Sourcefire VRT Rules Update
Date: 2010-10-05
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.
The format of the file is:
sid - Message (rule group, priority)
New rules:
17662 <-> SPECIFIC-THREAT Sun Solaris DHCP Client Arbitrary Code Execution attempt (specific-threats.rules, High)
17664 <-> WEB-CLIENT GIF image descriptor memory corruption attempt (web-client.rules, High)
17666 <-> WEB-CLIENT RealNetworks RealPlayer invalid chunk size heap overflow attempt (web-client.rules, High)
17668 <-> POLICY attempted download of a PDF with embedded JavaScript (policy.rules, High)
17669 <-> SPECIFIC-THREAT Oracle Application Server 10g OPMN service format string vulnerability exploit attempt (oracle.rules, High)
17670 <-> WEB-ACTIVEX BigAnt Office Manager ActiveX clsid access (web-activex.rules, High)
17671 <-> WEB-ACTIVEX BigAnt Office Manager ActiveX clsid unicode access (web-activex.rules, High)
17672 <-> WEB-ACTIVEX BigAnt Office Manager ActiveX function call access (web-activex.rules, High)
17673 <-> WEB-ACTIVEX BigAnt Office Manager ActiveX function call unicode access (web-activex.rules, High)
17674 <-> WEB-ACTIVEX Skype Extras Manager ActiveX clsid access (web-activex.rules, High)
17675 <-> WEB-ACTIVEX Skype Extras Manager ActiveX clsid unicode access (web-activex.rules, High)
17676 <-> WEB-ACTIVEX Skype Extras Manager ActiveX function call access (web-activex.rules, High)
17677 <-> WEB-ACTIVEX Skype Extras Manager ActiveX function call unicode access (web-activex.rules, High)
17678 <-> WEB-CLIENT Adobe BMP image handler buffer overflow attempt (web-client.rules, High)
17679 <-> WEB-MISC Apple disk image download request (web-client.rules, Low)
17680 <-> SPECIFIC-THREATS ISC BIND DNSSEC Validation Multiple RRsets DoS (specific-threats.rules, Medium)
17698 <-> SPECIFIC-THREATS RealNetworks RealPlayer wav chunk string overflow attempt in email (specific-threats.rules, High)
17701 <-> SPECIFIC-THREATS Office Viewer ActiveX arbitrary command execution attempt (specific-threats.rules, High)
17702 <-> NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrDfsCreateExitPoint dos attempt (netbios.rules, Medium)
17703 <-> SPECIFIC-THREATS Internet Explorer popup title bar spoofing attempt (specific-threats.rules, Low)
17704 <-> SPECIFIC-THREATS McAfee LHA file parsing buffer overflow attempt (specific-threats.rules, High)
17705 <-> WEB-IIS web agent chunked encoding overflow attempt (web-iis.rules, High)
17706 <-> MISC Veritas NetBackup java user interface service format string attack attempt (misc.rules, High)
17707 <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect trend_req_num buffer overflow attempt (netbios.rules, Low)
17708 <-> EXPLOIT VNC password request URL buffer overflow attempt (exploit.rules, High)

Updated rules:
2278 <-> WEB-MISC client negative Content-Length attempt (web-misc.rules, Medium)
3665 <-> MYSQL server greeting (mysql.rules, High)
3666 <-> MYSQL server greeting finished (mysql.rules, High)
8414 <-> WEB-CLIENT GIF image descriptor memory corruption attempt (web-client.rules, High)
13865 <-> WEB-CLIENT Adobe BMP image handler buffer overflow attempt (web-client.rules, High)
15364 <-> EXPLOIT Ganglia Meta Daemon process_path stack buffer overflow attempt (exploit.rules, High)
15554 <-> ORACLE Oracle Application Server 10g OPMN service format string vulnerability exploit attempt (oracle.rules, High)
16354 <-> POLICY Adobe PDF start-of-file alternate header obfuscation attempt (policy.rules, Low)
16425 <-> WEB-CLIENT request for Portable Executable binary file (web-client.rules, Low)
17276 <-> MISC Multiple vendor Antivirus magic byte detection evasion attempt (misc.rules, High)
17277 <-> WEB-MISC Multiple vendor Antivirus magic byte detection evasion attempt (misc.rules, High)
17278 <-> WEB-MISC Multiple vendor Antivirus magic byte detection evasion attempt (misc.rules, High)
17297 <-> SPECIFIC-THREATS McAfee VirusScan on-access scanner long unicode filename handling buffer overflow attempt (specific-threats.rules, Medium)
