISABLED <-> FILE-OTHER Mozilla products clipPath element stroke-width buffer overflow attempt (file-other.rules)
 * 1:31820 <-> ENABLED <-> MALWARE-CNC Win.Banker.Delf variant outbound connection attempt (malware-cnc.rules)
 * 1:31819 <-> DISABLED <-> SERVER-WEBAPP HP Network Virtualization toServerObject directory traversal attempt (server-webapp.rules)
 * 1:31818 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral statusUpdate servlet directory traversal attempt (server-webapp.rules)
 * 1:31817 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Graftor variant retrieval of a DLL hosted as a JPG (malware-other.rules)
 * 1:31816 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yuzhanqiu1990.3322.org - Win.Trojan.Graftor (blacklist.rules)
 * 1:31815 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.ltp666.com - Win.Trojan.Graftor (blacklist.rules)
 * 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
 * 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound communication (malware-cnc.rules)

Modified Rules:


 * 1:10111 <-> DISABLED <-> MALWARE-BACKDOOR poison ivy 2.1.2 runtime detection - init connection (malware-backdoor.rules)
 * 1:31360 <-> DISABLED <-> SERVER-WEBAPP PHP include parameter remote file include attempt (server-webapp.rules)
 * 1:31377 <-> DISABLED <-> SERVER-WEBAPP PHP includedir parameter remote file include attempt (server-webapp.rules)
 * 1:31459 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jaktinier outbound communication (malware-cnc.rules)