Sourcefire VRT Rules Update

Date: 2009-07-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.

Each entry below is listed in the format:

sid <-> Message (rule group, priority)

New rules:
15701 <-> SPECIFIC-THREATS Microsoft Windows 2000 domain authentication bypass attempt (specific-threats.rules, High)
15702 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor opcode 0x13 overflow attempt (netbios.rules, Medium)
15703 <-> WEB-CLIENT Apple iTunes ITMS protocol handler stack buffer overflow attempt (web-client.rules, High)
15704 <-> WEB-CLIENT Apple iTunes ITMSS protocol handler stack buffer overflow attempt (web-client.rules, High)
15705 <-> WEB-CLIENT Apple iTunes PCAST protocol handler stack buffer overflow attempt (web-client.rules, High)
15706 <-> WEB-CLIENT Apple iTunes DAAP protocol handler stack buffer overflow attempt (web-client.rules, High)
15707 <-> WEB-CLIENT Apple iTunes ITPC protocol handler stack buffer overflow attempt (web-client.rules, High)
15708 <-> EXPLOIT Unisys Business Information Server stack buffer overflow attempt (exploit.rules, High)
15709 <-> WEB-CLIENT Adobe Acrobat and Adobe Reader FlateDecode integer overflow attempt (web-client.rules, High)
15710 <-> NETBIOS DCERPC NCACN-IP-TCP brightstor opcode 0x3B null strings attempt (netbios.rules, Medium)
15711 <-> CHAT mIRC PRIVMSG message processing overflow attempt (chat.rules, High)
15712 <-> SCADA DNP3 declared length too small (scada.rules, Low)
15713 <-> SCADA DNP3 device trouble (scada.rules, Low)
15714 <-> SCADA DNP3 corrupt configuration (scada.rules, Low)
15715 <-> SCADA DNP3 event buffer overflow error (scada.rules, Low)
15716 <-> SCADA DNP3 parameter error (scada.rules, Low)
15717 <-> SCADA DNP3 unknown object error (scada.rules, Low)
15718 <-> SCADA DNP3 unsupported function code error (scada.rules, Low)
15719 <-> SCADA DNP3 link service not supported (scada.rules, Low)
15720 <-> SCADA DNP3 reserved source address (scada.rules, Low)
15721 <-> SCADA DNP3 reserved destination address (scada.rules, Low)
15722 <-> SPECIFIC-THREATS Oracle database server Workspace Manager multiple SQL injection attempt (specific-threats.rules, High)
15723 <-> ORACLE Oracle database server CompressWorkspaceTree SQL injection attempt (oracle.rules, High)
15724 <-> ORACLE Oracle database server MergeWorkspace SQL injection attempt (oracle.rules, High)
15725 <-> ORACLE Oracle database server RemoveWorkspace SQL injection attempt (oracle.rules, High)
15726 <-> EXPLOIT HP OpenView Network Node Manager URI rping stack buffer overflow attempt (exploit.rules, High)

Updated rules:
3682 <-> SMTP spoofed MIME-Type auto-execution attempt (smtp.rules, High)
3683 <-> WEB-CLIENT spoofed MIME-Type auto-execution attempt (web-client.rules, High)
4135 <-> WEB-CLIENT IE JPEG heap overflow single packet attempt (web-client.rules, Medium)
4136 <-> WEB-CLIENT IE JPEG heap overflow multipacket attempt (web-client.rules, Medium)
7829 <-> SPYWARE-PUT Adware gator user-agent detected (spyware-put.rules, Low)
12741 <-> EXPLOIT Apple Quicktime TCP RTSP sdp type buffer overflow attempt (exploit.rules, High)
12742 <-> EXPLOIT Apple Quicktime UDP RTSP sdp type buffer overflow attempt (exploit.rules, High)
15696 <-> SPECIFIC-THREATS Mozilla Firefox 3.5 TraceMonkey JavaScript engine uninitialized memory corruption attempt (specific-threats.rules, High)
15699 <-> SPECIFIC-THREATS Mozilla Firefox 3.5 Mozilla Firefox 3.5 unicode stack overflow attempt (specific-threats.rules, High)