Sourcefire VRT Rules Update

Date: 2008-04-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.6.

The format of each entry below is:

sid <-> Message (rule group)

New rules:
13679 <-> WEB-CLIENT IBiz EBanking Integrator ActiveX clsid access (web-client.rules)
13680 <-> WEB-CLIENT IBiz EBanking Integrator ActiveX clsid unicode access (web-client.rules)
13681 <-> WEB-CLIENT CDNetworks Nefficient Download ActiveX clsid access (web-client.rules)
13682 <-> WEB-CLIENT CDNetworks Nefficient Download ActiveX clsid unicode access (web-client.rules)
13683 <-> WEB-CLIENT CDNetworks Nefficient Download ActiveX function call access (web-client.rules)
13684 <-> WEB-CLIENT CDNetworks Nefficient Download ActiveX function call unicode access (web-client.rules)
13685 <-> WEB-CLIENT Chilkat HTTP 1 ActiveX clsid access (web-client.rules)
13686 <-> WEB-CLIENT Chilkat HTTP 1 ActiveX clsid unicode access (web-client.rules)
13687 <-> WEB-CLIENT Chilkat HTTP 1 ActiveX function call access (web-client.rules)
13688 <-> WEB-CLIENT Chilkat HTTP 1 ActiveX function call unicode access (web-client.rules)
13689 <-> WEB-CLIENT Chilkat HTTP 2 ActiveX clsid access (web-client.rules)
13690 <-> WEB-CLIENT Chilkat HTTP 2 ActiveX clsid unicode access (web-client.rules)
13691 <-> WEB-CLIENT Chilkat HTTP 2 ActiveX function call access (web-client.rules)
13692 <-> WEB-CLIENT Chilkat HTTP 2 ActiveX function call unicode access (web-client.rules)
13693 <-> VOIP-SIP invalid RTP payload type - possible Asterisk memory overwrite (voip.rules)
13694 <-> EXPLOIT RealNetworks Helix RTSP long get request exploit attempt (exploit.rules)
13695 <-> EXPLOIT RealNetworks Helix RTSP long setup request exploit attempt (exploit.rules)
13696 <-> POLICY TOR proxy connection initiation (policy.rules)
13697 <-> POLICY TOR proxy connection initiation alternate port (policy.rules)
13698 <-> POLICY TOR proxy connection initiation second alternate port (policy.rules)
13699 <-> WEB-CLIENT CA DSM gui_cm_ctrls ActiveX clsid access (web-client.rules)
13700 <-> WEB-CLIENT CA DSM gui_cm_ctrls ActiveX clsid unicode access (web-client.rules)
13709 <-> MYSQL yaSSL SSLv2 Server_Hello request (mysql.rules)
13710 <-> MYSQL yaSSL TLSv1 Server_Hello request (mysql.rules)
13711 <-> MYSQL yaSSL SSLv2 Client Hello Message Cipher Length Buffer Overflow attempt (mysql.rules)
13712 <-> MYSQL yaSSL SSLv2 Client Hello Message Session ID Buffer Overflow attempt (mysql.rules)
13713 <-> MYSQL yaSSL SSLv2 Client Hello Message Challenge Buffer Overflow attempt (mysql.rules)
13714 <-> MYSQL yaSSL SSLv3 Client Hello Message Cipher Specs Buffer Overflow attempt (mysql.rules)
13715 <-> WEB-MISC HP OpenView Network Node Manager HTTP Handling buffer overflow attempt (web-misc.rules)

Updated rules:
1054 <-> WEB-MISC weblogic/tomcat .jsp view source attempt (web-misc.rules)
1859 <-> WEB-MISC Sun JavaServer default password login attempt (web-misc.rules)
3076 <-> IMAP UNSUBSCRIBE overflow attempt (imap.rules)
5947 <-> SPYWARE-PUT Adware weirdontheweb runtime detection - log url (spyware-put.rules)
7177 <-> SPYWARE-PUT Keylogger ab system spy runtime detection - info send through email (spyware-put.rules)
7184 <-> SPYWARE-PUT Keylogger 007 spy software runtime detection - smtp (spyware-put.rules)
7541 <-> SPYWARE-PUT Keylogger starlogger runtime detection (spyware-put.rules)
9343 <-> SPECIFIC-THREATS kadra smtp propagation detection (specific-threats.rules)
10506 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
10507 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
10508 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
10509 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
10510 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
10511 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
10512 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
10513 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
11687 <-> WEB-MISC Apache SSI error page cross-site scripting (web-misc.rules)
12421 <-> EXPLOIT RealNetworks Helix RTSP long transport header (exploit.rules)
12422 <-> EXPLOIT RealNetworks Helix RTSP long describe request exploit attempt (exploit.rules)
13678 <-> Microsoft EMF metafile access detected (misc.rules)