Sourcefire VRT Rules Update

Date: 2007-12-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.

The format of the file is:

sid - Message (rule group)

New rules:
12743 <-> WEB-CLIENT FLAC libFLAC picture description metadata buffer overflow attempt (web-client.rules)
12744 <-> WEB-CLIENT FLAC libFLAC VORBIS string buffer overflow attempt (web-client.rules)
12745 <-> WEB-CLIENT FLAC libFLAC picture metadata buffer overflow attempt (web-client.rules)
12746 <-> EXPLOIT Apple QuickTime STSD atom overflow attempt (exploit.rules)
12747 <-> WEB-CLIENT BitDefender Online Scanner ActiveX clsid access (web-client.rules)
12748 <-> WEB-CLIENT BitDefender Online Scanner ActiveX clsid unicode access (web-client.rules)
12749 <-> WEB-CLIENT BitDefender Online Scanner ActiveX function call access (web-client.rules)
12750 <-> WEB-CLIENT BitDefender Online Scanner ActiveX function call unicode access (web-client.rules)
12751 <-> WEB-CLIENT RichFX Basic Player ActiveX clsid access (web-client.rules)
12752 <-> WEB-CLIENT RichFX Basic Player ActiveX clsid unicode access (web-client.rules)
12753 <-> WEB-CLIENT RichFX Basic Player ActiveX function call access (web-client.rules)
12754 <-> WEB-CLIENT RichFX Basic Player ActiveX function call unicode access (web-client.rules)
12755 <-> WEB-CLIENT PPStream PowerList ActiveX clsid access (web-client.rules)
12756 <-> WEB-CLIENT PPStream PowerList ActiveX clsid unicode access (web-client.rules)
12757 <-> WEB-CLIENT Apple Quicktime uncompressed PICT stack overflow attempt (web-client.rules)
12758 <-> SPYWARE-PUT Keylogger/RAT digi watcher 2.32 runtime detection (spyware-put.rules)
12759 <-> SPYWARE-PUT Keylogger/RAT digi watcher 2.32 runtime detection (spyware-put.rules)
12760 <-> SPYWARE-PUT Keylogger powered Keylogger 2.2 runtime detection (spyware-put.rules)
12761 <-> SPYWARE-PUT Keylogger powered Keylogger 2.2 runtime detection (spyware-put.rules)
12762 <-> WEB-CLIENT Yahoo Toolbar Helper Class ActiveX clsid access (web-client.rules)
12763 <-> WEB-CLIENT Yahoo Toolbar Helper Class ActiveX clsid unicode access (web-client.rules)
12764 <-> WEB-CLIENT Yahoo Toolbar Helper Class ActiveX function call access (web-client.rules)
12765 <-> WEB-CLIENT Yahoo Toolbar Helper Class ActiveX function call unicode access (web-client.rules)
12766 <-> WEB-CLIENT RealPlayer RMOC3260.DLL ActiveX clsid access (web-client.rules)
12767 <-> WEB-CLIENT RealPlayer RMOC3260.DLL ActiveX clsid unicode access (web-client.rules)
12768 <-> WEB-CLIENT RealPlayer RMOC3260.DLL ActiveX function call access (web-client.rules)
12769 <-> WEB-CLIENT RealPlayer RMOC3260.DLL ActiveX function call unicode access (web-client.rules)
12770 <-> SPECIFIC-THREATS obfuscated RDS.Dataspace ActiveX exploit attempt (specific-threats.rules)
12771 <-> SPECIFIC-THREATS obfuscated BaoFeng Storm MPS.dll ActiveX exploit attempt (specific-threats.rules)
12772 <-> SPECIFIC-THREATS obfuscated PPStream PowerPlayer ActiveX exploit attempt (specific-threats.rules)
12773 <-> SPECIFIC-THREATS obfuscated Xunlei Thunder PPLAYER.DLL ActiveX exploit attempt (specific-threats.rules)
12774 <-> SPECIFIC-THREATS obfuscated GlobalLink ConnectAndEnterRoom ActiveX exploit attempt (specific-threats.rules)
12775 <-> SPECIFIC-THREATS obfuscated RealPlayer Ierpplug.dll ActiveX exploit attempt (specific-threats.rules)
12776 <-> DELETED WEB-CLIENT Aurigma Image Uploader ActiveX clsid access (deleted.rules)
12777 <-> DELETED WEB-CLIENT Aurigma Image Uploader ActiveX clsid unicode access (deleted.rules)
12778 <-> DELETED WEB-CLIENT Aurigma Image Uploader ActiveX function call access (deleted.rules)
12779 <-> DELETED WEB-CLIENT Aurigma Image Uploader ActiveX function call unicode access (deleted.rules)
12780 <-> WEB-CLIENT Aurigma Image Uploader ActiveX clsid access (web-client.rules)
12781 <-> WEB-CLIENT Aurigma Image Uploader ActiveX clsid unicode access (web-client.rules)
12782 <-> WEB-CLIENT Aurigma Image Uploader ActiveX function call access (web-client.rules)
12783 <-> WEB-CLIENT Aurigma Image Uploader ActiveX function call unicode access (web-client.rules)
12784 <-> EXPLOIT CA ARCserve Backup for Laptops rsxGetBackupLog second argument overflow (exploit.rules)
12785 <-> EXPLOIT CA ARCserve Backup for Laptops rsxGetBackupComplete overflow attempt (exploit.rules)
12786 <-> EXPLOIT CA ARCserve Backup for Laptops rsxSetDataGrowthScheduleAndFilter overflow attempt (exploit.rules)
12787 <-> EXPLOIT CA ARCserve Backup for Laptops rsxSetDefaultConfigName overflow attempt (exploit.rules)
12788 <-> EXPLOIT CA ARCserve Backup for Laptops rsxSetDefaultConfigName overflow attempt (exploit.rules)

