CVE-2015-0235: The Exim mail server is exposed to a vulnerability in the GNU C Library (Glibc) that may lead to remote code execution.
Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 33225 through 33226.
The VRT has added and modified multiple rules in the blacklist, deleted, exploit-kit, file-flash, indicator-compromise, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33252 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - WATClient - Win.Backdoor.Upatre (blacklist.rules)
* 1:33250 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Tintin - Win.Backdoor.Upatre (blacklist.rules)
* 1:33249 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - SLSSoapClient - Win.Backdoor.Upatre (blacklist.rules)
* 1:33247 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - PPKHandler - Win.Backdoor.Upatre (blacklist.rules)
* 1:33248 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Peers12 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33245 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Opera10 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33243 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mozilla - Win.Backdoor.Upatre (blacklist.rules)
* 1:33244 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Opera - Win.Backdoor.Upatre (blacklist.rules)
* 1:33240 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - FixUpdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:33242 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Explorer - Win.Backdoor.Upatre (blacklist.rules)
* 1:33239 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Installer/1.0 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33237 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Player - Win.Backdoor.Upatre (blacklist.rules)
* 1:33238 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Wurst - Win.Backdoor.Upatre (blacklist.rules)
* 1:33235 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - 2608cw-2 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33234 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - 2508Inst - Win.Backdoor.Upatre (blacklist.rules)
* 1:33232 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - AppUpdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:33231 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Firefox/5.0 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33230 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Firefox - Win.Backdoor.Upatre (blacklist.rules)
* 1:33228 <-> ENABLED <-> MALWARE-CNC Win.Kovter variant outbound connection attempt (malware-cnc.rules)
* 1:33221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules)
* 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules)
* 1:33218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cendode system information disclosure attempt (malware-cnc.rules)
* 1:33219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gamarue variant outbound connection attempt (malware-cnc.rules)
* 1:33222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules)
* 1:33223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules)
* 1:33217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuovoscor variant outbound connection (malware-cnc.rules)
* 1:33225 <-> ENABLED <-> SERVER-MAIL Exim gethostbyname heap buffer overflow attempt (server-mail.rules)
* 1:33226 <-> ENABLED <-> SERVER-MAIL Exim gethostbyname heap buffer overflow attempt (server-mail.rules)
* 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection attempt (malware-cnc.rules)
* 1:33233 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - 2608cw-1 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33236 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - 2808inst - Win.Backdoor.Upatre (blacklist.rules)
* 1:33241 <-> DISABLED <-> DELETED BLACKLIST User-Agent known malicious user-agent string - MSDW - Win.Backdoor.Upatre (deleted.rules)
* 1:33246 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - OperaMini - Win.Backdoor.Upatre (blacklist.rules)
* 1:33251 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - USER_CHECK - Win.Backdoor.Upatre (blacklist.rules)
* 1:33253 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - bbbbbbbbbb - Win.Backdoor.Upatre (blacklist.rules)
* 1:33254 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - hi - Win.Backdoor.Upatre (blacklist.rules)
* 1:33255 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - iMacros - Win.Backdoor.Upatre (blacklist.rules)
* 1:33256 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - macrotest - Win.Backdoor.Upatre (blacklist.rules)
* 1:33257 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - onlymacros - Win.Backdoor.Upatre (blacklist.rules)
* 1:33258 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Updates downloader - Win.Backdoor.Upatre (blacklist.rules)
* 1:33259 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - testupdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:33260 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - onlyupdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:33274 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
* 1:33273 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
* 1:33272 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
* 1:33271 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
* 1:33270 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33269 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33266 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33224 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.Blocker variant outbound connection attempt (indicator-compromise.rules)
* 1:33265 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33263 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33264 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33262 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33261 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 3:33229 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Services Catalog XML external entity injection attempt (server-webapp.rules)

* 1:33207 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mazilla/5.0 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33186 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
* 1:33180 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:33181 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:33178 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:33179 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:33047 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - realupdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:33165 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poweliks outbound communication (malware-cnc.rules)
* 1:32384 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - myupdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:32383 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - connect - Win.Backdoor.Upatre (blacklist.rules)
* 1:32125 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - update - Win.Backdoor.Upatre (blacklist.rules)
* 1:31991 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Treck - Win.Backdoor.Upatre (blacklist.rules)
* 1:32020 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Krompt variant outbound connection attempt (malware-cnc.rules)
