VRT Rules 2014-10-23
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, file-other, file-pdf, malware-cnc, os-other, pua-adware, server-mail and server-webapp rule sets to provide coverage for emerging threats affecting these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2014-10-23 20:05:58 UTC

Sourcefire VRT Rules Update

Date: 2014-10-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:30717 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
 * 1:30716 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
 * 1:30715 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
 * 1:25618 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25612 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25617 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25601 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25589 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:12784 <-> DISABLED <-> SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt (server-other.rules)
 * 1:32312 <-> DISABLED <-> MALWARE-CNC FrameworkPOS data exfiltration through DNS - beacon message (malware-cnc.rules)
 * 1:32311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rehtesyk outbound communication (malware-cnc.rules)
 * 1:32310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Farfi variant outbound connection attempt (malware-cnc.rules)
 * 1:32309 <-> ENABLED <-> BLACKLIST DNS request for known malware domain good.myftp.org - Win.Trojan.Farfi (blacklist.rules)
 * 1:32307 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32305 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32306 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32304 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32303 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32300 <-> ENABLED <-> BLACKLIST DNS request for known malware domain organfriandpopul.su - Win.Trojan.Waski (blacklist.rules)
 * 1:32301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32299 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jollyhollypanzer.com - Win.Trojan.Waski (blacklist.rules)
 * 1:32297 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cemotrans.com - Win.Trojan.Waski (blacklist.rules)
 * 1:32298 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cryptdice.com - Win.Trojan.Waski (blacklist.rules)
 * 1:32295 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string http - Win.Trojan.Waski (blacklist.rules)
 * 1:32296 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string update - Win.Trojan.Waski (blacklist.rules)
 * 1:32294 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent BloodguyBrowser-_- (blacklist.rules)
 * 1:32293 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Acanas variant outbound connection attempt (malware-cnc.rules)
 * 1:32292 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker download detected (malware-cnc.rules)
 * 1:32291 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker download detected (malware-cnc.rules)
 * 1:32290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker download detected (malware-cnc.rules)
 * 1:32289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker download detected (malware-cnc.rules)
 * 1:32288 <-> ENABLED <-> BLACKLIST DNS request for known malware domain royalgourp.org (blacklist.rules)
 * 1:32287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sapertilz variant outbound connection (malware-cnc.rules)
 * 1:32286 <-> ENABLED <-> BLACKLIST DNS request for known malware domain test.hoseen454r.com - Win.Trojan.Sapertilz (blacklist.rules)
 * 1:32285 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zoxpng variant outbound connection (malware-cnc.rules)
 * 1:32284 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.Gresim variant outbound connection (deleted.rules)
 * 1:32283 <-> ENABLED <-> BLACKLIST DNS request for known malware domain war.winxps.com - Win.Trojan.Gresim (blacklist.rules)
 * 1:32282 <-> ENABLED <-> BLACKLIST DNS request for known malware domain war.webok.net - Win.Trojan.Gresim (blacklist.rules)
 * 1:32281 <-> ENABLED <-> BLACKLIST DNS request for known malware domain war.geekgalaxy.com - Win.Trojan.Gresim (blacklist.rules)
 * 1:32280 <-> ENABLED <-> BLACKLIST DNS request for known malware domain war.eatuo.com - Win.Trojan.Gresim (blacklist.rules)
 * 1:32279 <-> ENABLED <-> BLACKLIST DNS request for known malware domain revjj.syshell.org - Win.Trojan.Gresim (blacklist.rules)
 * 1:32278 <-> ENABLED <-> BLACKLIST DNS request for known malware domain images.iphone-android-mobile.com - Win.Trojan.Gresim (blacklist.rules)
 * 1:32277 <-> DISABLED <-> SERVER-OTHER Novell ZENworks PreBoot directory traversal attempt (server-other.rules)
 * 1:32275 <-> DISABLED <-> OS-MOBILE Apple iOS 8.x jailbreak download attempt (os-mobile.rules)
 * 1:32276 <-> DISABLED <-> SERVER-WEBAPP WordPress Infusionsoft Gravity Forms Plugin arbitrary code execution attempt (server-webapp.rules)
 * 1:32274 <-> DISABLED <-> OS-MOBILE Apple iOS 8.x jailbreak download attempt (os-mobile.rules)
 * 1:32272 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Hesechca variant outbound connection (malware-cnc.rules)
 * 1:32273 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spamnost variant outbound connection (malware-cnc.rules)
 * 1:32271 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cache.bsqlserver.com - Win.Trojan.Hesechca (blacklist.rules)
 * 1:32270 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:32268 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:30742 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30741 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30740 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30739 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30738 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30737 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30736 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30735 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30734 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
 * 1:30733 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
 * 1:25619 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:30732 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
 * 1:25620 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25550 <-> ENABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
 * 1:30731 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
 * 1:25664 <-> DISABLED <-> SERVER-OTHER MiniUPnPd SSDP request buffer overflow attempt (server-other.rules)
 * 1:30730 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt (server-other.rules)
 * 1:30729 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt (server-other.rules)
 * 1:30711 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt (server-other.rules)
 * 1:30728 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt (server-other.rules)
 * 1:30712 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt (server-other.rules)
 * 1:30727 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt (server-other.rules)
 * 1:30713 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt (server-other.rules)
 * 1:30726 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30714 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt (server-other.rules)
 * 1:30725 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30724 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30723 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30722 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30721 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30720 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30719 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:12786 <-> DISABLED <-> SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt (server-other.rules)
 * 1:30718 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
 * 1:12785 <-> DISABLED <-> SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt (server-other.rules)
 * 1:25549 <-> ENABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)

