Sourcefire VRT Rules Update
Date: 2008-09-24
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.
The format of the file is:
sid - Message (rule group)
New rules:

2928 <-> NETBIOS SMB-DS nddeapi little endian alter context attempt (netbios.rules)
3527 <-> EXPLOIT Solaris LPD overflow attempt (exploit.rules)
14603 <-> WEB-CLIENT Data Dynamics ActiveReport ARViewer2 ActiveX clsid access (web-client.rules)
14604 <-> WEB-CLIENT Data Dynamics ActiveReport ARViewer2 ActiveX clsid unicode access (web-client.rules)
14605 <-> WEB-CLIENT Data Dynamics ActiveReport ARViewer2 ActiveX function call access (web-client.rules)
14606 <-> WEB-CLIENT Data Dynamics ActiveReport ARViewer2 ActiveX function call unicode access (web-client.rules)
14607 <-> EXPLOIT CA Brightstor SUN RPC malformed string buffer overflow attempt (exploit.rules)
14608 <-> VOIP-SIP SDP T.38 fax rate management attribute possible buffer overflow (voip.rules)
14609 <-> VOIP-SIP SDP T.38 fax UDP EC attribute possible buffer overflow (voip.rules)
14610 <-> WEB-PHP Joomla invalid token administrative password reset attempt (web-php.rules)
14611 <-> WEB-CLIENT VMWare VMCtl Class ActiveX clsid access (web-client.rules)
14612 <-> WEB-CLIENT VMWare VMCtl Class ActiveX clsid unicode access (web-client.rules)
14613 <-> WEB-CLIENT VMWare VMCtl Class ActiveX function call access (web-client.rules)
14614 <-> WEB-CLIENT VMWare VMCtl Class ActiveX function call unicode access (web-client.rules)

Updated rules:

