Sourcefire VRT Rules Update

Date: 2010-02-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.

The format of the file is:

sid <-> Message (rule group file, priority)

New rules:
16424 <-> WEB-ACTIVEX Windows Script Host Shell Object ActiveX clsid access (web-activex.rules, High)
16425 <-> WEB-CLIENT Portable Executable binary file transfer (web-client.rules, Low)
16426 <-> WEB-MISC Sun Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method (web-misc.rules, High)
16427 <-> WEB-MISC Sun Java System Web Server 7.0 WebDAV format string exploit attempt - LOCK method (web-misc.rules, High)
16428 <-> EXPLOIT Microsoft Outlook Express and Windows Mail NNTP handling buffer overflow attempt (exploit.rules, High)
16429 <-> WEB-MISC Novell iManager eDirectory plugin schema buffer overflow attempt - GET request (web-misc.rules, High)
16430 <-> WEB-MISC Novell iManager eDirectory plugin schema buffer overflow attempt - POST request (web-misc.rules, High)
16431 <-> SQL generic sql with comments injection attempt - GET parameter (sql.rules, High)
16432 <-> WEB-ACTIVEX Trend Micro Web Deployment ActiveX clsid access (web-activex.rules, High)
16433 <-> EXPLOIT Microsoft Active Directory LDAP query handling denial of service (exploit.rules, Medium)
16434 <-> POLICY Ultimate Packer for Executables/UPX v0.51-v0.61 packed file download attempt (policy.rules, Low)
16435 <-> POLICY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file download attempt (policy.rules, Low)
16436 <-> POLICY Ultimate Packer for Executables/UPX v2.90,v2.93-3.00 packed file download attempt (policy.rules, Low)
16437 <-> EXPLOIT CVS Entry line flag remote heap overflow attempt (exploit.rules, High)

Updated rules:
1725 <-> WEB-IIS +.htr code fragment attempt (web-iis.rules, High)
1838 <-> EXPLOIT SSH server banner overflow (exploit.rules, Medium)
3638 <-> WEB-CGI SoftCart.exe CGI buffer overflow attempt (web-cgi.rules, High)
6144 <-> BACKDOOR mantis runtime detection - sent notify option client-to-server 1 (backdoor.rules, High)
6145 <-> BACKDOOR mantis runtime detection - sent notify option server-to-client (backdoor.rules, High)
6173 <-> BACKDOOR cookie monster 0.24 runtime detection (backdoor.rules, High)
6323 <-> BACKDOOR 3xBackdoor runtime detection - set flowbit (backdoor.rules, High)
6335 <-> BACKDOOR buttman v0.9p runtime detection - remote control - set flowbit (backdoor.rules, High)
7641 <-> BACKDOOR am remote client runtime detection - client-to-server (backdoor.rules, High)
7648 <-> BACKDOOR minicom lite runtime detection - client-to-server (backdoor.rules, High)
7654 <-> BACKDOOR small uploader 1.01 runtime detection - remote shell - flowbit set (backdoor.rules, High)
7668 <-> BACKDOOR screen control 1.0 runtime detection - capture on port 2213 - flowbit set (backdoor.rules, High)
7690 <-> BACKDOOR evade runtime detection - file manager - flowbit set (backdoor.rules, High)
7705 <-> BACKDOOR omniquad instant remote control runtime detection - initial connection - flowbit set (backdoor.rules, High)
7726 <-> BACKDOOR reversable ver1.0 runtime detection - execute command - flowbit set (backdoor.rules, High)
7731 <-> BACKDOOR outbreak_0.2.7 runtime detection - ring server-to-client (backdoor.rules, High)
9654 <-> BACKDOOR apofis 1.0 runtime detection - remote controlling (backdoor.rules, High)
9662 <-> BACKDOOR bersek 1.0 runtime detection (backdoor.rules, High)
10450 <-> BACKDOOR only 1 rat runtime detection - control command (backdoor.rules, High)
12077 <-> BACKDOOR c99shell.php command request (backdoor.rules, High)
12165 <-> BACKDOOR lithium 1.02 runtime detection (backdoor.rules, High)
12166 <-> BACKDOOR lithium 1.02 runtime detection (backdoor.rules, High)
12293 <-> SPYWARE-PUT Hijacker morpheus toolbar runtime detection - get cfg info (spyware-put.rules, Low)
12480 <-> SPYWARE-PUT Keylogger inside website logger 2.4 runtime detection (spyware-put.rules, Medium)
15415 <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules, High)
15874 <-> SQL union select - possible sql injection attempt - POST parameter (sql.rules, Medium)
15875 <-> SQL generic sql insert injection atttempt - POST parameter (sql.rules, High)
15876 <-> SQL generic sql update injection attempt - POST parameter (sql.rules, High)
15877 <-> SQL generic sql exec injection attempt - POST parameter (sql.rules, High)
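The listing above follows one line format per rule (sid, separator, message, then the rule file and priority in parentheses). The following parser is an added example and is not part of the Sourcefire VRT release; it turns an excerpt of this changelog into structured records so the sids touched in a given rule file, or the new High-priority rules, can be pulled out programmatically. It assumes the "<->" separator used in this release (and also accepts the plain "-" named in the format line), and the sample text is a constructed excerpt of the lines on this page.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the listing above (not the complete release file).
SAMPLE = """\
New rules:
16424 <-> WEB-ACTIVEX Windows Script Host Shell Object ActiveX clsid access (web-activex.rules, High)
16425 <-> WEB-CLIENT Portable Executable binary file transfer (web-client.rules, Low)
16434 <-> POLICY Ultimate Packer for Executables/UPX v0.51-v0.61 packed file download attempt (policy.rules, Low)

Updated rules:
1838 <-> EXPLOIT SSH server banner overflow (exploit.rules, Medium)
15874 <-> SQL union select - possible sql injection attempt - POST parameter (sql.rules, Medium)
15876 <-> SQL generic sql update injection attempt - POST parameter (sql.rules, High)
"""

# One rule line: sid, separator ("<->" in this release, "-" per the stated format),
# free-text message, then "(rule file, priority)" at the end of the line.
LINE_RE = re.compile(
    r"^(?P<sid>\d+)\s+(?:<->|-)\s+(?P<msg>.*?)\s+"
    r"\((?P<group>[\w.-]+\.rules),\s*(?P<prio>High|Medium|Low)\)\s*$"
)
SECTION_RE = re.compile(r"^(?P<name>New|Updated) rules:\s*$")


def parse_changelog(text):
    """Return a list of dicts with sid, action ('new'/'updated'),
    category (first token of the message), msg, group and priority."""
    records = []
    action = None  # set by the most recent "New rules:" / "Updated rules:" header
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            action = sec.group("name").lower()
            continue
        m = LINE_RE.match(line)
        if not m:
            # Unparsed lines are reported rather than silently dropped,
            # so a format change in a future release is noticed.
            raise ValueError(f"line {lineno}: unrecognised rule line: {line!r}")
        if action is None:
            raise ValueError(f"line {lineno}: rule line before any section header")
        msg = m.group("msg")
        records.append({
            "sid": int(m.group("sid")),
            "action": action,
            "category": msg.split(" ", 1)[0],  # e.g. WEB-ACTIVEX, EXPLOIT, POLICY
            "msg": msg,
            "group": m.group("group"),
            "priority": m.group("prio"),
        })
    return records


def summarize(records):
    """Counts keyed by (action, priority) and the sids touched per rule file."""
    by_action_prio = Counter((r["action"], r["priority"]) for r in records)
    files = defaultdict(set)
    for r in records:
        files[r["group"]].add(r["sid"])
    return by_action_prio, {g: sorted(s) for g, s in files.items()}


def high_priority_new(records):
    """Sids of newly added rules with priority High, sorted ascending."""
    return sorted(r["sid"] for r in records
                  if r["action"] == "new" and r["priority"] == "High")


if __name__ == "__main__":
    recs = parse_changelog(SAMPLE)
    counts, files = summarize(recs)
    for (action, prio), n in sorted(counts.items()):
        print(f"{action:8} {prio:6} {n}")
    for group, sids in sorted(files.items()):
        print(f"{group}: {sids}")
    print("new High-priority sids:", high_priority_new(recs))
```

Run against the full text of a release note, the per-file sid lists tell you which rule files to diff before enabling the update, and the High-priority new sids are the ones to check first against local policy.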