Sourcefire VRT Rules Update

Date: 2009-08-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.

The format of the file is:

sid <-> Message (rule group, priority)

New rules:
15865 <-> WEB-CLIENT MP4 file request (web-client.rules, Low)
15866 <-> WEB-CLIENT libxml2 XML file processing long entity name buffer overflow attempt (web-client.rules, High)
15867 <-> WEB-CLIENT Adobe Acrobat PDF font processing memory corruption attempt (web-client.rules, High)
15868 <-> SQL Borland InterBase username buffer overflow (sql.rules, High)
15869 <-> WEB-CLIENT Adobe Flash Player ASnative command execution attempt (web-client.rules, High)
15870 <-> WEB-MISC 4xm file request (web-misc.rules, Low)
15871 <-> WEB-CLIENT FFmpeg 4xm processing memory corruption attempt (web-client.rules, High)
15872 <-> WEB-CLIENT Firefox defineSetter function pointer memory corruption attempt (web-client.rules, High)
15873 <-> WEB-CLIENT Firefox location spoofing via invalid window.open characters (web-client.rules, Medium)
15874 <-> SQL union select - possible sql injection attempt - POST parameter (sql.rules, Medium)
15875 <-> SQL generic sql insert injection attempt - POST parameter (sql.rules, High)
15876 <-> SQL generic sql update injection attempt - POST parameter (sql.rules, High)
15877 <-> SQL generic sql exec injection attempt - POST parameter (sql.rules, High)

Updated rules:
2348 <-> DELETED NETBIOS SMB-DS DCERPC print spool bind attempt (deleted.rules, Low)
3550 <-> WEB-CLIENT HTML http/https scheme hostname overflow attempt (web-client.rules, High)
9827 <-> SPYWARE-PUT Keylogger paq keylog runtime detection - smtp (spyware-put.rules, Medium)
11836 <-> MISC Visio version number anomaly (misc.rules, Low)
13316 <-> WEB-CLIENT 3ivx MP4 file parsing ART buffer overflow attempt (web-client.rules, High)
13317 <-> WEB-CLIENT 3ivx MP4 file parsing nam buffer overflow attempt (web-client.rules, High)
13318 <-> WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt (web-client.rules, High)
13319 <-> WEB-CLIENT 3ivx MP4 file parsing des buffer overflow attempt (web-client.rules, High)
13320 <-> WEB-CLIENT 3ivx MP4 file parsing cpy buffer overflow attempt (web-client.rules, High)
13512 <-> SQL generic sql exec injection attempt - GET parameter (sql.rules, High)
13513 <-> SQL generic sql insert injection attempt - GET parameter (sql.rules, High)
13514 <-> SQL generic sql update injection attempt - GET parameter (sql.rules, High)
13990 <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules, Medium)
15168 <-> POLICY Suspicious .ru dns query (policy.rules, High)
15479 <-> EXPLOIT RealNetworks Helix Server RTSP Request Proxy-Require header heap buffer overflow attempt (exploit.rules, High)
15486 <-> DELETED BACKDOOR Kraken command and control server search attempt (deleted.rules, High)
15491 <-> EXPLOIT Subversion 1.0.2 dated-rev-report buffer overflow attempt (exploit.rules, High)