SNORT VRT Certified Rules Updates

Miscellaneous updates and information for Smoothwall Express 3

Postby wkitty42 » Wed Apr 02, 2008 11:20 pm

i thought that, with the confusion there has been about Sourcefire's SNORT rules updates, that i'd post the update announcements as they arrive in my inbox... some of the confusion has been regarding updates and how often new updates are released, so i figure that by posting the announcements here, it will give everyone a chance to see how often...

those who have Sourcefire subscriptions can get these updated rules immediately... everyone else has to wait at least 30 days or wait for a new version of SNORT to be released...

don't shoot me! i'm just the messenger ;)

so, without further ado, here're the latest update announcements that i've received...
wkitty42
solar system
 
Posts: 3731
Joined: Fri Mar 26, 2004 5:06 pm
Location: Central North Carolina, USA

VRT Certified Rules Update 2007-09-25

Postby wkitty42 » Wed Apr 02, 2008 11:21 pm

VRT Certified Rules Update 2007-09-25 wrote:The Sourcefire VRT is aware of vulnerabilities affecting Firefox, ClamAV and the Apache HTTP Server.

Details:
Firefox QuickTime Argument Injection (CVE-2007-5045):
A remote attacker may be able to execute commands via a QuickTime Media Link (QTL) file on systems using Firefox prior to version 2.0.7.

A rule to detect attacks targeting this vulnerability is included in this release and is identified as SID 12593.

ClamAV Command Execution (CVE-2007-4560):
The clamav-milter used in ClamAV prior to version 0.91.2 when run in black hole mode, may allow a remote attacker to execute commands via shell meta-characters.

A rule to detect attacks targeting this vulnerability is included in this release and is identified as SID 12592.

Apache HTTP Server Denial of Service (CVE-2007-1863):
The Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, is vulnerable to a Denial of Service (DoS) condition via a request using certain Cache-Control headers.

A rule to detect attacks targeting this vulnerability is included in this release and is identified as SID 12591.


Advisory:
A detailed advisory as well as a complete list of modified and deleted rules is available at:

http://www.snort.org/vrt/advisories/vrt ... 09-25.html

Download Rules:
These rules will be available to subscribers only until Thursday, October 25, 2007. Subscribers can download the rules at:

http://www.snort.org/pub-bin/downloads.cgi

If you would like to purchase a subscription, please visit:

http://www.snort.org/vrt/why_subscribe.html

or contact Sourcefire at 734.542.8540.

For more information:
For more information about Snort or this advisory, please contact Steve Kane from Sourcefire Product Management: steve.kane@sourcefire.com

VRT Certified Rules Update 2007-10-02

Postby wkitty42 » Wed Apr 02, 2008 11:22 pm

VRT Certified Rules Update 2007-10-02 wrote:The Sourcefire VRT is aware of a vulnerability in Computer Associates BrightStor ARCserve Backup for Laptops and Desktops.


Details:
Computer Associates BrightStor ARCserve buffer overflow (CVE-2007-5003):
Computer Associates BrightStor ARCserve Backup contains multiple errors that may allow a remote attacker to cause a buffer overflow condition to occur. The attacker may be presented with the opportunity to execute code on an affected host.

A rule to detect attacks targeting this vulnerability is included in this release and is identified as SID 12596.


Advisory:
A detailed advisory as well as a complete list of modified and deleted rules is available at:

http://www.snort.org/vrt/advisories/vrt ... 10-02.html

Download Rules:
These rules will be available to subscribers only until Thursday, November 1, 2007. Subscribers can download the rules at:

http://www.snort.org/pub-bin/downloads.cgi

If you would like to purchase a subscription, please visit:

http://www.snort.org/vrt/why_subscribe.html

or contact Sourcefire at 734.542.8540.

For more information:
For more information about Snort or this advisory, please contact Steve Kane from Sourcefire Product Management: steve.kane@sourcefire.com

VRT Certified Rules Update 1007-10-09

Postby wkitty42 » Wed Apr 02, 2008 11:23 pm

VRT Certified Rules Update 1007-10-09 wrote:The Sourcefire VRT is aware of multiple vulnerabilities affecting Microsoft products.


Details:
Microsoft Security Bulletin MS07-055:
Kodak Image Viewer contains a flaw that may allow a remote attacker to execute code via a specially crafted image file.

Rules to detect attacks targeting this vulnerability are included in this release and are identified as SIDs 12631 through 12634.

Microsoft Security Bulletin MS07-056:
Microsoft Outlook Express and Windows Mail for Vista contain a programming error that may allow a remote attacker to execute code on an affected host via an NNTP server response.

A shared object rule to detect attacks targeting this vulnerability is included in this release and is identified as GID 3 SID 12636.

Microsoft Security Bulletin MS07-057:
Microsoft Internet Explorer does not correctly handle errors encountered when handling file download queues. This may allow a remote attacker to execute code on a vulnerable host.

Previously released rules identified as SIDs 10504 and 10505 will generate events on attempts to exploit this vulnerability. Additionally, a rule to detect other attack vectors targeting this vulnerability is included in this release and is identified as SID 12630.

Microsoft Security Bulletin MS07-058:
Microsoft Windows systems using RPC may be vulnerable to a Denial of Service (DoS) condition that occurs when a malformed authentication request is transmitted to an affected host.

A rule to detect attacks targeting this vulnerability is included in this release and is identified as SID 12635.

Microsoft Security Bulletin MS07-059:
Microsoft Windows SharePoint Services and Microsoft Office SharePoint Server suffer from a programming error that may allow an attacker to execute code and escalate privileges on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified as SID 12629.


Advisory:
A detailed advisory as well as a complete list of modified and deleted rules is available at:

http://www.snort.org/vrt/advisories/vrt ... 10-09.html

Download Rules:
These rules will be available to subscribers only until Friday, November 9, 2007. Subscribers can download the rules at:

http://www.snort.org/pub-bin/downloads.cgi

If you would like to purchase a subscription, please visit:

http://www.snort.org/vrt/why_subscribe.html

or contact Sourcefire at 734.542.8540.

For more information:
For more information about Snort or this advisory, please contact Steve Kane from Sourcefire Product Management: steve.kane@sourcefire.com

VRT Certified Rules Update 2007-12-18

Postby wkitty42 » Wed Apr 02, 2008 11:24 pm

VRT Certified Rules Update 2007-12-18 wrote:The Sourcefire VRT is aware of a vulnerability affecting Samba and has updated coverage for MS07-068.


Details:
Samba Buffer Overflow (CVE-2007-2446):
Samba suffers from multiple buffer overflow conditions which may be exploited by a remote attacker via special MS-RPC requests. The attacker may be able to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified as SIDs 12984 through 13157.

Microsoft Security Bulletin (MS07-068):
Microsoft Windows Media Format Runtime suffers from a programming error that may allow a remote attacker to execute code on a vulnerable system via a malformed Advanced Systems Format (ASF) file.

Rules to detect attacks targeting this vulnerability are included in this release and are identified as SIDs 13158 through 13160.


Advisory:
A detailed advisory as well as a complete list of modified and deleted rules is available at:

http://www.snort.org/vrt/advisories/vrt ... 12-18.html

Download Rules:
These rules will be available only to subscribers until Thursday, January 17, 2008. Subscribers can download the rules at:

http://www.snort.org/pub-bin/downloads.cgi

If you would like to purchase a subscription, please visit:

http://www.snort.org/vrt/why_subscribe.html

or contact Sourcefire at 734.542.8540.

For more information:
For more information about Snort or this advisory, please contact Steve Kane from Sourcefire Product Management: steve.kane@sourcefire.com

VRT Certified Rules Update 2008-01-08

Postby wkitty42 » Wed Apr 02, 2008 11:25 pm

VRT Certified Rules Update 2008-01-08 wrote:The Sourcefire VRT is aware of vulnerabilities affecting hosts using the Microsoft Windows operating system.

Details:
Microsoft Security Bulletin (MS08-001):
The Microsoft Windows operating system contains a programming error that may allow a remote attacker to execute code on an affected system. It should be noted however, that the likelihood of this issue being actively exploited is minimal.

Shared object rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3 and SIDs 13287 and 13288.

Advisory:
A detailed advisory as well as a complete list of modified and deleted rules is available at:

http://www.snort.org/vrt/advisories/vrt-rules-2008-01-08.html

Download Rules:
These rules will be available only to subscribers until Thursday, February 7, 2008. Subscribers can download the rules at:

http://www.snort.org/pub-bin/downloads.cgi

IMPORTANT INFORMATION:
The structure of the "so_rules" directory inside the rule packages has changed. The following is a breakout of the new directory structure:

so_rules/
   src/
   precompiled/
         [distro]/
            [platform]/
                 [snort-version]>

Where:
[distro] is one of the following values:
  1. CentOS-4.6
  2. CentOS-5.1
  3. FC-5
  4. OSX-10.4
  5. ubuntu-6.01.1
[platform] is one of the following values:
  1. i386
[snort-version] is one of the following values:
  1. 2.6.1.5
  2. 2.7.0
  3. 2.8.0.1
There have been no changes to the src/ directory layout from previous packages.

The reason for this change is twofold. First, due to contract terms with some third-party research organizations, a small number of VRT certified rules will now only be delivered as binaries. This change applies only to SO rules. Non-SO rules will not be affected. Additionally, because of this change and to better serve the Snort community the VRT will pre-compile the "SO" rules so they are easier to use on the various platforms utilized by the Snort community and the VRT subscribers.

If your platform / distribution is not currently listed above, this does not mean these shared objects won't work on your platform. Numerous Linux distributions share common libc versions and it is possible that one of the above distributions and platforms will work on your system. If none of the above combinations work on your platform, please send a note to the snort-sigs mailing list so we can gauge the need for additional platforms and distributions to be added to the list of supported platforms.

If you would like to purchase a subscription, please visit:

http://www.snort.org/vrt/why_subscribe.html

or contact Sourcefire at 734.542.8540.

For more information:
For more information about Snort or this advisory, please contact Steve Kane from Sourcefire Product Management: steve.kane@sourcefire.com
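
Added example, not part of the forum post or the Sourcefire announcement: a shell helper that resolves the precompiled SO-rule directory in the `so_rules/precompiled/[distro]/[platform]/[snort-version]` layout described above and, when the local distro is not listed, reports the other distros' builds for the same platform and Snort version. The function names, the sample tree and the distro name `MyDistro-1.0` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pick a precompiled SO-rule directory out of an unpacked
# rule package laid out as
#   so_rules/precompiled/[distro]/[platform]/[snort-version]

# find_so_rules_dir ROOT DISTRO PLATFORM SNORT_VERSION
#   exit 0: prints the exact-match directory
#   exit 1: no exact match; prints "candidate: DIR" for every other distro
#           that ships the same platform and Snort version
#   exit 2: ROOT has no so_rules/precompiled tree
find_so_rules_dir() {
    fs_base="$1/so_rules/precompiled"
    if [ ! -d "$fs_base" ]; then
        echo "no so_rules/precompiled under $1" >&2
        return 2
    fi
    if [ -d "$fs_base/$2/$3/$4" ]; then
        printf '%s\n' "$fs_base/$2/$3/$4"
        return 0
    fi
    # No build for this distro: list builds from other distros that match
    # the platform and Snort version, since a shared libc may make them usable.
    for fs_dir in "$fs_base"/*/"$3"/"$4"; do
        if [ -d "$fs_dir" ]; then
            printf 'candidate: %s\n' "$fs_dir"
        fi
    done
    return 1
}

# make_sample_tree ROOT: constructed sample package for the demo, using
# distro, platform and version values listed in the announcement.
make_sample_tree() {
    for mt_distro in CentOS-4.6 CentOS-5.1 FC-5; do
        for mt_ver in 2.7.0 2.8.0.1; do
            mkdir -p "$1/so_rules/precompiled/$mt_distro/i386/$mt_ver"
        done
    done
    mkdir -p "$1/so_rules/src"
}

demo() {
    demo_root=$(mktemp -d) || return 1
    make_sample_tree "$demo_root"
    echo "exact match:"
    find_so_rules_dir "$demo_root" CentOS-5.1 i386 2.8.0.1 || true
    echo "unlisted distro (hypothetical name), same platform and version:"
    find_so_rules_dir "$demo_root" MyDistro-1.0 i386 2.8.0.1 || true
    rm -rf "$demo_root"
}
demo
```

A candidate directory is only a starting point: whether its shared objects load depends on the libc and Snort build on the sensor, so test it before relying on the GID 3 rules it provides.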

VRT Certified Rules Update 2008-01-10

Postby wkitty42 » Wed Apr 02, 2008 11:27 pm

VRT Certified Rules Update 2008-01-10 wrote:The Sourcefire VRT is aware of vulnerabilities affecting Samba, Skype and Apple QuickTime.

Details:
Samba Buffer Overflow (CVE-2007-6015):
A stack based buffer overflow condition is present in nmbd in certain versions of Samba. A remote attacker may be able to execute code on an affected system via a GETDC mailslot request.

A rule to detect attacks targeting this vulnerability is included in this release and is identified as SID 13291.

Skype Technologies Heap Corruption (CVE-2007-5989):
A programming error in the Skype URI handler may allow a remote attacker to cause memory corruption, which may lead to code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified as SID 13292.

Apple QuickTime Buffer Overflow (CVE-2007-4675):
Apple QuickTime does not perform adequate checks on user supplied data in QuickTime Virtual Reality movie files. A remote attacker may use this flaw to cause a buffer overflow and execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified as SID 13293.

This SEU also contains an updated UI component package.

Advisory:
A detailed advisory as well as a complete list of modified and deleted rules is available at:

http://www.snort.org/vrt/advisories/vrt-rules-2008-01-10.html

Download Rules:
These rules will be available only to subscribers until Saturday, February 9, 2008. Subscribers can download the rules at:

http://www.snort.org/pub-bin/downloads.cgi

If you would like to purchase a subscription, please visit:

http://www.snort.org/vrt/why_subscribe.html

or contact Sourcefire at 734.542.8540.

For more information:
For more information about Snort or this advisory, please contact Steve Kane from Sourcefire Product Management: steve.kane@sourcefire.com

VRT Certified Rules Update 2008-02-05

Postby wkitty42 » Wed Apr 02, 2008 11:28 pm

VRT Certified Rules Update 2008-02-05 wrote:The Sourcefire VRT is aware of multiple vulnerabilities affecting ActiveX controls and has expanded coverage for CVE-2007-2446.

Details:
Samba Buffer Overflow (CVE-2007-2446):
Samba is prone to multiple buffer overflow conditions that may allow a remote attacker to execute code on a vulnerable host.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified as SIDs 13367 through 13414.

Additional rules are included in this release to detect attacks targeting ActiveX controls from SwiftView and Facebook Photo Uploader.

Advisory:
A detailed advisory as well as a complete list of modified and deleted rules is available at:

http://www.snort.org/vrt/advisories/vrt-rules-2008-02-05.html

Download Rules:
These rules will be available only to subscribers until Thursday, March 6, 2008. Subscribers can download the rules at:

http://www.snort.org/pub-bin/downloads.cgi

If you would like to purchase a subscription, please visit:

http://www.snort.org/vrt/why_subscribe.html

or contact Sourcefire at 734.542.8540.

For more information:
For more information about Snort or this advisory, please contact Steve Kane from Sourcefire Product Management: steve.kane@sourcefire.com

VRT Certified Rules Update 2008-02-12

Postby wkitty42 » Wed Apr 02, 2008 11:29 pm

VRT Certified Rules Update 2008-02-12 wrote:The Sourcefire VRT is aware of multiple vulnerabilities affecting hosts using the Microsoft Windows operating system.

Details:
Microsoft Security Bulletin (MS08-004):
Hosts using the Microsoft Windows operating system may be vulnerable to a Denial of Service (DoS) attack. The problem lies in the processing of DHCP requests provided to a host system by a server.

A shared object rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3 and SID 13450.

Microsoft Security Bulletin (MS08-008):
A vulnerability in OLE Automation may present an attacker with the opportunity to execute code on an affected system via a specially crafted web page.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3 and SIDs 13457 through 13460 and SID 13474.

Microsoft Security Bulletin (MS08-009):
Microsoft Word contains a vulnerability that may allow an attacker to execute code on an affected host.

A shared object rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3 and SID 13469.

Microsoft Security Bulletin (MS08-010):
Microsoft Internet Explorer contains a number of memory corruption vulnerabilities that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3 and SIDs 13451 through 13456.

Microsoft Security Bulletin (MS08-011):
Microsoft Works File Converter contains vulnerabilities that may allow an attacker to execute code on an affected system via a specially crafted Works file.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3 and SIDs 13466 and 13472.

Microsoft Security Bulletin (MS08-012):
Microsoft Publisher contains two vulnerabilities that may allow a remote attacker to execute code on an affected system via specially crafted Publisher files.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3 and SIDs 13470 and 13471.

Advisory:
A detailed advisory as well as a complete list of modified and deleted rules is available at:

http://www.snort.org/vrt/advisories/vrt-rules-2008-02-12.html

Download Rules:
These rules will be available only to subscribers until Thursday, March 13, 2008. Subscribers can download the rules at:

http://www.snort.org/pub-bin/downloads.cgi

If you would like to purchase a subscription, please visit:

http://www.snort.org/vrt/why_subscribe.html

or contact Sourcefire at 734.542.8540.

For more information:
For more information about Snort or this advisory, please contact Steve Kane from Sourcefire Product Management: steve.kane@sourcefire.com

VRT Certified Rules Update 2008-03-04

Postby wkitty42 » Wed Apr 02, 2008 11:30 pm

VRT Certified Rules Update 2008-03-04 wrote:The Sourcefire VRT has added multiple rules in the spyware-put and web-client categories to provide coverage for emerging spyware and ActiveX control threats.

Details:
As a result of ongoing research, the Sourcefire VRT has added multiple rules to the spyware-put and web-client rule sets to provide coverage for emerging threats from these technologies.

Advisory:
A detailed advisory as well as a complete list of modified and deleted rules is available at:

http://www.snort.org/vrt/advisories/vrt-rules-2008-03-04.html

Download Rules:
These rules will be available only to subscribers until Thursday, April 3, 2008. Subscribers can download the rules at:

http://www.snort.org/pub-bin/downloads.cgi

If you would like to purchase a subscription, please visit:

http://www.snort.org/vrt/why_subscribe.html

or contact Sourcefire at 734.542.8540.

For more information:
For more information about Snort or this advisory, please contact Steve Kane from Sourcefire Product Management: steve.kane@sourcefire.com

VRT Certified Rules Update 2008-03-11

Postby wkitty42 » Wed Apr 02, 2008 11:31 pm

VRT Certified Rules Update 2008-03-11 wrote:The Sourcefire VRT is aware of multiple vulnerabilities affecting products from the Microsoft Corporation.

Details:
Microsoft Security Bulletin (MS08-014):
Microsoft Excel suffers from multiple vulnerabilities, the most serious of which may allow a remote attacker to execute code on a vulnerable system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 13569 through 13571 and 13582. Additional rules to detect attacks targeting these vulnerabilities are also in this release and are identified with GID 1 and SIDs 13583 through 13585.

Microsoft Security Bulletin (MS08-015):
Microsoft Outlook does not correctly handle user-supplied input to mailto URIs. This may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3 and SID 13573.

Microsoft Security Bulletin (MS08-016):
Microsoft Office does not correctly handle malformed PowerPoint files. This may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3 and SID 13572.

Microsoft Security Bulletin (MS08-017):
Microsoft Office Web Components suffer from multiple vulnerabilities that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3 and SIDs 13574 through 13581. Additionally, previously released rules will also detect attempts to attack these vulnerabilities and are identified with GID 1 and SIDs 4170, 4177, 7870, 7871 and 13468.

Advisory:
A detailed advisory as well as a complete list of modified and deleted rules is available at:

http://www.snort.org/vrt/advisories/vrt-rules-2008-03-11.html

Download Rules:
These rules will be available only to subscribers until Thursday, April 10, 2008. Subscribers can download the rules at:

http://www.snort.org/pub-bin/downloads.cgi

If you would like to purchase a subscription, please visit:

http://www.snort.org/vrt/why_subscribe.html

or contact Sourcefire at 734.542.8540.

For more information:
For more information about Snort or this advisory, please contact Steve Kane from Sourcefire Product Management: steve.kane@sourcefire.com

VRT Certified Rules Update 2008-04-02

Postby wkitty42 » Thu Apr 03, 2008 1:51 am

VRT Certified Rules Update 2008-04-02 wrote:The Sourcefire VRT has added multiple rules in the spyware-put and web-client categories to provide coverage for emerging spyware and ActiveX control threats.

Details:
As a result of ongoing research, the Sourcefire VRT has added multiple rules to the spyware-put and web-client rule sets to provide coverage for emerging threats from these technologies.

Advisory:
A detailed advisory as well as a complete list of modified and deleted rules is available at:

http://www.snort.org/vrt/advisories/vrt-rules-2008-04-02.html

Download Rules:
These rules will be available only to subscribers until Friday, May 2, 2008. Subscribers can download the rules at:

http://www.snort.org/pub-bin/downloads.cgi

If you would like to purchase a subscription, please visit:

http://www.snort.org/vrt/why_subscribe.html

or contact Sourcefire at 734.542.8540.

For more information:
For more information about Snort or this advisory, please contact Steve Kane from Sourcefire Product Management: steve.kane@sourcefire.com

VRT Certified Rules Update 2008-04-08

Postby wkitty42 » Wed Apr 09, 2008 12:12 pm

VRT Certified Rules Update 2008-04-08 wrote:The Sourcefire VRT is aware of multiple vulnerabilities affecting products from the Microsoft Corporation.

Details:
Microsoft Security Bulletin (MS08-019)
Microsoft Visio contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3 SID 13665.

Microsoft Security Bulletin (MS08-020)
A vulnerability in the Microsoft DNS client may allow a remote attacker to spoof DNS replies and redirect traffic away from the intended target.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3 SID 13667.

Microsoft Security Bulletin (MS08-021)
A vulnerability in Microsoft GDI may allow a remote attacker to execute code on a vulnerable system via specially crafted EMF or WMF files.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1 SID 13678, GID 3 SID 13676 and GID 3 SID 13666.

Microsoft Security Bulletin (MS08-022)
A vulnerability in the Microsoft VBScript and JScript scripting engines may allow a remote attacker to execute code on a vulnerable machine via a specially crafted file hosted on the Internet.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 13448 and 13449.

Microsoft Security Bulletin (MS08-023)
Microsoft Internet Explorer contains vulnerabilities that may allow the execution of code by a remote attacker via various ActiveX controls.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3 and SIDs 13668 through 13675.

Advisory:
A detailed advisory as well as a complete list of modified and deleted rules is available at:

http://www.snort.org/vrt/advisories/vrt-rules-2008-04-08.html

Download Rules:
These rules will be available only to subscribers until Thursday, May 8, 2008. Subscribers can download the rules at:

http://www.snort.org/pub-bin/downloads.cgi

If you would like to purchase a subscription, please visit:

http://www.snort.org/vrt/why_subscribe.html

or contact Sourcefire at 734.542.8540.

For more information:
For more information about Snort or this advisory, please contact Steve Kane from Sourcefire Product Management: steve.kane@sourcefire.com

Re: SNORT VRT Certified Rules Updates

Postby wkitty42 » Sun May 18, 2008 7:53 pm

VRT Certified Rules Update 2008-05-13 wrote:The Sourcefire VRT is aware of vulnerabilities affecting Microsoft Word and the Microsoft Jet Database Engine.

Details:
Microsoft Security Bulletin (MS08-026):
Microsoft Word contains a programming error that may allow a remote attacker to execute code on a vulnerable system. The problem occurs when Word parses a file that includes a malformed CSS value.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3 SID 13790.

Microsoft Security Bulletin (MS08-028):
The Microsoft Jet Database Engine contains a programming error that may allow a remote attacker to execute code on an affected system.

Previously released rules are able to detect attacks targeting this vulnerability and are identified with GID 3 and SIDs 13626, 13629, 13630 and 13633.

The Sourcefire VRT has also added multiple rules in the web-client and specific-threats categories to provide coverage for emerging threats.

Advisory:
A detailed advisory as well as a complete list of modified and deleted rules is available at:

http://www.snort.org/vrt/advisories/vrt-rules-2008-05-13.html

Download Rules:
These rules will be available only to subscribers until Thursday, June 12, 2008. Subscribers can download the rules at:

http://www.snort.org/pub-bin/downloads.cgi

If you would like to purchase a subscription, please visit:

http://www.snort.org/vrt/why_subscribe.html

or contact Sourcefire at 734.542.8540.

For more information:
For more information about Snort or this advisory, please contact Steve Kane from Sourcefire Product Management: steve.kane@sourcefire.com

VRT Certified Rules Update 2008-07-01

Postby wkitty42 » Sun Jul 06, 2008 8:20 pm

VRT Certified Rules Update 2008-07-01 wrote:The Sourcefire VRT has added multiple rules in the spyware-put and backdoor categories to provide coverage for emerging spyware and backdoor threats.

Details:
As a result of ongoing research, the Sourcefire VRT has added multiple rules to the spyware-put and backdoor rule sets to provide coverage for emerging threats from these technologies.

Advisory:
A detailed advisory as well as a complete list of modified and deleted rules is available at:

http://www.snort.org/vrt/advisories/vrt-rules-2008-07-01.html

Download Rules:
These rules will be available only to subscribers until Thursday, July 31, 2008. Subscribers can download the rules at:

http://www.snort.org/pub-bin/downloads.cgi

If you would like to purchase a subscription, please visit:

http://www.snort.org/vrt/why_subscribe.html

or contact Sourcefire at +1 734.542.8540.

For more information:
For more information about Snort or this advisory, please contact Steve Kane from Sourcefire Product Management: steve.kane@sourcefire.com

VRT Certified Rules Update 2008-07-08

Postby wkitty42 » Thu Jul 10, 2008 11:13 am

VRT Certified Rules Update 2008-07-08 wrote:The Sourcefire VRT is aware of multiple vulnerabilities affecting Microsoft products.

Details:
Microsoft Security Advisory (MS08-037):
Microsoft Windows DNS client and server are prone to a DNS spoofing vulnerability that may allow an attacker to redirect network traffic.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3 and SID 13887. In addition, a previously released rule will detect attacks targeting this vulnerability and is identified with GID 3 and SID 13667.

Microsoft Security Advisory (MS08-038):
Microsoft Windows Explorer does not correctly parse search files when saving. Explorer may exit and restart in an exploitable manner, allowing a remote attacker to execute code on an affected system in the context of the current user.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 13893 and 13911.

Microsoft Security Advisory (MS08-039):
Microsoft Outlook Web Access for Exchange Server is vulnerable to a cross site scripting attack that may allow remote attackers to escalate their level of privilege on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 13894 and 13895.

Microsoft Security Advisory (MS08-040):
Microsoft SQL Server contains multiple vulnerabilities that may allow an attacker to escalate their level of privilege on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 13888 through 13892.

Advisory:
A detailed advisory as well as a complete list of modified and deleted rules is available at:

http://www.snort.org/vrt/advisories/vrt-rules-2008-07-08.html

Download Rules:
These rules will be available only to subscribers until Thursday, August 7, 2008. Subscribers can download the rules at:

http://www.snort.org/pub-bin/downloads.cgi

If you would like to purchase a subscription, please visit:

http://www.snort.org/vrt/why_subscribe.html

or contact Sourcefire at +1 734.542.8540.

For more information:
For more information about Snort or this advisory, please contact Steve Kane from Sourcefire Product Management: steve.kane@sourcefire.com

Sourcefire VRT Certified Snort Rules Update 2008-10-14

Postby wkitty42 » Thu Oct 16, 2008 12:10 am

Sourcefire VRT Certified Snort Rules Update 2008-10-14 wrote:The Sourcefire VRT is aware of multiple vulnerabilities affecting Microsoft products.

Details:
Microsoft Security Advisory MS08-057
Microsoft Excel contains multiple vulnerabilities that may allow a remote attacker to execute code on a vulnerable system.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 14641, 14642 and 14645.

Microsoft Security Advisory MS08-058
Microsoft Internet Explorer contains multiple vulnerabilities, the most serious of which may allow a remote attacker to execute code on a vulnerable system. It is also vulnerable to cross domain and cross site scripting attacks.
Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 14643, 14644, 14645, 14656 and 14657.

Microsoft Security Advisory MS08-059
The Microsoft Host Integration Server contains a vulnerability that may allow a remote unauthenticated attacker to execute code on a vulnerable system.
Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 14737 through 14740.

Microsoft Security Advisory MS08-060
Microsoft Windows 2000 Server contains a vulnerability that is exposed when LDAP queries are processed. This may allow a remote unauthenticated attacker to execute code on a vulnerable system.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 14646.

Microsoft Security Advisory MS08-062
Microsoft Internet Printing Protocol contains a vulnerability that may allow a remote unauthenticated attacker to execute code on a vulnerable system.
Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 14661 through 14724.

Microsoft Security Advisory MS08-063
The Microsoft implementation of the Server Message Block (SMB) protocol contains a programming error that may allow a remote attacker to execute code on an affected system.
Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 14647 through 14654.

Microsoft Security Advisory MS08-065
The Microsoft Message Queuing RPC service contains a vulnerability that may allow a remote attacker to execute code on an affected system.
Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 14725 through 14736.

Advisory:
A detailed advisory as well as a complete list of new and modified rules is available at: http://www.snort.org/vrt/advisories/vrt-rules-2008-10-14.html

Download Rules:
These rules will be available only to subscribers until Thursday, November 13, 2008. Subscribers can download the rules at: http://www.snort.org/pub-bin/downloads.cgi
If you would like to purchase a subscription, please visit: http://www.snort.org/vrt/why_subscribe.html or contact Sourcefire at +1 (866) 505-9113 or +1 (703) 743-6550.

For more information:
For more information about Snort or this advisory, please contact Sourcefire at vrtrules@sourcefire.com.

Sourcefire VRT Certified Snort Rules Update 2008-11-11

Postby wkitty42 » Wed Dec 17, 2008 1:23 am

Sourcefire VRT Certified Snort Rules Update 2008-11-11 wrote:On Tuesday, November 11, the Sourcefire VRT released an updated Snort Rule Pack providing detection for the vulnerabilities disclosed in Microsoft Security Advisories MS08-068 and MS08-069.

  • Microsoft Security Bulletin MS08-068 – Vulnerability in Microsoft Server Message Block (SMB) Protocol could allow remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.
  • Microsoft Security Bulletin MS08-069 – Multiple vulnerabilities exist in Microsoft XML Core Services, the most serious of which could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.

The VRT Advisory is available at: http://www.snort.org/vrt/advisories/vrt-rules-2008-11-11.html.

A list of new and updated rules is available at: http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2008-11-11.html.

As a member of the Microsoft MAPP program, the Sourcefire VRT is the only source of Snort rules that receives advance notification of Microsoft Vulnerability Information. This program enables the VRT to lead the IPS industry in delivering same day protection for vulnerabilities disclosed in Microsoft Security Advisories.

Sourcefire VRT Certified Rules updates are available immediately to subscribers. Registered users of http://www.snort.org can access VRT rules updates 30 days after their initial release.

For more information on the Sourcefire VRT or information on a subscription, please visit: http://www.snort.org/vrt/why_subscribe.html.

Sourcefire VRT Certified Snort Rules Update 2008-12-09

Postby wkitty42 » Wed Dec 17, 2008 1:24 am

Sourcefire VRT Certified Snort Rules Update 2008-12-09 wrote:On Tuesday, December 9, the Sourcefire VRT released an updated Snort Rule Pack providing detection for the vulnerabilities disclosed in Microsoft Security Advisories MS08-071, MS08-072, MS08-073, MS08-074, MS08-75, MS08-076 and MS08-77.

The VRT Advisory is available at: http://www.snort.org/vrt/advisories/vrt-rules-2008-12-09.html.

A list of new and updated rules is available at: http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2008-12-09.html.

As a member of the Microsoft MAPP program, the Sourcefire VRT is the only source of Snort rules that receives advance notification of Microsoft Vulnerability Information. This program enables the VRT to lead the IPS industry in delivering same day protection for vulnerabilities disclosed in Microsoft Security Advisories.

Sourcefire VRT Certified Rules updates are available immediately to subscribers. Registered users of http://www.snort.org can access VRT rules updates 30 days after their initial release.

For more information on the Sourcefire VRT or information on a subscription, please visit: http://www.snort.org/vrt/why_subscribe.html.
