Sourcefire VRT Rules Update

Date: 2012-06-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.2.3.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:23110 <-> DISABLED <-> WEB-CLIENT Microsoft Windows graphics rendering engine buffer overflow attempt (web-client.rules)
 * 1:23109 <-> ENABLED <-> BOTNET-CNC Trojan.Lolbot variant outbound connection (botnet-cnc.rules)
 * 1:23108 <-> ENABLED <-> BOTNET-CNC Trojan.Scar variant outbound connection (botnet-cnc.rules)
 * 1:23107 <-> ENABLED <-> WEB-CLIENT BeEF javascript hook.js download attempt (web-client.rules)
 * 1:23106 <-> ENABLED <-> BACKDOOR SET java applet load attempt (backdoor.rules)
 * 1:23105 <-> DISABLED <-> FILE-OFFICE EMF corruption attempt (file-office.rules)
 * 1:23104 <-> ENABLED <-> BOTNET-CNC Trojan.Scar variant outbound connection attempt (botnet-cnc.rules)
 * 1:23103 <-> ENABLED <-> BOTNET-CNC Trojan.Bublik variant outbound connection attempt (botnet-cnc.rules)
 * 1:23102 <-> DISABLED <-> BACKDOOR Seagate BlackArmor static administrator password reset attempt (backdoor.rules)
 * 1:23101 <-> DISABLED <-> WEB-MISC Cisco WebEx recording integer overflow attempt (web-misc.rules)
 * 1:23100 <-> DISABLED <-> WEB-MISC Cisco WebEx recording integer overflow attempt (web-misc.rules)
 * 1:23099 <-> DISABLED <-> DOS SAP NetWeaver Dispatcher denial of service attempt (dos.rules)
 * 1:23098 <-> ENABLED <-> WEB-CLIENT Adobe Flash Player MP4 sequence parameter set parsing overflow attempt (web-client.rules)
 * 1:23097 <-> ENABLED <-> DOS IBM solidDB SELECT statement denial of service attempt (dos.rules)

Modified Rules:


 * 1:3499 <-> DISABLED <-> POP3 SSLv2 Client_Hello request (pop3.rules)
 * 1:3498 <-> DISABLED <-> SMTP TLSv1 Server_Hello request (smtp.rules)
 * 1:3497 <-> DISABLED <-> SMTP SSLv2 Server_Hello request (smtp.rules)
 * 1:3496 <-> DISABLED <-> SMTP TLSv1 Client_Hello via SSLv2 handshake request (smtp.rules)
 * 1:3495 <-> DISABLED <-> SMTP TLSv1 Client_Hello request (smtp.rules)
 * 1:3494 <-> DISABLED <-> SMTP SSLv2 Client_Hello with pad request (smtp.rules)
 * 1:3493 <-> DISABLED <-> SMTP SSLv2 Client_Hello request (smtp.rules)
 * 1:3491 <-> DISABLED <-> IMAP SSLv2 Server_Hello request (imap.rules)
 * 1:3490 <-> DISABLED <-> IMAP TLSv1 Client_Hello via SSLv2 handshake request (imap.rules)
 * 1:3489 <-> DISABLED <-> IMAP TLSv1 Client_Hello request (imap.rules)
 * 1:3488 <-> DISABLED <-> IMAP SSLv2 Client_Hello with pad request (imap.rules)
 * 1:3487 <-> DISABLED <-> IMAP SSLv2 Client_Hello request (imap.rules)
 * 1:3059 <-> DISABLED <-> WEB-MISC TLSv1 Client_Hello via SSLv2 handshake request (web-misc.rules)
 * 1:2661 <-> DISABLED <-> WEB-MISC TLSv1 Client_Hello request (web-misc.rules)
 * 1:2660 <-> DISABLED <-> WEB-MISC SSLv2 Server_Hello request (web-misc.rules)
 * 1:2659 <-> DISABLED <-> WEB-MISC SSLv2 Client_Hello with pad request (web-misc.rules)
 * 1:2658 <-> DISABLED <-> WEB-MISC SSLv2 Client_Hello request (web-misc.rules)
 * 1:2544 <-> DISABLED <-> SMTP SSLv3 invalid Client_Hello attempt (smtp.rules)
 * 1:2542 <-> DISABLED <-> SMTP SSLv3 Client_Hello request (smtp.rules)
 * 1:2535 <-> DISABLED <-> POP3 SSLv3 Client_Hello request (pop3.rules)
 * 1:2529 <-> DISABLED <-> IMAP SSLv3 Client_Hello request (imap.rules)
 * 1:9830 <-> DISABLED <-> SPYWARE-PUT Keylogger supreme spy runtime detection (spyware-put.rules)
 * 1:9827 <-> DISABLED <-> SPYWARE-PUT Keylogger paq keylog runtime detection - smtp (spyware-put.rules)
