VRT Rules 2014-11-20
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-firefox, deleted, file-flash, file-office, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-11-20 17:45:34 UTC

Sourcefire VRT Rules Update

Date: 2014-11-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32597 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed third component in color JPEG information leak attempt (deleted.rules)
 * 1:32596 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed third component in color JPEG information leak attempt (deleted.rules)
 * 1:32595 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed second component in color JPEG information leak attempt (deleted.rules)
 * 1:32594 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed second component in color JPEG information leak attempt (deleted.rules)
 * 1:32593 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed JPEG information leak attempt (file-flash.rules)
 * 1:32592 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed JPEG information leak attempt (file-flash.rules)
 * 1:32591 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed greyscale JPEG information leak attempt (deleted.rules)
 * 1:32590 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed greyscale JPEG information leak attempt (deleted.rules)
 * 1:32589 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Selection exploit attempt (file-office.rules)
 * 1:32588 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Selection exploit attempt (file-office.rules)
 * 1:32587 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Series record exploit attempt (file-office.rules)
 * 1:32586 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:32585 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:32584 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
 * 1:32583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
 * 1:32582 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker XmlImportExport plugin PHP code injection attempt (server-webapp.rules)
 * 1:32581 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker XmlImportExport plugin PHP code injection attempt (server-webapp.rules)
 * 1:32580 <-> DISABLED <-> SERVER-WEBAPP Reflected file download attempt (server-webapp.rules)
 * 1:32579 <-> DISABLED <-> SERVER-WEBAPP Reflected file download attempt (server-webapp.rules)
 * 1:32578 <-> ENABLED <-> PUA-OTHER Request for known malware domain pierrejb.agora.eu.org (pua-other.rules)
 * 1:32577 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pierrejb.agora.eu.org (blacklist.rules)

Modified Rules:


 * 1:17613 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt (browser-firefox.rules)
 * 1:19231 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Series record exploit attempt (file-office.rules)
 * 1:32476 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word bOffset value overflow attempt (file-office.rules)
 * 1:32477 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bOffset value overflow attempt (file-office.rules)

2014-11-20 17:45:34 UTC

Sourcefire VRT Rules Update

Date: 2014-11-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32593 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed JPEG information leak attempt (file-flash.rules)
 * 1:32585 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:32597 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed third component in color JPEG information leak attempt (deleted.rules)
 * 1:32592 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed JPEG information leak attempt (file-flash.rules)
 * 1:32590 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed greyscale JPEG information leak attempt (deleted.rules)
 * 1:32591 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed greyscale JPEG information leak attempt (deleted.rules)
 * 1:32589 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Selection exploit attempt (file-office.rules)
 * 1:32581 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker XmlImportExport plugin PHP code injection attempt (server-webapp.rules)
 * 1:32588 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Selection exploit attempt (file-office.rules)
 * 1:32594 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed second component in color JPEG information leak attempt (deleted.rules)
 * 1:32580 <-> DISABLED <-> SERVER-WEBAPP Reflected file download attempt (server-webapp.rules)
 * 1:32582 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker XmlImportExport plugin PHP code injection attempt (server-webapp.rules)
 * 1:32579 <-> DISABLED <-> SERVER-WEBAPP Reflected file download attempt (server-webapp.rules)
 * 1:32578 <-> ENABLED <-> PUA-OTHER Request for known malware domain pierrejb.agora.eu.org (pua-other.rules)
 * 1:32596 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed third component in color JPEG information leak attempt (deleted.rules)
 * 1:32583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
 * 1:32584 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
 * 1:32586 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:32587 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Series record exploit attempt (file-office.rules)
 * 1:32595 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed second component in color JPEG information leak attempt (deleted.rules)
 * 1:32577 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pierrejb.agora.eu.org (blacklist.rules)

Modified Rules:


 * 1:17613 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt (browser-firefox.rules)
 * 1:19231 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Series record exploit attempt (file-office.rules)
 * 1:32476 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word bOffset value overflow attempt (file-office.rules)
 * 1:32477 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bOffset value overflow attempt (file-office.rules)

2014-11-20 17:45:34 UTC

Sourcefire VRT Rules Update

Date: 2014-11-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32586 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:32584 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
 * 1:32585 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:32583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
 * 1:32580 <-> DISABLED <-> SERVER-WEBAPP Reflected file download attempt (server-webapp.rules)
 * 1:32579 <-> DISABLED <-> SERVER-WEBAPP Reflected file download attempt (server-webapp.rules)
 * 1:32582 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker XmlImportExport plugin PHP code injection attempt (server-webapp.rules)
 * 1:32587 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Series record exploit attempt (file-office.rules)
 * 1:32588 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Selection exploit attempt (file-office.rules)
 * 1:32589 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Selection exploit attempt (file-office.rules)
 * 1:32590 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed greyscale JPEG information leak attempt (deleted.rules)
 * 1:32591 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed greyscale JPEG information leak attempt (deleted.rules)
 * 1:32592 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed JPEG information leak attempt (file-flash.rules)
 * 1:32578 <-> ENABLED <-> PUA-OTHER Request for known malware domain pierrejb.agora.eu.org (pua-other.rules)
 * 1:32581 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker XmlImportExport plugin PHP code injection attempt (server-webapp.rules)
 * 1:32597 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed third component in color JPEG information leak attempt (deleted.rules)
 * 1:32596 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed third component in color JPEG information leak attempt (deleted.rules)
 * 1:32595 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed second component in color JPEG information leak attempt (deleted.rules)
 * 1:32577 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pierrejb.agora.eu.org (blacklist.rules)
 * 1:32594 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player malformed second component in color JPEG information leak attempt (deleted.rules)
 * 1:32593 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed JPEG information leak attempt (file-flash.rules)

Modified Rules:


 * 1:17613 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt (browser-firefox.rules)
 * 1:19231 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Series record exploit attempt (file-office.rules)
 * 1:32476 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word bOffset value overflow attempt (file-office.rules)
 * 1:32477 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bOffset value overflow attempt (file-office.rules)