VRT Rules 2015-03-03
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-chrome, browser-ie, browser-other, browser-plugins, exploit-kit, file-identify, file-image, file-other, malware-cnc, pua-adware, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-03-03 20:37:45 UTC

Sourcefire VRT Rules Update

Date: 2015-03-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules)
 * 1:33664 <-> DISABLED <-> BROWSER-OTHER Network Security Services NSS library RSA signature forgery attempt (browser-other.rules)
 * 1:33663 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules)
 * 1:33662 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
 * 1:33661 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
 * 1:33660 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Vawtrak variant outbound connection (malware-cnc.rules)
 * 1:33659 <-> DISABLED <-> SERVER-WEBAPP Dell ScriptLogic Asset Manager GetClientPackage SQL injection attempt (server-webapp.rules)
 * 1:33658 <-> DISABLED <-> SERVER-WEBAPP Dell ScriptLogic Asset Manager GetClientPackage SQL injection attempt (server-webapp.rules)
 * 1:33657 <-> DISABLED <-> SERVER-WEBAPP Dell ScriptLogic Asset Manager GetClientPackage SQL injection attempt (server-webapp.rules)
 * 1:33656 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak data exfiltration attempt (malware-cnc.rules)
 * 1:33655 <-> DISABLED <-> SERVER-OTHER Squid Proxy invalid HTTP response code denial of service attempt (server-other.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold connection exhaustion denail of service attempt (server-other.rules)
 * 1:33653 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33652 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33651 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33650 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba outbound connection attempt (malware-cnc.rules)
 * 1:33649 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - Google Omaha - Win.Trojan.ExtenBro (blacklist.rules)
 * 1:33648 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt (malware-cnc.rules)
 * 1:33647 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt (malware-cnc.rules)
 * 1:33646 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt (malware-cnc.rules)
 * 1:33645 <-> DISABLED <-> PUA-ADWARE SuperFish adware outbound connection attempt (pua-adware.rules)
 * 1:33644 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
 * 1:33643 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
 * 1:33642 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file attachment detected (file-identify.rules)
 * 1:33641 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file attachment detected (file-identify.rules)
 * 1:33640 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file download request (file-identify.rules)
 * 1:33639 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Java applet denial of service attempt (browser-ie.rules)
 * 1:33638 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Java applet denial of service attempt (browser-ie.rules)
 * 1:33637 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query object integer overflow attempt (server-mysql.rules)

Modified Rules:


 * 1:12762 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Toolbar Helper Class ActiveX clsid access (browser-plugins.rules)
 * 1:16214 <-> DISABLED <-> SERVER-OTHER Squid Proxy invalid HTTP response code denial of service attempt (server-other.rules)
 * 1:19484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
 * 1:27525 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:27526 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27527 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27528 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:27529 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27530 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
 * 1:31594 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
 * 1:31595 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
 * 1:31596 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
 * 1:31597 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
 * 1:31598 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
 * 1:31599 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)

2015-03-03 20:37:45 UTC

Sourcefire VRT Rules Update

Date: 2015-03-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33661 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
 * 1:33656 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak data exfiltration attempt (malware-cnc.rules)
 * 1:33655 <-> DISABLED <-> SERVER-OTHER Squid Proxy invalid HTTP response code denial of service attempt (server-other.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold connection exhaustion denail of service attempt (server-other.rules)
 * 1:33653 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33652 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33649 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - Google Omaha - Win.Trojan.ExtenBro (blacklist.rules)
 * 1:33647 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt (malware-cnc.rules)
 * 1:33646 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt (malware-cnc.rules)
 * 1:33650 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba outbound connection attempt (malware-cnc.rules)
 * 1:33651 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33637 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query object integer overflow attempt (server-mysql.rules)
 * 1:33638 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Java applet denial of service attempt (browser-ie.rules)
 * 1:33639 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Java applet denial of service attempt (browser-ie.rules)
 * 1:33640 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file download request (file-identify.rules)
 * 1:33641 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file attachment detected (file-identify.rules)
 * 1:33642 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file attachment detected (file-identify.rules)
 * 1:33643 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
 * 1:33644 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
 * 1:33645 <-> DISABLED <-> PUA-ADWARE SuperFish adware outbound connection attempt (pua-adware.rules)
 * 1:33657 <-> DISABLED <-> SERVER-WEBAPP Dell ScriptLogic Asset Manager GetClientPackage SQL injection attempt (server-webapp.rules)
 * 1:33658 <-> DISABLED <-> SERVER-WEBAPP Dell ScriptLogic Asset Manager GetClientPackage SQL injection attempt (server-webapp.rules)
 * 1:33659 <-> DISABLED <-> SERVER-WEBAPP Dell ScriptLogic Asset Manager GetClientPackage SQL injection attempt (server-webapp.rules)
 * 1:33660 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Vawtrak variant outbound connection (malware-cnc.rules)
 * 1:33662 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
 * 1:33663 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules)
 * 1:33648 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt (malware-cnc.rules)
 * 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules)
 * 1:33664 <-> DISABLED <-> BROWSER-OTHER Network Security Services NSS library RSA signature forgery attempt (browser-other.rules)

Modified Rules:


 * 1:12762 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Toolbar Helper Class ActiveX clsid access (browser-plugins.rules)
 * 1:16214 <-> DISABLED <-> SERVER-OTHER Squid Proxy invalid HTTP response code denial of service attempt (server-other.rules)
 * 1:19484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
 * 1:27525 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:27526 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27527 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27528 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:27529 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27530 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
 * 1:31594 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
 * 1:31595 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
 * 1:31596 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
 * 1:31597 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
 * 1:31598 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
 * 1:31599 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)