 * 1:9650 <-> DISABLED <-> SPYWARE-PUT Keylogger ghost Keylogger runtime detection (spyware-put.rules)
 * 1:9649 <-> DISABLED <-> SPYWARE-PUT Keylogger ghost Keylogger runtime detection - flowbit set (spyware-put.rules)
 * 1:9648 <-> DISABLED <-> SPYWARE-PUT Keylogger emailspypro runtime detection (spyware-put.rules)
 * 1:9647 <-> DISABLED <-> SPYWARE-PUT Keylogger system surveillance pro runtime detection (spyware-put.rules)
 * 1:9417 <-> ENABLED <-> SPECIFIC-THREATS bagle.a smtp propagation detection (specific-threats.rules)
 * 1:9386 <-> ENABLED <-> SPECIFIC-THREATS bagle.f smtp propagation detection (specific-threats.rules)
 * 1:9377 <-> ENABLED <-> SPECIFIC-THREATS mydoom.g smtp propagation detection (specific-threats.rules)
 * 1:9375 <-> ENABLED <-> SPECIFIC-THREATS duksten.c smtp propagation detection (specific-threats.rules)
 * 1:9374 <-> ENABLED <-> SPECIFIC-THREATS creepy.b smtp propagation detection (specific-threats.rules)
 * 1:9373 <-> ENABLED <-> SPECIFIC-THREATS clepa smtp propagation detection (specific-threats.rules)
 * 1:9372 <-> ENABLED <-> SPECIFIC-THREATS blebla.a smtp propagation detection (specific-threats.rules)
 * 1:9366 <-> ENABLED <-> SPECIFIC-THREATS mimail.s smtp propagation detection (specific-threats.rules)
 * 1:9365 <-> ENABLED <-> SPECIFIC-THREATS cult.c smtp propagation detection (specific-threats.rules)
 * 1:9361 <-> ENABLED <-> SPECIFIC-THREATS mimail.l smtp propagation detection (specific-threats.rules)
 * 1:8544 <-> DISABLED <-> SPYWARE-PUT Keylogger nicespy runtime detection - smtp (spyware-put.rules)
 * 1:8466 <-> DISABLED <-> SPYWARE-PUT Keylogger netobserve runtime detection - email notification (spyware-put.rules)
 * 1:8465 <-> DISABLED <-> SPYWARE-PUT Keylogger netobserve runtime detection - email notification (spyware-put.rules)
 * 1:8357 <-> ENABLED <-> SPYWARE-PUT Keylogger spybuddy 3.72 runtime detection - send alert out through email (spyware-put.rules)
 * 1:8356 <-> ENABLED <-> SPYWARE-PUT Keylogger spybuddy 3.72 runtime detection - send log out through email (spyware-put.rules)
 * 1:8355 <-> ENABLED <-> SPYWARE-PUT Keylogger spybuddy 3.72 runtime detection (spyware-put.rules)
 * 1:7857 <-> DISABLED <-> SPYWARE-PUT Keylogger EliteKeylogger runtime detection (spyware-put.rules)
 * 1:7713 <-> DISABLED <-> BACKDOOR amitis v1.3 runtime detection - email notification (backdoor.rules)
 * 1:7847 <-> DISABLED <-> SPYWARE-PUT Keylogger clogger 1.0 runtime detection - send log through email (spyware-put.rules)
 * 1:7064 <-> DISABLED <-> BACKDOOR cybernetic 1.62 runtime detection - email notification (backdoor.rules)
 * 1:6397 <-> DISABLED <-> BACKDOOR http rat runtime detection - smtp (backdoor.rules)
 * 1:6339 <-> DISABLED <-> BACKDOOR hatredfriend email notification detection (backdoor.rules)
 * 1:6301 <-> DISABLED <-> BACKDOOR cia 1.3 runtime detection - smtp notification (backdoor.rules)
 * 1:6126 <-> DISABLED <-> BACKDOOR dkangel runtime detection - smtp (backdoor.rules)
 * 1:6125 <-> DISABLED <-> BACKDOOR dkangel runtime detection - smtp (backdoor.rules)
 * 1:6114 <-> DISABLED <-> BACKDOOR optix 1.32 runtime detection - email notification (backdoor.rules)
 * 1:6037 <-> DISABLED <-> BACKDOOR netbus 1.7 runtime detection - email notification (backdoor.rules)
 * 1:3503 <-> DISABLED <-> POP3 SSLv2 Server_Hello request (pop3.rules)
 * 1:3502 <-> DISABLED <-> POP3 TLSv1 Client_Hello via SSLv2 handshake request (pop3.rules)
