Sourcefire VRT Rules Update
Date: 2011-02-08
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.3.
The format of the file is:
sid - Message (rule group, priority)
New rules:
18336 <-> BLACKLIST USER-AGENT known malicious user-agent string gbot/2.3 (blacklist.rules, High)
18337 <-> BLACKLIST USER-AGENT known malicious user-agent string iamx/3.11 (blacklist.rules, High)
18338 <-> BLACKLIST USER-AGENT known malicious user-agent string NSISDL/1.2 (blacklist.rules, High)
18339 <-> BLACKLIST USER-AGENT known malicious user-agent string NSIS_Inetc (blacklist.rules, High)
18340 <-> BLACKLIST USER-AGENT known malicious user-agent string ClickAdsByIE 0.7.5 (blacklist.rules, High)
18341 <-> BLACKLIST USER-AGENT known malicious user-agent string UtilMind HTTPGet (blacklist.rules, High)
18342 <-> BLACKLIST USER-AGENT known malicious user-agent string NSIS_DOWNLOAD (blacklist.rules, High)
18343 <-> BLACKLIST USER-AGENT known malicious user-agent string WSEnrichment (blacklist.rules, High)
18344 <-> BLACKLIST USER-AGENT known malicious user-agent string FSD (blacklist.rules, High)
18345 <-> BLACKLIST USER-AGENT known malicious user-agent string Macrovision_DM_2.4.15 (blacklist.rules, High)
18346 <-> BLACKLIST USER-AGENT known malicious user-agent string GPRecover (blacklist.rules, High)
18347 <-> BLACKLIST USER-AGENT known malicious user-agent string AutoIt (blacklist.rules, High)
18348 <-> BLACKLIST USER-AGENT known malicious user-agent string Opera/9.80 Pesto/2.2.15 (blacklist.rules, High)
18349 <-> BLACKLIST USER-AGENT known malicious user-agent string Flipopia (blacklist.rules, High)
18350 <-> BLACKLIST USER-AGENT known malicious user-agent string GabPath (blacklist.rules, High)
18351 <-> BLACKLIST USER-AGENT known malicious user-agent string GPUpdater (blacklist.rules, High)
18352 <-> BLACKLIST USER-AGENT known malicious user-agent string PinballCorp-BSAI/VER_STR_COMMA (blacklist.rules, High)
18353 <-> BLACKLIST USER-AGENT known malicious user-agent string SelectRebates (blacklist.rules, High)
18354 <-> BLACKLIST USER-AGENT known malicious user-agent string opera/8.11 (blacklist.rules, High)
18355 <-> BLACKLIST USER-AGENT known malicious user-agent string Se2011 (blacklist.rules, High)
18356 <-> BLACKLIST USER-AGENT known malicious user-agent string random (blacklist.rules, High)
18357 <-> BLACKLIST USER-AGENT known malicious user-agent string Setup Factory (blacklist.rules, High)
18358 <-> BLACKLIST USER-AGENT known malicious user-agent string NSIS_INETLOAD (blacklist.rules, High)
18359 <-> BLACKLIST USER-AGENT known malicious user-agent string Shareaza (blacklist.rules, High)
18360 <-> BLACKLIST USER-AGENT known malicious user-agent string Oncues (blacklist.rules, High)
18361 <-> BLACKLIST USER-AGENT known malicious user-agent string Downloader1.1 (blacklist.rules, High)
18362 <-> BLACKLIST USER-AGENT known malicious user-agent string Search Toolbar 1.1 (blacklist.rules, High)
18363 <-> BLACKLIST USER-AGENT known malicious user-agent string GPRecover (blacklist.rules, High)
18364 <-> BLACKLIST USER-AGENT known malicious user-agent string msndown (blacklist.rules, High)
18365 <-> BLACKLIST USER-AGENT known malicious user-agent string Agentcc (blacklist.rules, High)
18366 <-> BLACKLIST USER-AGENT known malicious user-agent string OCInstaller (blacklist.rules, High)
18367 <-> BLACKLIST USER-AGENT known malicious user-agent string FPRecover (blacklist.rules, High)
18368 <-> BLACKLIST USER-AGENT known malicious user-agent string Our_Agent (blacklist.rules, High)
18369 <-> BLACKLIST USER-AGENT known malicious user-agent string iexp-get (blacklist.rules, High)
18370 <-> BLACKLIST USER-AGENT known malicious user-agent string Mozilla Windows MSIE (blacklist.rules, High)
18371 <-> BLACKLIST USER-AGENT known malicious user-agent string QvodDown (blacklist.rules, High)
18372 <-> BLACKLIST USER-AGENT known malicious user-agent string StubInstaller (blacklist.rules, High)
