Sourcefire VRT Rules Update

Date: 2011-09-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2905.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:19898 <-> DISABLED <-> BACKDOOR Cinmus Variant outbound connection (backdoor.rules)
 * 1:19901 <-> DISABLED <-> SPYWARE-PUT Tong Keylogger outbound connection (spyware-put.rules)
 * 1:19902 <-> DISABLED <-> SPYWARE-PUT Targetedbanner.biz Adrotator runtime detection (spyware-put.rules)
 * 1:19903 <-> DISABLED <-> SPYWARE-PUT Win32.Agent.vvm runtime detection (spyware-put.rules)
 * 1:19904 <-> DISABLED <-> SPYWARE-PUT WinReanimator runtime detection (spyware-put.rules)
 * 1:19905 <-> DISABLED <-> BACKDOOR Trojan-Downloader.Win32.Small.jog runtime detection (backdoor.rules)
 * 1:19906 <-> DISABLED <-> SPYWARE-PUT 6SQ Toolbar runtime detection (spyware-put.rules)
 * 1:19907 <-> DISABLED <-> WEB-MISC PICT file magic detection (web-misc.rules)
 * 1:19908 <-> DISABLED <-> WEB-MISC Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt (web-misc.rules)
 * 1:19968 <-> DISABLED <-> BACKDOOR Trojan.PSW.Win32.QQPass.amx runtime detection (backdoor.rules)
 * 1:19966 <-> DISABLED <-> BACKDOOR Octopus 0.1 inbound connection (backdoor.rules)
 * 1:19967 <-> DISABLED <-> BACKDOOR Trojan-PSW.Win32.Papras.dm runtime detection (backdoor.rules)
 * 1:19964 <-> DISABLED <-> BACKDOOR Virus Win32.Sality.aa outbound connection (backdoor.rules)
 * 1:19965 <-> DISABLED <-> BACKDOOR Trojan Downloader.Win32.Agent.avzz outbound connection (backdoor.rules)
 * 1:19962 <-> DISABLED <-> BACKDOOR Email-Worm.CryptBox-A outbound connection (backdoor.rules)
 * 1:19963 <-> DISABLED <-> BACKDOOR Trojan Downloader.Win32.Banload.aajs outbound connection (backdoor.rules)
 * 1:19896 <-> DISABLED <-> SPYWARE-PUT Adware.Win32.Frosty Goes Skiing Screen Saver 2.2 Install Detection (spyware-put.rules)
 * 1:19961 <-> DISABLED <-> BACKDOOR Fouad 1.0 outbound connection (backdoor.rules)
 * 1:19959 <-> DISABLED <-> BACKDOOR Trojan Win32.Agent.aulk outbound connection (backdoor.rules)
 * 1:19960 <-> DISABLED <-> BACKDOOR Trojan Win32.Agent.aulk outbound connection (backdoor.rules)
 * 1:19957 <-> DISABLED <-> BACKDOOR Arabian-Attacker 1.1.0 outbound connection (backdoor.rules)
 * 1:19958 <-> DISABLED <-> BACKDOOR Trojan Win32.Agent.aulk outbound connection (backdoor.rules)
 * 1:19956 <-> ENABLED <-> WEB-CLIENT Microsoft Windows Movie Maker project file heap buffer overflow attempt (web-client.rules)
 * 1:19955 <-> DISABLED <-> BACKDOOR PaiN RAT 0.1 outbound connection (backdoor.rules)
 * 1:19954 <-> DISABLED <-> BACKDOOR Hack Style RAT outbound connection (backdoor.rules)
 * 1:19951 <-> DISABLED <-> BACKDOOR DarkstRat 2008 outbound connection (backdoor.rules)
 * 1:19946 <-> DISABLED <-> BACKDOOR Trojan Downloader.Win32.Agent.amwd outbound connection (backdoor.rules)
 * 1:19941 <-> DISABLED <-> BACKDOOR TrojanSpy Win32.Zbot.Gen outbound connection (backdoor.rules)
 * 1:19936 <-> DISABLED <-> BACKDOOR Trojan Dropper Win32.Delf.aba outbound connection (backdoor.rules)
 * 1:19931 <-> DISABLED <-> BACKDOOR Trojan.Lineage.Gen.Pac.3 outbound connection (backdoor.rules)
 * 1:19926 <-> ENABLED <-> WEB-CLIENT Sun Java Runtime AWT setDiffICM stack buffer overflow attempt (web-client.rules)
