Sourcefire VRT Rules Update
Date: 2009-01-27
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.7.
The format of the file is:
sid - Message (rule group, priority)
New rules:
15255 <-> ORACLE Secure Backup msgid 0x901 username field overflow attempt (oracle.rules, High)
15256 <-> ORACLE BPEL process manager XSS injection attempt (oracle.rules, High)
15257 <-> ORACLE Secure Backup common.php variable based command injection attempt (oracle.rules, High)
15258 <-> ORACLE Secure Backup login.php variable based command injection attempt (oracle.rules, High)
15261 <-> ORACLE Secure Backup exec_qr command injection attempt (oracle.rules, High)
15263 <-> ORACLE BEA WebLogic Apache connector HTTP version denial of service attempt (oracle.rules, Medium)
15264 <-> WEB-CGI Oracle TimesTen In-Memory Database evtdump CGI module format string exploit attempt (web-cgi.rules, High)

Updated rules:
284 <-> DELETED POP2 x86 Linux overflow (deleted.rules, High)
285 <-> DELETED POP2 x86 Linux overflow (deleted.rules, High)
651 <-> DELETED SHELLCODE x86 stealth NOOP (deleted.rules, High)
653 <-> DELETED SHELLCODE x86 0x90 unicode NOOP (deleted.rules, High)
1394 <-> SHELLCODE x86 inc ecx NOOP (shellcode.rules, High)
1424 <-> DELETED SHELLCODE x86 0xEB0C NOOP (deleted.rules, High)
1430 <-> DELETED TELNET Solaris memory mismanagement exploit attempt (deleted.rules, High)
1934 <-> POP2 FOLD overflow attempt (pop2.rules, High)
1935 <-> POP2 FOLD arbitrary file attempt (pop2.rules, Medium)
2312 <-> DELETED SHELLCODE x86 0x71FB7BAB NOOP (deleted.rules, High)
2313 <-> DELETED SHELLCODE x86 0x71FB7BAB NOOP unicode (deleted.rules, High)
14986 <-> SHELLCODE x86 fldz get eip shellcode (shellcode.rules, High)
15242 <-> DELETED WEB-CLIENT HP OpenView Network Node Manager Toolbar.exe HTTP request buffer overflow attempt (deleted.rules, High)
