Sourcefire VRT Rules Update

Date: 2011-02-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.

The format of the file is:

sid <-> Message (rule group, priority)

New rules:
18464 <-> WEB-CGI Adobe ColdFusion directory traversal attempt (web-cgi.rules, High)
18465 <-> WEB-PHP FreePBX recording interface file upload code execution attempt (web-php.rules, High)
18466 <-> WEB-MISC raSMP User-Agent XSS injection attempt (web-misc.rules, High)
18467 <-> WEB-MISC raSMP User-Agent XSS injection attempt (web-misc.rules, High)
18468 <-> WEB-CLIENT Microsoft IE malformed iframe unicode buffer overflow attempt (web-client.rules, High)
18469 <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (content-replace.rules, Low)
18470 <-> WEB-MISC Java floating point number denial of service - via URI (web-misc.rules, Medium)
18471 <-> WEB-MISC Java floating point number denial of service - via POST (web-misc.rules, Medium)
18472 <-> NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarLookupSids lsa_io_trans_name heap overflow attempt (netbios.rules, Low)

Updated rules:
2085 <-> WEB-CGI parse_xml.cgi access (web-cgi.rules, Medium)
2086 <-> WEB-CGI streaming server parse_xml.cgi access (web-cgi.rules, Medium)
2435 <-> WEB-CLIENT Microsoft emf metafile access (web-client.rules, High)
8428 <-> WEB-MISC SSLv2 openssl get shared ciphers overflow attempt (web-misc.rules, High)
15507 <-> DELETED SPECIFIC-THREATS DCERPC NCACN-IP-TCP lsarpc LsarLookupSids translated_names overflow attempt (deleted.rules, Low)
17231 <-> WEB-CLIENT Microsoft Kodak Imaging small offset malformed tiff - little-endian (web-client.rules, High)
17232 <-> WEB-CLIENT Microsoft Kodak Imaging large offset malformed tiff - big-endian (web-client.rules, High)
17536 <-> WEB-MISC Free Download Manager Remote Control Server HTTP Auth Header buffer overflow attempt (web-misc.rules, High)
18312 <-> EXPLOIT Subversion 1.0.2 get-dated-rev buffer overflow over http attempt (exploit.rules, High)
18328 <-> WEB-CLIENT Adobe multiple products dwmapi.dll dll-load exploit attempt (web-client.rules, High)
18330 <-> NETBIOS Adobe multiple products dwmapi.dll dll-load exploit attempt (netbios.rules, High)