Sourcefire VRT Rules Update

Date: 2007-07-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.6.

The format of the file is:

sid <-> Message (rule group)

New rules:
12075 <-> RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (rpc.rules)
12076 <-> DOS Ipswitch WS_FTP log server long unicode string (dos.rules)
12077 <-> BACKDOOR c99shell.php command request (backdoor.rules)
12078 <-> EXPLOIT CA BrightStor LGServer Heap Buffer Overflow (exploit.rules)
12079 <-> EXPLOIT CA BrightStor LGServer Stack Buffer Overflow (exploit.rules)
12080 <-> EXPLOIT Sun Solaris Printd arbitrary file deletion attempt (exploit.rules)
12081 <-> EXPLOIT BakBone NetVault heap overflow attempt (exploit.rules)
12082 <-> ORACLE Oracle 9i TNS denial of service attempt (oracle.rules)
12083 <-> WEB-CLIENT Data Dynamics ActiveBar Actbar3 ActiveX clsid access (web-client.rules)
12084 <-> WEB-CLIENT Data Dynamics ActiveBar Actbar3 ActiveX clsid unicode access (web-client.rules)
12085 <-> WEB-CLIENT Data Dynamics ActiveBar Actbar3 ActiveX function call access (web-client.rules)
12086 <-> WEB-CLIENT Data Dynamics ActiveBar Actbar3 ActiveX function call unicode access (web-client.rules)
12087 <-> WEB-CLIENT McAfee NeoTrace ActiveX clsid access (web-client.rules)
12088 <-> WEB-CLIENT McAfee NeoTrace ActiveX clsid unicode access (web-client.rules)
12089 <-> WEB-CLIENT McAfee NeoTrace ActiveX function call access (web-client.rules)
12090 <-> WEB-CLIENT McAfee NeoTrace ActiveX function call unicode access (web-client.rules)
12091 <-> WEB-CLIENT EldoS SecureBlackbox PGPBBox ActiveX clsid access (web-client.rules)
12092 <-> WEB-CLIENT EldoS SecureBlackbox PGPBBox ActiveX clsid unicode access (web-client.rules)
12093 <-> WEB-CLIENT EldoS SecureBlackbox PGPBBox ActiveX function call access (web-client.rules)
12094 <-> WEB-CLIENT EldoS SecureBlackbox PGPBBox ActiveX function call unicode access (web-client.rules)
12095 <-> WEB-CLIENT Zenturi ProgramChecker ActiveX clsid access (web-client.rules)
12096 <-> WEB-CLIENT Zenturi ProgramChecker ActiveX clsid unicode access (web-client.rules)
12097 <-> WEB-CLIENT Zenturi ProgramChecker ActiveX function call access (web-client.rules)
12098 <-> WEB-CLIENT Zenturi ProgramChecker ActiveX function call unicode access (web-client.rules)
12099 <-> MISC Microsoft Excel rtWindow1 record handling arbitrary code execution attempt (misc.rules)
12100 <-> NETBIOS DCERPC DIRECT v4 ca-alert function 16 overflow attempt (netbios.rules)
12101 <-> NETBIOS DCERPC DIRECT v4 ca-alert function 16 little endian overflow attempt (netbios.rules)
12102 <-> NETBIOS DCERPC DIRECT ca-alert function 16 overflow attempt (netbios.rules)
12103 <-> NETBIOS DCERPC DIRECT ca-alert function 16 little endian overflow attempt (netbios.rules)
12104 <-> NETBIOS DCERPC DIRECT ca-alert function 16 object call overflow attempt (netbios.rules)
12105 <-> NETBIOS DCERPC DIRECT ca-alert function 16 little endian object call overflow attempt (netbios.rules)
12106 <-> NETBIOS DCERPC DIRECT v4 ca-alert function 23 overflow attempt (netbios.rules)
12107 <-> NETBIOS DCERPC DIRECT ca-alert function 23 little endian overflow attempt (netbios.rules)
12108 <-> NETBIOS DCERPC DIRECT v4 ca-alert function 23 little endian overflow attempt (netbios.rules)
12109 <-> NETBIOS DCERPC DIRECT ca-alert function 23 overflow attempt (netbios.rules)
12110 <-> NETBIOS DCERPC DIRECT ca-alert function 23 little endian object call overflow attempt (netbios.rules)
12111 <-> NETBIOS DCERPC DIRECT ca-alert function 23 object call overflow attempt (netbios.rules)

Updated rules:
873 <-> DELETED WEB-CGI scriptalias access (deleted.rules)
1775 <-> MYSQL root login attempt (mysql.rules)
1776 <-> MYSQL show databases attempt (mysql.rules)
2656 <-> WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt (web-misc.rules)
3456 <-> MYSQL 4.0 root login attempt (mysql.rules)
3528 <-> MYSQL CREATE FUNCTION attempt (mysql.rules)
3665 <-> MYSQL server greeting (mysql.rules)
3666 <-> MYSQL server greeting finished (mysql.rules)
3667 <-> MYSQL protocol 41 client authentication bypass attempt (mysql.rules)
3668 <-> MYSQL client authentication bypass attempt (mysql.rules)
3669 <-> MYSQL protocol 41 secure client overflow attempt (mysql.rules)
3670 <-> MYSQL secure client overflow attempt (mysql.rules)
3671 <-> MYSQL protocol 41 client overflow attempt (mysql.rules)
3672 <-> MYSQL client overflow attempt (mysql.rules)
4649 <-> MYSQL CREATE FUNCTION buffer overflow attempt (mysql.rules)
7796 <-> BACKDOOR incommand 1.7 runtime detection - init connection (backdoor.rules)
8057 <-> MYSQL Date_Format denial of service attempt (mysql.rules)
10123 <-> SPECIFIC-THREATS PA168 chipset based IP phone default password attempt (specific-threats.rules)
10124 <-> SPECIFIC-THREATS PA168 chipset based IP phone authentication bypass (specific-threats.rules)
10396 <-> DELETED WEB-IIS Internet Data Query query.idq directory traversal attempt (deleted.rules)
10397 <-> DELETED WEB-IIS Internet Data Query exair query.idq directory traversal attempt (deleted.rules)
10398 <-> DELETED WEB-IIS Internet Data Query exair search.idq directory traversal attempt (deleted.rules)
10399 <-> DELETED WEB-IIS Internet Data Query iissamples fastq.idq directory traversal attempt (deleted.rules)
10400 <-> DELETED WEB-IIS Internet Data Query iissamples query.idq directory traversal attempt (deleted.rules)
10401 <-> DELETED WEB-IIS Internet Data Query prxdocs prxrch.idq directory traversal attempt (deleted.rules)
10999 <-> WEB-CGI chetcpasswd access (web-cgi.rules)
11196 <-> EXPLOIT MaxDB WebDBM get buffer overflow (exploit.rules)
11616 <-> WEB-MISC Symantec Sygate Policy Manager SQL injection (web-misc.rules)
11669 <-> SPECIFIC-THREATS Eudora 250 command response buffer overflow attempt (specific-threats.rules)
11682 <-> SPECIFIC-THREATS Metasploit niprint_lpd module attack attempt (specific-threats.rules)
11683 <-> SPECIFIC-THREATS CA BrightStor Agent for Microsoft SQL overflow attempt (specific-threats.rules)
11686 <-> SPECIFIC-THREATS WebDAV search overflow attempt (specific-threats.rules)
11687 <-> WEB-MISC Apache SSI error page cross-site scripting (web-misc.rules)