Sourcefire VRT Rules Update
Date: 2007-06-12
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.3.
The format of the file is:
sid - Message (rule group)
New rules:
11826 <-> WEB-CLIENT Microsoft Voice Control ActiveX clsid access (web-client.rules)
11827 <-> WEB-CLIENT Microsoft Voice Control ActiveX clsid unicode access (web-client.rules)
11828 <-> WEB-CLIENT Microsoft Voice Control ActiveX function call access (web-client.rules)
11829 <-> WEB-CLIENT Microsoft Voice Control ActiveX function call unicode access (web-client.rules)
11830 <-> WEB-CLIENT Microsoft Direct Speech Recognition ActiveX clsid access (web-client.rules)
11831 <-> WEB-CLIENT Microsoft Direct Speech Recognition ActiveX clsid unicode access (web-client.rules)
11832 <-> WEB-CLIENT Microsoft Direct Speech Recognition ActiveX function call access (web-client.rules)
11833 <-> WEB-CLIENT Microsoft Direct Speech Recognition ActiveX function call unicode access (web-client.rules)
11834 <-> WEB-MISC Internet Explorer navcancl.htm url spoofing attempt (web-misc.rules)
11835 <-> POLICY Visio file download (policy.rules)
11836 <-> MISC Visio version number below 6 - possible exploit (misc.rules)
11837 <-> SMTP MS Windows Mail UNC navigation remote command execution (smtp.rules)

Updated rules:
1546 <-> WEB-MISC Cisco /%% DOS attempt (web-misc.rules)
7904 <-> WEB-CLIENT CDL Asychronous Pluggable Protocol Handler ActiveX clsid access (web-client.rules)
7905 <-> WEB-CLIENT CDL Asychronous Pluggable Protocol Handler ActiveX clsid unicode access (web-client.rules)
7928 <-> WEB-CLIENT file or local Asychronous Pluggable Protocol Handler ActiveX clsid access (web-client.rules)
7929 <-> WEB-CLIENT file or local Asychronous Pluggable Protocol Handler ActiveX clsid unicode access (web-client.rules)
7934 <-> WEB-CLIENT ftp Asychronous Pluggable Protocol Handler ActiveX clsid access (web-client.rules)
7935 <-> WEB-CLIENT ftp Asychronous Pluggable Protocol Handler ActiveX clsid unicode access (web-client.rules)
7938 <-> WEB-CLIENT gopher Asychronous Pluggable Protocol Handler ActiveX clsid access (web-client.rules)
7939 <-> WEB-CLIENT gopher Asychronous Pluggable Protocol Handler ActiveX clsid unicode access (web-client.rules)
7942 <-> WEB-CLIENT http Asychronous Pluggable Protocol Handler ActiveX clsid access (web-client.rules)
7943 <-> WEB-CLIENT http Asychronous Pluggable Protocol Handler ActiveX clsid unicode access (web-client.rules)
7944 <-> WEB-CLIENT https Asychronous Pluggable Protocol Handler ActiveX clsid access (web-client.rules)
7945 <-> WEB-CLIENT https Asychronous Pluggable Protocol Handler ActiveX clsid unicode access (web-client.rules)
7958 <-> WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX clsid access (web-client.rules)
7959 <-> WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX clsid unicode access (web-client.rules)
7960 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
7961 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access (deleted.rules)
7962 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
7963 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access (deleted.rules)
7964 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
7965 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access (deleted.rules)
7966 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
7967 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access (deleted.rules)
7968 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
7969 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access (deleted.rules)
