Sourcefire VRT Rules Update
Date: 2008-04-22
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.
The format of the file is:
sid - Message (rule group)
New rules:
13679 <-> WEB-CLIENT IBiz EBanking Integrator ActiveX clsid access (web-client.rules)
13680 <-> WEB-CLIENT IBiz EBanking Integrator ActiveX clsid unicode access (web-client.rules)
13681 <-> WEB-CLIENT CDNetworks Nefficient Download ActiveX clsid access (web-client.rules)
13682 <-> WEB-CLIENT CDNetworks Nefficient Download ActiveX clsid unicode access (web-client.rules)
13683 <-> WEB-CLIENT CDNetworks Nefficient Download ActiveX function call access (web-client.rules)
13684 <-> WEB-CLIENT CDNetworks Nefficient Download ActiveX function call unicode access (web-client.rules)
13685 <-> WEB-CLIENT Chilkat HTTP 1 ActiveX clsid access (web-client.rules)
13686 <-> WEB-CLIENT Chilkat HTTP 1 ActiveX clsid unicode access (web-client.rules)
13687 <-> WEB-CLIENT Chilkat HTTP 1 ActiveX function call access (web-client.rules)
13688 <-> WEB-CLIENT Chilkat HTTP 1 ActiveX function call unicode access (web-client.rules)
13689 <-> WEB-CLIENT Chilkat HTTP 2 ActiveX clsid access (web-client.rules)
13690 <-> WEB-CLIENT Chilkat HTTP 2 ActiveX clsid unicode access (web-client.rules)
13691 <-> WEB-CLIENT Chilkat HTTP 2 ActiveX function call access (web-client.rules)
13692 <-> WEB-CLIENT Chilkat HTTP 2 ActiveX function call unicode access (web-client.rules)
13693 <-> VOIP-SIP invalid RTP payload type - possible Asterisk memory overwrite (voip.rules)
13694 <-> EXPLOIT RealNetworks Helix RTSP long get request exploit attempt (exploit.rules)
13695 <-> EXPLOIT RealNetworks Helix RTSP long setup request exploit attempt (exploit.rules)
13696 <-> POLICY TOR proxy connection initiation (policy.rules)
13697 <-> POLICY TOR proxy connection initiation alternate port (policy.rules)
13698 <-> POLICY TOR proxy connection initiation second alternate port (policy.rules)
13699 <-> WEB-CLIENT CA DSM gui_cm_ctrls ActiveX clsid access (web-client.rules)
13700 <-> WEB-CLIENT CA DSM gui_cm_ctrls ActiveX clsid unicode access (web-client.rules)
13709 <-> MYSQL yaSSL SSLv2 Server_Hello request (mysql.rules)
13710 <-> MYSQL yaSSL TLSv1 Server_Hello request (mysql.rules)
13711 <-> MYSQL yaSSL SSLv2 Client Hello Message Cipher Length Buffer Overflow attempt (mysql.rules)
13712 <-> MYSQL yaSSL SSLv2 Client Hello Message Session ID Buffer Overflow attempt (mysql.rules)
13713 <-> MYSQL yaSSL SSLv2 Client Hello Message Challenge Buffer Overflow attempt (mysql.rules)
13714 <-> MYSQL yaSSL SSLv3 Client Hello Message Cipher Specs Buffer Overflow attempt (mysql.rules)
13715 <-> WEB-MISC HP OpenView Network Node Manager HTTP Handling buffer overflow attempt (web-misc.rules)

Updated rules:
1054 <-> WEB-MISC weblogic/tomcat .jsp view source attempt (web-misc.rules)
1859 <-> WEB-MISC Sun JavaServer default password login attempt (web-misc.rules)
2050 <-> MS-SQL version overflow attempt (sql.rules)
3076 <-> IMAP UNSUBSCRIBE overflow attempt (imap.rules)
5947 <-> SPYWARE-PUT Adware weirdontheweb runtime detection - log url (spyware-put.rules)
7177 <-> SPYWARE-PUT Keylogger ab system spy runtime detection - info send through email (spyware-put.rules)
7184 <-> SPYWARE-PUT Keylogger 007 spy software runtime detection - smtp (spyware-put.rules)
7541 <-> SPYWARE-PUT Keylogger starlogger runtime detection (spyware-put.rules)
9343 <-> SPECIFIC-THREATS kadra smtp propagation detection (specific-threats.rules)
10506 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
10507 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
10508 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
10509 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
10510 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
10511 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
10512 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
10513 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
11687 <-> WEB-MISC Apache SSI error page cross-site scripting (web-misc.rules)
12421 <-> EXPLOIT RealNetworks Helix RTSP long transport header (exploit.rules)
12422 <-> EXPLOIT RealNetworks Helix RTSP long describe request exploit attempt (exploit.rules)
13678 <-> Microsoft EMF metafile access detected (misc.rules)
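The "sid <-> Message (rule group)" entries above follow a fixed shape, so a rule pack update can be triaged mechanically: which rule files changed, which classification prefixes gained coverage, and which sids were retired into deleted.rules (those should be removed from local tuning rather than kept). The parser below is an added example written for this page, not Sourcefire's or Snort's own tooling; the function names are mine, the entry regex accepts both the "<->" separator the entries use and the plain "-" the format line describes, and the sample input is a handful of entries copied from this update, one per line.

```python
import re
from collections import Counter

# One changelog entry: "<sid> <-> <message> (<group>.rules)".
# The format line says "sid - Message (rule group)", so a plain "-" separator
# is accepted too. The group is anchored at end-of-line, so a " - " inside the
# message (e.g. "runtime detection - log url") cannot be mistaken for it.
ENTRY_RE = re.compile(r"^(\d+)\s+(?:<->|-)\s+(.*?)\s+\(([\w-]+\.rules)\)\s*$")

# Classification prefix convention: an upper-case token such as WEB-CLIENT or
# SPYWARE-PUT at the start of the message.
PREFIX_RE = re.compile(r"^[A-Z][A-Z0-9-]+$")


def parse_changelog(text):
    """Split a VRT changelog into its "New rules" and "Updated rules" sections.

    Returns {"new": [(sid, message, group), ...], "updated": [...]} with sids
    as ints. Lines before the first section header and lines that do not
    match the entry format are ignored.
    """
    sections = {"new": [], "updated": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        lowered = line.lower()
        if lowered.startswith("new rules:"):
            current = "new"
            continue
        if lowered.startswith("updated rules:"):
            current = "updated"
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sid, message, group = m.groups()
            sections[current].append((int(sid), message, group))
    return sections


def category(message):
    """Return the classification prefix of a rule message, or None if absent."""
    first = message.split(" ", 1)[0]
    return first if PREFIX_RE.match(first) else None


def group_counts(entries):
    """Count entries per rule file, e.g. how many touched web-client.rules."""
    return Counter(group for _, _, group in entries)


def retired_sids(entries):
    """Sids moved to deleted.rules: drop them from local tuning, don't keep them."""
    return sorted(sid for sid, _, group in entries if group == "deleted.rules")


# Sample input: a few entries copied from this update, one per line.
SAMPLE = """\
New rules:
13693 <-> VOIP-SIP invalid RTP payload type - possible Asterisk memory overwrite (voip.rules)
13696 <-> POLICY TOR proxy connection initiation (policy.rules)
13711 <-> MYSQL yaSSL SSLv2 Client Hello Message Cipher Length Buffer Overflow attempt (mysql.rules)
Updated rules:
2050 <-> MS-SQL version overflow attempt (sql.rules)
5947 <-> SPYWARE-PUT Adware weirdontheweb runtime detection - log url (spyware-put.rules)
10506 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
10507 <-> DELETED SHELLCODE Canvas shellcode basic encoder (deleted.rules)
13678 <-> Microsoft EMF metafile access detected (misc.rules)
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    for section in ("new", "updated"):
        print(f"{section}: {len(parsed[section])} rules, by file: "
              f"{dict(group_counts(parsed[section]))}")
    print("retired:", retired_sids(parsed["updated"]))
    print("no classification prefix:",
          [sid for sid, msg, _ in parsed["updated"] if category(msg) is None])
```

Feed it the full release note instead of SAMPLE to get the per-file counts for the whole update; entries whose message carries no classification prefix (sid 13678 above) surface separately so they can be reviewed by hand.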
