Sourcefire VRT Rules Update
Date: 2010-03-17
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.
The format of the file is:
sid - Message (rule group, priority)
New rules:

16489 <-> SPYWARE-PUT Bobax botnet contact to C&C server attempt (spyware-put.rules, High)
16490 <-> SPECIFIC-THREATS Adobe Reader malformed TIFF remote code execution attempt (specific-threats.rules, High)

Updated rules:

105 <-> BACKDOOR - Dagger_1.4.0 (backdoor.rules, Low)
108 <-> BACKDOOR QAZ Worm Client Login access (backdoor.rules, Low)
109 <-> BACKDOOR netbus active (backdoor.rules, High)
110 <-> BACKDOOR netbus getinfo (backdoor.rules, High)
115 <-> BACKDOOR NetBus Pro 2.0 connection established (backdoor.rules, High)
117 <-> BACKDOOR Infector.1.x (backdoor.rules, Low)
118 <-> BACKDOOR SatansBackdoor.2.0.Beta (backdoor.rules, High)
119 <-> BACKDOOR Doly 2.0 access (backdoor.rules, Low)
121 <-> BACKDOOR Infector 1.6 Client to Server Connection Request (backdoor.rules, Low)
141 <-> BACKDOOR HackAttack 1.20 Connect (backdoor.rules, Low)
145 <-> BACKDOOR GirlFriendaccess (backdoor.rules, Low)
146 <-> BACKDOOR NetSphere access (backdoor.rules, High)
147 <-> BACKDOOR GateCrasher (backdoor.rules, High)
152 <-> BACKDOOR BackConstruction 2.1 Connection (backdoor.rules, Low)
157 <-> BACKDOOR BackConstruction 2.1 Client FTP Open Request (backdoor.rules, Low)
158 <-> BACKDOOR BackConstruction 2.1 Server FTP Open Reply (backdoor.rules, Low)
161 <-> BACKDOOR Matrix 2.0 Client connect (backdoor.rules, Low)
162 <-> BACKDOOR Matrix 2.0 Server access (backdoor.rules, Low)
163 <-> BACKDOOR WinCrash 1.0 Server Active (backdoor.rules, Low)
185 <-> BACKDOOR CDK (backdoor.rules, Low)
195 <-> BACKDOOR DeepThroat 3.1 Server Response (backdoor.rules, High)
208 <-> BACKDOOR PhaseZero Server Active on Network (backdoor.rules, High)
209 <-> BACKDOOR w00w00 attempt (backdoor.rules, High)
210 <-> BACKDOOR attempt (backdoor.rules, High)
211 <-> BACKDOOR MISC r00t attempt (backdoor.rules, High)
212 <-> BACKDOOR MISC rewt attempt (backdoor.rules, High)
213 <-> BACKDOOR MISC Linux rootkit attempt (backdoor.rules, High)
214 <-> BACKDOOR MISC Linux rootkit attempt lrkr0x (backdoor.rules, High)
215 <-> BACKDOOR MISC Linux rootkit attempt (backdoor.rules, High)
216 <-> BACKDOOR MISC Linux rootkit satori attempt (backdoor.rules, High)
217 <-> BACKDOOR MISC sm4ck attempt (backdoor.rules, High)
218 <-> BACKDOOR MISC Solaris 2.5 attempt (backdoor.rules, High)
219 <-> BACKDOOR HidePak backdoor attempt (backdoor.rules, Low)
220 <-> BACKDOOR HideSource backdoor attempt (backdoor.rules, Low)
614 <-> BACKDOOR hack-a-tack attempt (backdoor.rules, Medium)
989 <-> BACKDOOR sensepost.exe command shell attempt (backdoor.rules, Medium)
1260 <-> WEB-MISC long basic authorization string (web-misc.rules, Medium)
1843 <-> BACKDOOR trinity connection attempt (backdoor.rules, High)
1853 <-> BACKDOOR win-trin00 connection attempt (backdoor.rules, High)
1980 <-> BACKDOOR DeepThroat 3.1 Connection attempt (backdoor.rules, High)
1981 <-> BACKDOOR DeepThroat 3.1 Connection attempt [3150] (backdoor.rules, High)
1982 <-> BACKDOOR DeepThroat 3.1 Server Response [3150] (backdoor.rules, High)
1983 <-> BACKDOOR DeepThroat 3.1 Connection attempt [4120] (backdoor.rules, High)
1984 <-> BACKDOOR DeepThroat 3.1 Server Response [4120] (backdoor.rules, High)
1985 <-> BACKDOOR Doly 1.5 server response (backdoor.rules, High)
2100 <-> BACKDOOR SubSeven 2.1 Gold server connection response (backdoor.rules, High)
2124 <-> BACKDOOR Remote PC Access connection attempt (backdoor.rules, High)
