VRT Rules 2014-11-04
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-other, exploit-kit, indicator-obfuscation, malware-cnc, protocol-icmp, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-11-04 18:14:42 UTC

Sourcefire VRT Rules Update

Date: 2014-11-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32376 <-> DISABLED <-> SERVER-OTHER Citrix NetScaler stack buffer overflow attempt (server-other.rules)
 * 1:32375 <-> DISABLED <-> BROWSER-OTHER WGet symlink arbitrary file write attempt (browser-other.rules)
 * 1:32374 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt (malware-cnc.rules)
 * 1:32373 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Broonject variant outbound connection attempt (malware-cnc.rules)
 * 1:32372 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drepitt variant outbound connection attempt (malware-cnc.rules)
 * 1:32371 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
 * 1:32370 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:32369 <-> DISABLED <-> PROTOCOL-ICMP FreeBSD stsold dname_labeldec stack buffer overflow attempt (protocol-icmp.rules)

Modified Rules:


 * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (server-other.rules)
 * 1:32353 <-> DISABLED <-> SQL Drupal 7 pre auth SQL injection attempt (sql.rules)
 * 1:32205 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
 * 1:32204 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
 * 1:31823 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM remote_task command injection attempt (server-webapp.rules)
 * 1:31506 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd get_log_line command injection attempt (server-webapp.rules)
 * 1:31505 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd get_license command injection attempt (server-webapp.rules)
 * 1:31455 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
 * 1:31330 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd update_system_info_debian_package command injection attempt (server-webapp.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:30842 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wisenwizard.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30841 <-> ENABLED <-> BLACKLIST DNS request for known malware domain websparkle.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain towertilt.com - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30839 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serialtrunc.com - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30838 <-> ENABLED <-> BLACKLIST DNS request for known malware domain secretsauce.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30837 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saltarsmart.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30836 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qualitink.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30835 <-> ENABLED <-> BLACKLIST DNS request for known malware domain plurpush.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30834 <-> ENABLED <-> BLACKLIST DNS request for known malware domain outobox.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30833 <-> ENABLED <-> BLACKLIST DNS request for known malware domain megabrowse.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30832 <-> ENABLED <-> BLACKLIST DNS request for known malware domain luckyleap.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30831 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lemurleap.info - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30830 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kozaka.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30829 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jotzey.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30828 <-> ENABLED <-> BLACKLIST DNS request for known malware domain grabmyrez.co - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30827 <-> ENABLED <-> BLACKLIST DNS request for known malware domain diamondata.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30826 <-> ENABLED <-> BLACKLIST DNS request for known malware domain browsesmart.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30825 <-> ENABLED <-> BLACKLIST DNS request for known malware domain browsemark.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30824 <-> ENABLED <-> BLACKLIST DNS request for known malware domain betterbrowse.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:26616 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript indexOf rename attempt (indicator-obfuscation.rules)
 * 1:26615 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript substr rename attempt (indicator-obfuscation.rules)
 * 1:25100 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:26451 <-> DISABLED <-> INDICATOR-OBFUSCATION g01pack Javascript substr function wrapper attempt (indicator-obfuscation.rules)
 * 1:12362 <-> DISABLED <-> SERVER-WEBAPP Squid HTTP Proxy-Authorization overflow attempt (server-webapp.rules)

2014-11-04 18:14:42 UTC

Sourcefire VRT Rules Update

Date: 2014-11-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32374 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt (malware-cnc.rules)
 * 1:32376 <-> DISABLED <-> SERVER-OTHER Citrix NetScaler stack buffer overflow attempt (server-other.rules)
 * 1:32375 <-> DISABLED <-> BROWSER-OTHER WGet symlink arbitrary file write attempt (browser-other.rules)
 * 1:32372 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drepitt variant outbound connection attempt (malware-cnc.rules)
 * 1:32373 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Broonject variant outbound connection attempt (malware-cnc.rules)
 * 1:32370 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:32371 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
 * 1:32369 <-> DISABLED <-> PROTOCOL-ICMP FreeBSD stsold dname_labeldec stack buffer overflow attempt (protocol-icmp.rules)

Modified Rules:


