VRT Rules 2014-12-02
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-other, netbios, os-windows, protocol-tftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-12-02 15:57:54 UTC

Sourcefire VRT Rules Update

Date: 2014-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
 * 1:32631 <-> DISABLED <-> NETBIOS SMB server response heap overflow attempt (netbios.rules)
 * 1:32632 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access (browser-plugins.rules)
 * 1:32630 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32628 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:32637 <-> ENABLED <-> PROTOCOL-TFTP UDP UFO large packet denial of service attempt (protocol-tftp.rules)
 * 1:32633 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX function call access (browser-plugins.rules)
 * 1:32634 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access (browser-plugins.rules)
 * 1:32635 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX function call access (browser-plugins.rules)
 * 1:32641 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit Oracle Java jnlp file requested on defined port (exploit-kit.rules)
 * 1:32636 <-> DISABLED <-> FILE-OTHER fCreateShellLink function use - potential attack (file-other.rules)
 * 1:32638 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit Adobe Flash exploit on defined port (exploit-kit.rules)
 * 1:32629 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)

Modified Rules:


 * 1:3827 <-> DISABLED <-> SERVER-WEBAPP xmlrpc.php post attempt (server-webapp.rules)
 * 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
 * 1:29446 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (exploit-kit.rules)

2014-12-02 15:57:54 UTC

Sourcefire VRT Rules Update

Date: 2014-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32631 <-> DISABLED <-> NETBIOS SMB server response heap overflow attempt (netbios.rules)
 * 1:32632 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access (browser-plugins.rules)
 * 1:32629 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32628 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:32630 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32634 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access (browser-plugins.rules)
 * 1:32635 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX function call access (browser-plugins.rules)
 * 1:32636 <-> DISABLED <-> FILE-OTHER fCreateShellLink function use - potential attack (file-other.rules)
 * 1:32637 <-> ENABLED <-> PROTOCOL-TFTP UDP UFO large packet denial of service attempt (protocol-tftp.rules)
 * 1:32638 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit Adobe Flash exploit on defined port (exploit-kit.rules)
 * 1:32633 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX function call access (browser-plugins.rules)
 * 1:32641 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit Oracle Java jnlp file requested on defined port (exploit-kit.rules)
 * 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)

Modified Rules:


 * 1:29446 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (exploit-kit.rules)
 * 1:3827 <-> DISABLED <-> SERVER-WEBAPP xmlrpc.php post attempt (server-webapp.rules)
 * 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)

2014-12-02 15:57:54 UTC

Sourcefire VRT Rules Update

Date: 2014-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32641 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit Oracle Java jnlp file requested on defined port (exploit-kit.rules)
 * 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)
 * 1:32638 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit Adobe Flash exploit on defined port (exploit-kit.rules)
 * 1:32637 <-> ENABLED <-> PROTOCOL-TFTP UDP UFO large packet denial of service attempt (protocol-tftp.rules)
 * 1:32636 <-> DISABLED <-> FILE-OTHER fCreateShellLink function use - potential attack (file-other.rules)
 * 1:32635 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX function call access (browser-plugins.rules)
 * 1:32634 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access (browser-plugins.rules)
 * 1:32633 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX function call access (browser-plugins.rules)
 * 1:32632 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access (browser-plugins.rules)
 * 1:32631 <-> DISABLED <-> NETBIOS SMB server response heap overflow attempt (netbios.rules)
 * 1:32630 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32629 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32628 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)

Modified Rules:


 * 1:29446 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (exploit-kit.rules)
 * 1:3827 <-> DISABLED <-> SERVER-WEBAPP xmlrpc.php post attempt (server-webapp.rules)
 * 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)