VRT Rules 2015-01-22
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-01-22 21:13:30 UTC

Sourcefire VRT Rules Update

Date: 2015-01-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33158 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
 * 1:33159 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVM2 opcode type confusion denial of service attempt (file-flash.rules)
 * 1:33160 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVM2 opcode type confusion denial of service attempt (file-flash.rules)
 * 1:33161 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Rombertik outbound connection (malware-cnc.rules)
 * 1:33162 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:33163 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:33164 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RTMP out-of-bounds read attempt (file-flash.rules)
 * 1:33165 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poweliks (malware-cnc.rules)
 * 1:33166 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33167 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33168 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33169 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33170 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
 * 1:33171 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33172 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
 * 1:33173 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33174 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
 * 1:33175 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
 * 1:33176 <-> ENABLED <-> FILE-FLASH Adobe Flash AWM2 out of bounds corruption attempt (file-flash.rules)
 * 1:33177 <-> ENABLED <-> FILE-FLASH Adobe Flash AWM2 out of bounds corruption attempt (file-flash.rules)
 * 1:33178 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)
 * 1:33179 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)
 * 1:33180 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)
 * 1:33157 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
 * 1:33188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bedep variant outbound connection (malware-cnc.rules)
 * 1:33187 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
 * 1:33186 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
 * 1:33185 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
 * 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
 * 1:33183 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
 * 1:33181 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)

Modified Rules:


 * 1:31548 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Yakes variant inbound communication (malware-cnc.rules)
 * 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:29066 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit XORed payload download attempt (exploit-kit.rules)
 * 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound communication (malware-cnc.rules)
 * 1:32997 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
 * 1:32998 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)

2015-01-22 21:13:30 UTC

Sourcefire VRT Rules Update

Date: 2015-01-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bedep variant outbound connection (malware-cnc.rules)
 * 1:33187 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
 * 1:33186 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
 * 1:33185 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
 * 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
 * 1:33183 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
 * 1:33181 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)
 * 1:33180 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)
 * 1:33179 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)
 * 1:33178 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)
 * 1:33177 <-> ENABLED <-> FILE-FLASH Adobe Flash AWM2 out of bounds corruption attempt (file-flash.rules)
 * 1:33176 <-> ENABLED <-> FILE-FLASH Adobe Flash AWM2 out of bounds corruption attempt (file-flash.rules)
 * 1:33175 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
 * 1:33174 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
 * 1:33173 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33172 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
 * 1:33171 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33170 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
 * 1:33169 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33168 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33167 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33166 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
 * 1:33165 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poweliks (malware-cnc.rules)
 * 1:33164 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RTMP out-of-bounds read attempt (file-flash.rules)
 * 1:33163 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:33162 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
 * 1:33161 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Rombertik outbound connection (malware-cnc.rules)
 * 1:33160 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVM2 opcode type confusion denial of service attempt (file-flash.rules)
 * 1:33159 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVM2 opcode type confusion denial of service attempt (file-flash.rules)
 * 1:33158 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
 * 1:33157 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)

Modified Rules:


 * 1:29066 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit XORed payload download attempt (exploit-kit.rules)
 * 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:31548 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Yakes variant inbound communication (malware-cnc.rules)
 * 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound communication (malware-cnc.rules)
 * 1:32997 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
 * 1:32998 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)