Sourcefire VRT Rules Update
Date: 2009-10-06
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.
The format of the file is:
sid - Message (rule group, priority)
New rules:

16089 <-> SPECIFIC-THREATS Microsoft Windows embedded web font handling buffer overflow attempt (specific-threats.rules, High)
16090 <-> SPECIFIC-THREATS Microsoft Core XML core services XMLHTTP control open method code execution attempt (specific-threats.rules, High)
16091 <-> SPECIFIC-THREATS Macromedia Flash Media Server administration service denial of service attempt (specific-threats.rules, Medium)
16092 <-> BACKDOOR win32.delf.jwh runtime detection (backdoor.rules, High)
16093 <-> BACKDOOR bugsprey runtime detection - initial connection (backdoor.rules, High)
16094 <-> BACKDOOR trojan downloader exchan.gen variant runtime detection (backdoor.rules, High)
16095 <-> BACKDOOR td.exe runtime detection - getfile (backdoor.rules, High)
16096 <-> BACKDOOR td.exe runtime detection - download (backdoor.rules, High)
16097 <-> BACKDOOR trojan win32.agent.vvm runtime detection (backdoor.rules, High)
16098 <-> BACKDOOR win32.cekar variant runtime detection (backdoor.rules, High)
16099 <-> BACKDOOR trojan-dropper.win32.agent.wdv runtime detection (backdoor.rules, High)
16100 <-> BACKDOOR trojan-downloader.win32.delf.phh runtime detection - file.exe (backdoor.rules, High)
16101 <-> BACKDOOR trojan-downloader.win32.delf.phh runtime detection - 57329.exe (backdoor.rules, High)
16102 <-> BACKDOOR trojan-downloader.win32.delf.phh runtime detection - sft_ver1.1454.0.exe (backdoor.rules, High)
16103 <-> BACKDOOR lost door 3.0 runtime detection - init (backdoor.rules, High)
16104 <-> BACKDOOR lost door 3.0 runtime detection - init (backdoor.rules, High)
16105 <-> BACKDOOR trojan.zlob runtime detection - topqualityads (backdoor.rules, High)
16106 <-> BACKDOOR synrat 2.1 pro runtime detection - init (backdoor.rules, High)
16107 <-> BACKDOOR synrat 2.1 pro runtime detection - init (backdoor.rules, High)
16108 <-> BACKDOOR trojan downloader exchanger.gen2 runtime detection (backdoor.rules, High)
16109 <-> BACKDOOR trojan-downloader.win32.zlob.wwv runtime detection - onestoponlineshop (backdoor.rules, High)
16110 <-> BACKDOOR trojan-downloader.win32.zlob.wwv runtime detection - childhe (backdoor.rules, High)
16111 <-> BACKDOOR trojan-downloader.win32.zlob.wwv installtime detection (backdoor.rules, High)
16112 <-> BACKDOOR trojan downloader.agent.vhb runtime detection - contact remote server (backdoor.rules, High)
16113 <-> BACKDOOR trojan downloader.agent.vhb runtime detection - request login page (backdoor.rules, High)
16114 <-> SPYWARE-PUT Hijacker cramtoolbar runtime detection - hijack (spyware-put.rules, Low)
16115 <-> SPYWARE-PUT Hijacker cramtoolbar runtime detection - search (spyware-put.rules, Low)
16116 <-> SPYWARE-PUT Trackware rightonadz.biz adrotator runtime detection - pass user info to remote server (spyware-put.rules, Medium)
16117 <-> SPYWARE-PUT Trackware rightonadz.biz adrotator runtime detection - ads (spyware-put.rules, Medium)
16118 <-> SPYWARE-PUT Adware winreanimator runtime detection - register request (spyware-put.rules, Low)
16119 <-> SPYWARE-PUT Adware winreanimator runtime detection - daily update (spyware-put.rules, Low)
16120 <-> SPYWARE-PUT Trackware 6sq toolbar runtime detection (spyware-put.rules, Medium)
16121 <-> SPYWARE-PUT Hijacker weatherstudio runtime detection (spyware-put.rules, Low)
16122 <-> SPYWARE-PUT rogue antivirus xp 2008 runtime detection - buy (spyware-put.rules, Low)
16123 <-> SPYWARE-PUT rogue antivirus xp 2008 runtime detection - update (spyware-put.rules, Low)
16124 <-> SPYWARE-PUT downloader trojan.nsis.agent.s runtime detection (spyware-put.rules, Low)
16125 <-> SPYWARE-PUT Keylogger spyyahoo v2.2 runtime detection (spyware-put.rules, Medium)
16126 <-> SPYWARE-PUT Trickler virusremover 2008 runtime detection (spyware-put.rules, Low)
16127 <-> SPYWARE-PUT Adware superiorads runtime detection (spyware-put.rules, Low)
16128 <-> SPYWARE-PUT Keylogger aspy v2.12 runtime detection (spyware-put.rules, Medium)
16129 <-> SPYWARE-PUT Keylogger kamyab Keylogger v.3 runtime detection (spyware-put.rules, Medium)
16130 <-> SPYWARE-PUT Keylogger lord spy pro 1.4 runtime detection (spyware-put.rules, Medium)
16131 <-> SPYWARE-PUT Trackware adclicker trojan zlob.dnz runtime detection - ads (spyware-put.rules, Medium)
16132 <-> SPYWARE-PUT Trackware owlforce runtime detection - remote server #1 (spyware-put.rules, Medium)
16133 <-> SPYWARE-PUT Trackware owlforce runtime detection - remote server #2 (spyware-put.rules, Medium)
16134 <-> SPYWARE-PUT Adware spyware guard 2008 runtime detection - contacts remote server (spyware-put.rules, Low)
16135 <-> SPYWARE-PUT Adware spyware guard 2008 runtime detection - purchase page (spyware-put.rules, Low)
16136 <-> SPYWARE-PUT Hijacker xp antispyware 2009 runtime detection - pre-sale webpage (spyware-put.rules, Low)
16137 <-> SPYWARE-PUT Keylogger cheat monitor runtime detection (spyware-put.rules, Medium)
16138 <-> SPYWARE-PUT Hacker-Tool 0desa msn pass stealer 8.5 runtime detection (spyware-put.rules, Low)
16139 <-> SPYWARE-PUT downloader_trojan.gen2 runtime detection - scanner page (spyware-put.rules, Low)
16140 <-> BACKDOOR torpig-mebroot command and control checkin (backdoor.rules, High)
16141 <-> SPECIFIC-THREATS Kaspersky Online Scanner trojaned Dll download attempt (specific-threats.rules, High)
16142 <-> SPECIFIC-THREATS Mozilla Firefox PKCS11 module installation code execution attempt (specific-threats.rules, High)
16143 <-> WEB-CLIENT Microsoft asf file download (web-client.rules, Low)
16144 <-> SPECIFIC-THREATS Bredolab downloader communication with server attempt (specific-threats.rules, High)
16145 <-> SPECIFIC-THREATS Apple Safari Webkit floating point buffer overflow attempt (specific-threats.rules, High)

