VRT Rules 2014-11-13
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, browser-other, file-flash, malware-cnc, policy-other, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-11-13 16:36:15 UTC

Sourcefire VRT Rules Update

Date: 2014-11-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32524 <-> DISABLED <-> BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt (browser-other.rules)
 * 1:32525 <-> ENABLED <-> BROWSER-OTHER FreeBSD tnftp client detected (browser-other.rules)
 * 1:32526 <-> DISABLED <-> POLICY-OTHER Visual Mining NetCharts default credentials authentication attempt (policy-other.rules)
 * 1:32545 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML focus with no data denial of service attempt (file-flash.rules)
 * 1:32531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt (malware-cnc.rules)
 * 1:32535 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32537 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32546 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP Enterprise Manager XML entity injection attempt (server-webapp.rules)
 * 1:32532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style sheet array memory corruption attempt (browser-ie.rules)
 * 1:32544 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML focus with no data denial of service attempt (file-flash.rules)
 * 1:32534 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32530 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:32528 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts directory traversal attempt (server-webapp.rules)
 * 1:32529 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Vkont variant outbound connection (malware-cnc.rules)
 * 1:32527 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts directory traversal attempt (server-webapp.rules)
 * 1:32523 <-> DISABLED <-> BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt (browser-other.rules)
 * 1:32521 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 2.0 possible TOR client retrieval attempt (malware-cnc.rules)
 * 1:32522 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hydroac.info - Win.Trojan.Hancitor (blacklist.rules)
 * 1:32533 <-> ENABLED <-> SERVER-MYSQL Oracle MySQL Server XPath memory Corruption attempt (server-mysql.rules)
 * 1:32536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32541 <-> ENABLED <-> FILE-FLASH Adobe Flash Player decompressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32540 <-> ENABLED <-> FILE-FLASH Adobe Flash Player decompressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32547 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP Enterprise Manager XML entity injection attempt (server-webapp.rules)
 * 1:32542 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed microphone object codec denial of service attempt (file-flash.rules)

Modified Rules:


 * 1:32463 <-> ENABLED <-> BLACKLIST DNS request for known malware domain octoberpics.ru - Win.Trojan.TorrentLocker (blacklist.rules)
 * 1:16659 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style sheet array memory corruption attempt (browser-ie.rules)
 * 1:12079 <-> DISABLED <-> SERVER-OTHER CA BrightStor LGServer Stack buffer overflow attempt (server-other.rules)

2014-11-13 16:36:15 UTC

Sourcefire VRT Rules Update

Date: 2014-11-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32541 <-> ENABLED <-> FILE-FLASH Adobe Flash Player decompressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32540 <-> ENABLED <-> FILE-FLASH Adobe Flash Player decompressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32537 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32534 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32535 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style sheet array memory corruption attempt (browser-ie.rules)
 * 1:32533 <-> ENABLED <-> SERVER-MYSQL Oracle MySQL Server XPath memory Corruption attempt (server-mysql.rules)
 * 1:32530 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:32531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt (malware-cnc.rules)
 * 1:32528 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts directory traversal attempt (server-webapp.rules)
 * 1:32529 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Vkont variant outbound connection (malware-cnc.rules)
 * 1:32527 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts directory traversal attempt (server-webapp.rules)
 * 1:32524 <-> DISABLED <-> BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt (browser-other.rules)
 * 1:32521 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 2.0 possible TOR client retrieval attempt (malware-cnc.rules)
 * 1:32522 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hydroac.info - Win.Trojan.Hancitor (blacklist.rules)
 * 1:32525 <-> ENABLED <-> BROWSER-OTHER FreeBSD tnftp client detected (browser-other.rules)
 * 1:32526 <-> DISABLED <-> POLICY-OTHER Visual Mining NetCharts default credentials authentication attempt (policy-other.rules)
 * 1:32547 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP Enterprise Manager XML entity injection attempt (server-webapp.rules)
 * 1:32523 <-> DISABLED <-> BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt (browser-other.rules)
 * 1:32546 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP Enterprise Manager XML entity injection attempt (server-webapp.rules)
 * 1:32545 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML focus with no data denial of service attempt (file-flash.rules)
 * 1:32544 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML focus with no data denial of service attempt (file-flash.rules)
 * 1:32543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32542 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed microphone object codec denial of service attempt (file-flash.rules)

Modified Rules:


 * 1:32463 <-> ENABLED <-> BLACKLIST DNS request for known malware domain octoberpics.ru - Win.Trojan.TorrentLocker (blacklist.rules)
 * 1:12079 <-> DISABLED <-> SERVER-OTHER CA BrightStor LGServer Stack buffer overflow attempt (server-other.rules)
 * 1:16659 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style sheet array memory corruption attempt (browser-ie.rules)

2014-11-13 16:36:15 UTC

Sourcefire VRT Rules Update

Date: 2014-11-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32547 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP Enterprise Manager XML entity injection attempt (server-webapp.rules)
 * 1:32546 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP Enterprise Manager XML entity injection attempt (server-webapp.rules)
 * 1:32545 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML focus with no data denial of service attempt (file-flash.rules)
 * 1:32544 <-> ENABLED <-> FILE-FLASH Adobe Flash Player HTML focus with no data denial of service attempt (file-flash.rules)
 * 1:32543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32542 <-> ENABLED <-> FILE-FLASH Adobe Flash Player compressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32541 <-> ENABLED <-> FILE-FLASH Adobe Flash Player decompressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32540 <-> ENABLED <-> FILE-FLASH Adobe Flash Player decompressed microphone object codec denial of service attempt (file-flash.rules)
 * 1:32539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32537 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32535 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32534 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regular expression grouping depth denial of service attempt (file-flash.rules)
 * 1:32533 <-> ENABLED <-> SERVER-MYSQL Oracle MySQL Server XPath memory Corruption attempt (server-mysql.rules)
 * 1:32532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style sheet array memory corruption attempt (browser-ie.rules)
 * 1:32531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt (malware-cnc.rules)
 * 1:32530 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
 * 1:32529 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Vkont variant outbound connection (malware-cnc.rules)
 * 1:32528 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts directory traversal attempt (server-webapp.rules)
 * 1:32527 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts directory traversal attempt (server-webapp.rules)
 * 1:32526 <-> DISABLED <-> POLICY-OTHER Visual Mining NetCharts default credentials authentication attempt (policy-other.rules)
 * 1:32525 <-> ENABLED <-> BROWSER-OTHER FreeBSD tnftp client detected (browser-other.rules)
 * 1:32524 <-> DISABLED <-> BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt (browser-other.rules)
 * 1:32523 <-> DISABLED <-> BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt (browser-other.rules)
 * 1:32522 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hydroac.info - Win.Trojan.Hancitor (blacklist.rules)
 * 1:32521 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall 2.0 possible TOR client retrieval attempt (malware-cnc.rules)

Modified Rules:


 * 1:16659 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style sheet array memory corruption attempt (browser-ie.rules)
 * 1:32463 <-> ENABLED <-> BLACKLIST DNS request for known malware domain octoberpics.ru - Win.Trojan.TorrentLocker (blacklist.rules)
 * 1:12079 <-> DISABLED <-> SERVER-OTHER CA BrightStor LGServer Stack buffer overflow attempt (server-other.rules)