Sourcefire VRT Rules Update

Date: 2008-02-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.

The format of the file is:

sid - Message (rule group)

New rules:
13479 <-> SPYWARE-PUT Keylogger findnot guarddog 4.0 runtime detection (spyware-put.rules)
13480 <-> SPYWARE-PUT Keylogger findnot guarddog 4.0 runtime detection (spyware-put.rules)
13481 <-> SPYWARE-PUT Hijacker baidu toolbar runtime detection - hijacks search engine (spyware-put.rules)
13482 <-> SPYWARE-PUT Hijacker baidu toolbar runtime detection - discloses information (spyware-put.rules)
13483 <-> SPYWARE-PUT Hijacker baidu toolbar runtime detection - updates automatically (spyware-put.rules)
13484 <-> SPYWARE-PUT Hijacker baidu toolbar runtime detection - updates automatically (spyware-put.rules)
13485 <-> SPYWARE-PUT Hijacker sofa toolbar runtime detection - hijacks search engine (spyware-put.rules)
13486 <-> SPYWARE-PUT Hijacker sofa toolbar runtime detection - records search information (spyware-put.rules)
13487 <-> SPYWARE-PUT Adware elite protector runtime detection (spyware-put.rules)
13488 <-> SPYWARE-PUT Hijacker people pal toolbar runtime detection - automatic upgrade (spyware-put.rules)
13489 <-> SPYWARE-PUT Hijacker people pal toolbar runtime detection - traffic for searching (spyware-put.rules)
13490 <-> SPYWARE-PUT Adware spy shredder 2.1 runtime detection - presale request (spyware-put.rules)
13491 <-> SPYWARE-PUT Adware spy shredder 2.1 runtime detection - update (spyware-put.rules)
13492 <-> SPYWARE-PUT Hijacker deepdo toolbar runtime detection - redirects search engine (spyware-put.rules)
13493 <-> SPYWARE-PUT Hijacker deepdo toolbar runtime detection - automatic update (spyware-put.rules)
13494 <-> SPYWARE-PUT Keylogger smart pc Keylogger runtime detection (spyware-put.rules)
13495 <-> SPYWARE-PUT Hijacker ez-tracks toolbar runtime detection - initial traffic 1 (spyware-put.rules)
13496 <-> SPYWARE-PUT Hijacker ez-tracks toolbar runtime detection - initial traffic 2 (spyware-put.rules)
13497 <-> SPYWARE-PUT Hijacker ez-tracks toolbar runtime detection - tracking traffic (spyware-put.rules)
13498 <-> SPYWARE-PUT Hijacker hbtbar runtime detection - search traffic 1 (spyware-put.rules)
13499 <-> SPYWARE-PUT Hijacker hbtbar runtime detection - search traffic 2 (spyware-put.rules)
13500 <-> SPYWARE-PUT Hijacker hbtbar runtime detection - log information (spyware-put.rules)
13501 <-> SPYWARE-PUT Adware contravirus runtime detection - presale request (spyware-put.rules)
13502 <-> SPYWARE-PUT Adware contravirus runtime detection - update (spyware-put.rules)
13503 <-> SPYWARE-PUT Hijacker dealio toolbar runtime detection user-agent detected (spyware-put.rules)
13504 <-> SPYWARE-PUT Adware iedefender runtime detection - presale request (spyware-put.rules)
13505 <-> SPYWARE-PUT Adware iedefender runtime detection - update (spyware-put.rules)
13506 <-> BACKDOOR evilotus 1.3.2 runtime detection - init connection (backdoor.rules)
13507 <-> BACKDOOR evilotus 1.3.2 runtime detection - init connection (backdoor.rules)
13508 <-> BACKDOOR xploit 1.4.5 runtime detection (backdoor.rules)
13509 <-> BACKDOOR xploit 1.4.5 pc runtime detection (backdoor.rules)
13512 <-> SQL generic sql exec injection attempt (sql.rules)
13513 <-> SQL generic sql insert injection attempt (sql.rules)
13514 <-> SQL generic sql update injection attempt (sql.rules)
13515 <-> WEB-CLIENT Quicktime user agent (web-client.rules)
13516 <-> WEB-CLIENT Quicktime HTTP error response buffer overflow (web-client.rules)
13517 <-> EXPLOIT Apple QTIF malformed idsc atom (exploit.rules)
13518 <-> DELETED WEB-CLIENT Internet Explorer malformed CSS memory corruption attempt (deleted.rules)
13519 <-> EXPLOIT Citrix MetaFrame IMA buffer overflow attempt (exploit.rules)
13520 <-> EXPLOIT Winamp uvox malicious metadata (exploit.rules)
13521 <-> EXPLOIT Winamp uvox malicious metadata (exploit.rules)
13522 <-> EXPLOIT Firebird Database Server username handling buffer overflow (exploit.rules)

