Sourcefire VRT Rules Update
Date: 2007-06-26
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.1.
The format of the file is:
sid - Message (rule group)
New rules:
7724 <-> BACKDOOR reversable ver1.0 runtime detection - initial connection - flowbit set (backdoor.rules)
11966 <-> WEB-CLIENT Microsoft Internet Explorer CSS tag memory corruption attempt (web-client.rules)
11967 <-> WEB-CLIENT Microsoft Office Data Source Control 11.0 ActiveX function call unicode access (web-client.rules)
12009 <-> SQL Firebird SQL Fbserver Buffer Overflow (sql.rules)
12010 <-> WEB-CLIENT RKD Software BarCode ActiveX clsid access (web-client.rules)
12011 <-> WEB-CLIENT RKD Software BarCode ActiveX clsid unicode access (web-client.rules)
12012 <-> WEB-CLIENT RKD Software BarCode ActiveX function call access (web-client.rules)
12013 <-> WEB-CLIENT RKD Software BarCode ActiveX function call unicode access (web-client.rules)
12014 <-> WEB-MISC Internet Explorer navcancl.htm url spoofing attempt (web-misc.rules)

Updated rules:
228 <-> DDOS TFN client command BE (ddos.rules)
251 <-> DDOS - TFN client command LE (ddos.rules)
1079 <-> WEB-MISC WebDAV propfind access (web-misc.rules)
1248 <-> WEB-FRONTPAGE rad fp30reg.dll access (web-frontpage.rules)
4756 <-> NETBIOS DCERPC NCACN-IP-TCP v4 locator nsi_binding_lookup_begin little endian overflow attempt (netbios.rules)
4757 <-> NETBIOS DCERPC NCACN-IP-TCP v4 locator nsi_binding_lookup_begin overflow attempt (netbios.rules)
4824 <-> NETBIOS DCERPC NCADG-IP-UDP v4 locator nsi_binding_lookup_begin little endian overflow attempt (netbios.rules)
4825 <-> NETBIOS DCERPC NCADG-IP-UDP v4 locator nsi_binding_lookup_begin overflow attempt (netbios.rules)
6410 <-> WEB-FRONTPAGE frontpage server extension long host string overflow attempt (web-frontpage.rules)
8441 <-> WEB-MISC McAfee header buffer overflow attempt (web-misc.rules)
8723 <-> WEB-CLIENT Microsoft Office Data Source Control 11.0 ActiveX clsid access (web-client.rules)
8724 <-> WEB-CLIENT Microsoft Office Data Source Control 11.0 ActiveX clsid unicode access (web-client.rules)
9820 <-> WEB-CLIENT Microsoft Office Data Source Control 11.0 ActiveX function call access (web-client.rules)
10130 <-> POLICY VERITAS NetBackup system execution function call access attempt (policy.rules)
10158 <-> DELETED NETBIOS SMB writex possible Snort dcerpc preprocessor overflow attempt (deleted.rules)
10159 <-> DELETED NETBIOS SMB-DS writex possible Snort dcerpc preprocessor overflow attempt (deleted.rules)
10160 <-> DELETED NETBIOS-DG SMB writex possible Snort dcerpc preprocessor overflow attempt (deleted.rules)
10482 <-> RPC portmap CA BrightStor ARCserve tcp request (rpc.rules)
10483 <-> RPC portmap CA BrightStor ARCserve udp request (rpc.rules)
10484 <-> RPC portmap CA BrightStor ARCserve tcp procedure 191 attempt (rpc.rules)
10485 <-> RPC portmap CA BrightStor ARCserve udp procedure 191 attempt (rpc.rules)
11616 <-> WEB-MISC Symantec Sygate Policy Manager SQL injection (web-misc.rules)
11834 <-> WEB-MISC Internet Explorer navcancl.htm url spoofing attempt (web-misc.rules)
11836 <-> MISC Visio version number anomaly (misc.rules)