 * 1:19921 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Puprlehzae.A outbound connection (botnet-cnc.rules)
 * 1:19912 <-> ENABLED <-> BOTNET-CNC Trojan.DelfInject.gen!X outbound connection (botnet-cnc.rules)
 * 1:19900 <-> DISABLED <-> SPYWARE-PUT Tong Keylogger outbound connection (spyware-put.rules)
 * 1:19909 <-> DISABLED <-> SPECIFIC-THREATS Cisco AnyConnect ActiveX clsid access (specific-threats.rules)
 * 1:19910 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer VML use after free attempt (web-client.rules)
 * 1:19911 <-> ENABLED <-> WEB-CLIENT Microsoft SYmbolic LinK stack overflow attempt (web-client.rules)
 * 1:19913 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - optima/index.php (blacklist.rules)
 * 1:19914 <-> DISABLED <-> BACKDOOR Win32.Quivoe.A outbound connection (backdoor.rules)
 * 1:19915 <-> DISABLED <-> BACKDOOR Win32.Gnutler.apd outbound connection (backdoor.rules)
 * 1:19916 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Bancos.ACB outbound connection (botnet-cnc.rules)
 * 1:19917 <-> DISABLED <-> BACKDOOR Win32.Sogu.A outbound connection (backdoor.rules)
 * 1:19918 <-> ENABLED <-> BOTNET-CNC Worm Win32.Ganelp.B outbound connection (botnet-cnc.rules)
 * 1:19919 <-> DISABLED <-> BACKDOOR Win32.Murcy.A outbound connection (backdoor.rules)
 * 1:19920 <-> DISABLED <-> BACKDOOR Win32.Reppserv.A outbound connection (backdoor.rules)
 * 1:19922 <-> DISABLED <-> BACKDOOR Win32.Shiz.ivr outbound connection (backdoor.rules)
 * 1:19923 <-> DISABLED <-> BACKDOOR Win32.Venik.B outbound connection (backdoor.rules)
 * 1:19924 <-> ENABLED <-> BOTNET-CNC Trojan Win32.Spidern.A outbound connection (botnet-cnc.rules)
 * 1:19925 <-> ENABLED <-> WEB-ACTIVEX Novell iPrint ActiveX client browser plugin call-back-url buffer overflow attempt (web-activex.rules)
 * 1:19927 <-> DISABLED <-> BACKDOOR BRX Rat 0.02 inbound connection (backdoor.rules)
 * 1:19928 <-> DISABLED <-> BACKDOOR BRX Rat 0.02 inbound connection (backdoor.rules)
 * 1:19929 <-> DISABLED <-> BACKDOOR BRX Rat 0.02 inbound connection (backdoor.rules)
 * 1:19930 <-> DISABLED <-> BACKDOOR BRX Rat 0.02 inbound connection (backdoor.rules)
 * 1:19932 <-> ENABLED <-> WEB-CLIENT Microsoft Office Publisher 2007 pointer dereference attempt (web-client.rules)
 * 1:19933 <-> DISABLED <-> WEB-MISC DirBuster brute forcing tool detected (web-misc.rules)
 * 1:19934 <-> DISABLED <-> BLACKLIST USER-AGENT known malicious user-agent string MYURL (blacklist.rules)
 * 1:19935 <-> DISABLED <-> BACKDOOR Trojan Dropper Win32.Delf.aba outbound connection (backdoor.rules)
 * 1:19937 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer invalid object access memory corruption attempt (web-client.rules)
 * 1:19938 <-> ENABLED <-> EXPLOIT IBM Tivoli Directory Server ibmslapd.exe Stack Buffer Overflow (exploit.rules)
 * 1:19939 <-> DISABLED <-> SPYWARE-PUT WeatherStudio runtime detection (spyware-put.rules)
 * 1:19940 <-> DISABLED <-> BACKDOOR Trojan-Dropper.IRC.TKB outbound connection - dir4you (backdoor.rules)
 * 1:19942 <-> DISABLED <-> BACKDOOR TrojanSpy Win32.Zbot.Gen outbound connection (backdoor.rules)
 * 1:19943 <-> ENABLED <-> WEB-CLIENT Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (web-client.rules)
