Sourcefire VRT Rules Update
Date: 2010-09-23
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.0.
The format of the file is:
sid - Message (rule group, priority)
New rules:
17346 <-> SPECIFIC-THREATS IBM Lotus Notes Cross Site Scripting attempt (specific-threats.rules, Low)
17347 <-> WEB-CLIENT Microsoft Windows Color Management Module buffer overflow attempt (web-client.rules, High)
17348 <-> WEB-CLIENT Microsoft Windows Color Management Module buffer overflow attempt (web-client.rules, High)
17349 <-> WEB-CLIENT Microsoft Windows Color Management Module buffer overflow attempt (web-client.rules, High)
17350 <-> ORACLE Application Server Forms Arbitrary System Command Execution Attempt (oracle.rules, High)
17351 <-> WEB-CLIENT Winamp ID3v2 Tag Handling Buffer Overflow attempt (web-client.rules, High)
17352 <-> EXPLOIT ClamAV CHM File Handling Integer Overflow attempt (exploit.rules, High)
17353 <-> EXPLOIT Sun Solaris printd Daemon Arbitrary File Deletion attempt (exploit.rules, Medium)
17354 <-> SPECIFIC-THREATS Apache Byte-Range Filter denial of service attempt (specific-threats.rules, Medium)
17355 <-> WEB-CLIENT Microsoft Internet Explorer JPEG Decoder Vulnerabilities attempt (web-client.rules, High)
17356 <-> EXPLOIT NOD32 Anti-Virus ARJ Archive Handling Buffer Overflow attempt (exploit.rules, High)
17357 <-> CHAT Gaim AIM-ICQ Protocol Handling Buffer Overflow attempt (chat.rules, High)
17358 <-> EXPLOIT ClamAV UPX File Handling Buffer Overflow attempt (exploit.rules, High)
17359 <-> WEB-CLIENT xbm image file download request (web-client.rules, Low)
17360 <-> WEB-CLIENT Mozilla Firefox XBM image processing buffer overflow attempt (web-client.rules, High)
17361 <-> SPECIFIC-THREATS Adobe Acrobat Reader PDF Catalog Handling denial of service attempt (specific-threats.rules, High)
17362 <-> WEB-CLIENT Microsoft Excel IMDATA buffer overflow attempt (web-client.rules, High)
17363 <-> WEB-CLIENT Apple computer finder DMG volume name memory corruption (web-client.rules, High)
17364 <-> WEB-CLIENT Microsoft Help Workshop CNT Help contents (web-client.rules, Medium)
17365 <-> WEB-CLIENT Microsoft Help Workshop CNT Help contents buffer overflow attempt (web-client.rules, High)
17366 <-> WEB-CLIENT Microsoft Help Workshop HPJ OPTIONS section buffer overflow attempt (web-client.rules, High)
17367 <-> FTP Microsoft Internet Explorer FTP Response Parsing Memory Corruption (ftp.rules, High)
17368 <-> WEB-CLIENT Microsoft Word document stream handling code execution attempt (web-client.rules, High)
17369 <-> IMAP MailEnable Service APPEND Command Handling Buffer Overflow (imap.rules, High)
17370 <-> WEB-MISC Squid authentication headers handling denial of service attempt (web-misc.rules, Low)
17371 <-> WEB-MISC Squid authentication headers handling denial of service attempt (web-misc.rules, Medium)
17372 <-> WEB-CLIENT Apple QuickTime udta atom parsing heap overflow vulnerability (web-client.rules, High)
17373 <-> SPECIFIC-THREATS QuickTime panorama atoms buffer overflow attempt (specific-threats.rules, High)
17374 <-> SPECIFIC-THREATS Microsoft Windows HLP File Handling heap overflow attempt (specific-threats.rules, High)
17375 <-> ORACLE dbms_snap_internal.delete_refresh_operations buffer overflow attempt (oracle.rules, High)
17376 <-> WEB-MISC IBM Lotus Expeditor cai URI handler command execution attempt (web-misc.rules, High)
17377 <-> SPECIFIC-THREATS Microsoft excel Malformed Filter Records Handling Code Execution attempt (specific-threats.rules, High)
17378 <-> WEB-CLIENT Mozilla Firefox Animated PNG Processing integer overflow (web-client.rules, High)
17379 <-> WEB-CLIENT Mozilla Firefox Animated PNG Processing integer overflow (web-client.rules, High)
17380 <-> WEB-CLIENT PNG file download request (web-client.rules, Low)
17381 <-> SPECIFIC-THREATS Apple QuickTime PDAT Atom parsing buffer overflow attempt (specific-threats.rules, High)
17382 <-> SPECIFIC-THREATS Microsoft Project Invalid Memory Pointer Code Execution attempt (specific-threats.rules, High)
17383 <-> SPECIFIC-THREATS Microsoft Publisher Object Handler Validation Code Execution attempted (specific-threats.rules, High)
17384 <-> WEB-CLIENT Microsoft Internet Explorer setRequestHeader overflow attempt (web-client.rules, High)
