Cisco Intrusion Prevention System Signature Update S651
June 13, 2012

Copyright (C) 1999-2012 Cisco Systems, Inc. All rights reserved.
Printed in the USA.

Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their registered owners.

========================================================================
Table Of Contents
========================================================================
S651 SIGNATURE UPDATE DETAILS
  - NEW SIGNATURES
  - TUNED SIGNATURES
  - CAVEATS
  - RESOLVED CAVEATS

IMPORTANT NOTES
  - SUPPORTED SENSOR SOFTWARE VERSIONS
  - CISCO SERVICE FOR IPS NEW LOCATION
  - AVAILABILITY OF 7.0(8)E4 SERVICE PACK
  - AVAILABILITY OF CISCO SECURITY MANAGER (CSM) 4.2 SERVICE PACK 1
  - CISCO IPS INDUSTRIAL CONTROL PROTECTION
  - E4 ENGINE UPDATE REQUIRED FOR SIGNATURE UPDATES S481 AND LATER

IPS 6.X AND 7.X SENSOR SIGNATURE UPDATE INSTRUCTIONS
  - TARGET PLATFORMS AND REQUIRED VERSIONS
  - INSTALLATION
  - UNINSTALLATION
  - CAVEATS

CSM/IPS MC SIGNATURE UPDATE INSTRUCTIONS
  - CSM VERSION 3.2 AND ABOVE
  - INSTALLATION
  - UNINSTALLATION
  - CAVEATS

S479-S650 SIGNATURE UPDATE DETAILS
  - NEW FEATURES
  - NEW SIGNATURES
  - TUNED SIGNATURES/RESOLVED CAVEATS
  - CAVEATS
========================================================================

=================================================================================================
S651 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                         ENGINE                SEVERITY       ENABLED
1279.0    Microsoft Internet Explorer and Lync HTML Sanitization Cross-Site Scripting     string-tcp            high           true
1281.0    Microsoft XML Core Services Remote Code Execution                               multi-string          high           true
1281.1    Microsoft XML Core Services Remote Code Execution                               string-xl-tcp         high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                                         ENGINE                SEVERITY       ENABLED
1274.0    Microsoft .NET Framework Memory Access Vulnerability                            string-tcp            high           true

CAVEATS

None.
Modified signature(s) detail: Sig 1274-0 has modified sig name.

=================================================================================================
IMPORTANT NOTES

SUPPORTED SENSOR SOFTWARE VERSIONS

Signature updates are currently tested and supported on the following sensor software releases according to the terms defined in the End-of-Sale Policy for Signature File Release on Intrusion Detection and Prevention (IDS/IPS) Sensors:
(http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_bulletin0900aecd80358daa.html)

  6.0(6) (Released: 29/MAR/2010)
  6.2(4) (Released: 27/JUN/2011)
  7.0(6) (Released: 13/SEP/2011) (support ending soon!)
  7.0(7) (Released: 31/JAN/2012)
  7.0(8) (Released: 29/MAY/2012) (new!)
  7.1(3) (Released: 06/DEC/2011) (support ending soon!)
  7.1(4) (Released: 05/MAR/2012)

Please upgrade to one of these sensor software versions to ensure correct sensor operation and effective signature coverage.

CISCO SERVICE FOR IPS NEW LOCATION

The new Cisco Services for IPS page brings all of SIO's IPS Signature content to one location, including signature search capabilities, Threat Defense Bulletins, documentation and training, links to software downloads, and access to support communities. This new IPS page is available here:
http://tools.cisco.com/security/center/ipshome.x

AVAILABILITY OF 7.0(8)E4 SERVICE PACK

This service pack is being used as a release vehicle to repair critical sensor failures. It includes the S615 signature level, but preserves any more recent signature levels installed on your sensor.

WARNING: CISCO.COM IP ADDRESS CHANGE IN AUTO UPDATE CONFIGURATION

The 7.0(8)E4 service pack changes the default value of the Cisco server IP address from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. Firewall rules may need to be updated to allow sensor connectivity to this new IP address if Cisco.com Auto Updates have been configured on your sensor.
For further information please read the full release notes here:
http://www.cisco.com/cisco/software/release.html?mdfid=282671829&flowid=4417&softwareid=282549758&release=7.0%288%29E4&relind=AVAILABLE&rellifecycle=&reltype=latest

AVAILABILITY OF CISCO SECURITY MANAGER (CSM) 4.2 SERVICE PACK 1

This release delivers several new features and enhancements. Cisco suggests that you deploy this service pack at the earliest opportunity. For further information please read the full Release Notes:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.2/release/notes/csmrn42.html

CISCO IPS INDUSTRIAL CONTROL PROTECTION

Cisco is now shipping a specialized set of Intrusion Prevention System signatures that protect Industrial Control Systems. These specially licensed signatures are uniquely crafted and tested for the exacting task of properly identifying and protecting critical industrial infrastructure.

Note: These signatures are specially licensed and should only be un-retired/enabled if you have purchased the Cisco IPS SCADA Signatures. Please reference the Cisco IPS Industrial Control Protection document for details:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ips_industrial_control_protection.pdf

E4 ENGINE UPDATE REQUIRED FOR SIGNATURE UPDATES S481 AND LATER

Beginning with S481, all signature updates require that your sensors be updated with the E4 engine update. Engine and signature updates can be downloaded automatically using Cisco Security Manager (CSM) or by sensors running IPS Version 6.1(1) or later. Sensors running IPS Version 6.1(1) or later that have been configured for automatic updates from cisco.com will automatically be updated with E4.
The updates can also be downloaded manually from the following location:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=268438162

You can navigate to the appropriate version by clicking on Intrusion Prevention System (IPS) -> IPS Appliances -> Cisco Intrusion Prevention System.

NOTE: You must have an active Cisco Service for IPS contract to download this software.

Please consult the table below for recommendations on upgrade paths:

Installed Release          Recommended Update
---------------------------------------------
6.0(6)E3 or earlier        6.0(6)E4
6.2(2)E3 or earlier        6.2(4)E4
6.1(3)E3 or earlier        6.2(4)E4
7.0(2)E3 or earlier        7.0(8)E4

Warning: Beginning with S366, signature updates will only be released for E4-level sensor software releases. These include: 6.0(6)E4, 6.2(2)E4 and 7.0(2)E4. Your sensors MUST be on one of these releases to receive further signature updates.

For more details regarding the E4 engine update, please refer to the readme files available at the download links listed above.

Please note that there is a 60-day grace period after a service pack or minor release during which any engine updates will be released for both the current and previous release. After 60 days, only the current release will receive an engine update. Customers who choose to remain on an older release will be required to update to the latest service pack in order to maintain up-to-date protection.

