Sourcefire VRT Rules Update

Date: 2011-02-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.

The format of the file is:

sid <-> Message (rule group, priority)

New rules:
18321 <-> WEB-ACTIVEX SonicWall Aventail EPInterrogator ActiveX clsid access (web-activex.rules, High)
18322 <-> WEB-ACTIVEX SonicWall Aventail EPInterrogator ActiveX function call access (web-activex.rules, High)
18323 <-> WEB-ACTIVEX SonicWall Aventail EPInstaller ActiveX clsid access (web-activex.rules, High)
18324 <-> WEB-ACTIVEX SonicWall Aventail EPInstaller ActiveX function call access (web-activex.rules, High)
18325 <-> WEB-ACTIVEX Image Viewer CP Gold 6 ActiveX clsid access (web-activex.rules, High)
18326 <-> FTP ProFTPD mod_site_misc module directory traversal attempt (ftp.rules, High)
18327 <-> SCADA Kingview HMI heap overflow attempt (scada.rules, High)
18328 <-> WEB-CLIENT Adobe Flash Player dwmapi.dll dll-load exploit attempt (web-client.rules, High)
18329 <-> WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX function call access (web-activex.rules, High)
18330 <-> NETBIOS Adobe Flash Player dwmapi.dll dll-load exploit attempt (netbios.rules, High)
18331 <-> WEB-CLIENT Microsoft Office Visio DXF variable name overflow attempt (web-client.rules, High)
18332 <-> WEB-CLIENT Mozilla Firefox JS Web Worker arbitrary code execution attempt (web-client.rules, High)
18333 <-> WEB-MISC phpBook date command execution attempt (web-misc.rules, High)
18334 <-> WEB-MISC phpBook mail command execution attempt (web-misc.rules, High)
18335 <-> WEB-CLIENT Microsoft MHTML XSS attempt (web-client.rules, High)

Updated rules:
1324 <-> EXPLOIT ssh CRC32 overflow /bin/sh (exploit.rules, High)
1325 <-> EXPLOIT ssh CRC32 overflow filler (exploit.rules, High)
1326 <-> EXPLOIT ssh CRC32 overflow NOOP (exploit.rules, High)
1327 <-> EXPLOIT ssh CRC32 overflow (exploit.rules, High)
17416 <-> ORACLE Database Intermedia Denial of Service Attempt (oracle.rules, Medium)
17417 <-> ORACLE Database Intermedia Denial of Service Attempt (oracle.rules, Medium)
18241 <-> WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX clsid access (web-activex.rules, High)
18242 <-> WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX function call access (web-activex.rules, High)