The Sourcefire VRT has added and modified multiple rules in the blacklist, exploit-kit, malware-cnc, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31239 <-> ENABLED <-> BLACKLIST DNS request for known malware domain arearugshopper.com - Win.Downloader.Upatre (blacklist.rules)
* 1:31231 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound connection (exploit-kit.rules)
* 1:31238 <-> DISABLED <-> SERVER-OTHER Symantec pcAnywhere remote code execution attempt (server-other.rules)
* 1:31225 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent rome0321 - Win.Trojan.Soraya (blacklist.rules)
* 1:31224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptor outbound communication (malware-cnc.rules)
* 1:31221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
* 1:31222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
* 1:31223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection attempt (malware-cnc.rules)
* 1:31226 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 143biz.cc.md-14.webhostbox.net - Win.Trojan.Soraya (blacklist.rules)
* 1:31232 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound jar request (exploit-kit.rules)
* 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
* 1:31237 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound swf request (exploit-kit.rules)
* 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
* 1:31230 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound connection (exploit-kit.rules)
* 1:31233 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ayool.no-ip.org - Win.Trojan.Nuckam (blacklist.rules)
* 1:31229 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
* 1:31236 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hidead outbound communication (malware-cnc.rules)
* 1:31227 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blog.wordpress-catalog.com - Win.Trojan.Soraya (blacklist.rules)
* 1:31228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Soraya variant initial outbound connection (malware-cnc.rules)
* 1:30219 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound jar request (exploit-kit.rules)
* 1:31177 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
* 1:31179 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
* 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
* 1:29188 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit embedded open type font file request (exploit-kit.rules)
* 1:28556 <-> DISABLED <-> PROTOCOL-DNS DNS query amplification attempt (protocol-dns.rules)
* 1:18494 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
* 1:18495 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
* 1:21241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MsUpdater initial variant outbound connection (malware-cnc.rules)
* 1:31178 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31238 <-> DISABLED <-> SERVER-OTHER Symantec pcAnywhere remote code execution attempt (server-other.rules)
* 1:31236 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hidead outbound communication (malware-cnc.rules)
* 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
* 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
* 1:31222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
* 1:31226 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 143biz.cc.md-14.webhostbox.net - Win.Trojan.Soraya (blacklist.rules)
* 1:31224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptor outbound communication (malware-cnc.rules)
* 1:31225 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent rome0321 - Win.Trojan.Soraya (blacklist.rules)
* 1:31221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
* 1:31223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection attempt (malware-cnc.rules)
* 1:31228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Soraya variant initial outbound connection (malware-cnc.rules)
* 1:31229 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
* 1:31230 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound connection (exploit-kit.rules)
* 1:31231 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound connection (exploit-kit.rules)
* 1:31233 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ayool.no-ip.org - Win.Trojan.Nuckam (blacklist.rules)
* 1:31237 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound swf request (exploit-kit.rules)
* 1:31232 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound jar request (exploit-kit.rules)
* 1:31227 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blog.wordpress-catalog.com - Win.Trojan.Soraya (blacklist.rules)
* 1:31239 <-> ENABLED <-> BLACKLIST DNS request for known malware domain arearugshopper.com - Win.Downloader.Upatre (blacklist.rules)
* 1:29188 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit embedded open type font file request (exploit-kit.rules)
* 1:30219 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound jar request (exploit-kit.rules)
* 1:28556 <-> DISABLED <-> PROTOCOL-DNS DNS query amplification attempt (protocol-dns.rules)
* 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
* 1:18495 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
* 1:21241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MsUpdater initial variant outbound connection (malware-cnc.rules)
* 1:31179 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
* 1:31178 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
* 1:18494 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
* 1:31177 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31239 <-> ENABLED <-> BLACKLIST DNS request for known malware domain arearugshopper.com - Win.Downloader.Upatre (blacklist.rules)
* 1:31238 <-> DISABLED <-> SERVER-OTHER Symantec pcAnywhere remote code execution attempt (server-other.rules)
* 1:31237 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound swf request (exploit-kit.rules)
* 1:31236 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hidead outbound communication (malware-cnc.rules)
* 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
* 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
* 1:31233 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ayool.no-ip.org - Win.Trojan.Nuckam (blacklist.rules)
* 1:31232 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound jar request (exploit-kit.rules)
* 1:31231 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound connection (exploit-kit.rules)
* 1:31230 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound connection (exploit-kit.rules)
* 1:31229 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
* 1:31228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Soraya variant initial outbound connection (malware-cnc.rules)
* 1:31227 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blog.wordpress-catalog.com - Win.Trojan.Soraya (blacklist.rules)
* 1:31226 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 143biz.cc.md-14.webhostbox.net - Win.Trojan.Soraya (blacklist.rules)
* 1:31225 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent rome0321 - Win.Trojan.Soraya (blacklist.rules)
* 1:31224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptor outbound communication (malware-cnc.rules)
* 1:31223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection attempt (malware-cnc.rules)
* 1:31222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
* 1:31221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
* 1:18494 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
* 1:18495 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
* 1:21241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MsUpdater initial variant outbound connection (malware-cnc.rules)
* 1:28556 <-> DISABLED <-> PROTOCOL-DNS DNS query amplification attempt (protocol-dns.rules)
* 1:29188 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit embedded open type font file request (exploit-kit.rules)
* 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
* 1:30219 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound jar request (exploit-kit.rules)
* 1:31177 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
* 1:31178 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
* 1:31179 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)