VRT Rules 2015-01-08
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, exploit-kit, file-identify, file-other, malware-cnc, os-mobile, os-windows, policy-other, protocol-scada, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-01-08 18:52:41 UTC

Sourcefire VRT Rules Update

Date: 2015-01-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
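A small parser for this changelog format, added here as an example (it is not part of the VRT update notes and not Snort or PulledPork code). It reads entries of the shape shown above, records whether each one came from the New Rules or Modified Rules section, summarises default states and categories, and emits the gid:sid lines you would hand to a rule manager to turn on rules that ship DISABLED in a chosen rule file. The one gid:sid-per-line shape is what PulledPork's enablesid.conf accepts (assumption: adjust for your own rule manager); the sample entries are copied from this update's lists.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# One changelog entry, in the format the update notes describe:
#   gid:sid <-> Default rule state <-> Message (rule group)
ENTRY_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)
# Section headers that precede each list ("New Rules:" / "Modified Rules:").
SECTION_RE = re.compile(r"^\s*(?P<section>New|Modified) Rules:\s*$")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str              # default state in the rule pack: ENABLED or DISABLED
    category: str           # message prefix, e.g. PROTOCOL-SCADA
    msg: str                # full rule message
    group: str              # rule file the rule lives in, e.g. protocol-scada.rules
    section: Optional[str]  # "new" or "modified", from the preceding header


def parse_changelog(text: str) -> List[RuleEntry]:
    """Parse the update notes into RuleEntry records, skipping non-entry lines."""
    entries: List[RuleEntry] = []
    section: Optional[str] = None
    for line in text.splitlines():
        h = SECTION_RE.match(line)
        if h:
            section = h.group("section").lower()
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # dates, "The format of the file is:", blank lines, etc.
        msg = m.group("msg")
        entries.append(RuleEntry(
            gid=int(m.group("gid")),
            sid=int(m.group("sid")),
            state=m.group("state"),
            category=msg.split(" ", 1)[0],
            msg=msg,
            group=m.group("group"),
            section=section,
        ))
    return entries


def state_counts(entries: Iterable[RuleEntry]) -> Dict[str, int]:
    """How many entries ship ENABLED vs DISABLED by default."""
    return dict(Counter(e.state for e in entries))


def category_counts(entries: Iterable[RuleEntry]) -> Dict[str, int]:
    """How many entries fall under each message category (rule class prefix)."""
    return dict(Counter(e.category for e in entries))


def disabled_in_groups(entries: Iterable[RuleEntry], groups: Set[str]) -> List[Tuple[int, int]]:
    """Sorted, de-duplicated gid:sid pairs that ship DISABLED in any of the given rule files.
    The set also collapses the same SID listed once per Snort-version pack."""
    return sorted({(e.gid, e.sid) for e in entries
                   if e.state == "DISABLED" and e.group in groups})


def enablesid_lines(entries: Iterable[RuleEntry], groups: Set[str]) -> List[str]:
    """One 'gid:sid' line per rule to enable, the shape PulledPork's enablesid.conf
    takes (assumption; change the formatting if your rule manager differs)."""
    return [f"{gid}:{sid}" for gid, sid in disabled_in_groups(entries, groups)]


# Constructed sample: a handful of entries copied from this update's changelog.
SAMPLE = """\
New Rules:

 * 1:33027 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file attachment detected (file-identify.rules)
 * 1:32999 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
 * 1:33015 <-> DISABLED <-> PROTOCOL-SCADA ABB MicroSCADA wserver.exe EXECUTE remote code execution attempt (protocol-scada.rules)
 * 1:32984 <-> ENABLED <-> BLACKLIST DNS request for known malware domain niudoudou.com - Win.Trojan.Graftor (blacklist.rules)
 * 1:32968 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)

Modified Rules:

 * 1:26418 <-> DISABLED <-> SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (server-webapp.rules)
 * 1:29585 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 3 buffer overflow attempt (server-other.rules)
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print(state_counts(parsed))
    print(category_counts(parsed))
    for out in enablesid_lines(parsed, {"protocol-scada.rules"}):
        print(out)
```

The default state matters more than the headline: most of the server-side and SCADA rules in this update ship DISABLED, so they do nothing until you enable them in your policy for the segments where those products (Advantech WebAccess, ABB MicroSCADA, F5 BIG-IP, SAP NetWeaver and so on) actually live. Because the page repeats the same SID list once per Snort-version rule pack, parse only the block that matches your Snort version, or rely on the set in disabled_in_groups to collapse the repeats.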

New Rules:


 * 1:33027 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file attachment detected (file-identify.rules)
 * 1:33004 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Orion Pepco32c ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32968 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
 * 1:32969 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
 * 1:33017 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
 * 1:32999 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
 * 1:32997 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
 * 1:32998 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
 * 1:32994 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt (browser-firefox.rules)
 * 1:32996 <-> DISABLED <-> SERVER-OTHER HP LoadRunner stack buffer overflow attempt (server-other.rules)
 * 1:32993 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt (browser-firefox.rules)
 * 1:32991 <-> DISABLED <-> SERVER-OTHER SAP NetWeaver SXPG_COMMAND_EXECUTE remote command execution attempt (server-other.rules)
 * 1:32992 <-> DISABLED <-> SERVER-OTHER SAP NetWeaver SXPG_COMMAND_EXECUTE remote command execution attempt (server-other.rules)
 * 1:32989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
 * 1:32987 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
 * 1:32988 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
 * 1:32984 <-> ENABLED <-> BLACKLIST DNS request for known malware domain niudoudou.com - Win.Trojan.Graftor (blacklist.rules)
 * 1:32986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toopu dll embedded in png download attempt (malware-cnc.rules)
 * 1:32983 <-> ENABLED <-> BLACKLIST DNS request for known malware domain it885.com.cn - Win.Trojan.Graftor (blacklist.rules)
 * 1:32981 <-> ENABLED <-> BLACKLIST DNS request for known malware domain aquametron.com - Win.Trojan.Graftor (blacklist.rules)
 * 1:32982 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fxxx114.com - Win.Trojan.Graftor (blacklist.rules)
 * 1:32979 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - extra IE version (blacklist.rules)
 * 1:32977 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection attempt (malware-cnc.rules)
 * 1:32978 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - extra IE version (blacklist.rules)
 * 1:32976 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection attempt (malware-cnc.rules)
 * 1:32974 <-> DISABLED <-> OS-MOBILE Android ObjectInputStream privilege escalation attempt (os-mobile.rules)
 * 1:32973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Twerket variant outbound connection (malware-cnc.rules)
 * 1:32972 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nettwerk.x10.mx - Win.Trojan.Twerket (blacklist.rules)
 * 1:32971 <-> DISABLED <-> SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (server-webapp.rules)
 * 1:33039 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:32970 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
 * 1:33029 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33030 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33031 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33032 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33033 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33034 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33035 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33036 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33037 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33038 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:32975 <-> DISABLED <-> OS-MOBILE Android ObjectInputStream privilege escalation attempt (os-mobile.rules)
 * 1:32980 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - multi-browser (blacklist.rules)
 * 1:32985 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wlkan.cn - Win.Trojan.Graftor (blacklist.rules)
 * 1:32990 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toopu outbound connection attempt (malware-cnc.rules)
 * 1:32995 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Adobe Flash download (exploit-kit.rules)
 * 1:33000 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
 * 1:33001 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
 * 1:33002 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
 * 1:33003 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Orion Pepco32c ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33005 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
 * 1:33006 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
 * 1:33007 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
 * 1:33008 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
 * 1:33009 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
 * 1:33010 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
 * 1:33011 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
 * 1:33012 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
 * 1:33013 <-> DISABLED <-> BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33014 <-> DISABLED <-> BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33015 <-> DISABLED <-> PROTOCOL-SCADA ABB MicroSCADA wserver.exe EXECUTE remote code execution attempt (protocol-scada.rules)
 * 1:33016 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
 * 1:33021 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
 * 1:33018 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
 * 1:33020 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
 * 1:33019 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
 * 1:32967 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central DCPlugin insecure admin account creation attempt (policy-other.rules)
 * 1:33026 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file attachment detected (file-identify.rules)
 * 1:33040 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33028 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file download request (file-identify.rules)
 * 1:33024 <-> DISABLED <-> SERVER-WEBAPP Cisco Security Agent Management Center code execution attempt (server-webapp.rules)
 * 1:33025 <-> DISABLED <-> SERVER-WEBAPP Cisco Security Agent Management Center code execution attempt (server-webapp.rules)
 * 1:33023 <-> DISABLED <-> FILE-OTHER Apple Quicktime invalid atom length buffer overflow attempt (file-other.rules)
 * 1:33022 <-> DISABLED <-> FILE-OTHER Apple Quicktime invalid atom length buffer overflow attempt (file-other.rules)

Modified Rules:


 * 1:15944 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Active Directory crafted LDAP request denial of service attempt (os-windows.rules)
 * 1:23232 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
 * 1:23233 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
 * 1:26418 <-> DISABLED <-> SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (server-webapp.rules)
 * 1:29585 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 3 buffer overflow attempt (server-other.rules)
 * 1:29586 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt (server-other.rules)
 * 1:29587 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt (server-other.rules)
 * 1:29588 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 7 buffer overflow attempt (server-other.rules)
 * 1:29590 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow attempt (server-other.rules)
 * 1:29591 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow attempt (server-other.rules)
 * 1:32384 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - myupdate - Win.Backdoor.Upatre (blacklist.rules)
 * 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
 * 1:32877 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
 * 1:32878 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
 * 1:32903 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)
 * 1:32904 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)

2015-01-08 18:52:41 UTC

Sourcefire VRT Rules Update

Date: 2015-01-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32974 <-> DISABLED <-> OS-MOBILE Android ObjectInputStream privilege escalation attempt (os-mobile.rules)
 * 1:32973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Twerket variant outbound connection (malware-cnc.rules)
 * 1:32972 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nettwerk.x10.mx - Win.Trojan.Twerket (blacklist.rules)
 * 1:32971 <-> DISABLED <-> SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (server-webapp.rules)
 * 1:32969 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
 * 1:32968 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
 * 1:32967 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central DCPlugin insecure admin account creation attempt (policy-other.rules)
 * 1:32975 <-> DISABLED <-> OS-MOBILE Android ObjectInputStream privilege escalation attempt (os-mobile.rules)
 * 1:32976 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection attempt (malware-cnc.rules)
 * 1:32977 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection attempt (malware-cnc.rules)
 * 1:32978 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - extra IE version (blacklist.rules)
 * 1:32979 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - extra IE version (blacklist.rules)
 * 1:32981 <-> ENABLED <-> BLACKLIST DNS request for known malware domain aquametron.com - Win.Trojan.Graftor (blacklist.rules)
 * 1:32980 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - multi-browser (blacklist.rules)
 * 1:32982 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fxxx114.com - Win.Trojan.Graftor (blacklist.rules)
 * 1:32983 <-> ENABLED <-> BLACKLIST DNS request for known malware domain it885.com.cn - Win.Trojan.Graftor (blacklist.rules)
 * 1:32984 <-> ENABLED <-> BLACKLIST DNS request for known malware domain niudoudou.com - Win.Trojan.Graftor (blacklist.rules)
 * 1:32986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toopu dll embedded in png download attempt (malware-cnc.rules)
 * 1:32985 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wlkan.cn - Win.Trojan.Graftor (blacklist.rules)
 * 1:32987 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
 * 1:32988 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
 * 1:32989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
 * 1:32990 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toopu outbound connection attempt (malware-cnc.rules)
 * 1:32991 <-> DISABLED <-> SERVER-OTHER SAP NetWeaver SXPG_COMMAND_EXECUTE remote command execution attempt (server-other.rules)
 * 1:32992 <-> DISABLED <-> SERVER-OTHER SAP NetWeaver SXPG_COMMAND_EXECUTE remote command execution attempt (server-other.rules)
 * 1:32993 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt (browser-firefox.rules)
 * 1:32994 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt (browser-firefox.rules)
 * 1:32996 <-> DISABLED <-> SERVER-OTHER HP LoadRunner stack buffer overflow attempt (server-other.rules)
 * 1:32995 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Adobe Flash download (exploit-kit.rules)
 * 1:32997 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
 * 1:32998 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
 * 1:32999 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
 * 1:33000 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
 * 1:33001 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
 * 1:33002 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
 * 1:33003 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Orion Pepco32c ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33004 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Orion Pepco32c ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33005 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
 * 1:33006 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
 * 1:33007 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
 * 1:33008 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
 * 1:33009 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
 * 1:33010 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
 * 1:33011 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
 * 1:33012 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
 * 1:33013 <-> DISABLED <-> BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33014 <-> DISABLED <-> BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33015 <-> DISABLED <-> PROTOCOL-SCADA ABB MicroSCADA wserver.exe EXECUTE remote code execution attempt (protocol-scada.rules)
 * 1:33016 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
 * 1:33017 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
 * 1:33018 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
 * 1:33019 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
 * 1:33020 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
 * 1:33021 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
 * 1:33022 <-> DISABLED <-> FILE-OTHER Apple Quicktime invalid atom length buffer overflow attempt (file-other.rules)
 * 1:33040 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33039 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33038 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33037 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33036 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33035 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33034 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33033 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33032 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33031 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33030 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33029 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:32970 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
 * 1:33028 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file download request (file-identify.rules)
 * 1:33025 <-> DISABLED <-> SERVER-WEBAPP Cisco Security Agent Management Center code execution attempt (server-webapp.rules)
 * 1:33026 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file attachment detected (file-identify.rules)
 * 1:33027 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file attachment detected (file-identify.rules)
 * 1:33023 <-> DISABLED <-> FILE-OTHER Apple Quicktime invalid atom length buffer overflow attempt (file-other.rules)
 * 1:33024 <-> DISABLED <-> SERVER-WEBAPP Cisco Security Agent Management Center code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:15944 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Active Directory crafted LDAP request denial of service attempt (os-windows.rules)
 * 1:23232 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
 * 1:23233 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
 * 1:26418 <-> DISABLED <-> SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (server-webapp.rules)
 * 1:29585 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 3 buffer overflow attempt (server-other.rules)
 * 1:29586 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt (server-other.rules)
 * 1:29587 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt (server-other.rules)
 * 1:29588 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 7 buffer overflow attempt (server-other.rules)
 * 1:29590 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow attempt (server-other.rules)
 * 1:29591 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow attempt (server-other.rules)
 * 1:32384 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - myupdate - Win.Backdoor.Upatre (blacklist.rules)
 * 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
 * 1:32877 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
 * 1:32878 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
 * 1:32903 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)
 * 1:32904 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)

2015-01-08 18:52:41 UTC

Sourcefire VRT Rules Update

Date: 2015-01-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33040 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33039 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33038 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33037 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33036 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33035 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33034 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33033 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33032 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33031 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33030 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33029 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33028 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file download request (file-identify.rules)
 * 1:33027 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file attachment detected (file-identify.rules)
 * 1:33026 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file attachment detected (file-identify.rules)
 * 1:33025 <-> DISABLED <-> SERVER-WEBAPP Cisco Security Agent Management Center code execution attempt (server-webapp.rules)
 * 1:33024 <-> DISABLED <-> SERVER-WEBAPP Cisco Security Agent Management Center code execution attempt (server-webapp.rules)
 * 1:33023 <-> DISABLED <-> FILE-OTHER Apple Quicktime invalid atom length buffer overflow attempt (file-other.rules)
 * 1:33022 <-> DISABLED <-> FILE-OTHER Apple Quicktime invalid atom length buffer overflow attempt (file-other.rules)
 * 1:33021 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
 * 1:33020 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
 * 1:33019 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
 * 1:33018 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
 * 1:33017 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
 * 1:33016 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
 * 1:33015 <-> DISABLED <-> PROTOCOL-SCADA ABB MicroSCADA wserver.exe EXECUTE remote code execution attempt (protocol-scada.rules)
 * 1:33014 <-> DISABLED <-> BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33013 <-> DISABLED <-> BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33012 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
 * 1:33011 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
 * 1:33010 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
 * 1:33009 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
 * 1:33008 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
 * 1:33007 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
 * 1:33006 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
 * 1:33005 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
 * 1:33004 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Orion Pepco32c ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33003 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Orion Pepco32c ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33002 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
 * 1:33001 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
 * 1:33000 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
 * 1:32999 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
 * 1:32998 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
 * 1:32997 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
 * 1:32996 <-> DISABLED <-> SERVER-OTHER HP LoadRunner stack buffer overflow attempt (server-other.rules)
 * 1:32995 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Adobe Flash download (exploit-kit.rules)
 * 1:32994 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt (browser-firefox.rules)
 * 1:32993 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt (browser-firefox.rules)
 * 1:32992 <-> DISABLED <-> SERVER-OTHER SAP NetWeaver SXPG_COMMAND_EXECUTE remote command execution attempt (server-other.rules)
 * 1:32991 <-> DISABLED <-> SERVER-OTHER SAP NetWeaver SXPG_COMMAND_EXECUTE remote command execution attempt (server-other.rules)
 * 1:32990 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toopu outbound connection attempt (malware-cnc.rules)
 * 1:32989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
 * 1:32988 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
 * 1:32987 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
 * 1:32986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toopu dll embedded in png download attempt (malware-cnc.rules)
 * 1:32985 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wlkan.cn - Win.Trojan.Graftor (blacklist.rules)
 * 1:32984 <-> ENABLED <-> BLACKLIST DNS request for known malware domain niudoudou.com - Win.Trojan.Graftor (blacklist.rules)
 * 1:32983 <-> ENABLED <-> BLACKLIST DNS request for known malware domain it885.com.cn - Win.Trojan.Graftor (blacklist.rules)
 * 1:32982 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fxxx114.com - Win.Trojan.Graftor (blacklist.rules)
 * 1:32981 <-> ENABLED <-> BLACKLIST DNS request for known malware domain aquametron.com - Win.Trojan.Graftor (blacklist.rules)
 * 1:32980 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - multi-browser (blacklist.rules)
 * 1:32979 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - extra IE version (blacklist.rules)
 * 1:32978 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - extra IE version (blacklist.rules)
 * 1:32977 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection attempt (malware-cnc.rules)
 * 1:32976 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection attempt (malware-cnc.rules)
 * 1:32975 <-> DISABLED <-> OS-MOBILE Android ObjectInputStream privilege escalation attempt (os-mobile.rules)
 * 1:32974 <-> DISABLED <-> OS-MOBILE Android ObjectInputStream privilege escalation attempt (os-mobile.rules)
 * 1:32973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Twerket variant outbound connection (malware-cnc.rules)
 * 1:32972 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nettwerk.x10.mx - Win.Trojan.Twerket (blacklist.rules)
 * 1:32971 <-> DISABLED <-> SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (server-webapp.rules)
 * 1:32970 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
 * 1:32969 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
 * 1:32968 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
 * 1:32967 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central DCPlugin insecure admin account creation attempt (policy-other.rules)

Modified Rules:


 * 1:15944 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Active Directory crafted LDAP request denial of service attempt (os-windows.rules)
 * 1:23232 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
 * 1:23233 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
 * 1:26418 <-> DISABLED <-> SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (server-webapp.rules)
 * 1:29585 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 3 buffer overflow attempt (server-other.rules)
 * 1:29586 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt (server-other.rules)
 * 1:29587 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt (server-other.rules)
 * 1:29588 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 7 buffer overflow attempt (server-other.rules)
 * 1:29590 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow attempt (server-other.rules)
 * 1:29591 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow attempt (server-other.rules)
 * 1:32384 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - myupdate - Win.Backdoor.Upatre (blacklist.rules)
 * 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
 * 1:32877 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
 * 1:32878 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
 * 1:32903 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)
 * 1:32904 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)