[Snort-sigs] Sourcefire VRT Certified Rules Update

Sourcefire VRT research at ...435...
Wed Aug 2 17:14:03 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sourcefire VRT Certified Rules Update

Synopsis:
The Sourcefire VRT has added multiple rules to detect attempts to
exploit vulnerabilities in the Microsoft DHCP Client Service, Microsoft
Excel and Microsoft Word.


Details:
Microsoft Security Bulletin MS06-036
A buffer overflow condition in the Microsoft Windows DHCP client
service may allow a remote attacker to execute code of their choosing
on a target system. The overflow can be triggered when the client
service attempts to process a malformed server response.

A module to detect attacks against this vulnerability is included in
this rule pack and is identified as gid 3 sid 7196.

Microsoft Security Bulletin MS06-038
Multiple vulnerabilities exist in the Microsoft Office suite of
programs that may allow a remote attacker to execute code of their
choosing on an affected host. The vulnerabilities lie in the processing
of malformed strings or properties in a document.

Rules to detect attacks against these vulnerabilities are included in
this rule pack and are identified as sids 7197 through 7205.

Microsoft Security Bulletin MS06-035
Microsoft Windows SMB service is subject to a Denial of Service
condition. While this is not related directly to the vulnerabilities
outlined in MS06-035, after continuing research the Sourcefire VRT has
determined that slight modifications to rules previously released will
detect attempts to use attack vectors targeting this vulnerability.

The updated rules are included in this rule pack and are identified as
sids 7035 through 7046.


New rules:
7020 - WEB-CLIENT isComponentInstalled function call access
(web-client.rules)
7021 - DOS linux kernel SCTP chunkless packet denial of service attempt
(dos.rules)
7022 - WEB-CLIENT windows explorer invalid url file overflow attempt
(web-client.rules)
7023 - WEB-CLIENT xls file download (web-client.rules)
7024 - WEB-CLIENT excel style handling overflow attempt
(web-client.rules)
7025 - WEB-CLIENT excel url unicode overflow attempt (web-client.rules)
7026 - WEB-CLIENT RDS.Dataspace ActiveX function call access
(web-client.rules)
7027 - WEB-IIS frontpage server extensions 2002 cross site scripting
attempt (web-iis.rules)
7028 - WEB-IIS frontpage server extensions 2002 cross site scripting
attempt (web-iis.rules)
7029 - WEB-IIS frontpage server extensions 2002 cross site scripting
attempt (web-iis.rules)
7030 - POLICY silc server response attempt (policy.rules)
7031 - POLICY silc client outbound connection attempt (policy.rules)
7032 - POLICY GoToMyPC startup (policy.rules)
7033 - POLICY GoToMyPC local service running (policy.rules)
7034 - POLICY GoToMyPC remote control attempt (policy.rules)
7035 - NETBIOS SMB Trans mailslot heap overflow attempt (netbios.rules)
7036 - NETBIOS SMB Trans unicode mailslot heap overflow attempt
(netbios.rules)
7037 - NETBIOS SMB-DS Trans mailslot heap overflow attempt
(netbios.rules)
7038 - NETBIOS SMB-DS Trans unicode mailslot heap overflow attempt
(netbios.rules)
7039 - NETBIOS-DG SMB Trans mailslot heap overflow attempt
(netbios.rules)
7040 - NETBIOS-DG SMB Trans unicode mailslot heap overflow attempt
(netbios.rules)
7041 - NETBIOS SMB Trans andx mailslot heap overflow attempt
(netbios.rules)
7042 - NETBIOS SMB Trans unicode andx mailslot heap overflow attempt
(netbios.rules)
7043 - NETBIOS SMB-DS Trans andx mailslot heap overflow attempt
(netbios.rules)
7044 - NETBIOS SMB-DS Trans unicode andx mailslot heap overflow attempt
(netbios.rules)
7045 - NETBIOS-DG SMB Trans andx mailslot heap overflow attempt
(netbios.rules)
7046 - NETBIOS-DG SMB Trans unicode andx mailslot heap overflow attempt
(netbios.rules)
7047 - WEB-CLIENT excel object record overflow attempt
(web-client.rules)
7048 - WEB-CLIENT excel object record overflow attempt
(web-client.rules)

Updated rules:
1801 - DELETED WEB-IIS .asp HTTP header buffer overflow attempt
(deleted.rules)
5704 - IMAP SELECT overflow attempt (imap.rules)
7002 - WEB-CLIENT excel url unicode overflow attempt (web-client.rules)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFE0RWaMpm0ve0NhMcRAo3sAJ9e88et6EYbiJ8RVRyaDu6x1gn3HgCfW890
14G7hDfr+LRgFVZBHJgwTOM=
=HkNf
-----END PGP SIGNATURE-----




More information about the Snort-sigs mailing list