Sourcefire VRT Rules Update

Date: 2010-09-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.

The format of the file is:

sid - Message (rule group, priority)

New rules:
17432 <-> WEB-MISC Squid Gopher protocol handling buffer overflow attempt (web-misc.rules, Medium)
17433 <-> EXPLOIT Sun Solaris DHCP Client Arbitrary Code Execution attempt (exploit.rules, High)
17434 <-> WEB-CLIENT Mozilla Firefox Unicode sequence handling stack corruption attempt (web-client.rules, High)
17435 <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList attempt (netbios.rules, Low)
17436 <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceListSize attempt (netbios.rules, Low)
17437 <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList attempt (netbios.rules, Low)
17438 <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceListSize attempt (netbios.rules, Low)
17439 <-> EXPLOIT Microsoft Distributed Transaction Controller TIP DoS attempt (exploit.rules, Medium)
17440 <-> WEB-MISC RSA authentication agent for web redirect buffer overflow attempt (web-misc.rules, High)
17441 <-> WEB-MISC .lnk file download attempt (web-misc.rules, Low)
17442 <-> POLICY download of Windows .lnk file that executes cmd.exe detected (policy.rules, High)
17443 <-> WEB-CLIENT Microsoft DirectShow AVI decoder buffer overflow attempt (web-client.rules, High)
17444 <-> SPECIFIC-THREATS Firefox 3 xsl parsing heap overflow attempt (specific-threats.rules, High)
17445 <-> SPECIFIC-THREATS Symantec Backup Exec System Recovery Manager unauthorized file upload attempt (specific-threats.rules, Low)
17446 <-> SPECIFIC-THREATS Microsoft Internet Explorer FTP client directory traversal attempt (specific-threats.rules, Low)
17447 <-> WEB-MISC 407 Proxy Authentication Required (web-misc.rules, Low)
17448 <-> SPECIFIC-THREATS Microsoft Internet Explorer HTTPS proxy information disclosure vulnerability (specific-threats.rules, Medium)
17449 <-> WEB-MISC Novell ZENworks patch management SQL injection attempt (web-misc.rules, High)
17450 <-> WEB-MISC CommuniGate Systems CommuniGate Pro LDAP Server buffer overflow attempt (web-misc.rules, High)
17451 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17452 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17453 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17454 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17455 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17456 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17457 <-> WEB-CLIENT Macromedia Flash ActionDefineFunction memory access vulnerability exploit attempt (web-client.rules, High)
17458 <-> WEB-CLIENT BitDefender Internet Security script code execution attempt (web-client.rules, High)
17459 <-> WEB-CLIENT BitDefender Internet Security script code execution attempt (web-client.rules, High)
17460 <-> WEB-CLIENT BitDefender Internet Security script code execution attempt (web-client.rules, High)
17461 <-> SPECIFIC-THREATS RealNetworks RealPlayer zipped skin file buffer overflow attempt (specific-threats.rules, High)
17462 <-> WEB-CLIENT Microsoft Internet Explorer marquee object handling memory corruption attempt (web-client.rules, High)
17463 <-> SPECIFIC-THREATS Internet Explorer File Download Dialog Box Manipulation (specific-threats.rules, High)
17464 <-> WEB-ACTIVEX AOL Radio AmpX ActiveX clsid access (web-activex.rules, High)
17465 <-> WEB-ACTIVEX AOL Radio AmpX ActiveX clsid unicode access (web-activex.rules, High)
17466 <-> SPECIFIC-THREATS IBM Lotus Domino Web Access 7 ActiveX exploit attempt (specific-threats.rules, High)
17467 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (web-client.rules, High)
17468 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (web-client.rules, High)
17469 <-> SPECIFIC-THREATS Mplayer Real Demuxer stream_read heap overflow attempt (specific-threats.rules, High)
17470 <-> SPECIFIC-THREATS Apple QuickTime STSD JPEG atom heap corruption attempt (specific-threats.rules, High)
