Sourcefire VRT Rules Update
Date: 2007-09-11
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.
The format of the file is:
sid - Message (rule group)
New rules:

12363 <-> SPYWARE-PUT Other-Technologies malware-stopper runtime detection (spyware-put.rules)
12364 <-> SPYWARE-PUT Hijacker proventactics 3.5 runtime detection - get cfg information (spyware-put.rules)
12365 <-> SPYWARE-PUT Hijacker proventactics 3.5 runtime detection - redirect searches (spyware-put.rules)
12366 <-> SPYWARE-PUT Hijacker proventactics 3.5 runtime detection - toolbar search function (spyware-put.rules)
12367 <-> SPYWARE-PUT Hijacker imesh mediabar runtime detection - hijack ie searches (spyware-put.rules)
12368 <-> SPYWARE-PUT Hijacker imesh mediabar runtime detection - hijack ie side search (spyware-put.rules)
12369 <-> SPYWARE-PUT Hijacker imesh mediabar runtime detection - collect user information (spyware-put.rules)
12370 <-> SPYWARE-PUT Hijacker imesh mediabar runtime detection - auto update (spyware-put.rules)
12371 <-> SPYWARE-PUT Hijacker sbu hotbar 4.8.4 runtime detection - user-agent string (spyware-put.rules)
12372 <-> SPYWARE-PUT Keylogger mg-shadow 2.0 runtime detection (spyware-put.rules)
12373 <-> BACKDOOR radmin 3.0 runtime detection - initial connection (backdoor.rules)
12374 <-> BACKDOOR radmin 3.0 runtime detection - initial connection (backdoor.rules)
12375 <-> BACKDOOR radmin 3.0 runtime detection - login & remote control (backdoor.rules)
12376 <-> BACKDOOR radmin 3.0 runtime detection - login & remote control (backdoor.rules)
12377 <-> BACKDOOR shark 2.3.2 runtime detection (backdoor.rules)
12378 <-> BACKDOOR shark 2.3.2 runtime detection (backdoor.rules)
12379 <-> SPYWARE-PUT Keylogger PaqKeylogger 5.1 runtime detection - ftp (spyware-put.rules)
12380 <-> WEB-CLIENT Oracle JInitiator ActiveX clsid access (web-client.rules)
12381 <-> WEB-CLIENT Oracle JInitiator ActiveX clsid unicode access (web-client.rules)
12382 <-> WEB-CLIENT EasyMail Objects ActiveX clsid access (web-client.rules)
12383 <-> WEB-CLIENT EasyMail Objects ActiveX clsid unicode access (web-client.rules)
12384 <-> WEB-CLIENT Yahoo Messenger YVerInfo ActiveX clsid access (web-client.rules)
12385 <-> WEB-CLIENT Yahoo Messenger YVerInfo ActiveX clsid unicode access (web-client.rules)
12386 <-> WEB-CLIENT Yahoo Messenger YVerInfo ActiveX function call access (web-client.rules)
12387 <-> WEB-CLIENT Yahoo Messenger YVerInfo ActiveX function call unicode access (web-client.rules)
12388 <-> WEB-CLIENT PPStream PowerPlayer ActiveX clsid access (web-client.rules)
12389 <-> WEB-CLIENT PPStream PowerPlayer ActiveX clsid unicode access (web-client.rules)
12390 <-> POLICY Yahoo Webmail client chat applet (policy.rules)
12391 <-> POLICY Google Webmail client chat applet (policy.rules)
12392 <-> IMAP GNU Mailutils request tag format string vulnerability (imap.rules)
12393 <-> WEB-CLIENT Intuit QuickBooks Online Edition 1 ActiveX clsid access (web-client.rules)
12394 <-> WEB-CLIENT Intuit QuickBooks Online Edition 1 ActiveX clsid unicode access (web-client.rules)
12395 <-> WEB-CLIENT Intuit QuickBooks Online Edition 2 ActiveX clsid access (web-client.rules)
12396 <-> WEB-CLIENT Intuit QuickBooks Online Edition 2 ActiveX clsid unicode access (web-client.rules)
12397 <-> WEB-CLIENT Intuit QuickBooks Online Edition 3 ActiveX clsid access (web-client.rules)
12398 <-> WEB-CLIENT Intuit QuickBooks Online Edition 3 ActiveX clsid unicode access (web-client.rules)
12399 <-> WEB-CLIENT Intuit QuickBooks Online Edition 4 ActiveX clsid access (web-client.rules)
12400 <-> WEB-CLIENT Intuit QuickBooks Online Edition 4 ActiveX clsid unicode access (web-client.rules)
12401 <-> WEB-CLIENT Intuit QuickBooks Online Edition 5 ActiveX clsid access (web-client.rules)
12402 <-> WEB-CLIENT Intuit QuickBooks Online Edition 5 ActiveX clsid unicode access (web-client.rules)
