Sourcefire VRT Rules Update
Date: 2007-07-03
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.
The format of the file is:
sid - Message (rule group)
New rules:
12015 <-> WEB-CLIENT NCTAudioStudio2 NCT WavChunksEditor ActiveX clsid access (web-client.rules)
12016 <-> WEB-CLIENT NCTAudioStudio2 NCT WavChunksEditor ActiveX clsid unicode access (web-client.rules)
12017 <-> WEB-CLIENT NCTAudioStudio2 NCT WavChunksEditor ActiveX function call access (web-client.rules)
12018 <-> WEB-CLIENT NCTAudioStudio2 NCT WavChunksEditor ActiveX function call unicode access (web-client.rules)
12019 <-> WEB-CLIENT NCTsoft NCTAudioFile2 NCTWMAFile ActiveX clsid access (web-client.rules)
12020 <-> WEB-CLIENT NCTsoft NCTAudioFile2 NCTWMAFile ActiveX clsid unicode access (web-client.rules)
12021 <-> WEB-CLIENT NCTsoft NCTAudioFile2 NCTWMAFile ActiveX function call access (web-client.rules)
12022 <-> WEB-CLIENT NCTsoft NCTAudioFile2 NCTWMAFile ActiveX function call unicode access (web-client.rules)
12023 <-> DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX clsid access (deleted.rules)
12024 <-> DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX clsid unicode access (deleted.rules)
12025 <-> DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX function call access (deleted.rules)
12026 <-> DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX function call unicode access (deleted.rules)
12027 <-> SQL Ingres Database uuid_from_char buffer overflow attempt (sql.rules)
12029 <-> WEB-CLIENT HP Digital Imaging hpqxml.dll ActiveX clsid access (web-client.rules)
12030 <-> WEB-CLIENT HP Digital Imaging hpqxml.dll ActiveX clsid unicode access (web-client.rules)
12043 <-> DOS Microsoft XML parser IIS WebDAV attack attempt (dos.rules)
12044 <-> ORACLE Oracle Web Cache denial of service attempt (oracle.rules)
12045 <-> ORACLE Oracle Web Cache denial of service attempt (oracle.rules)
12046 <-> RPC MIT Kerberos kadmind RPC Library unix authentication buffer overflow attempt (rpc.rules)
12047 <-> SPYWARE-PUT Adware yayad runtime detection (spyware-put.rules)
12048 <-> SPYWARE-PUT Keylogger computer Keylogger runtime detection (spyware-put.rules)
12049 <-> SPYWARE-PUT Keylogger apophis spy 1.0 runtime detection (spyware-put.rules)
12050 <-> SPYWARE-PUT Hijacker ez-greets toolbar runtime detection (spyware-put.rules)
12051 <-> BACKDOOR ultimate rat 2.1 runtime detection (backdoor.rules)
12052 <-> BACKDOOR the[x] 1.2 runtime detection - execute command (backdoor.rules)
12053 <-> BACKDOOR trail of destruction 2.0 runtime detection - get system info (backdoor.rules)
12054 <-> BACKDOOR tron runtime detection - init connection - flowbit set (backdoor.rules)
12055 <-> BACKDOOR tron runtime detection - init connection (backdoor.rules)

Updated rules:
9601 <-> NETBIOS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance little endian attempt (netbios.rules)
