[Snort-sigs] Sourcefire VRT Certified Rules Update

Matthew Watchinski mwatchinski at ...435...
Wed Jun 29 12:38:05 EDT 2005

Sourcefire VRT Certified Rules Update
The Sourcefire Vulnerability Research Team (VRT) has learned of serious
vulnerabilities affecting IBM WebSphere and the Squid HTTP proxy server.

A Squid proxy server can cache resources to make access to them more
efficient.  A malformed request sent to a Squid proxy server may be
interpreted and processed differently by the proxy than by the actual
responding web server.  In particular, a malformed request that contains
two "Content-Length" header fields can be used to try to poison the
cache by causing the Squid proxy server and an upstream server to
process the contents differently.

A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 3694.

IBM WebSphere may use form-based authentication to permit access to
applications.  The CGI variables j_username and j_password are used for
this authentication process.  Overly long values passed to these
variables can cause a buffer overflow and the subsequent execution of
arbitrary code on the vulnerable server.  This is due to a failure in
the code to accommodate wide-character expansion for the receiving

A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 3693.
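As an added illustration (not code from the VRT rule pack), a small Python inspector that flags the two request shapes described above: a request carrying more than one Content-Length header, and a j_security_check POST whose j_username or j_password value exceeds a length threshold. The sample requests and the 256-byte threshold are constructed for this example; the actual rule options for sids 3693 and 3694 are in the rule files named below.

```python
import re

# Assumed threshold for this example only; not taken from the VRT rules.
MAX_CREDENTIAL_LEN = 256


def parse_request(raw):
    """Split a raw HTTP request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return request_line, headers, body


def inspect_request(raw):
    """Return alert names for the conditions described in the advisory."""
    alerts = []
    request_line, headers, body = parse_request(raw)
    # Squid: two Content-Length headers let the proxy and the origin server
    # disagree on where the body ends, which is the cache poisoning vector.
    content_lengths = [v for n, v in headers if n == "content-length"]
    if len(content_lengths) > 1:
        alerts.append("squid-duplicate-content-length")
    # WebSphere: oversized credential fields posted to j_security_check.
    if "j_security_check" in request_line:
        for field in (b"j_username", b"j_password"):
            m = re.search(field + rb"=([^&]*)", body)
            if m and len(m.group(1)) > MAX_CREDENTIAL_LEN:
                alerts.append("websphere-" + field.decode() + "-overflow")
    return alerts


# Constructed sample requests (not captured traffic).
SQUID_SAMPLE = (b"GET http://example.test/index.html HTTP/1.1\r\n"
                b"Host: example.test\r\n"
                b"Content-Length: 0\r\n"
                b"Content-Length: 44\r\n\r\n")
_WS_BODY = b"j_username=" + b"A" * 1024 + b"&j_password=x"
WEBSPHERE_SAMPLE = (b"POST /app/j_security_check HTTP/1.1\r\n"
                    b"Host: example.test\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n"
                    b"Content-Length: " + str(len(_WS_BODY)).encode()
                    + b"\r\n\r\n" + _WS_BODY)
```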

New rules:
3690 - WEB-CGI Nucleus CMS action.php itemid SQL injection (web-cgi.rules)
3691 - CHAT Yahoo Messenger Message (chat.rules)
3692 - CHAT Yahoo Messenger File Transfer Initiation Request (chat.rules)
3693 - WEB-MISC IBM WebSphere j_security_check overflow attempt (web-misc.rules)
3694 - WEB-MISC Squid content length cache poisoning attempt (web-misc.rules)

Updated rules:
272 - DOS IGMP dos attack (dos.rules)
500 - MISC source route lssr (misc.rules)
501 - MISC source route lssre (misc.rules)
658 - SMTP exchange mime DOS (smtp.rules)
661 - SMTP majordomo ifs (smtp.rules)
939 - WEB-FRONTPAGE posting (web-frontpage.rules)
978 - WEB-IIS ASP contents view (web-iis.rules)
979 - WEB-IIS ASP contents view (web-iis.rules)
1007 - WEB-IIS cross-site scripting attempt (web-iis.rules)
1010 - WEB-IIS encoding access (web-iis.rules)
1019 - IIS Malformed Hit-Highlighting Argument File Access Attempt (web-iis.rules)
1021 - WEB-IIS ism.dll attempt (web-iis.rules)
1037 - WEB-IIS showcode.asp access (web-iis.rules)
1219 - WEB-CGI dfire.cgi access (web-cgi.rules)
1455 - WEB-CGI calendar.pl access (web-cgi.rules)
1507 - WEB-CGI alibaba.pl arbitrary command execution attempt (web-cgi.rules)
1725 - WEB-IIS +.htr code fragment attempt (web-iis.rules)
1847 - WEB-MISC webalizer access (web-misc.rules)
1911 - RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt (rpc.rules)
1936 - POP3 AUTH overflow attempt (pop3.rules)
1970 - WEB-IIS MDAC Content-Type overflow attempt (web-iis.rules)
1991 - CHAT MSN login attempt (chat.rules)
2128 - WEB-CGI swsrv.cgi access (web-cgi.rules)
2338 - FTP LIST buffer overflow attempt (ftp.rules)
2456 - CHAT Yahoo Messenger File Transfer Receive Request (chat.rules)
2485 - WEB-CLIENT Norton antivirus sysmspam.dll load attempt (web-client.rules)
3218 - NETBIOS SMB OpenKey overflow attempt (netbios.rules)
3233 - NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt (netbios.rules)
3442 - DOS WIN32 TCP print service denial of service attempt (dos.rules)
3687 - TELNET client ENV OPT USERVAR information disclosure (telnet.rules)
3688 - TELNET client ENV OPT VAR information disclosure (telnet.rules)

Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.
