[Snort-sigs] VRT Certified Rules Update

Matthew Watchinski mwatchinski at ...435...
Mon Mar 28 15:30:08 EST 2005


The Sourcefire Vulnerability Research Team (VRT) has learned of serious 
vulnerabilities affecting MySQL. A new VRT Certified Ruleset has been 
released which includes rules to detect attempts to exploit this 
vulnerability. In addition, the VRT has leveraged new detection engine 
capabilities to provide coverage for an FTP port bounce attack.

The VRT has also added rules and improved detection capabilities as a 
result of ongoing research into serious vulnerabilities affecting 
Computer Associates License Server, BrightStor ARCserver and Oracle 
database servers.

Below is the complete list of rules modified and added in the Sourcefire 
VRT Certified rule pack.

New rules:
3441 - FTP PORT bounce attempt (ftp.rules)
3523 - FTP SITE INDEX format string attempt (ftp.rules)
3524 - EXPLOIT Computer Associates license invalid GCR CHECKSUMS attempt 
(exploit.rules)
3525 - EXPLOIT Computer Associates license invalid GCR NETWORK attempt 
(exploit.rules)
3526 - ORACLE XDB FTP UNLOCK overflow attempt (oracle.rules)
3527 - EXPLOIT Solaris LPD overflow attempt (exploit.rules)
3528 - MYSQL CREATE FUNCTION attempt (mysql.rules)
3529 - EXPLOIT Computer Associates license GETCONFIG client overflow 
attempt (exploit.rules)
3530 - EXPLOIT ARCserve backup UDP msg 0x99 client name overflow 
(exploit.rules)
3531 - EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow 
(exploit.rules)

Updated rules:
 256 - DNS named authors attempt (dns.rules)
 257 - DNS named version attempt (dns.rules)
1435 - DNS named authors attempt (dns.rules)
1616 - DNS named version attempt (dns.rules)
3465 - WEB-CGI RiSearch show.pl proxy attempt (web-cgi.rules)
3466 - WEB-MISC Authorization Basic overflow attempt (web-misc.rules)
3469 - WEB-CGI Ipswitch WhatsUp Gold dos attempt (web-cgi.rules)
3481 - EXPLOIT ARCserve backup UDP slot info msg client domain overflow 
(exploit.rules)
3483 - EXPLOIT ARCserve backup UDP product info msg 0x9b client domain 
overflow (exploit.rules)
3485 - EXPLOIT ARCserve backup UDP product info msg 0x9c client domain 
overflow (exploit.rules)
3517 - EXPLOIT Computer Associates license PUTOLF overflow attempt 
(exploit.rules)
3520 - EXPLOIT Computer Associates license GCR NETWORK overflow attempt 
(exploit.rules)
3521 - EXPLOIT Computer Associates license GCR CHECKSUMS overflow 
attempt (exploit.rules)
3522 - EXPLOIT Computer Associates license GETCONFIG server overflow 
attempt (exploit.rules)

This ruleset is available at http://www.snort.org/pub-bin/downloads.cgi

Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.




More information about the Snort-sigs mailing list