Sourcefire VRT Rules Update

Date: 2007-06-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.1.

The format of the file is:

sid <-> Message (rule group)

New rules:
7724 <-> BACKDOOR reversable ver1.0 runtime detection - initial connection - flowbit set (backdoor.rules)
11966 <-> WEB-CLIENT Microsoft Internet Explorer CSS tag memory corruption attempt (web-client.rules)
11967 <-> WEB-CLIENT Microsoft Office Data Source Control 11.0 ActiveX function call unicode access (web-client.rules)
12009 <-> SQL Firebird SQL Fbserver Buffer Overflow (sql.rules)
12010 <-> WEB-CLIENT RKD Software BarCode ActiveX clsid access (web-client.rules)
12011 <-> WEB-CLIENT RKD Software BarCode ActiveX clsid unicode access (web-client.rules)
12012 <-> WEB-CLIENT RKD Software BarCode ActiveX function call access (web-client.rules)
12013 <-> WEB-CLIENT RKD Software BarCode ActiveX function call unicode access (web-client.rules)
12014 <-> WEB-MISC Internet Explorer navcancl.htm url spoofing attempt (web-misc.rules)

Updated rules:
228 <-> DDOS TFN client command BE (ddos.rules)
251 <-> DDOS - TFN client command LE (ddos.rules)
1079 <-> WEB-MISC WebDAV propfind access (web-misc.rules)
1248 <-> WEB-FRONTPAGE rad fp30reg.dll access (web-frontpage.rules)
4756 <-> NETBIOS DCERPC NCACN-IP-TCP v4 locator nsi_binding_lookup_begin little endian overflow attempt (netbios.rules)
4757 <-> NETBIOS DCERPC NCACN-IP-TCP v4 locator nsi_binding_lookup_begin overflow attempt (netbios.rules)
4824 <-> NETBIOS DCERPC NCADG-IP-UDP v4 locator nsi_binding_lookup_begin little endian overflow attempt (netbios.rules)
4825 <-> NETBIOS DCERPC NCADG-IP-UDP v4 locator nsi_binding_lookup_begin overflow attempt (netbios.rules)
6410 <-> WEB-FRONTPAGE frontpage server extension long host string overflow attempt (web-frontpage.rules)
8441 <-> WEB-MISC McAfee header buffer overflow attempt (web-misc.rules)
8723 <-> WEB-CLIENT Microsoft Office Data Source Control 11.0 ActiveX clsid access (web-client.rules)
8724 <-> WEB-CLIENT Microsoft Office Data Source Control 11.0 ActiveX clsid unicode access (web-client.rules)
9820 <-> WEB-CLIENT Microsoft Office Data Source Control 11.0 ActiveX function call access (web-client.rules)
10130 <-> POLICY VERITAS NetBackup system execution function call access attempt (policy.rules)
10158 <-> DELETED NETBIOS SMB writex possible Snort dcerpc preprocessor overflow attempt (deleted.rules)
10159 <-> DELETED NETBIOS SMB-DS writex possible Snort dcerpc preprocessor overflow attempt (deleted.rules)
10160 <-> DELETED NETBIOS-DG SMB writex possible Snort dcerpc preprocessor overflow attempt (deleted.rules)
10482 <-> RPC portmap CA BrightStor ARCserve tcp request (rpc.rules)
10483 <-> RPC portmap CA BrightStor ARCserve udp request (rpc.rules)
10484 <-> RPC portmap CA BrightStor ARCserve tcp procedure 191 attempt (rpc.rules)
10485 <-> RPC portmap CA BrightStor ARCserve udp procedure 191 attempt (rpc.rules)
11616 <-> WEB-MISC Symantec Sygate Policy Manager SQL injection (web-misc.rules)
11834 <-> WEB-MISC Internet Explorer navcancl.htm url spoofing attempt (web-misc.rules)
11836 <-> MISC Visio version number anomaly (misc.rules)