Sourcefire VRT Rules Update

Date: 2009-05-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.

The format of the file is:

sid - Message (rule group, priority)

New rules:
15509 <-> DOS IBM DB2 database server CONNECT denial of service attempt (dos.rules, Medium)
15510 <-> WEB-CLIENT Trend Micro OfficeScan Server cgiRecvFile overflow attempt (web-client.rules, High)
15511 <-> SPECIFIC-THREATS Oracle WebLogic Apache Connector buffer overflow attempt (specific-threats.rules, High)
15512 <-> NETBIOS DCERPC NCACN-IP-TCP rpcss2 _RemoteGetClassObject attempt (netbios.rules, Low)
15513 <-> NETBIOS DCERPC NCADG-IP-UDP rpcss2 _RemoteGetClassObject attempt (netbios.rules, Low)
15514 <-> EXPLOIT Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt (exploit.rules, High)
15515 <-> ORACLE Oracle Database Server RollbackWorkspace SQL injection attempt (oracle.rules, High)

Updated rules:
2437 <-> DELETED WEB-CLIENT RealPlayer arbitrary javascript command attempt (deleted.rules, High)
3473 <-> WEB-CLIENT RealPlayer SMIL file overflow attempt (web-client.rules, High)
4643 <-> WEB-CLIENT malformed windows shortcut file buffer overflow attempt (web-client.rules, High)
4644 <-> WEB-CLIENT malformed windows shortcut file with comment buffer overflow attempt (web-client.rules, High)
7118 <-> BACKDOOR y3k 1.2 runtime detection - user-agent string detected (backdoor.rules, High)
7197 <-> WEB-CLIENT excel MSO.DLL malformed string parsing single byte buffer over attempt (web-client.rules, High)
7198 <-> WEB-CLIENT excel MSO.DLL malformed string parsing multi byte buffer over attempt (web-client.rules, High)
9633 <-> EXPLOIT Computer Associates Product Discovery Service type 9B remote buffer overflow attempt TCP (exploit.rules, High)
9634 <-> EXPLOIT Computer Associates Product Discovery Service type 9C remote buffer overflow attempt TCP (exploit.rules, High)
9635 <-> EXPLOIT Computer Associates Product Discovery Service type 9B remote buffer overflow attempt UDP (exploit.rules, High)
9636 <-> EXPLOIT Computer Associates Product Discovery Service type 9C remote buffer overflow attempt UDP (exploit.rules, High)
11980 <-> VOIP-SIP SDP attribute buffer overflow attempt (voip.rules, High)
12685 <-> EXPLOIT IBM Tivoli Storage Manager Express CAD Host buffer overflow (exploit.rules, High)
15447 <-> DELETED WEB-CLIENT Firefox XML parser memory corruption attempt (deleted.rules, Medium)