Sourcefire VRT Rules Update
Date: 2010-09-27
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.0.
The format of the file is:
sid - Message (rule group, priority)
New rules:
17432 <-> WEB-MISC Squid Gopher protocol handling buffer overflow attempt (web-misc.rules, Medium)
17433 <-> EXPLOIT Sun Solaris DHCP Client Arbitrary Code Execution attempt (exploit.rules, High)
17434 <-> WEB-CLIENT Mozilla Firefox Unicode sequence handling stack corruption attempt (web-client.rules, High)
17435 <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList attempt (netbios.rules, Low)
17436 <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceListSize attempt (netbios.rules, Low)
17437 <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList attempt (netbios.rules, Low)
17438 <-> NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceListSize attempt (netbios.rules, Low)
17439 <-> EXPLOIT Microsoft Distributed Transaction Controller TIP DoS attempt (exploit.rules, Medium)
17440 <-> WEB-MISC RSA authentication agent for web redirect buffer overflow attempt (web-misc.rules, High)
17441 <-> WEB-MISC .lnk file download attempt (web-misc.rules, Low)
17442 <-> POLICY download of Windows .lnk file that executes cmd.exe detected (policy.rules, High)
17443 <-> WEB-CLIENT Microsoft DirectShow AVI decoder buffer overflow attempt (web-client.rules, High)
17444 <-> SPECIFIC-THREATS Firefox 3 xsl parsing heap overflow attempt (specific-threats.rules, High)
17445 <-> SPECIFIC-THREATS Symantec Backup Exec System Recovery Manager unauthorized file upload attempt (specific-threats.rules, Low)
17446 <-> SPECIFIC-THREATS Microsoft Internet Explorer FTP client directory traversal attempt (specific-threats.rules, Low)
17447 <-> WEB-MISC 407 Proxy Authentication Required (web-misc.rules, Low)
17448 <-> SPECIFIC-THREATS Microsoft Internet Explorer HTTPS proxy information disclosure vulnerability (specific-threats.rules, Medium)
17449 <-> WEB-MISC Novell ZENworks patch management SQL injection attempt (web-misc.rules, High)
17450 <-> WEB-MISC CommuniGate Systems CommuniGate Pro LDAP Server buffer overflow attempt (web-misc.rules, High)
17451 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17452 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17453 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17454 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17455 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17456 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17457 <-> WEB-CLIENT Macromedia Flash ActionDefineFunction memory access vulnerability exploit attempt (web-client.rules, High)
17458 <-> WEB-CLIENT BitDefender Internet Security script code execution attempt (web-client.rules, High)
17459 <-> WEB-CLIENT BitDefender Internet Security script code execution attempt (web-client.rules, High)
17460 <-> WEB-CLIENT BitDefender Internet Security script code execution attempt (web-client.rules, High)
17461 <-> SPECIFIC-THREATS RealNetworks RealPlayer zipped skin file buffer overflow attempt (specific-threats.rules, High)
17462 <-> WEB-CLIENT Microsoft Internet Explorer marquee object handling memory corruption attempt (web-client.rules, High)
17463 <-> SPECIFIC-THREATS Internet Explorer File Download Dialog Box Manipulation (specific-threats.rules, High)
17464 <-> WEB-ACTIVEX AOL Radio AmpX ActiveX clsid access (web-activex.rules, High)
17465 <-> WEB-ACTIVEX AOL Radio AmpX ActiveX clsid unicode access (web-activex.rules, High)
17466 <-> SPECIFIC-THREATS IBM Lotus Domino Web Access 7 ActiveX exploit attempt (specific-threats.rules, High)
17467 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (web-client.rules, High)
17468 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (web-client.rules, High)
17469 <-> SPECIFIC-THREAT Mplayer Real Demuxer stream_read heap overflow attempt (specific-threats.rules, High)
17470 <-> SPECIFIC-THREATS Apple QuickTime STSD JPEG atom heap corruption attempt (specific-threats.rules, High)
