VRT Rules 2014-11-18
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-other, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats involving these technologies.

Change logs

2014-11-18 19:55:58 UTC

Sourcefire VRT Rules Update

Date: 2014-11-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32572 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32568 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
 * 1:32569 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
 * 1:32570 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
 * 1:32564 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32566 <-> DISABLED <-> POLICY-OTHER SSLv3 CBC client connection attempt (policy-other.rules)
 * 1:32563 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts arbitrary file upload attempt (server-webapp.rules)
 * 1:32567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
 * 1:32571 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32548 <-> DISABLED <-> MALWARE-CNC Mac.Backdoor.iWorm attempted outbound connection (malware-cnc.rules)
 * 1:32549 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sunzestate.com - Win.Trojan.Extant (blacklist.rules)
 * 1:32550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Extant variant outbound connection (malware-cnc.rules)
 * 1:32551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
 * 1:32552 <-> ENABLED <-> FILE-FLASH Adobe Flash player incorrect codec denial of service attempt (file-flash.rules)
 * 1:32553 <-> ENABLED <-> FILE-FLASH Adobe Flash player incorrect codec denial of service attempt (file-flash.rules)
 * 1:32554 <-> ENABLED <-> EXPLOIT-KIT Hellspawn exploit kit landing page detected (exploit-kit.rules)
 * 1:32555 <-> ENABLED <-> EXPLOIT-KIT Hellspawn exploit kit outbound Oracle Java jar request (exploit-kit.rules)
 * 1:32556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection attempt (malware-cnc.rules)
 * 1:32557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection attempt (malware-cnc.rules)
 * 1:32558 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
 * 1:32559 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
 * 1:32560 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
 * 1:32575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32561 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
 * 1:32562 <-> ENABLED <-> FILE-OTHER Oracle Java awt_setPixels out-of-bounds read attempt (file-other.rules)
 * 1:32565 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)

Modified Rules:

 * 1:32420 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32405 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:31818 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral statusUpdate servlet directory traversal attempt (server-webapp.rules)
 * 1:32404 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32369 <-> DISABLED <-> PROTOCOL-ICMP FreeBSD rtsold dname_labeldec stack buffer overflow attempt (protocol-icmp.rules)
 * 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection attempt (malware-cnc.rules)
 * 1:32406 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32407 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32410 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32409 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32411 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32412 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32415 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32416 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32417 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32419 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 handshake cookie buffer overflow attempt (os-windows.rules)
 * 1:32421 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32423 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 hello verify request out of bounds read attempt (os-windows.rules)

2014-11-18 19:55:58 UTC

Sourcefire VRT Rules Update

Date: 2014-11-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32569 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
 * 1:32570 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
 * 1:32564 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32566 <-> DISABLED <-> POLICY-OTHER SSLv3 CBC client connection attempt (policy-other.rules)
 * 1:32563 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts arbitrary file upload attempt (server-webapp.rules)
 * 1:32567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
 * 1:32568 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
 * 1:32571 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32572 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32548 <-> DISABLED <-> MALWARE-CNC Mac.Backdoor.iWorm attempted outbound connection (malware-cnc.rules)
 * 1:32549 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sunzestate.com - Win.Trojan.Extant (blacklist.rules)
 * 1:32550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Extant variant outbound connection (malware-cnc.rules)
 * 1:32551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
 * 1:32552 <-> ENABLED <-> FILE-FLASH Adobe Flash player incorrect codec denial of service attempt (file-flash.rules)
 * 1:32573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32553 <-> ENABLED <-> FILE-FLASH Adobe Flash player incorrect codec denial of service attempt (file-flash.rules)
 * 1:32554 <-> ENABLED <-> EXPLOIT-KIT Hellspawn exploit kit landing page detected (exploit-kit.rules)
 * 1:32555 <-> ENABLED <-> EXPLOIT-KIT Hellspawn exploit kit outbound Oracle Java jar request (exploit-kit.rules)
 * 1:32556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection attempt (malware-cnc.rules)
 * 1:32574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection attempt (malware-cnc.rules)
 * 1:32558 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
 * 1:32559 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
 * 1:32560 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
 * 1:32575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32561 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
 * 1:32562 <-> ENABLED <-> FILE-OTHER Oracle Java awt_setPixels out-of-bounds read attempt (file-other.rules)
 * 1:32565 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)

Modified Rules:

 * 1:32423 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 hello verify request out of bounds read attempt (os-windows.rules)
 * 1:31818 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral statusUpdate servlet directory traversal attempt (server-webapp.rules)
 * 1:32369 <-> DISABLED <-> PROTOCOL-ICMP FreeBSD rtsold dname_labeldec stack buffer overflow attempt (protocol-icmp.rules)
 * 1:32404 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32405 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection attempt (malware-cnc.rules)
 * 1:32406 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32407 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32410 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32409 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32411 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32412 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32415 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32416 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32417 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32419 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32421 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32420 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 handshake cookie buffer overflow attempt (os-windows.rules)

2014-11-18 19:55:58 UTC

Sourcefire VRT Rules Update

Date: 2014-11-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32572 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32571 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
 * 1:32570 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
 * 1:32569 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
 * 1:32568 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
 * 1:32567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
 * 1:32566 <-> DISABLED <-> POLICY-OTHER SSLv3 CBC client connection attempt (policy-other.rules)
 * 1:32565 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32564 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32563 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts arbitrary file upload attempt (server-webapp.rules)
 * 1:32562 <-> ENABLED <-> FILE-OTHER Oracle Java awt_setPixels out-of-bounds read attempt (file-other.rules)
 * 1:32561 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
 * 1:32560 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
 * 1:32559 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
 * 1:32558 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
 * 1:32557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection attempt (malware-cnc.rules)
 * 1:32556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection attempt (malware-cnc.rules)
 * 1:32555 <-> ENABLED <-> EXPLOIT-KIT Hellspawn exploit kit outbound Oracle Java jar request (exploit-kit.rules)
 * 1:32554 <-> ENABLED <-> EXPLOIT-KIT Hellspawn exploit kit landing page detected (exploit-kit.rules)
 * 1:32553 <-> ENABLED <-> FILE-FLASH Adobe Flash player incorrect codec denial of service attempt (file-flash.rules)
 * 1:32552 <-> ENABLED <-> FILE-FLASH Adobe Flash player incorrect codec denial of service attempt (file-flash.rules)
 * 1:32551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
 * 1:32550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Extant variant outbound connection (malware-cnc.rules)
 * 1:32549 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sunzestate.com - Win.Trojan.Extant (blacklist.rules)
 * 1:32548 <-> DISABLED <-> MALWARE-CNC Mac.Backdoor.iWorm attempted outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:31818 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral statusUpdate servlet directory traversal attempt (server-webapp.rules)
 * 1:32369 <-> DISABLED <-> PROTOCOL-ICMP FreeBSD rtsold dname_labeldec stack buffer overflow attempt (protocol-icmp.rules)
 * 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection attempt (malware-cnc.rules)
 * 1:32404 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32405 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32406 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32407 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32409 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32410 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32411 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32412 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
 * 1:32414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32415 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32416 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32417 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:32419 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32420 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32421 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
 * 1:32422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 handshake cookie buffer overflow attempt (os-windows.rules)
 * 1:32423 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 hello verify request out of bounds read attempt (os-windows.rules)