Sourcefire VRT Rules Update
Date: 2007-08-28
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.4.
The format of the file is:
sid <-> Message (rule group)
New rules:
12285 <-> WEB-CLIENT Excel Workspace file download (web-client.rules)
12286 <-> WEB-CLIENT PCRE character class double free overflow attempt (web-client.rules)
12287 <-> SPYWARE-PUT Hijacker scn toolbar runtime detection - ebrss request (spyware-put.rules)
12288 <-> SPYWARE-PUT Hijacker scn toolbar runtime detection - hijack ie searches (spyware-put.rules)
12289 <-> SPYWARE-PUT Hijacker scn toolbar runtime detection - get updates (spyware-put.rules)
12290 <-> SPYWARE-PUT Hijacker newdotnet quick! search runtime detection (spyware-put.rules)
12291 <-> SPYWARE-PUT Trackware vmn toolbar runtime detection (spyware-put.rules)
12292 <-> SPYWARE-PUT Hijacker morpheus toolbar runtime detection - hijack/search (spyware-put.rules)
12293 <-> SPYWARE-PUT Hijacker morpheus toolbar runtime detection - get cfg info (spyware-put.rules)
12294 <-> SPYWARE-PUT Hijacker 3search runtime detection - counter (spyware-put.rules)
12295 <-> SPYWARE-PUT Hijacker 3search runtime detection - hijacking (spyware-put.rules)
12296 <-> SPYWARE-PUT Hijacker 3search runtime detection - update (spyware-put.rules)
12297 <-> BACKDOOR bifrost v1.2.1 runtime detection (backdoor.rules)
12298 <-> BACKDOOR bifrost v1.2.1 runtime detection (backdoor.rules)
12299 <-> EXPLOIT Cisco NHRP incorrect packet size (exploit.rules)
12300 <-> EXPLOIT Cisco NHRP incorrect packet size (exploit.rules)
12301 <-> WEB-CLIENT eCentrex VOIP Client Module ActiveX clsid access (web-client.rules)
12302 <-> WEB-CLIENT eCentrex VOIP Client Module ActiveX clsid unicode access (web-client.rules)
12303 <-> POLICY Google Chat web client connection (policy.rules)
12304 <-> POLICY AOL Instant Messenger web client connection (policy.rules)
12305 <-> POLICY Yahoo Messenger web client connection (policy.rules)
12306 <-> POLICY Microsoft Messenger web client connection (policy.rules)
12307 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetPagerNotifyConfig little endian attempt (netbios.rules)
12308 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetPagerNotifyConfig attempt (netbios.rules)
12309 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig attempt (netbios.rules)
12310 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig little endian attempt (netbios.rules)
12311 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig object call attempt (netbios.rules)
12312 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig little endian object call attempt (netbios.rules)
12313 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent alter context attempt (netbios.rules)
12314 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent little endian alter context attempt (netbios.rules)
12315 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent bind attempt (netbios.rules)
12316 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent little endian bind attempt (netbios.rules)
12317 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect-earthagent _SetSpntShareConfig little endian attempt (netbios.rules)
12318 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect-earthagent _SetSpntShareConfig attempt (netbios.rules)
12319 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent _SetSpntShareConfig attempt (netbios.rules)
12320 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent _SetSpntShareConfig little endian attempt (netbios.rules)
12321 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent _SetSpntShareConfig object call attempt (netbios.rules)
12322 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent _SetSpntShareConfig little endian object call attempt (netbios.rules)
12323 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _AddTaskExportLogItem attempt (netbios.rules)
12324 <-> NETBIOS DCERPC DIRECT trend-serverprotect _AddTaskExportLogItem little endian attempt (netbios.rules)
12325 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _AddTaskExportLogItem little endian attempt (netbios.rules)
12326 <-> NETBIOS DCERPC DIRECT trend-serverprotect _AddTaskExportLogItem attempt (netbios.rules)
12327 <-> NETBIOS DCERPC DIRECT trend-serverprotect _AddTaskExportLogItem little endian object call attempt (netbios.rules)
12328 <-> NETBIOS DCERPC DIRECT trend-serverprotect _AddTaskExportLogItem object call attempt (netbios.rules)
12329 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _TakeActionOnAFile attempt (netbios.rules)
12330 <-> NETBIOS DCERPC DIRECT trend-serverprotect _TakeActionOnAFile little endian attempt (netbios.rules)
12331 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _TakeActionOnAFile little endian attempt (netbios.rules)
12332 <-> NETBIOS DCERPC DIRECT trend-serverprotect _TakeActionOnAFile attempt (netbios.rules)
12333 <-> NETBIOS DCERPC DIRECT trend-serverprotect _TakeActionOnAFile little endian object call attempt (netbios.rules)
12334 <-> NETBIOS DCERPC DIRECT trend-serverprotect _TakeActionOnAFile object call attempt (netbios.rules)
12335 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect Trent_req_num_30010 overflow attempt (netbios.rules)
12336 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_30010 overflow attempt (netbios.rules)
12337 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_30010 little endian overflow attempt (netbios.rules)
12338 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect Trent_req_num_30010 little endian overflow attempt (netbios.rules)
12339 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_30010 object call overflow attempt (netbios.rules)
12340 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_30010 little endian object call overflow attempt (netbios.rules)
12341 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_a0030 little endian attempt (netbios.rules)
12342 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect Trent_req_num_a0030 attempt (netbios.rules)
12343 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_a0030 attempt (netbios.rules)
12344 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect Trent_req_num_a0030 little endian attempt (netbios.rules)
12345 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_a0030 little endian object call attempt (netbios.rules)
12346 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_a0030 object call attempt (netbios.rules)
12347 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetSvcImpersonateUser little endian attempt (netbios.rules)
12348 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetSvcImpersonateUser little endian attempt (netbios.rules)
12349 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetSvcImpersonateUser attempt (netbios.rules)
12350 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetSvcImpersonateUser attempt (netbios.rules)
12351 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetSvcImpersonateUser little endian object call attempt (netbios.rules)
12352 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetSvcImpersonateUser object call attempt (netbios.rules)

Updated rules:
12269 <-> WEB-CLIENT Microsoft Visual Basic 6 TLIApplication ActiveX clsid access (web-client.rules)
12270 <-> WEB-CLIENT Microsoft Visual Basic 6 TLIApplication ActiveX clsid unicode access (web-client.rules)
12271 <-> WEB-CLIENT Microsoft Visual Basic 6 TLIApplication ActiveX function call access (web-client.rules)
12272 <-> WEB-CLIENT Microsoft Visual Basic 6 TLIApplication ActiveX function call unicode access (web-client.rules)
12277 <-> EXPLOIT Microsoft IE CSS memory corruption exploit (exploit.rules)
12279 <-> WEB-CLIENT Microsoft XML substringData integer overflow attempt (web-client.rules)
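A parser for the announcement format described above, added here as an example; it is not part of the VRT release notes or of any Sourcefire tooling. It reads the "New rules:" / "Updated rules:" sections, accepts either the "sid - Message" separator the header names or the "<->" the entries actually use, copes with entries run together on one line (as extracted copies of these mails often are), and then checks the announced SIDs against local .rules text so an operator can confirm a rule pull-down delivered every rule in the notice. The sample announcement and the local rule lines are constructed for the example (the SIDs are from the list above, the rule bodies are not real VRT rules).

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One entry: "<sid> <-> <message> (<file>.rules)".  The header says
# "sid - Message", the entries use "<->"; accept both separators.
ENTRY_RE = re.compile(r"(\d+)\s+(?:<->|-)\s+(.*?)\s+\(([\w.-]+\.rules)\)")
SECTION_RE = re.compile(r"(New rules|Updated rules):")
# "sid:N;" as it appears inside a Snort rule body in a local .rules file.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


@dataclass(frozen=True)
class RuleEntry:
    sid: int
    section: str      # "New rules" or "Updated rules"
    category: str     # first word of the message, e.g. "NETBIOS"
    message: str
    rule_file: str


def parse_announcement(text: str) -> list[RuleEntry]:
    """Parse a VRT rule update notice into entries, in announcement order.
    Entries may sit one per line or run together on a single line."""
    entries: list[RuleEntry] = []
    section = None
    # Splitting on a capturing group keeps the section names in the result,
    # so each chunk of entries is preceded by its section name.
    for part in SECTION_RE.split(text):
        if part in ("New rules", "Updated rules"):
            section = part
            continue
        if section is None:
            continue  # preamble (title, date, format line) before the first section
        for sid, message, rule_file in ENTRY_RE.findall(part):
            entries.append(RuleEntry(int(sid), section, message.split()[0],
                                     message, rule_file))
    return entries


def summarize(entries: list[RuleEntry]) -> dict[tuple[str, str], int]:
    """Count entries per (section, rule file), e.g. how many rules were
    added to netbios.rules in this pack."""
    return dict(Counter((e.section, e.rule_file) for e in entries))


def sids_missing_locally(entries: list[RuleEntry], local_rules_text: str) -> list[int]:
    """Announced SIDs that do not appear as 'sid:N;' in the local rule files:
    a non-empty result means the deployed pack does not match the notice."""
    local = {int(s) for s in SID_RE.findall(local_rules_text)}
    return sorted(e.sid for e in entries if e.sid not in local)


# Constructed sample in the announcement's format, with some entries run
# together on one line and one on its own line.
SAMPLE_ANNOUNCEMENT = """Sourcefire VRT Rules Update
The format of the file is:
sid - Message (rule group)
New rules: 12285 <-> WEB-CLIENT Excel Workspace file download (web-client.rules) 12297 <-> BACKDOOR bifrost v1.2.1 runtime detection (backdoor.rules) 12307 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetPagerNotifyConfig little endian attempt (netbios.rules)
12308 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetPagerNotifyConfig attempt (netbios.rules)
Updated rules: 12277 <-> EXPLOIT Microsoft IE CSS memory corruption exploit (exploit.rules)
"""

# Constructed local rule lines (not real VRT rule bodies) that contain only
# some of the announced SIDs, so the check has something to report.
SAMPLE_LOCAL_RULES = """alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Excel Workspace file download"; sid:12285; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetPagerNotifyConfig attempt"; sid:12308; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft IE CSS memory corruption exploit"; sid:12277; rev:2;)
"""


if __name__ == "__main__":
    parsed = parse_announcement(SAMPLE_ANNOUNCEMENT)
    for entry in parsed:
        print(f"{entry.sid} [{entry.section}] {entry.category}: {entry.message} -> {entry.rule_file}")
    print("per section/file:", summarize(parsed))
    print("announced but not in local rules:", sids_missing_locally(parsed, SAMPLE_LOCAL_RULES))
```

Run against the full announcement text and the concatenated contents of your local rules directory, the missing-SID check is the quick way to catch a partial or stale pack; an empty list is the expected result after a successful update. The message prefix (WEB-CLIENT, NETBIOS, ...) is kept separately from the rule file because the two do not always agree one-to-one across VRT packs.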
