VRT Rules 2014-07-31
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, file-image, file-office, malware-cnc, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-07-31 16:42:24 UTC

Sourcefire VRT Rules Update

Date: 2014-07-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31585 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS .ipsum layout use-after-free attempt (browser-ie.rules)
 * 1:31584 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS .ipsum layout use-after-free attempt (browser-ie.rules)
 * 1:31583 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
 * 1:31582 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
 * 1:31581 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
 * 1:31580 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
 * 1:31579 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record attempt (file-office.rules)
 * 1:31578 <-> DISABLED <-> PROTOCOL-SNMP HP Huawei password disclosure attempt (protocol-snmp.rules)
 * 1:31577 <-> DISABLED <-> PROTOCOL-SNMP HP Huawei password disclosure attempt (protocol-snmp.rules)
 * 1:31576 <-> DISABLED <-> FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31575 <-> DISABLED <-> FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31574 <-> DISABLED <-> FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31573 <-> DISABLED <-> FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31572 <-> DISABLED <-> FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31571 <-> DISABLED <-> FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31570 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB mysql.cc buffer overflow attempt (server-mysql.rules)
 * 1:31569 <-> DISABLED <-> SERVER-WEBAPP Tiki Wiki 8.3 unserialize PHP remote code execution attempt (server-webapp.rules)
 * 1:31568 <-> DISABLED <-> SERVER-WEBAPP Invsionix Roaming System remote file include attempt (server-webapp.rules)
 * 1:31567 <-> DISABLED <-> SERVER-WEBAPP Gitlist remote command injection attempt (server-webapp.rules)
 * 1:31566 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedatingCMS.php remote file include attempt (server-webapp.rules)
 * 1:31565 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedatingCMS2.php remote file include attempt (server-webapp.rules)
 * 1:31564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke FTP data exfiltration (malware-cnc.rules)
 * 1:31563 <-> DISABLED <-> MALWARE-CNC Backdoor Elirks.A command and control traffic (malware-cnc.rules)
 * 1:31562 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word global array index heap overflow attempt (file-office.rules)
 * 1:31561 <-> ENABLED <-> SERVER-WEBAPP Wordpress MailPoet plugin successful theme file upload detected (server-webapp.rules)
 * 1:31560 <-> ENABLED <-> SERVER-WEBAPP Wordpress MailPoet plugin theme file upload attempt (server-webapp.rules)

Modified Rules:


 * 1:16809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FraudPack variant outbound connection (malware-cnc.rules)
 * 1:16820 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
 * 1:17560 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word global array index heap overflow attempt (file-office.rules)
 * 1:20124 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record attempt (file-office.rules)
 * 1:20680 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedating4CMS.php remote file include attempt (server-webapp.rules)
 * 1:20728 <-> DISABLED <-> SERVER-WEBAPP WoW Roster remote file include with hslist.php and conf.php attempt (server-webapp.rules)
 * 1:25667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nflog variant outbound connection (malware-cnc.rules)
 * 1:25668 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nflog variant outbound connection (malware-cnc.rules)
 * 1:26777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy variant outbound connection (malware-cnc.rules)
 * 1:27201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound communication (malware-cnc.rules)
 * 1:29754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)
 * 1:29760 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string MSIE 4.01 - Win.Trojan.Careto (blacklist.rules)
 * 1:8441 <-> DISABLED <-> SERVER-WEBAPP McAfee header buffer overflow attempt (server-webapp.rules)

2014-07-31 16:42:24 UTC

Sourcefire VRT Rules Update

Date: 2014-07-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31581 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
 * 1:31569 <-> DISABLED <-> SERVER-WEBAPP Tiki Wiki 8.3 unserialize PHP remote code execution attempt (server-webapp.rules)
 * 1:31567 <-> DISABLED <-> SERVER-WEBAPP Gitlist remote command injection attempt (server-webapp.rules)
 * 1:31570 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB mysql.cc buffer overflow attempt (server-mysql.rules)
 * 1:31571 <-> DISABLED <-> FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31573 <-> DISABLED <-> FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31560 <-> ENABLED <-> SERVER-WEBAPP Wordpress MailPoet plugin theme file upload attempt (server-webapp.rules)
 * 1:31561 <-> ENABLED <-> SERVER-WEBAPP Wordpress MailPoet plugin successful theme file upload detected (server-webapp.rules)
 * 1:31562 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word global array index heap overflow attempt (file-office.rules)
 * 1:31563 <-> DISABLED <-> MALWARE-CNC Backdoor Elirks.A command and control traffic (malware-cnc.rules)
 * 1:31574 <-> DISABLED <-> FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke FTP data exfiltration (malware-cnc.rules)
 * 1:31565 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedatingCMS2.php remote file include attempt (server-webapp.rules)
 * 1:31566 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedatingCMS.php remote file include attempt (server-webapp.rules)
 * 1:31575 <-> DISABLED <-> FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31576 <-> DISABLED <-> FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31577 <-> DISABLED <-> PROTOCOL-SNMP HP Huawei password disclosure attempt (protocol-snmp.rules)
 * 1:31578 <-> DISABLED <-> PROTOCOL-SNMP HP Huawei password disclosure attempt (protocol-snmp.rules)
 * 1:31579 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record attempt (file-office.rules)
 * 1:31580 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
 * 1:31582 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
 * 1:31583 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
 * 1:31572 <-> DISABLED <-> FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31585 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS .ipsum layout use-after-free attempt (browser-ie.rules)
 * 1:31584 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS .ipsum layout use-after-free attempt (browser-ie.rules)
 * 1:31568 <-> DISABLED <-> SERVER-WEBAPP Invsionix Roaming System remote file include attempt (server-webapp.rules)