17298 <-> MISC IBM Tivoli Monitoring Express Universal Agent Buffer Overflow (misc.rules, High)
17363 <-> WEB-CLIENT Apple computer finder DMG volume name memory corruption (web-client.rules, High)
17451 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17452 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17453 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17454 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17455 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17456 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17568 <-> WEB-MISC Microsoft Office XP URL Handling Buffer Overflow attempt (web-misc.rules, High)
17652 <-> WEB-MISC Microsoft IIS source code disclosure attempt (web-misc.rules, Medium)
3534 <-> WEB-CLIENT Mozilla GIF single packet heap overflow - NETSCAPE2.0 (web-client.rules, High)
3536 <-> WEB-CLIENT Mozilla GIF multipacket heap overflow - NETSCAPE2.0 (web-client.rules, High)
5316 <-> EXPLOIT CA CAM log_security overflow attempt (exploit.rules, Medium)
6502 <-> WEB-CLIENT Mozilla GIF single packet heap overflow - ANIMEXTS1.0 (web-client.rules, High)
6503 <-> WEB-CLIENT Mozilla GIF multipacket heap overflow - ANIMEXTS1.0 (web-client.rules, High)
8358 <-> SPYWARE-PUT Hijacker yok supersearch runtime detection - addressbar keyword search hijack (spyware-put.rules, Low)
8359 <-> SPYWARE-PUT Hijacker yok supersearch runtime detection - target website display (spyware-put.rules, Low)
8360 <-> SPYWARE-PUT Hijacker yok supersearch runtime detection - search info collect (spyware-put.rules, Low)
11176 <-> WEB-ACTIVEX PowerPoint Viewer ActiveX clsid access (web-activex.rules, High)
11181 <-> WEB-ACTIVEX Excel Viewer ActiveX clsid access (web-activex.rules, High)
11182 <-> WEB-ACTIVEX Excel Viewer ActiveX clsid unicode access (web-activex.rules, High)
11183 <-> WEB-ACTIVEX Excel Viewer ActiveX function call access (web-activex.rules, High)
11184 <-> WEB-ACTIVEX Excel Viewer ActiveX function call unicode access (web-activex.rules, High)
11187 <-> WEB-ACTIVEX Word Viewer ActiveX clsid access (web-activex.rules, High)
11199 <-> WEB-ACTIVEX Office Viewer ActiveX clsid access (web-activex.rules, High)
12659 <-> SPYWARE-PUT Trickler zlob media codec runtime detection - automatic updates (spyware-put.rules, Low)
12660 <-> SPYWARE-PUT Trickler zlob media codec runtime detection - download redirect domains (spyware-put.rules, Low)
12678 <-> SPYWARE-PUT SpyTech Realtime Spy Detection (spyware-put.rules, Low)
12983 <-> EXPLOIT DirectX SAMI file CRawParser attempted buffer overflow attempt (exploit.rules, High)
13523 <-> WEB-ACTIVEX Novell iPrint ActiveX clsid access (web-activex.rules, High)
13524 <-> WEB-ACTIVEX Novell iPrint ActiveX clsid unicode access (web-activex.rules, High)
13525 <-> WEB-ACTIVEX Novell iPrint ActiveX function call access (web-activex.rules, High)
13526 <-> WEB-ACTIVEX Novell iPrint ActiveX function call unicode access (web-activex.rules, High)
13553 <-> EXPLOIT Sybase SQL Anywhere Mobilink username string buffer overflow (exploit.rules, High)
13554 <-> EXPLOIT Sybase SQL Anywhere Mobilink version string buffer overflow (exploit.rules, High)
13555 <-> EXPLOIT Sybase SQL Anywhere Mobilink remoteID string buffer overflow (exploit.rules, High)
13774 <-> SPYWARE-PUT Trickler trojan ecodec runtime detection - initial server connection #1 (spyware-put.rules, Low)
13775 <-> SPYWARE-PUT Trickler trojan ecodec runtime detection - initial server connection #2 (spyware-put.rules, Low)
14756 <-> WEB-ACTIVEX Microsoft SQL Server 2000 Client Components ActiveX clsid access (web-activex.rules, High)
15230 <-> WEB-ACTIVEX Office Viewer 2 ActiveX clsid access (web-activex.rules, High)
15672 <-> WEB-ACTIVEX Microsoft Video 7 ActiveX clsid access (web-activex.rules, High)
15673 <-> DELETED WEB-ACTIVEX Microsoft Video 7 ActiveX clsid unicode access (deleted.rules, High)
15910 <-> EXPLOIT Microsoft Internet Explorer getElementById object corruption (specific-threats.rules, High)
