Sourcefire VRT Rules Update
Date: 2009-12-15
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.
The format of the file is:
sid - Message (rule group, priority)
New rules:
16333 <-> WEB-CLIENT Adobe Reader util.printd memory corruption attempt (web-client.rules, High)
16334 <-> SPECIFIC-THREATS Adobe Reader compressed util.printd memory corruption attempt (specific-threats.rules, High)

Updated rules:
1266 <-> DELETED RPC portmap mountd request TCP (deleted.rules, Medium)
5709 <-> WEB-PHP file upload directory traversal (web-php.rules, Medium)
6045 <-> BACKDOOR fear 0.2 runtime detection - initial connection (backdoor.rules, High)
6056 <-> BACKDOOR bifrose 1.1 runtime detection (backdoor.rules, High)
7062 <-> DELETED BACKDOOR charon runtime detection - download log flowbit 2 (deleted.rules, High)
7066 <-> BACKDOOR cybernetic 1.62 runtime detection - reverse connection flowbit 1 (backdoor.rules, High)
7612 <-> DELETED BACKDOOR flux 1.0 runtime detection - initial connection - flowbit 3 (deleted.rules, High)
7618 <-> BACKDOOR theef 2.0 runtime detection - connection request with password - flowbit 2 (backdoor.rules, High)
13797 <-> WEB-CLIENT pe compact binary download (web-client.rules, Low)
15434 <-> WEB-MISC HP OpenView Network Node Manager OvOSLocale parameter buffer overflow attempt (web-misc.rules, High)
15874 <-> SQL union select - possible sql injection attempt - POST parameter (sql.rules, Medium)
