Sourcefire VRT Rules Update

Date: 2009-08-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.

The format of the file is:

gid <-> sid <-> Message

New:
3 <-> 15847 <-> NETBIOS Telnet-based NTLM replay attack attempt
3 <-> 15848 <-> EXPLOIT WINS replication request memory corruption attempt
3 <-> 15849 <-> EXPLOIT WINS replication inform2 request memory corruption attempt
3 <-> 15850 <-> EXPLOIT Remote Desktop orderType remote code execution attempt
3 <-> 15851 <-> DOS Microsoft ASP.NET bad request denial of service attempt
1 <-> 15852 <-> WEB-ACTIVEX Microsoft Office Web Components Datasource ActiveX clsid access
1 <-> 15853 <-> WEB-ACTIVEX Microsoft Office Web Components Datasource ActiveX clsid unicode access
3 <-> 15854 <-> WEB-CLIENT Microsoft Windows AVIFile media file processing memory corruption attempt
1 <-> 15855 <-> WEB-ACTIVEX Microsoft Office Spreadsheet 10.0 ActiveX function call access
1 <-> 15856 <-> WEB-ACTIVEX Microsoft Office Spreadsheet 10.0 ActiveX function call unicode access
3 <-> 15857 <-> WEB-CLIENT Microsoft Windows AVIFile media file invalid header length
1 <-> 15858 <-> WEB-ACTIVEX Microsoft Office Web Components Spreadsheet ActiveX clsid access
1 <-> 15859 <-> WEB-ACTIVEX Microsoft Office Web Components Spreadsheet ActiveX clsid unicode access
3 <-> 15861 <-> WEB-CLIENT WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX clsid access
3 <-> 15862 <-> WEB-CLIENT WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX clsid unicode access
3 <-> 15863 <-> WEB-CLIENT WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX function call access
3 <-> 15864 <-> WEB-CLIENT WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX function call unicode access

Updated:
1 <-> 5879 <-> DELETED <-> SPYWARE-PUT Adware trustyfiles v2.4.0.4 runtime detection - update notification
1 <-> 7872 <-> WEB-ACTIVEX Microsoft Office Spreadsheet 10.0 ActiveX clsid access
1 <-> 7873 <-> WEB-ACTIVEX Microsoft Office Spreadsheet 10.0 ActiveX clsid unicode access
3 <-> 15009 <-> NETBIOS possible SMB replay attempt - overlapping encryption keys detected
3 <-> 15124 <-> NETBIOS Web-based NTLM replay attack attempt
3 <-> 15453 <-> NETBIOS SMB replay attempt via NTLMSSP - overlapping encryption keys detected
1 <-> 15638 <-> WEB-ACTIVEX Microsoft Video 32 ActiveX clsid access
1 <-> 15639 <-> WEB-ACTIVEX Microsoft Video 32 ActiveX clsid unicode access
1 <-> 15670 <-> WEB-ACTIVEX Microsoft Video 6 ActiveX clsid access
1 <-> 15671 <-> WEB-ACTIVEX Microsoft Video 6 ActiveX clsid unicode access
3 <-> 15685 <-> WEB-CLIENT Microsoft Office Web Components 10 Spreadsheet ActiveX clsid access
3 <-> 15686 <-> WEB-CLIENT Microsoft Office Web Components 10 Spreadsheet ActiveX clsid unicode access
3 <-> 15687 <-> WEB-CLIENT Microsoft Office Web Components 10 Spreadsheet ActiveX function call access
3 <-> 15688 <-> WEB-CLIENT Microsoft Office Web Components 10 Spreadsheet ActiveX function call unicode access
3 <-> 15689 <-> WEB-CLIENT Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access
3 <-> 15690 <-> WEB-CLIENT Microsoft Office Web Components 11 Spreadsheet ActiveX clsid unicode access
3 <-> 15691 <-> WEB-CLIENT Microsoft Office Web Components 11 Spreadsheet ActiveX function call access
3 <-> 15692 <-> WEB-CLIENT Microsoft Office Web Components 11 Spreadsheet ActiveX function call unicode access