12403 <-> WEB-CLIENT Intuit QuickBooks Online Edition 6 ActiveX clsid access (web-client.rules)
12404 <-> WEB-CLIENT Intuit QuickBooks Online Edition 6 ActiveX clsid unicode access (web-client.rules)
12405 <-> WEB-CLIENT Intuit QuickBooks Online Edition 7 ActiveX clsid access (web-client.rules)
12406 <-> WEB-CLIENT Intuit QuickBooks Online Edition 7 ActiveX clsid unicode access (web-client.rules)
12407 <-> WEB-CLIENT Intuit QuickBooks Online Edition 8 ActiveX clsid access (web-client.rules)
12408 <-> WEB-CLIENT Intuit QuickBooks Online Edition 8 ActiveX clsid unicode access (web-client.rules)
12409 <-> WEB-CLIENT Intuit QuickBooks Online Edition 9 ActiveX clsid access (web-client.rules)
12410 <-> WEB-CLIENT Intuit QuickBooks Online Edition 9 ActiveX clsid unicode access (web-client.rules)
12411 <-> WEB-CLIENT Intuit QuickBooks Online Edition 10 ActiveX clsid access (web-client.rules)
12412 <-> WEB-CLIENT Intuit QuickBooks Online Edition 10 ActiveX clsid unicode access (web-client.rules)
12413 <-> WEB-CLIENT Earth Resource Mapper NCSView ActiveX clsid access (web-client.rules)
12414 <-> WEB-CLIENT Earth Resource Mapper NCSView ActiveX clsid unicode access (web-client.rules)
12415 <-> WEB-CLIENT Earth Resource Mapper NCSView ActiveX function call access (web-client.rules)
12416 <-> WEB-CLIENT Earth Resource Mapper NCSView ActiveX function call unicode access (web-client.rules)
12417 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX clsid access (web-client.rules)
12418 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX clsid unicode access (web-client.rules)
12419 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX function call access (web-client.rules)
12420 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX function call unicode access (web-client.rules)
12421 <-> EXPLOIT RealNetworks Helix RTSP long transport header (exploit.rules)
12422 <-> EXPLOIT RealNetworks Helix RTSP long DESCRIBE URI (exploit.rules)
12423 <-> SMTP Microsoft CDO long header name (smtp.rules)
12424 <-> RPC MIT Kerberos kadmind rpc RPCSEC_GSS buffer overflow attempt (rpc.rules)
12425 <-> POLICY Ruckus P2P client (policy.rules)
12426 <-> POLICY Ruckus P2P broadcast domain probe (policy.rules)
12427 <-> POLICY Ruckus encrypted authentication connection (policy.rules)
12428 <-> WEB-CLIENT GlobalLink glitemflat.dll ActiveX clsid access (web-client.rules)
12429 <-> WEB-CLIENT GlobalLink glitemflat.dll ActiveX clsid unicode access (web-client.rules)
12430 <-> WEB-CLIENT EDraw Office Viewer Component ActiveX clsid access (web-client.rules)
12431 <-> WEB-CLIENT EDraw Office Viewer Component ActiveX clsid unicode access (web-client.rules)
12432 <-> WEB-CLIENT EDraw Office Viewer Component ActiveX function call access (web-client.rules)
12433 <-> WEB-CLIENT EDraw Office Viewer Component ActiveX function call unicode access (web-client.rules)
12434 <-> WEB-CLIENT BaoFeng Storm MPS.dll ActiveX clsid access (web-client.rules)
12435 <-> WEB-CLIENT BaoFeng Storm MPS.dll ActiveX clsid unicode access (web-client.rules)
12436 <-> MULTIMEDIA Youtube video player file request (multimedia.rules)
12437 <-> MULTIMEDIA Google video player request (multimedia.rules)
12438 <-> WEB-CLIENT Ultra Crypto Component CryptoX.dll ActiveX clsid access (web-client.rules)
12439 <-> WEB-CLIENT Ultra Crypto Component CryptoX.dll ActiveX clsid unicode access (web-client.rules)
12440 <-> WEB-CLIENT Ultra Crypto Component CryptoX.dll ActiveX function call access (web-client.rules)
12441 <-> WEB-CLIENT Ultra Crypto Component CryptoX.dll ActiveX function call unicode access (web-client.rules)
12442 <-> WEB-CLIENT Ultra Crypto Component CryptoX.dll 2 ActiveX clsid access (web-client.rules)
12443 <-> WEB-CLIENT Ultra Crypto Component CryptoX.dll 2 ActiveX clsid unicode access (web-client.rules)
