Sourcefire VRT Rules Update

Date: 2009-09-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.

The format of the file is:

sid <-> Message (rule group, priority)

New rules:
15931 <-> MISC Veritas NetBackup java user interface service format string attack attempt (misc.rules, High)
15932 <-> FTP LIST globbing denial of service attack (ftp.rules, Medium)
15933 <-> WEB-CLIENT Internet Explorer URL canonicalization address bar spoofing attempt (web-client.rules, Low)
15934 <-> DNS dns response for rfc1918 172.16/12 address detected (dns.rules, High)
15935 <-> DNS dns response for rfc1918 192.168/16 address detected (dns.rules, High)
15936 <-> SPECIFIC-THREATS Sendmail identd command parsing vulnerability (specific-threats.rules, High)
15937 <-> SPECIFIC-THREATS protos h323 buffer overflow (specific-threats.rules, High)
15938 <-> SPECIFIC-THREATS Backdoor SubSeven client connection to server (specific-threats.rules, High)
15939 <-> SPECIFIC-THREATS MSN Messenger IRC bot calling home attempt (specific-threats.rules, High)
15940 <-> SPECIFIC-THREATS RealNetworks RealPlayer Multiple Products RA file processing overflow attempt (specific-threats.rules, High)
15941 <-> DOS Squid Proxy TRACE request remote DoS attempt (dos.rules, High)

Updated rules:
1893 <-> SNMP missing community string attempt (snmp.rules, Medium)
3192 <-> WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt (web-client.rules, High)
13249 <-> DNS dns response for rfc1918 10/8 address detected (dns.rules, High)
13553 <-> EXPLOIT Sybase SQL Anywhere Mobilink username string buffer overflow (exploit.rules, High)
13554 <-> EXPLOIT Sybase SQL Anywhere Mobilink version string buffer overflow (exploit.rules, High)
13555 <-> EXPLOIT Sybase SQL Anywhere Mobilink remoteID string buffer overflow (exploit.rules, High)
15930 <-> NETBIOS Microsoft Windows SMB malformed process ID high field denial-of-service attempt (netbios.rules, Medium)