Sourcefire VRT Rules Update

Date: 2007-07-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.6.

Each entry below has the format:

sid <-> Message (rule group)

New rules:
12015 <-> WEB-CLIENT NCTAudioStudio2 NCT WavChunksEditor ActiveX clsid access (web-client.rules)
12016 <-> WEB-CLIENT NCTAudioStudio2 NCT WavChunksEditor ActiveX clsid unicode access (web-client.rules)
12017 <-> WEB-CLIENT NCTAudioStudio2 NCT WavChunksEditor ActiveX function call access (web-client.rules)
12018 <-> WEB-CLIENT NCTAudioStudio2 NCT WavChunksEditor ActiveX function call unicode access (web-client.rules)
12019 <-> WEB-CLIENT NCTsoft NCTAudioFile2 NCTWMAFile ActiveX clsid access (web-client.rules)
12020 <-> WEB-CLIENT NCTsoft NCTAudioFile2 NCTWMAFile ActiveX clsid unicode access (web-client.rules)
12021 <-> WEB-CLIENT NCTsoft NCTAudioFile2 NCTWMAFile ActiveX function call access (web-client.rules)
12022 <-> WEB-CLIENT NCTsoft NCTAudioFile2 NCTWMAFile ActiveX function call unicode access (web-client.rules)
12023 <-> DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX clsid access (deleted.rules)
12024 <-> DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX clsid unicode access (deleted.rules)
12025 <-> DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX function call access (deleted.rules)
12026 <-> DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX function call unicode access (deleted.rules)
12027 <-> SQL Ingres Database uuid_from_char buffer overflow attempt (sql.rules)
12029 <-> WEB-CLIENT HP Digital Imaging hpqxml.dll ActiveX clsid access (web-client.rules)
12030 <-> WEB-CLIENT HP Digital Imaging hpqxml.dll ActiveX clsid unicode access (web-client.rules)
12043 <-> DOS Microsoft XML parser IIS WebDAV attack attempt (dos.rules)
12044 <-> ORACLE Oracle Web Cache denial of service attempt (oracle.rules)
12045 <-> ORACLE Oracle Web Cache denial of service attempt (oracle.rules)
12046 <-> RPC MIT Kerberos kadmind RPC Library unix authentication buffer overflow attempt (rpc.rules)
12047 <-> SPYWARE-PUT Adware yayad runtime detection (spyware-put.rules)
12048 <-> SPYWARE-PUT Keylogger computer Keylogger runtime detection (spyware-put.rules)
12049 <-> SPYWARE-PUT Keylogger apophis spy 1.0 runtime detection (spyware-put.rules)
12050 <-> SPYWARE-PUT Hijacker ez-greets toolbar runtime detection (spyware-put.rules)
12051 <-> BACKDOOR ultimate rat 2.1 runtime detection (backdoor.rules)
12052 <-> BACKDOOR the[x] 1.2 runtime detection - execute command (backdoor.rules)
12053 <-> BACKDOOR trail of destruction 2.0 runtime detection - get system info (backdoor.rules)
12054 <-> BACKDOOR tron runtime detection - init connection - flowbit set (backdoor.rules)
12055 <-> BACKDOOR tron runtime detection - init connection (backdoor.rules)

Updated rules:
9601 <-> NETBIOS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance little endian attempt (netbios.rules)