Sourcefire VRT Rules Update
Date: 2011-02-23
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.
The format of the file is:
sid - Message (rule group, priority)
New rules:
18464 <-> WEB-CGI Adobe ColdFusion directory traversal attempt (web-cgi.rules, High)
18465 <-> WEB-PHP FreePBX recording interface file upload code execution attempt (web-php.rules, High)
18466 <-> WEB-MISC raSMP User-Agent XSS injection attempt (web-misc.rules, High)
18467 <-> WEB-MISC raSMP User-Agent XSS injection attempt (web-misc.rules, High)
18468 <-> WEB-CLIENT Microsoft IE malformed iframe unicode buffer overflow attempt (web-client.rules, High)
18469 <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (content-replace.rules, Low)
18470 <-> WEB-MISC Java floating point number denial of service - via URI (web-misc.rules, Medium)
18471 <-> WEB-MISC Java floating point number denial of service - via POST (web-misc.rules, Medium)
18472 <-> NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarLookupSids lsa_io_trans_name heap overflow attempt (netbios.rules, Low)

Updated rules:
2085 <-> WEB-CGI parse_xml.cgi access (web-cgi.rules, Medium)
2086 <-> WEB-CGI streaming server parse_xml.cgi access (web-cgi.rules, Medium)
2435 <-> WEB-CLIENT Microsoft emf metafile access (web-client.rules, High)
8428 <-> WEB-MISC SSLv2 openssl get shared ciphers overflow attempt (web-misc.rules, High)
15507 <-> DELETED SPECIFIC-THREATS DCERPC NCACN-IP-TCP lsarpc LsarLookupSids translated_names overflow attempt (deleted.rules, Low)
17231 <-> WEB-CLIENT Microsoft Kodak Imaging small offset malformed tiff - little-endian (web-client.rules, High)
17232 <-> WEB-CLIENT Microsoft Kodak Imaging large offset malformed tiff - big-endian (web-client.rules, High)
17536 <-> WEB-MISC Free Download Manager Remote Control Server HTTP Auth Header buffer overflow attempt (web-misc.rules, High)
18312 <-> EXPLOIT Subversion 1.0.2 get-dated-rev buffer overflow over http attempt (exploit.rules, High)
18328 <-> WEB-CLIENT Adobe multiple products dwmapi.dll dll-load exploit attempt (web-client.rules, High)
18330 <-> NETBIOS Adobe multiple products dwmapi.dll dll-load exploit attempt (netbios.rules, High)
