Sourcefire VRT Rules Update

Date: 2008-03-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.

The format of the file is:

sid <-> Message (rule group)

Updated rules:
 569 <-> RPC snmpXdmi overflow attempt TCP (rpc.rules)
 588 <-> RPC portmap ttdbserv request UDP (rpc.rules)
 593 <-> RPC portmap snmpXdmi request TCP (rpc.rules)
 709 <-> TELNET 4Dgifts SGI account attempt (telnet.rules)
 710 <-> TELNET EZsetup account attempt (telnet.rules)
 711 <-> TELNET SGI telnetd format bug (telnet.rules)
 803 <-> WEB-CGI HyperSeek hsx.cgi directory traversal attempt (web-cgi.rules)
 817 <-> WEB-CGI dcboard.cgi invalid user addition attempt (web-cgi.rules)
 829 <-> WEB-CGI nph-test-cgi access (web-cgi.rules)
 833 <-> WEB-CGI rguest.exe access (web-cgi.rules)
 852 <-> WEB-CGI wguest.exe access (web-cgi.rules)
 904 <-> WEB-COLDFUSION exampleapp application.cfm (web-coldfusion.rules)
 905 <-> WEB-COLDFUSION application.cfm access (web-coldfusion.rules)
 906 <-> WEB-COLDFUSION getfile.cfm access (web-coldfusion.rules)
 973 <-> WEB-IIS *.idc attempt (web-iis.rules)
 975 <-> WEB-IIS Alternate Data streams ASP file access attempt (web-iis.rules)
 984 <-> WEB-IIS JET VBA access (web-iis.rules)
 985 <-> WEB-IIS JET VBA access (web-iis.rules)
 995 <-> WEB-IIS ism.dll access (web-iis.rules)
1001 <-> WEB-MISC carbo.dll access (web-misc.rules)
1005 <-> WEB-IIS codebrowser SDK access (web-iis.rules)
1017 <-> WEB-IIS idc-srch attempt (web-iis.rules)
1019 <-> WEB-IIS Malformed Hit-Highlighting Argument File Access Attempt (web-iis.rules)
1020 <-> WEB-IIS isc$data attempt (web-iis.rules)
1180 <-> WEB-MISC get32.exe access (web-misc.rules)
1248 <-> WEB-FRONTPAGE rad fp30reg.dll access (web-frontpage.rules)
1249 <-> WEB-FRONTPAGE frontpage rad fp4areg.dll access (web-frontpage.rules)
1252 <-> TELNET bsd telnet exploit response (telnet.rules)
1253 <-> TELNET bsd exploit client finishing (telnet.rules)
1423 <-> WEB-PHP content-disposition memchr overflow (web-php.rules)
1618 <-> WEB-IIS .asp chunked Transfer-Encoding (web-iis.rules)
1762 <-> WEB-CGI phf arbitrary command execution attempt (web-cgi.rules)
1763 <-> WEB-CGI Nortel Contivity cgiproc DOS attempt (web-cgi.rules)
1764 <-> WEB-CGI Nortel Contivity cgiproc DOS attempt (web-cgi.rules)
1765 <-> WEB-CGI Nortel Contivity cgiproc access (web-cgi.rules)
1806 <-> WEB-IIS .htr chunked Transfer-Encoding (web-iis.rules)
1808 <-> WEB-MISC apache chunked encoding memory corruption exploit attempt (web-misc.rules)
1957 <-> RPC sadmind UDP PING (rpc.rules)
2090 <-> WEB-IIS WEBDAV exploit attempt (web-iis.rules)
2091 <-> WEB-IIS WEBDAV nessus safe scan attempt (web-iis.rules)
2222 <-> WEB-CGI nph-exploitscanget.cgi access (web-cgi.rules)
2226 <-> WEB-PHP pmachine remote file include attempt (web-php.rules)
2253 <-> SMTP XEXCH50 overflow attempt (smtp.rules)
2331 <-> WEB-PHP MatrikzGB privilege escalation attempt (web-php.rules)
2386 <-> WEB-IIS NTLM ASN1 vulnerability scan attempt (web-iis.rules)
2394 <-> WEB-MISC Compaq web-based management agent denial of service attempt (web-misc.rules)
2406 <-> TELNET APC SmartSlot default admin account attempt (telnet.rules)
2430 <-> NNTP newgroup overflow attempt (nntp.rules)
2431 <-> NNTP rmgroup overflow attempt (nntp.rules)
2437 <-> WEB-CLIENT RealPlayer arbitrary javascript command attempt (web-client.rules)
