Sourcefire VRT Rules Update

Date: 2009-10-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.

The format of the file is:

sid <-> Message (rule group, priority)

New rules:
16089 <-> SPECIFIC-THREATS Microsoft Windows embedded web font handling buffer overflow attempt (specific-threats.rules, High)
16090 <-> SPECIFIC-THREATS Microsoft Core XML core services XMLHTTP control open method code execution attempt (specific-threats.rules, High)
16091 <-> SPECIFIC-THREATS Macromedia Flash Media Server administration service denial of service attempt (specific-threats.rules, Medium)
16092 <-> BACKDOOR win32.delf.jwh runtime detection (backdoor.rules, High)
16093 <-> BACKDOOR bugsprey runtime detection - initial connection (backdoor.rules, High)
16094 <-> BACKDOOR trojan downloader exchan.gen variant runtime detection (backdoor.rules, High)
16095 <-> BACKDOOR td.exe runtime detection - getfile (backdoor.rules, High)
16096 <-> BACKDOOR td.exe runtime detection - download (backdoor.rules, High)
16097 <-> BACKDOOR trojan win32.agent.vvm runtime detection (backdoor.rules, High)
16098 <-> BACKDOOR win32.cekar variant runtime detection (backdoor.rules, High)
16099 <-> BACKDOOR trojan-dropper.win32.agent.wdv runtime detection (backdoor.rules, High)
16100 <-> BACKDOOR trojan-downloader.win32.delf.phh runtime detection - file.exe (backdoor.rules, High)
16101 <-> BACKDOOR trojan-downloader.win32.delf.phh runtime detection - 57329.exe (backdoor.rules, High)
16102 <-> BACKDOOR trojan-downloader.win32.delf.phh runtime detection - sft_ver1.1454.0.exe (backdoor.rules, High)
16103 <-> BACKDOOR lost door 3.0 runtime detection - init (backdoor.rules, High)
16104 <-> BACKDOOR lost door 3.0 runtime detection - init (backdoor.rules, High)
16105 <-> BACKDOOR trojan.zlob runtime detection - topqualityads (backdoor.rules, High)
16106 <-> BACKDOOR synrat 2.1 pro runtime detection - init (backdoor.rules, High)
16107 <-> BACKDOOR synrat 2.1 pro runtime detection - init (backdoor.rules, High)
16108 <-> BACKDOOR trojan downloader exchanger.gen2 runtime detection (backdoor.rules, High)
16109 <-> BACKDOOR trojan-downloader.win32.zlob.wwv runtime detection - onestoponlineshop (backdoor.rules, High)
16110 <-> BACKDOOR trojan-downloader.win32.zlob.wwv runtime detection - childhe (backdoor.rules, High)
16111 <-> BACKDOOR trojan-downloader.win32.zlob.wwv installtime detection (backdoor.rules, High)
16112 <-> BACKDOOR trojan downloader.agent.vhb runtime detection - contact remote server (backdoor.rules, High)
16113 <-> BACKDOOR trojan downloader.agent.vhb runtime detection - request login page (backdoor.rules, High)
16114 <-> SPYWARE-PUT Hijacker cramtoolbar runtime detection - hijack (spyware-put.rules, Low)
16115 <-> SPYWARE-PUT Hijacker cramtoolbar runtime detection - search (spyware-put.rules, Low)
16116 <-> SPYWARE-PUT Trackware rightonadz.biz adrotator runtime detection - pass user info to remote server (spyware-put.rules, Medium)
16117 <-> SPYWARE-PUT Trackware rightonadz.biz adrotator runtime detection - ads (spyware-put.rules, Medium)
16118 <-> SPYWARE-PUT Adware winreanimator runtime detection - register request (spyware-put.rules, Low)
16119 <-> SPYWARE-PUT Adware winreanimator runtime detection - daily update (spyware-put.rules, Low)
16120 <-> SPYWARE-PUT Trackware 6sq toolbar runtime detection (spyware-put.rules, Medium)
16121 <-> SPYWARE-PUT Hijacker weatherstudio runtime detection (spyware-put.rules, Low)
16122 <-> SPYWARE-PUT rogue antivirus xp 2008 runtime detection - buy (spyware-put.rules, Low)
16123 <-> SPYWARE-PUT rogue antivirus xp 2008 runtime detection - update (spyware-put.rules, Low)
16124 <-> SPYWARE-PUT downloader trojan.nsis.agent.s runtime detection (spyware-put.rules, Low)
16125 <-> SPYWARE-PUT Keylogger spyyahoo v2.2 runtime detection (spyware-put.rules, Medium)
16126 <-> SPYWARE-PUT Trickler virusremover 2008 runtime detection (spyware-put.rules, Low)
16127 <-> SPYWARE-PUT Adware superiorads runtime detection (spyware-put.rules, Low)
16128 <-> SPYWARE-PUT Keylogger aspy v2.12 runtime detection (spyware-put.rules, Medium)
16129 <-> SPYWARE-PUT Keylogger kamyab Keylogger v.3 runtime detection (spyware-put.rules, Medium)
16130 <-> SPYWARE-PUT Keylogger lord spy pro 1.4 runtime detection (spyware-put.rules, Medium)
16131 <-> SPYWARE-PUT Trackware adclicker trojan zlob.dnz runtime detection - ads (spyware-put.rules, Medium)
16132 <-> SPYWARE-PUT Trackware owlforce runtime detection - remote server #1 (spyware-put.rules, Medium)
16133 <-> SPYWARE-PUT Trackware owlforce runtime detection - remote server #2 (spyware-put.rules, Medium)
16134 <-> SPYWARE-PUT Adware spyware guard 2008 runtime detection - contacts remote server (spyware-put.rules, Low)
16135 <-> SPYWARE-PUT Adware spyware guard 2008 runtime detection - purchase page (spyware-put.rules, Low)
16136 <-> SPYWARE-PUT Hijacker xp antispyware 2009 runtime detection - pre-sale webpage (spyware-put.rules, Low)
16137 <-> SPYWARE-PUT Keylogger cheat monitor runtime detection (spyware-put.rules, Medium)
16138 <-> SPYWARE-PUT Hacker-Tool 0desa msn pass stealer 8.5 runtime detection (spyware-put.rules, Low)
16139 <-> SPYWARE-PUT downloader_trojan.gen2 runtime detection - scanner page (spyware-put.rules, Low)
16140 <-> BACKDOOR torpig-mebroot command and control checkin (backdoor.rules, High)
16141 <-> SPECIFIC-THREATS Kaspersky Online Scanner trojaned Dll download attempt (specific-threats.rules, High)
16142 <-> SPECIFIC-THREATS Mozilla Firefox PKCS11 module installation code execution attempt (specific-threats.rules, High)
16143 <-> WEB-CLIENT Microsoft asf file download (web-client.rules, Low)
16144 <-> SPECIFIC-THREATS Bredolab downloader communication with server attempt (specific-threats.rules, High)
16145 <-> SPECIFIC-THREATS Apple Safari Webkit floating point buffer overflow attempt (specific-threats.rules, High)

