VRT Rules 2014-05-29
This release adds and modifies rules in several categories.

The Sourcefire VRT has added and modified multiple rules in the blacklist, deleted, exploit-kit, file-other, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-07-07 20:56:30 UTC

Sourcefire VRT Rules Update

Date: 2014-05-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31085 <-> DISABLED <-> FILE-OTHER Autodesk AutoCAD insecure acad.fas file load attempt (file-other.rules)
 * 1:31086 <-> DISABLED <-> FILE-OTHER Autodesk AutoCAD insecure acad.fas file load attempt (file-other.rules)
 * 1:31082 <-> DISABLED <-> SERVER-OTHER Vino VNC multiple client authentication denial of service attempt (server-other.rules)
 * 1:31084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt (malware-cnc.rules)
 * 1:31094 <-> ENABLED <-> SERVER-WEBAPP Web Terria remote command execution attempt (server-webapp.rules)
 * 1:31087 <-> DISABLED <-> FILE-OTHER Sophos RAR virtual machine filters memory corruption attempt (file-other.rules)
 * 1:31088 <-> DISABLED <-> FILE-OTHER Sophos RAR virtual machine filters memory corruption attempt (file-other.rules)
 * 1:31089 <-> ENABLED <-> PUA-ADWARE Win.Adware.CloseApp variant outbound connection (pua-adware.rules)
 * 1:31093 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit outbound Oracle Java request (deleted.rules)
 * 1:31083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bexelets variant outbound connection (malware-cnc.rules)
 * 1:31090 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - User-Agent hello crazyk (blacklist.rules)
 * 1:31091 <-> DISABLED <-> PUA-ADWARE Win.Adware.Inbox/PCFixSpeed/RebateInformer variant outbound connection (pua-adware.rules)
 * 1:31092 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit outbound URL structure (deleted.rules)

Modified Rules:

 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)

2014-07-07 20:56:30 UTC

Sourcefire VRT Rules Update

Date: 2014-05-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31085 <-> DISABLED <-> FILE-OTHER Autodesk AutoCAD insecure acad.fas file load attempt (file-other.rules)
 * 1:31084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt (malware-cnc.rules)
 * 1:31086 <-> DISABLED <-> FILE-OTHER Autodesk AutoCAD insecure acad.fas file load attempt (file-other.rules)
 * 1:31087 <-> DISABLED <-> FILE-OTHER Sophos RAR virtual machine filters memory corruption attempt (file-other.rules)
 * 1:31088 <-> DISABLED <-> FILE-OTHER Sophos RAR virtual machine filters memory corruption attempt (file-other.rules)
 * 1:31089 <-> ENABLED <-> PUA-ADWARE Win.Adware.CloseApp variant outbound connection (pua-adware.rules)
 * 1:31090 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - User-Agent hello crazyk (blacklist.rules)
 * 1:31091 <-> DISABLED <-> PUA-ADWARE Win.Adware.Inbox/PCFixSpeed/RebateInformer variant outbound connection (pua-adware.rules)
 * 1:31083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bexelets variant outbound connection (malware-cnc.rules)
 * 1:31094 <-> ENABLED <-> SERVER-WEBAPP Web Terria remote command execution attempt (server-webapp.rules)
 * 1:31092 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit outbound URL structure (deleted.rules)
 * 1:31082 <-> DISABLED <-> SERVER-OTHER Vino VNC multiple client authentication denial of service attempt (server-other.rules)
 * 1:31093 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit outbound Oracle Java request (deleted.rules)

Modified Rules:

 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)

2014-07-07 20:56:30 UTC

Sourcefire VRT Rules Update

Date: 2014-05-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31094 <-> ENABLED <-> SERVER-WEBAPP Web Terria remote command execution attempt (server-webapp.rules)
 * 1:31093 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit outbound Oracle Java request (deleted.rules)
 * 1:31092 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit outbound URL structure (deleted.rules)
 * 1:31091 <-> DISABLED <-> PUA-ADWARE Win.Adware.Inbox/PCFixSpeed/RebateInformer variant outbound connection (pua-adware.rules)
 * 1:31090 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - User-Agent hello crazyk (blacklist.rules)
 * 1:31089 <-> ENABLED <-> PUA-ADWARE Win.Adware.CloseApp variant outbound connection (pua-adware.rules)
 * 1:31088 <-> DISABLED <-> FILE-OTHER Sophos RAR virtual machine filters memory corruption attempt (file-other.rules)
 * 1:31087 <-> DISABLED <-> FILE-OTHER Sophos RAR virtual machine filters memory corruption attempt (file-other.rules)
 * 1:31086 <-> DISABLED <-> FILE-OTHER Autodesk AutoCAD insecure acad.fas file load attempt (file-other.rules)
 * 1:31085 <-> DISABLED <-> FILE-OTHER Autodesk AutoCAD insecure acad.fas file load attempt (file-other.rules)
 * 1:31084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt (malware-cnc.rules)
 * 1:31083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bexelets variant outbound connection (malware-cnc.rules)
 * 1:31082 <-> DISABLED <-> SERVER-OTHER Vino VNC multiple client authentication denial of service attempt (server-other.rules)

Modified Rules:

 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)