Sourcefire VRT Rules Update
Date: 2007-08-01
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.6.
The format of the file is:
sid - Message (rule group)
New rules:

12114 <-> IMAP Ipswitch IMail search command buffer overflow attempt (imap.rules)
12115 <-> IMAP Ipswitch IMail search command buffer overflow attempt (imap.rules)
12116 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX clsid access (web-client.rules)
12117 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX clsid unicode access (web-client.rules)
12118 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX function call access (web-client.rules)
12119 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX function call unicode access (web-client.rules)
12120 <-> SPYWARE-PUT Adware pprich runtime detection - version check (spyware-put.rules)
12121 <-> SPYWARE-PUT Adware pprich runtime detection - udp info sent out (spyware-put.rules)
12122 <-> SPYWARE-PUT Trackware spynova runtime detection (spyware-put.rules)
12123 <-> SPYWARE-PUT Hijacker lookquick runtime detection - hijack ie (spyware-put.rules)
12124 <-> SPYWARE-PUT Hijacker lookquick runtime detection - monitor and collect user info (spyware-put.rules)
12125 <-> SPYWARE-PUT Trackware lookster toolbar runtime detection - hijack ie search assistant (spyware-put.rules)
12126 <-> SPYWARE-PUT Trackware lookster toolbar runtime detection - collect user information (spyware-put.rules)
12127 <-> SPYWARE-PUT Trackware lookster toolbar runtime detection - ads (spyware-put.rules)
12128 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - init connection (spyware-put.rules)
12129 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - get sys info (spyware-put.rules)
12130 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - get sys info (spyware-put.rules)
12131 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - keylogging (spyware-put.rules)
12132 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - keylogging (spyware-put.rules)
12133 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - open url (spyware-put.rules)
12134 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - open url (spyware-put.rules)
12135 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - fun (spyware-put.rules)
12136 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - fun (spyware-put.rules)
12137 <-> SPYWARE-PUT Keylogger Keylogger king home 2.3 runtime detection (spyware-put.rules)
12138 <-> SPYWARE-PUT Adware zamingo runtime detection (spyware-put.rules)
12139 <-> SPYWARE-PUT Trackware stealth website logger 3.4 runtime detection (spyware-put.rules)
12140 <-> SPYWARE-PUT Hijacker cnnic update runtime detection (spyware-put.rules)
12141 <-> SPYWARE-PUT Keylogger logit v1.0 runtime detection (spyware-put.rules)
12142 <-> BACKDOOR access remote pc runtime detection - init connection (backdoor.rules)
12143 <-> BACKDOOR access remote pc runtime detection - init connection (backdoor.rules)
12144 <-> BACKDOOR access remote pc runtime detection - rpc setup (backdoor.rules)
12145 <-> BACKDOOR access remote pc runtime detection - rpc setup (backdoor.rules)
12146 <-> BACKDOOR blue eye 1.0b runtime detection - init connection (backdoor.rules)
12147 <-> BACKDOOR blue eye 1.0b runtime detection - init connection (backdoor.rules)
12148 <-> BACKDOOR back orifice 2006 - v1.1.5 runtime detection - init connection (backdoor.rules)
12149 <-> BACKDOOR back orifice 2006 - v1.1.5 runtime detection - init connection (backdoor.rules)
12150 <-> BACKDOOR cafeini 1.0 runtime detection - init connection (backdoor.rules)
