Talos has added and modified multiple rules in the blacklist, file-flash, malware-cnc, policy-other, server-other and server-webapp rule sets to provide coverage for emerging threats in these areas.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34024 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central insecure admin password reset attempt (policy-other.rules)
* 1:34025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Endstar variant outbound connection attempt (malware-cnc.rules)
* 1:34026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Endstar variant outbound connection attempt (malware-cnc.rules)
* 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
* 1:34028 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruecimig variant outbound connection (malware-cnc.rules)
* 1:34029 <-> ENABLED <-> MALWARE-CNC Win.Worm.Tuscas variant outbound connection attempt (malware-cnc.rules)
* 1:34030 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34032 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34038 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34039 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banklaed variant outbound connection (malware-cnc.rules)
* 1:34040 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s12.site90.net - Win.Backdoor.Igliveforg (blacklist.rules)
* 1:34041 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Igliveforg variant initial outbound connection (malware-cnc.rules)
* 1:34042 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Igliveforg variant outbound connection (malware-cnc.rules)
* 1:34043 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cybercrime.rocks - Win.Trojan.Exacrytion (blacklist.rules)
* 1:34044 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Exacrytion variant outbound connection (malware-cnc.rules)
* 1:34045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eitenckay initial outbound connection attempt (malware-cnc.rules)
* 1:34046 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expilan variant outbound connection (malware-cnc.rules)

* 1:16195 <-> DISABLED <-> SERVER-WEBAPP HTTP request content-length heap buffer overflow attempt (server-webapp.rules)
* 1:29281 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
* 1:29283 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
* 1:31255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
* 1:33539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Decompressed File object type confusion attempt (file-flash.rules)
* 1:33540 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Decompressed File object type confusion attempt (file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34024 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central insecure admin password reset attempt (policy-other.rules)
* 1:34025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Endstar variant outbound connection attempt (malware-cnc.rules)
* 1:34026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Endstar variant outbound connection attempt (malware-cnc.rules)
* 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
* 1:34028 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruecimig variant outbound connection (malware-cnc.rules)
* 1:34029 <-> ENABLED <-> MALWARE-CNC Win.Worm.Tuscas variant outbound connection attempt (malware-cnc.rules)
* 1:34030 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34032 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34038 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34039 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banklaed variant outbound connection (malware-cnc.rules)
* 1:34040 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s12.site90.net - Win.Backdoor.Igliveforg (blacklist.rules)
* 1:34041 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Igliveforg variant initial outbound connection (malware-cnc.rules)
* 1:34042 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Igliveforg variant outbound connection (malware-cnc.rules)
* 1:34043 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cybercrime.rocks - Win.Trojan.Exacrytion (blacklist.rules)
* 1:34044 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Exacrytion variant outbound connection (malware-cnc.rules)
* 1:34045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eitenckay initial outbound connection attempt (malware-cnc.rules)
* 1:34046 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expilan variant outbound connection (malware-cnc.rules)

* 1:16195 <-> DISABLED <-> SERVER-WEBAPP HTTP request content-length heap buffer overflow attempt (server-webapp.rules)
* 1:29281 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
* 1:29283 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
* 1:31255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
* 1:33539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Decompressed File object type confusion attempt (file-flash.rules)
* 1:33540 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Decompressed File object type confusion attempt (file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34024 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central insecure admin password reset attempt (policy-other.rules)
* 1:34025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Endstar variant outbound connection attempt (malware-cnc.rules)
* 1:34026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Endstar variant outbound connection attempt (malware-cnc.rules)
* 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
* 1:34028 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruecimig variant outbound connection (malware-cnc.rules)
* 1:34029 <-> ENABLED <-> MALWARE-CNC Win.Worm.Tuscas variant outbound connection attempt (malware-cnc.rules)
* 1:34030 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34032 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34038 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34039 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banklaed variant outbound connection (malware-cnc.rules)
* 1:34040 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s12.site90.net - Win.Backdoor.Igliveforg (blacklist.rules)
* 1:34041 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Igliveforg variant initial outbound connection (malware-cnc.rules)
* 1:34042 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Igliveforg variant outbound connection (malware-cnc.rules)
* 1:34043 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cybercrime.rocks - Win.Trojan.Exacrytion (blacklist.rules)
* 1:34044 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Exacrytion variant outbound connection (malware-cnc.rules)
* 1:34045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eitenckay initial outbound connection attempt (malware-cnc.rules)
* 1:34046 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expilan variant outbound connection (malware-cnc.rules)

* 1:16195 <-> DISABLED <-> SERVER-WEBAPP HTTP request content-length heap buffer overflow attempt (server-webapp.rules)
* 1:29281 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
* 1:29283 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
* 1:31255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
* 1:33539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Decompressed File object type confusion attempt (file-flash.rules)
* 1:33540 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Decompressed File object type confusion attempt (file-flash.rules)
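The lists above are the same set of rules for all three Snort versions, and the "Default rule state" column is the part that matters operationally: rules that ship DISABLED (1:16195, 1:34024 and 1:34027 in this update) never fire unless the local policy enables them, while the ENABLED malware-cnc and blacklist rules start alerting as soon as the pack is loaded. As an added example that is not part of the Talos release notes, the Python script below parses the gid:sid <-> state <-> message (group) format into a lookup table, lists the disabled-by-default SIDs so they can be reviewed before deployment, diffs two version lists (rules added, removed or switched between ENABLED and DISABLED), and renders gid:sid keys one per line, the form that PulledPork's enablesid.conf and disablesid.conf accept. The sample text is a constructed excerpt of the lists above (kept in the run-together form in which web copies of the notes appear) plus a hypothetical earlier pack made up solely to exercise the diff; the function names are the example's own.

```python
"""Parse Talos/Snort rule-update release notes of the form
'gid:sid <-> Default rule state <-> Message (rule group)' and answer the
questions a rule maintainer asks before loading a new pack."""
import re
from collections import Counter

# One entry: "1:34024 <-> DISABLED <-> POLICY-OTHER ... attempt (policy-other.rules)"
RULE_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)$"
)


def _sid_key(key):
    """Numeric sort key for a 'gid:sid' string."""
    return tuple(int(x) for x in key.split(":"))


def parse_release_notes(text):
    """Return {'gid:sid': {'state', 'msg', 'group'}} for every entry in text.
    Entries are split on the '*' bullets, so both one-entry-per-line text and
    the run-together form (even an entry broken across a line) are handled;
    chunks that are not rule entries (headers, the format description) are skipped."""
    rules = {}
    for chunk in re.split(r"\s*\*\s+", text):
        m = RULE_RE.match(chunk.strip())
        if m:
            rules[f"{m['gid']}:{m['sid']}"] = {
                "state": m["state"], "msg": m["msg"], "group": m["group"]}
    return rules


def summarize(rules):
    """Count entries per (rule group, default state)."""
    return dict(Counter((r["group"], r["state"]) for r in rules.values()))


def disabled_by_default(rules):
    """gid:sid keys shipped DISABLED; these never fire unless the policy enables them."""
    return sorted((k for k, r in rules.items() if r["state"] == "DISABLED"), key=_sid_key)


def diff_versions(old, new):
    """Compare two parsed lists: (removed, added, state_changed), each sorted by gid:sid."""
    removed = sorted(set(old) - set(new), key=_sid_key)
    added = sorted(set(new) - set(old), key=_sid_key)
    changed = sorted((k for k in set(old) & set(new)
                      if old[k]["state"] != new[k]["state"]), key=_sid_key)
    return removed, added, changed


def sid_list_conf(keys):
    """Render gid:sid keys one per line, the form PulledPork's
    enablesid.conf / disablesid.conf accept."""
    return "".join(k + "\n" for k in keys)


# Constructed excerpt of the 2962 list, in the run-together form seen on web
# copies of the notes, including one entry split across a line break.
SAMPLE_2962 = """This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
* 1:34043 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cybercrime.rocks - Win.Trojan.Exacrytion (blacklist.rules) * 1:34046 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expilan variant outbound connection (malware-cnc.rules) * 1:34024 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central insecure admin password reset attempt (policy-other.rules) * 1:34030 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules) * 1:34027 <->
DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
* 1:16195 <-> DISABLED <-> SERVER-WEBAPP HTTP request content-length heap buffer overflow attempt (server-webapp.rules) * 1:29281 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
"""

# The same seven entries as the 2972 list orders them (descending SID), one per line.
SAMPLE_2972 = """\
* 1:34046 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expilan variant outbound connection (malware-cnc.rules)
* 1:34043 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cybercrime.rocks - Win.Trojan.Exacrytion (blacklist.rules)
* 1:34030 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
* 1:34024 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central insecure admin password reset attempt (policy-other.rules)
* 1:16195 <-> DISABLED <-> SERVER-WEBAPP HTTP request content-length heap buffer overflow attempt (server-webapp.rules)
* 1:29281 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
"""

# Hypothetical earlier pack, constructed purely to exercise diff_versions:
# 1:34046 is absent and 1:16195 is still ENABLED. Not a real Talos list.
SAMPLE_OLDER = """\
* 1:34043 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cybercrime.rocks - Win.Trojan.Exacrytion (blacklist.rules)
* 1:34030 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
* 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
* 1:34024 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central insecure admin password reset attempt (policy-other.rules)
* 1:16195 <-> ENABLED <-> SERVER-WEBAPP HTTP request content-length heap buffer overflow attempt (server-webapp.rules)
* 1:29281 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
"""

RULES_2962 = parse_release_notes(SAMPLE_2962)
RULES_2972 = parse_release_notes(SAMPLE_2972)
RULES_OLDER = parse_release_notes(SAMPLE_OLDER)

if __name__ == "__main__":
    print("per group/state:", summarize(RULES_2962))
    print("2962 vs 2972 (removed, added, state changed):", diff_versions(RULES_2962, RULES_2972))
    print("older vs 2962 (removed, added, state changed):", diff_versions(RULES_OLDER, RULES_2962))
    print("disabled by default, review before deploying:")
    print(sid_list_conf(disabled_by_default(RULES_2962)), end="")
```

Run against the full lists, the 2962/2972 diff comes back empty for every pair of versions on this page, and the disabled-by-default output is the short list to take a decision on: the ManageEngine password reset and PHP 4 unserialize rules, for instance, are only useful where those applications are actually exposed, which is why they ship off.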