VRT Rules 2015-01-13
The VRT is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS15-001: A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32965 through 32966.

Microsoft Security Bulletin MS15-002: A coding deficiency exists in Microsoft Telnet Server that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 33050.

Microsoft Security Bulletin MS15-004: A coding deficiency exists in the Microsoft CTSWebProxy ActiveX control that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33051 through 33052.

Microsoft Security Bulletin MS15-007: A coding deficiency exists in Microsoft RADIUS services on domain controllers that may lead to a Denial of Service (DoS).

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33048 through 33049.

Microsoft Security Bulletin MS15-008: A coding deficiency exists in Microsoft WebDAV that may lead to an escalation of privilege.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 33053.

The VRT has added and modified multiple rules in the blacklist, browser-plugins, file-multimedia and protocol-telnet rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-01-13 18:59:48 UTC

Sourcefire VRT Rules Update

Date: 2015-01-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33041 <-> DISABLED <-> FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt (file-multimedia.rules)
 * 1:33048 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebdavRedirector privilege escalation attempt (os-windows.rules)
 * 1:33042 <-> DISABLED <-> FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt (file-multimedia.rules)
 * 1:33047 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - realupdate - Win.Backdoor.Upatre (blacklist.rules)
 * 1:33049 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebdavRedirector privilege escalation attempt (os-windows.rules)
 * 1:33050 <-> ENABLED <-> PROTOCOL-TELNET Microsoft Telnet Server buffer overflow attempt (protocol-telnet.rules)
 * 1:33044 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33043 <-> DISABLED <-> FILE-MULTIMEDIA Multiple media players M3U playlist file handling buffer overflow attempt (file-multimedia.rules)
 * 1:33052 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules)
 * 1:33051 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules)
 * 1:33045 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX function call access attempt (browser-plugins.rules)
 * 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)

Modified Rules:


 * 1:32965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:23271 <-> DISABLED <-> FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt (file-multimedia.rules)
 * 1:23272 <-> DISABLED <-> FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt (file-multimedia.rules)
 * 1:12459 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:12616 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX function call access attempt (browser-plugins.rules)
 * 1:32966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)

2015-01-13 18:59:48 UTC

Sourcefire VRT Rules Update

Date: 2015-01-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33052 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules)
 * 1:33044 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33041 <-> DISABLED <-> FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt (file-multimedia.rules)
 * 1:33043 <-> DISABLED <-> FILE-MULTIMEDIA Multiple media players M3U playlist file handling buffer overflow attempt (file-multimedia.rules)
 * 1:33042 <-> DISABLED <-> FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt (file-multimedia.rules)
 * 1:33048 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebdavRedirector privilege escalation attempt (os-windows.rules)
 * 1:33049 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebdavRedirector privilege escalation attempt (os-windows.rules)
 * 1:33050 <-> ENABLED <-> PROTOCOL-TELNET Microsoft Telnet Server buffer overflow attempt (protocol-telnet.rules)
 * 1:33051 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules)
 * 1:33045 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX function call access attempt (browser-plugins.rules)
 * 1:33047 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - realupdate - Win.Backdoor.Upatre (blacklist.rules)
 * 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)

Modified Rules:


 * 1:32966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:12459 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:12616 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX function call access attempt (browser-plugins.rules)
 * 1:23271 <-> DISABLED <-> FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt (file-multimedia.rules)
 * 1:32965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:23272 <-> DISABLED <-> FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt (file-multimedia.rules)

2015-01-13 18:59:48 UTC

Sourcefire VRT Rules Update

Date: 2015-01-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33052 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules)
 * 1:33051 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules)
 * 1:33050 <-> ENABLED <-> PROTOCOL-TELNET Microsoft Telnet Server buffer overflow attempt (protocol-telnet.rules)
 * 1:33049 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebdavRedirector privilege escalation attempt (os-windows.rules)
 * 1:33048 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebdavRedirector privilege escalation attempt (os-windows.rules)
 * 1:33047 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - realupdate - Win.Backdoor.Upatre (blacklist.rules)
 * 1:33045 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX function call access attempt (browser-plugins.rules)
 * 1:33044 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33043 <-> DISABLED <-> FILE-MULTIMEDIA Multiple media players M3U playlist file handling buffer overflow attempt (file-multimedia.rules)
 * 1:33042 <-> DISABLED <-> FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt (file-multimedia.rules)
 * 1:33041 <-> DISABLED <-> FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt (file-multimedia.rules)
 * 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)

Modified Rules:


 * 1:23272 <-> DISABLED <-> FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt (file-multimedia.rules)
 * 1:12459 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23271 <-> DISABLED <-> FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt (file-multimedia.rules)
 * 1:12616 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Studio 6 PDWizard.ocx ActiveX function call access attempt (browser-plugins.rules)
 * 1:32965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:32966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)