Modified Rules:

 * 1:15559 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file clipping region handling heap buffer overflow attempt (file-multimedia.rules)
 * 1:31856 <-> DISABLED <-> PROTOCOL-SNMP Multiple Products WPA key enumeration attempt (protocol-snmp.rules)
 * 1:32186 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:32187 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:26564 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime Movie file clipping region handling heap buffer overflow attempt (file-multimedia.rules)
 * 1:31854 <-> DISABLED <-> PROTOCOL-SNMP Multiple Products 128 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:16787 <-> DISABLED <-> FILE-OTHER Symantec multiple products AeXNSConsoleUtilities RunCMD buffer overflow attempt (file-other.rules)
 * 1:15554 <-> DISABLED <-> SERVER-ORACLE Application Server 10g OPMN service format string vulnerability exploit attempt (server-oracle.rules)
 * 1:31855 <-> DISABLED <-> PROTOCOL-SNMP Multiple Products 64 bit WEP key enumeration attempt (protocol-snmp.rules)

2014-10-23 20:05:58 UTC

Sourcefire VRT Rules Update

Date: 2014-10-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32268 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:32270 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
 * 1:32271 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cache.bsqlserver.com - Win.Trojan.Hesechca (blacklist.rules)
 * 1:32272 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Hesechca variant outbound connection (malware-cnc.rules)
 * 1:32273 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spamnost variant outbound connection (malware-cnc.rules)
 * 1:32274 <-> DISABLED <-> OS-MOBILE Apple iOS 8.x jailbreak download attempt (os-mobile.rules)
 * 1:32275 <-> DISABLED <-> OS-MOBILE Apple iOS 8.x jailbreak download attempt (os-mobile.rules)
 * 1:32276 <-> DISABLED <-> SERVER-WEBAPP WordPress Infusionsoft Gravity Forms Plugin arbitrary code execution attempt (server-webapp.rules)
 * 1:32277 <-> DISABLED <-> SERVER-OTHER Novell ZENworks PreBoot directory traversal attempt (server-other.rules)
 * 1:32278 <-> ENABLED <-> BLACKLIST DNS request for known malware domain images.iphone-android-mobile.com - Win.Trojan.Gresim (blacklist.rules)
 * 1:32279 <-> ENABLED <-> BLACKLIST DNS request for known malware domain revjj.syshell.org - Win.Trojan.Gresim (blacklist.rules)
 * 1:32281 <-> ENABLED <-> BLACKLIST DNS request for known malware domain war.geekgalaxy.com - Win.Trojan.Gresim (blacklist.rules)
 * 1:32280 <-> ENABLED <-> BLACKLIST DNS request for known malware domain war.eatuo.com - Win.Trojan.Gresim (blacklist.rules)
 * 1:32282 <-> ENABLED <-> BLACKLIST DNS request for known malware domain war.webok.net - Win.Trojan.Gresim (blacklist.rules)
 * 1:32283 <-> ENABLED <-> BLACKLIST DNS request for known malware domain war.winxps.com - Win.Trojan.Gresim (blacklist.rules)
 * 1:32284 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.Gresim variant outbound connection (deleted.rules)
 * 1:32286 <-> ENABLED <-> BLACKLIST DNS request for known malware domain test.hoseen454r.com - Win.Trojan.Sapertilz (blacklist.rules)
 * 1:32285 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zoxpng variant outbound connection (malware-cnc.rules)
 * 1:32287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sapertilz variant outbound connection (malware-cnc.rules)
