Sourcefire VRT Rules Update
Date: 2010-05-04
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8_6_0.
The format of the file is:
sid - Message (rule group, priority)
New rules:
16565 <-> WEB-ACTIVEX Ultra Shareware Office ActiveX clsid access (web-activex.rules, High)
16566 <-> WEB-ACTIVEX Tumbleweed SecureTransport ActiveX clsid access (web-activex.rules, High)
16567 <-> WEB-ACTIVEX Tumbleweed SecureTransport ActiveX clsid unicode access (web-activex.rules, High)
16568 <-> WEB-ACTIVEX Altnet Download Manager ADM4 ActiveX clsid access (web-activex.rules, High)
16569 <-> WEB-ACTIVEX EnjoySAP kweditcontrol ActiveX clsid access (web-activex.rules, High)
16570 <-> WEB-ACTIVEX EnjoySAP kweditcontrol ActiveX clsid unicode access (web-activex.rules, High)
16571 <-> WEB-ACTIVEX EnjoySAP kweditcontrol ActiveX function call access (web-activex.rules, High)
16572 <-> WEB-ACTIVEX EnjoySAP kweditcontrol ActiveX function call unicode access (web-activex.rules, High)
16573 <-> WEB-ACTIVEX obfuscated ActiveX object instantiation via unescape (web-activex.rules, High)
16574 <-> WEB-ACTIVEX obfuscated ActiveX object instantiation via fromCharCode (web-activex.rules, High)
16575 <-> SPECIFIC-THREATS RKD Software BarCode ActiveX buffer overflow attempt (specific-threats.rules, High)
16576 <-> EXPLOIT RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (exploit.rules, High)
16578 <-> EXPLOIT Microsoft Windows Media Encoder 9 ActiveX buffer overflow attempt (exploit.rules, High)
16579 <-> CHAT mIRC IRC URL buffer overflow attempt (chat.rules, High)
16580 <-> SPECIFIC-THREATS NCTAudioFile2 ActiveX clsid access via object tag (specific-threats.rules, High)
16581 <-> SPECIFIC-THREATS Persits Software XUpload ActiveX clsid unsafe function access attempt (specific-threats.rules, High)
16582 <-> WEB-CLIENT Un4seen Developments XMPlay crafted ASX file buffer overflow attempt (web-client.rules, High)
16583 <-> WEB-CLIENT Un4seen Developments XMPlay crafted ASX file buffer overflow attempt (web-client.rules, High)
16584 <-> WEB-CLIENT Java Web Start arbitrary command execution attempt - Internet Explorer (web-client.rules, High)
16585 <-> WEB-CLIENT Java Web Start arbitrary command execution attempt (web-client.rules, High)
16587 <-> SPECIFIC-THREATS Symantec multiple products AeXNSConsoleUtilities buffer overflow attempt (specific-threats.rules, High)
16588 <-> SPECIFIC-THREATS iseemedia LPViewer ActiveX exploit attempt (specific-threats.rules, High)
16589 <-> SPECIFIC-THREATS iseemedia LPViewer ActiveX buffer overflows attempt (specific-threats.rules, High)
16590 <-> SPECIFIC-THREATS EasyMail Objects ActiveX exploit attempt - 1 (specific-threats.rules, High)
16591 <-> SPECIFIC-THREATS EasyMail Objects ActiveX exploit attempt - 2 (specific-threats.rules, High)

Updated rules:
2923 <-> NETBIOS SMB repeated logon failure (netbios.rules, High)
3085 <-> EXPLOIT AIM goaway message buffer overflow attempt (exploit.rules, Medium)
3143 <-> NETBIOS SMB Trans2 FIND_FIRST2 command response overflow attempt (netbios.rules, Low)
3218 <-> NETBIOS DCERPC NCACN-IP-TCP winreg OpenKey overflow attempt (netbios.rules, High)
3473 <-> WEB-CLIENT RealPlayer SMIL file overflow attempt (web-client.rules, High)
5797 <-> POLICY kontiki runtime detection (policy.rules, High)
6407 <-> POLICY Gizmo register VOIP state (policy.rules, High)
8053 <-> WEB-ACTIVEX DirectAnimation.PathControl ActiveX CLSID access (web-activex.rules, High)
8054 <-> WEB-ACTIVEX DirectAnimation.PathControl ActiveX CLSID unicode access (web-activex.rules, High)
8055 <-> WEB-ACTIVEX DirectAnimation.PathControl ActiveX function call access (web-activex.rules, High)
9814 <-> WEB-ACTIVEX ICQPhone.SipxPhoneManager ActiveX clsid access (web-activex.rules, High)
9815 <-> WEB-ACTIVEX ICQPhone.SipxPhoneManager ActiveX clsid unicode access (web-activex.rules, High)
9816 <-> WEB-ACTIVEX ICQPhone.SipxPhoneManager ActiveX function call access (web-activex.rules, High)
11673 <-> WEB-ACTIVEX Zenturi ProgramChecker ActiveX clsid access (web-activex.rules, High)
11674 <-> WEB-ACTIVEX Zenturi ProgramChecker ActiveX clsid unicode access (web-activex.rules, High)
11675 <-> WEB-ACTIVEX Zenturi ProgramChecker ActiveX function call access (web-activex.rules, High)
11676 <-> WEB-ACTIVEX Zenturi ProgramChecker ActiveX function call unicode access (web-activex.rules, High)
11822 <-> WEB-ACTIVEX Yahoo Webcam Upload ActiveX clsid access (web-activex.rules, High)