17471 <-> SPECIFIC-THREATS Adobe Acrobat JavaScript getIcon method buffer overflow attempt (specific-threats.rules, High)
17472 <-> SPECIFIC-THREATS Adobe Acrobat JavaScript getIcon method buffer overflow attempt (specific-threats.rules, High)
17473 <-> ORACLE DBMS_CDC_SUBSCRIBE.EXTEND_WINDOW arbitrary command execution attempt (oracle.rules, Medium)
17474 <-> ORACLE DBMS_CDC_SUBSCRIBE.CREATE_SUBSCRIPTION arbitrary command execution attempt (oracle.rules, Medium)
17475 <-> ORACLE DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION arbitrary command execution attempt (oracle.rules, Medium)
17476 <-> ORACLE DBMS_CDC_SUBSCRIBE.PURGE_WINDOW arbitrary command execution attempt (oracle.rules, Medium)
17477 <-> ORACLE DBMS_CDC_SUBSCRIBE.DROP_SUBSCRIPTION arbitrary command execution attempt (oracle.rules, Medium)
17478 <-> ORACLE DBMS_CDC_SUBSCRIBE.SUBSCRIBE arbitrary command execution attempt (oracle.rules, Medium)
17479 <-> ORACLE DBMS_CDC_ISUBSCRIBE.SUBSCRIBE arbitrary command execution attempt (oracle.rules, Medium)
17480 <-> ORACLE DBMS_CDC_ISUBSCRIBE.CREATE_SUBSCRIPTION arbitrary command execution attempt (oracle.rules, Medium)
17481 <-> SPECIFIC-THREATS Microsoft Exchange and Outlook TNEF Decoding Integer Overflow attempt (specific-threats.rules, High)
17482 <-> WEB-CLIENT Mozilla NNTP URL Handling Buffer Overflow attempt (web-client.rules, High)
17483 <-> DNS squid proxy dns A record response denial of service attempt (dns.rules, Medium)
17484 <-> DNS squid proxy dns PTR record response denial of service attempt (dns.rules, Medium)
17485 <-> DNS Symantec Gateway products DNS cache poisoning attempt (dns.rules, Medium)
17486 <-> WEB-MISC Trend Micro Control Manager Chunked overflow attempt (web-misc.rules, High)
17487 <-> WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt (web-client.rules, Medium)
17488 <-> SPECIFIC-THREATS Excel Malformed Range Code Execution attempt (specific-threats.rules, High)
17489 <-> SPECIFIC-THREATS Microsoft Windows Help File Heap Buffer Overflow attempt (specific-threats.rules, High)
17490 <-> SPECIFIC-THREATS Microsoft Windows itss.dll CHM File Handling Heap Corruption attempt (specific-threats.rules, High)
17491 <-> SPECIFIC-THREATS Microsoft Word mso.dll LsCreateLine Memory Corruption (specific-threats.rules, High)
17492 <-> SPECIFIC-THREATS Microsoft Excel Malformed SELECTION Record Code Execution attempt (specific-threats.rules, High)
17493 <-> SPECIFIC-THREATS ClamAV UPX FielHandling Heap overflow attempt (specific-threats.rules, High)
17494 <-> WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt (web-client.rules, High)
17495 <-> SPECIFIC-THREATS Squid proxy DNS response spoofing attempt (specific-threats.rules, Medium)
17496 <-> WEB-CLIENT Microsoft Powerpoint malformed NamedShows record code execution attempt (web-client.rules, High)
17497 <-> WEB-CLIENT Microsoft Powerpoint malformed NamedShows record code execution attempt (web-client.rules, High)
17498 <-> WEB-MISC Tomcat UNIX platform directory traversal (web-misc.rules, High)
17499 <-> WEB-MISC Tomcat UNIX platform directory traversal (web-misc.rules, High)
17500 <-> WEB-MISC Tomcat UNIX platform directory traversal (web-misc.rules, High)
17501 <-> WEB-MISC Tomcat UNIX platform directory traversal (web-misc.rules, High)
17502 <-> WEB-MISC Tomcat UNIX platform directory traversal (web-misc.rules, High)
17503 <-> IMAP MailEnable IMAP Service Invalid Command Buffer Overlow LOGIN (imap.rules, High)
17504 <-> EXPLOIT Novell ZENworks Asset Management buffer overflow attempt (exploit.rules, High)
17505 <-> WEB-CLIENT Microsoft Word formatted disk pages table memory corruption attempt (web-client.rules, High)
17506 <-> WEB-CLIENT Microsoft Word formatted disk pages table memory corruption attempt (web-client.rules, High)
17507 <-> WEB-CLIENT Microsoft Word formatted disk pages table memory corruption attempt (web-client.rules, High)
17508 <-> WEB-MISC Microsoft .NET Application download attempt (web-misc.rules, Medium)
17509 <-> WEB-MISC Microsoft .NET Manifest download attempt (web-misc.rules, Medium)
