Sourcefire VRT Rules Update

Date: 2010-06-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8_5_3.

The format of the file is:

sid <-> Message (rule group, priority)

New rules:
16669 <-> SPYWARE-PUT Spyeye bot contact to C&C server attempt (spyware-put.rules, High)
16670 <-> SPYWARE-PUT Koobface worm executable download attempt (spyware-put.rules, High)
16673 <-> WEB-CLIENT Adobe Shockwave DIR file PAMI chunk code execution attempt (web-client.rules, High)
16674 <-> WEB-MISC HP OpenView CGI parameter buffer overflow attempt (web-misc.rules, High)
16675 <-> SPECIFIC-THREATS CA BrightStor ListCtrl ActiveX exploit attempt (specific-threats.rules, High)
16676 <-> SPECIFIC-THREATS Adobe Reader malformed FlateDecode colors declaration (specific-threats.rules, High)
16677 <-> WEB-CLIENT Adobe Reader malformed FlateDecode colors declaration (web-client.rules, High)
16678 <-> WEB-PHP Tandberg VCS local file disclosure attempt (web-php.rules, High)
16679 <-> WEB-MISC Microsoft Windows GDIplus integer overflow attempt (web-misc.rules, Low)
16680 <-> POLICY Tandberg VCS SSH default key (policy.rules, Low)
16681 <-> WEB-MISC Basic Authorization string overflow attempt (web-misc.rules, Medium)
16682 <-> WEB-MISC Sun ONE Web Server JSP source code disclosure attempt (web-misc.rules, Medium)
16683 <-> WEB-MISC Nullsoft Winamp CAF file processing integer overflow attempt (web-misc.rules, High)
16684 <-> DOS Samba smbd Session Setup AndX security blob length dos attempt (dos.rules, Medium)
16685 <-> EXPLOIT IBM Tivoli Storage Manager Client dsmagent.exe NodeName length buffer overflow attempt (exploit.rules, High)
16686 <-> WEB-CLIENT IBM WebSphere application server cross site scripting attempt (web-client.rules, Medium)
16687 <-> WEB-ACTIVEX Juniper Networks SSL-VPN Client JuniperSetup ActiveX control buffer overflow attempt (web-activex.rules, High)
16688 <-> EXPLOIT iscsi target format string code execution attempt (exploit.rules, High)
16689 <-> WEB-CLIENT Palo Alto Networks Firewall editUser.esp XSS attempt (web-client.rules, High)
16690 <-> SPECIFIC-THREATS Microsoft Internet Explorer createTextRange code execution attempt (specific-threats.rules, High)
16691 <-> WEB-CLIENT PLF playlist file download request (web-client.rules, Low)
16693 <-> SPYWARE-PUT Torpig bot sinkhole server DNS lookup attempt (spyware-put.rules, High)
16694 <-> DOS RealNetworks Helix Server RTSP SETUP request denial of service attempt (dos.rules, Medium)
16695 <-> SPYWARE-PUT Rogue AV download/update attempt (spyware-put.rules, High)
16697 <-> FTP httpdx USER null byte denial of service (ftp.rules, Medium)
16698 <-> FTP httpdx PASS null byte denial of service (ftp.rules, Medium)
16699 <-> RPC Linux Kernel nfsd v2 udp CAP_MKNOD security bypass attempt (rpc.rules, Medium)
16700 <-> RPC Linux Kernel nfsd v2 tcp CAP_MKNOD security bypass attempt (rpc.rules, Medium)
16701 <-> RPC Linux Kernel nfsd v3 udp CAP_MKNOD security bypass attempt (rpc.rules, Medium)
16702 <-> RPC Linux Kernel nfsd v3 tcp CAP_MKNOD security bypass attempt (rpc.rules, Medium)
16703 <-> WEB-MISC Oracle MySQL Database COM_FIELD_LIST Buffer Overflow attempt (web-misc.rules, High)
16705 <-> RPC Sun Solaris sadmind UDP array size buffer overflow attempt (rpc.rules, High)
16706 <-> RPC Sun Solaris sadmind TCP array size buffer overflow attempt (rpc.rules, High)
16707 <-> MYSQL Sun MySQL mysql_log COM_CREATE_DB format string vulnerability exploit attempt (mysql.rules, High)
16708 <-> MYSQL Sun MySQL mysql_log COM_DROP_DB format string vulnerability exploit attempt (mysql.rules, High)
16709 <-> DOS RealNetworks Helix Server RTSP SET_PARAMETERS empty DataConvertBuffer header denial of service attempt (dos.rules, Medium)
16710 <-> EXPLOIT Oracle BEA Weblogic server console-help.portal cross-site scripting attempt (exploit.rules, High)

Updated rules:
1260 <-> DELETED WEB-MISC long basic authorization string (deleted.rules, Medium)
2180 <-> P2P BitTorrent announce request (p2p.rules, High)
2278 <-> WEB-MISC client negative Content-Length attempt (web-misc.rules, Medium)
3466 <-> DELETED WEB-MISC Authorization Basic overflow attempt (deleted.rules, High)
11966 <-> WEB-CLIENT Microsoft Internet Explorer CSS tag memory corruption attempt (web-client.rules, High)
13989 <-> SQL large number of calls to char function - possible sql injection obfuscation (sql.rules, High)
15584 <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules, High)
16051 <-> SPECIFIC-THREATS Microsoft Publisher 2007 conversion library code execution attempt (specific-threats.rules, High)
16144 <-> SPYWARE-PUT Bredolab bot contact to C&C server attempt (spyware-put.rules, High)
16453 <-> DELETED SPECIFIC-THREATS SMB Negotiate Protocol response DoS attempt - empty SMB 1 (deleted.rules, Medium)
16483 <-> SPYWARE-PUT Koobface worm submission of collected data to C&C server attempt (specific-threats.rules, High)
16484 <-> SPYWARE-PUT Koobface contact to C&C server attempt (specific-threats.rules, High)
16485 <-> SPYWARE-PUT Koobface request for captcha attempt (specific-threats.rules, High)
16493 <-> SPYWARE-PUT TT-bot botnet contact to C&C server attempt (spyware-put.rules, High)
16606 <-> ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt (oracle.rules, High)
16666 <-> SPECIFIC-THREATS Apple Safari window.parent.close unspecified remote code execution vulnerability (specific-threats.rules, High)