Sourcefire VRT Rules Update

Date: 2007-08-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.6.

The format of the file is:

sid <-> Message (rule group)

New rules:
12114 <-> IMAP Ipswitch IMail search command buffer overflow attempt (imap.rules)
12115 <-> IMAP Ipswitch IMail search command buffer overflow attempt (imap.rules)
12116 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX clsid access (web-client.rules)
12117 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX clsid unicode access (web-client.rules)
12118 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX function call access (web-client.rules)
12119 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX function call unicode access (web-client.rules)
12120 <-> SPYWARE-PUT Adware pprich runtime detection - version check (spyware-put.rules)
12121 <-> SPYWARE-PUT Adware pprich runtime detection - udp info sent out (spyware-put.rules)
12122 <-> SPYWARE-PUT Trackware spynova runtime detection (spyware-put.rules)
12123 <-> SPYWARE-PUT Hijacker lookquick runtime detection - hijack ie (spyware-put.rules)
12124 <-> SPYWARE-PUT Hijacker lookquick runtime detection - monitor and collect user info (spyware-put.rules)
12125 <-> SPYWARE-PUT Trackware lookster toolbar runtime detection - hijack ie search assistant (spyware-put.rules)
12126 <-> SPYWARE-PUT Trackware lookster toolbar runtime detection - collect user information (spyware-put.rules)
12127 <-> SPYWARE-PUT Trackware lookster toolbar runtime detection - ads (spyware-put.rules)
12128 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - init connection (spyware-put.rules)
12129 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - get sys info (spyware-put.rules)
12130 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - get sys info (spyware-put.rules)
12131 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - keylogging (spyware-put.rules)
12132 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - keylogging (spyware-put.rules)
12133 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - open url (spyware-put.rules)
12134 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - open url (spyware-put.rules)
12135 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - fun (spyware-put.rules)
12136 <-> SPYWARE-PUT Keylogger remotekeylog.b runtime detection - fun (spyware-put.rules)
12137 <-> SPYWARE-PUT Keylogger Keylogger king home 2.3 runtime detection (spyware-put.rules)
12138 <-> SPYWARE-PUT Adware zamingo runtime detection (spyware-put.rules)
12139 <-> SPYWARE-PUT Trackware stealth website logger 3.4 runtime detection (spyware-put.rules)
12140 <-> SPYWARE-PUT Hijacker cnnic update runtime detection (spyware-put.rules)
12141 <-> SPYWARE-PUT Keylogger logit v1.0 runtime detection (spyware-put.rules)
12142 <-> BACKDOOR access remote pc runtime detection - init connection (backdoor.rules)
12143 <-> BACKDOOR access remote pc runtime detection - init connection (backdoor.rules)
12144 <-> BACKDOOR access remote pc runtime detection - rpc setup (backdoor.rules)
12145 <-> BACKDOOR access remote pc runtime detection - rpc setup (backdoor.rules)
12146 <-> BACKDOOR blue eye 1.0b runtime detection - init connection (backdoor.rules)
12147 <-> BACKDOOR blue eye 1.0b runtime detection - init connection (backdoor.rules)
12148 <-> BACKDOOR back orifice 2006 - v1.1.5 runtime detection - init connection (backdoor.rules)
