Sourcefire VRT Rules Update

Date: 2007-06-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.1.

The format of the file is:

sid <-> Message (rule group)

New rules:
11264 <-> MS-SQL Microsoft SQL Server 2000 Server hello buffer overflow attempt (sql.rules)
11620 <-> WEB-CLIENT DXImageTransform.Microsoft.Chroma ActiveX function call access (web-client.rules)
11622 <-> WEB-CLIENT Microsoft Office 2000 OUACTR ActiveX clsid access (web-client.rules)
11623 <-> WEB-CLIENT Microsoft Office 2000 OUACTR ActiveX clsid unicode access (web-client.rules)
11624 <-> WEB-CLIENT LeadTools ISIS ActiveX clsid access (web-client.rules)
11625 <-> WEB-CLIENT LeadTools ISIS ActiveX clsid unicode access (web-client.rules)
11626 <-> WEB-CLIENT LeadTools ISIS ActiveX function call access (web-client.rules)
11627 <-> WEB-CLIENT LeadTools ISIS ActiveX function call unicode access (web-client.rules)
11628 <-> WEB-CLIENT LeadTools JPEG 2000 COM Object ActiveX function call access (web-client.rules)
11630 <-> WEB-CLIENT LeadTools Raster Dialog File Object ActiveX clsid access (web-client.rules)
11631 <-> WEB-CLIENT LeadTools Raster Dialog File Object ActiveX clsid unicode access (web-client.rules)
11632 <-> WEB-CLIENT LeadTools Raster Dialog File Object ActiveX function call access (web-client.rules)
11634 <-> WEB-CLIENT LeadTools Raster Dialog File_D Object ActiveX clsid access (web-client.rules)
11635 <-> WEB-CLIENT LeadTools Raster Dialog File_D Object ActiveX clsid unicode access (web-client.rules)
11636 <-> WEB-CLIENT LeadTools Raster Dialog File_D Object ActiveX function call access (web-client.rules)
11638 <-> WEB-CLIENT LeadTools Raster Document Object Library ActiveX clsid access (web-client.rules)
11639 <-> WEB-CLIENT LeadTools Raster Document Object Library ActiveX clsid unicode access (web-client.rules)
11640 <-> WEB-CLIENT LeadTools Raster Document Object Library ActiveX function call access (web-client.rules)
11642 <-> WEB-CLIENT LeadTools Raster ISIS Object ActiveX clsid access (web-client.rules)
11643 <-> WEB-CLIENT LeadTools Raster ISIS Object ActiveX clsid unicode access (web-client.rules)
11644 <-> WEB-CLIENT LeadTools Raster ISIS Object ActiveX function call access (web-client.rules)
11645 <-> WEB-CLIENT LeadTools Raster ISIS Object ActiveX function call unicode access (web-client.rules)
11646 <-> WEB-CLIENT LeadTools Raster Thumbnail Object Library ActiveX clsid access (web-client.rules)
11647 <-> WEB-CLIENT LeadTools Raster Thumbnail Object Library ActiveX clsid unicode access (web-client.rules)
11648 <-> WEB-CLIENT LeadTools Raster Thumbnail Object Library ActiveX function call access (web-client.rules)
11650 <-> WEB-CLIENT LeadTools Raster Variant Object Library ActiveX clsid access (web-client.rules)
11651 <-> WEB-CLIENT LeadTools Raster Variant Object Library ActiveX clsid unicode access (web-client.rules)
11652 <-> WEB-CLIENT LeadTools Raster Variant Object Library ActiveX function call access (web-client.rules)
11654 <-> WEB-CLIENT LeadTools Thumbnail Browser Control ActiveX clsid access (web-client.rules)
11655 <-> WEB-CLIENT LeadTools Thumbnail Browser Control ActiveX clsid unicode access (web-client.rules)
11656 <-> WEB-CLIENT LeadTools Thumbnail Browser Control ActiveX function call access (web-client.rules)
11657 <-> WEB-CLIENT LeadTools Thumbnail Browser Control ActiveX function call unicode access (web-client.rules)
11658 <-> WEB-CLIENT Dart ZipLite Compression ActiveX clsid access (web-client.rules)
11659 <-> WEB-CLIENT Dart ZipLite Compression ActiveX clsid unicode access (web-client.rules)
11660 <-> WEB-CLIENT EDraw Office Viewer ActiveX clsid access (web-client.rules)
11661 <-> WEB-CLIENT EDraw Office Viewer ActiveX clsid unicode access (web-client.rules)
11662 <-> WEB-CLIENT EDraw Office Viewer ActiveX function call access (web-client.rules)
11664 <-> WEB-PHP sphpblog password.txt access attempt (web-php.rules)
11665 <-> WEB-PHP sphpblog install03_cgi access attempt (web-php.rules)
11666 <-> WEB-PHP sphpblog upload_img_cgi access attempt (web-php.rules)
11667 <-> WEB-PHP sphpblog arbitrary file delete attempt (web-php.rules)
11668 <-> WEB-PHP vbulletin php code injection (web-php.rules)
11669 <-> SPECIFIC-THREATS Eudora 250 command response buffer overflow (specific-threats.rules)
11673 <-> WEB-CLIENT Zenturi ProgramChecker ActiveX clsid access (web-client.rules)
11674 <-> WEB-CLIENT Zenturi ProgramChecker ActiveX clsid unicode access (web-client.rules)
11675 <-> WEB-CLIENT Zenturi ProgramChecker ActiveX function call access (web-client.rules)
11677 <-> WEB-CLIENT Provideo Camimage Class ISSCamControl ActiveX clsid access (web-client.rules)
11678 <-> WEB-CLIENT Provideo Camimage Class ISSCamControl ActiveX clsid unicode access (web-client.rules)
11679 <-> WEB-MISC Apache mod_rewrite buffer overflow attempt (web-misc.rules)
11680 <-> MISC Sun Java web proxy sockd buffer overflow attempt (misc.rules)
11681 <-> EXPLOIT Openview Omni II command bypass attempt (exploit.rules)
11684 <-> EXPLOIT WINS Overflow attempt (exploit.rules)
11685 <-> WEB-MISC Oracle iSQL Plus cross site scripting attempt (web-misc.rules)
11687 <-> WEB-MISC Apache SSI error page cross-site scripting (web-misc.rules)
11817 <-> WEB-CGI WhatsUpGold configuration access (web-cgi.rules)
11818 <-> WEB-CLIENT Yahoo Webcam Viewer Wrapper ActiveX clsid access (web-client.rules)
11819 <-> WEB-CLIENT Yahoo Webcam Viewer Wrapper ActiveX clsid unicode access (web-client.rules)
11820 <-> WEB-CLIENT Yahoo Webcam Viewer Wrapper ActiveX function call access (web-client.rules)
11821 <-> WEB-CLIENT Yahoo Webcam Viewer Wrapper ActiveX function call unicode access (web-client.rules)
11822 <-> WEB-CLIENT Yahoo Webcam Upload ActiveX clsid access (web-client.rules)
11823 <-> WEB-CLIENT Yahoo Webcam Upload ActiveX clsid unicode access (web-client.rules)
11824 <-> WEB-CLIENT Yahoo Webcam Upload ActiveX function call access (web-client.rules)
11825 <-> WEB-CLIENT Yahoo Webcam Upload ActiveX function call unicode access (web-client.rules)

