Sourcefire VRT Rules Update

Date: 2010-03-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.

The format of the file is:

sid - Message (rule group, priority)

New rules:
16489 <-> SPYWARE-PUT Bobax botnet contact to C&C server attempt (spyware-put.rules, High)
16490 <-> SPECIFIC-THREATS Adobe Reader malformed TIFF remote code execution attempt (specific-threats.rules, High)

Updated rules:
 105 <-> BACKDOOR - Dagger_1.4.0 (backdoor.rules, Low)
 108 <-> BACKDOOR QAZ Worm Client Login access (backdoor.rules, Low)
 109 <-> BACKDOOR netbus active (backdoor.rules, High)
 110 <-> BACKDOOR netbus getinfo (backdoor.rules, High)
 115 <-> BACKDOOR NetBus Pro 2.0 connection established (backdoor.rules, High)
 117 <-> BACKDOOR Infector.1.x (backdoor.rules, Low)
 118 <-> BACKDOOR SatansBackdoor.2.0.Beta (backdoor.rules, High)
 119 <-> BACKDOOR Doly 2.0 access (backdoor.rules, Low)
 121 <-> BACKDOOR Infector 1.6 Client to Server Connection Request (backdoor.rules, Low)
 141 <-> BACKDOOR HackAttack 1.20 Connect (backdoor.rules, Low)
 145 <-> BACKDOOR GirlFriendaccess (backdoor.rules, Low)
 146 <-> BACKDOOR NetSphere access (backdoor.rules, High)
 147 <-> BACKDOOR GateCrasher (backdoor.rules, High)
 152 <-> BACKDOOR BackConstruction 2.1 Connection (backdoor.rules, Low)
 157 <-> BACKDOOR BackConstruction 2.1 Client FTP Open Request (backdoor.rules, Low)
 158 <-> BACKDOOR BackConstruction 2.1 Server FTP Open Reply (backdoor.rules, Low)
 161 <-> BACKDOOR Matrix 2.0 Client connect (backdoor.rules, Low)
 162 <-> BACKDOOR Matrix 2.0 Server access (backdoor.rules, Low)
 163 <-> BACKDOOR WinCrash 1.0 Server Active (backdoor.rules, Low)
 185 <-> BACKDOOR CDK (backdoor.rules, Low)
 195 <-> BACKDOOR DeepThroat 3.1 Server Response (backdoor.rules, High)
 208 <-> BACKDOOR PhaseZero Server Active on Network (backdoor.rules, High)
 209 <-> BACKDOOR w00w00 attempt (backdoor.rules, High)
 210 <-> BACKDOOR attempt (backdoor.rules, High)
 211 <-> BACKDOOR MISC r00t attempt (backdoor.rules, High)
 212 <-> BACKDOOR MISC rewt attempt (backdoor.rules, High)
 213 <-> BACKDOOR MISC Linux rootkit attempt (backdoor.rules, High)
 214 <-> BACKDOOR MISC Linux rootkit attempt lrkr0x (backdoor.rules, High)
 215 <-> BACKDOOR MISC Linux rootkit attempt (backdoor.rules, High)
 216 <-> BACKDOOR MISC Linux rootkit satori attempt (backdoor.rules, High)
 217 <-> BACKDOOR MISC sm4ck attempt (backdoor.rules, High)
 218 <-> BACKDOOR MISC Solaris 2.5 attempt (backdoor.rules, High)
 219 <-> BACKDOOR HidePak backdoor attempt (backdoor.rules, Low)
 220 <-> BACKDOOR HideSource backdoor attempt (backdoor.rules, Low)
 614 <-> BACKDOOR hack-a-tack attempt (backdoor.rules, Medium)
 989 <-> BACKDOOR sensepost.exe command shell attempt (backdoor.rules, Medium)
1260 <-> WEB-MISC long basic authorization string (web-misc.rules, Medium)
1843 <-> BACKDOOR trinity connection attempt (backdoor.rules, High)
1853 <-> BACKDOOR win-trin00 connection attempt (backdoor.rules, High)
1980 <-> BACKDOOR DeepThroat 3.1 Connection attempt (backdoor.rules, High)
1981 <-> BACKDOOR DeepThroat 3.1 Connection attempt [3150] (backdoor.rules, High)
1982 <-> BACKDOOR DeepThroat 3.1 Server Response [3150] (backdoor.rules, High)
1983 <-> BACKDOOR DeepThroat 3.1 Connection attempt [4120] (backdoor.rules, High)
1984 <-> BACKDOOR DeepThroat 3.1 Server Response [4120] (backdoor.rules, High)
1985 <-> BACKDOOR Doly 1.5 server response (backdoor.rules, High)
2100 <-> BACKDOOR SubSeven 2.1 Gold server connection response (backdoor.rules, High)
2124 <-> BACKDOOR Remote PC Access connection attempt (backdoor.rules, High)
