VRT Rules 2015-02-03
This release adds and modifies rules in several categories.

The VRT has added and modified rules in the blacklist, browser-ie, exploit-kit, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats in those categories. Note that several of the new server-webapp rules (the McAfee ePolicy Orchestrator XXE and AlienVault OSSIM command injection signatures) ship DISABLED by default and must be enabled explicitly in the local policy to get that coverage.

Change logs

2015-02-03 15:29:53 UTC

Sourcefire VRT Rules Update

Date: 2015-02-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33286 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
 * 1:33285 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bavload outbound download request attempt (malware-cnc.rules)
 * 1:33284 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OnLineGames variant outbound connection (malware-cnc.rules)
 * 1:33283 <-> ENABLED <-> BLACKLIST DNS request for known malware domain stat.wamme.cn - Win.Trojan.OnlineGames (blacklist.rules)
 * 1:33282 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection attempt (malware-cnc.rules)
 * 1:33281 <-> ENABLED <-> BLACKLIST DNS request for known malware domain absurdherd.com (blacklist.rules)
 * 1:33280 <-> DISABLED <-> PUA-ADWARE Win.Adware.iBryte variant outbound connection (pua-adware.rules)
 * 1:33279 <-> DISABLED <-> SERVER-WEBAPP McAfee ePolicy Orchestrator XML external entity injection attempt (server-webapp.rules)
 * 1:33278 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules)
 * 1:33277 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules)
 * 1:33276 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules)
 * 1:33275 <-> ENABLED <-> SERVER-WEBAPP WordPress pingback gethostbyname heap buffer overflow attempt (server-webapp.rules)

Modified Rules:


 * 1:30063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot outbound communication (malware-cnc.rules)
 * 1:30064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot outbound communication (malware-cnc.rules)

2015-02-03 15:29:53 UTC

Sourcefire VRT Rules Update

Date: 2015-02-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33286 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
 * 1:33285 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bavload outbound download request attempt (malware-cnc.rules)
 * 1:33284 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OnLineGames variant outbound connection (malware-cnc.rules)
 * 1:33283 <-> ENABLED <-> BLACKLIST DNS request for known malware domain stat.wamme.cn - Win.Trojan.OnlineGames (blacklist.rules)
 * 1:33282 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection attempt (malware-cnc.rules)
 * 1:33281 <-> ENABLED <-> BLACKLIST DNS request for known malware domain absurdherd.com (blacklist.rules)
 * 1:33280 <-> DISABLED <-> PUA-ADWARE Win.Adware.iBryte variant outbound connection (pua-adware.rules)
 * 1:33279 <-> DISABLED <-> SERVER-WEBAPP McAfee ePolicy Orchestrator XML external entity injection attempt (server-webapp.rules)
 * 1:33278 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules)
 * 1:33277 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules)
 * 1:33276 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules)
 * 1:33275 <-> ENABLED <-> SERVER-WEBAPP WordPress pingback gethostbyname heap buffer overflow attempt (server-webapp.rules)

Modified Rules:


 * 1:30063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot outbound communication (malware-cnc.rules)
 * 1:30064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot outbound communication (malware-cnc.rules)
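The changelog states its own line grammar ("gid:sid <-> Default rule state <-> Message (rule group)"), which makes it easy to process mechanically rather than by eye. The parser below is an added example written for this page, not a Sourcefire/VRT tool: it turns a changelog into records, separates New from Modified rules, and lists the new rules that ship DISABLED so they can be fed to a rule-management tool (the `gid:sid` output form matches what PulledPork's enablesid.conf accepts). The embedded sample is constructed from a handful of the lines above.

```python
"""Parse a Sourcefire VRT rule-update changelog into structured records.

Added example, not part of the original changelog. The grammar is the one
the changelog itself states:
    gid:sid <-> Default rule state <-> Message (rule group)
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One " * gid:sid <-> STATE <-> message (group.rules)" bullet.
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w-]+\.rules)\)\s*$"
)
# Headings that separate the "New Rules:" and "Modified Rules:" lists.
SECTION = re.compile(r"^(New|Modified) Rules:\s*$")


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    enabled: bool      # default state in the shipped rule pack
    msg: str
    group: str         # e.g. "server-webapp.rules"
    section: str       # "New" or "Modified"

    @property
    def category(self) -> str:
        # The message's leading token (BROWSER-IE, MALWARE-CNC, ...) is the rule class.
        return self.msg.split(" ", 1)[0]


def parse_changelog(text: str) -> list[Rule]:
    """Return every rule bullet in the changelog, tagged with its section."""
    rules: list[Rule] = []
    section = "New"
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = RULE_LINE.match(line)
        if m:
            rules.append(Rule(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                              m["msg"], m["group"], section))
    return rules


def disabled_by_default(rules: list[Rule]) -> list[Rule]:
    """New rules that ship DISABLED: coverage you only get by opting in."""
    return [r for r in rules if r.section == "New" and not r.enabled]


def enablesid_lines(rules: list[Rule]) -> list[str]:
    """gid:sid lines, one per rule, in the form PulledPork's enablesid.conf takes."""
    return [f"{r.gid}:{r.sid}" for r in rules]


def by_category(rules: list[Rule]) -> dict[str, int]:
    """Count rules per rule class (BROWSER-IE, SERVER-WEBAPP, ...)."""
    counts: dict[str, int] = {}
    for r in rules:
        counts[r.category] = counts.get(r.category, 0) + 1
    return counts


# Constructed sample: a subset of the 2015-02-03 changelog lines.
SAMPLE = """\
New Rules:

 * 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33286 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
 * 1:33283 <-> ENABLED <-> BLACKLIST DNS request for known malware domain stat.wamme.cn - Win.Trojan.OnlineGames (blacklist.rules)
 * 1:33279 <-> DISABLED <-> SERVER-WEBAPP McAfee ePolicy Orchestrator XML external entity injection attempt (server-webapp.rules)
 * 1:33278 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt (server-webapp.rules)
 * 1:33275 <-> ENABLED <-> SERVER-WEBAPP WordPress pingback gethostbyname heap buffer overflow attempt (server-webapp.rules)

Modified Rules:

 * 1:30063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot outbound communication (malware-cnc.rules)
"""

if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    print(f"{len(rules)} rules parsed; per category: {by_category(rules)}")
    print("new rules disabled by default (add to enablesid.conf to turn on):")
    for line in enablesid_lines(disabled_by_default(rules)):
        print("  " + line)
```

Run it against the full changelog text to get the complete list of opt-in signatures; in this release those are the server-webapp rules for the McAfee ePO XXE and AlienVault OSSIM command injection, plus the PUA-ADWARE rule, which are off by default because they are more prone to false positives in environments that do not run those products.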