Sourcefire VRT Rules Update
Date: 2010-02-23
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.
The format of the file is:
sid - Message (rule group, priority)
New rules:
16438 <-> ORACLE WebLogic Server Node Manager arbitrary command execution attempt (oracle.rules, High)
16439 <-> SPECIFIC-THREATS Possible Zeus User-Agent - _TEST_ (specific-threats.rules, High)
16440 <-> SPECIFIC-THREATS Possible Zeus User-Agent - ie (specific-threats.rules, High)
16441 <-> SPECIFIC-THREATS Possible Zeus User-Agent - Download (specific-threats.rules, High)
16442 <-> SPECIFIC-THREATS Possible Zeus User-Agent - Mozilla (specific-threats.rules, High)
16443 <-> CHAT deny Gmail chat DNS request (chat.rules, High)
16444 <-> SPECIFIC-THREAT HP StorageWorks storage mirroring double take service code execution attempt (specific-threats.rules, High)
16445 <-> SPECIFIC-THREATS Digium Asterisk IAX2 ack response denial of service attempt (specific-threats.rules, Medium)
16446 <-> RPC portmap Solaris sadmin tcp request (rpc.rules, Medium)
16447 <-> RPC portmap Solaris sadmin udp request (rpc.rules, Medium)
16448 <-> RPC portmap Solaris sadmin tcp adm_build_path overflow attempt (rpc.rules, Medium)
16449 <-> RPC portmap Solaris sadmin udp adm_build_path overflow attempt (rpc.rules, Medium)
16450 <-> SQL Jive Software Openfire Jabber Server SQL injection attempt (sql.rules, High)
16451 <-> WEB-CLIENT Palm WebOS 1.2.0 floating point exception denial of service attempt (web-client.rules, Medium)

Updated rules:
1091 <-> WEB-MISC ICQ Webfront HTTP DOS (web-misc.rules, High)
2273 <-> IMAP login brute force attempt (imap.rules, Medium)
2274 <-> POP3 login brute force attempt (pop3.rules, Medium)
2275 <-> SMTP AUTH LOGON brute force attempt (smtp.rules, Medium)
2517 <-> IMAP PCT Client_Hello overflow attempt (imap.rules, High)
2518 <-> POP3 PCT Client_Hello overflow attempt (pop3.rules, High)
2528 <-> SMTP PCT Client_Hello overflow attempt (smtp.rules, High)
2923 <-> NETBIOS SMB repeated logon failure (netbios.rules, High)
2924 <-> NETBIOS SMB-DS repeated logon failure (netbios.rules, High)
3152 <-> SQL sa brute force failed login attempt (sql.rules, High)
3192 <-> WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt (web-client.rules, High)
3273 <-> SQL sa brute force failed login unicode attempt (sql.rules, High)
3511 <-> SMTP PCT Client_Hello overflow attempt (smtp.rules, High)
3542 <-> SQL SA brute force login attempt (sql.rules, Medium)
3543 <-> SQL SA brute force login attempt TDS v7/8 (sql.rules, Medium)
4984 <-> SQL sa brute force failed login unicode attempt (sql.rules, High)
6031 <-> BACKDOOR fkwp 2.0 runtime detection - connection attempt server-to-client (backdoor.rules, High)
8426 <-> WEB-MISC SSLv2 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8427 <-> WEB-MISC SSLv3 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8429 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules, High)
8430 <-> POP3 SSLv3 openssl get shared ciphers overflow attempt (pop3.rules, High)
8431 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules, High)
8432 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8433 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8434 <-> SMTP SSLv3 openssl get shared ciphers overflow attempt (smtp.rules, High)
8435 <-> SMTP SSLv3 openssl get shared ciphers overflow attempt (smtp.rules, High)
8437 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8438 <-> IMAP SSLv2 openssl get shared ciphers overflow attempt (imap.rules, High)
8439 <-> IMAP SSLv3 openssl get shared ciphers overflow attempt (imap.rules, High)
13948 <-> DNS large number of NXDOMAIN replies - possible DNS cache poisoning (dns.rules, Medium)
13949 <-> DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers (dns.rules, Medium)
15259 <-> DOS DNS root query traffic amplification attempt (dos.rules, Low)
15260 <-> DOS DNS root query response traffic amplification attempt (dos.rules, Low)
15263 <-> ORACLE BEA WebLogic Apache connector HTTP version denial of service attempt (oracle.rules, Medium)
15414 <-> SCADA OMRON-FINS program area protect clear brute force attempt (scada.rules, Low)
15481 <-> SPECIFIC-THREATS Zeus/Zbot malware config file download request (specific-threats.rules, High)
15936 <-> SPECIFIC-THREATS Sendmail identd command parsing vulnerability (specific-threats.rules, High)
16350 <-> MISC ntp mode 7 denial of service attempt (misc.rules, Medium)
16429 <-> WEB-MISC Novell iManager eDirectory plugin schema buffer overflow attempt - GET request (web-misc.rules, High)
16430 <-> WEB-MISC Novell iManager eDirectory plugin schema buffer overflow attempt - POST request (web-misc.rules, High)
16433 <-> DELETED EXPLOIT Microsoft Active Directory LDAP query handling denial of service (deleted.rules, Medium)
