Sourcefire VRT Rules Update

Date: 2007-07-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.4.

The format of the file is:

sid - Message (rule group)

New rules:
12015 <-> WEB-CLIENT NCTAudioStudio2 NCT WavChunksEditor ActiveX clsid access (web-client.rules)
12016 <-> WEB-CLIENT NCTAudioStudio2 NCT WavChunksEditor ActiveX clsid unicode access (web-client.rules)
12017 <-> WEB-CLIENT NCTAudioStudio2 NCT WavChunksEditor ActiveX function call access (web-client.rules)
12018 <-> WEB-CLIENT NCTAudioStudio2 NCT WavChunksEditor ActiveX function call unicode access (web-client.rules)
12019 <-> WEB-CLIENT NCTsoft NCTAudioFile2 NCTWMAFile ActiveX clsid access (web-client.rules)
12020 <-> WEB-CLIENT NCTsoft NCTAudioFile2 NCTWMAFile ActiveX clsid unicode access (web-client.rules)
12021 <-> WEB-CLIENT NCTsoft NCTAudioFile2 NCTWMAFile ActiveX function call access (web-client.rules)
12022 <-> WEB-CLIENT NCTsoft NCTAudioFile2 NCTWMAFile ActiveX function call unicode access (web-client.rules)
12023 <-> DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX clsid access (deleted.rules)
12024 <-> DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX clsid unicode access (deleted.rules)
12025 <-> DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX function call access (deleted.rules)
12026 <-> DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX function call unicode access (deleted.rules)
12027 <-> SQL Ingres Database uuid_from_char buffer overflow attempt (sql.rules)
12029 <-> WEB-CLIENT HP Digital Imaging hpqxml.dll ActiveX clsid access (web-client.rules)
12030 <-> WEB-CLIENT HP Digital Imaging hpqxml.dll ActiveX clsid unicode access (web-client.rules)
12043 <-> DOS Microsoft XML parser IIS WebDAV attack attempt (dos.rules)
12044 <-> ORACLE Oracle Web Cache denial of service attempt (oracle.rules)
12045 <-> ORACLE Oracle Web Cache denial of service attempt (oracle.rules)
12046 <-> RPC MIT Kerberos kadmind RPC Library unix authentication buffer overflow attempt (rpc.rules)
12047 <-> SPYWARE-PUT Adware yayad runtime detection (spyware-put.rules)
12048 <-> SPYWARE-PUT Keylogger computer Keylogger runtime detection (spyware-put.rules)
12049 <-> SPYWARE-PUT Keylogger apophis spy 1.0 runtime detection (spyware-put.rules)
12050 <-> SPYWARE-PUT Hijacker ez-greets toolbar runtime detection (spyware-put.rules)
12051 <-> BACKDOOR ultimate rat 2.1 runtime detection (backdoor.rules)
12052 <-> BACKDOOR the[x] 1.2 runtime detection - execute command (backdoor.rules)
12053 <-> BACKDOOR trail of destruction 2.0 runtime detection - get system info (backdoor.rules)
12054 <-> BACKDOOR tron runtime detection - init connection - flowbit set (backdoor.rules)
12055 <-> BACKDOOR tron runtime detection - init connection (backdoor.rules)

Updated rules:
 144 <-> FTP ADMw0rm ftp login attempt (ftp.rules)
 253 <-> DNS SPOOF query response PTR with TTL of 1 min. and no authority (dns.rules)
 254 <-> DNS SPOOF query response with TTL of 1 min. and no authority (dns.rules)
 255 <-> DNS zone transfer TCP (dns.rules)
