VRT Rules 2014-10-07
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, file-flash, file-office, file-other, malware-backdoor, malware-cnc, os-other, policy-other and server-other rule sets to provide coverage for emerging threats from these technologies. Note that the new file-office, file-other and policy-other rules in this release ship DISABLED by default; deployments that want that coverage must enable those SIDs explicitly after updating.

Change logs

2014-10-07 14:15:59 UTC

Sourcefire VRT Rules Update

Date: 2014-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32095 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MalformedPalette Record Memory Corruption attempt (file-office.rules)
 * 1:32068 <-> DISABLED <-> POLICY-OTHER SolarWinds Log and Event Manager default credentials authentication attempt (policy-other.rules)
 * 1:32070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dalgan variant outbound connection attempt (malware-cnc.rules)
 * 1:32074 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot payload download attempt (malware-cnc.rules)
 * 1:32073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot outbound connection attempt (malware-cnc.rules)
 * 1:32072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot configuration download attempt (malware-cnc.rules)
 * 1:32071 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zapchast variant outbound connection attempt (malware-cnc.rules)
 * 1:32096 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Puver variant outbound connection attempt (malware-cnc.rules)
 * 1:32094 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MalformedPalete Record Memory Corruption attempt (file-office.rules)
 * 1:32097 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
 * 1:32098 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
 * 1:32075 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Small variant outbound connection attempt (malware-cnc.rules)
 * 1:32076 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 directory traversal attempt (server-other.rules)
 * 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
 * 1:32078 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nova.ddns.us - Linux.Backdoor.Starysu (blacklist.rules)
 * 1:32080 <-> ENABLED <-> MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection (malware-backdoor.rules)
 * 1:32079 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nova.ns01.us - Linux.Backdoor.Starysu (blacklist.rules)
 * 1:32081 <-> ENABLED <-> MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection (malware-backdoor.rules)
 * 1:32082 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Filter Records Handling Code Execution attempt (file-office.rules)
 * 1:32083 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
 * 1:32084 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
 * 1:32085 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
 * 1:32086 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Corkow variant outbound connection attempt (malware-cnc.rules)
 * 1:32087 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
 * 1:32088 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
 * 1:32069 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32089 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
 * 1:32091 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.PcertStealer variant outbound connection attempt (malware-cnc.rules)
 * 1:32090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Saaglup variant outbound connection attempt (malware-cnc.rules)
 * 1:32092 <-> DISABLED <-> POLICY-OTHER ManageEngine DeviceExpert user credentials enumeration attempt (policy-other.rules)
 * 1:32093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:16053 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
 * 1:25581 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25582 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25583 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25584 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25585 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:32066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
 * 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
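
As an added example (not part of the VRT release notes or of any Sourcefire tooling), the following Python parser reads the "gid:sid <-> Default rule state <-> Message (rule group)" lines in the format described above. It records which Snort engine-version section each entry came from, collapses the same SID that is listed once per engine version, and emits the DISABLED new rules in chosen rule groups as a PulledPork-style enablesid.conf fragment (one "gid:sid" per line, "#" comments), so the file-office, file-other and policy-other coverage that ships off by default can be turned on deliberately rather than missed. The SAMPLE text is a constructed excerpt of entries from this release; the enablesid.conf layout is an assumption about PulledPork, not something the release notes state.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# One changelog body line, e.g.
#  * 1:32095 <-> DISABLED <-> FILE-OFFICE ... attempt (file-office.rules)
_RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)
_SECTION_LINE = re.compile(r"^\s*(?P<section>New|Modified) Rules:\s*$")
_VERSION_LINE = re.compile(r"for Snort version (?P<version>\d+)\.\s*$")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool          # default state in the shipped rule pack
    msg: str               # rule msg text, e.g. "FILE-OFFICE Microsoft ..."
    group: str             # rule file, e.g. "file-office.rules"
    section: str           # "New" or "Modified"
    snort_version: str     # engine version the rule pack targets, e.g. "2956"

    @property
    def sid_ref(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_changelog(text: str) -> list[RuleEntry]:
    """Parse every rule line, tracking the current section and engine version."""
    entries: list[RuleEntry] = []
    section = version = ""
    for line in text.splitlines():
        if (m := _VERSION_LINE.search(line)):
            version, section = m["version"], ""   # a new per-version block starts
            continue
        if (m := _SECTION_LINE.match(line)):
            section = m["section"]
            continue
        if section and (m := _RULE_LINE.match(line)):
            entries.append(RuleEntry(
                gid=int(m["gid"]), sid=int(m["sid"]),
                enabled=(m["state"] == "ENABLED"), msg=m["msg"],
                group=m["group"], section=section, snort_version=version,
            ))
    return entries


def disabled_new_rules(entries: Iterable[RuleEntry],
                       groups: set[str] | None = None) -> list[RuleEntry]:
    """New rules that ship DISABLED, deduplicated across engine-version blocks."""
    seen: set[str] = set()
    out: list[RuleEntry] = []
    for e in entries:
        if e.section != "New" or e.enabled or (groups and e.group not in groups):
            continue
        if e.sid_ref not in seen:       # same SID is listed once per engine version
            seen.add(e.sid_ref)
            out.append(e)
    return sorted(out, key=lambda e: (e.gid, e.sid))


def enablesid_conf(entries: Iterable[RuleEntry],
                   groups: set[str] | None = None) -> str:
    """PulledPork-style enablesid.conf fragment (assumed layout): '# msg' then 'gid:sid'."""
    lines: list[str] = []
    for e in disabled_new_rules(entries, groups):
        lines.append(f"# {e.msg} ({e.group})")
        lines.append(e.sid_ref)
    return "\n".join(lines) + ("\n" if lines else "")


def count_by_group(entries: Iterable[RuleEntry]) -> dict[str, dict[str, int]]:
    """Enabled/disabled counts per rule file, each (sid, section) counted once."""
    counts: dict[str, dict[str, int]] = {}
    seen: set[tuple[str, str]] = set()
    for e in entries:
        if (e.sid_ref, e.section) in seen:
            continue
        seen.add((e.sid_ref, e.section))
        bucket = counts.setdefault(e.group, {"enabled": 0, "disabled": 0})
        bucket["enabled" if e.enabled else "disabled"] += 1
    return counts


# Constructed excerpt of this release's entries (two engine-version blocks).
SAMPLE = """\
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

New Rules:

 * 1:32095 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MalformedPalette Record Memory Corruption attempt (file-office.rules)
 * 1:32069 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32087 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)

Modified Rules:

 * 1:16053 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

New Rules:

 * 1:32095 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MalformedPalette Record Memory Corruption attempt (file-office.rules)
 * 1:32069 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print(count_by_group(parsed))
    print(enablesid_conf(parsed, {"file-office.rules", "file-other.rules"}))
```

Run it against the full release notes to get one deduplicated list; pass the groups you actually want (for example only file-office.rules if you inspect Office documents inline) so that noisy policy-other default-credential rules are not enabled by accident.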

2014-10-07 14:15:59 UTC

Sourcefire VRT Rules Update

Date: 2014-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32074 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot payload download attempt (malware-cnc.rules)
 * 1:32073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot outbound connection attempt (malware-cnc.rules)
 * 1:32072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot configuration download attempt (malware-cnc.rules)
 * 1:32070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dalgan variant outbound connection attempt (malware-cnc.rules)
 * 1:32069 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32071 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zapchast variant outbound connection attempt (malware-cnc.rules)
 * 1:32068 <-> DISABLED <-> POLICY-OTHER SolarWinds Log and Event Manager default credentials authentication attempt (policy-other.rules)
 * 1:32075 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Small variant outbound connection attempt (malware-cnc.rules)
 * 1:32076 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 directory traversal attempt (server-other.rules)
 * 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
 * 1:32079 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nova.ns01.us - Linux.Backdoor.Starysu (blacklist.rules)
 * 1:32078 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nova.ddns.us - Linux.Backdoor.Starysu (blacklist.rules)
 * 1:32080 <-> ENABLED <-> MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection (malware-backdoor.rules)
 * 1:32081 <-> ENABLED <-> MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection (malware-backdoor.rules)
 * 1:32082 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Filter Records Handling Code Execution attempt (file-office.rules)
 * 1:32084 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
 * 1:32083 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
 * 1:32085 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
 * 1:32086 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Corkow variant outbound connection attempt (malware-cnc.rules)
 * 1:32087 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
 * 1:32088 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
 * 1:32089 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
 * 1:32090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Saaglup variant outbound connection attempt (malware-cnc.rules)
 * 1:32091 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.PcertStealer variant outbound connection attempt (malware-cnc.rules)
 * 1:32098 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
 * 1:32097 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
 * 1:32094 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MalformedPalete Record Memory Corruption attempt (file-office.rules)
 * 1:32096 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Puver variant outbound connection attempt (malware-cnc.rules)
 * 1:32095 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MalformedPalette Record Memory Corruption attempt (file-office.rules)
 * 1:32093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection attempt (malware-cnc.rules)
 * 1:32092 <-> DISABLED <-> POLICY-OTHER ManageEngine DeviceExpert user credentials enumeration attempt (policy-other.rules)

Modified Rules:


 * 1:16053 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
 * 1:25581 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25582 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25583 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25584 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25585 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:32066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
 * 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)

2014-10-07 14:15:58 UTC

Sourcefire VRT Rules Update

Date: 2014-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32098 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
 * 1:32097 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
 * 1:32096 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Puver variant outbound connection attempt (malware-cnc.rules)
 * 1:32095 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MalformedPalette Record Memory Corruption attempt (file-office.rules)
 * 1:32094 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MalformedPalete Record Memory Corruption attempt (file-office.rules)
 * 1:32093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection attempt (malware-cnc.rules)
 * 1:32092 <-> DISABLED <-> POLICY-OTHER ManageEngine DeviceExpert user credentials enumeration attempt (policy-other.rules)
 * 1:32091 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.PcertStealer variant outbound connection attempt (malware-cnc.rules)
 * 1:32090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Saaglup variant outbound connection attempt (malware-cnc.rules)
 * 1:32089 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
 * 1:32088 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
 * 1:32087 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
 * 1:32086 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Corkow variant outbound connection attempt (malware-cnc.rules)
 * 1:32085 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
 * 1:32084 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
 * 1:32083 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
 * 1:32082 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Filter Records Handling Code Execution attempt (file-office.rules)
 * 1:32081 <-> ENABLED <-> MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection (malware-backdoor.rules)
 * 1:32080 <-> ENABLED <-> MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection (malware-backdoor.rules)
 * 1:32079 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nova.ns01.us - Linux.Backdoor.Starysu (blacklist.rules)
 * 1:32078 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nova.ddns.us - Linux.Backdoor.Starysu (blacklist.rules)
 * 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
 * 1:32076 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 directory traversal attempt (server-other.rules)
 * 1:32075 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Small variant outbound connection attempt (malware-cnc.rules)
 * 1:32074 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot payload download attempt (malware-cnc.rules)
 * 1:32073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot outbound connection attempt (malware-cnc.rules)
 * 1:32072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot configuration download attempt (malware-cnc.rules)
 * 1:32071 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zapchast variant outbound connection attempt (malware-cnc.rules)
 * 1:32070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dalgan variant outbound connection attempt (malware-cnc.rules)
 * 1:32069 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32068 <-> DISABLED <-> POLICY-OTHER SolarWinds Log and Event Manager default credentials authentication attempt (policy-other.rules)

Modified Rules:


 * 1:16053 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
 * 1:25581 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25582 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25583 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25584 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:25585 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
 * 1:32066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
 * 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)