VRT Rules 2014-10-09
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-firefox, file-identify, file-office, file-other, malware-cnc, pua-adware, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-10-09 17:21:38 UTC

Sourcefire VRT Rules Update

Date: 2014-10-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32119 <-> DISABLED <-> PUA-ADWARE Vsearch installer User-Agent (pua-adware.rules)
 * 1:32122 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtWnDesk record memory corruption exploit attempt (file-office.rules)
 * 1:32130 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt (malware-cnc.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:32129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant download attempt (malware-cnc.rules)
 * 1:32126 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lizarbot outbound communication (malware-cnc.rules)
 * 1:32125 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - update - Win.Backdoor.Upatre (blacklist.rules)
 * 1:32117 <-> DISABLED <-> PUA-ADWARE MplayerX malvertising browser hijacker (pua-adware.rules)
 * 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection attempt (malware-cnc.rules)
 * 1:32123 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt (malware-cnc.rules)
 * 1:32136 <-> DISABLED <-> FILE-OTHER GNU gzip LZH decompression make_table overflow attempt (file-other.rules)
 * 1:32135 <-> ENABLED <-> FILE-IDENTIFY XBM file attachment detected (file-identify.rules)
 * 1:32120 <-> DISABLED <-> PUA-ADWARE Vsearch installer request (pua-adware.rules)
 * 1:32124 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
 * 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.htmlcommand injection attempt (server-webapp.rules)
 * 1:32131 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
 * 1:32133 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XBM image processing buffer overflow attempt (browser-firefox.rules)
 * 1:32132 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
 * 1:32118 <-> DISABLED <-> PUA-ADWARE MplayerX malvertising connectivity check (pua-adware.rules)
 * 1:32134 <-> ENABLED <-> FILE-IDENTIFY XBM file attachment detected (file-identify.rules)

Modified Rules:


 * 1:16201 <-> DISABLED <-> SERVER-MAIL Ipswitch Collaboration Suite SMTP format string exploit attempt (server-mail.rules)
 * 1:21928 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
 * 1:17556 <-> DISABLED <-> SERVER-OTHER Firebird database invalid state integer overflow attempt (server-other.rules)
 * 1:17289 <-> DISABLED <-> FILE-OTHER GNU gzip LZH decompression make_table overflow attempt (file-other.rules)
 * 1:12256 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)

2014-10-09 17:21:38 UTC

Sourcefire VRT Rules Update

Date: 2014-10-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32118 <-> DISABLED <-> PUA-ADWARE MplayerX malvertising connectivity check (pua-adware.rules)
 * 1:32117 <-> DISABLED <-> PUA-ADWARE MplayerX malvertising browser hijacker (pua-adware.rules)
 * 1:32119 <-> DISABLED <-> PUA-ADWARE Vsearch installer User-Agent (pua-adware.rules)
 * 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection attempt (malware-cnc.rules)
 * 1:32123 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt (malware-cnc.rules)
 * 1:32124 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
 * 1:32125 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - update - Win.Backdoor.Upatre (blacklist.rules)
 * 1:32126 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lizarbot outbound communication (malware-cnc.rules)
 * 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.htmlcommand injection attempt (server-webapp.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:32129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant download attempt (malware-cnc.rules)
 * 1:32130 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt (malware-cnc.rules)
 * 1:32131 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
 * 1:32120 <-> DISABLED <-> PUA-ADWARE Vsearch installer request (pua-adware.rules)
 * 1:32122 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtWnDesk record memory corruption exploit attempt (file-office.rules)
 * 1:32136 <-> DISABLED <-> FILE-OTHER GNU gzip LZH decompression make_table overflow attempt (file-other.rules)
 * 1:32135 <-> ENABLED <-> FILE-IDENTIFY XBM file attachment detected (file-identify.rules)
 * 1:32134 <-> ENABLED <-> FILE-IDENTIFY XBM file attachment detected (file-identify.rules)
 * 1:32133 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XBM image processing buffer overflow attempt (browser-firefox.rules)
 * 1:32132 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)

Modified Rules:


 * 1:21928 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
 * 1:12256 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
 * 1:16201 <-> DISABLED <-> SERVER-MAIL Ipswitch Collaboration Suite SMTP format string exploit attempt (server-mail.rules)
 * 1:17289 <-> DISABLED <-> FILE-OTHER GNU gzip LZH decompression make_table overflow attempt (file-other.rules)
 * 1:17556 <-> DISABLED <-> SERVER-OTHER Firebird database invalid state integer overflow attempt (server-other.rules)

2014-10-09 17:21:38 UTC

Sourcefire VRT Rules Update

Date: 2014-10-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32136 <-> DISABLED <-> FILE-OTHER GNU gzip LZH decompression make_table overflow attempt (file-other.rules)
 * 1:32135 <-> ENABLED <-> FILE-IDENTIFY XBM file attachment detected (file-identify.rules)
 * 1:32134 <-> ENABLED <-> FILE-IDENTIFY XBM file attachment detected (file-identify.rules)
 * 1:32133 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XBM image processing buffer overflow attempt (browser-firefox.rules)
 * 1:32132 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
 * 1:32131 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
 * 1:32130 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt (malware-cnc.rules)
 * 1:32129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant download attempt (malware-cnc.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.htmlcommand injection attempt (server-webapp.rules)
 * 1:32126 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lizarbot outbound communication (malware-cnc.rules)
 * 1:32125 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - update - Win.Backdoor.Upatre (blacklist.rules)
 * 1:32124 <-> ENABLED <-> BLACKLIST Win.Backdoor.Upatre SSL Cert inbound (blacklist.rules)
 * 1:32123 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt (malware-cnc.rules)
 * 1:32122 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtWnDesk record memory corruption exploit attempt (file-office.rules)
 * 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection attempt (malware-cnc.rules)
 * 1:32120 <-> DISABLED <-> PUA-ADWARE Vsearch installer request (pua-adware.rules)
 * 1:32119 <-> DISABLED <-> PUA-ADWARE Vsearch installer User-Agent (pua-adware.rules)
 * 1:32118 <-> DISABLED <-> PUA-ADWARE MplayerX malvertising connectivity check (pua-adware.rules)
 * 1:32117 <-> DISABLED <-> PUA-ADWARE MplayerX malvertising browser hijacker (pua-adware.rules)

Modified Rules:


 * 1:12256 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)
 * 1:16201 <-> DISABLED <-> SERVER-MAIL Ipswitch Collaboration Suite SMTP format string exploit attempt (server-mail.rules)
 * 1:17289 <-> DISABLED <-> FILE-OTHER GNU gzip LZH decompression make_table overflow attempt (file-other.rules)
 * 1:17556 <-> DISABLED <-> SERVER-OTHER Firebird database invalid state integer overflow attempt (server-other.rules)
 * 1:21928 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed FBI record buffer overflow attempt (file-office.rules)