 256 <-> DNS named authors attempt (dns.rules)
 257 <-> DNS named version attempt (dns.rules)
 258 <-> DNS EXPLOIT named 8.2->8.2.1 (dns.rules)
 259 <-> DNS EXPLOIT named overflow ADM (dns.rules)
 260 <-> DNS EXPLOIT named overflow ADMROCKS (dns.rules)
 261 <-> DNS EXPLOIT named overflow attempt (dns.rules)
 262 <-> DNS EXPLOIT x86 Linux overflow attempt (dns.rules)
 264 <-> DNS EXPLOIT x86 Linux overflow attempt (dns.rules)
 265 <-> DNS EXPLOIT x86 Linux overflow attempt ADMv2 (dns.rules)
 266 <-> DNS EXPLOIT x86 FreeBSD overflow attempt (dns.rules)
 267 <-> DNS EXPLOIT sparc overflow attempt (dns.rules)
 303 <-> DNS EXPLOIT named tsig overflow attempt (dns.rules)
 314 <-> DNS EXPLOIT named tsig overflow attempt (dns.rules)
 320 <-> FINGER cmd_rootsh backdoor attempt (finger.rules)
 321 <-> FINGER account enumeration attempt (finger.rules)
 322 <-> FINGER search query (finger.rules)
 323 <-> FINGER root query (finger.rules)
 324 <-> FINGER null request (finger.rules)
 326 <-> FINGER remote command execution attempt (finger.rules)
 327 <-> FINGER remote command pipe execution attempt (finger.rules)
 328 <-> FINGER bomb attempt (finger.rules)
 330 <-> FINGER redirection attempt (finger.rules)
 331 <-> FINGER cybercop query (finger.rules)
 332 <-> FINGER 0 query (finger.rules)
 333 <-> FINGER . query (finger.rules)
 334 <-> FTP .forward (ftp.rules)
 335 <-> FTP .rhosts (ftp.rules)
 336 <-> FTP CWD ~root attempt (ftp.rules)
 337 <-> FTP CEL overflow attempt (ftp.rules)
 353 <-> FTP adm scan (ftp.rules)
 354 <-> FTP iss scan (ftp.rules)
 355 <-> FTP pass wh00t (ftp.rules)
 356 <-> FTP passwd retrieval attempt (ftp.rules)
 357 <-> FTP piss scan (ftp.rules)
 358 <-> FTP saint scan (ftp.rules)
 359 <-> FTP satan scan (ftp.rules)
 360 <-> FTP serv-u directory transversal (ftp.rules)
 361 <-> FTP SITE EXEC attempt (ftp.rules)
 362 <-> FTP tar parameters (ftp.rules)
 631 <-> SMTP ehlo cybercop attempt (smtp.rules)
 632 <-> SMTP expn cybercop attempt (smtp.rules)
 654 <-> SMTP RCPT TO overflow (smtp.rules)
 655 <-> SMTP sendmail 8.6.9 exploit (smtp.rules)
 657 <-> SMTP chameleon overflow (smtp.rules)
 658 <-> SMTP exchange mime DOS (smtp.rules)
 659 <-> SMTP expn decode (smtp.rules)
 660 <-> SMTP expn root (smtp.rules)
 661 <-> SMTP majordomo ifs (smtp.rules)
 662 <-> SMTP sendmail 5.5.5 exploit (smtp.rules)
 663 <-> SMTP rcpt to command attempt (smtp.rules)
 664 <-> SMTP RCPT TO decode attempt (smtp.rules)
 665 <-> SMTP sendmail 5.6.5 exploit (smtp.rules)
 667 <-> SMTP sendmail 8.6.10 exploit (smtp.rules)
 668 <-> SMTP sendmail 8.6.10 exploit (smtp.rules)
 669 <-> SMTP sendmail 8.6.9 exploit (smtp.rules)
 670 <-> SMTP sendmail 8.6.9 exploit (smtp.rules)
 671 <-> SMTP sendmail 8.6.9c exploit (smtp.rules)
 672 <-> SMTP vrfy decode (smtp.rules)
1225 <-> X11 MIT Magic Cookie detected (x11.rules)
1226 <-> X11 xopen (x11.rules)
1229 <-> FTP CWD ... (ftp.rules)
1377 <-> FTP wu-ftp bad file completion attempt [ (ftp.rules)
1378 <-> FTP wu-ftp bad file completion attempt { (ftp.rules)
