VRT Rules 2014-12-16
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-image, file-pdf, malware-cnc, malware-other, os-windows and server-other rule sets to provide coverage for emerging threats in these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2014-12-16 16:44:08 UTC

Sourcefire VRT Rules Update

Date: 2014-12-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

The default state is the state the rule ships in: ENABLED rules are active as soon as the pack is loaded, while DISABLED rules are shipped commented out in their .rules file and only alert once you enable them explicitly (several of the new FILE-IMAGE and FILE-PDF rules below ship DISABLED).

New Rules:


 * 1:32828 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32836 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32832 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32790 <-> DISABLED <-> FILE-PDF Adobe Acrobot Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32830 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32788 <-> DISABLED <-> FILE-PDF Adobe Acrobot Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32787 <-> DISABLED <-> FILE-PDF Adobe Acrobot Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32785 <-> ENABLED <-> FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt (file-flash.rules)
 * 1:32783 <-> ENABLED <-> FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt (file-flash.rules)
 * 1:32782 <-> ENABLED <-> FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt (file-flash.rules)
 * 1:32786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt (file-pdf.rules)
 * 1:32789 <-> DISABLED <-> FILE-PDF Adobe Acrobot Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection attempt (malware-cnc.rules)
 * 1:32779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.web.lookin.at - Win.Backdoor.Eskaetee variant (blacklist.rules)
 * 1:32780 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Eskaetee outbound connection (malware-cnc.rules)
 * 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection attempt (malware-cnc.rules)
 * 1:32781 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Eskaetee outbound connection (malware-cnc.rules)
 * 1:32793 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:32794 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:32795 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D light resource orphaned array use after free attempt (file-pdf.rules)
 * 1:32796 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D light resource orphaned array use after free attempt (file-pdf.rules)
 * 1:32797 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt (file-pdf.rules)
 * 1:32798 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt (file-pdf.rules)
 * 1:32799 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt (file-pdf.rules)
 * 1:32800 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt (file-pdf.rules)
 * 1:32801 <-> DISABLED <-> FILE-FLASH Adobe Flash Player orphaning MP3 crash attempt (file-flash.rules)
 * 1:32802 <-> DISABLED <-> FILE-FLASH Adobe Flash Player orphaning MP3 crash attempt (file-flash.rules)
 * 1:32803 <-> ENABLED <-> EXPLOIT-KIT CK exploit kit landing page (exploit-kit.rules)
 * 1:32805 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32804 <-> ENABLED <-> EXPLOIT-KIT CK exploit kit landing page (exploit-kit.rules)
 * 1:32806 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32807 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32808 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32809 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32811 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32810 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32812 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32813 <-> ENABLED <-> FILE-PDF Adobe Reader malformed U3D object use after free attempt (file-pdf.rules)
 * 1:32815 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:32814 <-> ENABLED <-> FILE-PDF Adobe Reader malformed U3D object use after free attempt (file-pdf.rules)
 * 1:32829 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32831 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32835 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32833 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32834 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32839 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ANTrustPropgateAll privilege propagation attempt (file-pdf.rules)
 * 1:32837 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32838 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ANTrustPropgateAll privilege propagation attempt (file-pdf.rules)
 * 1:32816 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:32817 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:32818 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:32820 <-> ENABLED <-> FILE-PDF Adobe Reader JBIG2 row out of bounds memory corruption attempt (file-pdf.rules)
 * 1:32819 <-> ENABLED <-> FILE-PDF Adobe Reader JBIG2 row out of bounds memory corruption attempt (file-pdf.rules)
 * 1:32821 <-> ENABLED <-> FILE-PDF Cross Domain potentially malicious redirection attempt (file-pdf.rules)
 * 1:32822 <-> ENABLED <-> FILE-PDF Cross Domain potentially malicious redirection attempt (file-pdf.rules)
 * 1:32823 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel outbound connection attempt (malware-cnc.rules)
 * 1:32824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel outbount connection attempt (malware-cnc.rules)
 * 1:32825 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel outbound connection attempt (malware-cnc.rules)
 * 1:32784 <-> ENABLED <-> FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt (file-flash.rules)
 * 1:32826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel data upload attempt (malware-cnc.rules)
 * 1:32827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel response connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:32472 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:26924 <-> ENABLED <-> MALWARE-CNC Potential Gozi Trojan HTTP Header Structure (malware-cnc.rules)
 * 1:21534 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt (file-flash.rules)
 * 1:21536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Actionscript Stage3D null dereference attempt (file-flash.rules)
 * 1:32473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:16665 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Help Centre escape sequence XSS attempt (os-windows.rules)
 * 1:16332 <-> DISABLED <-> SERVER-OTHER Symantec System Center Alert Management System untrusted command execution attempt (server-other.rules)
 * 1:21533 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Actionscript Stage3D null dereference attempt (file-flash.rules)
 * 1:21535 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt (file-flash.rules)
 * 1:30946 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Wysotot variant download attempt (malware-other.rules)
 * 1:31489 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:31490 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:31491 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:31492 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:31493 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:31494 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:32470 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32471 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
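The changelog format described above is regular enough to parse, and parsing it is the practical way to reconcile a rule update with a deployment: which new rules ship DISABLED and may need enabling, how many rules each rule file receives, and whether two packs' lists (this page carries one per Snort version) actually contain the same sids. The following is an added example, not code from the VRT or the Snort project; the two SAMPLE constants are constructed subsets of the lists on this page, and the helper names are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One changelog entry, e.g.
#  * 1:32828 <-> DISABLED <-> FILE-IMAGE Microsoft ... (file-image.rules)
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool   # default state in the shipped pack
    msg: str
    group: str      # rule file, e.g. "file-pdf.rules"

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_changelog(text: str) -> dict:
    """Split a changelog into {'new': [RuleEntry...], 'modified': [RuleEntry...]}.

    Header and format-description lines are ignored, as is any line inside a
    section that does not match the entry format.
    """
    sections = {"new": [], "modified": []}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("New Rules:"):
            current = "new"
            continue
        if stripped.startswith("Modified Rules:"):
            current = "modified"
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append(RuleEntry(
                gid=int(m["gid"]), sid=int(m["sid"]),
                enabled=(m["state"] == "ENABLED"),
                msg=m["msg"], group=m["group"],
            ))
    return sections


def disabled_sids(entries) -> list:
    """gid:sid of entries that ship DISABLED, in numeric order."""
    return sorted((e.key for e in entries if not e.enabled),
                  key=lambda k: tuple(int(x) for x in k.split(":")))


def group_counts(entries) -> Counter:
    """How many entries touch each rule file."""
    return Counter(e.group for e in entries)


def compare_packs(a: dict, b: dict) -> tuple:
    """gid:sid keys listed in one changelog but not the other (order-insensitive)."""
    keys_a = {e.key for sec in a.values() for e in sec}
    keys_b = {e.key for sec in b.values() for e in sec}
    return sorted(keys_a - keys_b), sorted(keys_b - keys_a)


# Constructed subsets of the lists on this page (same entries, different order).
SAMPLE_2956 = """\
New Rules:

 * 1:32828 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32836 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.web.lookin.at - Win.Backdoor.Eskaetee variant (blacklist.rules)
 * 1:32803 <-> ENABLED <-> EXPLOIT-KIT CK exploit kit landing page (exploit-kit.rules)

Modified Rules:

 * 1:31489 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:32470 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
"""

SAMPLE_2970 = """\
New Rules:

 * 1:32803 <-> ENABLED <-> EXPLOIT-KIT CK exploit kit landing page (exploit-kit.rules)
 * 1:32779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.web.lookin.at - Win.Backdoor.Eskaetee variant (blacklist.rules)
 * 1:32836 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32828 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)

Modified Rules:

 * 1:32470 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:31489 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
"""

if __name__ == "__main__":
    packs = parse_changelog(SAMPLE_2956)
    print("new:", len(packs["new"]), "modified:", len(packs["modified"]))
    print("new but DISABLED by default:", disabled_sids(packs["new"]))
    print("per rule file:", dict(group_counts(packs["new"])))
    print("sids differing from the 2970 list:", compare_packs(packs, parse_changelog(SAMPLE_2970)))
```

The gid:sid strings that disabled_sids returns are the form rule-management tooling takes when you decide to turn a shipped-DISABLED rule on; review each one against your traffic first, since the VRT leaves a rule off by default for a reason (performance cost or false-positive risk), and enable only the set your environment needs.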

2014-12-16 16:44:08 UTC

Sourcefire VRT Rules Update

Date: 2014-12-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32788 <-> DISABLED <-> FILE-PDF Adobe Acrobot Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32787 <-> DISABLED <-> FILE-PDF Adobe Acrobot Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32785 <-> ENABLED <-> FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt (file-flash.rules)
 * 1:32783 <-> ENABLED <-> FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt (file-flash.rules)
 * 1:32782 <-> ENABLED <-> FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt (file-flash.rules)
 * 1:32786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt (file-pdf.rules)
 * 1:32789 <-> DISABLED <-> FILE-PDF Adobe Acrobot Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32790 <-> DISABLED <-> FILE-PDF Adobe Acrobot Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection attempt (malware-cnc.rules)
 * 1:32779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.web.lookin.at - Win.Backdoor.Eskaetee variant (blacklist.rules)
 * 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection attempt (malware-cnc.rules)
 * 1:32780 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Eskaetee outbound connection (malware-cnc.rules)
 * 1:32781 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Eskaetee outbound connection (malware-cnc.rules)
 * 1:32793 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:32794 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:32795 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D light resource orphaned array use after free attempt (file-pdf.rules)
 * 1:32796 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D light resource orphaned array use after free attempt (file-pdf.rules)
 * 1:32797 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt (file-pdf.rules)
 * 1:32798 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt (file-pdf.rules)
 * 1:32799 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt (file-pdf.rules)
 * 1:32800 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt (file-pdf.rules)
 * 1:32801 <-> DISABLED <-> FILE-FLASH Adobe Flash Player orphaning MP3 crash attempt (file-flash.rules)
 * 1:32802 <-> DISABLED <-> FILE-FLASH Adobe Flash Player orphaning MP3 crash attempt (file-flash.rules)
 * 1:32803 <-> ENABLED <-> EXPLOIT-KIT CK exploit kit landing page (exploit-kit.rules)
 * 1:32804 <-> ENABLED <-> EXPLOIT-KIT CK exploit kit landing page (exploit-kit.rules)
 * 1:32805 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32806 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32807 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32808 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32809 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32810 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32811 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32812 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32813 <-> ENABLED <-> FILE-PDF Adobe Reader malformed U3D object use after free attempt (file-pdf.rules)
 * 1:32815 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:32814 <-> ENABLED <-> FILE-PDF Adobe Reader malformed U3D object use after free attempt (file-pdf.rules)
 * 1:32816 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:32817 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:32818 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:32819 <-> ENABLED <-> FILE-PDF Adobe Reader JBIG2 row out of bounds memory corruption attempt (file-pdf.rules)
 * 1:32820 <-> ENABLED <-> FILE-PDF Adobe Reader JBIG2 row out of bounds memory corruption attempt (file-pdf.rules)
 * 1:32821 <-> ENABLED <-> FILE-PDF Cross Domain potentially malicious redirection attempt (file-pdf.rules)
 * 1:32822 <-> ENABLED <-> FILE-PDF Cross Domain potentially malicious redirection attempt (file-pdf.rules)
 * 1:32823 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel outbound connection attempt (malware-cnc.rules)
 * 1:32824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel outbount connection attempt (malware-cnc.rules)
 * 1:32825 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel outbound connection attempt (malware-cnc.rules)
 * 1:32784 <-> ENABLED <-> FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt (file-flash.rules)
 * 1:32839 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ANTrustPropgateAll privilege propagation attempt (file-pdf.rules)
 * 1:32838 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ANTrustPropgateAll privilege propagation attempt (file-pdf.rules)
 * 1:32837 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32836 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32835 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32834 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32833 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32832 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32831 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32830 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32829 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel response connection attempt (malware-cnc.rules)
 * 1:32828 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel data upload attempt (malware-cnc.rules)

Modified Rules:


 * 1:32473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:31494 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:16332 <-> DISABLED <-> SERVER-OTHER Symantec System Center Alert Management System untrusted command execution attempt (server-other.rules)
 * 1:16665 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Help Centre escape sequence XSS attempt (os-windows.rules)
 * 1:21533 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Actionscript Stage3D null dereference attempt (file-flash.rules)
 * 1:21534 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt (file-flash.rules)
 * 1:21535 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt (file-flash.rules)
 * 1:26924 <-> ENABLED <-> MALWARE-CNC Potential Gozi Trojan HTTP Header Structure (malware-cnc.rules)
 * 1:21536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Actionscript Stage3D null dereference attempt (file-flash.rules)
 * 1:30946 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Wysotot variant download attempt (malware-other.rules)
 * 1:31489 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:31490 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:31491 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:31492 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:31493 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:32470 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32471 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32472 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)

2014-12-16 16:44:08 UTC

Sourcefire VRT Rules Update

Date: 2014-12-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32839 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ANTrustPropgateAll privilege propagation attempt (file-pdf.rules)
 * 1:32838 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ANTrustPropgateAll privilege propagation attempt (file-pdf.rules)
 * 1:32837 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32836 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32835 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32834 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32833 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32832 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32831 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32830 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32829 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32828 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt (file-image.rules)
 * 1:32827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel response connection attempt (malware-cnc.rules)
 * 1:32826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel data upload attempt (malware-cnc.rules)
 * 1:32825 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel outbound connection attempt (malware-cnc.rules)
 * 1:32824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel outbount connection attempt (malware-cnc.rules)
 * 1:32823 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel outbound connection attempt (malware-cnc.rules)
 * 1:32822 <-> ENABLED <-> FILE-PDF Cross Domain potentially malicious redirection attempt (file-pdf.rules)
 * 1:32821 <-> ENABLED <-> FILE-PDF Cross Domain potentially malicious redirection attempt (file-pdf.rules)
 * 1:32820 <-> ENABLED <-> FILE-PDF Adobe Reader JBIG2 row out of bounds memory corruption attempt (file-pdf.rules)
 * 1:32819 <-> ENABLED <-> FILE-PDF Adobe Reader JBIG2 row out of bounds memory corruption attempt (file-pdf.rules)
 * 1:32818 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:32817 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:32816 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:32815 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:32814 <-> ENABLED <-> FILE-PDF Adobe Reader malformed U3D object use after free attempt (file-pdf.rules)
 * 1:32813 <-> ENABLED <-> FILE-PDF Adobe Reader malformed U3D object use after free attempt (file-pdf.rules)
 * 1:32812 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32811 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32810 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32809 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32808 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32807 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32806 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32805 <-> ENABLED <-> FILE-FLASH Adobe Flash Player regex buffer overflow attempt (file-flash.rules)
 * 1:32804 <-> ENABLED <-> EXPLOIT-KIT CK exploit kit landing page (exploit-kit.rules)
 * 1:32803 <-> ENABLED <-> EXPLOIT-KIT CK exploit kit landing page (exploit-kit.rules)
 * 1:32802 <-> DISABLED <-> FILE-FLASH Adobe Flash Player orphaning MP3 crash attempt (file-flash.rules)
 * 1:32801 <-> DISABLED <-> FILE-FLASH Adobe Flash Player orphaning MP3 crash attempt (file-flash.rules)
 * 1:32800 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt (file-pdf.rules)
 * 1:32799 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt (file-pdf.rules)
 * 1:32798 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt (file-pdf.rules)
 * 1:32797 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt (file-pdf.rules)
 * 1:32796 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D light resource orphaned array use after free attempt (file-pdf.rules)
 * 1:32795 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D light resource orphaned array use after free attempt (file-pdf.rules)
 * 1:32794 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:32793 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt (file-pdf.rules)
 * 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection attempt (malware-cnc.rules)
 * 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection attempt (malware-cnc.rules)
 * 1:32790 <-> DISABLED <-> FILE-PDF Adobe Acrobot Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32789 <-> DISABLED <-> FILE-PDF Adobe Acrobot Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32788 <-> DISABLED <-> FILE-PDF Adobe Acrobot Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32787 <-> DISABLED <-> FILE-PDF Adobe Acrobot Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt (file-pdf.rules)
 * 1:32785 <-> ENABLED <-> FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt (file-flash.rules)
 * 1:32784 <-> ENABLED <-> FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt (file-flash.rules)
 * 1:32783 <-> ENABLED <-> FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt (file-flash.rules)
 * 1:32782 <-> ENABLED <-> FILE-FLASH Adobe Flash Player parseFloat stack overflow remote code execution attempt (file-flash.rules)
 * 1:32781 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Eskaetee outbound connection (malware-cnc.rules)
 * 1:32780 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Eskaetee outbound connection (malware-cnc.rules)
 * 1:32779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.web.lookin.at - Win.Backdoor.Eskaetee variant (blacklist.rules)

Modified Rules:


 * 1:16332 <-> DISABLED <-> SERVER-OTHER Symantec System Center Alert Management System untrusted command execution attempt (server-other.rules)
 * 1:16665 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Help Centre escape sequence XSS attempt (os-windows.rules)
 * 1:21533 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Actionscript Stage3D null dereference attempt (file-flash.rules)
 * 1:21534 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt (file-flash.rules)
 * 1:21535 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt (file-flash.rules)
 * 1:21536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Actionscript Stage3D null dereference attempt (file-flash.rules)
 * 1:26924 <-> ENABLED <-> MALWARE-CNC Potential Gozi Trojan HTTP Header Structure (malware-cnc.rules)
 * 1:30946 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Wysotot variant download attempt (malware-other.rules)
 * 1:31489 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:31490 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:31491 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:31492 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:31493 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:31494 <-> DISABLED <-> FILE-FLASH Adobe Flash Player security sandbox bypass attempt (file-flash.rules)
 * 1:32470 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32471 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32472 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:32473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)