VRT Rules 2014-06-05
This release adds and modifies rules in several categories.

The Sourcefire VRT has added and modified multiple rules in the blacklist, exploit-kit, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-07-07 20:47:31 UTC

Sourcefire VRT Rules Update

Date: 2014-06-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31169 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lvpconveyors.co.uk - Win.Trojan.Cryptodefence (blacklist.rules)
 * 1:31156 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smart.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31153 <-> ENABLED <-> BLACKLIST DNS request for known malware domain group.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound communication (malware-cnc.rules)
 * 1:31166 <-> DISABLED <-> PUA-ADWARE InstallRex bundled installer outbound activity (pua-adware.rules)
 * 1:31167 <-> DISABLED <-> PUA-ADWARE InstallRex bundled installer outbound activity (pua-adware.rules)
 * 1:31164 <-> ENABLED <-> BLACKLIST DNS request for known malware domain i1.megagetnews.net (blacklist.rules)
 * 1:31165 <-> ENABLED <-> BLACKLIST DNS request for known malware domain r1.getapplicationmy.info (blacklist.rules)
 * 1:31163 <-> ENABLED <-> BLACKLIST DNS request for known malware domain c1.downlloaddatamy.info (blacklist.rules)
 * 1:31161 <-> ENABLED <-> SERVER-OTHER AuraCMS LFI attempt (server-other.rules)
 * 1:31162 <-> ENABLED <-> SERVER-OTHER Beetel 450TC2 CSRF attempt (server-other.rules)
 * 1:31159 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31160 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31157 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31158 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31175 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zelvesz.2u.se - Win.Trojan.Tempest (blacklist.rules)
 * 1:31174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sapart variant outbound connection (malware-cnc.rules)
 * 1:31149 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller login.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31173 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31170 <-> ENABLED <-> BLACKLIST DNS request for known malware domain technopoleci.com - Win.Trojan.Cryptodefence (blacklist.rules)
 * 1:31148 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller login.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31150 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent DefaultBotPassword - Win.Trojan.Tirabot (blacklist.rules)
 * 1:31147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zadnilay variant outbound connection (malware-cnc.rules)
 * 1:31172 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31151 <-> ENABLED <-> BLACKLIST DNS request for known malware domain code.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31152 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fly.aggipulla.in - Win.Trojan.Fareit (blacklist.rules)
 * 1:31154 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hotel.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31155 <-> ENABLED <-> BLACKLIST DNS request for known malware domain key.aggipulla.in - Win.Trojan.Fareit (blacklist.rules)
 * 1:31171 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:30934 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download (exploit-kit.rules)
 * 1:30935 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)

2014-07-07 20:47:31 UTC

Sourcefire VRT Rules Update

Date: 2014-06-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31154 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hotel.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31152 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fly.aggipulla.in - Win.Trojan.Fareit (blacklist.rules)
 * 1:31153 <-> ENABLED <-> BLACKLIST DNS request for known malware domain group.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31151 <-> ENABLED <-> BLACKLIST DNS request for known malware domain code.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31148 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller login.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zadnilay variant outbound connection (malware-cnc.rules)
 * 1:31150 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent DefaultBotPassword - Win.Trojan.Tirabot (blacklist.rules)
 * 1:31155 <-> ENABLED <-> BLACKLIST DNS request for known malware domain key.aggipulla.in - Win.Trojan.Fareit (blacklist.rules)
 * 1:31156 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smart.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31157 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31158 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31159 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31160 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31161 <-> ENABLED <-> SERVER-OTHER AuraCMS LFI attempt (server-other.rules)
 * 1:31162 <-> ENABLED <-> SERVER-OTHER Beetel 450TC2 CSRF attempt (server-other.rules)
 * 1:31163 <-> ENABLED <-> BLACKLIST DNS request for known malware domain c1.downlloaddatamy.info (blacklist.rules)
 * 1:31164 <-> ENABLED <-> BLACKLIST DNS request for known malware domain i1.megagetnews.net (blacklist.rules)
 * 1:31165 <-> ENABLED <-> BLACKLIST DNS request for known malware domain r1.getapplicationmy.info (blacklist.rules)
 * 1:31166 <-> DISABLED <-> PUA-ADWARE InstallRex bundled installer outbound activity (pua-adware.rules)
 * 1:31167 <-> DISABLED <-> PUA-ADWARE InstallRex bundled installer outbound activity (pua-adware.rules)
 * 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound communication (malware-cnc.rules)
 * 1:31175 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zelvesz.2u.se - Win.Trojan.Tempest (blacklist.rules)
 * 1:31149 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller login.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sapart variant outbound connection (malware-cnc.rules)
 * 1:31173 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31171 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31172 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31170 <-> ENABLED <-> BLACKLIST DNS request for known malware domain technopoleci.com - Win.Trojan.Cryptodefence (blacklist.rules)
 * 1:31169 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lvpconveyors.co.uk - Win.Trojan.Cryptodefence (blacklist.rules)

