Sourcefire VRT Rules Update
Date: 2009-11-18
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.
The format of the file is:
sid - Message (rule group, priority)
New rules:

16286 <-> WEB-MISC TrueType font file download request (web-misc.rules, Low)
16287 <-> NETBIOS SMB Negotiate Protocol response DoS attempt (netbios.rules, Medium)
16288 <-> SPECIFIC-THREATS Sun Java Runtime AWT setDifflCM stack buffer overflow attempt (specific-threats.rules, High)
16289 <-> BACKDOOR Clob bot traffic (backdoor.rules, High)
16290 <-> ORACLE Oracle database server CREATE_TABLES SQL injection attempt (oracle.rules, High)
16291 <-> WEB-CLIENT Mozilla Network Security Services regexp heap overflow attempt (web-client.rules, High)
16292 <-> SPECIFIC-THREATS Mozilla CSS value counter overflow attempt (specific-threats.rules, High)
16293 <-> WEB-CLIENT Adobe Shockwave Flash memory corruption attempt (web-client.rules, High)
16295 <-> WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields (web-client.rules, High)
16296 <-> WEB-CLIENT Kaspersky antivirus library heap buffer overflow - with optional fields (web-client.rules, High)
16297 <-> SPECIFIC-THREATS Palevo bot DNS request for C&C attempt (specific-threats.rules, High)
16298 <-> SPECIFIC-THREATS Palevo bot DNS request attempt (specific-threats.rules, Low)
16299 <-> SPECIFIC-THREATS Palevo bot DNS request attempt (specific-threats.rules, Low)
16300 <-> WEB-CLIENT HTML DOM invalid DHTML comment creation attempt (web-client.rules, High)
16301 <-> WEB-CLIENT HTML DOM invalid DHTML textnode creation attempt (web-client.rules, High)

Updated rules:

241 <-> DDOS shaft synflood (ddos.rules, Medium)
2950 <-> DELETED NETBIOS SMB too many stacked requests (deleted.rules, Low)
3549 <-> WEB-CLIENT HTML DOM invalid DHTML element creation attempt (web-client.rules, High)
5888 <-> SPYWARE-PUT Hijacker shopnav runtime detection - ie auto search hijack (spyware-put.rules, Low)
13465 <-> WEB-CLIENT Microsoft Works file download request (web-client.rules, Low)
13584 <-> WEB-CLIENT csv file download request (web-client.rules, Low)
13763 <-> DELETED Snoopware xpress remote runtime detection - init connection (deleted.rules, Medium)
13764 <-> SPYWARE-PUT Snoopware xpress remote runtime detection - init connection (spyware-put.rules, Medium)
13801 <-> WEB-CLIENT RTF file download (web-client.rules, Low)
13924 <-> EXPLOIT Lotus Domino HTTP header overflow attempt (exploit.rules, High)
14019 <-> WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt (web-client.rules, High)
14020 <-> WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt (web-client.rules, High)
15294 <-> WEB-CLIENT Microsoft Visio file download request (web-client.rules, Low)
15442 <-> MYSQL XML Functions ExtractValue Scalar XPath denial of service attempt (mysql.rules, Medium)
15443 <-> MYSQL XML Functions UpdateXML Scalar XPath denial of service attempt (mysql.rules, Medium)
15895 <-> DELETED CHAT Pidgin MSN P2P message 64bit integer overflow attempt (deleted.rules, High)
