Sourcefire VRT Update

Date: 2007-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack.

The format of the file is:

sid - Message (rule group)

New rules:
10162 <-> WEB-CLIENT BrowseDialog ActiveX clsid access (web-client.rules)
10163 <-> WEB-CLIENT BrowseDialog ActiveX clsid unicode access (web-client.rules)
10164 <-> SPYWARE-PUT Adware adclicker-ej runtime detection (spyware-put.rules)
10165 <-> SPYWARE-PUT Keylogger mybr Keylogger runtime detection (spyware-put.rules)
10166 <-> SPYWARE-PUT Trackware baigoo runtime detection (spyware-put.rules)
10167 <-> SPYWARE-PUT Keylogger radar spy 1.0 runtime detection - send html log (spyware-put.rules)
10168 <-> BACKDOOR one runtime detection (backdoor.rules)
10169 <-> BACKDOOR matrix 1.03 by mtronic runtime detection - init connection (backdoor.rules)
10170 <-> WEB-CLIENT Verisign ConfigCHK ActiveX clsid access (web-client.rules)
10171 <-> WEB-CLIENT Verisign ConfigCHK ActiveX clsid unicode access (web-client.rules)
10172 <-> WEB-MISC uTorrent announce buffer overflow attempt (web-misc.rules)
10173 <-> WEB-CLIENT Trend Micro OfficeScan Client ActiveX clsid access (web-client.rules)
10174 <-> WEB-CLIENT Trend Micro OfficeScan Client ActiveX clsid unicode access (web-client.rules)
10175 <-> WEB-CLIENT Trend Micro OfficeScan Client ActiveX function call access (web-client.rules)
10176 <-> WEB-CLIENT Windows Shell User Enumeration Object ActiveX clsid access (web-client.rules)
10177 <-> WEB-CLIENT Windows Shell User Enumeration Object ActiveX clsid unicode access (web-client.rules)
10178 <-> WEB-CLIENT Windows Shell User Enumeration Object ActiveX function call access (web-client.rules)
10179 <-> SPYWARE-PUT Trackware bysoo runtime detection (spyware-put.rules)
10180 <-> SPYWARE-PUT Adware eqiso runtime detection (spyware-put.rules)
10181 <-> SPYWARE-PUT Keylogger systemsleuth runtime detection (spyware-put.rules)
10182 <-> SPYWARE-PUT Adware newweb runtime detection (spyware-put.rules)
10183 <-> SPYWARE-PUT Keylogger activity Keylogger runtime detection (spyware-put.rules)
10184 <-> BACKDOOR wow 23 runtime detection (backdoor.rules)
10185 <-> BACKDOOR x-door runtime detection (backdoor.rules)
10186 <-> SMTP ClamAV mime parsing directory traversal (smtp.rules)
10187 <-> EXPLOIT HP Mercury Loadrunner command line buffer overflow (exploit.rules)
10188 <-> FTP Wsftp XMD5 overflow attempt (ftp.rules)
10189 <-> WEB-CLIENT DivXBrowserPlugin ActiveX clsid access (web-client.rules)
10190 <-> WEB-CLIENT DivXBrowserPlugin ActiveX clsid unicode access (web-client.rules)
10191 <-> WEB-CLIENT DivXBrowserPlugin ActiveX function call access (web-client.rules)
10192 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid access (web-client.rules)
10193 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode access (web-client.rules)
10194 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call access (web-client.rules)
10195 <-> WEB-MISC Possible Content-Length buffer overflow attempt (web-misc.rules)
10196 <-> BACKDOOR Wordpress backdoor feed.php code execution attempt (backdoor.rules)
10197 <-> BACKDOOR Wordpress backdoor theme.php code execution attempt (backdoor.rules)
10198 <-> NETBIOS DCERPC DIRECT trend-serverprotect little endian alter context attempt (netbios.rules)
10199 <-> NETBIOS DCERPC DIRECT trend-serverprotect alter context attempt (netbios.rules)
10200 <-> NETBIOS DCERPC DIRECT trend-serverprotect little endian bind attempt (netbios.rules)
10201 <-> NETBIOS DCERPC DIRECT trend-serverprotect bind attempt (netbios.rules)
10202 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetRealTimeScanConfigInfo attempt (netbios.rules)
10203 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetRealTimeScanConfigInfo attempt (netbios.rules)
10204 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetRealTimeScanConfigInfo little endian attempt (netbios.rules)
10205 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetRealTimeScanConfigInfo little endian attempt (netbios.rules)
10206 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetRealTimeScanConfigInfo object call attempt (netbios.rules)
10207 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetRealTimeScanConfigInfo little endian object call attempt (netbios.rules)
10208 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect COMN_NetTestConnection attempt (netbios.rules)
10209 <-> NETBIOS DCERPC DIRECT trend-serverprotect COMN_NetTestConnection attempt (netbios.rules)
10210 <-> NETBIOS DCERPC DIRECT trend-serverprotect COMN_NetTestConnection little endian attempt (netbios.rules)
10211 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect COMN_NetTestConnection little endian attempt (netbios.rules)
10212 <-> NETBIOS DCERPC DIRECT trend-serverprotect COMN_NetTestConnection object call attempt (netbios.rules)
10213 <-> NETBIOS DCERPC DIRECT trend-serverprotect COMN_NetTestConnection little endian object call attempt (netbios.rules)
10214 <-> WEB-CLIENT Shockwave ActiveX Control ActiveX clsid access (web-client.rules)
10215 <-> WEB-CLIENT Shockwave ActiveX Control ActiveX clsid unicode access (web-client.rules)
10216 <-> WEB-CLIENT Shockwave ActiveX Control ActiveX function call access (web-client.rules)

Updated rules:
1842 <-> IMAP login buffer overflow attempt (imap.rules)
3066 <-> IMAP append overflow attempt (imap.rules)
3684 <-> DELETED WEB-CLIENT Bitmap Transfer (deleted.rules)
3685 <-> WEB-CLIENT bitmap BitmapOffset multipacket integer overflow attempt (web-client.rules)
5997 <-> WEB-MISC WinProxy overly long host header buffer overflow attempt (web-misc.rules)
9431 <-> EXPLOIT Microsoft NNTP response overflow attempt (exploit.rules)
10125 <-> MISC bomberclone buffer overflow attempt (misc.rules)
10136 <-> TELNET Solaris login environment variable authentication bypass attempt (telnet.rules)
10158 <-> NETBIOS SMB writex possible Snort dcerpc preprocessor overflow attempt (netbios.rules)
10159 <-> NETBIOS SMB-DS writex possible Snort dcerpc preprocessor overflow attempt (netbios.rules)
10160 <-> NETBIOS-DG SMB writex possible Snort dcerpc preprocessor overflow attempt (netbios.rules)