Sourcefire VRT Rules Update

Date: 2011-03-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.4.

The format of the file is:

sid <-> Message (rule group, priority)

New rules:
18562 <-> SPYWARE-PUT RogueSoftware.Win32.LivePcCare contact to server attempt (spyware-put.rules, High)
18563 <-> SPYWARE-PUT Trojan.Gaboc contact to server attempt (spyware-put.rules, High)
18564 <-> SPYWARE-PUT RussKill botnet contact to C&C server attempt (spyware-put.rules, High)
18565 <-> WEB-CLIENT fraudulent digital certificate for mail.google.com detected (web-client.rules, Medium)
18566 <-> WEB-CLIENT fraudulent digital certificate for www.google.com detected (web-client.rules, Medium)
18567 <-> WEB-CLIENT fraudulent digital certificate for login.yahoo.com detected (web-client.rules, Medium)
18568 <-> WEB-CLIENT fraudulent digital certificate for login.yahoo.com detected (web-client.rules, Medium)
18569 <-> WEB-CLIENT fraudulent digital certificate for login.yahoo.com detected (web-client.rules, Medium)
18570 <-> WEB-CLIENT fraudulent digital certificate for login.skype.com detected (web-client.rules, Medium)
18571 <-> WEB-CLIENT fraudulent digital certificate for addons.mozilla.org detected (web-client.rules, Medium)
18572 <-> WEB-CLIENT fraudulent digital certificate for login.live.com detected (web-client.rules, Medium)
18573 <-> WEB-CLIENT fraudulent digital certificate for global trustee detected (web-client.rules, Medium)
18574 <-> SPECIFIC-THREATS RCPT TO overflow (specific-threats.rules, High)
18575 <-> FTP CA Secure Content Manager FTP gateway LIST command buffer overflow attempt (ftp.rules, High)
18576 <-> WEB-CLIENT fraudulent digital certificate from usertrust.com detected (web-client.rules, Medium)
18577 <-> SPYWARE-PUT Trojan-Banker.Win32.Banker.agum contact to server attempt (spyware-put.rules, High)
18578 <-> WEB-ACTIVEX RealPlayer RMOC3260.DLL cdda URI overflow attempt (web-activex.rules, High)

Updated rules:
12766 <-> WEB-ACTIVEX RealPlayer RMOC3260.DLL ActiveX clsid access (web-activex.rules, High)
12767 <-> WEB-ACTIVEX RealPlayer RMOC3260.DLL ActiveX function call access (web-activex.rules, High)
17369 <-> IMAP MailEnable service APPEND command handling buffer overflow attempt (imap.rules, High)
18326 <-> FTP ProFTPD mod_site_misc module directory traversal attempt (ftp.rules, High)