The Sourcefire VRT has added and modified multiple rules in the browser-ie, exploit-kit, file-flash, file-java, file-other, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31364 <-> DISABLED <-> SERVER-WEBAPP FlashGameScript index.php func parameter PHP remote file include attempt (server-webapp.rules)
* 1:31372 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)
* 1:31367 <-> ENABLED <-> FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt (file-java.rules)
* 1:31365 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:31363 <-> DISABLED <-> SERVER-WEBAPP MF Piadas admin.php page parameter PHP remote file include attempt (server-webapp.rules)
* 1:31362 <-> DISABLED <-> SERVER-WEBAPP MiniBB PHP arbitrary remote code execution attempt (server-webapp.rules)
* 1:31368 <-> DISABLED <-> SERVER-WEBAPP WebBBS arbitrary system command execution attempt (server-webapp.rules)
* 1:31370 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit redirection page (exploit-kit.rules)
* 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31366 <-> ENABLED <-> FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt (file-java.rules)
* 1:31298 <-> DISABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit landing page (exploit-kit.rules)
* 1:31217 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Server meeting URL XSS attempt (os-windows.rules)
* 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
* 1:19826 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
* 1:20731 <-> DISABLED <-> SERVER-WEBAPP TSEP tsep_config absPath parameter PHP remote file include attempt (server-webapp.rules)
* 1:25810 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:25811 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:26230 <-> DISABLED <-> SERVER-WEBAPP Alcatel-Lucent OmniPCX arbitrary command execution attempt (server-webapp.rules)
* 1:27937 <-> ENABLED <-> SERVER-OTHER HP ProCurve Manager SNAC UpdateCertificatesServlet directory traversal attempt (server-other.rules)
* 3:18504 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionConstantPool overflow attempt (file-flash.rules)
* 3:18505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush overflow attempt (file-flash.rules)
* 3:18502 <-> ENABLED <-> FILE-FLASH Adobe Flash ActionScript ActionIf out of range negative offset attempt (file-flash.rules)
* 3:18444 <-> ENABLED <-> FILE-FLASH Adobe Flash forged atom type attempt (file-flash.rules)
* 3:16150 <-> ENABLED <-> BROWSER-IE Internet Explorer variant argument validation remote code execution attempt (browser-ie.rules)
* 3:16504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 encoded content handling exploit attempt (browser-ie.rules)
* 3:16505 <-> ENABLED <-> BROWSER-IE Microsoft IE HTML parsing memory corruption attempt (browser-ie.rules)
* 3:16509 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer designMode-enabled information disclosure attempt (browser-ie.rules)
* 3:17115 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt (browser-ie.rules)
* 3:18180 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript remote code execution attempt (file-flash.rules)
* 3:18672 <-> ENABLED <-> BROWSER-IE Microsoft IE8 Developer Tool ActiveX clsid access (browser-ie.rules)
* 3:18421 <-> ENABLED <-> FILE-FLASH Adobe Flash player ActionScript beginGradientFill memory corruption attempt (file-flash.rules)
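The "gid:sid <-> Default rule state <-> Message (rule group)" format above is regular enough to process by machine, which is how most operators consume these notes: find out what changed, and find out which new rules ship DISABLED and therefore do nothing until someone turns them on. The following is an added example written for this page; it is not part of the Sourcefire/Snort release notes or of any Snort tooling. It parses entries even when they are run together on one line or split across a line break (as they are in the extracted text here), lists the rules that ship DISABLED, emits them one gid:sid per line (the form pulledpork's enablesid.conf accepts), and diffs two releases. The sample input is constructed from entries on this page; the "later release" in which 1:31364 is shipped ENABLED is a hypothetical scenario for the diff, not something the page reports.

```python
"""Parse Snort/VRT rule-pack release notes in the form
    gid:sid <-> Default rule state <-> Message (rule group)
into records, report rules shipped DISABLED, and diff two releases.
Added example; not part of the original release notes."""
import re
from collections import Counter
from typing import NamedTuple


class Rule(NamedTuple):
    gid: int
    sid: int
    enabled: bool
    msg: str
    group: str  # rule file, e.g. "server-webapp.rules"


# One entry: "* gid:sid <-> STATE <-> message (group.rules)".  The extracted
# notes run many entries together on one line and even break an entry across
# a newline, so we scan the whole text and allow any whitespace (DOTALL lets
# the non-greedy message span a line break) between fields.
ENTRY = re.compile(
    r"\*\s*(\d+):(\d+)\s*<->\s*(ENABLED|DISABLED)\s*<->\s*(.*?)\s*\(([\w.-]+\.rules)\)",
    re.DOTALL,
)


def parse_release_notes(text: str) -> list[Rule]:
    """Return every entry found in the text, in document order."""
    return [
        Rule(int(gid), int(sid), state == "ENABLED", " ".join(msg.split()), group)
        for gid, sid, state, msg, group in ENTRY.findall(text)
    ]


def disabled_by_default(rules: list[Rule]) -> list[Rule]:
    """Rules that do nothing after a default update until enabled locally."""
    return [r for r in rules if not r.enabled]


def count_by_group(rules: list[Rule]) -> dict[str, int]:
    return dict(Counter(r.group for r in rules))


def enablesid_lines(rules: list[Rule]) -> list[str]:
    """One gid:sid per line, the form pulledpork's enablesid.conf accepts."""
    return [f"{r.gid}:{r.sid}" for r in sorted(rules)]


def diff_releases(old_text: str, new_text: str):
    """(added, removed, state_flipped) as sorted lists of (gid, sid) keys."""
    old = {(r.gid, r.sid): r for r in parse_release_notes(old_text)}
    new = {(r.gid, r.sid): r for r in parse_release_notes(new_text)}
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    flipped = sorted(k for k in set(old) & set(new) if old[k].enabled != new[k].enabled)
    return added, removed, flipped


# Constructed input: four entries copied from the page, run together on one
# line and split across a line break exactly as the extracted notes are.
SAMPLE_2956 = (
    "* 1:31364 <-> DISABLED <-> SERVER-WEBAPP FlashGameScript index.php func parameter "
    "PHP remote file include attempt (server-webapp.rules) * 1:31372 <-> ENABLED <-> "
    "EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)\n"
    "* 3:16504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 encoded content "
    "handling exploit attempt \n(browser-ie.rules) * 3:18502 <-> ENABLED <-> FILE-FLASH "
    "Adobe Flash ActionScript ActionIf out of range negative offset attempt (file-flash.rules)\n"
)

# Constructed, hypothetical "later release" for the diff: 1:31364 now ships
# ENABLED and 1:29443 (another SID from the page) is added.  Not something the
# page reports; it exists only to exercise diff_releases().
SAMPLE_LATER = SAMPLE_2956.replace("1:31364 <-> DISABLED", "1:31364 <-> ENABLED") + (
    "* 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt "
    "(exploit-kit.rules)\n"
)

if __name__ == "__main__":
    rules = parse_release_notes(SAMPLE_2956)
    print(f"{len(rules)} rules; per group: {count_by_group(rules)}")
    print("shipped DISABLED:")
    for r in disabled_by_default(rules):
        print(f"  {r.gid}:{r.sid}  {r.msg}")
    print("enablesid.conf lines:", enablesid_lines(disabled_by_default(rules)))
    added, removed, flipped = diff_releases(SAMPLE_2956, SAMPLE_LATER)
    print(f"added={added} removed={removed} state_flipped={flipped}")
```

Whitespace between the `<->` separators is deliberately loose: the parser has to survive the same line-wrapping damage the page shows, where `(browser-ie.rules)` lands on the next line after its message. Everything in the server-webapp group on this page ships DISABLED, so an operator hosting any of those applications has to enable those SIDs explicitly; the diff is the check to run between two releases so that a rule changing default state is not missed.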
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31370 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit redirection page (exploit-kit.rules)
* 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31368 <-> DISABLED <-> SERVER-WEBAPP WebBBS arbitrary system command execution attempt (server-webapp.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:31366 <-> ENABLED <-> FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt (file-java.rules)
* 1:31367 <-> ENABLED <-> FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt (file-java.rules)
* 1:31364 <-> DISABLED <-> SERVER-WEBAPP FlashGameScript index.php func parameter PHP remote file include attempt (server-webapp.rules)
* 1:31365 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
* 1:31363 <-> DISABLED <-> SERVER-WEBAPP MF Piadas admin.php page parameter PHP remote file include attempt (server-webapp.rules)
* 1:31372 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)
* 1:31362 <-> DISABLED <-> SERVER-WEBAPP MiniBB PHP arbitrary remote code execution attempt (server-webapp.rules)
* 1:19826 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
* 1:20731 <-> DISABLED <-> SERVER-WEBAPP TSEP tsep_config absPath parameter PHP remote file include attempt (server-webapp.rules)
* 1:25810 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:25811 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:31217 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Server meeting URL XSS attempt (os-windows.rules)
* 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
* 1:31298 <-> DISABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit landing page (exploit-kit.rules)
* 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:27937 <-> ENABLED <-> SERVER-OTHER HP ProCurve Manager SNAC UpdateCertificatesServlet directory traversal attempt (server-other.rules)
* 1:26230 <-> DISABLED <-> SERVER-WEBAPP Alcatel-Lucent OmniPCX arbitrary command execution attempt (server-webapp.rules)
* 3:16150 <-> ENABLED <-> BROWSER-IE Internet Explorer variant argument validation remote code execution attempt (browser-ie.rules)
* 3:16504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 encoded content handling exploit attempt (browser-ie.rules)
* 3:16505 <-> ENABLED <-> BROWSER-IE Microsoft IE HTML parsing memory corruption attempt (browser-ie.rules)
* 3:16509 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer designMode-enabled information disclosure attempt (browser-ie.rules)
* 3:18504 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionConstantPool overflow attempt (file-flash.rules)
* 3:18502 <-> ENABLED <-> FILE-FLASH Adobe Flash ActionScript ActionIf out of range negative offset attempt (file-flash.rules)
* 3:18505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush overflow attempt (file-flash.rules)
* 3:18444 <-> ENABLED <-> FILE-FLASH Adobe Flash forged atom type attempt (file-flash.rules)
* 3:17115 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt (browser-ie.rules)
* 3:18180 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript remote code execution attempt (file-flash.rules)
* 3:18672 <-> ENABLED <-> BROWSER-IE Microsoft IE8 Developer Tool ActiveX clsid access (browser-ie.rules)
* 3:18421 <-> ENABLED <-> FILE-FLASH Adobe Flash player ActionScript beginGradientFill memory corruption attempt (file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31372 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)
* 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31370 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit redirection page (exploit-kit.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:31368 <-> DISABLED <-> SERVER-WEBAPP WebBBS arbitrary system command execution attempt (server-webapp.rules)
* 1:31367 <-> ENABLED <-> FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt (file-java.rules)
* 1:31366 <-> ENABLED <-> FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt (file-java.rules)
* 1:31365 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
* 1:31364 <-> DISABLED <-> SERVER-WEBAPP FlashGameScript index.php func parameter PHP remote file include attempt (server-webapp.rules)
* 1:31363 <-> DISABLED <-> SERVER-WEBAPP MF Piadas admin.php page parameter PHP remote file include attempt (server-webapp.rules)
* 1:31362 <-> DISABLED <-> SERVER-WEBAPP MiniBB PHP arbitrary remote code execution attempt (server-webapp.rules)
* 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:19826 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
* 1:20731 <-> DISABLED <-> SERVER-WEBAPP TSEP tsep_config absPath parameter PHP remote file include attempt (server-webapp.rules)
* 1:25810 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:25811 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:31298 <-> DISABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit landing page (exploit-kit.rules)
* 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
* 1:31217 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Server meeting URL XSS attempt (os-windows.rules)
* 1:27937 <-> ENABLED <-> SERVER-OTHER HP ProCurve Manager SNAC UpdateCertificatesServlet directory traversal attempt (server-other.rules)
* 1:26230 <-> DISABLED <-> SERVER-WEBAPP Alcatel-Lucent OmniPCX arbitrary command execution attempt (server-webapp.rules)
* 3:18505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush overflow attempt (file-flash.rules)
* 3:18502 <-> ENABLED <-> FILE-FLASH Adobe Flash ActionScript ActionIf out of range negative offset attempt (file-flash.rules)
* 3:18444 <-> ENABLED <-> FILE-FLASH Adobe Flash forged atom type attempt (file-flash.rules)
* 3:18672 <-> ENABLED <-> BROWSER-IE Microsoft IE8 Developer Tool ActiveX clsid access (browser-ie.rules)
* 3:16150 <-> ENABLED <-> BROWSER-IE Internet Explorer variant argument validation remote code execution attempt (browser-ie.rules)
* 3:16504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 encoded content handling exploit attempt (browser-ie.rules)
* 3:16505 <-> ENABLED <-> BROWSER-IE Microsoft IE HTML parsing memory corruption attempt (browser-ie.rules)
* 3:18504 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionConstantPool overflow attempt (file-flash.rules)
* 3:16509 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer designMode-enabled information disclosure attempt (browser-ie.rules)
* 3:17115 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt (browser-ie.rules)
* 3:18180 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript remote code execution attempt (file-flash.rules)
* 3:18421 <-> ENABLED <-> FILE-FLASH Adobe Flash player ActionScript beginGradientFill memory corruption attempt (file-flash.rules)