VRT Rules 2014-06-17
This release adds and modifies rules in several categories.

The Sourcefire VRT has added and modified multiple rules in the blacklist, file-flash, file-identify, file-multimedia, file-other, file-pdf, malware-backdoor and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-07-07 18:55:59 UTC

Sourcefire VRT Rules Update

Date: 2014-06-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
 * 1:31249 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pekanin.freevar.com - HAVEX RAT (blacklist.rules)
 * 1:31243 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Necurs variant outbound connection (malware-cnc.rules)
 * 1:31240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection attempt (malware-cnc.rules)
 * 1:31244 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt (malware-cnc.rules)
 * 1:31245 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:31247 <-> ENABLED <-> BLACKLIST DNS request for known malware domain artem.sataev.com - HAVEX RAT (blacklist.rules)
 * 1:31248 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mahsms.ir - HAVEX RAT (blacklist.rules)
 * 1:31246 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:31241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection attempt (malware-cnc.rules)
 * 1:31242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Utishaf variant outbound connection attempt (malware-cnc.rules)
 * 1:31250 <-> ENABLED <-> BLACKLIST DNS request for known malware domain simpsons.freesexycomics.com - HAVEX RAT (blacklist.rules)
 * 1:31254 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT inbound connection to infected host (malware-cnc.rules)
 * 1:31251 <-> ENABLED <-> BLACKLIST DNS request for known malware domain swissitaly.com - HAVEX RAT (blacklist.rules)
 * 1:31252 <-> ENABLED <-> BLACKLIST DNS request for known malware domain toons.freesexycomics.com - HAVEX RAT (blacklist.rules)
 * 1:31256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
 * 1:31257 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rc1.arkinixik.net - Win.Trojan.Destoplug (blacklist.rules)
 * 1:31258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Destoplug variant outbound connection (malware-cnc.rules)
 * 1:31259 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller url_redirect.cgi directory traversal attempt (server-webapp.rules)
 * 1:31260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andromeda HTTP proxy response attempt (malware-cnc.rules)
 * 1:31261 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Symmi outbound connection attempt (malware-cnc.rules)
 * 1:31262 <-> ENABLED <-> MALWARE-CNC Win.Worm.VBNA variant check-in attempt (malware-cnc.rules)
 * 1:31253 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.pc-service-fm.de - HAVEX RAT (blacklist.rules)

Modified Rules:


 * 1:29613 <-> DISABLED <-> FILE-IDENTIFY XPS file attachment detected (file-identify.rules)
 * 1:29007 <-> DISABLED <-> FILE-IDENTIFY XWD image file attachment detected (file-identify.rules)
 * 1:23774 <-> DISABLED <-> FILE-IDENTIFY NAB file magic detected (file-identify.rules)
 * 1:29006 <-> DISABLED <-> FILE-IDENTIFY XWD image file attachment detected (file-identify.rules)
 * 1:22946 <-> DISABLED <-> FILE-IDENTIFY NAB file magic detected (file-identify.rules)
 * 1:23666 <-> DISABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
 * 1:22944 <-> DISABLED <-> FILE-IDENTIFY NAB file attachment detected (file-identify.rules)
 * 1:22945 <-> DISABLED <-> FILE-IDENTIFY NAB file attachment detected (file-identify.rules)
 * 1:21858 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt (file-pdf.rules)
 * 1:22943 <-> DISABLED <-> FILE-IDENTIFY NAB file download request (file-identify.rules)
 * 1:21296 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
 * 1:21859 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt (file-pdf.rules)
 * 1:20269 <-> DISABLED <-> FILE-IDENTIFY FON font file download request (file-identify.rules)
 * 1:21295 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
 * 1:20481 <-> DISABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
 * 1:29887 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Updates downloader - Win.Trojan.Upatre (blacklist.rules)
 * 1:30759 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
 * 1:29752 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center SOM authentication bypass attempt (server-webapp.rules)
 * 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection attempt (malware-cnc.rules)
 * 1:30760 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file download request (file-identify.rules)
 * 1:29612 <-> DISABLED <-> FILE-IDENTIFY XPS file attachment detected (file-identify.rules)
 * 1:30757 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
 * 1:30532 <-> DISABLED <-> FILE-MULTIMEDIA CoCSoft Stream Download session (file-multimedia.rules)
 * 1:29888 <-> DISABLED <-> FILE-OTHER Clam Anti-Virus TNEF file handling denial of service attempt (file-other.rules)
 * 1:30758 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
 * 1:7635 <-> DISABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
 * 1:29614 <-> DISABLED <-> FILE-IDENTIFY XPS file download request (file-identify.rules)
 * 1:30756 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
 * 1:29008 <-> DISABLED <-> FILE-IDENTIFY XWD image file download request (file-identify.rules)

2014-07-07 18:55:59 UTC

Sourcefire VRT Rules Update

Date: 2014-06-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31257 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rc1.arkinixik.net - Win.Trojan.Destoplug (blacklist.rules)
 * 1:31258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Destoplug variant outbound connection (malware-cnc.rules)
 * 1:31254 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT inbound connection to infected host (malware-cnc.rules)
 * 1:31255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
 * 1:31252 <-> ENABLED <-> BLACKLIST DNS request for known malware domain toons.freesexycomics.com - HAVEX RAT (blacklist.rules)
 * 1:31253 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.pc-service-fm.de - HAVEX RAT (blacklist.rules)
 * 1:31249 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pekanin.freevar.com - HAVEX RAT (blacklist.rules)
 * 1:31250 <-> ENABLED <-> BLACKLIST DNS request for known malware domain simpsons.freesexycomics.com - HAVEX RAT (blacklist.rules)
 * 1:31247 <-> ENABLED <-> BLACKLIST DNS request for known malware domain artem.sataev.com - HAVEX RAT (blacklist.rules)
 * 1:31248 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mahsms.ir - HAVEX RAT (blacklist.rules)
 * 1:31245 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:31244 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt (malware-cnc.rules)
 * 1:31242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Utishaf variant outbound connection attempt (malware-cnc.rules)
 * 1:31243 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Necurs variant outbound connection (malware-cnc.rules)
 * 1:31240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection attempt (malware-cnc.rules)
 * 1:31241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection attempt (malware-cnc.rules)
 * 1:31246 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:31251 <-> ENABLED <-> BLACKLIST DNS request for known malware domain swissitaly.com - HAVEX RAT (blacklist.rules)
 * 1:31256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
 * 1:31260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andromeda HTTP proxy response attempt (malware-cnc.rules)
 * 1:31259 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller url_redirect.cgi directory traversal attempt (server-webapp.rules)
 * 1:31261 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Symmi outbound connection attempt (malware-cnc.rules)
 * 1:31262 <-> ENABLED <-> MALWARE-CNC Win.Worm.VBNA variant check-in attempt (malware-cnc.rules)

Modified Rules:


 * 1:29007 <-> DISABLED <-> FILE-IDENTIFY XWD image file attachment detected (file-identify.rules)
 * 1:29006 <-> DISABLED <-> FILE-IDENTIFY XWD image file attachment detected (file-identify.rules)
 * 1:23774 <-> DISABLED <-> FILE-IDENTIFY NAB file magic detected (file-identify.rules)
 * 1:23666 <-> DISABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
 * 1:22946 <-> DISABLED <-> FILE-IDENTIFY NAB file magic detected (file-identify.rules)
 * 1:20481 <-> DISABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
 * 1:20269 <-> DISABLED <-> FILE-IDENTIFY FON font file download request (file-identify.rules)
 * 1:22945 <-> DISABLED <-> FILE-IDENTIFY NAB file attachment detected (file-identify.rules)
 * 1:21296 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
 * 1:21295 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
 * 1:21858 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt (file-pdf.rules)
 * 1:21859 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt (file-pdf.rules)
 * 1:22943 <-> DISABLED <-> FILE-IDENTIFY NAB file download request (file-identify.rules)
 * 1:22944 <-> DISABLED <-> FILE-IDENTIFY NAB file attachment detected (file-identify.rules)
 * 1:29887 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Updates downloader - Win.Trojan.Upatre (blacklist.rules)
 * 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection attempt (malware-cnc.rules)
 * 1:30760 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file download request (file-identify.rules)
 * 1:29613 <-> DISABLED <-> FILE-IDENTIFY XPS file attachment detected (file-identify.rules)
 * 1:29752 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center SOM authentication bypass attempt (server-webapp.rules)
 * 1:29614 <-> DISABLED <-> FILE-IDENTIFY XPS file download request (file-identify.rules)
 * 1:7635 <-> DISABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
 * 1:29888 <-> DISABLED <-> FILE-OTHER Clam Anti-Virus TNEF file handling denial of service attempt (file-other.rules)
 * 1:30532 <-> DISABLED <-> FILE-MULTIMEDIA CoCSoft Stream Download session (file-multimedia.rules)
 * 1:30756 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
 * 1:30757 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
 * 1:30758 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
 * 1:29008 <-> DISABLED <-> FILE-IDENTIFY XWD image file download request (file-identify.rules)
 * 1:30759 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
 * 1:29612 <-> DISABLED <-> FILE-IDENTIFY XPS file attachment detected (file-identify.rules)

