VRT Rules 2015-03-24
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, browser-ie, file-flash, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-03-24 18:50:30 UTC

Sourcefire VRT Rules Update

Date: 2015-03-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33902 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
 * 1:33896 <-> DISABLED <-> SERVER-WEBAPP OpenNMS XML external entity injection attempt (server-webapp.rules)
 * 1:33897 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
 * 1:33886 <-> ENABLED <-> MALWARE-CNC WIn.Trojan.HawkEye keylogger variant outbound connection (malware-cnc.rules)
 * 1:33887 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
 * 1:33899 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
 * 1:33898 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
 * 1:33895 <-> DISABLED <-> SERVER-WEBAPP TWiki debugenableplugins arbitrary perl code injection attempt (server-webapp.rules)
 * 1:33885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
 * 1:33888 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
 * 1:33901 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
 * 1:33889 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
 * 1:33890 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
 * 1:33891 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Amasages variant outbound connection (malware-cnc.rules)
 * 1:33893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:33892 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xerq outbound connection (malware-cnc.rules)
 * 1:33904 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt (browser-firefox.rules)
 * 1:33894 <-> DISABLED <-> SERVER-WEBAPP TWiki debugenableplugins arbitrary perl code injection attempt (server-webapp.rules)
 * 1:33900 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
 * 1:33903 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt (browser-firefox.rules)

Modified Rules:


 * 1:32359 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:29928 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:29929 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:33880 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Casper outbound connection attempt (malware-cnc.rules)
 * 1:29930 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
 * 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
 * 1:29931 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:32360 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:32511 <-> ENABLED <-> MALWARE-CNC PCRat variant outbound connection (malware-cnc.rules)
 * 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules)
 * 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33717 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler access control bypass attempt (os-windows.rules)
 * 3:31738 <-> ENABLED <-> PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected (protocol-dns.rules)

2015-03-24 18:50:30 UTC

Sourcefire VRT Rules Update

Date: 2015-03-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33898 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
 * 1:33895 <-> DISABLED <-> SERVER-WEBAPP TWiki debugenableplugins arbitrary perl code injection attempt (server-webapp.rules)
 * 1:33897 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
 * 1:33894 <-> DISABLED <-> SERVER-WEBAPP TWiki debugenableplugins arbitrary perl code injection attempt (server-webapp.rules)
 * 1:33885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
 * 1:33886 <-> ENABLED <-> MALWARE-CNC WIn.Trojan.HawkEye keylogger variant outbound connection (malware-cnc.rules)
 * 1:33900 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
 * 1:33887 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
 * 1:33901 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
 * 1:33888 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
 * 1:33889 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
 * 1:33890 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
 * 1:33891 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Amasages variant outbound connection (malware-cnc.rules)
 * 1:33902 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
 * 1:33892 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xerq outbound connection (malware-cnc.rules)
 * 1:33893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:33903 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt (browser-firefox.rules)
 * 1:33896 <-> DISABLED <-> SERVER-WEBAPP OpenNMS XML external entity injection attempt (server-webapp.rules)
 * 1:33899 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
 * 1:33904 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt (browser-firefox.rules)

Modified Rules:


 * 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
 * 1:33880 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Casper outbound connection attempt (malware-cnc.rules)
 * 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
 * 1:29928 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:29929 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:29931 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:29930 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:32359 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:32360 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:32511 <-> ENABLED <-> MALWARE-CNC PCRat variant outbound connection (malware-cnc.rules)
 * 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules)
 * 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33717 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler access control bypass attempt (os-windows.rules)
 * 3:31738 <-> ENABLED <-> PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected (protocol-dns.rules)

2015-03-24 18:50:30 UTC

Sourcefire VRT Rules Update

Date: 2015-03-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:33904 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt (browser-firefox.rules)
 * 1:33903 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt (browser-firefox.rules)
 * 1:33902 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
 * 1:33901 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
 * 1:33900 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
 * 1:33899 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript memory corruption attempt (file-flash.rules)
 * 1:33898 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
 * 1:33897 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
 * 1:33896 <-> DISABLED <-> SERVER-WEBAPP OpenNMS XML external entity injection attempt (server-webapp.rules)
 * 1:33895 <-> DISABLED <-> SERVER-WEBAPP TWiki debugenableplugins arbitrary perl code injection attempt (server-webapp.rules)
 * 1:33894 <-> DISABLED <-> SERVER-WEBAPP TWiki debugenableplugins arbitrary perl code injection attempt (server-webapp.rules)
 * 1:33893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:33892 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xerq outbound connection (malware-cnc.rules)
 * 1:33891 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Amasages variant outbound connection (malware-cnc.rules)
 * 1:33890 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
 * 1:33889 <-> DISABLED <-> SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt (server-webapp.rules)
 * 1:33888 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
 * 1:33887 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt (server-webapp.rules)
 * 1:33886 <-> ENABLED <-> MALWARE-CNC WIn.Trojan.HawkEye keylogger variant outbound connection (malware-cnc.rules)
 * 1:33885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
 * 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
 * 1:29928 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:29929 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:29930 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:29931 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:32359 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:32360 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (file-flash.rules)
 * 1:32511 <-> ENABLED <-> MALWARE-CNC PCRat variant outbound connection (malware-cnc.rules)
 * 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules)
 * 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33717 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Task Scheduler access control bypass attempt (os-windows.rules)
 * 1:33880 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Casper outbound connection attempt (malware-cnc.rules)
 * 3:31738 <-> ENABLED <-> PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected (protocol-dns.rules)