VRT Rules 2014-12-18
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the app-detect, browser-ie, browser-plugins, file-flash, file-office, file-pdf and os-windows rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2014-12-18 15:16:42 UTC

Sourcefire VRT Rules Update

Date: 2014-12-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
 * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
 * 1:32861 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32859 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32856 <-> DISABLED <-> FILE-PDF Adobe Reader graphics module crash attempt (file-pdf.rules)
 * 1:32873 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray crash attempt (file-flash.rules)
 * 1:32854 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Loodir outbound connection (malware-cnc.rules)
 * 1:32853 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection attempt (malware-cnc.rules)
 * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules)
 * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules)
 * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules)
 * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules)
 * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules)
 * 1:32841 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Messenger ActiveX clsid access (browser-plugins.rules)
 * 1:32852 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection attempt (malware-cnc.rules)
 * 1:32844 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt (browser-plugins.rules)
 * 1:32842 <-> DISABLED <-> BROWSER-PLUGINS Microsoft IE8 Developer Tool ActiveX clsid access (browser-plugins.rules)
 * 1:32843 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)
 * 1:32840 <-> DISABLED <-> BROWSER-PLUGINS Microsoft IE8 Developer Tool ActiveX clsid access (browser-plugins.rules)
 * 1:32874 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray crash attempt (file-flash.rules)
 * 1:32855 <-> DISABLED <-> FILE-PDF Adobe Reader graphics module crash attempt (file-pdf.rules)
 * 1:32857 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32858 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32860 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32863 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32862 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
 * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules)
 * 1:32867 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
 * 1:32868 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
 * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules)
 * 1:32869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules)
 * 1:32870 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules)
 * 1:32871 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules)
 * 1:32872 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff exploit attempt (file-office.rules)

Modified Rules:


 * 1:32788 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32789 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32790 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32699 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32787 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32701 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32702 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32700 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32621 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:32695 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32696 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:29644 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sdconsent outbound communication (malware-cnc.rules)
 * 1:17467 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules)

2014-12-18 15:16:42 UTC

Sourcefire VRT Rules Update

Date: 2014-12-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules)
 * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules)
 * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules)
 * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules)
 * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules)
 * 1:32852 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection attempt (malware-cnc.rules)
 * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules)
 * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules)
 * 1:32853 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection attempt (malware-cnc.rules)
 * 1:32843 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)
 * 1:32844 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt (browser-plugins.rules)
 * 1:32841 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Messenger ActiveX clsid access (browser-plugins.rules)
 * 1:32842 <-> DISABLED <-> BROWSER-PLUGINS Microsoft IE8 Developer Tool ActiveX clsid access (browser-plugins.rules)
 * 1:32854 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Loodir outbound connection (malware-cnc.rules)
 * 1:32840 <-> DISABLED <-> BROWSER-PLUGINS Microsoft IE8 Developer Tool ActiveX clsid access (browser-plugins.rules)
 * 1:32855 <-> DISABLED <-> FILE-PDF Adobe Reader graphics module crash attempt (file-pdf.rules)
 * 1:32856 <-> DISABLED <-> FILE-PDF Adobe Reader graphics module crash attempt (file-pdf.rules)
 * 1:32857 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32858 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32859 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32860 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32861 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32862 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32863 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
 * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
 * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
 * 1:32867 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
 * 1:32868 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
 * 1:32869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules)
 * 1:32874 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray crash attempt (file-flash.rules)
 * 1:32873 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray crash attempt (file-flash.rules)
 * 1:32871 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules)
 * 1:32872 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff exploit attempt (file-office.rules)
 * 1:32870 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules)

Modified Rules:


 * 1:32789 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32790 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32787 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32788 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32701 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32702 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32699 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32700 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32695 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32696 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:29644 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sdconsent outbound communication (malware-cnc.rules)
 * 1:32621 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:17467 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules)

2014-12-18 15:16:42 UTC

Sourcefire VRT Rules Update

Date: 2014-12-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32874 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray crash attempt (file-flash.rules)
 * 1:32873 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray crash attempt (file-flash.rules)
 * 1:32872 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff exploit attempt (file-office.rules)
 * 1:32871 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules)
 * 1:32870 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules)
 * 1:32869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules)
 * 1:32868 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
 * 1:32867 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
 * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules)
 * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
 * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules)
 * 1:32863 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32862 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32861 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32860 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32859 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32858 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32857 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:32856 <-> DISABLED <-> FILE-PDF Adobe Reader graphics module crash attempt (file-pdf.rules)
 * 1:32855 <-> DISABLED <-> FILE-PDF Adobe Reader graphics module crash attempt (file-pdf.rules)
 * 1:32854 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Loodir outbound connection (malware-cnc.rules)
 * 1:32853 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection attempt (malware-cnc.rules)
 * 1:32852 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection attempt (malware-cnc.rules)
 * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules)
 * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules)
 * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules)
 * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules)
 * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules)
 * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules)
 * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules)
 * 1:32844 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt (browser-plugins.rules)
 * 1:32843 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)
 * 1:32842 <-> DISABLED <-> BROWSER-PLUGINS Microsoft IE8 Developer Tool ActiveX clsid access (browser-plugins.rules)
 * 1:32841 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Messenger ActiveX clsid access (browser-plugins.rules)
 * 1:32840 <-> DISABLED <-> BROWSER-PLUGINS Microsoft IE8 Developer Tool ActiveX clsid access (browser-plugins.rules)

Modified Rules:


 * 1:32789 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32790 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32787 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32788 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules)
 * 1:32701 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32702 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32699 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32700 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32695 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32696 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:29644 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sdconsent outbound communication (malware-cnc.rules)
 * 1:32621 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules)
 * 1:17467 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules)