The VRT has added and modified multiple rules in the blacklist, browser-other, exploit-kit, file-flash, file-office, file-pdf, malware-cnc, os-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32040 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Ganiw variant outbound connection attempt (malware-cnc.rules)
* 1:32022 <-> ENABLED <-> FILE-PDF Adobe Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules)
* 1:32020 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Krompt variant outbound connection attempt (malware-cnc.rules)
* 1:32021 <-> ENABLED <-> FILE-PDF Adobe Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules)
* 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection attempt (malware-cnc.rules)
* 1:32017 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Memlog SMB file transfer (malware-cnc.rules)
* 1:32015 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zeus variant outbound connection attempt (malware-cnc.rules)
* 1:32043 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32028 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Klabcon variant outbound connection attempt (malware-cnc.rules)
* 1:32041 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32039 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32014 <-> DISABLED <-> SERVER-WEBAPP GetSimpleCMS arbitrary PHP code execution attempt (server-webapp.rules)
* 1:32013 <-> ENABLED <-> MALWARE-CNC Linux.Worm.Darlloz variant outbound connection attempt (malware-cnc.rules)
* 1:32012 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Bipamid variant outbound connection attempt (malware-cnc.rules)
* 1:32016 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Menteni variant outbound connection attempt (malware-cnc.rules)
* 1:32019 <-> ENABLED <-> BLACKLIST DNS request for known malware domain internetexplorers.org (blacklist.rules)
* 1:32023 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sinpid variant outbound connection attempt (malware-cnc.rules)
* 1:32024 <-> ENABLED <-> FILE-FLASH Adobe Flash Player unsupported bitmapFormat value memory disclosure attempt (file-flash.rules)
* 1:32025 <-> ENABLED <-> FILE-FLASH Adobe Flash Player unsupported bitmapFormat value memory disclosure attempt (file-flash.rules)
* 1:32026 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid TRCK frame attempt (file-flash.rules)
* 1:32027 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid TRCK frame attempt (file-flash.rules)
* 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
* 1:32030 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Decibal - Win.Trojan.Decibal (blacklist.rules)
* 1:32031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Decibal variant outbound connection (malware-cnc.rules)
* 1:32032 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cinebergen.nl - Win.Trojan.Larosden (blacklist.rules)
* 1:32034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Larefervt variant outbound connection attempt (malware-cnc.rules)
* 1:32035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boleteiro variant outbound connection attempt (malware-cnc.rules)
* 1:32033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Larosden variant outbound connection (malware-cnc.rules)
* 1:32037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload.awt variant outbound connection attempt (malware-cnc.rules)
* 1:32042 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Somoca variant outbound connection attempt (malware-cnc.rules)
* 1:32038 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)

* 1:7002 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel url unicode overflow attempt (file-office.rules)
* 1:31915 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Ziyazo variant outbound connection (malware-cnc.rules)
* 1:27705 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit Java exploit requested (exploit-kit.rules)
* 1:26319 <-> DISABLED <-> MALWARE-CNC file path used as User-Agent - potential Trojan (malware-cnc.rules)
* 1:27704 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit Java exploit requested (exploit-kit.rules)
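The "gid:sid <-> Default rule state <-> Message (rule group)" format above is simple enough to parse, and the thing a practitioner actually wants out of a rule-pack changelog is a quick answer to two questions: which groups changed, and which of the new rules ship DISABLED (such as the GetSimpleCMS, Android WebView, Flash TRCK, Excel and file-path User-Agent rules listed here) and so will never fire until someone enables them. The following parser is an added example written for this page; it is not code from the page or from Sourcefire/the VRT. It scans with a regular expression rather than splitting on newlines because extraction often runs several entries together on one line. The sample input is a handful of entries copied from the list above, constructed to include one such run-together line, and the "gid:sid one per line" output shape is assumed to be what a rule-management tool such as pulledpork takes in its enablesid list.

```python
"""Parse a VRT rule-update changelog, summarize it, and list the rules that ship
disabled by default.  Added example; not code from the page or from the VRT.

Entry format, as the page states it:

    gid:sid <-> Default rule state <-> Message (rule group)
"""
import re
from collections import Counter
from dataclasses import dataclass

# Entries start with "* gid:sid" and end with "(<group>.rules)".  Extraction
# sometimes runs several entries together on one line, so scan with finditer
# instead of assuming one entry per line.
RULE_RE = re.compile(
    r"\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w-]+\.rules)\)"
)

# Constructed sample: a few entries copied from the 2956 list above, with two
# entries deliberately run together on the first line.
SAMPLE = """\
* 1:32040 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Ganiw variant outbound connection attempt (malware-cnc.rules) * 1:32043 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32014 <-> DISABLED <-> SERVER-WEBAPP GetSimpleCMS arbitrary PHP code execution attempt (server-webapp.rules)
* 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
* 1:7002 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel url unicode overflow attempt (file-office.rules)
"""


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    msg: str
    group: str

    @property
    def category(self) -> str:
        """The upper-case class the message opens with, e.g. MALWARE-CNC."""
        return self.msg.split(" ", 1)[0]


def parse_changelog(text: str) -> list[RuleEntry]:
    """Return one RuleEntry per 'gid:sid <-> STATE <-> msg (group)' match."""
    return [
        RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED", m["msg"], m["group"])
        for m in RULE_RE.finditer(text)
    ]


def summarize(entries: list[RuleEntry]) -> dict[tuple[str, str], int]:
    """Count entries per (rule group, 'enabled'/'disabled')."""
    counts: Counter = Counter()
    for e in entries:
        counts[(e.group, "enabled" if e.enabled else "disabled")] += 1
    return dict(counts)


def disabled_by_default(entries: list[RuleEntry]) -> list[RuleEntry]:
    """Rules that will not fire until you enable them, sorted by gid:sid."""
    return sorted((e for e in entries if not e.enabled), key=lambda e: (e.gid, e.sid))


def category_mismatches(entries: list[RuleEntry]) -> list[RuleEntry]:
    """Entries whose message class does not match the .rules file they are listed
    under (FILE-PDF belongs in file-pdf.rules).  A non-empty result usually means
    a copy/paste slip in the changelog rather than a real rule problem."""
    return [e for e in entries if e.category.lower() != e.group.removesuffix(".rules")]


def sid_lines(entries: list[RuleEntry]) -> list[str]:
    """'gid:sid' strings, one per entry: the shape assumed here for an
    enablesid/disablesid list fed to a rule-management tool such as pulledpork."""
    return [f"{e.gid}:{e.sid}" for e in entries]


if __name__ == "__main__":
    entries = parse_changelog(SAMPLE)
    for key, n in sorted(summarize(entries).items()):
        print(f"{key[0]:<22} {key[1]:<9} {n}")
    print("\nDisabled by default (review before enabling):")
    for e in disabled_by_default(entries):
        print(f"  {e.gid}:{e.sid}  {e.msg}")
    print("\nenablesid entries:", ", ".join(sid_lines(disabled_by_default(entries))))
```

Run it against the full changelog text rather than SAMPLE to get the real picture; the disabled rules are the ones to review deliberately, since a sensor that pulls this pack sees nothing from them by default.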
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32013 <-> ENABLED <-> MALWARE-CNC Linux.Worm.Darlloz variant outbound connection attempt (malware-cnc.rules)
* 1:32015 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zeus variant outbound connection attempt (malware-cnc.rules)
* 1:32016 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Menteni variant outbound connection attempt (malware-cnc.rules)
* 1:32017 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Memlog SMB file transfer (malware-cnc.rules)
* 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection attempt (malware-cnc.rules)
* 1:32019 <-> ENABLED <-> BLACKLIST DNS request for known malware domain internetexplorers.org (blacklist.rules)
* 1:32020 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Krompt variant outbound connection attempt (malware-cnc.rules)
* 1:32021 <-> ENABLED <-> FILE-PDF Adobe Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules)
* 1:32022 <-> ENABLED <-> FILE-PDF Adobe Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules)
* 1:32023 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sinpid variant outbound connection attempt (malware-cnc.rules)
* 1:32024 <-> ENABLED <-> FILE-FLASH Adobe Flash Player unsupported bitmapFormat value memory disclosure attempt (file-flash.rules)
* 1:32025 <-> ENABLED <-> FILE-FLASH Adobe Flash Player unsupported bitmapFormat value memory disclosure attempt (file-flash.rules)
* 1:32026 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid TRCK frame attempt (file-flash.rules)
* 1:32027 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid TRCK frame attempt (file-flash.rules)
* 1:32028 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Klabcon variant outbound connection attempt (malware-cnc.rules)
* 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
* 1:32030 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Decibal - Win.Trojan.Decibal (blacklist.rules)
* 1:32031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Decibal variant outbound connection (malware-cnc.rules)
* 1:32032 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cinebergen.nl - Win.Trojan.Larosden (blacklist.rules)
* 1:32033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Larosden variant outbound connection (malware-cnc.rules)
* 1:32034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Larefervt variant outbound connection attempt (malware-cnc.rules)
* 1:32035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boleteiro variant outbound connection attempt (malware-cnc.rules)
* 1:32012 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Bipamid variant outbound connection attempt (malware-cnc.rules)
* 1:32043 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32042 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32014 <-> DISABLED <-> SERVER-WEBAPP GetSimpleCMS arbitrary PHP code execution attempt (server-webapp.rules)
* 1:32041 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32040 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Ganiw variant outbound connection attempt (malware-cnc.rules)
* 1:32038 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32039 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload.awt variant outbound connection attempt (malware-cnc.rules)
* 1:32036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Somoca variant outbound connection attempt (malware-cnc.rules)

* 1:27704 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit Java exploit requested (exploit-kit.rules)
* 1:26319 <-> DISABLED <-> MALWARE-CNC file path used as User-Agent - potential Trojan (malware-cnc.rules)
* 1:27705 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit Java exploit requested (exploit-kit.rules)
* 1:31915 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Ziyazo variant outbound connection (malware-cnc.rules)
* 1:7002 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel url unicode overflow attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32043 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32042 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32041 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32040 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Ganiw variant outbound connection attempt (malware-cnc.rules)
* 1:32039 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32038 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload.awt variant outbound connection attempt (malware-cnc.rules)
* 1:32036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Somoca variant outbound connection attempt (malware-cnc.rules)
* 1:32035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boleteiro variant outbound connection attempt (malware-cnc.rules)
* 1:32034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Larefervt variant outbound connection attempt (malware-cnc.rules)
* 1:32033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Larosden variant outbound connection (malware-cnc.rules)
* 1:32032 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cinebergen.nl - Win.Trojan.Larosden (blacklist.rules)
* 1:32031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Decibal variant outbound connection (malware-cnc.rules)
* 1:32030 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Decibal - Win.Trojan.Decibal (blacklist.rules)
* 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
* 1:32028 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Klabcon variant outbound connection attempt (malware-cnc.rules)
* 1:32027 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid TRCK frame attempt (file-flash.rules)
* 1:32026 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid TRCK frame attempt (file-flash.rules)
* 1:32025 <-> ENABLED <-> FILE-FLASH Adobe Flash Player unsupported bitmapFormat value memory disclosure attempt (file-flash.rules)
* 1:32024 <-> ENABLED <-> FILE-FLASH Adobe Flash Player unsupported bitmapFormat value memory disclosure attempt (file-flash.rules)
* 1:32023 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sinpid variant outbound connection attempt (malware-cnc.rules)
* 1:32022 <-> ENABLED <-> FILE-PDF Adobe Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules)
* 1:32021 <-> ENABLED <-> FILE-PDF Adobe Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules)
* 1:32020 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Krompt variant outbound connection attempt (malware-cnc.rules)
* 1:32019 <-> ENABLED <-> BLACKLIST DNS request for known malware domain internetexplorers.org (blacklist.rules)
* 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection attempt (malware-cnc.rules)
* 1:32017 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Memlog SMB file transfer (malware-cnc.rules)
* 1:32016 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Menteni variant outbound connection attempt (malware-cnc.rules)
* 1:32015 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zeus variant outbound connection attempt (malware-cnc.rules)
* 1:32014 <-> DISABLED <-> SERVER-WEBAPP GetSimpleCMS arbitrary PHP code execution attempt (server-webapp.rules)
* 1:32013 <-> ENABLED <-> MALWARE-CNC Linux.Worm.Darlloz variant outbound connection attempt (malware-cnc.rules)
* 1:32012 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Bipamid variant outbound connection attempt (malware-cnc.rules)

* 1:26319 <-> DISABLED <-> MALWARE-CNC file path used as User-Agent - potential Trojan (malware-cnc.rules)
* 1:27704 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit Java exploit requested (exploit-kit.rules)
* 1:27705 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit Java exploit requested (exploit-kit.rules)
* 1:31915 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Ziyazo variant outbound connection (malware-cnc.rules)
* 1:7002 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel url unicode overflow attempt (file-office.rules)