Sourcefire VRT Rules Update

Date: 2007-10-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.

The format of the file is:

sid <-> Message (rule group)

New rules:
12637 <-> WEB-CLIENT Kaspersky Online Scanner KAVWebScan.dll ActiveX clsid access (web-client.rules)
12638 <-> WEB-CLIENT Kaspersky Online Scanner KAVWebScan.dll ActiveX clsid unicode access (web-client.rules)
12639 <-> WEB-CLIENT Kaspersky Online Scanner KAVWebScan.dll ActiveX function call access (web-client.rules)
12640 <-> WEB-CLIENT Kaspersky Online Scanner KAVWebScan.dll ActiveX function call unicode access (web-client.rules)
12641 <-> POLICY Word for Mac 5 file download (policy.rules)
12642 <-> DOS RPC NTLMSSP malformed credentials (dos.rules)
12643 <-> WEB-CLIENT URI External handler arbitrary command attempt (web-client.rules)
12644 <-> WEB-CLIENT PBEmail7 ActiveX clsid access (web-client.rules)
12645 <-> WEB-CLIENT PBEmail7 ActiveX clsid unicode access (web-client.rules)
12646 <-> WEB-CLIENT PBEmail7 ActiveX function call access (web-client.rules)
12647 <-> WEB-CLIENT PBEmail7 ActiveX function call unicode access (web-client.rules)
12648 <-> WEB-CLIENT DB Software Laboratory VImpX ActiveX clsid access (web-client.rules)
12649 <-> WEB-CLIENT DB Software Laboratory VImpX ActiveX clsid unicode access (web-client.rules)
12650 <-> WEB-CLIENT DB Software Laboratory VImpX ActiveX function call access (web-client.rules)
12651 <-> WEB-CLIENT DB Software Laboratory VImpX ActiveX function call unicode access (web-client.rules)

Updated rules:
 634 <-> SCAN Amanda client version request (scan.rules)
 635 <-> SCAN XTACACS logout (scan.rules)
 636 <-> SCAN cybercop udp bomb (scan.rules)
 637 <-> SCAN Webtrends Scanner UDP Probe (scan.rules)
1917 <-> SCAN UPnP service discover attempt (scan.rules)
2004 <-> MS-SQL Worm propagation attempt OUTBOUND (sql.rules)
2050 <-> MS-SQL version overflow attempt (sql.rules)
4989 <-> MS-SQL heap-based overflow attempt (sql.rules)
4990 <-> MS-SQL heap-based overflow attempt (sql.rules)
12220 <-> EXPLOIT IBM Informix Dynamic Server long username (exploit.rules)
12417 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX clsid access (web-client.rules)
12418 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX clsid unicode access (web-client.rules)
12419 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX function call access (web-client.rules)
12420 <-> WEB-CLIENT Microsoft Visual FoxPro ActiveX function call unicode access (web-client.rules)
12618 <-> WEB-CLIENT Microsoft Visual Basic VBP file reference overflow attempt (web-client.rules)
12631 <-> EXPLOIT Microsoft Kodak Imaging malformed jpeg tables (exploit.rules)
12632 <-> EXPLOIT Microsoft Kodak Imaging malformed jpeg tables (exploit.rules)
12633 <-> EXPLOIT Microsoft Kodak Imaging malformed tiff (exploit.rules)
12634 <-> EXPLOIT Microsoft Kodak Imaging malformed tiff (exploit.rules)
12635 <-> DOS RPC NTLMSSP malformed credentials (dos.rules)