17471 <-> SPECIFIC-THREATS Adobe Acrobat JavaScript getIcon method buffer overflow attempt (specific-threats.rules, High)
17472 <-> SPECIFIC-THREATS Adobe Acrobat JavaScript getIcon method buffer overflow attempt (specific-threats.rules, High)
17473 <-> ORACLE DBMS_CDC_SUBSCRIBE.EXTEND_WINDOW arbitrary command execution attempt (oracle.rules, Medium)
17474 <-> ORACLE DBMS_CDC_SUBSCRIBE.CREATE_SUBSCRIPTION arbitrary command execution attempt (oracle.rules, Medium)
17475 <-> ORACLE DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION arbitrary command execution attempt (oracle.rules, Medium)
17476 <-> ORACLE DBMS_CDC_SUBSCRIBE.PURGE_WINDOW arbitrary command execution attempt (oracle.rules, Medium)
17477 <-> ORACLE DBMS_CDC_SUBSCRIBE.DROP_SUBSCRIPTION arbitrary command execution attempt (oracle.rules, Medium)
17478 <-> ORACLE DBMS_CDC_SUBSCRIBE.SUBSCRIBE arbitrary command execution attempt (oracle.rules, Medium)
17479 <-> ORACLE DBMS_CDC_ISUBSCRIBE.SUBSCRIBE arbitrary command execution attempt (oracle.rules, Medium)
17480 <-> ORACLE DBMS_CDC_ISUBSCRIBE.CREATE_SUBSCRIPTION arbitrary command execution attempt (oracle.rules, Medium)
17481 <-> SPECIFIC-THREATS Microsoft Exchange and Outlook TNEF Decoding Integer Overflow attempt (specific-threats.rules, High)
17482 <-> WEB-CLIENT Mozilla NNTP URL Handling Buffer Overflow attempt (web-client.rules, High)
17483 <-> DNS squid proxy dns A record response denial of service attempt (dns.rules, Medium)
17484 <-> DNS squid proxy dns PTR record response denial of service attempt (dns.rules, Medium)
17485 <-> DNS Symantec Gateway products DNS cache poisoning attempt (dns.rules, Medium)
17486 <-> WEB-MISC Trend Micro Control Manager Chunked overflow attempt (web-misc.rules, High)
17487 <-> WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt (web-client.rules, Medium)
17488 <-> SPECIFIC-THREATS Excel Malformed Range Code Execution attempt (specific-threats.rules, High)
17489 <-> SPECIFIC-THREATS Microsoft Windows Help File Heap Buffer Overflow attempt (specific-threats.rules, High)
17490 <-> SPECIFIC-THREATS Microsoft Windows itss.dll CHM File Handling Heap Corruption attempt (specific-threats.rules, High)
17491 <-> SPECIFIC-THREATS Microsoft Word mso.dll LsCreateLine Memory Corruption (specific-threats.rules, High)
17492 <-> SPECIFIC-THREATS Microsoft Excel Malformed SELECTION Record Code Execution attempt (specific-threats.rules, High)
17493 <-> SPECIFIC-THREATS ClamAV UPX File Handling Heap overflow attempt (specific-threats.rules, High)
17494 <-> WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt (web-client.rules, High)
17495 <-> SPECIFIC-THREATS Squid proxy DNS response spoofing attempt (specific-threats.rules, Medium)
17496 <-> WEB-CLIENT Microsoft Powerpoint malformed NamedShows record code execution attempt (web-client.rules, High)
17497 <-> WEB-CLIENT Microsoft Powerpoint malformed NamedShows record code execution attempt (web-client.rules, High)
17498 <-> WEB-MISC Tomcat UNIX platform directory traversal (web-misc.rules, High)
17499 <-> WEB-MISC Tomcat UNIX platform directory traversal (web-misc.rules, High)
17500 <-> WEB-MISC Tomcat UNIX platform directory traversal (web-misc.rules, High)
17501 <-> WEB-MISC Tomcat UNIX platform directory traversal (web-misc.rules, High)
17502 <-> WEB-MISC Tomcat UNIX platform directory traversal (web-misc.rules, High)
17503 <-> IMAP MailEnable IMAP Service Invalid Command Buffer Overflow LOGIN (imap.rules, High)
17504 <-> EXPLOIT Novell ZENworks Asset Management buffer overflow attempt (exploit.rules, High)
17505 <-> WEB-CLIENT Microsoft Word formatted disk pages table memory corruption attempt (web-client.rules, High)
17506 <-> WEB-CLIENT Microsoft Word formatted disk pages table memory corruption attempt (web-client.rules, High)
17507 <-> WEB-CLIENT Microsoft Word formatted disk pages table memory corruption attempt (web-client.rules, High)
17508 <-> WEB-MISC Microsoft .NET Application download attempt (web-misc.rules, Medium)
17509 <-> WEB-MISC Microsoft .NET Manifest download attempt (web-misc.rules, Medium)
