[Snort-sigs] Snort Community Rules Update

Sourcefire VRT research at ...435...
Wed Dec 14 13:57:11 EST 2005

This message is to announce the availability of an update for the 
Sourcefire community rule set, which can be downloaded free of cost or 
registration from http://www.snort.org/pub-bin/downloads.cgi.

New rules in this release are identified as SIDs 100000207-100000214. 
These rules detect a format string attack against the GNU Mailutils 
imap4d server; the use of the NTSX tool to tunnel normal IP traffic over 
DNS; a command execution attack against the FtpLocate system; the use of 
"=|" constructs in URIs, which typically signify an attempt to inject 
arbitrary commands; and access to four vulnerable parameters for the 
Gallery g2 main.php script.

Sourcefire would like to thank rmkml for submitting SIDs 100000207 and 
100000209-100000214, as well as Romain Chartier, Sylvain Sarmejeanne, 
and Pierre Lalet for their collaborative submission of SID 100000208. As 
a reminder, anyone who wishes to submit rules may do so at 

A list of new rules and their SIDs follows.

Alex Kirk
Community Rules Maintainer
Sourcefire, Inc.

100000207 || COMMUNITY IMAP GNU Mailutils imap4d hex attempt
100000208 || COMMUNITY MISC Tunneling IP over DNS with NSTX
100000209 || COMMUNITY WEB-MISC FtpLocate flsearch.pl possible command 
execution attempt
100000210 || COMMUNITY WEB-MISC generic cmd pipe after = attempt
100000211 || COMMUNITY WEB-PHP Gallery g2_itemId access
100000212 || COMMUNITY WEB-PHP Gallery g2_return access
100000213 || COMMUNITY WEB-PHP Gallery g2_view access
100000214 || COMMUNITY WEB-PHP Gallery g2_subView access

More information about the Snort-sigs mailing list