 * 1:3501 <-> DISABLED <-> POP3 TLSv1 Client_Hello request (pop3.rules)
 * 1:3500 <-> DISABLED <-> POP3 SSLv2 Client_Hello with pad request (pop3.rules)
 * 1:2520 <-> DISABLED <-> WEB-MISC SSLv3 Client_Hello request (web-misc.rules)
 * 1:23056 <-> DISABLED <-> EXPLOIT SAP NetWeaver Dispatcher buffer overflow attempt (exploit.rules)
 * 1:19901 <-> DISABLED <-> SPYWARE-PUT Tong Keylogger outbound connection (spyware-put.rules)
 * 1:19900 <-> DISABLED <-> SPYWARE-PUT Tong Keylogger outbound connection (spyware-put.rules)
 * 1:19899 <-> DISABLED <-> SPYWARE-PUT Tong Keylogger outbound connection (spyware-put.rules)
 * 1:19727 <-> DISABLED <-> BACKDOOR Trojan Win32.Bancos.DI outbound connection (backdoor.rules)
 * 1:19567 <-> DISABLED <-> SPYWARE-PUT W32.Ackantta.C.mm mass-mailer runtime detection (spyware-put.rules)
 * 1:19566 <-> DISABLED <-> SPYWARE-PUT W32.Ackantta.C.mm mass-mailer runtime detection (spyware-put.rules)
 * 1:19396 <-> DISABLED <-> BACKDOOR Trojan Win32.Beastdoor.b outbound connection (backdoor.rules)
 * 1:19311 <-> DISABLED <-> SPYWARE-PUT Keylogger aspy v2.12 runtime detection (spyware-put.rules)
 * 1:17113 <-> ENABLED <-> WEB-CLIENT Microsoft SilverLight ImageSource redefine flowbit (web-client.rules)
 * 1:16455 <-> DISABLED <-> SPYWARE-PUT Keylogger egyspy keylogger 1.13 runtime detection (spyware-put.rules)
 * 1:16137 <-> DISABLED <-> SPYWARE-PUT Keylogger cheat monitor runtime detection (spyware-put.rules)
 * 1:14075 <-> DISABLED <-> SPYWARE-PUT Keylogger ultimate Keylogger pro runtime detection (spyware-put.rules)
 * 1:14074 <-> DISABLED <-> SPYWARE-PUT Keylogger spybosspro 4.2 runtime detection (spyware-put.rules)
 * 1:13812 <-> DISABLED <-> SPYWARE-PUT Keylogger refog Keylogger runtime detection (spyware-put.rules)
 * 1:13778 <-> DISABLED <-> SPYWARE-PUT Keylogger kgb employee monitor runtime detection (spyware-put.rules)
 * 1:13768 <-> DISABLED <-> SPYWARE-PUT Keylogger cyber sitter runtime detection (spyware-put.rules)
 * 1:13767 <-> DISABLED <-> SPYWARE-PUT Keylogger cyber sitter runtime detection (spyware-put.rules)
 * 1:13652 <-> DISABLED <-> SPYWARE-PUT Keylogger all in one Keylogger runtime detection (spyware-put.rules)
 * 1:13651 <-> DISABLED <-> SPYWARE-PUT Keylogger family cyber alert runtime detection - smtp traffic for recorded activities (spyware-put.rules)
 * 1:13642 <-> DISABLED <-> SPYWARE-PUT Keylogger easy Keylogger runtime detection (spyware-put.rules)
 * 1:13568 <-> DISABLED <-> SPYWARE-PUT Keylogger sys keylog 1.3 advanced runtime detection (spyware-put.rules)
 * 1:13567 <-> DISABLED <-> SPYWARE-PUT Keylogger msn spy monitor runtime detection (spyware-put.rules)
 * 1:13494 <-> DISABLED <-> SPYWARE-PUT Keylogger smart pc Keylogger runtime detection (spyware-put.rules)
 * 1:13480 <-> DISABLED <-> SPYWARE-PUT Keylogger findnot guarddog 4.0 runtime detection (spyware-put.rules)
 * 1:13479 <-> DISABLED <-> SPYWARE-PUT Keylogger findnot guarddog 4.0 runtime detection (spyware-put.rules)
 * 1:13281 <-> DISABLED <-> SPYWARE-PUT Keylogger email spy monitor 6.9 runtime detection (spyware-put.rules)
 * 1:13280 <-> DISABLED <-> SPYWARE-PUT Keylogger email spy monitor 6.9 runtime detection (spyware-put.rules)
 * 1:13279 <-> DISABLED <-> SPYWARE-PUT Keylogger advanced spy 4.0 runtime detection (spyware-put.rules)
 * 1:13278 <-> DISABLED <-> SPYWARE-PUT Keylogger advanced spy 4.0 runtime detection (spyware-put.rules)