12149 <-> BACKDOOR back orifice 2006 - v1.1.5 runtime detection - init connection (backdoor.rules)
12150 <-> BACKDOOR cafeini 1.0 runtime detection - init connection (backdoor.rules)
12151 <-> BACKDOOR cafeini 1.0 runtime detection (backdoor.rules)
12152 <-> BACKDOOR optix pro v1.32 runtime detection - init connection (backdoor.rules)
12153 <-> BACKDOOR optix pro v1.32 runtime detection - download file (backdoor.rules)
12154 <-> BACKDOOR optix pro v1.32 runtime detection - download file (backdoor.rules)
12155 <-> BACKDOOR optix pro v1.32 runtime detection - download file (backdoor.rules)
12156 <-> BACKDOOR optix pro v1.32 runtime detection - upload file (backdoor.rules)
12157 <-> BACKDOOR optix pro v1.32 runtime detection - upload file (backdoor.rules)
12158 <-> BACKDOOR optix pro v1.32 runtime detection - upload file (backdoor.rules)
12159 <-> BACKDOOR optix pro v1.32 runtime detection - keylogging (backdoor.rules)
12160 <-> BACKDOOR optix pro v1.32 runtime detection - screen capturing (backdoor.rules)
12161 <-> BACKDOOR optix pro v1.32 runtime detection - screen capturing (backdoor.rules)
12162 <-> BACKDOOR optix pro v1.32 runtime detection - screen capturing (backdoor.rules)
12163 <-> BACKDOOR cobra uploader 1.0 runtime detection (backdoor.rules)
12164 <-> BACKDOOR cobra uploader 1.0 runtime detection (backdoor.rules)
12165 <-> BACKDOOR lithium 1.02 runtime detection (backdoor.rules)
12166 <-> BACKDOOR lithium 1.02 runtime detection (backdoor.rules)
12168 <-> WEB-CLIENT Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX clsid access (web-client.rules)
12169 <-> WEB-CLIENT Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX clsid unicode access (web-client.rules)
12182 <-> POLICY Adobe FLV file transfer (policy.rules)
12183 <-> EXPLOIT Adobe FLV long string script data buffer overflow (exploit.rules)
12184 <-> MISC Microsoft Excel workbook workspace designation handling arbitrary code execution attempt (misc.rules)
12185 <-> RPC portmap 2112 tcp request (rpc.rules)
12186 <-> RPC portmap 2112 udp request (rpc.rules)
12187 <-> RPC portmap 2112 tcp rename_principal attempt (rpc.rules)
12188 <-> RPC portmap 2112 udp rename_principal attempt (rpc.rules)
12189 <-> WEB-CLIENT Clever Internet Suite ActiveX clsid access (web-client.rules)
12190 <-> WEB-CLIENT Clever Internet Suite ActiveX clsid unicode access (web-client.rules)
12191 <-> WEB-CLIENT Clever Internet Suite ActiveX function call access (web-client.rules)
12192 <-> WEB-CLIENT Clever Internet Suite ActiveX function call unicode access (web-client.rules)
12193 <-> WEB-CLIENT Yahoo Widgets Engine ActiveX clsid access (web-client.rules)
12194 <-> WEB-CLIENT Yahoo Widgets Engine ActiveX clsid unicode access (web-client.rules)
12195 <-> WEB-CLIENT Yahoo Widgets Engine ActiveX function call access (web-client.rules)
12196 <-> WEB-CLIENT Yahoo Widgets Engine ActiveX function call unicode access (web-client.rules)
12197 <-> EXPLOIT CA message queuing server buffer overflow attempt (exploit.rules)
12198 <-> SNMP MS Windows getbulk request (snmp.rules)
12199 <-> DOS RIM BlackBerry SRP negative string size (dos.rules)
12200 <-> WEB-CLIENT VMWare IntraProcessLogging ActiveX clsid access (web-client.rules)
12201 <-> WEB-CLIENT VMWare IntraProcessLogging ActiveX clsid unicode access (web-client.rules)
12202 <-> DELETED EXPLOIT Ingres long message heap buffer overflow attempt (deleted.rules)

