VRT Rules 2014-08-14
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, malware-backdoor, malware-cnc, malware-other, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-08-14 14:49:43 UTC

Sourcefire VRT Rules Update

Date: 2014-08-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31646 <-> DISABLED <-> BROWSER-IE Internet Explorer 5 XML page object type validation (browser-ie.rules)
 * 1:31648 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox webcm command injection attempt (server-webapp.rules)
 * 1:31647 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox webcm command injection attempt (server-webapp.rules)
 * 1:31642 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
 * 1:31643 <-> ENABLED <-> BLACKLIST DNS request for known malware domain verify-terms.com - Andr.Trojan.Scarelocker (blacklist.rules)
 * 1:31638 <-> DISABLED <-> SERVER-WEBAPP Voodoo Chat index.php remote include path attempt (server-webapp.rules)
 * 1:31644 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Scarelocker outbound connection attempt (malware-cnc.rules)
 * 1:31650 <-> DISABLED <-> SERVER-MAIL Microsoft Windows Mail file execution attempt (server-mail.rules)
 * 1:31641 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
 * 1:31640 <-> ENABLED <-> BLACKLIST DNS request for known malware domain prepara.biricell.com.br - Win.Trojan.SpyBanker (blacklist.rules)
 * 1:31639 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hslh.sytes.net - Win.Worm.Jenxcus (blacklist.rules)
 * 1:31649 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:31636 <-> DISABLED <-> SERVER-WEBAPP Parallels Plesk Panel HTTP_AUTH_LOGIN SQL injection attempt (server-webapp.rules)
 * 1:31637 <-> DISABLED <-> SERVER-WEBAPP Ad Fundum Integrateable News Script remote include path attempt (server-webapp.rules)
 * 1:31645 <-> DISABLED <-> BROWSER-IE Internet Explorer 5 XML page object type validation (browser-ie.rules)

Modified Rules:


 * 1:6313 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - message response (malware-backdoor.rules)
 * 1:6315 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser response (malware-backdoor.rules)
 * 1:6317 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager response (malware-backdoor.rules)
 * 1:21378 <-> DISABLED <-> SERVER-OTHER Novell iPrint attributes-natural-language buffer overflow attempt (server-other.rules)
 * 1:6311 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password accepted (malware-backdoor.rules)
 * 1:26381 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:26382 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:20180 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovlogin.exe passwd parameter buffer overflow attempt (server-webapp.rules)
 * 1:26380 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:20179 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovlogin.exe userid parameter buffer overflow attempt (server-webapp.rules)
 * 1:11837 <-> DISABLED <-> SERVER-MAIL Microsoft Windows Mail file execution attempt (server-mail.rules)

2014-08-14 14:49:43 UTC

Sourcefire VRT Rules Update

Date: 2014-08-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31643 <-> ENABLED <-> BLACKLIST DNS request for known malware domain verify-terms.com - Andr.Trojan.Scarelocker (blacklist.rules)
 * 1:31638 <-> DISABLED <-> SERVER-WEBAPP Voodoo Chat index.php remote include path attempt (server-webapp.rules)
 * 1:31642 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
 * 1:31640 <-> ENABLED <-> BLACKLIST DNS request for known malware domain prepara.biricell.com.br - Win.Trojan.SpyBanker (blacklist.rules)
 * 1:31641 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
 * 1:31637 <-> DISABLED <-> SERVER-WEBAPP Ad Fundum Integrateable News Script remote include path attempt (server-webapp.rules)
 * 1:31639 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hslh.sytes.net - Win.Worm.Jenxcus (blacklist.rules)
 * 1:31636 <-> DISABLED <-> SERVER-WEBAPP Parallels Plesk Panel HTTP_AUTH_LOGIN SQL injection attempt (server-webapp.rules)
 * 1:31645 <-> DISABLED <-> BROWSER-IE Internet Explorer 5 XML page object type validation (browser-ie.rules)
 * 1:31647 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox webcm command injection attempt (server-webapp.rules)
 * 1:31649 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:31648 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox webcm command injection attempt (server-webapp.rules)
 * 1:31650 <-> DISABLED <-> SERVER-MAIL Microsoft Windows Mail file execution attempt (server-mail.rules)
 * 1:31646 <-> DISABLED <-> BROWSER-IE Internet Explorer 5 XML page object type validation (browser-ie.rules)
 * 1:31644 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Scarelocker outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:6317 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager response (malware-backdoor.rules)
 * 1:6315 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser response (malware-backdoor.rules)
 * 1:6311 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password accepted (malware-backdoor.rules)
 * 1:6313 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - message response (malware-backdoor.rules)
 * 1:21378 <-> DISABLED <-> SERVER-OTHER Novell iPrint attributes-natural-language buffer overflow attempt (server-other.rules)
 * 1:26382 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:26381 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:26380 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:20179 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovlogin.exe userid parameter buffer overflow attempt (server-webapp.rules)
 * 1:20180 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovlogin.exe passwd parameter buffer overflow attempt (server-webapp.rules)
 * 1:11837 <-> DISABLED <-> SERVER-MAIL Microsoft Windows Mail file execution attempt (server-mail.rules)

2014-08-14 14:49:43 UTC

Sourcefire VRT Rules Update

Date: 2014-08-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31650 <-> DISABLED <-> SERVER-MAIL Microsoft Windows Mail file execution attempt (server-mail.rules)
 * 1:31649 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:31648 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox webcm command injection attempt (server-webapp.rules)
 * 1:31647 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox webcm command injection attempt (server-webapp.rules)
 * 1:31646 <-> DISABLED <-> BROWSER-IE Internet Explorer 5 XML page object type validation (browser-ie.rules)
 * 1:31645 <-> DISABLED <-> BROWSER-IE Internet Explorer 5 XML page object type validation (browser-ie.rules)
 * 1:31644 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Scarelocker outbound connection attempt (malware-cnc.rules)
 * 1:31643 <-> ENABLED <-> BLACKLIST DNS request for known malware domain verify-terms.com - Andr.Trojan.Scarelocker (blacklist.rules)
 * 1:31642 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
 * 1:31641 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
 * 1:31640 <-> ENABLED <-> BLACKLIST DNS request for known malware domain prepara.biricell.com.br - Win.Trojan.SpyBanker (blacklist.rules)
 * 1:31639 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hslh.sytes.net - Win.Worm.Jenxcus (blacklist.rules)
 * 1:31638 <-> DISABLED <-> SERVER-WEBAPP Voodoo Chat index.php remote include path attempt (server-webapp.rules)
 * 1:31637 <-> DISABLED <-> SERVER-WEBAPP Ad Fundum Integrateable News Script remote include path attempt (server-webapp.rules)
 * 1:31636 <-> DISABLED <-> SERVER-WEBAPP Parallels Plesk Panel HTTP_AUTH_LOGIN SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:6317 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager response (malware-backdoor.rules)
 * 1:6313 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - message response (malware-backdoor.rules)
 * 1:6315 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser response (malware-backdoor.rules)
 * 1:26382 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:6311 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password accepted (malware-backdoor.rules)
 * 1:26380 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:26381 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:20180 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovlogin.exe passwd parameter buffer overflow attempt (server-webapp.rules)
 * 1:21378 <-> DISABLED <-> SERVER-OTHER Novell iPrint attributes-natural-language buffer overflow attempt (server-other.rules)
 * 1:11837 <-> DISABLED <-> SERVER-MAIL Microsoft Windows Mail file execution attempt (server-mail.rules)
 * 1:20179 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovlogin.exe userid parameter buffer overflow attempt (server-webapp.rules)