For more information on supported versions please click here:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_bulletin0900aecd80365daa.html

========================================================================
IPS 6.X AND 7.X SENSOR SIGNATURE UPDATE INSTRUCTIONS

TARGET PLATFORMS AND REQUIRED VERSIONS

------------------------------------------------------------------------
Note: Beginning with S481, signature updates have a minimum required Engine update level of E4.
You must be running the E4 engine update to install signature update S481 or later. The E4 engine update is supported on sensors running IPS versions 6.0(6), 6.1(3), 6.2(2), or 7.0(2).
------------------------------------------------------------------------
Note2: The S480 signature update has been packaged into the E4 engine update and will not be released as a separate signature update.
------------------------------------------------------------------------
Note3: All signature updates are cumulative. The S651 signature update contains all previously released signature updates. This signature update may contain signatures that include protected parameters. A protected value is not visible to the user.
------------------------------------------------------------------------

The IPS-sig-S651-req-E4.pkg upgrade file can be applied to the following sensor platforms:

- IPS-42xx Cisco Intrusion Prevention System (IPS) sensors
- IDS-42xx Cisco Intrusion Detection System (IDS) sensors (except the IDS-4220 and IDS-4230)
- WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2)
- NM-CIDS IDS Network Module for Cisco 26xx, 3680, and 37xx Router Families
- ASA-SSM-10 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- ASA-SSM-20 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- ASA-SSM-40 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
- AIM-IPS Cisco Advanced Integration Module for ISR Routers

The sensor must be running engine update version E4 before you can apply this signature update. To determine the current sensor version, log in to the CLI and type the following command at the prompt:

    show version

INSTALLATION

------------------------------------------------------------------------
Note: Signature updates may take a while to install depending on the sensor's upgrade history, configuration, and the amount of traffic the sensor is processing.
The AIM-IPS, for example, has taken up to 40 minutes to update during testing. Please do not reboot the sensor while the signature update is installing, as the sensor may be left in an unknown state requiring it to be reimaged.
------------------------------------------------------------------------

------------------------------------------------------------------------
Note: Before installing a new signature update, it is highly recommended that you back up your configuration file to a remote system. For details, refer to the Copy command section in the applicable Command Reference Guide located at the following URLs:

IPS Version 7.0: http://www.cisco.com/en/US/docs/security/ips/7.0/command/reference/crCmds.html#wp458440
IPS Version 6.2: http://www.cisco.com/en/US/docs/security/ips/6.2/command/reference/crCmds.html#wp458440
IPS Version 6.1: http://www.cisco.com/en/US/docs/security/ips/6.1/command/reference/crCmds.html#wp458440
IPS Version 6.0: http://www.cisco.com/en/US/docs/security/ips/6.0/command/reference/crCmds.html#wp458440
------------------------------------------------------------------------

WARNING: DO NOT REBOOT THE SENSOR DURING THE INSTALLATION PROCESS. Doing so will leave the sensor in an unknown state and may require that the sensor be re-imaged.

To install the S651 signature update:

1. Download the binary file IPS-sig-S651-req-E4.pkg to an ftp, scp, http, or https server on your network from:
   http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=268438162

   CAUTION: You must preserve the original file name.

2. Log in to the IPS CLI using an account with administrator privileges.

3. Type the following command to enter Configuration mode:

       configure terminal

4. Execute the upgrade command by typing the following:

       upgrade [URL]/IPS-sig-S651-req-E4.pkg

   where [URL] is the uniform resource locator pointing to where the signature update package is located.
   For example, to retrieve the update via FTP, type the following:

       upgrade ftp://username@ip-address//directory/IPS-sig-S651-req-E4.pkg

   The available transport methods are: SCP, FTP, HTTP, or HTTPS.

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

UNINSTALLATION

To uninstall the version S651 signature update and return the sensor to its previous state, follow these steps:

1. Log in to the CLI using an account with administrator privileges.

2. Type the following command to enter Configuration mode:

       configure terminal

3. Type the following command to start the downgrade:

       downgrade

------------------------------------------------------------------------
Note: The downgrade may take a long time to complete depending on the configuration of the sensor and the amount of traffic the sensor is processing. Please do not reboot the sensor while the signature update is occurring, as the sensor may be left in an unknown state requiring the sensor to be reimaged.
------------------------------------------------------------------------

========================================================================
CSM/IPS MC SIGNATURE UPDATE INSTRUCTIONS

The IPS-CS-MGR-sig-S481-req-E4.zip and later signature update files, which require the E4 update, have been tested for IPS versions as follows:

IPS Versions        CSM Versions Validated
========================================
IPS 6.0(6)E4        CSM 3.2.2 and later
IPS 6.2(2)E4        CSM 3.3 and later
IPS 7.0(2)E4        CSM 3.3 and later

For pushing E4-based signature update files to the AIM IPS platform, CSM 3.2 SP2 is required at a minimum since it has E2-specific fixes for AIM IPS.

Please note that upgrading to 6.2(2)E3 fails for SSC-5 devices using CSC 3.3 and CSM 3.3.1. This issue is being tracked using bug id CSCtc18941.

The E4 Engine Update packages for sensors are deployed automatically the first time a signature set that requires E4 is deployed by CSM.
If the target sensor is already running E4, the signature update will be applied directly without deploying the E3 package. E4 updates are not listed or available for selection in the Apply Update Wizard and cannot be applied independently by CSM. To ensure that the E4 update is applied to your sensors, please ensure that you push signature update S481 or later to your sensors.

------------------------------------------------------------------------
Note: Beginning with S481, signature updates have a minimum required Engine update level of E4. You must be running the E4 engine update to install signature update S481 or later. The E4 engine update is supported on sensors running IPS versions 6.0(6), 6.2(3) or 7.0(2).
------------------------------------------------------------------------
Note2: The S480 signature update has been packaged into the E4 engine update and will not be released as a separate signature update.
------------------------------------------------------------------------

-------------------------
CSM VERSION 3.2.2 AND ABOVE

INSTALLATION

For Automating IPS Update Tasks, please refer to the following:

CSM 3.2.2: http://www.cisco.com/en/US/partner/docs/security/security_management/cisco_security_manager/security_manager/3.2.2/user/guide/adman.html#wp801836
CSM 3.3:   http://www.cisco.com/en/US/partner/docs/security/security_management/cisco_security_manager/security_manager/3.3.1/user/guide/adman.html#wp869770

For setting up the Updates Server in CSM 3.1 and above, please refer to the following:

CSM 3.2.2: http://www.cisco.com/en/US/partner/docs/security/security_management/cisco_security_manager/security_manager/3.2.2/user/guide/syspage.html#wp73769
CSM 3.3:   http://www.cisco.com/en/US/partner/docs/security/security_management/cisco_security_manager/security_manager/3.3.1/user/guide/syspage.html#wp929969

To manually install the version S651 signature update on CSM 3.2.2 and above, follow these steps:

1. Start the Cisco Security Manager client.
2. Click Tools > Apply IPS Update to open the Apply IPS Update wizard.
3. Click Download Latest Updates.
4. Close the popup when the download is complete.
5. On the first page of the wizard, select the update that you want to apply, then click Next to continue.
6. On the second page of the wizard, select the devices (local policies) and/or shared policies you want to update.
7. Click Finish to apply your update to the policies.
8. Submit & Deploy your changes to the devices.

