Snort - Network Intrusion Detection & Prevention System

VRT Rules 2014-06-05

This release adds and modifies rules in several categories.

The Sourcefire VRT has added and modified multiple rules in the blacklist, exploit-kit, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2956

2014-07-07 20:47:31 UTC

Sourcefire VRT Rules Update

Date: 2014-06-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31169 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lvpconveyors.co.uk - Win.Trojan.Cryptodefence (blacklist.rules)
 * 1:31156 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smart.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31153 <-> ENABLED <-> BLACKLIST DNS request for known malware domain group.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound communication (malware-cnc.rules)
 * 1:31166 <-> DISABLED <-> PUA-ADWARE InstallRex bundled installer outbound activity (pua-adware.rules)
 * 1:31167 <-> DISABLED <-> PUA-ADWARE InstallRex bundled installer outbound activity (pua-adware.rules)
 * 1:31164 <-> ENABLED <-> BLACKLIST DNS request for known malware domain i1.megagetnews.net (blacklist.rules)
 * 1:31165 <-> ENABLED <-> BLACKLIST DNS request for known malware domain r1.getapplicationmy.info (blacklist.rules)
 * 1:31163 <-> ENABLED <-> BLACKLIST DNS request for known malware domain c1.downlloaddatamy.info (blacklist.rules)
 * 1:31161 <-> ENABLED <-> SERVER-OTHER AuraCMS LFI attempt (server-other.rules)
 * 1:31162 <-> ENABLED <-> SERVER-OTHER Beetel 450TC2 CSRF attempt (server-other.rules)
 * 1:31159 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31160 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31157 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31158 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31175 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zelvesz.2u.se - Win.Trojan.Tempest (blacklist.rules)
 * 1:31174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sapart variant outbound connection (malware-cnc.rules)
 * 1:31149 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller login.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31173 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31170 <-> ENABLED <-> BLACKLIST DNS request for known malware domain technopoleci.com - Win.Trojan.Cryptodefence (blacklist.rules)
 * 1:31148 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller login.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31150 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent DefaultBotPassword - Win.Trojan.Tirabot (blacklist.rules)
 * 1:31147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zadnilay variant outbound connection (malware-cnc.rules)
 * 1:31172 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31151 <-> ENABLED <-> BLACKLIST DNS request for known malware domain code.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31152 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fly.aggipulla.in - Win.Trojan.Fareit (blacklist.rules)
 * 1:31154 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hotel.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31155 <-> ENABLED <-> BLACKLIST DNS request for known malware domain key.aggipulla.in - Win.Trojan.Fareit (blacklist.rules)
 * 1:31171 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:30934 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download (exploit-kit.rules)
 * 1:30935 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)

2960

2014-07-07 20:47:31 UTC

Sourcefire VRT Rules Update

Date: 2014-06-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31154 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hotel.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31152 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fly.aggipulla.in - Win.Trojan.Fareit (blacklist.rules)
 * 1:31153 <-> ENABLED <-> BLACKLIST DNS request for known malware domain group.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31151 <-> ENABLED <-> BLACKLIST DNS request for known malware domain code.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31148 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller login.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zadnilay variant outbound connection (malware-cnc.rules)
 * 1:31150 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent DefaultBotPassword - Win.Trojan.Tirabot (blacklist.rules)
 * 1:31155 <-> ENABLED <-> BLACKLIST DNS request for known malware domain key.aggipulla.in - Win.Trojan.Fareit (blacklist.rules)
 * 1:31156 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smart.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31157 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31158 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31159 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31160 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31161 <-> ENABLED <-> SERVER-OTHER AuraCMS LFI attempt (server-other.rules)
 * 1:31162 <-> ENABLED <-> SERVER-OTHER Beetel 450TC2 CSRF attempt (server-other.rules)
 * 1:31163 <-> ENABLED <-> BLACKLIST DNS request for known malware domain c1.downlloaddatamy.info (blacklist.rules)
 * 1:31164 <-> ENABLED <-> BLACKLIST DNS request for known malware domain i1.megagetnews.net (blacklist.rules)
 * 1:31165 <-> ENABLED <-> BLACKLIST DNS request for known malware domain r1.getapplicationmy.info (blacklist.rules)
 * 1:31166 <-> DISABLED <-> PUA-ADWARE InstallRex bundled installer outbound activity (pua-adware.rules)
 * 1:31167 <-> DISABLED <-> PUA-ADWARE InstallRex bundled installer outbound activity (pua-adware.rules)
 * 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound communication (malware-cnc.rules)
 * 1:31175 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zelvesz.2u.se - Win.Trojan.Tempest (blacklist.rules)
 * 1:31149 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller login.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sapart variant outbound connection (malware-cnc.rules)
 * 1:31173 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31171 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31172 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31170 <-> ENABLED <-> BLACKLIST DNS request for known malware domain technopoleci.com - Win.Trojan.Cryptodefence (blacklist.rules)
 * 1:31169 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lvpconveyors.co.uk - Win.Trojan.Cryptodefence (blacklist.rules)

Modified Rules:


 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:30934 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download (exploit-kit.rules)
 * 1:30935 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)

2961

2014-07-07 20:47:31 UTC

Sourcefire VRT Rules Update

Date: 2014-06-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31175 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zelvesz.2u.se - Win.Trojan.Tempest (blacklist.rules)
 * 1:31174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sapart variant outbound connection (malware-cnc.rules)
 * 1:31173 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31172 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31171 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31170 <-> ENABLED <-> BLACKLIST DNS request for known malware domain technopoleci.com - Win.Trojan.Cryptodefence (blacklist.rules)
 * 1:31169 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lvpconveyors.co.uk - Win.Trojan.Cryptodefence (blacklist.rules)
 * 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound communication (malware-cnc.rules)
 * 1:31167 <-> DISABLED <-> PUA-ADWARE InstallRex bundled installer outbound activity (pua-adware.rules)
 * 1:31166 <-> DISABLED <-> PUA-ADWARE InstallRex bundled installer outbound activity (pua-adware.rules)
 * 1:31165 <-> ENABLED <-> BLACKLIST DNS request for known malware domain r1.getapplicationmy.info (blacklist.rules)
 * 1:31164 <-> ENABLED <-> BLACKLIST DNS request for known malware domain i1.megagetnews.net (blacklist.rules)
 * 1:31163 <-> ENABLED <-> BLACKLIST DNS request for known malware domain c1.downlloaddatamy.info (blacklist.rules)
 * 1:31162 <-> ENABLED <-> SERVER-OTHER Beetel 450TC2 CSRF attempt (server-other.rules)
 * 1:31161 <-> ENABLED <-> SERVER-OTHER AuraCMS LFI attempt (server-other.rules)
 * 1:31160 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31159 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31158 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31157 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31156 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smart.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31155 <-> ENABLED <-> BLACKLIST DNS request for known malware domain key.aggipulla.in - Win.Trojan.Fareit (blacklist.rules)
 * 1:31154 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hotel.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31153 <-> ENABLED <-> BLACKLIST DNS request for known malware domain group.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31152 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fly.aggipulla.in - Win.Trojan.Fareit (blacklist.rules)
 * 1:31151 <-> ENABLED <-> BLACKLIST DNS request for known malware domain code.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31150 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent DefaultBotPassword - Win.Trojan.Tirabot (blacklist.rules)
 * 1:31149 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller login.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31148 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller login.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zadnilay variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:30934 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download (exploit-kit.rules)
 * 1:30935 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)