Sourcefire VRT Rules Update
Date: 2007-12-04
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.6.
The format of the file is:
sid - Message (rule group)
New rules:
12743 <-> WEB-CLIENT FLAC libFLAC picture description metadata buffer overflow attempt (web-client.rules)
12744 <-> WEB-CLIENT FLAC libFLAC VORBIS string buffer overflow attempt (web-client.rules)
12745 <-> WEB-CLIENT FLAC libFLAC picture metadata buffer overflow attempt (web-client.rules)
12746 <-> EXPLOIT Apple QuickTime STSD atom overflow attempt (exploit.rules)
12747 <-> WEB-CLIENT BitDefender Online Scanner ActiveX clsid access (web-client.rules)
12748 <-> WEB-CLIENT BitDefender Online Scanner ActiveX clsid unicode access (web-client.rules)
12749 <-> WEB-CLIENT BitDefender Online Scanner ActiveX function call access (web-client.rules)
12750 <-> WEB-CLIENT BitDefender Online Scanner ActiveX function call unicode access (web-client.rules)
12751 <-> WEB-CLIENT RichFX Basic Player ActiveX clsid access (web-client.rules)
12752 <-> WEB-CLIENT RichFX Basic Player ActiveX clsid unicode access (web-client.rules)
12753 <-> WEB-CLIENT RichFX Basic Player ActiveX function call access (web-client.rules)
12754 <-> WEB-CLIENT RichFX Basic Player ActiveX function call unicode access (web-client.rules)
12755 <-> WEB-CLIENT PPStream PowerList ActiveX clsid access (web-client.rules)
12756 <-> WEB-CLIENT PPStream PowerList ActiveX clsid unicode access (web-client.rules)
12757 <-> WEB-CLIENT Apple Quicktime uncompressed PICT stack overflow attempt (web-client.rules)
12758 <-> SPYWARE-PUT Keylogger/RAT digi watcher 2.32 runtime detection (spyware-put.rules)
12759 <-> SPYWARE-PUT Keylogger/RAT digi watcher 2.32 runtime detection (spyware-put.rules)
12760 <-> SPYWARE-PUT Keylogger powered Keylogger 2.2 runtime detection (spyware-put.rules)
12761 <-> SPYWARE-PUT Keylogger powered Keylogger 2.2 runtime detection (spyware-put.rules)
12762 <-> WEB-CLIENT Yahoo Toolbar Helper Class ActiveX clsid access (web-client.rules)
12763 <-> WEB-CLIENT Yahoo Toolbar Helper Class ActiveX clsid unicode access (web-client.rules)
12764 <-> WEB-CLIENT Yahoo Toolbar Helper Class ActiveX function call access (web-client.rules)
12765 <-> WEB-CLIENT Yahoo Toolbar Helper Class ActiveX function call unicode access (web-client.rules)
12766 <-> WEB-CLIENT RealPlayer RMOC3260.DLL ActiveX clsid access (web-client.rules)
12767 <-> WEB-CLIENT RealPlayer RMOC3260.DLL ActiveX clsid unicode access (web-client.rules)
12768 <-> WEB-CLIENT RealPlayer RMOC3260.DLL ActiveX function call access (web-client.rules)
12769 <-> WEB-CLIENT RealPlayer RMOC3260.DLL ActiveX function call unicode access (web-client.rules)
12770 <-> SPECIFIC-THREATS obfuscated RDS.Dataspace ActiveX exploit attempt (specific-threats.rules)
12771 <-> SPECIFIC-THREATS obfuscated BaoFeng Storm MPS.dll ActiveX exploit attempt (specific-threats.rules)
12772 <-> SPECIFIC-THREATS obfuscated PPStream PowerPlayer ActiveX exploit attempt (specific-threats.rules)
12773 <-> SPECIFIC-THREATS obfuscated Xunlei Thunder PPLAYER.DLL ActiveX exploit attempt (specific-threats.rules)
12774 <-> SPECIFIC-THREATS obfuscated GlobalLink ConnectAndEnterRoom ActiveX exploit attempt (specific-threats.rules)
12775 <-> SPECIFIC-THREATS obfuscated RealPlayer Ierpplug.dll ActiveX exploit attempt (specific-threats.rules)
12776 <-> DELETED WEB-CLIENT Aurigma Image Uploader ActiveX clsid access (deleted.rules)