17385 <-> WEB-CLIENT Microsoft Internet Explorer setRequestHeader overflow attempt (web-client.rules, High)
17386 <-> SPECIFIC-THREATS Lighttpd mod_fastcgi Extension CGI Variable Overwriting Vulnerability attempt (specific-threats.rules, High)
17387 <-> WEB-MISC Apache Tomcat allowLinking URIencoding directory traversal attempt (web-misc.rules, Medium)
17388 <-> WEB-CLIENT OpenOffice EMF file EMR record parsing integer overflow attempt (web-client.rules, High)
17389 <-> SPECIFIC-THREATS mozilla firefox DOMNodeRemoved attack attempt (specific-threats.rules, High)
17390 <-> DOS ClamAV Antivirus Function Denial of Service attempt (dos.rules, Medium)
17391 <-> WEB-MISC Tomcat UNIX platform directory traversal (web-misc.rules, High)
17392 <-> SHELLCODE JavaScript var shellcode (shellcode.rules, High)
17393 <-> SHELLCODE JavaScript var heapspray (shellcode.rules, High)
17394 <-> WEB-CLIENT GIF file download request (web-client.rules, Low)
17395 <-> SPECIFIC-THREATS Sun Java Web Start Splashscreen GIF decoding buffer overflow attempt (specific-threats.rules, High)
17396 <-> EXPLOIT VNC client authentication response (exploit.rules, Low)
17397 <-> EXPLOIT VNCViewer Authenticate buffer overflow attempt (exploit.rules, High)
17398 <-> WEB-CLIENT Mozilla Firefox Javascript array.splice memory corruption attempt (web-client.rules, High)
17399 <-> WEB-CLIENT Mozilla Firefox Javascript array.splice memory corruption attempt (web-client.rules, High)
17400 <-> WEB-CLIENT rename of JavaScript unescape function - likely malware obfuscation (web-client.rules, High)
17401 <-> SPECIFIC-THREATS Internet Explorer nested tag memory corruption attempt - unescaped (web-client.rules, High)
17402 <-> SPECIFIC-THREATS Internet Explorer nested tag memory corruption attempt (specific-threats.rules, High)
17403 <-> WEB-CLIENT OpenOffice RTF File parsing heap buffer overflow attempt (web-client.rules, High)
17404 <-> EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt (exploit.rules, High)
17405 <-> EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt (exploit.rules, High)
17406 <-> EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt (exploit.rules, High)
17407 <-> WEB-CLIENT Windows help file download request (web-client.rules, Low)
17408 <-> WEB-CLIENT Microsoft DirectX Targa image file heap overflow attempt (web-client.rules, High)
17409 <-> WEB-CLIENT Mozilla Products IDN Spoofing Vulnerability Attempt (web-client.rules, High)
17410 <-> WEB-MISC Generic HyperLink Buffer Overflow attempt (web-misc.rules, High)
17411 <-> SPECIFIC-THREATS Microsoft Internet Explorer CDF cross-domain scripting attempt (specific-threats.rules, High)
17412 <-> MYSQL CREATE FUNCTION mysql.func Arbitrary Library Injection attempt (mysql.rules, High)
17413 <-> SPECIFIC-THREATS Microsoft Jet DB Engine Buffer Overflow attempt (specific-threats.rules, High)
17414 <-> SPECIFIC-THREATS Mozilla Firefox Javascript Engine Information Disclosure attempt (specific-threats.rules, High)
17415 <-> SPECIFIC-THREATS Mozilla Firefox Javascript Engine Information Disclosure attempt (specific-threats.rules, High)
17416 <-> ORACLE Database Intermedia Denial of Service Attempt (oracle.rules, Medium)
17417 <-> ORACLE Database Intermedia Denial of Service Attempt (oracle.rules, Medium)
17418 <-> ORACLE Oracle connection established (oracle.rules, High)
17419 <-> ORACLE Oracle database SQL compiler read-only join auth bypass attempt (oracle.rules, High)
17420 <-> WEB-MISC Citrix Program Neighborhood Agent Arbitrary Shortcut Creation attempt (web-misc.rules, High)
17421 <-> WEB-CLIENT Microsoft OLE automation string manipulation overflow attempt (web-client.rules, High)
17422 <-> SPECIFIC-THREATS Firefox defineSetter function pointer memory corruption attempt (specific-threats.rules, High)
17423 <-> WEB-MISC Citrix Program Neighborhood Agent Buffer Overflow attempt (web-misc.rules, High)
17424 <-> SPECIFIC-THREATS Mozilla Firefox IconURL Arbitrary Javascript Execution attempt (specific-threats.rules, High)
17425 <-> SPECIFIC-THREATS RealPlayer ActiveX Import playlist name buffer overflow attempt (specific-threats.rules, High)
17426 <-> WEB-CLIENT RAT file download request (web-client.rules, Low)
17427 <-> SPECIFIC-THREATS Oracle database DBMS_Scheduler privilege escalation attempt (specific-threats.rules, High)
