VRT Rules 2014-09-18
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, deleted, exploit-kit, file-office, malware-cnc, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-09-18 14:23:31 UTC

Sourcefire VRT Rules Update

Date: 2014-09-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31907 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Honerep variant outbound connection attempt (malware-cnc.rules)
 * 1:31909 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Basostab variant outbound connection (malware-cnc.rules)
 * 1:31910 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.Kanav variant outbound connection (deleted.rules)
 * 1:31911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Gareme variant outbound connection attempt (malware-cnc.rules)
 * 1:31912 <-> DISABLED <-> SERVER-WEBAPP cPanel 9.01 multiple URI parameters cross site scripting attempt (server-webapp.rules)
 * 1:31913 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Maozhi variant outbound connection (malware-cnc.rules)
 * 1:31914 <-> DISABLED <-> SERVER-WEBAPP Microsoft ASP.NET null byte injection attempt (server-webapp.rules)
 * 1:31915 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Ziyazo variant outbound connection (malware-cnc.rules)
 * 1:31916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:31917 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vampire123.zapto.org - Win.Trojan.Disfa (blacklist.rules)
 * 1:31918 <-> ENABLED <-> BLACKLIST DNS request for known malware domain enemydont.net - Win.Trojan.Symmi (blacklist.rules)
 * 1:31919 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saltsecond.net - Win.Trojan.Symmi (blacklist.rules)
 * 1:31926 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound communication (malware-cnc.rules)
 * 1:31908 <-> ENABLED <-> BLACKLIST DNS request for known malware domain recoalmeida.gratisphphost.info - Win.Trojan.Basostab (blacklist.rules)
 * 1:31927 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:31920 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sellsmall.net - Win.Trojan.Symmi (blacklist.rules)
 * 1:31921 <-> ENABLED <-> BLACKLIST DNS request for known malware domain southblood.net - Win.Trojan.Symmi (blacklist.rules)
 * 1:31922 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wheelreply.net - Win.Trojan.Symmi (blacklist.rules)
 * 1:31923 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant HTTP response attempt (malware-cnc.rules)
 * 1:31924 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
 * 1:31127 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
 * 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
 * 1:31714 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:29725 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
 * 1:29726 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
 * 1:29724 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
 * 1:28550 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:29723 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
 * 1:28205 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2003 macro byte opcode large data structure arbitrary code execution attempt (file-office.rules)
 * 1:28206 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2003 macro byte opcode large data structure arbitrary code execution attempt (file-office.rules)
 * 1:27945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
 * 1:28549 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:26379 <-> DISABLED <-> SERVER-OTHER Squid proxy Accept-Language denial of service attempt (server-other.rules)
 * 1:27859 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed OCXINFO element EoP attempt (file-office.rules)
 * 1:22077 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
 * 1:27858 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed OCXINFO element EoP attempt (file-office.rules)
 * 1:20534 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:31712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31126 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:31125 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:31713 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 3:30884 <-> ENABLED <-> PROTOCOL-VOIP Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (protocol-voip.rules)

