Sourcefire VRT Rules Update

Date: 2010-04-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8_6_0.

The format of the file is:

sid - Message (rule group, priority)

New rules:
16482 <-> WEB-CLIENT Internet Explorer userdata behavior memory corruption attempt (web-client.rules, High)

Updated rules:
1201 <-> ATTACK-RESPONSES 403 Forbidden (attack-responses.rules, Medium)
1226 <-> X11 xopen (x11.rules, Low)
1437 <-> MULTIMEDIA Windows Media download (multimedia.rules, High)
1439 <-> MULTIMEDIA Shoutcast playlist redirection (multimedia.rules, High)
1440 <-> MULTIMEDIA Icecast playlist redirection (multimedia.rules, High)
2589 <-> WEB-CLIENT Content-Disposition CLSID command attempt (web-client.rules, High)
2671 <-> WEB-CLIENT bitmap BitmapOffset integer overflow attempt (web-client.rules, High)
2705 <-> WEB-CLIENT JPEG parser heap overflow attempt (web-client.rules, High)
3192 <-> WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt (web-client.rules, High)
3473 <-> WEB-CLIENT RealPlayer SMIL file overflow attempt (web-client.rules, High)
3534 <-> WEB-CLIENT Mozilla GIF single packet heap overflow - NETSCAPE2.0 (web-client.rules, High)
3535 <-> WEB-CLIENT GIF transfer (web-client.rules, Low)
3536 <-> WEB-CLIENT Mozilla GIF multipacket heap overflow - NETSCAPE2.0 (web-client.rules, High)
3632 <-> WEB-CLIENT Bitmap width integer overflow attempt (web-client.rules, High)
3683 <-> WEB-CLIENT spoofed MIME-Type auto-execution attempt (web-client.rules, High)
3819 <-> WEB-CLIENT multipacket CHM file transfer start (web-client.rules, Low)
3820 <-> WEB-CLIENT multipacket CHM file transfer attempt (web-client.rules, High)
3821 <-> WEB-CLIENT CHM file transfer attempt (web-client.rules, High)
4135 <-> WEB-CLIENT IE JPEG heap overflow single packet attempt (web-client.rules, Medium)
4194 <-> WEB-CLIENT multipacket CBO CBL CBM file transfer start (web-client.rules, Low)
4196 <-> WEB-CLIENT CBO CBL CBM file transfer attempt (web-client.rules, High)
4678 <-> WEB-CLIENT quicktime movie file transfer (web-client.rules, Low)
4680 <-> WEB-CLIENT quicktime movie file component name integer overflow attempt (web-client.rules, High)
5910 <-> SPYWARE-PUT Trackware casalemedia runtime detection (spyware-put.rules, Medium)
6058 <-> BACKDOOR neurotickat1.3 runtime detection - icq notification (backdoor.rules, High)
6069 <-> BACKDOOR optixlite 1.0 runtime detection - icq notification (backdoor.rules, High)
6504 <-> WEB-CLIENT Sophos Anti-Virus CAB file overflow attempt (web-client.rules, High)
7762 <-> BACKDOOR analftp 0.1 runtime detection - icq notification (backdoor.rules, High)
11192 <-> POLICY download of executable content (policy.rules, High)
14039 <-> EXPLOIT GNOME Project libxslt RC4 key string buffer overflow attempt (exploit.rules, High)
15417 <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (content-replace.rules, High)
15418 <-> CHAT AIM server certificate for encrypted login (chat.rules, High)
15568 <-> CHAT AIM encrypted login attempt (chat.rules, High)
15569 <-> CHAT Yahoo encrypted login attempt (chat.rules, High)
15910 <-> SPECIFIC-THREATS Microsoft IE objects handling memory corruption attempt (specific-threats.rules, High)
16032 <-> WEB-CLIENT Microsoft Internet Explorer HTML Decoding memory corruption attempt (web-client.rules, High)
16033 <-> SPECIFIC-THREATS Microsoft Internet Explorer compressed content attempt (specific-threats.rules, High)
16143 <-> WEB-CLIENT Microsoft asf file download (web-client.rules, Low)
16295 <-> WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields (web-client.rules, High)
16313 <-> POLICY download of executable content - x-header (policy.rules, High)
16554 <-> WEB-CLIENT Adobe Acrobat JavaScript getIcon method buffer overflow attempt (web-client.rules, High)