Sourcefire VRT Rules Update

Date: 2007-10-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.

The format of the file is:

sid <-> Message (rule group)

New rules:
12672 <-> SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - get ads (spyware-put.rules)
12673 <-> SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - collect information (spyware-put.rules)
12674 <-> SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - track activity (spyware-put.rules)
12675 <-> BACKDOOR Versi TheTheef Detection (backdoor.rules)
12676 <-> SPYWARE-PUT Conspy Update Checking Detected (spyware-put.rules)
12677 <-> SPYWARE-PUT Adware ISTBar runtime detection - softwares (spyware-put.rules)
12678 <-> SPYWARE-PUT SpyTech Realtime Spy Detection (spyware-put.rules)
12679 <-> SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar user-agent detection (spyware-put.rules)
12680 <-> VOIP-SIP Via Header Hostname Buffer Overflow Attempt - TCP (voip.rules)
12681 <-> VOIP-SIP SIP URI Possible Overflow (voip.rules)
12682 <-> VOIP-SIP From header field buffer overflow attempt - TCP (voip.rules)
12683 <-> VOIP-SIP From header field buffer overflow attempt - UDP (voip.rules)
12684 <-> BACKDOOR Sygate Remote Administration Engine (backdoor.rules)
12685 <-> EXPLOIT IBM Tivoli Storage Manger Express CAD Host buffer overflow (exploit.rules)
12686 <-> POLICY AIM Express Usage (policy.rules)
12687 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 url handling code execution attempt (web-client.rules)
12688 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 url handling code execution attempt (web-client.rules)

Updated rules:
 238 <-> DDOS TFN server response (ddos.rules)
 566 <-> POLICY PCAnywhere server response (policy.rules)
2332 <-> FTP MKD format string attempt (ftp.rules)
5806 <-> DELETED SPYWARE-PUT Hijacker searchmiracle-elitebar runtime detection (deleted.rules)
10192 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid access (web-client.rules)
10193 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode access (web-client.rules)
10194 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call access (web-client.rules)
11973 <-> VOIP-SIP Via Header Hostname Buffer Overflow Attempt (voip.rules)
11976 <-> VOIP-SIP Overflow In URI Type - SIP (voip.rules)
11977 <-> VOIP-SIP Overflow In URI Type - Tel (voip.rules)
11978 <-> VOIP-SIP From Header Field Buffer Overflow Attempt (voip.rules)
11980 <-> VOIP-SIP SDP Attribute Possible Buffer Overflow Attempt (voip.rules)
11981 <-> VOIP-SIP MultiTech INVITE Field Buffer Overflow Attempt (voip.rules)
11985 <-> VOIP-SIP Expires Header Overflow Attempt (voip.rules)
12113 <-> VOIP-SIP SIP URI Possible Overflow (voip.rules)
12167 <-> VOIP-SIP Multiple At Signs In SIP URI (voip.rules)
12488 <-> DELETED SPYWARE-PUT Adware adblaster 2.0 runtime detection (deleted.rules)
12643 <-> WEB-CLIENT URI External handler arbitrary command attempt (web-client.rules)
12663 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode access (web-client.rules)
12665 <-> EXPLOIT CA BrightStor LGSever username buffer overflow attempt (exploit.rules)
12668 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid vulnerable function access (web-client.rules)
12669 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode vulnerable function access (web-client.rules)
12670 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call vulnerable function access (web-client.rules)
12671 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode vulnerable function access (web-client.rules)