Sourcefire VRT Rules Update
Date: 2008-03-06
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.
The format of the file is:
sid - Message (rule group)
Updated rules:
569 <-> RPC snmpXdmi overflow attempt TCP (rpc.rules)
588 <-> RPC portmap ttdbserv request UDP (rpc.rules)
593 <-> RPC portmap snmpXdmi request TCP (rpc.rules)
709 <-> TELNET 4Dgifts SGI account attempt (telnet.rules)
710 <-> TELNET EZsetup account attempt (telnet.rules)
711 <-> TELNET SGI telnetd format bug (telnet.rules)
803 <-> WEB-CGI HyperSeek hsx.cgi directory traversal attempt (web-cgi.rules)
817 <-> WEB-CGI dcboard.cgi invalid user addition attempt (web-cgi.rules)
829 <-> WEB-CGI nph-test-cgi access (web-cgi.rules)
833 <-> WEB-CGI rguest.exe access (web-cgi.rules)
852 <-> WEB-CGI wguest.exe access (web-cgi.rules)
904 <-> WEB-COLDFUSION exampleapp application.cfm (web-coldfusion.rules)
905 <-> WEB-COLDFUSION application.cfm access (web-coldfusion.rules)
906 <-> WEB-COLDFUSION getfile.cfm access (web-coldfusion.rules)
973 <-> WEB-IIS *.idc attempt (web-iis.rules)
975 <-> WEB-IIS Alternate Data streams ASP file access attempt (web-iis.rules)
984 <-> WEB-IIS JET VBA access (web-iis.rules)
985 <-> WEB-IIS JET VBA access (web-iis.rules)
995 <-> WEB-IIS ism.dll access (web-iis.rules)
1001 <-> WEB-MISC carbo.dll access (web-misc.rules)
1005 <-> WEB-IIS codebrowser SDK access (web-iis.rules)
1017 <-> WEB-IIS idc-srch attempt (web-iis.rules)
1019 <-> WEB-IIS Malformed Hit-Highlighting Argument File Access Attempt (web-iis.rules)
1020 <-> WEB-IIS isc$data attempt (web-iis.rules)
1180 <-> WEB-MISC get32.exe access (web-misc.rules)
1248 <-> WEB-FRONTPAGE rad fp30reg.dll access (web-frontpage.rules)
1249 <-> WEB-FRONTPAGE frontpage rad fp4areg.dll access (web-frontpage.rules)
1252 <-> TELNET bsd telnet exploit response (telnet.rules)
1253 <-> TELNET bsd exploit client finishing (telnet.rules)
1423 <-> WEB-PHP content-disposition memchr overflow (web-php.rules)
1618 <-> WEB-IIS .asp chunked Transfer-Encoding (web-iis.rules)
1762 <-> WEB-CGI phf arbitrary command execution attempt (web-cgi.rules)
1763 <-> WEB-CGI Nortel Contivity cgiproc DOS attempt (web-cgi.rules)
1764 <-> WEB-CGI Nortel Contivity cgiproc DOS attempt (web-cgi.rules)
1765 <-> WEB-CGI Nortel Contivity cgiproc access (web-cgi.rules)
1806 <-> WEB-IIS .htr chunked Transfer-Encoding (web-iis.rules)
1808 <-> WEB-MISC apache chunked encoding memory corruption exploit attempt (web-misc.rules)
1957 <-> RPC sadmind UDP PING (rpc.rules)
2090 <-> WEB-IIS WEBDAV exploit attempt (web-iis.rules)
2091 <-> WEB-IIS WEBDAV nessus safe scan attempt (web-iis.rules)
2222 <-> WEB-CGI nph-exploitscanget.cgi access (web-cgi.rules)
2226 <-> WEB-PHP pmachine remote file include attempt (web-php.rules)
2253 <-> SMTP XEXCH50 overflow attempt (smtp.rules)
2331 <-> WEB-PHP MatrikzGB privilege escalation attempt (web-php.rules)
2386 <-> WEB-IIS NTLM ASN1 vulnerability scan attempt (web-iis.rules)
2394 <-> WEB-MISC Compaq web-based management agent denial of service attempt (web-misc.rules)
2406 <-> TELNET APC SmartSlot default admin account attempt (telnet.rules)
2430 <-> NNTP newgroup overflow attempt (nntp.rules)
2431 <-> NNTP rmgroup overflow attempt (nntp.rules)
2437 <-> WEB-CLIENT RealPlayer arbitrary javascript command attempt (web-client.rules)
2438 <-> WEB-CLIENT RealPlayer playlist file URL overflow attempt (web-client.rules)
