The VRT has added and modified multiple rules in the blacklist, browser-firefox, file-identify, file-office, file-other, malware-cnc, pua-adware, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32119 <-> DISABLED <-> PUA-ADWARE Vsearch installer User-Agent (pua-adware.rules)
* 1:32122 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtWnDesk record memory corruption exploit attempt (file-office.rules)
* 1:32130 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt (malware-cnc.rules)
* 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
* 1:32129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant download attempt (malware-cnc.rules)
* 1:32126 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lizarbot outbound communication (malware-cnc.rules)
* 1:32125 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - update - Win.Backdoor.Upatre (blacklist.rules)
* 1:32117 <-> DISABLED <-> PUA-ADWARE MplayerX malvertising browser hijacker (pua-adware.rules)
* 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection attempt (malware-cnc.rules)
* 1:32123 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt (malware-cnc.rules)
* 1:32136 <-> DISABLED <-> FILE-OTHER GNU gzip LZH decompression make_table overflow attempt (file-other.rules)
* 1:32135 <-> ENABLED <-> FILE-IDENTIFY XBM file attachment detected (file-identify.rules)
* 1:32120 <-> DISABLED <-> PUA-ADWARE Vsearch installer request (pua-adware.rules)
* 1:32124 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt (server-webapp.rules)
* 1:32131 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
* 1:32133 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XBM image processing buffer overflow attempt (browser-firefox.rules)
* 1:32132 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
* 1:32118 <-> DISABLED <-> PUA-ADWARE MplayerX malvertising connectivity check (pua-adware.rules)
* 1:32134 <-> ENABLED <-> FILE-IDENTIFY XBM file attachment detected (file-identify.rules)
* 1:16201 <-> DISABLED <-> SERVER-MAIL Ipswitch Collaboration Suite SMTP format string exploit attempt (server-mail.rules)
* 1:21928 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
* 1:17556 <-> DISABLED <-> SERVER-OTHER Firebird database invalid state integer overflow attempt (server-other.rules)
* 1:17289 <-> DISABLED <-> FILE-OTHER GNU gzip LZH decompression make_table overflow attempt (file-other.rules)
* 1:12256 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32118 <-> DISABLED <-> PUA-ADWARE MplayerX malvertising connectivity check (pua-adware.rules)
* 1:32117 <-> DISABLED <-> PUA-ADWARE MplayerX malvertising browser hijacker (pua-adware.rules)
* 1:32119 <-> DISABLED <-> PUA-ADWARE Vsearch installer User-Agent (pua-adware.rules)
* 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection attempt (malware-cnc.rules)
* 1:32123 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt (malware-cnc.rules)
* 1:32124 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:32125 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - update - Win.Backdoor.Upatre (blacklist.rules)
* 1:32126 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lizarbot outbound communication (malware-cnc.rules)
* 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt (server-webapp.rules)
* 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
* 1:32129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant download attempt (malware-cnc.rules)
* 1:32130 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt (malware-cnc.rules)
* 1:32131 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
* 1:32120 <-> DISABLED <-> PUA-ADWARE Vsearch installer request (pua-adware.rules)
* 1:32122 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtWnDesk record memory corruption exploit attempt (file-office.rules)
* 1:32136 <-> DISABLED <-> FILE-OTHER GNU gzip LZH decompression make_table overflow attempt (file-other.rules)
* 1:32135 <-> ENABLED <-> FILE-IDENTIFY XBM file attachment detected (file-identify.rules)
* 1:32134 <-> ENABLED <-> FILE-IDENTIFY XBM file attachment detected (file-identify.rules)
* 1:32133 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XBM image processing buffer overflow attempt (browser-firefox.rules)
* 1:32132 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
* 1:21928 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
* 1:12256 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
* 1:16201 <-> DISABLED <-> SERVER-MAIL Ipswitch Collaboration Suite SMTP format string exploit attempt (server-mail.rules)
* 1:17289 <-> DISABLED <-> FILE-OTHER GNU gzip LZH decompression make_table overflow attempt (file-other.rules)
* 1:17556 <-> DISABLED <-> SERVER-OTHER Firebird database invalid state integer overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32136 <-> DISABLED <-> FILE-OTHER GNU gzip LZH decompression make_table overflow attempt (file-other.rules)
* 1:32135 <-> ENABLED <-> FILE-IDENTIFY XBM file attachment detected (file-identify.rules)
* 1:32134 <-> ENABLED <-> FILE-IDENTIFY XBM file attachment detected (file-identify.rules)
* 1:32133 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XBM image processing buffer overflow attempt (browser-firefox.rules)
* 1:32132 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
* 1:32131 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
* 1:32130 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt (malware-cnc.rules)
* 1:32129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant download attempt (malware-cnc.rules)
* 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
* 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt (server-webapp.rules)
* 1:32126 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lizarbot outbound communication (malware-cnc.rules)
* 1:32125 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - update - Win.Backdoor.Upatre (blacklist.rules)
* 1:32124 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
* 1:32123 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt (malware-cnc.rules)
* 1:32122 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtWnDesk record memory corruption exploit attempt (file-office.rules)
* 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection attempt (malware-cnc.rules)
* 1:32120 <-> DISABLED <-> PUA-ADWARE Vsearch installer request (pua-adware.rules)
* 1:32119 <-> DISABLED <-> PUA-ADWARE Vsearch installer User-Agent (pua-adware.rules)
* 1:32118 <-> DISABLED <-> PUA-ADWARE MplayerX malvertising connectivity check (pua-adware.rules)
* 1:32117 <-> DISABLED <-> PUA-ADWARE MplayerX malvertising browser hijacker (pua-adware.rules)
* 1:12256 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
* 1:16201 <-> DISABLED <-> SERVER-MAIL Ipswitch Collaboration Suite SMTP format string exploit attempt (server-mail.rules)
* 1:17289 <-> DISABLED <-> FILE-OTHER GNU gzip LZH decompression make_table overflow attempt (file-other.rules)
* 1:17556 <-> DISABLED <-> SERVER-OTHER Firebird database invalid state integer overflow attempt (server-other.rules)
* 1:21928 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)