Sourcefire VRT Rules Update
Date: 2011-02-01
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.0.
The format of the file is:
sid - Message (rule group, priority)
New rules:
18321 <-> WEB-ACTIVEX SonicWall Aventail EPInterrogator ActiveX clsid access (web-activex.rules, High)
18322 <-> WEB-ACTIVEX SonicWall Aventail EPInterrogator ActiveX function call access (web-activex.rules, High)
18323 <-> WEB-ACTIVEX SonicWall Aventail EPInstaller ActiveX clsid access (web-activex.rules, High)
18324 <-> WEB-ACTIVEX SonicWall Aventail EPInstaller ActiveX function call access (web-activex.rules, High)
18325 <-> WEB-ACTIVEX Image Viewer CP Gold 6 ActiveX clsid access (web-activex.rules, High)
18326 <-> FTP ProFTPD mod_site_misc module directory traversal attempt (ftp.rules, High)
18327 <-> SCADA Kingview HMI heap overflow attempt (scada.rules, High)
18328 <-> WEB-CLIENT Adobe Flash Player dwmapi.dll dll-load exploit attempt (web-client.rules, High)
18329 <-> WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX function call access (web-activex.rules, High)
18330 <-> NETBIOS Adobe Flash Player dwmapi.dll dll-load exploit attempt (netbios.rules, High)
18331 <-> WEB-CLIENT Microsoft Office Visio DXF variable name overflow attempt (web-client.rules, High)
18332 <-> WEB-CLIENT Mozilla Firefox JS Web Worker arbitrary code execution attempt (web-client.rules, High)
18333 <-> WEB-MISC phpBook date command execution attempt (web-misc.rules, High)
18334 <-> WEB-MISC phpBook mail command execution attempt (web-misc.rules, High)
18335 <-> WEB-CLIENT Microsoft MHTML XSS attempt (web-client.rules, High)

Updated rules:
1324 <-> EXPLOIT ssh CRC32 overflow /bin/sh (exploit.rules, High)
1325 <-> EXPLOIT ssh CRC32 overflow filler (exploit.rules, High)
1326 <-> EXPLOIT ssh CRC32 overflow NOOP (exploit.rules, High)
1327 <-> EXPLOIT ssh CRC32 overflow (exploit.rules, High)
17416 <-> ORACLE Database Intermedia Denial of Service Attempt (oracle.rules, Medium)
17417 <-> ORACLE Database Intermedia Denial of Service Attempt (oracle.rules, Medium)
18241 <-> WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX clsid access (web-activex.rules, High)
18242 <-> WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX function call access (web-activex.rules, High)