17510 <-> WEB-MISC Microsoft .NET Deploy download attempt (web-misc.rules, Medium)
17511 <-> WEB-CLIENT Excel malformed Graphic Code Execution (web-client.rules, High)
17512 <-> WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt (web-client.rules, High)
17513 <-> WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt (web-client.rules, High)
17514 <-> WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt (web-client.rules, High)
17515 <-> WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt (web-client.rules, High)
17516 <-> WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt (web-client.rules, High)
17517 <-> WEB-CLIENT Excel Malformed Record Code Execution attempt (web-client.rules, High)
17518 <-> FTP FlashGet PWD command stack buffer overflow attempt (ftp.rules, High)
17519 <-> SPECIFIC-THREATS Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow (specific-threats.rules, High)
17520 <-> EXPLOIT CA ARCserve Backup DB Engine Denial of Service (exploit.rules, Low)
17521 <-> SPECIFIC-THREATS GoodTech SSH Server SFTP Processing Buffer Overflow (specific-threats.rules, High)
17522 <-> SPECIFIC-THREATS Sun Java Runtime Environment Pack200 Decompression Integer Overflow (specific-threats.rules, High)
17523 <-> SPECIFIC-THREATS Apple QuickTime H.264 Movie File Buffer Overflow (specific-threats.rules, High)
17524 <-> SPECIFIC-THREATS Fujitsu SystemcastWizard Lite PXEService UDP Handling Buffer Overflow (specific-threats.rules, High)
17525 <-> SPECIFIC-THREATS Microsoft IIS 5.0 WebDav Request Directory Security Bypass (specific-threats.rules, High)
17526 <-> SPECIFIC-THREATS Adobe Acrobat and Adobe Reader U3D RHAdobeMeta Buffer Overflow (specific-threats.rules, High)
17527 <-> SPECIFIC-THREATS VideoLAN VLC Media Player MP4_BoxDumpStructure Buffer Overflow (specific-threats.rules, High)
17528 <-> SPECIFIC-THREATS nginx URI parsing buffer overflow attempt (specific-threats.rules, High)
17529 <-> SPECIFIC-THREATS Adobe RoboHelp Server Arbitrary File Upload and Execute (specific-threats.rules, High)
17530 <-> SPECIFIC-THREATS HP OpenView Storage Data Protector Stack Buffer Overflow (specific-threats.rules, High)
17531 <-> SPECIFIC-THREATS Apple Quicktime MOV File JVTCompEncodeFrame Heap Overflow (specific-threats.rules, High)
17532 <-> SPECIFIC-THREATS Microsoft Excel TXO and OBJ Records Parsing Stack Memory Corruption (specific-threats.rules, High)
17533 <-> WEB-MISC Apache Struts Information Disclosure Attempt (web-misc.rules, Medium)
17534 <-> MISC IPP Application Content (misc.rules, Low)
17535 <-> MISC Apple CUPS Text to PostScript Filter Integer Overflow attempt (misc.rules, High)
17536 <-> WEB-MISC Free Download Manager Remote Control Server HTTP Auth Header buffer overflow attempt (web-misc.rules, High)
17537 <-> SPECIFIC-THREATS Microsoft Excel Unspecified Null Page Name Memory Corruption Attempt (specific-threats.rules, High)
17538 <-> SPECIFIC-THREATS Microsoft Excel Unspecified Page Name Memory Corruption Attempt (specific-threats.rules, High)
17539 <-> SPECIFIC-THREATS Microsoft Excel Unspecified Graphic Pointer Memory Corruption Attempt (specific-threats.rules, High)
17540 <-> WEB-CLIENT LZH file download (web-client.rules, Low)
17541 <-> SPECIFIC-THREATS Avast! Antivirus Engine Remote LHA buffer overflow attempt (specific-threats.rules, High)
17542 <-> SPECIFIC-THREATS Excel Malformed Palette Record Memory Corruption attempt (specific-threats.rules, High)
17543 <-> WEB-CLIENT Excel Column Record Handling Memory Corruption attempt (web-client.rules, High)
17544 <-> SPECIFIC-THREATS Wireshark LWRES Dissector getaddrsbyname buffer overflow attempt (specific-threats.rules, Medium)
17545 <-> WEB-ACTIVEX Lotus Domino Web Access ActiveX Controls buffer overflow attempt (web-activex.rules, High)
17546 <-> POLICY Microsoft Media Player compressed skin download - .wmd (policy.rules, High)
17547 <-> WEB-CLIENT Apple Quicktime SMIL transfer (web-client.rules, Low)
17548 <-> WEB-CLIENT Apple Quicktime SMIL File Handling Integer Overflow attempt (web-client.rules, High)
