Sourcefire VRT Rules Update

Date: 2011-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.3.

The format of the file is:

sid - Message (rule group, priority)

New rules:
18605 <-> SCADA Tecnomatix FactoryLink CSService path overflow attempt (scada.rules, High)
18606 <-> SCADA Tecnomatix FactoryLink CSService file access attempt (scada.rules, High)
18607 <-> SCADA Tecnomatix FactoryLink CSService file information access attempt (scada.rules, High)
18608 <-> POLICY Dropbox Desktop Software in use (policy.rules, High)
18609 <-> POLICY Dropbox Desktop Software in use (policy.rules, High)
18610 <-> SCADA Tecnomatix FactoryLink vrn.exe opcode 9 or 10 string parsing overflow attempt (scada.rules, High)
18611 <-> WEB-MISC Sun Java Web Server Webdav Stack Buffer Overflow attempt (web-misc.rules, High)
18612 <-> WEB-MISC Sun Java Web Server Webdav Stack Buffer Overflow attempt (web-misc.rules, High)
18613 <-> WEB-MISC Sun Java Web Server Webdav Stack Buffer Overflow attempt (web-misc.rules, High)
18614 <-> SCADA Tecnomatix FactoryLink vrn.exe file access attempt (scada.rules, High)
18615 <-> SPECIFIC-THREATS Microsoft Works 4.x converter font name buffer overflow attempt (specific-threats.rules, High)
18616 <-> SPECIFIC-THREATS Microsoft Works 4.x converter font name buffer overflow attempt (specific-threats.rules, High)
18617 <-> SPECIFIC-THREATS Tecnomatix FactoryLink CSService null pointer attempt (specific-threats.rules, Medium)
18618 <-> BLACKLIST Win32.Scar.dpvy/Parkchicers.A/Delf checkin (blacklist.rules, High)
18648 <-> SCADA IGSS IGSSDataServer.exe file upload/download attempt (scada.rules, High)
18649 <-> SCADA IGSS IGSSDataServer.exe file operation overflow attempt (scada.rules, High)
18651 <-> SCADA IGSS IGSSDataServer.exe report template overflow attempt (scada.rules, High)
18652 <-> SCADA IGSS IGSSDataServer.exe report template operation overflow attempt (scada.rules, High)
18654 <-> SCADA IGSS IGSSDataServer.exe format string attempt (scada.rules, High)
18656 <-> SCADA IGSS IGSSDataServer.exe strep overflow attempt (scada.rules, High)
18657 <-> SCADA IGSS dc.exe file execution directory traversal attempt (scada.rules, High)
18658 <-> SCADA RealWin 2.1 FC_CONNECT_FCS_LOGIN overflow attempt (scada.rules, High)
18659 <-> SCADA RealWin 2.1 SCPC_INITIALIZE overflow attempt (scada.rules, High)
18674 <-> WEB-MISC Cover page document file download attempt (web-misc.rules, Low)
18675 <-> WEB-MISC Cover page document file download attempt (web-misc.rules, Low)

Updated rules:
3693 <-> WEB-MISC IBM WebSphere j_security_check overflow attempt (web-misc.rules, High)
6695 <-> WEB-CLIENT Malformed PNG detected tRNS overflow attempt (web-client.rules, High)
7002 <-> WEB-CLIENT excel url unicode overflow attempt (web-client.rules, High)
12283 <-> WEB-MISC xlw file download (web-misc.rules, Low)
12284 <-> WEB-CLIENT Excel rtWnDesk record memory corruption exploit attempt (web-client.rules, High)
12285 <-> WEB-MISC Excel Workspace file download (web-misc.rules, Low)
14774 <-> EXPLOIT HP OpenView Network Node Manger connectedNodes command injection attempt (exploit.rules, High)
15948 <-> SPECIFIC-THREATS CA License Software invalid command overflow attempt (specific-threats.rules, High)
17212 <-> WEB-CLIENT Mozilla Firefox JavaScript eval arbitrary code execution attempt (web-client.rules, High)
17355 <-> WEB-CLIENT Microsoft Internet Explorer JPEG Decoder Vulnerabilities attempt (web-client.rules, High)
17522 <-> SPECIFIC-THREATS Sun Java Runtime Environment Pack200 Decompression Integer Overflow (specific-threats.rules, High)
17662 <-> DELETED SPECIFIC-THREATS Sun Solaris DHCP Client Arbitrary Code Execution attempt (deleted.rules, High)
17898 <-> BLACKLIST URI request for known malicious URI - /get2.php?c=VTOXUGUI&d= (blacklist.rules, High)
18241 <-> WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX clsid access (web-activex.rules, High)
18242 <-> WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX function call access (web-activex.rules, High)
18329 <-> WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX function call access (web-activex.rules, High)
18335 <-> WEB-CLIENT Microsoft MHTML XSS attempt (web-client.rules, High)
18462 <-> NETBIOS Microsoft Windows 2003 browser election remote heap overflow attempt (netbios.rules, High)