UNINSTALLATION

To uninstall a signature update, follow the instructions listed in the Understanding Rollback for IPS and IOS IPS User Guide documentation:

CSM 3.2.2: http://www.cisco.com/en/US/partner/docs/security/security_management/cisco_security_manager/security_manager/3.2.2/user/guide/dpman.html#wp833628
CSM 3.3:   http://www.cisco.com/en/US/partner/docs/security/security_management/cisco_security_manager/security_manager/3.3.1/user/guide/dpman.html#wp829885

CAVEATS

None.

=================================================================================================
S650 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                         ENGINE                SEVERITY       ENABLED
1258.0    Microsoft Internet Explorer Remote Code Execution Vulnerability                 multi-string          high           true
1258.1    Microsoft Internet Explorer Remote Code Execution Vulnerability                 string-xl-tcp         high           true
1261.0    MS Internet Explorer 9 Use After Free                                           string-tcp            high           true
1265.0    Microsoft Internet Explorer Memory Leak                                         string-tcp            high           true
1268.0    Microsoft Internet Explorer Remote Code Execution                               string-tcp            high           true
1270.0    Microsoft Internet Explorer Title Element Change Remote Code Execution          string-tcp            high           true
1271.0    Microsoft insertAdjacentText Remote Code Execution                              string-tcp            high           true
1272.0    Microsoft Internet Explorer Developer Toolbar Vulnerability                     string-tcp            high           true
1273.0    Microsoft Internet Explorer 8 Memory Corruption Vulnerability                   string-tcp            high           true
1274.0    Microsoft .NET Framework Clipboard Unsafe Memory Access Remote Code Execution   string-tcp            high           true
1275.0    Microsoft Dynamics AX Enterprise Portal Elevation of Privilege                  string-tcp            medium         true
1276.0    Microsoft Internet Explorer OnBeforeDeactivate Event Remote Code Execution      multi-string          high           true
1276.1    Microsoft Internet Explorer OnBeforeDeactivate Event Remote Code Execution      string-xl-tcp         high           true
1277.0    Microsoft Internet Explorer Remote Code Execution Vulnerability                 multi-string          high           true
1277.1    Microsoft Internet Explorer Remote Code Execution Vulnerability                 string-xl-tcp         high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                                         ENGINE                SEVERITY       ENABLED
16977.0   Microsoft Powerpoint File Parsing Vulnerability                                 string-tcp            high           false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S649 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                         ENGINE                SEVERITY       ENABLED
1256.0    Flame Malware                                                                   service-http          high           true
1263.0    Microsoft Unauthorized Digital Certificates                                     string-tcp            medium         true
1263.1    Microsoft Unauthorized Digital Certificates                                     string-tcp            medium         true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S648 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID     SIGNAME                                                                         ENGINE                SEVERITY       ENABLED
2155.0    Modem DoS                                                                       string-icmp           low            false
2156.0    Nachi Worm ICMP Echo Request                                                    string-icmp           medium         false
2158.0    Nachi Worm ICMP Echo Request                                                    atomic-ip             high           false
5541.0    Modem DoS                                                                       atomic-ip             low            false
5543.0    PingTunnel ICMP Tunneling                                                       atomic-ip             high           true
6303.0    PingTunnel ICMP Tunneling                                                       string-icmp           high           false
41786.0   Microsoft .NET Framework Heap Corruption                                        multi-string          high           false
41847.0   Microsoft Internet Explorer HtmlLayout Remote Code Execution                    multi-string          high           false
41866.0   Microsoft Internet Explorer Null Byte Information Disclosure                    multi-string          low            false

CAVEATS

None.
Modified signature(s) detail: the following signatures were modified:

  2155-0   Modem DoS
  2156-0   Nachi Worm ICMP Echo Request
  2158-0   Nachi Worm ICMP Echo Request
  5541-0   Modem DoS
  5543-0   PingTunnel ICMP Tunneling
  6303-0   PingTunnel ICMP Tunneling
  41847-0  Microsoft Internet Explorer HtmlLayout Remote Code Execution
  41866-0  Microsoft Internet Explorer Null Byte Information Disclosure
  41786-0  Microsoft .NET Framework Heap Corruption

=================================================================================================
S647 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                         ENGINE                SEVERITY       ENABLED
1018.0    Lurk Malware Communication                                                      string-tcp            medium         true
1019.0    XShellC601 Malware Communication                                                string-tcp            medium         true
1020.0    BB Malware Communication                                                        string-tcp            medium         true
1021.0    Murcy Malware Communication                                                     service-http          medium         true
1022.0    QDigit Malware Communication                                                    string-tcp            medium         true
1030.0    Symantic IM Manager Administrator Console Code Injection                        service-http          high           true
1032.0    Microsoft Windows MPEG Layer-3 Audio Decoder Stack Buffer Overflow              string-tcp            high           true
1197.0    Microsoft Excel File Format Memory Corruption Vulnerability                     string-tcp            high           true
41526.0   HP Data Protector RequestCopy SQL Injection                                     service-http          high           false

TUNED SIGNATURES

SIGID     SIGNAME                                                                         ENGINE                SEVERITY       ENABLED
15313.0   MS SQL sp_replwritetovarbin Limited Memory Overwrite                            string-tcp            high           true
23179.0   IIS Semi-colon Filename Vulnerability                                           service-http          high           true
40366.0   Microsoft OLE Handling Code Injection                                           string-tcp            high           false
40386.0   Microsoft Publisher Invalid Pointer Vulnerability                               string-tcp            high           false
40406.0   Microsoft Publisher Out-Bounds Array Index Vulnerability                        string-tcp            high           false
40546.0   Microsoft Excel Record Parsing Use After Free Vulnerability                     string-tcp            high           false
40546.1   Microsoft Excel Record Parsing Use After Free Vulnerability                     string-tcp            high           false
40566.0   Microsoft Excel Out of Bounds Array Indexing Vulnerability                      string-tcp            high           false
41766.0   Microsoft .NET Framework Unmanaged Objects Vulnerability                        multi-string          high           false

CAVEATS

None.

