[Snort-sigs] Snort Community Rules Update

Sourcefire VRT research at ...435...
Tue Sep 5 10:37:12 EDT 2006

This message is to announce the availability of an update for the Sourcefire community rule set, which can be downloaded free of cost or registration from http://www.snort.org/pub-bin/downloads.cgi.

New rules in this release are identified as SIDs 100000874-100000891. These rules cover detection of TOR and Google Talk traffic, which may be policy violations in some environments; cross-site scripting attempts against the Roller Weblog system; a buffer overflow attempt against ImageMagick; remote file inclusion attacks against PHP Live Helper and Inlink; SQL injection against SimpleBlog; and other attacks against the pHNews, Proxima, pmwiki, tikiwiki, yappa-ng, and Webmin/Usermin systems.

Sourcefire would like to thank the following submitters for their contributions:

* Dan Ramaswami for SIDs 100000874-100000875
* Will Young for 100000876-100000877
* p3rlhax at ...2420... for SIDs 100000878-100000880

As a reminder, anyone who wishes to submit rules may do so at http://www.snort.org/reg-bin/rulesubmit.cgi.

A list of modified rules and their SIDs follows.

Alex Kirk
Community Rules Maintainer
Sourcefire, Inc.

100000874 || COMMUNITY MISC DLR-TOR Directory server response
100000875 || COMMUNITY MISC DLR-TOR Client Traffic
100000876 || COMMUNITY MISC Google Talk Version Check
100000877 || COMMUNITY MISC Google Talk Startup
100000878 || COMMUNITY WEB-CGI Roller Weblog XSS exploit
100000879 || COMMUNITY WEB-CGI Roller Weblog XSS exploit
100000880 || COMMUNITY WEB-CGI Roller Weblog XSS exploit
100000881 || COMMUNITY WEB-CLIENT ImageMagick SGI ZSIZE Header Information Overflow Attempt
100000882 || COMMUNITY WEB-PHP PHP Live Helper globals.php remote file include
100000883 || COMMUNITY WEB-PHP Inlink remote file inclusion exploit
100000884 || COMMUNITY WEB-MISC SimpleBlog Remote SQL Injection attempt
100000885 || COMMUNITY WEB-PHP pHNews access attempt
100000886 || COMMUNITY WEB-PHP Proxima access attempt
100000887 || COMMUNITY WEB-PHP pmwiki exploit attempt
100000888 || COMMUNITY WEB-PHP tikiwiki exploit attempt
100000889 || COMMUNITY WEB-PHP yappa-ng exploit attempt
100000890 || COMMUNITY WEB-MISC Webmin null char attempt
100000891 || COMMUNITY WEB-MISC Usermin null char attempt

More information about the Snort-sigs mailing list