Sourcefire VRT Rules Update

Date: 2010-08-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8_5_3.

The format of the file is:

sid <-> Message (rule group, priority)
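The following parser for this line format is an added example and is not part of the Sourcefire update or of the VRT tooling. It reads a changelog of this shape into records (SID, message, rule file, priority, New/Updated section), counts the entries by section, priority and rule file, and picks out the new High-priority SIDs to review first. The SAMPLE text is a constructed subset of the lines below, so the script runs offline; the names parse_update, summarize and triage are this example's own.

```python
"""Parse a Sourcefire VRT rule-update changelog into records and summarize it."""
import re
from collections import Counter
from dataclasses import dataclass

# One entry per line: "<sid> <-> <message> (<rule file>, <priority>)"
ENTRY_RE = re.compile(
    r"^(?P<sid>\d+)\s+<->\s+(?P<msg>.+?)\s+"
    r"\((?P<group>[\w.-]+),\s*(?P<priority>High|Medium|Low)\)\s*$"
)
SECTION_RE = re.compile(r"^(?P<section>New|Updated) rules:\s*$")


@dataclass(frozen=True)
class RuleEntry:
    sid: int
    msg: str
    group: str       # rule file, e.g. web-activex.rules
    priority: str    # High / Medium / Low
    section: str     # "New" or "Updated"

    @property
    def category(self):
        # The message's leading token is the rule category (WEB-ACTIVEX, NETBIOS, ...)
        return self.msg.split(" ", 1)[0]


def parse_update(text):
    """Return the RuleEntry list for a changelog; skip the preamble, reject malformed entries."""
    entries = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:
            continue  # title, date and format description precede the first section
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: malformed entry: {line!r}")
        entries.append(RuleEntry(
            sid=int(m.group("sid")),
            msg=m.group("msg"),
            group=m.group("group"),
            priority=m.group("priority"),
            section=section,
        ))
    return entries


def summarize(entries):
    """Counts by section, priority and rule file, for deciding which .rules files to refresh."""
    return {
        "total": len(entries),
        "by_section": Counter(e.section for e in entries),
        "by_priority": Counter(e.priority for e in entries),
        "by_group": Counter(e.group for e in entries),
    }


def triage(entries, priority="High", section="New"):
    """SIDs to look at first: rules in the given section at the given priority, sorted."""
    return sorted(e.sid for e in entries if e.priority == priority and e.section == section)


# Constructed sample: a handful of lines taken from this update, not the full list.
SAMPLE = """\
Sourcefire VRT Rules Update

Date: 2010-08-03

The format of the file is:

sid <-> Message (rule group, priority)

New rules:
17045 <-> EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (exploit.rules, High)
17055 <-> SPECIFIC-THREATS Oracle Database DBMS TNS Listener denial of service attempt (specific-threats.rules, Medium)
17103 <-> WEB-IIS IIS 5.1 alternate data stream authentication bypass attempt (web-iis.rules, High)

Updated rules:
7036 <-> NETBIOS SMB Trans unicode mailslot heap overflow attempt (netbios.rules, Low)
15306 <-> WEB-CLIENT Portable Executable binary file transfer (web-client.rules, Low)
"""

if __name__ == "__main__":
    rules = parse_update(SAMPLE)
    print(summarize(rules))
    print("review first:", triage(rules))
```

A line inside a section that does not match the entry pattern raises rather than being silently dropped, so a truncated or reformatted changelog does not produce an incomplete SID list without anyone noticing.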

New rules:
17045 <-> EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (exploit.rules, High)
17046 <-> EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (exploit.rules, High)
17047 <-> NETBIOS Microsoft Windows DNS Server RPC management interface buffer overflow attempt (netbios.rules, High)
17049 <-> WEB-MISC Oracle Secure Backup Administration Server authentication bypass attempt via POST (web-misc.rules, High)
17050 <-> WEB-MISC Oracle Secure Backup Administration Server authentication bypass attempt (web-misc.rules, High)
17051 <-> WEB-ACTIVEX Symantec AppStream Client LaunchObj ActiveX clsid access (web-activex.rules, High)
17052 <-> WEB-ACTIVEX Symantec AppStream Client LaunchObj ActiveX clsid unicode access (web-activex.rules, High)
17053 <-> WEB-ACTIVEX Symantec AppStream Client LaunchObj ActiveX function call access (web-activex.rules, High)
17054 <-> WEB-ACTIVEX Symantec AppStream Client LaunchObj ActiveX function call unicode access (web-activex.rules, High)
17055 <-> SPECIFIC-THREATS Oracle Database DBMS TNS Listener denial of service attempt (specific-threats.rules, Medium)
17056 <-> SPECIFIC-THREATS Novell NetIdentity Agent XTIERRPCPIPE remote code execution attempt (specific-threats.rules, High)
17057 <-> SPECIFIC-THREATS Novell Client NetIdentity Agent remote arbitrary pointer dereference code execution attempt (specific-threats.rules, High)
17058 <-> SPECIFIC-THREATS Trojan-Downloader.JS.Agent.ewh Javascript download attempt (specific-threats.rules, High)
17059 <-> FTP Vermillion 1.31 vftpd port command memory corruption (ftp.rules, Medium)
17061 <-> WEB-ACTIVEX Symantec Norton Personal Firewall 2004 ActiveX clsid access (web-activex.rules, High)
17062 <-> WEB-ACTIVEX Symantec Norton Personal Firewall 2004 ActiveX clsid unicode access (web-activex.rules, High)
17063 <-> WEB-ACTIVEX Logitech Video Call 1 ActiveX clsid access (web-activex.rules, High)
17064 <-> WEB-ACTIVEX Logitech Video Call 1 ActiveX clsid unicode access (web-activex.rules, High)
17065 <-> WEB-ACTIVEX Logitech Video Call 2 ActiveX clsid access (web-activex.rules, High)
17066 <-> WEB-ACTIVEX Logitech Video Call 2 ActiveX clsid unicode access (web-activex.rules, High)
17067 <-> WEB-ACTIVEX Logitech Video Call 3 ActiveX clsid access (web-activex.rules, High)
17068 <-> WEB-ACTIVEX Logitech Video Call 3 ActiveX clsid unicode access (web-activex.rules, High)
17069 <-> WEB-ACTIVEX Logitech Video Call 4 ActiveX clsid access (web-activex.rules, High)
17070 <-> WEB-ACTIVEX Logitech Video Call 4 ActiveX clsid unicode access (web-activex.rules, High)
17071 <-> WEB-ACTIVEX Logitech Video Call 5 ActiveX clsid access (web-activex.rules, High)
17072 <-> WEB-ACTIVEX Logitech Video Call 5 ActiveX clsid unicode access (web-activex.rules, High)
17073 <-> WEB-ACTIVEX Ask Toolbar AskJeevesToolBar.SettingsPlugin ActiveX clsid access (web-activex.rules, High)
17074 <-> WEB-ACTIVEX Ask Toolbar AskJeevesToolBar.SettingsPlugin ActiveX clsid unicode access (web-activex.rules, High)
17075 <-> WEB-ACTIVEX Ask Toolbar AskJeevesToolBar.SettingsPlugin ActiveX function call access (web-activex.rules, High)
17076 <-> WEB-ACTIVEX Ask Toolbar AskJeevesToolBar.SettingsPlugin ActiveX function call unicode access (web-activex.rules, High)
17077 <-> SPECIFIC-THREATS Ask Toolbar AskJeevesToolBar.SettingsPlugin.1 ActiveX control buffer overflow attempt (specific-threats.rules, High)
17078 <-> WEB-ACTIVEX GOM Player GomWeb ActiveX clsid access (web-activex.rules, High)
17079 <-> WEB-ACTIVEX GOM Player GomWeb ActiveX clsid unicode access (web-activex.rules, High)
17080 <-> WEB-ACTIVEX GOM Player GomWeb ActiveX function call access (web-activex.rules, High)
17081 <-> WEB-ACTIVEX GOM Player GomWeb ActiveX function call unicode access (web-activex.rules, High)
17082 <-> WEB-ACTIVEX SonicWALL SSL-VPN NeLaunchCtrl ActiveX clsid access (web-activex.rules, High)
17083 <-> WEB-ACTIVEX SonicWALL SSL-VPN NeLaunchCtrl ActiveX clsid unicode access (web-activex.rules, High)
17084 <-> WEB-ACTIVEX Creative Software AutoUpdate Engine ActiveX clsid access (web-activex.rules, High)
17085 <-> WEB-ACTIVEX Creative Software AutoUpdate Engine ActiveX clsid unicode access (web-activex.rules, High)
17087 <-> WEB-ACTIVEX VeryDOC PDF Viewer ActiveX clsid access (web-activex.rules, High)
17088 <-> WEB-ACTIVEX VeryDOC PDF Viewer ActiveX clsid unicode access (web-activex.rules, High)
17089 <-> WEB-ACTIVEX VeryDOC PDF Viewer ActiveX function call access (web-activex.rules, High)
17090 <-> WEB-ACTIVEX VeryDOC PDF Viewer ActiveX function call unicode access (web-activex.rules, High)
17092 <-> WEB-ACTIVEX Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX clsid access (web-activex.rules, High)
17093 <-> WEB-ACTIVEX Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX clsid unicode access (web-activex.rules, High)
17094 <-> WEB-ACTIVEX Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX function call access (web-activex.rules, High)
17095 <-> WEB-ACTIVEX Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX function call unicode access (web-activex.rules, High)
17099 <-> WEB-ACTIVEX CommuniCrypt Mail ANSMTP.dll/AOSMTP.dll ActiveX clsid access (web-activex.rules, High)
17100 <-> WEB-ACTIVEX CommuniCrypt Mail ANSMTP.dll/AOSMTP.dll ActiveX clsid unicode access (web-activex.rules, High)
17101 <-> WEB-ACTIVEX CommuniCrypt Mail ANSMTP.dll/AOSMTP.dll ActiveX function call access (web-activex.rules, High)
17102 <-> WEB-ACTIVEX CommuniCrypt Mail ANSMTP.dll/AOSMTP.dll ActiveX function call unicode access (web-activex.rules, High)
17103 <-> WEB-IIS IIS 5.1 alternate data stream authentication bypass attempt (web-iis.rules, High)

Updated rules:
2281 <-> WEB-PHP Setup.php access (web-php.rules, Medium)
7036 <-> NETBIOS SMB Trans unicode mailslot heap overflow attempt (netbios.rules, Low)
7038 <-> NETBIOS-DG SMB Trans unicode mailslot heap overflow attempt (netbios.rules, Low)
7040 <-> NETBIOS SMB Trans unicode andx mailslot heap overflow attempt (netbios.rules, Low)
7042 <-> NETBIOS-DG SMB Trans unicode andx mailslot heap overflow attempt (netbios.rules, Low)
8438 <-> IMAP SSLv2 openssl get shared ciphers overflow attempt (imap.rules, High)
10420 <-> WEB-ACTIVEX HP Mercury Quality Center SPIDERLib ActiveX clsid unicode access (web-activex.rules, High)
13711 <-> MYSQL yaSSL SSLv2 Client Hello Message Cipher Length Buffer Overflow attempt (mysql.rules, High)
13712 <-> MYSQL yaSSL SSLv2 Client Hello Message Session ID Buffer Overflow attempt (mysql.rules, High)
13713 <-> MYSQL yaSSL SSLv2 Client Hello Message Challenge Buffer Overflow attempt (mysql.rules, High)
13714 <-> MYSQL yaSSL SSLv3 Client Hello Message Cipher Specs Buffer Overflow attempt (mysql.rules, High)
15306 <-> WEB-CLIENT Portable Executable binary file transfer (web-client.rules, Low)
16285 <-> RPC AIX ttdbserv function 15 buffer overflow attempt (rpc.rules, High)
17044 <-> SQL WinCC DB default password security bypass attempt (sql.rules, High)