VRT Rules 2015-04-30
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, file-image, file-other, malware-cnc, pua-adware, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2015-04-30 15:49:35 UTC

Snort Subscriber Rules Update

Date: 2015-04-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:34316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection (malware-cnc.rules)
 * 1:34319 <-> ENABLED <-> MALWARE-CNC Win.Worm.Klogwjds variant outbound connection attempt (malware-cnc.rules)
 * 1:34320 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:34321 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:34283 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34285 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense firewall_shaper cross site scripting attempt (server-webapp.rules)
 * 1:34311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34284 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense firewall_rules cross site scripting attempt (server-webapp.rules)
 * 1:34280 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound connection (malware-cnc.rules)
 * 1:34286 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mudrop variant outbound connection attempt (malware-cnc.rules)
 * 1:34287 <-> ENABLED <-> SERVER-WEBAPP vBulletin XSS redirect attempt (server-webapp.rules)
 * 1:34288 <-> DISABLED <-> SERVER-OTHER Windows iSCSI target login request Denial of Service attempt (server-other.rules)
 * 1:34289 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Plez outbound connection (malware-cnc.rules)
 * 1:34290 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Plez outbound connection (malware-cnc.rules)
 * 1:34291 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string crackim (blacklist.rules)
 * 1:34292 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraken outbound connection (malware-cnc.rules)
 * 1:34293 <-> DISABLED <-> FILE-IMAGE Microsoft Windows wmf integer overflow attempt (file-image.rules)
 * 1:34294 <-> DISABLED <-> FILE-IMAGE Microsoft Windows wmf integer overflow attempt (file-image.rules)
 * 1:34296 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Simda variant outbound connection attempt (malware-cnc.rules)
 * 1:34295 <-> DISABLED <-> SQL Lblog possible sql injection attempt - GET parameter (sql.rules)
 * 1:34297 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Simda variant outbound connection attempt (malware-cnc.rules)
 * 1:34298 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:34299 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt (browser-ie.rules)
 * 1:34301 <-> DISABLED <-> SERVER-OTHER GNU Mailman listname directory traversal attempt (server-other.rules)
 * 1:34300 <-> ENABLED <-> SERVER-WEBAPP D-Link multiple products HNAP SOAPAction header command injection attempt (server-webapp.rules)
 * 1:34315 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34314 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player shared byte array memory corruption attempt (file-flash.rules)
 * 1:34303 <-> ENABLED <-> FILE-FLASH Adobe Flash Player shared byte array memory corruption attempt (file-flash.rules)
 * 1:34304 <-> ENABLED <-> FILE-FLASH Adobe Flash Player shared byte array memory corruption attempt (file-flash.rules)
 * 1:34313 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34281 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34306 <-> DISABLED <-> SERVER-WEBAPP Subversion HTTP excessive REPORT requests denial of service attempt (server-webapp.rules)
 * 1:34305 <-> ENABLED <-> FILE-FLASH Adobe Flash Player shared byte array memory corruption attempt (file-flash.rules)
 * 1:34307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34312 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34282 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:4145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:33893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:33039 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:30260 <-> ENABLED <-> PUA-ADWARE Lucky Leap Adware outbound connection (pua-adware.rules)
 * 1:30261 <-> ENABLED <-> PUA-ADWARE Lucky Leap Adware outbound connection (pua-adware.rules)
 * 1:33038 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:17131 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 parent style rendering arbitrary code execution (browser-ie.rules)
 * 1:18583 <-> DISABLED <-> FILE-IMAGE Microsoft Windows wmf integer overflow attempt (file-image.rules)
 * 1:18174 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSS memory corruption attempt (browser-ie.rules)
 * 1:18175 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSS memory corruption attempt (browser-ie.rules)
 * 1:17132 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer invalid object access attempt (browser-ie.rules)