 * 1:32288 <-> ENABLED <-> BLACKLIST DNS request for known malware domain royalgourp.org (blacklist.rules)
 * 1:32289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker download detected (malware-cnc.rules)
 * 1:32290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker download detected (malware-cnc.rules)
 * 1:32291 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker download detected (malware-cnc.rules)
 * 1:32292 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker download detected (malware-cnc.rules)
 * 1:32293 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Acanas variant outbound connection attempt (malware-cnc.rules)
 * 1:32294 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent BloodguyBrowser-_- (blacklist.rules)
 * 1:32295 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string http - Win.Trojan.Waski (blacklist.rules)
 * 1:32296 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string update - Win.Trojan.Waski (blacklist.rules)
 * 1:32297 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cemotrans.com - Win.Trojan.Waski (blacklist.rules)
 * 1:32298 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cryptdice.com - Win.Trojan.Waski (blacklist.rules)
 * 1:32299 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jollyhollypanzer.com - Win.Trojan.Waski (blacklist.rules)
 * 1:32300 <-> ENABLED <-> BLACKLIST DNS request for known malware domain organfriandpopul.su - Win.Trojan.Waski (blacklist.rules)
 * 1:32301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:32312 <-> DISABLED <-> MALWARE-CNC FrameworkPOS data exfiltration through DNS - beacon message (malware-cnc.rules)
 * 1:32311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rehtesyk outbound communication (malware-cnc.rules)
 * 1:32310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Farfi variant outbound connection attempt (malware-cnc.rules)
 * 1:32309 <-> ENABLED <-> BLACKLIST DNS request for known malware domain good.myftp.org - Win.Trojan.Farfi (blacklist.rules)
 * 1:32308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32307 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32304 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32306 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32305 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32303 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)

Modified Rules:

 * 1:31855 <-> DISABLED <-> PROTOCOL-SNMP Multiple Products 64 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:15554 <-> DISABLED <-> SERVER-ORACLE Application Server 10g OPMN service format string vulnerability exploit attempt (server-oracle.rules)
 * 1:15559 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file clipping region handling heap buffer overflow attempt (file-multimedia.rules)
 * 1:16787 <-> DISABLED <-> FILE-OTHER Symantec multiple products AeXNSConsoleUtilities RunCMD buffer overflow attempt (file-other.rules)
 * 1:26564 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime Movie file clipping region handling heap buffer overflow attempt (file-multimedia.rules)
 * 1:31854 <-> DISABLED <-> PROTOCOL-SNMP Multiple Products 128 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31856 <-> DISABLED <-> PROTOCOL-SNMP Multiple Products WPA key enumeration attempt (protocol-snmp.rules)
 * 1:32186 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:32187 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)