2014-09-18 14:23:31 UTC

Sourcefire VRT Rules Update

Date: 2014-09-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31907 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Honerep variant outbound connection attempt (malware-cnc.rules)
 * 1:31909 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Basostab variant outbound connection (malware-cnc.rules)
 * 1:31910 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.Kanav variant outbound connection (deleted.rules)
 * 1:31911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Gareme variant outbound connection attempt (malware-cnc.rules)
 * 1:31912 <-> DISABLED <-> SERVER-WEBAPP cPanel 9.01 multiple URI parameters cross site scripting attempt (server-webapp.rules)
 * 1:31913 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Maozhi variant outbound connection (malware-cnc.rules)
 * 1:31914 <-> DISABLED <-> SERVER-WEBAPP Microsoft ASP.NET null byte injection attempt (server-webapp.rules)
 * 1:31915 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Ziyazo variant outbound connection (malware-cnc.rules)
 * 1:31916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:31926 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound communication (malware-cnc.rules)
 * 1:31927 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:31908 <-> ENABLED <-> BLACKLIST DNS request for known malware domain recoalmeida.gratisphphost.info - Win.Trojan.Basostab (blacklist.rules)
 * 1:31917 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vampire123.zapto.org - Win.Trojan.Disfa (blacklist.rules)
 * 1:31918 <-> ENABLED <-> BLACKLIST DNS request for known malware domain enemydont.net - Win.Trojan.Symmi (blacklist.rules)
 * 1:31919 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saltsecond.net - Win.Trojan.Symmi (blacklist.rules)
 * 1:31920 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sellsmall.net - Win.Trojan.Symmi (blacklist.rules)
 * 1:31921 <-> ENABLED <-> BLACKLIST DNS request for known malware domain southblood.net - Win.Trojan.Symmi (blacklist.rules)
 * 1:31922 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wheelreply.net - Win.Trojan.Symmi (blacklist.rules)
 * 1:31923 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant HTTP response attempt (malware-cnc.rules)
 * 1:31924 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
 * 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
 * 1:31714 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:29725 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
 * 1:28550 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:29726 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
 * 1:28206 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2003 macro byte opcode large data structure arbitrary code execution attempt (file-office.rules)
 * 1:29724 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
 * 1:28549 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:29723 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
 * 1:28205 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2003 macro byte opcode large data structure arbitrary code execution attempt (file-office.rules)
 * 1:27859 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed OCXINFO element EoP attempt (file-office.rules)
 * 1:27945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
 * 1:26379 <-> DISABLED <-> SERVER-OTHER Squid proxy Accept-Language denial of service attempt (server-other.rules)
 * 1:27858 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed OCXINFO element EoP attempt (file-office.rules)
 * 1:22077 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
 * 1:20534 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:31713 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31127 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
 * 1:31712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31126 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:31125 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 3:30884 <-> ENABLED <-> PROTOCOL-VOIP Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (protocol-voip.rules)

2014-09-18 14:23:31 UTC

Sourcefire VRT Rules Update

Date: 2014-09-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31927 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:31926 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound communication (malware-cnc.rules)
 * 1:31924 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
 * 1:31923 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant HTTP response attempt (malware-cnc.rules)
 * 1:31922 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wheelreply.net - Win.Trojan.Symmi (blacklist.rules)
 * 1:31921 <-> ENABLED <-> BLACKLIST DNS request for known malware domain southblood.net - Win.Trojan.Symmi (blacklist.rules)
 * 1:31920 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sellsmall.net - Win.Trojan.Symmi (blacklist.rules)
 * 1:31919 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saltsecond.net - Win.Trojan.Symmi (blacklist.rules)
 * 1:31918 <-> ENABLED <-> BLACKLIST DNS request for known malware domain enemydont.net - Win.Trojan.Symmi (blacklist.rules)
 * 1:31917 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vampire123.zapto.org - Win.Trojan.Disfa (blacklist.rules)
 * 1:31916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:31915 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Ziyazo variant outbound connection (malware-cnc.rules)
 * 1:31914 <-> DISABLED <-> SERVER-WEBAPP Microsoft ASP.NET null byte injection attempt (server-webapp.rules)
 * 1:31913 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Maozhi variant outbound connection (malware-cnc.rules)
 * 1:31912 <-> DISABLED <-> SERVER-WEBAPP cPanel 9.01 multiple URI parameters cross site scripting attempt (server-webapp.rules)
 * 1:31911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Gareme variant outbound connection attempt (malware-cnc.rules)
 * 1:31910 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.Kanav variant outbound connection (deleted.rules)
 * 1:31909 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Basostab variant outbound connection (malware-cnc.rules)
 * 1:31908 <-> ENABLED <-> BLACKLIST DNS request for known malware domain recoalmeida.gratisphphost.info - Win.Trojan.Basostab (blacklist.rules)
 * 1:31907 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Honerep variant outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:29725 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
 * 1:29726 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
 * 1:29723 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
 * 1:29724 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
 * 1:28549 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:28550 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:28205 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2003 macro byte opcode large data structure arbitrary code execution attempt (file-office.rules)
 * 1:28206 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2003 macro byte opcode large data structure arbitrary code execution attempt (file-office.rules)
 * 1:27859 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed OCXINFO element EoP attempt (file-office.rules)
 * 1:27945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
 * 1:26379 <-> DISABLED <-> SERVER-OTHER Squid proxy Accept-Language denial of service attempt (server-other.rules)
 * 1:27858 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed OCXINFO element EoP attempt (file-office.rules)
 * 1:22077 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
 * 1:20534 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
 * 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
 * 1:31714 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31713 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
 * 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
 * 1:31127 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:31126 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 1:31125 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
 * 3:30884 <-> ENABLED <-> PROTOCOL-VOIP Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (protocol-voip.rules)