Sourcefire VRT Rules Update
Date: 2010-06-17
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8_6_0.
The format of the file is:
sid - Message (rule group, priority)
New rules:
16668 <-> SPECIFIC-THREATS Google Chrome GURL cross origin bypass attempt - 2 (specific-threats.rules, High)
16669 <-> SPYWARE-PUT Spyeye bot contact to C&C server attempt (spyware-put.rules, High)
16670 <-> SPYWARE-PUT Koobface worm executable download attempt (spyware-put.rules, High)
16671 <-> SPECIFIC-THREATS IBM Lotus Domino Web Access ActiveX exploit attempt (specific-threats.rules, High)
16672 <-> SPECIFIC-THREATS Symantec Backup Exec ActiveX control buffer overflow attempt (specific-threats.rules, High)
16673 <-> WEB-CLIENT Adobe Shockwave DIR file PAMI chunk code execution attempt (web-client.rules, High)
16674 <-> WEB-MISC HP OpenView CGI parameter buffer overflow attempt (web-misc.rules, High)
16675 <-> SPECIFIC-THREATS CA BrightStor ListCtrl ActiveX exploit attempt (specific-threats.rules, High)
16676 <-> SPECIFIC-THREATS Adobe Reader malformed FlateDecode colors declaration (specific-threats.rules, High)
16677 <-> WEB-CLIENT Adobe Reader malformed FlateDecode colors declaration (web-client.rules, High)
16678 <-> WEB-PHP Tandberg VCS local file disclosure attempt (web-php.rules, High)
16679 <-> WEB-MISC Microsoft Windows GDIplus integer overflow attempt (web-misc.rules, Low)
16680 <-> POLICY Tandberg VCS SSH default key (policy.rules, Low)
16681 <-> WEB-MISC Basic Authorization string overflow attempt (web-misc.rules, Medium)
16682 <-> WEB-MISC Sun ONE Web Server JSP source code disclosure attempt (web-misc.rules, Medium)
16683 <-> WEB-MISC Nullsoft Winamp CAF file processing integer overflow attempt (web-misc.rules, High)
16684 <-> DOS Samba smbd Session Setup AndX security blob length dos attempt (dos.rules, Medium)
16685 <-> EXPLOIT IBM Tivoli Storage Manager Client dsmagent.exe NodeName length buffer overflow attempt (exploit.rules, High)
16686 <-> WEB-CLIENT IBM WebSphere application server cross site scripting attempt (web-client.rules, Medium)
16687 <-> WEB-ACTIVEX Juniper Networks SSL-VPN Client JuniperSetup ActiveX control buffer overflow attempt (web-activex.rules, High)
16688 <-> EXPLOIT iscsi target format string code execution attempt (exploit.rules, High)
16689 <-> WEB-CLIENT Palo Alto Networks Firewall editUser.esp XSS attempt (web-client.rules, High)
16690 <-> SPECIFIC-THREATS Microsoft Internet Explorer createTextRange code execution attempt (specific-threats.rules, High)
16691 <-> WEB-CLIENT PLF playlist file download request (web-client.rules, Low)
16692 <-> WEB-CLIENT BlazeVideo BlazeDVD PLF playlist file name buffer overflow attempt (web-client.rules, High)
16693 <-> SPYWARE-PUT Torpig bot sinkhole server DNS lookup attempt (spyware-put.rules, High)
16694 <-> DOS RealNetworks Helix Server RTSP SETUP request denial of service attempt (dos.rules, Medium)
16695 <-> SPYWARE-PUT Rogue AV download/update atttempt (spyware-put.rules, High)
16696 <-> WEB-CLIENT Astonsoft Deepburner dbr file name buffer overflow attempt (web-client.rules, High)
16697 <-> FTP httpdx USER null byte denial of service (ftp.rules, Medium)
16698 <-> FTP httpdx PASS null byte denial of service (ftp.rules, Medium)
16699 <-> RPC Linux Kernel nfsd v2 udp CAP_MKNOD security bypass attempt (rpc.rules, Medium)
16700 <-> RPC Linux Kernel nfsd v2 tcp CAP_MKNOD security bypass attempt (rpc.rules, Medium)
16701 <-> RPC Linux Kernel nfsd v3 udp CAP_MKNOD security bypass attempt (rpc.rules, Medium)
16702 <-> RPC Linux Kernel nfsd v3 tcp CAP_MKNOD security bypass attempt (rpc.rules, Medium)
