Sourcefire VRT Rules Update

Date: 2010-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version

The format of the file is:

sid - Message (rule group, priority)

New rules:
13472 <-> EXPLOIT Microsoft Works invalid chunk size (exploit.rules, High)
17231 <-> WEB-CLIENT Microsoft Kodak Imaging small offset malformed tiff - little-endian (web-client.rules, High)
17232 <-> WEB-CLIENT Microsoft Kodak Imaging large offset malformed tiff - big-endian (web-client.rules, High)
17257 <-> SPECIFIC-THREATS Adobe Flash Player and Reader remote code execution attempt (specific-threats.rules, High)
17710 <-> EXPLOIT Veritas NetBackup vmd shared library buffer overflow attempt (exploit.rules, High)
17711 <-> WEB-CLIENT Microsoft Windows ASF parsing memory corruption attempt (web-client.rules, High)
17712 <-> SPECIFIC-THREATS TFTP PUT Microsoft RIS filename overwrite attempt (specific-threats.rules, High)
17713 <-> EXPLOIT Novell NetMail NMAP STOR buffer overflow attempt (exploit.rules, High)
17714 <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules, Low)
17715 <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules, Low)
17716 <-> SPECIFIC-THREATS IBM Lotus Notes DOC attachment viewer buffer overflow (specific-threats.rules, High)
17717 <-> SMTP IBM Lotus Notes HTML input tag buffer overflow attempt (smtp.rules, High)
17718 <-> SPECIFIC-THREATS Oracle MDSYS drop table trigger injection attempt (specific-threats.rules, High)
17719 <-> SPECIFIC-THREATS Mozilla Firefox ClearTextRun exploit attempt (specific-threats.rules, High)
17722 <-> ORACLE Oracle XDB.XDB_PITRIG_PKG buffer overflow attempt (oracle.rules, High)
17726 <-> SPECIFIC-THREATS Internet Explorer address bar spoofing attempt (specific-threats.rules, Low)
17727 <-> SPECIFIC-THREATS Sun JDK image parsing library ICC buffer overflow attempt (specific-threats.rules, High)
17729 <-> SPECIFIC-THREATS Microsoft Internet Explorer EMBED element memory corruption attempt (specific-threats.rules, High)
17730 <-> WEB-CLIENT Microsoft XML Core Services MIME Viewer memory corruption attempt (web-client.rules, High)
17732 <-> WEB-CLIENT TIFF file request (web-client.rules, Low)
17733 <-> WEB-MISC XML file download request (web-misc.rules, Low)
17734 <-> WEB-MISC Excel REPT integer underflow attempt (web-misc.rules, High)
17735 <-> SPECIFIC-THREATS Adobe Pagemaker Font Name Buffer Overflow attempt (specific-threats.rules, High)
17736 <-> SPECIFIC-THREATS McAfee LHA Type-2 file handling overflow attempt (specific-threats.rules, High)
17737 <-> SPECIFIC-THREATS Microsoft collaboration data objects buffer overflow attempt (specific-threats.rules, High)
17738 <-> SPECIFIC-THREATS Linux Kernel SNMP Netfilter Memory Corruption attempt (specific-threats.rules, Medium)
17739 <-> POLICY FlashPix file download request (policy.rules, High)
17740 <-> SPECIFIC-THREATS Apple Quicktime FlashPix processing overflow attempt (specific-threats.rules, High)
17745 <-> NETBIOS SMB TRANS2 Find_First2 request attempt (netbios.rules, Low)
17746 <-> NETBIOS SMB client TRANS response Find_First2 filesize overflow attempt (netbios.rules, High)
17748 <-> WEB-MISC TLSv1 Client_Certificate handshake (web-misc.rules, Low)
17749 <-> RPC Linux Kernel nfsd v4 CAP_MKNOD security bypass attempt (rpc.rules, Medium)
17751 <-> WEB-CLIENT OpenType Font file download request (web-client.rules, Low)

Updated rules:
1122 <-> WEB-MISC /etc/passwd (web-misc.rules, Medium)
2472 <-> NETBIOS SMB-DS C$ unicode share access (netbios.rules, Low)
3694 <-> WEB-MISC Squid content length cache poisoning attempt (web-misc.rules, Medium)
4676 <-> ORACLE Enterprise Manager Application Server Control POST Parameter Overflow Attempt (oracle.rules, High)
4677 <-> ORACLE Enterprise Manager Application Server Control GET Parameter Overflow Attempt (oracle.rules, High)
9027 <-> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrJoinDomain2 overflow attempt (netbios.rules, High)
9431 <-> EXPLOIT Microsoft NNTP response overflow attempt (exploit.rules, High)
11947 <-> WEB-CLIENT Windows schannel security package (web-client.rules, High)
12940 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 CA call 269 overflow attempt (netbios.rules, High)
15445 <-> ORACLE Oracle Application Server BPEL module cross site scripting attempt (oracle.rules, High)
15477 <-> EXPLOIT Oracle BEA WebLogic overlong JESSIONID buffer overflow attempt (exploit.rules, Medium)
15910 <-> EXPLOIT Microsoft Internet Explorer getElementById object corruption (exploit.rules, High)
15950 <-> SPECIFIC-THREATS McAfee LHA Type-2 file handling overflow attempt (specific-threats.rules, High)
16006 <-> SPECIFIC-THREATS Quicktime color table id memory corruption attempt (specific-threats.rules, High)
16016 <-> SPECIFIC-THREATS Microsoft client for netware overflow attempt (specific-threats.rules, High)
16142 <-> SPECIFIC-THREATS Mozilla Firefox PKCS11 module installation code execution attempt (specific-threats.rules, High)
16189 <-> ORACLE Oracle Database REPCAT_RPC.VALIDATE_REMOTE_RC SQL injection attempt (oracle.rules, High)
16444 <-> SPECIFIC-THREATS HP StorageWorks storage mirroring double take service code execution attempt (specific-threats.rules, High)
16521 <-> WEB-CLIENT Squid Proxy http version number overflow attempt (web-client.rules, High)
17237 <-> DELETED WEB-CLIENT XBM file download (deleted.rules, Low)
17468 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (web-client.rules, High)