Sourcefire VRT Rules Update

Date: 2010-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8_6_1.

The format of the file is:

sid - Message (rule group, priority)

New rules:
17042 <-> WEB-CLIENT Microsoft LNK shortcut download attempt (web-client.rules, High)
17044 <-> SQL WinCC DB default password security bypass attempt (sql.rules, High)

Updated rules:
988 <-> DELETED WEB-IIS SAM Attempt (deleted.rules, High)
7023 <-> DELETED WEB-CLIENT xls file download (deleted.rules, Low)
9418 <-> BOTNET-CNC bagle.a http notification detection (botnet-cnc.rules, High)
10113 <-> BOTNET-CNC Trojan Peacomm command and control propagation detected (botnet-cnc.rules, High)
10114 <-> BOTNET-CNC Trojan Peacomm command and control propagation detected (botnet-cnc.rules, High)
10403 <-> BOTNET-CNC Trojan.Duntek Checkin GET Request (botnet-cnc.rules, High)
13953 <-> BOTNET-CNC Asprox trojan initial query (botnet-cnc.rules, High)
15295 <-> BOTNET-CNC Trojan.Bankpatch.C configuration attempt (botnet-cnc.rules, High)
15296 <-> BOTNET-CNC Trojan.Bankpatch.C malicious file download attempt (botnet-cnc.rules, High)
15297 <-> BOTNET-CNC Trojan.Bankpatch.C report home attempt (botnet-cnc.rules, High)
15423 <-> BOTNET-CNC Clampi virus communication detected (botnet-cnc.rules, High)
15481 <-> BOTNET-CNC Zeus/Zbot malware config file download request (botnet-cnc.rules, High)
15553 <-> BOTNET-CNC Sality virus HTTP GET request (botnet-cnc.rules, High)
15730 <-> BOTNET-CNC Delf Trojan POST attempt (botnet-cnc.rules, High)
15938 <-> BOTNET-CNC Backdoor SubSeven client connection to server (botnet-cnc.rules, High)
16368 <-> BOTNET-CNC Hydraq/Aurora connection to C&C server attempt (botnet-cnc.rules, High)
16439 <-> BOTNET-CNC Possible Zeus User-Agent - _TEST_ (botnet-cnc.rules, High)
16440 <-> BOTNET-CNC Possible Zeus User-Agent - ie (botnet-cnc.rules, High)
16441 <-> BOTNET-CNC Possible Zeus User-Agent - Download (botnet-cnc.rules, High)
16442 <-> BOTNET-CNC Possible Zeus User-Agent - Mozilla (botnet-cnc.rules, High)
16459 <-> BOTNET-CNC Trojan command and control communication attempt (botnet-cnc.rules, High)
16483 <-> BOTNET-CNC Koobface worm submission of collected data to C&C server attempt (botnet-cnc.rules, High)
16484 <-> BOTNET-CNC Koobface contact to C&C server attempt (botnet-cnc.rules, High)
16485 <-> BOTNET-CNC Koobface request for captcha attempt (botnet-cnc.rules, High)
16526 <-> BOTNET-CNC VanBot IRC communication attempt (botnet-cnc.rules, High)
16527 <-> BOTNET-CNC Zbot malware config file download request (botnet-cnc.rules, High)
16528 <-> BOTNET-CNC Zbot malware config file download request (botnet-cnc.rules, High)
16809 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16810 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16811 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16812 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16813 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16814 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16815 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16816 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16817 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16818 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16819 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16820 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16821 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16822 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16823 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16824 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16825 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16826 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16827 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16828 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16829 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16830 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16831 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16832 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16833 <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules, High)
