Sourcefire VRT Rules Update

Date: 2007-09-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.4.

The format of the file is:

sid <-> Message (rule group)

New rules:
12353 <-> NETBIOS DCERPC DIRECT ca-alert alter context attempt (netbios.rules)
12354 <-> NETBIOS DCERPC DIRECT ca-alert little endian alter context attempt (netbios.rules)
12355 <-> NETBIOS DCERPC DIRECT ca-alert bind attempt (netbios.rules)
12356 <-> NETBIOS DCERPC DIRECT ca-alert little endian bind attempt (netbios.rules)
12357 <-> EXPLOIT Apple mDNSresponder excessive HTTP headers (exploit.rules)
12358 <-> EXPLOIT Helix DNA Server RTSP require tag heap overflow (exploit.rules)
12359 <-> EXPLOIT Asterisk data length field overflow (exploit.rules)
12360 <-> WEB-PHP PHP function CRLF injection attempt (web-php.rules)
12361 <-> SPYWARE-PUT Infostealer.Monstres runtime detection (spyware-put.rules)
12362 <-> EXPLOIT Squid HTTP Proxy-Authorization overflow (exploit.rules)

Updated rules:
2048 <-> DELETED MISC rsyncd overflow attempt (deleted.rules)
9790 <-> EXPLOIT HP-UX lpd command execution attempt (exploit.rules)
12189 <-> WEB-CLIENT Clever Internet Suite ActiveX clsid access (web-client.rules)
12190 <-> WEB-CLIENT Clever Internet Suite ActiveX clsid unicode access (web-client.rules)
12191 <-> WEB-CLIENT Clever Internet Suite ActiveX function call access (web-client.rules)
12192 <-> WEB-CLIENT Clever Internet Suite ActiveX function call unicode access (web-client.rules)
12200 <-> WEB-CLIENT VMWare IntraProcessLogging ActiveX clsid access (web-client.rules)
12201 <-> WEB-CLIENT VMWare IntraProcessLogging ActiveX clsid unicode access (web-client.rules)
12257 <-> WEB-CLIENT Microsoft DirectX Media SDK ActiveX clsid access (web-client.rules)
12258 <-> WEB-CLIENT Microsoft DirectX Media SDK ActiveX clsid unicode access (web-client.rules)
12259 <-> WEB-CLIENT Microsoft DirectX Media SDK ActiveX function call access (web-client.rules)
12260 <-> WEB-CLIENT Microsoft DirectX Media SDK ActiveX function call unicode access (web-client.rules)
12299 <-> EXPLOIT Cisco NHRP incorrect packet size (exploit.rules)
12300 <-> EXPLOIT Cisco NHRP incorrect packet size (exploit.rules)
12301 <-> WEB-CLIENT eCentrex VOIP Client Module ActiveX clsid access (web-client.rules)
12302 <-> WEB-CLIENT eCentrex VOIP Client Module ActiveX clsid unicode access (web-client.rules)
12303 <-> POLICY Google Chat web client connection (policy.rules)
12305 <-> POLICY Yahoo Messenger web client connection (policy.rules)
12306 <-> POLICY Microsoft Messenger web client connection (policy.rules)