1087 <-> DELETED WEB-MISC whisker tab splice attack (deleted.rules)
1171 <-> DELETED WEB-MISC whisker HEAD with large datagram (deleted.rules)
2048 <-> DELETED MISC rsyncd overflow attempt (deleted.rules)
2064 <-> DELETED WEB-MISC Lotus Notes .csp script source download attempt (deleted.rules)
2586 <-> DELETED P2P eDonkey transfer (deleted.rules)
2923 <-> NETBIOS SMB repeated logon failure (netbios.rules)
3132 <-> WEB-CLIENT PNG large image width download attempt (web-client.rules)
3133 <-> WEB-CLIENT PNG large image height download attempt (web-client.rules)
3443 <-> DELETED SQL DNS query with 1 requests (deleted.rules)
3444 <-> DELETED SQL DNS query with 2 requests (deleted.rules)
3445 <-> DELETED SQL DNS query with 3 requests (deleted.rules)
3446 <-> DELETED SQL DNS query with 4 requests (deleted.rules)
3447 <-> DELETED SQL DNS query with 5 requests (deleted.rules)
3448 <-> DELETED SQL DNS query with 6 requests (deleted.rules)
3449 <-> DELETED SQL DNS query with 7 requests (deleted.rules)
3450 <-> DELETED SQL DNS query with 8 requests (deleted.rules)
3451 <-> DELETED SQL DNS query with 9 requests (deleted.rules)
3452 <-> DELETED SQL DNS query with 10 requests (deleted.rules)
3562 <-> DELETED NETBIOS SMB mqqm WriteAndX unicode andx bind attempt (deleted.rules)
3563 <-> DELETED NETBIOS SMB mqqm WriteAndX unicode bind attempt (deleted.rules)
3564 <-> DELETED NETBIOS SMB mqqm WriteAndX unicode little endian andx bind attempt (deleted.rules)
3565 <-> DELETED NETBIOS SMB mqqm WriteAndX unicode little endian bind attempt (deleted.rules)
3566 <-> DELETED NETBIOS SMB mqqm andx bind attempt (deleted.rules)
3567 <-> DELETED NETBIOS SMB mqqm bind attempt (deleted.rules)
3568 <-> DELETED NETBIOS SMB mqqm little endian andx bind attempt (deleted.rules)
3569 <-> DELETED NETBIOS SMB mqqm little endian bind attempt (deleted.rules)
3570 <-> DELETED NETBIOS SMB mqqm unicode andx bind attempt (deleted.rules)
3571 <-> DELETED NETBIOS SMB mqqm unicode bind attempt (deleted.rules)
3572 <-> DELETED NETBIOS SMB mqqm unicode little endian andx bind attempt (deleted.rules)
3573 <-> DELETED NETBIOS SMB mqqm unicode little endian bind attempt (deleted.rules)
5804 <-> DELETED SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar runtime detection - ads (deleted.rules)
5806 <-> DELETED SPYWARE-PUT Hijacker searchmiracle-elitebar runtime detection (deleted.rules)
5931 <-> DELETED SPYWARE-PUT Adware cashbar runtime detection - stats track 1 (deleted.rules)
6000 <-> DELETED P2P Skype client login startup (deleted.rules)
6001 <-> DELETED P2P Skype client login (deleted.rules)
7043 <-> DELETED NETBIOS SMB-DS Trans andx mailslot heap overflow attempt (deleted.rules)
7044 <-> DELETED NETBIOS SMB-DS Trans unicode andx mailslot heap overflow attempt (deleted.rules)
7045 <-> DELETED NETBIOS-DG SMB Trans andx mailslot heap overflow attempt (deleted.rules)
7046 <-> DELETED NETBIOS-DG SMB Trans unicode andx mailslot heap overflow attempt (deleted.rules)
7725 <-> DELETED BACKDOOR reversable ver1.0 runtime detection - initial connection (deleted.rules)
7960 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
7961 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access (deleted.rules)
7962 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
7963 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access (deleted.rules)
7964 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
7965 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access (deleted.rules)
7966 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
7967 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access (deleted.rules)
7968 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access (deleted.rules)
7969 <-> DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access (deleted.rules)
7972 <-> DELETED WEB-CLIENT RealPlayer G2 Control ActiveX CLSID access (deleted.rules)
7973 <-> DELETED WEB-CLIENT RealPlayer G2 Control ActiveX CLSID unicode access (deleted.rules)
8061 <-> DELETED WEB-CLIENT ADODB.Stream ActiveX CLSID access (deleted.rules)
8476 <-> DELETED BACKDOOR superspy 2.0 beta runtime detection - file management (deleted.rules)
8477 <-> DELETED BACKDOOR superspy 2.0 beta runtime detection - file management (deleted.rules)
8738 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX clsid access (web-client.rules)
8739 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX clsid unicode access (web-client.rules)
8740 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX function call access (web-client.rules)
9790 <-> EXPLOIT HP-UX lpd command execution attempt (exploit.rules)
10106 <-> DELETED BACKDOOR icmp cmd 1.0 runtime detection - download file (deleted.rules)
11315 <-> DELETED BACKDOOR ykw v375 runtime detection (deleted.rules)
12703 <-> WEB-CLIENT Macrovision InstallShield Update Service ActiveX function call unicode access (web-client.rules)
12906 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 little endian alter context attempt (netbios.rules)
12907 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 alter context attempt (netbios.rules)
12908 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 little endian bind attempt (netbios.rules)
12909 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 bind attempt (netbios.rules)
12910 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 4 attempt (netbios.rules)
12911 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 attempt (netbios.rules)
12912 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 4 little endian attempt (netbios.rules)
12913 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 little endian attempt (netbios.rules)
12914 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 object call attempt (netbios.rules)
12915 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 little endian object call attempt (netbios.rules)
12916 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 12 little endian attempt (netbios.rules)
12917 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 12 attempt (netbios.rules)
12918 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 little endian attempt (netbios.rules)
12919 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 attempt (netbios.rules)
12920 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 little endian object call attempt (netbios.rules)
12921 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 object call attempt (netbios.rules)
12922 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 16 little endian attempt (netbios.rules)
12923 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 little endian attempt (netbios.rules)
12924 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 16 attempt (netbios.rules)
12925 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 attempt (netbios.rules)
12926 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 little endian object call attempt (netbios.rules)
12927 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 object call attempt (netbios.rules)
12928 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 attempt (netbios.rules)
12929 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 18 little endian attempt (netbios.rules)
12930 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 18 attempt (netbios.rules)
12931 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 little endian attempt (netbios.rules)
12932 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 object call attempt (netbios.rules)
12933 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 little endian object call attempt (netbios.rules)
12934 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 19 attempt (netbios.rules)
12935 <-> NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 19 little endian attempt (netbios.rules)
12936 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 attempt (netbios.rules)
12937 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 little endian attempt (netbios.rules)
12938 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 object call attempt (netbios.rules)
12939 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 little endian object call attempt (netbios.rules)
13518 <-> DELETED WEB-CLIENT Internet Explorer malformed CSS memory corruption attempt (deleted.rules)
13693 <-> VOIP-SIP invalid RTP payload type - possible Asterisk memory overwrite (voip.rules)
