Sourcefire VRT Rules Update

Date: 2010-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.0.

The format of the file is:

sid - Message (rule group, priority)

New rules:
13472 <-> EXPLOIT Microsoft Works invalid chunk size (exploit.rules, High)
17710 <-> EXPLOIT Veritas NetBackup vmd shared library buffer overflow attempt (exploit.rules, High)
17711 <-> WEB-CLIENT Microsoft Windows ASF parsing memory corruption attempt (web-client.rules, High)
17712 <-> SPECIFIC-THREATS TFTP PUT Microsoft RIS filename overwrite attempt (specific-threats.rules, High)
17713 <-> EXPLOIT Novell NetMail NMAP STOR buffer overflow attempt (exploit.rules, High)
17714 <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules, Low)
17715 <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules, Low)
17716 <-> SPECIFIC-THREATS IBM Lotus Notes DOC attachment viewer buffer overflow (specific-threats.rules, High)
17717 <-> SMTP IBM Lotus Notes HTML input tag buffer overflow attempt (smtp.rules, High)
17718 <-> SPECIFIC-THREATS Oracle MDSYS drop table trigger injection attempt (specific-threats.rules, High)
17719 <-> SPECIFIC-THREATS Mozilla Firefox ClearTextRun exploit attempt (specific-threats.rules, High)
17722 <-> ORACLE Oracle XDB.XDB_PITRIG_PKG buffer overflow attempt (oracle.rules, High)
17724 <-> SPECIFIC-THREATS malicious ASP file upload attempt (specific-threats.rules, High)
17725 <-> WEB-CLIENT Opera file URI handling buffer overflow (web-client.rules, High)
17726 <-> SPECIFIC-THREATS Internet Explorer address bar spoofing attempt (specific-threats.rules, Low)
17727 <-> SPECIFIC-THREATS Sun JDK image parsing library ICC buffer overflow attempt (specific-threats.rules, High)
17728 <-> MISC Panda Antivirus ZOO archive decompression buffer overflow attempt (misc.rules, High)
17729 <-> SPECIFIC-THREATS Microsoft Internet Explorer EMBED element memory corruption attempt (specific-threats.rules, High)
17730 <-> WEB-CLIENT Microsoft XML Core Services MIME Viewer memory corruption attempt (web-client.rules, High)
17732 <-> WEB-CLIENT TIFF file request (web-client.rules, Low)
17733 <-> WEB-MISC XML file download request (web-misc.rules, Low)
17734 <-> WEB-MISC Excel REPT integer underflow attempt (web-misc.rules, High)
17735 <-> SPECIFIC-THREATS Adobe Pagemaker Font Name Buffer Overflow attempt (specific-threats.rules, High)
17736 <-> SPECIFIC-THREATS McAfee LHA Type-2 file handling overflow attempt (specific-threats.rules, High)
17737 <-> SPECIFIC-THREATS Microsoft collaboration data objects buffer overflow attempt (specific-threats.rules, High)
17738 <-> SPECIFIC-THREATS Linux Kernel SNMP Netfilter Memory Corruption attempt (specific-threats.rules, Medium)
17739 <-> POLICY FlashPix file download request (policy.rules, High)
17740 <-> SPECIFIC-THREATS Apple Quicktime FlashPix processing overflow attempt (specific-threats.rules, High)
17745 <-> NETBIOS SMB TRANS2 Find_First2 request attempt (netbios.rules, Low)
17746 <-> NETBIOS SMB client TRANS response Find_First2 filesize overflow attempt (netbios.rules, High)
17748 <-> WEB-MISC TLSv1 Client_Certificate handshake (web-misc.rules, Low)
17749 <-> RPC Linux Kernel nfsd v4 CAP_MKNOD security bypass attempt (rpc.rules, Medium)
17751 <-> WEB-CLIENT OpenType Font file download request (web-client.rules, Low)

