Sourcefire VRT Rules Update
Date: 2007-10-16
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.
The format of the file is:
sid - Message (rule group)
New rules:
12637 <-> WEB-CLIENT Kaspersky Online Scanner KAVWebScan.dll ActiveX clsid access (web-client.rules)
12638 <-> WEB-CLIENT Kaspersky Online Scanner KAVWebScan.dll ActiveX clsid unicode access (web-client.rules)
12639 <-> WEB-CLIENT Kaspersky Online Scanner KAVWebScan.dll ActiveX function call access (web-client.rules)
12640 <-> WEB-CLIENT Kaspersky Online Scanner KAVWebScan.dll ActiveX function call unicode access (web-client.rules)
12641 <-> POLICY Word for Mac 5 file download (policy.rules)
12642 <-> DOS RPC NTLMSSP malformed credentials (dos.rules)
12643 <-> WEB-CLIENT URI External handler arbitrary command attempt (web-client.rules)
12644 <-> WEB-CLIENT PBEmail7 ActiveX clsid access (web-client.rules)
12645 <-> WEB-CLIENT PBEmail7 ActiveX clsid unicode access (web-client.rules)
12646 <-> WEB-CLIENT PBEmail7 ActiveX function call access (web-client.rules)
12647 <-> WEB-CLIENT PBEmail7 ActiveX function call unicode access (web-client.rules)
12648 <-> WEB-CLIENT DB Software Laboratory VImpX ActiveX clsid access (web-client.rules)
12649 <-> WEB-CLIENT DB Software Laboratory VImpX ActiveX clsid unicode access (web-client.rules)
12650 <-> WEB-CLIENT DB Software Laboratory VImpX ActiveX function call access (web-client.rules)
12651 <-> WEB-CLIENT DB Software Laboratory VImpX ActiveX function call unicode access (web-client.rules)

Updated rules:
634 <-> SCAN Amanda client version request (scan.rules)
635 <-> SCAN XTACACS logout (scan.rules)
636 <-> SCAN cybercop udp bomb (scan.rules)
637 <-> SCAN Webtrends Scanner UDP Probe (scan.rules)
1917 <-> SCAN UPnP service discover attempt (scan.rules)
2004 <-> MS-SQL Worm propagation attempt OUTBOUND (sql.rules)
2050 <-> MS-SQL version overflow attempt (sql.rules)
4989 <-> MS-SQL heap-based overflow attempt (sql.rules)
4990 <-> MS-SQL heap-based overflow attempt (sql.rules)
12220 <-> EXPLOIT IBM Informix Dynamic Server long username (exploit.rules)
12417 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX clsid access (web-client.rules)
12418 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX clsid unicode access (web-client.rules)
12419 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX function call access (web-client.rules)
12420 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX function call unicode access (web-client.rules)
12618 <-> WEB-CLIENT Microsoft Visual Basic VBP file reference overflow attempt (web-client.rules)
12631 <-> EXPLOIT Microsoft Kodak Imaging malformed jpeg tables (exploit.rules)
12632 <-> EXPLOIT Microsoft Kodak Imaging malformed jpeg tables (exploit.rules)
12633 <-> EXPLOIT Microsoft Kodak Imaging malformed tiff (exploit.rules)
12634 <-> EXPLOIT Microsoft Kodak Imaging malformed tiff (exploit.rules)
12635 <-> DOS RPC NTLMSSP malformed credentials (dos.rules)
