VRT Rules 2014-11-13
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, browser-other, file-flash, malware-cnc, policy-other, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2014-11-13 16:36:15 UTC

Sourcefire VRT Rules Update

Date: 2014-11-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32524 <-> DISABLED <-> BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt (browser-other.rules)
 * 1:32525 <-> ENABLED <-> BROWSER-OTHER FreeBSD tnftp client detected (browser-other.rules)
 * 1:32526 <-> DISABLED <-> POLICY-OTHER Visual Mining NetCharts default credentials authentication attempt (policy-other.rules)
 * 1:32545 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML focus with no data denial of service attempt (file-flash.rules)
 * 1:32531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt (malware-cnc.rules)
 * 1:32535 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32537 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32546 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP Enterprise Manager XML entity injection attempt (server-webapp.rules)
 * 1:32532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style sheet array memory corruption attempt (browser-ie.rules)
 * 1:32544 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML focus with no data denial of service attempt (file-flash.rules)
 * 1:32534 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32530 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:32528 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts directory traversal attempt (server-webapp.rules)
 * 1:32529 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Vkont variant outbound connection (malware-cnc.rules)
 * 1:32527 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts directory traversal attempt (server-webapp.rules)
 * 1:32523 <-> DISABLED <-> BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt (browser-other.rules)
 * 1:32521 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 2.0 possible TOR client retrieval attempt (malware-cnc.rules)
 * 1:32522 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hydroac.info - Win.Trojan.Hancitor (blacklist.rules)
 * 1:32533 <-> ENABLED <-> SERVER-MYSQL Oracle MySQL Server XPath memory Corruption attempt (server-mysql.rules)
 * 1:32536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32541 <-> ENABLED <-> FILE-FLASH Adobe Flash Player decompressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32540 <-> ENABLED <-> FILE-FLASH Adobe Flash Player decompressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32547 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP Enterprise Manager XML entity injection attempt (server-webapp.rules)
 * 1:32542 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed microphone object codec denial of service attempt (file-flash.rules)

Modified Rules:

 * 1:32463 <-> ENABLED <-> BLACKLIST DNS request for known malware domain octoberpics.ru - Win.Trojan.TorrentLocker (blacklist.rules)
 * 1:16659 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style sheet array memory corruption attempt (browser-ie.rules)
 * 1:12079 <-> DISABLED <-> SERVER-OTHER CA BrightStor LGServer Stack buffer overflow attempt (server-other.rules)

2014-11-13 16:36:15 UTC

Sourcefire VRT Rules Update

Date: 2014-11-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32541 <-> ENABLED <-> FILE-FLASH Adobe Flash Player decompressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32540 <-> ENABLED <-> FILE-FLASH Adobe Flash Player decompressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32537 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32534 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32535 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style sheet array memory corruption attempt (browser-ie.rules)
 * 1:32533 <-> ENABLED <-> SERVER-MYSQL Oracle MySQL Server XPath memory Corruption attempt (server-mysql.rules)
 * 1:32530 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:32531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt (malware-cnc.rules)
 * 1:32528 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts directory traversal attempt (server-webapp.rules)
 * 1:32529 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Vkont variant outbound connection (malware-cnc.rules)
 * 1:32527 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts directory traversal attempt (server-webapp.rules)
 * 1:32524 <-> DISABLED <-> BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt (browser-other.rules)
 * 1:32521 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 2.0 possible TOR client retrieval attempt (malware-cnc.rules)
 * 1:32522 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hydroac.info - Win.Trojan.Hancitor (blacklist.rules)
 * 1:32525 <-> ENABLED <-> BROWSER-OTHER FreeBSD tnftp client detected (browser-other.rules)
 * 1:32526 <-> DISABLED <-> POLICY-OTHER Visual Mining NetCharts default credentials authentication attempt (policy-other.rules)
 * 1:32547 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP Enterprise Manager XML entity injection attempt (server-webapp.rules)
 * 1:32523 <-> DISABLED <-> BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt (browser-other.rules)
 * 1:32546 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP Enterprise Manager XML entity injection attempt (server-webapp.rules)
 * 1:32545 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML focus with no data denial of service attempt (file-flash.rules)
 * 1:32544 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML focus with no data denial of service attempt (file-flash.rules)
 * 1:32543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32542 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed microphone object codec denial of service attempt (file-flash.rules)

Modified Rules:

 * 1:32463 <-> ENABLED <-> BLACKLIST DNS request for known malware domain octoberpics.ru - Win.Trojan.TorrentLocker (blacklist.rules)
 * 1:12079 <-> DISABLED <-> SERVER-OTHER CA BrightStor LGServer Stack buffer overflow attempt (server-other.rules)
 * 1:16659 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style sheet array memory corruption attempt (browser-ie.rules)

2014-11-13 16:36:15 UTC

Sourcefire VRT Rules Update

Date: 2014-11-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32547 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP Enterprise Manager XML entity injection attempt (server-webapp.rules)
 * 1:32546 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP Enterprise Manager XML entity injection attempt (server-webapp.rules)
 * 1:32545 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML focus with no data denial of service attempt (file-flash.rules)
 * 1:32544 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML focus with no data denial of service attempt (file-flash.rules)
 * 1:32543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32542 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32541 <-> ENABLED <-> FILE-FLASH Adobe Flash Player decompressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32540 <-> ENABLED <-> FILE-FLASH Adobe Flash Player decompressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32537 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32535 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32534 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32533 <-> ENABLED <-> SERVER-MYSQL Oracle MySQL Server XPath memory Corruption attempt (server-mysql.rules)
 * 1:32532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style sheet array memory corruption attempt (browser-ie.rules)
 * 1:32531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt (malware-cnc.rules)
 * 1:32530 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:32529 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Vkont variant outbound connection (malware-cnc.rules)
 * 1:32528 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts directory traversal attempt (server-webapp.rules)
 * 1:32527 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts directory traversal attempt (server-webapp.rules)
 * 1:32526 <-> DISABLED <-> POLICY-OTHER Visual Mining NetCharts default credentials authentication attempt (policy-other.rules)
 * 1:32525 <-> ENABLED <-> BROWSER-OTHER FreeBSD tnftp client detected (browser-other.rules)
 * 1:32524 <-> DISABLED <-> BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt (browser-other.rules)
 * 1:32523 <-> DISABLED <-> BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt (browser-other.rules)
 * 1:32522 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hydroac.info - Win.Trojan.Hancitor (blacklist.rules)
 * 1:32521 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 2.0 possible TOR client retrieval attempt (malware-cnc.rules)

Modified Rules:

 * 1:16659 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style sheet array memory corruption attempt (browser-ie.rules)
 * 1:32463 <-> ENABLED <-> BLACKLIST DNS request for known malware domain octoberpics.ru - Win.Trojan.TorrentLocker (blacklist.rules)
 * 1:12079 <-> DISABLED <-> SERVER-OTHER CA BrightStor LGServer Stack buffer overflow attempt (server-other.rules)