VRT Rules 2015-02-19
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-plugins, file-flash, file-office, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2015-02-19 21:50:28 UTC

Sourcefire VRT Rules Update

Date: 2015-02-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33557 <-> DISABLED <-> FILE-FLASH Adobe Flash Player XMLsocket connect arbitrary code execution attempt (file-flash.rules)
 * 1:33556 <-> DISABLED <-> FILE-FLASH Adobe Flash Player XMLsocket connect arbitrary code execution attempt (file-flash.rules)
 * 1:33554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF use-after-free attempt (file-flash.rules)
 * 1:33555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF use-after-free attempt (file-flash.rules)
 * 1:33547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Turla outbound connection attempt (malware-cnc.rules)
 * 1:33551 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addHeader null pointer dereference attempt (file-flash.rules)
 * 1:33550 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addHeader null pointer dereference attempt (file-flash.rules)
 * 1:33553 <-> DISABLED <-> PUA-ADWARE Win.Adware.iBryte variant outbound connection (pua-adware.rules)
 * 1:33558 <-> DISABLED <-> FILE-FLASH Adobe Flash Player XMLsocket connect arbitrary code execution attempt (file-flash.rules)
 * 1:33552 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addHeader null pointer dereference attempt (file-flash.rules)
 * 1:33559 <-> DISABLED <-> FILE-FLASH Adobe Flash Player XMLsocket connect arbitrary code execution attempt (file-flash.rules)
 * 1:33549 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addHeader null pointer dereference attempt (file-flash.rules)
 * 1:33563 <-> DISABLED <-> FILE-OFFICE Microsoft Word document with embedded networking script (file-office.rules)
 * 1:33562 <-> DISABLED <-> FILE-OFFICE Microsoft Word document with embedded networking script (file-office.rules)
 * 1:33560 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tracking-recipient.net46.net - Win.Cossta (blacklist.rules)
 * 1:33548 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Access multiple control instantiation memory corruption attempt (browser-plugins.rules)
 * 1:33561 <-> DISABLED <-> SERVER-OTHER OpenSSL fragmented protocol downgrade attempt (server-other.rules)

Modified Rules:


 * 1:17037 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Access multiple control instantiation memory corruption attempt (browser-plugins.rules)
 * 1:17207 <-> DISABLED <-> SERVER-OTHER IBM Cognos Server backdoor account remote code execution attempt (server-other.rules)
 * 1:24005 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
 * 1:33545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Equation outbound connection (malware-cnc.rules)

2015-02-19 21:50:28 UTC

Sourcefire VRT Rules Update

Date: 2015-02-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33563 <-> DISABLED <-> FILE-OFFICE Microsoft Word document with embedded networking script (file-office.rules)
 * 1:33562 <-> DISABLED <-> FILE-OFFICE Microsoft Word document with embedded networking script (file-office.rules)
 * 1:33561 <-> DISABLED <-> SERVER-OTHER OpenSSL fragmented protocol downgrade attempt (server-other.rules)
 * 1:33560 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tracking-recipient.net46.net - Win.Cossta (blacklist.rules)
 * 1:33559 <-> DISABLED <-> FILE-FLASH Adobe Flash Player XMLsocket connect arbitrary code execution attempt (file-flash.rules)
 * 1:33558 <-> DISABLED <-> FILE-FLASH Adobe Flash Player XMLsocket connect arbitrary code execution attempt (file-flash.rules)
 * 1:33557 <-> DISABLED <-> FILE-FLASH Adobe Flash Player XMLsocket connect arbitrary code execution attempt (file-flash.rules)
 * 1:33556 <-> DISABLED <-> FILE-FLASH Adobe Flash Player XMLsocket connect arbitrary code execution attempt (file-flash.rules)
 * 1:33555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF use-after-free attempt (file-flash.rules)
 * 1:33554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF use-after-free attempt (file-flash.rules)
 * 1:33553 <-> DISABLED <-> PUA-ADWARE Win.Adware.iBryte variant outbound connection (pua-adware.rules)
 * 1:33552 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addHeader null pointer dereference attempt (file-flash.rules)
 * 1:33551 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addHeader null pointer dereference attempt (file-flash.rules)
 * 1:33550 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addHeader null pointer dereference attempt (file-flash.rules)
 * 1:33549 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addHeader null pointer dereference attempt (file-flash.rules)
 * 1:33548 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Access multiple control instantiation memory corruption attempt (browser-plugins.rules)
 * 1:33547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Turla outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:17037 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Access multiple control instantiation memory corruption attempt (browser-plugins.rules)
 * 1:17207 <-> DISABLED <-> SERVER-OTHER IBM Cognos Server backdoor account remote code execution attempt (server-other.rules)
 * 1:24005 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
 * 1:33545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Equation outbound connection (malware-cnc.rules)