Sourcefire VRT Update

Date: 2007-04-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack.

The format of the file is:

sid <-> Message (rule group)

New rules:
10419 <-> WEB-CLIENT HP Mercury Quality Center SPIDERLib ActiveX clsid access (web-client.rules)
10420 <-> WEB-CLIENT HP Mercury Quality Center SPIDERLib ActiveX clsid unicode access (web-client.rules)
10421 <-> WEB-CLIENT HP Mercury Quality Center SPIDERLib ActiveX function call access (web-client.rules)
10422 <-> WEB-CLIENT HP Mercury Quality Center SPIDERLib ActiveX function call unicode access (web-client.rules)
10423 <-> WEB-CLIENT Yahoo Audio Conferencing ActiveX clsid access (web-client.rules)
10424 <-> WEB-CLIENT Yahoo Audio Conferencing ActiveX clsid unicode access (web-client.rules)
10425 <-> WEB-CLIENT Yahoo Audio Conferencing ActiveX function call access (web-client.rules)
10426 <-> WEB-CLIENT Yahoo Audio Conferencing ActiveX function call unicode access (web-client.rules)
10427 <-> WEB-CLIENT Kaspersky AntiVirus SysInfo ActiveX clsid access (web-client.rules)
10428 <-> WEB-CLIENT Kaspersky AntiVirus SysInfo ActiveX clsid unicode access (web-client.rules)
10429 <-> WEB-CLIENT Kaspersky AntiVirus SysInfo ActiveX function call access (web-client.rules)
10430 <-> WEB-CLIENT Kaspersky AntiVirus SysInfo ActiveX function call unicode access (web-client.rules)
10431 <-> WEB-CLIENT Kaspersky AntiVirus KAV60Info ActiveX clsid access (web-client.rules)
10432 <-> WEB-CLIENT Kaspersky AntiVirus KAV60Info ActiveX clsid unicode access (web-client.rules)
10433 <-> WEB-CLIENT Kaspersky AntiVirus KAV60Info ActiveX function call access (web-client.rules)
10434 <-> WEB-CLIENT Kaspersky AntiVirus KAV60Info ActiveX function call unicode access (web-client.rules)
10435 <-> SPYWARE-PUT Trackware admedia runtime detection (spyware-put.rules)
10436 <-> SPYWARE-PUT Keylogger keyspy runtime detection (spyware-put.rules)
10437 <-> SPYWARE-PUT Hijacker bazookabar runtime detection (spyware-put.rules)
10438 <-> SPYWARE-PUT Hijacker bazookabar runtime detection (spyware-put.rules)
10439 <-> SPYWARE-PUT Adware mokead runtime detection (spyware-put.rules)
10440 <-> SPYWARE-PUT Keylogger pc black box runtime detection (spyware-put.rules)
10441 <-> SPYWARE-PUT Hacker-Tool statwin runtime detection (spyware-put.rules)
10442 <-> BACKDOOR nirvana 2.0 runtime detection - explore c drive (backdoor.rules)
10443 <-> BACKDOOR acidbattery 1.0 runtime detection - sniff info (backdoor.rules)
10444 <-> BACKDOOR acidbattery 1.0 runtime detection - open ftp service (backdoor.rules)
10445 <-> BACKDOOR acidbattery 1.0 runtime detection - get password (backdoor.rules)
10446 <-> BACKDOOR acidbattery 1.0 runtime detection - get server info (backdoor.rules)
10447 <-> BACKDOOR 51d 1b runtime detection - icq notification (backdoor.rules)
10448 <-> BACKDOOR acessor 2.0 runtime detection - init connection (backdoor.rules)
10449 <-> BACKDOOR acid shivers runtime detection - init telnet connection (backdoor.rules)
10450 <-> BACKDOOR only 1 rat runtime detection - control command (backdoor.rules)
10451 <-> BACKDOOR only 1 rat runtime detection - control command (backdoor.rules)
10452 <-> BACKDOOR only 1 rat runtime detection - icmp request (backdoor.rules)
10453 <-> BACKDOOR zalivator 1.4.2 pro runtime detection - smtp notification (backdoor.rules)
10454 <-> BACKDOOR [x]-ztoo 1.0 runtime detection - init connection (backdoor.rules)
10455 <-> BACKDOOR [x]-ztoo 1.0 runtime detection - get system info (backdoor.rules)
10456 <-> BACKDOOR [x]-ztoo 1.0 runtime detection - get system info (backdoor.rules)
10457 <-> BACKDOOR [x]-ztoo 1.0 runtime detection - start keylogger (backdoor.rules)
10458 <-> BACKDOOR [x]-ztoo 1.0 or illusion runtime detection - open file manager (backdoor.rules)
10459 <-> BACKDOOR wineggdrop shell pro runtime detection - init connection (backdoor.rules)
10460 <-> BACKDOOR winicabras 1.1 runtime detection - get system info (backdoor.rules)
10461 <-> BACKDOOR winicabras 1.1 runtime detection - get system info (backdoor.rules)
10462 <-> BACKDOOR winicabras 1.1 runtime detection - explorer (backdoor.rules)
10463 <-> BACKDOOR winicabras 1.1 runtime detection - explorer (backdoor.rules)
10464 <-> TELNET kerberos login environment variable authentication bypass attempt (telnet.rules)
10465 <-> WEB-CLIENT Microsoft Agent v1.5 ActiveX function call unicode access (web-client.rules)
10466 <-> WEB-CLIENT iPIX Image Well ActiveX clsid access (web-client.rules)
10467 <-> WEB-CLIENT iPIX Image Well ActiveX clsid unicode access (web-client.rules)
10468 <-> WEB-CLIENT iPIX Image Well ActiveX function call access (web-client.rules)
10469 <-> WEB-CLIENT iPIX Image Well ActiveX function call unicode access (web-client.rules)
10470 <-> WEB-CLIENT iPIX Media Send Class ActiveX clsid access (web-client.rules)
10471 <-> WEB-CLIENT iPIX Media Send Class ActiveX clsid unicode access (web-client.rules)
10472 <-> WEB-CLIENT iPIX Media Send Class ActiveX function call access (web-client.rules)
10473 <-> WEB-CLIENT iPIX Media Send Class ActiveX function call unicode access (web-client.rules)
10474 <-> WEB-CLIENT Microsoft Agent v2.0 ActiveX function call unicode access (web-client.rules)
10475 <-> MISC UPNP notification type overflow attempt (misc.rules)

