VRT Advisories

VRT Rules 2006-12-07

Sourcefire VRT Update

Date: 2006-12-07


The VRT has continued research into vulnerabilities affecting the Microsoft Operating System and has introduced new rules and modified existing rules to provide coverage for exploitation attempts targeting these vulnerabilities.


Microsoft Security Bulletin MS06-068:
A vulnerability in the way that the Microsoft Agent handles .acf files may allow a remote attacker to execute code on an affected system. The code will be executed with the permissions of the current user who may have administrative privileges.

Rules to detect attacks targeting this vulnerability are included in this release and are identified as SIDs 9432 and 9433.

3Com TFTP Service CVE-2006-6183:
The 3Com TFTP Service suffers from multiple buffer overflow vulnerabilities. A remote attacker may be able to cause a Denial of Service (DoS) or execute code of their choosing on an affected system by supplying excess data in a GET or PUT command to the service.

A rule to detect attacks targeting this vulnerability is included in this release and is identified as SID 9621.

Microsoft Security Bulletin MS03-026:
After continuing research into a vulnerability affecting Microsoft RPC, the VRT has modified a number of existing rules and introduced new rules to reduce false positive events and to provide greater coverage for possible additional attack vectors.

Rules to detect attacks targeting this vulnerability are included in this release and are identified as SIDs 9447 through 9618.

Rule Pack Summary:

For a complete list of new and modified rules, click here.


Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.