Sourcefire VRT Rules Update
Date: 2007-08-01
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.4.
The format of the file is:
sid - Message (rule group)
New rules:
12114 <-> IMAP Ipswitch IMail search command buffer overflow attempt (imap.rules)
12115 <-> IMAP Ipswitch IMail search command buffer overflow attempt (imap.rules)
12116 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX clsid access (web-client.rules)
12117 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX clsid unicode access (web-client.rules)
12118 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX function call access (web-client.rules)
12119 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX function call unicode access (web-client.rules)
12120 <-> SPYWARE-PUT Adware pprich runtime detection - version check (spyware-put.rules)
12121 <-> SPYWARE-PUT Adware pprich runtime detection - udp info sent out (spyware-put.rules)
12122 <-> SPYWARE-PUT Trackware spynova runtime detection (spyware-put.rules)
12123 <-> SPYWARE-PUT Hijacker lookquick runtime detection - hijack ie (spyware-put.rules)
12124 <-> SPYWARE-PUT Hijacker lookquick runtime detection - monitor and collect user info (spyware-put.rules)
12125 <-> SPYWARE-PUT Trackware lookster toolbar runtime detection - hijack ie search assistant (spyware-put.rules)
12126 <-> SPYWARE-PUT Trackware lookster toolbar runtime detection - collect user information (spyware-put.rules)
12127 <-> SPYWARE-PUT Trackware lookster toolbar runtime detection - ads (spyware-put.rules)
12128 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - init connection (spyware-put.rules)
12129 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - get sys info (spyware-put.rules)
12130 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - get sys info (spyware-put.rules)
12131 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - keylogging (spyware-put.rules)
12132 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - keylogging (spyware-put.rules)
12133 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - open url (spyware-put.rules)
12134 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - open url (spyware-put.rules)
12135 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - fun (spyware-put.rules)
12136 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - fun (spyware-put.rules)
12137 <-> SPYWARE-PUT Keylogger Keylogger king home 2.3 runtime detection (spyware-put.rules)
12138 <-> SPYWARE-PUT Adware zamingo runtime detection (spyware-put.rules)
12139 <-> SPYWARE-PUT Trackware stealth website logger 3.4 runtime detection (spyware-put.rules)
12140 <-> SPYWARE-PUT Hijacker cnnic update runtime detection (spyware-put.rules)
12141 <-> SPYWARE-PUT Keylogger logit v1.0 runtime detection (spyware-put.rules)
12142 <-> BACKDOOR access remote pc runtime detection - init connection (backdoor.rules)
12143 <-> BACKDOOR access remote pc runtime detection - init connection (backdoor.rules)
12144 <-> BACKDOOR access remote pc runtime detection - rpc setup (backdoor.rules)
12145 <-> BACKDOOR access remote pc runtime detection - rpc setup (backdoor.rules)
12146 <-> BACKDOOR blue eye 1.0b runtime detection - init connection (backdoor.rules)
12147 <-> BACKDOOR blue eye 1.0b runtime detection - init connection (backdoor.rules)
12148 <-> BACKDOOR back orifice 2006 - v1.1.5 runtime detection - init connection (backdoor.rules)
12149 <-> BACKDOOR back orifice 2006 - v1.1.5 runtime detection - init connection (backdoor.rules)
12150 <-> BACKDOOR cafeini 1.0 runtime detection - init connection (backdoor.rules)
12151 <-> BACKDOOR cafeini 1.0 runtime detection (backdoor.rules)
12152 <-> BACKDOOR optix pro v1.32 runtime detection - init connection (backdoor.rules)
12153 <-> BACKDOOR optix pro v1.32 runtime detection - download file (backdoor.rules)
