[Snort-sigs] Sourcefire VRT Certified Snort Rules Update

research at ...435... research at ...435...
Fri Apr 10 17:17:10 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sourcefire VRT Certified Snort Rules Update

Synopsis:
The Sourcefire VRT is aware of a vulnerability in Microsoft PowerPoint.
This release also contains a fix for a known issue that affects the
3Dx800 platforms of the Sourcefire 3D system.

Details:
This release provides a fix to the shared object rules for detecting
Conficker activity that caused a detection engine crash on the 3Dx800
platforms.

Conficker SIDs 15449 and 15450 have been updated to prevent the crash
from occurring.

Microsoft PowerPoint Code Execution (CVE-2009-0556):
Microsoft PowerPoint contains a programming error that may allow a
remote attacker to execute code on a vulnerable system. An attacker
would need to supply a specially crafted file to cause the fault and
execute code.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3 SID 15454.

Microsoft Security Bulletin MS08-068:
A vulnerability in the Microsoft Server Message Block (SMB) protocol
may allow a remote attacker to execute code on an affected system. The
problem lies in the way that the protocol handles NTLM credentials when
users attempt to log in to a system.

An additional rule to detect attacks targeting this vulnerability is
included in this release and is identified with GID 3, SID 15453.

Conficker Worm Update:
SIDs 15449 and 15450 detect DNS traffic generated by Conficker-infected
hosts, while SIDs 15451 and 15452 detect other Conficker-related
traffic. The rules that detect variants C and D are more prone to the
generation of false positive events than the A and B variant rules.

IMPORTANT: SIDs 15449 and 15450 may have an adverse effect on sensor
performance. If this is the case, disable these two rules in favor of
SIDs 15451 and 15452, which also detect Conficker traffic but are more
prone to false positive event generation.
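The swap recommended above, as an added example that is not part of the VRT release or the Snort distribution: GID 3 rules are shared-object rules, and in Snort 2.x each one is enabled by an uncommented stub line in the so_rules stub file that snort.conf includes. The script below comments out the stubs for SIDs 15449 and 15450 and uncomments those for 15451 and 15452, and checks the result. The stub text it writes is a constructed stand-in with the same shape as a real stub (the real ones are not reproduced here); the file name and function names are this example's own.

```shell
#!/bin/sh
# Added example, not VRT or Snort code. Swaps the heavy Conficker DNS rules
# (GID 3 SIDs 15449/15450) for the lighter SIDs 15451/15452 in a shared-object
# stub rules file by commenting/uncommenting the stub lines. Edits are
# idempotent: running the script twice leaves the file unchanged.

# Comment out the stub line carrying SID $2 in file $1 (no-op if already off).
disable_sid() {
    tmp="$1.tmp"
    sed "s/^\(alert .*sid:$2;.*\)$/# \1/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Uncomment the stub line carrying SID $2 in file $1 (no-op if already on).
enable_sid() {
    tmp="$1.tmp"
    sed "s/^# *\(alert .*sid:$2;.*\)$/\1/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Exit 0 if SID $2 is currently enabled (an uncommented stub) in file $1.
sid_enabled() {
    grep -q "^alert .*sid:$2;" "$1"
}

# Apply the release note's recommendation to the given stub file.
prefer_lightweight_conficker() {
    f="$1"
    disable_sid "$f" 15449
    disable_sid "$f" 15450
    enable_sid "$f" 15451
    enable_sid "$f" 15452
}

# Constructed sample stub file (shape only; not the actual VRT stub text).
# Mirrors a sensor where the DNS rules are on and the other two are off.
make_sample_rules() {
    cat > "$1" <<'EOF'
alert udp $HOME_NET any -> any 53 (msg:"CONSTRUCTED conficker dns A"; sid:15449; gid:3; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"CONSTRUCTED conficker dns B"; sid:15450; gid:3; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED conficker other A"; sid:15451; gid:3; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED conficker other B"; sid:15452; gid:3; rev:1;)
EOF
}

# Usage: sh swap_conficker.sh /etc/snort/so_rules/netbios.rules
# (path is an assumption; use whichever stub file your install includes).
if [ $# -eq 1 ]; then
    prefer_lightweight_conficker "$1"
    for s in 15449 15450 15451 15452; do
        if sid_enabled "$1" "$s"; then echo "sid $s: enabled"; else echo "sid $s: disabled"; fi
    done
fi
```

On a Sourcefire 3D sensor the same change is made in the intrusion policy rather than by editing stub files directly, and installs managed by Oinkmaster or PulledPork should instead record the two SIDs in that tool's disable list so the next rule update does not re-enable them.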

For a complete list of new and modified rules please see:

http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2009-04-10.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJ36OXQcQOxItLLaMRAkJqAJ9i2fXShYrFWXvCam0jfiGEWyMLuwCgnHUL
AvmHJwT2/foZYEDHZSu1R6o=
=hysC
-----END PGP SIGNATURE-----