2439 <-> WEB-CLIENT RealPlayer playlist http URL overflow attempt (web-client.rules)
2440 <-> WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt (web-client.rules)
2502 <-> POP3 SSLv3 invalid data version attempt (pop3.rules)
2504 <-> SMTP SSLv3 invalid data version attempt (smtp.rules)
2582 <-> WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt (web-misc.rules)
2588 <-> WEB-PHP TUTOS path disclosure attempt (web-php.rules)
2597 <-> WEB-MISC Samba SWAT Authorization overflow attempt (web-misc.rules)
2598 <-> WEB-MISC Samba SWAT Authorization port 901 overflow attempt (web-misc.rules)
2663 <-> WEB-CGI WhatsUpGold instancename overflow attempt (web-cgi.rules)
3147 <-> TELNET login buffer overflow attempt (telnet.rules)
3156 <-> NETBIOS DCERPC DIRECT msqueue alter context attempt (netbios.rules)
3157 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue little endian bind attempt (netbios.rules)
3160 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue alter context attempt (netbios.rules)
3161 <-> NETBIOS DCERPC DIRECT msqueue little endian alter context attempt (netbios.rules)
3162 <-> NETBIOS DCERPC DIRECT msqueue little endian bind attempt (netbios.rules)
3163 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue little endian alter context attempt (netbios.rules)
3164 <-> NETBIOS DCERPC DIRECT msqueue bind attempt (netbios.rules)
3165 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue bind attempt (netbios.rules)
3166 <-> NETBIOS DCERPC NCACN-IP-TCP v4 msqueue function 4 overflow attempt (netbios.rules)
3167 <-> NETBIOS DCERPC DIRECT msqueue function 4 object call overflow attempt (netbios.rules)
3168 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue function 4 little endian overflow attempt (netbios.rules)
3169 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue function 4 overflow attempt (netbios.rules)
3170 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue function 4 little endian object call overflow attempt (netbios.rules)
3171 <-> NETBIOS DCERPC DIRECT v4 msqueue function 4 overflow attempt (netbios.rules)
3172 <-> NETBIOS DCERPC DIRECT msqueue function 4 little endian object call overflow attempt (netbios.rules)
3173 <-> NETBIOS DCERPC DIRECT v4 msqueue function 4 little endian overflow attempt (netbios.rules)
3174 <-> NETBIOS DCERPC DIRECT msqueue function 4 overflow attempt (netbios.rules)
3175 <-> NETBIOS DCERPC DIRECT msqueue function 4 little endian overflow attempt (netbios.rules)
3274 <-> TELNET login buffer non-evasive overflow attempt (telnet.rules)
3470 <-> WEB-CLIENT RealPlayer VIDORV30 header length buffer overflow (web-client.rules)
3473 <-> WEB-CLIENT RealPlayer SMIL file overflow attempt (web-client.rules)
3553 <-> WEB-CLIENT HTML DOM null element insertion attempt (web-client.rules)
3638 <-> WEB-CGI SoftCart.exe CGI buffer overflow attempt (web-cgi.rules)
3686 <-> WEB-CLIENT Internet Explorer Content Advisor attempted overflow (web-client.rules)
3816 <-> WEB-MISC BadBlue ext.dll buffer overflow attempt (web-misc.rules)
4145 <-> WEB-CLIENT Windows Trouble Shooter ActiveX Object Access (web-client.rules)
4167 <-> WEB-CLIENT MSN Heartbeat ActiveX clsid access (web-client.rules)
6403 <-> WEB-PHP horde help module arbitrary command execution attempt (web-php.rules)
