Sourcefire VRT Rules Update
Date: 2011-03-15
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.2.
The format of the file is:
sid - Message (rule group, priority)
New rules:

18545 <-> POLICY Microsoft Excel with embedded Flash file transfer attempt (policy.rules, High)
18546 <-> POLICY Microsoft Word with embedded Flash file transfer attempt (policy.rules, High)
18547 <-> POLICY Microsoft Powerpoint with embedded Flash file transfer attempt (policy.rules, High)
18548 <-> POLICY Microsoft Excel with embedded Flash file attachment attempt (policy.rules, High)
18549 <-> POLICY Microsoft Word with embedded Flash file attachment attempt (policy.rules, High)
18550 <-> POLICY Microsoft Powerpoint with embedded Flash file attachment attempt (policy.rules, High)
18551 <-> SMTP Microsoft Word .doc attachment (smtp.rules, Low)
18552 <-> SMTP Microsoft Excel .xls attachment (smtp.rules, Low)
18553 <-> SMTP Microsoft Excel .xlw attachment (smtp.rules, Low)
18554 <-> SMTP Microsoft Powerpoint .ppt attachment (smtp.rules, Low)

Updated rules:

7583 <-> SPYWARE-PUT Hacker-Tool clandestine runtime detection - flowbit set big (spyware-put.rules, Low)
7584 <-> SPYWARE-PUT Hacker-Tool clandestine runtime detection - flowbit set open (spyware-put.rules, Low)
7585 <-> SPYWARE-PUT Hacker-Tool clandestine runtime detection - flowbit set image (spyware-put.rules, Low)
7586 <-> SPYWARE-PUT Hacker-Tool clandestine runtime detection - image transferred (spyware-put.rules, Low)
15364 <-> EXPLOIT Ganglia Meta Daemon process_path stack buffer overflow attempt (exploit.rules, High)
16515 <-> SMTP Novell Groupwise Internet Agent RCPT command overflow attempt (smtp.rules, High)
16524 <-> FTP ProFTPD username sql injection attempt (ftp.rules, High)
17294 <-> DOS Microsoft Windows NAT Helper DNS query denial of service attempt (dos.rules, Medium)
17275 <-> SPECIFIC-THREATS Symantec Brightmail AntiSpam nested Zip handling denial of service attempt (specific-threats.rules, Medium)
17483 <-> DNS squid proxy dns A record response denial of service attempt (dns.rules, Medium)
18310 <-> SMTP Microsoft Office RTF parsing remote code execution attempt (smtp.rules, High)
18476 <-> SPECIFIC-THREATS IBM Lotus Notes DOC attachment viewer buffer overflow (specific-threats.rules, High)
18477 <-> SMTP Lotus Notes MIF viewer statement data overflow 2 (specific-threats.rules, High)