1379 <-> FTP STAT overflow attempt (ftp.rules)
1435 <-> DNS named authors attempt (dns.rules)
1446 <-> SMTP vrfy root (smtp.rules)
1450 <-> SMTP expn *@ (smtp.rules)
1529 <-> FTP SITE overflow attempt (ftp.rules)
1541 <-> FINGER version query (finger.rules)
1549 <-> SMTP HELO overflow attempt (smtp.rules)
1550 <-> SMTP ETRN overflow attempt (smtp.rules)
1562 <-> FTP SITE CHOWN overflow attempt (ftp.rules)
1616 <-> DNS named version attempt (dns.rules)
1621 <-> FTP CMD overflow attempt (ftp.rules)
1622 <-> FTP RNFR ././ attempt (ftp.rules)
1623 <-> FTP invalid MODE (ftp.rules)
1624 <-> FTP PWD overflow attempt (ftp.rules)
1625 <-> FTP SYST overflow attempt (ftp.rules)
1672 <-> FTP CWD ~ attempt (ftp.rules)
1734 <-> FTP USER overflow attempt (ftp.rules)
1755 <-> IMAP partial body buffer overflow attempt (imap.rules)
1777 <-> FTP EXPLOIT STAT * dos attempt (ftp.rules)
1778 <-> FTP EXPLOIT STAT ? dos attempt (ftp.rules)
1842 <-> IMAP login buffer overflow attempt (imap.rules)
1844 <-> IMAP authenticate overflow attempt (imap.rules)
1845 <-> IMAP list literal overflow attempt (imap.rules)
1864 <-> FTP SITE NEWER attempt (ftp.rules)
1888 <-> FTP SITE CPWD overflow attempt (ftp.rules)
1902 <-> IMAP lsub literal overflow attempt (imap.rules)
1903 <-> IMAP rename overflow attempt (imap.rules)
1904 <-> IMAP find overflow attempt (imap.rules)
1919 <-> FTP CWD overflow attempt (ftp.rules)
1920 <-> FTP SITE NEWER overflow attempt (ftp.rules)
1921 <-> FTP SITE ZIPCHK overflow attempt (ftp.rules)
1927 <-> FTP authorized_keys (ftp.rules)
1928 <-> FTP shadow retrieval attempt (ftp.rules)
1930 <-> IMAP auth literal overflow attempt (imap.rules)
1942 <-> FTP RMDIR overflow attempt (ftp.rules)
1948 <-> DNS zone transfer UDP (dns.rules)
1971 <-> FTP SITE EXEC format string attempt (ftp.rules)
1972 <-> FTP PASS overflow attempt (ftp.rules)
1973 <-> FTP MKD overflow attempt (ftp.rules)
1974 <-> FTP REST overflow attempt (ftp.rules)
1975 <-> FTP DELE overflow attempt (ftp.rules)
1976 <-> FTP RMD overflow attempt (ftp.rules)
1992 <-> FTP LIST directory traversal attempt (ftp.rules)
1993 <-> IMAP login literal buffer overflow attempt (imap.rules)
2046 <-> IMAP partial body.peek buffer overflow attempt (imap.rules)
2087 <-> SMTP From comment overflow attempt (smtp.rules)
2105 <-> IMAP authenticate literal overflow attempt (imap.rules)
2106 <-> IMAP lsub overflow attempt (imap.rules)
2107 <-> IMAP create buffer overflow attempt (imap.rules)
2118 <-> IMAP list overflow attempt (imap.rules)
2119 <-> IMAP rename literal overflow attempt (imap.rules)
2120 <-> IMAP create literal buffer overflow attempt (imap.rules)
2125 <-> FTP CWD Root directory transversal attempt (ftp.rules)
2178 <-> FTP USER format string attempt (ftp.rules)
2179 <-> FTP PASS format string attempt (ftp.rules)
2183 <-> SMTP Content-Transfer-Encoding overflow attempt (smtp.rules)
2253 <-> SMTP XEXCH50 overflow attempt (smtp.rules)
2259 <-> SMTP EXPN overflow attempt (smtp.rules)
2260 <-> SMTP VRFY overflow attempt (smtp.rules)