16834 <-> BLACKLIST DNS request for known malware domain qd.netkill.com.cn - Trojan-Downloader.Win32.Adload.rzx (blacklist.rules, High)
16835 <-> BLACKLIST DNS request for known malware domain exe.146843.com - Trojan.Win32.Opeg.a (blacklist.rules, High)
16836 <-> BLACKLIST DNS request for known malware domain ra03.e5732.com - Trojan-Clicker.Win32.Small.afg (blacklist.rules, High)
16837 <-> BLACKLIST DNS request for known malware domain dangercheats.com.br - Trojan.Win32.Refroso.arnq (blacklist.rules, High)
16838 <-> BLACKLIST DNS request for known malware domain xlm.ppvsr.com - Trojan-GameThief.Win32.OnLineGames.wwcf (blacklist.rules, High)
16839 <-> BLACKLIST DNS request for known malware domain sh16.e8753.com - Trojan.Win32.Scar.ccqb (blacklist.rules, High)
16840 <-> BLACKLIST DNS request for known malware domain rx11.e6532.com - Trojan.Win32.Opeg.a (blacklist.rules, High)
16841 <-> BLACKLIST DNS request for known malware domain podgorz.org - Trojan-Spy.Win32.Zbot.gen (blacklist.rules, High)
16842 <-> BLACKLIST DNS request for known malware domain sp19.e4578.com - Trojan-Downloader.Win32.Genome.njz (blacklist.rules, High)
16843 <-> BLACKLIST DNS request for known malware domain 1.7zsm.com - Trojan-Downloader.Win32.Agent.dtuo (blacklist.rules, High)
16844 <-> BLACKLIST DNS request for known malware domain rm08.e4562.com - Trojan-Downloader.Win32.Agent.dngx (blacklist.rules, High)
16845 <-> BLACKLIST DNS request for known malware domain rc04.e6532.com - Trojan-Downloader.Win32.Genome.awld (blacklist.rules, High)
16846 <-> BLACKLIST DNS request for known malware domain bedayton.com - Trojan-Downloader.Win32.Agent.dlhe (blacklist.rules, High)
16847 <-> BLACKLIST DNS request for known malware domain rz12.e6805.com - Trojan-Downloader.Win32.Genome.awld (blacklist.rules, High)
16848 <-> BLACKLIST DNS request for known malware domain in.chinaitlm.cn - Trojan.VBS.HideIcon.d (blacklist.rules, High)
16849 <-> BLACKLIST DNS request for known malware domain re05.e6532.com - Trojan-Downloader.Win32.Genome.awld (blacklist.rules, High)
16850 <-> BLACKLIST DNS request for known malware domain kldmten.net - Trojan-Spy.Win32.Zbot.akra (blacklist.rules, High)
16851 <-> BLACKLIST DNS request for known malware domain forelc.cc - Trojan-Ransom.Win32.XBlocker.ahe (blacklist.rules, High)
16852 <-> BLACKLIST DNS request for known malware domain v.yao63.com - Trojan-Downloader.Win32.Agent.dqns (blacklist.rules, High)
16853 <-> BLACKLIST DNS request for known malware domain vh26.e4578.com - Trojan.Win32.Opeg.a (blacklist.rules, High)
16854 <-> BLACKLIST DNS request for known malware domain up1.give2sms.com - Trojan-Downloader.Win32.Genome.est (blacklist.rules, High)
16855 <-> BLACKLIST DNS request for known malware domain d.123kuaihuo.com - Trojan.Win32.Scar.clbx (blacklist.rules, High)
16856 <-> BLACKLIST DNS request for known malware domain andy.cd - Backdoor.Win32.Agent.auto (blacklist.rules, High)
16857 <-> BLACKLIST DNS request for known malware domain site.mynet.com - Trojan.Win32.Buzus.dxsr (blacklist.rules, High)
16858 <-> BLACKLIST DNS request for known malware domain charter-x.biz - Packed.Win32.Krap.ae (blacklist.rules, High)
16859 <-> BLACKLIST DNS request for known malware domain gerherber.com - Trojan-Spy.Win32.Zbot.akdw (blacklist.rules, High)
16860 <-> BLACKLIST DNS request for known malware domain urodinam.net - Trojan.Win32.TDSS.azsj (blacklist.rules, High)
16861 <-> BLACKLIST DNS request for known malware domain gite-eguisheim.com - Trojan-Downloader.Win32.Piker.clp (blacklist.rules, High)
16862 <-> BLACKLIST DNS request for known malware domain phaizeipeu.ru - Packed.Win32.Krap.gx (blacklist.rules, High)
16863 <-> BLACKLIST DNS request for known malware domain teendx.com - Trojan-Spy.Win32.Zbot.gen (blacklist.rules, High)
16864 <-> BLACKLIST DNS request for known malware domain taiping2033.2288.org - Trojan-Downloader.Win32.Selvice.afy (blacklist.rules, High)
