Talos has added and modified multiple rules in the blacklist, browser-chrome, browser-ie, browser-other, browser-plugins, exploit-kit, file-identify, file-image, file-other, malware-cnc, pua-adware, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules)
* 1:33664 <-> DISABLED <-> BROWSER-OTHER Network Security Services NSS library RSA signature forgery attempt (browser-other.rules)
* 1:33663 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules)
* 1:33662 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
* 1:33661 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
* 1:33660 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Vawtrak variant outbound connection (malware-cnc.rules)
* 1:33659 <-> DISABLED <-> SERVER-WEBAPP Dell ScriptLogic Asset Manager GetClientPackage SQL injection attempt (server-webapp.rules)
* 1:33658 <-> DISABLED <-> SERVER-WEBAPP Dell ScriptLogic Asset Manager GetClientPackage SQL injection attempt (server-webapp.rules)
* 1:33657 <-> DISABLED <-> SERVER-WEBAPP Dell ScriptLogic Asset Manager GetClientPackage SQL injection attempt (server-webapp.rules)
* 1:33656 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak data exfiltration attempt (malware-cnc.rules)
* 1:33655 <-> DISABLED <-> SERVER-OTHER Squid Proxy invalid HTTP response code denial of service attempt (server-other.rules)
* 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold connection exhaustion denail of service attempt (server-other.rules)
* 1:33653 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
* 1:33652 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
* 1:33651 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
* 1:33650 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba outbound connection attempt (malware-cnc.rules)
* 1:33649 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - Google Omaha - Win.Trojan.ExtenBro (blacklist.rules)
* 1:33648 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt (malware-cnc.rules)
* 1:33647 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt (malware-cnc.rules)
* 1:33646 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt (malware-cnc.rules)
* 1:33645 <-> DISABLED <-> PUA-ADWARE SuperFish adware outbound connection attempt (pua-adware.rules)
* 1:33644 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
* 1:33643 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
* 1:33642 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file attachment detected (file-identify.rules)
* 1:33641 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file attachment detected (file-identify.rules)
* 1:33640 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file download request (file-identify.rules)
* 1:33639 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Java applet denial of service attempt (browser-ie.rules)
* 1:33638 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Java applet denial of service attempt (browser-ie.rules)
* 1:33637 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query object integer overflow attempt (server-mysql.rules)
* 1:12762 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Toolbar Helper Class ActiveX clsid access (browser-plugins.rules)
* 1:16214 <-> DISABLED <-> SERVER-OTHER Squid Proxy invalid HTTP response code denial of service attempt (server-other.rules)
* 1:19484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
* 1:27525 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
* 1:27526 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
* 1:27527 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
* 1:27528 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
* 1:27529 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
* 1:27530 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
* 1:27964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
* 1:31594 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
* 1:31595 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
* 1:31596 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
* 1:31597 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
* 1:31598 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
* 1:31599 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33661 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
* 1:33656 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak data exfiltration attempt (malware-cnc.rules)
* 1:33655 <-> DISABLED <-> SERVER-OTHER Squid Proxy invalid HTTP response code denial of service attempt (server-other.rules)
* 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold connection exhaustion denail of service attempt (server-other.rules)
* 1:33653 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
* 1:33652 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
* 1:33649 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - Google Omaha - Win.Trojan.ExtenBro (blacklist.rules)
* 1:33647 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt (malware-cnc.rules)
* 1:33646 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt (malware-cnc.rules)
* 1:33650 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba outbound connection attempt (malware-cnc.rules)
* 1:33651 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
* 1:33637 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query object integer overflow attempt (server-mysql.rules)
* 1:33638 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Java applet denial of service attempt (browser-ie.rules)
* 1:33639 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Java applet denial of service attempt (browser-ie.rules)
* 1:33640 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file download request (file-identify.rules)
* 1:33641 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file attachment detected (file-identify.rules)
* 1:33642 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file attachment detected (file-identify.rules)
* 1:33643 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
* 1:33644 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
* 1:33645 <-> DISABLED <-> PUA-ADWARE SuperFish adware outbound connection attempt (pua-adware.rules)
* 1:33657 <-> DISABLED <-> SERVER-WEBAPP Dell ScriptLogic Asset Manager GetClientPackage SQL injection attempt (server-webapp.rules)
* 1:33658 <-> DISABLED <-> SERVER-WEBAPP Dell ScriptLogic Asset Manager GetClientPackage SQL injection attempt (server-webapp.rules)
* 1:33659 <-> DISABLED <-> SERVER-WEBAPP Dell ScriptLogic Asset Manager GetClientPackage SQL injection attempt (server-webapp.rules)
* 1:33660 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Vawtrak variant outbound connection (malware-cnc.rules)
* 1:33662 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
* 1:33663 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules)
* 1:33648 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt (malware-cnc.rules)
* 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules)
* 1:33664 <-> DISABLED <-> BROWSER-OTHER Network Security Services NSS library RSA signature forgery attempt (browser-other.rules)
* 1:12762 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Toolbar Helper Class ActiveX clsid access (browser-plugins.rules)
* 1:16214 <-> DISABLED <-> SERVER-OTHER Squid Proxy invalid HTTP response code denial of service attempt (server-other.rules)
* 1:19484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
* 1:27525 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
* 1:27526 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
* 1:27527 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
* 1:27528 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
* 1:27529 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
* 1:27530 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
* 1:27964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
* 1:31594 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
* 1:31595 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
* 1:31596 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
* 1:31597 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
* 1:31598 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
* 1:31599 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)