VRT Rules 2014-11-04
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-other, exploit-kit, indicator-obfuscation, malware-cnc, protocol-icmp, server-other and sql rule sets to provide coverage for emerging threats in these areas.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2014-11-04 18:14:42 UTC

Sourcefire VRT Rules Update

Date: 2014-11-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32376 <-> DISABLED <-> SERVER-OTHER Citrix NetScaler stack buffer overflow attempt (server-other.rules)
 * 1:32375 <-> DISABLED <-> BROWSER-OTHER WGet symlink arbitrary file write attempt (browser-other.rules)
 * 1:32374 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt (malware-cnc.rules)
 * 1:32373 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Broonject variant outbound connection attempt (malware-cnc.rules)
 * 1:32372 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drepitt variant outbound connection attempt (malware-cnc.rules)
 * 1:32371 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
 * 1:32370 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:32369 <-> DISABLED <-> PROTOCOL-ICMP FreeBSD stsold dname_labeldec stack buffer overflow attempt (protocol-icmp.rules)

Modified Rules:

 * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (server-other.rules)
 * 1:32353 <-> DISABLED <-> SQL Drupal 7 pre auth SQL injection attempt (sql.rules)
 * 1:32205 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
 * 1:32204 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
 * 1:31823 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM remote_task command injection attempt (server-webapp.rules)
 * 1:31506 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd get_log_line command injection attempt (server-webapp.rules)
 * 1:31505 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd get_license command injection attempt (server-webapp.rules)
 * 1:31455 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
 * 1:31330 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd update_system_info_debian_package command injection attempt (server-webapp.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:30842 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wisenwizard.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30841 <-> ENABLED <-> BLACKLIST DNS request for known malware domain websparkle.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain towertilt.com - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30839 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serialtrunc.com - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30838 <-> ENABLED <-> BLACKLIST DNS request for known malware domain secretsauce.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30837 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saltarsmart.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30836 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qualitink.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30835 <-> ENABLED <-> BLACKLIST DNS request for known malware domain plurpush.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30834 <-> ENABLED <-> BLACKLIST DNS request for known malware domain outobox.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30833 <-> ENABLED <-> BLACKLIST DNS request for known malware domain megabrowse.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30832 <-> ENABLED <-> BLACKLIST DNS request for known malware domain luckyleap.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30831 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lemurleap.info - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30830 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kozaka.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30829 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jotzey.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30828 <-> ENABLED <-> BLACKLIST DNS request for known malware domain grabmyrez.co - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30827 <-> ENABLED <-> BLACKLIST DNS request for known malware domain diamondata.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30826 <-> ENABLED <-> BLACKLIST DNS request for known malware domain browsesmart.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30825 <-> ENABLED <-> BLACKLIST DNS request for known malware domain browsemark.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30824 <-> ENABLED <-> BLACKLIST DNS request for known malware domain betterbrowse.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:26616 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript indexOf rename attempt (indicator-obfuscation.rules)
 * 1:26615 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript substr rename attempt (indicator-obfuscation.rules)
 * 1:25100 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:26451 <-> DISABLED <-> INDICATOR-OBFUSCATION g01pack Javascript substr function wrapper attempt (indicator-obfuscation.rules)
 * 1:12362 <-> DISABLED <-> SERVER-WEBAPP Squid HTTP Proxy-Authorization overflow attempt (server-webapp.rules)

2014-11-04 18:14:42 UTC

Sourcefire VRT Rules Update

Date: 2014-11-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32374 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt (malware-cnc.rules)
 * 1:32376 <-> DISABLED <-> SERVER-OTHER Citrix NetScaler stack buffer overflow attempt (server-other.rules)
 * 1:32375 <-> DISABLED <-> BROWSER-OTHER WGet symlink arbitrary file write attempt (browser-other.rules)
 * 1:32372 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drepitt variant outbound connection attempt (malware-cnc.rules)
 * 1:32373 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Broonject variant outbound connection attempt (malware-cnc.rules)
 * 1:32370 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:32371 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
 * 1:32369 <-> DISABLED <-> PROTOCOL-ICMP FreeBSD stsold dname_labeldec stack buffer overflow attempt (protocol-icmp.rules)

Modified Rules:

