VRT Rules 2015-03-12
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, malware-backdoor, malware-cnc, os-windows, pua-adware, server-mail, server-other, server-samba and server-webapp rule sets to provide coverage for emerging threats in these technologies. (The lists below include one server-samba rule, 1:33826, which the release summary would otherwise omit.)

Change logs

2015-03-12 22:03:34 UTC

Sourcefire VRT Rules Update

Date: 2015-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33826 <-> ENABLED <-> SERVER-SAMBA Samba smbd _netr_ServerPasswordSet uninitialized pointer denial of service attempt (server-samba.rules)
 * 1:33825 <-> ENABLED <-> OS-WINDOWS SMB NTLM NULL session attempt (os-windows.rules)
 * 1:33824 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:33813 <-> DISABLED <-> SERVER-WEBAPP Eclipse Foundation Jetty HttpParser information disclosure attempt (server-webapp.rules)
 * 1:33814 <-> ENABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:33817 <-> DISABLED <-> SERVER-OTHER Lighttpd Host header directory traversal attempt (server-other.rules)
 * 1:33815 <-> DISABLED <-> PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection (pua-adware.rules)
 * 1:33818 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33820 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33819 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33823 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Speccom variant outbound connection (malware-backdoor.rules)
 * 1:33816 <-> DISABLED <-> PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection (pua-adware.rules)
 * 1:33830 <-> ENABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:33829 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)
 * 1:33828 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)
 * 1:33812 <-> ENABLED <-> SERVER-WEBAPP Seagate NAS remote code execution attempt (server-webapp.rules)
 * 1:33827 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)

Modified Rules:


 * 1:18543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:19964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:31359 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Httneilc variant outbound connection (malware-cnc.rules)
 * 1:33564 <-> DISABLED <-> SERVER-MAIL GNU Mailman date field buffer overflow attempt (server-mail.rules)
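
The change-log lines above follow a fixed shape, gid:sid <-> state <-> message (rule group), which makes them easy to parse when you want to check a release against your local policy. A rule listed as DISABLED ships in the pack but is not active in the default policy, so it produces no alerts until it is enabled through whatever SID-management mechanism you use. Below is an added example, not part of the Talos release notes: a small Python parser for that format that tallies rules by group and state, reports rule groups present in the list but missing from a release blurb (the check that surfaces server-samba above), and emits gid:sid entries for the DISABLED rules. The one-per-line gid:sid form is assumed to match what tools such as PulledPork's enablesid.conf accept; confirm against your tool's documentation. The sample input is constructed from a few lines copied from this change log.

```python
import re
from collections import Counter

# One change-log line: "gid:sid <-> Default rule state <-> Message (rule group)"
LINE_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[\w.-]+)\.rules\)\s*$"
)

# Constructed sample: a handful of lines copied from the change log above.
SAMPLE = """\
New Rules:

 * 1:33826 <-> ENABLED <-> SERVER-SAMBA Samba smbd _netr_ServerPasswordSet uninitialized pointer denial of service attempt (server-samba.rules)
 * 1:33813 <-> DISABLED <-> SERVER-WEBAPP Eclipse Foundation Jetty HttpParser information disclosure attempt (server-webapp.rules)
 * 1:33814 <-> ENABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:33817 <-> DISABLED <-> SERVER-OTHER Lighttpd Host header directory traversal attempt (server-other.rules)

Modified Rules:

 * 1:33564 <-> DISABLED <-> SERVER-MAIL GNU Mailman date field buffer overflow attempt (server-mail.rules)
"""


def parse_changelog(text):
    """Parse change-log text into a list of dicts; 'section' is 'new' or 'modified'."""
    section = None
    rules = []
    for line in text.splitlines():
        header = line.strip()
        if header == "New Rules:":
            section = "new"
            continue
        if header == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if m is None:  # blank lines, dates and prose are skipped
            continue
        rules.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": m["msg"],
            "group": m["group"],  # e.g. "server-samba" (".rules" suffix dropped)
            "section": section,
        })
    return rules


def summarize(rules):
    """Counts by rule group and by default state, as two Counters."""
    return {
        "by_group": Counter(r["group"] for r in rules),
        "by_state": Counter(r["state"] for r in rules),
    }


def missing_from_summary(rules, announced_groups):
    """Rule groups present in the parsed list but absent from the release blurb."""
    return {r["group"] for r in rules} - set(announced_groups)


def enablesid_lines(rules):
    """gid:sid entries for every DISABLED rule, one per line.

    This is the form assumed for SID-management tools such as PulledPork's
    enablesid.conf; verify against your tool's documentation before use.
    """
    return [f"{r['gid']}:{r['sid']}" for r in rules if r["state"] == "DISABLED"]


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print(summarize(parsed))
    announced = ["server-webapp", "server-other", "server-mail"]
    print("not mentioned in blurb:", missing_from_summary(parsed, announced))
    print("\n".join(enablesid_lines(parsed)))
```

Run it against the full change log and the disabled-by-default list is the set to review before assuming the release gives you coverage: here 1:33813, 1:33817 and 1:33564 ship inactive, and the two os-windows MSXML rules and the pua-adware rules in the complete list do as well.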

2015-03-12 22:03:34 UTC

Sourcefire VRT Rules Update

Date: 2015-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33828 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)
 * 1:33816 <-> DISABLED <-> PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection (pua-adware.rules)
 * 1:33826 <-> ENABLED <-> SERVER-SAMBA Samba smbd _netr_ServerPasswordSet uninitialized pointer denial of service attempt (server-samba.rules)
 * 1:33817 <-> DISABLED <-> SERVER-OTHER Lighttpd Host header directory traversal attempt (server-other.rules)
 * 1:33822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33819 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33820 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33829 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)
 * 1:33830 <-> ENABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:33815 <-> DISABLED <-> PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection (pua-adware.rules)
 * 1:33818 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33823 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Speccom variant outbound connection (malware-backdoor.rules)
 * 1:33825 <-> ENABLED <-> OS-WINDOWS SMB NTLM NULL session attempt (os-windows.rules)
 * 1:33824 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:33814 <-> ENABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:33812 <-> ENABLED <-> SERVER-WEBAPP Seagate NAS remote code execution attempt (server-webapp.rules)
 * 1:33813 <-> DISABLED <-> SERVER-WEBAPP Eclipse Foundation Jetty HttpParser information disclosure attempt (server-webapp.rules)
 * 1:33827 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)

Modified Rules:


 * 1:18543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:19964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:31359 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Httneilc variant outbound connection (malware-cnc.rules)
 * 1:33564 <-> DISABLED <-> SERVER-MAIL GNU Mailman date field buffer overflow attempt (server-mail.rules)

2015-03-12 22:03:34 UTC

Sourcefire VRT Rules Update

Date: 2015-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33826 <-> ENABLED <-> SERVER-SAMBA Samba smbd _netr_ServerPasswordSet uninitialized pointer denial of service attempt (server-samba.rules)
 * 1:33825 <-> ENABLED <-> OS-WINDOWS SMB NTLM NULL session attempt (os-windows.rules)
 * 1:33824 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:33813 <-> DISABLED <-> SERVER-WEBAPP Eclipse Foundation Jetty HttpParser information disclosure attempt (server-webapp.rules)
 * 1:33814 <-> ENABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:33817 <-> DISABLED <-> SERVER-OTHER Lighttpd Host header directory traversal attempt (server-other.rules)
 * 1:33815 <-> DISABLED <-> PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection (pua-adware.rules)
 * 1:33818 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33820 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33819 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33823 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Speccom variant outbound connection (malware-backdoor.rules)
 * 1:33816 <-> DISABLED <-> PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection (pua-adware.rules)
 * 1:33830 <-> ENABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:33829 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)
 * 1:33828 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)
 * 1:33812 <-> ENABLED <-> SERVER-WEBAPP Seagate NAS remote code execution attempt (server-webapp.rules)
 * 1:33827 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)

Modified Rules:


 * 1:18543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:19964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:31359 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Httneilc variant outbound connection (malware-cnc.rules)
 * 1:33564 <-> DISABLED <-> SERVER-MAIL GNU Mailman date field buffer overflow attempt (server-mail.rules)