VRT Rules 2014-09-04
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the exploit-kit, file-identify, file-office, file-other, malware-cnc, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-09-04 14:55:31 UTC

Sourcefire VRT Rules Update

Date: 2014-09-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ecsudown outbound communication (malware-cnc.rules)
 * 1:31779 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing name overflow attempt (file-other.rules)
 * 1:31766 <-> DISABLED <-> SERVER-OTHER Cougar-LG addr parameter XSS attempt (server-other.rules)
 * 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:31778 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt (file-other.rules)
 * 1:31767 <-> DISABLED <-> SERVER-OTHER MRLG fastping echo reply memory corruption attempt (server-other.rules)
 * 1:31770 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jquery_datepicker domain decode attempt (exploit-kit.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31772 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cridex variant outbound connection (malware-cnc.rules)
 * 1:31777 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt (file-other.rules)
 * 1:31780 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing path overflow attempt (file-other.rules)
 * 1:31769 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound connection on non-standard port (exploit-kit.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)

Modified Rules:


 * 1:16519 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing name overflow attempt (file-other.rules)
 * 1:16518 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt (file-other.rules)
 * 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules)
 * 1:16517 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt (file-other.rules)
 * 1:16520 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing path overflow attempt (file-other.rules)
 * 3:30889 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
 * 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
 * 3:30890 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
 * 3:31451 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
 * 3:30888 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
 * 3:30886 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
 * 3:30885 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)

2014-09-04 14:55:31 UTC

Sourcefire VRT Rules Update

Date: 2014-09-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31780 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing path overflow attempt (file-other.rules)
 * 1:31779 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing name overflow attempt (file-other.rules)
 * 1:31778 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt (file-other.rules)
 * 1:31777 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt (file-other.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31772 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cridex variant outbound connection (malware-cnc.rules)
 * 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:31770 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jquery_datepicker domain decode attempt (exploit-kit.rules)
 * 1:31769 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound connection on non-standard port (exploit-kit.rules)
 * 1:31768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ecsudown outbound communication (malware-cnc.rules)
 * 1:31767 <-> DISABLED <-> SERVER-OTHER MRLG fastping echo reply memory corruption attempt (server-other.rules)
 * 1:31766 <-> DISABLED <-> SERVER-OTHER Cougar-LG addr parameter XSS attempt (server-other.rules)

Modified Rules:


 * 1:16517 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt (file-other.rules)
 * 1:16518 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt (file-other.rules)
 * 1:16519 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing name overflow attempt (file-other.rules)
 * 1:16520 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing path overflow attempt (file-other.rules)
 * 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules)
 * 3:30888 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
 * 3:30890 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
 * 3:31451 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
 * 3:30889 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
 * 3:30885 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
 * 3:30886 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
 * 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)

2014-09-04 14:55:31 UTC

Sourcefire VRT Rules Update

Date: 2014-09-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31780 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing path overflow attempt (file-other.rules)
 * 1:31777 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt (file-other.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31770 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jquery_datepicker domain decode attempt (exploit-kit.rules)
 * 1:31768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ecsudown outbound communication (malware-cnc.rules)
 * 1:31769 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound connection on non-standard port (exploit-kit.rules)
 * 1:31766 <-> DISABLED <-> SERVER-OTHER Cougar-LG addr parameter XSS attempt (server-other.rules)
 * 1:31767 <-> DISABLED <-> SERVER-OTHER MRLG fastping echo reply memory corruption attempt (server-other.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:31772 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cridex variant outbound connection (malware-cnc.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31778 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt (file-other.rules)
 * 1:31779 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing name overflow attempt (file-other.rules)

Modified Rules:


 * 1:16517 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt (file-other.rules)
 * 1:16520 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing path overflow attempt (file-other.rules)
 * 1:16518 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt (file-other.rules)
 * 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules)
 * 1:16519 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing name overflow attempt (file-other.rules)
 * 3:30890 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
 * 3:30885 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
 * 3:31451 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
 * 3:30886 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
 * 3:30888 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
 * 3:30889 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
 * 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)