The VRT has added and modified multiple rules in the blacklist, exploit-kit, file-flash, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33300 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
* 1:33301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
* 1:33297 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
* 1:33299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Foxy variant outbound connection (malware-cnc.rules)
* 1:33296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
* 1:33290 <-> ENABLED <-> FILE-FLASH Adobe Flash Player stage object use-after-free attempt (file-flash.rules)
* 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)
* 1:33293 <-> DISABLED <-> SERVER-WEBAPP phpBB viewtopic double URL encoding attempt (server-webapp.rules)
* 1:33292 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:33291 <-> ENABLED <-> FILE-FLASH Adobe Flash Player stage object use-after-free attempt (file-flash.rules)
* 1:33295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
* 1:33298 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
* 1:33302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
* 1:33303 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
* 1:33304 <-> ENABLED <-> PUA-ADWARE Win.Adware.Gamevance variant outbound connection (pua-adware.rules)
* 1:33305 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Rubinurd variant outbound connection (malware-cnc.rules)
* 1:33294 <-> DISABLED <-> SERVER-WEBAPP phpBB viewtopic double URL encoding attempt (server-webapp.rules)
* 1:33310 <-> DISABLED <-> FILE-OTHER libxml2 entity reference name heap buffer overflow attempt (file-other.rules)
* 1:33309 <-> DISABLED <-> FILE-OTHER libxml2 entity reference name heap buffer overflow attempt (file-other.rules)
* 1:33308 <-> ENABLED <-> FILE-OTHER Microsoft Visio packed object parsing memory corruption attempt (file-other.rules)
* 1:33306 <-> ENABLED <-> BLACKLIST Connection to malware sinkhole (blacklist.rules)
* 1:33307 <-> ENABLED <-> FILE-OTHER Microsoft Visio packed object parsing memory corruption attempt (file-other.rules)

* 1:32817 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
* 1:32399 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Oracle Java request (exploit-kit.rules)
* 1:30990 <-> ENABLED <-> MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection (malware-cnc.rules)
* 1:30991 <-> ENABLED <-> MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection (malware-cnc.rules)
* 1:32818 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33310 <-> DISABLED <-> FILE-OTHER libxml2 entity reference name heap buffer overflow attempt (file-other.rules)
* 1:33309 <-> DISABLED <-> FILE-OTHER libxml2 entity reference name heap buffer overflow attempt (file-other.rules)
* 1:33308 <-> ENABLED <-> FILE-OTHER Microsoft Visio packed object parsing memory corruption attempt (file-other.rules)
* 1:33307 <-> ENABLED <-> FILE-OTHER Microsoft Visio packed object parsing memory corruption attempt (file-other.rules)
* 1:33306 <-> ENABLED <-> BLACKLIST Connection to malware sinkhole (blacklist.rules)
* 1:33305 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Rubinurd variant outbound connection (malware-cnc.rules)
* 1:33304 <-> ENABLED <-> PUA-ADWARE Win.Adware.Gamevance variant outbound connection (pua-adware.rules)
* 1:33303 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
* 1:33302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
* 1:33301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
* 1:33300 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
* 1:33299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Foxy variant outbound connection (malware-cnc.rules)
* 1:33298 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
* 1:33297 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
* 1:33296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
* 1:33295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sound object heap buffer overflow attempt (file-flash.rules)
* 1:33294 <-> DISABLED <-> SERVER-WEBAPP phpBB viewtopic double URL encoding attempt (server-webapp.rules)
* 1:33293 <-> DISABLED <-> SERVER-WEBAPP phpBB viewtopic double URL encoding attempt (server-webapp.rules)
* 1:33292 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:33291 <-> ENABLED <-> FILE-FLASH Adobe Flash Player stage object use-after-free attempt (file-flash.rules)
* 1:33290 <-> ENABLED <-> FILE-FLASH Adobe Flash Player stage object use-after-free attempt (file-flash.rules)
* 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)

* 1:30990 <-> ENABLED <-> MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection (malware-cnc.rules)
* 1:30991 <-> ENABLED <-> MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection (malware-cnc.rules)
* 1:32399 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Oracle Java request (exploit-kit.rules)
* 1:32817 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
* 1:32818 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)