Sourcefire VRT Rules Update
Date: 2010-04-08
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.
The format of the file is:
sid - Message (rule group, priority)
New rules:
16522 <-> WEB-CLIENT Novell QuickFinder server cross-site-scripting attempt (web-client.rules, High)
16523 <-> POLICY PDF with click-to-launch executable (policy.rules, Low)
16524 <-> FTP ProFTPD username sql injection attempt (ftp.rules, High)
16525 <-> CHAT MSN Messenger web login attempt (chat.rules, High)
16526 <-> SPECIFIC-THREATS VanBot IRC communication attempt (specific-threats.rules, High)
16527 <-> SPECIFIC-THREATS Zbot malware config file download request (specific-threats.rules, High)
16528 <-> SPECIFIC-THREATS Zbot malware config file download request (specific-threats.rules, High)
16529 <-> WEB-MISC JPEG file download attempt (web-misc.rules, Low)

Updated rules:
488 <-> DELETED INFO Connection Closed MSG from Port 80 (deleted.rules, Low)
489 <-> FTP no password (ftp.rules, Low)
490 <-> POLICY battle-mail traffic (policy.rules, High)
491 <-> FTP Bad login (ftp.rules, Medium)
492 <-> TELNET login failed (telnet.rules, Medium)
493 <-> POLICY psyBNC access (policy.rules, Medium)
718 <-> TELNET login incorrect (telnet.rules, Medium)
721 <-> POLICY Potentially unauthorized file attachment (policy.rules, Medium)
884 <-> DELETED WEB-CGI formmail access (deleted.rules, Medium)
1287 <-> DELETED WEB-IIS scripts access (deleted.rules, Medium)
1389 <-> DELETED viewcode.jse access (deleted.rules, Medium)
1391 <-> DELETED Phorecast remote code execution attempt (deleted.rules, High)
1403 <-> DELETED WEB-MISC viewcode access (deleted.rules, High)
1404 <-> DELETED WEB-MISC showcode access (deleted.rules, High)
2142 <-> WEB-PHP shoutbox.php access (web-php.rules, Medium)
2229 <-> WEB-PHP viewtopic.php access (web-php.rules, High)
2303 <-> WEB-PHP Advanced Poll popup.php access (web-php.rules, Medium)
2566 <-> WEB-PHP PHPBB viewforum.php access (web-php.rules, Medium)
2706 <-> DELETED WEB-CLIENT JPEG transfer (deleted.rules, Low)
2925 <-> DELETED INFO web bug 1x1 gif attempt (deleted.rules, Low)
2951 <-> DELETED SMB-DS too many stacked requests (deleted.rules, Low)
6395 <-> BACKDOOR a-311 death runtime detection - initial connection server-to-client (backdoor.rules, High)
6396 <-> BACKDOOR a-311 death user-agent string detected (backdoor.rules, High)
12661 <-> BACKDOOR troll.a runtime detection (backdoor.rules, High)
13923 <-> SMTP MailEnable SMTP HELO command denial of service attempt (smtp.rules, Medium)
15263 <-> DELETED BEA WebLogic Apache connector HTTP version denial of service attempt (deleted.rules, Medium)
15476 <-> SPYWARE-PUT Waledac spam bot HTTP POST request (spyware-put.rules, Low)
15490 <-> EXPLOIT Linux SCTP malformed forward-tsn chunk arbitrary code execution attempt (exploit.rules, High)
15906 <-> EXPLOIT Linux Kernel DCCP Protocol Handler dccp_setsockopt_change integer overflow attempt (exploit.rules, Medium)
15907 <-> EXPLOIT Linux Kernel DCCP Protocol Handler dccp_setsockopt_change integer overflow attempt (exploit.rules, Medium)
16026 <-> DELETED WEB-CLIENT midi file download attempt (deleted.rules, Low)
16027 <-> WEB-CLIENT winamp midi file header overflow attempt (web-client.rules, High)
16098 <-> BACKDOOR win32.cekar variant runtime detection (backdoor.rules, High)
