Sourcefire VRT Rules Update
Date: 2010-03-30
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.
The format of the file is:
sid - Message (rule group, priority)
New rules:

16501 <-> WEB-CLIENT Mozilla Firefox WOFF font processing integer overflow attempt - TrueType (web-client.rules, High)
16502 <-> WEB-CLIENT Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based (web-client.rules, High)

Updated rules:

289 <-> POP3 EXPLOIT x86 SCO overflow (pop3.rules, High)
314 <-> DNS EXPLOIT named tsig overflow attempt (dns.rules, High)
586 <-> RPC portmap selection_svc request UDP (rpc.rules, Medium)
672 <-> SMTP vrfy decode (smtp.rules, Medium)
704 <-> SQL xp_sprintf possible buffer overflow (sql.rules, High)
707 <-> DELETED SQL xp_proxiedmetadata possible buffer overflow (deleted.rules, High)
833 <-> WEB-CGI rguest.exe access (web-cgi.rules, Medium)
1810 <-> SPECIFIC-THREATS successful gobbles ssh exploit GOBBLE (specific-threats.rules, High)
1811 <-> SPECIFIC-THREATS successful gobbles ssh exploit uname (specific-threats.rules, Medium)
1900 <-> SPECIFIC-THREATS successful kadmind buffer overflow attempt (specific-threats.rules, High)
1901 <-> SPECIFIC-THREATS successful kadmind buffer overflow attempt (specific-threats.rules, High)
2515 <-> WEB-MISC PCT Client_Hello overflow attempt (web-misc.rules, High)
2517 <-> IMAP PCT Client_Hello overflow attempt (imap.rules, High)
2518 <-> POP3 PCT Client_Hello overflow attempt (pop3.rules, High)
2528 <-> SMTP PCT Client_Hello overflow attempt (smtp.rules, High)
3511 <-> SMTP PCT Client_Hello overflow attempt (smtp.rules, High)
4148 <-> WEB-ACTIVEX DHTML Editing ActiveX clsid access (web-activex.rules, High)
6217 <-> DELETED SPYWARE-PUT Adware aornum/iwon copilot runtime detection - ads 1 (deleted.rules, Low)
6218 <-> SPYWARE-PUT Adware aornum/iwon copilot runtime detection - ads (spyware-put.rules, Low)
7435 <-> WEB-ACTIVEX Dynamic Casts ActiveX CLSID access (web-activex.rules, High)
7436 <-> WEB-ACTIVEX Dynamic Casts ActiveX CLSID unicode access (web-activex.rules, High)
7785 <-> BACKDOOR forced control uploader runtime detection - connection with password (backdoor.rules, High)
7788 <-> BACKDOOR forced control uploader runtime detection directory listing - client to server (backdoor.rules, High)
7789 <-> BACKDOOR forced control uploader runtime detection directory listing - server to client (backdoor.rules, High)
8426 <-> WEB-MISC SSLv2 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8427 <-> WEB-MISC SSLv3 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8428 <-> WEB-MISC SSLv2 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8429 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules, High)
8430 <-> POP3 SSLv3 openssl get shared ciphers overflow attempt (pop3.rules, High)
8431 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules, High)
8432 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8433 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8434 <-> SMTP SSLv3 openssl get shared ciphers overflow attempt (smtp.rules, High)
8435 <-> SMTP SSLv3 openssl get shared ciphers overflow attempt (smtp.rules, High)
8436 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8437 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8438 <-> IMAP SSLv2 openssl get shared ciphers overflow attempt (imap.rules, High)
8439 <-> IMAP SSLv3 openssl get shared ciphers overflow attempt (imap.rules, High)
8440 <-> IMAP SSLv2 openssl get shared ciphers overflow attempt (imap.rules, High)
10089 <-> SPYWARE-PUT Keylogger beyond Keylogger runtime detection - log sent by ftp (spyware-put.rules, Medium)
10208 <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect COMN_NetTestConnection attempt (netbios.rules, Low)
11000 <-> ORACLE dbms_snap_internal.delete_refresh_operations buffer overflow attempt (oracle.rules, High)
11001 <-> ORACLE dbms_snap_internal.delete_refresh_operations buffer overflow attempt (oracle.rules, High)
11002 <-> ORACLE dbms_snap_internal.generate_refresh_operations buffer overflow attempt (oracle.rules, High)
11003 <-> ORACLE dbms_snap_internal.generate_refresh_operations buffer overflow attempt (oracle.rules, High)
11175 <-> ORACLE dbms_cdc_ipublish.chgtab_cache buffer overflow attempt (oracle.rules, High)
11180 <-> WEB-CLIENT quicktime movie ftyp buffer underflow (web-client.rules, High)
11834 <-> WEB-MISC Internet Explorer navcancl.htm url spoofing attempt (web-misc.rules, Medium)
15415 <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules, High)
15417 <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (content-replace.rules, High)
15418 <-> CHAT AIM server certificate for encrypted login (chat.rules, High)
15568 <-> CHAT AIM encrypted login attempt (chat.rules, High)
15569 <-> CHAT Yahoo encrypted login attempt (chat.rules, High)
15923 <-> WEB-ACTIVEX DHTML Editing ActiveX clsid unicode access (web-activex.rules, High)
15924 <-> WEB-ACTIVEX DHTML Editing ActiveX function call access (web-activex.rules, High)
15925 <-> WEB-ACTIVEX DHTML Editing ActiveX function call unicode access (web-activex.rules, High)
