VRT Rules 2015-03-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, file-image, file-other, malware-cnc, malware-other and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-03-19 15:53:31 UTC

Sourcefire VRT Rules Update

Date: 2015-03-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33884 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string dolit (blacklist.rules)
 * 1:33882 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ere5453.com - Win.Trojan.Jadtre (blacklist.rules)
 * 1:33883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadtre variant outbound connection (malware-cnc.rules)
 * 1:33880 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Casper outbound connection attempt (malware-cnc.rules)
 * 1:33881 <-> ENABLED <-> BLACKLIST DNS request for known malware domain did.ijinshan.com - Win.Trojan.Jadtre (blacklist.rules)
 * 1:33878 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
 * 1:33879 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
 * 1:33876 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
 * 1:33877 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
 * 1:33874 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Latekonsul Runtime Detection (malware-other.rules)
 * 1:33875 <-> DISABLED <-> POLICY-OTHER SolarWinds Firewall Security Manager insecure userlogin.jsp access attempt (policy-other.rules)
 * 1:33873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tepoyx outbound connection detection (malware-cnc.rules)
 * 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:33799 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33784 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33781 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33778 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33780 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33760 <-> ENABLED <-> FILE-IMAGE Microsoft Internet Explorer PNG tRNS chuck size 1 information disclosure attempt (file-image.rules)
 * 1:33777 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33794 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33796 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33795 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:24500 <-> DISABLED <-> FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt (file-other.rules)
 * 1:31293 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dyre publickey outbound connection attempt (malware-cnc.rules)
 * 1:33798 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33797 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33800 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33783 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33782 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)

2015-03-19 15:53:31 UTC

Sourcefire VRT Rules Update

Date: 2015-03-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tepoyx outbound connection detection (malware-cnc.rules)
 * 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)
 * 1:33875 <-> DISABLED <-> POLICY-OTHER SolarWinds Firewall Security Manager insecure userlogin.jsp access attempt (policy-other.rules)
 * 1:33876 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
 * 1:33874 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Latekonsul Runtime Detection (malware-other.rules)
 * 1:33877 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
 * 1:33878 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
 * 1:33879 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
 * 1:33880 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Casper outbound connection attempt (malware-cnc.rules)
 * 1:33882 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ere5453.com - Win.Trojan.Jadtre (blacklist.rules)
 * 1:33884 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string dolit (blacklist.rules)
 * 1:33881 <-> ENABLED <-> BLACKLIST DNS request for known malware domain did.ijinshan.com - Win.Trojan.Jadtre (blacklist.rules)
 * 1:33883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadtre variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:33783 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33798 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33794 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33778 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:24500 <-> DISABLED <-> FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt (file-other.rules)
 * 1:33777 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33760 <-> ENABLED <-> FILE-IMAGE Microsoft Internet Explorer PNG tRNS chuck size 1 information disclosure attempt (file-image.rules)
 * 1:31293 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dyre publickey outbound connection attempt (malware-cnc.rules)
 * 1:33784 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33800 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33795 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33781 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33796 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33780 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33799 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33797 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33782 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)

2015-03-19 15:53:30 UTC

Sourcefire VRT Rules Update

Date: 2015-03-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33884 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string dolit (blacklist.rules)
 * 1:33883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadtre variant outbound connection (malware-cnc.rules)
 * 1:33882 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ere5453.com - Win.Trojan.Jadtre (blacklist.rules)
 * 1:33881 <-> ENABLED <-> BLACKLIST DNS request for known malware domain did.ijinshan.com - Win.Trojan.Jadtre (blacklist.rules)
 * 1:33880 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Casper outbound connection attempt (malware-cnc.rules)
 * 1:33879 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
 * 1:33878 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
 * 1:33877 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
 * 1:33876 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Meowner runtime detection (malware-cnc.rules)
 * 1:33875 <-> DISABLED <-> POLICY-OTHER SolarWinds Firewall Security Manager insecure userlogin.jsp access attempt (policy-other.rules)
 * 1:33874 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Latekonsul Runtime Detection (malware-other.rules)
 * 1:33873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tepoyx outbound connection detection (malware-cnc.rules)
 * 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:33800 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33799 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33798 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33797 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33796 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:24500 <-> DISABLED <-> FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt (file-other.rules)
 * 1:31293 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dyre publickey outbound connection attempt (malware-cnc.rules)
 * 1:33760 <-> ENABLED <-> FILE-IMAGE Microsoft Internet Explorer PNG tRNS chuck size 1 information disclosure attempt (file-image.rules)
 * 1:33777 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33778 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33780 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33795 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33781 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33794 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33784 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33783 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)
 * 1:33782 <-> DISABLED <-> SERVER-OTHER SSL export grade ciphersuite server negotiation attempt (server-other.rules)