Modified signature(s) detail: Signatures 15313-0 and 23179-0 have modified regexes. All other modified sigs in this release have been retired.

=================================================================================================
S646 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                         ENGINE                SEVERITY       ENABLED
1138.0    Microsoft Internet Explorer VML Use After Free                                  string-tcp            high           true
1182.0    Visio Viewer Remote Code Execution                                              string-tcp            high           true
1183.0    Microsoft Word RTF Heap Overrun                                                 string-tcp            high           true
1185.0    Microsoft .NET Framework Serialization Vulnerability                            multi-string          high           true
1186.0    Microsoft Excel Memory Corruption                                               string-tcp            high           true
1187.0    Microsoft GDI Plus Heap Overflow Vulnerability                                  string-tcp            high           true
1187.1    Microsoft GDI Plus Heap Overflow Vulnerability                                  string-tcp            high           true
1188.0    Microsoft .NET Framework Vulnerability                                          string-tcp            high           true
1189.0    Microsoft Excel MergeCells Record Heap Overflow                                 string-tcp            high           true
1191.0    Excel Memory Corruption Vulnerability                                           string-tcp            high           true
1192.0    Microsoft Excel Remote Code Execution                                           multi-string          high           true
1193.0    Microsoft .NET Remote Code Execution                                            multi-string          high           true
1194.0    Microsoft GDI Remote Code Execution Vulnerability                               string-tcp            high           true
1195.0    Microsoft TrueType Font Parsing Vulnerability                                   string-tcp            high           true
1196.0    Microsoft Excel File Format Memory Corruption Vulnerability                     multi-string          high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                                         ENGINE                SEVERITY       ENABLED
6984.1    Windows Image Color Management System RCE                                       string-tcp            informational  false
6984.2    Windows Image Color Management System RCE                                       string-tcp            informational  false
6984.3    Windows Image Color Management System RCE                                       meta                  informational  false
40446.0   Microsoft Windows Publisher Memory Corruption                                   multi-string          high           false
41046.0   Microsoft Anti-Cross Site Scripting Library Vulnerability                       string-tcp            high           false
41086.0   Windows Media Component MIDI Remote Code Execution Vulnerability                multi-string          high           false

CAVEATS

None.

Modified signature(s) detail: the following signatures were modified:

  1138-0   Microsoft Internet Explorer VML Use After Free
  6984-1   Windows Image Color Management System RCE
  6984-2   Windows Image Color Management System RCE
  6984-3   Windows Image Color Management System RCE
  40446-0  Microsoft Windows Publisher Memory Corruption
  41046-0  Microsoft Anti-Cross Site Scripting Library Vulnerability
  41086-0  Windows Media Component MIDI Remote Code Execution Vulnerability

=================================================================================================
S645 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID     SIGNAME                                                                         ENGINE                SEVERITY       ENABLED
3335.0    Anig Worm File Transfer                                                         service-smb           high           false
3338.0    Windows LSASS RPC Overflow                                                      service-smb           high           false
5035.0    HTTP cgi HylaFAX Faxsurvey                                                      service-http          high           false
5684.1    Malformed SIP Packet                                                            string-tcp            medium         false
5832.3    IOS Crafted IP Option Vulnerability                                             service-generic       high           false
16474.0   IE Uninitialized Memory Corruption                                              string-tcp            high           false
21359.1   Internet Explorer Uninitialized Memory Corruption Vulnerability                 string-tcp            high           false
31119.0   Squid Proxy NULL Pointer Denial Of Service                                      string-tcp            medium         true
31919.0   Microsoft Office Graphic Filter RCE                                             string-tcp            high           false

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S644 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                         ENGINE                SEVERITY       ENABLED
1044.0    Metasploit Shellcode Encoder                                                    string-xl-tcp         high           true
1044.1    Metasploit Shellcode Encoder                                                    string-xl-tcp         high           true
1044.2    Metasploit Shellcode Encoder                                                    string-xl-tcp         high           true
1044.3    Metasploit Shellcode Encoder                                                    string-xl-tcp         high           true
1044.4    Metasploit Shellcode Encoder                                                    string-xl-tcp         high           true
1044.5    Metasploit Shellcode Encoder                                                    string-xl-tcp         high           true
1044.6    Metasploit Shellcode Encoder                                                    string-xl-tcp         high           true
1044.7    Metasploit Shellcode Encoder                                                    string-xl-tcp         high           true
1044.8    Metasploit Shellcode Encoder                                                    string-xl-tcp         high           true
1044.9    Metasploit Shellcode Encoder                                                    string-xl-tcp         high           true
1044.10   Metasploit Shellcode Encoder                                                    string-xl-tcp         high           true
1128.0    Microsoft RRAS Service Overflow                                                 service-smb-advanced  high           false
1142.0    Javascript Obfuscation Code Fragment                                            string-tcp            medium         false
1144.0    Microsoft Office Publisher 2007 Remote Code Execution                           string-tcp            high           false
1144.1    Microsoft Office Publisher 2007 Remote Code Execution                           string-tcp            high           false
1144.2    Microsoft Office Publisher 2007 Remote Code Execution                           string-tcp            high           false
1144.3    Microsoft Office Publisher 2007 Remote Code Execution                           string-tcp            high           false
1144.4    Microsoft Office Publisher 2007 Remote Code Execution                           string-tcp            high           false
1144.5    Microsoft Office Publisher 2007 Remote Code Execution                           string-tcp            high           false
1152.0    Microsoft Office PowerPoint Remote Code Execution Vulnerability                 service-http          high           false
1152.1    Microsoft Office PowerPoint Remote Code Execution Vulnerability                 string-tcp            high           false
1152.2    Microsoft Office PowerPoint Remote Code Execution Vulnerability                 string-tcp            high           false
1155.0    Microsoft Excel 2003 Denial of Service Vulnerability                            string-tcp            medium         false
1155.1    Microsoft Excel 2003 Denial of Service Vulnerability                            string-tcp            medium         false
1155.2    Microsoft Excel 2003 Denial of Service Vulnerability                            string-tcp            medium         false
1155.3    Microsoft Excel 2003 Denial of Service Vulnerability                            string-tcp            medium         false
1155.4    Microsoft Excel 2003 Denial of Service Vulnerability                            string-tcp            medium         false
1155.5    Microsoft Excel 2003 Denial of Service Vulnerability                            string-tcp            medium         false
1157.0    Microsoft Outlook Remote Code Execution                                         string-tcp            low            false
1166.0    Apache 2.0 Encoded Backslash Directory Traversal Vulnerability                  service-http          medium         false
1169.0    Generic Alphanumeric Generated Email Address                                    string-xl-tcp         informational  false
1169.1    Generic Alphanumeric Generated Email Address                                    string-xl-tcp         informational  false
1173.0    Metasploit Shellcode Encoder                                                    string-xl-tcp         medium         false
1173.1    Metasploit Shellcode Encoder                                                    string-xl-tcp         medium         false
1173.2    Metasploit Shellcode Encoder                                                    string-xl-tcp         medium         false
1173.3    Metasploit Shellcode Encoder                                                    string-xl-tcp         medium         false
1173.4    Metasploit Shellcode Encoder                                                    string-xl-tcp         medium         false
1173.5    Metasploit Shellcode Encoder                                                    string-xl-tcp         medium         false
1173.6    Metasploit Shellcode Encoder                                                    string-xl-tcp         medium         false
1173.7    Metasploit Shellcode Encoder                                                    string-xl-tcp         medium         false
1173.8    Metasploit Shellcode Encoder                                                    string-xl-tcp         medium         false
1173.9    Metasploit Shellcode Encoder                                                    string-xl-tcp         medium         false
1173.10   Metasploit Shellcode Encoder                                                    string-xl-tcp         medium         false
1173.11   Metasploit Shellcode Encoder                                                    string-xl-tcp         medium         false
4322.0    Generic File Transfer Signatures                                                string-tcp            informational  false
4322.1    Generic File Transfer Signatures                                                string-tcp            informational  false
4322.2    Generic File Transfer Signatures                                                string-tcp            informational  false
4322.3    Generic File Transfer Signatures                                                string-tcp            informational  false
4322.4    Generic File Transfer Signatures                                                string-tcp            informational  false
4322.5    Generic File Transfer Signatures                                                string-tcp            informational  false
4322.6    Generic File Transfer Signatures                                                string-tcp            informational  false
4322.7    Generic File Transfer Signatures                                                string-tcp            informational  false
5776.5    Routing and Remote Access Service Code Execution                                string-tcp            high           false
41106.0   RFC 2397 Encoder                                                                string-tcp            informational  false