6409 <-> WEB-FRONTPAGE frontpage server extension long host string overflow attempt (web-frontpage.rules)
6410 <-> WEB-FRONTPAGE frontpage server extension long host string overflow attempt (web-frontpage.rules)
6411 <-> WEB-FRONTPAGE frontpage server extension long host string overflow attempt (web-frontpage.rules)
7978 <-> WEB-CLIENT ShockwaveFlash.ShockwaveFlash ActiveX clsid access (web-client.rules)
7979 <-> WEB-CLIENT ShockwaveFlash.ShockwaveFlash ActiveX clsid unicode access (web-client.rules)
7980 <-> WEB-CLIENT ShockwaveFlash.ShockwaveFlash.9 ActiveX function call access (web-client.rules)
8064 <-> WEB-CLIENT Scriptlet.Typelib ActiveX CLSID access (web-client.rules)
8065 <-> WEB-CLIENT Scriptlet.Typelib ActiveX CLSID unicode access (web-client.rules)
8066 <-> WEB-CLIENT Windows Scripting Host Shell ActiveX CLSID access (web-client.rules)
8067 <-> WEB-CLIENT Windows Scripting Host Shell ActiveX CLSID unicode access (web-client.rules)
8069 <-> WEB-CLIENT Microsoft Virtual Machine ActiveX CLSID access (web-client.rules)
8091 <-> WEB-CLIENT RealPlayer Realpix file format string overflow attempt (web-client.rules)
8381 <-> WEB-CLIENT RealPlayer SMIL Download Handler ActiveX CLSID access (web-client.rules)
8382 <-> WEB-CLIENT RealPlayer SMIL Download Handler ActiveX CLSID unicode access (web-client.rules)
8383 <-> WEB-CLIENT RealPlayer RAM Download Handler ActiveX CLSID access (web-client.rules)
8384 <-> WEB-CLIENT RealPlayer RAM Download Handler ActiveX CLSID unicode access (web-client.rules)
8385 <-> WEB-CLIENT RealPlayer Playback Handler ActiveX CLSID access (web-client.rules)
8386 <-> WEB-CLIENT RealPlayer Playback Handler ActiveX CLSID unicode access (web-client.rules)
8387 <-> WEB-CLIENT RealPlayer RNX Download Handler ActiveX CLSID access (web-client.rules)
8388 <-> WEB-CLIENT RealPlayer RNX Download Handler ActiveX CLSID unicode access (web-client.rules)
8389 <-> WEB-CLIENT RealPlayer RMP Download Handler ActiveX CLSID access (web-client.rules)
8485 <-> WEB-COLDFUSION CFNEWINTERNALADMINSECURITY access (web-coldfusion.rules)
8486 <-> WEB-COLDFUSION CFNEWINTERNALREGISTRY access (web-coldfusion.rules)
8487 <-> WEB-COLDFUSION CFADMIN_REGISTRY_SET access (web-coldfusion.rules)
8488 <-> WEB-COLDFUSION CFADMIN_REGISTRY_GET access (web-coldfusion.rules)
8489 <-> WEB-COLDFUSION CFADMIN_REGISTRY_DELETE access (web-coldfusion.rules)
8490 <-> WEB-COLDFUSION viewexample.cfm access (web-coldfusion.rules)
8491 <-> WEB-COLDFUSION eval.cfm access (web-coldfusion.rules)
8492 <-> WEB-COLDFUSION openfile.cfm access (web-coldfusion.rules)
8493 <-> WEB-COLDFUSION sourcewindow.cfm access (web-coldfusion.rules)
8497 <-> MS-SQL sp_oacreate vulnerable function attempt (sql.rules)
8498 <-> MS-SQL/SMB sp_oacreate unicode vulnerable function attempt (sql.rules)
8499 <-> MS-SQL xp_displayparamstmt unicode vulnerable function attempt (sql.rules)
8510 <-> MS-SQL xp_oagetproperty vulnerable function attempt (sql.rules)
8511 <-> MS-SQL xp_oamethod unicode vulnerable function attempt (sql.rules)
8512 <-> MS-SQL xp_oamethod vulnerable function attempt (sql.rules)
8513 <-> MS-SQL/SMB xp_oamethod unicode vulnerable function attempt (sql.rules)
8514 <-> MS-SQL xp_oasetproperty unicode vulnerable function attempt (sql.rules)
8515 <-> MS-SQL/SMB xp_oasetproperty unicode vulnerable function attempt (sql.rules)
8516 <-> MS-SQL xp_oasetproperty vulnerable function attempt (sql.rules)
