VRT Rules 2014-10-21
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, file-identify, file-other, malware-backdoor, malware-cnc, malware-other, os-other, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-10-21 15:23:04 UTC

Sourcefire VRT Rules Update

Date: 2014-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32267 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 out of bounds array access attempt (browser-ie.rules)
 * 1:32266 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 out of bounds array access attempt (browser-ie.rules)
 * 1:32265 <-> ENABLED <-> BROWSER-IE ActiveX installer broker object sandbox escape attempt (browser-ie.rules)
 * 1:32264 <-> ENABLED <-> BROWSER-IE ActiveX installer broker object sandbox escape attempt (browser-ie.rules)
 * 1:32263 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Active X installer broker privilege elevation attempt (browser-ie.rules)
 * 1:32262 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Active X installer broker privilege elevation attempt (browser-ie.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:32260 <-> ENABLED <-> MALWARE-OTHER Sinkhole reply - irc-sinkhole.cert.pl (malware-other.rules)
 * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules)
 * 1:32258 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
 * 1:32257 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
 * 1:32256 <-> ENABLED <-> FILE-OTHER GE Cimplicity bcl file loading external file attempt (file-other.rules)
 * 1:32255 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
 * 1:32254 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
 * 1:32253 <-> ENABLED <-> FILE-IDENTIFY Basic Control Engine file download request (file-identify.rules)
 * 1:32252 <-> ENABLED <-> FILE-IDENTIFY Basic Control Engine file attachment detected (file-identify.rules)
 * 1:32251 <-> ENABLED <-> FILE-IDENTIFY Basic Control Engine file attachment detected (file-identify.rules)
 * 1:32250 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq.variant outbound detected (malware-cnc.rules)
 * 1:32249 <-> ENABLED <-> MALWARE-BACKDOOR PHP IRCBot port bind attempt (malware-backdoor.rules)
 * 1:32248 <-> ENABLED <-> MALWARE-BACKDOOR PHP IRCBot file edit attempt (malware-backdoor.rules)
 * 1:32247 <-> ENABLED <-> MALWARE-BACKDOOR PHP IRCBot command execution attempt (malware-backdoor.rules)
 * 1:32246 <-> ENABLED <-> SERVER-OTHER Samsung iPOLiS device manager possible FindConfigChildeKeyList buffer overflow attempt (server-other.rules)
 * 1:32245 <-> ENABLED <-> SERVER-OTHER Samsung iPOLiS device manager possible FindConfigChildeKeyList buffer overflow attempt (server-other.rules)
 * 1:32244 <-> DISABLED <-> BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt (browser-firefox.rules)
 * 1:32243 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Clemint variant outbound connection (malware-cnc.rules)
 * 1:32242 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mcclient.freetzi.com - WIN.Trojan.Clemint (blacklist.rules)
 * 1:32241 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mcclient.0catch.com - WIN.Trojan.Clemint (blacklist.rules)

Modified Rules:


 * 1:16008 <-> DISABLED <-> OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt (os-windows.rules)
 * 1:1841 <-> DISABLED <-> BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt (browser-firefox.rules)
 * 1:23836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
 * 1:31296 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
 * 1:32041 <-> DISABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32042 <-> DISABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)

2014-10-21 15:23:04 UTC

Sourcefire VRT Rules Update

Date: 2014-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32263 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Active X installer broker privilege elevation attempt (browser-ie.rules)
 * 1:32265 <-> ENABLED <-> BROWSER-IE ActiveX installer broker object sandbox escape attempt (browser-ie.rules)
 * 1:32267 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 out of bounds array access attempt (browser-ie.rules)
 * 1:32264 <-> ENABLED <-> BROWSER-IE ActiveX installer broker object sandbox escape attempt (browser-ie.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:32252 <-> ENABLED <-> FILE-IDENTIFY Basic Control Engine file attachment detected (file-identify.rules)
 * 1:32266 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 out of bounds array access attempt (browser-ie.rules)
 * 1:32246 <-> ENABLED <-> SERVER-OTHER Samsung iPOLiS device manager possible FindConfigChildeKeyList buffer overflow attempt (server-other.rules)
 * 1:32255 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
 * 1:32257 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
 * 1:32249 <-> ENABLED <-> MALWARE-BACKDOOR PHP IRCBot port bind attempt (malware-backdoor.rules)
 * 1:32253 <-> ENABLED <-> FILE-IDENTIFY Basic Control Engine file download request (file-identify.rules)
 * 1:32248 <-> ENABLED <-> MALWARE-BACKDOOR PHP IRCBot file edit attempt (malware-backdoor.rules)
 * 1:32247 <-> ENABLED <-> MALWARE-BACKDOOR PHP IRCBot command execution attempt (malware-backdoor.rules)
 * 1:32245 <-> ENABLED <-> SERVER-OTHER Samsung iPOLiS device manager possible FindConfigChildeKeyList buffer overflow attempt (server-other.rules)
 * 1:32254 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
 * 1:32244 <-> DISABLED <-> BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt (browser-firefox.rules)
 * 1:32251 <-> ENABLED <-> FILE-IDENTIFY Basic Control Engine file attachment detected (file-identify.rules)
 * 1:32250 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq.variant outbound detected (malware-cnc.rules)
 * 1:32256 <-> ENABLED <-> FILE-OTHER GE Cimplicity bcl file loading external file attempt (file-other.rules)
 * 1:32258 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
 * 1:32260 <-> ENABLED <-> MALWARE-OTHER Sinkhole reply - irc-sinkhole.cert.pl (malware-other.rules)
 * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules)
 * 1:32241 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mcclient.0catch.com - WIN.Trojan.Clemint (blacklist.rules)
 * 1:32243 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Clemint variant outbound connection (malware-cnc.rules)
 * 1:32242 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mcclient.freetzi.com - WIN.Trojan.Clemint (blacklist.rules)
 * 1:32262 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Active X installer broker privilege elevation attempt (browser-ie.rules)

Modified Rules:


 * 1:23836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
 * 1:31296 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
 * 1:32042 <-> DISABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:1841 <-> DISABLED <-> BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt (browser-firefox.rules)
 * 1:32041 <-> DISABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:16008 <-> DISABLED <-> OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt (os-windows.rules)
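The two lists above follow the format stated in each changelog header (gid:sid <-> Default rule state <-> Message (rule group)), and the same SIDs appear in both packs in a different order, which makes eyeballing them for differences tedious. The following parser is an added example, not part of the VRT release notes or of Snort; the function names (parse_packs, enabled_new_rules, diff_packs) and the SAMPLE excerpt are my own, with SAMPLE being a constructed, trimmed copy of a few lines from the 2962 and 2956 changelogs. It splits the text into packs by Snort version, reads the New/Modified sections, reports which new rules are ENABLED by default (those start alerting the moment the pack is deployed, so they are the first candidates for tuning), and diffs two packs for SIDs present in only one of them or listed with a different default state.

```python
"""Parse VRT rule-update changelogs of the form
    gid:sid <-> Default rule state <-> Message (rule group)
and compare the rule packs they list.

Added example; not part of the original release notes. Function names
and the SAMPLE excerpt below are assumptions of this example.
"""
import re
from collections import Counter, namedtuple

Rule = namedtuple("Rule", "gid sid state msg group")

# A pack begins at the line naming its Snort version.
PACK_HEADER = re.compile(r"Snort version (\d+)")
# Section headers switch where subsequent rule lines are filed.
SECTION = re.compile(r"^(New|Modified) Rules:\s*$")
# One rule line; the leading " * " bullet is optional.
RULE_LINE = re.compile(
    r"^\s*\*?\s*(\d+):(\d+)\s*<->\s*(ENABLED|DISABLED)\s*<->\s*(.*?)\s*\(([\w.-]+)\)\s*$"
)


def parse_packs(text):
    """Return {snort_version: {"new": {...}, "modified": {...}}}, each inner
    dict keyed by (gid, sid) and holding a Rule."""
    packs = {}
    current, section = None, None
    for line in text.splitlines():
        m = PACK_HEADER.search(line)
        if m:
            current = packs.setdefault(m.group(1), {"new": {}, "modified": {}})
            section = None
            continue
        m = SECTION.match(line.strip())
        if m:
            section = m.group(1).lower()
            continue
        m = RULE_LINE.match(line)
        if m and current is not None and section is not None:
            gid, sid, state, msg, group = m.groups()
            current[section][(int(gid), int(sid))] = Rule(int(gid), int(sid), state, msg, group)
    return packs


def group_counts(pack, section):
    """Count rules per (rule group, default state) in one section."""
    return Counter((r.group, r.state) for r in pack[section].values())


def enabled_new_rules(pack):
    """New rules that are ENABLED by default: they alert as soon as the pack
    is deployed, so review them first."""
    return sorted(k for k, r in pack["new"].items() if r.state == "ENABLED")


def diff_packs(a, b):
    """For each section: keys only in a, keys only in b, and keys in both
    whose default state differs."""
    result = {}
    for section in ("new", "modified"):
        ka, kb = set(a[section]), set(b[section])
        result[section] = {
            "only_in_a": sorted(ka - kb),
            "only_in_b": sorted(kb - ka),
            "state_changed": sorted(
                k for k in ka & kb if a[section][k].state != b[section][k].state
            ),
        }
    return result


# Constructed excerpt: a few lines from each of the two changelogs above,
# in the order they appear there (the 2956 pack lists them differently).
SAMPLE = """\
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
New Rules:
 * 1:32267 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 out of bounds array access attempt (browser-ie.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:32246 <-> ENABLED <-> SERVER-OTHER Samsung iPOLiS device manager possible FindConfigChildeKeyList buffer overflow attempt (server-other.rules)
Modified Rules:
 * 1:32041 <-> DISABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
New Rules:
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:32246 <-> ENABLED <-> SERVER-OTHER Samsung iPOLiS device manager possible FindConfigChildeKeyList buffer overflow attempt (server-other.rules)
 * 1:32267 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 out of bounds array access attempt (browser-ie.rules)
Modified Rules:
 * 1:32041 <-> DISABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
"""

if __name__ == "__main__":
    packs = parse_packs(SAMPLE)
    for version, pack in sorted(packs.items()):
        print(version, "new:", len(pack["new"]), "modified:", len(pack["modified"]))
        print("  enabled-by-default new rules:", enabled_new_rules(pack))
        print("  per group/state:", dict(group_counts(pack, "new")))
    print("2962 vs 2956:", diff_packs(packs["2962"], packs["2956"]))
```

Run against the full page text (both changelogs pasted into one file), diff_packs reports empty lists for both sections, confirming the 2962 and 2956 packs carry the same 27 new and 6 modified SIDs with the same default states; a non-empty only_in_b or state_changed list is the signal that two packs actually differ.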