2261 <-> SMTP SEND FROM sendmail prescan too many addresses overflow (smtp.rules)
2262 <-> SMTP SEND FROM sendmail prescan too long addresses overflow (smtp.rules)
2263 <-> SMTP SAML FROM sendmail prescan too many addresses overflow (smtp.rules)
2264 <-> SMTP SAML FROM sendmail prescan too long addresses overflow (smtp.rules)
2265 <-> SMTP SOML FROM sendmail prescan too many addresses overflow (smtp.rules)
2266 <-> SMTP SOML FROM sendmail prescan too long addresses overflow (smtp.rules)
2267 <-> SMTP MAIL FROM sendmail prescan too many addresses overflow (smtp.rules)
2268 <-> SMTP MAIL FROM sendmail prescan too long addresses overflow (smtp.rules)
2269 <-> SMTP RCPT TO sendmail prescan too many addresses overflow (smtp.rules)
2270 <-> SMTP RCPT TO sendmail prescan too long addresses overflow (smtp.rules)
2272 <-> FTP LIST integer overflow attempt (ftp.rules)
2273 <-> IMAP login brute force attempt (imap.rules)
2275 <-> SMTP AUTH LOGON brute force attempt (smtp.rules)
2330 <-> IMAP auth overflow attempt (imap.rules)
2332 <-> FTP MKDIR format string attempt (ftp.rules)
2333 <-> FTP RENAME format string attempt (ftp.rules)
2334 <-> FTP Yak! FTP server default account login attempt (ftp.rules)
2335 <-> FTP RMD / attempt (ftp.rules)
2338 <-> FTP LIST buffer overflow attempt (ftp.rules)
2340 <-> FTP SITE CHMOD overflow attempt (ftp.rules)
2343 <-> FTP STOR overflow attempt (ftp.rules)
2344 <-> FTP XCWD overflow attempt (ftp.rules)
2373 <-> FTP XMKD overflow attempt (ftp.rules)
2374 <-> FTP NLST overflow attempt (ftp.rules)
2389 <-> FTP RNTO overflow attempt (ftp.rules)
2390 <-> FTP STOU overflow attempt (ftp.rules)
2391 <-> FTP APPE overflow attempt (ftp.rules)
2392 <-> FTP RETR overflow attempt (ftp.rules)
2416 <-> FTP invalid MDTM command attempt (ftp.rules)
2417 <-> FTP format string attempt (ftp.rules)
2449 <-> FTP ALLO overflow attempt (ftp.rules)
2487 <-> SMTP WinZip MIME content-type buffer overflow (smtp.rules)
2488 <-> SMTP WinZip MIME content-disposition buffer overflow (smtp.rules)
2497 <-> IMAP SSLv3 invalid data version attempt (imap.rules)
2504 <-> SMTP SSLv3 invalid data version attempt (smtp.rules)
2517 <-> IMAP PCT Client_Hello overflow attempt (imap.rules)
2527 <-> SMTP STARTTLS attempt (smtp.rules)
2528 <-> SMTP PCT Client_Hello overflow attempt (smtp.rules)
2529 <-> IMAP SSLv3 Client_Hello request (imap.rules)
2530 <-> IMAP SSLv3 Server_Hello request (imap.rules)
2531 <-> IMAP SSLv3 invalid Client_Hello attempt (imap.rules)
2541 <-> SMTP TLS SSLv3 invalid data version attempt (smtp.rules)
2542 <-> SMTP SSLv3 Client_Hello request (smtp.rules)
2543 <-> SMTP SSLv3 Server_Hello request (smtp.rules)
2544 <-> SMTP SSLv3 invalid Client_Hello attempt (smtp.rules)
2546 <-> FTP MDTM overflow attempt (ftp.rules)
2574 <-> FTP RETR format string attempt (ftp.rules)
2590 <-> SMTP MAIL FROM overflow attempt (smtp.rules)
2664 <-> IMAP login format string attempt (imap.rules)
2665 <-> IMAP login literal format string attempt (imap.rules)
