Sourcefire VRT Rules Update
Date: 2011-04-12
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.9.0.5.
The format of the file is:
sid - Message (rule group, priority)
New rules:

18605 <-> SCADA Tecnomatix FactoryLink CSService path overflow attempt (scada.rules, High)
18606 <-> SCADA Tecnomatix FactoryLink CSService file access attempt (scada.rules, High)
18607 <-> SCADA Tecnomatix FactoryLink CSService file information access attempt (scada.rules, High)
18608 <-> POLICY Dropbox Desktop Software in use (policy.rules, High)
18609 <-> POLICY Dropbox Desktop Software in use (policy.rules, High)
18610 <-> SCADA Tecnomatix FactoryLink vrn.exe opcode 9 or 10 string parsing overflow attempt (scada.rules, High)
18611 <-> WEB-MISC Sun Java Web Server Webdav Stack Buffer Overflow attempt (web-misc.rules, High)
18612 <-> WEB-MISC Sun Java Web Server Webdav Stack Buffer Overflow attempt (web-misc.rules, High)
18613 <-> WEB-MISC Sun Java Web Server Webdav Stack Buffer Overflow attempt (web-misc.rules, High)
18614 <-> SCADA Tecnomatix FactoryLink vrn.exe file access attempt (scada.rules, High)
18615 <-> SPECIFIC-THREATS Microsoft Works 4.x converter font name buffer overflow attempt (specific-threats.rules, High)
18616 <-> SPECIFIC-THREATS Microsoft Works 4.x converter font name buffer overflow attempt (specific-threats.rules, High)
18617 <-> SPECIFIC-THREATS Tecnomatix FactoryLink CSService null pointer attempt (specific-threats.rules, Medium)
18618 <-> BLACKLIST Win32.Scar.dpvy/Parkchicers.A/Delf checkin (blacklist.rules, High)
18648 <-> SCADA IGSS IGSSDataServer.exe file upload/download attempt (scada.rules, High)
18649 <-> SCADA IGSS IGSSDataServer.exe file operation overflow attempt (scada.rules, High)
18651 <-> SCADA IGSS IGSSDataServer.exe report template overflow attempt (scada.rules, High)
18652 <-> SCADA IGSS IGSSDataServer.exe report template operation overflow attempt (scada.rules, High)
18654 <-> SCADA IGSS IGSSDataServer.exe format string attempt (scada.rules, High)
18656 <-> SCADA IGSS IGSSDataServer.exe strep overflow attempt (scada.rules, High)
18657 <-> SCADA IGSS dc.exe file execution directory traversal attempt (scada.rules, High)
18658 <-> SCADA RealWin 2.1 FC_CONNECT_FCS_LOGIN overflow attempt (scada.rules, High)
18659 <-> SCADA RealWin 2.1 SCPC_INITIALIZE overflow attempt (scada.rules, High)
18674 <-> WEB-MISC Cover page document file download attempt (web-misc.rules, Low)
18675 <-> WEB-MISC Cover page document file download attempt (web-misc.rules, Low)

Updated rules:

3693 <-> WEB-MISC IBM WebSphere j_security_check overflow attempt (web-misc.rules, High)
6695 <-> WEB-CLIENT Malformed PNG detected tRNS overflow attempt (web-client.rules, High)
7002 <-> WEB-CLIENT excel url unicode overflow attempt (web-client.rules, High)
12283 <-> WEB-MISC xlw file download (web-misc.rules, Low)
12284 <-> WEB-CLIENT Excel rtWnDesk record memory corruption exploit attempt (web-client.rules, High)
12285 <-> WEB-MISC Excel Workspace file download (web-misc.rules, Low)
14774 <-> EXPLOIT HP OpenView Network Node Manger connectedNodes command injection attempt (exploit.rules, High)
15948 <-> SPECIFIC-THREATS CA License Software invalid command overflow attempt (specific-threats.rules, High)
17212 <-> WEB-CLIENT Mozilla Firefox JavaScript eval arbitrary code execution attempt (web-client.rules, High)
17355 <-> WEB-CLIENT Microsoft Internet Explorer JPEG Decoder Vulnerabilities attempt (web-client.rules, High)
17522 <-> SPECIFIC-THREATS Sun Java Runtime Environment Pack200 Decompression Integer Overflow (specific-threats.rules, High)
17662 <-> DELETED SPECIFIC-THREATS Sun Solaris DHCP Client Arbitrary Code Execution attempt (deleted.rules, High)
17898 <-> BLACKLIST URI request for known malicious URI - /get2.php?c=VTOXUGUI&d= (blacklist.rules, High)
18241 <-> WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX clsid access (web-activex.rules, High)
18242 <-> WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX function call access (web-activex.rules, High)
18329 <-> WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX function call access (web-activex.rules, High)
18335 <-> WEB-CLIENT Microsoft MHTML XSS attempt (web-client.rules, High)
18462 <-> NETBIOS Microsoft Windows 2003 browser election remote heap overflow attempt (netbios.rules, High)