TUNED SIGNATURES

SIGID     SIGNAME                                                                         ENGINE                SEVERITY       ENABLED
1090.0    NTP MODE_PRIVATE Denial of Service                                              atomic-ip             medium         false
1124.0    Microsoft RPC DCOM ISystemActivator Buffer Overflow                             string-tcp            high           false
3703.0    Squid FTP URL Buffer Overflow                                                   string-tcp            high           false
5367.0    Apache CR LF DoS                                                                string-tcp            medium         false
5375.0    Apache mod_dav Overflow                                                         string-tcp            high           false
5378.0    Vignette TCL Injection Command Exec                                             string-tcp            high           false
5391.0    FrontPage Server Extensions Buffer Overflow                                     string-tcp            high           false
5528.0    IIS5 SEARCH overflow                                                            string-tcp            high           false
5818.0    Metasploit Shellcode Encoder                                                    string-tcp            medium         false
5818.1    Metasploit Shellcode Encoder                                                    string-tcp            medium         false
5818.2    Metasploit Shellcode Encoder                                                    string-tcp            medium         false
5818.3    Metasploit Shellcode Encoder                                                    string-tcp            medium         false
5818.4    Metasploit Shellcode Encoder                                                    string-tcp            medium         false
5818.5    Metasploit Shellcode Encoder                                                    string-tcp            medium         false
5818.9    Metasploit Shellcode Encoder                                                    string-tcp            medium         false
5818.10   Metasploit Shellcode Encoder                                                    string-tcp            medium         false
5818.11   Metasploit Shellcode Encoder                                                    string-tcp            medium         false
5832.0    IOS Crafted IP Option Vulnerability                                             service-generic       high           false
5935.0    Quicktime FlipFileTypeAtom_BtoN Underflow                                       string-tcp            high           false
6148.0    OpenSSL SSL_get_shared_ciphers Off-by-one                                       string-tcp            high           false
6208.0    NetBackup Volume Manager Buffer Overflow                                        string-tcp            high           false
9435.0    Back Door Wow32                                                                 string-tcp            high           false
9565.0    Back Door Executor                                                              string-tcp            high           false
17237.0   CA BrightStor ARCserve Backup Media Server Buffer Overflow                      string-tcp            high           false
17238.0   CA BrightStor ARCserve Backup Media Server Buffer Overflow                      string-tcp            high           false
19239.0   CA BrightStor ARCserve Backup XDR Parsing Buffer Overflow                       string-tcp            high           false
20179.0   WINS Heap Overflow                                                              string-tcp            high           false
27100.0   JBoss JMX Console Authentication Bypass                                         string-tcp            high           true

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S643 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
5256.0     Dot Dot Slash in URI                                             service-http           low             false

CAVEATS

None.

Modified signature(s) detail: The signature 5256-0 was modified for some engine parameters.

=================================================================================================
S642 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
1122.0     OpenOffice Remote Code Execution                                 string-tcp             high            false
1140.0     Samba Marshalling Code Remote Code Execution Vulnerability       service-smb-advanced   high            true
1143.0     DirectX NULL Byte Overwrite Vulnerability                        string-tcp             high            false

TUNED SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
1330.0     TCP Drop - Bad Checksum                                          normalizer             informational   true
1330.1     TCP Drop - Bad Flags                                             normalizer             informational   true
1330.2     TCP Drop - Urgent Pointer Without Flag                           normalizer             informational   false
1330.3     TCP Drop - Bad Option List                                       normalizer             informational   false
1330.4     TCP Drop - Bad Option Length                                     normalizer             informational   true
1330.5     TCP Drop - MSS Option in Non-SYN                                 normalizer             informational   true
1330.6     TCP Drop - WinScale Option in Non-SYN                            normalizer             informational   true
1330.7     TCP Drop - Bad WinScale Option Value                             normalizer             informational   true
1330.8     TCP Drop - Bad SACK Allow                                        normalizer             informational   true
1330.9     TCP Drop - Data in SYNACK                                        normalizer             informational   true
1330.10    TCP Drop - Data past FIN                                         normalizer             informational   true
1330.11    TCP Drop - Timestamp Not Allowed                                 normalizer             informational   false
1330.12    TCP Drop - Segment Out Of Order                                  normalizer             informational   true
1330.13    TCP Drop - Invalid TCP Packet                                    normalizer             informational   false
1330.14    TCP Drop - RST or SYN in Window                                  normalizer             informational   true
1330.15    TCP Drop - Segment Already ACKed by Peer                         normalizer             informational   false
1330.16    TCP Drop - PAWS check failed                                     normalizer             informational   true
1330.17    TCP Drop - Segment out state order                               normalizer             informational   true
1330.18    TCP Drop - Segment out of window                                 normalizer             informational   true
1330.19    TCP timestamp option detected when not expected                  normalizer             informational   true
1330.20    TCP winscale option detected when not expected                   normalizer             informational   true
1330.21    TCP option SACK data detected when not expected                  normalizer             informational   true
1607.0     IPv6 multi-crafted fragments                                     atomic-ip-v6           medium          false
5401.0     Outlook mailto Quote Malformed URI                               string-tcp             high            false
5456.0     Internet Explorer 5 ie5filex Exploit                             string-tcp             medium          false
41926.0    Oracle Database Server Warehouse Builder Remote Code Execution   string-tcp             high            false

CAVEATS

None.