12154 <-> BACKDOOR optix pro v1.32 runtime detection - download file (backdoor.rules)
12155 <-> BACKDOOR optix pro v1.32 runtime detection - download file (backdoor.rules)
12156 <-> BACKDOOR optix pro v1.32 runtime detection - upload file (backdoor.rules)
12157 <-> BACKDOOR optix pro v1.32 runtime detection - upload file (backdoor.rules)
12158 <-> BACKDOOR optix pro v1.32 runtime detection - upload file (backdoor.rules)
12159 <-> BACKDOOR optix pro v1.32 runtime detection - keylogging (backdoor.rules)
12160 <-> BACKDOOR optix pro v1.32 runtime detection - screen capturing (backdoor.rules)
12161 <-> BACKDOOR optix pro v1.32 runtime detection - screen capturing (backdoor.rules)
12162 <-> BACKDOOR optix pro v1.32 runtime detection - screen capturing (backdoor.rules)
12163 <-> BACKDOOR cobra uploader 1.0 runtime detection (backdoor.rules)
12164 <-> BACKDOOR cobra uploader 1.0 runtime detection (backdoor.rules)
12165 <-> BACKDOOR lithium 1.02 runtime detection (backdoor.rules)
12166 <-> BACKDOOR lithium 1.02 runtime detection (backdoor.rules)
12168 <-> WEB-CLIENT Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX clsid access (web-client.rules)
12169 <-> WEB-CLIENT Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX clsid unicode access (web-client.rules)
12182 <-> POLICY Adobe FLV file transfer (policy.rules)
12183 <-> EXPLOIT Adobe FLV long string script data buffer overflow (exploit.rules)
12184 <-> MISC Microsoft Excel workbook workspace designation handling arbitrary code execution attempt (misc.rules)
12185 <-> RPC portmap 2112 tcp request (rpc.rules)
12186 <-> RPC portmap 2112 udp request (rpc.rules)
12187 <-> RPC portmap 2112 tcp rename_principal attempt (rpc.rules)
12188 <-> RPC portmap 2112 udp rename_principal attempt (rpc.rules)
12189 <-> WEB-CLIENT Clever Internet Suite ActiveX clsid access (web-client.rules)
12190 <-> WEB-CLIENT Clever Internet Suite ActiveX clsid unicode access (web-client.rules)
12191 <-> WEB-CLIENT Clever Internet Suite ActiveX function call access (web-client.rules)
12192 <-> WEB-CLIENT Clever Internet Suite ActiveX function call unicode access (web-client.rules)
12193 <-> WEB-CLIENT Yahoo Widgets Engine ActiveX clsid access (web-client.rules)
12194 <-> WEB-CLIENT Yahoo Widgets Engine ActiveX clsid unicode access (web-client.rules)
12195 <-> WEB-CLIENT Yahoo Widgets Engine ActiveX function call access (web-client.rules)
12196 <-> WEB-CLIENT Yahoo Widgets Engine ActiveX function call unicode access (web-client.rules)
12197 <-> EXPLOIT CA message queuing server buffer overflow attempt (exploit.rules)
12198 <-> SNMP MS Windows getbulk request (snmp.rules)
12199 <-> DOS RIM BlackBerry SRP negative string size (dos.rules)
12200 <-> WEB-CLIENT VMWare IntraProcessLogging ActiveX clsid access (web-client.rules)
12201 <-> WEB-CLIENT VMWare IntraProcessLogging ActiveX clsid unicode access (web-client.rules)
12202 <-> DELETED EXPLOIT Ingres long message heap buffer overflow attempt (deleted.rules)

Updated rules:
10418 <-> EXPLOIT lpd Solaris unlink file attempt (exploit.rules)
11617 <-> DELETED EXPLOIT Zenworks password authentication buffer overflow (deleted.rules)
11680 <-> MISC Sun Java web proxy sockd buffer overflow attempt (misc.rules)
11687 <-> WEB-MISC Apache SSI error page cross-site scripting (web-misc.rules)
12029 <-> WEB-CLIENT HP Digital Imaging hpqxml.dll ActiveX clsid access (web-client.rules)
12030 <-> WEB-CLIENT HP Digital Imaging hpqxml.dll ActiveX clsid unicode access (web-client.rules)
12062 <-> WEB-CLIENT HP Instant Support ActiveX clsid access (web-client.rules)
12063 <-> WEB-CLIENT HP Instant Support ActiveX clsid unicode access (web-client.rules)
12080 <-> EXPLOIT Sun Solaris printd arbitrary file deletion vulnerability (exploit.rules)
12081 <-> EXPLOIT BakBone NetVault heap overflow attempt (exploit.rules)
