Sourcefire VRT Rules Update

Date: 2010-03-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.

The format of the file is:

sid - Message (rule group, priority)

New rules:
16501 <-> WEB-CLIENT Mozilla Firefox WOFF font processing integer overflow attempt - TrueType (web-client.rules, High)
16502 <-> WEB-CLIENT Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based (web-client.rules, High)

Updated rules:
 289 <-> POP3 EXPLOIT x86 SCO overflow (pop3.rules, High)
 314 <-> DNS EXPLOIT named tsig overflow attempt (dns.rules, High)
 586 <-> RPC portmap selection_svc request UDP (rpc.rules, Medium)
 672 <-> SMTP vrfy decode (smtp.rules, Medium)
 704 <-> SQL xp_sprintf possible buffer overflow (sql.rules, High)
 707 <-> DELETED SQL xp_proxiedmetadata possible buffer overflow (deleted.rules, High)
 833 <-> WEB-CGI rguest.exe access (web-cgi.rules, Medium)
1810 <-> SPECIFIC-THREATS successful gobbles ssh exploit GOBBLE (specific-threats.rules, High)
1811 <-> SPECIFIC-THREATS successful gobbles ssh exploit uname (specific-threats.rules, Medium)
1900 <-> SPECIFIC-THREATS successful kadmind buffer overflow attempt (specific-threats.rules, High)
1901 <-> SPECIFIC-THREATS successful kadmind buffer overflow attempt (specific-threats.rules, High)
2515 <-> WEB-MISC PCT Client_Hello overflow attempt (web-misc.rules, High)
2517 <-> IMAP PCT Client_Hello overflow attempt (imap.rules, High)
2518 <-> POP3 PCT Client_Hello overflow attempt (pop3.rules, High)
2528 <-> SMTP PCT Client_Hello overflow attempt (smtp.rules, High)
3511 <-> SMTP PCT Client_Hello overflow attempt (smtp.rules, High)
4148 <-> WEB-ACTIVEX DHTML Editing ActiveX clsid access (web-activex.rules, High)
6217 <-> DELETED SPYWARE-PUT Adware aornum/iwon copilot runtime detection - ads 1 (deleted.rules, Low)
6218 <-> SPYWARE-PUT Adware aornum/iwon copilot runtime detection - ads (spyware-put.rules, Low)
7435 <-> WEB-ACTIVEX Dynamic Casts ActiveX CLSID access (web-activex.rules, High)
7436 <-> WEB-ACTIVEX Dynamic Casts ActiveX CLSID unicode access (web-activex.rules, High)
7785 <-> BACKDOOR forced control uploader runtime detection - connection with password (backdoor.rules, High)
7788 <-> BACKDOOR forced control uploader runtime detection directory listing - client to server (backdoor.rules, High)
7789 <-> BACKDOOR forced control uploader runtime detection directory listing - server to client (backdoor.rules, High)
8426 <-> WEB-MISC SSLv2 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8427 <-> WEB-MISC SSLv3 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8428 <-> WEB-MISC SSLv2 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8429 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules, High)
8430 <-> POP3 SSLv3 openssl get shared ciphers overflow attempt (pop3.rules, High)
8431 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules, High)
8432 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8433 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8434 <-> SMTP SSLv3 openssl get shared ciphers overflow attempt (smtp.rules, High)
8435 <-> SMTP SSLv3 openssl get shared ciphers overflow attempt (smtp.rules, High)
8436 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8437 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8438 <-> IMAP SSLv2 openssl get shared ciphers overflow attempt (imap.rules, High)
8439 <-> IMAP SSLv3 openssl get shared ciphers overflow attempt (imap.rules, High)
8440 <-> IMAP SSLv2 openssl get shared ciphers overflow attempt (imap.rules, High)
10089 <-> SPYWARE-PUT Keylogger beyond Keylogger runtime detection - log sent by ftp (spyware-put.rules, Medium)
10208 <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect COMN_NetTestConnection attempt (netbios.rules, Low)
11000 <-> ORACLE dbms_snap_internal.delete_refresh_operations buffer overflow attempt (oracle.rules, High)
11001 <-> ORACLE dbms_snap_internal.delete_refresh_operations buffer overflow attempt (oracle.rules, High)
11002 <-> ORACLE dbms_snap_internal.generate_refresh_operations buffer overflow attempt (oracle.rules, High)
11003 <-> ORACLE dbms_snap_internal.generate_refresh_operations buffer overflow attempt (oracle.rules, High)
11175 <-> ORACLE dbms_cdc_ipublish.chgtab_cache buffer overflow attempt (oracle.rules, High)
11180 <-> WEB-CLIENT quicktime movie ftyp buffer underflow (web-client.rules, High)
11834 <-> WEB-MISC Internet Explorer navcancl.htm url spoofing attempt (web-misc.rules, Medium)
15415 <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules, High)
15417 <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (content-replace.rules, High)
15418 <-> CHAT AIM server certificate for encrypted login (chat.rules, High)
15568 <-> CHAT AIM encrypted login attempt (chat.rules, High)
15569 <-> CHAT Yahoo encrypted login attempt (chat.rules, High)
15923 <-> WEB-ACTIVEX DHTML Editing ActiveX clsid unicode access (web-activex.rules, High)
15924 <-> WEB-ACTIVEX DHTML Editing ActiveX function call access (web-activex.rules, High)
15925 <-> WEB-ACTIVEX DHTML Editing ActiveX function call unicode access (web-activex.rules, High)