Snort - Network Intrusion Detection & Prevention System

VRT Rules 2015-03-12

This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, malware-backdoor, malware-cnc, os-windows, pua-adware, server-mail, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2972

2015-03-12 22:03:34 UTC

Sourcefire VRT Rules Update

Date: 2015-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33826 <-> ENABLED <-> SERVER-SAMBA Samba smbd _netr_ServerPasswordSet uninitialized pointer denial of service attempt (server-samba.rules)
 * 1:33825 <-> ENABLED <-> OS-WINDOWS SMB NTLM NULL session attempt (os-windows.rules)
 * 1:33824 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:33813 <-> DISABLED <-> SERVER-WEBAPP Eclipse Foundation Jetty HttpParser information disclosure attempt (server-webapp.rules)
 * 1:33814 <-> ENABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:33817 <-> DISABLED <-> SERVER-OTHER Lighttpd Host header directory traversal attempt (server-other.rules)
 * 1:33815 <-> DISABLED <-> PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection (pua-adware.rules)
 * 1:33818 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33820 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33819 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33823 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Speccom variant outbound connection (malware-backdoor.rules)
 * 1:33816 <-> DISABLED <-> PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection (pua-adware.rules)
 * 1:33830 <-> ENABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:33829 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)
 * 1:33828 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)
 * 1:33812 <-> ENABLED <-> SERVER-WEBAPP Seagate NAS remote code execution attempt (server-webapp.rules)
 * 1:33827 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)

Modified Rules:


 * 1:18543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:19964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:31359 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Httneilc variant outbound connection (malware-cnc.rules)
 * 1:33564 <-> DISABLED <-> SERVER-MAIL GNU Mailman date field buffer overflow attempt (server-mail.rules)

2962

2015-03-12 22:03:34 UTC

Sourcefire VRT Rules Update

Date: 2015-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33828 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)
 * 1:33816 <-> DISABLED <-> PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection (pua-adware.rules)
 * 1:33826 <-> ENABLED <-> SERVER-SAMBA Samba smbd _netr_ServerPasswordSet uninitialized pointer denial of service attempt (server-samba.rules)
 * 1:33817 <-> DISABLED <-> SERVER-OTHER Lighttpd Host header directory traversal attempt (server-other.rules)
 * 1:33822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33819 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33820 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33829 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)
 * 1:33830 <-> ENABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:33815 <-> DISABLED <-> PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection (pua-adware.rules)
 * 1:33818 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33823 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Speccom variant outbound connection (malware-backdoor.rules)
 * 1:33825 <-> ENABLED <-> OS-WINDOWS SMB NTLM NULL session attempt (os-windows.rules)
 * 1:33824 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:33814 <-> ENABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:33812 <-> ENABLED <-> SERVER-WEBAPP Seagate NAS remote code execution attempt (server-webapp.rules)
 * 1:33813 <-> DISABLED <-> SERVER-WEBAPP Eclipse Foundation Jetty HttpParser information disclosure attempt (server-webapp.rules)
 * 1:33827 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)

Modified Rules:


 * 1:18543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:19964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:31359 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Httneilc variant outbound connection (malware-cnc.rules)
 * 1:33564 <-> DISABLED <-> SERVER-MAIL GNU Mailman date field buffer overflow attempt (server-mail.rules)

2970

2015-03-12 22:03:34 UTC

Sourcefire VRT Rules Update

Date: 2015-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33826 <-> ENABLED <-> SERVER-SAMBA Samba smbd _netr_ServerPasswordSet uninitialized pointer denial of service attempt (server-samba.rules)
 * 1:33825 <-> ENABLED <-> OS-WINDOWS SMB NTLM NULL session attempt (os-windows.rules)
 * 1:33824 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:33813 <-> DISABLED <-> SERVER-WEBAPP Eclipse Foundation Jetty HttpParser information disclosure attempt (server-webapp.rules)
 * 1:33814 <-> ENABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:33817 <-> DISABLED <-> SERVER-OTHER Lighttpd Host header directory traversal attempt (server-other.rules)
 * 1:33815 <-> DISABLED <-> PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection (pua-adware.rules)
 * 1:33818 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33820 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33819 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Egamipload variant outbound connection (malware-cnc.rules)
 * 1:33823 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Speccom variant outbound connection (malware-backdoor.rules)
 * 1:33816 <-> DISABLED <-> PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection (pua-adware.rules)
 * 1:33830 <-> ENABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:33829 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)
 * 1:33828 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)
 * 1:33812 <-> ENABLED <-> SERVER-WEBAPP Seagate NAS remote code execution attempt (server-webapp.rules)
 * 1:33827 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services MIME Viewer memory corruption attempt (os-windows.rules)

Modified Rules:


 * 1:18543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:19964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:31359 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Httneilc variant outbound connection (malware-cnc.rules)
 * 1:33564 <-> DISABLED <-> SERVER-MAIL GNU Mailman date field buffer overflow attempt (server-mail.rules)