16703 <-> WEB-MISC Oracle MySQL Database COM_FIELD_LIST Buffer Overflow attempt (web-misc.rules, High)
16704 <-> SPECIFIC-THREATS CA eTrust PestPatrol 'ppctl.dll' ActiveX Initialize method overflow attempt (specific-threats.rules, High)
16705 <-> RPC Sun Solaris sadmind UDP array size buffer overflow attempt (rpc.rules, High)
16706 <-> RPC Sun Solaris sadmind TCP array size buffer overflow attempt (rpc.rules, High)
16707 <-> MYSQL Sun MySQL mysql_log COM_CREATE_DB format string vulnerability exploit attempt (mysql.rules, High)
16708 <-> MYSQL Sun MySQL mysql_log COM_DROP_DB format string vulnerability exploit attempt (mysql.rules, High)
16709 <-> DOS RealNetworks Helix Server RTSP SET_PARAMETERS empty DataConvertBuffer header denial of service attempt (dos.rules, Medium)
16710 <-> EXPLOIT Oracle BEA Weblogic server console-help.portal cross-site scripting attempt (exploit.rules, High)

Updated rules:
1260 <-> DELETED WEB-MISC long basic authorization string (deleted.rules, Medium)
2180 <-> P2P BitTorrent announce request (p2p.rules, High)
2278 <-> WEB-MISC client negative Content-Length attempt (web-misc.rules, Medium)
3466 <-> DELETED WEB-MISC Authorization Basic overflow attempt (deleted.rules, High)
11966 <-> WEB-CLIENT Microsoft Internet Explorer CSS tag memory corruption attempt (web-client.rules, High)
13419 <-> WEB-ACTIVEX Facebook Photo Uploader ActiveX clsid access (web-activex.rules, High)
13420 <-> WEB-ACTIVEX Facebook Photo Uploader ActiveX clsid unicode access (web-activex.rules, High)
13421 <-> WEB-ACTIVEX Facebook Photo Uploader ActiveX function call access (web-activex.rules, High)
13422 <-> WEB-ACTIVEX Facebook Photo Uploader ActiveX function call unicode access (web-activex.rules, High)
13905 <-> WEB-ACTIVEX Microsoft Access Snapshot Viewer 1 ActiveX function call access (web-activex.rules, High)
13906 <-> WEB-ACTIVEX Microsoft Access Snapshot Viewer 1 ActiveX function call unicode access (web-activex.rules, High)
13909 <-> DELETED WEB-ACTIVEX Microsoft Access Snapshot Viewer 2 ActiveX function call access (deleted.rules, High)
13910 <-> DELETED WEB-ACTIVEX Microsoft Access Snapshot Viewer 2 ActiveX function call unicode access (deleted.rules, High)
13989 <-> SQL large number of calls to char function - possible sql injection obfuscation (sql.rules, High)
15584 <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules, High)
16051 <-> SPECIFIC-THREATS Microsoft Publisher 2007 conversion library code execution attempt (specific-threats.rules, High)
16144 <-> SPYWARE-PUT Bredolab bot contact to C&C server attempt (spyware-put.rules, High)
16453 <-> DELETED SPECIFIC-THREATS SMB Negotiate Protocol response DoS attempt - empty SMB 1 (deleted.rules, Medium)
16483 <-> SPYWARE-PUT Koobface worm submission of collected data to C&C server attempt (specific-threats.rules, High)
16484 <-> SPYWARE-PUT Koobface contact to C&C server attempt (specific-threats.rules, High)
16485 <-> SPYWARE-PUT Koobface request for captcha attempt (specific-threats.rules, High)
16493 <-> SPYWARE-PUT TT-bot botnet contact to C&C server attempt (spyware-put.rules, High)
16606 <-> ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt (oracle.rules, High)
16665 <-> WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt (web-client.rules, High)
16666 <-> SPECIFIC-THREATS Apple Safari window.parent.close unspecified remote code execution vulnerability (specific-threats.rules, High)
16667 <-> SPECIFIC-THREATS Google Chrome GURL cross origin bypass attempt - 1 (specific-threats.rules, High)
