The VRT has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-other, netbios, os-windows, protocol-tftp, server-other and server-webapp rule sets to provide coverage for emerging threats affecting these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32628 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
* 1:32629 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32630 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32631 <-> DISABLED <-> NETBIOS SMB server response heap overflow attempt (netbios.rules)
* 1:32632 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access (browser-plugins.rules)
* 1:32633 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX function call access (browser-plugins.rules)
* 1:32634 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access (browser-plugins.rules)
* 1:32635 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX function call access (browser-plugins.rules)
* 1:32636 <-> DISABLED <-> FILE-OTHER fCreateShellLink function use - potential attack (file-other.rules)
* 1:32637 <-> ENABLED <-> PROTOCOL-TFTP UDP UFO large packet denial of service attempt (protocol-tftp.rules)
* 1:32638 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit Adobe Flash exploit on defined port (exploit-kit.rules)
* 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
* 1:32641 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit Oracle Java jnlp file requested on defined port (exploit-kit.rules)

* 1:3827 <-> DISABLED <-> SERVER-WEBAPP xmlrpc.php post attempt (server-webapp.rules)
* 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
* 1:29446 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32628 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
* 1:32629 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32630 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32631 <-> DISABLED <-> NETBIOS SMB server response heap overflow attempt (netbios.rules)
* 1:32632 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access (browser-plugins.rules)
* 1:32633 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX function call access (browser-plugins.rules)
* 1:32634 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access (browser-plugins.rules)
* 1:32635 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX function call access (browser-plugins.rules)
* 1:32636 <-> DISABLED <-> FILE-OTHER fCreateShellLink function use - potential attack (file-other.rules)
* 1:32637 <-> ENABLED <-> PROTOCOL-TFTP UDP UFO large packet denial of service attempt (protocol-tftp.rules)
* 1:32638 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit Adobe Flash exploit on defined port (exploit-kit.rules)
* 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
* 1:32641 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit Oracle Java jnlp file requested on defined port (exploit-kit.rules)

* 1:3827 <-> DISABLED <-> SERVER-WEBAPP xmlrpc.php post attempt (server-webapp.rules)
* 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
* 1:29446 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32628 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt (server-other.rules)
* 1:32629 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32630 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32631 <-> DISABLED <-> NETBIOS SMB server response heap overflow attempt (netbios.rules)
* 1:32632 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access (browser-plugins.rules)
* 1:32633 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX function call access (browser-plugins.rules)
* 1:32634 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access (browser-plugins.rules)
* 1:32635 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX function call access (browser-plugins.rules)
* 1:32636 <-> DISABLED <-> FILE-OTHER fCreateShellLink function use - potential attack (file-other.rules)
* 1:32637 <-> ENABLED <-> PROTOCOL-TFTP UDP UFO large packet denial of service attempt (protocol-tftp.rules)
* 1:32638 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit Adobe Flash exploit on defined port (exploit-kit.rules)
* 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
* 1:32641 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit Oracle Java jnlp file requested on defined port (exploit-kit.rules)

* 1:3827 <-> DISABLED <-> SERVER-WEBAPP xmlrpc.php post attempt (server-webapp.rules)
* 1:16540 <-> DISABLED <-> OS-WINDOWS SMB2 client NetBufferList NULL entry remote code execution attempt (os-windows.rules)
* 1:29446 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (exploit-kit.rules)
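The listings above for Snort 2956, 2962 and 2970 all use the "gid:sid <-> Default rule state <-> Message (rule group)" line format. The following is an added example, not part of this release note or of the VRT's own tooling: a small parser for that format that tallies default states per rule group, diffs two listings so a rule pack update can be reviewed for rules that appeared, disappeared or changed default state, and pulls out the SIDs shipped DISABLED that a deployment may want to enable. The sample lines are copied from the 2956 and 2970 listings on this page; the PARTIAL_2956 input is constructed (the 2956 sample with one line dropped) purely to exercise the diff, and the function names are this example's own.

```python
"""Parse Snort rule-pack listings in the documented format and compare two packs.
Added example; not code from the Snort release note or from the VRT."""
import re
from collections import defaultdict

# One listing line, as documented in the release note:
#   gid:sid <-> Default rule state <-> Message (rule group)
# The optional leading "* " is the bullet used in the listings.
LINE_RE = re.compile(
    r"^\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[\w.-]+)\)\s*$"
)

# Sample input: lines copied from the 2956 listing on this page.
SAMPLE_2956 = """\
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
* 1:32631 <-> DISABLED <-> NETBIOS SMB server response heap overflow attempt (netbios.rules)
* 1:32632 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access (browser-plugins.rules)
* 1:32637 <-> ENABLED <-> PROTOCOL-TFTP UDP UFO large packet denial of service attempt (protocol-tftp.rules)
* 1:32641 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit Oracle Java jnlp file requested on defined port (exploit-kit.rules)
* 1:3827 <-> DISABLED <-> SERVER-WEBAPP xmlrpc.php post attempt (server-webapp.rules)
"""

# The same rules as they appear (in a different order) in the 2970 listing on this page.
SAMPLE_2970 = """\
* 1:32641 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit Oracle Java jnlp file requested on defined port (exploit-kit.rules)
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
* 1:32637 <-> ENABLED <-> PROTOCOL-TFTP UDP UFO large packet denial of service attempt (protocol-tftp.rules)
* 1:32632 <-> ENABLED <-> BROWSER-PLUGINS Oracle Data Quality ActiveX clsid access (browser-plugins.rules)
* 1:32631 <-> DISABLED <-> NETBIOS SMB server response heap overflow attempt (netbios.rules)
* 1:3827 <-> DISABLED <-> SERVER-WEBAPP xmlrpc.php post attempt (server-webapp.rules)
"""

# CONSTRUCTED for illustration only: the 2956 sample with 1:32641 removed, standing in
# for an earlier pack that did not yet carry that rule, so diff_packs() has something to report.
PARTIAL_2956 = "\n".join(l for l in SAMPLE_2956.splitlines() if "1:32641" not in l)


def parse_listing(text):
    """Return {(gid, sid): {"state", "msg", "group"}} for one listing.
    Lines that do not match the documented format (headers, prose) are skipped, never guessed at."""
    rules = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["gid"]), int(m["sid"]))
        rules[key] = {"state": m["state"], "msg": m["msg"], "group": m["group"]}
    return rules


def by_group(rules):
    """Count ENABLED and DISABLED rules per rule group (e.g. exploit-kit.rules)."""
    counts = defaultdict(lambda: {"ENABLED": 0, "DISABLED": 0})
    for r in rules.values():
        counts[r["group"]][r["state"]] += 1
    return dict(counts)


def diff_packs(old, new):
    """Return (added_keys, removed_keys, state_changes) between two parsed listings.
    state_changes maps (gid, sid) -> (old_state, new_state) for rules whose default flipped."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {k: (old[k]["state"], new[k]["state"])
               for k in set(old) & set(new) if old[k]["state"] != new[k]["state"]}
    return added, removed, changed


def disabled_sids(rules, group=None):
    """'gid:sid' strings for rules shipped DISABLED, optionally restricted to one group.
    DISABLED is the pack's default state, not a judgement on the traffic; review before enabling."""
    return [f"{g}:{s}" for (g, s), r in sorted(rules.items())
            if r["state"] == "DISABLED" and (group is None or r["group"] == group)]


if __name__ == "__main__":
    rules = parse_listing(SAMPLE_2956)
    for group, counts in sorted(by_group(rules).items()):
        print(f"{group:24s} enabled={counts['ENABLED']} disabled={counts['DISABLED']}")
    print("2956 -> 2970 diff:", diff_packs(rules, parse_listing(SAMPLE_2970)))
    print("partial -> 2956 diff:", diff_packs(parse_listing(PARTIAL_2956), rules))
    print("disabled exploit-kit sids:", disabled_sids(rules, "exploit-kit.rules"))
```

Run against the full listings above, diff_packs() reports no differences between the 2956, 2962 and 2970 packs, which is the expected result: they are the same rule update built for three Snort versions. The "gid:sid" strings from disabled_sids() are the form that PulledPork's enablesid.conf and disablesid.conf take, so the output can be reviewed and pasted into a rule-management configuration rather than edited by hand.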