Sourcefire VRT Rules Update

Date: 2007-11-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.

The format of the file is:

sid - Message (rule group)

New rules:
12672 <-> SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - get ads (spyware-put.rules)
12673 <-> SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - collect information (spyware-put.rules)
12674 <-> SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - track activity (spyware-put.rules)
12675 <-> BACKDOOR Versi TheTheef Detection (backdoor.rules)
12676 <-> SPYWARE-PUT Conspy Update Checking Detected (spyware-put.rules)
12677 <-> SPYWARE-PUT Adware ISTBar runtime detection - softwares (spyware-put.rules)
12678 <-> SPYWARE-PUT SpyTech Realtime Spy Detection (spyware-put.rules)
12679 <-> SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar user-agent detection (spyware-put.rules)
12680 <-> VOIP-SIP Via Header Hostname Buffer Overflow Attempt - TCP (voip.rules)
12681 <-> VOIP-SIP SIP URI Possible Overflow (voip.rules)
12682 <-> VOIP-SIP From header field buffer overflow attempt - TCP (voip.rules)
12683 <-> VOIP-SIP From header field buffer overflow attempt - UDP (voip.rules)
12684 <-> BACKDOOR Sygate Remote Administration Engine (backdoor.rules)
12685 <-> EXPLOIT IBM Tivoli Storage Manger Express CAD Host buffer overflow (exploit.rules)
12686 <-> POLICY AIM Express Usage (policy.rules)
12687 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 url handling code execution attempt (web-client.rules)
12688 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 url handling code execution attempt (web-client.rules)
12689 <-> WEB-CLIENT GlobalLink ConnectAndEnterRoom ActiveX clsid access (web-client.rules)
12690 <-> WEB-CLIENT GlobalLink ConnectAndEnterRoom ActiveX clsid unicode access (web-client.rules)
12691 <-> P2P Outbound Joltid PeerEnabler traffic detected (p2p.rules)
12693 <-> SPYWARE-PUT Hijacker personalweb runtime detection (spyware-put.rules)
12694 <-> SPYWARE-PUT Adware avsystemcare runtime detection (spyware-put.rules)
12695 <-> SPYWARE-PUT Adware coopen 3.6.1 runtime detection - initial connection (spyware-put.rules)
12696 <-> SPYWARE-PUT Adware coopen 3.6.1 runtime detection - automatic upgrade (spyware-put.rules)
12697 <-> SPYWARE-PUT Trackware browser accelerator runtime detection - pass user information to server (spyware-put.rules)
12698 <-> SPYWARE-PUT Keylogger net vizo 5.2 runtime detection (spyware-put.rules)
12699 <-> BACKDOOR poison ivy 2.3.0 runtime detection - init connection (backdoor.rules)
12700 <-> BACKDOOR poison ivy 2.3.0 runtime detection - init connection (backdoor.rules)
12701 <-> BACKDOOR poison ivy 2.3.0 runtime detection - server connection (backdoor.rules)
12702 <-> BACKDOOR poison ivy 2.3.0 runtime detection - server connection (backdoor.rules)
12703 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX function call unicode access (web-client.rules)
12704 <-> SMTP Lotus Notes MIF viewer MIFFILE comment overflow (smtp.rules)
12705 <-> SMTP Lotus Notes MIF viewer statement overflow (smtp.rules)
12706 <-> SMTP Lotus Notes MIF viewer statement data overflow (smtp.rules)

Updated rules:
 117 <-> BACKDOOR Infector.1.x (backdoor.rules)
 238 <-> DDOS TFN server response (ddos.rules)
 305 <-> EXPLOIT delegate proxy overflow (exploit.rules)
 566 <-> POLICY PCAnywhere server response (policy.rules)
 879 <-> WEB-CGI admin.pl access (web-cgi.rules)
 955 <-> WEB-FRONTPAGE access.cnf access (web-frontpage.rules)
 958 <-> WEB-FRONTPAGE service.cnf access (web-frontpage.rules)
 961 <-> WEB-FRONTPAGE services.cnf access (web-frontpage.rules)
 963 <-> WEB-FRONTPAGE svcacl.cnf access (web-frontpage.rules)
 965 <-> WEB-FRONTPAGE writeto.cnf access (web-frontpage.rules)
 977 <-> WEB-IIS .cnf access (web-iis.rules)
1087 <-> DELETED WEB-MISC whisker tab splice attack (deleted.rules)
1171 <-> DELETED WEB-MISC whisker HEAD with large datagram (deleted.rules)
1253 <-> TELNET bsd exploit client finishing (telnet.rules)
1261 <-> EXPLOIT AIX pdnsd overflow (exploit.rules)
1408 <-> DOS MSDTC attempt (dos.rules)
1636 <-> MISC Xtramail Username overflow attempt (misc.rules)
1751 <-> EXPLOIT cachefsd buffer overflow attempt (exploit.rules)
1756 <-> WEB-IIS NewsPro administration authentication attempt (web-iis.rules)
1987 <-> MISC xfs overflow attempt (misc.rules)
2126 <-> MISC Microsoft PPTP Start Control Request buffer overflow attempt (misc.rules)
2332 <-> FTP MKD format string attempt (ftp.rules)
2417 <-> FTP format string attempt (ftp.rules)
3074 <-> IMAP subscribe overflow attempt (imap.rules)
5806 <-> DELETED SPYWARE-PUT Hijacker searchmiracle-elitebar runtime detection (deleted.rules)
6469 <-> EXPLOIT RealVNC connection attempt (exploit.rules)
6470 <-> EXPLOIT RealVNC authentication types sent attempt (exploit.rules)
8738 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX clsid access (web-client.rules)
8739 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX clsid unicode access (web-client.rules)
8740 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX function call access (web-client.rules)
10192 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid access (web-client.rules)
10193 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode access (web-client.rules)
10194 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call access (web-client.rules)
11973 <-> VOIP-SIP Via Header Hostname Buffer Overflow Attempt (voip.rules)
11976 <-> VOIP-SIP Overflow In URI Type - SIP (voip.rules)
11977 <-> VOIP-SIP Overflow In URI Type - Tel (voip.rules)
11978 <-> VOIP-SIP From Header Field Buffer Overflow Attempt (voip.rules)
11980 <-> VOIP-SIP SDP Attribute Possible Buffer Overflow Attempt (voip.rules)
11981 <-> VOIP-SIP MultiTech INVITE Field Buffer Overflow Attempt (voip.rules)
11985 <-> VOIP-SIP Expires Header Overflow Attempt (voip.rules)
12113 <-> VOIP-SIP SIP URI Possible Overflow (voip.rules)
12167 <-> VOIP-SIP Multiple At Signs In SIP URI (voip.rules)
12488 <-> DELETED SPYWARE-PUT Adware adblaster 2.0 runtime detection (deleted.rules)
12643 <-> WEB-CLIENT URI External handler arbitrary command attempt (web-client.rules)
12663 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode access (web-client.rules)
12665 <-> EXPLOIT CA BrightStor LGSever username buffer overflow attempt (exploit.rules)
12668 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid vulnerable function access (web-client.rules)
12669 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode vulnerable function access (web-client.rules)
12670 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call vulnerable function access (web-client.rules)
12671 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode vulnerable function access (web-client.rules)