Sourcefire VRT Update
Date: 2007-02-01
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack.
The format of the file is:
sid - Message (rule group)
New rules:
10084 <-> WEB-CLIENT NCTAudioFile2 ActiveX clsid access (web-client.rules)
10085 <-> WEB-CLIENT NCTAudioFile2 ActiveX clsid unicode access (web-client.rules)
10086 <-> WEB-CLIENT NCTAudioFile2 ActiveX function call access (web-client.rules)
10087 <-> EXPLOIT VNC password request buffer overflow attempt (exploit.rules)
10088 <-> SPYWARE-PUT Keylogger beyond Keylogger runtime detection - log sent by smtp (spyware-put.rules)
10089 <-> SPYWARE-PUT Keylogger beyond Keylogger runtime detection - log sent by ftp (spyware-put.rules)
10090 <-> SPYWARE-PUT Trickler zango easymessenger runtime detection (spyware-put.rules)
10091 <-> SPYWARE-PUT Hacker-Tool spylply.a runtime detection (spyware-put.rules)
10092 <-> SPYWARE-PUT Trackware russian searchbar runtime detection (spyware-put.rules)
10093 <-> SPYWARE-PUT Hijacker kuaiso toolbar runtime detection (spyware-put.rules)
10094 <-> SPYWARE-PUT Adware borlan runtime detection (spyware-put.rules)
10095 <-> SPYWARE-PUT Trackware bydou runtime detection (spyware-put.rules)
10096 <-> SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection - keylog (spyware-put.rules)
10097 <-> SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection (spyware-put.rules)
10098 <-> SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection - get system info (spyware-put.rules)
10099 <-> SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection (spyware-put.rules)
10100 <-> SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection - open website (spyware-put.rules)
10101 <-> BACKDOOR crossfires trojan 3.0 runtime detection - delete file (backdoor.rules)
10102 <-> BACKDOOR crossfires trojan 3.0 runtime detection - chat with victim (backdoor.rules)
10103 <-> BACKDOOR hav-rat 1.1 runtime detection (backdoor.rules)
10104 <-> BACKDOOR hav-rat 1.1 runtime detection (backdoor.rules)
10105 <-> BACKDOOR hav-rat 1.1 runtime detection - retrieve pc info (backdoor.rules)
10106 <-> BACKDOOR icmp cmd 1.0 runtime detection - download file (backdoor.rules)
10107 <-> BACKDOOR icmp cmd 1.0 runtime detection - pslist (backdoor.rules)
10108 <-> BACKDOOR icmp cmd 1.0 runtime detection - pskill (backdoor.rules)
10109 <-> BACKDOOR k-msnrat 1.0.0 runtime detection - init connection (backdoor.rules)
10110 <-> BACKDOOR poison ivy 2.1.2 runtime detection (backdoor.rules)
10111 <-> BACKDOOR poison ivy 2.1.2 runtime detection - init connection (backdoor.rules)
10112 <-> BACKDOOR rix3 1.0 runtime detection - init connection (backdoor.rules)
10113 <-> SPECIFIC-THREATS Trojan Peacomm command and control propagation detected (specific-threats.rules)
10114 <-> SPECIFIC-THREATS Trojan Peacomm command and control propagation detected (specific-threats.rules)
10115 <-> WEB-CLIENT Microsoft WMF denial of service attempt (web-client.rules)
10116 <-> WEB-CLIENT AIM GoChat URL access attempt (web-client.rules)
10117 <-> NETBIOS DCERPC DIRECT brightstor-arc GetGCBHandleFromGroupName little endian object call overflow attempt (netbios.rules)
10118 <-> NETBIOS DCERPC DIRECT brightstor-arc GetGCBHandleFromGroupName little endian overflow attempt (netbios.rules)
10119 <-> NETBIOS DCERPC DIRECT brightstor-arc GetGCBHandleFromGroupName object call overflow attempt (netbios.rules)
10120 <-> NETBIOS DCERPC DIRECT brightstor-arc GetGCBHandleFromGroupName overflow attempt (netbios.rules)
10121 <-> NETBIOS DCERPC DIRECT v4 brightstor-arc GetGCBHandleFromGroupName little endian overflow attempt (netbios.rules)
10122 <-> NETBIOS DCERPC DIRECT v4 brightstor-arc GetGCBHandleFromGroupName overflow attempt (netbios.rules)
10123 <-> SPECIFIC-THREATS PA168 Chipset Based IP Phone Default Password Attempt (specific-threats.rules)
10124 <-> SPECIFIC-THREATS PA168 Chipset Based IP Phone Authentication Bypass (specific-threats.rules)
10125 <-> MISC bomberclone buffer overflow attempt (misc.rules)

Updated rules:
1411 <-> SNMP public access udp (snmp.rules)
1417 <-> SNMP request udp (snmp.rules)
1917 <-> SCAN UPnP service discover attempt (scan.rules)
1923 <-> RPC portmap proxy attempt UDP (rpc.rules)
2002 <-> WEB-PHP remote include path (web-php.rules)
2338 <-> FTP LIST buffer overflow attempt (ftp.rules)
7204 <-> WEB-CLIENT excel object ftCmo overflow attempt (web-client.rules)
9801 <-> WEB-CLIENT Windows Media Player or Explorer Malformed RIFF File denial of service attempt (web-client.rules)
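As an added example, not part of the VRT announcement or of any Sourcefire tooling, the following Python parser reads a listing in the "sid - Message (rule group)" format described above and turns it into records an operator can act on: which rule files the update touched (and so must be re-read), and which existing SIDs changed (and so should be re-checked against local disables or thresholds keyed on that SID). It assumes the separator is either "-" or "<->" as in the listing, that rule-file names end in ".rules", and that mailing-list archives may have flattened the listing onto a few long lines, which the normalize step undoes. The sample text is a short excerpt of the listing above, deliberately flattened to exercise that step.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# One entry in a VRT update announcement: "sid <-> Message (rule group)".
# Older announcements write the separator as "-"; the pattern accepts both.
ENTRY_RE = re.compile(
    r"^\s*(?P<sid>\d+)\s+(?:<->|-)\s+(?P<msg>.+?)\s+\((?P<group>[\w.-]+\.rules)\)\s*$"
)
SECTION_RE = re.compile(r"^\s*(?P<section>New|Updated) rules:\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class RuleEntry:
    sid: int
    section: str    # "new" or "updated"
    category: str   # leading token of the message, e.g. WEB-CLIENT, BACKDOOR
    message: str
    group: str      # rule file the SID lives in, e.g. web-client.rules


def normalize(text: str) -> str:
    """Put each section header and each "sid <-> ..." entry on its own line.

    Archived copies of these announcements are often flattened; this only
    splits on the unambiguous "<->" form, since " - " also occurs inside
    rule messages ("runtime detection - pslist").
    """
    text = re.sub(r"\s*((?:New|Updated) rules:)", r"\n\1", text)
    return re.sub(r"\s+(?=\d+\s+<->\s)", "\n", text)


def parse_update(text: str) -> list[RuleEntry]:
    """Parse the announcement body into RuleEntry records.

    Preamble and blank lines are ignored. An entry seen before any section
    header is rejected instead of being silently filed as new or updated.
    """
    entries: list[RuleEntry] = []
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section").lower()
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        if section is None:
            raise ValueError(f"rule entry before any section header: {line!r}")
        msg = m.group("msg")
        entries.append(RuleEntry(
            sid=int(m.group("sid")),
            section=section,
            category=msg.split(" ", 1)[0],
            message=msg,
            group=m.group("group"),
        ))
    return entries


def files_to_reload(entries: list[RuleEntry]) -> dict[str, list[int]]:
    """Rule files touched by the update, each mapped to its sorted SIDs."""
    by_file: dict[str, set[int]] = defaultdict(set)
    for e in entries:
        by_file[e.group].add(e.sid)
    return {f: sorted(s) for f, s in sorted(by_file.items())}


def updated_sids(entries: list[RuleEntry]) -> list[int]:
    """SIDs whose rule text changed: the ones to re-check against local
    overrides, because an override keys on the SID while the detection
    logic underneath it moved."""
    return sorted(e.sid for e in entries if e.section == "updated")


# Excerpt of the listing above, flattened the way an archive might store it.
SAMPLE = (
    "New rules: "
    "10084 <-> WEB-CLIENT NCTAudioFile2 ActiveX clsid access (web-client.rules) "
    "10087 <-> EXPLOIT VNC password request buffer overflow attempt (exploit.rules) "
    "10088 <-> SPYWARE-PUT Keylogger beyond Keylogger runtime detection - log sent by smtp (spyware-put.rules) "
    "10117 <-> NETBIOS DCERPC DIRECT brightstor-arc GetGCBHandleFromGroupName little endian object call overflow attempt (netbios.rules) "
    "Updated rules: "
    "1411 <-> SNMP public access udp (snmp.rules) "
    "7204 <-> WEB-CLIENT excel object ftCmo overflow attempt (web-client.rules)"
)

if __name__ == "__main__":
    parsed = parse_update(normalize(SAMPLE))
    for rule_file, sids in files_to_reload(parsed).items():
        print(f"{rule_file}: {sids}")
    print("re-check overrides for:", updated_sids(parsed))
```

Run against the full listing above, files_to_reload tells you every rule file the pack changed, and updated_sids is the short list (1411, 1417, 1917, 1923, 2002, 2338, 7204, 9801) whose behaviour changed under an unchanged SID.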