16865 <-> BLACKLIST DNS request for known malware domain cnfg.maxsitesrevenues.net - Trojan.Win32.BHO.afke (blacklist.rules, High)
16866 <-> BLACKLIST DNS request for known malware domain members.multimania.co.uk - Trojan.Win32.Inject.ahqv (blacklist.rules, High)
16867 <-> BLACKLIST DNS request for known malware domain down.toopc.com - Trojan-Dropper.Win32.Clons.hai (blacklist.rules, High)
16868 <-> BLACKLIST DNS request for known malware domain hostshack.net - Trojan.Win32.Buzus.empl (blacklist.rules, High)
16869 <-> BLACKLIST DNS request for known malware domain tt.vv49.com - Trojan-GameThief.Win32.OnLineGames.bnkb (blacklist.rules, High)
16870 <-> BLACKLIST DNS request for known malware domain search.sidegreen.com - Backdoor.Win32.Agent.arqi (blacklist.rules, High)
16871 <-> BLACKLIST DNS request for known malware domain parfaitpournous.com - Trojan-Spy.Win32.Zbot.gen (blacklist.rules, High)
16872 <-> BLACKLIST DNS request for known malware domain postmetoday.ru - Packed.Win32.Katusha.j (blacklist.rules, High)
16873 <-> BLACKLIST DNS request for known malware domain youword.cn - Trojan.Win32.Scar.bvgu (blacklist.rules, High)
16874 <-> BLACKLIST DNS request for known malware domain ophaeghaev.ru - Trojan-Spy.Win32.Zbot.akmi (blacklist.rules, High)
16875 <-> BLACKLIST DNS request for known malware domain up1.free-sms.co.kr - Trojan.Win32.Vilsel.akp (blacklist.rules, High)
16876 <-> BLACKLIST DNS request for known malware domain c.softdowns.info - Trojan.BAT.Agent.yn (blacklist.rules, High)
16877 <-> BLACKLIST DNS request for known malware domain ddkom.biz - Trojan.Win32.Scar.ckhr (blacklist.rules, High)
16878 <-> BLACKLIST DNS request for known malware domain vopret.ru - Trojan.Win32.FraudPack.axwn (blacklist.rules, High)
16879 <-> BLACKLIST DNS request for known malware domain dnfpomo.dnfranran.com - Trojan-GameThief.Win32.OnLineGames.bnkx (blacklist.rules, High)
16880 <-> BLACKLIST DNS request for known malware domain dnfuu.3322.org - Trojan-Downloader.Win32.Genome.asrx (blacklist.rules, High)
16881 <-> BLACKLIST DNS request for known malware domain sex-gifts.ru - Trojan-Spy.Win32.Zbot.gen (blacklist.rules, High)
16882 <-> BLACKLIST DNS request for known malware domain 111.168lala.com - Backdoor.Win32.Popwin.cyn (blacklist.rules, High)
16883 <-> BLACKLIST DNS request for known malware domain mcafee-registry.ru - Trojan-Spy.Win32.Zbot.akgb (blacklist.rules, High)
16884 <-> BLACKLIST DNS request for known malware domain bits4ever.ru - Trojan-Spy.Win32.Zbot.aknt (blacklist.rules, High)
16885 <-> BLACKLIST DNS request for known malware domain monicaecarlos.com - Trojan-Downloader.Win32.Genome.awxv (blacklist.rules, High)
16886 <-> BLACKLIST DNS request for known malware domain d.trymedia.com - Trojan-Dropper.Win32.Delf.fkk (blacklist.rules, High)
16887 <-> BLACKLIST DNS request for known malware domain hesneclimi.ru - Packed.Win32.Krap.ae (blacklist.rules, High)
16888 <-> BLACKLIST DNS request for known malware domain dbtte.com - Trojan-Banker.Win32.Banz.crk (blacklist.rules, High)
16889 <-> BLACKLIST DNS request for known malware domain h1.ripway.com - Trojan.Win32.Refroso.bcdq (blacklist.rules, High)
16890 <-> BLACKLIST DNS request for known malware domain in6cs.com - Trojan.Win32.Tdss.beea (blacklist.rules, High)
16891 <-> BLACKLIST DNS request for known malware domain solo1928.ru - Trojan-Spy.Win32.Zbot.gen (blacklist.rules, High)
16892 <-> BLACKLIST DNS request for known malware domain fg545633.host.zgridc.com - Trojan.Win32.Pincav.abub (blacklist.rules, High)
16893 <-> BLACKLIST DNS request for known malware domain primusdns.ru - Backdoor.Win32.Havar.eh (blacklist.rules, High)
16894 <-> BLACKLIST DNS request for known malware domain eq.pccppc.com - Trojan-Downloader.Win32.Pher.fkl (blacklist.rules, High)
16895 <-> BLACKLIST DNS request for known malware domain alodh.in - Backdoor.Win32.Delf.vde (blacklist.rules, High)
16896 <-> BLACKLIST DNS request for known malware domain reward.pnshop.co.kr - Backdoor.Win32.Agent.ahra (blacklist.rules, High)
16897 <-> BLACKLIST DNS request for known malware domain sympathy.hdnews.net - Trojan-Spy.Win32.Zbot.gen (blacklist.rules, High)
