Sourcefire VRT Update
Date: 2007-03-08
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack.
The format of the file is:
sid - Message (rule group)
New rules:
10162 <-> WEB-CLIENT BrowseDialog ActiveX clsid access (web-client.rules)
10163 <-> WEB-CLIENT BrowseDialog ActiveX clsid unicode access (web-client.rules)
10164 <-> SPYWARE-PUT Adware adclicker-ej runtime detection (spyware-put.rules)
10165 <-> SPYWARE-PUT Keylogger mybr Keylogger runtime detection (spyware-put.rules)
10166 <-> SPYWARE-PUT Trackware baigoo runtime detection (spyware-put.rules)
10167 <-> SPYWARE-PUT Keylogger radar spy 1.0 runtime detection - send html log (spyware-put.rules)
10168 <-> BACKDOOR one runtime detection (backdoor.rules)
10169 <-> BACKDOOR matrix 1.03 by mtronic runtime detection - init connection (backdoor.rules)
10170 <-> WEB-CLIENT Verisign ConfigCHK ActiveX clsid access (web-client.rules)
10171 <-> WEB-CLIENT Verisign ConfigCHK ActiveX clsid unicode access (web-client.rules)
10172 <-> WEB-MISC uTorrent announce buffer overflow attempt (web-misc.rules)
10173 <-> WEB-CLIENT Trend Micro OfficeScan Client ActiveX clsid access (web-client.rules)
10174 <-> WEB-CLIENT Trend Micro OfficeScan Client ActiveX clsid unicode access (web-client.rules)
10175 <-> WEB-CLIENT Trend Micro OfficeScan Client ActiveX function call access (web-client.rules)
10176 <-> WEB-CLIENT Windows Shell User Enumeration Object ActiveX clsid access (web-client.rules)
10177 <-> WEB-CLIENT Windows Shell User Enumeration Object ActiveX clsid unicode access (web-client.rules)
10178 <-> WEB-CLIENT Windows Shell User Enumeration Object ActiveX function call access (web-client.rules)
10179 <-> SPYWARE-PUT Trackware bysoo runtime detection (spyware-put.rules)
10180 <-> SPYWARE-PUT Adware eqiso runtime detection (spyware-put.rules)
10181 <-> SPYWARE-PUT Keylogger systemsleuth runtime detection (spyware-put.rules)
10182 <-> SPYWARE-PUT Adware newweb runtime detection (spyware-put.rules)
10183 <-> SPYWARE-PUT Keylogger activity Keylogger runtime detection (spyware-put.rules)
10184 <-> BACKDOOR wow 23 runtime detection (backdoor.rules)
10185 <-> BACKDOOR x-door runtime detection (backdoor.rules)
10186 <-> SMTP ClamAV mime parsing directory traversal (smtp.rules)
10187 <-> EXPLOIT HP Mercury Loadrunner command line buffer overflow (exploit.rules)
10188 <-> FTP Wsftp XMD5 overflow attempt (ftp.rules)
10189 <-> WEB-CLIENT DivXBrowserPlugin ActiveX clsid access (web-client.rules)
10190 <-> WEB-CLIENT DivXBrowserPlugin ActiveX clsid unicode access (web-client.rules)
10191 <-> WEB-CLIENT DivXBrowserPlugin ActiveX function call access (web-client.rules)
10192 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid access (web-client.rules)
10193 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode access (web-client.rules)
10194 <-> WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call access (web-client.rules)
10195 <-> WEB-MISC Possible Content-Length buffer overflow attempt (web-misc.rules)
10196 <-> BACKDOOR Wordpress backdoor feed.php code execution attempt (backdoor.rules)
10197 <-> BACKDOOR Wordpress backdoor theme.php code execution attempt (backdoor.rules)
10198 <-> NETBIOS DCERPC DIRECT trend-serverprotect little endian alter context attempt (netbios.rules)
10199 <-> NETBIOS DCERPC DIRECT trend-serverprotect alter context attempt (netbios.rules)
10200 <-> NETBIOS DCERPC DIRECT trend-serverprotect little endian bind attempt (netbios.rules)
10201 <-> NETBIOS DCERPC DIRECT trend-serverprotect bind attempt (netbios.rules)
10202 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetRealTimeScanConfigInfo attempt (netbios.rules)
10203 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetRealTimeScanConfigInfo attempt (netbios.rules)
10204 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetRealTimeScanConfigInfo little endian attempt (netbios.rules)
10205 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetRealTimeScanConfigInfo little endian attempt (netbios.rules)
10206 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetRealTimeScanConfigInfo object call attempt (netbios.rules)
10207 <-> NETBIOS DCERPC DIRECT trend-serverprotect _SetRealTimeScanConfigInfo little endian object call attempt (netbios.rules)
10208 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect COMN_NetTestConnection attempt (netbios.rules)
10209 <-> NETBIOS DCERPC DIRECT trend-serverprotect COMN_NetTestConnection attempt (netbios.rules)
10210 <-> NETBIOS DCERPC DIRECT trend-serverprotect COMN_NetTestConnection little endian attempt (netbios.rules)
10211 <-> NETBIOS DCERPC DIRECT v4 trend-serverprotect COMN_NetTestConnection little endian attempt (netbios.rules)
10212 <-> NETBIOS DCERPC DIRECT trend-serverprotect COMN_NetTestConnection object call attempt (netbios.rules)
10213 <-> NETBIOS DCERPC DIRECT trend-serverprotect COMN_NetTestConnection little endian object call attempt (netbios.rules)
10214 <-> WEB-CLIENT Shockwave ActiveX Control ActiveX clsid access (web-client.rules)
10215 <-> WEB-CLIENT Shockwave ActiveX Control ActiveX clsid unicode access (web-client.rules)
10216 <-> WEB-CLIENT Shockwave ActiveX Control ActiveX function call access (web-client.rules)

Updated rules:
1842 <-> IMAP login buffer overflow attempt (imap.rules)
3066 <-> IMAP append overflow attempt (imap.rules)
3684 <-> DELETED WEB-CLIENT Bitmap Transfer (deleted.rules)
3685 <-> WEB-CLIENT bitmap BitmapOffset multipacket integer overflow attempt (web-client.rules)
5997 <-> WEB-MISC WinProxy overly long host header buffer overflow attempt (web-misc.rules)
9431 <-> EXPLOIT Microsoft NNTP response overflow attempt (exploit.rules)
10125 <-> MISC bomberclone buffer overflow attempt (misc.rules)
10136 <-> TELNET Solaris login environment variable authentication bypass attempt (telnet.rules)
10158 <-> NETBIOS SMB writex possible Snort dcerpc preprocessor overflow attempt (netbios.rules)
10159 <-> NETBIOS SMB-DS writex possible Snort dcerpc preprocessor overflow attempt (netbios.rules)
10160 <-> NETBIOS-DG SMB writex possible Snort dcerpc preprocessor overflow attempt (netbios.rules)
