Sourcefire VRT Rules Update
Date: 2010-02-17
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.
The format of the file is:
sid - Message (rule group, priority)
New rules:

16424 <-> WEB-ACTIVEX Windows Script Host Shell Object ActiveX clsid access (web-activex.rules, High)
16425 <-> WEB-CLIENT Portable Executable binary file transfer (web-client.rules, Low)
16426 <-> WEB-MISC Sun Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method (web-misc.rules, High)
16427 <-> WEB-MISC Sun Java System Web Server 7.0 WebDAV format string exploit attempt - LOCK method (web-misc.rules, High)
16428 <-> EXPLOIT Microsoft Outlook Express and Windows Mail NNTP handling buffer overflow attempt (exploit.rules, High)
16429 <-> WEB-MISC Novell iManager eDirectory plugin schema buffer overflow attempt - GET request (web-misc.rules, High)
16430 <-> WEB-MISC Novell iManager eDirectory plugin schema buffer overflow attempt - POST request (web-misc.rules, High)
16431 <-> SQL generic sql with comments injection attempt - GET parameter (sql.rules, High)
16432 <-> WEB-ACTIVEX Trend Micro Web Deployment ActiveX clsid access (web-activex.rules, High)
16433 <-> EXPLOIT Microsoft Active Directory LDAP query handling denial of service (exploit.rules, Medium)
16434 <-> POLICY Ultimate Packer for Executables/UPX v0.51-v0.61 packed file download attempt (policy.rules, Low)
16435 <-> POLICY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file download attempt (policy.rules, Low)
16436 <-> POLICY Ultimate Packer for Executables/UPX v2.90,v2.93-3.00 packed file download attempt (policy.rules, Low)
16437 <-> EXPLOIT CVS Entry line flag remote heap overflow attempt (exploit.rules, High)

Updated rules:

1725 <-> WEB-IIS +.htr code fragment attempt (web-iis.rules, High)
1838 <-> EXPLOIT SSH server banner overflow (exploit.rules, Medium)
3638 <-> WEB-CGI SoftCart.exe CGI buffer overflow attempt (web-cgi.rules, High)
6144 <-> BACKDOOR mantis runtime detection - sent notify option client-to-server 1 (backdoor.rules, High)
6145 <-> BACKDOOR mantis runtime detection - sent notify option server-to-client (backdoor.rules, High)
6173 <-> BACKDOOR cookie monster 0.24 runtime detection (backdoor.rules, High)
6323 <-> BACKDOOR 3xBackdoor runtime detection - set flowbit (backdoor.rules, High)
6335 <-> BACKDOOR buttman v0.9p runtime detection - remote control - set flowbit (backdoor.rules, High)
7641 <-> BACKDOOR am remote client runtime detection - client-to-server (backdoor.rules, High)
7648 <-> BACKDOOR minicom lite runtime detection - client-to-server (backdoor.rules, High)
7654 <-> BACKDOOR small uploader 1.01 runtime detection - remote shell - flowbit set (backdoor.rules, High)
7668 <-> BACKDOOR screen control 1.0 runtime detection - capture on port 2213 - flowbit set (backdoor.rules, High)
7690 <-> BACKDOOR evade runtime detection - file manager - flowbit set (backdoor.rules, High)
7705 <-> BACKDOOR omniquad instant remote control runtime detection - initial connection - flowbit set (backdoor.rules, High)
7726 <-> BACKDOOR reversable ver1.0 runtime detection - execute command - flowbit set (backdoor.rules, High)
7731 <-> BACKDOOR outbreak_0.2.7 runtime detection - ring server-to-client (backdoor.rules, High)
9654 <-> BACKDOOR apofis 1.0 runtime detection - remote controlling (backdoor.rules, High)
9662 <-> BACKDOOR bersek 1.0 runtime detection (backdoor.rules, High)
10450 <-> BACKDOOR only 1 rat runtime detection - control command (backdoor.rules, High)
12077 <-> BACKDOOR c99shell.php command request (backdoor.rules, High)
12165 <-> BACKDOOR lithium 1.02 runtime detection (backdoor.rules, High)
12166 <-> BACKDOOR lithium 1.02 runtime detection (backdoor.rules, High)
12293 <-> SPYWARE-PUT Hijacker morpheus toolbar runtime detection - get cfg info (spyware-put.rules, Low)
12480 <-> SPYWARE-PUT Keylogger inside website logger 2.4 runtime detection (spyware-put.rules, Medium)
15415 <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules, High)
15874 <-> SQL union select - possible sql injection attempt - POST parameter (sql.rules, Medium)
15875 <-> SQL generic sql insert injection atttempt - POST parameter (sql.rules, High)
15876 <-> SQL generic sql update injection attempt - POST parameter (sql.rules, High)
15877 <-> SQL generic sql exec injection attempt - POST parameter (sql.rules, High)
