Sourcefire VRT Rules Update
Date: 2007-11-06
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.
The format of the file is:
sid <-> Message (rule group)
New rules:
12672 <-> SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - get ads (spyware-put.rules)
12673 <-> SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - collect information (spyware-put.rules)
12674 <-> SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - track activity (spyware-put.rules)
12675 <-> BACKDOOR Versi TheTheef Detection (backdoor.rules)
12676 <-> SPYWARE-PUT Conspy Update Checking Detected (spyware-put.rules)
12677 <-> SPYWARE-PUT Adware ISTBar runtime detection - softwares (spyware-put.rules)
12678 <-> SPYWARE-PUT SpyTech Realtime Spy Detection (spyware-put.rules)
12679 <-> SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar user-agent detection (spyware-put.rules)
12680 <-> VOIP-SIP Via Header Hostname Buffer Overflow Attempt - TCP (voip.rules)
12681 <-> VOIP-SIP SIP URI Possible Overflow (voip.rules)
12682 <-> VOIP-SIP From header field buffer overflow attempt - TCP (voip.rules)
12683 <-> VOIP-SIP From header field buffer overflow attempt - UDP (voip.rules)
12684 <-> BACKDOOR Sygate Remote Administration Engine (backdoor.rules)
12685 <-> EXPLOIT IBM Tivoli Storage Manger Express CAD Host buffer overflow (exploit.rules)
12686 <-> POLICY AIM Express Usage (policy.rules)
12687 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 url handling code execution attempt (web-client.rules)
12688 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 url handling code execution attempt (web-client.rules)
12689 <-> WEB-CLIENT GlobalLink ConnectAndEnterRoom ActiveX clsid access (web-client.rules)
12690 <-> WEB-CLIENT GlobalLink ConnectAndEnterRoom ActiveX clsid unicode access (web-client.rules)
12691 <-> P2P Outbound Joltid PeerEnabler traffic detected (p2p.rules)
12693 <-> SPYWARE-PUT Hijacker personalweb runtime detection (spyware-put.rules)
12694 <-> SPYWARE-PUT Adware avsystemcare runtime detection (spyware-put.rules)
12695 <-> SPYWARE-PUT Adware coopen 3.6.1 runtime detection - initial connection (spyware-put.rules)
12696 <-> SPYWARE-PUT Adware coopen 3.6.1 runtime detection - automatic upgrade (spyware-put.rules)
12697 <-> SPYWARE-PUT Trackware browser accelerator runtime detection - pass user information to server (spyware-put.rules)
12698 <-> SPYWARE-PUT Keylogger net vizo 5.2 runtime detection (spyware-put.rules)
12699 <-> BACKDOOR poison ivy 2.3.0 runtime detection - init connection (backdoor.rules)
12700 <-> BACKDOOR poison ivy 2.3.0 runtime detection - init connection (backdoor.rules)
12701 <-> BACKDOOR poison ivy 2.3.0 runtime detection - server connection (backdoor.rules)
12702 <-> BACKDOOR poison ivy 2.3.0 runtime detection - server connection (backdoor.rules)
12703 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX function call unicode access (web-client.rules)
12704 <-> SMTP Lotus Notes MIF viewer MIFFILE comment overflow (smtp.rules)
12705 <-> SMTP Lotus Notes MIF viewer statement overflow (smtp.rules)
12706 <-> SMTP Lotus Notes MIF viewer statement data overflow (smtp.rules)

Updated rules:
117 <-> BACKDOOR Infector.1.x (backdoor.rules)
238 <-> DDOS TFN server response (ddos.rules)
305 <-> EXPLOIT delegate proxy overflow (exploit.rules)
566 <-> POLICY PCAnywhere server response (policy.rules)
879 <-> WEB-CGI admin.pl access (web-cgi.rules)
955 <-> WEB-FRONTPAGE access.cnf access (web-frontpage.rules)
958 <-> WEB-FRONTPAGE service.cnf access (web-frontpage.rules)
961 <-> WEB-FRONTPAGE services.cnf access (web-frontpage.rules)
963 <-> WEB-FRONTPAGE svcacl.cnf access (web-frontpage.rules)
965 <-> WEB-FRONTPAGE writeto.cnf access (web-frontpage.rules)
977 <-> WEB-IIS .cnf access (web-iis.rules)
1087 <-> DELETED WEB-MISC whisker tab splice attack (deleted.rules)
1171 <-> DELETED WEB-MISC whisker HEAD with large datagram (deleted.rules)
1253 <-> TELNET bsd exploit client finishing (telnet.rules)
1261 <-> EXPLOIT AIX pdnsd overflow (exploit.rules)
1408 <-> DOS MSDTC attempt (dos.rules)
1636 <-> MISC Xtramail Username overflow attempt (misc.rules)
1751 <-> EXPLOIT cachefsd buffer overflow attempt (exploit.rules)
1756 <-> WEB-IIS NewsPro administration authentication attempt (web-iis.rules)
1987 <-> MISC xfs overflow attempt (misc.rules)
2126 <-> MISC Microsoft PPTP Start Control Request buffer overflow attempt (misc.rules)
2332 <-> FTP MKD format string attempt (ftp.rules)
2417 <-> FTP format string attempt (ftp.rules)
3074 <-> IMAP subscribe overflow attempt (imap.rules)
5806 <-> DELETED SPYWARE-PUT Hijacker searchmiracle-elitebar runtime detection (deleted.rules)
6469 <-> EXPLOIT RealVNC connection attempt (exploit.rules)
6470 <-> EXPLOIT RealVNC authentication types sent attempt (exploit.rules)
8738 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX clsid access (web-client.rules)
8739 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX clsid unicode access (web-client.rules)
8740 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX function call access (web-client.rules)
10192 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid access (web-client.rules)
10193 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode access (web-client.rules)
10194 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call access (web-client.rules)
11973 <-> VOIP-SIP Via Header Hostname Buffer Overflow Attempt (voip.rules)
11976 <-> VOIP-SIP Overflow In URI Type - SIP (voip.rules)
11977 <-> VOIP-SIP Overflow In URI Type - Tel (voip.rules)
11978 <-> VOIP-SIP From Header Field Buffer Overflow Attempt (voip.rules)
11980 <-> VOIP-SIP SDP Attribute Possible Buffer Overflow Attempt (voip.rules)
11981 <-> VOIP-SIP MultiTech INVITE Field Buffer Overflow Attempt (voip.rules)
11985 <-> VOIP-SIP Expires Header Overflow Attempt (voip.rules)
12113 <-> VOIP-SIP SIP URI Possible Overflow (voip.rules)
12167 <-> VOIP-SIP Multiple At Signs In SIP URI (voip.rules)
12488 <-> DELETED SPYWARE-PUT Adware adblaster 2.0 runtime detection (deleted.rules)
12643 <-> WEB-CLIENT URI External handler arbitrary command attempt (web-client.rules)
12663 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode access (web-client.rules)
12665 <-> EXPLOIT CA BrightStor LGSever username buffer overflow attempt (exploit.rules)
12668 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid vulnerable function access (web-client.rules)
12669 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode vulnerable function access (web-client.rules)
12670 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call vulnerable function access (web-client.rules)
12671 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode vulnerable function access (web-client.rules)
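The "sid <-> Message (rule group)" format above is easy to parse, and doing so is the quickest way to see what an update actually changes on a sensor: which SIDs are brand new, which were retired into deleted.rules, how the changes spread across rule classes, and which entries share an identical message string. The script below is an added example written for this page, not a Sourcefire VRT tool; SAMPLE_UPDATE is an excerpt of this announcement, and the function and class names (parse_update, RuleEntry, retired_sids, count_by_category, shared_messages) are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# One announcement entry: "sid <-> MESSAGE (group.rules)".  The message is
# matched lazily so the trailing "(group.rules)" is taken as the rule file
# and never swallowed into the message text.
ENTRY_RE = re.compile(r"^(\d+)\s*<->\s*(.+?)\s*\(([^()\s]+\.rules)\)$")

# Section headers exactly as the announcement prints them (case-insensitive).
SECTION_HEADERS = {"new rules:": "new", "updated rules:": "updated"}

# Constructed sample: an excerpt of the 2007-11-06 announcement above.
SAMPLE_UPDATE = """\
Sourcefire VRT Rules Update
Date: 2007-11-06
New rules:
12680 <-> VOIP-SIP Via Header Hostname Buffer Overflow Attempt - TCP (voip.rules)
12687 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 url handling code execution attempt (web-client.rules)
12688 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 url handling code execution attempt (web-client.rules)
12704 <-> SMTP Lotus Notes MIF viewer MIFFILE comment overflow (smtp.rules)
Updated rules:
1087 <-> DELETED WEB-MISC whisker tab splice attack (deleted.rules)
5806 <-> DELETED SPYWARE-PUT Hijacker searchmiracle-elitebar runtime detection (deleted.rules)
11973 <-> VOIP-SIP Via Header Hostname Buffer Overflow Attempt (voip.rules)
"""


@dataclass(frozen=True)
class RuleEntry:
    sid: int
    message: str
    group: str  # rule file the SID now lives in, e.g. "voip.rules"

    @property
    def retired(self) -> bool:
        # VRT retires a rule by moving it to deleted.rules and prefixing the
        # message with "DELETED"; accept either signal.
        return self.group == "deleted.rules" or self.message.startswith("DELETED ")

    @property
    def category(self) -> str:
        # The first message token is the rule class (VOIP-SIP, WEB-CLIENT, ...).
        # For retired rules skip the DELETED marker to recover the original class.
        tokens = self.message.split()
        if len(tokens) > 1 and tokens[0] == "DELETED":
            return tokens[1]
        return tokens[0] if tokens else ""


def parse_update(text: str) -> Dict[str, List[RuleEntry]]:
    """Split an announcement into {"new": [...], "updated": [...]}.
    Header lines and anything not matching ENTRY_RE are ignored."""
    sections: Dict[str, List[RuleEntry]] = {"new": [], "updated": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = SECTION_HEADERS.get(line.lower())
        if key is not None:
            current = key
            continue
        m = ENTRY_RE.match(line)
        if current is not None and m:
            sections[current].append(RuleEntry(int(m.group(1)), m.group(2), m.group(3)))
    return sections


def retired_sids(sections: Dict[str, List[RuleEntry]]) -> List[int]:
    """SIDs this update moves into deleted.rules (sorted)."""
    return sorted(e.sid for entries in sections.values() for e in entries if e.retired)


def count_by_category(sections: Dict[str, List[RuleEntry]]) -> Dict[str, int]:
    """Number of new+updated entries per rule class, keys sorted."""
    counts: Dict[str, int] = {}
    for entries in sections.values():
        for e in entries:
            counts[e.category] = counts.get(e.category, 0) + 1
    return dict(sorted(counts.items()))


def shared_messages(sections: Dict[str, List[RuleEntry]]) -> Dict[str, List[int]]:
    """Message strings used by more than one SID (e.g. TCP/UDP variants)."""
    by_msg: Dict[str, List[int]] = {}
    for entries in sections.values():
        for e in entries:
            by_msg.setdefault(e.message, []).append(e.sid)
    return {msg: sorted(sids) for msg, sids in by_msg.items() if len(sids) > 1}


if __name__ == "__main__":
    parsed = parse_update(SAMPLE_UPDATE)
    print("new:", len(parsed["new"]), "updated:", len(parsed["updated"]))
    print("retired:", retired_sids(parsed))
    print("by class:", count_by_category(parsed))
    print("shared messages:", shared_messages(parsed))
```

The shared-message check is there because several pairs in this pack (12687/12688, 12699/12700, 12701/12702) carry identical msg strings; an alert pipeline that deduplicates or maps alerts by message text alone will silently merge them, so key on the SID (or gid:sid:rev) instead.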
