VRT Rules 2014-12-23
The VRT is aware of a vulnerability affecting libpng.

Vulnerability in libpng: A coding deficiency in the libpng image library, triggered by a PNG file declaring an oversized image width, may lead to remote code execution when a vulnerable application decodes the image.

A previously released rule will detect attacks targeting this vulnerability and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 3132. A new rule to detect this vulnerability is also included in this release and is identified by GID 1, SID 32889. Both rules ship DISABLED by default in this release (see the change logs below), so they must be enabled explicitly on sensors that need this coverage.

The VRT has also added and modified multiple rules in the blacklist, exploit-kit, file-flash, file-image, file-other, file-pdf, indicator-compromise, malware-cnc, malware-tools and server-webapp rule sets to provide coverage for emerging threats.
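The libpng advisory above concerns a PNG whose declared image width is large enough to overflow the decoder's row-size arithmetic. The following is an added example, not Snort or VRT code, of a static file check for that class of input: it parses the IHDR chunk (verifying signature, chunk layout and CRC) and flags widths outside the PNG specification's range as well as widths whose per-row byte count, for the declared colour type and bit depth, would not fit in a 32-bit integer. The 32-bit row-size limit and the finding codes are assumptions made for this example; they are a heuristic, not the detection logic of SIDs 3132 or 32889.

```python
"""Static check for PNG IHDR headers whose width overflows row-size arithmetic.

Added example (not Snort/VRT code). Flags the header conditions behind the
"PNG large image width overflow" class; the 32-bit limit is an assumption.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_UINT_31_MAX = 0x7FFFFFFF  # PNG spec: width and height must be 1..2^31-1
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # samples per pixel, by colour type
VALID_DEPTHS = {0: {1, 2, 4, 8, 16}, 2: {8, 16}, 3: {1, 2, 4, 8}, 4: {8, 16}, 6: {8, 16}}


def parse_ihdr(data: bytes) -> dict:
    """Return the IHDR fields of a PNG after checking signature, layout and CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("bad PNG signature")
    if len(data) < 33:
        raise ValueError("truncated before end of IHDR")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk must be a 13-byte IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, color_type, comp, filt, interlace = struct.unpack(">IIBBBBB", body)
    return {"width": width, "height": height, "bit_depth": depth, "color_type": color_type,
            "compression": comp, "filter": filt, "interlace": interlace}


def check_ihdr(hdr: dict) -> list:
    """Return a list of finding codes; an empty list means the header looks sane."""
    findings = []
    if not 1 <= hdr["width"] <= PNG_UINT_31_MAX:
        findings.append("bad-width")
    if not 1 <= hdr["height"] <= PNG_UINT_31_MAX:
        findings.append("bad-height")
    channels = CHANNELS.get(hdr["color_type"])
    if channels is None:
        findings.append("bad-color-type")
    elif hdr["bit_depth"] not in VALID_DEPTHS[hdr["color_type"]]:
        findings.append("bad-bit-depth")
    if hdr["compression"] != 0 or hdr["filter"] != 0 or hdr["interlace"] not in (0, 1):
        findings.append("bad-method-fields")
    if channels is not None:
        # Bytes per row including the leading filter byte, computed in Python's
        # unbounded integers. A decoder doing the same multiplication in 32-bit
        # arithmetic wraps when the true value exceeds 0xFFFFFFFF (assumed limit).
        row_bytes = (hdr["width"] * channels * hdr["bit_depth"] + 7) // 8 + 1
        if row_bytes > 0xFFFFFFFF:
            findings.append("row-size-overflow-32bit")
    return findings


def build_png_header(width: int, height: int, bit_depth: int = 8, color_type: int = 6) -> bytes:
    """Constructed test input: signature + IHDR only, not a complete image."""
    body = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


def scan(data: bytes) -> list:
    """Parse and check the IHDR of a PNG byte string."""
    return check_ihdr(parse_ihdr(data))


if __name__ == "__main__":
    # Constructed headers: a normal image, an in-spec width that still
    # overflows a 32-bit row size for RGBA, and an out-of-spec width.
    for width, color_type in ((640, 6), (0x7FFFFFFF, 6), (0x7FFFFFFF, 0), (0x80000000, 6)):
        print(hex(width), color_type, scan(build_png_header(width, 1, 8, color_type)))
```

The interesting case is the in-spec width 0x7FFFFFFF: it is legal per the PNG specification, but with four 8-bit channels its row size exceeds 32 bits, which is why a range check on the width alone is not a sufficient fix in a decoder.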

Change logs

2014-12-23 17:10:57 UTC

Sourcefire VRT Rules Update

Date: 2014-12-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32888 <-> ENABLED <-> INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex - Spammed Malware Download attempt (indicator-compromise.rules)
 * 1:32886 <-> ENABLED <-> SERVER-WEBAPP Enalean Tuleap PHP unserialize code execution attempt (server-webapp.rules)
 * 1:32887 <-> DISABLED <-> SERVER-WEBAPP ActualScripts ActualAnalyzer aa.php command injection attempt (server-webapp.rules)
 * 1:32884 <-> DISABLED <-> FILE-OTHER Adobe Reader MoveFileEx arbitrary file write attempt (file-other.rules)
 * 1:32877 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
 * 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
 * 1:32880 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:32875 <-> DISABLED <-> MALWARE-TOOLS BlackSpider Tool ali.txt file upload attempt (malware-tools.rules)
 * 1:32879 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload delivery (exploit-kit.rules)
 * 1:32881 <-> ENABLED <-> BLACKLIST DNS request for known malware domain deruserbikl.com (blacklist.rules)
 * 1:32883 <-> DISABLED <-> FILE-OTHER Adobe Reader MoveFileEx arbitrary file write attempt (file-other.rules)
 * 1:32885 <-> ENABLED <-> SERVER-WEBAPP Enalean Tuleap PHP unserialize code execution attempt (server-webapp.rules)
 * 1:32882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ksypypro outbound connection (malware-cnc.rules)
 * 1:32889 <-> DISABLED <-> FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt (file-image.rules)
 * 1:32878 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)

Modified Rules:


 * 1:3132 <-> DISABLED <-> FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt (file-image.rules)
 * 1:31284 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:28039 <-> ENABLED <-> INDICATOR-COMPROMISE Suspicious .pw dns query (indicator-compromise.rules)
 * 1:31286 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:25460 <-> ENABLED <-> FILE-PDF Adobe Reader incomplete JP2K image geometry exploit attempt (file-pdf.rules)
 * 1:25459 <-> ENABLED <-> FILE-PDF Adobe Reader incomplete JP2K image geometry exploit attempt (file-pdf.rules)

2014-12-23 17:10:57 UTC

Sourcefire VRT Rules Update

Date: 2014-12-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32889 <-> DISABLED <-> FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt (file-image.rules)
 * 1:32888 <-> ENABLED <-> INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex - Spammed Malware Download attempt (indicator-compromise.rules)
 * 1:32887 <-> DISABLED <-> SERVER-WEBAPP ActualScripts ActualAnalyzer aa.php command injection attempt (server-webapp.rules)
 * 1:32886 <-> ENABLED <-> SERVER-WEBAPP Enalean Tuleap PHP unserialize code execution attempt (server-webapp.rules)
 * 1:32885 <-> ENABLED <-> SERVER-WEBAPP Enalean Tuleap PHP unserialize code execution attempt (server-webapp.rules)
 * 1:32884 <-> DISABLED <-> FILE-OTHER Adobe Reader MoveFileEx arbitrary file write attempt (file-other.rules)
 * 1:32883 <-> DISABLED <-> FILE-OTHER Adobe Reader MoveFileEx arbitrary file write attempt (file-other.rules)
 * 1:32882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ksypypro outbound connection (malware-cnc.rules)
 * 1:32881 <-> ENABLED <-> BLACKLIST DNS request for known malware domain deruserbikl.com (blacklist.rules)
 * 1:32880 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:32879 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload delivery (exploit-kit.rules)
 * 1:32878 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
 * 1:32877 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
 * 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
 * 1:32875 <-> DISABLED <-> MALWARE-TOOLS BlackSpider Tool ali.txt file upload attempt (malware-tools.rules)

Modified Rules:


 * 1:25459 <-> ENABLED <-> FILE-PDF Adobe Reader incomplete JP2K image geometry exploit attempt (file-pdf.rules)
 * 1:25460 <-> ENABLED <-> FILE-PDF Adobe Reader incomplete JP2K image geometry exploit attempt (file-pdf.rules)
 * 1:28039 <-> ENABLED <-> INDICATOR-COMPROMISE Suspicious .pw dns query (indicator-compromise.rules)
 * 1:31284 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:31286 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:3132 <-> DISABLED <-> FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt (file-image.rules)

2014-12-23 17:10:57 UTC

Sourcefire VRT Rules Update

Date: 2014-12-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32879 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload delivery (exploit-kit.rules)
 * 1:32881 <-> ENABLED <-> BLACKLIST DNS request for known malware domain deruserbikl.com (blacklist.rules)
 * 1:32880 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:32885 <-> ENABLED <-> SERVER-WEBAPP Enalean Tuleap PHP unserialize code execution attempt (server-webapp.rules)
 * 1:32877 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
 * 1:32875 <-> DISABLED <-> MALWARE-TOOLS BlackSpider Tool ali.txt file upload attempt (malware-tools.rules)
 * 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
 * 1:32884 <-> DISABLED <-> FILE-OTHER Adobe Reader MoveFileEx arbitrary file write attempt (file-other.rules)
 * 1:32889 <-> DISABLED <-> FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt (file-image.rules)
 * 1:32883 <-> DISABLED <-> FILE-OTHER Adobe Reader MoveFileEx arbitrary file write attempt (file-other.rules)
 * 1:32887 <-> DISABLED <-> SERVER-WEBAPP ActualScripts ActualAnalyzer aa.php command injection attempt (server-webapp.rules)
 * 1:32886 <-> ENABLED <-> SERVER-WEBAPP Enalean Tuleap PHP unserialize code execution attempt (server-webapp.rules)
 * 1:32882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ksypypro outbound connection (malware-cnc.rules)
 * 1:32888 <-> ENABLED <-> INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex - Spammed Malware Download attempt (indicator-compromise.rules)
 * 1:32878 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)

Modified Rules:


 * 1:25459 <-> ENABLED <-> FILE-PDF Adobe Reader incomplete JP2K image geometry exploit attempt (file-pdf.rules)
 * 1:28039 <-> ENABLED <-> INDICATOR-COMPROMISE Suspicious .pw dns query (indicator-compromise.rules)
 * 1:31284 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:3132 <-> DISABLED <-> FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt (file-image.rules)
 * 1:31286 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:25460 <-> ENABLED <-> FILE-PDF Adobe Reader incomplete JP2K image geometry exploit attempt (file-pdf.rules)