Sourcefire VRT Rules Update
Date: 2007-10-26
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.
The format of the file is:
sid - Message (rule group)
New rules:
12672 <-> SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - get ads (spyware-put.rules)
12673 <-> SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - collect information (spyware-put.rules)
12674 <-> SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - track activity (spyware-put.rules)
12675 <-> BACKDOOR Versi TheTheef Detection (backdoor.rules)
12676 <-> SPYWARE-PUT Conspy Update Checking Detected (spyware-put.rules)
12677 <-> SPYWARE-PUT Adware ISTBar runtime detection - softwares (spyware-put.rules)
12678 <-> SPYWARE-PUT SpyTech Realtime Spy Detection (spyware-put.rules)
12679 <-> SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar user-agent detection (spyware-put.rules)
12680 <-> VOIP-SIP Via Header Hostname Buffer Overflow Attempt - TCP (voip.rules)
12681 <-> VOIP-SIP SIP URI Possible Overflow (voip.rules)
12682 <-> VOIP-SIP From header field buffer overflow attempt - TCP (voip.rules)
12683 <-> VOIP-SIP From header field buffer overflow attempt - UDP (voip.rules)
12684 <-> BACKDOOR Sygate Remote Administration Engine (backdoor.rules)
12685 <-> EXPLOIT IBM Tivoli Storage Manger Express CAD Host buffer overflow (exploit.rules)
12686 <-> POLICY AIM Express Usage (policy.rules)
12687 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 url handling code execution attempt (web-client.rules)
12688 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 url handling code execution attempt (web-client.rules)

Updated rules:
238 <-> DDOS TFN server response (ddos.rules)
566 <-> POLICY PCAnywhere server response (policy.rules)
2332 <-> FTP MKD format string attempt (ftp.rules)
5806 <-> DELETED SPYWARE-PUT Hijacker searchmiracle-elitebar runtime detection (deleted.rules)
10192 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid access (web-client.rules)
10193 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode access (web-client.rules)
10194 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call access (web-client.rules)
11973 <-> VOIP-SIP Via Header Hostname Buffer Overflow Attempt (voip.rules)
11976 <-> VOIP-SIP Overflow In URI Type - SIP (voip.rules)
11977 <-> VOIP-SIP Overflow In URI Type - Tel (voip.rules)
11978 <-> VOIP-SIP From Header Field Buffer Overflow Attempt (voip.rules)
11980 <-> VOIP-SIP SDP Attribute Possible Buffer Overflow Attempt (voip.rules)
11981 <-> VOIP-SIP MultiTech INVITE Field Buffer Overflow Attempt (voip.rules)
11985 <-> VOIP-SIP Expires Header Overflow Attempt (voip.rules)
12113 <-> VOIP-SIP SIP URI Possible Overflow (voip.rules)
12167 <-> VOIP-SIP Multiple At Signs In SIP URI (voip.rules)
12488 <-> DELETED SPYWARE-PUT Adware adblaster 2.0 runtime detection (deleted.rules)
12643 <-> WEB-CLIENT URI External handler arbitrary command attempt (web-client.rules)
12663 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode access (web-client.rules)
12665 <-> EXPLOIT CA BrightStor LGSever username buffer overflow attempt (exploit.rules)
12668 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid vulnerable function access (web-client.rules)
12669 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode vulnerable function access (web-client.rules)
12670 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call vulnerable function access (web-client.rules)
12671 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode vulnerable function access (web-client.rules)