2921 <-> DNS UDP inverse query (dns.rules)
2922 <-> DNS TCP inverse query (dns.rules)
3007 <-> IMAP delete overflow attempt (imap.rules)
3008 <-> IMAP delete literal overflow attempt (imap.rules)
3058 <-> IMAP copy literal overflow attempt (imap.rules)
3065 <-> IMAP append literal overflow attempt (imap.rules)
3066 <-> IMAP append overflow attempt (imap.rules)
3067 <-> IMAP examine literal overflow attempt (imap.rules)
3068 <-> IMAP examine overflow attempt (imap.rules)
3069 <-> IMAP fetch literal overflow attempt (imap.rules)
3070 <-> IMAP fetch overflow attempt (imap.rules)
3071 <-> IMAP status literal overflow attempt (imap.rules)
3072 <-> IMAP status overflow attempt (imap.rules)
3073 <-> IMAP subscribe literal overflow attempt (imap.rules)
3074 <-> IMAP subscribe overflow attempt (imap.rules)
3075 <-> IMAP unsubscribe literal overflow attempt (imap.rules)
3076 <-> IMAP unsubscribe overflow attempt (imap.rules)
3077 <-> FTP RNFR overflow attempt (ftp.rules)
3151 <-> FINGER / execution attempt (finger.rules)
3153 <-> DNS TCP inverse query overflow (dns.rules)
3154 <-> DNS UDP inverse query overflow (dns.rules)
3441 <-> FTP PORT bounce attempt (ftp.rules)
3460 <-> FTP REST with numeric argument (ftp.rules)
3461 <-> SMTP Content-Type overflow attempt (smtp.rules)
3462 <-> SMTP Content-Encoding overflow attempt (smtp.rules)
3487 <-> IMAP SSLv2 Client_Hello request (imap.rules)
3488 <-> IMAP SSLv2 Client_Hello with pad request (imap.rules)
3489 <-> IMAP TLSv1 Client_Hello request (imap.rules)
3490 <-> IMAP TLSv1 Client_Hello via SSLv2 handshake request (imap.rules)
3491 <-> IMAP SSLv2 Server_Hello request (imap.rules)
3492 <-> IMAP TLSv1 Server_Hello request (imap.rules)
3493 <-> SMTP SSLv2 Client_Hello request (smtp.rules)
3494 <-> SMTP SSLv2 Client_Hello with pad request (smtp.rules)
3495 <-> SMTP TLSv1 Client_Hello request (smtp.rules)
3496 <-> SMTP TLSv1 Client_Hello via SSLv2 handshake request (smtp.rules)
3497 <-> SMTP SSLv2 Server_Hello request (smtp.rules)
3498 <-> SMTP TLSv1 Server_Hello request (smtp.rules)
3511 <-> SMTP PCT Client_Hello overflow attempt (smtp.rules)
3523 <-> FTP SITE INDEX format string attempt (ftp.rules)
3532 <-> FTP ORACLE password buffer overflow attempt (ftp.rules)
3630 <-> FTP ORACLE TEST command buffer overflow attempt (ftp.rules)
3631 <-> FTP ORACLE user name buffer overflow attempt (ftp.rules)
3653 <-> SMTP SAML overflow attempt (smtp.rules)
3654 <-> SMTP SOML overflow attempt (smtp.rules)
3655 <-> SMTP SEND overflow attempt (smtp.rules)
3656 <-> SMTP MAIL overflow attempt (smtp.rules)
3682 <-> SMTP spoofed MIME-Type auto-execution attempt (smtp.rules)
3815 <-> SMTP eXchange POP3 mail server overflow attempt (smtp.rules)
3824 <-> SMTP AUTH user overflow attempt (smtp.rules)
4645 <-> IMAP search format string attempt (imap.rules)
4646 <-> IMAP search literal format string attempt (imap.rules)
5685 <-> SMTP TLSv1 Client_Hello via SSLv2 handshake request (smtp.rules)
5686 <-> SMTP TLSv1 Server_Hello request (smtp.rules)
5687 <-> SMTP SSLv2 Client_Hello request (smtp.rules)
