Cisco Intrusion Prevention System Signature Update S407
June 09, 2009

Copyright (C) 1999-2009 Cisco Systems, Inc. All rights reserved. Printed in the USA.

Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their registered owners.

========================================================================
Table Of Contents
========================================================================

S407 SIGNATURE UPDATE DETAILS
  - NEW SIGNATURES
  - TUNED SIGNATURES
  - CAVEATS
  - RESOLVED CAVEATS

IMPORTANT NOTES
  - E3 ENGINE UPDATE REQUIRED FOR SIGNATURE UPDATES S366 AND LATER

IPS 5.X AND 6.X SENSOR SIGNATURE UPDATE INSTRUCTIONS
  - TARGET PLATFORMS AND REQUIRED VERSIONS
  - INSTALLATION
  - UNINSTALLATION
  - CAVEATS

CSM/ IPSMC SIGNATURE UPDATE INSTRUCTIONS
  - CSM VERSION 3.1 AND ABOVE
      - INSTALLATION
      - UNINSTALLATION
      - CAVEATS
  - CSM VERSION 3.0/ IPS MC
      - INSTALLATION
      - UNINSTALLATION
      - CAVEATS

S339-S406 SIGNATURE UPDATE DETAILS
  - NEW FEATURES
  - NEW SIGNATURES
  - TUNED SIGNATURES/RESOLVED CAVEATS
  - CAVEATS

========================================================================

=================================================================================================
S407 SIGNATURE UPDATE DETAILS
=================================================================================================

NEW SIGNATURES

SIGID     SIGNAME                                                        ENGINE        SEVERITY  ENABLED
18418.0   Microsoft Office Remote Code Execution                         string-tcp    high      true
18419.0   Microsoft Office Excel Remote Code Execution                   string-tcp    high      true
18420.0   Microsoft Office Excel Remote Code Execution                   string-tcp    high      true
18421.0   Microsoft Office Excel Remote Code Execution                   string-tcp    high      true
18437.0   Microsoft Office Excel Remote Code Execution                   string-tcp    high      true
18438.0   Microsoft Office Excel Remote Code Execution                   string-tcp    high      true
18441.0   Microsoft Office Excel Remote Code Execution                   string-tcp    high      true
18457.0   Microsoft Internet Explorer Cross Domain Information Leak      string-tcp    high      true
18458.0   Microsoft Internet Explorer Zone Restriction Bypass            string-tcp    high      true
18459.0   Microsoft Internet Explorer Remote Code Execution              string-tcp    high      true
18460.0   Microsoft Internet Explorer Memory Corruption Vulnerability    string-tcp    high      true
18461.0   Microsoft Internet Explorer Remote Code Execution Vulnerability string-tcp   high      true
18462.0   Microsoft Internet Explorer Remote Code Execution Vulnerability string-tcp   high      true
18463.0   Microsoft Internet Explorer Memory Corruption Vulnerability    string-tcp    high      true
18464.0   Microsoft Internet Explorer Memory Corruption Vulnerability    string-tcp    high      true
18559.0   Microsoft Word Remote Code Execution Vulnerability             string-tcp    high      true
18560.0   Microsoft Word Memory Corruption Condition                     string-tcp    high      true
18600.0   Active Directory Invalid Free Vulnerability                    string-tcp    high      true
18619.0   Active Directory Memory Leak Vulnerability                     string-tcp    high      true
18624.0   Microsoft Office Excel Remote Code Execution                   string-tcp    high      true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
IMPORTANT NOTES
=================================================================================================

E3 ENGINE UPDATE REQUIRED FOR SIGNATURE UPDATES S366 AND LATER

Beginning with S366, all signature updates will require that your sensors be updated with the E3 engine update. Engine and Signature Updates can be downloaded automatically using Cisco Security Manager (CSM) or by sensors running IPS Version 6.1(1) or later. Sensors running IPS Version 6.1(1) or later that have been configured for automatic updates from cisco.com will automatically be updated with E3.

The updates can also be downloaded manually from the following locations:

IPS Version 6.x: http://www.cisco.com/cgi-bin/tablebuild.pl/ips6
IPS Version 5.1: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5

NOTE: You must have an active Cisco Service for IPS contract to download this software.
Please consult the table below for recommendations on upgrade paths:

Installed Release          Recommended Update
---------------------------------------------
5.1(8)E2 or earlier        5.1(8)E3
6.0(5)E2 or earlier        6.0(5)E3
6.1(1)E2 or earlier        6.1(1)E3 or 6.2(1)E3

Warning: Beginning with S366, signature updates will only be released for E3-level sensor software releases. These include: 5.1(8)E3, 6.0(5)E3, 6.1(1)E3, and 6.2(1)E3. Your sensors MUST be on one of these releases to receive further signature updates.

For more details regarding the E3 engine update, please refer to the readme files available at the download links listed above.

Please note that there is a 60-day grace period after a service pack or minor release during which any engine updates will be released for both the current and previous release. After 60 days, only the current release will receive an engine update. Customers who choose to remain on an older release will be required to update to the latest service pack in order to maintain up-to-date protection.

For more information on supported versions, see:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_bulletin0900aecd80365daa.html

========================================================================
IPS 5.X AND 6.X SENSOR SIGNATURE UPDATE INSTRUCTIONS
========================================================================

TARGET PLATFORMS AND REQUIRED VERSIONS

------------------------------------------------------------------------
Note: Beginning with S366, signature updates have a minimum required Engine update level of E3. You must be running the E3 engine update to install signature update S368 or later. The E3 engine update is supported on sensors running IPS versions 5.1(8), 6.0(5), 6.1(1) or 6.2(1).
------------------------------------------------------------------------
Note2: The S365 signature update has been packaged into the E3 engine update and will not be released as a separate signature update.
------------------------------------------------------------------------
Note3: All signature updates are cumulative. The S407 signature update contains all previously released signature updates. This signature update may contain signatures that include protected parameters. A protected value is not visible to the user.
----------------------------------------------------------------------

The IPS-sig-S407-req-E3.pkg upgrade file can be applied to the following sensor platforms:

- IPS-42xx Cisco Intrusion Prevention System (IPS) sensors
- IDS-42xx Cisco Intrusion Detection System (IDS) sensors (except the IDS-4220 and IDS-4230)
- WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2)
- NM-CIDS IDS Network Module for Cisco 26xx, 3680, and 37xx Router Families
- ASA-SSM-10 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- ASA-SSM-20 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- ASA-SSM-40 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- AIM-IPS Cisco Advanced Integration Module for ISR Routers

The sensor must be running engine update version E3 before you can apply this signature update. To determine the current sensor version, log in to the CLI and type the following command at the prompt:

    show version

INSTALLATION

------------------------------------------------------------------------
Note: Signature updates may take a while to install depending on the sensor's upgrade history, configuration, and the amount of traffic the sensor is processing. The AIM-IPS, for example, has taken up to 40 minutes to update during testing. Please do not reboot the sensor while the signature update is installing, as the sensor may be left in an unknown state requiring it to be reimaged.
------------------------------------------------------------------------
------------------------------------------------------------------------
Note: Before installing a new signature update, it is highly recommended that you back up your configuration file to a remote system. For details, refer to the Copy command section in the applicable Command Reference Guide located at the following URLs:

IPS Version 6.1: http://www.cisco.com/en/US/docs/security/ips/6.1/command/reference/crCmds.html#wp458440
IPS Version 6.0: http://www.cisco.com/en/US/docs/security/ips/6.0/command/reference/crCmds.html#wp458440
IPS Version 5.1: http://www.cisco.com/en/US/docs/security/ips/5.1/command/reference/crCmds.html#wp458440
------------------------------------------------------------------------

WARNING: DO NOT REBOOT THE SENSOR DURING THE INSTALLATION PROCESS. Doing so will leave the sensor in an unknown state and may require that the sensor be re-imaged.

To install the S407 signature update:

1. Download the binary file IPS-sig-S407-req-E3.pkg to an ftp, scp, http, or https server on your network from:
   http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

   CAUTION: You must preserve the original file name.

2. Log in to the IPS CLI using an account with administrator privileges.

3. Type the following command to enter Configuration mode:

       configure terminal

4. Execute the upgrade command by typing the following:

       upgrade [URL]/IPS-sig-S407-req-E3.pkg

   where [URL] is the uniform resource locator pointing to where the signature update package is located. For example, to retrieve the update via FTP, type the following:

       upgrade ftp://username@ip-address//directory/IPS-sig-S407-req-E3.pkg

   The available transport methods are: SCP, FTP, HTTP, or HTTPS.

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

UNINSTALLATION

To uninstall the version S407 signature update and return the sensor to its previous state, follow these steps:

1. Log in to the CLI using an account with administrator privileges.

2. Type the following command to enter Configuration mode:

       configure terminal

3. Type the following command to start the downgrade:

       downgrade

------------------------------------------------------------------------
Note: The downgrade may take a long time to complete depending on the configuration of the sensor and the amount of traffic the sensor is processing. Please do not reboot the sensor while the downgrade is in progress, as the sensor may be left in an unknown state requiring the sensor to be reimaged.
------------------------------------------------------------------------

========================================================================
CSM/ IPS MC SIGNATURE UPDATE INSTRUCTIONS
========================================================================

The IPS-CS-MGR-sig-S340-req-E2.zip and later signature update files which require the E2 update have been tested for all platforms with CSM 3.2 SP2 or later. For pushing E2-based signature update files to the AIM IPS platform, CSM 3.2 SP2 is required at a minimum, since it has E2-specific fixes for AIM IPS.

The E3 Engine Update packages for sensors are deployed automatically the first time a signature set that requires E3 is deployed by CSM. If the target sensor is already running E3, the signature update will be applied directly without deploying the E3 package. E3 updates are not listed or available for selection in the Apply Update Wizard and cannot be applied independently by CSM. To ensure that the E3 update is applied to your sensors, please ensure that you push signature update S365 or later to your sensors.

------------------------------------------------------------------------
Note: Beginning with S366, signature updates have a minimum required Engine update level of E3. You must be running the E3 engine update to install signature update S366 or later. The E3 engine update is supported on sensors running IPS versions 5.1(8), 6.0(5), 6.1(1) or 6.2(1).
------------------------------------------------------------------------
Note2: The S365 signature update has been packaged into the E2 engine update and will not be released as a separate signature update.
------------------------------------------------------------------------

-------------------------
CSM VERSION 3.1 AND ABOVE
-------------------------

INSTALLATION

For Automating IPS Update Tasks, please refer to the following:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/defapset.html#wpxref37046

For setting up the Updates Server in CSM 3.1 and above, please refer to the following:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/defapset.html#wp1333602

To manually install the version S407 signature update on CSM 3.1 and above, follow these steps:

1. Start the Cisco Security Manager client.
2. Click Tools > Apply IPS Update to open the Apply IPS Update wizard.
3. Click Download Latest Updates.
4. (pre-CSM 3.2 only) Click the Start button to start downloading the latest updates.
5. Close the popup when the download is complete.
6. On the first page of the wizard, select the update that you want to apply, then click Next to continue.
7. On the second page of the wizard, select the devices (local policies) and/or shared policies you want to update.
8. Click Finish to apply your update to the policies.
9. Submit & Deploy your changes to the devices.
UNINSTALLATION

To uninstall a signature update that was installed using CSM 3.1 and above, follow the IPS rollback instructions listed in the Configuration Archive section of the CSM 3.1 User Guide documentation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/adman.html#wp1075918

Please also refer to the section Understanding Rollback for IPS and IOS IPS of the CSM 3.1 User Guide documentation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/adman.html#wp1098793

CAVEATS

None.

-------------------------
CSM VERSION 3.0/ IPS MC
-------------------------

INSTALLATION

To install the version S407 signature update on CSM 3.0 or IPS MC, follow these steps:

1. Download the appropriate signature update ZIP file to the /MDC/etc/ids/updates directory on the server where you have installed CSM/ IPS MC from the following website:
   http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids
2. Start IPS MC from the CiscoWorks Server desktop.
3. Select Configuration > Updates.
4. In the TOC, select Update Network IDS/IPS Signatures.
5. In the TOC, select Submit.
6. Select a file from the Update File list box and click Apply.
7. Select the sensor(s) you want to update and click Next.
8. Enter a Job Name (optional) and select the Schedule Type: Immediate or Scheduled. If Scheduled is selected, set the start time of the update.
9. Click Next to continue.
10. Verify that the Summary is correct. Use the Back button to correct an incorrect entry.
11. Click Finish. Check the progress viewer to track the installation of the signature update to the sensor.

UNINSTALLATION

To uninstall a signature update that was installed using CSM 3.0 or IPS MC, follow the uninstallation instructions listed in the IPS 5.X AND 6.X SENSOR SIGNATURE UPDATE INSTRUCTIONS section of this document.

CAVEATS

None.
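The sensor instructions above state three preconditions that are easy to get wrong when staging the package: the file name IPS-sig-S407-req-E3.pkg must be preserved, the sensor must already be at engine level E3, and only the releases listed in IMPORTANT NOTES receive S366 and later. The following Python script is an added example (not Cisco's code and not part of this readme) that checks those preconditions before anyone types the upgrade command. It assumes the package name follows the IPS-sig-S<level>-req-E<engine>.pkg pattern seen in this document and that the version string copied from show version has the form 6.1(1)E3; the optional installed_sig guard against re-applying an equal or older level is the example's own addition.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# From IMPORTANT NOTES above: releases that receive S366+ signature updates, and
# the recommended upgrade for sensors still on E2 or earlier.
E3_RELEASES = ("5.1(8)", "6.0(5)", "6.1(1)", "6.2(1)")
RECOMMENDED_UPDATE = {
    "5.1(8)": "5.1(8)E3",
    "6.0(5)": "6.0(5)E3",
    "6.1(1)": "6.1(1)E3 or 6.2(1)E3",
}

# Package names in this readme follow IPS-sig-S<level>-req-E<engine>.pkg.
PACKAGE_NAME = re.compile(r"^IPS-sig-S(\d+)-req-E(\d+)\.pkg$")
# Assumed form of the version string reported by 'show version', e.g. 6.1(1)E3.
SENSOR_VERSION = re.compile(r"^(\d+\.\d+\(\d+\))E(\d+)$")


@dataclass
class PreflightResult:
    ok: bool
    reason: str


def parse_package_name(filename: str) -> Optional[Tuple[int, int]]:
    """Return (signature level, required engine level), or None if the name was altered."""
    m = PACKAGE_NAME.match(filename)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_sensor_version(version: str) -> Optional[Tuple[str, int]]:
    """Return (release, engine level), e.g. ('6.1(1)', 3)."""
    m = SENSOR_VERSION.match(version.strip())
    return (m.group(1), int(m.group(2))) if m else None


def preflight(filename: str, sensor_version: str,
              installed_sig: Optional[int] = None) -> PreflightResult:
    """Check the page's preconditions in the order an operator hits them."""
    pkg = parse_package_name(filename)
    if pkg is None:  # e.g. a browser renamed it to 'IPS-sig-S407-req-E3 (1).pkg'
        return PreflightResult(False, f"{filename!r} is not the original package name; "
                                      "the upgrade command needs the file name preserved")
    sig_level, required_engine = pkg

    ver = parse_sensor_version(sensor_version)
    if ver is None:
        return PreflightResult(False, f"cannot parse sensor version {sensor_version!r}")
    release, engine = ver

    if engine < required_engine:
        hint = RECOMMENDED_UPDATE.get(release, f"an E{required_engine} release")
        return PreflightResult(False, f"sensor is on {release}E{engine} but S{sig_level} "
                                      f"requires E{required_engine}; install {hint} first")
    if release not in E3_RELEASES:
        return PreflightResult(False, f"release {release} is not one of {', '.join(E3_RELEASES)}, "
                                      "the only releases receiving S366 and later")
    if installed_sig is not None and installed_sig >= sig_level:
        return PreflightResult(False, f"sensor already runs S{installed_sig}; "
                                      f"S{sig_level} is not newer")
    return PreflightResult(True, f"S{sig_level} can be applied to {release}E{engine}")


if __name__ == "__main__":
    # Constructed inputs: a good sensor, an E2 sensor, and a renamed download.
    for fname, ver in [("IPS-sig-S407-req-E3.pkg", "6.1(1)E3"),
                       ("IPS-sig-S407-req-E3.pkg", "6.0(5)E2"),
                       ("IPS-sig-S407-req-E3 (1).pkg", "6.1(1)E3")]:
        result = preflight(fname, ver)
        print("OK  " if result.ok else "FAIL", result.reason)
```

The file-name check runs first because it is the one failure that surfaces only after the upgrade command is issued on the sensor; the engine-level and release checks map directly onto the upgrade-path table in IMPORTANT NOTES, so the refusal message names the update to apply instead.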
=================================================================================================
S406 SIGNATURE UPDATE DETAILS
=================================================================================================

NEW SIGNATURES

SIGID     SIGNAME                                                                    ENGINE        SEVERITY  ENABLED
5547.1    SMB File Name Overflow                                                     string-tcp    high      true
6086.0    Windows Graphics Rendering Engine Buffer Overflow                          string-tcp    high      false
6088.0    Windows Compressed Folders Buffer Overflow                                 string-tcp    high      false
6089.0    PHP memory_limit Vulnerability                                             string-tcp    high      false
6090.0    Libpng Chunk Length Buffer Overflow                                        string-tcp    high      false
6205.0    NetBackup Vmd Buffer Overflow                                              string-tcp    high      false
6207.0    FreeBSD nfsd Request Denial of Service                                     string-tcp    medium    false
6208.0    NetBackup Volume Manager Buffer Overflow                                   string-tcp    high      false
6209.0    NetBackup Vnetd Buffer Overflow                                            string-tcp    high      false
6212.0    IE HTML Tag Memory Corruption                                              string-tcp    high      false
6213.0    Firefox JavaScript Focus Buffer Overflow                                   string-tcp    high      false
6214.0    LibTIFF TIFFFetchData Integer Overflow                                     string-tcp    high      false
6215.0    Novell Print Services Integer Overflow                                     string-tcp    high      false
6216.0    EMC Retrospect Client Buffer Overflow                                      string-tcp    high      false
6239.0    Apple QuickTime RTSP Long URL                                              string-tcp    high      false
6432.0    Subversion svn Protocol String Parsing Vulnerability                       string-tcp    high      false
6446.0    Adobe Acrobat Reader eBook plug-in Format String Vulnerability             string-tcp    high      false
7304.1    Microsoft Word File Parsing Overflow                                       string-tcp    high      false
16039.0   Adobe Invalid BMP Header Buffer Overflow                                   string-tcp    high      false
16913.0   Mozilla Firefox IFrame Style Change Handling Code Execution                string-tcp    high      false
16914.0   MySQL MaxDB Webtool GET Command Buffer Overflow Vulnerability              service-http  high      false
17037.0   Macrovision InstallShield Update Service isusweb.dll Remote Buffer Overflow string-tcp   high      false
17245.0   Squid HTTP Version Number DoS                                              service-http  medium    false

TUNED SIGNATURES

SIGID     SIGNAME                                                                    ENGINE        SEVERITY  ENABLED
6143.0    Borland Interbase Database Service Create-Request Buffer Overflow          string-tcp    high      false

CAVEATS

None.
Modified signature(s) detail:

6143-0

=================================================================================================
S405 SIGNATURE UPDATE DETAILS
=================================================================================================

NEW SIGNATURES

SIGID     SIGNAME                                                                    ENGINE              SEVERITY  ENABLED
5490.1    Firefox JavaScript IFRAME Exploitation                                     string-tcp          high      false
5935.0    Quicktime FlipFileTypeAtom_BtoN Underflow                                  string-tcp          high      false
5944.0    eTrust IDS Encryption Key DoS                                              string-tcp          medium    false
5952.0    WordPerfect Importer/Exporter Heap Overflow                                string-tcp          high      false
5955.0    QuickTime udta Buffer Overflow                                             string-tcp          high      false
5957.0    QuickTime Heap Corruption                                                  string-tcp          high      false
5960.0    Mozilla Regular Expressions Heap Corruption                                string-tcp          high      false
5973.0    Publisher Font Overflow                                                    string-tcp          high      false
6071.0    Oracle Database Server XDB.DBMS_XMLSCHEMA Buffer Overflow                  string-tcp          high      false
6073.0    Visual Studio Crystal Reports RPT File Code Execution                      string-tcp          high      false
6092.0    Qt BMP Buffer Overflow                                                     string-tcp          high      false
6450.0    pcAnywhere Buffer Overflow                                                 string-tcp          medium    false
17286.0   Long IMAP UNSUBSCRIBE Command                                              string-tcp          high      false
17359.0   PhpBB XS phpbb_root_path File Include                                      service-http        high      false
17364.0   CCRP Folder Treeview ActiveX DoS                                           string-tcp          medium    false
17433.0   IE FolderItem Object Access DoS                                            string-tcp          medium    false
17781.0   IPSwitch WS_FTP Logging Server Remote DoS                                  atomic-ip           medium    false
17797.1   Apache Tomcat URL Information Disclosure                                   service-http        high      false
17818.0   Ipswitch Imail STATUS Buffer Overflow                                      string-tcp          high      false
18037.0   Office Malformed PNG File Code Execution                                   string-tcp          high      false
18077.0   CA Brightstore Backup RPC Server DoS                                       atomic-ip-advanced  medium    false
18078.0   Windows Explorer WMF File DoS                                              string-tcp          medium    false
18097.0   C6 Messenger URL Downloader File Download                                  string-tcp          high      false
18123.0   NetBackup Volume Manager Daemon Overflow                                   string-tcp          high      false

TUNED SIGNATURES

SIGID     SIGNAME                                                                    ENGINE                SEVERITY  ENABLED
5400.0    Beagle.B (Bagle.B) Web Beacon                                              service-http          high      false
5498.0    Media Player IE Zone Bypass                                                meta                  medium    false
5760.0    Novell GroupWise Messenger Accept-Language Value Overflow                  service-http          high      false
5766.0    DNS Resolution Response Code Execution                                     atomic-ip             high      true
5843.0    CA BrightStor Tape Engine Overflow                                         service-msrpc         high      true
5921.0    Apple Quicktime Color Table Overflow                                       string-tcp            high      true
6131.2    Microsoft Plug and Play Overflow                                           meta                  high      true
6131.5    Microsoft Plug and Play Overflow                                           meta                  high      true
6131.7    Microsoft Plug and Play Overflow                                           meta                  high      true
6131.10   Microsoft Plug and Play Overflow                                           service-smb-advanced  high      true
6131.11   Microsoft Plug and Play Overflow                                           service-smb-advanced  high      true
6178.0    SIP Message DoS                                                            atomic-ip             high      true
6258.0    Microsoft IE HTML Rendering Memory Corruption                              string-tcp            high      true
6259.0    HP Linux Printing And Imaging hpssd Command Injection                      string-tcp            high      true
6264.0    Excel Malformed Header                                                     string-tcp            high      true
6265.0    Microsoft Jet Database Engine Buffer Overflow                              string-tcp            high      true
6266.0    Excel Malformed Header                                                     string-tcp            high      true
6270.0    HP OpenView Network Node Manager Integer Overflow                          string-tcp            high      true
6274.0    McAfee ePolicy Orchestrator Format String                                  atomic-ip             high      true
6412.0    Malformed BGP Message                                                      atomic-ip             high      true
6505.1    Trinoo Client Request                                                      atomic-ip             medium    false
6527.0    Microsoft Publisher Invalid Memory Reference RCE                           string-tcp            high      true
6530.0    SynCE Command Injection                                                    string-tcp            high      true
6533.0    Computer Associates BrightStor ARCserve Backup Discovery Service           string-tcp            high      true
6768.0    Samba WINS Remote Code Execution Vulnerability                             meta                  high      true
6794.0    CA BrightStor ARCserve Backup Listservcntrl ActiveX Overflow               meta                  high      true

CAVEATS

None.

Modified signature(s) detail:

Signatures 5400-0, 5498-0, 5760-0, and 6505-1 have been retired due to age.

Signatures 5766-0, 5843-0, 5921-0, 6131-2, 6131-5, 6131-7, 6131-10, 6131-11, 6178-0, 6258-0, 6259-0, 6264-0, 6265-0, 6266-0, 6270-0, 6274-0, 6412-0, 6527-0, 6530-0, 6533-0, 6768-0, and 6794-0 have had their SFR and/or severity increased due to positive field performance.
Signature 6794-0 has had its "all components required" setting configured to yes.

=================================================================================================
S404 SIGNATURE UPDATE DETAILS
=================================================================================================

NEW SIGNATURES

SIGID     SIGNAME                                                                    ENGINE        SEVERITY  ENABLED
5403.1    OpenSSL SSL/TLS Malformed Handshake DoS                                    string-tcp    high      false
5937.0    Oracle Database SUBSCRIPTION_NAME Parameter SQL Injection                  string-tcp    medium    false
5938.0    Oracle Database sys.pbsde.init Procedure Buffer Overflow                   string-tcp    high      false
5963.0    Kerberos V5 Principal Name Buffer Overflow                                 atomic-ip     high      false
5966.0    Symantec Veritas NetBackup Server bpcd Long Request Buffer Overflow        string-tcp    high      false
5967.0    Symantec Veritas NetBackup CONNECT_OPTIONS Request Buffer Overflow         string-tcp    high      false
5974.0    Oracle Database Server SDO_CS.TRANSFORM_LAYER Buffer Overflow              string-tcp    high      false
5975.0    Microsoft Windows Media Player ASX Playlist Parsing Buffer Overflow        string-tcp    high      false
5978.0    MailEnable SMTP Service SPF Lookup Buffer Overflow                         string-tcp    medium    false
5987.0    Mozilla Products SVG layout vulnerability                                  string-tcp    medium    false
5998.0    SYS.KUPW-WORKER Package MAIN Procedure SQL Injection Attempt               string-tcp    medium    false
6039.0    DOMNodeRemoved Mutation Memory Corruption                                  string-tcp    medium    false
6040.0    Symantec Scan Engine Authentication Bypass                                 string-tcp    medium    false
6041.0    Mozilla Firefox CSS Letter-Spacing Heap Overflow                           string-tcp    high      false
6095.0    Apache apr-util IPv6 URI Parsing Vulnerability                             service-http  high      false
6138.0    Non-ASCII Hostname                                                         string-tcp    high      false
6139.0    Malicious BMP File                                                         string-tcp    high      false
6140.0    Squid ASN.1 Header Parsing Denial of Service                               atomic-ip     medium    false
6162.0    Ipswitch IMail Server Date String Overflow                                 string-tcp    high      false
6164.0    Microsoft Word Document Parsing Buffer Overflow                            string-tcp    high      false
6172.0    Novell eDirectory evtFilteredMonitorEventsRequest Function                 string-tcp    high      false
6244.0    Microsoft Windows SNMP Service Memory Corruption                           atomic-ip     high      false
6417.0    JavaScript Navigator Object Memory Corruption                              string-tcp    high      false
6418.0    Apache HTTP Server mod_rewrite Module LDAP Scheme Handling Buffer Overflow string-tcp    high      false
6419.0    Oracle Database dbms_assert Filter Bypass Vulnerability                    string-tcp    high      false
6420.0    Microsoft Office Malformed GIF File Processing Code Execution              string-tcp    high      false
6422.0    Microsoft ASP.NET Application Folder Information Disclosure                service-http  medium    false
6423.0    Microsoft XML Core Services Integer Overflow                               string-tcp    high      false
6427.0    zlib Denial of Service                                                     string-tcp    medium    false
6436.0    Citrix Program Neighborhood Agent Buffer Overflow                          string-tcp    high      false
6437.0    RealNetworks RealPlayer Compressed Skin Buffer Overflow                    string-tcp    high      false
6458.0    Microsoft Windows Media Player File Information Disclosure                 string-tcp    low       false
6728.0    Microsoft Windows GUID Folder Code Execution                               string-tcp    high      false
6741.0    Symantec Discovery XFERWAN Buffer overflow                                 string-tcp    high      false
7416.0    Microsoft Internet Explorer COM Object Instantiation Memory Corruption     string-tcp    high      false
15007.0   CA Products Message Queuing Buffer Overflow                                string-tcp    high      false
16033.0   Microsoft Excel File Parsing Buffer Overflow                               string-tcp    high      false
16040.0   Quicktime Crafted VR Movie Buffer Overflow                                 string-tcp    high      false
16614.0   Oracle Web Cache Unspecified Client Request                                string-tcp    high      false
16615.0   Microsoft PowerPoint PPT Document Parsing Code Execution                   string-tcp    high      false
16653.0   Ipswitch WhatsUp Gold Web Server Buffer Overflow                           string-tcp    high      false
16796.0   Atrium Software MERCUR IMAPD NTLMSSP Command Handling Memory Corruption Exploit string-tcp high false
16814.0   Novell NetMail WebAdmin Username Stack Buffer Overflow                     string-tcp    high      false
16815.0   Trend Micro ServerProtect EarthAgent DCE-RPC Stack Overflow                string-tcp    high      false
16853.0   HP OpenView Products OVTrace Service Stack Buffer Overflow                 string-tcp    high      false
16873.0   CA DBASVR RPC Server Crafted Pointer Buffer Overflow                       service-msrpc high      false
16997.0   MSWord CSS Processing Code Execution                                       string-tcp    high      false
17057.0   CA BrightStor ARCserve Backup Media Server Buffer Overflow                 service-rpc   high      false
17078.0   MS DirectX Crafted MJPEG Stream Handling Code Execution                    string-tcp    high      false
17097.0   Microsoft Word RTF File Handling Memory Corruption                         string-tcp    high      false
17117.0   Microsoft Rich Textbox Control SaveFile Insecure Method Arbitrary File Overwrite string-tcp high false
17139.0   KAME Racoon Auth Bypass                                                    atomic-ip     high      false
17140.0   Trend Micro OfficeScan Console Buffer Overflow                             string-tcp    high      false
17141.0   WS_FTP Log Server Denial Of Service                                        atomic-ip     medium    false
17244.0   SonicWALL Global VPN Client Format String Vulnerability                    string-tcp    high      false
17248.0   HP OpenView Network Node Manager CGI Buffer Overflow Vulnerabilities       service-http  high      false
17249.0   Opera HREF Tag DoS                                                         string-tcp    medium    false
17251.0   BitDefender Online Scanner OScan.OCX Buffer Overflow                       string-tcp    high      false
17253.0   AOL AmpX SetName ActiveX Control Buffer Overflow                           string-tcp    high      false
17277.0   MS SQL Hello Buffer Overflow                                               string-tcp    high      false
17280.0   MS IE Object Tag Overflow                                                  string-tcp    high      false
17282.0   Cachemgr.cgi                                                               string-tcp    medium    false
17288.0   CA eTrust Intrusion Detection Caller.DLL Remote Code Execution Vulnerability string-tcp  high      false
17290.0   MS IE EDraw Office Viewer ActiveX Arbitrary File Delete                    string-tcp    medium    false
17317.0   Mozilla Firefox OnUnload Memory Corruption                                 string-tcp    high      false
17341.0   Hpufunction.dll Overflow                                                   string-tcp    high      false
17343.0   PhpBB Remote File Inclusion                                                string-tcp    high      false
17346.0   Adobe Acrobat Reader Plugin Vulnerability                                  string-tcp    high      false
17355.0   Navicopa 2.01 GET Buffer Overflow                                          string-tcp    high      false
17360.0   Visual FoxPro ActiveX Arbitrary Command Execution                          string-tcp    high      false
17361.0   Safari KHTMLParser popOneBlock code execution                              string-tcp    high      false
17362.0   Microsoft MDAC WMIScriptUtils.WMIObjectBroker ActiveX Code Execution       string-tcp    high      false
17366.0   IE COM Object Instantiation Memory Corruption Vulnerability                string-tcp    high      false
17372.0   eSupportDiagnostics ActiveX ReadTextFile                                   string-tcp    medium    false
17398.0   Microsoft Internet Explorer HTML Tag Memory Corruption                     string-tcp    high      false
17400.0   Microsoft PowerPoint Legacy Format BO                                      string-tcp    high      true
17417.0   Backdoor Bump-Rat 1.2                                                      string-tcp    high      false
17419.0   Microsoft Word Bulleted Lists Buffer Overflow                              string-tcp    high      false
17420.0   Microsoft IE Native Function DoS                                           string-tcp    medium    false
17421.0   MS Excel Null Pointer DoS                                                  string-tcp    high      false
17422.0   StarTeam MPX Heap Overflow                                                 string-tcp    high      false
17423.0   MS Excel Null Pointer DoS                                                  string-tcp    medium    false
17427.0   Microsoft Windows Embedded Web Font Buffer Overflow                        string-tcp    high      false
17428.0   Acunetix Resource Starvation Attack                                        string-tcp    medium    false
17429.0   Firefox WYCIWYG URI Cache Zone Bypass                                      string-tcp    medium    false
17432.0   HP OpenView Directory Traversal                                            service-http  medium    false
17457.0   Linux Kernel SCTP FWD-TSN Handling Buffer Overflow                         atomic-ip     high      true
17622.0   Lotus Domino Memory Mapped Files Arbitrary Access                          string-tcp    high      false
17637.0   Oracle Rapid Install Web Server Secondary Login Page CSS                   service-http  high      false
17659.0   IE MHTML Redirection Information Disclosure                                string-tcp    medium    false
17678.0   Borland StarTeam MPX Heap Overflow                                         string-tcp    high      false
17680.0   Borland StarTeam MPX Integer Overflow                                      string-tcp    high      false
17779.0   WS_FTP server Manager Information Leak                                     service-http  medium    false
17780.0   SAP Web Application Server XSS                                             service-http  medium    false
17790.0   HTTP Apache 2.0 Path Disclosure                                            service-http  low       false
17797.0   Apache Tomcat URL Information Disclosure                                   service-http  high      false

TUNED SIGNATURES

SIGID     SIGNAME                                                                    ENGINE        SEVERITY  ENABLED
3551.0    POP User Root                                                              string-tcp    medium    true
6449.0    Apache Tomcat Mod_jk Stack Overflow                                        service-http  high      true

CAVEATS

None.

Modified signature(s) detail:

None.
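Every signature listing in this readme (S407 above and the S406 through S404 listings) has the same shape: one row per signature with SIGID, SIGNAME, ENGINE, SEVERITY and ENABLED, long names wrapping onto a following line, and the "Modified signature(s) detail" paragraphs naming signatures as 6143-0. The practical question before deploying a cumulative update is which of the new rows are enabled by default at high severity, because those begin alerting (with whatever event actions the sensor's risk-rating policy attaches) the moment the update is installed. The Python below is an added example, not Cisco's tooling and not part of this readme; the sample rows are constructed from the listings above, and the parser assumes only the row shape just described, not fixed column positions, so it survives the wrapped names and the two-word engine names (atomic-ip-advanced, service-smb-advanced) that appear in the S405 listing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout of the NEW SIGNATURES / TUNED SIGNATURES
# listings in this readme: a row starts with SIGID.SUBID, a long name wraps onto
# a following line with no ID, and the last three fields are ENGINE, SEVERITY,
# ENABLED. Values are copied from rows that appear in the listings above.
SAMPLE_LISTING = """\
SIGID     SIGNAME                                          ENGINE              SEVERITY  ENABLED
18418.0   Microsoft Office Remote Code Execution           string-tcp          high      true
18457.0   Microsoft Internet Explorer Cross Domain         string-tcp          high      true
          Information Leak
6207.0    FreeBSD nfsd Request Denial of Service           string-tcp          medium    false
18077.0   CA Brightstore Backup RPC Server DoS             atomic-ip-advanced  medium    false
17400.0   Microsoft PowerPoint Legacy Format BO            string-tcp          high      true
"""

# Alert severity levels of the IPS sensor, lowest to highest.
SEVERITIES = ("informational", "low", "medium", "high")

ROW_START = re.compile(r"^(\d+)\.(\d+)\s+(.+)$")


@dataclass
class Signature:
    sig_id: int
    sub_id: int
    name: str
    engine: str
    severity: str
    enabled: bool

    @property
    def key(self) -> str:
        # The "Modified signature(s) detail" paragraphs write IDs as 6143-0.
        return f"{self.sig_id}-{self.sub_id}"


def parse_listing(text: str) -> List[Signature]:
    """Parse a signature listing into records, re-joining wrapped names."""
    sigs: List[Signature] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("SIGID"):
            continue  # blank line or column header
        m = ROW_START.match(line)
        fields = m.group(3).split() if m else []
        # A real row ends in SEVERITY and ENABLED; anything else (including a
        # wrapped name that happens to start with a number) continues the
        # previous row's name.
        is_row = (len(fields) >= 4 and fields[-1] in ("true", "false")
                  and fields[-2] in SEVERITIES)
        if not is_row:
            if not sigs:
                raise ValueError(f"continuation line before any row: {line!r}")
            sigs[-1].name += " " + line
            continue
        sigs.append(Signature(int(m.group(1)), int(m.group(2)),
                              " ".join(fields[:-3]), fields[-3], fields[-2],
                              fields[-1] == "true"))
    return sigs


def active_on_deploy(sigs: List[Signature], min_severity: str = "high") -> List[Signature]:
    """Signatures enabled by default at or above min_severity: the rows to review
    (and, if needed, tune) before the update reaches production sensors."""
    threshold = SEVERITIES.index(min_severity)
    return [s for s in sigs if s.enabled and SEVERITIES.index(s.severity) >= threshold]


def count_by_engine(sigs: List[Signature]) -> Dict[str, int]:
    """How many signatures each inspection engine gains; useful for load planning."""
    counts: Dict[str, int] = {}
    for s in sigs:
        counts[s.engine] = counts.get(s.engine, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for s in active_on_deploy(parsed):
        print(f"{s.key:<10} {s.severity:<7} {s.engine:<20} {s.name}")
    print(count_by_engine(parsed))
```

Run against a whole readme, the same parser can be pointed at each NEW SIGNATURES and TUNED SIGNATURES block in turn; diffing the keys of the tuned rows against the "retired" and "severity increased" sentences in the detail paragraph is the quickest way to confirm the table and the prose agree.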
=================================================================================================
S403 SIGNATURE UPDATE DETAILS
=================================================================================================

NEW SIGNATURES

SIGID     SIGNAME                                                                    ENGINE        SEVERITY  ENABLED
16758.0   Oracle RDBMS TNS Listener Attack                                           string-tcp    high      true
17077.3   PowerPoint Legacy File Format                                              string-tcp    high      true
17998.0   JRE Deserialization Vulnerability                                          string-tcp    high      true

TUNED SIGNATURES

SIGID     SIGNAME                                                                    ENGINE        SEVERITY  ENABLED
3140.4    Bagle Virus Activity                                                       service-http  high      false
4055.2    B02K-UDP                                                                   trojan-udp    high      false
5469.1    TrackerCam PHP Argument Overflow                                           service-http  high      false
5479.0    MySQL MaxDB WebDAV Lock-Token Overflow                                     string-tcp    high      false
5853.0    SIP Invite DoS                                                             atomic-ip     medium    false
5873.0    Microsoft Speech API 4 ActiveX Overflow                                    string-tcp    high      false
5874.0    Microsoft Speech API 4 ActiveX Overflow                                    string-tcp    high      false
5876.0    WinZip ActiveX Control Instantiation                                       string-tcp    high      false
5887.0    Microsoft PDWizard ActiveX Overflow                                        string-tcp    high      false
5912.0    CUCM SIP INVITE UDP Denial of Service                                      atomic-ip     medium    false
6271.0    VMWare ActiveX Arbitrary File Access                                       string-tcp    high      false
6272.0    Novell iPrint Client ActiveX Buffer Overflow                               string-tcp    high      false
6273.0    Microsoft Works ActiveX WkImgSrv.dll Insecure Function                     string-tcp    high      false
6299.0    Namo ActiveSquare6 ActiveX Vulnerability                                   string-tcp    high      false
6526.0    Lighttpd FastCGI Header Overrun                                            service-http  high      false

CAVEATS

None.
Modified signature(s) detail:

The following signatures are being set to disabled and retired by default: 3140-4, 4055-2, 5469-1, 5479-0, 5853-0, 5873-0, 5874-0, 5876-0, 5887-0, 5912-0, 6271-0, 6272-0, 6273-0, 6299-0, 6526-0

=================================================================================================
S402 SIGNATURE UPDATE DETAILS
=================================================================================================

NEW SIGNATURES

SIGID     SIGNAME                                                                    ENGINE        SEVERITY  ENABLED
5933.0    Oracle Database DBMS_Scheduler Privilege Escalation                        string-tcp    medium    false
5943.0    Oracle Database Server SQL Query Directory Traversal                       string-tcp    medium    false
5945.0    MS IE Cross Frame Scripting Restriction Bypass                             string-tcp    low       false
5949.0    Multiple HP Web Jetadmin Vulnerabilities                                   service-http  medium    false
5949.1    Multiple HP Web Jetadmin Vulnerabilities                                   service-http  high      false
5956.0    Multiple Vendor SOAP DoS                                                   string-tcp    medium    false
5961.0    Oracle Database Server MD2 package SDO_CODE_SIZE procedure Buffer Overflow string-tcp    high      false
6134.0    Microsoft ASP.NET Canonicalization                                         service-http  low       false
6137.0    Wordpad Default Font Overflow                                              string-tcp    high      false
6284.0    Openwsman HTTP Basic Authentication Buffer Overflow                        service-http  high      true
15010.0   MIT Kerberos KAdminD klog_vsyslog Buffer Overflow                          string-tcp    high      false
16759.0   Firefox UI Dispatcher DoS                                                  string-tcp    high      false
16760.0   VLC TTA Buffer Overflow                                                    string-tcp    high      false
17137.0   Realplayer URL Parsing Buffer Overflow                                     string-tcp    high      false
17138.0   Internet Explorer Malformed BMP Buffer Overflow                            string-tcp    high      false
17142.0   ACDSee Plugins ID_X.APL and IDE_ACDSTD.APL Buffer Overflow                 string-tcp    high      false
17145.0   FFmpeg libavformat psxstr.c STR Data Heap Based Buffer Overflow            string-tcp    high      false
17148.0   Appian Enterprise Business Process Management Suite 5.6 Denial of Service  string-tcp    high      false
17197.0   MicroWorld Technologies MailScan Multiple Remote Vulnerabilities           service-http  low       false
17197.1   MicroWorld Technologies MailScan Multiple Remote Vulnerabilities           service-http  low       false
17197.2   MicroWorld Technologies MailScan Multiple Remote Vulnerabilities           service-http  high      false
17200.0   C6 Messenger Installation Url DownloaderActiveX Control                    string-tcp    high      false
17201.0   HPISDataManagerLib.Datamgr ActiveX Control Vulnerability                   string-tcp    high      false
17202.0   Apple Quicktime Image File IDSC Atom Memory Corruption                     string-tcp    high      false
17237.0   CA BrightStor ARCserve Backup Media Server Buffer Overflow                 string-tcp    high      false
17238.0   CA BrightStor ARCserve Backup Media Server Buffer Overflow                 string-tcp    high      false
17239.0   Samba LSA RPC Buffer Overflow                                              string-tcp    high      false
17240.0   Samba RPC Routine Buffer Overflow                                          string-tcp    high      false
17241.0   TrendMicro serverProtect Crafted RPC Buffer Overflow                       string-tcp    high      false
17243.0   OpenBSD Tcp Timestamp Handling DoS                                         string-tcp    medium    false
17246.0   Sun Java Web Start ActiveX Control Buffer Overflow                         string-tcp    high      false
17247.0   IBiz E-Banking Integrator ActiveX Vulnerability                            string-tcp    high      false
17250.0   Firefox Memory Corruption                                                  string-tcp    medium    false
17252.0   Crystal Reports XI ActiveX Buffer Overflow                                 string-tcp    high      false
17255.0   Check Point VPN-1 UTM Edge Login Page Cross-Site Scripting                 string-tcp    high      false
17256.0   HPISDataManager.dll Arbitrary File Download                                string-tcp    high      true
17257.0   HPISDataManager.dll GetFileTime Overflow                                   string-tcp    high      false
17262.0   Savant Web Server Remote Buffer Overflow Vulnerability                     string-tcp    high      false

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

3531-0: This signature was retired.

=================================================================================================
S401 SIGNATURE UPDATE DETAILS
=================================================================================================

NEW SIGNATURES

There are no new signatures for this release.
TUNED SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
3328.0  | Windows SMB/RPC NoOp Sled | string-tcp | medium | false
3328.1  | Windows SMB/RPC NoOp Sled | service-msrpc | medium | false
3328.3  | Windows SMB/RPC NoOp Sled | service-msrpc | medium | false
3402.0  | BSD Telnet Daemon Buffer Overflow | string-tcp | high | false
3402.1  | BSD Telnet Daemon Buffer Overflow | string-tcp | high | false
3402.2  | BSD Telnet Daemon Buffer Overflow | string-tcp | high | false
3402.4  | BSD Telnet Daemon Buffer Overflow | string-tcp | high | false
3550.0  | POP Buffer Overflow | string-tcp | high | false
3577.0  | IMAP LOGIN Command Invalid Username | string-tcp | high | true
3728.0  | Long pop username | string-tcp | medium | false
3729.0  | Long pop password | string-tcp | medium | false
3785.0  | Oracle 9i XDB FTP UNLOCK Buffer Overflow | string-tcp | high | true
3786.0  | Oracle 9i XDB FTP PASS Buffer Overflow | string-tcp | high | true
4511.0  | Avaya SNMP Hidden Community Name | service-snmp | high | true
4614.0  | TFTP Overflow | atomic-ip | high | false
5114.0  | WWW IIS Unicode Attack | service-http | high | false
5114.1  | WWW IIS Unicode Attack | service-http | high | false
5114.2  | WWW IIS Unicode Attack | service-http | high | false
5114.3  | WWW IIS Unicode Attack | service-http | high | false
5114.4  | WWW IIS Unicode Attack | service-http | high | false
5114.5  | WWW IIS Unicode Attack | service-http | high | false
5114.6  | WWW IIS Unicode Attack | service-http | high | false
5114.7  | WWW IIS Unicode Attack | service-http | high | false
5114.8  | WWW IIS Unicode Attack | service-http | high | false
5429.0  | WINS Replication Protocol Buffer Overflow | string-tcp | high | false
5429.1  | WINS Replication Protocol Buffer Overflow | string-tcp | high | false
5436.0  | RXBot Activity | string-tcp | high | true
5436.1  | RXBot Activity | string-tcp | high | true
5467.0  | Computer Associates License Suite PUTOLF Directory Traversal | string-tcp | medium | false
5488.0  | Icecast Server HTTP Header Buffer Overflow | string-tcp | high | true
5525.0  | Outlook Express Overflow | string-tcp | high | true
5560.0  | MailEnable IMAP Overflow | string-tcp | high | false
5594.0  | Samba call_trans2open Overflow | service-smb-advanced | high | false
5595.0  | Windows Startup Folder Remote Access | service-smb-advanced | high | true
5601.0  | Windows LSASS RPC Overflow | service-msrpc | high | true
5601.1  | Windows LSASS RPC Overflow | service-smb-advanced | high | true
5636.0  | vBulletin Template PHP Code Injection Vulnerability | service-http | high | false
5743.0  | PeerCast Buffer Overflow | string-tcp | high | true
5764.0  | ShixxNOTE Font Buffer Overflow | string-tcp | high | false
5769.0  | Malformed HTTP Request | string-tcp | medium | false
5769.1  | Malformed HTTP Request | string-tcp | medium | false
5802.0  | MHTML URI Buffer Overflow | string-tcp | high | false
5817.0  | ASP .NET Cross Site Scripting | string-tcp | high | true
6246.0  | Gateway Weblaunch Activex Control | string-tcp | high | false
6794.0  | CA BrightStor ARCserve Backup Listservcntrl ActiveX Overflow | meta | high | true

CAVEATS

Patch 6.0(5p2)E3 is now available. This patch resolves CSCsy77167 and can be obtained by contacting Cisco TAC.

Modified signature(s) detail:

CSCsz29091 Older IPS signature Retirements:
3328-0, 3328-1, 3328-3, 3402-4, 3402-1, 3402-2, 3402-0, 3550-0, 5114-8, 5114-3, 5114-5, 5114-2, 5114-0, 5114-6, 5114-4, 5114-7, 5114-1, 5802-0, 5764-0, 5769-0, 5769-1, 5636-0, 5429-1, 5429-0, 5467-0, 3729-0, 3728-0, 4614-0, 5560-0, 5594-0, 6246-0

CSCsz29118 IPS Signature SFR increase:
5817-0, 5743-0, 5601-0, 5601-1, 5488-0, 5525-0, 5436-1, 5436-0, 5595-0, 3577-0, 3786-0, 3785-0, 4511-0, 6794-0

=================================================================================================
S400 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
16933.0 | Microsoft PowerPoint Remote Code Execution | string-tcp | high | true
16956.0 | Microsoft PowerPoint Remote Code Execution | string-tcp | high | true
16957.0 | Microsoft PowerPoint Remote Code Execution | string-tcp | high | true
16958.0 | Microsoft PowerPoint Remote Code Execution | string-tcp | high | true
16977.0 | Microsoft Powerpoint File Parsing Vulnerability | string-tcp | high | true
17077.0 | PowerPoint Legacy File Format | string-tcp | high | true
17077.1 | PowerPoint Legacy File Format | string-tcp | high | true
17077.2 | PowerPoint Legacy File Format | string-tcp | high | true
17127.0 | Microsoft PowerPoint RCE Vulnerability | string-tcp | high | true
17146.0 | PowerPoint 4.0 Legacy File Format Vulnerability | string-tcp | high | true
17152.0 | PowerPoint Legacy File Format Vulnerability | string-tcp | high | true
17153.0 | Microsoft PowerPoint RCE Vulnerability | string-tcp | high | true
17155.0 | Malicious Microsoft PowerPoint File Exploit | string-tcp | high | true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S399 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
6703.0  | Snort SACK TCP Option Handling Denial of Service Details | service-generic | low | false
15773.0 | Adobe Flash Player Invalid Object Reference Vulnerability | string-tcp | high | true

TUNED SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
3234.1  | IE Local Trusted Resource Execution | service-http | high | true
3326.0  | Windows Startup Folder Remote Access | string-tcp | medium | false
3402.3  | BSD Telnet Daemon Buffer Overflow | string-tcp | high | false
3525.0  | IMAP Authenticate Buffer Overflow | string-tcp | high | false
3576.0  | INN Control Message Exploit | string-tcp | high | false
3739.0  | Nullsoft SHOUTcast Format String Attack | service-http | high | false
5307.0  | Mercantec Softcart Overflow | service-http | high | false
5444.0  | MySQL MaxDB WebAgent logon Buffer Overflow | string-tcp | high | false
5587.0  | Microsoft Windows 9x NetBIOS NULL Name Vulnerability | service-smb-advanced | high | false
5718.0  | VERITAS NetBackup Volume Manager Daemon Buffer Overflow | string-tcp | high | false
5723.0  | Microsoft IIS .dll DoS | service-http | medium | false
5798.0  | Mambo PHP sbp File Inclusion Vulnerability | service-http | high | false
5833.0  | Quicktime RTSP URL Vulnerability | string-tcp | high | false
6013.1  | IRCBOT_JK DNS Lookup | atomic-ip | high | false
6302.0  | General Loki ICMP Tunneling | traffic-icmp | high | false
6788.0  | SonicWALL SSL VPN Client Remote ActiveX Vulnerability | meta | high | false
6788.1  | SonicWALL SSL VPN Client Remote ActiveX Vulnerabilities | string-tcp | informational | false
6788.2  | SonicWALL SSL VPN Client Remote ActiveX Vulnerability | string-tcp | informational | false
6788.3  | SonicWALL SSL VPN Client Remote ActiveX Vulnerabilities | meta | high | false
6788.4  | SonicWALL SSL VPN Client Remote ActiveX Vulnerability | string-tcp | medium | false
6922.0  | VBScript/JScript Remote Code Execution | string-tcp | high | true
7301.0  | Excel Global Array Memory Corruption | string-tcp | high | true

CAVEATS

None.

Modified signature(s) detail:

CSCsz29091 - Older IPS signature Retirements:
6788-4, 6788-2, 6788-0, 6788-3, 6788-1, 6302-0, 6013-1, 5833-0, 5798-0, 5723-0, 5718-0, 5587-0, 5444-0, 5307-0, 3739-0, 3576-0, 3525-0, 3402-3, 3326-0

CSCsy55875 Signature SFR increase - now blocking:
3234-1

Changed regex - did not fire in S385:
7301-0 Excel Global Array Memory Corruption

=================================================================================================
S398 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
16953.0 | Shockwave File Processing Arbitrary File Upload | string-tcp | medium | true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S397 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
3408.1  | Telnet Client LINEMODE SLC Option Overflow | string-tcp | high | false
6133.0  | Microsoft Excel Cell Length Buffer Overflow CVE-2004-0846 | string-tcp | high | false
6141.0  | Macromedia JRun 4.x Server File Disclosure | service-http | low | false
6165.0  | nfs-utils TCP Connection Termination Denial of Service | string-tcp | medium | false
6170.0  | Novell eDirectory evtFilteredMonitorEventsRequest Function Overflow | string-tcp | high | false
6173.0  | Empty DNS Query | atomic-ip | medium | false
6245.0  | IBM Tivoli Storage Manager Initial Sign-on Request Buffer Overflow | string-tcp | high | false
6247.0  | Sun Microsystems Java GIF File Handling Memory Corruption | string-tcp | high | false
6248.0  | HP Mercury Loadrunner Agent Command Processing Buffer Overflow | string-tcp | high | false
6430.0  | Microsoft Internet Explorer CSS Memory Corruption | string-tcp | medium | false
6457.0  | Lotus Notes URI Handler Argument Injection | string-tcp | high | false
6466.0  | Squid WCCP Message Parsing Denial of Service | atomic-ip | low | false
6467.0  | Mozilla Firefox Click Event Classification Vulnerability | string-tcp | low | false
6468.0  | Multiple Vendor AV Gateway Virus Detection Bypass | string-tcp | high | false
6496.0  | Microsoft Internet Explorer URL Spoofing Vulnerability Details | string-tcp | high | false
6710.0  | Macromedia Flash Player LoadMovie DoS | string-tcp | medium | false
6727.0  | Nullsoft Winamp Midi File Header Handling Buffer Overflow | string-tcp | high | false
6727.1  | Nullsoft Winamp Midi File Header Handling Buffer Overflow | string-tcp | high | false
7420.0  | Microsoft Help Workshop HPJ OPTIONS Section Buffer Overflow | string-tcp | medium | false
15012.0 | Oracle BEA WebLogic Server Apache Connector Buffer Overflow | service-http | medium | true
15574.0 | SoftEther P2P Activity | fixed-tcp | informational | false
16035.0 | Iseemedia LPViewer ActiveX Buffer Overflows | meta | high | false
16035.1 | Iseemedia LPViewer ActiveX Buffer Overflows | string-tcp | informational | false
16038.0 | Adobe Flash Insufficient Data Validation Buffer Overflow | string-tcp | high | false
16096.0 | IBM SolidDB Format String Bug | string-tcp | medium | false
16553.0 | MailEnable SMTP Service VRFY/EXPN Command DoS | string-tcp | low | true
16793.0 | Adobe Reader getAnnots() Remote Code Execution | meta | high | true
16793.1 | Adobe Reader getAnnots() Remote Code Execution | string-tcp | informational | true
16813.0 | Adobe Reader customDictionaryOpen Buffer Overflow | meta | high | true
16813.1 | Adobe Reader customDictionaryOpen Buffer Overflow | string-tcp | informational | true

TUNED SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
2158.0  | Nachi Worm ICMP Echo Request | atomic-ip | high | true
3143.0  | BERBEW Trojan Activity | string-tcp | high | true
3169.0  | FTP SITE EXEC tar | string-tcp | high | true
3178.0  | Denial Of Service in Microsoft SMS Client | string-tcp | high | true
3333.0  | SMB MSRPC Messenger Overflow | string-tcp | high | true
3342.0  | Windows NetDDE Overflow | service-smb | high | true
3342.1  | Windows NetDDE Overflow | string-tcp | high | true
3347.2  | Windows ASN.1 Library Bit String Heap Corruption | service-http | high | true
3406.0  | Solaris TTYPROMPT /bin/login Overflow | string-tcp | high | true
3527.1  | UW imapd Overflows | string-tcp | high | false
3527.4  | UW imapd Overflows | string-tcp | high | false
3884.0  | Cfengine Authentication Heap Based Buffer Overflow | string-tcp | high | true
5435.0  | Crystal Reports Remote Code Execution | string-tcp | high | false
5438.0  | Cisco IOS Call Processing Solutions DoS | string-tcp | medium | false
5455.0  | Arkeia Type 77 Request Buffer Overflow | string-tcp | high | false
5464.1  | Computer Associates License Suite Network Buffer Overflow | string-tcp | high | false
5469.0  | TrackerCam PHP Argument Overflow | service-http | high | false
5487.0  | IA WebMail Buffer Overflow | service-http | high | false
5684.0  | Malformed SIP Packet | atomic-ip | medium | false
5825.0  | SIP Malformed Invite Packet | atomic-ip | medium | false
6222.0  | HP OpenView Client Configuration Manager Radia Notify Daemon Code Execution | string-tcp | high | false
6969.0  | Microsoft Word Smart Tag Corruption Exploit | string-tcp | high | true

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S396 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
6166.0  | Novell eDirectory HTTP Server Redirection Buffer Overflow | service-http | high | false
6169.0  | mod_tcl Module Format String Vulnerability | string-tcp | high | false
6238.0  | GNU RADIUS SQL Accounting Format String Vulnerability | atomic-ip | high | false
6240.0  | IMAP LOGIN Negative Value | string-tcp | high | false
6243.0  | Sun JRE Abstract Windowing Toolkit Module Memory Corruption | string-tcp | high | false
6976.1  | Microsoft Powerpoint 2003 Viewer Buffer Overflow | string-tcp | high | false
15255.0 | PacketiX Network Traffic | atomic-ip | informational | false
15913.0 | Linux Kernel nfsd Subsystem Buffer Overflow | atomic-ip | medium | true
15993.0 | Mozilla Firefox SVG Memory Corruption | string-tcp | high | true
15994.0 | BitDefender Adobe PDF Memory Corruption Vulnerability | string-tcp | high | true
15996.0 | Apple QuickTime VR Track Header Atom Corruption | string-tcp | high | true
16153.0 | Apple QuickTime MOV File HREFTrack Cross-Zone Scripting | string-tcp | high | false
16194.0 | PacketiX VPN Connection | fixed-tcp | low | false
16473.1 | Internet Explorer Memory Corruption Vulnerability | string-tcp | high | true

TUNED SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
3118.0  | rwhoisd format string | string-tcp | high | false
3155.0  | FTP RETR Pipe Filename Command Execution | string-tcp | medium | false
3180.0  | BakBone NetVault Remote Heap Overflow | string-tcp | high | false
3336.0  | Windows ASN.1 Bit String NTLMv2 Integer Overflow | string-tcp | high | false
3352.0  | Samba Fragment Reassembly Overflow | string-tcp | high | false
3714.0  | Oracle TNS 'Service_Name' Overflow | string-tcp | high | false
3788.0  | Solaris LPD Remote Command Execution | string-tcp | high | false
4501.0  | CVCO/4K Remote Username / Password Retrieve | service-snmp | medium | false
4614.1  | TFTP Overflow | atomic-ip | high | false
4617.0  | PoPToP PPtP Short Length Overflow | string-tcp | high | false
4617.1  | PoPToP PPtP Short Length Overflow | string-tcp | high | false
5365.0  | Long WebDAV Request | string-tcp | high | false
5433.0  | Jabberd Username Overflow | string-tcp | high | false
5458.0  | WebConnect MS-DOS Device Name DoS | service-http | medium | false
5465.0  | Computer Associates License Suite Checksum Buffer Overflow | string-tcp | high | false
5478.0  | Microsoft Exchange SMTP Overflow | string-tcp | high | false
5480.0  | MySQL MaxDB WebDAV If Header Overflow | string-tcp | high | false
5549.0  | Evolution Message Size Overflow | string-tcp | high | false
5574.0  | OpenView Network Node Manager Command Injection | service-http | high | false
5598.1  | Windows Workstation Service Overflow | service-smb-advanced | high | false
5648.1  | Tomcat Denial of Service Attack | string-tcp | medium | false
5672.0  | Computer Associates Message Queuing Buffer Overflow | string-tcp | high | false
5720.0  | Lyris ListManager SQL Command Injection | service-http | high | false
5740.0  | Kerio Personal Firewall Remote Authentication Buffer Overflow | string-tcp | high | false
5892.0  | Motive Communications ActiveUtils Buffer Overflow | string-tcp | high | false
5913.0  | PIX/ASA/FWSM MGCP DoS | multi-string | medium | false
6007.0  | Management Console Cross-Site Scripting | string-tcp | high | false
6012.0  | EIQ License Buffer Overflow | string-tcp | high | false
6268.0  | HP Openview Network Node Manager Buffer Overflow | string-tcp | high | false
6504.0  | Stacheldraht Server Reply | traffic-icmp | medium | false

CAVEATS

There is a defect (CSCsy77167) in the memory manager that prevents unused memory from being returned during a signature update as designed. This can cause the sensor to fail the signature update. As a short-term workaround, rebooting the sensor after the failure will recover the system. The IPS Engineering team is working on a patch for this issue.
Modified signature(s) detail:

The following signatures have been retired due to age:
6504-0, 6268-0, 6166-0, 6012-0, 5574-0, 5598-1, 5648-1, 5672-0, 5720-0, 5740-0, 5892-0, 5913-0, 6007-0, 5549-0, 5480-0, 5478-0, 5465-0, 5458-0, 5433-0, 5365-0, 4617-1, 4617-0, 4614-1, 4501-0, 3788-0, 3714-0, 3352-0, 3336-0, 3180-0, 3155-0, 3118-0

=================================================================================================
S395 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
6230.0  | F-Secure Products Web Console Buffer Overflow | string-tcp | high | false
6231.0  | Citrix Presentation Server IMA | string-tcp | medium | false
6233.0  | Computer Associates BrightStor ARCserve Backup Tape Engine Service | string-tcp | high | false
6237.0  | MailEnable IMAP Service Login Overflow | string-tcp | high | false
6711.0  | Microsoft Internet Explorer Image Download Spoofing | service-http | low | false
6717.0  | Microsoft Internet Explorer Status Bar URL Spoofing | string-tcp | low | false
6718.0  | Multiple AV Vendor Invalid Archive Checksum | string-tcp | low | false
6722.0  | Oracle Application Server 10g emagent.exe Stack Buffer Overflow | service-http | medium | false
15002.0 | TeamViewer Activity | atomic-ip | low | false
15002.1 | TeamViewer Activity | string-tcp | low | false
15002.2 | TeamViewer Activity | service-http | low | false
15453.0 | eBuddy Network Traffic | atomic-ip | informational | false
15453.1 | eBuddy Network Traffic | service-http | informational | false
15997.0 | Apple CUPS SGI Image RLE Memory Corruption | string-tcp | high | false
16114.0 | IBM Tivoli Storage Manager Express Backup Heap Corruption | string-tcp | high | false

TUNED SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
3526.0  | Imap Login Buffer Overflow | string-tcp | high | false
5464.0  | Computer Associates License Suite Network Buffer Overflow | string-tcp | high | false
5481.0  | MySQL MaxDB WebDBM Overflow | service-http | high | false
5754.0  | PAJAX Remote Code Execution Vulnerability | service-http | high | true
5850.0  | Snort DCE/RPC Preprocessor Vulnerability | atomic-ip | high | true
6269.0  | HP Openview Operations Buffer Overflow | string-tcp | high | true
6517.0  | Malformed Via Header | atomic-ip | high | true
6798.0  | HP StorageWorks Buffer Overflow | string-tcp | high | true
16296.0 | Potential Conficker Command And Control Request | service-http | high | false

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S394 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
6157.0  | MIT Kerberos Kadmind Remote Code Injection | string-tcp | high | false
6159.0  | Microsoft Windows Active Directory Crafted LDAP Request DoS | string-tcp | medium | false
6160.0  | Microsoft Windows Active Directory Crafted LDAP Buffer Overflow | string-tcp | high | false
6161.0  | Ingres Database Communications Server Component Buffer Overflow | string-tcp | high | false
6174.0  | OpenLDAP Server BIND Request Denial of Service | string-tcp | medium | false
6222.0  | HP OpenView Client Configuration Manager Radia Notify Daemon Code Execution | string-tcp | high | false
6223.0  | Citrix MetaFrame IMA Authentication Processing Buffer Overflow | string-tcp | high | false
6225.0  | KAME IKE raccoon HASH | atomic-ip | medium | false
6225.1  | KAME IKE raccoon HASH | atomic-ip | medium | false
6488.0  | Symantec Veritas NetBackup Command Chaining | string-tcp | high | false
6702.0  | Microsoft SQL Server 7 TDS Denial Of Service | string-tcp | high | false
6705.0  | Internet Explorer Drag And Drop Vulnerability | string-tcp | high | false
15000.0 | GoToMyPC Activity | atomic-ip | low | false
16219.0 | Mozilla Firefox XSL Parsing Remote Memory Corruption | string-tcp | high | true

TUNED SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
3109.0  | Long SMTP Command | state | high | false
3129.0  | Mimail Virus C Variant File Attachment | state | medium | false
3234.0  | IE Local Trusted Resource Execution | service-http | high | true
3250.0  | TCP Hijack | normalizer | high | true
3339.0  | Windows System32 Directory File Creation | service-smb | medium | false
3528.0  | IPSwitch IMail DELETE Command Overflow | string-tcp | high | false
3529.0  | IMAP Long EXAMINE Command | string-tcp | high | true
3789.0  | DistCC Daemon Command Execution | string-tcp | high | false
5464.2  | Computer Associates License Suite Network Buffer Overflow | string-tcp | high | false
5466.0  | Computer Associates License Suite PUTOLF Buffer Overflow | string-tcp | high | true
5484.0  | Sambar Server Search Overflow | service-http | high | true
5505.0  | RIP Trace | atomic-ip | high | false
5803.0  | Sygate Login Servlet SQL Injection | service-http | high | true
5866.0  | IBM Lotus Domino IMAP CRAM-MD5 Overflow | string-tcp | high | true
6201.0  | Ident Newline | service-ident | high | true
6760.1  | RealPlayer ActiveX Buffer Overflow | string-tcp | informational | true
7298.0  | MS Visual Basic Flexgrid Control Buffer Overflow | meta | high | true
7298.1  | MS Visual Basic Flexgrid Control Buffer Overflow | string-tcp | informational | true
15634.0 | Cisco ACE Crafted SSH Packet Vulnerability | string-tcp | high | true
15653.0 | Crafted SNMPv3 packet may crash ACE appliance | atomic-ip | high | true

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S393 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
16373.0 | Buffer Overflow In Wordpad And Office Text Converters | string-tcp | high | true
16413.0 | Microsoft Excel Remote Code Execution | string-tcp | high | true
16414.0 | Microsoft Excel Remote Code Execution | string-tcp | high | true
16415.0 | MS IE Remote Code Execution | string-tcp | high | true
16416.0 | MS IE Remote Code Execution | string-tcp | high | true
16433.0 | Microsoft Office Text Converter Buffer Overflow | string-tcp | high | true
16473.0 | Internet Explorer Memory Corruption Vulnerability | string-tcp | high | true
16474.0 | IE Uninitialized Memory Corruption | string-tcp | high | true
16475.0 | Microsoft Wordpad Word 97 Text Converter Code Execution Vulnerability | string-tcp | high | true
16476.0 | Windows HTTP Services Credential Reflection Vulnerability | meta | high | true
16476.1 | Windows HTTP Services Credential Reflection Vulnerability | atomic-ip | informational | true
16476.2 | Windows HTTP Services Credential Reflection Vulnerability | atomic-ip | informational | true
16476.3 | Windows HTTP Services Credential Reflection Vulnerability | atomic-ip | informational | true
16476.4 | Windows HTTP Services Credential Reflection Vulnerability | atomic-ip | informational | true
16494.0 | ISA Server Cross Site Scripting Vulnerability | service-http | medium | true
16513.0 | Microsoft DirectShow MJPEG Decompression Vulnerability | string-tcp | high | true
16514.0 | WordPad Word 97 Text Converter Vulnerability | string-tcp | high | true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S392 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
16294.0 | ASA Crafted H.323 Packet DoS | string-tcp | medium | true
16297.1 | Worm Activity - Brute Force | meta | high | true
16393.0 | Cisco ASA Crafted TCP Packet DoS Vulnerability | service-generic | medium | true

TUNED SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
5930.4  | Generic SQL Injection | service-http | high | true
16296.0 | Potential Conficker Command And Control Request | service-http | high | true
16297.0 | Worm Activity - Brute Force | string-tcp | informational | true

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S391 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
16353.0 | Malformed PowerPoint File Code Execution Vulnerability | string-tcp | high | true
16354.0 | Malformed PowerPoint File Code Execution Vulnerability | string-tcp | high | true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S390 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
16333.0 | Malformed PowerPoint File Code Execution Vulnerability | string-tcp | high | true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S389 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
16293.0 | Conficker Worm Shellcode | string-tcp | high | true
16293.1 | Conficker Worm Shellcode | string-tcp | high | true
16293.2 | Conficker Worm Shellcode | fixed-tcp | high | true
16296.0 | Potential Conficker Command And Control Request | service-http | high | true
16297.0 | Worm Activity - Brute Force | string-tcp | high | true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S388 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
3791.1  | Solaris Printd Unlink File Deletion | string-tcp | medium | false
6085.0  | IE Table Column Record Handling | string-tcp | high | false
6106.0  | Cisco Secure ACS EAP-TLS Authentication Bypass | string-udp | medium | false
6108.0  | FreeRADIUS Denial of Service | atomic-ip | medium | false
6135.0  | Sun Solaris in.rwhod Buffer Overflow | string-udp | high | false
6719.0  | MySQL COM_TABLE_DUMP Function Stack Overflow | string-tcp | high | false
6720.0  | MySQL Login Handshake Information Disclosure | string-tcp | high | false
6721.0  | OpenBSD ISAKMP Message Handling Denial Of Service | atomic-ip | low | false
6723.0  | Sun Directory Server LDAP Denial of Service Details | string-tcp | medium | false
6732.0  | CA BrightStor ARCServe Backup LGServer Password Buffer Overflow | string-tcp | high | true
6734.0  | CA ARCserve Backup LGServer Multiple Buffer Overflows | string-tcp | high | false
6735.0  | Microsoft Internet Explorer HHCtrl.ocx Image Property Heap Corruption | multi-string | medium | false
6736.0  | Apple QuickTime FLIC Animation File Buffer Overflow Details | string-tcp | medium | false
6737.0  | OpenSSL SSL_get_shared_ciphers Function Buffer Overflow | string-tcp | high | false
6739.0  | Novell GroupWise Messenger HTTP POST Request Invalid Memory Access | string-tcp | low | false
6740.0  | Trend Micro OfficeScan Atxconsole ActiveX Control Format String | string-tcp | medium | false
6742.0  | Microsoft PowerPoint Malformed Record Code Execution | string-tcp | medium | false
7246.1  | Microsoft Excel Spreadsheet Buffer Overflow | string-tcp | high | false
15133.0 | XML Race Condition in Internet Explorer | string-tcp | high | false
15954.0 | CA Multiple Products Console Server Buffer Overflow | string-tcp | high | false
16013.0 | Borland Interbase Integer Overflow Vulnerability | string-tcp | high | true

TUNED SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
3003.0  | TCP Frag SYN Port Sweep | sweep | high | true
3157.0  | FTP PASV Port Spoof | service-ftp | high | true
3180.1  | BakBone NetVault Remote Heap Overflow | string-tcp | high | false
3251.0  | TCP Hijack Simplex Mode | normalizer | high | false
3408.0  | Telnet Client LINEMODE SLC Option Overflow | string-tcp | high | false
3534.0  | IMAP Long AUTHENTICATE Command | string-tcp | high | true
5463.0  | Computer Associates License Software GETCONFIG Buffer Overflow | string-tcp | high | false
5569.0  | MDaemon Imap Authentication Overflow | string-tcp | high | true
5602.0  | Windows System32 Directory File Access | service-smb-advanced | medium | true
6008.0  | First 4 Internet XCP Uninstallation ActiveX Control | string-tcp | high | false

CAVEATS

None.
Modified signature(s) detail:

SFR has been increased for the following sigs:
3003-0 TCP Frag SYN Port Sweep
3157-0 FTP PASV Port Spoof
3534-0 IMAP Long AUTHENTICATE Command

The following sigs have been retired:
3180-1 BakBone NetVault Remote Heap Overflow
3251-0 TCP Hijack Simplex Mode
3408-0 Telnet Client LINEMODE SLC Option Overflow
5463-0 Computer Associates License Software GETCONFIG Buffer Overflow
6008-0 First 4 Internet XCP Uninstallation ActiveX Control

The following sigs have been modified to increase fidelity:
5569-0 MDaemon Imap Authentication Overflow
5602-0 Windows System32 Directory File Access

=================================================================================================
S387 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
5908.3  | NNTP Overflow | string-tcp | high | false
6080.0  | Adobe Products PNG Parsing | string-tcp | high | false
6081.0  | Microsoft Excel BIFF Parsing | string-tcp | high | false
6082.0  | Microsoft Excel Column Record Handling | string-tcp | high | false
6083.0  | Microsoft Excel SetFont | string-tcp | high | false
6084.0  | IE 7 HTML Object Memory Corruption | string-tcp | high | false
6107.0  | CVS File Existence Information Disclosure | string-tcp | medium | false
6119.0  | MySQL Authentication Vulnerability | string-tcp | high | false
6132.0  | Mod SSL- Mod Proxy Hook Format String | string-tcp | high | false
6143.0  | Borland Interbase Database Service Create-Request Buffer Overflow | string-tcp | high | false
6144.0  | X.Org X Font Server Buffer Overflow | string-tcp | high | false
6145.0  | Trend Micro ServerProtect TMregChange Buffer Overflow | string-tcp | high | false
6146.0  | Squid WCCP Message Receive Buffer Overflow | string-udp | high | false
6147.0  | RealPlayer RealMedia Security Bypass | string-tcp | high | false
6149.0  | MySQL Arbitrary Library Injection | string-tcp | high | false
6156.0  | MIT Kerberos kadmind RPC Library Unix Authentication | string-tcp | high | false
6158.0  | MIT Kerberos Kadmind Rename Buffer Overflow | string-tcp | high | false
6297.0  | RealPlayer ActiveX Import Method Buffer Overflow | meta | high | true
6730.0  | IBM Tivoli Storage Manager Express Buffer Overflow | string-tcp | high | false
6731.0  | CA BrightStor ARCServe Backup LGServer Username Buffer Overflow | string-tcp | high | false
6733.0  | CA BrightStor ARCServe Backup LGServer Arbitrary File Upload | string-tcp | high | false
6759.0  | Apple Safari Regular Expression Overflow | string-tcp | high | true
6770.0  | OpenOffice PRTDATA Heap Overflow | string-tcp | high | false
7244.1  | Microsoft Excel Buffer Overflow | string-tcp | high | false
7256.0  | ActSoft DVD-Tools ActiveX control Buffer Overflow | meta | high | true
7256.1  | ActSoft DVD-Tools ActiveX control Buffer Overflow | string-tcp | informational | true
7256.2  | ActSoft DVD-Tools ActiveX control Buffer Overflow | string-tcp | informational | true
7285.0  | Samba Unauthorized Root File System Access | service-smb-advanced | medium | true
7291.0  | VideoLAN VLC Media Player WAV Processing Integer Overflow | meta | high | true
7291.1  | VideoLAN VLC Media Player WAV Processing Integer Overflow | string-tcp | informational | true
7291.2  | VideoLAN VLC Media Player WAV Processing Integer Overflow | string-tcp | informational | true
7292.0  | Apple QuickTime Crafted HTTP Error Response Buffer Overflow | string-tcp | high | false
15009.0 | Microsoft Office MSODataSourceControl Denial Of Service | string-tcp | high | false
15017.0 | Oracle Secure Backup Login.php Command Injection | service-http | high | true
15115.0 | Sun Java System Web Proxy sockd Daemon Overflow | string-tcp | high | false
15274.0 | IBM Lotus Domino LDAP Server Memory Exception | string-tcp | high | false
15275.0 | SpamAssassin Spamd Remote Command Execution | string-tcp | high | false
15294.0 | Chrome URI Handler Remote Command Execution | string-tcp | high | true
15314.0 | Symantec Firewall DNS Response Denial Of Service | atomic-ip | high | false
15374.0 | Microsoft Windows Media Player Skin Decompression Vulnerability | string-tcp | high | false
15375.0 | Microsoft Windows Media Player Skin Parsing Vulnerability | string-tcp | high | false
15376.0 | Trend Micro ServerProtect RPC Overflow | service-msrpc | high | false
15393.0 | Asterisk T.38 Buffer Overflow | atomic-ip | high | false
15454.0 | LogMeIn Hamachi Activity | atomic-ip | informational | false
15455.0 | LogMeIn Product Activity | atomic-ip | low | false
15513.0 | Apple Mac OS X iChat AIM URL Format String Vulnerability | string-tcp | high | false
15573.0 | Apple Mac OS X Finder Memory Corruption | string-tcp | high | false
15753.0 | CVS Line Entry Heap Overflow | string-tcp | high | false

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S386 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
15593.0 | Windows System32 Directory Write Access | service-smb-advanced | informational | false
15816.0 | WPAD Registration Vulnerability | atomic-ip | medium | false
15833.0 | Windows Kernel Input Validation Vulnerability | string-tcp | high | true

TUNED SIGNATURES

SIGID   | SIGNAME | ENGINE | SEVERITY | ENABLED
3113.1  | Email Attachment with Malicious Payload | string-tcp | medium | false
3128.1  | Exchange xexch50 overflow | string-tcp | high | false
3130.0  | Mimail Virus I Variant File Attachment | string-tcp | medium | false
3133.0  | Novarg / Mydoom Virus Mail Attachment Variant B | string-tcp | high | false
3137.6  | Sober Virus Activity | string-tcp | high | false
3328.2  | Windows SMB/RPC NoOp Sled | string-tcp | medium | false
5416.1  | IE object data remote execution | meta | informational | false
5499.0  | HTML Link in Object Tag in IE | string-tcp | informational | false
5503.0  | Object Creation In IE Local Zone | string-tcp | informational | false
5520.0  | XEXCH50 Command Usage | string-tcp | informational | false
5635.0  | Plug and Play Overflow | string-tcp | informational | false
5635.1  | Plug and Play Overflow | string-tcp | informational | false
5635.2  | Plug and Play Overflow | meta | high | false
5644.0  | Client Service for NetWare Overflow | string-tcp | informational | false
5644.1  | Client Service for NetWare Overflow | string-tcp | informational | false
5644.2  | Client Service for NetWare Overflow | string-tcp | medium | false
5644.3  | Client Service for NetWare Overflow | meta | high | false
5706.0  | Persistent Content in a Dynamic Webpage | string-tcp | medium | false
5731.0  | Windows Media Player BMP Processing Vulnerability | meta | high | false
5731.1  | Windows Media Player BMP Processing Vulnerability | string-tcp | informational | false
5731.2  | Windows Media Player BMP Processing Vulnerability | string-tcp | medium | false
5737.0  | Internet Explorer Action Handlers Overflow | string-tcp | high | false
5747.0  | MDAC Function Remote Code Execution | meta | high | false
5747.1  | MDAC Function Remote Code Execution | string-tcp | informational | false
5747.2  | MDAC Function Remote Code Execution | string-tcp | medium | false
5748.0  | Non-SMTP Session Start | meta | low | false
5748.1  | Non-SMTP Session Start | string-tcp | informational | false
5748.2  | Non-SMTP Session Start | string-tcp | informational | false
5748.3  | Non-SMTP Session Start | string-tcp | informational | false
5748.4  | Non-SMTP Session Start | string-tcp | informational | false
5748.5  | Non-SMTP Session Start | string-tcp | informational | false
5749.0  | Internet Explorer Double Byte Character Parsing | string-tcp | high | false
5775.0  | MHTML Redirection | string-tcp | low | false
5799.1  | Server Service Code Execution | string-tcp | informational | false
5799.2  | Server Service Code Execution | string-tcp | informational | false
5799.3  | Server Service Code Execution | string-tcp | informational | false
5799.4  | Server Service Code Execution | meta | high | false
5799.5  | Server Service Code Execution | string-tcp | informational | false
5799.6  | Server Service Code Execution | string-tcp | informational | false
5799.7  | Server Service Code Execution | meta | high | false
5800.0  | HTTP Large Content-Type | string-tcp | medium | false
5814.0  | Step-by-Step Interactive Training Remote Code Execution | meta | high | false
5814.1  | Step-by-Step Interactive Training Remote Code Execution | string-tcp | informational | false
5814.2  | Step-by-Step Interactive Training Remote Code Execution | string-tcp | informational | false
5815.0  | WebViewFolderIcon setSlice() Overflow | meta | high | false
5815.1  | WebViewFolderIcon setSlice() Overflow | string-tcp | informational | false
5815.2
WebViewFolderIcon string-tcp informational false setSlice() Overflow 5827.1 Internet Explorer ActiveX string-tcp informational false Control Arbitrary Code Execution 5827.2 Internet Explorer ActiveX string-tcp informational false Control Arbitrary Code Execution 5840.0 Internet Explorer CLSID string-tcp high false Code Execution 5856.0 Agent URL Parsing Remote meta high false Code Execution 5856.1 Agent URL Parsing Remote string-tcp informational false Code Execution 5856.2 Agent URL Parsing Remote string-tcp informational false Code Execution 5863.0 Internet Explorer meta high false CAPICOM.Certificates Remote Code Execution 5863.1 Internet Explorer string-tcp informational false CAPICOM.Certificates Remote Code Execution 5863.2 Internet Explorer string-tcp informational false CAPICOM.Certificates Remote Code Execution 5865.0 Microsoft WMS Arbitrary meta high false File Rewrite Vulnerability 5865.1 Microsoft WMS Arbitrary string-tcp informational false File Rewrite Vulnerability 5865.2 Microsoft WMS Arbitrary string-tcp informational false File Rewrite Vulnerability 5870.0 Win32 API Vulnerability string-tcp high false 5880.0 Sun Java Web Start JNLP string-tcp high false File Stack Overflow 5909.0 Browser Address Bar string-tcp medium false Spoofing Attack 6228.0 Mac OSX Software Update meta high false Remote Code Execution 6228.1 Mac OSX Software Update string-tcp informational false Remote Code Execution 6228.2 Mac OSX Software Update string-tcp informational false Remote Code Execution 6228.3 Mac OSX Software Update string-tcp informational false Remote Code Execution 6229.0 MS SQL Server sqldmo.dll meta high false Overflow 6229.1 MS SQL Server sqldmo.dll string-tcp informational false Overflow 6229.2 MS SQL Server sqldmo.dll string-tcp informational false Overflow 6513.0 Macrovision FlexNet meta medium false DownloadManager Insecure Methods 6513.1 Macrovision FlexNet string-tcp informational false DownloadManager Insecure Methods 6513.2 Macrovision FlexNet 
string-tcp informational false DownloadManager Insecure Methods 6777.0 Windows OLE Automation meta high false Remote Code Execution 6777.1 Windows OLE Automation string-tcp informational false Remote Code Execution 6777.2 Windows OLE Automation string-tcp informational false Remote Code Execution 6778.0 Microsoft Works Converter string-tcp high false Index Table Vulnerability 6924.0 MS Publisher Remote Code string-tcp high false Execution 6925.0 IE Property Memory meta high false Corruption 6925.1 IE Property Memory string-tcp informational false Corruption 6925.2 IE Property Memory string-tcp informational false Corruption 6925.3 IE Property Memory string-tcp informational false Corruption 12022.0 Perfect Keylogger Activity string-tcp low false 12022.1 Perfect Keylogger Activity string-tcp low false CAVEATS None. Modified signature(s) detail: The following signatures were set disabled and retired by default: 12022-0; 12022-1; 3113-1; 3128-1; 3130-0; 3133-0; 3137-6; 3328-2; 5416-1; 5499-0; 5503-0; 5520-0; 5635-0; 5635-1; 5635-2; 5644-0; 5644-1; 5644-2; 5644-3; 5706-0; 5731-0; 5731-1; 5731-2; 5737-0; 5747-0; 5747-1; 5747-2; 5748-0; 5748-1; 5748-2; 5748-3; 5748-4; 5748-5; 5749-0; 5775-0; 5799-0; 5799-1; 5799-2; 5799-3; 5799-4; 5799-5; 5799-6; 5799-7; 5800-0; 5814-0; 5814-1; 5814-2; 5815-0; 5815-1; 5815-2; 5827-1; 5827-2; 5840-0; 5856-0; 5856-1; 5856-2; 5863-0; 5863-1; 5863-2; 5865-0; 5865-1; 5865-2; 5870-0; 5880-0; 5909-0; 6228-0; 6228-1; 6228-2; 6228-3; 6229-0; 6229-1; 6229-2; 6513-0; 6513-1; 6513-2; 6777-0; 6777-1; 6777-2; 6778-0; 6924-0; 6925-0; 6925-1; 6925-2; 6925-3. The sig-type parameter missing from a number of signatures was populated in this release; however, the signatures in question were not re-released as no this change has no effect on functionality. The changes are visible in the386. edc.inc xml file. 
=================================================================================================
S385 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
15733.0  MS Excel Invalid Object Arbitrary Code Execution                      string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S384 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
15493.0  Cisco ANM Java Agent Privilege Escalation                             service-http          medium         true
15634.0  Cisco ACE Crafted SSH Packet Vulnerability                            string-tcp            high           true
15653.0  Crafted SNMPv3 packet may crash ACE appliance                         atomic-ip             medium         true
15673.0  Cisco Unified MeetingPlace Stored XSS                                 service-http          high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S383 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
15613.0  Malicious Adobe Reader PDF File                                       string-tcp            high           true
15613.1  Malicious Adobe Reader PDF File                                       string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S382 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
15233.1  Internet Explorer Uninitialized Memory Corruption                     string-tcp            high           true
15233.2  Internet Explorer Uninitialized Memory Corruption                     string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S381 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
15233.0  Internet Explorer Uninitialized Memory Corruption                     string-tcp            high           true
15234.0  Internet Explorer CSS Memory Corruption Vulnerability                 string-tcp            high           true
15235.0  Exchange Server Memory Corruption Vulnerability                       state                 high           true
15293.0  Microsoft Internet Explorer ActiveX Kill Bit CLSID                    string-tcp            informational  false
15293.1  Microsoft Internet Explorer ActiveX Kill Bit CLSID                    string-tcp            informational  false
15293.2  Microsoft Internet Explorer ActiveX Kill Bit CLSID                    string-tcp            informational  false
15293.3  Microsoft Internet Explorer ActiveX Kill Bit CLSID                    string-tcp            informational  false
15293.4  Microsoft Internet Explorer ActiveX Kill Bit CLSID                    string-tcp            informational  false
15293.5  Microsoft Internet Explorer ActiveX Kill Bit CLSID                    string-tcp            informational  false
15293.6  Microsoft Internet Explorer ActiveX Kill Bit CLSID                    string-tcp            informational  false
15293.7  Microsoft Internet Explorer ActiveX Kill Bit CLSID                    string-tcp            informational  false
15293.8  Microsoft Internet Explorer ActiveX Kill Bit CLSID                    string-tcp            informational  false
15313.0  MS SQL sp_replwritetovarbin Limited Memory Overwrite                  string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S380 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
6402.0   Samba SPOOLSS Notify Options Heap overflow                            service-smb-advanced  high           false
15113.0  Long IMAP CREATE Command                                              string-tcp            high           true
15116.0  MySQL Server Date_format Function Format String Vulnerability         string-tcp            medium         false
15253.0  Novell GroupWise Internet Agent RCPT Overflow                         state                 high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
3408.0   Telnet Client LINEMODE SLC Option Overflow                            string-tcp            high           true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S379 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
7289.0   SAP MaxDB Remote Arbitrary Commands Execution                         string-tcp            high           true
7293.0   Trend Micro OfficeScan Password Decryption Function Buffer Overflow   service-http          high           true
15153.0  libspf2 DNS TXT Record Parsing Buffer Overflow                        atomic-ip             high           true
15175.0  Microsoft Internet Explorer 7 Input Tag Denial of Service             string-tcp            high           true
15175.1  Microsoft Internet Explorer 7 Input Tag Denial of Service             string-tcp            high           true
15193.0  Waledac Trojan Activity                                               service-http          high           true
15193.1  Waledac Trojan Activity                                               service-http          high           true
15193.2  Waledac Trojan Activity                                               string-tcp            high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
3347.1   Windows ASN.1 Library Bit String Heap Corruption                      string-tcp            high           true
5505.0   RIP Trace                                                             atomic-ip             high           true
5505.1   RIP Trace                                                             atomic-ip             high           true
7295.0   libspf2 DNS TXT Record Parsing Buffer Overflow                        service-dns           high           false

CAVEATS

None.

Modified signature(s) detail:
3347-1 has been unretired and enabled; 139 has been added to service-ports.
5505-[01]: Source port has been added to the signatures to reduce false positives.
7295-0 has been retired/disabled and obsoleted by 15153-0.
=================================================================================================
S378 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
7249.0   Microsoft Help Project Files (HPJ) Buffer Overflow                    string-tcp            high           false
7284.0   Borland InterBase Service Attach Request Overflow                     string-tcp            high           true
7295.0   libspf2 DNS TXT Record Parsing Buffer Overflow                        service-dns           high           true
11203.1  IRC Channel Join                                                      fixed-tcp             medium         true
15001.0  AtTheOffice Activity                                                  string-tcp            medium         true
15016.0  DNS Query For ROOT                                                    atomic-ip             high           false

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S377 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
13491.0  Worm Activity - Brute Force                                           meta                  high           true
13492.0  Worm Activity - Brute Force                                           meta                  high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S376 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
15005.0  Microsoft Windows SMB Remote Code Execution                           string-tcp            high           true
15006.0  Microsoft Windows SMB Remote Code Execution                           service-smb-advanced  high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S375 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
5991.0   MaxDB WebDBM Buffer Overflow                                          service-http          high           true
7286.0   Citrix IMA Service Buffer Overflow                                    string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S374 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
6282.1   Malformed PICT Filter Vulnerability                                   string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S373 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
5859.0   uTorrent File Handling Buffer Overflow                                string-tcp            high           true
7306.2   Microsoft Internet Explorer XML Code Execution                        string-tcp            high           true
7306.3   Microsoft Internet Explorer XML Code Execution                        string-tcp            high           true
7307.0   MS SQL Server sp_replwritetovarbin memory overwrite                   meta                  high           true
7307.1   MS SQL Server sp_replwritetovarbin memory overwrite                   string-tcp            informational  true
7307.2   MS SQL Server sp_replwritetovarbin memory overwrite                   string-tcp            informational  true
7308.0   DLL Memory Protection Bypass                                          string-tcp            high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
7296.0   Word RTF Object Parsing Vulnerability                                 string-tcp            high           true
7430.0   Microsoft Internet Explorer Embedded Object Code Execution            string-tcp            high           true

CAVEATS

None.

Modified signature(s) detail:
7296-0: The regex has been modified to improve fidelity.
7430-0: The title of this signature has been changed to improve its accuracy.

=================================================================================================
S372 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
7306.1   Microsoft Internet Explorer XML Code Execution                        string-tcp            high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
7428.0   Microsoft Word RTF File Code Execution                                string-tcp            high           true

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S371 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
7306.0   Microsoft Internet Explorer XML Code Execution                        string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S370 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
5082.0   IE HTML Objects Memory Corruption                                     string-tcp            high           true
6226.0   Trojan.Srizbi Bot                                                     atomic-ip             high           true
6227.0   Visual Basic Charts Control Memory Corruption                         string-tcp            high           true
6295.0   LANDesk Intel QIP Service Heal Packet Buffer Overflow                 multi-string          high           true
6977.0   Wonderware Suitlink Denial Of Service                                 string-tcp            high           true
6977.1   Wonderware Suitlink Denial Of Service                                 string-tcp            high           true
7221.0   Hierarchical FlexGrid Control Memory Corruption                       meta                  high           true
7221.1   Hierarchical FlexGrid Control Memory Corruption                       string-tcp            informational  true
7221.2   Hierarchical FlexGrid Control Memory Corruption                       string-tcp            informational  true
7253.0   Novell ZENworks Desktop Management CanUninstall ActiveX Overflow      meta                  high           true
7253.1   Novell ZENworks Desktop Management CanUninstall ActiveX Overflow      string-tcp            informational  true
7265.0   GDI Integer Overflow                                                  string-tcp            high           true
7296.0   Word RTF Object Parsing Vulnerability                                 string-tcp            high           true
7297.0   MS Word Memory Corruption Vulnerability                               string-tcp            high           true
7298.0   MS Visual Basic Flexgrid Control Buffer Overflow                      meta                  high           true
7298.1   MS Visual Basic Flexgrid Control Buffer Overflow                      string-tcp            informational  true
7299.0   Microsoft Word RTF RCE                                                string-tcp            high           true
7300.0   Sharepoint Access Control Vulnerability                               service-http          high           true
7301.0   Excel Global Array Memory Corruption                                  string-tcp            high           true
7302.0   Microsoft Windows Search Remote Code Execution                        string-tcp            high           true
7303.0   Microsoft Excel File Parsing Overflow                                 string-tcp            high           true
7304.0   Microsoft Word File Parsing Overflow                                  string-tcp            high           true
7422.1   Oracle WebLogic Apache Connector Buffer Overflow                      string-tcp            high           true
7425.0   Visual Basic 6 ActiveX Runtime Overflow                               meta                  high           true
7425.1   Visual Basic 6 ActiveX Runtime Overflow                               string-tcp            informational  true
7426.0   Shell32 ActiveX Vulnerability                                         meta                  high           true
7426.1   Shell32 ActiveX Vulnerability                                         string-tcp            informational  true
7427.0   Shell32 ActiveX Vulnerability                                         meta                  high           true
7427.1   Shell32 ActiveX Vulnerability                                         string-tcp            informational  true
7428.0   Microsoft Word RTF File Code Execution                                string-tcp            high           true
7429.0   Microsoft Windows Search-ms Protocol Handler Code Execution           string-tcp            high           true
7430.0   Microsoft Internet Explorer Embedded Object Code Execution            string-tcp            high           true
7432.0   Word RTF Object Parsing Remote Code Execution                         meta                  high           true
7432.1   Word RTF Object Parsing Remote Code Execution                         string-tcp            informational  true
7432.2   Word RTF Object Parsing Remote Code Execution                         string-tcp            informational  true
7434.0   Microsoft Word Memory Corruption Vulnerability                        string-tcp            high           true
7436.0   File Format Parsing Remote Code Execution                             string-tcp            high           true
7438.0   MS DataGrid Control Memory Corruption                                 string-tcp            high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
7422.0   Oracle WebLogic Apache Connector Buffer Overflow                      service-http          high           false

CAVEATS

None.

Modified signature(s) detail:
7422-0: This signature has been obsoleted by signature 7422-1 to increase its fidelity.

=================================================================================================
S369 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
6975.0   Arbitrary File Upload In CA ARCserve                                  string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S368 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
5640.3   XML Race Condition in Internet Explorer                               string-tcp            informational  true
7232.0   CA ARCserve Backup Authentication Username Overflow                   string-tcp            high           true
7235.0   CoolPlayer m3u Playlist Stack Overflow                                string-tcp            high           true
7239.0   ChilkatHttp ActiveX Arbitrary File Overwrite                          meta                  high           true
7239.1   ChilkatHttp ActiveX Arbitrary File Overwrite                          string-tcp            informational  true
7239.2   ChilkatHttp ActiveX Arbitrary File Overwrite                          string-tcp            informational  true
7241.0   Akamai Download Manager ActiveX Control Remote Code Execution         meta                  high           true
7241.1   Akamai Download Manager ActiveX Control Remote Code Execution         string-tcp            informational  true
7241.2   Akamai Download Manager ActiveX Control Remote Code Execution         string-tcp            informational  true
7251.0   Iseemedia LPViewer ActiveX Buffer Overflows                           meta                  high           true
7251.1   Iseemedia LPViewer ActiveX Buffer Overflows                           string-tcp            informational  true
7264.0   Adobe util.printf JavaScript Stack Buffer Overflow                    meta                  high           true
7264.1   Adobe util.printf JavaScript Stack Buffer Overflow                    string-tcp            informational  true
7264.2   Adobe util.printf JavaScript Stack Buffer Overflow                    string-tcp            informational  true
7264.3   Adobe util.printf JavaScript Stack Buffer Overflow                    string-tcp            high           true
7264.4   Adobe util.printf JavaScript Stack Buffer Overflow                    string-tcp            high           true
7282.0   SecurityGateway Username Buffer Overflow                              service-http          high           true
7422.0   Oracle WebLogic Apache Connector Buffer Overflow                      service-http          high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
5474.0   SQL Query in HTTP Request                                             service-http          low            true
5575.0   NBT NetBIOS Session Service Failed Login                              service-smb-advanced  informational  true
5640.0   XML Race Condition in Internet Explorer                               meta                  high           true
5916.0   URL Handler Vulnerability                                             string-tcp            high           true
6522.0   Failed HTTP Login / HTTP 401                                          atomic-ip             medium         false
7231.0   Windows Media Encoder 9 Remote Code Execution                         meta                  high           true
7231.1   Windows Media Encoder 9 Remote Code Execution                         string-tcp            informational  true
7231.2   Windows Media Encoder 9 Remote Code Execution                         string-tcp            informational  true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S367 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
5640.0   XML Race Condition in Internet Explorer                               meta                  high           true
5640.1   XML Race Condition in Internet Explorer                               string-tcp            informational  true
5640.2   XML Race Condition in Internet Explorer                               string-tcp            informational  true
6795.0   Panda ActiveScan ActiveX Overflow                                     meta                  high           true
6795.1   Panda ActiveScan ActiveX Overflow                                     string-tcp            informational  true
6990.3   Visual Studio Msmask32.ocx ActiveX Buffer Overflow                    meta                  informational  true
6990.4   Visual Studio Msmask32.ocx ActiveX Buffer Overflow                    string-tcp            informational  true
6990.5   Visual Studio Msmask32.ocx ActiveX Buffer Overflow                    string-tcp            informational  true
7245.2   Microsoft Excel Integer Overflow                                      string-tcp            high           true
7248.0   Microsoft SQL Server 2000 Client Components ActiveX Buffer Overflow    meta                  high           true
7248.1   Microsoft SQL Server 2000 Client Components ActiveX Buffer Overflow    string-tcp            informational  true
7255.0   MSXML Chunked Request Vulnerability                                   meta                  high           true
7255.1   MSXML Chunked Request Vulnerability                                   string-tcp            informational  true
7255.2   MSXML Chunked Request Vulnerability                                   string-tcp            informational  true
7283.0   Microsoft XML Core Services RCE                                       string-tcp            high           true
7283.1   Microsoft XML Core Services RCE                                       string-tcp            high           true
7287.0   KernelBot                                                             service-http          high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
3337.0   Windows RPC Race Condition Exploitation                               service-msrpc         high           false
3550.0   POP Buffer Overflow                                                   string-tcp            high           false
3735.0   CVS Flag Insertion Overflow                                           string-tcp            high           false
3737.0   Squid Proxy NTLM Authenticate Overflow                                string-tcp            high           false
4703.0   MSSQL Resolution Service Stack Overflow                               atomic-ip             high           true
5055.0   HTTP Basic Authentication Overflow                                    service-http          high           false
5565.4   Print Spooler Service Overflow                                        service-smb-advanced  high           true
5579.0   SMB Remote Registry Access Attempt                                    service-smb-advanced  informational  true
5586.0   Windows Locator Service Overflow                                      service-smb-advanced  high           true
5588.0   Windows DCOM Overflow                                                 service-smb-advanced  high           true
5588.1   Windows DCOM Overflow                                                 service-smb-advanced  high           true
5591.0   SMB: Windows Share Enumeration                                        service-smb-advanced  informational  true
5592.0   SMB: RFPoison Attack                                                  service-smb-advanced  high           true
5598.0   Windows Workstation Service Overflow                                  service-smb-advanced  high           true
5598.1   Windows Workstation Service Overflow                                  service-smb-advanced  high           true
5601.1   Windows LSASS RPC Overflow                                            service-smb-advanced  high           true
5637.0   Internet Explorer FTP Download Path Traversal                         string-tcp            high           false
5717.0   Ipswitch SMTP Format String                                           string-tcp            high           false
5846.0   FTP 230 Reply Code                                                    string-tcp            informational  false
5847.0   FTP Successful Privileged Login                                       meta                  low            false
5847.1   FTP Successful Privileged Login                                       meta                  low            false
5858.5   DNS Server RPC Interface Buffer Overflow                              service-smb-advanced  high           true
5860.0   IOS FTPd Successful Login                                             meta                  low            false
6005.0   Unencrypted SSL Traffic                                               service-http          low            false
6055.0   DNS Inverse Query Buffer Overflow                                     service-dns           high           false
6131.10  Microsoft Plug and Play Overflow                                      service-smb-advanced  high           true
6131.11  Microsoft Plug and Play Overflow                                      service-smb-advanced  high           true
6253.0   POP3 Authorization Failure                                            string-tcp            informational  false
6769.0   Netware LSASS CIFS.NLM Driver Overflow                                service-smb-advanced  high           true
6946.0   Web Client Remote Code Execution Vulnerability                        service-smb-advanced  high           true
6990.0   Visual Studio Msmask32.ocx ActiveX Buffer Overflow                    meta                  high           true
7280.0   Windows Server Service Remote Code Execution                          service-smb-advanced  high           true
7280.1   Windows Server Service Remote Code Execution                          service-smb-advanced  high           true
11020.1  BitTorrent Client Activity                                            service-p2p           low            true
11245.3  IRC Server Connection                                                 fixed-tcp             medium         true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S366 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
4500.0   Cisco IOS Embedded SNMP Community Names                               service-snmp          high           false
4500.1   Cisco IOS Embedded SNMP Community Names                               service-snmp          high           false
5123.2   WWW IIS Internet Printing Overflow                                    service-http          high           false
5442.0   Cursor/Icon File Format Buffer Overflow                               string-tcp            high           false
6250.0   FTP Authorization Failure                                             string-tcp            informational  false
6979.0   BEA WebLogic Server Apache Connector HTTP Version String BO           string-tcp            high           false
6996.0   GDI+ BMP Integer Overflow                                             string-tcp            high           false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S365 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
1317.0   Zero Window Probe                                                     normalizer            informational  true
1400.0   GRE Over IPv6 Encapsulation                                           atomic-ip-advanced    informational  false
1401.0   IPIP Encapsulation                                                    atomic-ip-advanced    informational  false
1402.0   MPLS Over IPv6 Encapsulation                                          atomic-ip-advanced    informational  false
1403.0   IPv4 Over IPv6 Encapsulation                                          atomic-ip-advanced    informational  false
1405.0   Teredo Destination IP Address                                         atomic-ip-advanced    informational  false
1406.0   Teredo Source Port                                                    atomic-ip-advanced    medium         false
1407.0   Teredo Destination Port                                               atomic-ip-advanced    informational  false
1408.0   Teredo Data Packet                                                    atomic-ip-advanced    informational  false
1409.0   GRE Tunnel Detected                                                   atomic-ip-advanced    informational  false
1410.0   IPv6 Over MPLS Tunnel                                                 atomic-ip-advanced    informational  false
1610.0   ICMPv6 Echo Request                                                   atomic-ip-advanced    informational  false
1611.0   ICMPv6 Echo Reply                                                     atomic-ip-advanced    informational  false
1612.0   ICMPv6 Destination Unreachable                                        atomic-ip-advanced    informational  false
1613.0   ICMPv6 Packet Too Big Message                                         atomic-ip-advanced    informational  false
1614.0   ICMPv6 Time Exceeded Message                                          atomic-ip-advanced    informational  false
1615.0   ICMPv6 Parameter Problem Message                                      atomic-ip-advanced    informational  false
1616.0   ICMPv6 Group Membership Query                                         atomic-ip-advanced    informational  false
1617.0   ICMPv6 Group Membership Report                                        atomic-ip-advanced    informational  false
1618.0   ICMPv6 Membership Reduction                                           atomic-ip-advanced    informational  true
1619.0   ICMPv6 Router Solicitation                                            atomic-ip-advanced    informational  false
1620.0   ICMPv6 Router Advertisement                                           atomic-ip-advanced    informational  false
1621.0   ICMPv6 Neighbor Solicitation                                          atomic-ip-advanced    informational  false
1622.0   ICMPv6 Neighbor Advertisement                                         atomic-ip-advanced    informational  false
1623.0   ICMPv6 Redirect                                                       atomic-ip-advanced    informational  false
1624.0   ICMPv6 Router Renumbering                                             atomic-ip-advanced    informational  false
1625.0   ICMPv6 Membership Report V2                                           atomic-ip-advanced    informational  false
1626.0   Large ICMPV6 Traffic                                                  atomic-ip-advanced    informational  false
1627.0   Fragmented ICMPv6 Traffic                                             atomic-ip-advanced    informational  false
1628.0   ICMPv6 Traffic over IPv4                                              atomic-ip-advanced    medium         true
1629.0   ICMP Traffic over IPv6                                                atomic-ip-advanced    medium         true
1630.0   ICMPv6 Packet Too Big                                                 atomic-ip-advanced    medium         true
1700.0   IPv6 Hop-by-Hop Options Present                                       atomic-ip-advanced    informational  false
1701.0   IPv6 Destination Options Header Present                               atomic-ip-advanced    informational  false
1702.0   IPv6 Routing Header Present                                           atomic-ip-advanced    informational  false
1703.0   IPv6 Fragmented Traffic                                               atomic-ip-advanced    informational  false
1704.0   IPv6 Authentication Header Present                                    atomic-ip-advanced    informational  false
1705.0   IPv6 ESP Header Present                                               atomic-ip-advanced    informational  false
1706.0   Invalid IPv6 Header Traffic Class Field                               atomic-ip-advanced    informational  false
1707.0   Invalid IPv6 Header Flow Label Field                                  atomic-ip-advanced    informational  false
1708.0   IPv6 Header Contains An Invalid Address                               atomic-ip-advanced    informational  false
1710.0   IPv6 Extensions Headers Out Of Order                                  atomic-ip-advanced    low            true
1711.0   Duplicate IPv6 Extension Headers                                      atomic-ip-advanced    low            true
1712.0   IPv6 Packet Contains Duplicate Src And Dst Address                    atomic-ip-advanced    high           true
1713.0   IPv6 Header Contains Multicast Source Address                         atomic-ip-advanced    high           true
1714.0   IPv6 Address Set To localhost                                         atomic-ip-advanced    high           true
1716.0   IPv6 Options Padding Too Long                                         atomic-ip-advanced    low            true
1717.0   Back To Back Padding Options                                          atomic-ip-advanced    low            true
1718.0   IPv6 Option Data Too Short                                            atomic-ip-advanced    low            true
1719.0   IPv6 Endpoint Identification Option Set                               atomic-ip-advanced    informational  false
1720.0   IPv6 Jumbo Payload Option Set                                         atomic-ip-advanced    informational  true
1721.0   IPv6 Router Alert Option Set                                          atomic-ip-advanced    informational  false
1722.0   IPv6 Tunnel Encapsulation Limit Option Set                            atomic-ip-advanced    medium         true
1723.0   IPv6 Packet Contains Unassigned Options                               atomic-ip-advanced    medium         true
1724.0   IPv6 Endpoint Identification Option Set                               atomic-ip-advanced    informational  false
1725.0   IPv6 Tunnel Encapsulation Limit Option Set                            atomic-ip-advanced    informational  false
1726.0   IPv6 Invalid Option Set                                               atomic-ip-advanced    medium         true
1727.0   IPv6 Router Alert Option Set                                          atomic-ip-advanced    medium         true
1728.0   IPv6 Routing Header Type 0                                            atomic-ip-advanced    informational  true
1730.0   IPv6 Type 1 Routing Header                                            atomic-ip-advanced    informational  true
1731.0   IPv6 Type 2 Routing Header                                            atomic-ip-advanced    informational  false
1732.0   IPv6 Routing Header Type Unknown Type                                 atomic-ip-advanced    medium         true
1733.0   Invalid IPv6 Routing Header Length                                    atomic-ip-advanced    high           true
1734.0   IPv6 Routing Header Incomplete                                        atomic-ip-advanced    high           true
1735.0   IPv6 Routing Header Contains Invalid IP Address                       atomic-ip-advanced    high           true
1736.0   IPv6 Routing Header Contains A Loop                                   atomic-ip-advanced    high           true
1737.0   IPv6 Routing Header Reserved Bits Set                                 atomic-ip-advanced    medium         false
1738.0   IPv6 Unnecessary Fragment Header                                      atomic-ip-advanced    informational  true
1739.0   IPv6 Illegal Fragmentation                                            atomic-ip-advanced    high           true
1740.0   Small IPv6 Fragments                                                  atomic-ip-advanced    informational  true
1741.0   IPv6 Fragment Header Reserved Bits Set                                atomic-ip-advanced    low            false

TUNED SIGNATURES

SIGID    SIGNAME                                                               ENGINE                SEVERITY       ENABLED
1007.0   IPv6 over IPv4 or IPv6                                                atomic-ip             informational  false
1304.0   TCP Session Packet Queue Overflow                                     normalizer            informational  true
5565.4   Print Spooler Service Overflow                                        service-smb-advanced  high           true
5579.0   SMB Remote Registry Access Attempt                                    service-smb-advanced  informational  true
5579.1   SMB Remote Registry Access Attempt                                    service-smb-advanced  medium         true
5583.0   SMB Remote SAM Service Access Attempt                                 service-smb-advanced  informational  true
5586.0   Windows Locator Service Overflow                                      service-smb-advanced  high           true
5588.0   Windows DCOM Overflow                                                 service-smb-advanced  high           true
5588.1   Windows DCOM Overflow                                                 service-smb-advanced  high           true
5590.0   SMB: User Enumeration                                                 service-smb-advanced  informational  true
5590.1   SMB: User Enumeration                                                 service-smb-advanced  informational  true
5591.0   SMB: Windows Share Enumeration                                        service-smb-advanced  informational  true
5591.1   SMB: Windows Share Enumeration                                        service-smb-advanced  informational  true
5592.0   SMB: RFPoison Attack                                                  service-smb-advanced  high           true
5598.0   Windows Workstation Service Overflow                                  service-smb-advanced  high           true
5598.1   Windows Workstation Service Overflow                                  service-smb-advanced  high           true
5600.0   Windows ASN.1 Bit String NTLMv2 Integer Overflow                      service-smb-advanced  high           true
5601.1   Windows LSASS RPC Overflow                                            service-smb-advanced  high           true
5858.5   DNS Server RPC Interface Buffer Overflow                              service-smb-advanced  high           true
6131.10  Microsoft Plug and Play Overflow                                      service-smb-advanced  high           true
6131.11  Microsoft Plug and Play Overflow                                      service-smb-advanced  high           true
6769.0   Netware LSASS CIFS.NLM Driver                                         service-smb-advanced  high           true
Overflow vanced 6946.0 Web Client Remote Code service-smb-ad high true Execution Vulnerability vanced 7280.0 Windows Server Service service-smb-ad high true Remote Code Execution vanced 7280.1 Windows Server Service service-smb-ad high true Remote Code Execution vanced CAVEATS None. Modified signature(s) detail: None. ================================================================================================= S364 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 7280.1 Windows Server Service service-smb-ad high true Remote Code Execution vanced 7280.1 Windows Server Service service-smb-ad high true Remote Code Execution vanced TUNED SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 7280.0 Windows Server Service service-smb-ad high true Remote Code Execution vanced 7280.0 Windows Server Service service-smb-ad high true Remote Code Execution vanced CAVEATS None. Modified signature(s) detail: None. ================================================================================================= S363 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 7280.0 Windows Server Service service-smb-ad high true Remote Code Execution vanced 7280.0 Windows Server Service service-smb-ad high true Remote Code Execution vanced TUNED SIGNATURES There are no tuned signatures for this release. CAVEATS None. Modified signature(s) detail: None. 
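The atomic-ip-advanced signatures 1700 through 1741 listed above are named for specific IPv6 header-chain conditions (extension headers out of order or duplicated, duplicate source and destination, multicast source, localhost address, routing header type 0, routing header incomplete or containing a loop). The following is an added example written for this page, not Cisco code and not the sensor's matching logic, which is not published here: it walks an IPv6 extension-header chain and reports a subset of those conditions, using the signature IDs only as labels for its findings. The header order it enforces is the recommended order of RFC 2460 section 4.1; the sample packets are constructed inline.

```python
"""Added example (not Cisco code): an IPv6 header-chain checker for a subset of the
conditions the atomic-ip-advanced signatures 1710-1714, 1728, 1734 and 1736 name."""
import ipaddress
import struct

HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, NONEXT = 0, 43, 44, 50, 51, 60, 59
# RFC 2460 section 4.1 recommended order; Destination Options may appear twice.
RECOMMENDED_ORDER = [HOPOPT, DSTOPTS, ROUTING, FRAGMENT, AH, ESP, DSTOPTS]


def parse_ipv6(pkt):
    """Return (src, dst, chain), chain = [(header_number, raw_bytes), ...].
    Walking stops at ESP (opaque payload) or the first upper-layer header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr = pkt[6]
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    chain, off = [], 40
    while next_hdr in (HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS):
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        ext_len = pkt[off + 1]
        if next_hdr == FRAGMENT:
            size = 8                  # fixed size, byte 1 is reserved
        elif next_hdr == AH:
            size = (ext_len + 2) * 4  # AH length is in 32-bit words minus 2
        else:
            size = (ext_len + 1) * 8  # HBH, DestOpts, Routing: 8-octet units
        if off + size > len(pkt):
            raise ValueError("extension header runs past end of packet")
        chain.append((next_hdr, pkt[off:off + size]))
        next_hdr, off = pkt[off], off + size
    return src, dst, chain


def check_ipv6(pkt):
    """Return a sorted list of (sigid, description) for the conditions found."""
    src, dst, chain = parse_ipv6(pkt)
    found = set()
    if src == dst:
        found.add((1712, "duplicate src and dst address"))
    if src.is_multicast:
        found.add((1713, "multicast source address"))
    if src.is_loopback or dst.is_loopback:
        found.add((1714, "address set to localhost"))
    types = [t for t, _ in chain]
    for t in set(types):
        if types.count(t) > (2 if t == DSTOPTS else 1):
            found.add((1711, "duplicate extension header %d" % t))
    order = iter(RECOMMENDED_ORDER)          # subsequence test: each `in` consumes
    if not all(t in order for t in types):   # the iterator up to the match
        found.add((1710, "extension headers out of order"))
    for t, raw in chain:
        if t == ROUTING and raw[2] == 0:     # type 0, deprecated by RFC 5095
            found.add((1728, "routing header type 0"))
            ext_len, seg_left = raw[1], raw[3]
            addrs = [ipaddress.IPv6Address(raw[8 + 16 * i:24 + 16 * i])
                     for i in range(ext_len // 2)]
            if seg_left > len(addrs):
                found.add((1734, "routing header incomplete"))
            hops = addrs + [dst]             # the final hop is the IPv6 dst
            if len(set(hops)) != len(hops):
                found.add((1736, "routing header contains a loop"))
    return sorted(found)


# Constructed sample packets (not captures). exts is a list of (header_number,
# body after the Next Header byte); build_ipv6 chains the Next Header fields.
def build_ipv6(src, dst, exts, upper=NONEXT):
    body = b""
    for i, (t, payload) in enumerate(exts):
        nxt = exts[i + 1][0] if i + 1 < len(exts) else upper
        body += bytes([nxt]) + payload
    first = exts[0][0] if exts else upper
    fixed = struct.pack("!IHBB", 6 << 28, len(body), first, 64)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body


PADN = bytes([0, 1, 4, 0, 0, 0, 0])  # HdrExtLen=0 plus one PadN(4) option
FRAG = b"\x00" * 7                   # reserved, offset/flags, identification


def rh0(addrs):
    # Type 0 routing header body: HdrExtLen, type 0, Segments Left, reserved, hops
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return bytes([2 * len(addrs), 0, len(addrs)]) + b"\x00" * 4 + packed


SAMPLES = {
    "clean": build_ipv6("2001:db8::1", "2001:db8::2",
                        [(HOPOPT, PADN), (DSTOPTS, PADN), (FRAGMENT, FRAG)]),
    "disordered": build_ipv6("2001:db8::1", "2001:db8::2",
                             [(FRAGMENT, FRAG), (HOPOPT, PADN), (HOPOPT, PADN)]),
    "rh0_loop": build_ipv6("ff02::1", "2001:db8::2",
                           [(ROUTING, rh0(["2001:db8::3", "2001:db8::2"]))]),
    "loopback": build_ipv6("::1", "::1", []),
}


def demo():
    """Map each constructed sample to the signature IDs it triggers."""
    return {n: [sid for sid, _ in check_ipv6(p)] for n, p in SAMPLES.items()}
```

demo() returns [] for the clean packet, [1710, 1711] for the packet with a Fragment header ahead of two Hop-by-Hop headers, [1713, 1728, 1736] for the type 0 routing header whose hop list repeats the destination, and [1712, 1714] for the ::1 to ::1 packet. The checker stops at ESP because nothing after it can be inspected, which is also why the sensor keys a separate informational signature (1705) on the mere presence of that header.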
=================================================================================================
S362 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
7261.0   IPP Service Integer Overflow Exploit                              string-tcp            high           true
7262.0   Active Directory Overflow Exploit                                 string-tcp            high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5683.0   Vista Feed Headlines Gadget Remote Code Execution                 meta                  high           false
5683.1   Vista Feed Headlines Gadget Remote Code Execution                 string-tcp            informational  false
5683.2   Vista Feed Headlines Gadget Remote Code Execution                 string-tcp            informational  false
5930.5   Generic SQL Injection                                             service-http          high           true
5930.18  Generic SQL Injection                                             service-http          high           true
6962.0   Cisco Unity DOS                                                   atomic-ip             medium         false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S361 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5404.0   Internet Explorer Uninitialized Memory Corruption                 string-tcp            high           true
5925.0   Internet Explorer HTML Object Memory Corruption                   string-tcp            high           true
5930.8   Generic SQL Injection                                             service-http          high           true
5930.9   Generic SQL Injection                                             service-http          high           true
5930.10  Generic SQL Injection                                             service-http          high           true
5930.11  Generic SQL Injection                                             service-http          high           false
5930.12  Generic SQL Injection                                             service-http          high           true
5930.13  Generic SQL Injection                                             service-http          high           true
5930.14  Generic SQL Injection                                             service-http          high           true
5930.15  Generic SQL Injection                                             service-http          high           true
5930.16  Generic SQL Injection                                             service-http          high           true
5930.17  Generic SQL Injection                                             service-http          high           true
5930.18  Generic SQL Injection                                             service-http          high           true
5930.19  Generic SQL Injection                                             service-http          high           true
5930.20  Generic SQL Injection                                             service-http          high           true
7244.0   Microsoft Excel Buffer Overflow                                   string-tcp            high           true
7245.0   Microsoft Excel Integer Overflow                                  string-tcp            high           true
7245.1   Microsoft Excel Integer Overflow                                  string-tcp            high           true
7246.0   Microsoft Excel Spreadsheet Buffer Overflow                       string-tcp            high           true
7247.0   Window Location Property Cross Domain Information Disclosure      string-tcp            high           true
7257.0   Microsoft Internet Explorer Cross Domain Information Disclosure   string-tcp            high           true
7258.0   SMB Remote Code Execution                                         string-tcp            high           true
7259.0   Microsoft Message Queing Remote Code Execution                    service-msrpc         high           true
7270.0   Host Integration Server Remote Code Execution                     service-msrpc         informational  true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6930.2   Office Web Components URL Parsing Vulnerability                   string-tcp            informational  true
6981.0   Microsoft PowerPoint Memory Allocation Exploit                    meta                  high           false
6981.1   Microsoft PowerPoint Memory Allocation Exploit                    string-tcp            informational  false
6981.2   Microsoft PowerPoint Memory Allocation Exploit                    string-tcp            informational  false
6981.3   Microsoft PowerPoint Memory Allocation Exploit                    meta                  informational  false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S360 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5886.0   Sun Java Socks Proxy Overflow                                     string-tcp            high           true
5894.2   Storm Worm                                                        fixed-udp             high           true
6070.0   Windows Media Format Remote Code Execution                        meta                  high           true
6070.1   Windows Media Format Remote Code Execution                        string-tcp            informational  true
6070.2   Windows Media Format Remote Code Execution                        string-tcp            informational  true
6070.3   Windows Media Format Remote Code Execution                        string-tcp            informational  true
6070.4   Windows Media Format Remote Code Execution                        meta                  high           true
6070.5   Windows Media Format Remote Code Execution                        string-tcp            informational  true
6070.6   Windows Media Format Remote Code Execution                        meta                  high           true
6070.7   Windows Media Format Remote Code Execution                        string-tcp            informational  true
6962.0   Cisco Unity DOS                                                   atomic-ip             medium         true
6970.0   DirectShow SAMI Parsing Remote Code Execution                     meta                  high           true
6970.1   DirectShow SAMI Parsing Remote Code Execution                     string-tcp            informational  true
6970.2   DirectShow SAMI Parsing Remote Code Execution                     meta                  high           true
6970.3   DirectShow SAMI Parsing Remote Code Execution                     string-tcp            informational  true
6970.4   DirectShow SAMI Parsing Remote Code Execution                     string-tcp            informational  true
6971.0   Generic Exploit Component                                         string-tcp            informational  true
9584.0   Backdoor Stumbler                                                 atomic-ip             high           false

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5894.1   Storm Worm                                                        atomic-ip             high           false
5899.0   MSN Messenger Webcam Buffer Overflow                              atomic-ip             high           false
5930.0   Generic SQL Injection                                             service-http          high           true
5930.1   Generic SQL Injection                                             service-http          high           true
5930.2   Generic SQL Injection                                             service-http          high           true
5930.3   Generic SQL Injection                                             service-http          high           true
5930.4   Generic SQL Injection                                             service-http          high           true
5930.5   Generic SQL Injection                                             service-http          high           true
5930.6   Generic SQL Injection                                             service-http          high           true
5930.7   Generic SQL Injection                                             service-http          high           false
6017.0   DirectShow SAMI Parsing Remote Code Execution                     meta                  high           false
6017.1   DirectShow SAMI Parsing Remote Code Execution                     string-tcp            informational  false
6017.2   DirectShow SAMI Parsing Remote Code Execution                     string-tcp            informational  false
6017.3   DirectShow SAMI Parsing Remote Code Execution                     meta                  high           false
6017.4   DirectShow SAMI Parsing Remote Code Execution                     string-tcp            informational  false
6017.5   DirectShow SAMI Parsing Remote Code Execution                     string-tcp            informational  false
6069.0   Windows Media Format Remote Code Execution                        meta                  high           false
6069.1   Windows Media Format Remote Code Execution                        string-tcp            informational  false
6069.2   Windows Media Format Remote Code Execution                        string-tcp            informational  false
6069.3   Windows Media Format Remote Code Execution                        string-tcp            informational  false
6069.4   Windows Media Format Remote Code Execution                        meta                  high           false
6069.5   Windows Media Format Remote Code Execution                        string-tcp            informational  false
6069.6   Windows Media Format Remote Code Execution                        meta                  high           false
6069.7   Windows Media Format Remote Code Execution                        string-tcp            informational  false
6069.8   Windows Media Format Remote Code Execution                        string-tcp            informational  false
6545.0   WINS Local Privilege Escalation                                   atomic-ip             low            true
7212.0   Web Application Security Test/Attack                              service-http          high           true

CAVEATS

None.

Modified signature(s) detail: None.
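A signature's state in these notes is only meaningful once every release is applied in order. 6962.0 Cisco Unity DOS, for example, is listed above as new and enabled in S360 and as tuned and disabled in S362, and 5930.7 Generic SQL Injection is introduced disabled in S358 and left disabled by the S360 tuning; because this document lists releases newest first, reading the tables in page order gives the wrong final state. The following is an added example written for this page, not a Cisco tool: it parses rows in the SIGID/SIGNAME/ENGINE/SEVERITY/ENABLED layout, replays them oldest-first, and reports signatures whose enabled flag a later release flipped. The input is a constructed excerpt assembled from rows that appear on this page, and the replay of newest-first order is included only to show the pitfall.

```python
"""Added example (not Cisco tooling): replay the per-release signature tables in
these notes oldest-first to recover each signature's final state."""
import re

RELEASE_RE = re.compile(r"^S(\d+) SIGNATURE UPDATE DETAILS")
SEVERITIES = {"informational", "low", "medium", "high"}

# Constructed excerpt: rows copied from this page, releases in page (newest-first) order.
SAMPLE_NOTES = """\
S362 SIGNATURE UPDATE DETAILS
NEW SIGNATURES
SIGID    SIGNAME                               ENGINE        SEVERITY   ENABLED
7261.0   IPP Service Integer Overflow Exploit  string-tcp    high       true
TUNED SIGNATURES
5930.5   Generic SQL Injection                 service-http  high       true
6962.0   Cisco Unity DOS                       atomic-ip     medium     false
CAVEATS
None.
S360 SIGNATURE UPDATE DETAILS
NEW SIGNATURES
6962.0   Cisco Unity DOS                       atomic-ip     medium     true
TUNED SIGNATURES
5930.7   Generic SQL Injection                 service-http  high       false
S358 SIGNATURE UPDATE DETAILS
NEW SIGNATURES
5930.7   Generic SQL Injection                 service-http  high       false
TUNED SIGNATURES
There are no tuned signatures for this release.
"""


def parse_notes(text):
    """Yield (release, kind, sigid, name, engine, severity, enabled) per table row.
    A row starts with N.N and ends with '<engine> <severity> <true|false>', so the
    variable-length signature name is whatever sits between those anchors."""
    release, kind = None, None
    for line in text.splitlines():
        m = RELEASE_RE.match(line)
        if m:
            release = int(m.group(1))
            continue
        if line.startswith("NEW SIGNATURES"):
            kind = "new"
            continue
        if line.startswith("TUNED SIGNATURES"):
            kind = "tuned"
            continue
        tok = line.split()
        if (len(tok) >= 5 and re.fullmatch(r"\d+\.\d+", tok[0])
                and tok[-2] in SEVERITIES and tok[-1] in ("true", "false")):
            yield (release, kind, tok[0], " ".join(tok[1:-3]),
                   tok[-3], tok[-2], tok[-1] == "true")


def replay(text, chronological=True):
    """Apply rows release by release and return {sigid: state}. With
    chronological=False the rows are applied in page order, which is wrong for
    these notes because they list the newest release first."""
    rows = list(parse_notes(text))
    if chronological:
        rows.sort(key=lambda r: r[0])        # stable: keeps row order within a release
    state = {}
    for release, kind, sigid, name, engine, sev, enabled in rows:
        entry = state.setdefault(sigid, {"history": []})
        entry.update(name=name, engine=engine, severity=sev, enabled=enabled)
        entry["history"].append((release, kind, sev, enabled))
    return state


def enabled_flips(state):
    """Signature IDs whose enabled flag differs between releases."""
    return sorted(s for s, e in state.items()
                  if len({h[3] for h in e["history"]}) > 1)
```

On the excerpt, replay() leaves 6962.0 disabled with history [(360, "new", "medium", True), (362, "tuned", "medium", False)], enabled_flips() returns ["6962.0"] only (5930.7 was never enabled, so it is not a flip), and replay(..., chronological=False) wrongly reports 6962.0 as enabled. The same parser applies unchanged to the full S339-S407 tables once they are one row per line.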
=================================================================================================
S359 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6296.0   IBM Lotus Sametime Server Multiplexer Stack Buffer Overflow       service-http          high           true
6981.2   Microsoft PowerPoint Memory Allocation Exploit                    string-tcp            informational  true
6981.3   Microsoft PowerPoint Memory Allocation Exploit                    meta                  informational  true
7266.0   TWiki Remote Command Execution                                    service-http          high           true
7274.0   FlashGet FTP PWD Buffer Overflow                                  string-tcp            high           true
7278.0   Quicktime/Itunes Heap Overflow                                    string-tcp            high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5477.2   Possible Heap Payload Construction                                string-tcp            informational  true
5585.0   SMB Suspicious Password Usage                                     service-smb-advanced  medium         false
5597.0   SMB MSRPC Messenger Overflow                                      service-smb-advanced  high           true
5602.0   Windows System32 Directory File Access                            service-smb-advanced  medium         true
5603.0   MSRPC Protocol violation                                          service-smb-advanced  medium         false
5888.0   TLBINF32.DLL COM Object Instantiation                             string-tcp            high           true
5892.0   Motive Communications ActiveUtils Buffer Overflow                 string-tcp            high           true
6187.0   CallManager TCP Connection DoS                                    atomic-ip             medium         true
6981.0   Microsoft PowerPoint Memory Allocation Exploit                    meta                  high           true
6981.1   Microsoft PowerPoint Memory Allocation Exploit                    string-tcp            informational  true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S358 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5930.7   Generic SQL Injection                                             service-http          high           false
6989.0   IOSFW HTTP Inspection Vulnerability                               service-http          high           true
6999.0   Cisco PIM Multicast Denial of Service Attack                      atomic-ip             medium         true
7269.0   Trend Micro OfficeScan Server Overflow                            service-http          high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5126.0   WWW IIS .ida Indexing Service Overflow                            service-http          high           true
5732.0   Web Client Remote Code Execution Vulnerability                    meta                  high           false
5732.1   Web Client Remote Code Execution Vulnerability                    string-tcp            informational  false
5732.2   Web Client Remote Code Execution Vulnerability                    string-tcp            medium         false
6994.0   Cisco Secure ACS EAP Overflow                                     service-generic       high           true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S357 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6789.0   Winamp Ultravox Stream Title Stack Overflow                       string-tcp            high           true
7277.0   Microsoft Windows SMB WRITE_ANDX Memory Corruption                multi-string          high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5440.0   IRC Bot Activity                                                  string-tcp            low            true
5561.0   Windows SMTP Overflow                                             meta                  high           false
5561.1   Windows SMTP Overflow                                             service-dns           informational  false
5561.2   Windows SMTP Overflow                                             string-tcp            medium         false
5915.0   Microsoft FoxPro ActiveX Vulnerability                            string-tcp            high           true
6235.0   Apple Quicktime SMIL Overflow                                     string-tcp            high           true
6249.0   Visual Studio 6 ActiveX Exploit                                   string-tcp            high           true
6785.2   Microsoft Visual Basic VBP File Processing Buffer Overflow        string-tcp            informational  true
6935.0   CVE-2008-1086 ActiveX Killbit Update                              string-tcp            high           true
7217.0   Yahoo Toolbar ActiveX Buffer Overflow                             meta                  high           true
7217.1   Yahoo Toolbar ActiveX Buffer Overflow                             string-tcp            low            true
7217.2   Yahoo Toolbar ActiveX Buffer Overflow                             string-tcp            informational  true
7273.0   Ipswitch FTP Client Format String                                 string-tcp            high           true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S356 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
7217.0   Yahoo Toolbar ActiveX Buffer Overflow                             meta                  high           true
7217.1   Yahoo Toolbar ActiveX Buffer Overflow                             string-tcp            low            true
7217.2   Yahoo Toolbar ActiveX Buffer Overflow                             string-tcp            informational  true
7234.0   CitectSCADA ODBC Service Buffer Overflow                          string-tcp            high           true
7273.0   Ipswitch FTP Client Format String                                 string-tcp            high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
3651.0   SSH CRC32 Overflow                                                service-ssh           high           false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S355 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5986.0   Microsoft GDI+ GIF Parsing Vulnerability                          string-tcp            high           true
6972.0   Rosoft Media Player Overflow                                      string-tcp            high           true
6990.0   Visual Studio Msmask32.ocx ActiveX Buffer Overflow                meta                  high           true
6990.1   Visual Studio Msmask32.ocx ActiveX Buffer Overflow                string-tcp            informational  true
6990.2   Visual Studio Msmask32.ocx ActiveX Buffer Overflow                string-tcp            informational  true
6991.0   Symantec Veritas Storage Foundation Null Session                  multi-string          high           true
6994.0   Cisco Secure ACS EAP Overflow                                     service-generic       high           true
6995.0   GDI EMF Memory Corruption Vulnerability                           string-tcp            high           true
6996.0   GDI+ BMP Integer Overflow                                         string-tcp            high           true
6997.0   OneNote Uniform Resource Locator Validation Error Vulnerability   string-tcp            high           true
6998.0   Microsoft GDI+ WMF Buffer Overrun Exploit                         string-tcp            high           true
7231.0   Windows Media Encoder 9 Remote Code Execution                     meta                  high           true
7231.1   Windows Media Encoder 9 Remote Code Execution                     string-tcp            informational  true
7231.2   Windows Media Encoder 9 Remote Code Execution                     string-tcp            informational  true
7271.0   GDI+ VML Buffer Overrun Vulnerability                             string-tcp            high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5114.0   WWW IIS Unicode Attack                                            service-http          high           true
5114.1   WWW IIS Unicode Attack                                            service-http          high           true
5114.2   WWW IIS Unicode Attack                                            service-http          high           true
5114.3   WWW IIS Unicode Attack                                            service-http          high           true
5114.4   WWW IIS Unicode Attack                                            service-http          high           true
5114.5   WWW IIS Unicode Attack                                            service-http          high           true
5114.6   WWW IIS Unicode Attack                                            service-http          high           true
5114.7   WWW IIS Unicode Attack                                            service-http          high           true
5114.8   WWW IIS Unicode Attack                                            service-http          high           true
5126.0   WWW IIS .ida Indexing Service Overflow                            service-http          high           true
5726.0   Active Directory Failed Login                                     multi-string          medium         false
5726.1   Active Directory Failed Login                                     multi-string          medium         false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S354 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
7212.0   Web Application Security Test/Attack                              service-http          high           true
7212.1   Web Application Security Test/Attack                              service-http          high           true
7220.0   Pidgin MSN Overflow                                               string-tcp            high           true
7222.0   Joomla 1.5 Password Token Bypass                                  service-http          high           true
7275.0   Linux Kernel DCCP dccp_setsockopt_change Integer Overflow         service-generic       high           true
7415.0   OpenLDAP BER Decoding DoS                                         string-tcp            high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
2152.0   ICMP Flood                                                        flood-host            medium         false
2157.1   ICMP Hard Error DoS                                               atomic-ip             medium         false
3102.0   Sendmail Invalid Sender                                           state                 medium         false
3109.0   Long SMTP Command                                                 state                 medium         false
3109.1   Long SMTP Command                                                 state                 medium         false
4055.2   B02K-UDP                                                          trojan-udp            high           false
5477.2   Possible Heap Payload Construction                                string-tcp            high           true
5726.0   Active Directory Failed Login                                     multi-string          medium         false
5726.1   Active Directory Failed Login                                     multi-string          medium         false
5807.0   Indexing Service Cross Site Scripting Vulnerability               service-http          high           true
6066.0   DNS Tunneling                                                     service-dns           medium         false
6408.0   IE DHTML Memory Corruption                                        meta                  high           false
6408.1   IE DHTML Memory Corruption                                        string-tcp            informational  false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S353 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5930.6   Generic SQL Injection                                             service-http          high           true
7213.0   Poppler Uninitialized Pointer                                     string-tcp            high           true
7216.0   Skype Skype4COM: Heap Corruption                                  string-tcp            high           true
7218.0   Lotus Notes Applix Graphics Overflow                              state                 high           true
7225.0   Adobe Flash Clipboard Hijack                                      string-tcp            high           true
7226.0   Version Agnostic IOS Shellcode                                    fixed-tcp             high           true
7226.1   Version Agnostic IOS Shellcode                                    fixed-udp             high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5905.1   Microsoft Internet Explorer Address Bar Spoof                     string-tcp            low            true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S352 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6988.0   WebEx Meeting Manager ActiveX Overflow                            meta                  high           true
6988.1   WebEx Meeting Manager ActiveX Overflow                            string-tcp            informational  true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S351 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5940.0   HTML Objects Memory Corruption Vulnerability                      string-tcp            high           true
6280.0   Messenger Information Disclosure Vulnerability                    string-tcp            low            false
6281.0   Malformed EPS Filter Vulnerability                                string-tcp            high           true
6282.0   Malformed PICT Filter Vulnerability                               string-tcp            high           true
6283.0   Malformed BMP Filter Vulnerability                                string-tcp            high           true
6932.0   HTML Objects Uninitialized Memory Corruption Vulnerability        string-tcp            high           true
6938.0   Microsoft IE Argument Handling Memory Corruption Exploit          string-tcp            high           true
6976.0   Microsoft Powerpoint 2003 Viewer Buffer Overflow                  string-tcp            high           true
6978.0   PowerPoint Parsing Overflow                                       string-tcp            high           true
6981.0   Microsoft PowerPoint Memory Allocation Exploit                    meta                  high           true
6981.1   Microsoft PowerPoint Memory Allocation Exploit                    string-tcp            informational  true
6983.0   Microsoft PICT Filter Parsing Exploit                             string-tcp            high           true
6984.0   Windows Image Color Management System RCE                         meta                  high           true
6984.1   Windows Image Color Management System RCE                         string-tcp            informational  true
6984.2   Windows Image Color Management System RCE                         string-tcp            informational  true
6984.3   Windows Image Color Management System RCE                         meta                  informational  true
6985.0   Microsoft Office WPG Image File Heap Corruption Exploit           string-tcp            high           true
6986.0   Microsoft IE HTML Objects Memory Corruption Exploit               string-tcp            high           true
6986.1   Microsoft IE HTML Objects Memory Corruption Exploit               string-tcp            high           true
7210.0   Microsoft Excel Remote Code Execution                             string-tcp            high           true
7210.1   Microsoft Excel Remote Code Execution                             string-tcp            high           true
7210.2   Microsoft Excel Remote Code Execution                             string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S350 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6279.0   Citrix Presentation Server Client ActiveX Overflow                meta                  high           true
6279.1   Citrix Presentation Server Client ActiveX Overflow                string-tcp            informational  true
6974.0   Motorola Timbuktu Pro Arbitrary File Deletion/Creation            string-tcp            high           true
6979.0   BEA WebLogic Server Apache Connector HTTP Version String BO       string-tcp            high           true
7209.0   Trend Micro OfficeScan BO Exploit                                 meta                  high           true
7209.1   Trend Micro OfficeScan BO Exploit                                 string-tcp            informational  true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5833.0   Quicktime RTSP URL Vulnerability                                  string-tcp            high           true
5906.0   Microsoft Malformed Word Document Code Execution                  string-tcp            high           true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S349 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5879.0   Apple QuickTime Java QTPointer Vulnerability                      string-tcp            high           true
5930.0   Generic SQL Injection                                             service-http          high           true
5930.1   Generic SQL Injection                                             service-http          high           true
5930.2   Generic SQL Injection                                             service-http          high           true
5930.3   Generic SQL Injection                                             service-http          high           true
5930.4   Generic SQL Injection                                             service-http          high           true
5930.5   Generic SQL Injection                                             service-http          high           true
5931.0   Google Ratproxy                                                   service-http          informational  true
5931.1   Google Ratproxy                                                   service-http          high           true
6267.0   IMAP Long FETCH Command                                           string-tcp            high           true
6268.0   HP Openview Network Node Manager Buffer Overflow                  string-tcp            high           true
6798.0   HP StorageWorks Buffer Overflow                                   string-tcp            high           true
6946.0   Web Client Remote Code Execution Vulnerability                    service-smb-advanced  high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S348 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6973.0   IOS FTPd MKD Command Buffer Overflow                              string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S347 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6945.0   HP OpenView OVAS.EXE Stack Overflow                               service-http          high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
4004.0   DNS Flood Attack                                                  flood-host            medium         true
5583.0   SMB Remote SAM Service Access Attempt                             service-smb-advanced  informational  true
5589.0   SMB: ADMIN$ Hidden Share Access Attempt                           service-smb-advanced  low            true
5601.1   Windows LSASS RPC Overflow                                        service-smb-advanced  high           true
5858.5   DNS Server RPC Interface Buffer Overflow                          service-smb-advanced  high           true
6131.10  Microsoft Plug and Play Overflow                                  service-smb-advanced  high           true
6131.11  Microsoft Plug and Play Overflow                                  service-smb-advanced  high           true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S346 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6298.0   Creative Software AutoUpdate Engine ActiveX Stack-Overflow        meta                  high           true
6298.1   Creative Software AutoUpdate Engine ActiveX Stack-Overflow        string-tcp            informational  true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S345 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6524.0   Yahoo! Assistant yNotifier.dll ActiveX Control Code Execution     meta                  high           true
6524.1   Yahoo! Assistant yNotifier.dll ActiveX Control Code Execution     string-tcp            informational  true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5590.0   SMB: User Enumeration                                             service-smb-advanced  informational  true
6184.0   Large SIP Message                                                 atomic-ip             medium         false
6518.1   SIP Long Header Field                                             atomic-ip             medium         true
6520.0   Long SIP Message                                                  atomic-ip             medium         false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S344 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6969.0   Microsoft Word Smart Tag Corruption Exploit                       string-tcp            high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6967.0   Microsoft SQL Server Privilege Elevation                          multi-string          high           true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S343 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
4004.0   DNS Flood Attack                                                  flood-host            medium         true
6790.0   Outlook Web Access Privilege Escalation                           state                 high           true
6790.1   Outlook Web Access Privilege Escalation                           state                 high           true
6792.0   SQL Memory Corruption Vulnerability                               service-http          high           true
6966.0   Malformed Search File Code Execution                              meta                  high           true
6966.1   Malformed Search File Code Execution                              string-tcp            informational  true
6966.2   Malformed Search File Code Execution                              string-tcp            informational  true
6967.0   Microsoft SQL Server Privilege Elevation                          multi-string          high           true
6968.0   Microsoft Access Snapshot Viewer ActiveX Remote Code Execution    meta                  high           true
6968.1   Microsoft Access Snapshot Viewer ActiveX Remote Code Execution    meta                  informational  true
6968.2   Microsoft Access Snapshot Viewer ActiveX Remote Code Execution    string-tcp            informational  true
6968.3   Microsoft Access Snapshot Viewer ActiveX Remote Code Execution    string-tcp            informational  true
6968.4   Microsoft Access Snapshot Viewer ActiveX Remote Code Execution    string-tcp            informational  true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S342 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6964.0   Asprox Injection Attempt                                          service-http          high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5565.4   Print Spooler Service Overflow                                    service-smb-advanced  high           true
5588.0   Windows DCOM Overflow                                             service-smb-advanced  high           true
5588.1   Windows DCOM Overflow                                             service-smb-advanced  high           true
6769.0   Netware LSASS CIFS.NLM Driver Overflow                            service-smb-advanced  high           true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S341 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6799.0   CUCM CTI DoS                                                      service-generic       medium         true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5913.1   PIX/ASA/FWSM MGCP DoS                                             multi-string          medium         true
7202.0   UDP eDonkey Activity                                              service-p2p           low            false
11018.1  eDonkey Activity                                                  service-p2p           low            false
11022.1  Overnet Client Scan                                               service-p2p           low            false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S340 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6234.0   VideoLAN VLC Subtitle Overflow                                    string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S339 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6177.0   Malformed SIP Invite Packet                                       atomic-ip             medium         true
6178.0   SIP Message DoS                                                   atomic-ip             medium         true
6179.0   Malformed MGCP Packet                                             atomic-ip             medium         true
6181.0   SIP DoS                                                           service-generic       medium         true
6184.0   Large SIP Message                                                 atomic-ip             medium         true
6186.0   RIS Data Collector Heap Overflow                                  string-tcp            high           true
6187.0   CallManager TCP Connection DoS                                    atomic-ip             medium         true
6515.0   Invalid SIP Response Code                                         atomic-ip             medium         true
6517.0   Malformed Via Header                                              atomic-ip             high           true
6518.0   SIP Long Header Field                                             atomic-ip             high           true
6518.1   SIP Long Header Field                                             atomic-ip             medium         true
6520.0   Long SIP Message                                                  atomic-ip             medium         true
6521.0   Call Manager Overflow                                             string-tcp            medium         true
6522.0   Failed HTTP Login / HTTP 401                                      atomic-ip             medium         true
6523.0   Non-Printable in SIP Header                                       atomic-ip             high           false
6761.0   Cisco Unified Communications Manager CTL Provider Heap Overflow   string-tcp            high           true

TUNED SIGNATURES

SIGID    SIGNAME                                                           ENGINE                SEVERITY       ENABLED
1306.6   TCP option data after EOL option                                  normalizer            informational  true
1315.0   ACK w/o TCP Stream                                                normalizer            informational  false
1330.19  TCP timestamp option detected when not expected                   normalizer            informational  true
1330.20  TCP winscale option detected when not expected                    normalizer            informational  true
1330.21  TCP option SACK data detected when not expected.                  normalizer            informational  true
2200.0   Invalid IGMP Header DoS                                           service-generic       high           false
3307.0   Red Button                                                        meta                  informational  false
3327.11  Windows RPC DCOM Overflow                                         meta                  high           true
3334.3   Windows Workstation Service Overflow                              meta                  high           true
3334.4   Windows Workstation Service Overflow                              meta                  high           true
3334.5   Windows Workstation Service Overflow                              service-msrpc         high           true
3334.6   Windows Workstation Service Overflow                              service-msrpc         high           true
3334.8   Windows Workstation Service Overflow                              meta                  high           true
3338.1   Windows LSASS RPC Overflow                                        meta                  high           true
3338.3   Windows LSASS RPC Overflow                                        service-msrpc         high           true
3347.1   Windows ASN.1 Library Bit String Heap Corruption                  string-tcp            high           false
3353.1   SMB Request Overflow                                              meta                  high           false
3353.2   SMB Request Overflow                                              meta                  high           false
3409.3   Telnet Over Non-standard Ports                                    fixed-tcp             medium         false
3530.0   Cisco Secure ACS Oversized TACACS+ Attack                         service-generic       medium         false
3531.0   Cisco IOS Telnet DoS                                              service-generic       high           true
3532.0   Malformed BGP Open Message                                        service-generic       medium         true
5416.1   IE object data remote execution                                   meta                  informational  true
5496.0   License Logging Service Overflow                                  meta                  high           true
5498.0   Media Player IE Zone Bypass                                       meta                  medium         true
5556.1   Javaprxy.dll Heap Overflow                                        meta                  high           true
5556.3   Javaprxy.dll Heap Overflow                                        meta                  high           true
5556.4   Javaprxy.dll Heap Overflow                                        meta                  high           true
5557.2   Windows ICC Color Management Module Vulnerability                 meta                  high           true
5561.0   Windows SMTP Overflow                                             meta                  high           true
5565.2   Print Spooler Service Overflow                                    meta                  high           true
5565.4   Print Spooler Service Overflow                                    service-smb-advanced  high           true
5567.5   Veritas Backup Exec Remote Registry Access                        meta                  high           true
5567.6   Veritas Backup Exec Remote Registry Access                        meta                  high           true
5567.7   Veritas Backup Exec Remote Registry Access                        meta                  high           true
5567.8   Veritas Backup Exec Remote Registry Access                        meta                  medium         true
5572.1   Design Tools Diagram Surface ActiveX Control                      meta                  high           true
5572.2   Design Tools Diagram Surface ActiveX Control                      meta                  high           true
5588.0   Windows DCOM Overflow                                             service-smb-advanced  high           true
5598.0   Windows Workstation Service Overflow                              service-smb-advanced  high           true
5598.1   Windows Workstation Service Overflow                              service-smb-advanced  high           true
5601.1   Windows LSASS RPC Overflow                                        service-smb-advanced  high           true
5609.1   IE COM Object Memory Corruption Vulnerability                     meta                  high           true
5609.2   IE COM Object Memory Corruption Vulnerability                     meta                  high           true
5635.2   Plug and Play Overflow                                            meta                  high           true
5641.2   MS DTC DoS                                                        meta                  medium         true
5642.3   DirectShow Overflow                                               meta                  high           false
5644.3   Client Service for NetWare Overflow                               meta                  high           true
5683.0   Vista Feed Headlines Gadget Remote Code Execution                 meta                  high           true
5728.0   Windows IGMP DoS                                                  service-generic       medium         true
5731.0   Windows Media Player BMP Processing Vulnerability                 meta                  high           true
5732.0   Web Client Remote Code Execution Vulnerability                    meta                  high           true
5738.3   Windows ACS Registry Access                                       meta                  medium         true
5738.4   Windows ACS Registry Access                                       meta                  medium         true
5747.0   MDAC Function Remote Code Execution                               meta                  high           true
5748.0   Non-SMTP Session Start                                            meta                  low            true
5759.1   VNC Authentication Bypass                                         string-tcp            informational  false
5759.2   VNC Authentication Bypass                                         service-generic       informational  true
5759.3   VNC Authentication Bypass                                         meta                  high           true
5776.0   Routing and Remote Access Service Code Execution                  meta                  high           true
5776.4   Routing and Remote Access Service Code Execution                  meta                  high           true
5794.0   Routing and Remote Access Service RASMAN Registry Stack Overflow  meta                  high           true
5797.0   Exchange Calendar DoS                                             meta                  medium         true
5799.0   Server Service Code Execution                                     meta                  high           false
5799.4   Server Service Code Execution                                     meta                  high           true
5799.7   Server Service Code Execution                                     meta                  high           true
5804.0   VPN3000 Concentrator Unauthenticated FTP Access                   meta                  high           true
5805.0   VPN3000 Concentrator FTP RMD Execution                            meta                  high           true
5806.0   Winny P2P Connection Activity                                     meta                  low            false
5806.1   Winny P2P Connection Activity                                     service-generic       informational  false
5806.2   Winny P2P Connection Activity                                     service-generic       informational  false
5806.3   Winny P2P Connection Activity                                     service-generic       informational  false
5806.4   Winny P2P Connection Activity                                     service-p2p           medium         true
5809.0   DCERPC Authentication DoS                                         meta                  medium         true
5812.0   Cisco IPS SSL DOS Vulnerability                                   service-generic       medium         true
5812.1   Cisco IPS SSL DOS Vulnerability                                   service-generic       medium         true
5813.0   Microsoft Internet Explorer Vector Markup Language Vulnerability  meta                  high           true
5814.0   Step-by-Step Interactive Training Remote Code Execution           meta                  high           true
5815.0   WebViewFolderIcon setSlice() Overflow                             meta                  high           true
5821.0   DirectAnimation ActiveX Memory Corruption                         meta                  high           true
5822.0   Workstation Service Memory Corruption Vulnerability               meta                  high           true
5827.0   Internet Explorer ActiveX Control Arbitrary Code Execution        meta                  high           true
5829.0   Invalid SSL Packet                                                service-generic       medium         true
5832.0   IOS Crafted IP Option Vulnerability                               service-generic       high           true
5832.1   IOS Crafted IP Option Vulnerability                               service-generic       high           true
5832.2   IOS Crafted IP Option Vulnerability                               service-generic       high           true
5832.3   IOS Crafted IP Option Vulnerability                               service-generic       high           true
5835.2   Cisco IOS SIP DoS Vulnerability                                   meta                  medium         true
5835.5   Cisco IOS SIP DoS Vulnerability                                   meta                  medium         true
5837.0   Malformed TCP packet                                              service-generic       medium         true
5837.1   Malformed TCP packet                                              normalizer            informational  true
5847.0   FTP Successful Privileged Login                                   meta                  low            true
5847.1   FTP Successful Privileged Login                                   meta                  low            true
5854.0   Cisco CUCM/CUPS Denial of Service Vulnerability                   service-generic       medium         true
5856.0   Agent URL Parsing Remote Code Execution                           meta                  high           true
5857.0   UPnP Memory Corruption Vulnerability                              meta                  high           true
5858.1   DNS Server RPC Interface Buffer Overflow                          meta                  high           true
5858.5   DNS Server RPC Interface Buffer Overflow                          service-smb-advanced  high           true
5860.0   IOS FTPd Successful Login                                         meta                  low            true
5863.0   Internet Explorer CAPICOM.Certificates Remote Code Execution      meta                  high           true
5865.0   Microsoft WMS Arbitrary File Rewrite Vulnerability                meta                  high           true
5884.0   IOS NHRP Buffer Overflow
service-generi high true c 5884.1 IOS NHRP Buffer Overflow service-generi high true c 5893.0 Cisco IP Phone Remote meta medium true Denial of Service 5898.0 Microsoft Agent HTTP Code meta high true Execution 5903.0 MS SharePoint XSS meta medium true 5908.0 NNTP Overflow meta high true 6017.0 DirectShow SAMI Parsing meta high true Remote Code Execution 6017.3 DirectShow SAMI Parsing meta high true Remote Code Execution 6069.0 Windows Media Format meta high true Remote Code Execution 6069.4 Windows Media Format meta high true Remote Code Execution 6069.6 Windows Media Format meta high true Remote Code Execution 6110.0 RPC RSTATD Sweep meta high true 6110.1 RPC RSTATD Sweep meta high true 6111.0 RPC RUSESRD Sweep meta high true 6111.1 RPC RUSESRD Sweep meta high true 6112.0 RPC NFS Sweep meta high true 6112.1 RPC NFS Sweep meta high true 6113.0 RPC MOUNTD Sweep meta high true 6113.1 RPC MOUNTD Sweep meta high true 6114.0 RPC YPASSWDD Sweep meta high true 6114.1 RPC YPASSWDD Sweep meta high true 6115.0 RPC SELECTION SVC Sweep meta high true 6115.1 RPC SELECTION SVC Sweep meta high true 6116.0 RPC REXD Sweep meta high true 6116.1 RPC REXD Sweep meta high true 6117.0 RPC STATUS Sweep meta high true 6117.1 RPC STATUS Sweep meta high true 6118.0 RPC TTDB Sweep meta high true 6118.1 RPC TTDB Sweep meta high true 6130.3 Microsoft Message Queuing meta high true Overflow 6130.5 Microsoft Message Queuing meta high true Overflow 6130.9 Microsoft Message Queuing meta high true Overflow 6130.11 Microsoft Message Queuing meta high true Overflow 6131.2 Microsoft Plug and Play meta high true Overflow 6131.5 Microsoft Plug and Play meta high true Overflow 6131.7 Microsoft Plug and Play meta high true Overflow 6131.10 Microsoft Plug and Play service-smb-ad high true Overflow vanced 6131.11 Microsoft Plug and Play service-smb-ad high true Overflow vanced 6228.0 Mac OSX Software Update meta high true Remote Code Execution 6229.0 MS SQL Server sqldmo.dll meta high true Overflow 6403.0 IE 
Uninitialized Memory meta high true Corruption 6408.0 IE DHTML Memory Corruption meta high true 6409.0 IE Invalid Object Memory meta high true Corruption 6410.0 IE Unsafe Memory meta high true Operation 6510.0 GOM Player ActiveX meta high true Control Buffer Overflow 6768.0 Samba WINS Remote Code meta high true Execution Vulnerability 6926.0 Cisco IOS DLSw DoS service-generi medium true c 6926.1 Cisco IOS DLSw DoS service-generi medium true c 7201.0 Gnutella Upload/Download service-p2p low true Stream 7202.0 UDP eDonkey Activity service-p2p low true 7203.0 ARES P2P activity service-p2p medium true 11000.3 KaZaA v2 UDP Client Probe service-p2p low true 11001.1 Gnutella Client Request service-p2p low true 11002.1 Gnutella Server Reply service-p2p low true 11003.1 Qtella File Request service-p2p low true 11004.1 Bearshare File Request service-p2p low true 11005.2 KaZaA Client Activity service-p2p low true 11006.1 Gnucleus File Request service-p2p low true 11007.1 Limewire File Request service-p2p medium true 11008.1 Morpheus File Request service-p2p low true 11009.1 Phex File Request service-p2p medium true 11010.1 Swapper File Request service-p2p low true 11011.1 XoloX File Request service-p2p low true 11012.1 GTK-Gnutella File Request service-p2p low true 11013.1 Mutella File Request service-p2p low true 11017.1 Direct Connect Server service-p2p medium true Reply 11018.1 eDonkey Activity service-p2p low true 11019.1 WinMx Server Response service-p2p low false 11020.1 BitTorrent Client Activity service-p2p low true 11022.1 Overnet Client Scan service-p2p low true 11027.1 Gnutella File Search service-p2p low true 11233.3 SSH Over Non-standard fixed-tcp informational false Ports 11245.0 IRC Server Connection string-tcp informational true 11245.1 IRC Server Connection string-tcp informational true 11245.2 IRC Server Connection fixed-tcp informational true 11245.3 IRC Server Connection fixed-tcp informational true CAVEATS None. Modified signature(s) detail: None.
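The tables above are what a sensor administrator reconciles against local policy after installing an update, and two things are easy to miss when reading them by eye: signatures rated high that the update ships with ENABLED = false (6523.0, 3347.1, 3353.1, 3353.2, 5642.3 and 5799.0 in this release fire nothing until someone enables them), and signature families whose sub-signatures disagree on severity or enabled state (6518.x, 5759.x, 5799.x, 5806.x). The following Python script is an added example, not part of the Cisco readme and not Cisco tooling. It parses rows in the SIGID / SIGNAME / ENGINE / SEVERITY / ENABLED layout used above and reports both conditions. The embedded SAMPLE is a constructed excerpt copied from the S339 tables, not the complete list; the regular expression and the SEVERITY_RANK ordering are the example's own assumptions about the layout, not a Cisco format specification.

```python
"""Parse SIGID/SIGNAME/ENGINE/SEVERITY/ENABLED rows from a Cisco IPS
signature-update readme and flag what an admin reviews first:
high-severity signatures shipped disabled, and signature families whose
sub-signatures disagree on severity or enabled state.

Added example; assumes the whitespace-column layout seen in the S339 tables.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of rows copied from the S339 NEW and TUNED
# tables (not the complete tables). Column alignment is irrelevant to the
# parser; it anchors on the severity and enabled columns at the end.
SAMPLE = """\
SIGID     SIGNAME                                     ENGINE            SEVERITY       ENABLED
6518.0    SIP Long Header Field                       atomic-ip         high           true
6518.1    SIP Long Header Field                       atomic-ip         medium         true
6523.0    Non-Printable in SIP Header                 atomic-ip         high           false
6761.0    Cisco Unified Communications Manager CTL Provider Heap Overflow string-tcp high true
3347.1    Windows ASN.1 Library Bit String Heap Corruption string-tcp   high           false
5759.1    VNC Authentication Bypass                   string-tcp        informational  false
5759.2    VNC Authentication Bypass                   service-generic   informational  true
5759.3    VNC Authentication Bypass                   meta              high           true
5799.0    Server Service Code Execution               meta              high           false
5799.4    Server Service Code Execution               meta              high           true
5815.0    WebViewFolderIcon setSlice() Overflow       meta              high           true
"""

# Assumed layout: numeric sigid, free-text name, engine token (lowercase,
# digits, hyphens), then the fixed severity and enabled vocabularies.
# Anchoring on the last three columns lets the name contain any spacing.
ROW_RE = re.compile(
    r"^(?P<sigid>\d+\.\d+)\s+"
    r"(?P<name>.+?)\s+"
    r"(?P<engine>[a-z0-9-]+)\s+"
    r"(?P<severity>informational|low|medium|high)\s+"
    r"(?P<enabled>true|false)\s*$"
)

# Assumed ordering of the severity vocabulary, lowest to highest.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


def parse_rows(text):
    """Return one dict per signature row; headers and non-row text are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # column header, section title, CAVEATS text, blank line
        rows.append({
            "sigid": m["sigid"],
            "name": m["name"],
            "engine": m["engine"],
            "severity": m["severity"],
            "enabled": m["enabled"] == "true",
        })
    return rows


def disabled_at_or_above(rows, floor="high"):
    """Sigids at or above `floor` severity that the update leaves disabled.

    A disabled signature produces no alerts, so a high-rated one shipped
    disabled is a policy decision the local admin must make explicitly.
    """
    want = SEVERITY_RANK[floor]
    return [r["sigid"] for r in rows
            if not r["enabled"] and SEVERITY_RANK[r["severity"]] >= want]


def inconsistent_families(rows):
    """Group sub-signatures (NNNN.x) by base id and return the families whose
    members disagree on severity or enabled state, as {base: [(sigid,
    severity, enabled), ...]}. Siblings that differ usually implement
    different detection methods and deserve individual review."""
    families = defaultdict(list)
    for r in rows:
        families[r["sigid"].split(".")[0]].append(r)
    out = {}
    for base, members in families.items():
        if len({m["severity"] for m in members}) > 1 or \
           len({m["enabled"] for m in members}) > 1:
            out[base] = [(m["sigid"], m["severity"], m["enabled"]) for m in members]
    return out


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    print(f"parsed {len(rows)} signature rows")
    print("high severity but disabled:", disabled_at_or_above(rows))
    for base, members in inconsistent_families(rows).items():
        print(f"family {base}: {members}")
```

To run it against a full readme, read the file and pass its text to parse_rows; the NEW and TUNED sections can be separated beforehand by splitting on the section titles, since the regex deliberately ignores everything that is not a signature row.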