12151 <-> BACKDOOR cafeini 1.0 runtime detection (backdoor.rules)
12152 <-> BACKDOOR optix pro v1.32 runtime detection - init connection (backdoor.rules)
12153 <-> BACKDOOR optix pro v1.32 runtime detection - download file (backdoor.rules)
12154 <-> BACKDOOR optix pro v1.32 runtime detection - download file (backdoor.rules)
12155 <-> BACKDOOR optix pro v1.32 runtime detection - download file (backdoor.rules)
12156 <-> BACKDOOR optix pro v1.32 runtime detection - upload file (backdoor.rules)
12157 <-> BACKDOOR optix pro v1.32 runtime detection - upload file (backdoor.rules)
12158 <-> BACKDOOR optix pro v1.32 runtime detection - upload file (backdoor.rules)
12159 <-> BACKDOOR optix pro v1.32 runtime detection - keylogging (backdoor.rules)
12160 <-> BACKDOOR optix pro v1.32 runtime detection - screen capturing (backdoor.rules)
12161 <-> BACKDOOR optix pro v1.32 runtime detection - screen capturing (backdoor.rules)
12162 <-> BACKDOOR optix pro v1.32 runtime detection - screen capturing (backdoor.rules)
12163 <-> BACKDOOR cobra uploader 1.0 runtime detection (backdoor.rules)
12164 <-> BACKDOOR cobra uploader 1.0 runtime detection (backdoor.rules)
12165 <-> BACKDOOR lithium 1.02 runtime detection (backdoor.rules)
12166 <-> BACKDOOR lithium 1.02 runtime detection (backdoor.rules)
12168 <-> WEB-CLIENT Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX clsid access (web-client.rules)
12169 <-> WEB-CLIENT Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX clsid unicode access (web-client.rules)
12182 <-> POLICY Adobe FLV file transfer (policy.rules)
12183 <-> EXPLOIT Adobe FLV long string script data buffer overflow (exploit.rules)
12184 <-> MISC Microsoft Excel workbook workspace designation handling arbitrary code execution attempt (misc.rules)
12185 <-> RPC portmap 2112 tcp request (rpc.rules)
12186 <-> RPC portmap 2112 udp request (rpc.rules)
12187 <-> RPC portmap 2112 tcp rename_principal attempt (rpc.rules)
12188 <-> RPC portmap 2112 udp rename_principal attempt (rpc.rules)
12189 <-> WEB-CLIENT Clever Internet Suite ActiveX clsid access (web-client.rules)
12190 <-> WEB-CLIENT Clever Internet Suite ActiveX clsid unicode access (web-client.rules)
12191 <-> WEB-CLIENT Clever Internet Suite ActiveX function call access (web-client.rules)
12192 <-> WEB-CLIENT Clever Internet Suite ActiveX function call unicode access (web-client.rules)
12193 <-> WEB-CLIENT Yahoo Widgets Engine ActiveX clsid access (web-client.rules)
12194 <-> WEB-CLIENT Yahoo Widgets Engine ActiveX clsid unicode access (web-client.rules)
12195 <-> WEB-CLIENT Yahoo Widgets Engine ActiveX function call access (web-client.rules)
12196 <-> WEB-CLIENT Yahoo Widgets Engine ActiveX function call unicode access (web-client.rules)
12197 <-> EXPLOIT CA message queuing server buffer overflow attempt (exploit.rules)
12198 <-> SNMP MS Windows getbulk request (snmp.rules)
12199 <-> DOS RIM BlackBerry SRP negative string size (dos.rules)
12200 <-> WEB-CLIENT VMWare IntraProcessLogging ActiveX clsid access (web-client.rules)
12201 <-> WEB-CLIENT VMWare IntraProcessLogging ActiveX clsid unicode access (web-client.rules)
12202 <-> DELETED EXPLOIT Ingres long message heap buffer overflow attempt (deleted.rules)

Updated rules:

284 <-> POP2 x86 Linux overflow (pop2.rules)
285 <-> POP2 x86 Linux overflow (pop2.rules)
286 <-> POP3 EXPLOIT x86 BSD overflow (pop3.rules)
287 <-> POP3 EXPLOIT x86 BSD overflow (pop3.rules)
288 <-> POP3 EXPLOIT x86 Linux overflow (pop3.rules)