* 1:31990 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Install - Win.Backdoor.Upatre (blacklist.rules)
* 1:31557 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre (blacklist.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33274 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
* 1:33273 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
* 1:33272 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
* 1:33271 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
* 1:33270 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33269 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33266 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33265 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33264 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33263 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33262 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33261 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:33260 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - onlyupdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:33259 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - testupdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:33258 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Updates downloader - Win.Backdoor.Upatre (blacklist.rules)
* 1:33257 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - onlymacros - Win.Backdoor.Upatre (blacklist.rules)
* 1:33256 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - macrotest - Win.Backdoor.Upatre (blacklist.rules)
* 1:33255 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - iMacros - Win.Backdoor.Upatre (blacklist.rules)
* 1:33254 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - hi - Win.Backdoor.Upatre (blacklist.rules)
* 1:33253 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - bbbbbbbbbb - Win.Backdoor.Upatre (blacklist.rules)
* 1:33252 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - WATClient - Win.Backdoor.Upatre (blacklist.rules)
* 1:33251 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - USER_CHECK - Win.Backdoor.Upatre (blacklist.rules)
* 1:33250 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Tintin - Win.Backdoor.Upatre (blacklist.rules)
* 1:33249 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - SLSSoapClient - Win.Backdoor.Upatre (blacklist.rules)
* 1:33248 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Peers12 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33247 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - PPKHandler - Win.Backdoor.Upatre (blacklist.rules)
* 1:33246 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - OperaMini - Win.Backdoor.Upatre (blacklist.rules)
* 1:33245 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Opera10 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33244 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Opera - Win.Backdoor.Upatre (blacklist.rules)
* 1:33243 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mozilla - Win.Backdoor.Upatre (blacklist.rules)
* 1:33242 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Explorer - Win.Backdoor.Upatre (blacklist.rules)
* 1:33241 <-> DISABLED <-> DELETED BLACKLIST User-Agent known malicious user-agent string - MSDW - Win.Backdoor.Upatre (deleted.rules)
* 1:33240 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - FixUpdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:33239 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Installer/1.0 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33238 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Wurst - Win.Backdoor.Upatre (blacklist.rules)
* 1:33237 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Player - Win.Backdoor.Upatre (blacklist.rules)
* 1:33236 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - 2808inst - Win.Backdoor.Upatre (blacklist.rules)
* 1:33235 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - 2608cw-2 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33234 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - 2508Inst - Win.Backdoor.Upatre (blacklist.rules)
* 1:33233 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - 2608cw-1 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33232 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - AppUpdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:33231 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Firefox/5.0 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33230 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Firefox - Win.Backdoor.Upatre (blacklist.rules)
* 1:33228 <-> ENABLED <-> MALWARE-CNC Win.Kovter variant outbound connection attempt (malware-cnc.rules)
* 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection attempt (malware-cnc.rules)
* 1:33226 <-> ENABLED <-> SERVER-MAIL Exim gethostbyname heap buffer overflow attempt (server-mail.rules)
* 1:33225 <-> ENABLED <-> SERVER-MAIL Exim gethostbyname heap buffer overflow attempt (server-mail.rules)
* 1:33224 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.Blocker variant outbound connection attempt (indicator-compromise.rules)
* 1:33223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules)
* 1:33222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules)
* 1:33221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot (malware-cnc.rules)
* 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules)
* 1:33219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gamarue variant outbound connection attempt (malware-cnc.rules)
* 1:33218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cendode system information disclosure attempt (malware-cnc.rules)
* 1:33217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuovoscor variant outbound connection (malware-cnc.rules)
* 3:33229 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Services Catalog XML external entity injection attempt (server-webapp.rules)

* 1:33207 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mazilla/5.0 - Win.Backdoor.Upatre (blacklist.rules)
* 1:33181 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:33186 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
* 1:33179 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:33180 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:33165 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poweliks outbound communication (malware-cnc.rules)
* 1:33178 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:32384 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - myupdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:33047 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - realupdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:32125 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - update - Win.Backdoor.Upatre (blacklist.rules)
* 1:32383 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - connect - Win.Backdoor.Upatre (blacklist.rules)
* 1:32020 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Krompt variant outbound connection attempt (malware-cnc.rules)
* 1:31991 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Treck - Win.Backdoor.Upatre (blacklist.rules)
* 1:31557 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre (blacklist.rules)
* 1:31990 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Install - Win.Backdoor.Upatre (blacklist.rules)