Updated rules:
 223 <-> DDOS Trin00 Daemon to Master PONG message detected (ddos.rules)
 337 <-> FTP CEL overflow attempt (ftp.rules)
 590 <-> RPC portmap ypserv request UDP (rpc.rules)
1379 <-> FTP STAT overflow attempt (ftp.rules)
1734 <-> FTP USER overflow attempt (ftp.rules)
1831 <-> WEB-MISC jigsaw dos attempt (web-misc.rules)
1904 <-> IMAP find overflow attempt (imap.rules)
1920 <-> FTP SITE NEWER overflow attempt (ftp.rules)
1971 <-> FTP SITE EXEC format string attempt (ftp.rules)
1972 <-> FTP PASS overflow attempt (ftp.rules)
1974 <-> FTP REST overflow attempt (ftp.rules)
1975 <-> FTP DELE overflow attempt (ftp.rules)
1976 <-> FTP RMD overflow attempt (ftp.rules)
2090 <-> WEB-IIS WEBDAV exploit attempt (web-iis.rules)
2272 <-> FTP LIST integer overflow attempt (ftp.rules)
2332 <-> FTP MKD format string attempt (ftp.rules)
2333 <-> FTP RENAME format string attempt (ftp.rules)
2334 <-> FTP Yak! FTP server default account login attempt (ftp.rules)
2338 <-> FTP LIST buffer overflow attempt (ftp.rules)
2340 <-> FTP SITE CHMOD overflow attempt (ftp.rules)
2343 <-> FTP STOR overflow attempt (ftp.rules)
2344 <-> FTP XCWD overflow attempt (ftp.rules)
2373 <-> FTP XMKD overflow attempt (ftp.rules)
2374 <-> FTP NLST overflow attempt (ftp.rules)
2389 <-> FTP RNTO overflow attempt (ftp.rules)
2390 <-> FTP STOU overflow attempt (ftp.rules)
2391 <-> FTP APPE overflow attempt (ftp.rules)
2392 <-> FTP RETR overflow attempt (ftp.rules)
2416 <-> FTP invalid MDTM command attempt (ftp.rules)
2449 <-> FTP ALLO overflow attempt (ftp.rules)
2546 <-> FTP MDTM overflow attempt (ftp.rules)
3523 <-> FTP SITE INDEX format string attempt (ftp.rules)
3527 <-> EXPLOIT Solaris LPD overflow attempt (exploit.rules)
3532 <-> FTP ORACLE password buffer overflow attempt (ftp.rules)
3630 <-> FTP ORACLE TEST command buffer overflow attempt (ftp.rules)
3631 <-> FTP ORACLE user name buffer overflow attempt (ftp.rules)
4637 <-> EXPLOIT MailEnable HTTPMail buffer overflow attempt (exploit.rules)
7024 <-> WEB-CLIENT excel style handling overflow attempt (web-client.rules)
8470 <-> BACKDOOR superspy 2.0 beta runtime detection - get system info (backdoor.rules)
8471 <-> BACKDOOR superspy 2.0 beta runtime detection - get system info (backdoor.rules)
8472 <-> BACKDOOR superspy 2.0 beta runtime detection - screen capture (backdoor.rules)
8473 <-> BACKDOOR superspy 2.0 beta runtime detection - screen capture (backdoor.rules)
8474 <-> BACKDOOR superspy 2.0 beta runtime detection - processes/active windows manage (backdoor.rules)
8475 <-> BACKDOOR superspy 2.0 beta runtime detection - processes/active windows manage (backdoor.rules)