11823 <-> WEB-ACTIVEX Yahoo Webcam Upload ActiveX clsid unicode access (web-activex.rules, High)
11824 <-> WEB-ACTIVEX Yahoo Webcam Upload ActiveX function call access (web-activex.rules, High)
11825 <-> WEB-ACTIVEX Yahoo Webcam Upload ActiveX function call unicode access (web-activex.rules, High)
12010 <-> WEB-ACTIVEX RKD Software BarCode ActiveX clsid access (web-activex.rules, High)
12011 <-> WEB-ACTIVEX RKD Software BarCode ActiveX clsid unicode access (web-activex.rules, High)
12012 <-> WEB-ACTIVEX RKD Software BarCode ActiveX function call access (web-activex.rules, High)
12013 <-> WEB-ACTIVEX RKD Software BarCode ActiveX function call unicode access (web-activex.rules, High)
12087 <-> WEB-ACTIVEX McAfee NeoTrace ActiveX clsid access (web-activex.rules, High)
12088 <-> WEB-ACTIVEX McAfee NeoTrace ActiveX clsid unicode access (web-activex.rules, High)
12089 <-> WEB-ACTIVEX McAfee NeoTrace ActiveX function call access (web-activex.rules, High)
12090 <-> WEB-ACTIVEX McAfee NeoTrace ActiveX function call unicode access (web-activex.rules, High)
12095 <-> DELETED WEB-ACTIVEX Zenturi ProgramChecker ActiveX clsid access (deleted.rules, High)
12096 <-> DELETED WEB-ACTIVEX Zenturi ProgramChecker ActiveX clsid unicode access (deleted.rules, High)
12097 <-> DELETED WEB-ACTIVEX Zenturi ProgramChecker ActiveX function call access (deleted.rules, High)
12098 <-> DELETED WEB-ACTIVEX Zenturi ProgramChecker ActiveX function call unicode access (deleted.rules, High)
12384 <-> WEB-ACTIVEX Yahoo Messenger YVerInfo ActiveX clsid access (web-activex.rules, High)
12385 <-> WEB-ACTIVEX Yahoo Messenger YVerInfo ActiveX clsid unicode access (web-activex.rules, High)
12386 <-> WEB-ACTIVEX Yahoo Messenger YVerInfo ActiveX function call access (web-activex.rules, High)
12387 <-> WEB-ACTIVEX Yahoo Messenger YVerInfo ActiveX function call unicode access (web-activex.rules, High)
12434 <-> WEB-ACTIVEX BaoFeng Storm MPS.dll ActiveX clsid access (web-activex.rules, High)
12435 <-> WEB-ACTIVEX BaoFeng Storm MPS.dll ActiveX clsid unicode access (web-activex.rules, High)
13232 <-> WEB-ACTIVEX Persits Software XUpload ActiveX clsid access (web-activex.rules, High)
13233 <-> WEB-ACTIVEX Persits Software XUpload ActiveX clsid unicode access (web-activex.rules, High)
13234 <-> WEB-ACTIVEX Persits Software XUpload ActiveX function call access (web-activex.rules, High)
13235 <-> WEB-ACTIVEX Persits Software XUpload ActiveX function call unicode access (web-activex.rules, High)
13520 <-> EXPLOIT Winamp Ultravox streaming malicious metadata (exploit.rules, High)
13521 <-> EXPLOIT Winamp Ultravox streaming malicious metadata (exploit.rules, High)
13663 <-> IMAP Alt-N MDaemon IMAP Server FETCH command buffer overflow attempt (imap.rules, High)
13948 <-> DNS large number of NXDOMAIN replies - possible DNS cache poisoning (dns.rules, Medium)
14232 <-> WEB-ACTIVEX SoftArtisans XFile FileManager ActiveX clsid unicode access (web-activex.rules, High)
15436 <-> EXPLOIT IBM Tivoli Storage Manager Express Backup counter heap corruption attempt (exploit.rules, High)
15437 <-> EXPLOIT IBM Tivoli Storage Manager Express Backup message length heap corruption attempt (exploit.rules, High)
15473 <-> WEB-CLIENT Multiple media players M3U playlist file handling buffer overflow attempt (web-client.rules, High)
15698 <-> WEB-CLIENT Possible generic javascript heap spray attempt (web-client.rules, High)
16136 <-> SPYWARE-PUT Hijacker xp antispyware 2009 runtime detection - pre-sale webpage (spyware-put.rules, Low)
16305 <-> WEB-ACTIVEX Symantec Altiris Deployment Solution ActiveX clsid access (web-activex.rules, High)
16306 <-> WEB-ACTIVEX Symantec Altiris Deployment Solution ActiveX clsid unicode access (web-activex.rules, High)
16307 <-> WEB-ACTIVEX Symantec Altiris Deployment Solution ActiveX function call access (web-activex.rules, High)
16308 <-> WEB-ACTIVEX Symantec Altiris Deployment Solution ActiveX function call unicode access (web-activex.rules, High)
16547 <-> WEB-ACTIVEX Java Web Start ActiveX launch command by CLSID (web-activex.rules, High)
16548 <-> WEB-ACTIVEX Java Web Start ActiveX launch command by JavaScript CLSID (web-activex.rules, High)
16549 <-> WEB-CLIENT Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - npruntime-scriptable-plugin (web-client.rules, High)
16550 <-> WEB-CLIENT Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - java-deployment-toolkit (web-client.rules, High)