12444 <-> WEB-CLIENT Microsoft SQL Server Distributed Management Objects ActiveX clsid access (web-client.rules)
12445 <-> WEB-CLIENT Microsoft SQL Server Distributed Management Objects ActiveX clsid unicode access (web-client.rules)
12446 <-> WEB-CLIENT Microsoft SQL Server Distributed Management Objects ActiveX function call access (web-client.rules)
12447 <-> WEB-CLIENT Microsoft SQL Server Distributed Management Objects ActiveX function call unicode access (web-client.rules)
12448 <-> WEB-CLIENT Microsoft Agent Control ActiveX clsid access (web-client.rules)
12449 <-> WEB-CLIENT Microsoft Agent Control ActiveX clsid unicode access (web-client.rules)
12450 <-> WEB-CLIENT Microsoft Agent Control ActiveX function call access (web-client.rules)
12451 <-> WEB-CLIENT Microsoft Agent Control ActiveX function call unicode access (web-client.rules)
12452 <-> WEB-CLIENT MS Agent File Provider ActiveX clsid access (web-client.rules)
12453 <-> WEB-CLIENT MS Agent File Provider ActiveX clsid unicode access (web-client.rules)
12454 <-> MISC asf file download (misc.rules)
12455 <-> POLICY Crystal reports download request (policy.rules)
12456 <-> POLICY Crystal reports download (policy.rules)
12457 <-> CHAT Microsoft Live chat video feed initiation (chat.rules)

Updated rules:

110 <-> BACKDOOR netbus getinfo (backdoor.rules)
115 <-> BACKDOOR NetBus Pro 2.0 connection established (backdoor.rules)
146 <-> BACKDOOR NetSphere access (backdoor.rules)
195 <-> BACKDOOR DeepThroat 3.1 Server Response (backdoor.rules)
208 <-> BACKDOOR PhaseZero Server Active on Network (backdoor.rules)
1428 <-> MULTIMEDIA audio galaxy keepalive (multimedia.rules)
1436 <-> MULTIMEDIA Quicktime User Agent access (multimedia.rules)
1437 <-> MULTIMEDIA Windows Media download (multimedia.rules)
1439 <-> MULTIMEDIA Shoutcast playlist redirection (multimedia.rules)
1440 <-> MULTIMEDIA Icecast playlist redirection (multimedia.rules)
1957 <-> RPC sadmind UDP PING (rpc.rules)
1958 <-> RPC sadmind TCP PING (rpc.rules)
1964 <-> RPC tooltalk UDP overflow attempt (rpc.rules)
1965 <-> RPC tooltalk TCP overflow attempt (rpc.rules)
1980 <-> BACKDOOR DeepThroat 3.1 Connection attempt (backdoor.rules)
1981 <-> BACKDOOR DeepThroat 3.1 Connection attempt [3150] (backdoor.rules)
1982 <-> BACKDOOR DeepThroat 3.1 Server Response [3150] (backdoor.rules)
1983 <-> BACKDOOR DeepThroat 3.1 Connection attempt [4120] (backdoor.rules)
1984 <-> BACKDOOR DeepThroat 3.1 Server Response [4120] (backdoor.rules)
2100 <-> BACKDOOR SubSeven 2.1 Gold server connection response (backdoor.rules)
2419 <-> MULTIMEDIA realplayer .ram playlist download attempt (multimedia.rules)
2420 <-> MULTIMEDIA realplayer .rmp playlist download attempt (multimedia.rules)
2421 <-> MULTIMEDIA realplayer .smi playlist download attempt (multimedia.rules)
2422 <-> MULTIMEDIA realplayer .rt playlist download attempt (multimedia.rules)
2423 <-> MULTIMEDIA realplayer .rp playlist download attempt (multimedia.rules)
2438 <-> WEB-CLIENT RealPlayer playlist file URL overflow attempt (web-client.rules)
2439 <-> WEB-CLIENT RealPlayer playlist http URL overflow attempt (web-client.rules)
2440 <-> WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt (web-client.rules)
2925 <-> INFO web bug 1x1 gif attempt (info.rules)
12116 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX clsid access (web-client.rules)
12117 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX clsid unicode access (web-client.rules)
12118 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX function call access (web-client.rules)
12119 <-> WEB-CLIENT Zenturi ProgramChecker SASATL ActiveX function call unicode access (web-client.rules)
12182 <-> POLICY Adobe FLV file transfer (policy.rules)
12183 <-> EXPLOIT Adobe FLV long string script data buffer overflow (exploit.rules)
12359 <-> DELETED EXPLOIT Asterisk data length field overflow (deleted.rules)
