Sourcefire VRT Rules Update

Date: 2010-10-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.0.

The format of each entry in the lists below is:

sid <-> Message (rule group, priority)

New rules:
17662 <-> SPECIFIC-THREAT Sun Solaris DHCP Client Arbitrary Code Execution attempt (specific-threats.rules, High)
17664 <-> WEB-CLIENT GIF image descriptor memory corruption attempt (web-client.rules, High)
17666 <-> WEB-CLIENT RealNetworks RealPlayer invalid chunk size heap overflow attempt (web-client.rules, High)
17668 <-> POLICY attempted download of a PDF with embedded JavaScript (policy.rules, High)
17669 <-> SPECIFIC-THREAT Oracle Application Server 10g OPMN service format string vulnerability exploit attempt (oracle.rules, High)
17670 <-> WEB-ACTIVEX BigAnt Office Manager ActiveX clsid access (web-activex.rules, High)
17671 <-> WEB-ACTIVEX BigAnt Office Manager ActiveX clsid unicode access (web-activex.rules, High)
17672 <-> WEB-ACTIVEX BigAnt Office Manager ActiveX function call access (web-activex.rules, High)
17673 <-> WEB-ACTIVEX BigAnt Office Manager ActiveX function call unicode access (web-activex.rules, High)
17674 <-> WEB-ACTIVEX Skype Extras Manager ActiveX clsid access (web-activex.rules, High)
17675 <-> WEB-ACTIVEX Skype Extras Manager ActiveX clsid unicode access (web-activex.rules, High)
17676 <-> WEB-ACTIVEX Skype Extras Manager ActiveX function call access (web-activex.rules, High)
17677 <-> WEB-ACTIVEX Skype Extras Manager ActiveX function call unicode access (web-activex.rules, High)
17678 <-> WEB-CLIENT Adobe BMP image handler buffer overflow attempt (web-client.rules, High)
17679 <-> WEB-MISC Apple disk image download request (web-client.rules, Low)
17680 <-> SPECIFIC-THREATS ISC BIND DNSSEC Validation Multiple RRsets DoS (specific-threats.rules, Medium)
17698 <-> SPECIFIC-THREATS RealNetworks RealPlayer wav chunk string overflow attempt in email (specific-threats.rules, High)
17701 <-> SPECIFIC-THREATS Office Viewer ActiveX arbitrary command execution attempt (specific-threats.rules, High)
17702 <-> NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrDfsCreateExitPoint dos attempt (netbios.rules, Medium)
17703 <-> SPECIFIC-THREATS Internet Explorer popup title bar spoofing attempt (specific-threats.rules, Low)
17704 <-> SPECIFIC-THREATS McAfee LHA file parsing buffer overflow attempt (specific-threats.rules, High)
17705 <-> WEB-IIS web agent chunked encoding overflow attempt (web-iis.rules, High)
17706 <-> MISC Veritas NetBackup java user interface service format string attack attempt (misc.rules, High)
17707 <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect trend_req_num buffer overflow attempt (netbios.rules, Low)
17708 <-> EXPLOIT VNC password request URL buffer overflow attempt (exploit.rules, High)