289 <-> POP3 EXPLOIT x86 SCO overflow (pop3.rules)
290 <-> POP3 EXPLOIT qpopper overflow (pop3.rules)
1538 <-> NNTP AUTHINFO USER overflow attempt (nntp.rules)
1634 <-> POP3 PASS overflow attempt (pop3.rules)
1635 <-> POP3 APOP overflow attempt (pop3.rules)
1792 <-> NNTP return code buffer overflow attempt (nntp.rules)
1842 <-> IMAP login buffer overflow attempt (imap.rules)
1866 <-> POP3 USER overflow attempt (pop3.rules)
1934 <-> POP2 FOLD overflow attempt (pop2.rules)
1935 <-> POP2 FOLD arbitrary file attempt (pop2.rules)
1936 <-> POP3 AUTH overflow attempt (pop3.rules)
1937 <-> POP3 LIST overflow attempt (pop3.rules)
1938 <-> POP3 XTND overflow attempt (pop3.rules)
2108 <-> POP3 CAPA overflow attempt (pop3.rules)
2109 <-> POP3 TOP overflow attempt (pop3.rules)
2110 <-> POP3 STAT overflow attempt (pop3.rules)
2111 <-> POP3 DELE overflow attempt (pop3.rules)
2112 <-> POP3 RSET overflow attempt (pop3.rules)
2121 <-> POP3 DELE negative argument attempt (pop3.rules)
2122 <-> POP3 UIDL negative argument attempt (pop3.rules)
2250 <-> POP3 USER format string attempt (pop3.rules)
2274 <-> POP3 login brute force attempt (pop3.rules)
2409 <-> POP3 APOP USER overflow attempt (pop3.rules)
2424 <-> NNTP sendsys overflow attempt (nntp.rules)
2425 <-> NNTP senduuname overflow attempt (nntp.rules)
2426 <-> NNTP version overflow attempt (nntp.rules)
2427 <-> NNTP checkgroups overflow attempt (nntp.rules)
2428 <-> NNTP ihave overflow attempt (nntp.rules)
2429 <-> NNTP sendme overflow attempt (nntp.rules)
2430 <-> NNTP newgroup overflow attempt (nntp.rules)
2431 <-> NNTP rmgroup overflow attempt (nntp.rules)
2432 <-> NNTP article post without path attempt (nntp.rules)
2502 <-> POP3 SSLv3 invalid data version attempt (pop3.rules)
2518 <-> POP3 PCT Client_Hello overflow attempt (pop3.rules)
2535 <-> POP3 SSLv3 Client_Hello request (pop3.rules)
2536 <-> POP3 SSLv3 Server_Hello request (pop3.rules)
2537 <-> POP3 SSLv3 invalid Client_Hello attempt (pop3.rules)
2666 <-> POP3 PASS format string attempt (pop3.rules)
2927 <-> NNTP XPAT pattern overflow attempt (nntp.rules)
3078 <-> NNTP SEARCH pattern overflow attempt (nntp.rules)
3499 <-> POP3 SSLv2 Client_Hello request (pop3.rules)
3500 <-> POP3 SSLv2 Client_Hello with pad request (pop3.rules)
3501 <-> POP3 TLSv1 Client_Hello request (pop3.rules)
3502 <-> POP3 TLSv1 Client_Hello via SSLv2 handshake request (pop3.rules)
3503 <-> POP3 SSLv2 Server_Hello request (pop3.rules)
3504 <-> POP3 TLSv1 Server_Hello request (pop3.rules)
8429 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules)
8430 <-> POP3 SSLv3 openssl get shared ciphers overflow attempt (pop3.rules)
8431 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules)
10418 <-> EXPLOIT lpd Solaris unlink file attempt (exploit.rules)
11617 <-> DELETED EXPLOIT Zenworks password authentication buffer overflow (deleted.rules)
11680 <-> MISC Sun Java web proxy sockd buffer overflow attempt (misc.rules)
11687 <-> WEB-MISC Apache SSI error page cross-site scripting (web-misc.rules)
12029 <-> WEB-CLIENT HP Digital Imaging hpqxml.dll ActiveX clsid access (web-client.rules)
12030 <-> WEB-CLIENT HP Digital Imaging hpqxml.dll ActiveX clsid unicode access (web-client.rules)
12062 <-> WEB-CLIENT HP Instant Support ActiveX clsid access (web-client.rules)
12063 <-> WEB-CLIENT HP Instant Support ActiveX clsid unicode access (web-client.rules)
12080 <-> EXPLOIT Sun Solaris printd arbitrary file deletion vulnerability (exploit.rules)
12081 <-> EXPLOIT BakBone NetVault heap overflow attempt (exploit.rules)
