Cisco Intrusion Prevention System Signature Update S387
March 19, 2009

Copyright (C) 1999-2009 Cisco Systems, Inc. All rights reserved. Printed in the USA.
Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their registered owners.

========================================================================
Table Of Contents
========================================================================

S387 SIGNATURE UPDATE DETAILS
  - NEW SIGNATURES
  - TUNED SIGNATURES
  - CAVEATS
  - RESOLVED CAVEATS
IMPORTANT NOTES
  - E3 ENGINE UPDATE REQUIRED FOR SIGNATURE UPDATES S366 AND LATER
IPS 5.X AND 6.X SENSOR SIGNATURE UPDATE INSTRUCTIONS
  - TARGET PLATFORMS AND REQUIRED VERSIONS
  - INSTALLATION
  - UNINSTALLATION
  - CAVEATS
CSM/ IPSMC SIGNATURE UPDATE INSTRUCTIONS
  - CSM VERSION 3.1 AND ABOVE
    - INSTALLATION
    - UNINSTALLATION
    - CAVEATS
  - CSM VERSION 3.0/ IPS MC
    - INSTALLATION
    - UNINSTALLATION
    - CAVEATS
S339-S386 SIGNATURE UPDATE DETAILS
  - NEW FEATURES
  - NEW SIGNATURES
  - TUNED SIGNATURES/RESOLVED CAVEATS
  - CAVEATS

========================================================================
S387 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
6147.0   string-tcp            high           false    RealPlayer RealMedia Security Bypass
6733.0   string-tcp            high           false    CA BrightStor ARCServe Backup LGServer Arbitrary File Upload
6297.0   meta                  high           true     RealPlayer ActiveX Import Method Buffer Overflow
6080.0   string-tcp            high           false    Adobe Products PNG Parsing
6081.0   string-tcp            high           false    Microsoft Excel BIFF Parsing
6082.0   string-tcp            high           false    Microsoft Excel Column Record Handling
6083.0   string-tcp            high           false    Microsoft Excel SetFont
6084.0   string-tcp            high           false    IE 7 HTML Object Memory Corruption
6770.0   string-tcp            high           false    OpenOffice PRTDATA Heap Overflow
7292.0   string-tcp            high           false    Apple QuickTime Crafted HTTP Error Response Buffer Overflow
6759.0   string-tcp            high           true     Apple Safari Regular Expression Overflow
6119.0   string-tcp            high           false    MySQL Authentication Vulnerability
6107.0   string-tcp            medium         false    CVS File Existence Information Disclosure
6132.0   string-tcp            high           false    Mod SSL- Mod Proxy Hook Format String
6149.0   string-tcp            high           false    MySQL Arbitrary Library Injection
6146.0   string-udp            high           false    Squid WCCP Message Receive Buffer Overflow
6156.0   string-tcp            high           false    MIT Kerberos kadmind RPC Library Unix Authentication
6158.0   string-tcp            high           false    MIT Kerberos Kadmind Rename Buffer Overflow
6143.0   string-tcp            high           false    Borland Interbase Database Service Create-Request Buffer Overflow
6731.0   string-tcp            high           false    CA BrightStor ARCServe Backup LGServer Username Buffer Overflow
6730.0   string-tcp            high           false    IBM Tivoli Storage Manager Express Buffer Overflow
6145.0   string-tcp            high           false    Trend Micro ServerProtect TMregChange Buffer Overflow
6144.0   string-tcp            high           false    X.Org X Font Server Buffer Overflow
7256.0   meta                  high           true     ActSoft DVD-Tools ActiveX control Buffer Overflow
7256.1   string-tcp            informational  true     ActSoft DVD-Tools ActiveX control Buffer Overflow
7256.2   string-tcp            informational  true     ActSoft DVD-Tools ActiveX control Buffer Overflow
7285.0   service-smb-advanced  medium         true     Samba Unauthorized Root File System Access
15009.0  string-tcp            high           false    Microsoft Office MSODataSourceControl Denial Of Service
15017.0  service-http          high           true     Oracle Secure Backup Login.php Command Injection
15115.0  string-tcp            high           false    Sun Java System Web Proxy sockd Daemon Overflow
7244.1   string-tcp            high           false    Microsoft Excel Buffer Overflow
5908.3   string-tcp            high           false    NNTP Overflow
15274.0  string-tcp            high           false    IBM Lotus Domino LDAP Server Memory Exception
15275.0  string-tcp            high           false    SpamAssassin Spamd Remote Command Execution
15294.0  string-tcp            high           true     Chrome URI Handler Remote Command Execution
15314.0  atomic-ip             high           false    Symantec Firewall DNS Response Denial Of Service
15374.0  string-tcp            high           false    Microsoft Windows Media Player Skin Decompression Vulnerability
15375.0  string-tcp            high           false    Microsoft Windows Media Player Skin Parsing Vulnerability
15376.0  service-msrpc         high           false    Trend Micro ServerProtect RPC Overflow
15393.0  atomic-ip             high           false    Asterisk T.38 Buffer Overflow
7291.0   meta                  high           true     VideoLAN VLC Media Player WAV Processing Integer Overflow
7291.1   string-tcp            informational  true     VideoLAN VLC Media Player WAV Processing Integer Overflow
7291.2   string-tcp            informational  true     VideoLAN VLC Media Player WAV Processing Integer Overflow
15454.0  atomic-ip             informational  false    LogMeIn Hamachi Activity
15455.0  atomic-ip             low            false    LogMeIn Product Activity
15513.0  string-tcp            high           false    Apple Mac OS X iChat AIM URL Format String Vulnerability
15573.0  string-tcp            high           false    Apple Mac OS X Finder Memory Corruption
15753.0  string-tcp            high           false    CVS Line Entry Heap Overflow

TUNED SIGNATURES

This signature update does not contain any tuned signatures.

CAVEATS

None.

========================================================================
IMPORTANT NOTES
========================================================================

E3 ENGINE UPDATE REQUIRED FOR SIGNATURE UPDATES S366 AND LATER

Beginning with S366, all signature updates require that your sensors be updated with the E3 engine update. Engine and signature updates can be downloaded automatically using Cisco Security Manager (CSM) or by sensors running IPS Version 6.1(1) or later. Sensors running IPS Version 6.1(1) or later that have been configured for automatic updates from cisco.com are updated with E3 automatically.

The updates can also be downloaded manually from the following locations:

IPS Version 6.x: http://www.cisco.com/cgi-bin/tablebuild.pl/ips6
IPS Version 5.1: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5

NOTE: You must have an active Cisco Service for IPS contract to download this software.
Please consult the table below for recommendations on upgrade paths:

Installed Release        Recommended Update
---------------------------------------------
5.1(8)E2 or earlier      5.1(8)E3
6.0(5)E2 or earlier      6.0(5)E3
6.1(1)E2 or earlier      6.1(1)E3 or 6.2(1)E3

Warning: Beginning with S366, signature updates are only released for E3-level sensor software releases. These are 5.1(8)E3, 6.0(5)E3, 6.1(1)E3, and 6.2(1)E3. Your sensors MUST be on one of these releases to receive further signature updates.

For more details regarding the E3 engine update, refer to the readme files available at the download links listed above.

Note that there is a 60-day grace period after a service pack or minor release during which engine updates are released for both the current and the previous release. After 60 days, only the current release receives an engine update. Customers who choose to remain on an older release must update to the latest service pack in order to maintain up-to-date protection.

For more information on supported versions, see:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_bulletin0900aecd80365daa.html

========================================================================
IPS 5.X AND 6.X SENSOR SIGNATURE UPDATE INSTRUCTIONS
========================================================================

TARGET PLATFORMS AND REQUIRED VERSIONS

------------------------------------------------------------------------
Note: Beginning with S366, signature updates have a minimum required engine update level of E3. You must be running the E3 engine update to install signature update S366 or later. The E3 engine update is supported on sensors running IPS versions 5.1(8), 6.0(5), 6.1(1) or 6.2(1).
------------------------------------------------------------------------
Note2: The S365 signature update has been packaged into the E3 engine update and will not be released as a separate signature update.
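As an added example (not Cisco's code and not part of this readme), the following Python pre-flight check encodes the rules above: it reads the release and engine level out of a sensor's version string, decides whether that sensor can take an S366-or-later signature update, and returns the recommended upgrade path from the table. The "show version" line format, the sample version strings, and the package file name IPS-sig-S387-req-E3.pkg (which follows the IPS-sig-S<nnn>-req-E<n>.pkg pattern used in the installation section) are assumptions. "Or earlier" is read as any release at or below the table row within the same major.minor train; the table has no row for a 6.2(1) sensor below E3, so that case deliberately returns None instead of a guess.

```python
"""Pre-flight check for a Cisco IPS signature update (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Engine level that S366 and later signature updates require.
REQUIRED_ENGINE = 3

# Sensor software releases that receive signature updates from S366 on.
E3_RELEASES = {(5, 1, 8), (6, 0, 5), (6, 1, 1), (6, 2, 1)}

# Upgrade-path table from the readme. Key = the "X or earlier" release,
# value = recommended target(s). Assumption: "or earlier" means any release
# at or below the key within the same major.minor train.
UPGRADE_PATHS = {
    (5, 1, 8): ["5.1(8)E3"],
    (6, 0, 5): ["6.0(5)E3"],
    (6, 1, 1): ["6.1(1)E3", "6.2(1)E3"],
}

# "major.minor(servicepack)Eengine", e.g. 6.1(1)E2. The surrounding
# 'show version' text is an assumption; only this token is parsed.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\((\d+)\)E(\d+)\b")
# Package naming pattern from the installation section (assumed stable).
PACKAGE_RE = re.compile(r"^IPS-sig-S(\d+)-req-E(\d+)\.pkg$")


@dataclass(frozen=True)
class SensorVersion:
    major: int
    minor: int
    sp: int
    engine: int

    @property
    def release(self) -> Tuple[int, int, int]:
        return (self.major, self.minor, self.sp)

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}({self.sp})E{self.engine}"


def parse_version(show_version_text: str) -> SensorVersion:
    """Pull the first version token out of 'show version' output."""
    m = VERSION_RE.search(show_version_text)
    if m is None:
        raise ValueError("no IPS version string found")
    return SensorVersion(*(int(g) for g in m.groups()))


def parse_package(filename: str) -> Tuple[int, int]:
    """Return (signature level, required engine) from the package name.
    The readme requires the original file name to be preserved, so a
    renamed package is rejected rather than guessed at."""
    m = PACKAGE_RE.match(filename)
    if m is None:
        raise ValueError(f"unexpected package name: {filename}")
    return int(m.group(1)), int(m.group(2))


def can_install(version: SensorVersion, package: str) -> bool:
    """True if this sensor may receive the given signature update."""
    sig_level, req_engine = parse_package(package)
    # From S366 on, only the E3-level releases receive signature updates.
    if sig_level >= 366 and version.release not in E3_RELEASES:
        return False
    return version.engine >= req_engine


def recommended_upgrade(version: SensorVersion) -> Optional[List[str]]:
    """Releases to move to before installing, per the upgrade-path table.
    [] means already eligible; None means the table has no row for this
    train, so consult the E3 readme instead of guessing."""
    if version.engine >= REQUIRED_ENGINE and version.release in E3_RELEASES:
        return []
    for ceiling, targets in UPGRADE_PATHS.items():
        same_train = version.release[:2] == ceiling[:2]
        if same_train and version.release <= ceiling:
            return list(targets)
    return None


if __name__ == "__main__":
    # Constructed sample of a 'show version' line; format is an assumption.
    sample = "Cisco Intrusion Prevention System, Version 6.1(1)E2"
    v = parse_version(sample)
    pkg = "IPS-sig-S387-req-E3.pkg"
    print(f"{v}: can install {pkg}? {can_install(v, pkg)}; "
          f"upgrade first to {recommended_upgrade(v)}")
```

Run it before pushing an update from a script or CSM job; a sensor that returns None from recommended_upgrade is one the table does not cover and should be checked against the E3 readme by hand.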
------------------------------------------------------------------------
Note3: All signature updates are cumulative. The S387 signature update contains all previously released signature updates.

This signature update may contain signatures that include protected parameters. A protected value is not visible to the user.
------------------------------------------------------------------------

The IPS-sig-S387-req-E3.pkg upgrade file can be applied to the following sensor platforms:

- IPS-42xx Cisco Intrusion Prevention System (IPS) sensors
- IDS-42xx Cisco Intrusion Detection System (IDS) sensors (except the IDS-4220 and IDS-4230)
- WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2)
- NM-CIDS IDS Network Module for Cisco 26xx, 36xx, and 37xx Router Families
- ASA-SSM-10 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- ASA-SSM-20 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- ASA-SSM-40 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- AIM-IPS Cisco Advanced Integration Module for ISR Routers

The sensor must be running engine update version E3 before you can apply this signature update. To determine the current sensor version, log in to the CLI and type the following command at the prompt:

    show version

INSTALLATION

------------------------------------------------------------------------
Note: Signature updates may take a while to install depending on the sensor's upgrade history, configuration, and the amount of traffic the sensor is processing. The AIM-IPS, for example, has taken up to 40 minutes to update during testing. Do not reboot the sensor while the signature update is installing; the sensor may be left in an unknown state that requires it to be reimaged.
------------------------------------------------------------------------

------------------------------------------------------------------------
Note: Before installing a new signature update, it is highly recommended that you back up your configuration file to a remote system. For details, refer to the copy command section in the applicable Command Reference Guide:

IPS Version 6.1: http://www.cisco.com/en/US/docs/security/ips/6.1/command/reference/crCmds.html#wp458440
IPS Version 6.0: http://www.cisco.com/en/US/docs/security/ips/6.0/command/reference/crCmds.html#wp458440
IPS Version 5.1: http://www.cisco.com/en/US/docs/security/ips/5.1/command/reference/crCmds.html#wp458440
------------------------------------------------------------------------

WARNING: DO NOT REBOOT THE SENSOR DURING THE INSTALLATION PROCESS. Doing so will leave the sensor in an unknown state and may require that the sensor be re-imaged.

To install the S387 signature update:

1. Download the binary file IPS-sig-S387-req-E3.pkg to an FTP, SCP, HTTP, or HTTPS server on your network from:
   http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

   CAUTION: You must preserve the original file name.

2. Log in to the IPS CLI using an account with administrator privileges.

3. Type the following command to enter configuration mode:

       configure terminal

4. Execute the upgrade command:

       upgrade [URL]/IPS-sig-S387-req-E3.pkg

   where [URL] is the uniform resource locator pointing to where the signature update package is located. For example, to retrieve the update via FTP, type:

       upgrade ftp://username@ip-address//directory/IPS-sig-S387-req-E3.pkg

   The available transport methods are SCP, FTP, HTTP, and HTTPS.

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

UNINSTALLATION

To uninstall the S387 signature update and return the sensor to its previous state, follow these steps:

1. Log in to the CLI using an account with administrator privileges.

2. Type the following command to enter configuration mode:

       configure terminal

3. Type the following command to start the downgrade:

       downgrade

------------------------------------------------------------------------
Note: The downgrade may take a long time to complete depending on the configuration of the sensor and the amount of traffic the sensor is processing. Do not reboot the sensor while the downgrade is in progress; the sensor may be left in an unknown state that requires it to be reimaged.
------------------------------------------------------------------------

========================================================================
CSM/ IPS MC SIGNATURE UPDATE INSTRUCTIONS
========================================================================

The IPS-CS-MGR-sig-S340-req-E2.zip and later signature update files, which require the E2 update, have been tested for all platforms with CSM 3.2 SP2 or later. For pushing E2-based signature update files to the AIM IPS platform, CSM 3.2 SP2 is required at a minimum, since it has E2-specific fixes for AIM IPS.

The E3 engine update packages for sensors are deployed automatically the first time a signature set that requires E3 is deployed by CSM. If the target sensor is already running E3, the signature update is applied directly without deploying the E3 package. E3 updates are not listed or available for selection in the Apply Update wizard and cannot be applied independently by CSM. To ensure that the E3 update is applied to your sensors, push signature update S365 or later to them.

------------------------------------------------------------------------
Note: Beginning with S366, signature updates have a minimum required engine update level of E3. You must be running the E3 engine update to install signature update S366 or later. The E3 engine update is supported on sensors running IPS versions 5.1(8), 6.0(5), 6.1(1) or 6.2(1).
------------------------------------------------------------------------
Note2: The S365 signature update has been packaged into the E3 engine update and will not be released as a separate signature update.
------------------------------------------------------------------------

-------------------------
CSM VERSION 3.1 AND ABOVE
-------------------------

INSTALLATION

For automating IPS update tasks, refer to:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/defapset.html#wpxref37046

For setting up the Updates Server in CSM 3.1 and above, refer to:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/defapset.html#wp1333602

To manually install the S387 signature update on CSM 3.1 and above, follow these steps:

1. Start the Cisco Security Manager client.
2. Click Tools > Apply IPS Update to open the Apply IPS Update wizard.
3. Click Download Latest Updates.
4. (pre-CSM 3.2 only) Click the Start button to start downloading the latest updates.
5. Close the popup when the download is complete.
6. On the first page of the wizard, select the update that you want to apply and click Next to continue.
7. On the second page of the wizard, select the devices (local policies) and/or shared policies you want to update.
8. Click Finish to apply your update to the policies.
9. Submit and deploy your changes to the devices.

UNINSTALLATION

To uninstall a signature update that was installed using CSM 3.1 and above, follow the IPS rollback instructions in the Configuration Archive section of the CSM 3.1 User Guide:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/adman.html#wp1075918

See also the section Understanding Rollback for IPS and IOS IPS of the CSM 3.1 User Guide:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/adman.html#wp1098793

CAVEATS

None.

-------------------------
CSM VERSION 3.0/ IPS MC
-------------------------

INSTALLATION

To install the S387 signature update on CSM 3.0 or IPS MC, follow these steps:

1. Download the appropriate signature update ZIP file to the /MDC/etc/ids/updates directory on the server where you have installed CSM/ IPS MC, from:
   http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids
2. Start IPS MC from the CiscoWorks Server desktop.
3. Select Configuration > Updates.
4. In the TOC, select Update Network IDS/IPS Signatures.
5. In the TOC, select Submit.
6. Select a file from the Update File list box and click Apply.
7. Select the sensor(s) you want to update and click Next.
8. Enter a Job Name (optional) and select the Schedule Type: Immediate or Scheduled. If Scheduled is selected, set the start time of the update.
9. Click Next to continue.
10. Verify that the Summary is correct. Use the Back button to correct an incorrect entry.
11. Click Finish. Check the progress viewer to track the installation of the signature update on the sensor.

UNINSTALLATION

To uninstall a signature update that was installed using CSM 3.0 or IPS MC, follow the uninstallation instructions in the IPS 5.X AND 6.X SENSOR SIGNATURE UPDATE INSTRUCTIONS section of this document.

CAVEATS

None.
========================================================================
S386 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
15816.0  atomic-ip             medium         false    WPAD Registration Vulnerability
15833.0  string-tcp            high           true     Windows Kernel Input Validation Vulnerability
15593.0  service-smb-advanced  informational  false    Windows System32 Directory Write Access

TUNED SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
3113.1   string-tcp            medium         false    Email Attachment with Malicious Payload
3128.1   string-tcp            high           false    Exchange xexch50 overflow
3130.0   string-tcp            medium         false    Mimail Virus I Variant File Attachment
3133.0   string-tcp            high           false    Novarg / Mydoom Virus Mail Attachment Variant B
3137.6   string-tcp            high           false    Sober Virus Activity
3328.2   string-tcp            medium         false    Windows SMB/RPC NoOp Sled
5416.1   meta                  informational  false    IE object data remote execution
5499.0   string-tcp            informational  false    HTML Link in Object Tag in IE
5503.0   string-tcp            informational  false    Object Creation In IE Local Zone
5520.0   string-tcp            informational  false    XEXCH50 Command Usage
5635.0   string-tcp            informational  false    Plug and Play Overflow
5635.1   string-tcp            informational  false    Plug and Play Overflow
5635.2   meta                  high           false    Plug and Play Overflow
5644.0   string-tcp            informational  false    Client Service for NetWare Overflow
5644.1   string-tcp            informational  false    Client Service for NetWare Overflow
5644.2   string-tcp            medium         false    Client Service for NetWare Overflow
5644.3   meta                  high           false    Client Service for NetWare Overflow
5706.0   string-tcp            medium         false    Persistent Content in a Dynamic Webpage
5731.0   meta                  high           false    Windows Media Player BMP Processing Vulnerability
5731.1   string-tcp            informational  false    Windows Media Player BMP Processing Vulnerability
5731.2   string-tcp            medium         false    Windows Media Player BMP Processing Vulnerability
5737.0   string-tcp            high           false    Internet Explorer Action Handlers Overflow
5747.0   meta                  high           false    MDAC Function Remote Code Execution
5747.1   string-tcp            informational  false    MDAC Function Remote Code Execution
5747.2   string-tcp            medium         false    MDAC Function Remote Code Execution
5748.0   meta                  low            false    Non-SMTP Session Start
5748.1   string-tcp            informational  false    Non-SMTP Session Start
5748.2   string-tcp            informational  false    Non-SMTP Session Start
5748.3   string-tcp            informational  false    Non-SMTP Session Start
5748.4   string-tcp            informational  false    Non-SMTP Session Start
5748.5   string-tcp            informational  false    Non-SMTP Session Start
5749.0   string-tcp            high           false    Internet Explorer Double Byte Character Parsing
5775.0   string-tcp            low            false    MHTML Redirection
5799.1   string-tcp            informational  false    Server Service Code Execution
5799.2   string-tcp            informational  false    Server Service Code Execution
5799.3   string-tcp            informational  false    Server Service Code Execution
5799.4   meta                  high           false    Server Service Code Execution
5799.5   string-tcp            informational  false    Server Service Code Execution
5799.6   string-tcp            informational  false    Server Service Code Execution
5799.7   meta                  high           false    Server Service Code Execution
5800.0   string-tcp            medium         false    HTTP Large Content-Type
5814.0   meta                  high           false    Step-by-Step Interactive Training Remote Code Execution
5814.1   string-tcp            informational  false    Step-by-Step Interactive Training Remote Code Execution
5814.2   string-tcp            informational  false    Step-by-Step Interactive Training Remote Code Execution
5815.0   meta                  high           false    WebViewFolderIcon setSlice() Overflow
5815.1   string-tcp            informational  false    WebViewFolderIcon setSlice() Overflow
5815.2   string-tcp            informational  false    WebViewFolderIcon setSlice() Overflow
5827.1   string-tcp            informational  false    Internet Explorer ActiveX Control Arbitrary Code Execution
5827.2   string-tcp            informational  false    Internet Explorer ActiveX Control Arbitrary Code Execution
5840.0   string-tcp            high           false    Internet Explorer CLSID Code Execution
5856.0   meta                  high           false    Agent URL Parsing Remote Code Execution
5856.1   string-tcp            informational  false    Agent URL Parsing Remote Code Execution
5856.2   string-tcp            informational  false    Agent URL Parsing Remote Code Execution
5863.0   meta                  high           false    Internet Explorer CAPICOM.Certificates Remote Code Execution
5863.1   string-tcp            informational  false    Internet Explorer CAPICOM.Certificates Remote Code Execution
5863.2   string-tcp            informational  false    Internet Explorer CAPICOM.Certificates Remote Code Execution
5865.0   meta                  high           false    Microsoft WMS Arbitrary File Rewrite Vulnerability
5865.1   string-tcp            informational  false    Microsoft WMS Arbitrary File Rewrite Vulnerability
5865.2   string-tcp            informational  false    Microsoft WMS Arbitrary File Rewrite Vulnerability
5870.0   string-tcp            high           false    Win32 API Vulnerability
5880.0   string-tcp            high           false    Sun Java Web Start JNLP File Stack Overflow
5909.0   string-tcp            medium         false    Browser Address Bar Spoofing Attack
6228.0   meta                  high           false    Mac OSX Software Update Remote Code Execution
6228.1   string-tcp            informational  false    Mac OSX Software Update Remote Code Execution
6228.2   string-tcp            informational  false    Mac OSX Software Update Remote Code Execution
6228.3   string-tcp            informational  false    Mac OSX Software Update Remote Code Execution
6229.0   meta                  high           false    MS SQL Server sqldmo.dll Overflow
6229.1   string-tcp            informational  false    MS SQL Server sqldmo.dll Overflow
6229.2   string-tcp            informational  false    MS SQL Server sqldmo.dll Overflow
6513.0   meta                  medium         false    Macrovision FlexNet DownloadManager Insecure Methods
6513.1   string-tcp            informational  false    Macrovision FlexNet DownloadManager Insecure Methods
6513.2   string-tcp            informational  false    Macrovision FlexNet DownloadManager Insecure Methods
6777.0   meta                  high           false    Windows OLE Automation Remote Code Execution
6777.1   string-tcp            informational  false    Windows OLE Automation Remote Code Execution
6777.2   string-tcp            informational  false    Windows OLE Automation Remote Code Execution
6778.0   string-tcp            high           false    Microsoft Works Converter Index Table Vulnerability
6924.0   string-tcp            high           false    MS Publisher Remote Code Execution
6925.0   meta                  high           false    IE Property Memory Corruption
6925.1   string-tcp            informational  false    IE Property Memory Corruption
6925.2   string-tcp            informational  false    IE Property Memory Corruption
6925.3   string-tcp            informational  false    IE Property Memory Corruption
12022.0  string-tcp            low            false    Perfect Keylogger Activity
12022.1  string-tcp            low            false    Perfect Keylogger Activity

CAVEATS

The S386 signature update includes a change in the active state of a number of signatures. Installing the update may result in an out-of-memory condition on devices with high memory usage. Cisco recommends that users of these devices plan for a system reset after the signature update is installed, to restore normal memory conditions.

Modified signature(s) detail:

The following signatures were set disabled and retired by default:
12022-0; 12022-1; 3113-1; 3128-1; 3130-0; 3133-0; 3137-6; 3328-2; 5416-1; 5499-0; 5503-0; 5520-0; 5635-0; 5635-1; 5635-2; 5644-0; 5644-1; 5644-2; 5644-3; 5706-0; 5731-0; 5731-1; 5731-2; 5737-0; 5747-0; 5747-1; 5747-2; 5748-0; 5748-1; 5748-2; 5748-3; 5748-4; 5748-5; 5749-0; 5775-0; 5799-0; 5799-1; 5799-2; 5799-3; 5799-4; 5799-5; 5799-6; 5799-7; 5800-0; 5814-0; 5814-1; 5814-2; 5815-0; 5815-1; 5815-2; 5827-1; 5827-2; 5840-0; 5856-0; 5856-1; 5856-2; 5863-0; 5863-1; 5863-2; 5865-0; 5865-1; 5865-2; 5870-0; 5880-0; 5909-0; 6228-0; 6228-1; 6228-2; 6228-3; 6229-0; 6229-1; 6229-2; 6513-0; 6513-1; 6513-2; 6777-0; 6777-1; 6777-2; 6778-0; 6924-0; 6925-0; 6925-1; 6925-2; 6925-3.

The sig-type parameter that was missing from a number of signatures was populated in this release; however, the signatures in question were not re-released, as this change has no effect on functionality. The changes are visible in the 386.edc.inc XML file.
========================================================================
S385 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
15733.0  string-tcp            high           true     MS Excel Invalid Object Arbitrary Code Execution

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

========================================================================
S384 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
15493.0  service-http          medium         true     Cisco ANM Java Agent Privilege Escalation
15634.0  string-tcp            high           true     Cisco ACE Crafted SSH Packet Vulnerability
15653.0  atomic-ip             medium         true     Crafted SNMPv3 packet may crash ACE appliance
15673.0  service-http          high           true     Cisco Unified MeetingPlace Stored XSS

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

========================================================================
S383 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
15613.0  string-tcp            high           true     Malicious Adobe Reader PDF File
15613.1  string-tcp            high           true     Malicious Adobe Reader PDF File

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

========================================================================
S382 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
15233.1  string-tcp            high           true     Internet Explorer Uninitalized Memory Corruption
15233.2  string-tcp            high           true     Internet Explorer Uninitalized Memory Corruption

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
========================================================================
S381 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
15233.0  string-tcp            high           true     Internet Explorer Uninitalized Memory Corruption
15234.0  string-tcp            high           true     Internet Explorer CSS Memory Corruption Vulnerability
15235.0  state                 high           true     Exchange Server Memory Corruption Vulnerability
15293.0  string-tcp            informational  false    Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293.1  string-tcp            informational  false    Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293.2  string-tcp            informational  false    Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293.3  string-tcp            informational  false    Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293.4  string-tcp            informational  false    Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293.5  string-tcp            informational  false    Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293.6  string-tcp            informational  false    Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293.7  string-tcp            informational  false    Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293.8  string-tcp            informational  false    Microsoft Internet Explorer ActiveX Kill Bit CLSID
15313.0  string-tcp            high           true     MS SQL sp_replwritetovarbin Limited Memory Overwrite

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
========================================================================
S380 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
6402.0   service-smb-advanced  high           false    Samba SPOOLSS Notify Options Heap overflow
15113.0  string-tcp            high           true     Long IMAP CREATE Command
15116.0  string-tcp            medium         false    MySQL Server Date_format Function Format String Vulnerability
15253.0  state                 high           true     Novell GroupWise Internet Agent RCPT Overflow

TUNED SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
3408.0   string-tcp            high           true     Telnet Client LINEMODE SLC Option Overflow

CAVEATS

None.

Modified signature(s) detail: None.

========================================================================
S379 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
7289.0   string-tcp            high           true     SAP MaxDB Remote Arbitrary Commands Execution
7293.0   service-http          high           true     Trend Micro OfficeScan Password Decryption Function Buffer Overflow
15153.0  atomic-ip             high           true     libspf2 DNS TXT Record Parsing Buffer Overflow
15175.0  string-tcp            high           true     Microsoft Internet Explorer 7 Input Tag Denial of Service
15175.1  string-tcp            high           true     Microsoft Internet Explorer 7 Input Tag Denial of Service
15193.0  service-http          high           true     Waledac Trojan Activity
15193.1  service-http          high           true     Waledac Trojan Activity
15193.2  string-tcp            high           true     Waledac Trojan Activity

TUNED SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
3347.1   string-tcp            high           true     Windows ASN.1 Library Bit String Heap Corruption
5505.0   atomic-ip             high           true     RIP Trace
5505.1   atomic-ip             high           true     RIP Trace
7295.0   service-dns           high           false    libspf2 DNS TXT Record Parsing Buffer Overflow

CAVEATS

None.

Modified signature(s) detail:
- 3347-1 has been unretired and enabled; port 139 was added to its service-ports.
- 5505-[01]: a source port has been added to the signatures to reduce false positives.
- 7295-0 has been retired/disabled and is obsoleted by 15153-0.
========================================================================
S378 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
7249.0   string-tcp            high           false    Microsoft Help Project Files (HPJ) Buffer Overflow
7284.0   string-tcp            high           true     Borland InterBase Service Attach Request Overflow
7295.0   service-dns           high           true     libspf2 DNS TXT Record Parsing Buffer Overflow
11203.1  fixed-tcp             medium         true     IRC Channel Join
15001.0  string-tcp            medium         true     AtTheOffice Activity
15016.0  atomic-ip             high           false    DNS Query For ROOT

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

========================================================================
S377 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
13491.0  meta                  high           true     Worm Activity - Brute Force
13492.0  meta                  high           true     Worm Activity - Brute Force

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

========================================================================
S376 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
15005.0  string-tcp            high           true     Microsoft Windows SMB Remote Code Execution
15006.0  service-smb-advanced  high           true     Microsoft Windows SMB Remote Code Execution

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

========================================================================
S375 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
5991.0   service-http          high           true     MaxDB WebDBM Buffer Overflow
7286.0   string-tcp            high           true     Citrix IMA Service Buffer Overflow

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
========================================================================
S374 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
6282.1   string-tcp            high           true     Malformed PICT Filter Vulnerability

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

========================================================================
S373 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
5859.0   string-tcp            high           true     uTorrent File Handling Buffer Overflow
7306.2   string-tcp            high           true     Microsoft Internet Explorer XML Code Execution
7306.3   string-tcp            high           true     Microsoft Internet Explorer XML Code Execution
7307.0   meta                  high           true     MS SQL Server sp_replwritetovarbin memory overwrite
7307.1   string-tcp            informational  true     MS SQL Server sp_replwritetovarbin memory overwrite
7307.2   string-tcp            informational  true     MS SQL Server sp_replwritetovarbin memory overwrite
7308.0   string-tcp            high           true     DLL Memory Protection Bypass

TUNED SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
7296.0   string-tcp            high           true     Word RTF Object Parsing Vulnerability
7430.0   string-tcp            high           true     Microsoft Internet Explorer Embedded Object Code Execution

CAVEATS

None.

Modified signature(s) detail:
- 7296-0: The regex has been modified to improve fidelity.
- 7430-0: The title of this signature has been changed to improve its accuracy.

========================================================================
S372 SIGNATURE UPDATE DETAILS
========================================================================

NEW SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
7306.1   string-tcp            high           true     Microsoft Internet Explorer XML Code Execution

TUNED SIGNATURES

SIGID    ENGINE                SEVERITY       ENABLED  SIGNAME
7428.0   string-tcp            high           true     Microsoft Word RTF File Code Execution

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S371 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
7306.0    Microsoft Internet Explorer XML Code Execution                      string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S370 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5082.0    IE HTML Objects Memory Corruption                                   string-tcp            high           true
6226.0    Trojan.Srizbi Bot                                                   atomic-ip             high           true
6227.0    Visual Basic Charts Control Memory Corruption                       string-tcp            high           true
6295.0    LANDesk Intel QIP Service Heal Packet Buffer Overflow               multi-string          high           true
6977.0    Wonderware Suitlink Denial Of Service                               string-tcp            high           true
6977.1    Wonderware Suitlink Denial Of Service                               string-tcp            high           true
7221.0    Hierarchical FlexGrid Control Memory Corruption                     meta                  high           true
7221.1    Hierarchical FlexGrid Control Memory Corruption                     string-tcp            informational  true
7221.2    Hierarchical FlexGrid Control Memory Corruption                     string-tcp            informational  true
7253.0    Novell ZENworks Desktop Management CanUninstall ActiveX Overflow    meta                  high           true
7253.1    Novell ZENworks Desktop Management CanUninstall ActiveX Overflow    string-tcp            informational  true
7265.0    GDI Integer Overflow                                                string-tcp            high           true
7296.0    Word RTF Object Parsing Vulnerability                               string-tcp            high           true
7297.0    MS Word Memory Corruption Vulnerability                             string-tcp            high           true
7298.0    MS Visual Basic Flexgrid Control Buffer Overflow                    meta                  high           true
7298.1    MS Visual Basic Flexgrid Control Buffer Overflow                    string-tcp            informational  true
7299.0    Microsoft Word RTF RCE                                              string-tcp            high           true
7300.0    Sharepoint Access Control Vulnerability                             service-http          high           true
7301.0    Excel Global Array Memory Corruption                                string-tcp            high           true
7302.0    Microsoft Windows Search Remote Code Execution                      string-tcp            high           true
7303.0    Microsoft Excel File Parsing Overflow                               string-tcp            high           true
7304.0    Microsoft Word File Parsing Overflow                                string-tcp            high           true
7422.1    Oracle WebLogic Apache Connector Buffer Overflow                    string-tcp            high           true
7425.0    Visual Basic 6 ActiveX Runtime Overflow                             meta                  high           true
7425.1    Visual Basic 6 ActiveX Runtime Overflow                             string-tcp            informational  true
7426.0    Shell32 ActiveX Vulnerability                                       meta                  high           true
7426.1    Shell32 ActiveX Vulnerability                                       string-tcp            informational  true
7427.0    Shell32 ActiveX Vulnerability                                       meta                  high           true
7427.1    Shell32 ActiveX Vulnerability                                       string-tcp            informational  true
7428.0    Microsoft Word RTF File Code Execution                              string-tcp            high           true
7429.0    Microsoft Windows Search-ms Protocol Handler Code Execution         string-tcp            high           true
7430.0    Microsoft Internet Explorer Embedded Object Code Execution          string-tcp            high           true
7432.0    Word RTF Object Parsing Remote Code Execution                       meta                  high           true
7432.1    Word RTF Object Parsing Remote Code Execution                       string-tcp            informational  true
7432.2    Word RTF Object Parsing Remote Code Execution                       string-tcp            informational  true
7434.0    Microsoft Word Memory Corruption Vulnerability                      string-tcp            high           true
7436.0    File Format Parsing Remote Code Execution                           string-tcp            high           true
7438.0    MS DataGrid Control Memory Corruption                               string-tcp            high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
7422.0    Oracle WebLogic Apache Connector Buffer Overflow                    service-http          high           false

CAVEATS

None.

Modified signature(s) detail:

7422-0: This signature has been obsoleted by signature 7422-1 to increase its fidelity.

=================================================================================================
S369 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
6975.0    Arbitrary File Upload In CA ARCserve                                string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S368 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5640.3    XML Race Condition in Internet Explorer                             string-tcp            informational  true
7232.0    CA ARCserve Backup Authentication Username Overflow                 string-tcp            high           true
7235.0    CoolPlayer m3u Playlist Stack Overflow                              string-tcp            high           true
7239.0    ChilkatHttp ActiveX Arbitrary File Overwrite                        meta                  high           true
7239.1    ChilkatHttp ActiveX Arbitrary File Overwrite                        string-tcp            informational  true
7239.2    ChilkatHttp ActiveX Arbitrary File Overwrite                        string-tcp            informational  true
7241.0    Akamai Download Manager ActiveX Control Remote Code Execution       meta                  high           true
7241.1    Akamai Download Manager ActiveX Control Remote Code Execution       string-tcp            informational  true
7241.2    Akamai Download Manager ActiveX Control Remote Code Execution       string-tcp            informational  true
7251.0    Iseemedia LPViewer ActiveX Buffer Overflows                         meta                  high           true
7251.1    Iseemedia LPViewer ActiveX Buffer Overflows                         string-tcp            informational  true
7264.0    Adobe util.printf JavaScript Stack Buffer Overflow                  meta                  high           true
7264.1    Adobe util.printf JavaScript Stack Buffer Overflow                  string-tcp            informational  true
7264.2    Adobe util.printf JavaScript Stack Buffer Overflow                  string-tcp            informational  true
7264.3    Adobe util.printf JavaScript Stack Buffer Overflow                  string-tcp            high           true
7264.4    Adobe util.printf JavaScript Stack Buffer Overflow                  string-tcp            high           true
7282.0    SecurityGateway Username Buffer Overflow                            service-http          high           true
7422.0    Oracle WebLogic Apache Connector Buffer Overflow                    service-http          high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5474.0    SQL Query in HTTP Request                                           service-http          low            true
5575.0    NBT NetBIOS Session Service Failed Login                            service-smb-advanced  informational  true
5640.0    XML Race Condition in Internet Explorer                             meta                  high           true
5916.0    URL Handler Vulnerability                                           string-tcp            high           true
6522.0    Failed HTTP Login / HTTP 401                                        atomic-ip             medium         false
7231.0    Windows Media Encoder 9 Remote Code Execution                       meta                  high           true
7231.1    Windows Media Encoder 9 Remote Code Execution                       string-tcp            informational  true
7231.2    Windows Media Encoder 9 Remote Code Execution                       string-tcp            informational  true

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S367 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5640.0    XML Race Condition in Internet Explorer                             meta                  high           true
5640.1    XML Race Condition in Internet Explorer                             string-tcp            informational  true
5640.2    XML Race Condition in Internet Explorer                             string-tcp            informational  true
6795.0    Panda ActiveScan ActiveX Overflow                                   meta                  high           true
6795.1    Panda ActiveScan ActiveX Overflow                                   string-tcp            informational  true
6990.3    Visual Studio Msmask32.ocx ActiveX Buffer Overflow                  meta                  informational  true
6990.4    Visual Studio Msmask32.ocx ActiveX Buffer Overflow                  string-tcp            informational  true
6990.5    Visual Studio Msmask32.ocx ActiveX Buffer Overflow                  string-tcp            informational  true
7245.2    Microsoft Excel Integer Overflow                                    string-tcp            high           true
7248.0    Microsoft SQL Server 2000 Client Components ActiveX Buffer Overflow  meta                  high           true
7248.1    Microsoft SQL Server 2000 Client Components ActiveX Buffer Overflow  string-tcp            informational  true
7255.0    MSXML Chunked Request Vulnerability                                 meta                  high           true
7255.1    MSXML Chunked Request Vulnerability                                 string-tcp            informational  true
7255.2    MSXML Chunked Request Vulnerability                                 string-tcp            informational  true
7283.0    Microsoft XML Core Services RCE                                     string-tcp            high           true
7283.1    Microsoft XML Core Services RCE                                     string-tcp            high           true
7287.0    KernelBot                                                           service-http          high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
3337.0    Windows RPC Race Condition Exploitation                             service-msrpc         high           false
3550.0    POP Buffer Overflow                                                 string-tcp            high           false
3735.0    CVS Flag Insertion Overflow                                         string-tcp            high           false
3737.0    Squid Proxy NTLM Authenticate Overflow                              string-tcp            high           false
4703.0    MSSQL Resolution Service Stack Overflow                             atomic-ip             high           true
5055.0    HTTP Basic Authentication Overflow                                  service-http          high           false
5565.4    Print Spooler Service Overflow                                      service-smb-advanced  high           true
5579.0    SMB Remote Registry Access Attempt                                  service-smb-advanced  informational  true
5586.0    Windows Locator Service Overflow                                    service-smb-advanced  high           true
5588.0    Windows DCOM Overflow                                               service-smb-advanced  high           true
5588.1    Windows DCOM Overflow                                               service-smb-advanced  high           true
5591.0    SMB: Windows Share Enumeration                                      service-smb-advanced  informational  true
5592.0    SMB: RFPoison Attack                                                service-smb-advanced  high           true
5598.0    Windows Workstation Service Overflow                                service-smb-advanced  high           true
5598.1    Windows Workstation Service Overflow                                service-smb-advanced  high           true
5601.1    Windows LSASS RPC Overflow                                          service-smb-advanced  high           true
5637.0    Internet Explorer FTP Download Path Traversal                       string-tcp            high           false
5717.0    Ipswitch SMTP Format String                                         string-tcp            high           false
5846.0    FTP 230 Reply Code                                                  string-tcp            informational  false
5847.0    FTP Successful Privileged Login                                     meta                  low            false
5847.1    FTP Successful Privileged Login                                     meta                  low            false
5858.5    DNS Server RPC Interface Buffer Overflow                            service-smb-advanced  high           true
5860.0    IOS FTPd Successful Login                                           meta                  low            false
6005.0    Unencrypted SSL Traffic                                             service-http          low            false
6055.0    DNS Inverse Query Buffer Overflow                                   service-dns           high           false
6131.10   Microsoft Plug and Play Overflow                                    service-smb-advanced  high           true
6131.11   Microsoft Plug and Play Overflow                                    service-smb-advanced  high           true
6253.0    POP3 Authorization Failure                                          string-tcp            informational  false
6769.0    Netware LSASS CIFS.NLM Driver Overflow                              service-smb-advanced  high           true
6946.0    Web Client Remote Code Execution Vulnerability                      service-smb-advanced  high           true
6990.0    Visual Studio Msmask32.ocx ActiveX Buffer Overflow                  meta                  high           true
7280.0    Windows Server Service Remote Code Execution                        service-smb-advanced  high           true
7280.1    Windows Server Service Remote Code Execution                        service-smb-advanced  high           true
11020.1   BitTorrent Client Activity                                          service-p2p           low            true
11245.3   IRC Server Connection                                               fixed-tcp             medium         true

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S366 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
4500.0    Cisco IOS Embedded SNMP Community Names                             service-snmp          high           false
4500.1    Cisco IOS Embedded SNMP Community Names                             service-snmp          high           false
5123.2    WWW IIS Internet Printing Overflow                                  service-http          high           false
5442.0    Cursor/Icon File Format Buffer Overflow                             string-tcp            high           false
6250.0    FTP Authorization Failure                                           string-tcp            informational  false
6979.0    BEA WebLogic Server Apache Connector HTTP Version String BO         string-tcp            high           false
6996.0    GDI+ BMP Integer Overflow                                           string-tcp            high           false

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S365 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
1317.0    Zero Window Probe                                                   normalizer            informational  true
1400.0    GRE Over IPv6 Encapsulation                                         atomic-ip-advanced    informational  false
1401.0    IPIP Encapsulation                                                  atomic-ip-advanced    informational  false
1402.0    MPLS Over IPv6 Encapsulation                                        atomic-ip-advanced    informational  false
1403.0    IPv4 Over IPv6 Encapsulation                                        atomic-ip-advanced    informational  false
1405.0    Teredo Destination IP Address                                       atomic-ip-advanced    informational  false
1406.0    Teredo Source Port                                                  atomic-ip-advanced    medium         false
1407.0    Teredo Destination Port                                             atomic-ip-advanced    informational  false
1408.0    Teredo Data Packet                                                  atomic-ip-advanced    informational  false
1409.0    GRE Tunnel Detected                                                 atomic-ip-advanced    informational  false
1410.0    IPv6 Over MPLS Tunnel                                               atomic-ip-advanced    informational  false
1610.0    ICMPv6 Echo Request                                                 atomic-ip-advanced    informational  false
1611.0    ICMPv6 Echo Reply                                                   atomic-ip-advanced    informational  false
1612.0    ICMPv6 Destination Unreachable                                      atomic-ip-advanced    informational  false
1613.0    ICMPv6 Packet Too Big Message                                       atomic-ip-advanced    informational  false
1614.0    ICMPv6 Time Exceeded Message                                        atomic-ip-advanced    informational  false
1615.0    ICMPv6 Parameter Problem Message                                    atomic-ip-advanced    informational  false
1616.0    ICMPv6 Group Membership Query                                       atomic-ip-advanced    informational  false
1617.0    ICMPv6 Group Membership Report                                      atomic-ip-advanced    informational  false
1618.0    ICMPv6 Membership Reduction                                         atomic-ip-advanced    informational  true
1619.0    ICMPv6 Router Solicitation                                          atomic-ip-advanced    informational  false
1620.0    ICMPv6 Router Advertisement                                         atomic-ip-advanced    informational  false
1621.0    ICMPv6 Neighbor Solicitation                                        atomic-ip-advanced    informational  false
1622.0    ICMPv6 Neighbor Advertisement                                       atomic-ip-advanced    informational  false
1623.0    ICMPv6 Redirect                                                     atomic-ip-advanced    informational  false
1624.0    ICMPv6 Router Renumbering                                           atomic-ip-advanced    informational  false
1625.0    ICMPv6 Membership Report V2                                         atomic-ip-advanced    informational  false
1626.0    Large ICMPV6 Traffic                                                atomic-ip-advanced    informational  false
1627.0    Fragmented ICMPv6 Traffic                                           atomic-ip-advanced    informational  false
1628.0    ICMPv6 Traffic over IPv4                                            atomic-ip-advanced    medium         true
1629.0    ICMP Traffic over IPv6                                              atomic-ip-advanced    medium         true
1630.0    ICMPv6 Packet Too Big                                               atomic-ip-advanced    medium         true
1700.0    IPv6 Hop-by-Hop Options Present                                     atomic-ip-advanced    informational  false
1701.0    IPv6 Destination Options Header Present                             atomic-ip-advanced    informational  false
1702.0    IPv6 Routing Header Present                                         atomic-ip-advanced    informational  false
1703.0    IPv6 Fragmented Traffic                                             atomic-ip-advanced    informational  false
1704.0    IPv6 Authentication Header Present                                  atomic-ip-advanced    informational  false
1705.0    IPv6 ESP Header Present                                             atomic-ip-advanced    informational  false
1706.0    Invalid IPv6 Header Traffic Class Field                             atomic-ip-advanced    informational  false
1707.0    Invalid IPv6 Header Flow Label Field                                atomic-ip-advanced    informational  false
1708.0    IPv6 Header Contains An Invalid Address                             atomic-ip-advanced    informational  false
1710.0    IPv6 Extensions Headers Out Of Order                                atomic-ip-advanced    low            true
1711.0    Duplicate IPv6 Extension Headers                                    atomic-ip-advanced    low            true
1712.0    IPv6 Packet Contains Duplicate Src And Dst Address                  atomic-ip-advanced    high           true
1713.0    IPv6 Header Contains Multicast Source Address                       atomic-ip-advanced    high           true
1714.0    IPv6 Address Set To localhost                                       atomic-ip-advanced    high           true
1716.0    IPv6 Options Padding Too Long                                       atomic-ip-advanced    low            true
1717.0    Back To Back Padding Options                                        atomic-ip-advanced    low            true
1718.0    IPv6 Option Data Too Short                                          atomic-ip-advanced    low            true
1719.0    IPv6 Endpoint Identification Option Set                             atomic-ip-advanced    informational  false
1720.0    IPv6 Jumbo Payload Option Set                                       atomic-ip-advanced    informational  true
1721.0    IPv6 Router Alert Option Set                                        atomic-ip-advanced    informational  false
1722.0    IPv6 Tunnel Encapsulation Limit Option Set                          atomic-ip-advanced    medium         true
1723.0    IPv6 Packet Contains Unassigned Options                             atomic-ip-advanced    medium         true
1724.0    IPv6 Endpoint Identification Option Set                             atomic-ip-advanced    informational  false
1725.0    IPv6 Tunnel Encapsulation Limit Option Set                          atomic-ip-advanced    informational  false
1726.0    IPv6 Invalid Option Set                                             atomic-ip-advanced    medium         true
1727.0    IPv6 Router Alert Option Set                                        atomic-ip-advanced    medium         true
1728.0    IPv6 Routing Header Type 0                                          atomic-ip-advanced    informational  true
1730.0    IPv6 Type 1 Routing Header                                          atomic-ip-advanced    informational  true
1731.0    IPv6 Type 2 Routing Header                                          atomic-ip-advanced    informational  false
1732.0    IPv6 Routing Header Type Unknown Type                               atomic-ip-advanced    medium         true
1733.0    Invalid IPv6 Routing Header Length                                  atomic-ip-advanced    high           true
1734.0    IPv6 Routing Header Incomplete                                      atomic-ip-advanced    high           true
1735.0    IPv6 Routing Header Contains Invalid IP Address                     atomic-ip-advanced    high           true
1736.0    IPv6 Routing Header Contains A Loop                                 atomic-ip-advanced    high           true
1737.0    IPv6 Routing Header Reserved Bits Set                               atomic-ip-advanced    medium         false
1738.0    IPv6 Unnecessary Fragment Header                                    atomic-ip-advanced    informational  true
1739.0    IPv6 Illegal Fragmentation                                          atomic-ip-advanced    high           true
1740.0    Small IPv6 Fragments                                                atomic-ip-advanced    informational  true
1741.0    IPv6 Fragment Header Reserved Bits Set                              atomic-ip-advanced    low            false

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
1007.0    IPv6 over IPv4 or IPv6                                              atomic-ip             informational  false
1304.0    TCP Session Packet Queue Overflow                                   normalizer            informational  true
5565.4    Print Spooler Service Overflow                                      service-smb-advanced  high           true
5579.0    SMB Remote Registry Access Attempt                                  service-smb-advanced  informational  true
5579.1    SMB Remote Registry Access Attempt                                  service-smb-advanced  medium         true
5583.0    SMB Remote SAM Service Access Attempt                               service-smb-advanced  informational  true
5586.0    Windows Locator Service Overflow                                    service-smb-advanced  high           true
5588.0    Windows DCOM Overflow                                               service-smb-advanced  high           true
5588.1    Windows DCOM Overflow                                               service-smb-advanced  high           true
5590.0    SMB: User Enumeration                                               service-smb-advanced  informational  true
5590.1    SMB: User Enumeration                                               service-smb-advanced  informational  true
5591.0    SMB: Windows Share Enumeration                                      service-smb-advanced  informational  true
5591.1    SMB: Windows Share Enumeration                                      service-smb-advanced  informational  true
5592.0    SMB: RFPoison Attack                                                service-smb-advanced  high           true
5598.0    Windows Workstation Service Overflow                                service-smb-advanced  high           true
5598.1    Windows Workstation Service Overflow                                service-smb-advanced  high           true
5600.0    Windows ASN.1 Bit String NTLMv2 Integer Overflow                    service-smb-advanced  high           true
5601.1    Windows LSASS RPC Overflow                                          service-smb-advanced  high           true
5858.5    DNS Server RPC Interface Buffer Overflow                            service-smb-advanced  high           true
6131.10   Microsoft Plug and Play Overflow                                    service-smb-advanced  high           true
6131.11   Microsoft Plug and Play Overflow                                    service-smb-advanced  high           true
6769.0    Netware LSASS CIFS.NLM Driver Overflow                              service-smb-advanced  high           true
6946.0    Web Client Remote Code Execution Vulnerability                      service-smb-advanced  high           true
7280.0    Windows Server Service Remote Code Execution                        service-smb-advanced  high           true
7280.1    Windows Server Service Remote Code Execution                        service-smb-advanced  high           true

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S364 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
7280.1    Windows Server Service Remote Code Execution                        service-smb-advanced  high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
7280.0    Windows Server Service Remote Code Execution                        service-smb-advanced  high           true

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S363 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
7280.0    Windows Server Service Remote Code Execution                        service-smb-advanced  high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S362 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
7261.0    IPP Service Integer Overflow Exploit                                string-tcp            high           true
7262.0    Active Directory Overflow Exploit                                   string-tcp            high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5683.0    Vista Feed Headlines Gadget Remote Code Execution                   meta                  high           false
5683.1    Vista Feed Headlines Gadget Remote Code Execution                   string-tcp            informational  false
5683.2    Vista Feed Headlines Gadget Remote Code Execution                   string-tcp            informational  false
5930.5    Generic SQL Injection                                               service-http          high           true
5930.18   Generic SQL Injection                                               service-http          high           true
6962.0    Cisco Unity DOS                                                     atomic-ip             medium         false

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S361 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5404.0    Internet Explorer Uninitialized Memory Corruption                   string-tcp            high           true
5925.0    Internet Explorer HTML Object Memory Corruption                     string-tcp            high           true
5930.8    Generic SQL Injection                                               service-http          high           true
5930.9    Generic SQL Injection                                               service-http          high           true
5930.10   Generic SQL Injection                                               service-http          high           true
5930.11   Generic SQL Injection                                               service-http          high           false
5930.12   Generic SQL Injection                                               service-http          high           true
5930.13   Generic SQL Injection                                               service-http          high           true
5930.14   Generic SQL Injection                                               service-http          high           true
5930.15   Generic SQL Injection                                               service-http          high           true
5930.16   Generic SQL Injection                                               service-http          high           true
5930.17   Generic SQL Injection                                               service-http          high           true
5930.18   Generic SQL Injection                                               service-http          high           true
5930.19   Generic SQL Injection                                               service-http          high           true
5930.20   Generic SQL Injection                                               service-http          high           true
7244.0    Microsoft Excel Buffer Overflow                                     string-tcp            high           true
7245.0    Microsoft Excel Integer Overflow                                    string-tcp            high           true
7245.1    Microsoft Excel Integer Overflow                                    string-tcp            high           true
7246.0    Microsoft Excel Spreadsheet Buffer Overflow                         string-tcp            high           true
7247.0    Window Location Property Cross Domain Information Disclosure        string-tcp            high           true
7257.0    Microsoft Internet Explorer Cross Domain Information Disclosure     string-tcp            high           true
7258.0    SMB Remote Code Execution                                           string-tcp            high           true
7259.0    Microsoft Message Queuing Remote Code Execution                     service-msrpc         high           true
7270.0    Host Integration Server Remote Code Execution                       service-msrpc         informational  true

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
6930.2    Office Web Components URL Parsing Vulnerability                     string-tcp            informational  true
6981.0    Microsoft PowerPoint Memory Allocation Exploit                      meta                  high           false
6981.1    Microsoft PowerPoint Memory Allocation Exploit                      string-tcp            informational  false
6981.2    Microsoft PowerPoint Memory Allocation Exploit                      string-tcp            informational  false
6981.3    Microsoft PowerPoint Memory Allocation Exploit                      meta                  informational  false

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S360 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5886.0    Sun Java Socks Proxy Overflow                                       string-tcp            high           true
5894.2    Storm Worm                                                          fixed-udp             high           true
6070.0    Windows Media Format Remote Code Execution                          meta                  high           true
6070.1    Windows Media Format Remote Code Execution                          string-tcp            informational  true
6070.2    Windows Media Format Remote Code Execution                          string-tcp            informational  true
6070.3    Windows Media Format Remote Code Execution                          string-tcp            informational  true
6070.4    Windows Media Format Remote Code Execution                          meta                  high           true
6070.5    Windows Media Format Remote Code Execution                          string-tcp            informational  true
6070.6    Windows Media Format Remote Code Execution                          meta                  high           true
6070.7    Windows Media Format Remote Code Execution                          string-tcp            informational  true
6962.0    Cisco Unity DOS                                                     atomic-ip             medium         true
6970.0    DirectShow SAMI Parsing Remote Code Execution                       meta                  high           true
6970.1    DirectShow SAMI Parsing Remote Code Execution                       string-tcp            informational  true
6970.2    DirectShow SAMI Parsing Remote Code Execution                       meta                  high           true
6970.3    DirectShow SAMI Parsing Remote Code Execution                       string-tcp            informational  true
6970.4    DirectShow SAMI Parsing Remote Code Execution                       string-tcp            informational  true
6971.0    Generic Exploit Component                                           string-tcp            informational  true
9584.0    Backdoor Stumbler                                                   atomic-ip             high           false

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5894.1    Storm Worm                                                          atomic-ip             high           false
5899.0    MSN Messenger Webcam Buffer Overflow                                atomic-ip             high           false
5930.0    Generic SQL Injection                                               service-http          high           true
5930.1    Generic SQL Injection                                               service-http          high           true
5930.2    Generic SQL Injection                                               service-http          high           true
5930.3    Generic SQL Injection                                               service-http          high           true
5930.4    Generic SQL Injection                                               service-http          high           true
5930.5    Generic SQL Injection                                               service-http          high           true
5930.6    Generic SQL Injection                                               service-http          high           true
5930.7    Generic SQL Injection                                               service-http          high           false
6017.0    DirectShow SAMI Parsing Remote Code Execution                       meta                  high           false
6017.1    DirectShow SAMI Parsing Remote Code Execution                       string-tcp            informational  false
6017.2    DirectShow SAMI Parsing Remote Code Execution                       string-tcp            informational  false
6017.3    DirectShow SAMI Parsing Remote Code Execution                       meta                  high           false
6017.4    DirectShow SAMI Parsing Remote Code Execution                       string-tcp            informational  false
6017.5    DirectShow SAMI Parsing Remote Code Execution                       string-tcp            informational  false
6069.0    Windows Media Format Remote Code Execution                          meta                  high           false
6069.1    Windows Media Format Remote Code Execution                          string-tcp            informational  false
6069.2    Windows Media Format Remote Code Execution                          string-tcp            informational  false
6069.3    Windows Media Format Remote Code Execution                          string-tcp            informational  false
6069.4    Windows Media Format Remote Code Execution                          meta                  high           false
6069.5    Windows Media Format Remote Code Execution                          string-tcp            informational  false
6069.6    Windows Media Format Remote Code Execution                          meta                  high           false
6069.7    Windows Media Format Remote Code Execution                          string-tcp            informational  false
6069.8    Windows Media Format Remote Code Execution                          string-tcp            informational  false
6545.0    WINS Local Privilege Escalation                                     atomic-ip             low            true
7212.0    Web Application Security Test/Attack                                service-http          high           true

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S359 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
6296.0    IBM Lotus Sametime Server Multiplexer Stack Buffer Overflow         service-http          high           true
6981.2    Microsoft PowerPoint Memory Allocation Exploit                      string-tcp            informational  true
6981.3    Microsoft PowerPoint Memory Allocation Exploit                      meta                  informational  true
7266.0    TWiki Remote Command Execution                                      service-http          high           true
7274.0    FlashGet FTP PWD Buffer Overflow                                    string-tcp            high           true
7278.0    Quicktime/Itunes Heap Overflow                                      string-tcp            high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5477.2    Possible Heap Payload Construction                                  string-tcp            informational  true
5585.0    SMB Suspicious Password Usage                                       service-smb-advanced  medium         false
5597.0    SMB MSRPC Messenger Overflow                                        service-smb-advanced  high           true
5602.0    Windows System32 Directory File Access                              service-smb-advanced  medium         true
5603.0    MSRPC Protocol violation                                            service-smb-advanced  medium         false
5888.0    TLBINF32.DLL COM Object Instantiation                               string-tcp            high           true
5892.0    Motive Communications ActiveUtils Buffer Overflow                   string-tcp            high           true
6187.0    CallManager TCP Connection DoS                                      atomic-ip             medium         true
6981.0    Microsoft PowerPoint Memory Allocation Exploit                      meta                  high           true
6981.1    Microsoft PowerPoint Memory Allocation Exploit                      string-tcp            informational  true

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S358 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5930.7    Generic SQL Injection                                               service-http          high           false
6989.0    IOSFW HTTP Inspection Vulnerability                                 service-http          high           true
6999.0    Cisco PIM Multicast Denial of Service Attack                        atomic-ip             medium         true
7269.0    Trend Micro OfficeScan Server Overflow                              service-http          high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5126.0    WWW IIS .ida Indexing Service Overflow                              service-http          high           true
5732.0    Web Client Remote Code Execution Vulnerability                      meta                  high           false
5732.1    Web Client Remote Code Execution Vulnerability                      string-tcp            informational  false
5732.2    Web Client Remote Code Execution Vulnerability                      string-tcp            medium         false
6994.0    Cisco Secure ACS EAP Overflow                                       service-generic       high           true

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S357 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
6789.0    Winamp Ultravox Stream Title Stack Overflow                         string-tcp            high           true
7277.0    Microsoft Windows SMB WRITE_ANDX Memory Corruption                  multi-string          high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5440.0    IRC Bot Activity                                                    string-tcp            low            true
5561.0    Windows SMTP Overflow                                               meta                  high           false
5561.1    Windows SMTP Overflow                                               service-dns           informational  false
5561.2    Windows SMTP Overflow                                               string-tcp            medium         false
5915.0    Microsoft FoxPro ActiveX Vulnerability                              string-tcp            high           true
6235.0    Apple Quicktime SMIL Overflow                                       string-tcp            high           true
6249.0    Visual Studio 6 ActiveX Exploit                                     string-tcp            high           true
6785.2    Microsoft Visual Basic VBP File Processing Buffer Overflow          string-tcp            informational  true
6935.0    CVE-2008-1086 ActiveX Killbit Update                                string-tcp            high           true
7217.0    Yahoo Toolbar ActiveX Buffer Overflow                               meta                  high           true
7217.1    Yahoo Toolbar ActiveX Buffer Overflow                               string-tcp            low            true
7217.2    Yahoo Toolbar ActiveX Buffer Overflow                               string-tcp            informational  true
7273.0    Ipswitch FTP Client Format String                                   string-tcp            high           true

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S356 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
7217.0    Yahoo Toolbar ActiveX Buffer Overflow                               meta                  high           true
7217.1    Yahoo Toolbar ActiveX Buffer Overflow                               string-tcp            low            true
7217.2    Yahoo Toolbar ActiveX Buffer Overflow                               string-tcp            informational  true
7234.0    CitectSCADA ODBC Service Buffer Overflow                            string-tcp            high           true
7273.0    Ipswitch FTP Client Format String                                   string-tcp            high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
3651.0    SSH CRC32 Overflow                                                  service-ssh           high           false

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S355 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5986.0    Microsoft GDI+ GIF Parsing Vulnerability                            string-tcp            high           true
6972.0    Rosoft Media Player Overflow                                        string-tcp            high           true
6990.0    Visual Studio Msmask32.ocx ActiveX Buffer Overflow                  meta                  high           true
6990.1    Visual Studio Msmask32.ocx ActiveX Buffer Overflow                  string-tcp            informational  true
6990.2    Visual Studio Msmask32.ocx ActiveX Buffer Overflow                  string-tcp            informational  true
6991.0    Symantec Veritas Storage Foundation Null Session                    multi-string          high           true
6994.0    Cisco Secure ACS EAP Overflow                                       service-generic       high           true
6995.0    GDI EMF Memory Corruption Vulnerability                             string-tcp            high           true
6996.0    GDI+ BMP Integer Overflow                                           string-tcp            high           true
6997.0    OneNote Uniform Resource Locator Validation Error Vulnerability     string-tcp            high           true
6998.0    Microsoft GDI+ WMF Buffer Overrun Exploit                           string-tcp            high           true
7231.0    Windows Media Encoder 9 Remote Code Execution                       meta                  high           true
7231.1    Windows Media Encoder 9 Remote Code Execution                       string-tcp            informational  true
7231.2    Windows Media Encoder 9 Remote Code Execution                       string-tcp            informational  true
7271.0    GDI+ VML Buffer Overrun Vulnerability                               string-tcp            high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5114.0    WWW IIS Unicode Attack                                              service-http          high           true
5114.1    WWW IIS Unicode Attack                                              service-http          high           true
5114.2    WWW IIS Unicode Attack                                              service-http          high           true
5114.3    WWW IIS Unicode Attack                                              service-http          high           true
5114.4    WWW IIS Unicode Attack                                              service-http          high           true
5114.5    WWW IIS Unicode Attack                                              service-http          high           true
5114.6    WWW IIS Unicode Attack                                              service-http          high           true
5114.7    WWW IIS Unicode Attack                                              service-http          high           true
5114.8    WWW IIS Unicode Attack                                              service-http          high           true
5126.0    WWW IIS .ida Indexing Service Overflow                              service-http          high           true
5726.0    Active Directory Failed Login                                       multi-string          medium         false
5726.1    Active Directory Failed Login                                       multi-string          medium         false

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S354 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
7212.0    Web Application Security Test/Attack                                service-http          high           true
7212.1    Web Application Security Test/Attack                                service-http          high           true
7220.0    Pidgin MSN Overflow                                                 string-tcp            high           true
7222.0    Joomla 1.5 Password Token Bypass                                    service-http          high           true
7275.0    Linux Kernel DCCP dccp_setsockopt_change Integer Overflow           service-generic       high           true
7415.0    OpenLDAP BER Decoding DoS                                           string-tcp            high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
2152.0    ICMP Flood                                                          flood-host            medium         false
2157.1    ICMP Hard Error DoS                                                 atomic-ip             medium         false
3102.0    Sendmail Invalid Sender                                             state                 medium         false
3109.0    Long SMTP Command                                                   state                 medium         false
3109.1    Long SMTP Command                                                   state                 medium         false
4055.2    B02K-UDP                                                            trojan-udp            high           false
5477.2    Possible Heap Payload Construction                                  string-tcp            high           true
5726.0    Active Directory Failed Login                                       multi-string          medium         false
5726.1    Active Directory Failed Login                                       multi-string          medium         false
5807.0    Indexing Service Cross Site Scripting Vulnerability                 service-http          high           true
6066.0    DNS Tunneling                                                       service-dns           medium         false
6408.0    IE DHTML Memory Corruption                                          meta                  high           false
6408.1    IE DHTML Memory Corruption                                          string-tcp            informational  false

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S353 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5930.6    Generic SQL Injection                                               service-http          high           true
7213.0    Poppler Uninitialized Pointer                                       string-tcp            high           true
7216.0    Skype Skype4COM: Heap Corruption                                    string-tcp            high           true
7218.0    Lotus Notes Applix Graphics Overflow                                state                 high           true
7225.0    Adobe Flash Clipboard Hijack                                        string-tcp            high           true
7226.0    Version Agnostic IOS Shellcode                                      fixed-tcp             high           true
7226.1    Version Agnostic IOS Shellcode                                      fixed-udp             high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
5905.1    Microsoft Internet Explorer Address Bar Spoof                       string-tcp            low            true

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S352 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                             ENGINE                SEVERITY       ENABLED
6988.0    WebEx Meeting Manager ActiveX Overflow                              meta                  high           true
6988.1    WebEx Meeting Manager ActiveX Overflow                              string-tcp            informational  true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S351 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5940.0    HTML Objects Memory Corruption Vulnerability                      string-tcp            high           true
6280.0    Messenger Information Disclosure Vulnerability                    string-tcp            low            false
6281.0    Malformed EPS Filter Vulnerability                                string-tcp            high           true
6282.0    Malformed PICT Filter Vulnerability                               string-tcp            high           true
6283.0    Malformed BMP Filter Vulnerability                                string-tcp            high           true
6932.0    HTML Objects Uninitialized Memory Corruption Vulnerability        string-tcp            high           true
6938.0    Microsoft IE Argument Handling Memory Corruption Exploit          string-tcp            high           true
6976.0    Microsoft Powerpoint 2003 Viewer Buffer Overflow                  string-tcp            high           true
6978.0    PowerPoint Parsing Overflow                                       string-tcp            high           true
6981.0    Microsoft PowerPoint Memory Allocation Exploit                    meta                  high           true
6981.1    Microsoft PowerPoint Memory Allocation Exploit                    string-tcp            informational  true
6983.0    Microsoft PICT Filter Parsing Exploit                             string-tcp            high           true
6984.0    Windows Image Color Management System RCE                         meta                  high           true
6984.1    Windows Image Color Management System RCE                         string-tcp            informational  true
6984.2    Windows Image Color Management System RCE                         string-tcp            informational  true
6984.3    Windows Image Color Management System RCE                         meta                  informational  true
6985.0    Microsoft Office WPG Image File Heap Corruption Exploit           string-tcp            high           true
6986.0    Microsoft IE HTML Objects Memory Corruption Exploit               string-tcp            high           true
6986.1    Microsoft IE HTML Objects Memory Corruption Exploit               string-tcp            high           true
7210.0    Microsoft Excel Remote Code Execution                             string-tcp            high           true
7210.1    Microsoft Excel Remote Code Execution                             string-tcp            high           true
7210.2    Microsoft Excel Remote Code Execution                             string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S350 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6279.0    Citrix Presentation Server Client ActiveX Overflow                meta                  high           true
6279.1    Citrix Presentation Server Client ActiveX Overflow                string-tcp            informational  true
6974.0    Motorola Timbuktu Pro Arbitrary File Deletion/Creation            string-tcp            high           true
6979.0    BEA WebLogic Server Apache Connector HTTP Version String BO       string-tcp            high           true
7209.0    Trend Micro OfficeScan BO Exploit                                 meta                  high           true
7209.1    Trend Micro OfficeScan BO Exploit                                 string-tcp            informational  true

TUNED SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5833.0    Quicktime RTSP URL Vulnerability                                  string-tcp            high           true
5906.0    Microsoft Malformed Word Document Code Execution                  string-tcp            high           true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S349 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5879.0    Apple QuickTime Java QTPointer Vulnerability                      string-tcp            high           true
5930.0    Generic SQL Injection                                             service-http          high           true
5930.1    Generic SQL Injection                                             service-http          high           true
5930.2    Generic SQL Injection                                             service-http          high           true
5930.3    Generic SQL Injection                                             service-http          high           true
5930.4    Generic SQL Injection                                             service-http          high           true
5930.5    Generic SQL Injection                                             service-http          high           true
5931.0    Google Ratproxy                                                   service-http          informational  true
5931.1    Google Ratproxy                                                   service-http          high           true
6267.0    IMAP Long FETCH Command                                           string-tcp            high           true
6268.0    HP Openview Network Node Manager Buffer Overflow                  string-tcp            high           true
6798.0    HP StorageWorks Buffer Overflow                                   string-tcp            high           true
6946.0    Web Client Remote Code Execution Vulnerability                    service-smb-advanced  high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S348 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6973.0    IOS FTPd MKD Command Buffer Overflow                              string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S347 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6945.0    HP OpenView OVAS.EXE Stack Overflow                               service-http          high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
4004.0    DNS Flood Attack                                                  flood-host            medium         true
5583.0    SMB Remote SAM Service Access Attempt                             service-smb-advanced  informational  true
5589.0    SMB: ADMIN$ Hidden Share Access Attempt                           service-smb-advanced  low            true
5601.1    Windows LSASS RPC Overflow                                        service-smb-advanced  high           true
5858.5    DNS Server RPC Interface Buffer Overflow                          service-smb-advanced  high           true
6131.10   Microsoft Plug and Play Overflow                                  service-smb-advanced  high           true
6131.11   Microsoft Plug and Play Overflow                                  service-smb-advanced  high           true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S346 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6298.0    Creative Software AutoUpdate Engine ActiveX Stack-Overflow        meta                  high           true
6298.1    Creative Software AutoUpdate Engine ActiveX Stack-Overflow        string-tcp            informational  true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S345 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6524.0    Yahoo! Assistant yNotifier.dll ActiveX Control Code Execution     meta                  high           true
6524.1    Yahoo! Assistant yNotifier.dll ActiveX Control Code Execution     string-tcp            informational  true

TUNED SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5590.0    SMB: User Enumeration                                             service-smb-advanced  informational  true
6184.0    Large SIP Message                                                 atomic-ip             medium         false
6518.1    SIP Long Header Field                                             atomic-ip             medium         true
6520.0    Long SIP Message                                                  atomic-ip             medium         false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S344 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6969.0    Microsoft Word Smart Tag Corruption Exploit                       string-tcp            high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6967.0    Microsoft SQL Server Privilege Elevation                          multi-string          high           true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S343 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
4004.0    DNS Flood Attack                                                  flood-host            medium         true
6790.0    Outlook Web Access Privilege Escalation                           state                 high           true
6790.1    Outlook Web Access Privilege Escalation                           state                 high           true
6792.0    SQL Memory Corruption Vulnerability                               service-http          high           true
6966.0    Malformed Search File Code Execution                              meta                  high           true
6966.1    Malformed Search File Code Execution                              string-tcp            informational  true
6966.2    Malformed Search File Code Execution                              string-tcp            informational  true
6967.0    Microsoft SQL Server Privilege Elevation                          multi-string          high           true
6968.0    Microsoft Access Snapshot Viewer ActiveX Remote Code Execution    meta                  high           true
6968.1    Microsoft Access Snapshot Viewer ActiveX Remote Code Execution    meta                  informational  true
6968.2    Microsoft Access Snapshot Viewer ActiveX Remote Code Execution    string-tcp            informational  true
6968.3    Microsoft Access Snapshot Viewer ActiveX Remote Code Execution    string-tcp            informational  true
6968.4    Microsoft Access Snapshot Viewer ActiveX Remote Code Execution    string-tcp            informational  true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S342 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6964.0    Asprox Injection Attempt                                          service-http          high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5565.4    Print Spooler Service Overflow                                    service-smb-advanced  high           true
5588.0    Windows DCOM Overflow                                             service-smb-advanced  high           true
5588.1    Windows DCOM Overflow                                             service-smb-advanced  high           true
6769.0    Netware LSASS CIFS.NLM Driver Overflow                            service-smb-advanced  high           true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S341 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6799.0    CUCM CTI DoS                                                      service-generic       medium         true

TUNED SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
5913.1    PIX/ASA/FWSM MGCP DoS                                             multi-string          medium         true
7202.0    UDP eDonkey Activity                                              service-p2p           low            false
11018.1   eDonkey Activity                                                  service-p2p           low            false
11022.1   Overnet Client Scan                                               service-p2p           low            false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S340 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6234.0    VideoLAN VLC Subtitle Overflow                                    string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S339 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
6177.0    Malformed SIP Invite Packet                                       atomic-ip             medium         true
6178.0    SIP Message DoS                                                   atomic-ip             medium         true
6179.0    Malformed MGCP Packet                                             atomic-ip             medium         true
6181.0    SIP DoS                                                           service-generic       medium         true
6184.0    Large SIP Message                                                 atomic-ip             medium         true
6186.0    RIS Data Collector Heap Overflow                                  string-tcp            high           true
6187.0    CallManager TCP Connection DoS                                    atomic-ip             medium         true
6515.0    Invalid SIP Response Code                                         atomic-ip             medium         true
6517.0    Malformed Via Header                                              atomic-ip             high           true
6518.0    SIP Long Header Field                                             atomic-ip             high           true
6518.1    SIP Long Header Field                                             atomic-ip             medium         true
6520.0    Long SIP Message                                                  atomic-ip             medium         true
6521.0    Call Manager Overflow                                             string-tcp            medium         true
6522.0    Failed HTTP Login / HTTP 401                                      atomic-ip             medium         true
6523.0    Non-Printable in SIP Header                                       atomic-ip             high           false
6761.0    Cisco Unified Communications Manager CTL Provider Heap Overflow   string-tcp            high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                           ENGINE                SEVERITY       ENABLED
1306.6    TCP option data after EOL option                                  normalizer            informational  true
1315.0    ACK w/o TCP Stream                                                normalizer            informational  false
1330.19   TCP timestamp option detected when not expected                   normalizer            informational  true
1330.20   TCP winscale option detected when not expected                    normalizer            informational  true
1330.21   TCP option SACK data detected when not expected.                  normalizer            informational  true
2200.0    Invalid IGMP Header DoS                                           service-generic       high           false
3307.0    Red Button                                                        meta                  informational  false
3327.11   Windows RPC DCOM Overflow                                         meta                  high           true
3334.3    Windows Workstation Service Overflow                              meta                  high           true
3334.4    Windows Workstation Service Overflow                              meta                  high           true
3334.5    Windows Workstation Service Overflow                              service-msrpc         high           true
3334.6    Windows Workstation Service Overflow                              service-msrpc         high           true
3334.8    Windows Workstation Service Overflow                              meta                  high           true
3338.1    Windows LSASS RPC Overflow                                        meta                  high           true
3338.3    Windows LSASS RPC Overflow                                        service-msrpc         high           true
3347.1    Windows ASN.1 Library Bit String Heap Corruption                  string-tcp            high           false
3353.1    SMB Request Overflow                                              meta                  high           false
3353.2    SMB Request Overflow                                              meta                  high           false
3409.3    Telnet Over Non-standard Ports                                    fixed-tcp             medium         false
3530.0    Cisco Secure ACS Oversized TACACS+ Attack                         service-generic       medium         false
3531.0    Cisco IOS Telnet DoS                                              service-generic       high           true
3532.0    Malformed BGP Open Message                                        service-generic       medium         true
5416.1    IE object data remote execution                                   meta                  informational  true
5496.0    License Logging Service Overflow                                  meta                  high           true
5498.0    Media Player IE Zone Bypass                                       meta                  medium         true
5556.1    Javaprxy.dll Heap Overflow                                        meta                  high           true
5556.3    Javaprxy.dll Heap Overflow                                        meta                  high           true
5556.4    Javaprxy.dll Heap Overflow                                        meta                  high           true
5557.2    Windows ICC Color Management Module Vulnerability                 meta                  high           true
5561.0    Windows SMTP Overflow                                             meta                  high           true
5565.2    Print Spooler Service Overflow                                    meta                  high           true
5565.4    Print Spooler Service Overflow                                    service-smb-advanced  high           true
5567.5    Veritas Backup Exec Remote Registry Access                        meta                  high           true
5567.6    Veritas Backup Exec Remote Registry Access                        meta                  high           true
5567.7    Veritas Backup Exec Remote Registry Access                        meta                  high           true
5567.8    Veritas Backup Exec Remote Registry Access                        meta                  medium         true
5572.1    Design Tools Diagram Surface ActiveX Control                      meta                  high           true
5572.2    Design Tools Diagram Surface ActiveX Control                      meta                  high           true
5588.0    Windows DCOM Overflow                                             service-smb-advanced  high           true
5598.0    Windows Workstation Service Overflow                              service-smb-advanced  high           true
5598.1    Windows Workstation Service Overflow                              service-smb-advanced  high           true
5601.1    Windows LSASS RPC Overflow                                        service-smb-advanced  high           true
5609.1    IE COM Object Memory Corruption Vulnerability                     meta                  high           true
5609.2    IE COM Object Memory Corruption Vulnerability                     meta                  high           true
5635.2    Plug and Play Overflow                                            meta                  high           true
5641.2    MS DTC DoS                                                        meta                  medium         true
5642.3    DirectShow Overflow                                               meta                  high           false
5644.3    Client Service for NetWare Overflow                               meta                  high           true
5683.0    Vista Feed Headlines Gadget Remote Code Execution                 meta                  high           true
5728.0    Windows IGMP DoS                                                  service-generic       medium         true
5731.0    Windows Media Player BMP Processing Vulnerability                 meta                  high           true
5732.0    Web Client Remote Code Execution Vulnerability                    meta                  high           true
5738.3    Windows ACS Registry Access                                       meta                  medium         true
5738.4    Windows ACS Registry Access                                       meta                  medium         true
5747.0    MDAC Function Remote Code Execution                               meta                  high           true
5748.0    Non-SMTP Session Start                                            meta                  low            true
5759.1    VNC Authentication Bypass                                         string-tcp            informational  false
5759.2    VNC Authentication Bypass                                         service-generic       informational  true
5759.3    VNC Authentication Bypass                                         meta                  high           true
5776.0    Routing and Remote Access Service Code Execution                  meta                  high           true
5776.4    Routing and Remote Access Service Code Execution                  meta                  high           true
5794.0    Routing and Remote Access Service RASMAN Registry Stack Overflow  meta                  high           true
5797.0    Exchange Calendar DoS                                             meta                  medium         true
5799.0    Server Service Code Execution                                     meta                  high           false
5799.4    Server Service Code Execution                                     meta                  high           true
5799.7    Server Service Code Execution                                     meta                  high           true
5804.0    VPN3000 Concentrator Unauthenticated FTP Access                   meta                  high           true
5805.0    VPN3000 Concentrator FTP RMD Execution                            meta                  high           true
5806.0    Winny P2P Connection Activity                                     meta                  low            false
5806.1    Winny P2P Connection Activity                                     service-generic       informational  false
5806.2    Winny P2P Connection Activity                                     service-generic       informational  false
5806.3    Winny P2P Connection Activity                                     service-generic       informational  false
5806.4    Winny P2P Connection Activity                                     service-p2p           medium         true
5809.0    DCERPC Authentication DoS                                         meta                  medium         true
5812.0    Cisco IPS SSL DOS Vulnerability                                   service-generic       medium         true
5812.1    Cisco IPS SSL DOS Vulnerability                                   service-generic       medium         true
5813.0    Microsoft Internet Explorer Vector Markup Language Vulnerability  meta                  high           true
5814.0    Step-by-Step Interactive Training Remote Code Execution           meta                  high           true
5815.0    WebViewFolderIcon setSlice() Overflow                             meta                  high           true
5821.0    DirectAnimation ActiveX Memory Corruption                         meta                  high           true
5822.0    Workstation Service Memory Corruption Vulnerability               meta                  high           true
5827.0    Internet Explorer ActiveX Control Arbitrary Code Execution        meta                  high           true
5829.0    Invalid SSL Packet                                                service-generic       medium         true
5832.0    IOS Crafted IP Option Vulnerability                               service-generic       high           true
5832.1    IOS Crafted IP Option Vulnerability                               service-generic       high           true
5832.2    IOS Crafted IP Option Vulnerability                               service-generic       high           true
5832.3    IOS Crafted IP Option Vulnerability                               service-generic       high           true
5835.2    Cisco IOS SIP DoS Vulnerability                                   meta                  medium         true
5835.5    Cisco IOS SIP DoS Vulnerability                                   meta                  medium         true
5837.0    Malformed TCP packet                                              service-generic       medium         true
5837.1    Malformed TCP packet                                              normalizer            informational  true
5847.0    FTP Successful Privileged Login                                   meta                  low            true
5847.1    FTP Successful Privileged Login                                   meta                  low            true
5854.0    Cisco CUCM/CUPS Denial of Service Vulnerability                   service-generic       medium         true
5856.0    Agent URL Parsing Remote Code Execution                           meta                  high           true
5857.0    UPnP Memory Corruption Vulnerability                              meta                  high           true
5858.1    DNS Server RPC Interface Buffer Overflow                          meta                  high           true
5858.5    DNS Server RPC Interface Buffer Overflow                          service-smb-advanced  high           true
5860.0    IOS FTPd Successful Login                                         meta                  low            true
5863.0    Internet Explorer CAPICOM.Certificates Remote Code Execution      meta                  high           true
5865.0    Microsoft WMS Arbitrary File Rewrite Vulnerability                meta                  high           true
5884.0    IOS NHRP Buffer Overflow                                          service-generic       high           true
5884.1    IOS NHRP Buffer Overflow                                          service-generic       high           true
5893.0    Cisco IP Phone Remote Denial of Service                           meta                  medium         true
5898.0    Microsoft Agent HTTP Code Execution                               meta                  high           true
5903.0    MS SharePoint XSS                                                 meta                  medium         true
5908.0    NNTP Overflow                                                     meta                  high           true
6017.0    DirectShow SAMI Parsing Remote Code Execution                     meta                  high           true
6017.3    DirectShow SAMI Parsing Remote Code Execution                     meta                  high           true
6069.0    Windows Media Format Remote Code Execution                        meta                  high           true
6069.4    Windows Media Format Remote Code Execution                        meta                  high           true
6069.6    Windows Media Format Remote Code Execution                        meta                  high           true
6110.0    RPC RSTATD Sweep                                                  meta                  high           true
6110.1    RPC RSTATD Sweep                                                  meta                  high           true
6111.0    RPC RUSESRD Sweep                                                 meta                  high           true
6111.1    RPC RUSESRD Sweep                                                 meta                  high           true
6112.0    RPC NFS Sweep                                                     meta                  high           true
6112.1    RPC NFS Sweep                                                     meta                  high           true
6113.0    RPC MOUNTD Sweep                                                  meta                  high           true
6113.1    RPC MOUNTD Sweep                                                  meta                  high           true
6114.0    RPC YPASSWDD Sweep                                                meta                  high           true
6114.1    RPC YPASSWDD Sweep                                                meta                  high           true
6115.0    RPC SELECTION SVC Sweep                                           meta                  high           true
6115.1    RPC SELECTION SVC Sweep                                           meta                  high           true
6116.0    RPC REXD Sweep                                                    meta                  high           true
6116.1    RPC REXD Sweep                                                    meta                  high           true
6117.0    RPC STATUS Sweep                                                  meta                  high           true
6117.1    RPC STATUS Sweep                                                  meta                  high           true
6118.0    RPC TTDB Sweep                                                    meta                  high           true
6118.1    RPC TTDB Sweep                                                    meta                  high           true
6130.3    Microsoft Message Queuing Overflow                                meta                  high           true
6130.5    Microsoft Message Queuing Overflow                                meta                  high           true
6130.9    Microsoft Message Queuing Overflow                                meta                  high           true
6130.11   Microsoft Message Queuing Overflow                                meta                  high           true
6131.2    Microsoft Plug and Play Overflow                                  meta                  high           true
6131.5    Microsoft Plug and Play Overflow                                  meta                  high           true
6131.7    Microsoft Plug and Play Overflow                                  meta                  high           true
6131.10   Microsoft Plug and Play Overflow                                  service-smb-advanced  high           true
6131.11   Microsoft Plug and Play Overflow                                  service-smb-advanced  high           true
6228.0    Mac OSX Software Update Remote Code Execution                     meta                  high           true
6229.0    MS SQL Server sqldmo.dll Overflow                                 meta                  high           true
6403.0    IE Uninitialized Memory Corruption                                meta                  high           true
6408.0    IE DHTML Memory Corruption                                        meta                  high           true
6409.0    IE Invalid Object Memory Corruption                               meta                  high           true
6410.0    IE Unsafe Memory Operation                                        meta                  high           true
6510.0    GOM Player ActiveX Control Buffer Overflow                        meta                  high           true
6768.0    Samba WINS Remote Code Execution Vulnerability                    meta                  high           true
6926.0    Cisco IOS DLSw DoS                                                service-generic       medium         true
6926.1    Cisco IOS DLSw DoS                                                service-generic       medium         true
7201.0    Gnutella Upload/Download Stream                                   service-p2p           low            true
7202.0    UDP eDonkey Activity                                              service-p2p           low            true
7203.0    ARES P2P activity                                                 service-p2p           medium         true
11000.3   KaZaA v2 UDP Client Probe                                         service-p2p           low            true
11001.1   Gnutella Client Request                                           service-p2p           low            true
11002.1   Gnutella Server Reply                                             service-p2p           low            true
11003.1   Qtella File Request                                               service-p2p           low            true
11004.1   Bearshare File Request                                            service-p2p           low            true
11005.2   KaZaA Client Activity                                             service-p2p           low            true
11006.1   Gnucleus File Request                                             service-p2p           low            true
11007.1   Limewire File Request                                             service-p2p           medium         true
11008.1   Morpheus File Request                                             service-p2p           low            true
11009.1   Phex File Request                                                 service-p2p           medium         true
11010.1   Swapper File Request                                              service-p2p           low            true
11011.1   XoloX File Request                                                service-p2p           low            true
11012.1   GTK-Gnutella File Request                                         service-p2p           low            true
11013.1   Mutella File Request                                              service-p2p           low            true
11017.1   Direct Connect Server Reply                                       service-p2p           medium         true
11018.1   eDonkey Activity                                                  service-p2p           low            true
11019.1   WinMx Server Response                                             service-p2p           low            false
11020.1   BitTorrent Client Activity                                        service-p2p           low            true
11022.1   Overnet Client Scan                                               service-p2p           low            true
11027.1   Gnutella File Search                                              service-p2p           low            true
11233.3   SSH Over Non-standard Ports                                       fixed-tcp             informational  false
11245.0   IRC Server Connection                                             string-tcp            informational  true
11245.1   IRC Server Connection                                             string-tcp            informational  true
11245.2   IRC Server Connection                                             fixed-tcp             informational  true
11245.3   IRC Server Connection                                             fixed-tcp             informational  true

CAVEATS

None.

Modified signature(s) detail: None.