Sourcefire VRT Rules Update

Date: 2009-01-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.

The format of the file is:

sid <-> Message (rule group, priority)

New rules:
15255 <-> ORACLE Secure Backup msgid 0x901 username field overflow attempt (oracle.rules, High)
15256 <-> ORACLE BPEL process manager XSS injection attempt (oracle.rules, High)
15257 <-> ORACLE Secure Backup common.php variable based command injection attempt (oracle.rules, High)
15258 <-> ORACLE Secure Backup login.php variable based command injection attempt (oracle.rules, High)
15261 <-> ORACLE Secure Backup exec_qr command injection attempt (oracle.rules, High)
15263 <-> ORACLE BEA WebLogic Apache connector HTTP version denial of service attempt (oracle.rules, Medium)
15264 <-> WEB-CGI Oracle TimesTen In-Memory Database evtdump CGI module format string exploit attempt (web-cgi.rules, High)

Updated rules:
 284 <-> DELETED POP2 x86 Linux overflow (deleted.rules, High)
 285 <-> DELETED POP2 x86 Linux overflow (deleted.rules, High)
 651 <-> DELETED SHELLCODE x86 stealth NOOP (deleted.rules, High)
 653 <-> DELETED SHELLCODE x86 0x90 unicode NOOP (deleted.rules, High)
1394 <-> SHELLCODE x86 inc ecx NOOP (shellcode.rules, High)
1424 <-> DELETED SHELLCODE x86 0xEB0C NOOP (deleted.rules, High)
1430 <-> DELETED TELNET Solaris memory mismanagement exploit attempt (deleted.rules, High)
1934 <-> POP2 FOLD overflow attempt (pop2.rules, High)
1935 <-> POP2 FOLD arbitrary file attempt (pop2.rules, Medium)
2312 <-> DELETED SHELLCODE x86 0x71FB7BAB NOOP (deleted.rules, High)
2313 <-> DELETED SHELLCODE x86 0x71FB7BAB NOOP unicode (deleted.rules, High)
14986 <-> SHELLCODE x86 fldz get eip shellcode (shellcode.rules, High)
15242 <-> DELETED WEB-CLIENT HP OpenView Network Node Manager Toolbar.exe HTTP request buffer overflow attempt (deleted.rules, High)