Sourcefire VRT Rules Update
Date: 2010-06-29
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8_6_0.
The format of the file is:
sid - Message (rule group, priority)
New rules:

16739 <-> WEB-CLIENT MultiMedia Jukebox multiple playlist file handling overflow attempt (web-client.rules, High)
16740 <-> SPECIFIC-THREATS Microsoft Works WkImgSrv.dll ActiveX control code execution attempt (specific-threats.rules, High)
16741 <-> SPECIFIC-THREATS Microsoft Works WkImgSrv.dll ActiveX control exploit attempt (specific-threats.rules, High)
16742 <-> WEB-MISC remote desktop configuration file download request (web-misc.rules, Low)
16743 <-> WEB-CLIENT Cain & Abel Remote Desktop Protocol file handling buffer overflow attempt (web-client.rules, High)
16744 <-> WEB-CLIENT DX Studio Player plug-in command injection attempt (web-client.rules, High)
16745 <-> SPECIFIC-THREATS DjVu ActiveX control ImageURL property overflow attempt (specific-threats.rules, High)
16746 <-> WEB-ACTIVEX IBM Access Support ActiveX clsid access (web-activex.rules, High)
16747 <-> WEB-ACTIVEX IBM Access Support ActiveX clsid unicode access (web-activex.rules, High)
16748 <-> WEB-ACTIVEX IBM Access Support ActiveX function call access (web-activex.rules, High)
16749 <-> WEB-ACTIVEX IBM Access Support ActiveX function call unicode access (web-activex.rules, High)
16750 <-> DELETED WEB-CLIENT IBM Access Support ActiveX GetXMLValue method buffer overflow attempt (deleted.rules, High)
16751 <-> WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt (web-client.rules, High)
16752 <-> WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt (web-client.rules, High)
16753 <-> WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt (web-client.rules, High)
16754 <-> NETBIOS SMB /PlughNTCommand andx create tree attempt (netbios.rules, Low)
16755 <-> NETBIOS SMB /PlughNTCommand create tree attempt (netbios.rules, Low)
16756 <-> NETBIOS SMB /PlughNTCommand unicode andx create tree attempt (netbios.rules, Low)
16757 <-> NETBIOS SMB /PlughNTCommand unicode create tree attempt (netbios.rules, Low)
16758 <-> NETBIOS-DG SMB /PlughNTCommand andx create tree attempt (netbios.rules, Low)
16759 <-> NETBIOS-DG SMB /PlughNTCommand create tree attempt (netbios.rules, Low)
16760 <-> NETBIOS-DG SMB /PlughNTCommand unicode andx create tree attempt (netbios.rules, Low)
16761 <-> NETBIOS-DG SMB /PlughNTCommand unicode create tree attempt (netbios.rules, Low)
16762 <-> NETBIOS SMB Timbuktu Pro overflow WriteAndX andx attempt (netbios.rules, High)
16763 <-> NETBIOS SMB Timbuktu Pro overflow WriteAndX attempt (netbios.rules, High)
16764 <-> NETBIOS SMB Timbuktu Pro overflow WriteAndX unicode andx attempt (netbios.rules, High)
16765 <-> NETBIOS SMB Timbuktu Pro overflow WriteAndX unicode attempt (netbios.rules, High)
16766 <-> NETBIOS SMB Timbuktu Pro overflow andx attempt (netbios.rules, High)
16767 <-> WEB-ACTIVEX AwingSoft Web3D Player ActiveX clsid access (web-activex.rules, High)
16768 <-> WEB-ACTIVEX AwingSoft Web3D Player ActiveX clsid unicode access (web-activex.rules, High)
16769 <-> WEB-ACTIVEX AwingSoft Web3D Player ActiveX function call access (web-activex.rules, High)
16770 <-> WEB-ACTIVEX AwingSoft Web3D Player ActiveX function call unicode access (web-activex.rules, High)
16771 <-> SPECIFIC-THREATS AwingSoft Web3D Player WindsPlayerIE.View.1 ActiveX SceneURL method overflow attempt (specific-threats.rules, High)
16772 <-> WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX clsid access (web-activex.rules, High)
16773 <-> WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX clsid unicode access (web-activex.rules, High)
16774 <-> WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX function call access (web-activex.rules, High)
16775 <-> WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX function call unicode access (web-activex.rules, High)
16776 <-> SPECIFIC-THREATS KeyWorks KeyHelp 'keyhelp.ocx' ActiveX control multiple method overflow attempt (specific-threats.rules, High)
16777 <-> ORACLE Secure Backup NDMP packet handling DoS attempt (oracle.rules, Medium)
16778 <-> ORACLE Secure Backup NDMP packet handling DoS attempt (oracle.rules, Medium)
16779 <-> WEB-ACTIVEX EasyMail IMAP4 ActiveX clsid access (web-activex.rules, High)
16780 <-> WEB-ACTIVEX EasyMail IMAP4 ActiveX clsid unicode access (web-activex.rules, High)
16781 <-> WEB-ACTIVEX EasyMail IMAP4 ActiveX function call access (web-activex.rules, High)
16782 <-> WEB-ACTIVEX EasyMail IMAP4 ActiveX function call unicode access (web-activex.rules, High)
16783 <-> WEB-ACTIVEX Autodesk iDrop ActiveX clsid access (web-activex.rules, High)
16784 <-> WEB-ACTIVEX Autodesk iDrop ActiveX function call access (web-activex.rules, High)
16785 <-> SPECIFIC-THREATS AwingSoft Winds3D Player SceneURL method command execution attempt (specific-threats.rules, High)
16786 <-> SPECIFIC-THREATS Microsoft Office Web Components Spreadsheet ActiveX buffer overflow attempt (specific-threats.rules, High)
16787 <-> SPECIFIC-THREATS Symantec multiple products AeXNSConsoleUtilities RunCMD buffer overflow attempt (specific-threats.rules, High)
16788 <-> EXPLOIT RealVNC VNC Server ClientCutText message memory corruption attempt (exploit.rules, High)
16789 <-> SPECIFIC-THREATS Chilkat Crypt 2 ActiveX WriteFile method arbitrary file overwrite attempt - 1 (specific-threats.rules, High)
16790 <-> SPECIFIC-THREATS Chilkat Crypt 2 ActiveX WriteFile method arbitrary file overwrite attempt - 2 (specific-threats.rules, High)
16791 <-> WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX clsid access (web-activex.rules, High)
16792 <-> WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX clsid unicode access (web-activex.rules, High)
16793 <-> WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX function call access (web-activex.rules, High)
16794 <-> WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX function call unicode access (web-activex.rules, High)
16795 <-> DOS Google Chrome FTP handling out-of-bounds array index denial of service attempt (dos.rules, Medium)
16796 <-> RPC Sun Solaris sadmind UDP data length integer overflow attempt (rpc.rules, High)
16797 <-> RPC Sun Solaris sadmind TCP data length integer overflow attempt (rpc.rules, High)
16798 <-> SPECIFIC-THREATS Orbit Downloader long URL buffer overflow attempt (specific-threats.rules, High)
16799 <-> POP3 Eureka Mail 2.2q server error response overflow attempt (pop3.rules, Medium)

