Sourcefire VRT Rules Update
Date: 2009-01-27
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.
The format of the file is:
sid - Message (rule group, priority)
New rules:
15228 <-> WEB-ACTIVEX Ciansoft PDFBuilderX ActiveX clsid access (web-activex.rules, High)
15229 <-> WEB-ACTIVEX Ciansoft PDFBuilderX ActiveX clsid unicode access (web-activex.rules, High)
15230 <-> WEB-ACTIVEX Office Viewer 2 ActiveX clsid access (web-activex.rules, High)
15231 <-> WEB-ACTIVEX Office Viewer 2 ActiveX clsid unicode access (web-activex.rules, High)
15232 <-> WEB-ACTIVEX Easy Grid ActiveX clsid access (web-activex.rules, High)
15233 <-> WEB-ACTIVEX Easy Grid ActiveX clsid unicode access (web-activex.rules, High)
15234 <-> WEB-ACTIVEX Easy Grid ActiveX function call access (web-activex.rules, High)
15235 <-> WEB-ACTIVEX Easy Grid ActiveX function call unicode access (web-activex.rules, High)
15243 <-> WEB-ACTIVEX AXIS Camera ActiveX clsid access (web-activex.rules, High)
15244 <-> WEB-ACTIVEX AXIS Camera ActiveX clsid unicode access (web-activex.rules, High)
15245 <-> WEB-ACTIVEX AXIS Camera ActiveX function call access (web-activex.rules, High)
15246 <-> WEB-ACTIVEX AXIS Camera ActiveX function call unicode access (web-activex.rules, High)
15247 <-> WEB-ACTIVEX JamDTA ActiveX clsid access (web-activex.rules, High)
15248 <-> WEB-ACTIVEX JamDTA ActiveX clsid unicode access (web-activex.rules, High)
15249 <-> WEB-ACTIVEX SmartVMD ActiveX clsid access (web-activex.rules, High)
15250 <-> WEB-ACTIVEX SmartVMD ActiveX clsid unicode access (web-activex.rules, High)
15251 <-> WEB-ACTIVEX MetaProducts MetaTreeX ActiveX clsid access (web-activex.rules, High)
15252 <-> WEB-ACTIVEX MetaProducts MetaTreeX ActiveX clsid unicode access (web-activex.rules, High)
15253 <-> WEB-ACTIVEX MetaProducts MetaTreeX ActiveX function call access (web-activex.rules, High)
15254 <-> WEB-ACTIVEX MetaProducts MetaTreeX ActiveX function call unicode access (web-activex.rules, High)
15255 <-> ORACLE Secure Backup msgid 0x901 username field overflow attempt (oracle.rules, High)
15256 <-> ORACLE BPEL process manager XSS injection attempt (oracle.rules, High)
15257 <-> ORACLE Secure Backup common.php variable based command injection attempt (oracle.rules, High)
15258 <-> ORACLE Secure Backup login.php variable based command injection attempt (oracle.rules, High)
15259 <-> DOS DNS root query traffic amplification attempt (dos.rules, Low)
15260 <-> DOS DNS root query response traffic amplification attempt (dos.rules, Low)
15261 <-> ORACLE Secure Backup exec_qr command injection attempt (oracle.rules, High)
15262 <-> ORACLE Secure Backup POST exec_qr command injection attempt (oracle.rules, High)
15263 <-> ORACLE BEA WebLogic Apache connector HTTP version denial of service attempt (oracle.rules, Medium)
15264 <-> WEB-CGI Oracle TimesTen In-Memory Database evtdump CGI module format string exploit attempt (web-cgi.rules, High)

Updated rules:
284 <-> DELETED POP2 x86 Linux overflow (deleted.rules, High)
285 <-> DELETED POP2 x86 Linux overflow (deleted.rules, High)
651 <-> DELETED SHELLCODE x86 stealth NOOP (deleted.rules, High)
653 <-> DELETED SHELLCODE x86 0x90 unicode NOOP (deleted.rules, High)
1394 <-> SHELLCODE x86 inc ecx NOOP (shellcode.rules, High)
1424 <-> DELETED SHELLCODE x86 0xEB0C NOOP (deleted.rules, High)
1430 <-> DELETED TELNET Solaris memory mismanagement exploit attempt (deleted.rules, High)
1934 <-> POP2 FOLD overflow attempt (pop2.rules, High)
1935 <-> POP2 FOLD arbitrary file attempt (pop2.rules, Medium)
2312 <-> DELETED SHELLCODE x86 0x71FB7BAB NOOP (deleted.rules, High)
2313 <-> DELETED SHELLCODE x86 0x71FB7BAB NOOP unicode (deleted.rules, High)
14986 <-> SHELLCODE x86 fldz get eip shellcode (shellcode.rules, High)
15242 <-> DELETED WEB-CLIENT HP OpenView Network Node Manager Toolbar.exe HTTP request buffer overflow attempt (deleted.rules, High)
