VRT Rules 2015-05-05
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-05-05 17:26:18 UTC

Snort Subscriber Rules Update

Date: 2015-05-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sanhotan variant outbound connection (malware-cnc.rules)
 * 1:34331 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download (exploit-kit.rules)
 * 1:34329 <-> DISABLED <-> MALWARE-CNC Cryptolocker variant inbound connection attempt (malware-cnc.rules)
 * 1:34330 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download (exploit-kit.rules)
 * 1:34328 <-> DISABLED <-> SERVER-WEBAPP Wordpress comment field stored XSS attempt (server-webapp.rules)
 * 1:34324 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Siromost variant outbound connection (malware-cnc.rules)
 * 1:34335 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit gate landing page outbound connection (deleted.rules)
 * 1:34327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bedepshel variant outbound connection attempt (malware-cnc.rules)
 * 1:34326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sanhotan variant outbound connection (malware-cnc.rules)
 * 1:34332 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Oracle Java exploit download (exploit-kit.rules)
 * 1:34323 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fulairo variant outbound connection (malware-cnc.rules)
 * 1:34333 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit landing page (deleted.rules)
 * 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
 * 1:34322 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Farfli outbound communication (malware-cnc.rules)

Modified Rules:


 * 1:17131 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 parent style rendering arbitrary code execution (browser-ie.rules)
 * 1:17132 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer invalid object access attempt (browser-ie.rules)
 * 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
 * 1:30960 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound jnlp request (exploit-kit.rules)
 * 1:33038 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33039 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)

2015-05-05 17:26:19 UTC

Snort Subscriber Rules Update

Date: 2015-05-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34335 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit gate landing page outbound connection (deleted.rules)
 * 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
 * 1:34333 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit landing page (deleted.rules)
 * 1:34332 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Oracle Java exploit download (exploit-kit.rules)
 * 1:34331 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download (exploit-kit.rules)
 * 1:34330 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download (exploit-kit.rules)
 * 1:34329 <-> DISABLED <-> MALWARE-CNC Cryptolocker variant inbound connection attempt (malware-cnc.rules)
 * 1:34328 <-> DISABLED <-> SERVER-WEBAPP Wordpress comment field stored XSS attempt (server-webapp.rules)
 * 1:34327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bedepshel variant outbound connection attempt (malware-cnc.rules)
 * 1:34326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sanhotan variant outbound connection (malware-cnc.rules)
 * 1:34325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sanhotan variant outbound connection (malware-cnc.rules)
 * 1:34324 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Siromost variant outbound connection (malware-cnc.rules)
 * 1:34323 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fulairo variant outbound connection (malware-cnc.rules)
 * 1:34322 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Farfli outbound communication (malware-cnc.rules)

Modified Rules:


 * 1:17131 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 parent style rendering arbitrary code execution (browser-ie.rules)
 * 1:17132 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer invalid object access attempt (browser-ie.rules)
 * 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
 * 1:30960 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound jnlp request (exploit-kit.rules)
 * 1:33038 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33039 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
 * 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)

2015-05-05 17:26:18 UTC

Snort Subscriber Rules Update

Date: 2015-05-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
 * 1:34333 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit landing page (deleted.rules)
 * 1:34332 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Oracle Java exploit download (exploit-kit.rules)
 * 1:34329 <-> DISABLED <-> MALWARE-CNC Cryptolocker variant inbound connection attempt (malware-cnc.rules)
 * 1:34330 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download (exploit-kit.rules)
 * 1:34331 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download (exploit-kit.rules)
 * 1:34322 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Farfli outbound communication (malware-cnc.rules)
 * 1:34323 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fulairo variant outbound connection (malware-cnc.rules)
 * 1:34324 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Siromost variant outbound connection (malware-cnc.rules)
 * 1:34325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sanhotan variant outbound connection (malware-cnc.rules)
 * 1:34326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sanhotan variant outbound connection (malware-cnc.rules)
 * 1:34327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bedepshel variant outbound connection attempt (malware-cnc.rules)
 * 1:34328 <-> DISABLED <-> SERVER-WEBAPP Wordpress comment field stored XSS attempt (server-webapp.rules)
 * 1:34335 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit gate landing page outbound connection (deleted.rules)

Modified Rules:


 * 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
 * 1:30960 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound jnlp request (exploit-kit.rules)
 * 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)