[Snort-sigs] VRT Certified Rules Update

Matthew Watchinski mwatchinski at ...435...
Tue Apr 5 14:54:29 EDT 2005

The Sourcefire Vulnerability Research Team (VRT) has learned of serious 
vulnerabilities affecting various implementations of Telnet.

The Telnet protocol is used to connect to remote machines over a 
network. A telnet client and server can negotiate various options, 
such as the character set to be used in the communication exchange. 
Various environment variables can also be set by issuing commands 
from the client.

Programming errors in the telnet client code from various vendors may 
give an attacker the opportunity to overflow a fixed-length buffer.

Rules to detect attacks against this vulnerability are included in this 
rule pack and are identified as sids 3533 and 3537.
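As an added illustration of what sids 3533 and 3537 look for (this is example code, not the VRT rules or Snort's own detection logic), the following parses Telnet suboption negotiation and flags oversized LINEMODE SLC and NEW-ENVIRON suboptions. Option codes come from the Telnet RFCs; the length thresholds and sample bytes are constructed assumptions.

```python
"""Heuristic check for the Telnet suboptions named in the advisory.

Telnet constants come from RFC 854, RFC 1184 and RFC 1572; the length
thresholds are illustrative assumptions, not the contents of the VRT rules.
"""
IAC, SB, SE = 255, 250, 240
LINEMODE, SLC = 34, 3            # RFC 1184: LINEMODE option, SLC suboption
NEW_ENVIRON, ENV_ESC = 39, 2     # RFC 1572: NEW-ENVIRON option, ESC byte

MAX_SLC_TRIPLETS = 32   # assumed limit; RFC 1184 defines far fewer SLC functions
MAX_ENV_ESCAPES = 16    # assumed limit on ESC bytes in one NEW-ENVIRON suboption


def iter_suboptions(data: bytes):
    """Yield (option, payload) for each IAC SB ... IAC SE, unescaping IAC IAC."""
    i = 0
    while True:
        start = data.find(bytes([IAC, SB]), i)
        if start < 0:
            return
        j = start + 2
        payload = bytearray()
        while j < len(data):
            b = data[j]
            if b == IAC and j + 1 < len(data):
                if data[j + 1] == SE:
                    break
                if data[j + 1] == IAC:          # escaped 0xFF inside the payload
                    payload.append(IAC); j += 2; continue
            payload.append(b)
            j += 1
        else:
            return                              # unterminated suboption: ignore
        if payload:
            yield payload[0], bytes(payload[1:])
        i = j + 2


def suspicious_suboptions(data: bytes) -> list[str]:
    """Return findings for oversized LINEMODE SLC / NEW-ENVIRON suboptions."""
    findings = []
    for opt, body in iter_suboptions(data):
        if opt == LINEMODE and body[:1] == bytes([SLC]):
            triplets = (len(body) - 1) // 3     # SLC entries are 3-byte triplets
            if triplets > MAX_SLC_TRIPLETS:
                findings.append(f"LINEMODE SLC with {triplets} triplets")
        elif opt == NEW_ENVIRON and body.count(ENV_ESC) > MAX_ENV_ESCAPES:
            findings.append(f"NEW-ENVIRON with {body.count(ENV_ESC)} ESC bytes")
    return findings


# Constructed samples: a benign SLC (2 triplets) and an oversized one (40 triplets).
BENIGN = bytes([IAC, SB, LINEMODE, SLC, 1, 2, 3, 4, 5, 6, IAC, SE])
OVERSIZED = bytes([IAC, SB, LINEMODE, SLC]) + bytes([1, 2, 3]) * 40 + bytes([IAC, SE])
```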

Below is the complete list of rules modified and added in the Sourcefire 
VRT Certified Rule Pack.

New rules:
3532 - FTP ORACLE password buffer overflow attempt (ftp.rules)
3533 - TELNET client LINEMODE SLC overflow attempt (telnet.rules)
3534 - WEB-CLIENT Mozilla GIF heap overflow (web-client.rules)
3535 - WEB-CLIENT GIF transfer (web-client.rules)
3536 - WEB-CLIENT Mozilla GIF multipacket heap overflow (web-client.rules)
3537 - TELNET client ENV OPT escape overflow attempt (telnet.rules)
3538 - EXPLOIT RADIUS registration MSID overflow attempt (exploit.rules)
3539 - EXPLOIT RADIUS MSID overflow attempt (exploit.rules)
3540 - EXPLOIT RADIUS registration vendor ATTR_TYPE_STR overflow attempt 
3541 - EXPLOIT RADIUS ATTR_TYPE_STR overflow attempt (exploit.rules)
3542 - MS-SQL SA brute force login attempt (sql.rules)
3543 - MS-SQL SA brute force login attempt TDS v7/8 (sql.rules)
3544 - WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt (web-misc.rules)
3545 - WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure 
3546 - WEB-MISC TrackerCam User-Agent buffer overflow attempt 
3547 - WEB-MISC TrackerCam overly long php parameter overflow attempt 
3548 - WEB-MISC TrackerCam negative Content-Length attempt (web-misc.rules)

Updated rules:
1826 - WEB-MISC WEB-INF access (web-misc.rules)
2505 - WEB-MISC SSLv3 invalid data version attempt (deleted.rules)
3152 - MS-SQL sa brute force failed login attempt (sql.rules)
3273 - MS-SQL sa brute force failed login unicode attempt (sql.rules)

This ruleset is available at http://www.snort.org/pub-bin/downloads.cgi

Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.
