[Snort-sigs] Snort Community Rules Update
research at ...435...
Wed Dec 14 13:57:11 EST 2005

This message is to announce the availability of an update for the
Sourcefire community rule set, which can be downloaded free of cost or
registration from http://www.snort.org/pub-bin/downloads.cgi.

New rules in this release are identified as SIDs 100000207-100000214.
These rules detect a format string attack against the GNU Mailutils
imap4d server; the use of the NSTX tool to tunnel normal IP traffic over
DNS; a command execution attack against the FtpLocate system; the use of
"=|" constructs in URIs, which typically signify an attempt to inject
arbitrary commands; and access to four vulnerable parameters for the
Gallery g2 main.php script.

Sourcefire would like to thank rmkml for submitting SIDs 100000207 and
100000209-100000214, as well as Romain Chartier, Sylvain Sarmejeanne,
and Pierre Lalet for their collaborative submission of SID 100000208. As
a reminder, anyone who wishes to submit rules may do so at

A list of new rules and their SIDs follows.

Community Rules Maintainer

100000207 || COMMUNITY IMAP GNU Mailutils imap4d hex attempt
100000208 || COMMUNITY MISC Tunneling IP over DNS with NSTX
100000209 || COMMUNITY WEB-MISC FtpLocate flsearch.pl possible command
100000210 || COMMUNITY WEB-MISC generic cmd pipe after = attempt
100000211 || COMMUNITY WEB-PHP Gallery g2_itemId access
100000212 || COMMUNITY WEB-PHP Gallery g2_return access
100000213 || COMMUNITY WEB-PHP Gallery g2_view access
100000214 || COMMUNITY WEB-PHP Gallery g2_subView access