Sourcefire VRT Rules Update

Date: 2007-08-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.4.

The format of the file is:

sid <-> Message (rule group, i.e. the .rules file the rule lives in)
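The entries that follow all share that shape, so they can be turned into structured records and checked against a local rule inventory. The Python below is an added example, not part of the original update notice or of the VRT rule pack; the sample text is a constructed subset of lines in the same shape, and the set of locally loaded SIDs passed to missing_sids is a hypothetical inventory.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of this changelog: section headers followed by
# "sid <-> CATEGORY message (rules file)" entries (double space on purpose, as on
# the page).
SAMPLE = """\
New rules:
12285 <-> WEB-CLIENT Excel Workspace file download (web-client.rules)
12299 <-> EXPLOIT Cisco NHRP incorrect packet size (exploit.rules)
12306 <-> POLICY  Microsoft Messenger web client connection (policy.rules)
12347 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetSvcImpersonateUser little endian attempt (netbios.rules)

Updated rules:
12277 <-> EXPLOIT Microsoft IE CSS memory corruption exploit (exploit.rules)
"""

# sid, "<->", upper-case category token, free-text message, "(file.rules)".
ENTRY_RE = re.compile(
    r"^(?P<sid>\d+)\s+<->\s+(?P<category>[A-Z][A-Z0-9-]*)\s+"
    r"(?P<msg>.+?)\s+\((?P<file>[\w.-]+\.rules)\)\s*$"
)
SECTION_RE = re.compile(r"^(?P<section>New|Updated) rules:\s*$")


def parse_changelog(text):
    """Parse changelog text into a list of dicts: sid, category, msg, file, section.

    Raises ValueError on a line that matches neither a section header nor an
    entry, so a format drift in a future update is noticed rather than skipped.
    """
    entries = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section").lower()   # "new" or "updated"
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised entry: {raw!r}")
        if section is None:
            raise ValueError(f"line {lineno}: entry before any section header")
        entries.append({
            "sid": int(m.group("sid")),
            "category": m.group("category"),
            "msg": re.sub(r"\s+", " ", m.group("msg")),  # collapse stray spaces
            "file": m.group("file"),
            "section": section,
        })
    return entries


def summarize(entries):
    """Count entries per (section, rules file) so reviewers see where the churn is."""
    counts = defaultdict(int)
    for e in entries:
        counts[(e["section"], e["file"])] += 1
    return dict(counts)


def missing_sids(entries, loaded_sids):
    """SIDs named in the update that are absent from the locally loaded set."""
    return sorted(e["sid"] for e in entries if e["sid"] not in loaded_sids)


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    for key, n in sorted(summarize(parsed).items()):
        print(f"{key[0]:8s} {key[1]:20s} {n}")
    # Hypothetical local inventory: only two of the sample SIDs are loaded.
    print("not yet loaded:", missing_sids(parsed, {12285, 12277}))
```

Feeding the full notice through parse_changelog and diffing against the SIDs present in the deployed rules files (for example, the `sid:` values grepped out of the local .rules) gives the list of rules that still need to be pulled, which is the check most people want to run on one of these announcements.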

New rules:
12285 <-> WEB-CLIENT Excel Workspace file download (web-client.rules)
12286 <-> WEB-CLIENT PCRE character class double free overflow attempt (web-client.rules)
12287 <-> SPYWARE-PUT Hijacker scn toolbar runtime detection - ebrss request (spyware-put.rules)
12288 <-> SPYWARE-PUT Hijacker scn toolbar runtime detection - hijack ie searches (spyware-put.rules)
12289 <-> SPYWARE-PUT Hijacker scn toolbar runtime detection - get updates (spyware-put.rules)
12290 <-> SPYWARE-PUT Hijacker newdotnet quick! search runtime detection (spyware-put.rules)
12291 <-> SPYWARE-PUT Trackware vmn toolbar runtime detection (spyware-put.rules)
12292 <-> SPYWARE-PUT Hijacker morpheus toolbar runtime detection - hijack/search (spyware-put.rules)
12293 <-> SPYWARE-PUT Hijacker morpheus toolbar runtime detection - get cfg info (spyware-put.rules)
12294 <-> SPYWARE-PUT Hijacker 3search runtime detection - counter (spyware-put.rules)
12295 <-> SPYWARE-PUT Hijacker 3search runtime detection - hijacking (spyware-put.rules)
12296 <-> SPYWARE-PUT Hijacker 3search runtime detection - update (spyware-put.rules)
12297 <-> BACKDOOR bifrost v1.2.1 runtime detection (backdoor.rules)
12298 <-> BACKDOOR bifrost v1.2.1 runtime detection (backdoor.rules)
12299 <-> EXPLOIT Cisco NHRP incorrect packet size (exploit.rules)
12300 <-> EXPLOIT Cisco NHRP incorrect packet size (exploit.rules)
12301 <-> WEB-CLIENT eCentrex VOIP Client Module ActiveX clsid access (web-client.rules)
12302 <-> WEB-CLIENT eCentrex VOIP Client Module ActiveX clsid unicode access (web-client.rules)
12303 <-> POLICY Google Chat web client connection (policy.rules)
12304 <-> POLICY AOL Instant Messenger web client connection (policy.rules)
12305 <-> POLICY Yahoo Messenger web client connection (policy.rules)
12306 <-> POLICY Microsoft Messenger web client connection (policy.rules)
12307 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetPagerNotifyConfig little endian attempt (netbios.rules)
12308 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetPagerNotifyConfig attempt (netbios.rules)
12309 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig attempt (netbios.rules)
12310 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig little endian attempt (netbios.rules)
12311 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig object call attempt (netbios.rules)
12312 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig little endian object call attempt (netbios.rules)
12313 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent alter context attempt (netbios.rules)
12314 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent little endian alter context attempt (netbios.rules)
12315 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent bind attempt (netbios.rules)
12316 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent little endian bind attempt (netbios.rules)
12317 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect-earthagent _SetSpntShareConfig little endian attempt (netbios.rules)
12318 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect-earthagent _SetSpntShareConfig attempt (netbios.rules)
12319 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent _SetSpntShareConfig attempt (netbios.rules)
12320 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent _SetSpntShareConfig little endian attempt (netbios.rules)
12321 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent _SetSpntShareConfig object call attempt (netbios.rules)
12322 <-> NETBIOS DCERPC DIRECT trend-serverprotect-earthagent _SetSpntShareConfig little endian object call attempt (netbios.rules)
12323 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _AddTaskExportLogItem attempt (netbios.rules)
12324 <-> NETBIOS DCERPC DIRECT trend-serverprotect _AddTaskExportLogItem little endian attempt (netbios.rules)
12325 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _AddTaskExportLogItem little endian attempt (netbios.rules)
12326 <-> NETBIOS DCERPC DIRECT trend-serverprotect _AddTaskExportLogItem attempt (netbios.rules)
12327 <-> NETBIOS DCERPC DIRECT trend-serverprotect _AddTaskExportLogItem little endian object call attempt (netbios.rules)
12328 <-> NETBIOS DCERPC DIRECT trend-serverprotect _AddTaskExportLogItem object call attempt (netbios.rules)
12329 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _TakeActionOnAFile attempt (netbios.rules)
12330 <-> NETBIOS DCERPC DIRECT trend-serverprotect _TakeActionOnAFile little endian attempt (netbios.rules)
12331 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _TakeActionOnAFile little endian attempt (netbios.rules)
12332 <-> NETBIOS DCERPC DIRECT trend-serverprotect _TakeActionOnAFile attempt (netbios.rules)
12333 <-> NETBIOS DCERPC DIRECT trend-serverprotect _TakeActionOnAFile little endian object call attempt (netbios.rules)
12334 <-> NETBIOS DCERPC DIRECT trend-serverprotect _TakeActionOnAFile object call attempt (netbios.rules)
12335 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect Trent_req_num_30010 overflow attempt (netbios.rules)
12336 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_30010 overflow attempt (netbios.rules)
12337 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_30010 little endian overflow attempt (netbios.rules)
12338 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect Trent_req_num_30010 little endian overflow attempt (netbios.rules)
12339 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_30010 object call overflow attempt (netbios.rules)
12340 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_30010 little endian object call overflow attempt (netbios.rules)
12341 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_a0030 little endian attempt (netbios.rules)
12342 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect Trent_req_num_a0030 attempt (netbios.rules)
12343 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_a0030 attempt (netbios.rules)
12344 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect Trent_req_num_a0030 little endian attempt (netbios.rules)
12345 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_a0030 little endian object call attempt (netbios.rules)
12346 <-> NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_a0030 object call attempt (netbios.rules)
12347 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetSvcImpersonateUser little endian attempt (netbios.rules)
12348 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetSvcImpersonateUser little endian attempt (netbios.rules)
12349 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetSvcImpersonateUser attempt (netbios.rules)
12350 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetSvcImpersonateUser attempt (netbios.rules)
12351 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetSvcImpersonateUser little endian object call attempt (netbios.rules)
12352 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetSvcImpersonateUser object call attempt (netbios.rules)

Updated rules:
12269 <-> WEB-CLIENT Microsoft Visual Basic 6 TLIApplication ActiveX clsid access (web-client.rules)
12270 <-> WEB-CLIENT Microsoft Visual Basic 6 TLIApplication ActiveX clsid unicode access (web-client.rules)
12271 <-> WEB-CLIENT Microsoft Visual Basic 6 TLIApplication ActiveX function call access (web-client.rules)
12272 <-> WEB-CLIENT Microsoft Visual Basic 6 TLIApplication ActiveX function call unicode access (web-client.rules)
12277 <-> EXPLOIT Microsoft IE CSS memory corruption exploit (exploit.rules)
12279 <-> WEB-CLIENT Microsoft XML substringData integer overflow attempt (web-client.rules)