Updated rules:

5318 <-> WEB-CLIENT wmf file arbitrary code execution attempt (web-client.rules, High)
6469 <-> EXPLOIT RealVNC connection attempt (exploit.rules, Low)
6470 <-> EXPLOIT RealVNC authentication types without None type sent attempt (exploit.rules, Low)
6471 <-> EXPLOIT RealVNC password authentication bypass attempt (exploit.rules, High)
8472 <-> BACKDOOR superspy 2.0 beta runtime detection - screen capture 2 (backdoor.rules, High)
8473 <-> BACKDOOR superspy 2.0 beta runtime detection - screen capture (backdoor.rules, High)
13161 <-> EXPLOIT HP OpenView CGI parameter buffer overflow attempt (exploit.rules, High)
13465 <-> WEB-CLIENT Microsoft Works file download request (web-client.rules, Low)
13611 <-> DELETED EXPLOIT RealVNC client response (deleted.rules, Low)
13612 <-> DELETED EXPLOIT RealVNC server authentication bypass attempt (deleted.rules, Low)
13678 <-> MISC Microsoft EMF metafile access detected (misc.rules, High)
13801 <-> WEB-CLIENT RTF file download (web-client.rules, Low)
13880 <-> DELETED EXPLOIT RealVNC server authentication version array check (deleted.rules, Low)
13881 <-> DELETED POLICY RealVNC Server configured to allow NULL authentication (deleted.rules, Low)
13882 <-> DELETED POLICY RealVNC Server configured not to require authentication (deleted.rules, Low)
13911 <-> WEB-CLIENT Microsoft search file download attempt (web-client.rules, Low)
13915 <-> WEB-MISC backup file download attempt (web-misc.rules, Low)
13983 <-> WEB-CLIENT Microsoft Office eps file download (web-client.rules, Low)
14264 <-> MULTIMEDIA Windows Media Player playlist download (multimedia.rules, Low)
15123 <-> WEB-CLIENT Rich Text Format file request (web-client.rules, Low)
15294 <-> WEB-CLIENT Microsoft Visio file download request (web-client.rules, Low)
15306 <-> WEB-CLIENT Portable Executable binary file transfer (web-client.rules, Low)
15463 <-> WEB-CLIENT Microsoft Excel file request (web-client.rules, Low)
15464 <-> WEB-CLIENT Microsoft Excel file request (web-client.rules, Low)
15515 <-> ORACLE Oracle Database Server RollbackWorkspace SQL injection attempt (oracle.rules, High)
15518 <-> WEB-MISC Embedded Open Type Font download request (web-misc.rules, Low)
16143 <-> WEB-CLIENT Microsoft asf file download (web-client.rules, Low)
16309 <-> ORACLE auth_sesskey buffer overflow attempt (oracle.rules, High)
16333 <-> WEB-CLIENT Adobe Reader media.newPlayer memory corruption attempt (web-client.rules, High)
16381 <-> NETBIOS SMB session negotiation request (netbios.rules, Low)
16538 <-> NETBIOS NT QUERY SECURITY DESC flowbit (netbios.rules, Low)
16635 <-> WEB-ACTIVEX Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (web-activex.rules, High)
16686 <-> WEB-CLIENT IBM WebSphere application server cross site scripting attempt (web-client.rules, Medium)
16687 <-> WEB-ACTIVEX Juniper Networks SSL-VPN Client JuniperSetup ActiveX control buffer overflow attempt (web-activex.rules, High)
