Sourcefire VRT Rules Update
Date: 2008-08-19
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.6.
The format of the file is:
sid - Message (rule group)
New rules:
13987 <-> SQL oversized convert statement - possible sql injection obfuscation (sql.rules)
13988 <-> SQL large number of calls to ascii function - possible sql injection obfuscation (sql.rules)
13989 <-> SQL large number of calls to char function - possible sql injection obfuscation (sql.rules)
13990 <-> SQL union select - possible sql injection attempt (sql.rules)
13991 <-> SQL xp_regaddmultistring attempt (sql.rules)
13992 <-> SQL xp_regdeletevalue attempt (sql.rules)
13993 <-> SQL xp_regenumkeys attempt (sql.rules)
13994 <-> SQL xp_regenumvalues attempt (sql.rules)
13995 <-> SQL xp_regremovemultistring attempt (sql.rules)
13996 <-> SQL xp_servicecontrol attempt (sql.rules)
13997 <-> SQL xp_loginconfig attempt (sql.rules)
13998 <-> SQL xp_terminate_process attempt (sql.rules)
14008 <-> SQL large number of calls to concat function - possible sql injection obfuscation (sql.rules)
14013 <-> WEB-CLIENT WebEx Meeting Manager atucfobj ActiveX clsid access (web-client.rules)
14014 <-> WEB-CLIENT WebEx Meeting Manager atucfobj ActiveX clsid unicode access (web-client.rules)
14015 <-> WEB-CLIENT WebEx Meeting Manager atucfobj ActiveX function call access (web-client.rules)
14016 <-> WEB-CLIENT WebEx Meeting Manager atucfobj ActiveX function call unicode access (web-client.rules)
14017 <-> WEB-CLIENT MPEG Layer 3 playlist file download (web-client.rules)
14018 <-> WEB-CLIENT PLS multimedia playlist file download (web-client.rules)
14019 <-> WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt (web-client.rules)
14020 <-> WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt (web-client.rules)
14021 <-> WEB-CLIENT Microsoft Visual Studio Msmask32 ActiveX clsid access (web-client.rules)
14022 <-> WEB-CLIENT Microsoft Visual Studio Msmask32 ActiveX clsid unicode access (web-client.rules)
14023 <-> WEB-CLIENT Microsoft Visual Studio Msmask32 ActiveX function call access (web-client.rules)
14024 <-> WEB-CLIENT Microsoft Visual Studio Msmask32 ActiveX function call unicode access (web-client.rules)
14025 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX clsid access (web-client.rules)
14026 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX clsid unicode access (web-client.rules)
14027 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX function call access (web-client.rules)
14028 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX function call unicode access (web-client.rules)
14029 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX clsid access (web-client.rules)
14030 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX clsid unicode access (web-client.rules)
14031 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX function call access (web-client.rules)
14032 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX function call unicode access (web-client.rules)
14033 <-> WEB-CLIENT Orbit Downloader ActiveX clsid access (web-client.rules)
14034 <-> WEB-CLIENT Orbit Downloader ActiveX clsid unicode access (web-client.rules)
14035 <-> WEB-CLIENT Orbit Downloader ActiveX function call access (web-client.rules)
14036 <-> WEB-CLIENT Orbit Downloader ActiveX function call unicode access (web-client.rules)
14037 <-> WEB-CLIENT Novell iPrint ActiveX operation or printer-url parameter overflow attempt (web-client.rules)
14038 <-> WEB-CLIENT Novell iPrint ActiveX target-frame parameter overflow attempt (web-client.rules)

Updated rules:
1057 <-> SQL ftp attempt (sql.rules)
1058 <-> SQL xp_enumdsn attempt (sql.rules)
1059 <-> SQL xp_filelist attempt (sql.rules)
1060 <-> SQL xp_availablemedia attempt (sql.rules)
1061 <-> SQL xp_cmdshell attempt (sql.rules)
1069 <-> SQL xp_regread attempt (sql.rules)
1077 <-> SQL queryhit.htm access (sql.rules)
1078 <-> SQL counter.exe access (sql.rules)
1524 <-> WEB-MISC Axis Storpoint CD attempt (web-misc.rules)
1631 <-> CHAT AIM login (chat.rules)
1633 <-> CHAT AIM receive message (chat.rules)
5740 <-> WEB-CLIENT Microsoft HTML help workshop file .hhp download attempt (web-client.rules)
