The VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-office, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:31417 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent blacksun - Win.Trojan.Blacksun (blacklist.rules)
* 1:31418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Subla variant outbound connection (malware-cnc.rules)
* 1:31419 <-> DISABLED <-> SERVER-WEBAPP PHPMyAdmin file inclusion arbitrary command execution attempt (server-webapp.rules)
* 1:31420 <-> DISABLED <-> FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt (file-office.rules)
* 1:31421 <-> DISABLED <-> FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt (file-office.rules)
* 1:31422 <-> DISABLED <-> BLACKLIST USER-AGENT known malicious user-agent string Cactus (blacklist.rules)
* 1:31423 <-> ENABLED <-> BLACKLIST DNS request for known malware domain indo.msname.org (blacklist.rules)
* 1:31424 <-> ENABLED <-> MALWARE-CNC Kegis.A outbound connection (malware-cnc.rules)
* 1:31425 <-> DISABLED <-> SERVER-WEBAPP PHP Simple Shop abs_path parameter PHP remote file include attempt (server-webapp.rules)
* 1:31426 <-> DISABLED <-> SERVER-WEBAPP Jevontech PHPenpals PersonalID SQL injection attempt (server-webapp.rules)
* 1:31427 <-> ENABLED <-> FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt (file-other.rules)
* 1:31428 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
* 1:31429 <-> DISABLED <-> SERVER-WEBAPP Microsoft Sharepoint server callback function cross-site scripting attempt (server-webapp.rules)
Modified Rules:

* 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control ActiveX clsid access (browser-plugins.rules)
* 1:15100 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX clsid access (browser-plugins.rules)
* 1:15102 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX function call access (browser-plugins.rules)
* 1:20020 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MalwareDoctor variant outbound connection attempt (malware-cnc.rules)
* 1:21308 <-> ENABLED <-> FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt (file-other.rules)
* 1:25246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
* 1:28832 <-> DISABLED <-> FILE-OTHER Multiple Products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:28838 <-> DISABLED <-> FILE-OTHER Multiple Products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:29676 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CRootElement Object use after free attempt (browser-ie.rules)
* 1:31304 <-> DISABLED <-> SERVER-WEBAPP PocketPAD brute-force login attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:31417 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent blacksun - Win.Trojan.Blacksun (blacklist.rules)
* 1:31418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Subla variant outbound connection (malware-cnc.rules)
* 1:31419 <-> DISABLED <-> SERVER-WEBAPP PHPMyAdmin file inclusion arbitrary command execution attempt (server-webapp.rules)
* 1:31420 <-> DISABLED <-> FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt (file-office.rules)
* 1:31421 <-> DISABLED <-> FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt (file-office.rules)
* 1:31422 <-> DISABLED <-> BLACKLIST USER-AGENT known malicious user-agent string Cactus (blacklist.rules)
* 1:31423 <-> ENABLED <-> BLACKLIST DNS request for known malware domain indo.msname.org (blacklist.rules)
* 1:31424 <-> ENABLED <-> MALWARE-CNC Kegis.A outbound connection (malware-cnc.rules)
* 1:31425 <-> DISABLED <-> SERVER-WEBAPP PHP Simple Shop abs_path parameter PHP remote file include attempt (server-webapp.rules)
* 1:31426 <-> DISABLED <-> SERVER-WEBAPP Jevontech PHPenpals PersonalID SQL injection attempt (server-webapp.rules)
* 1:31427 <-> ENABLED <-> FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt (file-other.rules)
* 1:31428 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
* 1:31429 <-> DISABLED <-> SERVER-WEBAPP Microsoft Sharepoint server callback function cross-site scripting attempt (server-webapp.rules)
Modified Rules:

* 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control ActiveX clsid access (browser-plugins.rules)
* 1:15100 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX clsid access (browser-plugins.rules)
* 1:15102 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX function call access (browser-plugins.rules)
* 1:20020 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MalwareDoctor variant outbound connection attempt (malware-cnc.rules)
* 1:21308 <-> ENABLED <-> FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt (file-other.rules)
* 1:25246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
* 1:28832 <-> DISABLED <-> FILE-OTHER Multiple Products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:28838 <-> DISABLED <-> FILE-OTHER Multiple Products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:29676 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CRootElement Object use after free attempt (browser-ie.rules)
* 1:31304 <-> DISABLED <-> SERVER-WEBAPP PocketPAD brute-force login attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:31417 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent blacksun - Win.Trojan.Blacksun (blacklist.rules)
* 1:31418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Subla variant outbound connection (malware-cnc.rules)
* 1:31419 <-> DISABLED <-> SERVER-WEBAPP PHPMyAdmin file inclusion arbitrary command execution attempt (server-webapp.rules)
* 1:31420 <-> DISABLED <-> FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt (file-office.rules)
* 1:31421 <-> DISABLED <-> FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt (file-office.rules)
* 1:31422 <-> DISABLED <-> BLACKLIST USER-AGENT known malicious user-agent string Cactus (blacklist.rules)
* 1:31423 <-> ENABLED <-> BLACKLIST DNS request for known malware domain indo.msname.org (blacklist.rules)
* 1:31424 <-> ENABLED <-> MALWARE-CNC Kegis.A outbound connection (malware-cnc.rules)
* 1:31425 <-> DISABLED <-> SERVER-WEBAPP PHP Simple Shop abs_path parameter PHP remote file include attempt (server-webapp.rules)
* 1:31426 <-> DISABLED <-> SERVER-WEBAPP Jevontech PHPenpals PersonalID SQL injection attempt (server-webapp.rules)
* 1:31427 <-> ENABLED <-> FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt (file-other.rules)
* 1:31428 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
* 1:31429 <-> DISABLED <-> SERVER-WEBAPP Microsoft Sharepoint server callback function cross-site scripting attempt (server-webapp.rules)
Modified Rules:

* 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control ActiveX clsid access (browser-plugins.rules)
* 1:15100 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX clsid access (browser-plugins.rules)
* 1:15102 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX function call access (browser-plugins.rules)
* 1:20020 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MalwareDoctor variant outbound connection attempt (malware-cnc.rules)
* 1:21308 <-> ENABLED <-> FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt (file-other.rules)
* 1:25246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
* 1:28832 <-> DISABLED <-> FILE-OTHER Multiple Products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:28838 <-> DISABLED <-> FILE-OTHER Multiple Products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:29676 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CRootElement Object use after free attempt (browser-ie.rules)
* 1:31304 <-> DISABLED <-> SERVER-WEBAPP PocketPAD brute-force login attempt (server-webapp.rules)
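The three per-version lists above all use the same "gid:sid <-> Default rule state <-> Message (rule group)" format, and a practitioner reviewing a release usually wants two things from it: which rules ship DISABLED in the groups they care about (so they can opt in), and confirmation that the lists for the different Snort versions really name the same rules. The script below is an added example written for this page, not code from the VRT or the Snort project. It parses that format (including the run-together "* ... * ..." form the lists arrive in when copied from the web), tags each entry with the "New Rules:"/"Modified Rules:" label when present, counts entries per rule file and default state, emits one "gid:sid" line per disabled rule in chosen groups, and compares two lists as sets. The sample text embedded in it is an excerpt of the entries above; the claim that PulledPork's enablesid.conf accepts one "gid:sid" per line is an assumption stated in the code, not something this page documents.

```python
"""Parse a VRT rule-pack change list of the form
    gid:sid <-> Default rule state <-> Message (rule group)
Added example for this page; not code from the VRT or the Snort project."""
import re
from collections import Counter
from dataclasses import dataclass

# One entry per line, after bullet normalisation. The message is taken lazily so the
# trailing "(xxx.rules)" group is captured separately.
ENTRY_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)$"
)
# Copied announcements often have every entry on one line separated by " * ";
# this puts each entry back on its own line before matching.
BULLET_RE = re.compile(r"\s*\*\s+(?=\d+:\d+\s*<->)")


@dataclass(frozen=True)
class RuleEntry:
    section: str   # "New Rules" / "Modified Rules" when the list carries that label, else ""
    gid: int
    sid: int
    state: str     # default state as shipped: ENABLED or DISABLED
    msg: str
    group: str     # rule file, e.g. "server-webapp.rules"


def parse_changelist(text: str) -> list[RuleEntry]:
    """Parse a change list; a malformed entry raises instead of being silently dropped."""
    entries: list[RuleEntry] = []
    section = ""
    for raw in BULLET_RE.sub("\n", text).splitlines():
        line = raw.strip()
        if not line:
            continue
        if "<->" not in line:
            if line.endswith(":"):           # "New Rules:" / "Modified Rules:" label
                section = line[:-1]
            continue                          # any other prose line
        if line.startswith("gid:sid"):        # the format-description line itself
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"malformed entry: {line!r}")
        entries.append(RuleEntry(section, int(m["gid"]), int(m["sid"]),
                                 m["state"], m["msg"], m["group"]))
    return entries


def count_by_group_and_state(entries):
    """How many entries each rule file has, split by default state."""
    return Counter((e.group, e.state) for e in entries)


def enablesid_lines(entries, groups):
    """'gid:sid' lines for rules shipped DISABLED in the chosen groups, sorted numerically.
    Assumption: this one-rule-per-line form is what PulledPork's enablesid.conf takes."""
    picked = [e for e in entries if e.state == "DISABLED" and e.group in groups]
    return [f"{e.gid}:{e.sid}" for e in sorted(picked, key=lambda e: (e.gid, e.sid))]


def same_rule_set(a, b):
    """True if two lists name the same (gid, sid, state) triples, regardless of order."""
    return {(e.gid, e.sid, e.state) for e in a} == {(e.gid, e.sid, e.state) for e in b}


# Excerpt of the lists above, in the run-together form a web copy produces.
SAMPLE_2961 = """
New Rules:
* 1:31429 <-> DISABLED <-> SERVER-WEBAPP Microsoft Sharepoint server callback function cross-site scripting attempt (server-webapp.rules) * 1:31428 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules) * 1:31423 <-> ENABLED <-> BLACKLIST DNS request for known malware domain indo.msname.org (blacklist.rules)
Modified Rules:
* 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control ActiveX clsid access (browser-plugins.rules)
* 1:21308 <-> ENABLED <-> FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt (file-other.rules)
* 1:31304 <-> DISABLED <-> SERVER-WEBAPP PocketPAD brute-force login attempt (server-webapp.rules)
"""
# Same entries in a different order and without section labels, as the other versions' lists are.
SAMPLE_2960 = """
* 1:31304 <-> DISABLED <-> SERVER-WEBAPP PocketPAD brute-force login attempt (server-webapp.rules)
* 1:31423 <-> ENABLED <-> BLACKLIST DNS request for known malware domain indo.msname.org (blacklist.rules)
* 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control ActiveX clsid access (browser-plugins.rules)
* 1:31428 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt (browser-ie.rules)
* 1:21308 <-> ENABLED <-> FILE-OTHER Microsoft Windows C Run-Time Library remote code execution attempt (file-other.rules)
* 1:31429 <-> DISABLED <-> SERVER-WEBAPP Microsoft Sharepoint server callback function cross-site scripting attempt (server-webapp.rules)
"""

if __name__ == "__main__":
    a, b = parse_changelist(SAMPLE_2961), parse_changelist(SAMPLE_2960)
    for (group, state), n in sorted(count_by_group_and_state(a).items()):
        print(f"{group:24s} {state:9s} {n}")
    print("enablesid.conf candidates:", enablesid_lines(a, {"server-webapp.rules"}))
    print("2961 and 2960 lists identical:", same_rule_set(a, b))
```

Feed it the full lists from the announcement (one per Snort version) and `same_rule_set` makes the cross-version check explicit, while `enablesid_lines` restricted to the groups relevant to your environment gives you the opt-in list for the rules that ship DISABLED, which is most of the server-webapp and browser-plugins entries above.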