2014-07-07 18:55:59 UTC

Sourcefire VRT Rules Update

Date: 2014-06-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31262 <-> ENABLED <-> MALWARE-CNC Win.Worm.VBNA variant check-in attempt (malware-cnc.rules)
 * 1:31261 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Symmi outbound connection attempt (malware-cnc.rules)
 * 1:31260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andromeda HTTP proxy response attempt (malware-cnc.rules)
 * 1:31259 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller url_redirect.cgi directory traversal attempt (server-webapp.rules)
 * 1:31258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Destoplug variant outbound connection (malware-cnc.rules)
 * 1:31257 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rc1.arkinixik.net - Win.Trojan.Destoplug (blacklist.rules)
 * 1:31256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
 * 1:31255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
 * 1:31254 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT inbound connection to infected host (malware-cnc.rules)
 * 1:31253 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.pc-service-fm.de - HAVEX RAT (blacklist.rules)
 * 1:31252 <-> ENABLED <-> BLACKLIST DNS request for known malware domain toons.freesexycomics.com - HAVEX RAT (blacklist.rules)
 * 1:31251 <-> ENABLED <-> BLACKLIST DNS request for known malware domain swissitaly.com - HAVEX RAT (blacklist.rules)
 * 1:31250 <-> ENABLED <-> BLACKLIST DNS request for known malware domain simpsons.freesexycomics.com - HAVEX RAT (blacklist.rules)
 * 1:31249 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pekanin.freevar.com - HAVEX RAT (blacklist.rules)
 * 1:31248 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mahsms.ir - HAVEX RAT (blacklist.rules)
 * 1:31247 <-> ENABLED <-> BLACKLIST DNS request for known malware domain artem.sataev.com - HAVEX RAT (blacklist.rules)
 * 1:31246 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:31245 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:31244 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt (malware-cnc.rules)
 * 1:31243 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Necurs variant outbound connection (malware-cnc.rules)
 * 1:31242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Utishaf variant outbound connection attempt (malware-cnc.rules)
 * 1:31241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection attempt (malware-cnc.rules)
 * 1:31240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:7635 <-> DISABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
 * 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection attempt (malware-cnc.rules)
 * 1:30760 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file download request (file-identify.rules)
 * 1:30759 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
 * 1:30758 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
 * 1:30757 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
 * 1:20269 <-> DISABLED <-> FILE-IDENTIFY FON font file download request (file-identify.rules)
 * 1:20481 <-> DISABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
 * 1:21295 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
 * 1:21296 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
 * 1:30756 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
 * 1:21858 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt (file-pdf.rules)
 * 1:21859 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt (file-pdf.rules)
 * 1:22943 <-> DISABLED <-> FILE-IDENTIFY NAB file download request (file-identify.rules)
 * 1:22944 <-> DISABLED <-> FILE-IDENTIFY NAB file attachment detected (file-identify.rules)
 * 1:30532 <-> DISABLED <-> FILE-MULTIMEDIA CoCSoft Stream Download session (file-multimedia.rules)
 * 1:22945 <-> DISABLED <-> FILE-IDENTIFY NAB file attachment detected (file-identify.rules)
 * 1:22946 <-> DISABLED <-> FILE-IDENTIFY NAB file magic detected (file-identify.rules)
 * 1:23666 <-> DISABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
 * 1:23774 <-> DISABLED <-> FILE-IDENTIFY NAB file magic detected (file-identify.rules)
 * 1:29888 <-> DISABLED <-> FILE-OTHER Clam Anti-Virus TNEF file handling denial of service attempt (file-other.rules)
 * 1:29006 <-> DISABLED <-> FILE-IDENTIFY XWD image file attachment detected (file-identify.rules)
 * 1:29007 <-> DISABLED <-> FILE-IDENTIFY XWD image file attachment detected (file-identify.rules)
 * 1:29887 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Updates downloader - Win.Trojan.Upatre (blacklist.rules)
 * 1:29752 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center SOM authentication bypass attempt (server-webapp.rules)
 * 1:29614 <-> DISABLED <-> FILE-IDENTIFY XPS file download request (file-identify.rules)
 * 1:29613 <-> DISABLED <-> FILE-IDENTIFY XPS file attachment detected (file-identify.rules)
 * 1:29008 <-> DISABLED <-> FILE-IDENTIFY XWD image file download request (file-identify.rules)
 * 1:29612 <-> DISABLED <-> FILE-IDENTIFY XPS file attachment detected (file-identify.rules)