Sourcefire VRT Rules Update

Date: 2009-11-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.

The format of the file is:

sid <-> Message (rule group, priority)

New rules:
16286 <-> WEB-MISC TrueType font file download request (web-misc.rules, Low)
16287 <-> NETBIOS SMB Negotiate Protocol response DoS attempt (netbios.rules, Medium)
16288 <-> SPECIFIC-THREATS Sun Java Runtime AWT setDifflCM stack buffer overflow attempt (specific-threats.rules, High)
16289 <-> BACKDOOR Clob bot traffic (backdoor.rules, High)
16290 <-> ORACLE Oracle database server CREATE_TABLES SQL injection attempt (oracle.rules, High)
16291 <-> WEB-CLIENT Mozilla Network Security Services regexp heap overflow attempt (web-client.rules, High)
16292 <-> SPECIFIC-THREATS Mozilla CSS value counter overflow attempt (specific-threats.rules, High)
16293 <-> WEB-CLIENT Adobe Shockwave Flash memory corruption attempt (web-client.rules, High)
16295 <-> WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields (web-client.rules, High)
16296 <-> WEB-CLIENT Kaspersky antivirus library heap buffer overflow - with optional fields (web-client.rules, High)
16297 <-> SPECIFIC-THREATS Palevo bot DNS request for C&C attempt (specific-threats.rules, High)
16298 <-> SPECIFIC-THREATS Palevo bot DNS request attempt (specific-threats.rules, Low)
16299 <-> SPECIFIC-THREATS Palevo bot DNS request attempt (specific-threats.rules, Low)
16300 <-> WEB-CLIENT HTML DOM invalid DHTML comment creation attempt (web-client.rules, High)
16301 <-> WEB-CLIENT HTML DOM invalid DHTML textnode creation attempt (web-client.rules, High)

Updated rules:
 241 <-> DDOS shaft synflood (ddos.rules, Medium)
2950 <-> DELETED NETBIOS SMB too many stacked requests (deleted.rules, Low)
3549 <-> WEB-CLIENT HTML DOM invalid DHTML element creation attempt (web-client.rules, High)
5888 <-> SPYWARE-PUT Hijacker shopnav runtime detection - ie auto search hijack (spyware-put.rules, Low)
13465 <-> WEB-CLIENT Microsoft Works file download request (web-client.rules, Low)
13584 <-> WEB-CLIENT csv file download request (web-client.rules, Low)
13763 <-> DELETED Snoopware xpress remote runtime detection - init connection (deleted.rules, Medium)
13764 <-> SPYWARE-PUT Snoopware xpress remote runtime detection - init connection (spyware-put.rules, Medium)
13801 <-> WEB-CLIENT RTF file download (web-client.rules, Low)
13924 <-> EXPLOIT Lotus Domino HTTP header overflow attempt (exploit.rules, High)
14019 <-> WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt (web-client.rules, High)
14020 <-> WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt (web-client.rules, High)
15294 <-> WEB-CLIENT Microsoft Visio file download request (web-client.rules, Low)
15442 <-> MYSQL XML Functions ExtractValue Scalar XPath denial of service attempt (mysql.rules, Medium)
15443 <-> MYSQL XML Functions UpdateXML Scalar XPath denial of service attempt (mysql.rules, Medium)
15895 <-> DELETED CHAT Pidgin MSN P2P message 64bit integer overflow attempt (deleted.rules, High)
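The entry format above (sid, message, rule group, priority) is regular enough to parse, which is useful when reviewing a rule pack before deploying it: which high-priority rules are new, and which existing rules were retired into deleted.rules. The following is an added example, not part of the Sourcefire VRT update or any Sourcefire tooling; the function names, the regular expression and the `deleted` flag are my own, and the sample text embeds a handful of entries copied from this update to run against offline.

```python
import re
from collections import Counter

# Entry format from the update notes: "sid <-> Message (rule group, priority)".
# The rule group is a *.rules file name; priority is Low, Medium or High.
# (Regex and field names are assumptions made for this example.)
ENTRY_RE = re.compile(
    r"^\s*(?P<sid>\d+)\s*<->\s*(?P<msg>.+?)\s*"
    r"\((?P<group>[\w.-]+\.rules),\s*(?P<priority>Low|Medium|High)\)\s*$"
)

# Constructed sample: a subset of this update's entries, copied verbatim.
SAMPLE = """Sourcefire VRT Rules Update

Date: 2009-11-18

New rules:
16286 <-> WEB-MISC TrueType font file download request (web-misc.rules, Low)
16288 <-> SPECIFIC-THREATS Sun Java Runtime AWT setDifflCM stack buffer overflow attempt (specific-threats.rules, High)
16297 <-> SPECIFIC-THREATS Palevo bot DNS request for C&C attempt (specific-threats.rules, High)

Updated rules:
 241 <-> DDOS shaft synflood (ddos.rules, Medium)
2950 <-> DELETED NETBIOS SMB too many stacked requests (deleted.rules, Low)
13764 <-> SPYWARE-PUT Snoopware xpress remote runtime detection - init connection (spyware-put.rules, Medium)
"""


def parse_entry(line):
    """Parse one changelog entry; return a dict, or None for any non-entry line."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    group, msg = m.group("group"), m.group("msg")
    return {
        "sid": int(m.group("sid")),
        "msg": msg,
        "group": group,
        "priority": m.group("priority"),
        # Retired rules are moved into deleted.rules and their message gains a DELETED prefix;
        # either signal is treated as "retired" here.
        "deleted": group == "deleted.rules" or msg.startswith("DELETED "),
    }


def parse_update(text):
    """Split an update file into its 'New rules' and 'Updated rules' sections."""
    sections = {"New rules": [], "Updated rules": []}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":") and stripped[:-1] in sections:
            current = stripped[:-1]
            continue
        entry = parse_entry(line)
        if entry is not None and current is not None:
            sections[current].append(entry)
    return sections


def summarize(sections):
    """What a reviewer checks before pushing a pack: new High-priority sids,
    retired sids, and how many entries touched each rule group."""
    new, updated = sections["New rules"], sections["Updated rules"]
    return {
        "new_high": sorted(e["sid"] for e in new if e["priority"] == "High"),
        "retired": sorted(e["sid"] for e in updated if e["deleted"]),
        "groups": Counter(e["group"] for e in new + updated),
    }


if __name__ == "__main__":
    report = summarize(parse_update(SAMPLE))
    print("new High-priority sids:", report["new_high"])
    print("retired sids:", report["retired"])
    for group, n in report["groups"].most_common():
        print(f"{group}: {n}")
```

Run it against the full text of an update file instead of `SAMPLE` to get the same report for the whole pack; entries whose message contains parentheses still parse, because the trailing `(group, priority)` is anchored to the end of the line.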