Sourcefire VRT Rules Update

Date: 2010-05-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8_5_3.

The format of the file is:

sid - Message (rule group, priority)

New rules:
16573 <-> WEB-ACTIVEX obfuscated ActiveX object instantiation via unescape (web-activex.rules, High)
16574 <-> WEB-ACTIVEX obfuscated ActiveX object instantiation via fromCharCode (web-activex.rules, High)
16575 <-> SPECIFIC-THREATS RKD Software BarCode ActiveX buffer overflow attempt (specific-threats.rules, High)
16576 <-> EXPLOIT RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (exploit.rules, High)
16578 <-> EXPLOIT Microsoft Windows Media Encoder 9 ActiveX buffer overflow attempt (exploit.rules, High)
16579 <-> CHAT mIRC IRC URL buffer overflow attempt (chat.rules, High)
16582 <-> WEB-CLIENT Un4seen Developments XMPlay crafted ASX file buffer overflow attempt (web-client.rules, High)
16583 <-> WEB-CLIENT Un4seen Developments XMPlay crafted ASX file buffer overflow attempt (web-client.rules, High)
16588 <-> SPECIFIC-THREATS iseemedia LPViewer ActiveX exploit attempt (specific-threats.rules, High)
16589 <-> SPECIFIC-THREATS iseemedia LPViewer ActiveX buffer overflows attempt (specific-threats.rules, High)
16590 <-> SPECIFIC-THREATS EasyMail Objects ActiveX exploit attempt - 1 (specific-threats.rules, High)
16591 <-> SPECIFIC-THREATS EasyMail Objects ActiveX exploit attempt - 2 (specific-threats.rules, High)

Updated rules:
2923 <-> NETBIOS SMB repeated logon failure (netbios.rules, High)
3085 <-> EXPLOIT AIM goaway message buffer overflow attempt (exploit.rules, Medium)
3143 <-> NETBIOS SMB Trans2 FIND_FIRST2 command response overflow attempt (netbios.rules, Low)
3218 <-> NETBIOS DCERPC NCACN-IP-TCP winreg OpenKey overflow attempt (netbios.rules, High)
3473 <-> WEB-CLIENT RealPlayer SMIL file overflow attempt (web-client.rules, High)
5797 <-> POLICY kontiki runtime detection (policy.rules, High)
6407 <-> POLICY Gizmo register VOIP state (policy.rules, High)
12010 <-> WEB-ACTIVEX RKD Software BarCode ActiveX clsid access (web-activex.rules, High)
12011 <-> WEB-ACTIVEX RKD Software BarCode ActiveX clsid unicode access (web-activex.rules, High)
12012 <-> WEB-ACTIVEX RKD Software BarCode ActiveX function call access (web-activex.rules, High)
12013 <-> WEB-ACTIVEX RKD Software BarCode ActiveX function call unicode access (web-activex.rules, High)
12095 <-> DELETED WEB-ACTIVEX Zenturi ProgramChecker ActiveX clsid access (deleted.rules, High)
12096 <-> DELETED WEB-ACTIVEX Zenturi ProgramChecker ActiveX clsid unicode access (deleted.rules, High)
12097 <-> DELETED WEB-ACTIVEX Zenturi ProgramChecker ActiveX function call access (deleted.rules, High)
12098 <-> DELETED WEB-ACTIVEX Zenturi ProgramChecker ActiveX function call unicode access (deleted.rules, High)
13520 <-> EXPLOIT Winamp Ultravox streaming malicious metadata (exploit.rules, High)
13521 <-> EXPLOIT Winamp Ultravox streaming malicious metadata (exploit.rules, High)
13663 <-> IMAP Alt-N MDaemon IMAP Server FETCH command buffer overflow attempt (imap.rules, High)
13948 <-> DNS large number of NXDOMAIN replies - possible DNS cache poisoning (dns.rules, Medium)
14232 <-> WEB-ACTIVEX SoftArtisans XFile FileManager ActiveX clsid unicode access (web-activex.rules, High)
15436 <-> EXPLOIT IBM Tivoli Storage Manager Express Backup counter heap corruption attempt (exploit.rules, High)
15437 <-> EXPLOIT IBM Tivoli Storage Manager Express Backup message length heap corruption attempt (exploit.rules, High)
15473 <-> WEB-CLIENT Multiple media players M3U playlist file handling buffer overflow attempt (web-client.rules, High)
16549 <-> WEB-CLIENT Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - npruntime-scriptable-plugin (web-client.rules, High)
16550 <-> WEB-CLIENT Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - java-deployment-toolkit (web-client.rules, High)