VRT Rules 2014-10-30
This release adds and modifies rules in several categories.

The VRT has added and modified rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-other, file-pdf, indicator-obfuscation, malware-cnc, os-other, os-windows, policy-other, protocol-nntp, protocol-rpc and protocol-scada rule sets to provide coverage for emerging threats in these technologies. Several of the new rules ship DISABLED by default and take effect only once you enable them explicitly.

Change logs

2014-10-30 16:58:12 UTC

Sourcefire VRT Rules Update

Date: 2014-10-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cridex variant outbound connection (malware-cnc.rules)
 * 1:32367 <-> DISABLED <-> MALWARE-CNC Win.Trojan.GameOverZeus variant outbound connection attempt (malware-cnc.rules)
 * 1:32366 <-> DISABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32365 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
 * 1:32364 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
 * 1:32363 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:32362 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:32361 <-> DISABLED <-> FILE-OTHER Microsoft Windows Briefcase integer overflow (file-other.rules)
 * 1:32360 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:32359 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:32358 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JpxDecode invalid crgn memory corruption attempt (file-pdf.rules)
 * 1:32357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Akaza variant outbound connection attempt (malware-cnc.rules)
 * 1:32356 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount path overflow attempt (protocol-rpc.rules)
 * 1:32355 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript variable obfuscation (indicator-obfuscation.rules)

Modified Rules:


 * 1:19103 <-> DISABLED <-> BROWSER-PLUGINS Symantec CLIProxy.dll ActiveX function call access (browser-plugins.rules)
 * 1:20692 <-> DISABLED <-> POLICY-OTHER Cisco network registrar default credentials authentication attempt (policy-other.rules)
 * 1:23950 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DNS NAPTR remote unauthenticated code execution vulnerability attempt (os-windows.rules)
 * 1:24425 <-> DISABLED <-> PROTOCOL-SCADA Sinapsi command injection attempt (protocol-scada.rules)
 * 1:25140 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit portable executable download request (exploit-kit.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (os-windows.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (protocol-nntp.rules)
 * 1:30794 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:30803 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:30898 <-> DISABLED <-> FILE-OTHER Microsoft Windows Briefcase integer underflow (file-other.rules)
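The entries above follow the "gid:sid <-> Default rule state <-> Message (rule group)" layout described at the top of each rule pack listing. The following parser for that layout is an added example, not code from the VRT release or from any Sourcefire or Snort tool. The operational point it makes is that a rule listed DISABLED (for instance 1:32366, the Bash environment variable injection rule, or 1:32356, the mountd path overflow rule) does nothing after the update until you turn it on, so the new-rules list should be read for disabled entries rather than assumed to be live. The sample text is a constructed excerpt of a few lines from this page plus one malformed line; the names parse_changelog, disabled_by_default, sid_lines and sid_diff are mine, not anything the rule pack defines.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few entries copied from the changelog above, plus one
# malformed line, so the parser's filtering is exercised. Not a full release.
SAMPLE = """\
New Rules:

 * 1:32366 <-> DISABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32365 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
 * 1:32356 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount path overflow attempt (protocol-rpc.rules)

Modified Rules:

 * 1:23950 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DNS NAPTR remote unauthenticated code execution vulnerability attempt (os-windows.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (os-windows.rules)
 * this line is not a rule entry and must be skipped
"""

# One changelog entry: "gid:sid <-> STATE <-> message (file.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool      # default state shipped in the rule pack
    msg: str
    group: str         # rules file the entry lives in, e.g. "os-other.rules"
    section: str       # "new" or "modified"


def parse_changelog(text):
    """Parse release-note text into RuleEntry records.

    Lines before the first "New Rules:"/"Modified Rules:" header, blank lines
    and anything that does not match ENTRY_RE are skipped rather than raising,
    because these notes are hand-formatted.
    """
    entries, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if m is None or section is None:
            continue
        entries.append(RuleEntry(
            gid=int(m["gid"]), sid=int(m["sid"]),
            enabled=(m["state"] == "ENABLED"),
            msg=m["msg"], group=m["group"], section=section,
        ))
    return entries


def disabled_by_default(entries, section="new"):
    """Entries in the given section that ship DISABLED: the update does not
    switch these on, so they need an explicit review and enable step."""
    return [e for e in entries if e.section == section and not e.enabled]


def sid_lines(entries):
    """Render entries as one 'gid:sid' string each, the identifier form that
    rule-state management tooling takes when enabling or disabling by SID."""
    return [f"{e.gid}:{e.sid}" for e in entries]


def sid_diff(left, right):
    """(gid, sid) pairs present in 'left' but absent from 'right'. Handy for
    checking that the per-Snort-version listings of one release agree."""
    right_ids = {(e.gid, e.sid) for e in right}
    return {(e.gid, e.sid) for e in left} - right_ids


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    for e in disabled_by_default(parsed):
        print(f"review before enabling: {e.gid}:{e.sid}  {e.msg}  [{e.group}]")
    print("\n".join(sid_lines(disabled_by_default(parsed))))
```

Run against the full text of one rule pack listing, disabled_by_default gives the SIDs to review, and sid_diff between two of the per-version listings on this page should be empty, which is a cheap sanity check when a release note is copied or re-sorted by hand.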

2014-10-30 16:58:12 UTC

Sourcefire VRT Rules Update

Date: 2014-10-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cridex variant outbound connection (malware-cnc.rules)
 * 1:32367 <-> DISABLED <-> MALWARE-CNC Win.Trojan.GameOverZeus variant outbound connection attempt (malware-cnc.rules)
 * 1:32366 <-> DISABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32365 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
 * 1:32364 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
 * 1:32363 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:32362 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:32361 <-> DISABLED <-> FILE-OTHER Microsoft Windows Briefcase integer overflow (file-other.rules)
 * 1:32360 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:32359 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:32358 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JpxDecode invalid crgn memory corruption attempt (file-pdf.rules)
 * 1:32357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Akaza variant outbound connection attempt (malware-cnc.rules)
 * 1:32356 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount path overflow attempt (protocol-rpc.rules)
 * 1:32355 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript variable obfuscation (indicator-obfuscation.rules)

Modified Rules:


 * 1:19103 <-> DISABLED <-> BROWSER-PLUGINS Symantec CLIProxy.dll ActiveX function call access (browser-plugins.rules)
 * 1:20692 <-> DISABLED <-> POLICY-OTHER Cisco network registrar default credentials authentication attempt (policy-other.rules)
 * 1:23950 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DNS NAPTR remote unauthenticated code execution vulnerability attempt (os-windows.rules)
 * 1:24425 <-> DISABLED <-> PROTOCOL-SCADA Sinapsi command injection attempt (protocol-scada.rules)
 * 1:25140 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit portable executable download request (exploit-kit.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (os-windows.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (protocol-nntp.rules)
 * 1:30794 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:30803 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:30898 <-> DISABLED <-> FILE-OTHER Microsoft Windows Briefcase integer underflow (file-other.rules)

2014-10-30 16:58:12 UTC

Sourcefire VRT Rules Update

Date: 2014-10-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cridex variant outbound connection (malware-cnc.rules)
 * 1:32367 <-> DISABLED <-> MALWARE-CNC Win.Trojan.GameOverZeus variant outbound connection attempt (malware-cnc.rules)
 * 1:32366 <-> DISABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32365 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
 * 1:32364 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
 * 1:32363 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:32362 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:32361 <-> DISABLED <-> FILE-OTHER Microsoft Windows Briefcase integer overflow (file-other.rules)
 * 1:32360 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:32359 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:32358 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JpxDecode invalid crgn memory corruption attempt (file-pdf.rules)
 * 1:32357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Akaza variant outbound connection attempt (malware-cnc.rules)
 * 1:32356 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount path overflow attempt (protocol-rpc.rules)
 * 1:32355 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript variable obfuscation (indicator-obfuscation.rules)

Modified Rules:


 * 1:19103 <-> DISABLED <-> BROWSER-PLUGINS Symantec CLIProxy.dll ActiveX function call access (browser-plugins.rules)
 * 1:20692 <-> DISABLED <-> POLICY-OTHER Cisco network registrar default credentials authentication attempt (policy-other.rules)
 * 1:23950 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DNS NAPTR remote unauthenticated code execution vulnerability attempt (os-windows.rules)
 * 1:24425 <-> DISABLED <-> PROTOCOL-SCADA Sinapsi command injection attempt (protocol-scada.rules)
 * 1:25140 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit portable executable download request (exploit-kit.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (os-windows.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (protocol-nntp.rules)
 * 1:30794 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:30803 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:30898 <-> DISABLED <-> FILE-OTHER Microsoft Windows Briefcase integer underflow (file-other.rules)