VRT Rules 2015-03-26
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-webkit, exploit-kit, file-flash, file-pdf, malware-cnc, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-03-26 16:01:45 UTC

Sourcefire VRT Rules Update

Date: 2015-03-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:33914 <-> ENABLED <-> BLACKLIST User-Agent BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Barys (blacklist.rules)
 * 1:33919 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
 * 1:33917 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
 * 1:33915 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
 * 1:33908 <-> DISABLED <-> FILE-PDF Adobe Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
 * 1:33907 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - KAIIOOOO871 - Win.Trojan.Dridex (blacklist.rules)
 * 1:33911 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt (browser-webkit.rules)
 * 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:33925 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
 * 1:33906 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:33913 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Concbak outbound connection (malware-cnc.rules)
 * 1:33924 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
 * 1:33926 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
 * 1:33910 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt (browser-webkit.rules)
 * 1:33912 <-> ENABLED <-> MALWARE-CNC Cryptofortress Decryption Software Purchase Tor Website (malware-cnc.rules)
 * 1:33916 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
 * 1:33918 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
 * 1:33920 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
 * 1:33909 <-> DISABLED <-> FILE-PDF Adobe Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
 * 1:33923 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
 * 1:33921 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
 * 1:33922 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary web script injection attempt (server-webapp.rules)
 * 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:8888888 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)
 * 3:33927 <-> ENABLED <-> SERVER-OTHER Cisco IOS virtual routing and forwarding ICMP redirect denial of service attempt (server-other.rules)
 * 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:8888889 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)

Modified Rules:

 * 1:24348 <-> DISABLED <-> SERVER-APACHE Apache mod_rpaf x-forwarded-for header denial of service attempt (server-apache.rules)
 * 1:33852 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poseidon outbound connection (malware-cnc.rules)
 * 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules)
 * 1:33851 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poseidon outbound connection (malware-cnc.rules)
 * 1:31014 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall variant outbound communication (malware-cnc.rules)

2015-03-26 16:01:45 UTC

Sourcefire VRT Rules Update

Date: 2015-03-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:33912 <-> ENABLED <-> MALWARE-CNC Cryptofortress Decryption Software Purchase Tor Website (malware-cnc.rules)
 * 1:33906 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:33909 <-> DISABLED <-> FILE-PDF Adobe Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
 * 1:33907 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - KAIIOOOO871 - Win.Trojan.Dridex (blacklist.rules)
 * 1:33908 <-> DISABLED <-> FILE-PDF Adobe Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
 * 1:33913 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Concbak outbound connection (malware-cnc.rules)
 * 1:33914 <-> ENABLED <-> BLACKLIST User-Agent BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Barys (blacklist.rules)
 * 1:33915 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
 * 1:33917 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
 * 1:33916 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
 * 1:33918 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
 * 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:33919 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
 * 1:33920 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
 * 1:33910 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt (browser-webkit.rules)
 * 1:33921 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
 * 1:33911 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt (browser-webkit.rules)
 * 1:33926 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
 * 1:33925 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
 * 1:33924 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
 * 1:33922 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary web script injection attempt (server-webapp.rules)
 * 1:33923 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
 * 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:33927 <-> ENABLED <-> SERVER-OTHER Cisco IOS virtual routing and forwarding ICMP redirect denial of service attempt (server-other.rules)
 * 3:8888888 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)
 * 3:8888889 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)

Modified Rules:

 * 1:33852 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poseidon outbound connection (malware-cnc.rules)
 * 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules)
 * 1:31014 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall variant outbound communication (malware-cnc.rules)
 * 1:24348 <-> DISABLED <-> SERVER-APACHE Apache mod_rpaf x-forwarded-for header denial of service attempt (server-apache.rules)
 * 1:33851 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poseidon outbound connection (malware-cnc.rules)

2015-03-26 16:01:45 UTC

Sourcefire VRT Rules Update

Date: 2015-03-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:33926 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
 * 1:33925 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
 * 1:33924 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
 * 1:33923 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
 * 1:33922 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary web script injection attempt (server-webapp.rules)
 * 1:33921 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
 * 1:33920 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
 * 1:33919 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
 * 1:33918 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
 * 1:33917 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
 * 1:33916 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
 * 1:33915 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
 * 1:33914 <-> ENABLED <-> BLACKLIST User-Agent BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Barys (blacklist.rules)
 * 1:33913 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Concbak outbound connection (malware-cnc.rules)
 * 1:33912 <-> ENABLED <-> MALWARE-CNC Cryptofortress Decryption Software Purchase Tor Website (malware-cnc.rules)
 * 1:33911 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt (browser-webkit.rules)
 * 1:33910 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt (browser-webkit.rules)
 * 1:33909 <-> DISABLED <-> FILE-PDF Adobe Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
 * 1:33908 <-> DISABLED <-> FILE-PDF Adobe Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
 * 1:33907 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - KAIIOOOO871 - Win.Trojan.Dridex (blacklist.rules)
 * 1:33906 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 3:33927 <-> ENABLED <-> SERVER-OTHER Cisco IOS virtual routing and forwarding ICMP redirect denial of service attempt (server-other.rules)
 * 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
 * 3:8888888 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)
 * 3:8888889 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)

Modified Rules:

 * 1:33852 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poseidon outbound connection (malware-cnc.rules)
 * 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules)
 * 1:24348 <-> DISABLED <-> SERVER-APACHE Apache mod_rpaf x-forwarded-for header denial of service attempt (server-apache.rules)
 * 1:31014 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall variant outbound communication (malware-cnc.rules)
 * 1:33851 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poseidon outbound connection (malware-cnc.rules)