 * 1:12362 <-> DISABLED <-> SERVER-WEBAPP Squid HTTP Proxy-Authorization overflow attempt (server-webapp.rules)
 * 1:26451 <-> DISABLED <-> INDICATOR-OBFUSCATION g01pack Javascript substr function wrapper attempt (indicator-obfuscation.rules)
 * 1:25100 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:26615 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript substr rename attempt (indicator-obfuscation.rules)
 * 1:26616 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript indexOf rename attempt (indicator-obfuscation.rules)
 * 1:30824 <-> ENABLED <-> BLACKLIST DNS request for known malware domain betterbrowse.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30825 <-> ENABLED <-> BLACKLIST DNS request for known malware domain browsemark.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30826 <-> ENABLED <-> BLACKLIST DNS request for known malware domain browsesmart.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30827 <-> ENABLED <-> BLACKLIST DNS request for known malware domain diamondata.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30828 <-> ENABLED <-> BLACKLIST DNS request for known malware domain grabmyrez.co - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30829 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jotzey.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30831 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lemurleap.info - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30830 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kozaka.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30832 <-> ENABLED <-> BLACKLIST DNS request for known malware domain luckyleap.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30833 <-> ENABLED <-> BLACKLIST DNS request for known malware domain megabrowse.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30834 <-> ENABLED <-> BLACKLIST DNS request for known malware domain outobox.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30835 <-> ENABLED <-> BLACKLIST DNS request for known malware domain plurpush.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30836 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qualitink.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30837 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saltarsmart.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30838 <-> ENABLED <-> BLACKLIST DNS request for known malware domain secretsauce.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30839 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serialtrunc.com - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain towertilt.com - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30842 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wisenwizard.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:31823 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM remote_task command injection attempt (server-webapp.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:31330 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd update_system_info_debian_package command injection attempt (server-webapp.rules)
 * 1:31505 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd get_license command injection attempt (server-webapp.rules)
 * 1:31506 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd get_log_line command injection attempt (server-webapp.rules)
 * 1:31455 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
 * 1:30841 <-> ENABLED <-> BLACKLIST DNS request for known malware domain websparkle.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:32204 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
 * 1:32205 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
 * 1:32353 <-> DISABLED <-> SQL Drupal 7 pre auth SQL injection attempt (sql.rules)
 * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (server-other.rules)

2014-11-04 18:14:42 UTC

Sourcefire VRT Rules Update

Date: 2014-11-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:32376 <-> DISABLED <-> SERVER-OTHER Citrix NetScaler stack buffer overflow attempt (server-other.rules)
 * 1:32375 <-> DISABLED <-> BROWSER-OTHER WGet symlink arbitrary file write attempt (browser-other.rules)
 * 1:32374 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt (malware-cnc.rules)
 * 1:32372 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drepitt variant outbound connection attempt (malware-cnc.rules)
 * 1:32373 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Broonject variant outbound connection attempt (malware-cnc.rules)
 * 1:32370 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:32371 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
 * 1:32369 <-> DISABLED <-> PROTOCOL-ICMP FreeBSD stsold dname_labeldec stack buffer overflow attempt (protocol-icmp.rules)

Modified Rules:

 * 1:30834 <-> ENABLED <-> BLACKLIST DNS request for known malware domain outobox.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30831 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lemurleap.info - Win.Trojan.Mudrop (blacklist.rules)
 * 1:31330 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd update_system_info_debian_package command injection attempt (server-webapp.rules)
 * 1:31823 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM remote_task command injection attempt (server-webapp.rules)
 * 1:31505 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd get_license command injection attempt (server-webapp.rules)
 * 1:31455 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
 * 1:32204 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
 * 1:32205 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:31506 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM av-centerd get_log_line command injection attempt (server-webapp.rules)
 * 1:12362 <-> DISABLED <-> SERVER-WEBAPP Squid HTTP Proxy-Authorization overflow attempt (server-webapp.rules)
 * 1:26451 <-> DISABLED <-> INDICATOR-OBFUSCATION g01pack Javascript substr function wrapper attempt (indicator-obfuscation.rules)
 * 1:25100 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:26615 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript substr rename attempt (indicator-obfuscation.rules)
 * 1:30841 <-> ENABLED <-> BLACKLIST DNS request for known malware domain websparkle.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain towertilt.com - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30835 <-> ENABLED <-> BLACKLIST DNS request for known malware domain plurpush.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30838 <-> ENABLED <-> BLACKLIST DNS request for known malware domain secretsauce.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30824 <-> ENABLED <-> BLACKLIST DNS request for known malware domain betterbrowse.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30826 <-> ENABLED <-> BLACKLIST DNS request for known malware domain browsesmart.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:26616 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript indexOf rename attempt (indicator-obfuscation.rules)
 * 1:30825 <-> ENABLED <-> BLACKLIST DNS request for known malware domain browsemark.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30827 <-> ENABLED <-> BLACKLIST DNS request for known malware domain diamondata.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30828 <-> ENABLED <-> BLACKLIST DNS request for known malware domain grabmyrez.co - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30829 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jotzey.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30830 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kozaka.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30832 <-> ENABLED <-> BLACKLIST DNS request for known malware domain luckyleap.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30833 <-> ENABLED <-> BLACKLIST DNS request for known malware domain megabrowse.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30839 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serialtrunc.com - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30836 <-> ENABLED <-> BLACKLIST DNS request for known malware domain qualitink.net - Win.Trojan.Mudrop (blacklist.rules)
 * 1:30837 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saltarsmart.biz - Win.Trojan.Mudrop (blacklist.rules)
 * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (server-other.rules)
 * 1:32353 <-> DISABLED <-> SQL Drupal 7 pre auth SQL injection attempt (sql.rules)
 * 1:30842 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wisenwizard.net - Win.Trojan.Mudrop (blacklist.rules)