Updated rules:
 284 <-> POP2 x86 Linux overflow (pop2.rules)
 285 <-> POP2 x86 Linux overflow (pop2.rules)
 286 <-> POP3 EXPLOIT x86 BSD overflow (pop3.rules)
 287 <-> POP3 EXPLOIT x86 BSD overflow (pop3.rules)
 288 <-> POP3 EXPLOIT x86 Linux overflow (pop3.rules)
 289 <-> POP3 EXPLOIT x86 SCO overflow (pop3.rules)
 290 <-> POP3 EXPLOIT qpopper overflow (pop3.rules)
1538 <-> NNTP AUTHINFO USER overflow attempt (nntp.rules)
1634 <-> POP3 PASS overflow attempt (pop3.rules)
1635 <-> POP3 APOP overflow attempt (pop3.rules)
1792 <-> NNTP return code buffer overflow attempt (nntp.rules)
1842 <-> IMAP login buffer overflow attempt (imap.rules)
1866 <-> POP3 USER overflow attempt (pop3.rules)
1934 <-> POP2 FOLD overflow attempt (pop2.rules)
1935 <-> POP2 FOLD arbitrary file attempt (pop2.rules)
1936 <-> POP3 AUTH overflow attempt (pop3.rules)
1937 <-> POP3 LIST overflow attempt (pop3.rules)
1938 <-> POP3 XTND overflow attempt (pop3.rules)
2108 <-> POP3 CAPA overflow attempt (pop3.rules)
2109 <-> POP3 TOP overflow attempt (pop3.rules)
2110 <-> POP3 STAT overflow attempt (pop3.rules)
2111 <-> POP3 DELE overflow attempt (pop3.rules)
2112 <-> POP3 RSET overflow attempt (pop3.rules)
2121 <-> POP3 DELE negative argument attempt (pop3.rules)
2122 <-> POP3 UIDL negative argument attempt (pop3.rules)
2250 <-> POP3 USER format string attempt (pop3.rules)
2274 <-> POP3 login brute force attempt (pop3.rules)
2409 <-> POP3 APOP USER overflow attempt (pop3.rules)
2424 <-> NNTP sendsys overflow attempt (nntp.rules)
2425 <-> NNTP senduuname overflow attempt (nntp.rules)
2426 <-> NNTP version overflow attempt (nntp.rules)
2427 <-> NNTP checkgroups overflow attempt (nntp.rules)
2428 <-> NNTP ihave overflow attempt (nntp.rules)
2429 <-> NNTP sendme overflow attempt (nntp.rules)
2430 <-> NNTP newgroup overflow attempt (nntp.rules)
2431 <-> NNTP rmgroup overflow attempt (nntp.rules)
2432 <-> NNTP article post without path attempt (nntp.rules)
2502 <-> POP3 SSLv3 invalid data version attempt (pop3.rules)
2518 <-> POP3 PCT Client_Hello overflow attempt (pop3.rules)
2535 <-> POP3 SSLv3 Client_Hello request (pop3.rules)
2536 <-> POP3 SSLv3 Server_Hello request (pop3.rules)
2537 <-> POP3 SSLv3 invalid Client_Hello attempt (pop3.rules)
2666 <-> POP3 PASS format string attempt (pop3.rules)
2927 <-> NNTP XPAT pattern overflow attempt (nntp.rules)
3078 <-> NNTP SEARCH pattern overflow attempt (nntp.rules)
3499 <-> POP3 SSLv2 Client_Hello request (pop3.rules)
3500 <-> POP3 SSLv2 Client_Hello with pad request (pop3.rules)
3501 <-> POP3 TLSv1 Client_Hello request (pop3.rules)
3502 <-> POP3 TLSv1 Client_Hello via SSLv2 handshake request (pop3.rules)
3503 <-> POP3 SSLv2 Server_Hello request (pop3.rules)
3504 <-> POP3 TLSv1 Server_Hello request (pop3.rules)
8429 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules)
8430 <-> POP3 SSLv3 openssl get shared ciphers overflow attempt (pop3.rules)
8431 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules)
10418 <-> EXPLOIT lpd Solaris unlink file attempt (exploit.rules)
11617 <-> DELETED EXPLOIT Zenworks password authentication buffer overflow (deleted.rules)
11680 <-> MISC Sun Java web proxy sockd buffer overflow attempt (misc.rules)
11687 <-> WEB-MISC Apache SSI error page cross-site scripting (web-misc.rules)
12029 <-> WEB-CLIENT HP Digital Imaging hpqxml.dll ActiveX clsid access (web-client.rules)
12030 <-> WEB-CLIENT HP Digital Imaging hpqxml.dll ActiveX clsid unicode access (web-client.rules)
12062 <-> WEB-CLIENT HP Instant Support ActiveX clsid access (web-client.rules)
12063 <-> WEB-CLIENT HP Instant Support ActiveX clsid unicode access (web-client.rules)
12080 <-> EXPLOIT Sun Solaris printd arbitrary file deletion vulnerability (exploit.rules)
12081 <-> EXPLOIT BakBone NetVault heap overflow attempt (exploit.rules)