[Snort-sigs] VRT Certified Rules Update
mwatchinski at ...435...
Tue Apr 5 14:54:29 EDT 2005
The Sourcefire Vulnerability Research Team (VRT) has learned of serious
vulnerabilities affecting various implementations of Telnet.

The Telnet protocol can be used to connect to remote machines over a
network. A telnet client and server can negotiate various options, such
as the character set to be used in the communication exchange. Various
environment variables can also be set by issuing commands from the client.

Programming errors in the telnet client code from various vendors may
present an attacker with the opportunity to overflow a fixed-length buffer.

Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3533 and 3537.

Below is the complete list of rules modified and added in the Sourcefire
VRT Certified Rule Pack.

3532 - FTP ORACLE password buffer overflow attempt (ftp.rules)
3533 - TELNET client LINEMODE SLC overflow attempt (telnet.rules)
3534 - WEB-CLIENT Mozilla GIF heap overflow (web-client.rules)
3535 - WEB-CLIENT GIF transfer (web-client.rules)
3536 - WEB-CLIENT Mozilla GIF multipacket heap overflow (web-client.rules)
3537 - TELNET client ENV OPT escape overflow attempt (telnet.rules)
3538 - EXPLOIT RADIUS registration MSID overflow attempt (exploit.rules)
3539 - EXPLOIT RADIUS MSID overflow attempt (exploit.rules)
3540 - EXPLOIT RADIUS registration vendor ATTR_TYPE_STR overflow attempt
3541 - EXPLOIT RADIUS ATTR_TYPE_STR overflow attempt (exploit.rules)
3542 - MS-SQL SA brute force login attempt (sql.rules)
3543 - MS-SQL SA brute force login attempt TDS v7/8 (sql.rules)
3544 - WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal
3545 - WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure
3546 - WEB-MISC TrackerCam User-Agent buffer overflow attempt
3547 - WEB-MISC TrackerCam overly long php parameter overflow attempt
3548 - WEB-MISC TrackerCam negative Content-Length attempt (web-misc.rules)
1826 - WEB-MISC WEB-INF access (web-misc.rules)
2505 - WEB-MISC SSLv3 invalid data version attempt (deleted.rules)
3152 - MS-SQL sa brute force failed login attempt (sql.rules)
3273 - MS-SQL sa brute force failed login unicode attempt (sql.rules)
This ruleset is available at http://www.snort.org/pub-bin/downloads.cgi
Director, Vulnerability Research
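
The option negotiation described in the announcement, as an added detection sketch that is not part of the original post and is not the logic of sids 3533 or 3537: it walks a server-to-client Telnet byte stream, extracts each LINEMODE SLC subnegotiation, and reports blocks that carry an unusually large or malformed set of SLC triplets. The threshold `MAX_SLC_TRIPLETS`, the function names and the sample byte strings are assumptions constructed for this example.

```python
# Telnet constants from RFC 854 and RFC 1184 (LINEMODE).
IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
LINEMODE, LM_SLC = 34, 3
MAX_SLC_TRIPLETS = 30  # assumed tuning value, not taken from the VRT rule


def subnegotiations(stream: bytes):
    """Yield (option, payload) for every complete IAC SB ... IAC SE block."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1                      # ordinary data byte
        elif stream[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                      # IAC <verb> <option>
        elif stream[i + 1] != SB:
            i += 2                      # IAC IAC or another two-byte command
        else:
            if i + 2 >= n:
                return                  # option byte not received yet
            option, j, payload = stream[i + 2], i + 3, bytearray()
            while j + 1 < n and stream[j:j + 2] != bytes([IAC, SE]):
                # IAC IAC inside a subnegotiation is one literal 0xFF byte.
                j += 2 if stream[j:j + 2] == bytes([IAC, IAC]) else 1
                payload.append(stream[j - 1])
            if j + 1 >= n:
                return                  # unterminated block: wait for more data
            yield option, bytes(payload)
            i = j + 2


def find_slc_anomalies(stream: bytes, max_triplets: int = MAX_SLC_TRIPLETS):
    """Return (triplet_count, leftover_bytes) for each suspicious SLC block."""
    findings = []
    for option, payload in subnegotiations(stream):
        if option == LINEMODE and payload[:1] == bytes([LM_SLC]):
            triplets, leftover = divmod(len(payload) - 1, 3)
            if triplets > max_triplets or leftover:
                findings.append((triplets, leftover))
    return findings


# Constructed sample traffic (server-to-client bytes), not captured data.
BENIGN = bytes([IAC, DO, LINEMODE, IAC, SB, LINEMODE, LM_SLC,
                3, 2, 3, 1, 0, IAC, IAC, IAC, SE])
OVERSIZED = bytes([IAC, SB, LINEMODE, LM_SLC]) + bytes([3, 2, 3]) * 100 + bytes([IAC, SE])

if __name__ == "__main__":
    print(find_slc_anomalies(BENIGN), find_slc_anomalies(OVERSIZED))
```

A block that is cut off before `IAC SE` is not reported, so a caller working on live traffic should buffer the stream across packets before running the check.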