17430 <-> SPECIFIC-THREATS BitDefender Antivirus PDF processing memory corruption attempt (specific-threats.rules, High)
17431 <-> EXPLOIT Microsoft IIS SChannel improper certificate verification (exploit.rules, Low)

Updated rules:
477 <-> ICMP Source Quench (icmp.rules, Medium)
1842 <-> IMAP login buffer overflow attempt (imap.rules, High)
1993 <-> IMAP login literal buffer overflow attempt (imap.rules, Medium)
2338 <-> FTP LIST buffer overflow attempt (ftp.rules, Medium)
2349 <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters attempt (netbios.rules, Low)
2435 <-> WEB-CLIENT Microsoft emf metafile download request (web-client.rules, High)
2438 <-> WEB-CLIENT RealPlayer playlist file URL overflow attempt (web-client.rules, High)
2439 <-> WEB-CLIENT RealPlayer playlist http URL overflow attempt (web-client.rules, High)
2440 <-> WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt (web-client.rules, High)
3074 <-> IMAP SUBSCRIBE overflow attempt (imap.rules, High)
3517 <-> EXPLOIT Computer Associates license PUTOLF overflow attempt (exploit.rules, High)
3686 <-> WEB-CLIENT Microsoft Internet Explorer Content Advisor memory corruption attempt (web-client.rules, High)
3694 <-> WEB-MISC Squid content length cache poisoning attempt (web-misc.rules, Medium)
3818 <-> TFTP PUT transfer mode overflow attempt (tftp.rules, High)
4126 <-> EXPLOIT Veritas Backup Exec root connection attempt using default password hash (exploit.rules, Medium)
5997 <-> WEB-MISC WinProxy overly long host header buffer overflow attempt (web-misc.rules, High)
7435 <-> WEB-ACTIVEX Dynamic Casts ActiveX clsid access (web-activex.rules, High)
7436 <-> WEB-ACTIVEX Dynamic Casts ActiveX function call (web-activex.rules, High)
8723 <-> WEB-ACTIVEX Microsoft Office Data Source Control 11.0 ActiveX clsid access (web-activex.rules, High)
9633 <-> EXPLOIT Computer Associates Product Discovery Service type 9B remote buffer overflow attempt TCP (exploit.rules, High)
9820 <-> WEB-ACTIVEX OWC11.DataSourceControl.11 ActiveX function call access (web-activex.rules, High)
10063 <-> WEB-CLIENT Firefox query interface suspicious function call access attempt (web-client.rules, High)
10192 <-> WEB-ACTIVEX RealPlayer Ierpplug.dll ActiveX clsid access (web-activex.rules, High)
11004 <-> IMAP CRAM-MD5 authentication method buffer overflow (imap.rules, High)
11834 <-> WEB-MISC Internet Explorer navcancl.htm url spoofing attempt (web-misc.rules, Medium)
12219 <-> WEB-CLIENT SMIL RealPlayer wallclock parsing buffer overflow (web-client.rules, High)
12286 <-> WEB-CLIENT PCRE character class double free overflow attempt (web-client.rules, High)
12472 <-> WEB-ACTIVEX Sun Java Web Start ActiveX clsid access (web-activex.rules, High)
12473 <-> WEB-ACTIVEX Sun Java Web Start ActiveX clsid unicode access (web-activex.rules, High)
12474 <-> WEB-ACTIVEX Sun Java Web Start ActiveX function call access (web-activex.rules, High)
12475 <-> WEB-ACTIVEX Sun Java Web Start ActiveX function call unicode access (web-activex.rules, High)
13162 <-> NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters overflow attempt (netbios.rules, High)
15126 <-> WEB-CLIENT Internet Explorer nested tag memory corruption attempt (web-client.rules, High)
15157 <-> WEB-CLIENT VideoLAN VLC Media Player XSPF memory corruption attempt TEST (web-client.rules, High)
15166 <-> WEB-CLIENT VideoLAN VLC Media Player RealText buffer overflow attempt (web-client.rules, High)
15428 <-> WEB-CLIENT Mozilla Firefox SVG data processing memory corruption attempt (web-client.rules, High)
15434 <-> WEB-MISC HP OpenView Network Node Manager OvOSLocale parameter buffer overflow attempt (web-misc.rules, High)
15478 <-> SPECIFIC-THREATS Adobe Flash Player invalid object reference code execution attempt (specific-threats.rules, High)
15484 <-> IMAP CRAM-MD5 authentication method buffer overflow (imap.rules, High)
16036 <-> WEB-CLIENT Mozilla Products QueryInterface method memory corruption attempt (web-client.rules, High)
17246 <-> DELETED SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt (deleted.rules, High)
17247 <-> DELETED SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt (deleted.rules, High)
17248 <-> DELETED SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt (deleted.rules, High)