2438 <-> WEB-CLIENT RealPlayer playlist file URL overflow attempt (web-client.rules)
2439 <-> WEB-CLIENT RealPlayer playlist http URL overflow attempt (web-client.rules)
2440 <-> WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt (web-client.rules)
2502 <-> POP3 SSLv3 invalid data version attempt (pop3.rules)
2504 <-> SMTP SSLv3 invalid data version attempt (smtp.rules)
2582 <-> WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt (web-misc.rules)
2588 <-> WEB-PHP TUTOS path disclosure attempt (web-php.rules)
2597 <-> WEB-MISC Samba SWAT Authorization overflow attempt (web-misc.rules)
2598 <-> WEB-MISC Samba SWAT Authorization port 901 overflow attempt (web-misc.rules)
2663 <-> WEB-CGI WhatsUpGold instancename overflow attempt (web-cgi.rules)
3147 <-> TELNET login buffer overflow attempt (telnet.rules)
3156 <-> NETBIOS DCERPC DIRECT msqueue alter context attempt (netbios.rules)
3157 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue little endian bind attempt (netbios.rules)
3160 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue alter context attempt (netbios.rules)
3161 <-> NETBIOS DCERPC DIRECT msqueue little endian alter context attempt (netbios.rules)
3162 <-> NETBIOS DCERPC DIRECT msqueue little endian bind attempt (netbios.rules)
3163 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue little endian alter context attempt (netbios.rules)
3164 <-> NETBIOS DCERPC DIRECT msqueue bind attempt (netbios.rules)
3165 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue bind attempt (netbios.rules)
3166 <-> NETBIOS DCERPC NCACN-IP-TCP v4 msqueue function 4 overflow attempt (netbios.rules)
3167 <-> NETBIOS DCERPC DIRECT msqueue function 4 object call overflow attempt (netbios.rules)
3168 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue function 4 little endian overflow attempt (netbios.rules)
3169 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue function 4 overflow attempt (netbios.rules)
3170 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue function 4 little endian object call overflow attempt (netbios.rules)
3171 <-> NETBIOS DCERPC DIRECT v4 msqueue function 4 overflow attempt (netbios.rules)
3172 <-> NETBIOS DCERPC DIRECT msqueue function 4 little endian object call overflow attempt (netbios.rules)
3173 <-> NETBIOS DCERPC DIRECT v4 msqueue function 4 little endian overflow attempt (netbios.rules)
3174 <-> NETBIOS DCERPC DIRECT msqueue function 4 overflow attempt (netbios.rules)
3175 <-> NETBIOS DCERPC DIRECT msqueue function 4 little endian overflow attempt (netbios.rules)
3274 <-> TELNET login buffer non-evasive overflow attempt (telnet.rules)
3470 <-> WEB-CLIENT RealPlayer VIDORV30 header length buffer overflow (web-client.rules)
3473 <-> WEB-CLIENT RealPlayer SMIL file overflow attempt (web-client.rules)
3553 <-> WEB-CLIENT HTML DOM null element insertion attempt (web-client.rules)
3638 <-> WEB-CGI SoftCart.exe CGI buffer overflow attempt (web-cgi.rules)
3686 <-> WEB-CLIENT Internet Explorer Content Advisor attempted overflow (web-client.rules)
3816 <-> WEB-MISC BadBlue ext.dll buffer overflow attempt (web-misc.rules)
4145 <-> WEB-CLIENT Windows Trouble Shooter ActiveX Object Access (web-client.rules)
4167 <-> WEB-CLIENT MSN Heartbeat ActiveX clsid access (web-client.rules)
6403 <-> WEB-PHP horde help module arbitrary command execution attempt (web-php.rules)