Updated rules:
2278 <-> WEB-MISC client negative Content-Length attempt (web-misc.rules, Medium)
3665 <-> MYSQL server greeting (mysql.rules, High)
3666 <-> MYSQL server greeting finished (mysql.rules, High)
8414 <-> WEB-CLIENT GIF image descriptor memory corruption attempt (web-client.rules, High)
13865 <-> WEB-CLIENT Adobe BMP image handler buffer overflow attempt (web-client.rules, High)
15364 <-> EXPLOIT Ganglia Meta Daemon process_path stack buffer overflow attempt (exploit.rules, High)
15554 <-> ORACLE Oracle Application Server 10g OPMN service format string vulnerability exploit attempt (oracle.rules, High)
16354 <-> POLICY Adobe PDF start-of-file alternate header obfuscation attempt (policy.rules, Low)
16425 <-> WEB-CLIENT request for Portable Executable binary file (web-client.rules, Low)
17276 <-> MISC Multiple vendor Antivirus magic byte detection evasion attempt (misc.rules, High)
17277 <-> WEB-MISC Multiple vendor Antivirus magic byte detection evasion attempt (misc.rules, High)
17278 <-> WEB-MISC Multiple vendor Antivirus magic byte detection evasion attempt (misc.rules, High)
17297 <-> SPECIFIC-THREATS McAfee VirusScan on-access scanner long unicode filename handling buffer overflow attempt (specific-threats.rules, Medium)
17298 <-> MISC IBM Tivoli Monitoring Express Universal Agent Buffer Overflow (misc.rules, High)
17363 <-> WEB-CLIENT Apple computer finder DMG volume name memory corruption (web-client.rules, High)
17451 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17452 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17453 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17454 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17455 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17456 <-> WEB-MISC Sun Directory Server LDAP denial of service attempt (web-misc.rules, Medium)
17568 <-> WEB-MISC Microsoft Office XP URL Handling Buffer Overflow attempt (web-misc.rules, High)
17652 <-> WEB-MISC Microsoft IIS source code disclosure attempt (web-misc.rules, Medium)
3534 <-> WEB-CLIENT Mozilla GIF single packet heap overflow - NETSCAPE2.0 (web-client.rules, High)
3536 <-> WEB-CLIENT Mozilla GIF multipacket heap overflow - NETSCAPE2.0 (web-client.rules, High)
5316 <-> EXPLOIT CA CAM log_security overflow attempt (exploit.rules, Medium)
6502 <-> WEB-CLIENT Mozilla GIF single packet heap overflow - ANIMEXTS1.0 (web-client.rules, High)
6503 <-> WEB-CLIENT Mozilla GIF multipacket heap overflow - ANIMEXTS1.0 (web-client.rules, High)
8358 <-> SPYWARE-PUT Hijacker yok supersearch runtime detection - addressbar keyword search hijack (spyware-put.rules, Low)
8359 <-> SPYWARE-PUT Hijacker yok supersearch runtime detection - target website display (spyware-put.rules, Low)
8360 <-> SPYWARE-PUT Hijacker yok supersearch runtime detection - search info collect (spyware-put.rules, Low)
11176 <-> WEB-ACTIVEX PowerPoint Viewer ActiveX clsid access (web-activex.rules, High)
11181 <-> WEB-ACTIVEX Excel Viewer ActiveX clsid access (web-activex.rules, High)
11182 <-> WEB-ACTIVEX Excel Viewer ActiveX clsid unicode access (web-activex.rules, High)
11183 <-> WEB-ACTIVEX Excel Viewer ActiveX function call access (web-activex.rules, High)
11184 <-> WEB-ACTIVEX Excel Viewer ActiveX function call unicode access (web-activex.rules, High)
11187 <-> WEB-ACTIVEX Word Viewer ActiveX clsid access (web-activex.rules, High)
11199 <-> WEB-ACTIVEX Office Viewer ActiveX clsid access (web-activex.rules, High)
12659 <-> SPYWARE-PUT Trickler zlob media codec runtime detection - automatic updates (spyware-put.rules, Low)
12660 <-> SPYWARE-PUT Trickler zlob media codec runtime detection - download redirect domains (spyware-put.rules, Low)
12678 <-> SPYWARE-PUT SpyTech Realtime Spy Detection (spyware-put.rules, Low)
12983 <-> EXPLOIT DirectX SAMI file CRawParser attempted buffer overflow attempt (exploit.rules, High)
13523 <-> WEB-ACTIVEX Novell iPrint ActiveX clsid access (web-activex.rules, High)
13524 <-> WEB-ACTIVEX Novell iPrint ActiveX clsid unicode access (web-activex.rules, High)
13525 <-> WEB-ACTIVEX Novell iPrint ActiveX function call access (web-activex.rules, High)
13526 <-> WEB-ACTIVEX Novell iPrint ActiveX function call unicode access (web-activex.rules, High)
13553 <-> EXPLOIT Sybase SQL Anywhere Mobilink username string buffer overflow (exploit.rules, High)
13554 <-> EXPLOIT Sybase SQL Anywhere Mobilink version string buffer overflow (exploit.rules, High)
13555 <-> EXPLOIT Sybase SQL Anywhere Mobilink remoteID string buffer overflow (exploit.rules, High)
13774 <-> SPYWARE-PUT Trickler trojan ecodec runtime detection - initial server connection #1 (spyware-put.rules, Low)
13775 <-> SPYWARE-PUT Trickler trojan ecodec runtime detection - initial server connection #2 (spyware-put.rules, Low)
14756 <-> WEB-ACTIVEX Microsoft SQL Server 2000 Client Components ActiveX clsid access (web-activex.rules, High)
15230 <-> WEB-ACTIVEX Office Viewer 2 ActiveX clsid access (web-activex.rules, High)
15672 <-> WEB-ACTIVEX Microsoft Video 7 ActiveX clsid access (web-activex.rules, High)
15673 <-> DELETED WEB-ACTIVEX Microsoft Video 7 ActiveX clsid unicode access (deleted.rules, High)
15910 <-> EXPLOIT Microsoft Internet Explorer getElementById object corruption (specific-threats.rules, High)