VRT Rules 2014-10-28
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the browser-chrome, malware-cnc, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2014-10-28 19:51:59 UTC

Sourcefire VRT Rules Update

Date: 2014-10-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32354 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsune variant outbound connection (malware-cnc.rules)
 * 1:32353 <-> DISABLED <-> SQL Drupal 7 pre auth SQL injection attempt (sql.rules)
 * 1:32352 <-> ENABLED <-> SERVER-WEBAPP Centreon displayServiceStatus.php command injection attempt (server-webapp.rules)
 * 1:32351 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
 * 1:32350 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
 * 1:32349 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32348 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32347 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32346 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 directory traversal attempt (server-other.rules)
 * 1:32345 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector - initiate connection (server-other.rules)
 * 1:32344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound spam attempt (malware-cnc.rules)
 * 1:32343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant inbound spam attempt (malware-cnc.rules)
 * 1:32342 <-> ENABLED <-> SERVER-OTHER AlienVault OSSIM framework backup_restore action command injection attempt (server-other.rules)

Modified Rules:


 * 1:32319 <-> ENABLED <-> BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt (browser-chrome.rules)
 * 1:32320 <-> ENABLED <-> BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt (browser-chrome.rules)
 * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules)

2014-10-28 19:51:59 UTC

Sourcefire VRT Rules Update

Date: 2014-10-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32349 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32351 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
 * 1:32348 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant inbound spam attempt (malware-cnc.rules)
 * 1:32342 <-> ENABLED <-> SERVER-OTHER AlienVault OSSIM framework backup_restore action command injection attempt (server-other.rules)
 * 1:32344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound spam attempt (malware-cnc.rules)
 * 1:32346 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 directory traversal attempt (server-other.rules)
 * 1:32347 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32350 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
 * 1:32345 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector - initiate connection (server-other.rules)
 * 1:32354 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsune variant outbound connection (malware-cnc.rules)
 * 1:32353 <-> DISABLED <-> SQL Drupal 7 pre auth SQL injection attempt (sql.rules)
 * 1:32352 <-> ENABLED <-> SERVER-WEBAPP Centreon displayServiceStatus.php command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:32319 <-> ENABLED <-> BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt (browser-chrome.rules)
 * 1:32320 <-> ENABLED <-> BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt (browser-chrome.rules)
 * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules)

2014-10-28 19:51:59 UTC

Sourcefire VRT Rules Update

Date: 2014-10-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32346 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 directory traversal attempt (server-other.rules)
 * 1:32349 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32351 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
 * 1:32348 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant inbound spam attempt (malware-cnc.rules)
 * 1:32342 <-> ENABLED <-> SERVER-OTHER AlienVault OSSIM framework backup_restore action command injection attempt (server-other.rules)
 * 1:32354 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsune variant outbound connection (malware-cnc.rules)
 * 1:32347 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound spam attempt (malware-cnc.rules)
 * 1:32350 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
 * 1:32353 <-> DISABLED <-> SQL Drupal 7 pre auth SQL injection attempt (sql.rules)
 * 1:32345 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector - initiate connection (server-other.rules)
 * 1:32352 <-> ENABLED <-> SERVER-WEBAPP Centreon displayServiceStatus.php command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:32320 <-> ENABLED <-> BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt (browser-chrome.rules)
 * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules)
 * 1:32319 <-> ENABLED <-> BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt (browser-chrome.rules)