Sourcefire VRT Rules Update
Date: 2009-09-01
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.
The format of the file is:
sid - Message (rule group, priority)
New rules:
15902 <-> SHELLCODE x86 win2k-2k3 decoder base shellcode (shellcode.rules, High)
15903 <-> SHELLCODE x86 PoC CVE-2003-0605 (shellcode.rules, High)
15904 <-> WEB-ACTIVEX Microsoft Video 6 ActiveX function call access (web-activex.rules, High)
15905 <-> WEB-ACTIVEX Microsoft Video 6 ActiveX function call unicode access (web-activex.rules, High)
15906 <-> BAD-TRAFFIC Linux Kernel DCCP Protocol Handler dccp_setsockopt_change integer overflow attempt (bad-traffic.rules, Medium)
15907 <-> BAD-TRAFFIC Linux Kernel DCCP Protocol Handler dccp_setsockopt_change integer overflow attempt (bad-traffic.rules, Medium)
15908 <-> WEB-MISC Trend Micro OfficeScan multiple CGI modules HTTP form processing buffer overflow attempt (web-misc.rules, High)
15909 <-> WEB-CLIENT Apple QuickTime VR Track Header Atom heap corruption attempt (web-client.rules, High)
15910 <-> SPECIFIC-THREATS Microsoft IE objects handling memory corruption attempt (specific-threats.rules, High)
15911 <-> NETBIOS DCERPC NCACN-IP-TCP spoolss RouteRefreshPrinterChangeNotification attempt (netbios.rules, Low)

Updated rules:
524 <-> BAD-TRAFFIC tcp port 0 traffic (bad-traffic.rules, Low)
525 <-> BAD-TRAFFIC udp port 0 traffic (bad-traffic.rules, Low)
1429 <-> DELETED POLICY poll.gotomypc.com access (deleted.rules, Low)
1973 <-> FTP MKD overflow attempt (ftp.rules, High)
2186 <-> BAD-TRAFFIC IP Proto 53 SWIPE (bad-traffic.rules, Medium)
2187 <-> BAD-TRAFFIC IP Proto 55 IP Mobility (bad-traffic.rules, Medium)
2188 <-> BAD-TRAFFIC IP Proto 77 Sun ND (bad-traffic.rules, Medium)
2189 <-> BAD-TRAFFIC IP Proto 103 PIM (bad-traffic.rules, Medium)
2374 <-> FTP NLST overflow attempt (ftp.rules, High)
2927 <-> NNTP XPAT pattern overflow attempt (nntp.rules, High)
3078 <-> NNTP SEARCH pattern overflow attempt (nntp.rules, High)
5831 <-> SPYWARE-PUT Hijacker comet systems runtime detection - update requests (spyware-put.rules, Low)
5847 <-> SPYWARE-PUT Adware warez_p2p runtime detection - p2p client home (spyware-put.rules, Low)
5848 <-> SPYWARE-PUT Adware warez_p2p runtime detection - ip.php request (spyware-put.rules, Low)
5849 <-> SPYWARE-PUT Adware warez_p2p runtime detection - update request (spyware-put.rules, Low)
5850 <-> SPYWARE-PUT Adware warez_p2p runtime detection - check update (spyware-put.rules, Low)
5851 <-> SPYWARE-PUT Adware warez_p2p runtime detection - .txt .dat and .lst requests (spyware-put.rules, Low)
5852 <-> SPYWARE-PUT Adware warez_p2p runtime detection - cache.dat request (spyware-put.rules, Low)
5853 <-> SPYWARE-PUT Adware warez_p2p runtime detection - download ads (spyware-put.rules, Low)
5854 <-> SPYWARE-PUT Adware warez_p2p runtime detection - pass user information (spyware-put.rules, Low)
6226 <-> SPYWARE-PUT Adware exact.bargainbuddy runtime detection - ads - request (spyware-put.rules, Low)
6271 <-> SPYWARE-PUT Trickler bundleware runtime detection (spyware-put.rules, Low)
6368 <-> SPYWARE-PUT Adware flashtrack media/spoton runtime detection - update request (spyware-put.rules, Low)
7103 <-> BACKDOOR gwboy 0.92 runtime detection - init connection (backdoor.rules, High)
7190 <-> SPYWARE-PUT Adware trustyfiles v3.1.0.1 runtime detection - host retrieval (spyware-put.rules, Low)
12672 <-> SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - get ads (spyware-put.rules, Medium)
12746 <-> EXPLOIT Apple QuickTime STSD atom overflow attempt (exploit.rules, High)
15670 <-> WEB-ACTIVEX Microsoft Video 6 ActiveX clsid access (web-activex.rules, High)
15671 <-> WEB-ACTIVEX Microsoft Video 6 ActiveX clsid unicode access (web-activex.rules, High)
15894 <-> SPECIFIC-THREATS Microsoft Color Management Module remote code execution attempt (specific-threats.rules, High)
