Sourcefire VRT Rules Update

Date: 2008-03-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.6.

The format of the file is:

sid <-> Message (rule group)

New rules:
13586 <-> POLICY SSH server detected on non-standard port (policy.rules)
13587 <-> VOIP-SIP OPTIONS request missing RFC-mandated Via field (voip.rules)
13588 <-> VOIP-SIP OPTIONS request missing RFC-mandated Call-ID field (voip.rules)
13589 <-> VOIP-SIP OPTIONS request misplaced Via field - after terminating newline (voip.rules)
13590 <-> VOIP-SIP OPTIONS request misplaced Call-ID field - after terminating newline (voip.rules)
13591 <-> WEB-CGI Trend Micro OfficeScan CGI password decryption buffer overflow attempt (web-cgi.rules)
13592 <-> POLICY Inbound potentially malicious file download attempt (policy.rules)
13593 <-> SQL MySQL yaSSL SSL Hello Message Buffer Overflow attempt (sql.rules)
13594 <-> SPECIFIC-THREATS Microsoft Windows print spooler little endian DoS attempt (specific-threats.rules)
13595 <-> WEB-CLIENT ICQ Toolbar toolbaru.dll ActiveX clsid access (web-client.rules)
13596 <-> WEB-CLIENT ICQ Toolbar toolbaru.dll ActiveX clsid unicode access (web-client.rules)
13597 <-> WEB-CLIENT ICQ Toolbar toolbaru.dll ActiveX function call access (web-client.rules)
13598 <-> WEB-CLIENT ICQ Toolbar toolbaru.dll ActiveX function call unicode access (web-client.rules)
13599 <-> WEB-CLIENT Kingsoft Antivirus Online Update Module ActiveX clsid access (web-client.rules)
13600 <-> WEB-CLIENT Kingsoft Antivirus Online Update Module ActiveX clsid unicode access (web-client.rules)
13601 <-> WEB-CLIENT Kingsoft Antivirus Online Update Module ActiveX function call access (web-client.rules)
13602 <-> WEB-CLIENT Kingsoft Antivirus Online Update Module ActiveX function call unicode access (web-client.rules)
13603 <-> WEB-CLIENT RealPlayer Download Handler ActiveX function call access (web-client.rules)
13604 <-> WEB-CLIENT RealPlayer Download Handler ActiveX function call unicode access (web-client.rules)
13605 <-> WEB-CLIENT RealPlayer RAM Download Handler ActiveX function call access (web-client.rules)
13606 <-> WEB-CLIENT RealPlayer RAM Download Handler ActiveX function call unicode access (web-client.rules)
13607 <-> WEB-CLIENT RealPlayer RMOC3260.DLL Vulnerble Property ActiveX clsid access (web-client.rules)
13608 <-> WEB-CLIENT RealPlayer RMOC3260.DLL Vulnerble Property ActiveX clsid unicode access (web-client.rules)
13609 <-> WEB-CLIENT RealPlayer RMOC3260.DLL Vulnerble Property ActiveX function call access (web-client.rules)
13610 <-> WEB-CLIENT RealPlayer RMOC3260.DLL Vulnerble Property ActiveX function call unicode access (web-client.rules)
13611 <-> EXPLOIT RealVNC client response (exploit.rules)
13612 <-> EXPLOIT RealVNC server authentication bypass attempt (exploit.rules)
13613 <-> SPECIFIC-THREATS Solaris username overflow authentication bypass attempt (specific-threats.rules)
13614 <-> EXPLOIT CVS Argument overflow attempt (exploit.rules)
13615 <-> EXPLOIT CVS Argument overflow attempt (exploit.rules)
13616 <-> SPECIFIC-THREATS CVS Argument overflow (specific-threats.rules)
13617 <-> SPECIFIC-THREATS Oracle database version 8 username buffer overflow attempt (specific-threats.rules)
13618 <-> SPECIFIC-THREATS Oracle database version 9 username buffer overflow attempt (specific-threats.rules)
13619 <-> SPECIFIC-THREATS Microsoft getBulkRequest memory corruption attempt (specific-threats.rules)
13620 <-> SPECIFIC-THREAT CA Brightstor discovery service alternate buffer overflow attempt (specific-threats.rules)
13621 <-> WEB-CLIENT CA BrightStor ListCtrl ActiveX clsid access (web-client.rules)
13622 <-> WEB-CLIENT CA BrightStor ListCtrl ActiveX clsid unicode access (web-client.rules)
13623 <-> WEB-CLIENT CA BrightStor ListCtrl ActiveX function call access (web-client.rules)
13624 <-> WEB-CLIENT CA BrightStor ListCtrl ActiveX function call unicode access (web-client.rules)
13625 <-> BACKDOOR MBR rootkit HTTP POST activity detected (backdoor.rules)
13627 <-> WEB-CLIENT Microsoft Access file download request (web-client.rules)
13628 <-> WEB-CLIENT Microsoft Access file download request (web-client.rules)
13631 <-> MISC McAfee ePolicy Orchestrator Framework Services log handling format string attempt (misc.rules)
13632 <-> WEB-CLIENT Zango adware installation request (web-client.rules)

Updated rules:
2066 <-> WEB-MISC Lotus Notes .pl script source download attempt (web-misc.rules)
7972 <-> DELETED WEB-CLIENT RealPlayer G2 Control ActiveX CLSID access (deleted.rules)
7973 <-> DELETED WEB-CLIENT RealPlayer G2 Control ActiveX CLSID unicode access (deleted.rules)
8377 <-> WEB-CLIENT RealPlayer Download Handler ActiveX clsid access (web-client.rules)
8378 <-> WEB-CLIENT RealPlayer Download Handler ActiveX clsid unicode access (web-client.rules)
8383 <-> WEB-CLIENT RealPlayer RAM Download Handler ActiveX clsid access (web-client.rules)
8384 <-> WEB-CLIENT RealPlayer RAM Download Handler ActiveX clsid unicode access (web-client.rules)
12277 <-> EXPLOIT Microsoft IE CSS memory corruption exploit (exploit.rules)
12766 <-> WEB-CLIENT RealPlayer RMOC3260.DLL ActiveX clsid access (web-client.rules)
12767 <-> WEB-CLIENT RealPlayer RMOC3260.DLL ActiveX clsid unicode access (web-client.rules)
12768 <-> WEB-CLIENT RealPlayer RMOC3260.DLL ActiveX function call access (web-client.rules)
12769 <-> WEB-CLIENT RealPlayer RMOC3260.DLL ActiveX function call unicode access (web-client.rules)
13419 <-> WEB-CLIENT Facebook Photo Uploader ActiveX clsid access (web-client.rules)
13420 <-> WEB-CLIENT Facebook Photo Uploader ActiveX clsid unicode access (web-client.rules)
13421 <-> WEB-CLIENT Facebook Photo Uploader ActiveX function call access (web-client.rules)
13422 <-> WEB-CLIENT Facebook Photo Uploader ActiveX function call unicode access (web-client.rules)
13551 <-> ORACLE Oracle XDB.XDB_PITRIG_PKG sql injection attempt (oracle.rules)