8517 <-> MS-SQL xp_peekqueue unicode vulnerable function attempt (sql.rules)
8518 <-> MS-SQL/SMB xp_peekqueue unicode vulnerable function attempt (sql.rules)
8519 <-> MS-SQL xp_peekqueue vulnerable function attempt (sql.rules)
8520 <-> MS-SQL xp_printstatements unicode vulnerable function attempt (sql.rules)
8521 <-> MS-SQL/SMB xp_printstatements unicode vulnerable function attempt (sql.rules)
8522 <-> MS-SQL xp_printstatements vulnerable function attempt (sql.rules)
8523 <-> MS-SQL xp_proxiedmetadata unicode vulnerable function attempt (sql.rules)
8524 <-> MS-SQL/SMB xp_proxiedmetadata unicode vulnerable function attempt (sql.rules)
8525 <-> MS-SQL xp_proxiedmetadata vulnerable function attempt (sql.rules)
8526 <-> MS-SQL xp_SetSQLSecurity unicode vulnerable function attempt (sql.rules)
8527 <-> MS-SQL/SMB xp_SetSQLSecurity unicode vulnerable function attempt (sql.rules)
8528 <-> MS-SQL xp_SetSQLSecurity vulnerable function attempt (sql.rules)
8529 <-> MS-SQL xp_showcolv unicode vulnerable function attempt (sql.rules)
8530 <-> MS-SQL/SMB xp_showcolv unicode vulnerable function attempt (sql.rules)
8531 <-> MS-SQL xp_showcolv vulnerable function attempt (sql.rules)
8532 <-> MS-SQL xp_sqlagent_monitor unicode vulnerable function attempt (sql.rules)
8533 <-> MS-SQL xp_sqlagent_monitor vulnerable function attempt (sql.rules)
8534 <-> MS-SQL/SMB xp_sqlagent_monitor unicode vulnerable function attempt (sql.rules)
8535 <-> MS-SQL xp_sqlinventory unicode vulnerable function attempt (sql.rules)
8536 <-> MS-SQL xp_sqlinventory vulnerable function attempt (sql.rules)
8537 <-> MS-SQL/SMB xp_sqlinventory unicode vulnerable function attempt (sql.rules)
8538 <-> MS-SQL xp_updatecolvbm unicode vulnerable function attempt (sql.rules)
8539 <-> MS-SQL/SMB xp_updatecolvbm unicode vulnerable function attempt (sql.rules)
9599 <-> NETBIOS DCERPC NCADG-IP-UDP v4 ISystemActivator RemoteCreateInstance attempt (netbios.rules)
9600 <-> NETBIOS DCERPC NCADG-IP-UDP v4 ISystemActivator RemoteCreateInstance little endian attempt (netbios.rules)
9617 <-> NETBIOS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance object call attempt (netbios.rules)
9618 <-> NETBIOS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance little endian object call attempt (netbios.rules)
9737 <-> NETBIOS DCERPC NCADG-IP-UDP v4 ISystemActivator CoGetInstanceFromFile attempt (netbios.rules)
9744 <-> NETBIOS DCERPC NCADG-IP-UDP v4 ISystemActivator CoGetInstanceFromFile little endian attempt (netbios.rules)
9745 <-> NETBIOS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (netbios.rules)
9750 <-> NETBIOS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile little endian attempt (netbios.rules)
9754 <-> NETBIOS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile object call attempt (netbios.rules)
9758 <-> NETBIOS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile little endian object call attempt (netbios.rules)
9760 <-> NETBIOS DCERPC DIRECT-UDP msqueue little endian bind attempt (netbios.rules)
9761 <-> NETBIOS DCERPC DIRECT-UDP msqueue little endian alter context attempt (netbios.rules)
9763 <-> NETBIOS DCERPC DIRECT-UDP msqueue alter context attempt (netbios.rules)
9764 <-> NETBIOS DCERPC DIRECT-UDP v4 msqueue function 4 little endian overflow attempt (netbios.rules)
9765 <-> NETBIOS DCERPC DIRECT-UDP msqueue function 4 little endian overflow attempt (netbios.rules)
