Sourcefire VRT Rules Update
Date: 2010-09-07
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.
The format of the file is:
sid - Message (rule group, priority)
New rules:
17210 <-> POLICY Portable Executable binary file transfer over SMB (policy.rules, High)
17211 <-> WEB-CLIENT Quicktime marshaled punk remote code execution (web-client.rules, High)
17212 <-> WEB-CLIENT Mozilla Firefox JavaScript eval arbitrary code execution attempt (web-client.rules, High)
17213 <-> WEB-CLIENT Mozilla Firefox Chrome Page Loading Restriction Bypass attempt (web-client.rules, High)
17214 <-> SPECIFIC-THREATS Adobe Reader and Acrobat libtiff TIFFFetchShortPair stack buffer overflow attempt (specific-threats.rules, High)
17215 <-> SPECIFIC-THREATS Adobe Reader and Acrobat libtiff TIFFFetchShortPair stack buffer overflow attempt (specific-threats.rules, High)
17216 <-> WEB-CLIENT Apple Safari TABLE tag with large CELLSPACING attribute exploit attempt (web-client.rules, High)
17217 <-> WEB-CLIENT Apple Safari invalid FRAME tag remote code execution attempt (web-client.rules, High)
17218 <-> WEB-CLIENT Apple Safari LI tag with large VALUE attribute exploit attempt (web-client.rules, High)

Updated rules:
3409 <-> NETBIOS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (netbios.rules, High)
10214 <-> WEB-ACTIVEX Shockwave ActiveX Control ActiveX clsid access (web-activex.rules, High)
10215 <-> WEB-ACTIVEX Shockwave ActiveX Control ActiveX clsid unicode access (web-activex.rules, High)
10216 <-> WEB-ACTIVEX Shockwave ActiveX Control ActiveX function call access (web-activex.rules, High)
12069 <-> EXPLOIT Microsoft Windows Active Directory Crafted LDAP ModifyRequest (exploit.rules, High)
13216 <-> WEB-ACTIVEX ShockwaveFlash.ShockwaveFlash ActiveX function call access (web-activex.rules, High)
15867 <-> WEB-CLIENT Adobe Acrobat PDF font processing memory corruption attempt (web-client.rules, High)
17209 <-> SQL IBM DB2 DATABASE SERVER SQL REPEAT Buffer Overflow (sql.rules, High)
