Sourcefire VRT Rules Update

Date: 2008-07-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.

The format of the file is:

sid - Message (rule group)

New rules:
13930 <-> SPYWARE-PUT Trickler pc privacy cleaner runtime detection - order/register request (spyware-put.rules)
13931 <-> SPYWARE-PUT Trickler pc privacy cleaner runtime detection - auto update (spyware-put.rules)
13932 <-> SPYWARE-PUT Trackware rightonadz.biz adrotator runtime detection - post user info to remote server (spyware-put.rules)
13933 <-> SPYWARE-PUT Trackware rightonadz.biz adrotator runtime detection - ads (spyware-put.rules)
13934 <-> SPYWARE-PUT Hijacker mediatubecodec 1.470.0 runtime detection - hijack ie (spyware-put.rules)
13935 <-> SPYWARE-PUT Hijacker mediatubecodec 1.470.0 runtime detection - download other malware (spyware-put.rules)
13936 <-> SPYWARE-PUT Trickler dropper agent.rqg runtime detection - call home (spyware-put.rules)
13937 <-> SPYWARE-PUT Hijacker adware.win32.ejik.ec variant runtime detection - call home (spyware-put.rules)
13938 <-> SPYWARE-PUT Hijacker adware.win32.ejik.ec variant runtime detection (spyware-put.rules)
13939 <-> SPYWARE-PUT Hijacker adware.win32.ejik.ec variant runtime detection - auto update (spyware-put.rules)
13940 <-> SPYWARE-PUT Hijacker win32.bho.bgf runtime detection (spyware-put.rules)
13941 <-> BACKDOOR trojan agent.nac runtime detection - click fraud (backdoor.rules)
13942 <-> BACKDOOR trojan agent.nac runtime detection - call home (backdoor.rules)
13943 <-> SPYWARE-PUT Trickler dropper agent.rqg runtime detection (spyware-put.rules)
13944 <-> BACKDOOR trojan downloader small.gy runtime detection - get whitelist (backdoor.rules)
13945 <-> BACKDOOR trojan downloader small.gy runtime detection - update (backdoor.rules)
13948 <-> DNS large number of NXDOMAIN replies - possible DNS cache poisoning (dns.rules)
13949 <-> DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers (dns.rules)
13950 <-> WEB-CLIENT Sun Java Web Start JNLP attribute buffer overflow attempt (web-client.rules)
13952 <-> SPECIFIC-THREATS b.js download - possible Asprox trojan attack (specific-threats.rules)
13953 <-> SPECIFIC-THREATS Asprox trojan initial query (specific-threats.rules)

Updated rules:
12592 <-> SMTP ClamAV recipient command injection attempt (smtp.rules)