Updated rules:
1321 <-> BAD-TRAFFIC 0 ttl (bad-traffic.rules)
1394 <-> SHELLCODE x86 NOOP (shellcode.rules)
1399 <-> WEB-PHP PHP-Nuke remote file include attempt (web-php.rules)
1882 <-> ATTACK-RESPONSES id check returned userid (attack-responses.rules)
2002 <-> WEB-PHP remote include path (web-php.rules)
2143 <-> WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt (web-php.rules)
2147 <-> WEB-PHP BLNews objects.inc.php4 remote file include attempt (web-php.rules)
2150 <-> WEB-PHP ttCMS header.php remote file include attempt (web-php.rules)
2155 <-> WEB-PHP ttforum remote file include attempt (web-php.rules)
2226 <-> WEB-PHP pmachine remote file include attempt (web-php.rules)
2306 <-> WEB-PHP gallery remote file include attempt (web-php.rules)
2307 <-> WEB-PHP PayPal Storefront remote file include attempt (web-php.rules)
2575 <-> WEB-PHP Opt-X header.php remote file include attempt (web-php.rules)
2582 <-> WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt (web-misc.rules)
2597 <-> WEB-MISC Samba SWAT Authorization overflow attempt (web-misc.rules)
2598 <-> WEB-MISC Samba SWAT Authorization port 901 overflow attempt (web-misc.rules)
4638 <-> EXPLOIT RSVP Protocol zero length object DoS attempt (exploit.rules)
5694 <-> P2P Skype client setup get newest version attempt (p2p.rules)
7908 <-> WEB-CLIENT DXImageTransform.Microsoft.Chroma ActiveX clsid access (web-client.rules)
7909 <-> WEB-CLIENT DXImageTransform.Microsoft.Chroma ActiveX clsid unicode access (web-client.rules)
10106 <-> DELETED BACKDOOR icmp cmd 1.0 runtime detection - download file (deleted.rules)
11193 <-> WEB-MISC Oracle iSQL Plus cross site scripting attempt (web-misc.rules)
11194 <-> WEB-MISC Oracle iSQL Plus cross site scripting attempt (web-misc.rules)
11223 <-> WEB-MISC google proxystylesheet arbitrary command execution attempt (web-misc.rules)
11273 <-> WEB-MISC Apache header parsing space saturation denial of service attempt (web-misc.rules)
11315 <-> DELETED BACKDOOR ykw v375 runtime detection (deleted.rules)
11616 <-> WEB-MISC Symantec Sygate Policy Manager SQL injection (web-misc.rules)