 * 1:19944 <-> DISABLED <-> BACKDOOR Trojan Downloader.Win32.Banload.ykl outbound connection (backdoor.rules)
 * 1:19945 <-> DISABLED <-> BACKDOOR Trojan Downloader.Win32.Agent.amwd outbound connection (backdoor.rules)
 * 1:19947 <-> DISABLED <-> BACKDOOR Trojan-Downloader.Win32.Agent.amwd outbound connection (backdoor.rules)
 * 1:19948 <-> DISABLED <-> BACKDOOR Trojan Win32.Agent.asjk outbound connection (backdoor.rules)
 * 1:19949 <-> DISABLED <-> BACKDOOR Trojan Win32.Agent.asjk outbound connection (backdoor.rules)
 * 1:19950 <-> DISABLED <-> BACKDOOR DarkstRat 2008 inbound connection (backdoor.rules)
 * 1:19952 <-> DISABLED <-> BACKDOOR Biodox inbound connection (backdoor.rules)
 * 1:19953 <-> DISABLED <-> BACKDOOR Biodox outbound connection (backdoor.rules)
 * 1:19895 <-> DISABLED <-> BACKDOOR Win32.Delf.jwh runtime detection (backdoor.rules)
 * 1:19894 <-> ENABLED <-> WEB-CLIENT Microsoft PowerPoint unbound memcpy and remote code execution attempt (web-client.rules)
 * 1:19899 <-> DISABLED <-> SPYWARE-PUT Tong Keylogger outbound connection (spyware-put.rules)
 * 1:19992 <-> DISABLED <-> BACKDOOR Trojan-Dropper.Win32.Farfli.A runtime traffic detected (backdoor.rules)
 * 1:19991 <-> DISABLED <-> BACKDOOR Trojan.Win32.Zbot.PG runtime traffic detected (backdoor.rules)
 * 1:19990 <-> DISABLED <-> SPYWARE-PUT Total Protect 2009 outbound connection (spyware-put.rules)
 * 1:19989 <-> DISABLED <-> SPYWARE-PUT Total Protect 2009 outbound connection (spyware-put.rules)
 * 1:19988 <-> DISABLED <-> BACKDOOR Asprox outbound connection (backdoor.rules)
 * 1:19987 <-> DISABLED <-> SPYWARE-PUT PCLiveGuard install-time traffic detected (spyware-put.rules)
 * 1:19986 <-> DISABLED <-> SPYWARE-PUT AntivirusPC2009 install-time traffic detected (spyware-put.rules)
 * 1:19985 <-> DISABLED <-> SPYWARE-PUT AntivirusPC2009 runtime traffic detected (spyware-put.rules)
 * 1:19984 <-> DISABLED <-> SPYWARE-PUT Antivirus 2010 Install Detection (spyware-put.rules)
 * 1:19983 <-> DISABLED <-> BACKDOOR Win32.Kolabc.fic outbound connection (backdoor.rules)
 * 1:19982 <-> DISABLED <-> BACKDOOR Win32.Agent.wwe outbound connection (backdoor.rules)
 * 1:19981 <-> ENABLED <-> BOTNET-CNC Trojan Micstus.A runtime traffic detected (botnet-cnc.rules)
 * 1:19980 <-> DISABLED <-> BACKDOOR IRCBot runtime traffic detected (backdoor.rules)
 * 1:19979 <-> DISABLED <-> BACKDOOR IRCBot runtime traffic detected (backdoor.rules)
 * 1:19978 <-> DISABLED <-> BACKDOOR Viking.JB Worm runtime traffic detected (backdoor.rules)
 * 1:19977 <-> DISABLED <-> BACKDOOR Trojan.LooksLike.Zaplot runtime detection (backdoor.rules)
 * 1:19976 <-> DISABLED <-> SPYWARE-PUT Worm.Win32.Koobface.hy runtime detection (spyware-put.rules)
 * 1:19975 <-> DISABLED <-> BACKDOOR Trojan.Win32.Crypt.vb runtime detection (backdoor.rules)
 * 1:19974 <-> DISABLED <-> BACKDOOR Trojan.Win32.Small.bwj runtime detection (backdoor.rules)
 * 1:19973 <-> DISABLED <-> BACKDOOR Worm.Trojan.Win32.Nebuler.D runtime detection (backdoor.rules)
 * 1:19972 <-> ENABLED <-> NETBIOS SMB client TRANS response paramcount overflow attempt (netbios.rules)
 * 1:19971 <-> DISABLED <-> SPYWARE-PUT Win32.Mudrop.lj runtime detection (spyware-put.rules)
