VRT Advisories

VRT Rules 2005-04-20

Sourcefire VRT Certified Rules Update

Date: 2005-04-20


After continuing research into to the Microsoft Security Bulletin (MS05-021) released on Tuesday April 12 2005, the Sourcefire Vulnerability Research Team (VRT) has released a new rule to detect possible attempts to exploit a vulnerability associated with an extended verb request in Microsoft Exchange servers. The Sourcefire VRT has received reliable reports that a worm that uses this vulnerablity to propogate is being developed.


Microsoft Exchange Servers are able to use extensions to the SMTP protocol to help communicate between Exchange servers. The "X-Link2State" verb is used to share routing information between Exchange servers.

A buffer overflow condition in the processing of this command may present an attacker with the opportunity to execute code of their choosing on an affected host.

A rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3627.


This rule will generate false positive events on normal traffic between Exchange servers. If these extensions are implemented in a network where Exchange servers are used, administrators should configure this rule as appropriate for their environment.

Rule Pack Summary:

For a complete list of new and modified rules, click here.


Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.