2015-04-30 15:49:35 UTC

Snort Subscriber Rules Update

Date: 2015-04-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:34283 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34281 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34285 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense firewall_shaper cross site scripting attempt (server-webapp.rules)
 * 1:34286 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mudrop variant outbound connection attempt (malware-cnc.rules)
 * 1:34284 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense firewall_rules cross site scripting attempt (server-webapp.rules)
 * 1:34280 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound connection (malware-cnc.rules)
 * 1:34287 <-> ENABLED <-> SERVER-WEBAPP vBulletin XSS redirect attempt (server-webapp.rules)
 * 1:34288 <-> DISABLED <-> SERVER-OTHER Windows iSCSI target login request Denial of Service attempt (server-other.rules)
 * 1:34289 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Plez outbound connection (malware-cnc.rules)
 * 1:34290 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Plez outbound connection (malware-cnc.rules)
 * 1:34291 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string crackim (blacklist.rules)
 * 1:34292 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraken outbound connection (malware-cnc.rules)
 * 1:34293 <-> DISABLED <-> FILE-IMAGE Microsoft Windows wmf integer overflow attempt (file-image.rules)
 * 1:34294 <-> DISABLED <-> FILE-IMAGE Microsoft Windows wmf integer overflow attempt (file-image.rules)
 * 1:34296 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Simda variant outbound connection attempt (malware-cnc.rules)
 * 1:34295 <-> DISABLED <-> SQL Lblog possible sql injection attempt - GET parameter (sql.rules)
 * 1:34297 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Simda variant outbound connection attempt (malware-cnc.rules)
 * 1:34298 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:34299 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt (browser-ie.rules)
 * 1:34301 <-> DISABLED <-> SERVER-OTHER GNU Mailman listname directory traversal attempt (server-other.rules)
 * 1:34300 <-> ENABLED <-> SERVER-WEBAPP D-Link multiple products HNAP SOAPAction header command injection attempt (server-webapp.rules)
 * 1:34302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player shared byte array memory corruption attempt (file-flash.rules)
 * 1:34303 <-> ENABLED <-> FILE-FLASH Adobe Flash Player shared byte array memory corruption attempt (file-flash.rules)
 * 1:34304 <-> ENABLED <-> FILE-FLASH Adobe Flash Player shared byte array memory corruption attempt (file-flash.rules)
 * 1:34305 <-> ENABLED <-> FILE-FLASH Adobe Flash Player shared byte array memory corruption attempt (file-flash.rules)
 * 1:34306 <-> DISABLED <-> SERVER-WEBAPP Subversion HTTP excessive REPORT requests denial of service attempt (server-webapp.rules)
 * 1:34307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34321 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:34320 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:34319 <-> ENABLED <-> MALWARE-CNC Win.Worm.Klogwjds variant outbound connection attempt (malware-cnc.rules)
 * 1:34318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection (malware-cnc.rules)
 * 1:34317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34315 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34314 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34312 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34282 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34313 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:33893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:4145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:33039 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:30261 <-> ENABLED <-> PUA-ADWARE Lucky Leap Adware outbound connection (pua-adware.rules)
 * 1:33038 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:18583 <-> DISABLED <-> FILE-IMAGE Microsoft Windows wmf integer overflow attempt (file-image.rules)
 * 1:30260 <-> ENABLED <-> PUA-ADWARE Lucky Leap Adware outbound connection (pua-adware.rules)
 * 1:18174 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSS memory corruption attempt (browser-ie.rules)
 * 1:18175 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSS memory corruption attempt (browser-ie.rules)
 * 1:17132 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer invalid object access attempt (browser-ie.rules)
 * 1:17131 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 parent style rendering arbitrary code execution (browser-ie.rules)

2015-04-30 15:49:35 UTC

Snort Subscriber Rules Update

Date: 2015-04-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:34321 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:34320 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:34319 <-> ENABLED <-> MALWARE-CNC Win.Worm.Klogwjds variant outbound connection attempt (malware-cnc.rules)
 * 1:34318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection (malware-cnc.rules)
 * 1:34317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34315 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34314 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34313 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34312 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection (malware-cnc.rules)
 * 1:34306 <-> DISABLED <-> SERVER-WEBAPP Subversion HTTP excessive REPORT requests denial of service attempt (server-webapp.rules)
 * 1:34305 <-> ENABLED <-> FILE-FLASH Adobe Flash Player shared byte array memory corruption attempt (file-flash.rules)
 * 1:34304 <-> ENABLED <-> FILE-FLASH Adobe Flash Player shared byte array memory corruption attempt (file-flash.rules)
 * 1:34303 <-> ENABLED <-> FILE-FLASH Adobe Flash Player shared byte array memory corruption attempt (file-flash.rules)
 * 1:34302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player shared byte array memory corruption attempt (file-flash.rules)
 * 1:34301 <-> DISABLED <-> SERVER-OTHER GNU Mailman listname directory traversal attempt (server-other.rules)
 * 1:34300 <-> ENABLED <-> SERVER-WEBAPP D-Link multiple products HNAP SOAPAction header command injection attempt (server-webapp.rules)
 * 1:34299 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt (browser-ie.rules)
 * 1:34298 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:34297 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Simda variant outbound connection attempt (malware-cnc.rules)
 * 1:34296 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Simda variant outbound connection attempt (malware-cnc.rules)
 * 1:34295 <-> DISABLED <-> SQL Lblog possible sql injection attempt - GET parameter (sql.rules)
 * 1:34294 <-> DISABLED <-> FILE-IMAGE Microsoft Windows wmf integer overflow attempt (file-image.rules)
 * 1:34293 <-> DISABLED <-> FILE-IMAGE Microsoft Windows wmf integer overflow attempt (file-image.rules)
 * 1:34292 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraken outbound connection (malware-cnc.rules)
 * 1:34291 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string crackim (blacklist.rules)
 * 1:34290 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Plez outbound connection (malware-cnc.rules)
 * 1:34289 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Plez outbound connection (malware-cnc.rules)
 * 1:34288 <-> DISABLED <-> SERVER-OTHER Windows iSCSI target login request Denial of Service attempt (server-other.rules)
 * 1:34287 <-> ENABLED <-> SERVER-WEBAPP vBulletin XSS redirect attempt (server-webapp.rules)
 * 1:34286 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mudrop variant outbound connection attempt (malware-cnc.rules)
 * 1:34285 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense firewall_shaper cross site scripting attempt (server-webapp.rules)
 * 1:34284 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense firewall_rules cross site scripting attempt (server-webapp.rules)
 * 1:34283 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34282 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34281 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection (malware-cnc.rules)
 * 1:34280 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:4145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:33039 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:30261 <-> ENABLED <-> PUA-ADWARE Lucky Leap Adware outbound connection (pua-adware.rules)
 * 1:33038 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:18583 <-> DISABLED <-> FILE-IMAGE Microsoft Windows wmf integer overflow attempt (file-image.rules)
 * 1:30260 <-> ENABLED <-> PUA-ADWARE Lucky Leap Adware outbound connection (pua-adware.rules)
 * 1:18174 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSS memory corruption attempt (browser-ie.rules)
 * 1:18175 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSS memory corruption attempt (browser-ie.rules)
 * 1:17131 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 parent style rendering arbitrary code execution (browser-ie.rules)
 * 1:17132 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer invalid object access attempt (browser-ie.rules)