Talos has added and modified multiple rules in the browser-firefox, browser-ie, file-flash, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33902 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
* 1:33896 <-> DISABLED <-> SERVER-WEBAPP OpenNMS XML external entity injection attempt (server-webapp.rules)
* 1:33897 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
* 1:33886 <-> ENABLED <-> MALWARE-CNC WIn.Trojan.HawkEye keylogger variant outbound connection (malware-cnc.rules)
* 1:33887 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
* 1:33899 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
* 1:33898 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
* 1:33895 <-> DISABLED <-> SERVER-WEBAPP TWiki debugenableplugins arbitrary perl code injection attempt (server-webapp.rules)
* 1:33885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
* 1:33888 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
* 1:33901 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
* 1:33889 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
* 1:33890 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
* 1:33891 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Amasages variant outbound connection (malware-cnc.rules)
* 1:33893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
* 1:33892 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xerq outbound connection (malware-cnc.rules)
* 1:33904 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt (browser-firefox.rules)
* 1:33894 <-> DISABLED <-> SERVER-WEBAPP TWiki debugenableplugins arbitrary perl code injection attempt (server-webapp.rules)
* 1:33900 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
* 1:33903 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt (browser-firefox.rules)

* 1:32359 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:29928 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:29929 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:33880 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Casper outbound connection attempt (malware-cnc.rules)
* 1:29930 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
* 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
* 1:29931 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:32360 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:32511 <-> ENABLED <-> MALWARE-CNC PCRat variant outbound connection (malware-cnc.rules)
* 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules)
* 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
* 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
* 1:33717 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler access control bypass attempt (os-windows.rules)
* 3:31738 <-> ENABLED <-> PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected (protocol-dns.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33898 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
* 1:33895 <-> DISABLED <-> SERVER-WEBAPP TWiki debugenableplugins arbitrary perl code injection attempt (server-webapp.rules)
* 1:33897 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
* 1:33894 <-> DISABLED <-> SERVER-WEBAPP TWiki debugenableplugins arbitrary perl code injection attempt (server-webapp.rules)
* 1:33885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
* 1:33886 <-> ENABLED <-> MALWARE-CNC WIn.Trojan.HawkEye keylogger variant outbound connection (malware-cnc.rules)
* 1:33900 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
* 1:33887 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
* 1:33901 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
* 1:33888 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
* 1:33889 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
* 1:33890 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
* 1:33891 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Amasages variant outbound connection (malware-cnc.rules)
* 1:33902 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
* 1:33892 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xerq outbound connection (malware-cnc.rules)
* 1:33893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
* 1:33903 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt (browser-firefox.rules)
* 1:33896 <-> DISABLED <-> SERVER-WEBAPP OpenNMS XML external entity injection attempt (server-webapp.rules)
* 1:33899 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
* 1:33904 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt (browser-firefox.rules)

* 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
* 1:33880 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Casper outbound connection attempt (malware-cnc.rules)
* 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
* 1:29928 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:29929 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:29931 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:29930 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:32359 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:32360 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:32511 <-> ENABLED <-> MALWARE-CNC PCRat variant outbound connection (malware-cnc.rules)
* 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
* 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules)
* 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
* 1:33717 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler access control bypass attempt (os-windows.rules)
* 3:31738 <-> ENABLED <-> PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected (protocol-dns.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33904 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt (browser-firefox.rules)
* 1:33903 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt (browser-firefox.rules)
* 1:33902 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
* 1:33901 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
* 1:33900 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
* 1:33899 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
* 1:33898 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
* 1:33897 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
* 1:33896 <-> DISABLED <-> SERVER-WEBAPP OpenNMS XML external entity injection attempt (server-webapp.rules)
* 1:33895 <-> DISABLED <-> SERVER-WEBAPP TWiki debugenableplugins arbitrary perl code injection attempt (server-webapp.rules)
* 1:33894 <-> DISABLED <-> SERVER-WEBAPP TWiki debugenableplugins arbitrary perl code injection attempt (server-webapp.rules)
* 1:33893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
* 1:33892 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xerq outbound connection (malware-cnc.rules)
* 1:33891 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Amasages variant outbound connection (malware-cnc.rules)
* 1:33890 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
* 1:33889 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
* 1:33888 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
* 1:33887 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
* 1:33886 <-> ENABLED <-> MALWARE-CNC WIn.Trojan.HawkEye keylogger variant outbound connection (malware-cnc.rules)
* 1:33885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)

* 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
* 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
* 1:29928 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:29929 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:29930 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:29931 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:32359 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:32360 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
* 1:32511 <-> ENABLED <-> MALWARE-CNC PCRat variant outbound connection (malware-cnc.rules)
* 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules)
* 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
* 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
* 1:33717 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler access control bypass attempt (os-windows.rules)
* 1:33880 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Casper outbound connection attempt (malware-cnc.rules)
* 3:31738 <-> ENABLED <-> PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected (protocol-dns.rules)