6409 <-> WEB-FRONTPAGE frontpage server extension long host string overflow attempt (web-frontpage.rules)
6410 <-> WEB-FRONTPAGE frontpage server extension long host string overflow attempt (web-frontpage.rules)
6411 <-> WEB-FRONTPAGE frontpage server extension long host string overflow attempt (web-frontpage.rules)
7978 <-> WEB-CLIENT ShockwaveFlash.ShockwaveFlash ActiveX clsid access (web-client.rules)
7979 <-> WEB-CLIENT ShockwaveFlash.ShockwaveFlash ActiveX clsid unicode access (web-client.rules)
7980 <-> WEB-CLIENT ShockwaveFlash.ShockwaveFlash.9 ActiveX function call access (web-client.rules)
8064 <-> WEB-CLIENT Scriptlet.Typelib ActiveX CLSID access (web-client.rules)
8065 <-> WEB-CLIENT Scriptlet.Typelib ActiveX CLSID unicode access (web-client.rules)
8066 <-> WEB-CLIENT Windows Scripting Host Shell ActiveX CLSID access (web-client.rules)
8067 <-> WEB-CLIENT Windows Scripting Host Shell ActiveX CLSID unicode access (web-client.rules)
8069 <-> WEB-CLIENT Microsoft Virtual Machine ActiveX CLSID access (web-client.rules)
8091 <-> WEB-CLIENT RealPlayer Realpix file format string overflow attempt (web-client.rules)
8381 <-> WEB-CLIENT RealPlayer SMIL Download Handler ActiveX CLSID access (web-client.rules)
8382 <-> WEB-CLIENT RealPlayer SMIL Download Handler ActiveX CLSID unicode access (web-client.rules)
8383 <-> WEB-CLIENT RealPlayer RAM Download Handler ActiveX CLSID access (web-client.rules)
8384 <-> WEB-CLIENT RealPlayer RAM Download Handler ActiveX CLSID unicode access (web-client.rules)
8385 <-> WEB-CLIENT RealPlayer Playback Handler ActiveX CLSID access (web-client.rules)
8386 <-> WEB-CLIENT RealPlayer Playback Handler ActiveX CLSID unicode access (web-client.rules)
8387 <-> WEB-CLIENT RealPlayer RNX Download Handler ActiveX CLSID access (web-client.rules)
8388 <-> WEB-CLIENT RealPlayer RNX Download Handler ActiveX CLSID unicode access (web-client.rules)
8389 <-> WEB-CLIENT RealPlayer RMP Download Handler ActiveX CLSID access (web-client.rules)
8485 <-> WEB-COLDFUSION CFNEWINTERNALADMINSECURITY access (web-coldfusion.rules)
8486 <-> WEB-COLDFUSION CFNEWINTERNALREGISTRY access (web-coldfusion.rules)
8487 <-> WEB-COLDFUSION CFADMIN_REGISTRY_SET access (web-coldfusion.rules)
8488 <-> WEB-COLDFUSION CFADMIN_REGISTRY_GET access (web-coldfusion.rules)
8489 <-> WEB-COLDFUSION CFADMIN_REGISTRY_DELETE access (web-coldfusion.rules)
8490 <-> WEB-COLDFUSION viewexample.cfm access (web-coldfusion.rules)
8491 <-> WEB-COLDFUSION eval.cfm access (web-coldfusion.rules)
8492 <-> WEB-COLDFUSION openfile.cfm access (web-coldfusion.rules)
8493 <-> WEB-COLDFUSION sourcewindow.cfm access (web-coldfusion.rules)
8497 <-> MS-SQL sp_oacreate vulnerable function attempt (sql.rules)
8498 <-> MS-SQL/SMB sp_oacreate unicode vulnerable function attempt (sql.rules)
8499 <-> MS-SQL xp_displayparamstmt unicode vulnerable function attempt (sql.rules)
8510 <-> MS-SQL xp_oagetproperty vulnerable function attempt (sql.rules)
8511 <-> MS-SQL xp_oamethod unicode vulnerable function attempt (sql.rules)
8512 <-> MS-SQL xp_oamethod vulnerable function attempt (sql.rules)
8513 <-> MS-SQL/SMB xp_oamethod unicode vulnerable function attempt (sql.rules)
8514 <-> MS-SQL xp_oasetproperty unicode vulnerable function attempt (sql.rules)
8515 <-> MS-SQL/SMB xp_oasetproperty unicode vulnerable function attempt (sql.rules)
8516 <-> MS-SQL xp_oasetproperty vulnerable function attempt (sql.rules)
