Sourcefire VRT Rules Update

Date: 2010-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.

The format of the file is:

sid <-> Message (rule group, priority)

New rules:
18186 <-> SPECIFIC-THREATS Mozilla products -moz-grid and -moz-grid-group display styles code execution attempt (specific-threats.rules, High)
18187 <-> SPECIFIC-THREATS Mozilla Firefox InstallTrigger.install memory corruption attempt (specific-threats.rules, High)
18188 <-> SPECIFIC-THREATS Multiple browser marquee tag denial of service attempt (specific-threats.rules, Medium)
18189 <-> NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum attempt (netbios.rules, Low)
18190 <-> NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum attempt (netbios.rules, Low)
18191 <-> NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum attempt (netbios.rules, Low)
18192 <-> NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum attempt (netbios.rules, Low)
18193 <-> SPECIFIC-THREATS Microsoft Internet Explorer cross domain information disclosure attempt (specific-threats.rules, High)
18194 <-> SPECIFIC-THREATS Microsoft Internet Explorer cross domain information disclosure attempt (specific-threats.rules, High)
18195 <-> SPECIFIC-THREATS SMB Negotiate Protocol response DoS attempt (specific-threats.rules, Medium)
18196 <-> WEB-CLIENT Microsoft Internet Explorer CSS importer use-after-free attempt (web-client.rules, High)

Updated rules:
14900 <-> NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum overflow attempt (netbios.rules, High)
14988 <-> NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum overflow attempt (netbios.rules, High)
15167 <-> POLICY Suspicious .cn dns query (policy.rules, High)
15168 <-> POLICY Suspicious .ru dns query (policy.rules, High)
15887 <-> EXPLOIT SAPLPD 0x05 command buffer overflow attempt (exploit.rules, High)
15888 <-> EXPLOIT SAPLPD 0x31 command buffer overflow attempt (exploit.rules, High)
15889 <-> EXPLOIT SAPLPD 0x32 command buffer overflow attempt (exploit.rules, High)
15890 <-> EXPLOIT SAPLPD 0x33 command buffer overflow attempt (exploit.rules, High)
15891 <-> EXPLOIT SAPLPD 0x34 command buffer overflow attempt (exploit.rules, High)
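The entry format above (sid, message, rule file, priority under a "New rules:" or "Updated rules:" header) is simple enough to parse so that an update can be checked against a local deployment before it is applied. The following Python is an added example, not Sourcefire or VRT tooling: it parses the changelog into structured records, flags updated sids that the deployment has disabled locally (so their new revisions get re-evaluated rather than silently staying off), and summarizes priorities per section. The sample text is constructed from a few of this page's own entries so the script runs offline; the locally disabled sid set is a hypothetical input.

```python
import re
from collections import defaultdict

# Constructed sample input in this update's own format, so the example runs
# offline. Real use would read the full update text from a file instead.
SAMPLE_UPDATE = """\
Sourcefire VRT Rules Update

Date: 2010-12-09

New rules:
18186 <-> SPECIFIC-THREATS Mozilla products -moz-grid and -moz-grid-group display styles code execution attempt (specific-threats.rules, High)
18196 <-> WEB-CLIENT Microsoft Internet Explorer CSS importer use-after-free attempt (web-client.rules, High)

Updated rules:
14900 <-> NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum overflow attempt (netbios.rules, High)
15167 <-> POLICY Suspicious .cn dns query (policy.rules, High)
"""

# One entry line: "<sid> <-> <message> (<rule file>, <priority>)".
# The message is matched non-greedily and the group is anchored to the end
# of the line, so parentheses inside a message do not confuse the split.
ENTRY_RE = re.compile(
    r"^(?P<sid>\d+)\s+<->\s+(?P<message>.+?)\s+"
    r"\((?P<group>[^,()]+),\s*(?P<priority>[^)]+)\)\s*$"
)
SECTION_RE = re.compile(r"^(?P<section>New|Updated) rules:\s*$")


def parse_update(text):
    """Parse an update into {"new": [...], "updated": [...], "unparsed": [...]}.

    Lines before the first section header (title, date) are skipped. Inside a
    section, any line that does not match the entry format is kept under
    "unparsed" so a malformed changelog is noticed instead of silently losing
    rules.
    """
    result = {"new": [], "updated": [], "unparsed": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section").lower()
            continue
        if section is None:
            continue  # header material before the first section
        m = ENTRY_RE.match(line)
        if m:
            message = m.group("message")
            result[section].append({
                "sid": int(m.group("sid")),
                "message": message,
                # Leading token of the message, e.g. SPECIFIC-THREATS, WEB-CLIENT.
                "category": message.split(" ", 1)[0],
                "group": m.group("group"),
                "priority": m.group("priority"),
            })
        else:
            result["unparsed"].append(line)
    return result


def sids_needing_review(parsed, locally_disabled):
    """Updated sids that are disabled in this deployment.

    A rule that was switched off for an old revision (false positives, an
    irrelevant platform) may have changed; its new revision deserves a look
    rather than inheriting the disable. `locally_disabled` is a hypothetical
    set of ints, e.g. read from a disablesid-style list.
    """
    return sorted(e["sid"] for e in parsed["updated"] if e["sid"] in locally_disabled)


def count_by_priority(parsed, section):
    """Number of entries per priority in one section ("new" or "updated")."""
    counts = defaultdict(int)
    for e in parsed[section]:
        counts[e["priority"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_update(SAMPLE_UPDATE)
    for section in ("new", "updated"):
        print(section, count_by_priority(parsed, section))
    # Hypothetical local disable list: sid 15167 is off, 99999 is unrelated.
    print("review:", sids_needing_review(parsed, {15167, 99999}))
    print("unparsed:", parsed["unparsed"])
```

Anything landing in "unparsed" means the changelog format drifted (a new section name, a different separator) and the script, not the update, needs adjusting before its output is trusted.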