Modified signature(s) detail: the following signatures were modified:
1330-0   TCP Drop - Bad Checksum
1330-1   TCP Drop - Bad Flags
1330-2   TCP Drop - Urgent Pointer Without Flag
1330-3   TCP Drop - Bad Option List
1330-4   TCP Drop - Bad Option Length
1330-5   TCP Drop - MSS Option in Non-SYN
1330-6   TCP Drop - WinScale Option in Non-SYN
1330-7   TCP Drop - Bad WinScale Option Value
1330-8   TCP Drop - Bad SACK Allow
1330-9   TCP Drop - Data in SYNACK
1330-10  TCP Drop - Data past FIN
1330-11  TCP Drop - Timestamp Not Allowed
1330-12  TCP Drop - Segment Out Of Order
1330-13  TCP Drop - Invalid TCP Packet
1330-14  TCP Drop - RST or SYN in Window
1330-15  TCP Drop - Segment Already ACKed by Peer
1330-16  TCP Drop - PAWS check failed
1330-17  TCP Drop - Segment out state order
1330-18  TCP Drop - Segment out of window
1330-19  TCP timestamp option detected when not expected
1330-20  TCP winscale option detected when not expected
1330-21  TCP option SACK data detected when not expected
1607-0   IPv6 multi-crafted fragments
5401-0   Outlook mailto Quote Malformed URI
5456-0   Internet Explorer 5 ie5filex Exploit
41926-0  Oracle Database Server Warehouse Builder Remote Code Execution

=================================================================================================
S641 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
3255.1     Apache Long HTTP Header DoS                                      string-tcp             high            false

TUNED SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
3255.0     Apache Long HTTP Header DoS                                      service-http           medium          false
34165.0    Permanently Obsoleted Signatures                                 string-tcp             informational   false

CAVEATS

None.

Modified signature(s) detail: The modified signatures have either been retired or have updated signature descriptions.

=================================================================================================
S640 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
1129.0     Microsoft Internet Explorer VML Remote Code Execution            string-tcp             high            true
1130.0     Microsoft Windows Malicious Signed Portable Executable File      multi-string           high            true
1131.0     Microsoft MSCOMCTL ActiveX Control Remote Code Execution Vulnerability multi-string     high            true
1132.0     Microsoft IE OnReadyStateChange Remote Code Execution            multi-string           high            true
1134.0     Microsoft IE SelectAll Remote Code Execution                     multi-string           high            true
1135.0     Microsoft .NET Framework Parameter Validation Vulnerability      multi-string           high            true
1136.0     Microsoft Works Remote Code Execution                            string-tcp             high            true

TUNED SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
1038.0     Microsoft DNS server Denial of Service Vulnerability             atomic-ip              medium          false

CAVEATS

None.

Modified signature(s) detail: Sig 1038-0 was modified to fix a typo in the signature name.
=================================================================================================
S639 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
1052.0     Adobe PDF Remote Code Execution                                  string-tcp             high            true
1056.0     Corehttp Httpd Buffer Overflow                                   service-http           high            false
1059.0     IIS Hit-Highlighting Authentication Bypass                       service-http           medium          false
1060.0     Apache auth_ldap Format String                                   service-http           high            false
1062.0     Windows Active Directory LDAP Remote Code Execution              string-tcp             high            false
1063.0     BIND 8 TSIG Remote Code Execution                                atomic-ip              high            false
1067.0     CA BrightStor Backup Products Tape Engine Service RPC Request Arbitrary Code Execution Vulnerability meta high false
1067.1     CA BrightStor Backup Products Tape Engine Service RPC Request Arbitrary Code Execution Vulnerability string-tcp informational false
1067.2     CA BrightStor Backup Products Tape Engine Service RPC Request Arbitrary Code Execution Vulnerability string-tcp informational false
1069.0     Microsoft Windows PPTP Denial of Service                         string-tcp             medium          false
1076.0     IBM Tivoli Directory Server 6.0 Denial Of Service                string-tcp             medium          false
1077.0     PHP File Upload GLOBAL Variable Overwrite                        service-http           medium          false
1079.0     Helix RTSP SETUP Request Denial Of Service                       string-tcp             medium          false
1080.0     IBM Informix Long Username Buffer Overflow                       string-tcp             high            true
1081.0     Libevent DNS Parsing Denial Of Service                           string-tcp             medium          false
1082.0     Libevent DNS Parsing Denial Of Service                           atomic-ip              medium          false
1083.0     Microsoft Plug and Play Overflow                                 string-tcp             high            false
1085.0     Cisco IOS HTTP Server Vulnerability                              string-tcp             medium          false
1086.0     Oracle OPMN daemon Format String Denial Of Service               service-http           medium          false
1088.0     Oracle XDB FTP Buffer Overflow                                   string-tcp             high            true
1089.0     SAP Message Server Group Parameter Remote Buffer Overflow        service-http           high            false
1090.0     NTP MODE_PRIVATE Denial of Service                               atomic-ip              medium          true
1091.0     OpenSwan and StrongSwan DPD Packet Remote DoS                    atomic-ip              high            false
1124.0     Microsoft RPC DCOM ISystemActivator Buffer Overflow              string-tcp             high            false
4704.1     MSSQL Resolution Service Heap Overflow                           atomic-ip              high            false
6973.1     IOS FTPd MKD Command Buffer Overflow                             string-tcp             high            false
16814.1    Novell NetMail WebAdmin Username Stack Buffer Overflow           string-tcp             high            false
17238.1    CA BrightStor ARCserve Backup Media Server Buffer Overflow       atomic-ip              high            false
19199.2    Computer Associates BrightStor ARCServe Backup LGServer Buffer Overflow string-tcp      high            false
19199.3    Computer Associates BrightStor ARCServe Backup LGServer Buffer Overflow string-tcp      high            false
27160.1    SAP Business One 2005 License Manager Buffer Overflow            string-tcp             high            false
31199.1    Symantec Alert Management System Command Execution               multi-string           high            true
31839.0    NetWin SurgeMail Format String Exploit                           service-http           high            true
31839.2    NetWin SurgeMail Format String Exploit                           service-http           high            true
31839.3    NetWin SurgeMail Format String Exploit                           service-http           high            true

