VRT Rules 2014-12-23
The VRT is aware of a vulnerability affecting Network Time Protocol (NTP).

CVE-2014-9295: A coding deficiency exists in NTP that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 32890.

The VRT has also added and modified multiple rules in the browser-plugins, file-flash, file-multimedia, file-other and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-12-23 21:18:50 UTC

Sourcefire VRT Rules Update

Date: 2014-12-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32890 <-> DISABLED <-> SERVER-OTHER ntpd configure buffer overflow attempt (server-other.rules)
 * 1:32897 <-> ENABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:32896 <-> ENABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32895 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:32893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Finforst outbound connection attempt (malware-cnc.rules)
 * 1:32892 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TorLocker variant outbound connection attempt (malware-cnc.rules)
 * 1:32891 <-> ENABLED <-> MALWARE-CNC Php.Malware.SoakSoakRedirect Malware traffic containing WordPress Administrator credentials (malware-cnc.rules)
 * 1:32898 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:32899 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:32894 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32900 <-> DISABLED <-> FILE-FLASH Adobe Flash pepper player 307 redirect custom header cross domain policy evasion attempt (file-flash.rules)

Modified Rules:

 * 1:32508 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules)

2014-12-23 21:18:50 UTC

Sourcefire VRT Rules Update

Date: 2014-12-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32897 <-> ENABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:32898 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:32895 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:32896 <-> ENABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32894 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32890 <-> DISABLED <-> SERVER-OTHER ntpd configure buffer overflow attempt (server-other.rules)
 * 1:32892 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TorLocker variant outbound connection attempt (malware-cnc.rules)
 * 1:32893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Finforst outbound connection attempt (malware-cnc.rules)
 * 1:32891 <-> ENABLED <-> MALWARE-CNC Php.Malware.SoakSoakRedirect Malware traffic containing WordPress Administrator credentials (malware-cnc.rules)
 * 1:32900 <-> DISABLED <-> FILE-FLASH Adobe Flash pepper player 307 redirect custom header cross domain policy evasion attempt (file-flash.rules)
 * 1:32899 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)

Modified Rules:

 * 1:32508 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules)

2014-12-23 21:18:49 UTC

Sourcefire VRT Rules Update

Date: 2014-12-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32900 <-> DISABLED <-> FILE-FLASH Adobe Flash pepper player 307 redirect custom header cross domain policy evasion attempt (file-flash.rules)
 * 1:32899 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:32898 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:32897 <-> ENABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:32896 <-> ENABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32895 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:32894 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Finforst outbound connection attempt (malware-cnc.rules)
 * 1:32892 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TorLocker variant outbound connection attempt (malware-cnc.rules)
 * 1:32891 <-> ENABLED <-> MALWARE-CNC Php.Malware.SoakSoakRedirect Malware traffic containing WordPress Administrator credentials (malware-cnc.rules)
 * 1:32890 <-> DISABLED <-> SERVER-OTHER ntpd configure buffer overflow attempt (server-other.rules)

Modified Rules:

 * 1:32508 <-> ENABLED <-> FILE-OTHER Oracle Java SE GSUB FeatureCount Buffer Overflow attempt (file-other.rules)