Snort - Network Intrusion Detection & Prevention System

VRT Rules 2014-10-08

This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the browser-plugins, file-office, file-other, protocol-dns, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2956

2014-10-08 15:12:56 UTC

Sourcefire VRT Rules Update

Date: 2014-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32100 <-> DISABLED <-> FILE-OTHER Adobe Flash Player integer overflow out-of-bounds read attempt (file-other.rules)
 * 1:32102 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules)
 * 1:32099 <-> DISABLED <-> FILE-OTHER Adobe Flash Player integer overflow out-of-bounds read attempt (file-other.rules)
 * 1:32104 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules)
 * 1:32109 <-> DISABLED <-> SERVER-WEBAPP Easy File Management stack buffer overflow attempt (server-webapp.rules)
 * 1:32103 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules)
 * 1:32105 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules)
 * 3:32111 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32115 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:32113 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32112 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32107 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)
 * 3:32106 <-> ENABLED <-> SERVER-OTHER Cisco ASA SCPS command injection attempt (server-other.rules)
 * 3:32116 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:32101 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN login.html memory corruption attempt (server-webapp.rules)
 * 3:32114 <-> ENABLED <-> SERVER-OTHER Cisco ASA SunRPC inspection engine denial of service attempt (server-other.rules)
 * 3:32110 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32108 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:18582 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 1:31529 <-> ENABLED <-> SERVER-OTHER D-Link Multiple Products HNAP request buffer overflow attempt (server-other.rules)
 * 1:663 <-> DISABLED <-> SERVER-MAIL Sendmail rcpt to command attempt (server-mail.rules)
 * 1:32083 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
 * 1:16059 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
 * 1:31525 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:18581 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 1:31526 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:16216 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)

2961

2014-10-08 15:12:56 UTC

Sourcefire VRT Rules Update

Date: 2014-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32104 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules)
 * 1:32109 <-> DISABLED <-> SERVER-WEBAPP Easy File Management stack buffer overflow attempt (server-webapp.rules)
 * 1:32100 <-> DISABLED <-> FILE-OTHER Adobe Flash Player integer overflow out-of-bounds read attempt (file-other.rules)
 * 1:32103 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules)
 * 1:32105 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules)
 * 1:32102 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules)
 * 1:32099 <-> DISABLED <-> FILE-OTHER Adobe Flash Player integer overflow out-of-bounds read attempt (file-other.rules)
 * 3:32113 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32108 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)
 * 3:32114 <-> ENABLED <-> SERVER-OTHER Cisco ASA SunRPC inspection engine denial of service attempt (server-other.rules)
 * 3:32111 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32101 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN login.html memory corruption attempt (server-webapp.rules)
 * 3:32107 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)
 * 3:32106 <-> ENABLED <-> SERVER-OTHER Cisco ASA SCPS command injection attempt (server-other.rules)
 * 3:32112 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32116 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:32110 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32115 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)

Modified Rules:


 * 1:31525 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:31529 <-> ENABLED <-> SERVER-OTHER D-Link Multiple Products HNAP request buffer overflow attempt (server-other.rules)
 * 1:16059 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
 * 1:31526 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:32083 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
 * 1:16216 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 1:18582 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 1:663 <-> DISABLED <-> SERVER-MAIL Sendmail rcpt to command attempt (server-mail.rules)
 * 1:18581 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)

2962

2014-10-08 15:12:56 UTC

Sourcefire VRT Rules Update

Date: 2014-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32109 <-> DISABLED <-> SERVER-WEBAPP Easy File Management stack buffer overflow attempt (server-webapp.rules)
 * 1:32105 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules)
 * 1:32104 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX function call access (browser-plugins.rules)
 * 1:32103 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules)
 * 1:32102 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Content CheckOutAndOpen.dll ActiveX control code execution ActiveX clsid access (browser-plugins.rules)
 * 1:32100 <-> DISABLED <-> FILE-OTHER Adobe Flash Player integer overflow out-of-bounds read attempt (file-other.rules)
 * 1:32099 <-> DISABLED <-> FILE-OTHER Adobe Flash Player integer overflow out-of-bounds read attempt (file-other.rules)
 * 3:32106 <-> ENABLED <-> SERVER-OTHER Cisco ASA SCPS command injection attempt (server-other.rules)
 * 3:32107 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)
 * 3:32101 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN login.html memory corruption attempt (server-webapp.rules)
 * 3:32116 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:32115 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
 * 3:32113 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32114 <-> ENABLED <-> SERVER-OTHER Cisco ASA SunRPC inspection engine denial of service attempt (server-other.rules)
 * 3:32112 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32111 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32110 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 denial of service attempt (server-other.rules)
 * 3:32108 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:32083 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
 * 1:16059 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
 * 1:16216 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 1:18582 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 1:18581 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt (server-other.rules)
 * 1:31525 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:31529 <-> ENABLED <-> SERVER-OTHER D-Link Multiple Products HNAP request buffer overflow attempt (server-other.rules)
 * 1:31526 <-> ENABLED <-> SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt (server-other.rules)
 * 1:663 <-> DISABLED <-> SERVER-MAIL Sendmail rcpt to command attempt (server-mail.rules)
 * 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)