VRT Rules 2015-02-12
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-plugins, file-flash, file-multimedia, file-office, file-other, malware-cnc, protocol-telnet, protocol-voip, pua-toolbars and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-02-12 20:30:21 UTC

Sourcefire VRT Rules Update

Date: 2015-02-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33470 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)
 * 1:33468 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
 * 1:33469 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)
 * 1:33466 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
 * 1:33461 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:33456 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Dridex outbound connection (malware-cnc.rules)
 * 1:33452 <-> ENABLED <-> PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection (pua-toolbars.rules)
 * 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33443 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
 * 1:33441 <-> ENABLED <-> FILE-OFFICE Microsoft Office OLESS stream object name corruption attempt (file-office.rules)
 * 1:33440 <-> DISABLED <-> SERVER-WEBAPP WordPress EasyCart PHP code execution attempt (server-webapp.rules)
 * 1:33444 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection attempt (malware-cnc.rules)
 * 1:33438 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gfdimage.esy.es - Win.Trojan.Gefetroe (blacklist.rules)
 * 1:33439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gefetroe variant outbound connection (malware-cnc.rules)
 * 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
 * 1:33450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection attempt (malware-cnc.rules)
 * 1:33451 <-> DISABLED <-> PROTOCOL-TELNET Microsoft Telnet Server buffer overflow attempt (protocol-telnet.rules)
 * 1:33453 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter variant outbound connection attempt (malware-cnc.rules)
 * 1:33454 <-> ENABLED <-> FILE-OTHER Adobe Reader CoolType.DLL out-of-bounds memory access attempt (file-other.rules)
 * 1:33455 <-> ENABLED <-> FILE-OTHER Adobe Reader CoolType.DLL out-of-bounds memory access attempt (file-other.rules)
 * 1:33457 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
 * 1:33458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:33459 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:33460 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:33462 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:33463 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:33464 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dynamer variant outbound connection (malware-cnc.rules)
 * 1:33465 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
 * 1:33467 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
 * 1:33442 <-> ENABLED <-> FILE-OFFICE Microsoft Office OLESS stream object name corruption attempt (file-office.rules)
 * 1:33478 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
 * 1:33477 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
 * 1:33476 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
 * 1:33475 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
 * 1:33474 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player MP4 malformed avc atom memory corruption attempt (file-multimedia.rules)
 * 1:33445 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SIP channel driver denial of service attempt (protocol-voip.rules)
 * 1:33473 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player MP4 malformed avc atom memory corruption attempt (file-multimedia.rules)
 * 1:33471 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)
 * 1:33472 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)

Modified Rules:


 * 1:19049 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant outbound connection attempt (malware-cnc.rules)
 * 1:24672 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt (file-multimedia.rules)
 * 1:25334 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25335 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25336 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25337 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25338 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25339 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25340 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:31123 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant inbound connection attempt (malware-cnc.rules)
 * 1:32840 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)
 * 1:32842 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)

2015-02-12 20:30:21 UTC

Sourcefire VRT Rules Update

Date: 2015-02-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33478 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
 * 1:33477 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
 * 1:33476 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
 * 1:33475 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
 * 1:33474 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player MP4 malformed avc atom memory corruption attempt (file-multimedia.rules)
 * 1:33473 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player MP4 malformed avc atom memory corruption attempt (file-multimedia.rules)
 * 1:33472 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)
 * 1:33471 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)
 * 1:33470 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)
 * 1:33469 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)
 * 1:33468 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
 * 1:33467 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
 * 1:33466 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
 * 1:33465 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
 * 1:33464 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dynamer variant outbound connection (malware-cnc.rules)
 * 1:33463 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:33462 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:33461 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:33460 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:33459 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:33458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:33457 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
 * 1:33456 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Dridex outbound connection (malware-cnc.rules)
 * 1:33455 <-> ENABLED <-> FILE-OTHER Adobe Reader CoolType.DLL out-of-bounds memory access attempt (file-other.rules)
 * 1:33454 <-> ENABLED <-> FILE-OTHER Adobe Reader CoolType.DLL out-of-bounds memory access attempt (file-other.rules)
 * 1:33453 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter variant outbound connection attempt (malware-cnc.rules)
 * 1:33452 <-> ENABLED <-> PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection (pua-toolbars.rules)
 * 1:33451 <-> DISABLED <-> PROTOCOL-TELNET Microsoft Telnet Server buffer overflow attempt (protocol-telnet.rules)
 * 1:33450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection attempt (malware-cnc.rules)
 * 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
 * 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33445 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SIP channel driver denial of service attempt (protocol-voip.rules)
 * 1:33444 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection attempt (malware-cnc.rules)
 * 1:33443 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
 * 1:33442 <-> ENABLED <-> FILE-OFFICE Microsoft Office OLESS stream object name corruption attempt (file-office.rules)
 * 1:33441 <-> ENABLED <-> FILE-OFFICE Microsoft Office OLESS stream object name corruption attempt (file-office.rules)
 * 1:33440 <-> DISABLED <-> SERVER-WEBAPP WordPress EasyCart PHP code execution attempt (server-webapp.rules)
 * 1:33439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gefetroe variant outbound connection (malware-cnc.rules)
 * 1:33438 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gfdimage.esy.es - Win.Trojan.Gefetroe (blacklist.rules)

Modified Rules:


 * 1:19049 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant outbound connection attempt (malware-cnc.rules)
 * 1:24672 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt (file-multimedia.rules)
 * 1:25334 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25335 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25336 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25337 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25338 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25339 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:25340 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
 * 1:31123 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant inbound connection attempt (malware-cnc.rules)
 * 1:32840 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)
 * 1:32842 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)