8476 <-> DELETED BACKDOOR superspy 2.0 beta runtime detection - file management (deleted.rules)
8477 <-> DELETED BACKDOOR superspy 2.0 beta runtime detection - file management (deleted.rules)
8479 <-> FTP HELP overflow attempt (ftp.rules)
8480 <-> FTP PORT overflow attempt (ftp.rules)
9792 <-> FTP PASV overflow attempt (ftp.rules)
11686 <-> SPECIFIC-THREATS WebDAV search overflow attempt (specific-threats.rules)
12082 <-> ORACLE Oracle 9i TNS denial of service attempt (oracle.rules)
12151 <-> BACKDOOR cafeini 1.0 runtime detection (backdoor.rules)
12214 <-> DELETED IMAP Ipswitch IMail subscribe command buffer overflow attempt (deleted.rules)
12215 <-> DELETED IMAP Ipswitch IMail subscribe command buffer overflow attempt (deleted.rules)
12421 <-> EXPLOIT RealNetworks Helix RTSP long transport header (exploit.rules)
12780 <-> WEB-CLIENT Aurigma Image Uploader 4 Vulnerable Methods ActiveX clsid access (web-client.rules)
12781 <-> WEB-CLIENT Aurigma Image Uploader 4 Vulnerable Methods ActiveX clsid unicode access (web-client.rules)
12782 <-> WEB-CLIENT Aurigma Image Uploader 4 Vulnerable Methods ActiveX function call access (web-client.rules)
12783 <-> WEB-CLIENT Aurigma Image Uploader 4 Vulnerable Methods ActiveX function call unicode access (web-client.rules)
13434 <-> WEB-CLIENT Aurigma Image Uploader 4 Property Overflows ActiveX clsid access (web-client.rules)
13435 <-> WEB-CLIENT Aurigma Image Uploader 4 Property Overflows ActiveX clsid unicode access (web-client.rules)
13436 <-> WEB-CLIENT Aurigma Image Uploader 4 Property Overflows ActiveX function call access (web-client.rules)
13437 <-> WEB-CLIENT Aurigma Image Uploader 4 Property Overflows ActiveX function call unicode access (web-client.rules)
13438 <-> WEB-CLIENT Aurigma Image Uploader 5 Vulnerable Methods ActiveX clsid access (web-client.rules)
13439 <-> WEB-CLIENT Aurigma Image Uploader 5 Vulnerable Methods ActiveX clsid unicode access (web-client.rules)
13440 <-> WEB-CLIENT Aurigma Image Uploader 5 Vulnerable Methods ActiveX function call access (web-client.rules)
13441 <-> WEB-CLIENT Aurigma Image Uploader 5 Vulnerable Methods ActiveX function call unicode access (web-client.rules)
13442 <-> WEB-CLIENT Aurigma Image Uploader 5 Property Overflows ActiveX clsid access (web-client.rules)
13443 <-> WEB-CLIENT Aurigma Image Uploader 5 Property Overflows ActiveX clsid unicode access (web-client.rules)
13444 <-> WEB-CLIENT Aurigma Image Uploader 5 Property Overflows ActiveX function call access (web-client.rules)
13445 <-> WEB-CLIENT Aurigma Image Uploader 5 Property Overflows ActiveX function call unicode access (web-client.rules)