VRT Rules 2015-01-27
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-multimedia, file-pdf, indicator-compromise, malware-cnc, malware-other, os-windows, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-01-27 17:08:17 UTC

Sourcefire VRT Rules Update

Date: 2015-01-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
 * 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)
 * 1:33214 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader newfunction memory corruption attempt (file-pdf.rules)
 * 1:33213 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader newfunction memory corruption attempt (file-pdf.rules)
 * 1:33212 <-> ENABLED <-> PUA-ADWARE SoftPulse variant HTTP response attempt (pua-adware.rules)
 * 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre outbound connection attempt (malware-cnc.rules)
 * 1:33210 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oguws7cr5xvl5jlrhyxjktcdi2d7k5cqeulu4mdl75xxfwmhgnsq.b32.i2p (blacklist.rules)
 * 1:33209 <-> ENABLED <-> BLACKLIST DNS request for known malware domain infandibula.com (blacklist.rules)
 * 1:33208 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bladbindi obfuscated with Yano Obfuscator download attempt (malware-other.rules)
 * 1:33207 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mazilla/5.0 - Win.Backdoor.Upatre (blacklist.rules)
 * 1:33206 <-> ENABLED <-> FILE-MULTIMEDIA VideoLAN VLC 2.1.5 Media Player libavcodex memory corruption attempt (file-multimedia.rules)
 * 1:33205 <-> ENABLED <-> FILE-MULTIMEDIA VideoLAN VLC 2.1.5 Media Player libavcodex memory corruption attempt (file-multimedia.rules)
 * 1:33204 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
 * 1:33203 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
 * 1:33202 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
 * 1:33201 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
 * 1:33200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pisces variant outbound connection attempt (malware-cnc.rules)
 * 1:33199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Sabeba outbound connection (malware-cnc.rules)
 * 1:33198 <-> DISABLED <-> OS-WINDOWS Outlook Express WAB file parsing buffer overflow attempt (os-windows.rules)
 * 1:33197 <-> DISABLED <-> SERVER-OTHER BMC Track-It FileStorageService directory traversal attempt (server-other.rules)
 * 1:33196 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:33195 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:33194 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:33193 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:33192 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:33191 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:33190 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules)
 * 1:33189 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:18590 <-> DISABLED <-> OS-WINDOWS Outlook Express WAB file parsing buffer overflow attempt (os-windows.rules)
 * 1:25459 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry exploit attempt (file-pdf.rules)
 * 1:25460 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry exploit attempt (file-pdf.rules)
 * 1:26401 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:31557 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre (blacklist.rules)
 * 1:32813 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed U3D object use after free attempt (file-pdf.rules)
 * 1:32814 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed U3D object use after free attempt (file-pdf.rules)
 * 1:32819 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 row out of bounds memory corruption attempt (file-pdf.rules)
 * 1:32820 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 row out of bounds memory corruption attempt (file-pdf.rules)
 * 1:32834 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32835 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32836 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32837 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32855 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader graphics module crash attempt (file-pdf.rules)
 * 1:32856 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader graphics module crash attempt (file-pdf.rules)
 * 1:33146 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:33165 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poweliks variant outbound connection (malware-cnc.rules)

2015-01-27 17:08:17 UTC

Sourcefire VRT Rules Update

Date: 2015-01-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:33210 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oguws7cr5xvl5jlrhyxjktcdi2d7k5cqeulu4mdl75xxfwmhgnsq.b32.i2p (blacklist.rules)
 * 1:33197 <-> DISABLED <-> SERVER-OTHER BMC Track-It FileStorageService directory traversal attempt (server-other.rules)
 * 1:33199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Sabeba outbound connection (malware-cnc.rules)
 * 1:33196 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:33198 <-> DISABLED <-> OS-WINDOWS Outlook Express WAB file parsing buffer overflow attempt (os-windows.rules)
 * 1:33195 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:33192 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:33193 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:33194 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:33191 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:33189 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules)
 * 1:33190 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules)
 * 1:33201 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
 * 1:33203 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
 * 1:33206 <-> ENABLED <-> FILE-MULTIMEDIA VideoLAN VLC 2.1.5 Media Player libavcodex memory corruption attempt (file-multimedia.rules)
 * 1:33207 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mazilla/5.0 - Win.Backdoor.Upatre (blacklist.rules)
 * 1:33208 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bladbindi obfuscated with Yano Obfuscator download attempt (malware-other.rules)
 * 1:33209 <-> ENABLED <-> BLACKLIST DNS request for known malware domain infandibula.com (blacklist.rules)
 * 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre outbound connection attempt (malware-cnc.rules)
 * 1:33212 <-> ENABLED <-> PUA-ADWARE SoftPulse variant HTTP response attempt (pua-adware.rules)
 * 1:33213 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader newfunction memory corruption attempt (file-pdf.rules)
 * 1:33214 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader newfunction memory corruption attempt (file-pdf.rules)
 * 1:33202 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
 * 1:33205 <-> ENABLED <-> FILE-MULTIMEDIA VideoLAN VLC 2.1.5 Media Player libavcodex memory corruption attempt (file-multimedia.rules)
 * 1:33204 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
 * 1:33200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pisces variant outbound connection attempt (malware-cnc.rules)
 * 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
 * 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)

Modified Rules:

 * 1:32819 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 row out of bounds memory corruption attempt (file-pdf.rules)
 * 1:32820 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 row out of bounds memory corruption attempt (file-pdf.rules)
 * 1:32834 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32813 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed U3D object use after free attempt (file-pdf.rules)
 * 1:32835 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32814 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed U3D object use after free attempt (file-pdf.rules)
 * 1:31557 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre (blacklist.rules)
 * 1:25459 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry exploit attempt (file-pdf.rules)
 * 1:25460 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry exploit attempt (file-pdf.rules)
 * 1:32836 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:26401 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:18590 <-> DISABLED <-> OS-WINDOWS Outlook Express WAB file parsing buffer overflow attempt (os-windows.rules)
 * 1:32837 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:32855 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader graphics module crash attempt (file-pdf.rules)
 * 1:32856 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader graphics module crash attempt (file-pdf.rules)
 * 1:33146 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:33165 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poweliks variant outbound connection (malware-cnc.rules)