Sourcefire VRT Rules Update

Date: 2008-08-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.

The format of the file is:

sid - Message (rule group)

New rules:
13987 <-> SQL oversized convert statement - possible sql injection obfuscation (sql.rules)
13988 <-> SQL large number of calls to ascii function - possible sql injection obfuscation (sql.rules)
13989 <-> SQL large number of calls to char function - possible sql injection obfuscation (sql.rules)
13990 <-> SQL union select - possible sql injection attempt (sql.rules)
13991 <-> SQL xp_regaddmultistring attempt (sql.rules)
13992 <-> SQL xp_regdeletevalue attempt (sql.rules)
13993 <-> SQL xp_regenumkeys attempt (sql.rules)
13994 <-> SQL xp_regenumvalues attempt (sql.rules)
13995 <-> SQL xp_regremovemultistring attempt (sql.rules)
13996 <-> SQL xp_servicecontrol attempt (sql.rules)
13997 <-> SQL xp_loginconfig attempt (sql.rules)
13998 <-> SQL xp_terminate_process attempt (sql.rules)
14008 <-> SQL large number of calls to concat function - possible sql injection obfuscation (sql.rules)
14013 <-> WEB-CLIENT WebEx Meeting Manager atucfobj ActiveX clsid access (web-client.rules)
14014 <-> WEB-CLIENT WebEx Meeting Manager atucfobj ActiveX clsid unicode access (web-client.rules)
14015 <-> WEB-CLIENT WebEx Meeting Manager atucfobj ActiveX function call access (web-client.rules)
14016 <-> WEB-CLIENT WebEx Meeting Manager atucfobj ActiveX function call unicode access (web-client.rules)
14017 <-> WEB-CLIENT MPEG Layer 3 playlist file download (web-client.rules)
14018 <-> WEB-CLIENT PLS multimedia playlist file download (web-client.rules)
14019 <-> WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt (web-client.rules)
14020 <-> WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt (web-client.rules)
14021 <-> WEB-CLIENT Microsoft Visual Studio Msmask32 ActiveX clsid access (web-client.rules)
14022 <-> WEB-CLIENT Microsoft Visual Studio Msmask32 ActiveX clsid unicode access (web-client.rules)
14023 <-> WEB-CLIENT Microsoft Visual Studio Msmask32 ActiveX function call access (web-client.rules)
14024 <-> WEB-CLIENT Microsoft Visual Studio Msmask32 ActiveX function call unicode access (web-client.rules)
14025 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX clsid access (web-client.rules)
14026 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX clsid unicode access (web-client.rules)
14027 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX function call access (web-client.rules)
14028 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX function call unicode access (web-client.rules)
14029 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX clsid access (web-client.rules)
14030 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX clsid unicode access (web-client.rules)
14031 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX function call access (web-client.rules)
14032 <-> WEB-CLIENT Computer Associates gui_cm_ctrls ActiveX function call unicode access (web-client.rules)
14033 <-> WEB-CLIENT Orbit Downloader ActiveX clsid access (web-client.rules)
14034 <-> WEB-CLIENT Orbit Downloader ActiveX clsid unicode access (web-client.rules)
14035 <-> WEB-CLIENT Orbit Downloader ActiveX function call access (web-client.rules)
14036 <-> WEB-CLIENT Orbit Downloader ActiveX function call unicode access (web-client.rules)
14037 <-> WEB-CLIENT Novell iPrint ActiveX operation or printer-url parameter overflow attempt (web-client.rules)
14038 <-> WEB-CLIENT Novell iPrint ActiveX target-frame parameter overflow attempt (web-client.rules)

Updated rules:
1057 <-> SQL ftp attempt (sql.rules)
1058 <-> SQL xp_enumdsn attempt (sql.rules)
1059 <-> SQL xp_filelist attempt (sql.rules)
1060 <-> SQL xp_availablemedia attempt (sql.rules)
1061 <-> SQL xp_cmdshell attempt (sql.rules)
1069 <-> SQL xp_regread attempt (sql.rules)
1077 <-> SQL queryhit.htm access (sql.rules)
1078 <-> SQL counter.exe access (sql.rules)
1524 <-> WEB-MISC Axis Storpoint CD attempt (web-misc.rules)
1631 <-> CHAT AIM login (chat.rules)
1633 <-> CHAT AIM receive message (chat.rules)
5740 <-> WEB-CLIENT Microsoft HTML help workshop file .hhp download attempt (web-client.rules)