5688 <-> SMTP SSLv2 Client_Hello with pad request (smtp.rules)
5689 <-> SMTP TLSv1 Client_Hello request (smtp.rules)
5690 <-> SMTP SSLv3 Client_Hello request (smtp.rules)
5691 <-> SMTP SSLv2 Server_Hello request (smtp.rules)
5696 <-> IMAP delete directory traversal attempt (imap.rules)
5697 <-> IMAP examine directory traversal attempt (imap.rules)
5698 <-> IMAP list directory traversal attempt (imap.rules)
5699 <-> IMAP lsub directory traversal attempt (imap.rules)
5700 <-> IMAP rename directory traversal attempt (imap.rules)
5701 <-> IMAP status directory traversal attempt (imap.rules)
5702 <-> IMAP subscribe directory traversal attempt (imap.rules)
5703 <-> IMAP unsubscribe directory traversal attempt (imap.rules)
5704 <-> IMAP SELECT overflow attempt (imap.rules)
5705 <-> IMAP CAPABILITY overflow attempt (imap.rules)
5714 <-> SMTP x-unix-mode executable mail attachment (smtp.rules)
5739 <-> SMTP headers too long server response (smtp.rules)
6412 <-> SMTP Windows Address Book attachment detected (smtp.rules)
6413 <-> SMTP Base64 encoded Windows Address Book attachment detected (smtp.rules)
8415 <-> FTP SIZE overflow attempt (ftp.rules)
8432 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules)
8433 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules)
8434 <-> SMTP SSLv3 openssl get shared ciphers overflow attempt (smtp.rules)
8435 <-> SMTP SSLv3 openssl get shared ciphers overflow attempt (smtp.rules)
8436 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules)
8437 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules)
8438 <-> IMAP SSLv2 openssl get shared ciphers overflow attempt (imap.rules)
8439 <-> IMAP SSLv3 openssl get shared ciphers overflow attempt (imap.rules)
8440 <-> IMAP SSLv2 openssl get shared ciphers overflow attempt (imap.rules)
8479 <-> FTP HELP overflow attempt (ftp.rules)
8480 <-> FTP PORT overflow attempt (ftp.rules)
8481 <-> FTP Microsoft NLST * dos attempt (ftp.rules)
8704 <-> SMTP YPOPS Banner (smtp.rules)
8705 <-> SMTP YPOPS buffer overflow attempt (smtp.rules)
8707 <-> FTP WZD-FTPD SITE arbitrary command execution attempt (ftp.rules)
8709 <-> DNS Windows NAT helper components tcp denial of service attempt (dns.rules)
8710 <-> DNS Windows NAT helper components udp denial of service attempt (dns.rules)
9601 <-> NETBIOS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance little endian attempt (netbios.rules)
9792 <-> FTP PASV overflow attempt (ftp.rules)
9841 <-> SMTP Microsoft Outlook VEVENT overflow attempt (smtp.rules)
10011 <-> IMAP Novell NetMail APPEND command buffer overflow attempt (imap.rules)
10012 <-> SMTP Microsoft Outlook VEVENT non-TZID overflow attempt (smtp.rules)
10186 <-> SMTP ClamAV mime parsing directory traversal (smtp.rules)
10188 <-> FTP Wsftp XMD5 overflow attempt (ftp.rules)
10995 <-> SMTP possible BDAT DoS attempt (smtp.rules)
11004 <-> IMAP CRAM-MD5 authentication method buffer overflow (imap.rules)
11222 <-> SMTP Exchange MODPROPS denial of service attempt (smtp.rules)