The VRT has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-multimedia, file-pdf, indicator-compromise, malware-cnc, malware-other, os-windows, pua-adware, server-other and server-webapp rule sets to provide coverage for emerging threats targeting these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
* 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)
* 1:33214 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader newfunction memory corruption attempt (file-pdf.rules)
* 1:33213 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader newfunction memory corruption attempt (file-pdf.rules)
* 1:33212 <-> ENABLED <-> PUA-ADWARE SoftPulse variant HTTP response attempt (pua-adware.rules)
* 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre outbound connection attempt (malware-cnc.rules)
* 1:33210 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oguws7cr5xvl5jlrhyxjktcdi2d7k5cqeulu4mdl75xxfwmhgnsq.b32.i2p (blacklist.rules)
* 1:33209 <-> ENABLED <-> BLACKLIST DNS request for known malware domain infandibula.com (blacklist.rules)
* 1:33208 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bladbindi obfuscated with Yano Obfuscator download attempt (malware-other.rules)
* 1:33207 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mazilla/5.0 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33206 <-> ENABLED <-> FILE-MULTIMEDIA VideoLAN VLC 2.1.5 Media Player libavcodex memory corruption attempt (file-multimedia.rules)
* 1:33205 <-> ENABLED <-> FILE-MULTIMEDIA VideoLAN VLC 2.1.5 Media Player libavcodex memory corruption attempt (file-multimedia.rules)
* 1:33204 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
* 1:33203 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
* 1:33202 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
* 1:33201 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
* 1:33200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pisces variant outbound connection attempt (malware-cnc.rules)
* 1:33199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Sabeba outbound connection (malware-cnc.rules)
* 1:33198 <-> DISABLED <-> OS-WINDOWS Outlook Express WAB file parsing buffer overflow attempt (os-windows.rules)
* 1:33197 <-> DISABLED <-> SERVER-OTHER BMC Track-It FileStorageService directory traversal attempt (server-other.rules)
* 1:33196 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33195 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33194 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33193 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33192 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33191 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33190 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules)
* 1:33189 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules)

* 1:18590 <-> DISABLED <-> OS-WINDOWS Outlook Express WAB file parsing buffer overflow attempt (os-windows.rules)
* 1:25459 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry exploit attempt (file-pdf.rules)
* 1:25460 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry exploit attempt (file-pdf.rules)
* 1:26401 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot (blacklist.rules)
* 1:31557 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre (blacklist.rules)
* 1:32813 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed U3D object use after free attempt (file-pdf.rules)
* 1:32814 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed U3D object use after free attempt (file-pdf.rules)
* 1:32819 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 row out of bounds memory corruption attempt (file-pdf.rules)
* 1:32820 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 row out of bounds memory corruption attempt (file-pdf.rules)
* 1:32834 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:32835 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:32836 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:32837 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:32855 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader graphics module crash attempt (file-pdf.rules)
* 1:32856 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader graphics module crash attempt (file-pdf.rules)
* 1:33146 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:33165 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poweliks variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33210 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oguws7cr5xvl5jlrhyxjktcdi2d7k5cqeulu4mdl75xxfwmhgnsq.b32.i2p (blacklist.rules)
* 1:33197 <-> DISABLED <-> SERVER-OTHER BMC Track-It FileStorageService directory traversal attempt (server-other.rules)
* 1:33199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Sabeba outbound connection (malware-cnc.rules)
* 1:33196 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33198 <-> DISABLED <-> OS-WINDOWS Outlook Express WAB file parsing buffer overflow attempt (os-windows.rules)
* 1:33195 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33192 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33193 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33194 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33191 <-> ENABLED <-> BROWSER-IE Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:33189 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules)
* 1:33190 <-> DISABLED <-> SERVER-WEBAPP Samsung AllShare Cast command injection attempt (server-webapp.rules)
* 1:33201 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
* 1:33203 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
* 1:33206 <-> ENABLED <-> FILE-MULTIMEDIA VideoLAN VLC 2.1.5 Media Player libavcodex memory corruption attempt (file-multimedia.rules)
* 1:33207 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mazilla/5.0 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33208 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bladbindi obfuscated with Yano Obfuscator download attempt (malware-other.rules)
* 1:33209 <-> ENABLED <-> BLACKLIST DNS request for known malware domain infandibula.com (blacklist.rules)
* 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre outbound connection attempt (malware-cnc.rules)
* 1:33212 <-> ENABLED <-> PUA-ADWARE SoftPulse variant HTTP response attempt (pua-adware.rules)
* 1:33213 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader newfunction memory corruption attempt (file-pdf.rules)
* 1:33214 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader newfunction memory corruption attempt (file-pdf.rules)
* 1:33202 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
* 1:33205 <-> ENABLED <-> FILE-MULTIMEDIA VideoLAN VLC 2.1.5 Media Player libavcodex memory corruption attempt (file-multimedia.rules)
* 1:33204 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class confusion memory corruption compressed file attempt (file-flash.rules)
* 1:33200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pisces variant outbound connection attempt (malware-cnc.rules)
* 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
* 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)

* 1:32819 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 row out of bounds memory corruption attempt (file-pdf.rules)
* 1:32820 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 row out of bounds memory corruption attempt (file-pdf.rules)
* 1:32834 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:32813 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed U3D object use after free attempt (file-pdf.rules)
* 1:32835 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:32814 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed U3D object use after free attempt (file-pdf.rules)
* 1:31557 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre (blacklist.rules)
* 1:25459 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry exploit attempt (file-pdf.rules)
* 1:25460 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry exploit attempt (file-pdf.rules)
* 1:32836 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:26401 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot (blacklist.rules)
* 1:18590 <-> DISABLED <-> OS-WINDOWS Outlook Express WAB file parsing buffer overflow attempt (os-windows.rules)
* 1:32837 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:32855 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader graphics module crash attempt (file-pdf.rules)
* 1:32856 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader graphics module crash attempt (file-pdf.rules)
* 1:33146 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:33165 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poweliks variant outbound connection (malware-cnc.rules)
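The "gid:sid <-> Default rule state <-> Message (rule group)" format used by both change lists above is easy to consume programmatically, which matters when you track which newly added rules ship DISABLED by default (the tor2web.org and icanhazip.com DNS indicators, the BMC Track-It traversal and the Samsung AllShare Cast rules in this pack) and decide whether your local policy should turn them on. The parser below is an added example written for this page, not code from the VRT or Snort; the sample input is a constructed excerpt of five entries copied from the 2970 list, including one line where two entries were run together the way the extracted page text shows them. The gid:sid output lines follow the form that PulledPork's enablesid.conf and disablesid.conf accept.

```python
"""Parse a VRT rule-pack change list in the format

    gid:sid <-> Default rule state <-> Message (rule group)

Entries start with "* " and may be one per line or run together on a
single line; the regex finds every entry regardless of line breaks.
"""
import re
from collections import Counter

# One entry: gid:sid, the default state, the message, then "(group.rules)".
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)"
)

# Constructed sample: five entries excerpted from the 2970 list on this page.
# The first line deliberately carries two entries, as the extracted page did.
SAMPLE = """\
* 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules) * 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)
* 1:33214 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader newfunction memory corruption attempt (file-pdf.rules)
* 1:33207 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mazilla/5.0 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33197 <-> DISABLED <-> SERVER-OTHER BMC Track-It FileStorageService directory traversal attempt (server-other.rules)
"""


def parse_changelist(text):
    """Return one dict per rule entry, in document order."""
    rules = []
    for m in ENTRY_RE.finditer(text):
        msg = m.group("msg").strip()
        rules.append({
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "enabled": m.group("state") == "ENABLED",
            "category": msg.split(" ", 1)[0],  # leading class token, e.g. FILE-PDF
            "msg": msg,
            "group": m.group("group"),
        })
    return rules


def summarize(rules):
    """Entry counts per rule group and per default state."""
    by_group = Counter(r["group"] for r in rules)
    by_state = Counter("enabled" if r["enabled"] else "disabled" for r in rules)
    return {"total": len(rules), "groups": dict(by_group), "states": dict(by_state)}


def sid_lines(rules, enabled=False, groups=None):
    """gid:sid lines for rules with the given default state, optionally
    restricted to a set of rule groups. With enabled=False this yields the
    candidates for a local enablesid.conf review."""
    return [
        f"{r['gid']}:{r['sid']}"
        for r in rules
        if r["enabled"] == enabled and (groups is None or r["group"] in groups)
    ]


if __name__ == "__main__":
    parsed = parse_changelist(SAMPLE)
    print(summarize(parsed))
    print("disabled by default:", sid_lines(parsed))
    print("disabled indicators:", sid_lines(parsed, groups={"indicator-compromise.rules"}))
```

Run it against the full text of either list above and the group counts give a quick view of where the pack's weight sits (file-pdf and browser-ie here); the default-disabled lines are the ones worth a policy decision, since a rule that is DISABLED in the pack never fires until you enable it locally.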