Sourcefire VRT Rules Update
Date: 2008-05-27
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.
The format of the file is:
sid - Message (rule group)
New rules:
13808 <-> SPYWARE-PUT Adware ie antivirus runtime detection - presale request (spyware-put.rules)
13809 <-> SPYWARE-PUT Adware ie antivirus runtime detection - update request (spyware-put.rules)
13810 <-> SPYWARE-PUT Trickler Adware.Win32.Ejik runtime detection - udp payload (spyware-put.rules)
13811 <-> SPYWARE-PUT Adware xp antivirus runtime detection (spyware-put.rules)
13812 <-> SPYWARE-PUT Keylogger refog Keylogger runtime detection (spyware-put.rules)
13813 <-> SPYWARE-PUT Trickler mm.exe runtime detection (spyware-put.rules)
13814 <-> BACKDOOR passhax runtime detection - initial connection (backdoor.rules)
13815 <-> BACKDOOR zombget.03 runtime detection (backdoor.rules)
13816 <-> SPECIFIC THREAT Metasploit Framework xmlrpc.php command injection attempt (specific-threats.rules)
13817 <-> SPECIFIC THREAT xmlrpc.php command injection attempt (specific-threats.rules)
13818 <-> SPECIFIC THREAT alternate xmlrpc.php command injection attempt (specific-threats.rules)

Updated rules:
12421 <-> EXPLOIT RealNetworks Helix RTSP long transport header (exploit.rules)
12422 <-> EXPLOIT RealNetworks Helix RTSP long describe request exploit attempt (exploit.rules)
13625 <-> BACKDOOR MBR rootkit HTTP POST activity detected (backdoor.rules)
13694 <-> EXPLOIT RealNetworks Helix RTSP long get request exploit attempt (exploit.rules)
13695 <-> EXPLOIT RealNetworks Helix RTSP long setup request exploit attempt (exploit.rules)
