Sourcefire VRT Rules Update

Date: 2010-09-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.0.

Each entry in the lists below has the format:

sid <-> Message (rules file, priority)

where the message begins with the rule's category (for example WEB-CLIENT or SPECIFIC-THREATS) and priority is Low, Medium or High.

New rules:
17346 <-> SPECIFIC-THREATS IBM Lotus Notes Cross Site Scripting attempt (specific-threats.rules, Low)
17347 <-> WEB-CLIENT Microsoft Windows Color Management Module buffer overflow attempt (web-client.rules, High)
17348 <-> WEB-CLIENT Microsoft Windows Color Management Module buffer overflow attempt (web-client.rules, High)
17349 <-> WEB-CLIENT Microsoft Windows Color Management Module buffer overflow attempt (web-client.rules, High)
17350 <-> ORACLE Application Server Forms Arbitrary System Command Execution Attempt (oracle.rules, High)
17351 <-> WEB-CLIENT Winamp ID3v2 Tag Handling Buffer Overflow attempt (web-client.rules, High)
17352 <-> EXPLOIT ClamAV CHM File Handling Integer Overflow attempt (exploit.rules, High)
17353 <-> EXPLOIT Sun Solaris printd Daemon Arbitrary File Deletion attempt (exploit.rules, Medium)
17354 <-> SPECIFIC-THREATS Apache Byte-Range Filter denial of service attempt (specific-threats.rules, Medium)
17355 <-> WEB-CLIENT Microsoft Internet Explorer JPEG Decoder Vulnerabilities attempt (web-client.rules, High)
17356 <-> EXPLOIT NOD32 Anti-Virus ARJ Archive Handling Buffer Overflow attempt (exploit.rules, High)
17357 <-> CHAT Gaim AIM-ICQ Protocol Handling Buffer Overflow attempt (chat.rules, High)
17358 <-> EXPLOIT ClamAV UPX File Handling Buffer Overflow attempt (exploit.rules, High)
17359 <-> WEB-CLIENT xbm image file download request (web-client.rules, Low)
17360 <-> WEB-CLIENT Mozilla Firefox XBM image processing buffer overflow attempt (web-client.rules, High)
17361 <-> SPECIFIC-THREATS Adobe Acrobat Reader PDF Catalog Handling denial of service attempt (specific-threats.rules, High)
17362 <-> WEB-CLIENT Microsoft Excel IMDATA buffer overflow attempt (web-client.rules, High)
17363 <-> WEB-CLIENT Apple computer finder DMG volume name memory corruption (web-client.rules, High)
17364 <-> WEB-CLIENT Microsoft Help Workshop CNT Help contents (web-client.rules, Medium)
17365 <-> WEB-CLIENT Microsoft Help Workshop CNT Help contents buffer overflow attempt (web-client.rules, High)
17366 <-> WEB-CLIENT Microsoft Help Workshop HPJ OPTIONS section buffer overflow attempt (web-client.rules, High)
17367 <-> FTP Microsoft Internet Explorer FTP Response Parsing Memory Corruption (ftp.rules, High)
17368 <-> WEB-CLIENT Microsoft Word document stream handling code execution attempt (web-client.rules, High)
17369 <-> IMAP MailEnable Service APPEND Command Handling Buffer Overflow (imap.rules, High)
17370 <-> WEB-MISC Squid authentication headers handling denial of service attempt (web-misc.rules, Low)
17371 <-> WEB-MISC Squid authentication headers handling denial of service attempt (web-misc.rules, Medium)
17372 <-> WEB-CLIENT Apple QuickTime udta atom parsing heap overflow vulnerability (web-client.rules, High)
17373 <-> SPECIFIC-THREATS QuickTime panorama atoms buffer overflow attempt (specific-threats.rules, High)
17374 <-> SPECIFIC-THREATS Microsoft Windows HLP File Handling heap overflow attempt (specific-threats.rules, High)
17375 <-> ORACLE dbms_snap_internal.delete_refresh_operations buffer overflow attempt (oracle.rules, High)
17376 <-> WEB-MISC IBM Lotus Expeditor cai URI handler command execution attempt (web-misc.rules, High)
17377 <-> SPECIFIC-THREATS Microsoft excel Malformed Filter Records Handling Code Execution attempt (specific-threats.rules, High)
17378 <-> WEB-CLIENT Mozilla Firefox Animated PNG Processing integer overflow (web-client.rules, High)
17379 <-> WEB-CLIENT Mozilla Firefox Animated PNG Processing integer overflow (web-client.rules, High)
17380 <-> WEB-CLIENT PNG file download request (web-client.rules, Low)
17381 <-> SPECIFIC-THREATS Apple QuickTime PDAT Atom parsing buffer overflow attempt (specific-threats.rules, High)
17382 <-> SPECIFIC-THREATS Microsoft Project Invalid Memory Pointer Code Execution attempt (specific-threats.rules, High)
17383 <-> SPECIFIC-THREATS Microsoft Publisher Object Handler Validation Code Execution attempted (specific-threats.rules, High)
17384 <-> WEB-CLIENT Microsoft Internet Explorer setRequestHeader overflow attempt (web-client.rules, High)
17385 <-> WEB-CLIENT Microsoft Internet Explorer setRequestHeader overflow attempt (web-client.rules, High)
17386 <-> SPECIFIC-THREATS Lighttpd mod_fastcgi Extension CGI Variable Overwriting Vulnerability attempt (specific-threats.rules, High)
17387 <-> WEB-MISC Apache Tomcat allowLinking URIencoding directory traversal attempt (web-misc.rules, Medium)
17388 <-> WEB-CLIENT OpenOffice EMF file EMR record parsing integer overflow attempt (web-client.rules, High)
17389 <-> SPECIFIC-THREATS mozilla firefox DOMNodeRemoved attack attempt (specific-threats.rules, High)
17390 <-> DOS ClamAV Antivirus Function Denial of Service attempt (dos.rules, Medium)
17391 <-> WEB-MISC Tomcat UNIX platform directory traversal (web-misc.rules, High)
17392 <-> SHELLCODE JavaScript var shellcode (shellcode.rules, High)
17393 <-> SHELLCODE JavaScript var heapspray (shellcode.rules, High)
17394 <-> WEB-CLIENT GIF file download request (web-client.rules, Low)
17395 <-> SPECIFIC-THREATS Sun Java Web Start Splashscreen GIF decoding buffer overflow attempt (specific-threats.rules, High)
17396 <-> EXPLOIT VNC client authentication response (exploit.rules, Low)
17397 <-> EXPLOIT VNCViewer Authenticate buffer overflow attempt (exploit.rules, High)
17398 <-> WEB-CLIENT Mozilla Firefox Javascript array.splice memory corruption attempt (web-client.rules, High)
17399 <-> WEB-CLIENT Mozilla Firefox Javascript array.splice memory corruption attempt (web-client.rules, High)
17400 <-> WEB-CLIENT rename of JavaScript unescape function - likely malware obfuscation (web-client.rules, High)
17401 <-> SPECIFIC-THREATS Internet Explorer nested tag memory corruption attempt - unescaped (web-client.rules, High)
17402 <-> SPECIFIC-THREATS Internet Explorer nested tag memory corruption attempt (specific-threats.rules, High)
17403 <-> WEB-CLIENT OpenOffice RTF File parsing heap buffer overflow attempt (web-client.rules, High)
17404 <-> EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt (exploit.rules, High)
17405 <-> EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt (exploit.rules, High)
17406 <-> EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt (exploit.rules, High)
17407 <-> WEB-CLIENT Windows help file download request (web-client.rules, Low)
17408 <-> WEB-CLIENT Microsoft DirectX Targa image file heap overflow attempt (web-client.rules, High)
17409 <-> WEB-CLIENT Mozilla Products IDN Spoofing Vulnerability Attempt (web-client.rules, High)
17410 <-> WEB-MISC Generic HyperLink Buffer Overflow attempt (web-misc.rules, High)
17411 <-> SPECIFIC-THREATS Microsoft Internet Explorer CDF cross-domain scripting attempt (specific-threats.rules, High)
17412 <-> MYSQL CREATE FUNCTION mysql.func Arbitrary Library Injection attempt (mysql.rules, High)
17413 <-> SPECIFIC-THREATS Microsoft Jet DB Engine Buffer Overflow attempt (specific-threats.rules, High)
17414 <-> SPECIFIC-THREATS Mozilla Firefox Javascript Engine Information Disclosure attempt (specific-threats.rules, High)
17415 <-> SPECIFIC-THREATS Mozilla Firefox Javascript Engine Information Disclosure attempt (specific-threats.rules, High)
17416 <-> ORACLE Database Intermedia Denial of Service Attempt (oracle.rules, Medium)
17417 <-> ORACLE Database Intermedia Denial of Service Attempt (oracle.rules, Medium)
17418 <-> ORACLE Oracle connection established (oracle.rules, High)
17419 <-> ORACLE Oracle database SQL compiler read-only join auth bypass attempt (oracle.rules, High)
17420 <-> WEB-MISC Citrix Program Neighborhood Agent Arbitrary Shortcut Creation attempt (web-misc.rules, High)
17421 <-> WEB-CLIENT Microsoft OLE automation string manipulation overflow attempt (web-client.rules, High)
17422 <-> SPECIFIC-THREATS Firefox defineSetter function pointer memory corruption attempt (specific-threats.rules, High)
17423 <-> WEB-MISC Citrix Program Neighborhood Agent Buffer Overflow attempt (web-misc.rules, High)
17424 <-> SPECIFIC-THREATS Mozilla Firefox IconURL Arbitrary Javascript Execution attempt (specific-threats.rules, High)
17425 <-> SPECIFIC-THREATS RealPlayer ActiveX Import playlist name buffer overflow attempt (specific-threats.rules, High)
17426 <-> WEB-CLIENT RAT file download request (web-client.rules, Low)
17427 <-> SPECIFIC-THREATS Oracle database DBMS_Scheduler privilege escalation attempt (specific-threats.rules, High)
17430 <-> SPECIFIC-THREATS BitDefender Antivirus PDF processing memory corruption attempt (specific-threats.rules, High)
17431 <-> EXPLOIT Microsoft IIS SChannel improper certificate verification (exploit.rules, Low)

Updated rules:
477 <-> ICMP Source Quench (icmp.rules, Medium)
1842 <-> IMAP login buffer overflow attempt (imap.rules, High)
1993 <-> IMAP login literal buffer overflow attempt (imap.rules, Medium)
2338 <-> FTP LIST buffer overflow attempt (ftp.rules, Medium)
2349 <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters attempt (netbios.rules, Low)
2435 <-> WEB-CLIENT Microsoft emf metafile download request (web-client.rules, High)
2438 <-> WEB-CLIENT RealPlayer playlist file URL overflow attempt (web-client.rules, High)
2439 <-> WEB-CLIENT RealPlayer playlist http URL overflow attempt (web-client.rules, High)
2440 <-> WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt (web-client.rules, High)
3074 <-> IMAP SUBSCRIBE overflow attempt (imap.rules, High)
3517 <-> EXPLOIT Computer Associates license PUTOLF overflow attempt (exploit.rules, High)
3686 <-> WEB-CLIENT Microsoft Internet Explorer Content Advisor memory corruption attempt (web-client.rules, High)
3694 <-> WEB-MISC Squid content length cache poisoning attempt (web-misc.rules, Medium)
3818 <-> TFTP PUT transfer mode overflow attempt (tftp.rules, High)
4126 <-> EXPLOIT Veritas Backup Exec root connection attempt using default password hash (exploit.rules, Medium)
5997 <-> WEB-MISC WinProxy overly long host header buffer overflow attempt (web-misc.rules, High)
7435 <-> WEB-ACTIVEX Dynamic Casts ActiveX clsid access (web-activex.rules, High)
7436 <-> WEB-ACTIVEX Dynamic Casts ActiveX function call (web-activex.rules, High)
8723 <-> WEB-ACTIVEX Microsoft Office Data Source Control 11.0 ActiveX clsid access (web-activex.rules, High)
9633 <-> EXPLOIT Computer Associates Product Discovery Service type 9B remote buffer overflow attempt TCP (exploit.rules, High)
9820 <-> WEB-ACTIVEX OWC11.DataSourceControl.11 ActiveX function call access (web-activex.rules, High)
10063 <-> WEB-CLIENT Firefox query interface suspicious function call access attempt (web-client.rules, High)
10192 <-> WEB-ACTIVEX RealPlayer Ierpplug.dll ActiveX clsid access (web-activex.rules, High)
11004 <-> IMAP CRAM-MD5 authentication method buffer overflow (imap.rules, High)
11834 <-> WEB-MISC Internet Explorer navcancl.htm url spoofing attempt (web-misc.rules, Medium)
12219 <-> WEB-CLIENT SMIL RealPlayer wallclock parsing buffer overflow (web-client.rules, High)
12286 <-> WEB-CLIENT PCRE character class double free overflow attempt (web-client.rules, High)
12472 <-> WEB-ACTIVEX Sun Java Web Start ActiveX clsid access (web-activex.rules, High)
12473 <-> WEB-ACTIVEX Sun Java Web Start ActiveX clsid unicode access (web-activex.rules, High)
12474 <-> WEB-ACTIVEX Sun Java Web Start ActiveX function call access (web-activex.rules, High)
12475 <-> WEB-ACTIVEX Sun Java Web Start ActiveX function call unicode access (web-activex.rules, High)
13162 <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters overflow attempt (netbios.rules, High)
15126 <-> WEB-CLIENT Internet Explorer nested tag memory corruption attempt (web-client.rules, High)
15157 <-> WEB-CLIENT VideoLAN VLC Media Player XSPF memory corruption attempt TEST (web-client.rules, High)
15166 <-> WEB-CLIENT VideoLAN VLC Media Player RealText buffer overflow attempt (web-client.rules, High)
15428 <-> WEB-CLIENT Mozilla Firefox SVG data processing memory corruption attempt (web-client.rules, High)
15434 <-> WEB-MISC HP OpenView Network Node Manager OvOSLocale parameter buffer overflow attempt (web-misc.rules, High)
15478 <-> SPECIFIC-THREATS Adobe Flash Player invalid object reference code execution attempt (specific-threats.rules, High)
15484 <-> IMAP CRAM-MD5 authentication method buffer overflow (imap.rules, High)
16036 <-> WEB-CLIENT Mozilla Products QueryInterface method memory corruption attempt (web-client.rules, High)
17246 <-> DELETED SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt (deleted.rules, High)
17247 <-> DELETED SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt (deleted.rules, High)
17248 <-> DELETED SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt (deleted.rules, High)
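The entry format described at the top of this note is regular enough to parse, and the entries moved into deleted.rules at the end of the updated list are the ones an operator most needs to act on, since a local list that pins those SIDs is stale after the update. The script below is an added example, not part of this VRT note and not Sourcefire tooling: it parses a constructed excerpt of the entries above, separates new from updated rules, flags the SIDs that were moved into deleted.rules, and compares them against a hypothetical local enable list (the SID set passed to retired_sids is an assumption for illustration).

```python
import re
from collections import Counter

# Constructed sample: a handful of entries copied from the update above, not the
# full list. It keeps the leading-space alignment of the 477 entry on purpose.
SAMPLE_UPDATE = """\
New rules:
17346 <-> SPECIFIC-THREATS IBM Lotus Notes Cross Site Scripting attempt (specific-threats.rules, Low)
17392 <-> SHELLCODE JavaScript var shellcode (shellcode.rules, High)
17431 <-> EXPLOIT Microsoft IIS SChannel improper certificate verification (exploit.rules, Low)

Updated rules:
 477 <-> ICMP Source Quench (icmp.rules, Medium)
15157 <-> WEB-CLIENT VideoLAN VLC Media Player XSPF memory corruption attempt TEST (web-client.rules, High)
17246 <-> DELETED SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt (deleted.rules, High)
17247 <-> DELETED SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt (deleted.rules, High)
"""

# One entry: "<sid> <-> <message> (<file>.rules, <priority>)"
ENTRY_RE = re.compile(
    r"^\s*(?P<sid>\d+)\s+<->\s+(?P<msg>.*?)\s+"
    r"\((?P<file>[\w.-]+\.rules),\s*(?P<prio>Low|Medium|High)\)\s*$"
)
SECTIONS = {"New rules:": "new", "Updated rules:": "updated"}


def parse_update(text):
    """Parse a VRT update note into a list of entry dicts.

    Each dict has: sid (int), section ("new"/"updated"), category (the leading
    message token such as WEB-CLIENT), message, rules_file, priority, deleted.
    A rule is 'deleted' when the VRT moved it into deleted.rules; its message
    is prefixed with DELETED, so the original category is the next token.
    """
    entries = []
    section = None
    for line in text.splitlines():
        heading = SECTIONS.get(line.strip())
        if heading:
            section = heading
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank lines, the header, the format description
        tokens = m["msg"].split()
        deleted = m["file"] == "deleted.rules" or tokens[0] == "DELETED"
        category = tokens[1] if tokens[0] == "DELETED" and len(tokens) > 1 else tokens[0]
        entries.append({
            "sid": int(m["sid"]),
            "section": section,
            "category": category,
            "message": m["msg"],
            "rules_file": m["file"],
            "priority": m["prio"],
            "deleted": deleted,
        })
    return entries


def retired_sids(entries, enabled_sids):
    """SIDs from a local enable list that this update moved into deleted.rules.

    Those SIDs are retired by the VRT, so a local list that still names them
    (the enabled_sids set is an assumed local list) should be cleaned up.
    """
    enabled = set(enabled_sids)
    return sorted(e["sid"] for e in entries if e["deleted"] and e["sid"] in enabled)


def new_sids_by_priority(entries, priority="High"):
    """New SIDs at the given priority: the ones to review first for tuning."""
    return sorted(e["sid"] for e in entries
                  if e["section"] == "new" and e["priority"] == priority)


def count_by_rules_file(entries):
    """How many entries touch each rules file, e.g. to see which files changed."""
    return Counter(e["rules_file"] for e in entries)


if __name__ == "__main__":
    parsed = parse_update(SAMPLE_UPDATE)
    print(f"{len(parsed)} entries parsed")
    print("new High-priority SIDs:", new_sids_by_priority(parsed))
    # Hypothetical local enable list: one SID in it was retired by this update.
    print("retired from local list:", retired_sids(parsed, {15157, 17246, 17431}))
    for rules_file, n in sorted(count_by_rules_file(parsed).items()):
        print(f"{rules_file}: {n}")
```

To run it against the real note, replace SAMPLE_UPDATE with the file contents; lines that do not match the entry pattern (the title, date and format description) are skipped, so the whole note can be fed in unchanged.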