Sourcefire VRT Rules Update

Date: 2010-10-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.0.

The format of the file is:

sid <-> Message (rule group, priority)

New rules:
17801 <-> WEB-CLIENT Director Movie File Embeded (web-client.rules, Low)
17802 <-> WEB-CLIENT Director Movie File Download (web-client.rules, Low)
17803 <-> WEB-CLIENT Adobe Shockwave Director rcsL chunk memory corruption attempt (web-client.rules, High)
17804 <-> WEB-CLIENT Mozilla Firefox html tag attributes memory corruption (web-client.rules, High)
17805 <-> SPYWARE-PUT Worm.Win32.Neeris.BF contact to server attempt (spyware-put.rules, High)

Updated rules:
12972 <-> WEB-CLIENT Microsoft Media Player .asf markers detected (web-client.rules, High)
13268 <-> RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt (rpc.rules, High)
13419 <-> WEB-ACTIVEX Facebook Photo Uploader ActiveX clsid access (web-activex.rules, High)
13420 <-> WEB-ACTIVEX Facebook Photo Uploader ActiveX clsid unicode access (web-activex.rules, High)
13421 <-> WEB-ACTIVEX Facebook Photo Uploader ActiveX function call access (web-activex.rules, High)
13422 <-> WEB-ACTIVEX Facebook Photo Uploader ActiveX function call unicode access (web-activex.rules, High)
13517 <-> EXPLOIT Apple QTIF malformed idsc atom (exploit.rules, High)
13520 <-> EXPLOIT Winamp Ultravox streaming malicious metadata (exploit.rules, High)
13521 <-> EXPLOIT Winamp Ultravox streaming malicious metadata (exploit.rules, High)
13583 <-> WEB-CLIENT Microsoft SYmbolic LinK file download request (web-client.rules, Low)
13585 <-> WEB-CLIENT Microsoft SYmbolic LinK file download (web-client.rules, Low)
15126 <-> WEB-CLIENT Internet Explorer nested tag memory corruption attempt (web-client.rules, High)
15241 <-> MULTIMEDIA VideoLAN VLC real.c ReadRealIndex real demuxer integer overflow attempt (multimedia.rules, High)
15306 <-> WEB-CLIENT Portable Executable binary file transfer (web-client.rules, Low)
15363 <-> WEB-CLIENT Potential obfuscated javascript eval unescape attack attempt (web-client.rules, Low)
15572 <-> DOS Curse of Silence Nokia SMS DoS attempt (dos.rules, Medium)
15727 <-> POLICY Attempted download of a PDF with embedded Flash (policy.rules, High)
15728 <-> EXPLOIT Possible Adobe PDF ActionScript byte_array heap spray attempt (exploit.rules, High)
15729 <-> EXPLOIT Possible Adobe Flash ActionScript byte_array heap spray attempt (exploit.rules, High)
15993 <-> SPECIFIC-THREATS Adobe Flash Player ActionScript intrf_count integer overflow attempt (specific-threats.rules, High)
16547 <-> WEB-ACTIVEX Java Web Start ActiveX launch command by CLSID (web-activex.rules, High)
16548 <-> WEB-ACTIVEX Java Web Start ActiveX launch command by JavaScript CLSID (web-activex.rules, High)
17644 <-> SPECIFIC-THREATS Internet Explorer object clone deletion memory corruption attempt (specific-threats.rules, High)
17654 <-> SPECIFIC-THREATS Facebook Photo Uploader ActiveX exploit attempt (specific-threats.rules, High)