2267 <-> SMTP MAIL FROM sendmail prescan too many addresses overflow (smtp.rules, High)
2269 <-> SMTP RCPT TO sendmail prescan too many addresses overflow (smtp.rules, High)
2271 <-> BACKDOOR FsSniffer connection attempt (backdoor.rules, High)
2375 <-> BACKDOOR DoomJuice/mydoom.a backdoor upload/execute attempt (backdoor.rules, High)
3009 <-> BACKDOOR NetBus Pro 2.0 connection request (backdoor.rules, Low)
5771 <-> SPYWARE-PUT Screen-Scraper farsighter runtime detection - initial connection (spyware-put.rules, Medium)
5772 <-> SPYWARE-PUT Screen-Scraper farsighter runtime detection - initial connection (spyware-put.rules, Medium)
6012 <-> BACKDOOR coolcat runtime connection detection - tcp 1 (backdoor.rules, High)
6013 <-> BACKDOOR coolcat runtime connection detection - tcp 2 (backdoor.rules, High)
6014 <-> BACKDOOR coolcat runtime connection detection - tcp 3 (backdoor.rules, High)
6025 <-> BACKDOOR tequila bandita 1.2 runtime detection - reverse connection (backdoor.rules, High)
6027 <-> BACKDOOR netshadow runtime detection (backdoor.rules, High)
6029 <-> BACKDOOR fkwp 2.0 runtime detection - icq notification (backdoor.rules, High)
6040 <-> BACKDOOR fade 1.0 runtime detection - enable keylogger (backdoor.rules, High)
6041 <-> BACKDOOR fade 1.0 runtime detection - enable keylogger (backdoor.rules, High)
6055 <-> BACKDOOR bifrose 1.1 runtime detection (backdoor.rules, High)
6056 <-> BACKDOOR bifrose 1.1 runtime detection (backdoor.rules, High)
6057 <-> BACKDOOR bifrose 1.1 runtime detection (backdoor.rules, High)
6066 <-> BACKDOOR optixlite 1.0 runtime detection - connection success server-to-client (backdoor.rules, High)
6073 <-> BACKDOOR freak 1.0 runtime detection - initial connection server-to-client (backdoor.rules, High)
6141 <-> BACKDOOR hellzaddiction v1.0e runtime detection - init conn (backdoor.rules, High)
6499 <-> BACKDOOR omerta 1.3 runtime detection (backdoor.rules, High)
6500 <-> BACKDOOR omerta 1.3 runtime detection (backdoor.rules, High)
7082 <-> BACKDOOR mosucker3.0 runtime detection - client-to-server (backdoor.rules, High)
7083 <-> BACKDOOR mosucker3.0 runtime detection - server-to-client1 (backdoor.rules, High)
7087 <-> BACKDOOR sinique 1.0 runtime detection - initial connection with correct password client-to-server (backdoor.rules, High)
7088 <-> BACKDOOR sinique 1.0 runtime detection - initial connection with correct password server-to-client (backdoor.rules, High)
7089 <-> BACKDOOR sinique 1.0 runtime detection - initial connection with wrong password -client-to-server (backdoor.rules, High)
7090 <-> BACKDOOR sinique 1.0 runtime detection - initial connection with wrong password server-to-client (backdoor.rules, High)
7538 <-> SPYWARE-PUT Screen-Scraper hidden camera runtime detection (spyware-put.rules, Medium)
7611 <-> BACKDOOR flux 1.0 runtime detection (backdoor.rules, High)
7643 <-> BACKDOOR netcontrol takeover runtime detection (backdoor.rules, High)
7647 <-> BACKDOOR minicom lite runtime detection - udp (backdoor.rules, High)
7648 <-> BACKDOOR minicom lite runtime detection - client-to-server (backdoor.rules, High)
7649 <-> BACKDOOR minicom lite runtime detection - server-to-client (backdoor.rules, High)
7650 <-> BACKDOOR small uploader 1.01 runtime detection - initial connection - flowbit set (backdoor.rules, High)
7651 <-> BACKDOOR small uploader 1.01 runtime detection - initial connection (backdoor.rules, High)
7695 <-> BACKDOOR hanky panky 1.1 runtime detection - initial connection - flowbit set 1 (backdoor.rules, High)
