Sourcefire VRT Update

Date: 2007-02-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack.

The format of the file is:

sid <-> Message (rule group)

New rules:
10084 <-> WEB-CLIENT NCTAudioFile2 ActiveX clsid access (web-client.rules)
10085 <-> WEB-CLIENT NCTAudioFile2 ActiveX clsid unicode access (web-client.rules)
10086 <-> WEB-CLIENT NCTAudioFile2 ActiveX function call access (web-client.rules)
10087 <-> EXPLOIT VNC password request buffer overflow attempt (exploit.rules)
10088 <-> SPYWARE-PUT Keylogger beyond Keylogger runtime detection - log sent by smtp (spyware-put.rules)
10089 <-> SPYWARE-PUT Keylogger beyond Keylogger runtime detection - log sent by ftp (spyware-put.rules)
10090 <-> SPYWARE-PUT Trickler zango easymessenger runtime detection (spyware-put.rules)
10091 <-> SPYWARE-PUT Hacker-Tool spylply.a runtime detection (spyware-put.rules)
10092 <-> SPYWARE-PUT Trackware russian searchbar runtime detection (spyware-put.rules)
10093 <-> SPYWARE-PUT Hijacker kuaiso toolbar runtime detection (spyware-put.rules)
10094 <-> SPYWARE-PUT Adware borlan runtime detection (spyware-put.rules)
10095 <-> SPYWARE-PUT Trackware bydou runtime detection (spyware-put.rules)
10096 <-> SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection - keylog (spyware-put.rules)
10097 <-> SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection (spyware-put.rules)
10098 <-> SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection - get system info (spyware-put.rules)
10099 <-> SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection (spyware-put.rules)
10100 <-> SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection - open website (spyware-put.rules)
10101 <-> BACKDOOR crossfires trojan 3.0 runtime detection - delete file (backdoor.rules)
10102 <-> BACKDOOR crossfires trojan 3.0 runtime detection - chat with victim (backdoor.rules)
10103 <-> BACKDOOR hav-rat 1.1 runtime detection (backdoor.rules)
10104 <-> BACKDOOR hav-rat 1.1 runtime detection (backdoor.rules)
10105 <-> BACKDOOR hav-rat 1.1 runtime detection - retrieve pc info (backdoor.rules)
10106 <-> BACKDOOR icmp cmd 1.0 runtime detection - download file (backdoor.rules)
10107 <-> BACKDOOR icmp cmd 1.0 runtime detection - pslist (backdoor.rules)
10108 <-> BACKDOOR icmp cmd 1.0 runtime detection - pskill (backdoor.rules)
10109 <-> BACKDOOR k-msnrat 1.0.0 runtime detection - init connection (backdoor.rules)
10110 <-> BACKDOOR poison ivy 2.1.2 runtime detection (backdoor.rules)
10111 <-> BACKDOOR poison ivy 2.1.2 runtime detection - init connection (backdoor.rules)
10112 <-> BACKDOOR rix3 1.0 runtime detection - init connection (backdoor.rules)
10113 <-> SPECIFIC-THREATS Trojan Peacomm command and control propagation detected (specific-threats.rules)
10114 <-> SPECIFIC-THREATS Trojan Peacomm command and control propagation detected (specific-threats.rules)
10115 <-> WEB-CLIENT Microsoft WMF denial of service attempt (web-client.rules)
10116 <-> WEB-CLIENT AIM GoChat URL access attempt (web-client.rules)
10117 <-> NETBIOS DCERPC DIRECT brightstor-arc GetGCBHandleFromGroupName little endian object call overflow attempt (netbios.rules)
10118 <-> NETBIOS DCERPC DIRECT brightstor-arc GetGCBHandleFromGroupName little endian overflow attempt (netbios.rules)
10119 <-> NETBIOS DCERPC DIRECT brightstor-arc GetGCBHandleFromGroupName object call overflow attempt (netbios.rules)
10120 <-> NETBIOS DCERPC DIRECT brightstor-arc GetGCBHandleFromGroupName overflow attempt (netbios.rules)
10121 <-> NETBIOS DCERPC DIRECT v4 brightstor-arc GetGCBHandleFromGroupName little endian overflow attempt (netbios.rules)
10122 <-> NETBIOS DCERPC DIRECT v4 brightstor-arc GetGCBHandleFromGroupName overflow attempt (netbios.rules)
10123 <-> SPECIFIC-THREATS PA168 Chipset Based IP Phone Default Password Attempt (specific-threats.rules)
10124 <-> SPECIFIC-THREATS PA168 Chipset Based IP Phone Authentication Bypass (specific-threats.rules)
10125 <-> MISC bomberclone buffer overflow attempt (misc.rules)

Updated rules:
1411 <-> SNMP public access udp (snmp.rules)
1417 <-> SNMP request udp (snmp.rules)
1917 <-> SCAN UPnP service discover attempt (scan.rules)
1923 <-> RPC portmap proxy attempt UDP (rpc.rules)
2002 <-> WEB-PHP remote include path (web-php.rules)
2338 <-> FTP LIST buffer overflow attempt (ftp.rules)
7204 <-> WEB-CLIENT excel object ftCmo overflow attempt (web-client.rules)
9801 <-> WEB-CLIENT Windows Media Player or Explorer Malformed RIFF File denial of service attempt (web-client.rules)