Sourcefire VRT Rules Update

Date: 2008-09-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.

The format of the file is:

sid <-> Message (rule group)

New rules:
2928 <-> NETBIOS SMB-DS nddeapi little endian alter context attempt (netbios.rules)
3527 <-> EXPLOIT Solaris LPD overflow attempt (exploit.rules)
14603 <-> WEB-CLIENT Data Dynamics ActiveReport ARViewer2 ActiveX clsid access (web-client.rules)
14604 <-> WEB-CLIENT Data Dynamics ActiveReport ARViewer2 ActiveX clsid unicode access (web-client.rules)
14605 <-> WEB-CLIENT Data Dynamics ActiveReport ARViewer2 ActiveX function call access (web-client.rules)
14606 <-> WEB-CLIENT Data Dynamics ActiveReport ARViewer2 ActiveX function call unicode access (web-client.rules)
14608 <-> VOIP-SIP SDP T.38 fax rate management attribute possible buffer overflow (voip.rules)
14609 <-> VOIP-SIP SDP T.38 fax UDP EC attribute possible buffer overflow (voip.rules)
14610 <-> WEB-PHP Joomla invalid token administrative password reset attempt (web-php.rules)
14611 <-> WEB-CLIENT VMWare VMCtl Class ActiveX clsid access (web-client.rules)
14612 <-> WEB-CLIENT VMWare VMCtl Class ActiveX clsid unicode access (web-client.rules)
14613 <-> WEB-CLIENT VMWare VMCtl Class ActiveX function call access (web-client.rules)
14614 <-> WEB-CLIENT VMWare VMCtl Class ActiveX function call unicode access (web-client.rules)

Updated rules:
1087 <-> DELETED WEB-MISC whisker tab splice attack (deleted.rules)
1171 <-> DELETED WEB-MISC whisker HEAD with large datagram (deleted.rules)
2048 <-> DELETED MISC rsyncd overflow attempt (deleted.rules)
2064 <-> DELETED WEB-MISC Lotus Notes .csp script source download attempt (deleted.rules)
2586 <-> DELETED P2P eDonkey transfer (deleted.rules)
2923 <-> NETBIOS SMB repeated logon failure (netbios.rules)
3132 <-> WEB-CLIENT PNG large image width download attempt (web-client.rules)
3133 <-> WEB-CLIENT PNG large image height download attempt (web-client.rules)
3562 <-> DELETED NETBIOS SMB mqqm WriteAndX unicode andx bind attempt (deleted.rules)
3563 <-> DELETED NETBIOS SMB mqqm WriteAndX unicode bind attempt (deleted.rules)
3564 <-> DELETED NETBIOS SMB mqqm WriteAndX unicode little endian andx bind attempt (deleted.rules)
3565 <-> DELETED NETBIOS SMB mqqm WriteAndX unicode little endian bind attempt (deleted.rules)
3566 <-> DELETED NETBIOS SMB mqqm andx bind attempt (deleted.rules)
3567 <-> DELETED NETBIOS SMB mqqm bind attempt (deleted.rules)
3568 <-> DELETED NETBIOS SMB mqqm little endian andx bind attempt (deleted.rules)
3569 <-> DELETED NETBIOS SMB mqqm little endian bind attempt (deleted.rules)
3570 <-> DELETED NETBIOS SMB mqqm unicode andx bind attempt (deleted.rules)
3571 <-> DELETED NETBIOS SMB mqqm unicode bind attempt (deleted.rules)
3572 <-> DELETED NETBIOS SMB mqqm unicode little endian andx bind attempt (deleted.rules)
3573 <-> DELETED NETBIOS SMB mqqm unicode little endian bind attempt (deleted.rules)
5804 <-> DELETED SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar runtime detection - ads (deleted.rules)
5806 <-> DELETED SPYWARE-PUT Hijacker searchmiracle-elitebar runtime detection (deleted.rules)
5931 <-> DELETED SPYWARE-PUT Adware cashbar runtime detection - stats track 1 (deleted.rules)
6000 <-> DELETED P2P Skype client login startup (deleted.rules)
6001 <-> DELETED P2P Skype client login (deleted.rules)
7043 <-> DELETED NETBIOS SMB-DS Trans andx mailslot heap overflow attempt (deleted.rules)
7044 <-> DELETED NETBIOS SMB-DS Trans unicode andx mailslot heap overflow attempt (deleted.rules)
7045 <-> DELETED NETBIOS-DG SMB Trans andx mailslot heap overflow attempt (deleted.rules)
7046 <-> DELETED NETBIOS-DG SMB Trans unicode andx mailslot heap overflow attempt (deleted.rules)
7725 <-> DELETED BACKDOOR reversable ver1.0 runtime detection - initial connection (deleted.rules)
7960 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
7961 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access (deleted.rules)
7962 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
7963 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access (deleted.rules)
7964 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
7965 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access (deleted.rules)
7966 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
7967 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access (deleted.rules)
7968 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
7969 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access (deleted.rules)
7972 <-> DELETED WEB-CLIENT RealPlayer G2 Control ActiveX CLSID access (deleted.rules)
7973 <-> DELETED WEB-CLIENT RealPlayer G2 Control ActiveX CLSID unicode access (deleted.rules)
8061 <-> DELETED WEB-CLIENT ADODB.Stream ActiveX CLSID access (deleted.rules)
8476 <-> DELETED BACKDOOR superspy 2.0 beta runtime detection - file management (deleted.rules)
8477 <-> DELETED BACKDOOR superspy 2.0 beta runtime detection - file management (deleted.rules)
8738 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX clsid access (web-client.rules)
8739 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX clsid unicode access (web-client.rules)
8740 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX function call access (web-client.rules)
9790 <-> EXPLOIT HP-UX lpd command execution attempt (exploit.rules)
10106 <-> DELETED BACKDOOR icmp cmd 1.0 runtime detection - download file (deleted.rules)
11315 <-> DELETED BACKDOOR ykw v375 runtime detection (deleted.rules)
12703 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX function call unicode access (web-client.rules)
12906 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 little endian alter context attempt (netbios.rules)
12907 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 alter context attempt (netbios.rules)
12908 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 little endian bind attempt (netbios.rules)
12909 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 bind attempt (netbios.rules)
12910 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 4 attempt (netbios.rules)
12911 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 attempt (netbios.rules)
12912 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 4 little endian attempt (netbios.rules)
12913 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 little endian attempt (netbios.rules)
12914 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 object call attempt (netbios.rules)
12915 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 little endian object call attempt (netbios.rules)
12916 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 12 little endian attempt (netbios.rules)
12917 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 12 attempt (netbios.rules)
12918 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 little endian attempt (netbios.rules)
12919 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 attempt (netbios.rules)
12920 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 little endian object call attempt (netbios.rules)
12921 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 object call attempt (netbios.rules)
12922 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 16 little endian attempt (netbios.rules)
12923 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 little endian attempt (netbios.rules)
12924 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 16 attempt (netbios.rules)
12925 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 attempt (netbios.rules)
12926 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 little endian object call attempt (netbios.rules)
12927 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 object call attempt (netbios.rules)
12928 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 attempt (netbios.rules)
12929 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 18 little endian attempt (netbios.rules)
12930 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 18 attempt (netbios.rules)
12931 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 little endian attempt (netbios.rules)
12932 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 object call attempt (netbios.rules)
12933 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 little endian object call attempt (netbios.rules)
12934 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 19 attempt (netbios.rules)
12935 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 19 little endian attempt (netbios.rules)
12936 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 attempt (netbios.rules)
12937 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 little endian attempt (netbios.rules)
12938 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 object call attempt (netbios.rules)
12939 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 little endian object call attempt (netbios.rules)
13518 <-> DELETED WEB-CLIENT Internet Explorer malformed CSS memory corruption attempt (deleted.rules)
13693 <-> VOIP-SIP invalid RTP payload type - possible Asterisk memory overwrite (voip.rules)
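A practical follow-up to a rule pack like this one is to check whether any sid that was just retired to deleted.rules, or whose rule body changed, is still referenced by local tuning (threshold.conf suppressions and event filters, or a gid:sid enable/disable list). The script below is an added example, not Sourcefire VRT code: it parses the "sid <-> Message (rule group)" format shown above and cross-checks it against such local tuning. The changelog excerpt is a subset of the lines on this page; the tuning fragment is constructed for illustration, and the assumed local formats are threshold.conf's "sig_id N" clauses and one "1:N" entry per line.

```python
"""Parse a Sourcefire VRT rule-update changelog and cross-check it against local
Snort tuning. Added example; the tuning fragment below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One changelog line: "<sid> <-> <message> (<rule group file>)"
ENTRY_RE = re.compile(r"^(?P<sid>\d+)\s+<->\s+(?P<msg>.+?)\s+\((?P<group>[\w.-]+)\)$")
# Assumed local tuning formats: threshold.conf "sig_id N" and one "1:N" per line
SIG_ID_RE = re.compile(r"\bsig_id\s+(\d+)")
GID_SID_RE = re.compile(r"^\s*1:(\d+)\s*$", re.MULTILINE)


@dataclass(frozen=True)
class RuleEntry:
    sid: int
    msg: str
    group: str
    section: str  # "new" or "updated"

    @property
    def deleted(self) -> bool:
        # Retired rules move to deleted.rules and carry a DELETED msg prefix
        return self.group == "deleted.rules" or self.msg.startswith("DELETED ")


def parse_changelog(text: str) -> list[RuleEntry]:
    """Return every sid entry, tagged with the section it was listed under."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "New rules:":
            section = "new"
        elif line == "Updated rules:":
            section = "updated"
        elif section and (m := ENTRY_RE.match(line)):
            entries.append(RuleEntry(int(m["sid"]), m["msg"], m["group"], section))
    return entries


def summarize(entries: list[RuleEntry]) -> dict[str, int]:
    return {
        "new": sum(e.section == "new" for e in entries),
        "updated": sum(e.section == "updated" for e in entries),
        "deleted": sum(e.deleted for e in entries),
    }


def referenced_sids(tuning_text: str) -> set[int]:
    """Collect every sid the local tuning mentions (gid 1 only)."""
    found = SIG_ID_RE.findall(tuning_text) + GID_SID_RE.findall(tuning_text)
    return {int(s) for s in found}


def cross_check(entries: list[RuleEntry], tuning_text: str) -> dict[str, list[RuleEntry]]:
    """stale: tuning that points at a sid retired by this update.
    changed: tuning that points at a sid whose rule body was updated."""
    refs = referenced_sids(tuning_text)
    by_sid = lambda e: e.sid
    stale = sorted((e for e in entries if e.deleted and e.sid in refs), key=by_sid)
    changed = sorted((e for e in entries
                      if e.section == "updated" and not e.deleted and e.sid in refs), key=by_sid)
    return {"stale": stale, "changed": changed}


# Subset of this update's changelog, in the page's own format
SAMPLE_CHANGELOG = """\
Sourcefire VRT Rules Update

Date: 2008-09-24

New rules:
2928 <-> NETBIOS SMB-DS nddeapi little endian alter context attempt (netbios.rules)
14603 <-> WEB-CLIENT Data Dynamics ActiveReport ARViewer2 ActiveX clsid access (web-client.rules)
14610 <-> WEB-PHP Joomla invalid token administrative password reset attempt (web-php.rules)

Updated rules:
1087 <-> DELETED WEB-MISC whisker tab splice attack (deleted.rules)
2048 <-> DELETED MISC rsyncd overflow attempt (deleted.rules)
3132 <-> WEB-CLIENT PNG large image width download attempt (web-client.rules)
3562 <-> DELETED NETBIOS SMB mqqm WriteAndX unicode andx bind attempt (deleted.rules)
6000 <-> DELETED P2P Skype client login startup (deleted.rules)
7960 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
8738 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX clsid access (web-client.rules)
13518 <-> DELETED WEB-CLIENT Internet Explorer malformed CSS memory corruption attempt (deleted.rules)
"""

# Constructed local tuning: threshold.conf lines plus a gid:sid enable list
SAMPLE_TUNING = """\
suppress gen_id 1, sig_id 2048, track by_src, ip 10.0.0.5
event_filter gen_id 1, sig_id 3132, type limit, track by_dst, count 1, seconds 60
suppress gen_id 1, sig_id 7960, track by_dst, ip 192.0.2.10
1:6000
1:14610
"""

if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_CHANGELOG)
    print(summarize(entries))
    for kind, hits in cross_check(entries, SAMPLE_TUNING).items():
        for e in hits:
            print(f"{kind}: {e.sid} {e.msg} ({e.group})")
```

On this update the check flags the suppressions for 2048 and 7960 and the enable entry for 6000 as dead tuning (all three sids now live in deleted.rules) and lists 3132 as a rule whose body changed, so a limit filter tuned against its old behaviour should be re-validated before the new pack goes live.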