2267 <-> SMTP MAIL FROM sendmail prescan too many addresses overflow (smtp.rules, High)
2269 <-> SMTP RCPT TO sendmail prescan too many addresses overflow (smtp.rules, High)
2271 <-> BACKDOOR FsSniffer connection attempt (backdoor.rules, High)
2375 <-> BACKDOOR DoomJuice/mydoom.a backdoor upload/execute attempt (backdoor.rules, High)
3009 <-> BACKDOOR NetBus Pro 2.0 connection request (backdoor.rules, Low)
5771 <-> SPYWARE-PUT Screen-Scraper farsighter runtime detection - initial connection (spyware-put.rules, Medium)
5772 <-> SPYWARE-PUT Screen-Scraper farsighter runtime detection - initial connection (spyware-put.rules, Medium)
6012 <-> BACKDOOR coolcat runtime connection detection - tcp 1 (backdoor.rules, High)
6013 <-> BACKDOOR coolcat runtime connection detection - tcp 2 (backdoor.rules, High)
6014 <-> BACKDOOR coolcat runtime connection detection - tcp 3 (backdoor.rules, High)
6025 <-> BACKDOOR tequila bandita 1.2 runtime detection - reverse connection (backdoor.rules, High)
6027 <-> BACKDOOR netshadow runtime detection (backdoor.rules, High)
6029 <-> BACKDOOR fkwp 2.0 runtime detection - icq notification (backdoor.rules, High)
6040 <-> BACKDOOR fade 1.0 runtime detection - enable keylogger (backdoor.rules, High)
6041 <-> BACKDOOR fade 1.0 runtime detection - enable keylogger (backdoor.rules, High)
6055 <-> BACKDOOR bifrose 1.1 runtime detection (backdoor.rules, High)
6056 <-> BACKDOOR bifrose 1.1 runtime detection (backdoor.rules, High)
6057 <-> BACKDOOR bifrose 1.1 runtime detection (backdoor.rules, High)
6066 <-> BACKDOOR optixlite 1.0 runtime detection - connection success server-to-client (backdoor.rules, High)
6073 <-> BACKDOOR freak 1.0 runtime detection - initial connection server-to-client (backdoor.rules, High)
6141 <-> BACKDOOR hellzaddiction v1.0e runtime detection - init conn (backdoor.rules, High)
6499 <-> BACKDOOR omerta 1.3 runtime detection (backdoor.rules, High)
6500 <-> BACKDOOR omerta 1.3 runtime detection (backdoor.rules, High)
7082 <-> BACKDOOR mosucker3.0 runtime detection - client-to-server (backdoor.rules, High)
7083 <-> BACKDOOR mosucker3.0 runtime detection - server-to-client1 (backdoor.rules, High)
7087 <-> BACKDOOR sinique 1.0 runtime detection - initial connection with correct password client-to-server (backdoor.rules, High)
7088 <-> BACKDOOR sinique 1.0 runtime detection - initial connection with correct password server-to-client (backdoor.rules, High)
7089 <-> BACKDOOR sinique 1.0 runtime detection - initial connection with wrong password -client-to-server (backdoor.rules, High)
7090 <-> BACKDOOR sinique 1.0 runtime detection - initial connection with wrong password server-to-client (backdoor.rules, High)
7538 <-> SPYWARE-PUT Screen-Scraper hidden camera runtime detection (spyware-put.rules, Medium)
7611 <-> BACKDOOR flux 1.0 runtime detection (backdoor.rules, High)
7643 <-> BACKDOOR netcontrol takeover runtime detection (backdoor.rules, High)
7647 <-> BACKDOOR minicom lite runtime detection - udp (backdoor.rules, High)
7648 <-> BACKDOOR minicom lite runtime detection - client-to-server (backdoor.rules, High)
7649 <-> BACKDOOR minicom lite runtime detection - server-to-client (backdoor.rules, High)
7650 <-> BACKDOOR small uploader 1.01 runtime detection - initial connection - flowbit set (backdoor.rules, High)
7651 <-> BACKDOOR small uploader 1.01 runtime detection - initial connection (backdoor.rules, High)
7695 <-> BACKDOOR hanky panky 1.1 runtime detection - initial connection - flowbit set 1 (backdoor.rules, High)