7696 <-> BACKDOOR hanky panky 1.1 runtime detection - initial connection - flowbit set 2 (backdoor.rules, High)
7697 <-> BACKDOOR hanky panky 1.1 runtime detection - initial connection (backdoor.rules, High)
7723 <-> BACKDOOR wollf runtime detection (backdoor.rules, High)
7734 <-> BACKDOOR bionet 4.05 runtime detection - initial connection - flowbit set (backdoor.rules, High)
7735 <-> BACKDOOR bionet 4.05 runtime detection - initial connection (backdoor.rules, High)
7740 <-> BACKDOOR nova 1.0 runtime detection - initial connection with pwd set - flowbit set (backdoor.rules, High)
7741 <-> BACKDOOR nova 1.0 runtime detection - initial connection with pwd set (backdoor.rules, High)
7769 <-> BACKDOOR data rape runtime detection - execute program server-to-client (backdoor.rules, High)
7785 <-> BACKDOOR forced control uploader runtime detection - connection with password (backdoor.rules, High)
7788 <-> BACKDOOR forced control uploader runtime detection directory listing - client to server (backdoor.rules, High)
7789 <-> BACKDOOR forced control uploader runtime detection directory listing - server to client (backdoor.rules, High)
7810 <-> BACKDOOR nuclear uploader 1.0 runtime detection (backdoor.rules, High)
7821 <-> BACKDOOR nightcreature beta 0.01 runtime detection (backdoor.rules, High)
8361 <-> BACKDOOR black curse 4.0 runtime detection - inverse init connection (backdoor.rules, High)
8362 <-> BACKDOOR black curse 4.0 runtime detection - normal init connection (backdoor.rules, High)
8426 <-> WEB-MISC SSLv2 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8427 <-> WEB-MISC SSLv3 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8428 <-> WEB-MISC SSLv2 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8429 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules, High)
8430 <-> POP3 SSLv3 openssl get shared ciphers overflow attempt (pop3.rules, High)
8431 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules, High)
8432 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8433 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8434 <-> SMTP SSLv3 openssl get shared ciphers overflow attempt (smtp.rules, High)
8435 <-> SMTP SSLv3 openssl get shared ciphers overflow attempt (smtp.rules, High)
8436 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8437 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8438 <-> IMAP SSLv2 openssl get shared ciphers overflow attempt (imap.rules, High)
8439 <-> IMAP SSLv3 openssl get shared ciphers overflow attempt (imap.rules, High)
8440 <-> IMAP SSLv2 openssl get shared ciphers overflow attempt (imap.rules, High)
10089 <-> SPYWARE-PUT Keylogger beyond Keylogger runtime detection - log sent by ftp (spyware-put.rules, Medium)
10094 <-> SPYWARE-PUT Adware borlan runtime detection (spyware-put.rules, Low)
10167 <-> SPYWARE-PUT Keylogger radar spy 1.0 runtime detection - send html log (spyware-put.rules, Medium)
10195 <-> WEB-MISC Content-Length buffer overflow attempt (web-misc.rules, High)
13819 <-> WEB-MISC IBM Lotus Domino Web Server Accept-Language header buffer overflow attempt (web-misc.rules, High)
13936 <-> SPYWARE-PUT Trickler dropper agent.rqg runtime detection - call home (spyware-put.rules, Low)
15367 <-> SMTP outlook web access script injection attempt (smtp.rules, High)
16144 <-> SPECIFIC-THREATS Bredolab downloader communication with server attempt (specific-threats.rules, High)
16365 <-> SPECIFIC-THREATS Trojan OnlineGames download atttempt (specific-threats.rules, High)
16460 <-> WEB-MISC text/html content-type without HTML - possible malware C&C (web-misc.rules, Medium)
