Sourcefire VRT Rules Update
Date: 2008-04-02
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.
The format of the file is:
sid - Message (rule group)
New rules:
13635 <-> SPYWARE-PUT Trickler downloader trojan.gen runtime detection - get malicious link (spyware-put.rules)
13636 <-> SPYWARE-PUT Trickler downloader trojan.gen runtime detection - download malicious link (spyware-put.rules)
13637 <-> SPYWARE-PUT Adware virus heat runtime detection - presale request (spyware-put.rules)
13638 <-> SPYWARE-PUT Adware virus heat runtime detection - initial database connection (spyware-put.rules)
13639 <-> SPYWARE-PUT Hijacker locmag toolbar runtime detection - connection to toolbar (spyware-put.rules)
13640 <-> SPYWARE-PUT Hijacker locmag toolbar runtime detection - hijacks address bar (spyware-put.rules)
13641 <-> SPYWARE-PUT Hijacker eclickz toolbar runtime detection - search traffic (spyware-put.rules)
13642 <-> SPYWARE-PUT Keylogger easy Keylogger runtime detection (spyware-put.rules)
13643 <-> SPYWARE-PUT Hijacker zztoolbar runtime detection - toolbar traffic (spyware-put.rules)
13644 <-> SPYWARE-PUT Hijacker zztoolbar runtime detection - search traffic (spyware-put.rules)
13645 <-> SPYWARE-PUT Hijacker mxs toolbar runtime detection (spyware-put.rules)
13646 <-> SPYWARE-PUT Adware registry defender runtime detection - presale request (spyware-put.rules)
13647 <-> SPYWARE-PUT Adware registry defender runtime detection - error report request (spyware-put.rules)
13648 <-> SPYWARE-PUT Hijacker mysearch bar 2.0.2.28 runtime detection (spyware-put.rules)
13649 <-> SPYWARE-PUT Adware spyware stop runtime detection - presale request (spyware-put.rules)
13650 <-> SPYWARE-PUT Adware spyware stop runtime detection - auto updates (spyware-put.rules)
13651 <-> SPYWARE-PUT Keylogger family cyber alert runtime detection - smtp traffic for recorded activities (spyware-put.rules)
13652 <-> SPYWARE-PUT Keylogger all in one Keylogger runtime detection (spyware-put.rules)
13653 <-> SPYWARE-PUT Adware cashfiesta adbar runtime detection - updates traffic (spyware-put.rules)
13654 <-> BACKDOOR nuclear rat 2.1 runtime detection - init connection (backdoor.rules)
13655 <-> BACKDOOR nuclear rat 2.1 runtime detection - init connection (backdoor.rules)
13656 <-> WEB-MISC Cisco Secure Access Control Server UCP Application CSuserCGI.exe Buffer Overflow attempt (web-misc.rules)
13657 <-> WEB-CLIENT BusinessObjects RptViewerAx ActiveX clsid access (web-client.rules)
13658 <-> WEB-CLIENT BusinessObjects RptViewerAx ActiveX clsid unicode access (web-client.rules)
13659 <-> WEB-CLIENT BusinessObjects RptViewerAx ActiveX function call access (web-client.rules)
13660 <-> WEB-CLIENT BusinessObjects RptViewerAx ActiveX function call unicode access (web-client.rules)
13661 <-> WEB-CLIENT VeralSoft HTTP File Upload ActiveX clsid access (web-client.rules)
13662 <-> WEB-CLIENT VeralSoft HTTP File Upload ActiveX clsid unicode access (web-client.rules)
13663 <-> IMAP Alt-N MDaemon IMAP Server FETCH command buffer overflow attempt (imap.rules)
13664 <-> VOIP-SIP hexadecimal characters in IP address portion of Remote-Party-ID field (voip.rules)

Updated rules:
528 <-> BAD-TRAFFIC loopback traffic (bad-traffic.rules)
2125 <-> FTP CWD Root directory transversal attempt (ftp.rules)
13591 <-> WEB-CGI Trend Micro OfficeScan CGI password decryption buffer overflow attempt (web-cgi.rules)