 * 1:19970 <-> DISABLED <-> BACKDOOR W32.Smalltroj.MHYR runtime detection (backdoor.rules)
 * 1:19897 <-> DISABLED <-> SPYWARE-PUT Adware.Win32.Frosty Goes Skiing Screen Saver 2.2 Runtime Detection (spyware-put.rules)
 * 1:19969 <-> DISABLED <-> BACKDOOR Trojan.Crypt.CY runtime detection (backdoor.rules)

Modified Rules:

 * 1:5704 <-> DISABLED <-> IMAP SELECT overflow attempt (imap.rules)
 * 1:3473 <-> ENABLED <-> WEB-CLIENT RealPlayer SMIL file overflow attempt (web-client.rules)
 * 1:19846 <-> DISABLED <-> BACKDOOR SRaT 1.6 runtime detection (backdoor.rules)
 * 1:19882 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /160.rar - Win32/Morto.A (blacklist.rules)
 * 1:19683 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player ActionScript 3 buffer overflow attempt (web-client.rules)
 * 1:19687 <-> ENABLED <-> WEB-CLIENT Adobe Flash ActionStoreRegister instruction length invalidation attempt (web-client.rules)
 * 1:19267 <-> ENABLED <-> SHELLCODE Possible heap spray attempt (shellcode.rules)
 * 1:19308 <-> ENABLED <-> SPECIFIC-THREATS Microsoft embedded OpenType EOT font integer overflow attempt (specific-threats.rules)
 * 1:19152 <-> ENABLED <-> WEB-ACTIVEX Trend Micro HouseCall ActiveX function call access (web-activex.rules)
 * 1:19151 <-> ENABLED <-> WEB-ACTIVEX Trend Micro HouseCall ActiveX clsid access (web-activex.rules)
 * 1:1866 <-> ENABLED <-> POP3 USER overflow attempt (pop3.rules)
 * 1:18540 <-> ENABLED <-> SPECIFIC-THREATS Internet Explorer invalid pointer memory corruption attempt (specific-threats.rules)
 * 1:18578 <-> ENABLED <-> WEB-ACTIVEX RealPlayer RMOC3260.DLL cdda URI overflow attempt (web-activex.rules)
 * 1:17562 <-> ENABLED <-> SPECIFIC-THREATS Sun Java Runtime Environment Pack200 Decompression Integer Overflow attempt (specific-threats.rules)
 * 1:18469 <-> DISABLED <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (content-replace.rules)
 * 1:17392 <-> ENABLED <-> SHELLCODE JavaScript var shellcode (shellcode.rules)
 * 1:17393 <-> ENABLED <-> SHELLCODE JavaScript var heapspray (shellcode.rules)
 * 1:17211 <-> ENABLED <-> WEB-CLIENT Quicktime marshaled punk remote code execution (web-client.rules)
 * 1:17310 <-> ENABLED <-> SPECIFIC-THREATS Microsoft Powerpoint Viewer Memory Allocation Code Execution (specific-threats.rules)
 * 1:16721 <-> ENABLED <-> WEB-CLIENT Orbital Viewer .orb stack buffer overflow attempt (web-client.rules)
 * 1:17156 <-> ENABLED <-> EXPLOIT HP Performance Manager Apache Tomcat policy bypass attempt (exploit.rules)
 * 1:15997 <-> ENABLED <-> SPECIFIC-THREATS Mozilla Firefox JIT escape function memory corruption attempt (specific-threats.rules)
 * 1:16130 <-> DISABLED <-> SPYWARE-PUT Keylogger lord spy pro 1.4 runtime detection (spyware-put.rules)
 * 1:13896 <-> DISABLED <-> SQL Microsoft SQL server MTF file download (sql.rules)
 * 1:15437 <-> ENABLED <-> EXPLOIT IBM Tivoli Storage Manager Express Backup message length heap corruption attempt (exploit.rules)
 * 1:13525 <-> ENABLED <-> WEB-ACTIVEX Novell iPrint ActiveX function call access (web-activex.rules)
 * 1:13523 <-> ENABLED <-> WEB-ACTIVEX Novell iPrint ActiveX clsid access (web-activex.rules)