Sourcefire VRT Rules Update

Date: 2010-06-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8_6_0.

The format of the file is:

sid <-> Message (rule group, priority)

New rules:
16739 <-> WEB-CLIENT MultiMedia Jukebox multiple playlist file handling overflow attempt (web-client.rules, High)
16740 <-> SPECIFIC-THREATS Microsoft Works WkImgSrv.dll ActiveX control code execution attempt (specific-threats.rules, High)
16741 <-> SPECIFIC-THREATS Microsoft Works WkImgSrv.dll ActiveX control exploit attempt (specific-threats.rules, High)
16742 <-> WEB-MISC remote desktop configuration file download request (web-misc.rules, Low)
16743 <-> WEB-CLIENT Cain & Abel Remote Desktop Protocol file handling buffer overflow attempt (web-client.rules, High)
16744 <-> WEB-CLIENT DX Studio Player plug-in command injection attempt (web-client.rules, High)
16745 <-> SPECIFIC-THREATS DjVu ActiveX control ImageURL property overflow attempt (specific-threats.rules, High)
16746 <-> WEB-ACTIVEX IBM Access Support ActiveX clsid access (web-activex.rules, High)
16747 <-> WEB-ACTIVEX IBM Access Support ActiveX clsid unicode access (web-activex.rules, High)
16748 <-> WEB-ACTIVEX IBM Access Support ActiveX function call access (web-activex.rules, High)
16749 <-> WEB-ACTIVEX IBM Access Support ActiveX function call unicode access (web-activex.rules, High)
16750 <-> DELETED WEB-CLIENT IBM Access Support ActiveX GetXMLValue method buffer overflow attempt (deleted.rules, High)
16751 <-> WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt (web-client.rules, High)
16752 <-> WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt (web-client.rules, High)
16753 <-> WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt (web-client.rules, High)
16754 <-> NETBIOS SMB /PlughNTCommand andx create tree attempt (netbios.rules, Low)
16755 <-> NETBIOS SMB /PlughNTCommand create tree attempt (netbios.rules, Low)
16756 <-> NETBIOS SMB /PlughNTCommand unicode andx create tree attempt (netbios.rules, Low)
16757 <-> NETBIOS SMB /PlughNTCommand unicode create tree attempt (netbios.rules, Low)
16758 <-> NETBIOS-DG SMB /PlughNTCommand andx create tree attempt (netbios.rules, Low)
16759 <-> NETBIOS-DG SMB /PlughNTCommand create tree attempt (netbios.rules, Low)
16760 <-> NETBIOS-DG SMB /PlughNTCommand unicode andx create tree attempt (netbios.rules, Low)
16761 <-> NETBIOS-DG SMB /PlughNTCommand unicode create tree attempt (netbios.rules, Low)
16762 <-> NETBIOS SMB Timbuktu Pro overflow WriteAndX andx attempt (netbios.rules, High)
16763 <-> NETBIOS SMB Timbuktu Pro overflow WriteAndX attempt (netbios.rules, High)
16764 <-> NETBIOS SMB Timbuktu Pro overflow WriteAndX unicode andx attempt (netbios.rules, High)
16765 <-> NETBIOS SMB Timbuktu Pro overflow WriteAndX unicode attempt (netbios.rules, High)
16766 <-> NETBIOS SMB Timbuktu Pro overflow andx attempt (netbios.rules, High)
16767 <-> WEB-ACTIVEX AwingSoft Web3D Player ActiveX clsid access (web-activex.rules, High)
16768 <-> WEB-ACTIVEX AwingSoft Web3D Player ActiveX clsid unicode access (web-activex.rules, High)
16769 <-> WEB-ACTIVEX AwingSoft Web3D Player ActiveX function call access (web-activex.rules, High)
16770 <-> WEB-ACTIVEX AwingSoft Web3D Player ActiveX function call unicode access (web-activex.rules, High)
16771 <-> SPECIFIC-THREATS AwingSoft Web3D Player WindsPlayerIE.View.1 ActiveX SceneURL method overflow attempt (specific-threats.rules, High)
16772 <-> WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX clsid access (web-activex.rules, High)
16773 <-> WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX clsid unicode access (web-activex.rules, High)
16774 <-> WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX function call access (web-activex.rules, High)
16775 <-> WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX function call unicode access (web-activex.rules, High)
16776 <-> SPECIFIC-THREATS KeyWorks KeyHelp 'keyhelp.ocx' ActiveX control multiple method overflow attempt (specific-threats.rules, High)
16777 <-> ORACLE Secure Backup NDMP packet handling DoS attempt (oracle.rules, Medium)
16778 <-> ORACLE Secure Backup NDMP packet handling DoS attempt (oracle.rules, Medium)
16779 <-> WEB-ACTIVEX EasyMail IMAP4 ActiveX clsid access (web-activex.rules, High)
16780 <-> WEB-ACTIVEX EasyMail IMAP4 ActiveX clsid unicode access (web-activex.rules, High)
16781 <-> WEB-ACTIVEX EasyMail IMAP4 ActiveX function call access (web-activex.rules, High)
16782 <-> WEB-ACTIVEX EasyMail IMAP4 ActiveX function call unicode access (web-activex.rules, High)
16783 <-> WEB-ACTIVEX Autodesk iDrop ActiveX clsid access (web-activex.rules, High)
16784 <-> WEB-ACTIVEX Autodesk iDrop ActiveX function call access (web-activex.rules, High)
16785 <-> SPECIFIC-THREATS AwingSoft Winds3D Player SceneURL method command execution attempt (specific-threats.rules, High)
16786 <-> SPECIFIC-THREATS Microsoft Office Web Components Spreadsheet ActiveX buffer overflow attempt (specific-threats.rules, High)
16787 <-> SPECIFIC-THREATS Symantec multiple products AeXNSConsoleUtilities RunCMD buffer overflow attempt (specific-threats.rules, High)
16788 <-> EXPLOIT RealVNC VNC Server ClientCutText message memory corruption attempt (exploit.rules, High)
16789 <-> SPECIFIC-THREATS Chilkat Crypt 2 ActiveX WriteFile method arbitrary file overwrite attempt - 1 (specific-threats.rules, High)
16790 <-> SPECIFIC-THREATS Chilkat Crypt 2 ActiveX WriteFile method arbitrary file overwrite attempt - 2 (specific-threats.rules, High)
16791 <-> WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX clsid access (web-activex.rules, High)
16792 <-> WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX clsid unicode access (web-activex.rules, High)
16793 <-> WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX function call access (web-activex.rules, High)
16794 <-> WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX function call unicode access (web-activex.rules, High)
16795 <-> DOS Google Chrome FTP handling out-of-bounds array index denial of service attempt (dos.rules, Medium)
16796 <-> RPC Sun Solaris sadmind UDP data length integer overflow attempt (rpc.rules, High)
16797 <-> RPC Sun Solaris sadmind TCP data length integer overflow attempt (rpc.rules, High)
16798 <-> SPECIFIC-THREATS Orbit Downloader long URL buffer overflow attempt (specific-threats.rules, High)
16799 <-> POP3 Eureka Mail 2.2q server error response overflow attempt (pop3.rules, Medium)