16898 <-> BLACKLIST DNS request for known malware domain sx21.e4578.com - Trojan.Win32.Scar.ccqb (blacklist.rules, High)
16899 <-> BLACKLIST DNS request for known malware domain downloadering.9966.org - Trojan.Win32.Vilsel.adxv (blacklist.rules, High)
16900 <-> BLACKLIST DNS request for known malware domain reportes201.com - Trojan-Downloader.Win32.Genome.ashe (blacklist.rules, High)
16901 <-> BLACKLIST DNS request for known malware domain local.1140.co.kr - Trojan-Downloader.Win32.Genome.aobm (blacklist.rules, High)
16902 <-> BLACKLIST DNS request for known malware domain promojoy.net - Packed.Win32.Krap.gx (blacklist.rules, High)
16903 <-> BLACKLIST DNS request for known malware domain gpwg.ws - Worm.Win32.AutoRun.bjca (blacklist.rules, High)
16904 <-> BLACKLIST DNS request for known malware domain xoomer.alice.it - Trojan-Downloader.Win32.Banload.kdu (blacklist.rules, High)
16905 <-> BLACKLIST DNS request for known malware domain xoomer.virgilio.it - Backdoor.Win32.Clar.d (blacklist.rules, High)
16906 <-> BLACKLIST DNS request for known malware domain down.p2pplay.com - Trojan-GameThief.Win32.OnLineGames.wgkv (blacklist.rules, High)
16907 <-> BLACKLIST DNS request for known malware domain livetrust.info - Trojan-Spy.Win32.Zbot.akku (blacklist.rules, High)
16908 <-> BLACKLIST DNS request for known malware domain ootaivilei.ru - Trojan-Spy.Win32.Zbot.akme (blacklist.rules, High)
16909 <-> BLACKLIST DNS request for known malware domain babah20122012.com - Trojan-Spy.Win32.Zbot.akbb (blacklist.rules, High)
16910 <-> BLACKLIST DNS request for known malware domain pattern - 0-0-0-0-0-0-0.info (blacklist.rules, High)
16911 <-> BLACKLIST URI request for known malicious URI - ucsp0416.exe?t= (blacklist.rules, High)
16912 <-> BLACKLIST URI request for known malicious URI - net/cfg2.bin (blacklist.rules, High)
16913 <-> BLACKLIST URI request for known malicious URI - count_log/log/boot.php?p= (blacklist.rules, High)
16914 <-> BLACKLIST URI request for known malicious URI - .bin?ucsp (blacklist.rules, High)
16915 <-> BLACKLIST URI request for known malicious URI - /MNG/Download/?File=AZF (blacklist.rules, High)
16916 <-> BLACKLIST URI request for known malicious URI - /jarun/jezerce (blacklist.rules, High)
16917 <-> BLACKLIST URI request for known malicious URI - /ekaterina/velika (blacklist.rules, High)
16918 <-> BLACKLIST URI request for known malicious URI - /ultimate/fight (blacklist.rules, High)
16919 <-> BLACKLIST URI request for known malicious URI - /tmp/pm.exe?t= (blacklist.rules, High)
16920 <-> BLACKLIST URI request for known malicious URI - /DownLoadFile/BaePo/ver (blacklist.rules, High)
16921 <-> BLACKLIST URI request for known malicious URI - /s1/launcher/update/Update/data/ (blacklist.rules, High)
16922 <-> BLACKLIST URI request for known malicious URI - /cgi-bin/rd.cgi?f=/vercfg.dat?AgentID= (blacklist.rules, High)
16923 <-> BLACKLIST URI request for known malicious URI - /search.php?username=coolweb07&keywords= (blacklist.rules, High)
16924 <-> BLACKLIST URI request for known malicious URI - /inst.php?fff= (blacklist.rules, High)
16925 <-> BLACKLIST URI request for known malicious URI - /message.php?subid= (blacklist.rules, High)
16926 <-> BLACKLIST URI request for known malicious URI - strMode=setup&strID=pcvaccine&strPC= (blacklist.rules, High)
16927 <-> BLACKLIST URI request for known malicious URI - MGWEB.php?c=TestUrl (blacklist.rules, High)
16928 <-> BLACKLIST URI request for known malicious URI - /stat.html?0dPg0uXTraCSqrOdlrKpmpyorePbz (blacklist.rules, High)
16929 <-> BLACKLIST URI request for known malicious URI - gate.php?guid= (blacklist.rules, High)
16930 <-> BLACKLIST URI request for known malicious URI - count.asp?mac= (blacklist.rules, High)
16931 <-> BLACKLIST URI request for known malicious URI - feedbigfoot.php?m= (blacklist.rules, High)
16932 <-> BLACKLIST URI request for known malicious URI - /qqnongchang/qqkj. (blacklist.rules, High)
16933 <-> BLACKLIST URI request for known malicious URI - /root/9 frt.rar (blacklist.rules, High)