7696 <-> BACKDOOR hanky panky 1.1 runtime detection - initial connection - flowbit set 2 (backdoor.rules, High)
7697 <-> BACKDOOR hanky panky 1.1 runtime detection - initial connection (backdoor.rules, High)
7723 <-> BACKDOOR wollf runtime detection (backdoor.rules, High)
7734 <-> BACKDOOR bionet 4.05 runtime detection - initial connection - flowbit set (backdoor.rules, High)
7735 <-> BACKDOOR bionet 4.05 runtime detection - initial connection (backdoor.rules, High)
7740 <-> BACKDOOR nova 1.0 runtime detection - initial connection with pwd set - flowbit set (backdoor.rules, High)
7741 <-> BACKDOOR nova 1.0 runtime detection - initial connection with pwd set (backdoor.rules, High)
7769 <-> BACKDOOR data rape runtime detection - execute program server-to-client (backdoor.rules, High)
7785 <-> BACKDOOR forced control uploader runtime detection - connection with password (backdoor.rules, High)
7788 <-> BACKDOOR forced control uploader runtime detection directory listing - client to server (backdoor.rules, High)
7789 <-> BACKDOOR forced control uploader runtime detection directory listing - server to client (backdoor.rules, High)
7810 <-> BACKDOOR nuclear uploader 1.0 runtime detection (backdoor.rules, High)
7821 <-> BACKDOOR nightcreature beta 0.01 runtime detection (backdoor.rules, High)
8361 <-> BACKDOOR black curse 4.0 runtime detection - inverse init connection (backdoor.rules, High)
8362 <-> BACKDOOR black curse 4.0 runtime detection - normal init connection (backdoor.rules, High)
8426 <-> WEB-MISC SSLv2 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8427 <-> WEB-MISC SSLv3 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8428 <-> WEB-MISC SSLv2 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8429 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules, High)
8430 <-> POP3 SSLv3 openssl get shared ciphers overflow attempt (pop3.rules, High)
8431 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules, High)
8432 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8433 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8434 <-> SMTP SSLv3 openssl get shared ciphers overflow attempt (smtp.rules, High)
8435 <-> SMTP SSLv3 openssl get shared ciphers overflow attempt (smtp.rules, High)
8436 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8437 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8438 <-> IMAP SSLv2 openssl get shared ciphers overflow attempt (imap.rules, High)
8439 <-> IMAP SSLv3 openssl get shared ciphers overflow attempt (imap.rules, High)
8440 <-> IMAP SSLv2 openssl get shared ciphers overflow attempt (imap.rules, High)
10089 <-> SPYWARE-PUT Keylogger beyond Keylogger runtime detection - log sent by ftp (spyware-put.rules, Medium)
10094 <-> SPYWARE-PUT Adware borlan runtime detection (spyware-put.rules, Low)
10167 <-> SPYWARE-PUT Keylogger radar spy 1.0 runtime detection - send html log (spyware-put.rules, Medium)
10195 <-> WEB-MISC Content-Length buffer overflow attempt (web-misc.rules, High)
13819 <-> WEB-MISC IBM Lotus Domino Web Server Accept-Language header buffer overflow attempt (web-misc.rules, High)
13936 <-> SPYWARE-PUT Trickler dropper agent.rqg runtime detection - call home (spyware-put.rules, Low)
15367 <-> SMTP outlook web access script injection attempt (smtp.rules, High)
16144 <-> SPECIFIC-THREATS Bredolab downloader communication with server attempt (specific-threats.rules, High)
16365 <-> SPECIFIC-THREATS Trojan OnlineGames download atttempt (specific-threats.rules, High)
16460 <-> WEB-MISC text/html content-type without HTML - possible malware C&C (web-misc.rules, Medium)