Sourcefire VRT Rules Update

Date: 2011-06-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
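The list below is long and mixes rules that ship ENABLED with ones that ship DISABLED (for example the VOIP-SIP and LOIC additions), so what an operator usually wants is a quick summary and a gid:sid list of the disabled additions to review for enabling. The following parser for the line format above is an added example, not part of the VRT update itself; the excerpt it parses is copied from this page's format with only a handful of the entries, and the one-gid:sid-per-line output shape is an assumption chosen to match enablesid/disablesid style lists. One point worth remembering when reading the list: gid 1 entries are text rules, while gid 3 entries are shared-object rules, which need the matching SO package for your Snort build.

```python
import re
from collections import Counter

# Constructed excerpt in the same line format as the update (a few of the page's entries, not the full list).
SAMPLE_UPDATE = """Sourcefire VRT Rules Update

New Rules:

 * 1:19327 <-> ENABLED <-> BACKDOOR Classroom Spy Professional runtime detection - initial connection (backdoor.rules)
 * 1:19333 <-> DISABLED <-> VOIP-SIP Content-Type invalid format too many slashes (voip.rules)
 * 1:19318 <-> DISABLED <-> DDOS LOIC UDP default U dun goofed attack (ddos.rules)
 * 1:19368 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Carberp.D outbound connection (botnet-cnc.rules)
 * 1:19369 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Carberp.D outbound connection (botnet-cnc.rules)
 * 3:19350 <-> ENABLED <-> WEB-CLIENT Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (web-client.rules)

Modified Rules:

 * 1:11998 <-> DISABLED <-> VOIP-SIP To header invalid characters detected (voip.rules)
 * 1:16833 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 3:16315 <-> ENABLED <-> WEB-MISC Adobe Flash PlugIn check if file exists attempt (web-misc.rules)
"""

# One entry: " * gid:sid <-> STATE <-> message (file.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)
SECTION_RE = re.compile(r"^(?P<name>New|Modified) Rules:\s*$")


def parse_update(text):
    """Return one dict per rule line, tagged with the section ('new' or 'modified') it sits in."""
    entries, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").lower()
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({
                "section": section,
                "gid": int(m.group("gid")),      # 1 = text rule, 3 = shared-object rule
                "sid": int(m.group("sid")),
                "state": m.group("state"),
                "msg": m.group("msg"),
                "group": m.group("group"),
                "category": m.group("msg").split(" ", 1)[0],  # e.g. VOIP-SIP, BOTNET-CNC
            })
    return entries


def summarize(entries):
    """Count rules by (section, default state) so disabled-by-default additions stand out."""
    return Counter((e["section"], e["state"]) for e in entries)


def sid_list(entries, section="new", state="DISABLED", groups=None):
    """gid:sid strings for rules in a section/state, optionally limited to given rule files.
    Output shape (one gid:sid per line) is an assumption matching enablesid/disablesid style lists."""
    return [
        f"{e['gid']}:{e['sid']}"
        for e in entries
        if e["section"] == section and e["state"] == state
        and (groups is None or e["group"] in groups)
    ]


def duplicated_messages(entries):
    """Messages shared by more than one sid (UDP/TCP pairs, follow-up rules); useful when tuning."""
    by_msg = Counter(e["msg"] for e in entries)
    return sorted(m for m, n in by_msg.items() if n > 1)


if __name__ == "__main__":
    rules = parse_update(SAMPLE_UPDATE)
    for (section, state), n in sorted(summarize(rules).items()):
        print(f"{section:>8} {state:<8} {n}")
    print("new rules shipped DISABLED:", sid_list(rules))
    print("new DISABLED voip.rules only:", sid_list(rules, groups={"voip.rules"}))
    print("shared-object (gid 3) rules:", [f"{e['gid']}:{e['sid']}" for e in rules if e["gid"] == 3])
    print("messages on more than one sid:", duplicated_messages(rules))
```

Run it against the full update text (saved to a file and passed to parse_update) to get the real counts; the DISABLED list is the set to walk through with your VoIP and DDoS exposure in mind before turning anything on.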

New Rules:


 * 1:19327 <-> ENABLED <-> BACKDOOR Classroom Spy Professional runtime detection - initial connection (backdoor.rules)
 * 1:19333 <-> DISABLED <-> VOIP-SIP Content-Type invalid format too many slashes (voip.rules)
 * 1:19306 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Publisher pubconv.dll corruption attempt (specific-threats.rules)
 * 1:19313 <-> ENABLED <-> SPECIFIC-THREATS Symantec Antivirus Intel Service DoS Attempt (specific-threats.rules)
 * 1:19345 <-> ENABLED <-> BACKDOOR REAnti outbound connection (backdoor.rules)
 * 1:19346 <-> ENABLED <-> BACKDOOR Additional Guard outbound connection (backdoor.rules)
 * 1:19347 <-> ENABLED <-> BACKDOOR Win32.Poison.banr outbound connection (backdoor.rules)
 * 1:19348 <-> ENABLED <-> BACKDOOR Trojan Downloader Win32.FraudLoad.emq outbound connection (backdoor.rules)
 * 1:19349 <-> ENABLED <-> BACKDOOR Fakeav Vaccineclear outbound connection (backdoor.rules)
 * 1:19351 <-> ENABLED <-> BACKDOOR Trojan Clicker Win32.Hatigh.C outbound connection (backdoor.rules)
 * 1:19352 <-> ENABLED <-> BACKDOOR Backdoor Win32.Small.D outbound connection (backdoor.rules)
 * 1:19354 <-> ENABLED <-> BACKDOOR Win32.Agent.bhxn outbound connection (backdoor.rules)
 * 1:19304 <-> DISABLED <-> WEB-ACTIVEX Oracle EasyMail ActiveX clsid access (web-activex.rules)
 * 1:19308 <-> ENABLED <-> SPECIFIC-THREATS Microsoft embedded OpenType EOT font integer overflow attempt (specific-threats.rules)
 * 1:19344 <-> ENABLED <-> BACKDOOR AntiMalware Pro Runtime Detection (backdoor.rules)
 * 1:19343 <-> ENABLED <-> BACKDOOR Adware Pro Runtime Detection (backdoor.rules)
 * 1:19342 <-> ENABLED <-> BACKDOOR Adware Professional Runtime Detection (backdoor.rules)
 * 1:19341 <-> ENABLED <-> BACKDOOR Worm MSIL.AiO.a outbound connection (backdoor.rules)
 * 1:19340 <-> ENABLED <-> BACKDOOR Trojan Fakeav TREAntivirus outbound connection (backdoor.rules)
 * 1:19338 <-> DISABLED <-> VOIP-SIP invalid SIP-Version field (voip.rules)
 * 1:19337 <-> DISABLED <-> VOIP-SIP invalid SIP-Version field (voip.rules)
 * 1:19326 <-> ENABLED <-> BACKDOOR Classroom Spy Professional runtime detection - initial connection (backdoor.rules)
 * 1:19325 <-> ENABLED <-> SPYWARE-PUT Keylogger WL-Keylogger outbound connection (spyware-put.rules)
 * 1:19355 <-> ENABLED <-> BOTNET-CNC Trojan.Win32.Fareit.A outbound connection (botnet-cnc.rules)
 * 1:19358 <-> ENABLED <-> BOTNET-CNC Win32.XYTvn.A outbound connection (botnet-cnc.rules)
 * 1:19359 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Dcbavict.A outbound connection (botnet-cnc.rules)
 * 1:19362 <-> ENABLED <-> BOTNET-CNC Backdoor Win32.Dorkbot.B outbound connection (botnet-cnc.rules)
 * 1:19364 <-> DISABLED <-> VOIP-SIP invalid or missing Time Stop Header (voip.rules)
 * 1:19323 <-> DISABLED <-> SPECIFIC-THREATS Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt (specific-threats.rules)
 * 1:19321 <-> DISABLED <-> EXPLOIT Mozilla Products nsCSSValue Array Index Integer Overflow (exploit.rules)
 * 1:19322 <-> DISABLED <-> SPECIFIC-THREATS IE and Sharepoint toStaticHTML information disclosure attempt (specific-threats.rules)
 * 1:19318 <-> DISABLED <-> DDOS LOIC UDP default U dun goofed attack (ddos.rules)
 * 1:19319 <-> DISABLED <-> DDOS LOIC TCP default U dun goofed attack (ddos.rules)
 * 1:19316 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office TIFF filter remote code execution attempt (specific-threats.rules)
 * 1:19317 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Office Word sprmTDiagLine80 record parsing stack buffer overflow attempt (specific-threats.rules)
 * 1:19363 <-> ENABLED <-> BOTNET-CNC Backdoor Win32.Dorkbot.B outbound connection (botnet-cnc.rules)
 * 1:19365 <-> DISABLED <-> VOIP-SIP invalid or missing Time Stop Header (voip.rules)
 * 1:19315 <-> ENABLED <-> WEB-CLIENT Groove GroovePerfmon.dll dll-load exploit attempt (web-client.rules)
 * 1:19314 <-> ENABLED <-> NETBIOS Groove GroovePerfmon.dll dll-load exploit attempt (netbios.rules)
 * 1:19366 <-> ENABLED <-> BOTNET-CNC Backdoor Win32.HXWAN.A outbound connection (botnet-cnc.rules)
 * 1:19367 <-> ENABLED <-> BOTNET-CNC Worm Win32.Vaubeg.A outbound connection (botnet-cnc.rules)
 * 1:19368 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Carberp.D outbound connection (botnet-cnc.rules)
 * 1:19369 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Carberp.D outbound connection (botnet-cnc.rules)
 * 1:19336 <-> DISABLED <-> VOIP-SIP Content-Type invalid format missing slash (voip.rules)
 * 1:19371 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Banker.IC outbound connection (botnet-cnc.rules)
 * 1:19335 <-> DISABLED <-> VOIP-SIP Content-Type invalid format missing slash (voip.rules)
 * 1:19372 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string javasw - Trojan.Banload (blacklist.rules)
 * 1:19373 <-> ENABLED <-> VOIP-SIP SDP Origin header overflow attempt (voip.rules)
 * 1:19375 <-> ENABLED <-> VOIP-SIP SDP Origin header format string attempt (voip.rules)
 * 1:19374 <-> ENABLED <-> VOIP-SIP SDP TCP Origin header overflow attempt (voip.rules)
 * 1:19376 <-> ENABLED <-> VOIP-SIP SDP TCP Origin header format string attempt (voip.rules)
 * 1:19377 <-> ENABLED <-> VOIP-SIP SDP Origin invalid header (voip.rules)
 * 1:19378 <-> ENABLED <-> VOIP-SIP SDP TCP Origin invalid header (voip.rules)
 * 1:19380 <-> ENABLED <-> VOIP-SIP SDP TCP Session Name header overflow attempt (voip.rules)
 * 1:19379 <-> ENABLED <-> VOIP-SIP SDP Session Name header overflow attempt (voip.rules)
 * 1:19381 <-> ENABLED <-> VOIP-SIP SDP Session Name header format string attempt (voip.rules)
 * 1:19382 <-> ENABLED <-> VOIP-SIP SDP TCP Session Name header format string attempt (voip.rules)
 * 1:19383 <-> ENABLED <-> VOIP-SIP SDP Session Name invalid header attempt (voip.rules)
 * 1:19385 <-> ENABLED <-> VOIP-SIP SDP Media Description header overflow attempt (voip.rules)
 * 1:19384 <-> ENABLED <-> VOIP-SIP SDP TCP Session Name invalid header attempt (voip.rules)
 * 1:19386 <-> ENABLED <-> VOIP-SIP SDP TCP Media Description header overflow attempt (voip.rules)
 * 1:19387 <-> ENABLED <-> VOIP-SIP SDP Media Description header format string attempt (voip.rules)
 * 1:19388 <-> ENABLED <-> VOIP-SIP SDP TCP Media Description header format string attempt (voip.rules)
 * 1:19389 <-> ENABLED <-> VOIP-SIP REGISTER flood (voip.rules)
 * 1:19391 <-> ENABLED <-> SPYWARE-PUT Lost Door v3.0 (spyware-put.rules)
 * 1:19392 <-> DISABLED <-> SPYWARE-PUT Keylogger Monitor.win32.perflogger (spyware-put.rules)
 * 1:19393 <-> DISABLED <-> SPYWARE-PUT Keylogger Monitor.win32.perflogger (spyware-put.rules)
 * 1:19394 <-> DISABLED <-> BACKDOOR Trojan Win32.Tidserv outbound connection (backdoor.rules)
 * 1:19395 <-> ENABLED <-> BOTNET-CNC Trojan Downloader Win32.Monkif.J inbound connection - dest ip infected (botnet-cnc.rules)
 * 1:19396 <-> DISABLED <-> BACKDOOR Trojan Win32.Beastdoor.b outbound connection (backdoor.rules)
 * 1:19397 <-> DISABLED <-> BACKDOOR Win32.UltimateDefender.xv outbound connection (backdoor.rules)
 * 1:19398 <-> DISABLED <-> BACKDOOR Trojan BAT.Shutdown.ef outbound connection (backdoor.rules)
 * 1:19400 <-> DISABLED <-> BACKDOOR Worm Win32.Sddrop.D outbound connection (backdoor.rules)
 * 1:19401 <-> DISABLED <-> BACKDOOR Worm Win32.Sddrop.D outbound connection (backdoor.rules)
 * 1:19307 <-> ENABLED <-> WEB-CLIENT Embedded OpenType font file download attempt (web-client.rules)
 * 1:19305 <-> DISABLED <-> WEB-ACTIVEX Oracle EasyMail ActiveX function call access (web-activex.rules)
 * 1:19311 <-> ENABLED <-> SPYWARE-PUT Keylogger aspy v2.12 runtime detection (spyware-put.rules)
 * 1:19403 <-> ENABLED <-> SPECIFIC-THREATS Cinepak Codec VIDC decompression remote code execution attempt (specific-threats.rules)
 * 1:19404 <-> DISABLED <-> BACKDOOR Trojan Win32.Ozdok outbound connection (backdoor.rules)
 * 1:19405 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Outlook SMB attach by reference code execution attempt (specific-threats.rules)
 * 1:19408 <-> ENABLED <-> SPECIFIC-THREATS Adobe flash player newfunction memory corruption exploit attempt (specific-threats.rules)
 * 1:19406 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Outlook SMB attach by reference code execution attempt (specific-threats.rules)
 * 1:19407 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Outlook SMB attach by reference code execution attempt (specific-threats.rules)
 * 1:19390 <-> ENABLED <-> VOIP-SIP TCP REGISTER flood (voip.rules)
 * 1:19357 <-> ENABLED <-> BACKDOOR Worm Win32.Sohanad.ila outbound connection (backdoor.rules)
 * 1:19324 <-> ENABLED <-> SPYWARE-PUT Keylogger WL-Keylogger inbound connection (spyware-put.rules)
 * 1:19332 <-> ENABLED <-> BACKDOOR Trojan Win32.Clampi outbound connection (backdoor.rules)
 * 1:19334 <-> DISABLED <-> VOIP-SIP Content-Type invalid format too many slashes (voip.rules)
 * 3:19350 <-> ENABLED <-> WEB-CLIENT Adobe Shockwave Player Director file FFFFFF88 record integer overflow attempt (web-client.rules)

Modified Rules:


 * 1:11998 <-> DISABLED <-> VOIP-SIP To header invalid characters detected (voip.rules)
 * 1:11999 <-> DISABLED <-> VOIP-SIP Via header invalid characters detected (voip.rules)
 * 1:11993 <-> DISABLED <-> VOIP-SIP Call-ID header invalid characters detected (voip.rules)
 * 1:11994 <-> DISABLED <-> VOIP-SIP Contact header invalid characters detected (voip.rules)
 * 1:11995 <-> DISABLED <-> VOIP-SIP Content-Type header invalid characters detected (voip.rules)
 * 1:16833 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:16098 <-> ENABLED <-> BACKDOOR win32.cekar variant runtime detection (backdoor.rules)
 * 1:16219 <-> ENABLED <-> WEB-CLIENT Adobe Director file format transfer (web-client.rules)
 * 1:16809 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:16810 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:16811 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:16812 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:16816 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:11997 <-> DISABLED <-> VOIP-SIP From header invalid characters detected (voip.rules)
 * 1:16822 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:11996 <-> DISABLED <-> VOIP-SIP CSeq header invalid characters detected (voip.rules)
 * 1:16823 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:16824 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:16826 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:16827 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:16817 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:16832 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:18939 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:16828 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 1:16820 <-> ENABLED <-> BOTNET-CNC known command and control channel traffic (botnet-cnc.rules)
 * 3:16315 <-> ENABLED <-> WEB-MISC Adobe Flash PlugIn check if file exists attempt (web-misc.rules)
 * 3:13418 <-> ENABLED <-> DOS IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (dos.rules)
 * 3:15851 <-> ENABLED <-> DOS Microsoft ASP.NET bad request denial of service attempt (dos.rules)
 * 3:16231 <-> ENABLED <-> WEB-CLIENT Windows kernel-mode drivers core font parsing integer overflow attempt (web-client.rules)
 * 3:16545 <-> ENABLED <-> WEB-CLIENT Adobe Reader malformed Richmedia annotation exploit attempt (web-client.rules)