17549 <-> SPECIFIC-THREATS Internet Explorer Error Handling Code Execution (specific-threats.rules, High)
17550 <-> SPECIFIC-THREATS Microsoft Word Font Parsing Buffer Overflow attempt (specific-threats.rules, High)
17551 <-> CHAT MSN Messenger and Windows Live Messenger Code Execution attempt (chat.rules, High)
17552 <-> WEB-CLIENT Adobe Pagemaker file request (web-client.rules, Low)
17553 <-> SPECIFIC-THREATS Adobe Pagemaker Font Name Buffer Overflow attempt (specific-threats.rules, High)

Updated rules:
1277 <-> RPC portmap ypupdated request UDP (rpc.rules, Medium)
1634 <-> POP3 PASS overflow attempt (pop3.rules, High)
1734 <-> FTP USER overflow attempt (ftp.rules, High)
1941 <-> TFTP GET filename overflow attempt (tftp.rules, High)
1972 <-> FTP PASS overflow attempt (ftp.rules, High)
1973 <-> FTP MKD overflow attempt (ftp.rules, High)
1975 <-> FTP DELE overflow attempt (ftp.rules, High)
1976 <-> FTP RMD overflow attempt (ftp.rules, High)
2088 <-> RPC ypupdated arbitrary command attempt UDP (rpc.rules, Medium)
2389 <-> FTP RNTO overflow attempt (ftp.rules, High)
2392 <-> FTP RETR overflow attempt (ftp.rules, High)
2435 <-> WEB-CLIENT Microsoft emf metafile access (web-client.rules, High)
2570 <-> WEB-MISC Invalid HTTP Version String (web-misc.rules, Medium)
2611 <-> ORACLE LINK metadata buffer overflow attempt (oracle.rules, High)
3084 <-> EXPLOIT Veritas backup overflow attempt (exploit.rules, High)
3679 <-> WEB-CLIENT Web-client IFRAME src javascript code execution (web-client.rules, High)
4131 <-> EXPLOIT SHOUTcast URI format string attempt (exploit.rules, High)
4142 <-> ORACLE reports servlet command execution attempt (oracle.rules, High)
4676 <-> ORACLE enterprise manager application server control POST parameter overflow attempt (oracle.rules, High)
7020 <-> WEB-CLIENT isComponentInstalled function buffer overflow (web-client.rules, High)
8059 <-> ORACLE SYS.KUPW-WORKER sql injection attempt (oracle.rules, High)
8091 <-> WEB-CLIENT RealNetworks RealPlayer error message format string vulnerability attempt (web-client.rules, High)
9629 <-> WEB-ACTIVEX Citrix.ICAClient ActiveX clsid access (web-activex.rules, High)
9630 <-> WEB-ACTIVEX Citrix.ICAClient ActiveX clsid unicode access (web-activex.rules, High)
9631 <-> WEB-ACTIVEX Citrix.ICAClient ActiveX function call access (web-activex.rules, High)
9840 <-> WEB-CLIENT QuickTime HREF Track Detected (web-client.rules, Low)
10030 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor QSIGetQueuePath_Function_45 overflow attempt (netbios.rules, High)
10486 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 15,16,17 attempt (netbios.rules, Low)
12278 <-> POLICY Microsoft Media Player compressed skin download - .wmz (policy.rules, High)
15153 <-> CHAT Jive Software Openfire Jabber Server setup Authentication bypass attempt (chat.rules, High)
15167 <-> POLICY Suspicious .cn dns query (policy.rules, High)
15168 <-> POLICY Suspicious .ru dns query (policy.rules, High)
15190 <-> WEB-MISC Youngzsoft CCProxy CONNECT Request buffer overflow attempt (web-misc.rules, High)
15431 <-> SPECIFIC-THREATS Firefox 3 xsl parsing heap overflow attempt (specific-threats.rules, High)
15473 <-> WEB-CLIENT Multiple media players M3U playlist file handling buffer overflow attempt (web-client.rules, High)
15493 <-> SPECIFIC-THREATS Adobe PDF getAnnots exploit attempt (specific-threats.rules, High)
15990 <-> WEB-MISC Multiple Vendor server file disclosure attempt (web-misc.rules, High)
15997 <-> SPECIFIC-THREATS Mozilla Firefox JIT escape function memory corruption attempt (specific-threats.rules, High)
16068 <-> SPECIFIC-THREATS Yahoo Music Jukebox ActiveX exploit (specific-threats.rules, High)
16513 <-> SQL Jive Software Openfire Jabber Server SQL injection attempt (sql.rules, High)
17066 <-> WEB-ACTIVEX Logitech Video Call 2 ActiveX clsid unicode access (web-activex.rules, High)
17287 <-> IMAP Cisco IOS HTTP service HTML injection attempt (imap.rules, Medium)
17391 <-> WEB-MISC Tomcat UNIX platform directory traversal (web-misc.rules, High)