8517 <-> MS-SQL xp_peekqueue unicode vulnerable function attempt (sql.rules)
8518 <-> MS-SQL/SMB xp_peekqueue unicode vulnerable function attempt (sql.rules)
8519 <-> MS-SQL xp_peekqueue vulnerable function attempt (sql.rules)
8520 <-> MS-SQL xp_printstatements unicode vulnerable function attempt (sql.rules)
8521 <-> MS-SQL/SMB xp_printstatements unicode vulnerable function attempt (sql.rules)
8522 <-> MS-SQL xp_printstatements vulnerable function attempt (sql.rules)
8523 <-> MS-SQL xp_proxiedmetadata unicode vulnerable function attempt (sql.rules)
8524 <-> MS-SQL/SMB xp_proxiedmetadata unicode vulnerable function attempt (sql.rules)
8525 <-> MS-SQL xp_proxiedmetadata vulnerable function attempt (sql.rules)
8526 <-> MS-SQL xp_SetSQLSecurity unicode vulnerable function attempt (sql.rules)
8527 <-> MS-SQL/SMB xp_SetSQLSecurity unicode vulnerable function attempt (sql.rules)
8528 <-> MS-SQL xp_SetSQLSecurity vulnerable function attempt (sql.rules)
8529 <-> MS-SQL xp_showcolv unicode vulnerable function attempt (sql.rules)
8530 <-> MS-SQL/SMB xp_showcolv unicode vulnerable function attempt (sql.rules)
8531 <-> MS-SQL xp_showcolv vulnerable function attempt (sql.rules)
8532 <-> MS-SQL xp_sqlagent_monitor unicode vulnerable function attempt (sql.rules)
8533 <-> MS-SQL xp_sqlagent_monitor vulnerable function attempt (sql.rules)
8534 <-> MS-SQL/SMB xp_sqlagent_monitor unicode vulnerable function attempt (sql.rules)
8535 <-> MS-SQL xp_sqlinventory unicode vulnerable function attempt (sql.rules)
8536 <-> MS-SQL xp_sqlinventory vulnerable function attempt (sql.rules)
8537 <-> MS-SQL/SMB xp_sqlinventory unicode vulnerable function attempt (sql.rules)
8538 <-> MS-SQL xp_updatecolvbm unicode vulnerable function attempt (sql.rules)
8539 <-> MS-SQL/SMB xp_updatecolvbm unicode vulnerable function attempt (sql.rules)
9599 <-> NETBIOS DCERPC NCADG-IP-UDP v4 ISystemActivator RemoteCreateInstance attempt (netbios.rules)
9600 <-> NETBIOS DCERPC NCADG-IP-UDP v4 ISystemActivator RemoteCreateInstance little endian attempt (netbios.rules)
9617 <-> NETBIOS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance object call attempt (netbios.rules)
9618 <-> NETBIOS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance little endian object call attempt (netbios.rules)
9737 <-> NETBIOS DCERPC NCADG-IP-UDP v4 ISystemActivator CoGetInstanceFromFile attempt (netbios.rules)
9744 <-> NETBIOS DCERPC NCADG-IP-UDP v4 ISystemActivator CoGetInstanceFromFile little endian attempt (netbios.rules)
9745 <-> NETBIOS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (netbios.rules)
9750 <-> NETBIOS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile little endian attempt (netbios.rules)
9754 <-> NETBIOS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile object call attempt (netbios.rules)
9758 <-> NETBIOS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile little endian object call attempt (netbios.rules)
9760 <-> NETBIOS DCERPC DIRECT-UDP msqueue little endian bind attempt (netbios.rules)
9761 <-> NETBIOS DCERPC DIRECT-UDP msqueue little endian alter context attempt (netbios.rules)
9763 <-> NETBIOS DCERPC DIRECT-UDP msqueue alter context attempt (netbios.rules)
9764 <-> NETBIOS DCERPC DIRECT-UDP v4 msqueue function 4 little endian overflow attempt (netbios.rules)
