VRT Rules 2015-03-05
Talos is aware of vulnerabilities affecting OpenSSL.

OpenSSL RSA_EXPORT downgrade (FREAK) CVE-2015-0204: an affected OpenSSL client accepts an export-strength (512-bit) ephemeral RSA key in a ServerKeyExchange message even when the negotiated cipher suite is not an RSA_EXPORT suite. A man-in-the-middle who can alter the handshake can therefore downgrade the connection to a key small enough to factor offline and recover the session traffic.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 33686 through 33703. They alert on SSL/TLS requests that offer an export-grade cipher suite. All eighteen ship DISABLED by default, so they must be enabled in the policy for this coverage to take effect.
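
As an added example that is not part of the Talos release or the Snort rules themselves, the following Python parses a TLS ClientHello and reports any export-grade cipher suites it offers, which is the condition the SSL export-grade rules above look for. The suite identifiers are the IANA-registered export suites; the two ClientHello messages are constructed inline, and the record builder exists only to produce them.

```python
"""Flag export-grade cipher suites offered in a TLS ClientHello.

Added example (not Talos/Snort rule code). Suite identifiers are from the
IANA TLS Cipher Suite Registry; the sample ClientHello messages at the
bottom are constructed here, not captured traffic.
"""
import struct

# IANA-registered export-grade suites. The first nine use a 512-bit RSA_EXPORT
# or DH_EXPORT key; the KRB5 ones are included for completeness.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    0x0026: "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
    0x0027: "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
    0x0028: "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
    0x0029: "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
    0x002A: "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
    0x002B: "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
}

HANDSHAKE = 22      # TLS record content type
CLIENT_HELLO = 1    # handshake message type


class ClientHelloError(ValueError):
    """Raised when the bytes are not a complete, well-formed TLS ClientHello."""


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello (TLS 1.0-1.2 framing).

    Every length field is checked against the bytes actually present, so a
    truncated or malformed record raises instead of reading past the end.
    SSLv2-format hellos are not handled and raise as well.
    """
    if len(record) < 5:
        raise ClientHelloError("record header truncated")
    content_type, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ClientHelloError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ClientHelloError("record body truncated")
    if body[0] != CLIENT_HELLO:
        raise ClientHelloError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 2 + 32 + 1 + 2:
        raise ClientHelloError("handshake body truncated")
    client_version = (hs[0], hs[1])
    off = 2 + 32                      # skip client_version and random
    sid_len = hs[off]
    off += 1 + sid_len
    if off + 2 > len(hs):
        raise ClientHelloError("session id overruns message")
    (cs_len,) = struct.unpack("!H", hs[off:off + 2])
    off += 2
    if cs_len % 2 or off + cs_len > len(hs):
        raise ClientHelloError("cipher suite vector malformed")
    suites = [struct.unpack("!H", hs[i:i + 2])[0]
              for i in range(off, off + cs_len, 2)]
    return {"record_version": (major, minor),
            "client_version": client_version,
            "cipher_suites": suites}


def export_suites_offered(record: bytes):
    """Names of export-grade suites offered, [] if none, None if the
    record could not be parsed as a ClientHello."""
    try:
        info = parse_client_hello(record)
    except ClientHelloError:
        return None
    return [EXPORT_SUITES[s] for s in info["cipher_suites"] if s in EXPORT_SUITES]


def build_client_hello(suites, version=(3, 1), session_id=b"") -> bytes:
    """Build a minimal ClientHello record; used only to construct sample input."""
    body = bytes(version) + bytes(32)           # client_version + zero random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                          # compression_methods: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a hello offering only AES suites, and one that also
# offers TLS_RSA_EXPORT_WITH_RC4_40_MD5 and TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA.
CLEAN_HELLO = build_client_hello([0x002F, 0x0035, 0x0039])
EXPORT_HELLO = build_client_hello([0x002F, 0x0003, 0x0014, 0x0035])

if __name__ == "__main__":
    for name, hello in (("clean", CLEAN_HELLO), ("export", EXPORT_HELLO)):
        print(name, export_suites_offered(hello))
    print("truncated", export_suites_offered(EXPORT_HELLO[:20]))
```

A client that offers an export suite is not itself compromised, but it is the precondition the downgrade needs, so the alert is most useful when correlated with the ServerKeyExchange that follows; the parser returns None rather than an empty list for anything it cannot parse so that malformed records are not silently reported as clean.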

Talos has also added and modified multiple rules in the blacklist, browser-chrome, file-identify, file-other, malware-cnc, protocol-voip, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-03-05 20:52:52 UTC

Sourcefire VRT Rules Update

Date: 2015-03-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33666 <-> ENABLED <-> FILE-IDENTIFY PIF Program Information File file download request (file-identify.rules)
 * 1:33667 <-> ENABLED <-> FILE-IDENTIFY PIF Program Information File file attachment detected (file-identify.rules)
 * 1:33668 <-> ENABLED <-> FILE-IDENTIFY PIF Program Information File file attachment detected (file-identify.rules)
 * 1:33669 <-> DISABLED <-> FILE-OTHER Executable disguised as PIF file (file-other.rules)
 * 1:33670 <-> DISABLED <-> SERVER-OTHER Symantec AMS Intel handler service overly large size1 dos attempt (server-other.rules)
 * 1:33671 <-> DISABLED <-> SERVER-OTHER Symantec AMS Intel handler service overly large size2 dos attempt (server-other.rules)
 * 1:33672 <-> DISABLED <-> SERVER-OTHER Symantec AMS Intel handler service overly large size3 dos attempt (server-other.rules)
 * 1:33673 <-> ENABLED <-> BLACKLIST DNS request for known malware domain athenaloader.biz - Win.Trojan.Athena (blacklist.rules)
 * 1:33674 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Athena variant outbound connection (malware-cnc.rules)
 * 1:33675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Athena variant outbound connection (malware-cnc.rules)
 * 1:33676 <-> DISABLED <-> SERVER-WEBAPP Symantec Web Gateway restore.php command injection attempt (server-webapp.rules)
 * 1:33677 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Babar outbound connection (malware-cnc.rules)
 * 1:33678 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FannyWorm outbound connection attempt (malware-cnc.rules)
 * 1:33679 <-> DISABLED <-> SERVER-OTHER Cisco CNS Network Registrar denial of service attempt (server-other.rules)
 * 1:33680 <-> DISABLED <-> SERVER-OTHER Cisco CNS Network Registrar denial of service attempt (server-other.rules)
 * 1:33681 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak connection to server (malware-cnc.rules)
 * 1:33682 <-> ENABLED <-> SERVER-OTHER PHP unserialize use after free attempt (server-other.rules)
 * 1:33683 <-> ENABLED <-> SERVER-OTHER PHP unserialize use after free attempt (server-other.rules)
 * 1:33684 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media MIDI file memory corruption attempt (file-other.rules)
 * 1:33685 <-> DISABLED <-> SERVER-OTHER PHPMoAdmin remote code execution attempt (server-other.rules)
 * 1:33686 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33687 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33688 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33689 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33690 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33691 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33692 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33693 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33694 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33695 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33696 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33697 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33698 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33699 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33700 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33701 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33702 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33703 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33704 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication (malware-cnc.rules)

Modified Rules:


 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:20900 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media MIDI file memory corruption attempt (file-other.rules)
 * 1:21447 <-> DISABLED <-> BROWSER-CHROME Google Chrome FileSystemObject function call (browser-chrome.rules)
 * 1:23966 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk invite malformed SDP denial of service attempt (protocol-voip.rules)
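
The changelog format defined above ("gid:sid <-> Default rule state <-> Message (rule group)") is simple enough to check mechanically. The following Python is an added example, not Sourcefire or Talos tooling: it parses changelog lines into records and compares a claimed GID/SID range, such as "GID 1, 33686 through 33703" from the summary, against what the list actually contains and which of those rules ship DISABLED. CHANGELOG_EXCERPT is a short excerpt of the list above, chosen so that the range check has something to report.

```python
"""Parse a VRT/Talos rules changelog and check a claimed SID range.

Added example, not Sourcefire/Talos tooling. Reads lines in the changelog's
own format and reports which SIDs of a claimed range are present and which
of those are DISABLED by default. CHANGELOG_EXCERPT is an excerpt of the
"New Rules" list from this release; 33688 is deliberately left out so the
missing-SID check has a hit.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

CHANGELOG_EXCERPT = """\
New Rules:

 * 1:33673 <-> ENABLED <-> BLACKLIST DNS request for known malware domain athenaloader.biz - Win.Trojan.Athena (blacklist.rules)
 * 1:33682 <-> ENABLED <-> SERVER-OTHER PHP unserialize use after free attempt (server-other.rules)
 * 1:33686 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33687 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33703 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33704 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication (malware-cnc.rules)
"""


def parse_changelog(text):
    """Return one dict per rule line; headings and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rules.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "enabled": m["state"] == "ENABLED",
            "msg": m["msg"],
            "group": m["group"],
        })
    return rules


def check_coverage(rules, gid, first_sid, last_sid):
    """Compare a claimed GID/SID range against what the changelog lists.

    Returns the SIDs absent from the list and, of those present, which are
    enabled and which are disabled by default (and so give no coverage
    until the policy turns them on).
    """
    claimed = set(range(first_sid, last_sid + 1))
    listed = {r["sid"]: r for r in rules if r["gid"] == gid and r["sid"] in claimed}
    return {
        "missing": sorted(claimed - set(listed)),
        "disabled": sorted(s for s, r in listed.items() if not r["enabled"]),
        "enabled": sorted(s for s, r in listed.items() if r["enabled"]),
    }


def rules_per_group(rules):
    """Count rules per rule-set file, e.g. to match the summary's list of sets."""
    return Counter(r["group"] for r in rules)


if __name__ == "__main__":
    parsed = parse_changelog(CHANGELOG_EXCERPT)
    print(check_coverage(parsed, 1, 33686, 33688))
    print(rules_per_group(parsed))
```

To run it against a full release, pass the text of the changelog file to parse_changelog() and check the range the summary claims; a non-empty "missing" list means the summary and the list disagree, and a non-empty "disabled" list is the set you still have to enable.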

2015-03-05 20:52:52 UTC

Sourcefire VRT Rules Update

Date: 2015-03-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33666 <-> ENABLED <-> FILE-IDENTIFY PIF Program Information File file download request (file-identify.rules)
 * 1:33667 <-> ENABLED <-> FILE-IDENTIFY PIF Program Information File file attachment detected (file-identify.rules)
 * 1:33668 <-> ENABLED <-> FILE-IDENTIFY PIF Program Information File file attachment detected (file-identify.rules)
 * 1:33669 <-> DISABLED <-> FILE-OTHER Executable disguised as PIF file (file-other.rules)
 * 1:33670 <-> DISABLED <-> SERVER-OTHER Symantec AMS Intel handler service overly large size1 dos attempt (server-other.rules)
 * 1:33671 <-> DISABLED <-> SERVER-OTHER Symantec AMS Intel handler service overly large size2 dos attempt (server-other.rules)
 * 1:33672 <-> DISABLED <-> SERVER-OTHER Symantec AMS Intel handler service overly large size3 dos attempt (server-other.rules)
 * 1:33673 <-> ENABLED <-> BLACKLIST DNS request for known malware domain athenaloader.biz - Win.Trojan.Athena (blacklist.rules)
 * 1:33674 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Athena variant outbound connection (malware-cnc.rules)
 * 1:33675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Athena variant outbound connection (malware-cnc.rules)
 * 1:33676 <-> DISABLED <-> SERVER-WEBAPP Symantec Web Gateway restore.php command injection attempt (server-webapp.rules)
 * 1:33677 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Babar outbound connection (malware-cnc.rules)
 * 1:33678 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FannyWorm outbound connection attempt (malware-cnc.rules)
 * 1:33679 <-> DISABLED <-> SERVER-OTHER Cisco CNS Network Registrar denial of service attempt (server-other.rules)
 * 1:33680 <-> DISABLED <-> SERVER-OTHER Cisco CNS Network Registrar denial of service attempt (server-other.rules)
 * 1:33681 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak connection to server (malware-cnc.rules)
 * 1:33682 <-> ENABLED <-> SERVER-OTHER PHP unserialize use after free attempt (server-other.rules)
 * 1:33683 <-> ENABLED <-> SERVER-OTHER PHP unserialize use after free attempt (server-other.rules)
 * 1:33684 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media MIDI file memory corruption attempt (file-other.rules)
 * 1:33685 <-> DISABLED <-> SERVER-OTHER PHPMoAdmin remote code execution attempt (server-other.rules)
 * 1:33686 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33687 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33688 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33689 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33690 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33691 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33692 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33693 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33694 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33695 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33696 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33697 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33698 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33699 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33700 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33701 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33702 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33703 <-> DISABLED <-> SERVER-OTHER SSL request for export grade ciphersuite attempt (server-other.rules)
 * 1:33704 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial outbound communication (malware-cnc.rules)

Modified Rules:


 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:20900 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media MIDI file memory corruption attempt (file-other.rules)
 * 1:21447 <-> DISABLED <-> BROWSER-CHROME Google Chrome FileSystemObject function call (browser-chrome.rules)
 * 1:23966 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk invite malformed SDP denial of service attempt (protocol-voip.rules)