[Snort-sigs] Sourcefire VRT Certified Rules Update

Sourcefire VRT research at ...435...
Wed May 24 12:21:02 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sourcefire VRT Certified Rules Update

Synopsis:
The Sourcefire VRT has learned of vulnerabilities affecting hosts using
RealVNC.

Details:
RealVNC is a multi platform remote administration tool that allows
networked hosts to connect to other hosts or mobile devices. It has a
client-server architecture that requires the remote user to
authenticate on connection to a RealVNC server.

A programming error in the authentication mechanism for RealVNC may
allow an attacker to gain access to the host without supplying the
correct credentials.

Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 6469 through 6471.

In response to continued feedback regarding the spyware-put rules, the
Sourcefire VRT is continuing to improve coverage provided by these
rules and the accuracy of detection. This rulepack contains
modifications to this set of rules.

New rules:
6467 - CHAT jabber traffic detected (chat.rules)
6468 - CHAT jabber file transfer request (chat.rules)
6469 - EXPLOIT RealVNC connection attempt (exploit.rules)
6470 - EXPLOIT RealVNC authentication types sent attempt
(exploit.rules)
6471 - EXPLOIT RealVNC password authentication bypass vulnerability
attempt (exploit.rules)

Updated rules:
~ 108 - BACKDOOR QAZ Worm Client Login access (backdoor.rules)
6021 - BACKDOOR silent spy 2.10 command response port 4225
(backdoor.rules)
6022 - BACKDOOR silent spy 2.10 command response port 4226
(backdoor.rules)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD4DBQFEdLHRMpm0ve0NhMcRAjOBAJ9FzNMa8S97iDLtAPlcIS8op8mv1QCSAy1B
GpkEJWOmi29K0VttTjkQkQ==
=/L8g
-----END PGP SIGNATURE-----




More information about the Snort-sigs mailing list