Sourcefire VRT Rules Update

Date: 2009-11-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.

The format of the file is:

sid - Message (rule group, priority)

New rules:
16242 <-> BACKDOOR downloader-ash.gen.b runtime detection - adload (backdoor.rules, High)
16243 <-> BACKDOOR downloader-ash.gen.b runtime detection - 3264.php (backdoor.rules, High)
16244 <-> BACKDOOR rogue software xp police antivirus runtime detection - purchase (backdoor.rules, High)
16245 <-> BACKDOOR rogue software xp police antivirus install-timedetection (backdoor.rules, High)
16246 <-> BACKDOOR rogue software spyware protect 2009 runtime detection - purchase request (backdoor.rules, High)
16247 <-> BACKDOOR rogue software spyware protect 2009 runtime detection - block (backdoor.rules, High)
16248 <-> BACKDOOR rogue software ms antispyware 2009 runtime detection - start (backdoor.rules, High)
16249 <-> BACKDOOR rogue software ms antispyware 2009 runtime detection - pay (backdoor.rules, High)
16250 <-> BACKDOOR rogue software win pc defender runtime detection (backdoor.rules, High)
16251 <-> BACKDOOR rogue software win pc defender installtime detection (backdoor.rules, High)
16252 <-> BACKDOOR rogue software pro antispyware 2009 runtime detection - purchase (backdoor.rules, High)
16253 <-> BACKDOOR rogue software system security 2009 runtime detection (backdoor.rules, High)
16254 <-> BACKDOOR rogue software system security 2009 installtime detection (backdoor.rules, High)
16255 <-> BACKDOOR rogue software system security 2009 installtime detection (backdoor.rules, High)
16256 <-> BACKDOOR rogue software coreguard antivirus 2009 runtime detection (backdoor.rules, High)
16257 <-> BACKDOOR rogue software perfect defender 2009 runtime detection - update (backdoor.rules, High)
16258 <-> BACKDOOR rogue software perfect defender 2009 runtime detection - purchase (backdoor.rules, High)
16259 <-> BACKDOOR rogue software antivirusdoktor2009 runtime detection (backdoor.rules, High)
16260 <-> BACKDOOR rogue software xp antivirus protection runtime detection - installation (backdoor.rules, High)
16261 <-> BACKDOOR rogue software xp antivirus protection runtime detection - runtime (backdoor.rules, High)
16262 <-> BACKDOOR rogue software xp-shield runtime detection (backdoor.rules, High)
16263 <-> BACKDOOR rogue software xp-shield runtime detection - installation (backdoor.rules, High)
16264 <-> BACKDOOR rogue software 007 anti-spyware runtime detection - update (backdoor.rules, High)
16265 <-> BACKDOOR rogue software 007 anti-spyware runtime detection - register (backdoor.rules, High)
16266 <-> BACKDOOR rogue software pc antispyware 2010 runtime detection - buy (backdoor.rules, High)
16267 <-> BACKDOOR rogue software pc antispyware 2010 runtime detection - files (backdoor.rules, High)
16268 <-> BACKDOOR trojan.tdss.1.gen install-time detection - yournewsblog.net (backdoor.rules, High)
16269 <-> BACKDOOR trojan.tdss.1.gen install-time detection - findzproportal1.com (backdoor.rules, High)
16270 <-> BACKDOOR srat 1.6 runtime detection (backdoor.rules, High)
16271 <-> BACKDOOR srat 1.6 runtime detection (backdoor.rules, High)
16272 <-> BACKDOOR trojan-dropper.irc.tkb runtime detection - lordhack (backdoor.rules, High)
16273 <-> BACKDOOR trojan-dropper.irc.tkb runtime detection - dxcpm (backdoor.rules, High)
16274 <-> SPYWARE-PUT Trickler trojan-spy.win32.pophot runtime detection - connect to server (spyware-put.rules, Low)
16275 <-> SPYWARE-PUT Trickler trojan-spy.win32.pophot runtime detection - download files (spyware-put.rules, Low)
16276 <-> SPYWARE-PUT Trickler win32-fakealert.kl runtime detection (spyware-put.rules, Low)
16277 <-> SPYWARE-PUT Trickler win32-fakealert.kl installtime detection - downloads malicious files (spyware-put.rules, Low)
16278 <-> SPYWARE-PUT Trickler win32-fakealert.kl installime detection - updates remote server (spyware-put.rules, Low)
16279 <-> BACKDOOR rogue-software windows antivirus 2008 runtime detection - pre-sale page (backdoor.rules, High)
16280 <-> BACKDOOR rogue-software windows antivirus 2008 runtime detection - registration and payment page (backdoor.rules, High)
16281 <-> P2P BitTorrent scrape request (p2p.rules, High)
16282 <-> P2P Bittorrent uTP peer request (p2p.rules, High)
16283 <-> WEB-MISC Borland StarTeam Multicast Service buffer overflow attempt (web-misc.rules, High)
16284 <-> SPECIFIC-THREATS Mozilla Firefox ClearTextRun exploit attempt (specific-threats.rules, High)
16285 <-> RPC AIX ttdbserv function 15 buffer overflow attempt (rpc.rules, High)

Updated rules:
2278 <-> WEB-MISC client negative Content-Length attempt (web-misc.rules, Medium)