Sourcefire VRT Rules Update

Date: 2010-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.2.

The format of each entry is:

sid <-> CATEGORY Message (rules file, priority)
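
As an added example, not part of the VRT changelog itself: a small Python parser for entries in this format. It splits each line into sid, category, message, rules file and priority, lists the SIDs this pack retires into deleted.rules and the new High-priority SIDs, and flags lines of a local threshold.conf that still reference a retired generator-1 SID. The changelog sample is a few entries copied from this page; the threshold.conf sample and its suppressions are hypothetical, constructed only to show the check.

```python
import re
from collections import Counter

# Constructed sample input: a few entries copied from this changelog, in the
# "sid <-> CATEGORY message (file.rules, priority)" format described above.
SAMPLE_CHANGELOG = """\
New rules:
18169 <-> WEB-ACTIVEX WinZip FileView 6.1 ActiveX function call unicode access (web-activex.rules, High)
18179 <-> SCAN Proxyfire.net anonymous proxy scan (scan.rules, Low)
18181 <-> SPECIFIC-THREATS ProFTPd 1.3.3c backdoor activity (specific-threats.rules, High)

Updated rules:
 469 <-> DELETED ICMP PING NMAP (deleted.rules, Medium)
 500 <-> DELETED MISC source route lsrr (deleted.rules, Medium)
 523 <-> DELETED BAD-TRAFFIC ip reserved bit set (deleted.rules, Low)
9129 <-> WEB-ACTIVEX WinZip FileView 6.1 ActiveX clsid access (web-activex.rules, High)
15306 <-> WEB-CLIENT Portable Executable binary file transfer (web-client.rules, Low)
"""

# Constructed, hypothetical local threshold.conf (not from the page), using the
# standard Snort suppress / event_filter syntax that references generator-1 SIDs.
SAMPLE_THRESHOLD_CONF = """\
# local tuning
suppress gen_id 1, sig_id 469, track by_src, ip 10.0.0.0/8
event_filter gen_id 1, sig_id 15306, type limit, track by_src, count 1, seconds 60
suppress gen_id 1, sig_id 523
suppress gen_id 3, sig_id 500
"""

ENTRY_RE = re.compile(
    r"^\s*(?P<sid>\d+)\s+<->\s+(?P<category>[A-Z][A-Z0-9-]*)\s+(?P<msg>.*?)\s+"
    r"\((?P<rules_file>[\w.-]+\.rules),\s*(?P<priority>Low|Medium|High)\)\s*$"
)
SIG_REF_RE = re.compile(r"\bgen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)")


def parse_changelog(text):
    """Split a VRT changelog into {'new': [...], 'updated': [...]} entry dicts."""
    sections = {"new": [], "updated": []}
    current = None
    for line in text.splitlines():
        header = line.strip().lower()
        if header == "new rules:":
            current = "new"
            continue
        if header == "updated rules:":
            current = "updated"
            continue
        m = ENTRY_RE.match(line)
        if current is None or not m:
            continue  # blank lines, preamble, or a line in a shape we do not understand
        entry = m.groupdict()
        entry["sid"] = int(entry["sid"])
        if entry["category"] == "DELETED":
            # Retired rules keep their former category as the first word of the message.
            entry["former_category"] = entry["msg"].split(" ", 1)[0]
        sections[current].append(entry)
    return sections


def retired_sids(sections):
    """SIDs moved to deleted.rules in this pack: they will not fire after the update."""
    return sorted(e["sid"] for e in sections["updated"] if e["rules_file"] == "deleted.rules")


def new_sids_by_priority(sections, priority="High"):
    """New SIDs at the given priority, the ones to review first for false positives."""
    return sorted(e["sid"] for e in sections["new"] if e["priority"] == priority)


def count_by_rules_file(sections):
    """How many entries touched each .rules file, across both sections."""
    return Counter(e["rules_file"] for sec in sections.values() for e in sec)


def stale_threshold_lines(conf_text, retired):
    """(line number, line) pairs of a threshold.conf that reference a retired gen_id 1 SID.

    Such suppress / event_filter lines are dead after the update and can be removed.
    """
    retired = set(retired)
    stale = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = SIG_REF_RE.search(line)
        if m and int(m.group("gid")) == 1 and int(m.group("sid")) in retired:
            stale.append((lineno, line.strip()))
    return stale


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    print("retired:", retired_sids(parsed))
    print("new high:", new_sids_by_priority(parsed))
    print("per file:", dict(count_by_rules_file(parsed)))
    for lineno, line in stale_threshold_lines(SAMPLE_THRESHOLD_CONF, retired_sids(parsed)):
        print(f"stale threshold.conf:{lineno}: {line}")
```

Entries whose rules file is deleted.rules are rules the VRT has retired; any local suppression or event_filter keyed on those SIDs is now dead weight in threshold.conf. Updated entries that stay in a live rules file (the WinZip FileView, tsuserex and mailto/news/nntp/telnet URI-handling rules below) have changed content and are worth re-checking against local tuning rather than assuming earlier false-positive analysis still holds.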

New rules:
18169 <-> WEB-ACTIVEX WinZip FileView 6.1 ActiveX function call unicode access (web-activex.rules, High)
18170 <-> SPECIFIC-THREATS Mozilla Firefox and SeaMonkey onUnload event handler memory corruption attempt (specific-threats.rules, High)
18171 <-> EXPLOIT Multiple product mailto uri handling code execution attempt (exploit.rules, High)
18172 <-> EXPLOIT Multiple product mailto uri handling code execution attempt (exploit.rules, High)
18173 <-> EXPLOIT Multiple product mailto uri handling code execution attempt (exploit.rules, High)
18174 <-> SPECIFIC-THREATS Microsoft Internet Explorer CSS memory corruption attempt (specific-threats.rules, High)
18175 <-> SPECIFIC-THREATS Microsoft Internet Explorer CSS memory corruption attempt (specific-threats.rules, High)
18176 <-> SPECIFIC-THREATS Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt (specific-threats.rules, High)
18177 <-> SPECIFIC-THREATS Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt (specific-threats.rules, High)
18178 <-> SPECIFIC-THREATS Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt (specific-threats.rules, High)
18179 <-> SCAN Proxyfire.net anonymous proxy scan (scan.rules, Low)
18181 <-> SPECIFIC-THREATS ProFTPd 1.3.3c backdoor activity (specific-threats.rules, High)
18182 <-> SPECIFIC-THREATS ProFTPd 1.3.3c backdoor help access attempt (specific-threats.rules, High)
18183 <-> BLACKLIST DNS request for known malware domain mailzou.com (blacklist.rules, High)
18184 <-> BLACKLIST DNS request for known malware domain dnf.gametime.co.kr (blacklist.rules, High)
18185 <-> BLACKLIST DNS request for known malware domain www.dd0415.net (blacklist.rules, High)

Updated rules:
 469 <-> DELETED ICMP PING NMAP (deleted.rules, Medium)
 471 <-> DELETED ICMP icmpenum v1.1.1 (deleted.rules, Medium)
 472 <-> DELETED ICMP redirect host (deleted.rules, Medium)
 473 <-> DELETED ICMP redirect net (deleted.rules, Medium)
 475 <-> DELETED ICMP traceroute ipopts (deleted.rules, Medium)
 477 <-> DELETED ICMP Source Quench (deleted.rules, Medium)
 478 <-> DELETED ICMP Broadscan Smurf Scanner (deleted.rules, Medium)
 485 <-> DELETED ICMP Destination Unreachable Communication Administratively Prohibited (deleted.rules, Low)
 486 <-> DELETED ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited (deleted.rules, Low)
 487 <-> DELETED ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited (deleted.rules, Low)
 500 <-> DELETED MISC source route lsrr (deleted.rules, Medium)
 501 <-> DELETED MISC source route lsrre (deleted.rules, Medium)
 502 <-> DELETED MISC source route ssrr (deleted.rules, Medium)
 521 <-> DELETED MISC Large UDP Packet (deleted.rules, Medium)
 523 <-> DELETED BAD-TRAFFIC ip reserved bit set (deleted.rules, Low)
 524 <-> DELETED BAD-TRAFFIC tcp port 0 traffic (deleted.rules, Low)
 525 <-> DELETED BAD-TRAFFIC udp port 0 traffic (deleted.rules, Low)
1627 <-> DELETED BAD-TRAFFIC Unassigned/Reserved IP protocol (deleted.rules, Medium)
2186 <-> DELETED BAD-TRAFFIC IP Proto 53 SWIPE (deleted.rules, Medium)
2187 <-> DELETED BAD-TRAFFIC IP Proto 55 IP Mobility (deleted.rules, Medium)
2188 <-> DELETED BAD-TRAFFIC IP Proto 77 Sun ND (deleted.rules, Medium)
2189 <-> DELETED BAD-TRAFFIC IP Proto 103 PIM (deleted.rules, Medium)
7502 <-> WEB-ACTIVEX tsuserex.ADsTSUserEx.1 ActiveX clsid access (web-activex.rules, High)
7503 <-> WEB-ACTIVEX tsuserex.ADsTSUserEx.1 ActiveX clsid unicode access (web-activex.rules, High)
8731 <-> DELETED MISC IP option TS timestamp set (deleted.rules, Medium)
8732 <-> DELETED MISC IP option SEC security set (deleted.rules, Medium)
8733 <-> DELETED MISC IP option SATID stream_id set (deleted.rules, Medium)
9129 <-> WEB-ACTIVEX WinZip FileView 6.1 ActiveX clsid access (web-activex.rules, High)
9130 <-> WEB-ACTIVEX WinZip FileView 6.1 ActiveX clsid unicode access (web-activex.rules, High)
9131 <-> WEB-ACTIVEX WinZip FileView 6.1 ActiveX function call access (web-activex.rules, High)
13269 <-> EXPLOIT Multiple product nntp uri handling code execution attempt (exploit.rules, High)
13270 <-> EXPLOIT Multiple product news uri handling code execution attempt (exploit.rules, High)
13271 <-> EXPLOIT Multiple product telnet uri handling code execution attempt (exploit.rules, High)
13272 <-> EXPLOIT Multiple product mailto uri handling code execution attempt (exploit.rules, High)
15306 <-> WEB-CLIENT Portable Executable binary file transfer (web-client.rules, Low)
15684 <-> EXPLOIT Multiple product snews uri handling code execution attempt (exploit.rules, High)