Sourcefire VRT Rules Update

Date: 2008-05-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.

The format of the file is:

sid - Message (rule group)

New rules:
13808 <-> SPYWARE-PUT Adware ie antivirus runtime detection - presale request (spyware-put.rules)
13809 <-> SPYWARE-PUT Adware ie antivirus runtime detection - update request (spyware-put.rules)
13810 <-> SPYWARE-PUT Trickler Adware.Win32.Ejik runtime detection - udp payload (spyware-put.rules)
13811 <-> SPYWARE-PUT Adware xp antivirus runtime detection (spyware-put.rules)
13812 <-> SPYWARE-PUT Keylogger refog Keylogger runtime detection (spyware-put.rules)
13813 <-> SPYWARE-PUT Trickler mm.exe runtime detection (spyware-put.rules)
13814 <-> BACKDOOR passhax runtime detection - initial connection (backdoor.rules)
13815 <-> BACKDOOR zombget.03 runtime detection (backdoor.rules)
13816 <-> SPECIFIC THREAT Metasploit Framework xmlrpc.php command injection attempt (specific-threats.rules)
13817 <-> SPECIFIC THREAT xmlrpc.php command injection attempt (specific-threats.rules)
13818 <-> SPECIFIC THREAT alternate xmlrpc.php command injection attempt (specific-threats.rules)

Updated rules:
12421 <-> EXPLOIT RealNetworks Helix RTSP long transport header (exploit.rules)
12422 <-> EXPLOIT RealNetworks Helix RTSP long describe request exploit attempt (exploit.rules)
13625 <-> BACKDOOR MBR rootkit HTTP POST activity detected (backdoor.rules)
13694 <-> EXPLOIT RealNetworks Helix RTSP long get request exploit attempt (exploit.rules)
13695 <-> EXPLOIT RealNetworks Helix RTSP long setup request exploit attempt (exploit.rules)