Updated rules:
1122 <-> WEB-MISC /etc/passwd (web-misc.rules, Medium)
2472 <-> NETBIOS SMB-DS C$ unicode share access (netbios.rules, Low)
2705 <-> WEB-CLIENT JPEG parser heap overflow attempt (web-client.rules, High)
3694 <-> WEB-MISC Squid content length cache poisoning attempt (web-misc.rules, Medium)
3820 <-> WEB-CLIENT multipacket CHM file transfer attempt (web-client.rules, High)
4170 <-> WEB-ACTIVEX Office 2000 and 2002 Web Components Data Source Control ActiveX clsid access (web-activex.rules, High)
4676 <-> ORACLE Enterprise Manager Application Server Control POST Parameter Overflow Attempt (oracle.rules, High)
4677 <-> ORACLE Enterprise Manager Application Server Control GET Parameter Overflow Attempt (oracle.rules, High)
7870 <-> WEB-ACTIVEX Microsoft Office Data Source Control 9.0 ActiveX clsid access (web-activex.rules, High)
7871 <-> WEB-ACTIVEX Microsoft Office Data Source Control 9.0 ActiveX clsid unicode access (web-activex.rules, High)
9027 <-> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrJoinDomain2 overflow attempt (netbios.rules, High)
9431 <-> EXPLOIT Microsoft NNTP response overflow attempt (exploit.rules, High)
11192 <-> POLICY download of executable content (policy.rules, High)
11947 <-> WEB-CLIENT Windows schannel security package (web-client.rules, High)
12203 <-> WEB-ACTIVEX VMWare Vielib.dll ActiveX clsid access (web-activex.rules, High)
12204 <-> WEB-ACTIVEX VMWare Vielib.dll ActiveX clsid unicode access (web-activex.rules, High)
12205 <-> WEB-ACTIVEX VMWare Vielib.dll ActiveX function call access (web-activex.rules, High)
12206 <-> WEB-ACTIVEX VMWare Vielib.dll ActiveX function call unicode access (web-activex.rules, High)
12213 <-> IMAP Ipswitch IMail search date command buffer overflow attempt (imap.rules, High)
12448 <-> WEB-ACTIVEX Microsoft Agent Control ActiveX clsid access (web-activex.rules, High)
12449 <-> WEB-ACTIVEX Microsoft Agent Control ActiveX clsid unicode access (web-activex.rules, High)
12450 <-> WEB-ACTIVEX Microsoft Agent Control ActiveX function call access (web-activex.rules, High)
12451 <-> WEB-ACTIVEX Microsoft Agent Control ActiveX function call unicode access (web-activex.rules, High)
12452 <-> WEB-ACTIVEX MS Agent File Provider ActiveX clsid access (web-activex.rules, High)
12453 <-> WEB-ACTIVEX MS Agent File Provider ActiveX clsid unicode access (web-activex.rules, High)
12940 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 CA call 269 overflow attempt (netbios.rules, High)
15126 <-> WEB-CLIENT Internet Explorer nested tag memory corruption attempt (web-client.rules, High)
15445 <-> ORACLE Oracle Application Server BPEL module cross site scripting attempt (oracle.rules, High)
15477 <-> EXPLOIT Oracle BEA WebLogic overlong JESSIONID buffer overflow attempt (exploit.rules, Medium)
15910 <-> EXPLOIT Microsoft Internet Explorer getElementById object corruption (exploit.rules, High)
15950 <-> SPECIFIC-THREATS McAfee LHA Type-2 file handling overflow attempt (specific-threats.rules, High)
16006 <-> SPECIFIC-THREATS Quicktime color table id memory corruption attempt (specific-threats.rules, High)
16016 <-> SPECIFIC-THREATS Microsoft client for netware overflow attempt (specific-threats.rules, High)
16032 <-> WEB-CLIENT Microsoft Internet Explorer HTML Decoding memory corruption attempt (web-client.rules, High)
16142 <-> SPECIFIC-THREATS Mozilla Firefox PKCS11 module installation code execution attempt (specific-threats.rules, High)
16143 <-> WEB-CLIENT Microsoft asf file download (web-client.rules, Low)
16189 <-> ORACLE Oracle Database REPCAT_RPC.VALIDATE_REMOTE_RC SQL injection attempt (oracle.rules, High)
16444 <-> SPECIFIC-THREATS HP StorageWorks storage mirroring double take service code execution attempt (specific-threats.rules, High)
16521 <-> WEB-CLIENT Squid Proxy http version number overflow attempt (web-client.rules, High)
17042 <-> WEB-CLIENT Microsoft LNK shortcut download attempt (web-client.rules, High)
17231 <-> WEB-CLIENT Microsoft Kodak Imaging small offset malformed tiff - little-endian (web-client.rules, High)
17232 <-> WEB-CLIENT Microsoft Kodak Imaging large offset malformed tiff - big-endian (web-client.rules, High)
17237 <-> DELETED WEB-CLIENT XBM file download (deleted.rules, Low)
17257 <-> SPECIFIC-THREATS Adobe Flash Player and Reader remote code execution attempt (specific-threats.rules, High)
17282 <-> MISC Panda Antivirus ZOO archive decompression buffer overflow attempt (misc.rules, High)
17295 <-> WEB-MISC Trend Micro OfficeScan Console authentication buffer overflow attempt (web-misc.rules, High)
17314 <-> WEB-CLIENT OLE Document file download (web-client.rules, Low)
17468 <-> WEB-CLIENT Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (web-client.rules, High)
17469 <-> SPECIFIC-THREATS Mplayer Real Demuxer stream_read heap overflow attempt (specific-threats.rules, High)
17651 <-> SPECIFIC-THREATS Multiple AV vendor invalid archive checksum bypass attempt (specific-threats.rules, High)
17669 <-> SPECIFIC-THREATS Oracle Application Server 10g OPMN service format string vulnerability exploit attempt (specific-threats.rules, High)