The VRT has added and modified multiple rules in the blacklist, browser-plugins, file-flash, file-multimedia, file-office, file-other, malware-cnc, protocol-telnet, protocol-voip, pua-toolbars and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33470 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)
* 1:33468 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
* 1:33469 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)
* 1:33466 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
* 1:33461 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:33456 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Dridex outbound connection (malware-cnc.rules)
* 1:33452 <-> ENABLED <-> PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection (pua-toolbars.rules)
* 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
* 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
* 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
* 1:33443 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
* 1:33441 <-> ENABLED <-> FILE-OFFICE Microsoft Office OLESS stream object name corruption attempt (file-office.rules)
* 1:33440 <-> DISABLED <-> SERVER-WEBAPP WordPress EasyCart PHP code execution attempt (server-webapp.rules)
* 1:33444 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection attempt (malware-cnc.rules)
* 1:33438 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gfdimage.esy.es - Win.Trojan.Gefetroe (blacklist.rules)
* 1:33439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gefetroe variant outbound connection (malware-cnc.rules)
* 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
* 1:33450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection attempt (malware-cnc.rules)
* 1:33451 <-> DISABLED <-> PROTOCOL-TELNET Microsoft Telnet Server buffer overflow attempt (protocol-telnet.rules)
* 1:33453 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter variant outbound connection attempt (malware-cnc.rules)
* 1:33454 <-> ENABLED <-> FILE-OTHER Adobe Reader CoolType.DLL out-of-bounds memory access attempt (file-other.rules)
* 1:33455 <-> ENABLED <-> FILE-OTHER Adobe Reader CoolType.DLL out-of-bounds memory access attempt (file-other.rules)
* 1:33457 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
* 1:33458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:33459 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:33460 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:33462 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:33463 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:33464 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dynamer variant outbound connection (malware-cnc.rules)
* 1:33465 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
* 1:33467 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
* 1:33442 <-> ENABLED <-> FILE-OFFICE Microsoft Office OLESS stream object name corruption attempt (file-office.rules)
* 1:33478 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
* 1:33477 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
* 1:33476 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
* 1:33475 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
* 1:33474 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player MP4 malformed avc atom memory corruption attempt (file-multimedia.rules)
* 1:33445 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SIP channel driver denial of service attempt (protocol-voip.rules)
* 1:33473 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player MP4 malformed avc atom memory corruption attempt (file-multimedia.rules)
* 1:33471 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)
* 1:33472 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)
* 1:19049 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant outbound connection attempt (malware-cnc.rules)
* 1:24672 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt (file-multimedia.rules)
* 1:25334 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
* 1:25335 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
* 1:25336 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
* 1:25337 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
* 1:25338 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
* 1:25339 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
* 1:25340 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
* 1:31123 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant inbound connection attempt (malware-cnc.rules)
* 1:32840 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)
* 1:32842 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33478 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
* 1:33477 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
* 1:33476 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
* 1:33475 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byte array use after free attempt (file-flash.rules)
* 1:33474 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player MP4 malformed avc atom memory corruption attempt (file-multimedia.rules)
* 1:33473 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player MP4 malformed avc atom memory corruption attempt (file-multimedia.rules)
* 1:33472 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)
* 1:33471 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)
* 1:33470 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)
* 1:33469 <-> DISABLED <-> FILE-FLASH Adobe Flash Player arbitrary code execution attempt (file-flash.rules)
* 1:33468 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
* 1:33467 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
* 1:33466 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
* 1:33465 <-> ENABLED <-> FILE-FLASH Adobe Flash Player heap overflow using special characters with regex options attempt (file-flash.rules)
* 1:33464 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dynamer variant outbound connection (malware-cnc.rules)
* 1:33463 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:33462 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:33461 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:33460 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:33459 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:33458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:33457 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
* 1:33456 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Dridex outbound connection (malware-cnc.rules)
* 1:33455 <-> ENABLED <-> FILE-OTHER Adobe Reader CoolType.DLL out-of-bounds memory access attempt (file-other.rules)
* 1:33454 <-> ENABLED <-> FILE-OTHER Adobe Reader CoolType.DLL out-of-bounds memory access attempt (file-other.rules)
* 1:33453 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter variant outbound connection attempt (malware-cnc.rules)
* 1:33452 <-> ENABLED <-> PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection (pua-toolbars.rules)
* 1:33451 <-> DISABLED <-> PROTOCOL-TELNET Microsoft Telnet Server buffer overflow attempt (protocol-telnet.rules)
* 1:33450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection attempt (malware-cnc.rules)
* 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
* 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
* 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
* 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
* 1:33445 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SIP channel driver denial of service attempt (protocol-voip.rules)
* 1:33444 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection attempt (malware-cnc.rules)
* 1:33443 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
* 1:33442 <-> ENABLED <-> FILE-OFFICE Microsoft Office OLESS stream object name corruption attempt (file-office.rules)
* 1:33441 <-> ENABLED <-> FILE-OFFICE Microsoft Office OLESS stream object name corruption attempt (file-office.rules)
* 1:33440 <-> DISABLED <-> SERVER-WEBAPP WordPress EasyCart PHP code execution attempt (server-webapp.rules)
* 1:33439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gefetroe variant outbound connection (malware-cnc.rules)
* 1:33438 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gfdimage.esy.es - Win.Trojan.Gefetroe (blacklist.rules)
* 1:19049 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant outbound connection attempt (malware-cnc.rules)
* 1:24672 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt (file-multimedia.rules)
* 1:25334 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
* 1:25335 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
* 1:25336 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
* 1:25337 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
* 1:25338 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
* 1:25339 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
* 1:25340 <-> DISABLED <-> SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt (server-other.rules)
* 1:31123 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant inbound connection attempt (malware-cnc.rules)
* 1:32840 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)
* 1:32842 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules)