VRT Rules 2014-06-12
This release adds and modifies rules in several categories.

The Sourcefire VRT has added and modified multiple rules in the blacklist, exploit-kit, malware-cnc, os-windows and server-other rule sets to provide coverage for emerging threats in these categories.

Change logs

2014-07-07 18:57:54 UTC

Sourcefire VRT Rules Update

Date: 2014-06-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31239 <-> ENABLED <-> BLACKLIST DNS request for known malware domain arearugshopper.com - Win.Downloader.Upatre (blacklist.rules)
 * 1:31231 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound connection (exploit-kit.rules)
 * 1:31238 <-> DISABLED <-> SERVER-OTHER Symantec pcAnywhere remote code execution attempt (server-other.rules)
 * 1:31225 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent rome0321 - Win.Trojan.Soraya (blacklist.rules)
 * 1:31224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptor outbound communication (malware-cnc.rules)
 * 1:31221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
 * 1:31222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
 * 1:31223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection attempt (malware-cnc.rules)
 * 1:31226 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 143biz.cc.md-14.webhostbox.net - Win.Trojan.Soraya (blacklist.rules)
 * 1:31232 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound jar request (exploit-kit.rules)
 * 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
 * 1:31237 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound swf request (exploit-kit.rules)
 * 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
 * 1:31230 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound connection (exploit-kit.rules)
 * 1:31233 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ayool.no-ip.org - Win.Trojan.Nuckam (blacklist.rules)
 * 1:31229 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
 * 1:31236 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hidead outbound communication (malware-cnc.rules)
 * 1:31227 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blog.wordpress-catalog.com - Win.Trojan.Soraya (blacklist.rules)
 * 1:31228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Soraya variant initial outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:30219 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound jar request (exploit-kit.rules)
 * 1:31177 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:31179 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:29188 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit embedded open type font file request (exploit-kit.rules)
 * 1:28556 <-> DISABLED <-> PROTOCOL-DNS DNS query amplification attempt (protocol-dns.rules)
 * 1:18494 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
 * 1:18495 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
 * 1:21241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MsUpdater initial variant outbound connection (malware-cnc.rules)
 * 1:31178 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)

2014-07-07 18:57:54 UTC

Sourcefire VRT Rules Update

Date: 2014-06-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31238 <-> DISABLED <-> SERVER-OTHER Symantec pcAnywhere remote code execution attempt (server-other.rules)
 * 1:31236 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hidead outbound communication (malware-cnc.rules)
 * 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
 * 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
 * 1:31222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
 * 1:31226 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 143biz.cc.md-14.webhostbox.net - Win.Trojan.Soraya (blacklist.rules)
 * 1:31224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptor outbound communication (malware-cnc.rules)
 * 1:31225 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent rome0321 - Win.Trojan.Soraya (blacklist.rules)
 * 1:31221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
 * 1:31223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection attempt (malware-cnc.rules)
 * 1:31228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Soraya variant initial outbound connection (malware-cnc.rules)
 * 1:31229 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
 * 1:31230 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound connection (exploit-kit.rules)
 * 1:31231 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound connection (exploit-kit.rules)
 * 1:31233 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ayool.no-ip.org - Win.Trojan.Nuckam (blacklist.rules)
 * 1:31237 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound swf request (exploit-kit.rules)
 * 1:31232 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound jar request (exploit-kit.rules)
 * 1:31227 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blog.wordpress-catalog.com - Win.Trojan.Soraya (blacklist.rules)
 * 1:31239 <-> ENABLED <-> BLACKLIST DNS request for known malware domain arearugshopper.com - Win.Downloader.Upatre (blacklist.rules)

Modified Rules:

 * 1:29188 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit embedded open type font file request (exploit-kit.rules)
 * 1:30219 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound jar request (exploit-kit.rules)
 * 1:28556 <-> DISABLED <-> PROTOCOL-DNS DNS query amplification attempt (protocol-dns.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:18495 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
 * 1:21241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MsUpdater initial variant outbound connection (malware-cnc.rules)
 * 1:31179 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:31178 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:18494 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
 * 1:31177 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)

2014-07-07 18:57:54 UTC

Sourcefire VRT Rules Update

Date: 2014-06-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:31239 <-> ENABLED <-> BLACKLIST DNS request for known malware domain arearugshopper.com - Win.Downloader.Upatre (blacklist.rules)
 * 1:31238 <-> DISABLED <-> SERVER-OTHER Symantec pcAnywhere remote code execution attempt (server-other.rules)
 * 1:31237 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound swf request (exploit-kit.rules)
 * 1:31236 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hidead outbound communication (malware-cnc.rules)
 * 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
 * 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
 * 1:31233 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ayool.no-ip.org - Win.Trojan.Nuckam (blacklist.rules)
 * 1:31232 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound jar request (exploit-kit.rules)
 * 1:31231 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound connection (exploit-kit.rules)
 * 1:31230 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound connection (exploit-kit.rules)
 * 1:31229 <-> ENABLED <-> EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
 * 1:31228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Soraya variant initial outbound connection (malware-cnc.rules)
 * 1:31227 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blog.wordpress-catalog.com - Win.Trojan.Soraya (blacklist.rules)
 * 1:31226 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 143biz.cc.md-14.webhostbox.net - Win.Trojan.Soraya (blacklist.rules)
 * 1:31225 <-> ENABLED <-> BLACKLIST User-Agent known malicious User-Agent rome0321 - Win.Trojan.Soraya (blacklist.rules)
 * 1:31224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptor outbound communication (malware-cnc.rules)
 * 1:31223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection attempt (malware-cnc.rules)
 * 1:31222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
 * 1:31221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:18494 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
 * 1:18495 <-> DISABLED <-> OS-WINDOWS Microsoft product .dll dll-load exploit attempt (os-windows.rules)
 * 1:21241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MsUpdater initial variant outbound connection (malware-cnc.rules)
 * 1:28556 <-> DISABLED <-> PROTOCOL-DNS DNS query amplification attempt (protocol-dns.rules)
 * 1:29188 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit embedded open type font file request (exploit-kit.rules)
 * 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:30219 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound jar request (exploit-kit.rules)
 * 1:31177 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:31178 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)
 * 1:31179 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules)