The VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-office, file-other, malware-backdoor, malware-cnc, malware-other, os-other and server-webapp rule sets to provide coverage for emerging threats.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31985 <-> ENABLED <-> OS-OTHER Malicious DHCP server bash environment variable injection attempt (os-other.rules)
* 1:31986 <-> ENABLED <-> FILE-OTHER Wireshark MPEG dissector stack buffer overflow attempt (file-other.rules)
* 1:31987 <-> ENABLED <-> FILE-OTHER Wireshark MPEG dissector stack buffer overflow attempt (file-other.rules)
* 1:31988 <-> ENABLED <-> EXPLOIT-KIT Gong da exploit kit landing page (exploit-kit.rules)
* 1:31989 <-> DISABLED <-> BLACKLIST DNS request for known malware domain hydrabad-ur.ddns.net - JavaAgent (blacklist.rules)
* 1:31990 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Install - Win.Backdoor.Upatre (blacklist.rules)
* 1:31991 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Treck - Win.Backdoor.Upatre (blacklist.rules)
* 1:31992 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31993 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31994 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31995 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31996 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31997 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31998 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31999 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:32000 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:32001 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:32002 <-> ENABLED <-> MALWARE-CNC Win.Worm.Zorenium variant outbound connection attempt (malware-cnc.rules)
* 1:32003 <-> DISABLED <-> SERVER-WEBAPP Drupal xmlrp internal entity expansion denial of service attempt (server-webapp.rules)
* 1:32004 <-> DISABLED <-> SERVER-WEBAPP Drupal xmlrp internal entity expansion denial of service attempt (server-webapp.rules)
* 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
* 1:32006 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
* 1:32007 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope UploadFilesHandler unauthorized file upload attempt (server-webapp.rules)
* 1:32008 <-> ENABLED <-> MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack (malware-other.rules)

* 1:20883 <-> DISABLED <-> FILE-OFFICE Microsoft Windows embedded packager object with .application extension bypass attempt (file-office.rules)
* 1:24723 <-> ENABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt (browser-plugins.rules)
* 1:31403 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
* 1:31404 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
* 1:31956 <-> ENABLED <-> SERVER-WEBAPP Rejetto HttpFileServer command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31985 <-> ENABLED <-> OS-OTHER Malicious DHCP server bash environment variable injection attempt (os-other.rules)
* 1:31986 <-> ENABLED <-> FILE-OTHER Wireshark MPEG dissector stack buffer overflow attempt (file-other.rules)
* 1:31987 <-> ENABLED <-> FILE-OTHER Wireshark MPEG dissector stack buffer overflow attempt (file-other.rules)
* 1:31988 <-> ENABLED <-> EXPLOIT-KIT Gong da exploit kit landing page (exploit-kit.rules)
* 1:31989 <-> DISABLED <-> BLACKLIST DNS request for known malware domain hydrabad-ur.ddns.net - JavaAgent (blacklist.rules)
* 1:31990 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Install - Win.Backdoor.Upatre (blacklist.rules)
* 1:31991 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Treck - Win.Backdoor.Upatre (blacklist.rules)
* 1:31992 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31993 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31994 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31995 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31996 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31997 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31998 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31999 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:32000 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:32001 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:32002 <-> ENABLED <-> MALWARE-CNC Win.Worm.Zorenium variant outbound connection attempt (malware-cnc.rules)
* 1:32003 <-> DISABLED <-> SERVER-WEBAPP Drupal xmlrp internal entity expansion denial of service attempt (server-webapp.rules)
* 1:32004 <-> DISABLED <-> SERVER-WEBAPP Drupal xmlrp internal entity expansion denial of service attempt (server-webapp.rules)
* 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
* 1:32006 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
* 1:32007 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope UploadFilesHandler unauthorized file upload attempt (server-webapp.rules)
* 1:32008 <-> ENABLED <-> MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack (malware-other.rules)

* 1:20883 <-> DISABLED <-> FILE-OFFICE Microsoft Windows embedded packager object with .application extension bypass attempt (file-office.rules)
* 1:24723 <-> ENABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt (browser-plugins.rules)
* 1:31403 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
* 1:31404 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
* 1:31956 <-> ENABLED <-> SERVER-WEBAPP Rejetto HttpFileServer command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31985 <-> ENABLED <-> OS-OTHER Malicious DHCP server bash environment variable injection attempt (os-other.rules)
* 1:31986 <-> ENABLED <-> FILE-OTHER Wireshark MPEG dissector stack buffer overflow attempt (file-other.rules)
* 1:31987 <-> ENABLED <-> FILE-OTHER Wireshark MPEG dissector stack buffer overflow attempt (file-other.rules)
* 1:31988 <-> ENABLED <-> EXPLOIT-KIT Gong da exploit kit landing page (exploit-kit.rules)
* 1:31989 <-> DISABLED <-> BLACKLIST DNS request for known malware domain hydrabad-ur.ddns.net - JavaAgent (blacklist.rules)
* 1:31990 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Install - Win.Backdoor.Upatre (blacklist.rules)
* 1:31991 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Treck - Win.Backdoor.Upatre (blacklist.rules)
* 1:31992 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31993 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31994 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31995 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31996 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31997 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31998 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:31999 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:32000 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:32001 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:32002 <-> ENABLED <-> MALWARE-CNC Win.Worm.Zorenium variant outbound connection attempt (malware-cnc.rules)
* 1:32003 <-> DISABLED <-> SERVER-WEBAPP Drupal xmlrp internal entity expansion denial of service attempt (server-webapp.rules)
* 1:32004 <-> DISABLED <-> SERVER-WEBAPP Drupal xmlrp internal entity expansion denial of service attempt (server-webapp.rules)
* 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
* 1:32006 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
* 1:32007 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope UploadFilesHandler unauthorized file upload attempt (server-webapp.rules)
* 1:32008 <-> ENABLED <-> MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack (malware-other.rules)

* 1:20883 <-> DISABLED <-> FILE-OFFICE Microsoft Windows embedded packager object with .application extension bypass attempt (file-office.rules)
* 1:24723 <-> ENABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt (browser-plugins.rules)
* 1:31403 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
* 1:31404 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
* 1:31956 <-> ENABLED <-> SERVER-WEBAPP Rejetto HttpFileServer command injection attempt (server-webapp.rules)