Talos has added and modified multiple rules in the blacklist, file-image, file-other, malware-cnc, malware-other and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33884 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string dolit (blacklist.rules)
* 1:33882 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ere5453.com - Win.Trojan.Jadtre (blacklist.rules)
* 1:33883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadtre variant outbound connection (malware-cnc.rules)
* 1:33880 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Casper outbound connection attempt (malware-cnc.rules)
* 1:33881 <-> ENABLED <-> BLACKLIST DNS request for known malware domain did.ijinshan.com - Win.Trojan.Jadtre (blacklist.rules)
* 1:33878 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
* 1:33879 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
* 1:33876 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
* 1:33877 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
* 1:33874 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Latekonsul Runtime Detection (malware-other.rules)
* 1:33875 <-> DISABLED <-> POLICY-OTHER SolarWinds Firewall Security Manager insecure userlogin.jsp access attempt (policy-other.rules)
* 1:33873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tepoyx outbound connection detection (malware-cnc.rules)
* 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)

* 1:33799 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33784 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33781 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33778 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33780 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33760 <-> ENABLED <-> FILE-IMAGE Microsoft Internet Explorer PNG tRNS chuck size 1 information disclosure attempt (file-image.rules)
* 1:33777 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33794 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33796 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33795 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:24500 <-> DISABLED <-> FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt (file-other.rules)
* 1:31293 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dyre publickey outbound connection attempt (malware-cnc.rules)
* 1:33798 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33797 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33800 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33783 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33782 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tepoyx outbound connection detection (malware-cnc.rules)
* 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)
* 1:33875 <-> DISABLED <-> POLICY-OTHER SolarWinds Firewall Security Manager insecure userlogin.jsp access attempt (policy-other.rules)
* 1:33876 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
* 1:33874 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Latekonsul Runtime Detection (malware-other.rules)
* 1:33877 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
* 1:33878 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
* 1:33879 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
* 1:33880 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Casper outbound connection attempt (malware-cnc.rules)
* 1:33882 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ere5453.com - Win.Trojan.Jadtre (blacklist.rules)
* 1:33884 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string dolit (blacklist.rules)
* 1:33881 <-> ENABLED <-> BLACKLIST DNS request for known malware domain did.ijinshan.com - Win.Trojan.Jadtre (blacklist.rules)
* 1:33883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadtre variant outbound connection (malware-cnc.rules)

* 1:33783 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33798 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33794 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33778 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:24500 <-> DISABLED <-> FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt (file-other.rules)
* 1:33777 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33760 <-> ENABLED <-> FILE-IMAGE Microsoft Internet Explorer PNG tRNS chuck size 1 information disclosure attempt (file-image.rules)
* 1:31293 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dyre publickey outbound connection attempt (malware-cnc.rules)
* 1:33784 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33800 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33795 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33781 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33796 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33780 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33799 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33797 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33782 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33884 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string dolit (blacklist.rules)
* 1:33883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadtre variant outbound connection (malware-cnc.rules)
* 1:33882 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ere5453.com - Win.Trojan.Jadtre (blacklist.rules)
* 1:33881 <-> ENABLED <-> BLACKLIST DNS request for known malware domain did.ijinshan.com - Win.Trojan.Jadtre (blacklist.rules)
* 1:33880 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Casper outbound connection attempt (malware-cnc.rules)
* 1:33879 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
* 1:33878 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
* 1:33877 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
* 1:33876 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
* 1:33875 <-> DISABLED <-> POLICY-OTHER SolarWinds Firewall Security Manager insecure userlogin.jsp access attempt (policy-other.rules)
* 1:33874 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Latekonsul Runtime Detection (malware-other.rules)
* 1:33873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tepoyx outbound connection detection (malware-cnc.rules)
* 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)

* 1:33800 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33799 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33798 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33797 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33796 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:24500 <-> DISABLED <-> FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt (file-other.rules)
* 1:31293 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dyre publickey outbound connection attempt (malware-cnc.rules)
* 1:33760 <-> ENABLED <-> FILE-IMAGE Microsoft Internet Explorer PNG tRNS chuck size 1 information disclosure attempt (file-image.rules)
* 1:33777 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33778 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33780 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33795 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33781 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33794 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33784 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33783 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
* 1:33782 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)