[Snort-sigs] Sourcefire VRT Certified Rules Update

Sourcefire VRT research at ...435...
Wed Mar 8 15:28:02 EST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sourcefire VRT Certified Rules Update

Synopsis:
The Sourcefire VRT has added rules and improved detection
capabilities as a result of ongoing research into vulnerabilities and
in response to feedback regarding rule performance in certain
situations.


Details:
Microsoft Security Bulletin MS05-027
A buffer overflow exists in the SMB (Server Message Block) Protocol
implementation in Microsoft Windows 2000, Windows XP and Windows 2003
that allows attackers to cause a denial of service via a malformed
request.

Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 5727 through 5783.
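The rule names below (Max Param/Count DOS attempt, Max Param DOS attempt) refer to the MaxParameterCount and MaxDataCount fields of an SMB_COM_TRANSACTION request. As an added example that is not part of this announcement or of the VRT rules, the following Python code parses such a request as it is carried over the NetBIOS session service on TCP 139/445 and flags values above a threshold. The frame layout follows the documented SMB header and Trans request word block; the thresholds DEFAULT_MAX_PARAM and DEFAULT_MAX_DATA and the build_trans_frame helper are assumptions made for the example, not the VRT's detection logic.

```python
"""Parse SMB_COM_TRANSACTION requests over the NetBIOS session service and
flag oversized MaxParameterCount / MaxDataCount values (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

NBSS_HEADER_LEN = 4          # NetBIOS session service: type (1) + length (3, big-endian)
SMB_HEADER_LEN = 32          # fixed SMB header
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25
SMB_FLAGS2_UNICODE = 0x8000  # bit in the Flags2 header field

# Illustrative thresholds: an assumption for this example, not the VRT rule values.
DEFAULT_MAX_PARAM = 1024
DEFAULT_MAX_DATA = 16384

# Fixed Trans request words (14 words = 28 bytes), little-endian, no padding:
# TotalParameterCount, TotalDataCount, MaxParameterCount, MaxDataCount,
# MaxSetupCount, Reserved1, Flags, Timeout, Reserved2, ParameterCount,
# ParameterOffset, DataCount, DataOffset, SetupCount, Reserved3
TRANS_WORDS_FMT = "<HHHHBBHIHHHHHBB"
TRANS_WORDS_LEN = struct.calcsize(TRANS_WORDS_FMT)  # 28


@dataclass
class TransRequest:
    total_param_count: int
    total_data_count: int
    max_param_count: int
    max_data_count: int
    max_setup_count: int
    setup_count: int
    unicode: bool


def parse_trans_request(frame: bytes) -> Optional[TransRequest]:
    """Return the Trans request fields, or None if the frame is not one."""
    if len(frame) < NBSS_HEADER_LEN + SMB_HEADER_LEN + 1 + TRANS_WORDS_LEN:
        return None
    msg_type = frame[0]
    length = int.from_bytes(frame[1:4], "big")
    # Only session messages (type 0x00) carry SMB; the declared length must fit.
    if msg_type != 0x00 or len(frame) - NBSS_HEADER_LEN < length:
        return None
    smb = frame[NBSS_HEADER_LEN:NBSS_HEADER_LEN + length]
    if smb[:4] != SMB_MAGIC or smb[4] != SMB_COM_TRANSACTION:
        return None
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    word_count = smb[SMB_HEADER_LEN]
    # A Trans request has 14 fixed words plus SetupCount setup words.
    if word_count < 14 or len(smb) < SMB_HEADER_LEN + 1 + TRANS_WORDS_LEN:
        return None
    w = struct.unpack_from(TRANS_WORDS_FMT, smb, SMB_HEADER_LEN + 1)
    return TransRequest(
        total_param_count=w[0], total_data_count=w[1],
        max_param_count=w[2], max_data_count=w[3],
        max_setup_count=w[4], setup_count=w[13],
        unicode=bool(flags2 & SMB_FLAGS2_UNICODE),
    )


def classify(frame: bytes, max_param: int = DEFAULT_MAX_PARAM,
             max_data: int = DEFAULT_MAX_DATA) -> List[str]:
    """Return the list of threshold checks the frame trips (empty if none)."""
    req = parse_trans_request(frame)
    if req is None:
        return []
    alerts = []
    if req.max_param_count > max_param:
        alerts.append("max-param")
    if req.max_data_count > max_data:
        alerts.append("max-data")
    return alerts


def build_trans_frame(max_param: int, max_data: int, unicode: bool = False) -> bytes:
    """Construct a minimal Trans request frame (hypothetical helper for test input)."""
    flags2 = SMB_FLAGS2_UNICODE if unicode else 0
    header = (SMB_MAGIC + bytes([SMB_COM_TRANSACTION]) + b"\x00" * 4  # command, status
              + b"\x18" + struct.pack("<H", flags2)                   # flags, flags2
              + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2                # PIDHigh, security, reserved
              + struct.pack("<HHHH", 1, 2, 3, 4))                      # TID, PID, UID, MID
    words = struct.pack(TRANS_WORDS_FMT, 0, 0, max_param, max_data,
                        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    body = b"\\PIPE\\\x00"  # transaction name (constructed)
    smb = header + bytes([14]) + words + struct.pack("<H", len(body)) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    print(classify(build_trans_frame(16, 1024)))           # []
    print(classify(build_trans_frame(0xFFFF, 0xFFFF)))     # ['max-param', 'max-data']
```

The parser stops at the first structural mismatch (wrong session message type, bad magic, another command, too few words) rather than guessing, which is the behaviour a detection hook should have so that a truncated or non-SMB frame cannot produce a false alert. The Unicode flag is read from Flags2 because the rule set above carries separate unicode variants of each check.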

Apple Macintosh OS X suffers from a poorly designed use of resource
forking for applications. It may be possible for an attacker to execute
code of their choosing or execute system commands by exploiting the way
in which OS X handles the opening of files determined to be safe.

A rule to detect exploits against this vulnerability is included in
this rule pack and is identified as sid 5713.


New rules:
5714 - SMTP x-unix-mode executable mail attachment (smtp.rules)
5715 - WEB-MISC malformed ipv6 uri overflow attempt (web-misc.rules)
5716 - NETBIOS SMB-DS Trans Max Param/Count DOS attempt (netbios.rules)
5717 - NETBIOS SMB-DS Trans unicode Max Param/Count DOS attempt (netbios.rules)
5718 - NETBIOS-DG SMB Trans Max Param/Count DOS attempt (netbios.rules)
5719 - NETBIOS-DG SMB Trans unicode Max Param/Count DOS attempt (netbios.rules)
5720 - NETBIOS SMB Trans Max Param/Count DOS attempt (netbios.rules)
5721 - NETBIOS SMB Trans unicode andx Max Param/Count DOS attempt (netbios.rules)
5722 - NETBIOS SMB-DS Trans andx Max Param/Count DOS attempt (netbios.rules)
5723 - NETBIOS SMB-DS Trans unicode andx Max Param/Count DOS attempt (netbios.rules)
5724 - NETBIOS-DG SMB Trans andx Max Param/Count DOS attempt (netbios.rules)
5725 - NETBIOS-DG SMB Trans unicode andx Max Param/Count DOS attempt (netbios.rules)
5726 - NETBIOS SMB Trans andx Max Param/Count DOS attempt (netbios.rules)
5727 - NETBIOS SMB Trans unicode Max Param DOS attempt (netbios.rules)
5728 - NETBIOS SMB-DS Trans Max Param DOS attempt (netbios.rules)
5729 - NETBIOS-DG SMB Trans Max Param DOS attempt (netbios.rules)
5730 - NETBIOS SMB Trans Max Param DOS attempt (netbios.rules)
5731 - NETBIOS-DG SMB Trans unicode Max Param DOS attempt (netbios.rules)
5732 - NETBIOS SMB-DS Trans unicode Max Param DOS attempt (netbios.rules)
5733 - NETBIOS SMB Trans unicode andx Max Param DOS attempt (netbios.rules)
5734 - NETBIOS SMB-DS Trans andx Max Param DOS attempt (netbios.rules)
5735 - NETBIOS-DG SMB Trans andx Max Param DOS attempt (netbios.rules)
5736 - NETBIOS SMB Trans andx Max Param DOS attempt (netbios.rules)
5737 - NETBIOS-DG SMB Trans unicode andx Max Param DOS attempt (netbios.rules)
5738 - NETBIOS SMB-DS Trans unicode andx Max Param DOS attempt (netbios.rules)

Updated rules:
337 - FTP CEL overflow attempt (ftp.rules)
1379 - FTP STAT overflow attempt (ftp.rules)
1529 - FTP SITE overflow attempt (ftp.rules)
1621 - FTP CMD overflow attempt (ftp.rules)
1624 - FTP PWD overflow attempt (ftp.rules)
1625 - FTP SYST overflow attempt (ftp.rules)
1734 - FTP USER overflow attempt (ftp.rules)
1792 - NNTP return code buffer overflow attempt (nntp.rules)
1919 - FTP CWD overflow attempt (ftp.rules)
1942 - FTP RMDIR overflow attempt (ftp.rules)
1972 - FTP PASS overflow attempt (ftp.rules)
1973 - FTP MKD overflow attempt (ftp.rules)
1974 - FTP REST overflow attempt (ftp.rules)
1975 - FTP DELE overflow attempt (ftp.rules)
1976 - FTP RMD overflow attempt (ftp.rules)
2101 - NETBIOS SMB Trans unicode Max Param/Count DOS attempt (netbios.rules)
2338 - FTP LIST buffer overflow attempt (ftp.rules)
2343 - FTP STOR overflow attempt (ftp.rules)
2344 - FTP XCWD overflow attempt (ftp.rules)
2373 - FTP XMKD overflow attempt (ftp.rules)
2374 - FTP NLST overflow attempt (ftp.rules)
2389 - FTP RNTO overflow attempt (ftp.rules)
2391 - FTP APPE overflow attempt (ftp.rules)
2392 - FTP RETR overflow attempt (ftp.rules)
2449 - FTP ALLO overflow attempt (ftp.rules)
2546 - FTP MDTM overflow attempt (ftp.rules)
3680 - P2P AOL Instant Messenger file send attempt (p2p.rules)
3681 - P2P AOL Instant Messenger file receive attempt (p2p.rules)
4990 - MS-SQL Heap-Based Overflow Attempt (sql.rules)
5316 - EXPLOIT CA CAM log_security overflow attempt (exploit.rules)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFED2hCMpm0ve0NhMcRAm7jAJ9Aey7Vux9CtylBKQBOwIvAB//DMACgorSg
altloa2PwE7Co20ipRKR6Dw=
=uEGZ
-----END PGP SIGNATURE-----
