Sourcefire VRT Rules Update

Date: 2011-01-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.1.

The format of the file is:

sid - Message (rule group, priority)

New rules:
18303 <-> SPECIFIC-THREATS Microsoft Internet Explorer script action handler overflow attempt (specific-threats.rules, High)
18304 <-> WEB-CLIENT Microsoft Internet Explorer span tag memory corruption attempt (web-client.rules, High)
18305 <-> SPECIFIC-THREATS Microsoft Internet Explorer span tag memory corruption attempt (specific-threats.rules, High)
18306 <-> SPECIFIC-THREATS Microsoft Internet Explorer span tag memory corruption attempt (specific-threats.rules, High)
18307 <-> SPECIFIC-THREATS Microsoft Internet Explorer frameset memory corruption attempt (specific-threats.rules, High)
18308 <-> WEB-CLIENT Adobe Acrobat Reader icc mluc integer overflow attempt (web-client.rules, High)
18309 <-> WEB-CLIENT VML fill method overflow attempt (web-client.rules, High)
18310 <-> SMTP Microsoft Office RTF parsing remote code execution attempt (smtp.rules, High)
18311 <-> WEB-MISC Novell iManager getMultiPartParameters unauthorized file upload attempt (web-misc.rules, High)
18312 <-> EXPLOIT Subversion 1.0.2 get-dated-rev buffer overflow over http attempt (exploit.rules, High)
18313 <-> SPECIFIC-THREATS Microsoft Internet Explorer createTextRange code execution attempt (specific-threats.rules, High)
18314 <-> SPECIFIC-THREATS NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarLookupSids lsa_io_trans_name heap overflow attempt (specific-threats.rules, Low)
18315 <-> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrValidateName2 overflow attempt (netbios.rules, High)
18316 <-> SPECIFIC-THREATS NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrValidateName2 attempt (netbios.rules, Low)
18317 <-> SMTP RCPT TO IPSwitch proxy overflow attempt (smtp.rules, High)
18318 <-> WEB-MISC TLSv1 Client Change Cipher Spec message (web-misc.rules, Low)
18319 <-> SPECIFIC-THREATS NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarLookupSids lsa_io_trans_name heap overflow attempt (specific-threats.rules, Low)
18320 <-> SPECIFIC-THREATS WINS association context validation overflow attempt (specific-threats.rules, Medium)

Updated rules:
6584 <-> NETBIOS DCERPC NCACN-IP-TCP rras RasRpcSubmitRequest overflow attempt (netbios.rules, High)
8925 <-> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrAddAlternateComputerName overflow attempt (netbios.rules, High)
10603 <-> NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvUpdateRecord2 overflow attempt (netbios.rules, High)
10900 <-> NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvEnumRecords overflow attempt (netbios.rules, High)
12220 <-> EXPLOIT IBM Informix Dynamic Server long username buffer overflow attempt (exploit.rules, High)
12269 <-> WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX clsid access (web-activex.rules, High)
12270 <-> WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX function call (web-activex.rules, High)
12271 <-> DELETED WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX function call access (deleted.rules, High)
12272 <-> DELETED WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX function call unicode access (deleted.rules, High)
12417 <-> WEB-ACTIVEX Microsoft Visual FoxPro ActiveX clsid access (web-activex.rules, High)
12424 <-> RPC MIT Kerberos kadmind rpc RPCSEC_GSS buffer overflow attempt (rpc.rules, High)
12450 <-> WEB-ACTIVEX Microsoft Agent Control ActiveX function call access (web-activex.rules, High)
15670 <-> WEB-ACTIVEX Microsoft Video 6 ActiveX clsid access (web-activex.rules, High)
15671 <-> WEB-ACTIVEX Microsoft Video 6 ActiveX function call (web-activex.rules, High)
15904 <-> DELETED WEB-ACTIVEX Microsoft Video 6 ActiveX function call access (deleted.rules, High)
15905 <-> DELETED WEB-ACTIVEX Microsoft Video 6 ActiveX function call unicode access (deleted.rules, High)
15930 <-> NETBIOS Microsoft Windows SMB malformed process ID high field remote code execution attempt (netbios.rules, Medium)
16499 <-> DELETED NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvUpdateRecord2 overflow attempt (deleted.rules, High)
16500 <-> DELETED NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvEnumRecords overflow attempt (deleted.rules, High)
16523 <-> POLICY PDF with click-to-launch executable (policy.rules, Low)
17047 <-> DELETED NETBIOS Microsoft Windows DNS Server RPC management interface buffer overflow attempt (deleted.rules, High)
17326 <-> EXPLOIT Citrix Program Neighborhood Client buffer overflow attempt (exploit.rules, High)