Updated rules:
4143 <-> EXPLOIT lpd receive printer job cascade adaptor protocol request (exploit.rules)
4172 <-> WEB-CLIENT Microsoft Agent v1.5 ActiveX clsid access (web-client.rules)
8846 <-> WEB-CLIENT Microsoft Agent Character Custom Proxy Class ActiveX clsid access (web-client.rules)
8847 <-> WEB-CLIENT Microsoft Agent Character Custom Proxy Class ActiveX clsid unicode access (web-client.rules)
8848 <-> WEB-CLIENT Microsoft Agent Notify Sink Custom Proxy Class ActiveX clsid access (web-client.rules)
8849 <-> WEB-CLIENT Microsoft Agent Notify Sink Custom Proxy Class ActiveX clsid unicode access (web-client.rules)
8850 <-> WEB-CLIENT Microsoft Agent Custom Proxy Class ActiveX clsid access (web-client.rules)
8851 <-> WEB-CLIENT Microsoft Agent Custom Proxy Class ActiveX clsid unicode access (web-client.rules)
8852 <-> WEB-CLIENT Microsoft Agent v2.0 ActiveX clsid access (web-client.rules)
8853 <-> WEB-CLIENT Microsoft Agent v2.0 ActiveX clsid unicode access (web-client.rules)
8854 <-> WEB-CLIENT Microsoft Agent v2.0 ActiveX function call access (web-client.rules)
8855 <-> WEB-CLIENT Microsoft Agent v1.5 ActiveX clsid unicode access (web-client.rules)
8856 <-> WEB-CLIENT Microsoft Agent v1.5 ActiveX function call access (web-client.rules)
10412 <-> WEB-CLIENT IBM Lotus SameTime STJNILoader Alt CLSID ActiveX clsid access (web-client.rules)