Updated rules:
5318 <-> WEB-CLIENT wmf file arbitrary code execution attempt (web-client.rules, High)
6469 <-> EXPLOIT RealVNC connection attempt (exploit.rules, Low)
6470 <-> EXPLOIT RealVNC authentication types without None type sent attempt (exploit.rules, Low)
6471 <-> EXPLOIT RealVNC password authentication bypass attempt (exploit.rules, High)
8472 <-> BACKDOOR superspy 2.0 beta runtime detection - screen capture 2 (backdoor.rules, High)
8473 <-> BACKDOOR superspy 2.0 beta runtime detection - screen capture (backdoor.rules, High)
13161 <-> EXPLOIT HP OpenView CGI parameter buffer overflow attempt (exploit.rules, High)
13465 <-> WEB-CLIENT Microsoft Works file download request (web-client.rules, Low)
13611 <-> DELETED EXPLOIT RealVNC client response (deleted.rules, Low)
13612 <-> DELETED EXPLOIT RealVNC server authentication bypass attempt (deleted.rules, Low)
13678 <-> MISC Microsoft EMF metafile access detected (misc.rules, High)
13801 <-> WEB-CLIENT RTF file download (web-client.rules, Low)
13880 <-> DELETED EXPLOIT RealVNC server authentication version array check (deleted.rules, Low)
13881 <-> DELETED POLICY RealVNC Server configured to allow NULL authentication (deleted.rules, Low)
13882 <-> DELETED POLICY RealVNC Server configured not to require authentication (deleted.rules, Low)
13911 <-> WEB-CLIENT Microsoft search file download attempt (web-client.rules, Low)
13915 <-> WEB-MISC backup file download attempt (web-misc.rules, Low)
13983 <-> WEB-CLIENT Microsoft Office eps file download (web-client.rules, Low)
14264 <-> MULTIMEDIA Windows Media Player playlist download (multimedia.rules, Low)
15123 <-> WEB-CLIENT Rich Text Format file request (web-client.rules, Low)
15294 <-> WEB-CLIENT Microsoft Visio file download request (web-client.rules, Low)
15306 <-> WEB-CLIENT Portable Executable binary file transfer (web-client.rules, Low)
15463 <-> WEB-CLIENT Microsoft Excel file request (web-client.rules, Low)
15464 <-> WEB-CLIENT Microsoft Excel file request (web-client.rules, Low)
15515 <-> ORACLE Oracle Database Server RollbackWorkspace SQL injection attempt (oracle.rules, High)
15518 <-> WEB-MISC Embedded Open Type Font download request (web-misc.rules, Low)
16143 <-> WEB-CLIENT Microsoft asf file download (web-client.rules, Low)
16309 <-> ORACLE auth_sesskey buffer overflow attempt (oracle.rules, High)
16333 <-> WEB-CLIENT Adobe Reader media.newPlayer memory corruption attempt (web-client.rules, High)
16381 <-> NETBIOS SMB session negotiation request (netbios.rules, Low)
16538 <-> NETBIOS NT QUERY SECURITY DESC flowbit (netbios.rules, Low)
16635 <-> WEB-ACTIVEX Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (web-activex.rules, High)
16686 <-> WEB-CLIENT IBM WebSphere application server cross site scripting attempt (web-client.rules, Medium)
16687 <-> WEB-ACTIVEX Juniper Networks SSL-VPN Client JuniperSetup ActiveX control buffer overflow attempt (web-activex.rules, High)