18373 <-> BLACKLIST USER-AGENT known malicious user-agent string Installer (blacklist.rules, High)
18374 <-> BLACKLIST USER-AGENT known malicious user-agent string MSDN SurfBear (blacklist.rules, High)
18375 <-> BLACKLIST USER-AGENT known malicious user-agent string HTTP Wininet (blacklist.rules, High)
18376 <-> BLACKLIST USER-AGENT known malicious user-agent string Trololo (blacklist.rules, High)
18377 <-> BLACKLIST USER-AGENT known malicious user-agent string malware (blacklist.rules, High)
18378 <-> BLACKLIST USER-AGENT known malicious user-agent string AutoHotkey (blacklist.rules, High)
18379 <-> BLACKLIST USER-AGENT known malicious user-agent string AskInstallChecker (blacklist.rules, High)
18380 <-> BLACKLIST USER-AGENT known malicious user-agent string FPUpdater (blacklist.rules, High)
18381 <-> BLACKLIST USER-AGENT known malicious user-agent string Travel Update (blacklist.rules, High)
18382 <-> BLACKLIST USER-AGENT known malicious user-agent string WMUpdate (blacklist.rules, High)
18383 <-> BLACKLIST USER-AGENT known malicious user-agent string GPInstaller (blacklist.rules, High)
18384 <-> BLACKLIST USER-AGENT known malicious user-agent string Install Stub (blacklist.rules, High)
18385 <-> BLACKLIST USER-AGENT known malicious user-agent string HTTPCSDCENTER (blacklist.rules, High)
18386 <-> BLACKLIST USER-AGENT known malicious user-agent string AHTTPConnection (blacklist.rules, High)
18387 <-> BLACKLIST USER-AGENT known malicious user-agent string dwplayer (blacklist.rules, High)
18388 <-> BLACKLIST USER-AGENT known malicious user-agent string RookIE/1.0 (blacklist.rules, High)
18389 <-> BLACKLIST USER-AGENT known malicious user-agent string 3653Client (blacklist.rules, High)
18390 <-> BLACKLIST USER-AGENT known malicious user-agent string Delphi 5.x (blacklist.rules, High)
18391 <-> BLACKLIST USER-AGENT known malicious user-agent string MyLove (blacklist.rules, High)
18392 <-> BLACKLIST USER-AGENT known malicious user-agent string qixi (blacklist.rules, High)
18393 <-> BLACKLIST USER-AGENT known malicious user-agent string vyre32 (blacklist.rules, High)
18394 <-> BLACKLIST USER-AGENT known malicious user-agent string OCRecover (blacklist.rules, High)
18395 <-> BLACKLIST USER-AGENT known malicious user-agent string Duckling/1.0 (blacklist.rules, High)
18396 <-> WEB-CLIENT Windows Hypervisor denial of service vfd download attempt (web-client.rules, High)
18397 <-> MISC HP DDMI Agent spoofing - command execution (misc.rules, High)

Updated rules:
3535 <-> WEB-CLIENT GIF transfer (web-client.rules, Low)
3551 <-> WEB-CLIENT .hta download attempt (web-client.rules, Low)
3633 <-> WEB-CLIENT bitmap transfer (web-client.rules, Low)
4194 <-> WEB-CLIENT multipacket CBO CBL CBM file transfer start (web-client.rules, Low)
4678 <-> WEB-CLIENT quicktime movie file transfer (web-client.rules, Low)
5740 <-> WEB-CLIENT Microsoft HTML help workshop file .hhp download attempt (web-client.rules, Low)
5741 <-> WEB-CLIENT Microsoft HTML help workshop buffer overflow attempt (web-client.rules, High)
6688 <-> WEB-CLIENT PNG file transfer (web-client.rules, Low)
9845 <-> WEB-CLIENT M3U File Download Detected (web-client.rules, Low)
13465 <-> WEB-CLIENT Microsoft Works file download request (web-client.rules, Low)
13515 <-> WEB-CLIENT Quicktime user agent (web-client.rules, Low)
13584 <-> WEB-CLIENT csv file download request (web-client.rules, Low)
13801 <-> WEB-CLIENT RTF file download (web-client.rules, Low)
13911 <-> WEB-CLIENT Microsoft search file download attempt (web-client.rules, Low)
13982 <-> WEB-CLIENT Microsoft Powerpoint file download attempt (web-client.rules, Low)
13983 <-> WEB-CLIENT Microsoft Office eps file download (web-client.rules, Low)
14017 <-> WEB-CLIENT MPEG Layer 3 playlist file request (web-client.rules, Low)
14018 <-> WEB-CLIENT PLS multimedia playlist file request (web-client.rules, Low)
