Sourcefire VRT Rules Update

Date: 2010-04-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.

The format of each entry below is:

sid <-> Message (rule file, priority)

New rules:
16522 <-> WEB-CLIENT Novell QuickFinder server cross-site-scripting attempt (web-client.rules, High)
16523 <-> POLICY PDF with click-to-launch executable (policy.rules, Low)
16524 <-> FTP ProFTPD username sql injection attempt (ftp.rules, High)
16525 <-> CHAT MSN Messenger web login attempt (chat.rules, High)
16526 <-> SPECIFIC-THREATS VanBot IRC communication attempt (specific-threats.rules, High)
16527 <-> SPECIFIC-THREATS Zbot malware config file download request (specific-threats.rules, High)
16528 <-> SPECIFIC-THREATS Zbot malware config file download request (specific-threats.rules, High)
16529 <-> WEB-MISC JPEG file download attempt (web-misc.rules, Low)

Updated rules:
 488 <-> DELETED INFO Connection Closed MSG from Port 80 (deleted.rules, Low)
 489 <-> FTP no password (ftp.rules, Low)
 490 <-> POLICY battle-mail traffic (policy.rules, High)
 491 <-> FTP Bad login (ftp.rules, Medium)
 492 <-> TELNET login failed (telnet.rules, Medium)
 493 <-> POLICY psyBNC access (policy.rules, Medium)
 718 <-> TELNET login incorrect (telnet.rules, Medium)
 721 <-> POLICY Potentially unauthorized file attachment (policy.rules, Medium)
 884 <-> DELETED WEB-CGI formmail access (deleted.rules, Medium)
1287 <-> DELETED WEB-IIS scripts access (deleted.rules, Medium)
1389 <-> DELETED viewcode.jse access (deleted.rules, Medium)
1391 <-> DELETED Phorecast remote code execution attempt (deleted.rules, High)
1403 <-> DELETED WEB-MISC viewcode access (deleted.rules, High)
1404 <-> DELETED WEB-MISC showcode access (deleted.rules, High)
2142 <-> WEB-PHP shoutbox.php access (web-php.rules, Medium)
2229 <-> WEB-PHP viewtopic.php access (web-php.rules, High)
2303 <-> WEB-PHP Advanced Poll popup.php access (web-php.rules, Medium)
2566 <-> WEB-PHP PHPBB viewforum.php access (web-php.rules, Medium)
2706 <-> DELETED WEB-CLIENT JPEG transfer (deleted.rules, Low)
2925 <-> DELETED INFO web bug 1x1 gif attempt (deleted.rules, Low)
2951 <-> DELETED SMB-DS too many stacked requests (deleted.rules, Low)
6395 <-> BACKDOOR a-311 death runtime detection - initial connection server-to-client (backdoor.rules, High)
6396 <-> BACKDOOR a-311 death user-agent string detected (backdoor.rules, High)
12661 <-> BACKDOOR troll.a runtime detection (backdoor.rules, High)
13923 <-> SMTP MailEnable SMTP HELO command denial of service attempt (smtp.rules, Medium)
15263 <-> DELETED BEA WebLogic Apache connector HTTP version denial of service attempt (deleted.rules, Medium)
15476 <-> SPYWARE-PUT Waledac spam bot HTTP POST request (spyware-put.rules, Low)
15490 <-> EXPLOIT Linux SCTP malformed forward-tsn chunk arbitrary code execution attempt (exploit.rules, High)
15906 <-> EXPLOIT Linux Kernel DCCP Protocol Handler dccp_setsockopt_change integer overflow attempt (exploit.rules, Medium)
15907 <-> EXPLOIT Linux Kernel DCCP Protocol Handler dccp_setsockopt_change integer overflow attempt (exploit.rules, Medium)
16026 <-> DELETED WEB-CLIENT midi file download attempt (deleted.rules, Low)
16027 <-> WEB-CLIENT winamp midi file header overflow attempt (web-client.rules, High)
16098 <-> BACKDOOR win32.cekar variant runtime detection (backdoor.rules, High)
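The entry format described at the top of this notice is regular enough to parse, which is useful when reconciling an update against a local rule set: entries that have moved to deleted.rules are retired and should be dropped from local enable lists, and new High-priority SIDs are the ones worth reviewing first. The following is an added example written for this page, not VRT tooling; the sample input is an excerpt of the list above embedded as a constructed string, and the local "enabled SID" set passed to reconcile() is a hypothetical stand-in for whatever a site tracks in its own configuration.

```python
"""Parse a Sourcefire VRT rule-update notice and reconcile it with a local SID list."""
import re
from dataclasses import dataclass

# One list entry: "<sid> <-> <message> (<rule file>, <priority>)"
ENTRY_RE = re.compile(
    r"^\s*(?P<sid>\d+)\s+<->\s+(?P<msg>.*?)\s+\((?P<file>[\w.-]+\.rules),\s*(?P<prio>\w+)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    sid: int
    message: str
    rule_file: str
    priority: str
    section: str  # "new" or "updated", taken from the list heading the entry sits under

    @property
    def retired(self) -> bool:
        # The VRT moves retired rules to deleted.rules instead of dropping them from the pack
        return self.rule_file == "deleted.rules"


def parse_update(text: str) -> list:
    """Return the RuleEntry records found under the 'New rules:' / 'Updated rules:' headings."""
    entries = []
    section = None
    for line in text.splitlines():
        heading = line.strip().rstrip(":").lower()
        if heading in ("new rules", "updated rules"):
            section = heading.split()[0]  # "new" or "updated"
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append(RuleEntry(int(m["sid"]), m["msg"], m["file"], m["prio"], section))
    return entries


def count_by_file(entries) -> dict:
    """How many entries in this update touch each rule file."""
    counts = {}
    for e in entries:
        counts[e.rule_file] = counts.get(e.rule_file, 0) + 1
    return counts


def reconcile(entries, enabled_sids):
    """Return (enabled SIDs that are now retired, new High-priority SIDs not yet enabled)."""
    enabled = set(enabled_sids)
    retired_still_enabled = sorted(e.sid for e in entries if e.retired and e.sid in enabled)
    new_high_missing = sorted(
        e.sid for e in entries
        if e.section == "new" and e.priority == "High" and e.sid not in enabled
    )
    return retired_still_enabled, new_high_missing


# Constructed sample: an excerpt of the update list above, including the leading-space
# alignment the notice uses for short SIDs.
SAMPLE = """\
Sourcefire VRT Rules Update

Date: 2010-04-08

New rules:
16522 <-> WEB-CLIENT Novell QuickFinder server cross-site-scripting attempt (web-client.rules, High)
16523 <-> POLICY PDF with click-to-launch executable (policy.rules, Low)

Updated rules:
 488 <-> DELETED INFO Connection Closed MSG from Port 80 (deleted.rules, Low)
2142 <-> WEB-PHP shoutbox.php access (web-php.rules, Medium)
15263 <-> DELETED BEA WebLogic Apache connector HTTP version denial of service attempt (deleted.rules, Medium)
"""

if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    # Hypothetical local state: SIDs a site currently has enabled.
    local_enabled = {488, 2142, 99999}
    retired, new_high = reconcile(parsed, local_enabled)
    print("entries per rule file:", count_by_file(parsed))
    print("retired but still enabled locally:", retired)
    print("new High-priority SIDs to review:", new_high)
```

The parser keys off the rule file rather than the "DELETED" prefix in the message text, since the file is what determines whether the rule still loads; the prefix is informational and, as the list above shows, both always agree here.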