VRT Rules 2014-10-02
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, file-office, file-pdf, malware-backdoor, malware-cnc, os-other and server-webapp rule sets to provide coverage for emerging threats involving these technologies.

Change logs

2014-10-02 15:10:57 UTC

Sourcefire VRT Rules Update

Date: 2014-10-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
 * 1:32056 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
 * 1:32046 <-> ENABLED <-> OS-OTHER Bash redir_stack here document handling denial of service attempt (os-other.rules)
 * 1:32045 <-> ENABLED <-> OS-OTHER Bash redir_stack here document handling denial of service attempt (os-other.rules)
 * 1:32065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox inbound connection attempt (malware-cnc.rules)
 * 1:32047 <-> ENABLED <-> OS-OTHER Bash CGI nested loops word_lineno denial of service attempt (os-other.rules)
 * 1:32044 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
 * 1:32048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lecpetex variant outbound connection attempt (malware-cnc.rules)
 * 1:32049 <-> ENABLED <-> OS-OTHER Bash CGI nested loops word_lineno denial of service attempt (os-other.rules)
 * 1:32050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Larosden variant outbound connection attempt (malware-cnc.rules)
 * 1:32051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.xsser.com (blacklist.rules)
 * 1:32052 <-> ENABLED <-> BLACKLIST User-Agent Xsser mRAT user-agent (blacklist.rules)
 * 1:32053 <-> ENABLED <-> MALWARE-CNC Xsser mRAT GPS data upload (malware-cnc.rules)
 * 1:32054 <-> DISABLED <-> MALWARE-CNC Xsser mRAT file upload (malware-cnc.rules)
 * 1:32055 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Blohi variant outbound connection (malware-backdoor.rules)
 * 1:32057 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
 * 1:32058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Masatekar variant outbound connection attempt (malware-cnc.rules)
 * 1:32060 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent string - httptestman - Win.Backdoor.Rabasheeta (blacklist.rules)
 * 1:32061 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Nekill variant outbound connection attempt (malware-cnc.rules)
 * 1:32059 <-> ENABLED <-> PROTOCOL-SCADA KingSCADA Alarm Server stack buffer overflow attempt (protocol-scada.rules)
 * 1:32063 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
 * 1:32062 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
 * 1:32064 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)

Modified Rules:

 * 1:31838 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
 * 1:31291 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
 * 1:31292 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)

2014-10-02 15:10:56 UTC

Sourcefire VRT Rules Update

Date: 2014-10-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Larosden variant outbound connection attempt (malware-cnc.rules)
 * 1:32048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lecpetex variant outbound connection attempt (malware-cnc.rules)
 * 1:32047 <-> ENABLED <-> OS-OTHER Bash CGI nested loops word_lineno denial of service attempt (os-other.rules)
 * 1:32045 <-> ENABLED <-> OS-OTHER Bash redir_stack here document handling denial of service attempt (os-other.rules)
 * 1:32049 <-> ENABLED <-> OS-OTHER Bash CGI nested loops word_lineno denial of service attempt (os-other.rules)
 * 1:32051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.xsser.com (blacklist.rules)
 * 1:32052 <-> ENABLED <-> BLACKLIST User-Agent Xsser mRAT user-agent (blacklist.rules)
 * 1:32053 <-> ENABLED <-> MALWARE-CNC Xsser mRAT GPS data upload (malware-cnc.rules)
 * 1:32054 <-> DISABLED <-> MALWARE-CNC Xsser mRAT file upload (malware-cnc.rules)
 * 1:32055 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Blohi variant outbound connection (malware-backdoor.rules)
 * 1:32056 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32057 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
 * 1:32058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Masatekar variant outbound connection attempt (malware-cnc.rules)
 * 1:32059 <-> ENABLED <-> PROTOCOL-SCADA KingSCADA Alarm Server stack buffer overflow attempt (protocol-scada.rules)
 * 1:32060 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent string - httptestman - Win.Backdoor.Rabasheeta (blacklist.rules)
 * 1:32061 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Nekill variant outbound connection attempt (malware-cnc.rules)
 * 1:32044 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
 * 1:32046 <-> ENABLED <-> OS-OTHER Bash redir_stack here document handling denial of service attempt (os-other.rules)
 * 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
 * 1:32066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
 * 1:32065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox inbound connection attempt (malware-cnc.rules)
 * 1:32064 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
 * 1:32063 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
 * 1:32062 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)

Modified Rules:

 * 1:31838 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
 * 1:31291 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
 * 1:31292 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)

2014-10-02 15:10:56 UTC

Sourcefire VRT Rules Update

Date: 2014-10-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
 * 1:32066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
 * 1:32065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox inbound connection attempt (malware-cnc.rules)
 * 1:32064 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
 * 1:32063 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
 * 1:32062 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
 * 1:32061 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Nekill variant outbound connection attempt (malware-cnc.rules)
 * 1:32060 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent string - httptestman - Win.Backdoor.Rabasheeta (blacklist.rules)
 * 1:32059 <-> ENABLED <-> PROTOCOL-SCADA KingSCADA Alarm Server stack buffer overflow attempt (protocol-scada.rules)
 * 1:32058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Masatekar variant outbound connection attempt (malware-cnc.rules)
 * 1:32057 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
 * 1:32056 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32055 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Blohi variant outbound connection (malware-backdoor.rules)
 * 1:32054 <-> DISABLED <-> MALWARE-CNC Xsser mRAT file upload (malware-cnc.rules)
 * 1:32053 <-> ENABLED <-> MALWARE-CNC Xsser mRAT GPS data upload (malware-cnc.rules)
 * 1:32052 <-> ENABLED <-> BLACKLIST User-Agent Xsser mRAT user-agent (blacklist.rules)
 * 1:32051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.xsser.com (blacklist.rules)
 * 1:32050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Larosden variant outbound connection attempt (malware-cnc.rules)
 * 1:32049 <-> ENABLED <-> OS-OTHER Bash CGI nested loops word_lineno denial of service attempt (os-other.rules)
 * 1:32048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lecpetex variant outbound connection attempt (malware-cnc.rules)
 * 1:32047 <-> ENABLED <-> OS-OTHER Bash CGI nested loops word_lineno denial of service attempt (os-other.rules)
 * 1:32046 <-> ENABLED <-> OS-OTHER Bash redir_stack here document handling denial of service attempt (os-other.rules)
 * 1:32045 <-> ENABLED <-> OS-OTHER Bash redir_stack here document handling denial of service attempt (os-other.rules)
 * 1:32044 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)

Modified Rules:

 * 1:31838 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
 * 1:31291 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
 * 1:31292 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)