12777 <-> DELETED WEB-CLIENT Aurigma Image Uploader ActiveX clsid unicode access (deleted.rules)
12778 <-> DELETED WEB-CLIENT Aurigma Image Uploader ActiveX function call access (deleted.rules)
12779 <-> DELETED WEB-CLIENT Aurigma Image Uploader ActiveX function call unicode access (deleted.rules)
12780 <-> WEB-CLIENT Aurigma Image Uploader ActiveX clsid access (web-client.rules)
12781 <-> WEB-CLIENT Aurigma Image Uploader ActiveX clsid unicode access (web-client.rules)
12782 <-> WEB-CLIENT Aurigma Image Uploader ActiveX function call access (web-client.rules)
12783 <-> WEB-CLIENT Aurigma Image Uploader ActiveX function call unicode access (web-client.rules)
12784 <-> EXPLOIT CA ARCserve Backup for Laptops rsxGetBackupLog second argument overflow (exploit.rules)
12785 <-> EXPLOIT CA ARCserve Backup for Laptops rsxGetBackupComplete overflow attemp (exploit.rules)
12786 <-> EXPLOIT CA ARCserve Backup for Laptops rsxSetDataGrowthScheduleAndFilter overflow attempt (exploit.rules)
12787 <-> EXPLOIT CA ARCserve Backup for Laptops rsxSetDefaultConfigName overflow attempt (exploit.rules)
12788 <-> EXPLOIT CA ARCserve Backup for Laptops rsxSetDefaultConfigName overflow attempt (exploit.rules)

Updated rules:
5804 <-> DELETED SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar runtime detection - ads (deleted.rules)
5931 <-> DELETED SPYWARE-PUT Adware cashbar runtime detection - stats track 1 (deleted.rules)
8711 <-> WEB-MISC Novell eDirectory HTTP redirection buffer overflow attempt (web-misc.rules)
10192 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid access (web-client.rules)
10193 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode access (web-client.rules)
10194 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call access (web-client.rules)
12388 <-> WEB-CLIENT PPStream PowerPlayer ActiveX clsid access (web-client.rules)
12389 <-> WEB-CLIENT PPStream PowerPlayer ActiveX clsid unicode access (web-client.rules)
12434 <-> WEB-CLIENT BaoFeng Storm MPS.dll ActiveX clsid access (web-client.rules)
12435 <-> WEB-CLIENT BaoFeng Storm MPS.dll ActiveX clsid unicode access (web-client.rules)
12663 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode access (web-client.rules)
12668 <-> DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid vulnerable function access (deleted.rules)
12669 <-> DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode vulnerable function access (deleted.rules)
12670 <-> DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call vulnerable function access (deleted.rules)
12671 <-> DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode vulnerable function access (deleted.rules)
12689 <-> WEB-CLIENT GlobalLink ConnectAndEnterRoom ActiveX clsid access (web-client.rules)
12690 <-> WEB-CLIENT GlobalLink ConnectAndEnterRoom ActiveX clsid unicode access (web-client.rules)
12723 <-> SPYWARE-PUT Trackware winzix 2.2.0 runtime detection (spyware-put.rules)
12737 <-> WEB-CLIENT Xunlei Thunder PPLAYER.DLL ActiveX clsid access (web-client.rules)
12738 <-> WEB-CLIENT Xunlei Thunder PPLAYER.DLL ActiveX clsid unicode access (web-client.rules)
12739 <-> WEB-CLIENT Xunlei Thunder PPLAYER.DLL ActiveX function call access (web-client.rules)
12740 <-> WEB-CLIENT Xunlei Thunder PPLAYER.DLL ActiveX function call unicode access (web-client.rules)
12741 <-> EXPLOIT Apple Quicktime TCP RTSP sdp type buffer overflow attempt (exploit.rules)
