Snort - Network Intrusion Detection & Prevention System

VRT Rules 2015-04-23

This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-other, exploit-kit, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2962

2015-04-23 16:42:55 UTC

Snort Subscriber Rules Update

Date: 2015-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34182 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34181 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34184 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense services_unbound_acls cross site scripting attempt (server-webapp.rules)
 * 1:34185 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense status_captiveportal cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:34061 <-> DISABLED <-> SERVER-IIS Microsoft IIS Range header integer overflow attempt (server-iis.rules)
 * 1:21646 <-> DISABLED <-> EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch (exploit-kit.rules)
 * 1:31199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:33652 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33853 <-> DISABLED <-> SERVER-WEBAPP D-Link multiple products ping.ccp command injection attempt (server-webapp.rules)
 * 1:33651 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33653 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:30958 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)
 * 1:31198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:34137 <-> DISABLED <-> PUA-ADWARE SearchProtect user-agent detection (pua-adware.rules)
 * 1:30959 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)

2970

2015-04-23 16:42:55 UTC

Snort Subscriber Rules Update

Date: 2015-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34181 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34182 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34184 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense services_unbound_acls cross site scripting attempt (server-webapp.rules)
 * 1:34185 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense status_captiveportal cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:31199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:34061 <-> DISABLED <-> SERVER-IIS Microsoft IIS Range header integer overflow attempt (server-iis.rules)
 * 1:34137 <-> DISABLED <-> PUA-ADWARE SearchProtect user-agent detection (pua-adware.rules)
 * 1:21646 <-> DISABLED <-> EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch (exploit-kit.rules)
 * 1:33651 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33652 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33853 <-> DISABLED <-> SERVER-WEBAPP D-Link multiple products ping.ccp command injection attempt (server-webapp.rules)
 * 1:33653 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:30959 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)
 * 1:30958 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)

2972

2015-04-23 16:42:55 UTC

Snort Subscriber Rules Update

Date: 2015-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34185 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense status_captiveportal cross site scripting attempt (server-webapp.rules)
 * 1:34184 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense services_unbound_acls cross site scripting attempt (server-webapp.rules)
 * 1:34183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34182 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34181 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:21646 <-> DISABLED <-> EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch (exploit-kit.rules)
 * 1:34061 <-> DISABLED <-> SERVER-IIS Microsoft IIS Range header integer overflow attempt (server-iis.rules)
 * 1:34137 <-> DISABLED <-> PUA-ADWARE SearchProtect user-agent detection (pua-adware.rules)
 * 1:33853 <-> DISABLED <-> SERVER-WEBAPP D-Link multiple products ping.ccp command injection attempt (server-webapp.rules)
 * 1:33653 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33652 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:33651 <-> DISABLED <-> SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt (server-webapp.rules)
 * 1:31199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:30959 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)
 * 1:30958 <-> DISABLED <-> BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt (browser-other.rules)