Sourcefire VRT Rules Update

Date: 2007-09-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.

The format of the file is:

sid <-> Message (rule group)
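A small parser for that layout, added here as an example and not part of the Sourcefire VRT release or its tooling. It turns the "New rules:" / "Updated rules:" sections into records (sid, section, message class, message, rule file), counts entries per rule file, and pairs each ActiveX "clsid access" or "function call access" rule with its "unicode access" sibling so that a missing twin stands out when you review which SIDs to enable. The SAMPLE text is a constructed excerpt of lines from this update, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the page's "sid <-> Message (rule group)" layout.
# The lines are copied from the update above; this is not the whole file.
SAMPLE = """\
Sourcefire VRT Rules Update

New rules:
12373 <-> BACKDOOR radmin 3.0 runtime detection - initial connection (backdoor.rules)
12380 <-> WEB-CLIENT Oracle JInitiator ActiveX clsid access (web-client.rules)
12381 <-> WEB-CLIENT Oracle JInitiator ActiveX clsid unicode access (web-client.rules)
12392 <-> IMAP GNU Mailutils request tag format string vulnerability (imap.rules)

Updated rules:
 110 <-> BACKDOOR netbus getinfo (backdoor.rules)
12359 <-> DELETED EXPLOIT Asterisk data length field overflow (deleted.rules)
"""

# One changelog entry: optional leading spaces (short SIDs are right-aligned
# in the update), the SID, the " <-> " separator, the message text, and the
# rule file in trailing parentheses.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+<->\s+(.*?)\s+\(([^()]+\.rules)\)\s*$")


def parse_update(text):
    """Parse a VRT update into dicts with sid, section, category, message, group.

    `section` is "new" or "updated", taken from the most recent "... rules:"
    header; `category` is the Snort message class prefix (BACKDOOR, WEB-CLIENT, ...).
    """
    records = []
    section = None
    for raw in text.splitlines():
        header = raw.strip().lower()
        if header in ("new rules:", "updated rules:"):
            section = header.split()[0]
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            continue  # title, date, format description, blank lines
        sid, message, group = m.groups()
        records.append({
            "sid": int(sid),
            "section": section,
            "category": message.split(" ", 1)[0],
            "message": message,
            "group": group,
        })
    return records


def counts_by_group(records, section=None):
    """Counter of rule file -> number of entries, optionally for one section."""
    return Counter(r["group"] for r in records
                   if section is None or r["section"] == section)


def activex_twins(records):
    """Pair each ActiveX '... access' rule with its '... unicode access' sibling.

    Returns (pairs, unpaired): pairs is a list of (sid, twin_sid) tuples,
    unpaired lists the SIDs whose unicode sibling is missing from the update.
    """
    by_message = {r["message"]: r["sid"] for r in records}
    pairs, unpaired = [], []
    for r in records:
        msg = r["message"]
        if ("ActiveX" not in msg or not msg.endswith(" access")
                or msg.endswith(" unicode access")):
            continue
        twin = msg[:-len(" access")] + " unicode access"
        if twin in by_message:
            pairs.append((r["sid"], by_message[twin]))
        else:
            unpaired.append(r["sid"])
    return pairs, unpaired


if __name__ == "__main__":
    recs = parse_update(SAMPLE)
    print(f"{len(recs)} entries")
    for sec in ("new", "updated"):
        print(sec, dict(counts_by_group(recs, sec)))
    print("ActiveX clsid/unicode pairs:", activex_twins(recs))
```

Feed the whole update text to parse_update() to get every SID as a record; the per-file counts tell you which .rules files changed, and activex_twins() flags any ActiveX rule that shipped without its unicode counterpart.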

New rules:
12363 <-> SPYWARE-PUT Other-Technologies malware-stopper runtime detection (spyware-put.rules)
12364 <-> SPYWARE-PUT Hijacker proventactics 3.5 runtime detection - get cfg information (spyware-put.rules)
12365 <-> SPYWARE-PUT Hijacker proventactics 3.5 runtime detection - redirect searches (spyware-put.rules)
12366 <-> SPYWARE-PUT Hijacker proventactics 3.5 runtime detection - toolbar search function (spyware-put.rules)
12367 <-> SPYWARE-PUT Hijacker imesh mediabar runtime detection - hijack ie searches (spyware-put.rules)
12368 <-> SPYWARE-PUT Hijacker imesh mediabar runtime detection - hijack ie side search (spyware-put.rules)
12369 <-> SPYWARE-PUT Hijacker imesh mediabar runtime detection - collect user information (spyware-put.rules)
12370 <-> SPYWARE-PUT Hijacker imesh mediabar runtime detection - auto update (spyware-put.rules)
12371 <-> SPYWARE-PUT Hijacker sbu hotbar 4.8.4 runtime detection - user-agent string (spyware-put.rules)
12372 <-> SPYWARE-PUT Keylogger mg-shadow 2.0 runtime detection (spyware-put.rules)
12373 <-> BACKDOOR radmin 3.0 runtime detection - initial connection (backdoor.rules)
12374 <-> BACKDOOR radmin 3.0 runtime detection - initial connection (backdoor.rules)
12375 <-> BACKDOOR radmin 3.0 runtime detection - login & remote control (backdoor.rules)
12376 <-> BACKDOOR radmin 3.0 runtime detection - login & remote control (backdoor.rules)
12377 <-> BACKDOOR shark 2.3.2 runtime detection (backdoor.rules)
12378 <-> BACKDOOR shark 2.3.2 runtime detection (backdoor.rules)
12379 <-> SPYWARE-PUT Keylogger PaqKeylogger 5.1 runtime detection - ftp (spyware-put.rules)
12380 <-> WEB-CLIENT Oracle JInitiator ActiveX clsid access (web-client.rules)
12381 <-> WEB-CLIENT Oracle JInitiator ActiveX clsid unicode access (web-client.rules)
12382 <-> WEB-CLIENT EasyMail Objects ActiveX clsid access (web-client.rules)
12383 <-> WEB-CLIENT EasyMail Objects ActiveX clsid unicode access (web-client.rules)
12384 <-> WEB-CLIENT Yahoo Messenger YVerInfo ActiveX clsid access (web-client.rules)
12385 <-> WEB-CLIENT Yahoo Messenger YVerInfo ActiveX clsid unicode access (web-client.rules)
12386 <-> WEB-CLIENT Yahoo Messenger YVerInfo ActiveX function call access (web-client.rules)
12387 <-> WEB-CLIENT Yahoo Messenger YVerInfo ActiveX function call unicode access (web-client.rules)
12388 <-> WEB-CLIENT PPStream PowerPlayer ActiveX clsid access (web-client.rules)
12389 <-> WEB-CLIENT PPStream PowerPlayer ActiveX clsid unicode access (web-client.rules)
12390 <-> POLICY Yahoo Webmail client chat applet (policy.rules)
12391 <-> POLICY Google Webmail client chat applet (policy.rules)
12392 <-> IMAP GNU Mailutils request tag format string vulnerability (imap.rules)
12393 <-> WEB-CLIENT Intuit QuickBooks Online Edition 1 ActiveX clsid access (web-client.rules)
12394 <-> WEB-CLIENT Intuit QuickBooks Online Edition 1 ActiveX clsid unicode access (web-client.rules)
12395 <-> WEB-CLIENT Intuit QuickBooks Online Edition 2 ActiveX clsid access (web-client.rules)
12396 <-> WEB-CLIENT Intuit QuickBooks Online Edition 2 ActiveX clsid unicode access (web-client.rules)
12397 <-> WEB-CLIENT Intuit QuickBooks Online Edition 3 ActiveX clsid access (web-client.rules)
12398 <-> WEB-CLIENT Intuit QuickBooks Online Edition 3 ActiveX clsid unicode access (web-client.rules)
12399 <-> WEB-CLIENT Intuit QuickBooks Online Edition 4 ActiveX clsid access (web-client.rules)
12400 <-> WEB-CLIENT Intuit QuickBooks Online Edition 4 ActiveX clsid unicode access (web-client.rules)
12401 <-> WEB-CLIENT Intuit QuickBooks Online Edition 5 ActiveX clsid access (web-client.rules)
12402 <-> WEB-CLIENT Intuit QuickBooks Online Edition 5 ActiveX clsid unicode access (web-client.rules)
12403 <-> WEB-CLIENT Intuit QuickBooks Online Edition 6 ActiveX clsid access (web-client.rules)
12404 <-> WEB-CLIENT Intuit QuickBooks Online Edition 6 ActiveX clsid unicode access (web-client.rules)
12405 <-> WEB-CLIENT Intuit QuickBooks Online Edition 7 ActiveX clsid access (web-client.rules)
12406 <-> WEB-CLIENT Intuit QuickBooks Online Edition 7 ActiveX clsid unicode access (web-client.rules)
12407 <-> WEB-CLIENT Intuit QuickBooks Online Edition 8 ActiveX clsid access (web-client.rules)
12408 <-> WEB-CLIENT Intuit QuickBooks Online Edition 8 ActiveX clsid unicode access (web-client.rules)
12409 <-> WEB-CLIENT Intuit QuickBooks Online Edition 9 ActiveX clsid access (web-client.rules)
12410 <-> WEB-CLIENT Intuit QuickBooks Online Edition 9 ActiveX clsid unicode access (web-client.rules)
12411 <-> WEB-CLIENT Intuit QuickBooks Online Edition 10 ActiveX clsid access (web-client.rules)
12412 <-> WEB-CLIENT Intuit QuickBooks Online Edition 10 ActiveX clsid unicode access (web-client.rules)
12413 <-> WEB-CLIENT Earth Resource Mapper NCSView ActiveX clsid access (web-client.rules)
12414 <-> WEB-CLIENT Earth Resource Mapper NCSView ActiveX clsid unicode access (web-client.rules)
12415 <-> WEB-CLIENT Earth Resource Mapper NCSView ActiveX function call access (web-client.rules)
12416 <-> WEB-CLIENT Earth Resource Mapper NCSView ActiveX function call unicode access (web-client.rules)
12417 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX clsid access (web-client.rules)
12418 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX clsid unicode access (web-client.rules)
12419 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX function call access (web-client.rules)
12420 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX function call unicode access (web-client.rules)
12421 <-> EXPLOIT RealNetworks Helix RTSP long transport header (exploit.rules)
12422 <-> EXPLOIT RealNetworks Helix RTSP long DESCRIBE URI (exploit.rules)
12423 <-> SMTP Microsoft CDO long header name (smtp.rules)
12424 <-> RPC MIT Kerberos kadmind rpc RPCSEC_GSS buffer overflow attempt (rpc.rules)
12425 <-> POLICY Ruckus P2P client (policy.rules)
12426 <-> POLICY Ruckus P2P broadcast domain probe (policy.rules)
12427 <-> POLICY Ruckus encrypted authentication connection (policy.rules)
12428 <-> WEB-CLIENT GlobalLink glitemflat.dll ActiveX clsid access (web-client.rules)
12429 <-> WEB-CLIENT GlobalLink glitemflat.dll ActiveX clsid unicode access (web-client.rules)
12430 <-> WEB-CLIENT EDraw Office Viewer Component ActiveX clsid access (web-client.rules)
12431 <-> WEB-CLIENT EDraw Office Viewer Component ActiveX clsid unicode access (web-client.rules)
12432 <-> WEB-CLIENT EDraw Office Viewer Component ActiveX function call access (web-client.rules)
12433 <-> WEB-CLIENT EDraw Office Viewer Component ActiveX function call unicode access (web-client.rules)
12434 <-> WEB-CLIENT BaoFeng Storm MPS.dll ActiveX clsid access (web-client.rules)
12435 <-> WEB-CLIENT BaoFeng Storm MPS.dll ActiveX clsid unicode access (web-client.rules)
12436 <-> MULTIMEDIA Youtube video player file request (multimedia.rules)
12437 <-> MULTIMEDIA Google video player request (multimedia.rules)
12438 <-> WEB-CLIENT Ultra Crypto Component CryptoX.dll ActiveX clsid access (web-client.rules)
12439 <-> WEB-CLIENT Ultra Crypto Component CryptoX.dll ActiveX clsid unicode access (web-client.rules)
12440 <-> WEB-CLIENT Ultra Crypto Component CryptoX.dll ActiveX function call access (web-client.rules)
12441 <-> WEB-CLIENT Ultra Crypto Component CryptoX.dll ActiveX function call unicode access (web-client.rules)
12442 <-> WEB-CLIENT Ultra Crypto Component CryptoX.dll 2 ActiveX clsid access (web-client.rules)
12443 <-> WEB-CLIENT Ultra Crypto Component CryptoX.dll 2 ActiveX clsid unicode access (web-client.rules)
12444 <-> WEB-CLIENT Microsoft SQL Server Distributed Management Objects ActiveX clsid access (web-client.rules)
12445 <-> WEB-CLIENT Microsoft SQL Server Distributed Management Objects ActiveX clsid unicode access (web-client.rules)
12446 <-> WEB-CLIENT Microsoft SQL Server Distributed Management Objects ActiveX function call access (web-client.rules)
12447 <-> WEB-CLIENT Microsoft SQL Server Distributed Management Objects ActiveX function call unicode access (web-client.rules)
12448 <-> WEB-CLIENT Microsoft Agent Control ActiveX clsid access (web-client.rules)
12449 <-> WEB-CLIENT Microsoft Agent Control ActiveX clsid unicode access (web-client.rules)
12450 <-> WEB-CLIENT Microsoft Agent Control ActiveX function call access (web-client.rules)
12451 <-> WEB-CLIENT Microsoft Agent Control ActiveX function call unicode access (web-client.rules)
12452 <-> WEB-CLIENT MS Agent File Provider ActiveX clsid access (web-client.rules)
12453 <-> WEB-CLIENT MS Agent File Provider ActiveX clsid unicode access (web-client.rules)
12454 <-> MISC asf file download (misc.rules)
12455 <-> POLICY Crystal reports download request (policy.rules)
12456 <-> POLICY Crystal reports download (policy.rules)
12457 <-> CHAT Microsoft Live chat video feed initiation (chat.rules)

Updated rules:
 110 <-> BACKDOOR netbus getinfo (backdoor.rules)
 115 <-> BACKDOOR NetBus Pro 2.0 connection established (backdoor.rules)
 146 <-> BACKDOOR NetSphere access (backdoor.rules)
 195 <-> BACKDOOR DeepThroat 3.1 Server Response (backdoor.rules)
 208 <-> BACKDOOR PhaseZero Server Active on Network (backdoor.rules)
1428 <-> MULTIMEDIA audio galaxy keepalive (multimedia.rules)
1436 <-> MULTIMEDIA Quicktime User Agent access (multimedia.rules)
1437 <-> MULTIMEDIA Windows Media download (multimedia.rules)
1439 <-> MULTIMEDIA Shoutcast playlist redirection (multimedia.rules)
1440 <-> MULTIMEDIA Icecast playlist redirection (multimedia.rules)
1957 <-> RPC sadmind UDP PING (rpc.rules)
1958 <-> RPC sadmind TCP PING (rpc.rules)
1964 <-> RPC tooltalk UDP overflow attempt (rpc.rules)
1965 <-> RPC tooltalk TCP overflow attempt (rpc.rules)
1980 <-> BACKDOOR DeepThroat 3.1 Connection attempt (backdoor.rules)
1981 <-> BACKDOOR DeepThroat 3.1 Connection attempt [3150] (backdoor.rules)
1982 <-> BACKDOOR DeepThroat 3.1 Server Response [3150] (backdoor.rules)
1983 <-> BACKDOOR DeepThroat 3.1 Connection attempt [4120] (backdoor.rules)
1984 <-> BACKDOOR DeepThroat 3.1 Server Response [4120] (backdoor.rules)
2100 <-> BACKDOOR SubSeven 2.1 Gold server connection response (backdoor.rules)
2419 <-> MULTIMEDIA realplayer .ram playlist download attempt (multimedia.rules)
2420 <-> MULTIMEDIA realplayer .rmp playlist download attempt (multimedia.rules)
2421 <-> MULTIMEDIA realplayer .smi playlist download attempt (multimedia.rules)
2422 <-> MULTIMEDIA realplayer .rt playlist download attempt (multimedia.rules)
2423 <-> MULTIMEDIA realplayer .rp playlist download attempt (multimedia.rules)
2438 <-> WEB-CLIENT RealPlayer playlist file URL overflow attempt (web-client.rules)
2439 <-> WEB-CLIENT RealPlayer playlist http URL overflow attempt (web-client.rules)
2440 <-> WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt (web-client.rules)
2925 <-> INFO web bug 1x1 gif attempt (info.rules)
12116 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX clsid access (web-client.rules)
12117 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX clsid unicode access (web-client.rules)
12118 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX function call access (web-client.rules)
12119 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX function call unicode access (web-client.rules)
12182 <-> POLICY Adobe FLV file transfer (policy.rules)
12183 <-> EXPLOIT Adobe FLV long string script data buffer overflow (exploit.rules)
12359 <-> DELETED EXPLOIT Asterisk data length field overflow (deleted.rules)