17510 <-> WEB-MISC Microsoft .NET Deploy download attempt (web-misc.rules, Medium)
17511 <-> WEB-CLIENT Excel malformed Graphic Code Execution (web-client.rules, High)
17512 <-> WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt (web-client.rules, High)
17513 <-> WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt (web-client.rules, High)
17514 <-> WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt (web-client.rules, High)
17515 <-> WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt (web-client.rules, High)
17516 <-> WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt (web-client.rules, High)
17517 <-> WEB-CLIENT excel Malformed Record Code Execution attempt (web-client.rules, High)
17518 <-> FTP FlashGet PWD command stack buffer overflow attempt (ftp.rules, High)
17519 <-> SPECIFIC-THREATS Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow (specific-threats.rules, High)
17520 <-> EXPLOIT CA ARCserve Backup DB Engine Denial of Service (exploit.rules, Low)
17521 <-> SPECIFIC-THREATS GoodTech SSH Server SFTP Processing Buffer Overflow (specific-threats.rules, High)
17522 <-> SPECIFIC-THREATS Sun Java Runtime Environment Pack200 Decompression Integer Overflow (specific-threats.rules, High)
17523 <-> SPECIFIC-THREATS Apple QuickTime H.264 Movie File Buffer Overflow (specific-threats.rules, High)
17524 <-> SPECIFIC-THREATS Fujitsu SystemcastWizard Lite PXEService UDP Handling Buffer Overflow (specific-threats.rules, High)
17525 <-> SPECIFIC-THREATS Microsoft IIS 5.0 WebDav Request Directory Security Bypass (specific-threats.rules, High)
17526 <-> SPECIFIC-THREATS Adobe Acrobat and Adobe Reader U3D RHAdobeMeta Buffer Overflow (specific-threats.rules, High)
17527 <-> SPECIFIC-THREATS VideoLAN VLC Media Player MP4_BoxDumpStructure Buffer Overflow (specific-threats.rules, High)
17528 <-> SPECIFIC-THREATS ngnix URI parsing buffer overflow attempt (specific-threats.rules, High)
17529 <-> SPECIFIC-THREATS Adobe RoboHelp Server Arbitrary File Upload and Execute (specific-threats.rules, High)
17530 <-> SPECIFIC-THREATS HP OpenView Storage Data Protector Stack Buffer Overflow (specific-threats.rules, High)
17531 <-> SPECIFIC-THREATS Apple Quicktime MOV File JVTCompEncodeFrame Heap Overflow (specific-threats.rules, High)
17532 <-> SPECIFIC-THREATS Microsoft Excel TXO and OBJ Records Parsing Stack Memory Corruption (specific-threats.rules, High)
17533 <-> WEB-MISC Apache Struts Information Disclosure Attempt (web-misc.rules, Medium)
17534 <-> MISC IPP Application Content (misc.rules, Low)
17535 <-> MISC Apple CUPS Text to PostScript Filter Integer Overflow attempt (misc.rules, High)
17536 <-> WEB-MISC Free Download Manager Remote Control Server HTTP Auth Header buffer overflow attempt (web-misc.rules, High)
17537 <-> SPECIFIC-THREATS Microsoft Excel Unspecified Null Page Name Memory Corruption Attempt (specific-threats.rules, High)
17538 <-> SPECIFIC-THREATS Microsoft Excel Unspecified Page Name Memory Corruption Attempt (specific-threats.rules, High)
17539 <-> SPECIFIC-THREATS Microsoft Excel Unspecified Grafic Pointer Memory Corruption Attempt (specific-threats.rules, High)
17540 <-> WEB-CLIENT LZH file download (web-client.rules, Low)
17541 <-> SPECIFIC-THREATS Avast! Antivirus Engine Remote LHA buffer overflow attempt (specific-threats.rules, High)
17542 <-> SPECIFIC-THREATS Excel MalformedPalete Record Memory Corruption attempt (specific-threats.rules, High)
17543 <-> WEB-CLIENT Excel Column Record Handling Memory Corruption attempt (web-client.rules, High)
17544 <-> SPECIFIC-THREATS Wireshark LWRES Dissector getaddrsbyname buffer overflow attempt (specific-threats.rules, Medium)
17545 <-> WEB-ACTIVEX Lotus Domino Web Access ActiveX Controls buffer overflow attempt (web-activex.rules, High)
17546 <-> POLICY Microsoft Media Player compressed skin download - .wmd (policy.rules, High)
17547 <-> WEB-CLIENT Apple Quicktime SMIL transfer (web-client.rules, Low)
17548 <-> WEB-CLIENT Apple Quicktime SMIL File Handling Integer Overflow attempt (web-client.rules, High)