Modified Rules:

 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:30934 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download (exploit-kit.rules)
 * 1:30935 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)

2014-07-07 20:47:31 UTC

Sourcefire VRT Rules Update

Date: 2014-06-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31175 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zelvesz.2u.se - Win.Trojan.Tempest (blacklist.rules)
 * 1:31174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sapart variant outbound connection (malware-cnc.rules)
 * 1:31173 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31172 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31171 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection (malware-cnc.rules)
 * 1:31170 <-> ENABLED <-> BLACKLIST DNS request for known malware domain technopoleci.com - Win.Trojan.Cryptodefence (blacklist.rules)
 * 1:31169 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lvpconveyors.co.uk - Win.Trojan.Cryptodefence (blacklist.rules)
 * 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound communication (malware-cnc.rules)
 * 1:31167 <-> DISABLED <-> PUA-ADWARE InstallRex bundled installer outbound activity (pua-adware.rules)
 * 1:31166 <-> DISABLED <-> PUA-ADWARE InstallRex bundled installer outbound activity (pua-adware.rules)
 * 1:31165 <-> ENABLED <-> BLACKLIST DNS request for known malware domain r1.getapplicationmy.info (blacklist.rules)
 * 1:31164 <-> ENABLED <-> BLACKLIST DNS request for known malware domain i1.megagetnews.net (blacklist.rules)
 * 1:31163 <-> ENABLED <-> BLACKLIST DNS request for known malware domain c1.downlloaddatamy.info (blacklist.rules)
 * 1:31162 <-> ENABLED <-> SERVER-OTHER Beetel 450TC2 CSRF attempt (server-other.rules)
 * 1:31161 <-> ENABLED <-> SERVER-OTHER AuraCMS LFI attempt (server-other.rules)
 * 1:31160 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31159 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31158 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31157 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt (server-webapp.rules)
 * 1:31156 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smart.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31155 <-> ENABLED <-> BLACKLIST DNS request for known malware domain key.aggipulla.in - Win.Trojan.Fareit (blacklist.rules)
 * 1:31154 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hotel.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31153 <-> ENABLED <-> BLACKLIST DNS request for known malware domain group.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31152 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fly.aggipulla.in - Win.Trojan.Fareit (blacklist.rules)
 * 1:31151 <-> ENABLED <-> BLACKLIST DNS request for known malware domain code.aggipulla.com - Win.Trojan.Fareit (blacklist.rules)
 * 1:31150 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent DefaultBotPassword - Win.Trojan.Tirabot (blacklist.rules)
 * 1:31149 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller login.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31148 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller login.cgi buffer overflow attempt (server-webapp.rules)
 * 1:31147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zadnilay variant outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:30934 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download (exploit-kit.rules)
 * 1:30935 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit landing page - specific structure (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)