2014-10-23 20:05:58 UTC

Sourcefire VRT Rules Update

Date: 2014-10-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32312 <-> DISABLED <-> MALWARE-CNC FrameworkPOS data exfiltration through DNS - beacon message (malware-cnc.rules)
 * 1:32311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rehtesyk outbound communication (malware-cnc.rules)
 * 1:32310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Farfi variant outbound connection attempt (malware-cnc.rules)
 * 1:32309 <-> ENABLED <-> BLACKLIST DNS request for known malware domain good.myftp.org - Win.Trojan.Farfi (blacklist.rules)
 * 1:32308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32307 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32306 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32305 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32304 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32303 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex denial of service attempt (file-flash.rules)
 * 1:32300 <-> ENABLED <-> BLACKLIST DNS request for known malware domain organfriandpopul.su - Win.Trojan.Waski (blacklist.rules)
 * 1:32299 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jollyhollypanzer.com - Win.Trojan.Waski (blacklist.rules)
 * 1:32298 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cryptdice.com - Win.Trojan.Waski (blacklist.rules)
 * 1:32297 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cemotrans.com - Win.Trojan.Waski (blacklist.rules)
 * 1:32296 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string update - Win.Trojan.Waski (blacklist.rules)
 * 1:32295 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string http - Win.Trojan.Waski (blacklist.rules)
 * 1:32294 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent BloodguyBrowser-_- (blacklist.rules)
 * 1:32293 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Acanas variant outbound connection attempt (malware-cnc.rules)
 * 1:32292 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker download detected (malware-cnc.rules)
 * 1:32291 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker download detected (malware-cnc.rules)
 * 1:32290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker download detected (malware-cnc.rules)
 * 1:32289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker download detected (malware-cnc.rules)
 * 1:32288 <-> ENABLED <-> BLACKLIST DNS request for known malware domain royalgourp.org (blacklist.rules)
 * 1:32287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sapertilz variant outbound connection (malware-cnc.rules)
 * 1:32286 <-> ENABLED <-> BLACKLIST DNS request for known malware domain test.hoseen454r.com - Win.Trojan.Sapertilz (blacklist.rules)
 * 1:32285 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zoxpng variant outbound connection (malware-cnc.rules)
 * 1:32284 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.Gresim variant outbound connection (deleted.rules)
 * 1:32283 <-> ENABLED <-> BLACKLIST DNS request for known malware domain war.winxps.com - Win.Trojan.Gresim (blacklist.rules)
 * 1:32282 <-> ENABLED <-> BLACKLIST DNS request for known malware domain war.webok.net - Win.Trojan.Gresim (blacklist.rules)
 * 1:32281 <-> ENABLED <-> BLACKLIST DNS request for known malware domain war.geekgalaxy.com - Win.Trojan.Gresim (blacklist.rules)
 * 1:32280 <-> ENABLED <-> BLACKLIST DNS request for known malware domain war.eatuo.com - Win.Trojan.Gresim (blacklist.rules)
 * 1:32279 <-> ENABLED <-> BLACKLIST DNS request for known malware domain revjj.syshell.org - Win.Trojan.Gresim (blacklist.rules)
 * 1:32278 <-> ENABLED <-> BLACKLIST DNS request for known malware domain images.iphone-android-mobile.com - Win.Trojan.Gresim (blacklist.rules)
 * 1:32277 <-> DISABLED <-> SERVER-OTHER Novell ZENworks PreBoot directory traversal attempt (server-other.rules)
 * 1:32276 <-> DISABLED <-> SERVER-WEBAPP WordPress Infusionsoft Gravity Forms Plugin arbitrary code execution attempt (server-webapp.rules)
 * 1:32275 <-> DISABLED <-> OS-MOBILE Apple iOS 8.x jailbreak download attempt (os-mobile.rules)
 * 1:32274 <-> DISABLED <-> OS-MOBILE Apple iOS 8.x jailbreak download attempt (os-mobile.rules)
 * 1:32273 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spamnost variant outbound connection (malware-cnc.rules)
 * 1:32272 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Hesechca variant outbound connection (malware-cnc.rules)
 * 1:32271 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cache.bsqlserver.com - Win.Trojan.Hesechca (blacklist.rules)
 * 1:32270 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:32268 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:15554 <-> DISABLED <-> SERVER-ORACLE Application Server 10g OPMN service format string vulnerability exploit attempt (server-oracle.rules)
 * 1:15559 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file clipping region handling heap buffer overflow attempt (file-multimedia.rules)
 * 1:16787 <-> DISABLED <-> FILE-OTHER Symantec multiple products AeXNSConsoleUtilities RunCMD buffer overflow attempt (file-other.rules)
 * 1:26564 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime Movie file clipping region handling heap buffer overflow attempt (file-multimedia.rules)
 * 1:31854 <-> DISABLED <-> PROTOCOL-SNMP Multiple Products 128 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31855 <-> DISABLED <-> PROTOCOL-SNMP Multiple Products 64 bit WEP key enumeration attempt (protocol-snmp.rules)
 * 1:31856 <-> DISABLED <-> PROTOCOL-SNMP Multiple Products WPA key enumeration attempt (protocol-snmp.rules)
 * 1:32186 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:32187 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)