TUNED SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
3255.0     Apache Long HTTP Header DoS                                      string-tcp             high            false
3736.0     Subversion get-dated-rev overflow                                string-tcp             high            false
4617.0     PoPToP PPtP Short Length Overflow                                string-tcp             high            false
5256.0     Dot Dot Slash in URI                                             service-http           low             false
5573.0     Novell eDirectory Server iMonitor Buffer Overflow                service-http           high            false
5638.0     PHP Command Injection                                            service-http           high            false
5743.0     PeerCast Buffer Overflow                                         string-tcp             high            false
5858.5     DNS Server RPC Interface Buffer Overflow                         service-smb-advanced   high            true
6210.0     LPR Format String Overflow                                       state                  high            false
21379.0    Oracle TimesTen Remote Format String                             service-http           high            false
27160.0    SAP Business One 2005 License Manager Buffer Overflow            string-tcp             high            false
31199.0    Symantec Alert Management System Command Execution               string-tcp             high            false

CAVEATS

None.

Modified signature(s) detail: the following signatures were modified:
3255-0   Apache Long HTTP Header DoS
3736-0   Subversion get-dated-rev overflow
4617-0   PoPToP PPtP Short Length Overflow
5638-0   PHP Command Injection
5743-0   PeerCast Buffer Overflow
5858-5   DNS Server RPC Interface Buffer Overflow
6210-0   LPR Format String Overflow
21379-0  Oracle TimesTen Remote Format String
31199-0  Symantec Alert Management System Command Execution

=================================================================================================
S638 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
1055.0     Cisco WebEx WRF File Buffer Overflow                             multi-string           high            true
1057.0     Cisco WebEx Player WRF File Buffer Overflow                      string-tcp             high            true
1058.0     Cisco Webex WRF File Buffer Overflow                             multi-string           high            true
1127.0     Cisco IOS ISAKMP Vulnerability                                   atomic-ip              high            true

TUNED SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
40986.0    Cisco IOS ISAKMP Vulnerability                                   string-udp             high            false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S637 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.
TUNED SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
1300.0     TCP Segment Overwrite                                            normalizer             high            true
1304.0     TCP Session Packet Queue Overflow                                normalizer             informational   true
1305.0     TCP URG flag set                                                 normalizer             informational   true
5903.1     MS SharePoint XSS                                                service-http           informational   false
5903.2     MS SharePoint XSS                                                string-tcp             informational   false
5931.0     Google Ratproxy                                                  service-http           informational   false
6100.0     RPC Port Registration                                            service-rpc            high            false
6101.0     RPC Port Unregistration                                          service-rpc            high            false
6104.0     RPC Port Reg Spoof                                               service-rpc            high            false
6105.0     RPC Port UnReg Spoof                                             service-rpc            high            false
6110.0     RPC RSTATD Sweep                                                 meta                   high            false
6110.1     RPC RSTATD Sweep                                                 meta                   high            false
6111.0     RPC RUSESRD Sweep                                                meta                   medium          false
6112.0     RPC NFS Sweep                                                    meta                   high            false
6112.1     RPC NFS Sweep                                                    meta                   high            false
6113.0     RPC MOUNTD Sweep                                                 meta                   high            false
6113.1     RPC MOUNTD Sweep                                                 meta                   high            false
6114.0     RPC YPASSWDD Sweep                                               meta                   high            false
6115.0     RPC SELECTION SVC Sweep                                          meta                   high            false
6116.0     RPC REXD Sweep                                                   meta                   high            false
6117.0     RPC STATUS Sweep                                                 meta                   high            false
6118.0     RPC TTDB Sweep                                                   meta                   high            false
6120.1     RPC RSTATD Request                                               service-rpc            informational   false
6122.0     RPC NFS Request                                                  service-rpc            informational   false
6122.1     RPC NFS Request                                                  service-rpc            informational   false
6123.0     RPC MOUNTD Request                                               service-rpc            informational   false
6123.1     RPC MOUNTD Request                                               service-rpc            informational   false

CAVEATS

None.

Modified signature(s) detail: The following signatures have been retired:
5903-1   MS SharePoint XSS
5903-2   MS SharePoint XSS
5931-0   Google Ratproxy
6100-0   RPC Port Registration
6101-0   RPC Port Unregistration
6104-0   RPC Port Reg Spoof
6105-0   RPC Port UnReg Spoof
6110-0   RPC RSTATD Sweep
6110-1   RPC RSTATD Sweep
6111-0   RPC RUSESRD Sweep
6112-0   RPC NFS Sweep
6112-1   RPC NFS Sweep
6113-0   RPC MOUNTD Sweep
6113-1   RPC MOUNTD Sweep
6114-0   RPC YPASSWDD Sweep
6115-0   RPC SELECTION SVC Sweep
6116-0   RPC REXD Sweep
6117-0   RPC STATUS Sweep
6118-0   RPC TTDB Sweep
6120-1   RPC RSTATD Request
6122-0   RPC NFS Request
6122-1   RPC NFS Request
6123-0   RPC MOUNTD Request
6123-1   RPC MOUNTD Request

The following signatures have been activated and enabled:
1300-0   TCP Segment Overwrite
1305-0   TCP URG flag set
1304-0   TCP Session Packet Queue Overflow

=================================================================================================
S636 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
1027.0     Cisco IOS Software Smart Install Denial of Service               string-tcp             medium          true
40986.0    Cisco IOS ISAKMP Vulnerability                                   string-udp             high            true
41406.0    Cisco IOS URL DoS                                                service-http           medium          true

TUNED SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
3050.0     Half-open SYN Attack                                             normalizer             high            true

CAVEATS

None.

