Sourcefire VRT Rules Update

Date: 2008-05-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.

The format of the file is:

sid <-> Message (rule group)

New rules:
13720 <-> WEB-CLIENT HP eSupportDiagnostics 3 ActiveX clsid access (web-client.rules)
13721 <-> WEB-CLIENT HP eSupportDiagnostics 3 ActiveX clsid unicode access (web-client.rules)
13722 <-> WEB-CLIENT HP eSupportDiagnostics 4 ActiveX clsid access (web-client.rules)
13723 <-> WEB-CLIENT HP eSupportDiagnostics 4 ActiveX clsid unicode access (web-client.rules)
13724 <-> WEB-CLIENT HP eSupportDiagnostics 5 ActiveX clsid access (web-client.rules)
13725 <-> WEB-CLIENT HP eSupportDiagnostics 5 ActiveX clsid unicode access (web-client.rules)
13726 <-> WEB-CLIENT HP eSupportDiagnostics 6 ActiveX clsid access (web-client.rules)
13727 <-> WEB-CLIENT HP eSupportDiagnostics 6 ActiveX clsid unicode access (web-client.rules)
13728 <-> WEB-CLIENT HP eSupportDiagnostics 7 ActiveX clsid access (web-client.rules)
13729 <-> WEB-CLIENT HP eSupportDiagnostics 7 ActiveX clsid unicode access (web-client.rules)
13730 <-> WEB-CLIENT HP eSupportDiagnostics 8 ActiveX clsid access (web-client.rules)
13731 <-> WEB-CLIENT HP eSupportDiagnostics 8 ActiveX clsid unicode access (web-client.rules)
13732 <-> WEB-CLIENT HP eSupportDiagnostics 9 ActiveX clsid access (web-client.rules)
13733 <-> WEB-CLIENT HP eSupportDiagnostics 9 ActiveX clsid unicode access (web-client.rules)
13734 <-> WEB-CLIENT HP eSupportDiagnostics 10 ActiveX clsid access (web-client.rules)
13735 <-> WEB-CLIENT HP eSupportDiagnostics 10 ActiveX clsid unicode access (web-client.rules)
13736 <-> WEB-CLIENT HP eSupportDiagnostics 11 ActiveX clsid access (web-client.rules)
13737 <-> WEB-CLIENT HP eSupportDiagnostics 11 ActiveX clsid unicode access (web-client.rules)
13738 <-> WEB-CLIENT HP eSupportDiagnostics 12 ActiveX clsid access (web-client.rules)
13739 <-> WEB-CLIENT HP eSupportDiagnostics 12 ActiveX clsid unicode access (web-client.rules)
13740 <-> WEB-CLIENT HP eSupportDiagnostics 13 ActiveX clsid access (web-client.rules)
13741 <-> WEB-CLIENT HP eSupportDiagnostics 13 ActiveX clsid unicode access (web-client.rules)
13742 <-> WEB-CLIENT HP eSupportDiagnostics 14 ActiveX clsid access (web-client.rules)
13743 <-> WEB-CLIENT HP eSupportDiagnostics 14 ActiveX clsid unicode access (web-client.rules)
13744 <-> WEB-CLIENT HP eSupportDiagnostics 15 ActiveX clsid access (web-client.rules)
13745 <-> WEB-CLIENT HP eSupportDiagnostics 15 ActiveX clsid unicode access (web-client.rules)
13746 <-> WEB-CLIENT HP eSupportDiagnostics 16 ActiveX clsid access (web-client.rules)
13747 <-> WEB-CLIENT HP eSupportDiagnostics 16 ActiveX clsid unicode access (web-client.rules)
13748 <-> WEB-CLIENT HP eSupportDiagnostics 17 ActiveX clsid access (web-client.rules)
13749 <-> WEB-CLIENT HP eSupportDiagnostics 17 ActiveX clsid unicode access (web-client.rules)
13750 <-> WEB-CLIENT HP eSupportDiagnostics 18 ActiveX clsid access (web-client.rules)
13751 <-> WEB-CLIENT HP eSupportDiagnostics 18 ActiveX clsid unicode access (web-client.rules)
13752 <-> WEB-CLIENT HP eSupportDiagnostics 19 ActiveX clsid access (web-client.rules)
13753 <-> WEB-CLIENT HP eSupportDiagnostics 19 ActiveX clsid unicode access (web-client.rules)
13754 <-> WEB-CLIENT HP eSupportDiagnostics 20 ActiveX clsid access (web-client.rules)
13755 <-> WEB-CLIENT HP eSupportDiagnostics 20 ActiveX clsid unicode access (web-client.rules)
13756 <-> WEB-CLIENT HP eSupportDiagnostics 21 ActiveX clsid access (web-client.rules)
13757 <-> WEB-CLIENT HP eSupportDiagnostics 21 ActiveX clsid unicode access (web-client.rules)
13758 <-> WEB-CLIENT Microsoft HeartbeatCtl ActiveX clsid access (web-client.rules)
13759 <-> WEB-CLIENT Microsoft HeartbeatCtl ActiveX clsid unicode access (web-client.rules)
13760 <-> WEB-CLIENT Microsoft HeartbeatCtl ActiveX function call access (web-client.rules)
13761 <-> WEB-CLIENT Microsoft HeartbeatCtl ActiveX function call unicode access (web-client.rules)
13762 <-> SPYWARE-PUT Adware system defender runtime detection (spyware-put.rules)
13763 <-> SPYWARE-PUT Snoopware xpress remote runtime detection - init connection (spyware-put.rules)
13764 <-> SPYWARE-PUT Snoopware xpress remote runtime detection - init connection (spyware-put.rules)
13765 <-> SPYWARE-PUT Adware winxdefender runtime detection - presale request (spyware-put.rules)
13766 <-> SPYWARE-PUT Adware winxdefender runtime detection - auto update (spyware-put.rules)
13767 <-> SPYWARE-PUT Keylogger cyber sitter runtime detection (spyware-put.rules)
13768 <-> SPYWARE-PUT Keylogger cyber sitter runtime detection (spyware-put.rules)
13769 <-> SPYWARE-PUT Hijacker searchnine toolbar runtime detection - hijacks address bar (spyware-put.rules)
13770 <-> SPYWARE-PUT Hijacker searchnine toolbar runtime detection - redirects search function (spyware-put.rules)
13771 <-> SPYWARE-PUT Hijacker music of faith toolbar runtime detection - hijacks search engine traffic #1 (spyware-put.rules)
13772 <-> SPYWARE-PUT Hijacker music of faith toolbar runtime detection - hijacks search engine traffic #2 (spyware-put.rules)
13774 <-> SPYWARE-PUT Trickler trojan ecodec runtime detection - initial server connection #1 (spyware-put.rules)
13775 <-> SPYWARE-PUT Trickler trojan ecodec runtime detection - initial server connection #2 (spyware-put.rules)
13776 <-> SPYWARE-PUT Trackware syscleaner runtime detection - presale traffic (spyware-put.rules)
13777 <-> SPYWARE-PUT Trackware syscleaner runtime detection - get update (spyware-put.rules)
13778 <-> SPYWARE-PUT Keylogger kgb employee monitor runtime detection (spyware-put.rules)
13779 <-> SPYWARE-PUT Trackware proofile toolbar runtime detection (spyware-put.rules)
13780 <-> SPYWARE-PUT Hijacker find.fm toolbar runtime detection - automatic updates (spyware-put.rules)
13781 <-> SPYWARE-PUT Hijacker find.fm toolbar runtime detection - hijacks address bar (spyware-put.rules)
13782 <-> SPYWARE-PUT Hijacker ezreward runtime detection (spyware-put.rules)
13783 <-> WEB-CLIENT Yahoo Assistant ActiveX clsid access (web-client.rules)
13784 <-> WEB-CLIENT Yahoo Assistant ActiveX clsid unicode access (web-client.rules)
13785 <-> WEB-CLIENT Ourgame GLWorld ActiveX clsid access (web-client.rules)
13786 <-> WEB-CLIENT Ourgame GLWorld ActiveX clsid unicode access (web-client.rules)
13787 <-> WEB-CLIENT Ourgame GLWorld ActiveX function call access (web-client.rules)
13788 <-> WEB-CLIENT Ourgame GLWorld ActiveX function call unicode access (web-client.rules)
13789 <-> WEB-CLIENT Microsoft Word file download request (web-client.rules)
13791 <-> SQL oversized cast statement - possible sql injection obfuscation (sql.rules)

Updated rules:
 673 <-> SQL sp_start_job - program execution (sql.rules)
 674 <-> DELETED SQL xp_displayparamstmt possible buffer overflow (deleted.rules)
 675 <-> DELETED SQL xp_setsqlsecurity possible buffer overflow (deleted.rules)
 676 <-> SQL sp_start_job - program execution (sql.rules)
 677 <-> SQL sp_password password change (sql.rules)
 678 <-> SQL sp_delete_alert log file deletion (sql.rules)
 679 <-> SQL sp_adduser database user creation (sql.rules)
 680 <-> SQL sa login failed (sql.rules)
 681 <-> SQL xp_cmdshell program execution (sql.rules)
 682 <-> DELETED SQL xp_enumresultset possible buffer overflow (deleted.rules)
 683 <-> SQL sp_password - password change (sql.rules)
 684 <-> SQL sp_delete_alert log file deletion (sql.rules)
 685 <-> SQL sp_adduser - database user creation (sql.rules)
 686 <-> SQL xp_reg* - registry access (sql.rules)
 687 <-> SQL xp_cmdshell - program execution (sql.rules)
 688 <-> SQL sa login failed (sql.rules)
 689 <-> SQL xp_reg* registry access (sql.rules)
 690 <-> DELETED SQL/SMB xp_printstatements possible buffer overflow (deleted.rules)
 691 <-> SQL shellcode attempt (sql.rules)
 692 <-> SQL shellcode attempt (sql.rules)
 693 <-> SQL shellcode attempt (sql.rules)
 694 <-> SQL shellcode attempt (sql.rules)
 695 <-> SQL xp_sprintf possible buffer overflow (sql.rules)
 696 <-> DELETED SQL/SMB xp_showcolv possible buffer overflow (deleted.rules)
 697 <-> DELETED SQL/SMB xp_peekqueue possible buffer overflow (deleted.rules)
 698 <-> DELETED SQL/SMB xp_proxiedmetadata possible buffer overflow (deleted.rules)
 699 <-> DELETED SQL xp_printstatements possible buffer overflow (deleted.rules)
 700 <-> DELETED SQL/SMB xp_updatecolvbm possible buffer overflow (deleted.rules)
 701 <-> DELETED SQL xp_updatecolvbm possible buffer overflow (deleted.rules)
 702 <-> DELETED SQL/SMB xp_displayparamstmt possible buffer overflow (deleted.rules)
 703 <-> DELETED SQL/SMB xp_setsqlsecurity possible buffer overflow (deleted.rules)
 704 <-> SQL xp_sprintf possible buffer overflow (sql.rules)
 705 <-> DELETED SQL xp_showcolv possible buffer overflow (deleted.rules)
 706 <-> DELETED SQL xp_peekqueue possible buffer overflow (deleted.rules)
 707 <-> DELETED SQL xp_proxiedmetadata possible buffer overflow (deleted.rules)
 708 <-> DELETED SQL/SMB xp_enumresultset possible buffer overflow (deleted.rules)
1386 <-> SQL raiserror possible buffer overflow (sql.rules)
1387 <-> SQL raiserror possible buffer overflow (sql.rules)
1759 <-> SQL xp_cmdshell program execution 445 (sql.rules)
1965 <-> RPC tooltalk TCP overflow attempt (rpc.rules)
2003 <-> SQL Worm propagation attempt (sql.rules)
2004 <-> SQL Worm propagation attempt OUTBOUND (sql.rules)
2049 <-> SQL ping attempt (sql.rules)
2050 <-> SQL version overflow attempt (sql.rules)
2329 <-> SQL probe response overflow attempt (sql.rules)
3152 <-> SQL sa brute force failed login attempt (sql.rules)
3273 <-> SQL sa brute force failed login unicode attempt (sql.rules)
3443 <-> DELETED SQL DNS query with 1 requests (deleted.rules)
3444 <-> DELETED SQL DNS query with 2 requests (deleted.rules)
3445 <-> DELETED SQL DNS query with 3 requests (deleted.rules)
3446 <-> DELETED SQL DNS query with 4 requests (deleted.rules)
3447 <-> DELETED SQL DNS query with 5 requests (deleted.rules)
3448 <-> DELETED SQL DNS query with 6 requests (deleted.rules)
3449 <-> DELETED SQL DNS query with 7 requests (deleted.rules)
3450 <-> DELETED SQL DNS query with 8 requests (deleted.rules)
3451 <-> DELETED SQL DNS query with 9 requests (deleted.rules)
3452 <-> DELETED SQL DNS query with 10 requests (deleted.rules)
3542 <-> SQL SA brute force login attempt (sql.rules)
3543 <-> SQL SA brute force login attempt TDS v7/8 (sql.rules)
4984 <-> SQL sa brute force failed login unicode attempt (sql.rules)
4989 <-> SQL heap-based overflow attempt (sql.rules)
4990 <-> SQL heap-based overflow attempt (sql.rules)
7829 <-> SPYWARE-PUT Adware gator user-agent detected (spyware-put.rules)
8494 <-> SQL formatmessage possible buffer overflow (sql.rules)
8495 <-> SQL formatmessage possible buffer overflow (sql.rules)
8496 <-> SQL sp_oacreate unicode vulnerable function attempt (sql.rules)
8497 <-> SQL sp_oacreate vulnerable function attempt (sql.rules)
8498 <-> SQL sp_oacreate unicode vulnerable function attempt (sql.rules)
8499 <-> SQL xp_displayparamstmt unicode vulnerable function attempt (sql.rules)
8500 <-> SQL xp_displayparamstmt unicode vulnerable function attempt (sql.rules)
8501 <-> SQL xp_displayparamstmt vulnerable function attempt (sql.rules)
8502 <-> SQL xp_enumresultset unicode vulnerable function attempt (sql.rules)
8503 <-> SQL xp_enumresultset unicode vulnerable function attempt (sql.rules)
8504 <-> SQL xp_enumresultset vulnerable function attempt (sql.rules)
8505 <-> SQL xp_oadestroy unicode vulnerable function attempt (sql.rules)
8506 <-> SQL xp_oadestroy unicode vulnerable function attempt (sql.rules)
8507 <-> SQL xp_oadestroy vulnerable function attempt (sql.rules)
8508 <-> SQL xp_oagetproperty unicode vulnerable function attempt (sql.rules)
8509 <-> SQL xp_oagetproperty unicode vulnerable function attempt (sql.rules)
8510 <-> SQL xp_oagetproperty vulnerable function attempt (sql.rules)
8511 <-> SQL xp_oamethod unicode vulnerable function attempt (sql.rules)
8512 <-> SQL xp_oamethod vulnerable function attempt (sql.rules)
8513 <-> SQL xp_oamethod unicode vulnerable function attempt (sql.rules)
8514 <-> SQL xp_oasetproperty unicode vulnerable function attempt (sql.rules)
8515 <-> SQL xp_oasetproperty unicode vulnerable function attempt (sql.rules)
8516 <-> SQL xp_oasetproperty vulnerable function attempt (sql.rules)
8517 <-> SQL xp_peekqueue unicode vulnerable function attempt (sql.rules)
8518 <-> SQL xp_peekqueue unicode vulnerable function attempt (sql.rules)
8519 <-> SQL xp_peekqueue vulnerable function attempt (sql.rules)
8520 <-> SQL xp_printstatements unicode vulnerable function attempt (sql.rules)
8521 <-> SQL xp_printstatements unicode vulnerable function attempt (sql.rules)
8522 <-> SQL xp_printstatements vulnerable function attempt (sql.rules)
8523 <-> SQL xp_proxiedmetadata unicode vulnerable function attempt (sql.rules)
8524 <-> SQL xp_proxiedmetadata unicode vulnerable function attempt (sql.rules)
8525 <-> SQL xp_proxiedmetadata vulnerable function attempt (sql.rules)
8526 <-> SQL xp_SetSQLSecurity unicode vulnerable function attempt (sql.rules)
8527 <-> SQL xp_SetSQLSecurity unicode vulnerable function attempt (sql.rules)
8528 <-> SQL xp_SetSQLSecurity vulnerable function attempt (sql.rules)
8529 <-> SQL xp_showcolv unicode vulnerable function attempt (sql.rules)
8530 <-> SQL xp_showcolv unicode vulnerable function attempt (sql.rules)
8531 <-> SQL xp_showcolv vulnerable function attempt (sql.rules)
8532 <-> SQL xp_sqlagent_monitor unicode vulnerable function attempt (sql.rules)
8533 <-> SQL xp_sqlagent_monitor vulnerable function attempt (sql.rules)
8534 <-> SQL xp_sqlagent_monitor unicode vulnerable function attempt (sql.rules)
8535 <-> SQL xp_sqlinventory unicode vulnerable function attempt (sql.rules)
8536 <-> SQL xp_sqlinventory vulnerable function attempt (sql.rules)
8537 <-> SQL xp_sqlinventory unicode vulnerable function attempt (sql.rules)
8538 <-> SQL xp_updatecolvbm unicode vulnerable function attempt (sql.rules)
8539 <-> SQL xp_updatecolvbm unicode vulnerable function attempt (sql.rules)
8540 <-> SQL xp_updatecolvbm vulnerable function attempt (sql.rules)
11264 <-> SQL Microsoft SQL Server 2000 Server hello buffer overflow attempt (sql.rules)
12353 <-> NETBIOS DCERPC DIRECT ca-alert alter context attempt (netbios.rules)
12354 <-> NETBIOS DCERPC DIRECT ca-alert little endian alter context attempt (netbios.rules)
12355 <-> NETBIOS DCERPC DIRECT ca-alert bind attempt (netbios.rules)
12356 <-> NETBIOS DCERPC DIRECT ca-alert little endian bind attempt (netbios.rules)
13514 <-> SQL generic sql update injection attempt (sql.rules)
13694 <-> EXPLOIT RealNetworks Helix RTSP long get request exploit attempt (exploit.rules)
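The listing above is regular enough to parse, and the practical check a rule maintainer wants from it is the set of entries that landed in deleted.rules: those rules have been retired by the VRT, and any local threshold, suppression or enablesid entry that still names them is dead weight. The following Python script is an added example, not part of this update and not a Sourcefire or VRT tool. It parses the sid <-> Message (rule group) entries, keeps track of the New rules / Updated rules section each one came from, counts entries per rule file, and emits gid:sid lines for the retired rules. The sample text is a handful of entries copied from this update; the gid:sid output format (the shape PulledPork's disablesid.conf reads) and gid 1 are assumptions about the reader's tooling.

```python
import re
from collections import Counter

# One changelog entry: "<sid> <-> <message> (<rule group>)". The header of the
# update describes the separator as "-" while the entries use "<->"; both are
# accepted. The group is the trailing parenthesised ".rules" token.
ENTRY_RE = re.compile(r'^\s*(\d+)\s+(?:<->|-)\s+(.*?)\s+\((\S+\.rules)\)\s*$')

# Constructed sample: a few entries copied from this update, in its own format.
SAMPLE = """\
New rules:
13758 <-> WEB-CLIENT Microsoft HeartbeatCtl ActiveX clsid access (web-client.rules)
13791 <-> SQL oversized cast statement - possible sql injection obfuscation (sql.rules)

Updated rules:
 674 <-> DELETED SQL xp_displayparamstmt possible buffer overflow (deleted.rules)
 681 <-> SQL xp_cmdshell program execution (sql.rules)
"""


def parse_update(text):
    """Parse the changelog into a list of dicts, recording each entry's section."""
    section = None
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        match = ENTRY_RE.match(line)
        if match is None:
            # Section headers are the only non-entry lines ending in a colon.
            if stripped.endswith(':'):
                section = stripped[:-1].lower()
            continue
        sid, msg, group = int(match.group(1)), match.group(2), match.group(3)
        entries.append({
            'sid': sid,
            'msg': msg,
            'group': group,
            'section': section,
            # A rule retired by the VRT is moved to deleted.rules and its message
            # is prefixed with DELETED; either marker is enough to flag it.
            'deleted': group == 'deleted.rules' or msg.startswith('DELETED '),
        })
    return entries


def deleted_sids(entries):
    """SIDs retired in this update; local tuning that names them can be dropped."""
    return sorted(e['sid'] for e in entries if e['deleted'])


def group_counts(entries, section=None):
    """Entries per rule file, optionally restricted to one section."""
    return Counter(e['group'] for e in entries
                   if section is None or e['section'] == section)


def disable_lines(entries, gid=1):
    """gid:sid lines for the retired rules. The gid:sid form is what PulledPork's
    disablesid.conf reads; this is an assumption about your tooling, adjust as needed."""
    return ['%d:%d' % (gid, sid) for sid in deleted_sids(entries)]


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    parsed = parse_update(text)
    for name in ('new rules', 'updated rules'):
        print(name, dict(group_counts(parsed, name)))
    print('retired:', disable_lines(parsed))
```

Run it with the update file as its only argument to get per-file counts for both sections and the retired SIDs; with no argument it runs over the embedded sample. Note that entries under Updated rules that are not marked DELETED changed content, not status, so the script deliberately reports only the retired ones for disabling.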