Updated rules:
2436 <-> WEB-CLIENT Microsoft wmf metafile access (web-client.rules, High)
6504 <-> WEB-CLIENT Sophos Anti-Virus CAB file overflow attempt (web-client.rules, High)
12455 <-> POLICY Crystal reports download request (policy.rules, High)
13473 <-> EXPLOIT Microsoft Publisher file download (exploit.rules, Low)
13678 <-> MISC Microsoft EMF metafile access detected (misc.rules, High)
13801 <-> WEB-CLIENT RTF file download request (web-client.rules, Low)
13982 <-> WEB-CLIENT Microsoft Powerpoint file download attempt (web-client.rules, Low)
14017 <-> WEB-CLIENT MPEG Layer 3 playlist file request (web-client.rules, Low)
14018 <-> WEB-CLIENT PLS multimedia playlist file request (web-client.rules, Low)
15123 <-> WEB-CLIENT Rich Text Format file request (web-client.rules, Low)
15444 <-> WEB-MISC Core Audio Format file download attempt (web-misc.rules, Low)
15463 <-> WEB-CLIENT Microsoft Excel file request (web-client.rules, Low)
15464 <-> WEB-CLIENT Microsoft Excel file request (web-client.rules, Low)
15516 <-> WEB-CLIENT AVI multimedia file request (web-client.rules, Low)
15585 <-> WEB-CLIENT Excel file download request (web-client.rules, Low)
15586 <-> WEB-CLIENT Powerpoint file download request (web-client.rules, Low)
15587 <-> WEB-CLIENT Word file download request (web-client.rules, Low)
15987 <-> WEB-MISC Microsoft Visio DXF file download request (web-misc.rules, Low)