Updated rules:
5804 <-> DELETED SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar runtime detection - ads (deleted.rules)
5931 <-> DELETED SPYWARE-PUT Adware cashbar runtime detection - stats track 1 (deleted.rules)
8711 <-> WEB-MISC Novell eDirectory HTTP redirection buffer overflow attempt (web-misc.rules)
10192 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid access (web-client.rules)
10193 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode access (web-client.rules)
10194 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call access (web-client.rules)
12388 <-> WEB-CLIENT PPStream PowerPlayer ActiveX clsid access (web-client.rules)
12389 <-> WEB-CLIENT PPStream PowerPlayer ActiveX clsid unicode access (web-client.rules)
12434 <-> WEB-CLIENT BaoFeng Storm MPS.dll ActiveX clsid access (web-client.rules)
12435 <-> WEB-CLIENT BaoFeng Storm MPS.dll ActiveX clsid unicode access (web-client.rules)
12663 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode access (web-client.rules)
12668 <-> DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid vulnerable function access (deleted.rules)
12669 <-> DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode vulnerable function access (deleted.rules)
12670 <-> DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call vulnerable function access (deleted.rules)
12671 <-> DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode vulnerable function access (deleted.rules)
12689 <-> WEB-CLIENT GlobalLink ConnectAndEnterRoom ActiveX clsid access (web-client.rules)
12690 <-> WEB-CLIENT GlobalLink ConnectAndEnterRoom ActiveX clsid unicode access (web-client.rules)
12723 <-> SPYWARE-PUT Trackware winzix 2.2.0 runtime detection (spyware-put.rules)
12737 <-> WEB-CLIENT Xunlei Thunder PPLAYER.DLL ActiveX clsid access (web-client.rules)
12738 <-> WEB-CLIENT Xunlei Thunder PPLAYER.DLL ActiveX clsid unicode access (web-client.rules)
12739 <-> WEB-CLIENT Xunlei Thunder PPLAYER.DLL ActiveX function call access (web-client.rules)
12740 <-> WEB-CLIENT Xunlei Thunder PPLAYER.DLL ActiveX function call unicode access (web-client.rules)
12741 <-> EXPLOIT Apple Quicktime TCP RTSP sdp type buffer overflow attempt (exploit.rules)
12742 <-> EXPLOIT Apple Quicktime UDP RTSP sdp type buffer overflow attempt (exploit.rules)