Updated rules:

2436 <-> WEB-CLIENT Microsoft wmf metafile access (web-client.rules, High)
6504 <-> WEB-CLIENT Sophos Anti-Virus CAB file overflow attempt (web-client.rules, High)
12455 <-> POLICY Crystal reports download request (policy.rules, High)
13473 <-> EXPLOIT Microsoft Publisher file download (exploit.rules, Low)
13678 <-> MISC Microsoft EMF metafile access detected (misc.rules, High)
13801 <-> WEB-CLIENT RTF file download request (web-client.rules, Low)
13982 <-> WEB-CLIENT Microsoft Powerpoint file download attempt (web-client.rules, Low)
14017 <-> WEB-CLIENT MPEG Layer 3 playlist file request (web-client.rules, Low)
14018 <-> WEB-CLIENT PLS multimedia playlist file request (web-client.rules, Low)
15123 <-> WEB-CLIENT Rich Text Format file request (web-client.rules, Low)
15444 <-> WEB-MISC Core Audio Format file download attempt (web-misc.rules, Low)
15463 <-> WEB-CLIENT Microsoft Excel file request (web-client.rules, Low)
15464 <-> WEB-CLIENT Microsoft Excel file request (web-client.rules, Low)
15516 <-> WEB-CLIENT AVI multimedia file request (web-client.rules, Low)
15585 <-> WEB-CLIENT Excel file download request (web-client.rules, Low)
15586 <-> WEB-CLIENT Powerpoint file download request (web-client.rules, Low)
15587 <-> WEB-CLIENT Word file download request (web-client.rules, Low)
15987 <-> WEB-MISC Microsoft Visio DXF file download request (web-misc.rules, Low)
