VRT Rules 2014-10-28
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the browser-chrome, malware-cnc, server-other, server-webapp and sql rule sets to provide coverage for emerging threats against these technologies. Note that several of the new rules ship DISABLED by default and take effect only if enabled in the local policy.

Change logs

2014-10-28 19:51:59 UTC

Sourcefire VRT Rules Update

Date: 2014-10-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32354 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsune variant outbound connection (malware-cnc.rules)
 * 1:32353 <-> DISABLED <-> SQL Drupal 7 pre auth SQL injection attempt (sql.rules)
 * 1:32352 <-> ENABLED <-> SERVER-WEBAPP Centreon displayServiceStatus.php command injection attempt (server-webapp.rules)
 * 1:32351 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
 * 1:32350 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
 * 1:32349 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32348 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32347 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32346 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 directory traversal attempt (server-other.rules)
 * 1:32345 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector - initiate connection (server-other.rules)
 * 1:32344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound spam attempt (malware-cnc.rules)
 * 1:32343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant inbound spam attempt (malware-cnc.rules)
 * 1:32342 <-> ENABLED <-> SERVER-OTHER AlienVault OSSIM framework backup_restore action command injection attempt (server-other.rules)

Modified Rules:


 * 1:32319 <-> ENABLED <-> BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt (browser-chrome.rules)
 * 1:32320 <-> ENABLED <-> BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt (browser-chrome.rules)
 * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules)
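The changelog format above ("gid:sid <-> Default rule state <-> Message (rule group)") is regular enough to parse, which is useful when the same rule pack is published once per supported Snort version, as here, and an operator wants a single de-duplicated list of what changed and which new rules are off by default. The following is an added example, not part of the VRT release or of any Snort/PulledPork tooling; the sample text is a constructed excerpt built from rule lines on this page, repeated across two "New Rules:" headings to exercise the de-duplication, and the function and variable names are the example's own.

```python
import re
from collections import OrderedDict

# Constructed excerpt: rule lines copied from the changelog above, arranged to
# span two version blocks so the same sid appears twice (as it does on the page).
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:32354 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsune variant outbound connection (malware-cnc.rules)
 * 1:32353 <-> DISABLED <-> SQL Drupal 7 pre auth SQL injection attempt (sql.rules)
 * 1:32346 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 directory traversal attempt (server-other.rules)

Modified Rules:

 * 1:32319 <-> ENABLED <-> BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt (browser-chrome.rules)
 * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules)

New Rules:

 * 1:32353 <-> DISABLED <-> SQL Drupal 7 pre auth SQL injection attempt (sql.rules)
 * 1:32354 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsune variant outbound connection (malware-cnc.rules)
"""

# One changelog line: " * gid:sid <-> ENABLED|DISABLED <-> message (group.rules)"
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Parse changelog text into an OrderedDict keyed by 'gid:sid'.

    The section ('new' or 'modified') is taken from the most recent heading.
    A sid repeated in a later per-version block is folded into its first entry;
    a repeat with a different default state is treated as an error, since the
    same rule pack should not disagree with itself.
    """
    entries = OrderedDict()
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(line)
        if not m:
            continue  # blank lines, dates, prose
        key = f"{m['gid']}:{m['sid']}"
        enabled = m["state"] == "ENABLED"
        entry = entries.setdefault(key, {
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "enabled": enabled,
            "msg": m["msg"],
            "group": m["group"],
            "section": section,
        })
        if entry["enabled"] != enabled:
            raise ValueError(f"conflicting default state for {key}")
    return entries


def disabled_by_default(entries):
    """gid:sid keys that do nothing until the operator enables them in local policy."""
    return [key for key, e in entries.items() if not e["enabled"]]


def rule_classes(entries):
    """Count rules per leading class token of the message (e.g. SERVER-WEBAPP)."""
    counts = {}
    for e in entries.values():
        cls = e["msg"].split(" ", 1)[0]
        counts[cls] = counts.get(cls, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    print(f"{len(parsed)} distinct rules; classes: {rule_classes(parsed)}")
    for key in disabled_by_default(parsed):
        print(f"review for enablement: {key} {parsed[key]['msg']} ({parsed[key]['group']})")
```

Feeding the full text of this page into `parse_changelog` collapses the three per-version blocks to thirteen new and three modified rules; the disabled list is the set to review against the local environment, since a rule such as the Drupal 7 pre-auth SQL injection detection generates no alerts until it is switched on.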

2014-10-28 19:51:59 UTC

Sourcefire VRT Rules Update

Date: 2014-10-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32349 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32351 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
 * 1:32348 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant inbound spam attempt (malware-cnc.rules)
 * 1:32342 <-> ENABLED <-> SERVER-OTHER AlienVault OSSIM framework backup_restore action command injection attempt (server-other.rules)
 * 1:32344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound spam attempt (malware-cnc.rules)
 * 1:32346 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 directory traversal attempt (server-other.rules)
 * 1:32347 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32350 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
 * 1:32345 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector - initiate connection (server-other.rules)
 * 1:32354 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsune variant outbound connection (malware-cnc.rules)
 * 1:32353 <-> DISABLED <-> SQL Drupal 7 pre auth SQL injection attempt (sql.rules)
 * 1:32352 <-> ENABLED <-> SERVER-WEBAPP Centreon displayServiceStatus.php command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:32319 <-> ENABLED <-> BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt (browser-chrome.rules)
 * 1:32320 <-> ENABLED <-> BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt (browser-chrome.rules)
 * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules)

2014-10-28 19:51:59 UTC

Sourcefire VRT Rules Update

Date: 2014-10-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32346 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 directory traversal attempt (server-other.rules)
 * 1:32349 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32351 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
 * 1:32348 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant inbound spam attempt (malware-cnc.rules)
 * 1:32342 <-> ENABLED <-> SERVER-OTHER AlienVault OSSIM framework backup_restore action command injection attempt (server-other.rules)
 * 1:32354 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsune variant outbound connection (malware-cnc.rules)
 * 1:32347 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
 * 1:32344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound spam attempt (malware-cnc.rules)
 * 1:32350 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
 * 1:32353 <-> DISABLED <-> SQL Drupal 7 pre auth SQL injection attempt (sql.rules)
 * 1:32345 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector - initiate connection (server-other.rules)
 * 1:32352 <-> ENABLED <-> SERVER-WEBAPP Centreon displayServiceStatus.php command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:32320 <-> ENABLED <-> BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt (browser-chrome.rules)
 * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules)
 * 1:32319 <-> ENABLED <-> BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt (browser-chrome.rules)