Sourcefire VRT Rules Update

Date: 2007-08-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.4.

The format of the file is:

sid <-> Message (rule group)

New rules:
12224 <-> SPYWARE-PUT Adware enbrowser snackman runtime detection (spyware-put.rules)
12225 <-> SPYWARE-PUT Adware zango2007 toolbar runtime detection (spyware-put.rules)
12226 <-> SPYWARE-PUT Keylogger overspy runtime detection (spyware-put.rules)
12227 <-> SPYWARE-PUT Trackware snap ultrasearch/desktop toolbar runtime detection - search (spyware-put.rules)
12228 <-> SPYWARE-PUT Trackware snap ultrasearch/desktop toolbar runtime detection - cookie (spyware-put.rules)
12229 <-> SPYWARE-PUT Adware vroomsearch runtime detection (spyware-put.rules)
12230 <-> SPYWARE-PUT Hacker-Tool hippynotify 2.0 runtime detection (spyware-put.rules)
12231 <-> SPYWARE-PUT Adware vroomsearch runtime detection (spyware-put.rules)
12232 <-> SPYWARE-PUT Adware errorsafe runtime detection (spyware-put.rules)
12233 <-> BACKDOOR theef 2.10 runtime detection - connect with no password (backdoor.rules)
12234 <-> BACKDOOR theef 2.10 runtime detection - connect with no password (backdoor.rules)
12235 <-> BACKDOOR theef 2.10 runtime detection - connect with password (backdoor.rules)
12236 <-> BACKDOOR theef 2.10 runtime detection - connect with password (backdoor.rules)
12237 <-> BACKDOOR theef 2.10 runtime detection - ftp (backdoor.rules)
12238 <-> BACKDOOR theef 2.10 runtime detection - ftp (backdoor.rules)
12239 <-> BACKDOOR webcenter v1.0 Backdoor - init connection (backdoor.rules)
12240 <-> BACKDOOR genie 1.7 runtime detection - init connection (backdoor.rules)
12241 <-> BACKDOOR genie 1.7 runtime detection - init connection (backdoor.rules)
12242 <-> BACKDOOR hotmail hacker log edition 5.0 runtime detection - init connection (backdoor.rules)
12243 <-> BACKDOOR hotmail hacker log edition 5.0 runtime detection - init connection (backdoor.rules)
12244 <-> BACKDOOR itadem trojan 3.0 runtime detection (backdoor.rules)
12245 <-> BACKDOOR furax 1.0 b3 runtime detection (backdoor.rules)
12246 <-> WEB-CLIENT Symantec NavComUI AxSysListView32 ActiveX clsid access (web-client.rules)
12247 <-> WEB-CLIENT Symantec NavComUI AxSysListView32 ActiveX clsid unicode access (web-client.rules)
12248 <-> WEB-CLIENT Symantec NavComUI AxSysListView32 ActiveX function call access (web-client.rules)
12249 <-> WEB-CLIENT Symantec NavComUI AxSysListView32 ActiveX function call unicode access (web-client.rules)
12250 <-> WEB-CLIENT Symantec NavComUI AxSysListView32OAA ActiveX clsid access (web-client.rules)
12251 <-> WEB-CLIENT Symantec NavComUI AxSysListView32OAA ActiveX clsid unicode access (web-client.rules)
12252 <-> WEB-CLIENT Symantec NavComUI AxSysListView32OAA ActiveX function call access (web-client.rules)
12253 <-> WEB-CLIENT Symantec NavComUI AxSysListView32OAA ActiveX function call unicode access (web-client.rules)
12254 <-> EXPLOIT CA message queuing erroneous length field (exploit.rules)
12255 <-> WEB-CGI CSGuestbook setup attempt (web-cgi.rules)
12256 <-> WEB-CLIENT Excel malformed FBI record (web-client.rules)
12257 <-> WEB-CLIENT Microsoft DirectX Media SDK ActiveX clsid access (web-client.rules)
12258 <-> WEB-CLIENT Microsoft DirectX Media SDK ActiveX clsid unicode access (web-client.rules)
12259 <-> WEB-CLIENT Microsoft DirectX Media SDK ActiveX function call access (web-client.rules)
12260 <-> WEB-CLIENT Microsoft DirectX Media SDK ActiveX function call unicode access (web-client.rules)
12261 <-> WEB-CLIENT Microsoft Visual Basic 6 PDWizard.File ActiveX clsid access (web-client.rules)
12262 <-> WEB-CLIENT Microsoft Visual Basic 6 PDWizard.File ActiveX clsid unicode access (web-client.rules)
12263 <-> WEB-CLIENT Microsoft Visual Basic 6 PDWizard.File ActiveX function call access (web-client.rules)
12264 <-> WEB-CLIENT Microsoft Visual Basic 6 PDWizard.File ActiveX function call unicode access (web-client.rules)
12265 <-> WEB-CLIENT Microsoft Visual Basic 6 SearchHelper ActiveX clsid access (web-client.rules)
12266 <-> WEB-CLIENT Microsoft Visual Basic 6 SearchHelper ActiveX clsid unicode access (web-client.rules)
12267 <-> WEB-CLIENT Microsoft Visual Basic 6 SearchHelper ActiveX function call access (web-client.rules)
12268 <-> WEB-CLIENT Microsoft Visual Basic 6 SearchHelper ActiveX function call unicode access (web-client.rules)
12269 <-> WEB-CLIENT Microsoft Visual Basic 6 TLIApplication ActiveX clsid access (web-client.rules)
12270 <-> WEB-CLIENT Microsoft Visual Basic 6 TLIApplication ActiveX clsid unicode access (web-client.rules)
12271 <-> WEB-CLIENT Microsoft Visual Basic 6 TLIApplication ActiveX function call access (web-client.rules)
12272 <-> WEB-CLIENT Microsoft Visual Basic 6 TLIApplication ActiveX function call unicode access (web-client.rules)
12273 <-> WEB-CLIENT Microsoft Visual Basic 6 TypeLibInfo ActiveX clsid access (web-client.rules)
12274 <-> WEB-CLIENT Microsoft Visual Basic 6 TypeLibInfo ActiveX clsid unicode access (web-client.rules)
12275 <-> WEB-CLIENT Microsoft Visual Basic 6 TypeLibInfo ActiveX function call access (web-client.rules)
12276 <-> WEB-CLIENT Microsoft Visual Basic 6 TypeLibInfo ActiveX function call unicode access (web-client.rules)
12277 <-> EXPLOIT Microsoft IE CSS memory corruption exploit (exploit.rules)
12278 <-> POLICY Microsoft Media Player compressed skin download (policy.rules)
12279 <-> WEB-CLIENT Microsoft XML substringData integer overflow attempt (web-client.rules)
12280 <-> WEB-CLIENT VML source file memory corruption (web-client.rules)
12281 <-> WEB-CLIENT VML source file memory corruption (web-client.rules)
12282 <-> WEB-CLIENT VML source file memory corruption (web-client.rules)
12283 <-> WEB-CLIENT xlw file download (web-client.rules)
12284 <-> WEB-CLIENT Excel rtWnDesk record memory corruption exploit attempt (web-client.rules)