14086 <-> BACKDOOR Adware.Win32.Agent.BM runtime detection 1 (backdoor.rules, High)
14087 <-> BACKDOOR Adware.Win32.Agent.BM runtime detection 2 (backdoor.rules, High)
15123 <-> WEB-CLIENT Rich Text Format file request (web-client.rules, Low)
15184 <-> CHAT MSN messenger http link transmission attempt (chat.rules, High)
15294 <-> WEB-CLIENT Microsoft Visio file download request (web-client.rules, Low)
15426 <-> WEB-CLIENT MAKI file request (web-client.rules, Low)
15463 <-> WEB-CLIENT Microsoft Excel file request (web-client.rules, Low)
15464 <-> WEB-CLIENT Microsoft Excel file request (web-client.rules, Low)
15471 <-> WEB-CLIENT asp file upload (web-client.rules, Low)
15516 <-> WEB-CLIENT AVI multimedia file request (web-client.rules, Low)
15586 <-> WEB-CLIENT Powerpoint file download request (web-client.rules, Low)
15587 <-> WEB-CLIENT Word file download request (web-client.rules, Low)
15865 <-> WEB-CLIENT MP4 file request (web-client.rules, Low)
15921 <-> WEB-CLIENT Microsoft media format file download request (web-client.rules, Low)
15922 <-> WEB-CLIENT mp3 file download request (web-client.rules, Low)
15945 <-> WEB-CLIENT RSS file download request (web-client.rules, Low)
16143 <-> WEB-CLIENT Microsoft asf file download (web-client.rules, Low)
16219 <-> WEB-CLIENT Adobe Director file format transfer (web-client.rules, Low)
16425 <-> WEB-CLIENT request for Portable Executable binary file (web-client.rules, Low)
16473 <-> WEB-CLIENT Microsoft Windows Movie Maker project file download request (web-client.rules, Low)
16474 <-> WEB-CLIENT Microsoft Compound File Binary v3 file download (web-client.rules, Low)
16475 <-> WEB-CLIENT Microsoft Compound File Binary v4 file download (web-client.rules, Low)
16476 <-> WEB-CLIENT Microsoft .MSProducer file download request (web-client.rules, Low)
16477 <-> WEB-CLIENT Microsoft .MSProducerZ file download request (web-client.rules, Low)
16478 <-> WEB-CLIENT Microsoft .MSProducerBF file download request (web-client.rules, Low)
16691 <-> WEB-CLIENT PLF playlist file download request (web-client.rules, Low)
17116 <-> WEB-CLIENT asx file download request (web-client.rules, Low)
17229 <-> WEB-CLIENT Tiff file download - little-endian (web-client.rules, Low)
17230 <-> WEB-CLIENT Tiff file download - big-endian (web-client.rules, Low)
17241 <-> WEB-CLIENT Microsoft wmv file download request (web-client.rules, Low)
17259 <-> WEB-CLIENT .mov file request (web-client.rules, Low)
17314 <-> WEB-CLIENT OLE Document file download (web-client.rules, Low)
17359 <-> WEB-CLIENT xbm image file download request (web-client.rules, Low)
17366 <-> WEB-CLIENT Microsoft Help Workshop HPJ OPTIONS section buffer overflow attempt (web-client.rules, High)
17394 <-> WEB-CLIENT GIF file download request (web-client.rules, Low)
17426 <-> WEB-CLIENT RAT file download request (web-client.rules, Low)
17491 <-> SPECIFIC-THREATS Microsoft Word mso.dll LsCreateLine memory corruption attempt (specific-threats.rules, High)
17547 <-> WEB-CLIENT Apple Quicktime SMIL transfer (web-client.rules, Low)
17552 <-> WEB-CLIENT Adobe Pagemaker file request (web-client.rules, Low)
17600 <-> WEB-CLIENT .xul document retrieval (web-client.rules, Low)
17751 <-> WEB-CLIENT OpenType Font file download request (web-client.rules, Low)
17809 <-> WEB-CLIENT quicktime movie file transfer (web-client.rules, Low)
18196 <-> WEB-CLIENT Microsoft Internet Explorer CSS importer use-after-free attempt (web-client.rules, High)
18240 <-> WEB-CLIENT Microsoft Internet Explorer CSS importer use-after-free attempt (web-client.rules, High)
18243 <-> SPECIFIC-THREATS Microsoft Windows 7 IIS7.5 FTPSVC buffer overflow attempt (specific-threats.rules, High)
18265 <-> WEB-CLIENT Microsoft Office thumbnail bitmap invalid biClrUsed attempt (web-client.rules, High)
18335 <-> WEB-CLIENT Microsoft MHTML XSS attempt (web-client.rules, High)
