Sourcefire VRT Rules Update

Date: 2009-09-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.

The format of the file is:

sid <-> Message (rule group, priority)

New rules:
15878 <-> WEB-ACTIVEX AcerCtrls.APlunch ActiveX clsid access (web-activex.rules, High)
15879 <-> WEB-ACTIVEX AcerCtrls.APlunch ActiveX clsid unicode access (web-activex.rules, High)
15881 <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters Name Field attempt (netbios.rules, Low)
15902 <-> SHELLCODE x86 win2k-2k3 decoder base shellcode (shellcode.rules, High)
15903 <-> SHELLCODE x86 PoC CVE-2003-0605 (shellcode.rules, High)
15904 <-> WEB-ACTIVEX Microsoft Video 6 ActiveX function call access (web-activex.rules, High)
15905 <-> WEB-ACTIVEX Microsoft Video 6 ActiveX function call unicode access (web-activex.rules, High)
15906 <-> BAD-TRAFFIC Linux Kernel DCCP Protocol Handler dccp_setsockopt_change integer overflow attempt (bad-traffic.rules, Medium)
15907 <-> BAD-TRAFFIC Linux Kernel DCCP Protocol Handler dccp_setsockopt_change integer overflow attempt (bad-traffic.rules, Medium)
15908 <-> WEB-MISC Trend Micro OfficeScan multiple CGI modules HTTP form processing buffer overflow attempt (web-misc.rules, High)
15909 <-> WEB-CLIENT Apple QuickTime VR Track Header Atom heap corruption attempt (web-client.rules, High)
15910 <-> SPECIFIC-THREATS Microsoft IE objects handling memory corruption attempt (specific-threats.rules, High)
15911 <-> NETBIOS DCERPC NCACN-IP-TCP spoolss RouteRefreshPrinterChangeNotification attempt (netbios.rules, Low)

Updated rules:
 524 <-> BAD-TRAFFIC tcp port 0 traffic (bad-traffic.rules, Low)
 525 <-> BAD-TRAFFIC udp port 0 traffic (bad-traffic.rules, Low)
1429 <-> DELETED POLICY poll.gotomypc.com access (deleted.rules, Low)
1973 <-> FTP MKD overflow attempt (ftp.rules, High)
2186 <-> BAD-TRAFFIC IP Proto 53 SWIPE (bad-traffic.rules, Medium)
2187 <-> BAD-TRAFFIC IP Proto 55 IP Mobility (bad-traffic.rules, Medium)
2188 <-> BAD-TRAFFIC IP Proto 77 Sun ND (bad-traffic.rules, Medium)
2189 <-> BAD-TRAFFIC IP Proto 103 PIM (bad-traffic.rules, Medium)
2374 <-> FTP NLST overflow attempt (ftp.rules, High)
2705 <-> WEB-CLIENT JPEG parser heap overflow attempt (web-client.rules, High)
2927 <-> NNTP XPAT pattern overflow attempt (nntp.rules, High)
3078 <-> NNTP SEARCH pattern overflow attempt (nntp.rules, High)
5831 <-> SPYWARE-PUT Hijacker comet systems runtime detection - update requests (spyware-put.rules, Low)
5847 <-> SPYWARE-PUT Adware warez_p2p runtime detection - p2p client home (spyware-put.rules, Low)
5848 <-> SPYWARE-PUT Adware warez_p2p runtime detection - ip.php request (spyware-put.rules, Low)
5849 <-> SPYWARE-PUT Adware warez_p2p runtime detection - update request (spyware-put.rules, Low)
5850 <-> SPYWARE-PUT Adware warez_p2p runtime detection - check update (spyware-put.rules, Low)
5851 <-> SPYWARE-PUT Adware warez_p2p runtime detection - .txt .dat and .lst requests (spyware-put.rules, Low)
5852 <-> SPYWARE-PUT Adware warez_p2p runtime detection - cache.dat request (spyware-put.rules, Low)
5853 <-> SPYWARE-PUT Adware warez_p2p runtime detection - download ads (spyware-put.rules, Low)
5854 <-> SPYWARE-PUT Adware warez_p2p runtime detection - pass user information (spyware-put.rules, Low)
5932 <-> SPYWARE-PUT Adware cashbar runtime detection - stats track (spyware-put.rules, Low)
6226 <-> SPYWARE-PUT Adware exact.bargainbuddy runtime detection - ads - request (spyware-put.rules, Low)
6271 <-> SPYWARE-PUT Trickler bundleware runtime detection (spyware-put.rules, Low)
6368 <-> SPYWARE-PUT Adware flashtrack media/spoton runtime detection - update request (spyware-put.rules, Low)
7103 <-> BACKDOOR gwboy 0.92 runtime detection - init connection (backdoor.rules, High)
7190 <-> SPYWARE-PUT Adware trustyfiles v3.1.0.1 runtime detection - host retrieval (spyware-put.rules, Low)
12672 <-> SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - get ads (spyware-put.rules, Medium)
12746 <-> EXPLOIT Apple QuickTime STSD atom overflow attempt (exploit.rules, High)
14019 <-> WEB-CLIENT CyberLink PowerDVD playlist m3u file handling stack overflow attempt (web-client.rules, High)
14020 <-> WEB-CLIENT CyberLink PowerDVD playlist pls file handling stack overflow attempt (web-client.rules, High)
15670 <-> WEB-ACTIVEX Microsoft Video 6 ActiveX clsid access (web-activex.rules, High)
15671 <-> WEB-ACTIVEX Microsoft Video 6 ActiveX clsid unicode access (web-activex.rules, High)
15894 <-> SPECIFIC-THREATS Microsoft Color Management Module remote code execution attempt (specific-threats.rules, High)