Sourcefire VRT Rules Update

Date: 2009-09-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.

The format of the file is:

sid - Message (rule group, priority)

New rules:
15942 <-> MISC CA Multiple Products Console Server login credentials handling overflow attempt (misc.rules, High)
15943 <-> MISC CA Multiple Products Console Server login credentials handling overflow attempt (misc.rules, High)
15944 <-> SPECIFIC-THREATS Microsoft Windows Active Directory crafted LDAP request denial of service attempt (specific-threats.rules, Medium)
15945 <-> WEB-CLIENT RSS file download request (web-client.rules, Low)
15946 <-> WEB-CLIENT Microsoft Windows Vista Feed Headlines Gadget code execution attempt (web-client.rules, High)
15947 <-> SPECIFIC-THREATS Microsoft Outlook Web Access Cross-Site Scripting attempt (specific-threats.rules, High)
15948 <-> SPECIFIC-THREATS CA License Software Invalid Command overflow attempt (specific-threats.rules, High)
15949 <-> SPECIFIC-THREATS McAfee LHA file handling overflow attempt (specific-threats.rules, High)
15950 <-> SPECIFIC-THREATS McAfee LHA Type-2 file handling overflow attempt (specific-threats.rules, High)
15951 <-> SPECIFIC-THREATS MySQL MaxDB Webtool GET command overflow attempt (specific-threats.rules, High)
15952 <-> SQL MySQL CREATE FUNCTION libc arbitrary code execution attempt (sql.rules, High)
15953 <-> WEB-MISC Ipswitch IMail Calendaring arbitrary file read attempt (web-misc.rules, Medium)
15954 <-> SPECIFIC-THREATS SpamAssassin malformed email header DoS attempt (specific-threats.rules, Medium)
15955 <-> ORACLE Application Server 9i Webcache file corruption attempt (oracle.rules, High)
15956 <-> ORACLE http Server mod_access restriction bypass attempt (oracle.rules, High)
15957 <-> WEB-CLIENT Sophos Anti-Virus zip file handling DoS attempt (web-client.rules, Medium)
15958 <-> WEB-MISC Novell ZENworks Remote Management overflow attempt (web-misc.rules, High)
15959 <-> SPECIFIC-THREATS Microsoft ASP.NET viewstate DoS attempt (specific-threats.rules, Medium)
15960 <-> SPECIFIC-THREATS Novell eDirectory MS-DOS device name DoS attempt (specific-threats.rules, Medium)
15961 <-> SPECIFIC-THREATS 3Com Network Supervisor directory traversal attempt (specific-threats.rules, Medium)
15962 <-> SPECIFIC-THREATS Sybase EAServer WebConsole overflow attempt (specific-threats.rules, High)
15963 <-> SPECIFIC-THREATS Red Hat Enterprise Linux DNS resolver buffer overflow attempt (specific-threats.rules, High)
15964 <-> SPECIFIC-THREATS Microsoft Exchange OWA XSS and spoofing attempt (specific-threats.rules, Medium)
15965 <-> SPECIFIC-THREATS Microsoft Explorer long share name buffer overflow attempt (specific-threats.rules, High)
15966 <-> SPECIFIC-THREATS F-Secure Anti-Virus LHA processing buffer overflow attempt (specific-threats.rules, High)
15967 <-> SPECIFIC-THREATS ICQ SRV_MULTI/SRV_META_USER overflow attempt (specific-threats.rules, Medium)
15969 <-> SPECIFIC-THREATS Symantec Multiple Products ISAKMPd denial of service attempt (specific-threats.rules, Medium)
15970 <-> SPECIFIC-THREATS Subversion svn protocol string parsing heap overflow attempt (specific-threats.rules, High)
15971 <-> EXPLOIT CVS Argumentx command double free attempt (exploit.rules, High)
15972 <-> SPECIFIC-THREATS single byte encoded name response (specific-threats.rules, Medium)
15977 <-> SPECIFIC-THREATS PHP strip_tags bypass vulnerability exploit attempt (specific-threats.rules, High)
15978 <-> WEB-MISC Macromedia JRun 4 mod_jrun buffer overflow attempt (web-misc.rules, High)
15979 <-> EXPLOIT Check Point VPN-1 ASN.1 Decoding heap overflow attempt (exploit.rules, Medium)
15980 <-> WEB-MISC Apache mod_ssl hook functions format string attempt (web-misc.rules, High)
15981 <-> SPECIFIC-THREATS zlib Denial of Service (specific-threats.rules, High)
15982 <-> WEB-MISC Ipswitch WhatsUp Gold DOS Device HTTP request denial of service attempt (web-misc.rules, Medium)
15983 <-> SPECIFIC-THREATS Samba arbitrary file access exploit attempt (specific-threats.rules, Medium)
15984 <-> SPECIFIC-THREATS Samba Printer Change Notification Request DoS attempt (specific-threats.rules, Medium)
15985 <-> SPECIFIC-THREATS Microsoft ASP.NET canonicalization exploit attempt (specific-threats.rules, High)
15986 <-> SPECIFIC-THREATS Samba unicode filename buffer overflow attempt (specific-threats.rules, Medium)
15987 <-> WEB-MISC Microsoft Visio DXF file download request (web-misc.rules, Low)
15988 <-> SPECIFIC-THREATS Microsoft ISA Server DNS spoofing attempt (specific-threats.rules, Medium)
15989 <-> EXPLOIT Squid ASN.1 header parsing denial of service attempt (exploit.rules, Medium)
15990 <-> WEB-MISC Macromedia JRun 4.x server file disclosure attempt (web-misc.rules, High)
15991 <-> SPECIFIC-THREATS Multiple vendor DNS message decompression denial of service attempt (specific-threats.rules, Medium)
15992 <-> SPECIFIC-THREATS Trend Micro Products Antivirus Library overflow attempt (specific-threats.rules, High)
15993 <-> SPECIFIC-THREATS Adobe Flash Player ActionScript intrf_count integer overflow attempt (specific-threats.rules, High)
15994 <-> SPECIFIC-THREATS Squid strListGetItem denial of service attempt (specific-threats.rules, Medium)
15996 <-> SPECIFIC-THREATS Microsoft Negotiate SSP buffer overflow attempt (specific-threats.rules, High)
15997 <-> SPECIFIC-THREATS Mozilla Firefox JIT escape function memory corruption attempt (specific-threats.rules, High)

Updated rules:
2580 <-> WEB-MISC server negative Content-Length attempt (web-misc.rules, High)
4637 <-> EXPLOIT MailEnable HTTPMail buffer overflow attempt (exploit.rules, High)
12286 <-> WEB-CLIENT PCRE character class double free overflow attempt (web-client.rules, High)
12612 <-> WEB-ACTIVEX Microsoft Windows MFC Library ActiveX clsid access (web-activex.rules, High)
12613 <-> WEB-ACTIVEX Microsoft Windows MFC Library ActiveX clsid unicode access (web-activex.rules, High)
12614 <-> WEB-ACTIVEX Microsoft Windows MFC Library ActiveX function call access (web-activex.rules, High)
12615 <-> WEB-ACTIVEX Microsoft Windows MFC Library ActiveX function call unicode access (web-activex.rules, High)
14265 <-> SCADA CitectSCADA ODBC buffer overflow attempt (scada.rules, High)
15384 <-> WEB-CLIENT Apple QuickTime pict image poly structure memory corruption attempt (web-client.rules, High)
15922 <-> WEB-CLIENT mp3 file download request (web-client.rules, Low)
15930 <-> NETBIOS Microsoft Windows SMB malformed process ID high field remote code execution attempt (netbios.rules, Medium)