9766 <-> NETBIOS DCERPC DIRECT-UDP msqueue function 4 overflow attempt (netbios.rules)
9767 <-> NETBIOS DCERPC DIRECT-UDP msqueue function 4 object call overflow attempt (netbios.rules)
9768 <-> NETBIOS DCERPC NCACN-IP-TCP v4 msqueue function 4 little endian overflow attempt (netbios.rules)
9769 <-> NETBIOS DCERPC DIRECT-UDP v4 msqueue function 4 overflow attempt (netbios.rules)
9770 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue function 4 object call overflow attempt (netbios.rules)
9771 <-> NETBIOS DCERPC DIRECT-UDP msqueue function 4 little endian object call overflow attempt (netbios.rules)
9801 <-> WEB-CLIENT Windows Media Player or Explorer Malformed RIFF File denial of service attempt (web-client.rules)
9850 <-> NETBIOS SMB tapisrv little endian alter context attempt (netbios.rules)
9851 <-> NETBIOS SMB tapisrv WriteAndX little endian alter context attempt (netbios.rules)
9852 <-> NETBIOS SMB tapisrv unicode little endian alter context attempt (netbios.rules)
9853 <-> NETBIOS SMB tapisrv WriteAndX unicode little endian alter context attempt (netbios.rules)
9858 <-> NETBIOS SMB tapisrv bind attempt (netbios.rules)
9859 <-> NETBIOS SMB tapisrv unicode bind attempt (netbios.rules)
9860 <-> NETBIOS SMB tapisrv WriteAndX bind attempt (netbios.rules)
9861 <-> NETBIOS SMB tapisrv WriteAndX unicode bind attempt (netbios.rules)
9862 <-> NETBIOS SMB tapisrv alter context attempt (netbios.rules)
9863 <-> NETBIOS SMB tapisrv unicode alter context attempt (netbios.rules)
9864 <-> NETBIOS SMB tapisrv WriteAndX alter context attempt (netbios.rules)
9865 <-> NETBIOS SMB tapisrv WriteAndX unicode alter context attempt (netbios.rules)
9874 <-> NETBIOS SMB tapisrv little endian bind attempt (netbios.rules)
9875 <-> NETBIOS SMB tapisrv WriteAndX little endian bind attempt (netbios.rules)
9876 <-> NETBIOS SMB tapisrv unicode little endian bind attempt (netbios.rules)
9877 <-> NETBIOS SMB tapisrv WriteAndX unicode little endian bind attempt (netbios.rules)
9882 <-> NETBIOS SMB tapisrv little endian andx alter context attempt (netbios.rules)
9883 <-> NETBIOS SMB tapisrv WriteAndX little endian andx alter context attempt (netbios.rules)
9884 <-> NETBIOS SMB tapisrv unicode little endian andx alter context attempt (netbios.rules)
9885 <-> NETBIOS SMB tapisrv WriteAndX unicode little endian andx alter context attempt (netbios.rules)
9890 <-> NETBIOS SMB tapisrv andx bind attempt (netbios.rules)
9891 <-> NETBIOS SMB tapisrv unicode andx bind attempt (netbios.rules)
9892 <-> NETBIOS SMB tapisrv WriteAndX andx bind attempt (netbios.rules)
9893 <-> NETBIOS SMB tapisrv WriteAndX unicode andx bind attempt (netbios.rules)
9894 <-> NETBIOS SMB tapisrv andx alter context attempt (netbios.rules)
9895 <-> NETBIOS SMB tapisrv unicode andx alter context attempt (netbios.rules)
9896 <-> NETBIOS SMB tapisrv WriteAndX andx alter context attempt (netbios.rules)
9897 <-> NETBIOS SMB tapisrv WriteAndX unicode andx alter context attempt (netbios.rules)
9906 <-> NETBIOS SMB tapisrv little endian andx bind attempt (netbios.rules)
9907 <-> NETBIOS SMB tapisrv WriteAndX little endian andx bind attempt (netbios.rules)
9908 <-> NETBIOS SMB tapisrv unicode little endian andx bind attempt (netbios.rules)
9909 <-> NETBIOS SMB tapisrv WriteAndX unicode little endian andx bind attempt (netbios.rules)