17549 <-> SPECIFIC-THREATS Internet Explorer Error Handling Code Execution (specific-threats.rules, High)
17550 <-> SPECIFIC-THREATS Microsoft Word Font Parsing Buffer Overflow attempt (specific-threats.rules, High)
17551 <-> CHAT MSN Messenger and Windows Live Messenger Code Execution attempt (chat.rules, High)
17552 <-> WEB-CLIENT Adobe Pagemaker file request (web-client.rules, Low)
17553 <-> SPECIFIC-THREATS Adobe Pagemaker Font Name Buffer Overflow attempt (specific-threats.rules, High)

Updated rules:
1277 <-> RPC portmap ypupdated request UDP (rpc.rules, Medium)
1634 <-> POP3 PASS overflow attempt (pop3.rules, High)
1734 <-> FTP USER overflow attempt (ftp.rules, High)
1941 <-> TFTP GET filename overflow attempt (tftp.rules, High)
1972 <-> FTP PASS overflow attempt (ftp.rules, High)
1973 <-> FTP MKD overflow attempt (ftp.rules, High)
1975 <-> FTP DELE overflow attempt (ftp.rules, High)
1976 <-> FTP RMD overflow attempt (ftp.rules, High)
2088 <-> RPC ypupdated arbitrary command attempt UDP (rpc.rules, Medium)
2389 <-> FTP RNTO overflow attempt (ftp.rules, High)
2392 <-> FTP RETR overflow attempt (ftp.rules, High)
2435 <-> WEB-CLIENT Microsoft emf metafile access (web-client.rules, High)
2570 <-> WEB-MISC Invalid HTTP Version String (web-misc.rules, Medium)
2611 <-> ORACLE LINK metadata buffer overflow attempt (oracle.rules, High)
3084 <-> EXPLOIT Veritas backup overflow attempt (exploit.rules, High)
3679 <-> WEB-CLIENT Web-client IFRAME src javascript code execution (web-client.rules, High)
4131 <-> EXPLOIT SHOUTcast URI format string attempt (exploit.rules, High)
4142 <-> ORACLE reports servlet command execution attempt (oracle.rules, High)
4676 <-> ORACLE enterprise manager application server control POST parameter overflow attempt (oracle.rules, High)
7020 <-> WEB-CLIENT isComponentInstalled function buffer overflow (web-client.rules, High)
8059 <-> ORACLE SYS.KUPW-WORKER sql injection attempt (oracle.rules, High)
8091 <-> WEB-CLIENT RealNetworks RealPlayer error message format string vulnerability attempt (web-client.rules, High)
9629 <-> WEB-ACTIVEX Citrix.ICAClient ActiveX clsid access (web-activex.rules, High)
9630 <-> WEB-ACTIVEX Citrix.ICAClient ActiveX clsid unicode access (web-activex.rules, High)
9631 <-> WEB-ACTIVEX Citrix.ICAClient ActiveX function call access (web-activex.rules, High)
9840 <-> WEB-CLIENT QuickTime HREF Track Detected (web-client.rules, Low)
10030 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor QSIGetQueuePath_Function_45 overflow attempt (netbios.rules, High)
10486 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 15,16,17 attempt (netbios.rules, Low)
12278 <-> POLICY Microsoft Media Player compressed skin download - .wmz (policy.rules, High)
15153 <-> CHAT Jive Software Openfire Jabber Server setup Authentication bypass attempt (chat.rules, High)
15167 <-> POLICY Suspicious .cn dns query (policy.rules, High)
15168 <-> POLICY Suspicious .ru dns query (policy.rules, High)
15190 <-> WEB-MISC Youngzsoft CCProxy CONNECT Request buffer overflow attempt (web-misc.rules, High)
15431 <-> SPECIFIC-THREATS Firefox 3 xsl parsing heap overflow attempt (specific-threats.rules, High)
15473 <-> WEB-CLIENT Multiple media players M3U playlist file handling buffer overflow attempt (web-client.rules, High)
15493 <-> SPECIFIC-THREATS Adobe PDF getAnnots exploit attempt (specific-threats.rules, High)
15990 <-> WEB-MISC Multiple Vendor server file disclosure attempt (web-misc.rules, High)
15997 <-> SPECIFIC-THREATS Mozilla Firefox JIT escape function memory corruption attempt (specific-threats.rules, High)
16068 <-> SPECIFIC-THREATS Yahoo Music Jukebox ActiveX exploit (specific-threats.rules, High)
16513 <-> SQL Jive Software Openfire Jabber Server SQL injection attempt (sql.rules, High)
17066 <-> WEB-ACTIVEX Logitech Video Call 2 ActiveX clsid unicode access (web-activex.rules, High)
17287 <-> IMAP Cisco IOS HTTP service HTML injection attempt (imap.rules, Medium)
17391 <-> WEB-MISC Tomcat UNIX platform directory traversal (web-misc.rules, High)