Updated rules:
1293 <-> DELETED NETBIOS nimda .eml (deleted.rules)
1294 <-> DELETED NETBIOS nimda .nws (deleted.rules)
1295 <-> NETBIOS nimda RICHED20.DLL (netbios.rules)
2436 <-> WEB-CLIENT Microsoft wmf metafile access (web-client.rules)
5318 <-> WEB-CLIENT wmf file arbitrary code execution attempt (web-client.rules)
5692 <-> P2P Skype client successful install (p2p.rules)
5693 <-> P2P Skype client start up get latest version attempt (p2p.rules)
5694 <-> P2P Skype client setup get newest version attempt (p2p.rules)
5998 <-> P2P Skype client login startup (p2p.rules)
5999 <-> P2P Skype client login (p2p.rules)
6000 <-> DELETED P2P Skype client login startup (deleted.rules)
6001 <-> DELETED P2P Skype client login (deleted.rules)
7829 <-> SPYWARE-PUT Adware gator user-agent detected (spyware-put.rules)
10172 <-> WEB-MISC uTorrent announce buffer overflow attempt (web-misc.rules)
12203 <-> WEB-CLIENT VMWare Vielib.dll ActiveX clsid access (web-client.rules)
12204 <-> WEB-CLIENT VMWare Vielib.dll ActiveX clsid unicode access (web-client.rules)
12205 <-> WEB-CLIENT VMWare Vielib.dll ActiveX function call access (web-client.rules)
12206 <-> WEB-CLIENT VMWare Vielib.dll ActiveX function call unicode access (web-client.rules)
12219 <-> WEB-CLIENT SMIL RealPlayer wallclock parsing buffer overflow (web-client.rules)