 * 1:12362 <-> DISABLED <-> SERVER-WEBAPP Squid HTTP Proxy-Authorization overflow attempt (server-webapp.rules)
 * 1:26451 <-> DISABLED <-> INDICATOR-OBFUSCATION g01pack Javascript substr function wrapper attempt (indicator-obfuscation.rules)
 * 1:25100 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:26615 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript substr rename attempt (indicator-obfuscation.rules)
 * 1:26616 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript indexOf rename attempt (indicator-obfuscation.rules)
 * 1:30824 <-> ENABLED <-> BLACKLIST DNS request for known malware domain betterbrowse.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30825 <-> ENABLED <-> BLACKLIST DNS request for known malware domain browsemark.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30826 <-> ENABLED <-> BLACKLIST DNS request for known malware domain browsesmart.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30827 <-> ENABLED <-> BLACKLIST DNS request for known malware domain diamondata.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30828 <-> ENABLED <-> BLACKLIST DNS request for known malware domain grabmyrez.co - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30829 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jotzey.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30831 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lemurleap.info - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30830 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kozaka.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30832 <-> ENABLED <-> BLACKLIST DNS request for known malware domain luckyleap.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30833 <-> ENABLED <-> BLACKLIST DNS request for known malware domain megabrowse.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30834 <-> ENABLED <-> BLACKLIST DNS request for known malware domain outobox.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30835 <-> ENABLED <-> BLACKLIST DNS request for known malware domain plurpush.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30836 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qualitink.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30837 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saltarsmart.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30838 <-> ENABLED <-> BLACKLIST DNS request for known malware domain secretsauce.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30839 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serialtrunc.com - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain towertilt.com - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30842 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wisenwizard.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:31823 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM remote_task command injection attempt (server-webapp.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:31330 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd update_system_info_debian_package command injection attempt (server-webapp.rules)
 * 1:31505 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd get_license command injection attempt (server-webapp.rules)
 * 1:31506 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd get_log_line command injection attempt (server-webapp.rules)
 * 1:31455 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
 * 1:30841 <-> ENABLED <-> BLACKLIST DNS request for known malware domain websparkle.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:32204 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
 * 1:32205 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
 * 1:32353 <-> DISABLED <-> SQL Drupal 7 pre auth SQL injection attempt (sql.rules)
 * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (server-other.rules)

2014-11-04 18:14:42 UTC

Sourcefire VRT Rules Update

Date: 2014-11-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32376 <-> DISABLED <-> SERVER-OTHER Citrix NetScaler stack buffer overflow attempt (server-other.rules)
 * 1:32375 <-> DISABLED <-> BROWSER-OTHER WGet symlink arbitrary file write attempt (browser-other.rules)
 * 1:32374 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt (malware-cnc.rules)
 * 1:32372 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drepitt variant outbound connection attempt (malware-cnc.rules)
 * 1:32373 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Broonject variant outbound connection attempt (malware-cnc.rules)
 * 1:32370 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:32371 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
 * 1:32369 <-> DISABLED <-> PROTOCOL-ICMP FreeBSD stsold dname_labeldec stack buffer overflow attempt (protocol-icmp.rules)

Modified Rules:


 * 1:30834 <-> ENABLED <-> BLACKLIST DNS request for known malware domain outobox.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30831 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lemurleap.info - Win.Trojan.Mudrop (blacklist.rules)
 * 1:31330 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd update_system_info_debian_package command injection attempt (server-webapp.rules)
 * 1:31823 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM remote_task command injection attempt (server-webapp.rules)
 * 1:31505 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd get_license command injection attempt (server-webapp.rules)
 * 1:31455 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
 * 1:32204 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
 * 1:32205 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:31506 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd get_log_line command injection attempt (server-webapp.rules)
 * 1:12362 <-> DISABLED <-> SERVER-WEBAPP Squid HTTP Proxy-Authorization overflow attempt (server-webapp.rules)
 * 1:26451 <-> DISABLED <-> INDICATOR-OBFUSCATION g01pack Javascript substr function wrapper attempt (indicator-obfuscation.rules)
 * 1:25100 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:26615 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript substr rename attempt (indicator-obfuscation.rules)
 * 1:30841 <-> ENABLED <-> BLACKLIST DNS request for known malware domain websparkle.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain towertilt.com - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30835 <-> ENABLED <-> BLACKLIST DNS request for known malware domain plurpush.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30838 <-> ENABLED <-> BLACKLIST DNS request for known malware domain secretsauce.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30824 <-> ENABLED <-> BLACKLIST DNS request for known malware domain betterbrowse.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30826 <-> ENABLED <-> BLACKLIST DNS request for known malware domain browsesmart.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:26616 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript indexOf rename attempt (indicator-obfuscation.rules)
 * 1:30825 <-> ENABLED <-> BLACKLIST DNS request for known malware domain browsemark.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30827 <-> ENABLED <-> BLACKLIST DNS request for known malware domain diamondata.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30828 <-> ENABLED <-> BLACKLIST DNS request for known malware domain grabmyrez.co - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30829 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jotzey.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30830 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kozaka.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30832 <-> ENABLED <-> BLACKLIST DNS request for known malware domain luckyleap.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30833 <-> ENABLED <-> BLACKLIST DNS request for known malware domain megabrowse.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30839 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serialtrunc.com - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30836 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qualitink.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30837 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saltarsmart.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (server-other.rules)
 * 1:32353 <-> DISABLED <-> SQL Drupal 7 pre auth SQL injection attempt (sql.rules)
 * 1:30842 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wisenwizard.net - Win.Trojan.Mudrop (blacklist.rules)