Sourcefire VRT Rules Update

Date: 2010-06-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8_6_0.

The format of the file is:

sid - Message (rule group, priority)

New Rules:
16635 <-> WEB-ACTIVEX Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (web-activex.rules, High)
16636 <-> MISC .NET framework XMLDsig data tampering attempt (misc.rules, Medium)
16637 <-> EXPLOIT Microsoft Internet Explorer security zone restriction bypass attempt (exploit.rules, High)
16638 <-> WEB-CLIENT Microsoft Excel OBJ record stack buffer overflow attempt (web-client.rules, High)
16639 <-> WEB-CLIENT Microsoft Excel OBJ record stack buffer overflow attempt - with macro (web-client.rules, High)
16640 <-> WEB-CLIENT Microsoft Excel OBJ record stack buffer overflow attempt - with linkFmla (web-client.rules, High)
16641 <-> WEB-CLIENT Microsoft Excel OBJ record stack buffer overflow attempt - with macro and linkFmla (web-client.rules, High)
16642 <-> POLICY File URI scheme (policy.rules, High)
16643 <-> WEB-CLIENT Microsoft Excel Chart Sheet Substream memory corruption attempt (web-client.rules, High)
16644 <-> EXPLOIT Microsoft Excel WOpt record memory corruption attempt (exploit.rules, High)
16645 <-> EXPLOIT Microsoft Excel SxView record memory pointer corruption attempt (exploit.rules, High)
16646 <-> EXPLOIT Microsoft Excel RealTimeData record stack buffer overflow attempt (exploit.rules, High)
16647 <-> WEB-CLIENT Microsoft Excel RealTimeData record heap memory corruption attempt - 2 (web-client.rules, High)
16648 <-> EXPLOIT Microsoft Excel RealTimeData record heap memory corruption attempt - 1 (exploit.rules, High)
16649 <-> WEB-CLIENT Microsoft Excel HFPicture record stack buffer overflow attempt (web-client.rules, High)
16650 <-> WEB-CLIENT Microsoft Excel ExternName record stack buffer overflow attempt - 1 (web-client.rules, High)
16651 <-> WEB-CLIENT Microsoft Excel ExternName record stack buffer overflow attempt - 2 (web-client.rules, High)
16652 <-> WEB-CLIENT Microsoft Excel ExternName record stack buffer overflow attempt - 3 (web-client.rules, High)
16653 <-> WEB-CLIENT Microsoft Excel ExternName record stack buffer overflow attempt - 4 (web-client.rules, High)
16654 <-> WEB-CLIENT Microsoft Excel undocumented Publisher record heap buffer overflow attempt (web-client.rules, High)
16655 <-> WEB-CLIENT Microsoft Excel Lbl record stack overflow attempt (web-client.rules, High)
16656 <-> WEB-CLIENT Microsoft Excel BIFF5 ExternSheet record stack overflow attempt (web-client.rules, High)
16657 <-> WEB-CLIENT Microsoft Excel DBQueryExt record memory corruption attempt (web-client.rules, High)
16658 <-> WEB-CLIENT Microsoft Internet Explorer 8 cross-site scripting attempt (web-client.rules, High)
16659 <-> EXPLOIT Microsoft Internet Explorer style sheet array memory corruption attempt (exploit.rules, High)
16660 <-> DOS SharePoint Server 2007 help.aspx denial of service attempt (dos.rules, Medium)
16661 <-> EXPLOIT quartz.dll MJPEG content processing memory corruption attempt (exploit.rules, High)
16662 <-> WEB-CLIENT Microsoft Excel SxView heap overflow attempt (web-client.rules, High)
16663 <-> WEB-CLIENT Windows Media Player JPG header record mismatch memory corruption attempt (web-client.rules, High)

Updated Rules:
6403 <-> WEB-PHP horde help module arbitrary command execution attempt (web-php.rules, High)
16440 <-> SPECIFIC-THREATS Possible Zeus User-Agent - ie (specific-threats.rules, High)
16517 <-> WEB-CLIENT Free Download Manager .torrent parsing comment overflow attempt (web-client.rules, High)
16518 <-> WEB-CLIENT Free Download Manager .torrent parsing announce overflow attempt (web-client.rules, High)
16519 <-> WEB-CLIENT Free Download Manager .torrent parsing name overflow attempt (web-client.rules, High)
16520 <-> WEB-CLIENT Free Download Manager .torrent parsing path overflow attempt (web-client.rules, High)
16560 <-> WEB-MISC Microsoft Sharepoint XSS attempt (web-misc.rules, High)