9765 <-> NETBIOS DCERPC DIRECT-UDP msqueue function 4 little endian overflow attempt (netbios.rules)
9766 <-> NETBIOS DCERPC DIRECT-UDP msqueue function 4 overflow attempt (netbios.rules)
9767 <-> NETBIOS DCERPC DIRECT-UDP msqueue function 4 object call overflow attempt (netbios.rules)
9768 <-> NETBIOS DCERPC NCACN-IP-TCP v4 msqueue function 4 little endian overflow attempt (netbios.rules)
9769 <-> NETBIOS DCERPC DIRECT-UDP v4 msqueue function 4 overflow attempt (netbios.rules)
9770 <-> NETBIOS DCERPC NCACN-IP-TCP msqueue function 4 object call overflow attempt (netbios.rules)
9771 <-> NETBIOS DCERPC DIRECT-UDP msqueue function 4 little endian object call overflow attempt (netbios.rules)
9801 <-> WEB-CLIENT Windows Media Player or Explorer Malformed RIFF File denial of service attempt (web-client.rules)
9850 <-> NETBIOS SMB tapisrv little endian alter context attempt (netbios.rules)
9851 <-> NETBIOS SMB tapisrv WriteAndX little endian alter context attempt (netbios.rules)
9852 <-> NETBIOS SMB tapisrv unicode little endian alter context attempt (netbios.rules)
9853 <-> NETBIOS SMB tapisrv WriteAndX unicode little endian alter context attempt (netbios.rules)
9858 <-> NETBIOS SMB tapisrv bind attempt (netbios.rules)
9859 <-> NETBIOS SMB tapisrv unicode bind attempt (netbios.rules)
9860 <-> NETBIOS SMB tapisrv WriteAndX bind attempt (netbios.rules)
9861 <-> NETBIOS SMB tapisrv WriteAndX unicode bind attempt (netbios.rules)
9862 <-> NETBIOS SMB tapisrv alter context attempt (netbios.rules)
9863 <-> NETBIOS SMB tapisrv unicode alter context attempt (netbios.rules)
9864 <-> NETBIOS SMB tapisrv WriteAndX alter context attempt (netbios.rules)
9865 <-> NETBIOS SMB tapisrv WriteAndX unicode alter context attempt (netbios.rules)
9874 <-> NETBIOS SMB tapisrv little endian bind attempt (netbios.rules)
9875 <-> NETBIOS SMB tapisrv WriteAndX little endian bind attempt (netbios.rules)
9876 <-> NETBIOS SMB tapisrv unicode little endian bind attempt (netbios.rules)
9877 <-> NETBIOS SMB tapisrv WriteAndX unicode little endian bind attempt (netbios.rules)
9882 <-> NETBIOS SMB tapisrv little endian andx alter context attempt (netbios.rules)
9883 <-> NETBIOS SMB tapisrv WriteAndX little endian andx alter context attempt (netbios.rules)
9884 <-> NETBIOS SMB tapisrv unicode little endian andx alter context attempt (netbios.rules)
9885 <-> NETBIOS SMB tapisrv WriteAndX unicode little endian andx alter context attempt (netbios.rules)
9890 <-> NETBIOS SMB tapisrv andx bind attempt (netbios.rules)
9891 <-> NETBIOS SMB tapisrv unicode andx bind attempt (netbios.rules)
9892 <-> NETBIOS SMB tapisrv WriteAndX andx bind attempt (netbios.rules)
9893 <-> NETBIOS SMB tapisrv WriteAndX unicode andx bind attempt (netbios.rules)
9894 <-> NETBIOS SMB tapisrv andx alter context attempt (netbios.rules)
9895 <-> NETBIOS SMB tapisrv unicode andx alter context attempt (netbios.rules)
9896 <-> NETBIOS SMB tapisrv WriteAndX andx alter context attempt (netbios.rules)
9897 <-> NETBIOS SMB tapisrv WriteAndX unicode andx alter context attempt (netbios.rules)
9906 <-> NETBIOS SMB tapisrv little endian andx bind attempt (netbios.rules)
9907 <-> NETBIOS SMB tapisrv WriteAndX little endian andx bind attempt (netbios.rules)
9908 <-> NETBIOS SMB tapisrv unicode little endian andx bind attempt (netbios.rules)
9909 <-> NETBIOS SMB tapisrv WriteAndX unicode little endian andx bind attempt (netbios.rules)