VRT Rules 2015-04-23
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-other, exploit-kit, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-04-23 16:42:55 UTC

Snort Subscriber Rules Update

Date: 2015-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34182 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34181 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34184 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense services_unbound_acls cross site scripting attempt (server-webapp.rules)
 * 1:34185 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense status_captiveportal cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:34061 <-> DISABLED <-> SERVER-IIS Microsoft IIS Range header integer overflow attempt (server-iis.rules)
 * 1:21646 <-> DISABLED <-> EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch (exploit-kit.rules)
 * 1:31199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:33652 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33853 <-> DISABLED <-> SERVER-WEBAPP D-Link multiple products ping.ccp command injection attempt (server-webapp.rules)
 * 1:33651 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33653 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:30958 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)
 * 1:31198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:34137 <-> DISABLED <-> PUA-ADWARE SearchProtect user-agent detection (pua-adware.rules)
 * 1:30959 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)

2015-04-23 16:42:55 UTC

Snort Subscriber Rules Update

Date: 2015-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34181 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34182 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34184 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense services_unbound_acls cross site scripting attempt (server-webapp.rules)
 * 1:34185 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense status_captiveportal cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:31199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:34061 <-> DISABLED <-> SERVER-IIS Microsoft IIS Range header integer overflow attempt (server-iis.rules)
 * 1:34137 <-> DISABLED <-> PUA-ADWARE SearchProtect user-agent detection (pua-adware.rules)
 * 1:21646 <-> DISABLED <-> EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch (exploit-kit.rules)
 * 1:33651 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33652 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33853 <-> DISABLED <-> SERVER-WEBAPP D-Link multiple products ping.ccp command injection attempt (server-webapp.rules)
 * 1:33653 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:30959 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)
 * 1:30958 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)

2015-04-23 16:42:55 UTC

Snort Subscriber Rules Update

Date: 2015-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34185 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense status_captiveportal cross site scripting attempt (server-webapp.rules)
 * 1:34184 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense services_unbound_acls cross site scripting attempt (server-webapp.rules)
 * 1:34183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34182 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34181 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:21646 <-> DISABLED <-> EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch (exploit-kit.rules)
 * 1:34061 <-> DISABLED <-> SERVER-IIS Microsoft IIS Range header integer overflow attempt (server-iis.rules)
 * 1:34137 <-> DISABLED <-> PUA-ADWARE SearchProtect user-agent detection (pua-adware.rules)
 * 1:33853 <-> DISABLED <-> SERVER-WEBAPP D-Link multiple products ping.ccp command injection attempt (server-webapp.rules)
 * 1:33653 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33652 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33651 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:31199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:30959 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)
 * 1:30958 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)