 * 1:13244 <-> DISABLED <-> SPYWARE-PUT Keylogger computer monitor 1.1 by lastcomfort runtime detection (spyware-put.rules)
 * 1:13243 <-> DISABLED <-> SPYWARE-PUT Keylogger computer monitor 1.1 by lastcomfort runtime detection (spyware-put.rules)
 * 1:13237 <-> DISABLED <-> SPYWARE-PUT Keylogger active Keylogger 3.9.2 runtime detection (spyware-put.rules)
 * 1:13236 <-> DISABLED <-> SPYWARE-PUT Keylogger active Keylogger 3.9.2 runtime detection (spyware-put.rules)
 * 1:13162 <-> ENABLED <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters overflow attempt (netbios.rules)
 * 1:12793 <-> DISABLED <-> SPYWARE-PUT Keylogger spy lantern Keylogger pro 6.0 runtime detection (spyware-put.rules)
 * 1:12792 <-> DISABLED <-> SPYWARE-PUT Keylogger spy lantern Keylogger pro 6.0 runtime detection (spyware-put.rules)
 * 1:12761 <-> DISABLED <-> SPYWARE-PUT Keylogger powered Keylogger 2.2 runtime detection (spyware-put.rules)
 * 1:12760 <-> DISABLED <-> SPYWARE-PUT Keylogger powered Keylogger 2.2 runtime detection (spyware-put.rules)
 * 1:12759 <-> DISABLED <-> SPYWARE-PUT Keylogger/RAT digi watcher 2.32 runtime detection (spyware-put.rules)
 * 1:12758 <-> DISABLED <-> SPYWARE-PUT Keylogger/RAT digi watcher 2.32 runtime detection (spyware-put.rules)
 * 1:12698 <-> DISABLED <-> SPYWARE-PUT Keylogger net vizo 5.2 runtime detection (spyware-put.rules)
 * 1:12625 <-> DISABLED <-> SPYWARE-PUT Keylogger windows family safety 2.0 runtime detection (spyware-put.rules)
 * 1:12372 <-> DISABLED <-> SPYWARE-PUT Keylogger mg-shadow 2.0 runtime detection (spyware-put.rules)
 * 1:12226 <-> DISABLED <-> SPYWARE-PUT Keylogger overspy runtime detection (spyware-put.rules)
 * 1:12141 <-> DISABLED <-> SPYWARE-PUT Keylogger logit v1.0 runtime detection (spyware-put.rules)
 * 1:12139 <-> DISABLED <-> SPYWARE-PUT Trackware stealth website logger 3.4 runtime detection (spyware-put.rules)
 * 1:12137 <-> DISABLED <-> SPYWARE-PUT Keylogger Keylogger king home 2.3 runtime detection (spyware-put.rules)
 * 1:12049 <-> DISABLED <-> SPYWARE-PUT Keylogger apophis spy 1.0 runtime detection (spyware-put.rules)
 * 1:12048 <-> DISABLED <-> SPYWARE-PUT Keylogger computer Keylogger runtime detection (spyware-put.rules)
 * 1:11309 <-> DISABLED <-> SPYWARE-PUT Keylogger sskc v2.0 runtime detection (spyware-put.rules)
 * 1:11307 <-> DISABLED <-> SPYWARE-PUT Keylogger computer monitor Keylogger runtime detection (spyware-put.rules)
 * 1:11305 <-> DISABLED <-> SPYWARE-PUT Snoopware childwebguardian runtime detection - send log through smtp (spyware-put.rules)
 * 1:10996 <-> DISABLED <-> WEB-MISC SSLv3 Client_Hello request (web-misc.rules)
 * 1:10453 <-> DISABLED <-> BACKDOOR zalivator 1.4.2 pro runtime detection - smtp notification (backdoor.rules)
 * 1:10440 <-> DISABLED <-> SPYWARE-PUT Keylogger pc black box runtime detection (spyware-put.rules)
 * 1:10436 <-> DISABLED <-> SPYWARE-PUT Keylogger keyspy runtime detection (spyware-put.rules)
 * 1:10183 <-> DISABLED <-> SPYWARE-PUT Keylogger activity Keylogger runtime detection (spyware-put.rules)
 * 1:10181 <-> DISABLED <-> SPYWARE-PUT Keylogger systemsleuth runtime detection (spyware-put.rules)
 * 1:10091 <-> DISABLED <-> SPYWARE-PUT Hacker-Tool spylply.a runtime detection (spyware-put.rules)
 * 1:10165 <-> DISABLED <-> SPYWARE-PUT Keylogger mybr Keylogger runtime detection (spyware-put.rules)
 * 1:10088 <-> DISABLED <-> SPYWARE-PUT Keylogger beyond Keylogger runtime detection - log sent by smtp (spyware-put.rules)