Sourcefire VRT Rules Update

Date: 2010-02-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version CURRENT.

Each entry below has the format:

sid <-> Message (rules file, priority)
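As an added example (not part of the VRT update text or of any Sourcefire tooling), here is a small Python parser for this record format. It turns the entries into structured records, tags each with the section it appeared under, flags entries whose rules file does not match the message's category prefix, and groups SIDs that share one message text. The sample input is six lines copied from this update plus one constructed line (SID 99999) with a deliberately mismatched category; the section header spellings and the High/Medium/Low vocabulary are taken from the text above, and acceptance of a "Deleted rules:" header is an assumption.

```python
"""Parse a Sourcefire VRT rule-update changelog into structured records.

Added example for this page, not Sourcefire/VRT tooling. Assumptions beyond the
text above: a "Deleted rules:" section header is accepted alongside "New rules:"
and "Updated rules:", and priorities are one of High, Medium, Low.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One entry: "<sid> <-> <CATEGORY> <rest of message> (<rules file>, <priority>)"
ENTRY_RE = re.compile(
    r"^(?P<sid>\d+)\s+<->\s+(?P<msg>.+?)\s+"
    r"\((?P<rulefile>[\w.-]+\.rules),\s*(?P<priority>High|Medium|Low)\)$"
)
SECTION_RE = re.compile(r"^(?P<name>New|Updated|Deleted) rules:$")


@dataclass(frozen=True)
class Entry:
    sid: int
    section: str    # "new", "updated" or "deleted"
    category: str   # leading classification token of the msg, e.g. "RPC", "SPECIFIC-THREATS"
    message: str    # msg text after the category token
    rulefile: str   # e.g. "rpc.rules"
    priority: str   # "High", "Medium" or "Low"


def parse_update(text: str) -> list[Entry]:
    """Return every well-formed entry, tagged with the section it appeared under."""
    entries: list[Entry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name").lower()
            continue
        m = ENTRY_RE.match(line)
        if m and section is not None:
            category, _, message = m.group("msg").partition(" ")
            entries.append(Entry(int(m.group("sid")), section, category, message,
                                 m.group("rulefile"), m.group("priority")))
    return entries


def mismatched_rulefiles(entries: list[Entry]) -> list[Entry]:
    """Entries whose rules file does not match the message's category prefix.

    The rules file is named after the category ("WEB-MISC" -> web-misc.rules),
    so a mismatch usually means a mistyped category in the msg string."""
    return [e for e in entries if e.rulefile != e.category.lower() + ".rules"]


def duplicate_messages(entries: list[Entry]) -> dict[tuple[str, str], list[int]]:
    """SIDs that share an identical msg string (typical of per-port or per-direction
    variants of one check); worth knowing when tuning, since alerts read the same."""
    by_msg: dict[tuple[str, str], list[int]] = {}
    for e in entries:
        by_msg.setdefault((e.category, e.message), []).append(e.sid)
    return {k: v for k, v in by_msg.items() if len(v) > 1}


def priority_counts(entries: list[Entry], section: Optional[str] = None) -> Counter:
    """Count entries per priority, optionally restricted to one section."""
    return Counter(e.priority for e in entries if section is None or e.section == section)


# Sample input: six entries copied from this update, plus one constructed line
# (SID 99999) whose category does not match its rules file.
SAMPLE = """\
New rules:
16438 <-> ORACLE WebLogic Server Node Manager arbitrary command execution attempt (oracle.rules, High)
16445 <-> SPECIFIC-THREATS Digium Asterisk IAX2 ack response denial of service attempt (specific-threats.rules, Medium)
16446 <-> RPC portmap Solaris sadmin tcp request (rpc.rules, Medium)

Updated rules:
8429 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules, High)
8431 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules, High)
16433 <-> DELETED EXPLOIT Microsoft Active Directory LDAP query handling denial of service (deleted.rules, Medium)
99999 <-> WEB-MISC constructed entry with a mistyped category (web-client.rules, Low)
"""

if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    print(f"{len(parsed)} entries; by priority: {dict(priority_counts(parsed))}")
    for e in mismatched_rulefiles(parsed):
        print(f"rules-file mismatch: sid {e.sid} {e.category} -> {e.rulefile}")
    for (cat, msg), sids in duplicate_messages(parsed).items():
        print(f"shared msg {cat} {msg!r}: sids {sids}")
```

Run it against the full text of an update to get a per-section priority breakdown before deciding which new SIDs to enable, and to catch category/rules-file inconsistencies before they reach a rule-management workflow that keys on the category prefix.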

New rules:
16438 <-> ORACLE WebLogic Server Node Manager arbitrary command execution attempt (oracle.rules, High)
16439 <-> SPECIFIC-THREATS Possible Zeus User-Agent - _TEST_ (specific-threats.rules, High)
16440 <-> SPECIFIC-THREATS Possible Zeus User-Agent - ie (specific-threats.rules, High)
16441 <-> SPECIFIC-THREATS Possible Zeus User-Agent - Download (specific-threats.rules, High)
16442 <-> SPECIFIC-THREATS Possible Zeus User-Agent - Mozilla (specific-threats.rules, High)
16443 <-> CHAT deny Gmail chat DNS request (chat.rules, High)
16444 <-> SPECIFIC-THREATS HP StorageWorks storage mirroring double take service code execution attempt (specific-threats.rules, High)
16445 <-> SPECIFIC-THREATS Digium Asterisk IAX2 ack response denial of service attempt (specific-threats.rules, Medium)
16446 <-> RPC portmap Solaris sadmin tcp request (rpc.rules, Medium)
16447 <-> RPC portmap Solaris sadmin udp request (rpc.rules, Medium)
16448 <-> RPC portmap Solaris sadmin tcp adm_build_path overflow attempt (rpc.rules, Medium)
16449 <-> RPC portmap Solaris sadmin udp adm_build_path overflow attempt (rpc.rules, Medium)
16450 <-> SQL Jive Software Openfire Jabber Server SQL injection attempt (sql.rules, High)
16451 <-> WEB-CLIENT Palm WebOS 1.2.0 floating point exception denial of service attempt (web-client.rules, Medium)

Updated rules:
1091 <-> WEB-MISC ICQ Webfront HTTP DOS (web-misc.rules, High)
2273 <-> IMAP login brute force attempt (imap.rules, Medium)
2274 <-> POP3 login brute force attempt (pop3.rules, Medium)
2275 <-> SMTP AUTH LOGON brute force attempt (smtp.rules, Medium)
2517 <-> IMAP PCT Client_Hello overflow attempt (imap.rules, High)
2518 <-> POP3 PCT Client_Hello overflow attempt (pop3.rules, High)
2528 <-> SMTP PCT Client_Hello overflow attempt (smtp.rules, High)
2923 <-> NETBIOS SMB repeated logon failure (netbios.rules, High)
2924 <-> NETBIOS SMB-DS repeated logon failure (netbios.rules, High)
3152 <-> SQL sa brute force failed login attempt (sql.rules, High)
3192 <-> WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt (web-client.rules, High)
3273 <-> SQL sa brute force failed login unicode attempt (sql.rules, High)
3511 <-> SMTP PCT Client_Hello overflow attempt (smtp.rules, High)
3542 <-> SQL SA brute force login attempt (sql.rules, Medium)
3543 <-> SQL SA brute force login attempt TDS v7/8 (sql.rules, Medium)
4984 <-> SQL sa brute force failed login unicode attempt (sql.rules, High)
6031 <-> BACKDOOR fkwp 2.0 runtime detection - connection attempt server-to-client (backdoor.rules, High)
8426 <-> WEB-MISC SSLv2 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8427 <-> WEB-MISC SSLv3 openssl get shared ciphers overflow attempt (web-misc.rules, High)
8429 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules, High)
8430 <-> POP3 SSLv3 openssl get shared ciphers overflow attempt (pop3.rules, High)
8431 <-> POP3 SSLv2 openssl get shared ciphers overflow attempt (pop3.rules, High)
8432 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8433 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8434 <-> SMTP SSLv3 openssl get shared ciphers overflow attempt (smtp.rules, High)
8435 <-> SMTP SSLv3 openssl get shared ciphers overflow attempt (smtp.rules, High)
8437 <-> SMTP SSLv2 openssl get shared ciphers overflow attempt (smtp.rules, High)
8438 <-> IMAP SSLv2 openssl get shared ciphers overflow attempt (imap.rules, High)
8439 <-> IMAP SSLv3 openssl get shared ciphers overflow attempt (imap.rules, High)
13948 <-> DNS large number of NXDOMAIN replies - possible DNS cache poisoning (dns.rules, Medium)
13949 <-> DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers (dns.rules, Medium)
15259 <-> DOS DNS root query traffic amplification attempt (dos.rules, Low)
15260 <-> DOS DNS root query response traffic amplification attempt (dos.rules, Low)
15263 <-> ORACLE BEA WebLogic Apache connector HTTP version denial of service attempt (oracle.rules, Medium)
15414 <-> SCADA OMRON-FINS program area protect clear brute force attempt (scada.rules, Low)
15481 <-> SPECIFIC-THREATS Zeus/Zbot malware config file download request (specific-threats.rules, High)
15936 <-> SPECIFIC-THREATS Sendmail identd command parsing vulnerability (specific-threats.rules, High)
16350 <-> MISC ntp mode 7 denial of service attempt (misc.rules, Medium)
16429 <-> WEB-MISC Novell iManager eDirectory plugin schema buffer overflow attempt - GET request (web-misc.rules, High)
16430 <-> WEB-MISC Novell iManager eDirectory plugin schema buffer overflow attempt - POST request (web-misc.rules, High)
16433 <-> DELETED EXPLOIT Microsoft Active Directory LDAP query handling denial of service (deleted.rules, Medium)