Sourcefire VRT Rules Update

Date: 2007-10-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.6.

The format of the file is:

sid - Message (rule group)

New rules:
12608 <-> RPC portmap walld udp request (rpc.rules)
12609 <-> RPC portmap walld udp format string attack attempt (rpc.rules)
12610 <-> WEB-PHP phpBB viewtopic double URL encoding attempt (web-php.rules)
12611 <-> CHAT ebuddy.com login attempt (chat.rules)
12612 <-> WEB-CLIENT Microsoft Windows MFC Library ActiveX clsid access (web-client.rules)
12613 <-> WEB-CLIENT Microsoft Windows MFC Library ActiveX clsid unicode access (web-client.rules)
12614 <-> WEB-CLIENT Microsoft Windows MFC Library ActiveX function call access (web-client.rules)
12615 <-> WEB-CLIENT Microsoft Windows MFC Library ActiveX function call unicode access (web-client.rules)
12616 <-> WEB-CLIENT Microsoft Visual Studio 6 PDWizard.ocx ActiveX function call access (web-client.rules)
12617 <-> WEB-CLIENT Microsoft Visual Studio 6 PDWizard.ocx ActiveX function call unicode access (web-client.rules)
12618 <-> WEB-CLIENT Microsoft Visual Basic VBP file reference overflow attempt (web-client.rules)
12619 <-> EXPLOIT Microsoft Exchange ical/vcal malformed property (exploit.rules)
12620 <-> SPYWARE-PUT Adware drive cleaner 1.0.111 runtime detection (spyware-put.rules)
12621 <-> SPYWARE-PUT Trackware extra toolbar 1.0 runtime detection (spyware-put.rules)
12622 <-> SPYWARE-PUT Trackware extra toolbar 1.0 runtime detection - file download (spyware-put.rules)
12623 <-> SPYWARE-PUT Hijacker onestepsearch 1.0.118 runtime detection (spyware-put.rules)
12624 <-> SPYWARE-PUT Hijacker onestepsearch 1.0.118 runtime detection - upgrade (spyware-put.rules)
12625 <-> SPYWARE-PUT Keylogger windows family safety 2.0 runtime detection (spyware-put.rules)
12626 <-> RPC portmap Solaris sadmin port query udp request (rpc.rules)
12627 <-> RPC portmap Solaris sadmin port query tcp portmapper sadmin port query attempt (rpc.rules)
12628 <-> RPC portmap Solaris sadmin port query udp portmapper sadmin port query attempt (rpc.rules)
12629 <-> WEB-MISC sharepoint cross site scripting attempt (web-misc.rules)
12630 <-> SHELLCODE unescape unicode encoded shellcode (shellcode.rules)
12631 <-> EXPLOIT Microsoft Kodak Imaging malformed jpeg tables (exploit.rules)
12632 <-> EXPLOIT Microsoft Kodak Imaging malformed jpeg tables (exploit.rules)
12633 <-> EXPLOIT Microsoft Kodak Imaging malformed tiff (exploit.rules)
12634 <-> EXPLOIT Microsoft Kodak Imaging malformed tiff (exploit.rules)
12635 <-> DOS NTLMSSP malformed credentials (dos.rules)

Updated rules:
3443 <-> DELETED MS-SQL DNS query with 1 requests (deleted.rules)
3444 <-> DELETED MS-SQL DNS query with 2 requests (deleted.rules)
3445 <-> DELETED MS-SQL DNS query with 3 requests (deleted.rules)
3446 <-> DELETED MS-SQL DNS query with 4 requests (deleted.rules)
3447 <-> DELETED MS-SQL DNS query with 5 requests (deleted.rules)
3448 <-> DELETED MS-SQL DNS query with 6 requests (deleted.rules)
3449 <-> DELETED MS-SQL DNS query with 7 requests (deleted.rules)
3450 <-> DELETED MS-SQL DNS query with 8 requests (deleted.rules)
3451 <-> DELETED MS-SQL DNS query with 9 requests (deleted.rules)
3452 <-> DELETED MS-SQL DNS query with 10 requests (deleted.rules)
3821 <-> WEB-CLIENT CHM file transfer attempt (web-client.rules)
4490 <-> NETBIOS SMB-DS v4 spoolss AddPrinterEx unicode little endian andx overflow attempt (netbios.rules)
8405 <-> WEB-CLIENT  ActiveX clsid access (web-client.rules)
8406 <-> WEB-CLIENT  ActiveX clsid unicode access (web-client.rules)
8727 <-> WEB-CLIENT XMLHTTP 4.0 ActiveX clsid access (web-client.rules)
8728 <-> WEB-CLIENT XMLHTTP 4.0 ActiveX clsid unicode access (web-client.rules)
11687 <-> WEB-MISC Apache SSI error page cross-site scripting (web-misc.rules)
12360 <-> WEB-PHP PHP function CRLF injection attempt (web-php.rules)
12424 <-> RPC MIT Kerberos kadmind rpc RPCSEC_GSS buffer overflow attempt (rpc.rules)
12430 <-> WEB-CLIENT EDraw Office Viewer Component ActiveX clsid access (web-client.rules)
12431 <-> WEB-CLIENT EDraw Office Viewer Component ActiveX clsid unicode access (web-client.rules)
12432 <-> WEB-CLIENT EDraw Office Viewer Component ActiveX function call access (web-client.rules)
12433 <-> WEB-CLIENT EDraw Office Viewer Component ActiveX function call unicode access (web-client.rules)
12458 <-> RPC portmap Solaris sadmin port query tcp request (rpc.rules)