Sourcefire VRT Rules Update

Date: 2010-06-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8_5_3.

The format of the file is:

sid - Message (rule group, priority)

New rules:
16742 <-> WEB-MISC remote desktop configuration file download request (web-misc.rules, Low)
16750 <-> DELETED WEB-CLIENT IBM Access Support ActiveX GetXMLValue method buffer overflow attempt (deleted.rules, High)
16751 <-> WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt (web-client.rules, High)
16752 <-> WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt (web-client.rules, High)
16753 <-> WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt (web-client.rules, High)
16754 <-> NETBIOS SMB /PlughNTCommand andx create tree attempt (netbios.rules, Low)
16755 <-> NETBIOS SMB /PlughNTCommand create tree attempt (netbios.rules, Low)
16756 <-> NETBIOS SMB /PlughNTCommand unicode andx create tree attempt (netbios.rules, Low)
16757 <-> NETBIOS SMB /PlughNTCommand unicode create tree attempt (netbios.rules, Low)
16758 <-> NETBIOS-DG SMB /PlughNTCommand andx create tree attempt (netbios.rules, Low)
16759 <-> NETBIOS-DG SMB /PlughNTCommand create tree attempt (netbios.rules, Low)
16760 <-> NETBIOS-DG SMB /PlughNTCommand unicode andx create tree attempt (netbios.rules, Low)
16761 <-> NETBIOS-DG SMB /PlughNTCommand unicode create tree attempt (netbios.rules, Low)
16762 <-> NETBIOS SMB Timbuktu Pro overflow WriteAndX andx attempt (netbios.rules, High)
16763 <-> NETBIOS SMB Timbuktu Pro overflow WriteAndX attempt (netbios.rules, High)
16764 <-> NETBIOS SMB Timbuktu Pro overflow WriteAndX unicode andx attempt (netbios.rules, High)
16765 <-> NETBIOS SMB Timbuktu Pro overflow WriteAndX unicode attempt (netbios.rules, High)
16766 <-> NETBIOS SMB Timbuktu Pro overflow andx attempt (netbios.rules, High)
16767 <-> WEB-ACTIVEX AwingSoft Web3D Player ActiveX clsid access (web-activex.rules, High)
16768 <-> WEB-ACTIVEX AwingSoft Web3D Player ActiveX clsid unicode access (web-activex.rules, High)
16769 <-> WEB-ACTIVEX AwingSoft Web3D Player ActiveX function call access (web-activex.rules, High)
16770 <-> WEB-ACTIVEX AwingSoft Web3D Player ActiveX function call unicode access (web-activex.rules, High)
16772 <-> WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX clsid access (web-activex.rules, High)
16773 <-> WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX clsid unicode access (web-activex.rules, High)
16774 <-> WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX function call access (web-activex.rules, High)
16775 <-> WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX function call unicode access (web-activex.rules, High)
16777 <-> ORACLE Secure Backup NDMP packet handling DoS attempt (oracle.rules, Medium)
16778 <-> ORACLE Secure Backup NDMP packet handling DoS attempt (oracle.rules, Medium)
16788 <-> EXPLOIT RealVNC VNC Server ClientCutText message memory corruption attempt (exploit.rules, High)
16791 <-> WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX clsid access (web-activex.rules, High)
16792 <-> WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX clsid unicode access (web-activex.rules, High)
16793 <-> WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX function call access (web-activex.rules, High)
16794 <-> WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX function call unicode access (web-activex.rules, High)
16795 <-> DOS Google Chrome FTP handling out-of-bounds array index denial of service attempt (dos.rules, Medium)
16796 <-> RPC Sun Solaris sadmind UDP data length integer overflow attempt (rpc.rules, High)
16797 <-> RPC Sun Solaris sadmind TCP data length integer overflow attempt (rpc.rules, High)
16798 <-> SPECIFIC-THREATS Orbit Downloader long URL buffer overflow attempt (specific-threats.rules, High)
16799 <-> POP3 Eureka Mail 2.2q server error response overflow attempt (pop3.rules, Medium)

Updated rules:
5318 <-> WEB-CLIENT wmf file arbitrary code execution attempt (web-client.rules, High)
6469 <-> EXPLOIT RealVNC connection attempt (exploit.rules, Low)
6470 <-> EXPLOIT RealVNC authentication types without None type sent attempt (exploit.rules, Low)
6471 <-> EXPLOIT RealVNC password authentication bypass attempt (exploit.rules, High)
8472 <-> BACKDOOR superspy 2.0 beta runtime detection - screen capture 2 (backdoor.rules, High)
8473 <-> BACKDOOR superspy 2.0 beta runtime detection - screen capture (backdoor.rules, High)
13161 <-> EXPLOIT HP OpenView CGI parameter buffer overflow attempt (exploit.rules, High)
13465 <-> WEB-CLIENT Microsoft Works file download request (web-client.rules, Low)
13611 <-> DELETED EXPLOIT RealVNC client response (deleted.rules, Low)
13612 <-> DELETED EXPLOIT RealVNC server authentication bypass attempt (deleted.rules, Low)
13678 <-> MISC Microsoft EMF metafile access detected (misc.rules, High)
13801 <-> WEB-CLIENT RTF file download (web-client.rules, Low)
13880 <-> DELETED EXPLOIT RealVNC server authentication version array check (deleted.rules, Low)
13881 <-> DELETED POLICY RealVNC Server configured to allow NULL authentication (deleted.rules, Low)
13882 <-> DELETED POLICY RealVNC Server configured not to require authentication (deleted.rules, Low)
13911 <-> WEB-CLIENT Microsoft search file download attempt (web-client.rules, Low)
13915 <-> WEB-MISC backup file download attempt (web-misc.rules, Low)
13983 <-> WEB-CLIENT Microsoft Office eps file download (web-client.rules, Low)
15123 <-> WEB-CLIENT Rich Text Format file request (web-client.rules, Low)
15294 <-> WEB-CLIENT Microsoft Visio file download request (web-client.rules, Low)
15306 <-> WEB-CLIENT Portable Executable binary file transfer (web-client.rules, Low)
15463 <-> WEB-CLIENT Microsoft Excel file request (web-client.rules, Low)
15464 <-> WEB-CLIENT Microsoft Excel file request (web-client.rules, Low)
15515 <-> ORACLE Oracle Database Server RollbackWorkspace SQL injection attempt (oracle.rules, High)
15518 <-> WEB-MISC Embedded Open Type Font download request (web-misc.rules, Low)
16309 <-> ORACLE auth_sesskey buffer overflow attempt (oracle.rules, High)
16333 <-> WEB-CLIENT Adobe Reader media.newPlayer memory corruption attempt (web-client.rules, High)
16381 <-> NETBIOS SMB session negotiation request (netbios.rules, Low)
16538 <-> NETBIOS NT QUERY SECURITY DESC flowbit (netbios.rules, Low)
16635 <-> WEB-ACTIVEX Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (web-activex.rules, High)
16686 <-> WEB-CLIENT IBM WebSphere application server cross site scripting attempt (web-client.rules, Medium)
16687 <-> WEB-ACTIVEX Juniper Networks SSL-VPN Client JuniperSetup ActiveX control buffer overflow attempt (web-activex.rules, High)