Modified Rules:


 * 1:8441 <-> DISABLED <-> SERVER-WEBAPP McAfee header buffer overflow attempt (server-webapp.rules)
 * 1:29760 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string MSIE 4.01 - Win.Trojan.Careto (blacklist.rules)
 * 1:27201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound communication (malware-cnc.rules)
 * 1:25668 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nflog variant outbound connection (malware-cnc.rules)
 * 1:26777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy variant outbound connection (malware-cnc.rules)
 * 1:20680 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedating4CMS.php remote file include attempt (server-webapp.rules)
 * 1:20728 <-> DISABLED <-> SERVER-WEBAPP WoW Roster remote file include with hslist.php and conf.php attempt (server-webapp.rules)
 * 1:17560 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word global array index heap overflow attempt (file-office.rules)
 * 1:20124 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record attempt (file-office.rules)
 * 1:16809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FraudPack variant outbound connection (malware-cnc.rules)
 * 1:16820 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
 * 1:25667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nflog variant outbound connection (malware-cnc.rules)
 * 1:29754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)

2014-07-31 16:42:24 UTC

Sourcefire VRT Rules Update

Date: 2014-07-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31585 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS .ipsum layout use-after-free attempt (browser-ie.rules)
 * 1:31581 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
 * 1:31569 <-> DISABLED <-> SERVER-WEBAPP Tiki Wiki 8.3 unserialize PHP remote code execution attempt (server-webapp.rules)
 * 1:31560 <-> ENABLED <-> SERVER-WEBAPP Wordpress MailPoet plugin theme file upload attempt (server-webapp.rules)
 * 1:31561 <-> ENABLED <-> SERVER-WEBAPP Wordpress MailPoet plugin successful theme file upload detected (server-webapp.rules)
 * 1:31562 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word global array index heap overflow attempt (file-office.rules)
 * 1:31563 <-> DISABLED <-> MALWARE-CNC Backdoor Elirks.A command and control traffic (malware-cnc.rules)
 * 1:31571 <-> DISABLED <-> FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31580 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
 * 1:31572 <-> DISABLED <-> FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31565 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedatingCMS2.php remote file include attempt (server-webapp.rules)
 * 1:31573 <-> DISABLED <-> FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31574 <-> DISABLED <-> FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31566 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedatingCMS.php remote file include attempt (server-webapp.rules)
 * 1:31575 <-> DISABLED <-> FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31576 <-> DISABLED <-> FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt (file-image.rules)
 * 1:31577 <-> DISABLED <-> PROTOCOL-SNMP HP Huawei password disclosure attempt (protocol-snmp.rules)
 * 1:31578 <-> DISABLED <-> PROTOCOL-SNMP HP Huawei password disclosure attempt (protocol-snmp.rules)
 * 1:31567 <-> DISABLED <-> SERVER-WEBAPP Gitlist remote command injection attempt (server-webapp.rules)
 * 1:31564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke FTP data exfiltration (malware-cnc.rules)
 * 1:31582 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
 * 1:31570 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB mysql.cc buffer overflow attempt (server-mysql.rules)
 * 1:31583 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
 * 1:31579 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record attempt (file-office.rules)
 * 1:31584 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS .ipsum layout use-after-free attempt (browser-ie.rules)
 * 1:31568 <-> DISABLED <-> SERVER-WEBAPP Invsionix Roaming System remote file include attempt (server-webapp.rules)

Modified Rules:


 * 1:20680 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedating4CMS.php remote file include attempt (server-webapp.rules)
 * 1:8441 <-> DISABLED <-> SERVER-WEBAPP McAfee header buffer overflow attempt (server-webapp.rules)
 * 1:29760 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string MSIE 4.01 - Win.Trojan.Careto (blacklist.rules)
 * 1:16809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FraudPack variant outbound connection (malware-cnc.rules)
 * 1:27201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound communication (malware-cnc.rules)
 * 1:17560 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word global array index heap overflow attempt (file-office.rules)
 * 1:25667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nflog variant outbound connection (malware-cnc.rules)
 * 1:16820 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
 * 1:20124 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record attempt (file-office.rules)
 * 1:20728 <-> DISABLED <-> SERVER-WEBAPP WoW Roster remote file include with hslist.php and conf.php attempt (server-webapp.rules)
 * 1:25668 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nflog variant outbound connection (malware-cnc.rules)
 * 1:26777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy variant outbound connection (malware-cnc.rules)
 * 1:29754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)