VRT Rules 2015-02-05
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, exploit-kit, file-flash, file-other, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats. Note that several of the new rules (the libxml2 entity reference overflow, Flash Player sound object overflow, Win.Trojan.Rubinurd and phpBB double-encoding entries) ship with a default state of DISABLED and must be enabled explicitly if you want that coverage.

Change logs

2015-02-05 16:23:36 UTC

Sourcefire VRT Rules Update

Date: 2015-02-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33310 <-> DISABLED <-> FILE-OTHER libxml2 entity reference name heap buffer overflow attempt (file-other.rules)
 * 1:33309 <-> DISABLED <-> FILE-OTHER libxml2 entity reference name heap buffer overflow attempt (file-other.rules)
 * 1:33308 <-> ENABLED <-> FILE-OTHER Microsoft Visio packed object parsing memory corruption attempt (file-other.rules)
 * 1:33307 <-> ENABLED <-> FILE-OTHER Microsoft Visio packed object parsing memory corruption attempt (file-other.rules)
 * 1:33306 <-> ENABLED <-> BLACKLIST Connection to malware sinkhole (blacklist.rules)
 * 1:33305 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Rubinurd variant outbound connection (malware-cnc.rules)
 * 1:33304 <-> ENABLED <-> PUA-ADWARE Win.Adware.Gamevance variant outbound connection (pua-adware.rules)
 * 1:33303 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
 * 1:33302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
 * 1:33301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
 * 1:33300 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
 * 1:33299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Foxy variant outbound connection (malware-cnc.rules)
 * 1:33298 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
 * 1:33297 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
 * 1:33296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
 * 1:33295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
 * 1:33294 <-> DISABLED <-> SERVER-WEBAPP phpBB viewtopic double URL encoding attempt (server-webapp.rules)
 * 1:33293 <-> DISABLED <-> SERVER-WEBAPP phpBB viewtopic double URL encoding attempt (server-webapp.rules)
 * 1:33292 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:33291 <-> ENABLED <-> FILE-FLASH Adobe Flash Player stage object use-after-free attempt (file-flash.rules)
 * 1:33290 <-> ENABLED <-> FILE-FLASH Adobe Flash Player stage object use-after-free attempt (file-flash.rules)
 * 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:30990 <-> ENABLED <-> MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection (malware-cnc.rules)
 * 1:30991 <-> ENABLED <-> MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection (malware-cnc.rules)
 * 1:32399 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Oracle Java request (exploit-kit.rules)
 * 1:32817 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:32818 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)

2015-02-05 16:23:36 UTC

Sourcefire VRT Rules Update

Date: 2015-02-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33300 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
 * 1:33301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
 * 1:33297 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
 * 1:33299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Foxy variant outbound connection (malware-cnc.rules)
 * 1:33296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
 * 1:33290 <-> ENABLED <-> FILE-FLASH Adobe Flash Player stage object use-after-free attempt (file-flash.rules)
 * 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)
 * 1:33293 <-> DISABLED <-> SERVER-WEBAPP phpBB viewtopic double URL encoding attempt (server-webapp.rules)
 * 1:33292 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:33291 <-> ENABLED <-> FILE-FLASH Adobe Flash Player stage object use-after-free attempt (file-flash.rules)
 * 1:33295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
 * 1:33298 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
 * 1:33302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
 * 1:33303 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
 * 1:33304 <-> ENABLED <-> PUA-ADWARE Win.Adware.Gamevance variant outbound connection (pua-adware.rules)
 * 1:33305 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Rubinurd variant outbound connection (malware-cnc.rules)
 * 1:33294 <-> DISABLED <-> SERVER-WEBAPP phpBB viewtopic double URL encoding attempt (server-webapp.rules)
 * 1:33310 <-> DISABLED <-> FILE-OTHER libxml2 entity reference name heap buffer overflow attempt (file-other.rules)
 * 1:33309 <-> DISABLED <-> FILE-OTHER libxml2 entity reference name heap buffer overflow attempt (file-other.rules)
 * 1:33308 <-> ENABLED <-> FILE-OTHER Microsoft Visio packed object parsing memory corruption attempt (file-other.rules)
 * 1:33306 <-> ENABLED <-> BLACKLIST Connection to malware sinkhole (blacklist.rules)
 * 1:33307 <-> ENABLED <-> FILE-OTHER Microsoft Visio packed object parsing memory corruption attempt (file-other.rules)

Modified Rules:


 * 1:32817 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:32399 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Oracle Java request (exploit-kit.rules)
 * 1:30990 <-> ENABLED <-> MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection (malware-cnc.rules)
 * 1:30991 <-> ENABLED <-> MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection (malware-cnc.rules)
 * 1:32818 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
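As an added example, not part of the VRT release notes or of any Sourcefire tooling, the following Python parses the gid:sid <-> state <-> message (group) line format described in both entries above. It runs over a constructed subset of this release's lines, separates New from Modified rules, counts rules per rule group, and lists the new rules that ship DISABLED so they can be handed to a rule-management tool. The `1:33310`-style output lines are the form PulledPork's enablesid.conf accepts; that is an assumption about that tool, not something this page states.

```python
import re
from collections import Counter

# Constructed sample in the changelog's own line format: a subset of the
# 2015-02-05 entries, not a full copy of the rule pack.
SAMPLE = """\
New Rules:

 * 1:33310 <-> DISABLED <-> FILE-OTHER libxml2 entity reference name heap buffer overflow attempt (file-other.rules)
 * 1:33308 <-> ENABLED <-> FILE-OTHER Microsoft Visio packed object parsing memory corruption attempt (file-other.rules)
 * 1:33306 <-> ENABLED <-> BLACKLIST Connection to malware sinkhole (blacklist.rules)
 * 1:33305 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Rubinurd variant outbound connection (malware-cnc.rules)
 * 1:33294 <-> DISABLED <-> SERVER-WEBAPP phpBB viewtopic double URL encoding attempt (server-webapp.rules)

Modified Rules:

 * 1:30990 <-> ENABLED <-> MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection (malware-cnc.rules)
"""

# One rule line: " * gid:sid <-> STATE <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Return one dict per rule line, tagged with the section ("New Rules" /
    "Modified Rules") it appears under. Non-matching lines are ignored."""
    rules = []
    section = None
    for line in text.splitlines():
        if line.endswith("Rules:"):
            section = line[:-1].strip()
            continue
        m = LINE_RE.match(line)
        if m:
            rule = m.groupdict()
            rule["gid"] = int(rule["gid"])
            rule["sid"] = int(rule["sid"])
            rule["section"] = section
            rules.append(rule)
    return rules


def disabled_new_rules(rules):
    """SIDs of newly added rules that the pack ships in the DISABLED state."""
    return sorted(r["sid"] for r in rules
                  if r["section"] == "New Rules" and r["state"] == "DISABLED")


def count_by_group(rules):
    """How many rule lines touched each .rules file."""
    return Counter(r["group"] for r in rules)


def enablesid_lines(rules):
    """gid:sid lines for every DISABLED rule, in the one-per-line form that
    PulledPork's enablesid.conf reads (assumption about that tool's format)."""
    return [f"{r['gid']}:{r['sid']}" for r in rules if r["state"] == "DISABLED"]


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("new rules disabled by default:", disabled_new_rules(parsed))
    print("rules per group:", dict(count_by_group(parsed)))
    print("\n".join(enablesid_lines(parsed)))
```

Run it against a saved copy of the full changelog instead of SAMPLE to get the complete list of rules you need to enable; the regex anchors on the `<->` separators, so blank lines, the date headers and the "The format of the file is:" line fall through untouched.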