Sourcefire VRT Rules Update
Date: 2008-02-26
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.
The format of the file is:
sid <-> Message (rule group)
New rules:
13479 <-> SPYWARE-PUT Keylogger findnot guarddog 4.0 runtime detection (spyware-put.rules)
13480 <-> SPYWARE-PUT Keylogger findnot guarddog 4.0 runtime detection (spyware-put.rules)
13481 <-> SPYWARE-PUT Hijacker baidu toolbar runtime detection - hijacks search engine (spyware-put.rules)
13482 <-> SPYWARE-PUT Hijacker baidu toolbar runtime detection - discloses information (spyware-put.rules)
13483 <-> SPYWARE-PUT Hijacker baidu toolbar runtime detection - updates automatically (spyware-put.rules)
13484 <-> SPYWARE-PUT Hijacker baidu toolbar runtime detection - updates automatically (spyware-put.rules)
13485 <-> SPYWARE-PUT Hijacker sofa toolbar runtime detection - hijacks search engine (spyware-put.rules)
13486 <-> SPYWARE-PUT Hijacker sofa toolbar runtime detection - records search information (spyware-put.rules)
13487 <-> SPYWARE-PUT Adware elite protector runtime detection (spyware-put.rules)
13488 <-> SPYWARE-PUT Hijacker people pal toolbar runtime detection - automatic upgrade (spyware-put.rules)
13489 <-> SPYWARE-PUT Hijacker people pal toolbar runtime detection - traffic for searching (spyware-put.rules)
13490 <-> SPYWARE-PUT Adware spy shredder 2.1 runtime detection - presale request (spyware-put.rules)
13491 <-> SPYWARE-PUT Adware spy shredder 2.1 runtime detection - update (spyware-put.rules)
13492 <-> SPYWARE-PUT Hijacker deepdo toolbar runtime detection - redirects search engine (spyware-put.rules)
13493 <-> SPYWARE-PUT Hijacker deepdo toolbar runtime detection - automatic update (spyware-put.rules)
13494 <-> SPYWARE-PUT Keylogger smart pc Keylogger runtime detection (spyware-put.rules)
13495 <-> SPYWARE-PUT Hijacker ez-tracks toolbar runtime detection - initial traffic 1 (spyware-put.rules)
13496 <-> SPYWARE-PUT Hijacker ez-tracks toolbar runtime detection - initial traffic 2 (spyware-put.rules)
13497 <-> SPYWARE-PUT Hijacker ez-tracks toolbar runtime detection - tracking traffic (spyware-put.rules)
13498 <-> SPYWARE-PUT Hijacker hbtbar runtime detection - search traffic 1 (spyware-put.rules)
13499 <-> SPYWARE-PUT Hijacker hbtbar runtime detection - search traffic 2 (spyware-put.rules)
13500 <-> SPYWARE-PUT Hijacker hbtbar runtime detection - log information (spyware-put.rules)
13501 <-> SPYWARE-PUT Adware contravirus runtime detection - presale request (spyware-put.rules)
13502 <-> SPYWARE-PUT Adware contravirus runtime detection - update (spyware-put.rules)
13503 <-> SPYWARE-PUT Hijacker dealio toolbar runtime detection user-agent detected (spyware-put.rules)
13504 <-> SPYWARE-PUT Adware iedefender runtime detection - presale request (spyware-put.rules)
13505 <-> SPYWARE-PUT Adware iedefender runtime detection - update (spyware-put.rules)
13506 <-> BACKDOOR evilotus 1.3.2 runtime detection - init connection (backdoor.rules)
13507 <-> BACKDOOR evilotus 1.3.2 runtime detection - init connection (backdoor.rules)
13508 <-> BACKDOOR xploit 1.4.5 runtime detection (backdoor.rules)
13509 <-> BACKDOOR xploit 1.4.5 pc runtime detection (backdoor.rules)
13512 <-> SQL generic sql exec injection attempt (sql.rules)
13513 <-> SQL generic sql insert injection atttempt (sql.rules)
13514 <-> SQL generic sql update injection attempt (sql.rules)
13515 <-> WEB-CLIENT Quicktime user agent (web-client.rules)
13516 <-> WEB-CLIENT Quicktime HTTP error response buffer overflow (web-client.rules)
13517 <-> EXPLOIT Apple QTIF malformed idsc atom (exploit.rules)
13518 <-> DELETED WEB-CLIENT Internet Explorer malformed CSS memory corruption attempt (deleted.rules)
13519 <-> EXPLOIT Citrix MetaFrame IMA buffer overflow attempt (exploit.rules)
13520 <-> EXPLOIT Winamp uvox malicious metadata (exploit.rules)
13521 <-> EXPLOIT Winamp uvox malicious metadata (exploit.rules)
13522 <-> EXPLOIT Firebird Database Server username handling buffer overflow (exploit.rules)

Updated rules:
337 <-> FTP CEL overflow attempt (ftp.rules)
1379 <-> FTP STAT overflow attempt (ftp.rules)
1734 <-> FTP USER overflow attempt (ftp.rules)
1831 <-> WEB-MISC jigsaw dos attempt (web-misc.rules)
1904 <-> IMAP find overflow attempt (imap.rules)
1920 <-> FTP SITE NEWER overflow attempt (ftp.rules)
1971 <-> FTP SITE EXEC format string attempt (ftp.rules)
1972 <-> FTP PASS overflow attempt (ftp.rules)
1974 <-> FTP REST overflow attempt (ftp.rules)
1975 <-> FTP DELE overflow attempt (ftp.rules)
1976 <-> FTP RMD overflow attempt (ftp.rules)
2090 <-> WEB-IIS WEBDAV exploit attempt (web-iis.rules)
2272 <-> FTP LIST integer overflow attempt (ftp.rules)
2332 <-> FTP MKD format string attempt (ftp.rules)
2333 <-> FTP RENAME format string attempt (ftp.rules)
2334 <-> FTP Yak! FTP server default account login attempt (ftp.rules)
2338 <-> FTP LIST buffer overflow attempt (ftp.rules)
2340 <-> FTP SITE CHMOD overflow attempt (ftp.rules)
2343 <-> FTP STOR overflow attempt (ftp.rules)
2344 <-> FTP XCWD overflow attempt (ftp.rules)
2373 <-> FTP XMKD overflow attempt (ftp.rules)
2374 <-> FTP NLST overflow attempt (ftp.rules)
2389 <-> FTP RNTO overflow attempt (ftp.rules)
2390 <-> FTP STOU overflow attempt (ftp.rules)
2391 <-> FTP APPE overflow attempt (ftp.rules)
2392 <-> FTP RETR overflow attempt (ftp.rules)
2416 <-> FTP invalid MDTM command attempt (ftp.rules)
2449 <-> FTP ALLO overflow attempt (ftp.rules)
2546 <-> FTP MDTM overflow attempt (ftp.rules)
3523 <-> FTP SITE INDEX format string attempt (ftp.rules)
3527 <-> EXPLOIT Solaris LPD overflow attempt (exploit.rules)
3532 <-> FTP ORACLE password buffer overflow attempt (ftp.rules)
3630 <-> FTP ORACLE TEST command buffer overflow attempt (ftp.rules)
3631 <-> FTP ORACLE user name buffer overflow attempt (ftp.rules)
4637 <-> EXPLOIT MailEnable HTTPMail buffer overflow attempt (exploit.rules)
7024 <-> WEB-CLIENT excel style handling overflow attempt (web-client.rules)
8470 <-> BACKDOOR superspy 2.0 beta runtime detection - get system info (backdoor.rules)
8471 <-> BACKDOOR superspy 2.0 beta runtime detection - get system info (backdoor.rules)
8472 <-> BACKDOOR superspy 2.0 beta runtime detection - screen capture (backdoor.rules)
8473 <-> BACKDOOR superspy 2.0 beta runtime detection - screen capture (backdoor.rules)
8474 <-> BACKDOOR superspy 2.0 beta runtime detection - processes/active windows manage (backdoor.rules)
8475 <-> BACKDOOR superspy 2.0 beta runtime detection - processes/active windows manage (backdoor.rules)
8476 <-> DELETED BACKDOOR superspy 2.0 beta runtime detection - file management (deleted.rules)
8477 <-> DELETED BACKDOOR superspy 2.0 beta runtime detection - file management (deleted.rules)
8479 <-> FTP HELP overflow attempt (ftp.rules)
8480 <-> FTP PORT overflow attempt (ftp.rules)
9792 <-> FTP PASV overflow attempt (ftp.rules)
11686 <-> SPECIFIC-THREATS WebDAV search overflow attempt (specific-threats.rules)
12082 <-> ORACLE Oracle 9i TNS denial of service attempt (oracle.rules)
12151 <-> BACKDOOR cafeini 1.0 runtime detection (backdoor.rules)
12214 <-> DELETED IMAP Ipswitch IMail subscribe command buffer overflow attempt (deleted.rules)
12215 <-> DELETED IMAP Ipswitch IMail subscribe command buffer overflow attempt (deleted.rules)
12421 <-> EXPLOIT RealNetworks Helix RTSP long transport header (exploit.rules)
12780 <-> WEB-CLIENT Aurigma Image Uploader 4 Vulnerable Methods ActiveX clsid access (web-client.rules)
12781 <-> WEB-CLIENT Aurigma Image Uploader 4 Vulnerable Methods ActiveX clsid unicode access (web-client.rules)
12782 <-> WEB-CLIENT Aurigma Image Uploader 4 Vulnerable Methods ActiveX function call access (web-client.rules)
12783 <-> WEB-CLIENT Aurigma Image Uploader 4 Vulnerable Methods ActiveX function call unicode access (web-client.rules)
13434 <-> WEB-CLIENT Aurigma Image Uploader 4 Property Overflows ActiveX clsid access (web-client.rules)
13435 <-> WEB-CLIENT Aurigma Image Uploader 4 Property Overflows ActiveX clsid unicode access (web-client.rules)
13436 <-> WEB-CLIENT Aurigma Image Uploader 4 Property Overflows ActiveX function call access (web-client.rules)
13437 <-> WEB-CLIENT Aurigma Image Uploader 4 Property Overflows ActiveX function call unicode access (web-client.rules)
13438 <-> WEB-CLIENT Aurigma Image Uploader 5 Vulnerable Methods ActiveX clsid access (web-client.rules)
13439 <-> WEB-CLIENT Aurigma Image Uploader 5 Vulnerable Methods ActiveX clsid unicode access (web-client.rules)
13440 <-> WEB-CLIENT Aurigma Image Uploader 5 Vulnerable Methods ActiveX function call access (web-client.rules)
13441 <-> WEB-CLIENT Aurigma Image Uploader 5 Vulnerable Methods ActiveX function call unicode access (web-client.rules)
13442 <-> WEB-CLIENT Aurigma Image Uploader 5 Property Overflows ActiveX clsid access (web-client.rules)
13443 <-> WEB-CLIENT Aurigma Image Uploader 5 Property Overflows ActiveX clsid unicode access (web-client.rules)
13444 <-> WEB-CLIENT Aurigma Image Uploader 5 Property Overflows ActiveX function call access (web-client.rules)
13445 <-> WEB-CLIENT Aurigma Image Uploader 5 Property Overflows ActiveX function call unicode access (web-client.rules)
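An update like this one is easiest to act on once it is parsed rather than read: which rule files changed, and which SIDs were retired into deleted.rules (a local threshold.conf, suppression list or sid-msg.map that still references them is stale). The parser below is an added example written for this page, not a Sourcefire or Snort tool; it reads the "sid <-> Message (rule group)" entry format described above, including the run-together layout the list often arrives in, and the SAMPLE_UPDATE excerpt is constructed from a handful of the entries above. The stale_local_sids helper and its local_sids input are illustrative assumptions about how a site tracks its enabled rules.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the update's own format (a few entries copied from the
# 2008-02-26 list); the entries may be one per line or run together on one line.
SAMPLE_UPDATE = """\
Sourcefire VRT Rules Update
Date: 2008-02-26
New rules: 13512 <-> SQL generic sql exec injection attempt (sql.rules)
13516 <-> WEB-CLIENT Quicktime HTTP error response buffer overflow (web-client.rules) 13518 <-> DELETED WEB-CLIENT Internet Explorer malformed CSS memory corruption attempt (deleted.rules)
Updated rules:
337 <-> FTP CEL overflow attempt (ftp.rules)
8476 <-> DELETED BACKDOOR superspy 2.0 beta runtime detection - file management (deleted.rules)
12780 <-> WEB-CLIENT Aurigma Image Uploader 4 Vulnerable Methods ActiveX clsid access (web-client.rules)
"""

# sid, then the message (non-greedy, so it stops at the trailing rule-file group),
# then "(something.rules)". Anchoring on ".rules)" keeps a message's own text from
# being mistaken for the group.
ENTRY_RE = re.compile(r"(\d+)\s*<->\s*(.+?)\s*\(([\w.-]+\.rules)\)")
SECTION_RE = re.compile(r"(New|Updated) rules:")


@dataclass(frozen=True)
class RuleChange:
    sid: int
    section: str   # "new" or "updated"
    msg: str
    group: str     # rule file the SID now lives in, e.g. "ftp.rules"
    deleted: bool  # retired: filed under deleted.rules / message prefixed DELETED


def parse_update(text):
    """Parse a VRT update changelog into RuleChange records.

    Section membership is decided by the last 'New rules:' / 'Updated rules:'
    marker that precedes the entry, so flattened one-line lists parse the same
    as one-entry-per-line lists.
    """
    markers = [(m.start(), m.group(1).lower()) for m in SECTION_RE.finditer(text)]
    changes = []
    for m in ENTRY_RE.finditer(text):
        section = None
        for pos, name in markers:
            if pos < m.start():
                section = name
        if section is None:
            continue  # text before the first section header carries no entries
        sid, msg, group = int(m.group(1)), m.group(2).strip(), m.group(3)
        deleted = group == "deleted.rules" or msg.startswith("DELETED ")
        changes.append(RuleChange(sid, section, msg, group, deleted))
    return changes


def count_by_group(changes):
    """How many SIDs each rule file touched; tells you which files to re-review."""
    return Counter(c.group for c in changes)


def retired_sids(changes):
    """SIDs this update moved into deleted.rules."""
    return sorted(c.sid for c in changes if c.deleted)


def stale_local_sids(changes, local_sids):
    """Assumed site inventory: given the SIDs a sensor has enabled or tuned
    (thresholds, suppressions), return those the update retired."""
    return sorted(set(local_sids) & set(retired_sids(changes)))


if __name__ == "__main__":
    parsed = parse_update(SAMPLE_UPDATE)
    for c in parsed:
        print(f"{c.section:8} {c.sid:6} {c.group:18} {'RETIRED' if c.deleted else ''}")
    print(dict(count_by_group(parsed)))
    print("stale locally:", stale_local_sids(parsed, [337, 8476, 99999]))
```

Because the parser keys on the "<->" separator and the trailing ".rules)" group, it is indifferent to whether the list arrives one entry per line or run together, which is the state the list above was in before reflowing.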