Modified signature(s) detail: the following signatures were modified:
3050-0   Half-open SYN Attack

=================================================================================================
S635 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
1039.1     Microsoft Windows Remote Desktop Protocol Vulnerability          multi-string           high            true

TUNED SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
1039.0     Microsoft Windows Remote Desktop Protocol Vulnerability          multi-string           high            true
6263.0     XSS in Cisco ACS Server                                          service-http           medium          false

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S634 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
1051.0     Novell GroupWise Internet Agent HTTP Request Remote Code Execution string-tcp           high            true
5822.3     Workstation Service Memory Corruption Vulnerability              service-smb-advanced   high            false
34885.0    Axis2 Default Credentials Remote Code Execution Vulnerability    service-http           high            true
39448.0    7T IGSS Buffer Overflow                                          service-generic        high            false
39449.0    7T IGSS Buffer Overflow                                          service-generic        high            false
39450.0    7T IGSS Buffer Overflow                                          service-generic        high            false
39726.1    Microsoft Internet Explorer Memory Corruption Vulnerability      multi-string           high            true
40147.0    Sybase M-Business Anywhere agSoap.exe Arbitrary Code Execution Vulnerability string-tcp high           true
40306.0    Oracle Java Applet2ClassLoader Remote Code Execution             meta                   high            true
41566.0    Mozilla Firefox OBJECT mChannel Use After Free Vulnerability     multi-string           high            false
41926.0    Oracle Database Server Warehouse Builder Remote Code Execution   string-tcp             high            false
41926.1    Oracle Database Server Warehouse Builder Remote Code Execution   string-tcp             high            false
42066.0    Oracle Outside In CorelDRAW File Parser Integer Overflow         string-tcp             high            false

TUNED SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
5188.0     HTTP Tunneling                                                   service-http           high            false
5194.0     Apache Server .ht File Access                                    service-http           low             false
5452.0     Office XP URL Processing Buffer Overflow                         service-http           high            false
5454.0     Exim SPA Authentication Buffer Overflow                          string-tcp             high            false
5457.0     WU-FTPD DoS                                                      string-tcp             medium          false
34285.0    Free Download Manager Torrent Parsing Buffer Overflow            string-tcp             high            false
39006.0    Sybase Open Server Null Byte Stack Overflow                      meta                   high            false
39006.1    Sybase Open Server Null Byte Stack Overflow                      string-tcp             informational   false
39006.2    Sybase Open Server Null Byte Stack Overflow                      string-tcp             informational   false

CAVEATS

None.
Modified signature(s) detail: the following signatures were retired:
5188-0   HTTP Tunneling
5194-0   Apache Server .ht File Access
5452-0   Office XP URL Processing Buffer Overflow
5454-0   Exim SPA Authentication Buffer Overflow
5457-0   WU-FTPD DoS
34285-0  Free Download Manager Torrent Parsing Buffer Overflow
39006-0  Sybase Open Server Null Byte Stack Overflow
39006-1  Sybase Open Server Null Byte Stack Overflow
39006-2  Sybase Open Server Null Byte Stack Overflow

=================================================================================================
S633 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
1618.0     ICMPv6 Membership Reduction                                      atomic-ip-advanced     informational   false
1717.0     Back To Back Padding Options                                     atomic-ip-advanced     low             false
1740.0     Small IPv6 Fragments                                             atomic-ip-advanced     informational   false
3156.0     FTP STOR Pipe Filename Command Execution                         string-tcp             medium          false
3158.0     FTP SITE EXEC Format String                                      string-tcp             high            false
3169.0     FTP SITE EXEC tar                                                string-tcp             high            false
3253.0     HTTP Request Smuggling                                           service-http           medium          false
3406.0     Solaris TTYPROMPT Overflow                                       string-tcp             high            false
3529.0     IMAP Long EXAMINE Command                                        string-tcp             high            false
3532.0     Malformed BGP Open Message                                       service-generic        high            false
3534.0     IMAP Long AUTHENTICATE Command                                   string-tcp             high            false
3604.0     Cisco Catalyst CR DoS                                            string-tcp             high            false
3704.0     IIS FTP STAT Denial of Service                                   string-tcp             low             false
4058.1     UPnP LOCATION Overflow                                           string-tcp             high            false
4508.0     Non SNMP Traffic                                                 service-snmp           informational   false
4620.0     DNS Limited Broadcast Query                                      atomic-ip              informational   false
5039.0     WWW finger attempt                                               service-http           low             false
5051.0     IIS Double Byte Code Page                                        service-http           low             false
5051.1     IIS Double Byte Code Page                                        service-http           low             false
5501.0     IE ActiveX ADODB Stream                                          string-tcp             informational   false
5505.1     RIP Trace                                                        atomic-ip              high            false
5568.0     Veritas Backup Exec Agent Remote File Access                     string-tcp             medium          false
5576.0     SMB Login successful with Guest Privileges                       service-smb-advanced   informational   false
5578.0     SMB 95 98 Password File Access                                   service-smb-advanced   informational   false
5579.0     SMB Remote Registry Access Attempt                               service-smb-advanced   informational   false
5581.0     SMB Remote Srvsvc Service Access Attempt                         service-smb-advanced   informational   false
5583.0     SMB Remote SAM Service Access Attempt                            service-smb-advanced   informational   false
5584.0     SMB .eml email file remote access                                service-smb-advanced   informational   false
5589.0     SMB ADMIN Hidden Share Access Attempt                            service-smb-advanced   low             false
5590.0     SMB User Enumeration                                             service-smb-advanced   informational   false
5591.0     SMB Windows Share Enumeration                                    service-smb-advanced   informational   false
5595.0     Windows Startup Folder Remote Access                             service-smb-advanced   high            false
5602.0     Windows System32 Directory File Access                           service-smb-advanced   medium          false
5605.0     Windows Account Locked                                           service-smb-advanced   informational   false
5606.0     SMB Authorization Failure                                        service-smb-advanced   informational   false
5668.0     Unauthenticated FTP Connection                                   string-tcp             medium          false
5728.0     Windows IGMP DoS                                                 service-generic        medium          false
5790.0     CS-MARS JBoss Vulnerability                                      service-http           high            false
5792.0     Excel Hyperlink Object Library Buffer Overflow                   string-tcp             high            false
5812.0     Cisco IPS SSL DOS Vulnerability                                  service-generic        medium          false
5829.0     Invalid SSL Packet                                               service-generic        medium          false
5885.0     EnjoySAP kweditcontrol.kwedit Stack Overflow                     string-tcp             high            false
5889.0     NeoTrace ActiveX Buffer Overflow                                 string-tcp             high            false
5903.0     MS SharePoint XSS                                                meta                   medium          false
6189.0     statd automount attack                                           service-rpc            high            false
6197.1     rpc yppaswdd overflow                                            service-rpc            high            false
6211.0     LPD NoOp Sled                                                    string-tcp             high            false
6232.0     Distributed Transaction Coordinator Overflow                     service-msrpc          high            false
6930.1     Office Web Components URL Parsing Vulnerability                  string-tcp             informational   false
6930.2     Office Web Components URL Parsing Vulnerability                  string-tcp             informational   false
7102.0     ARP Reply-to-Broadcast                                           atomic-arp             informational   false
7241.1     Akamai Download Manager ActiveX Control Remote Code Execution    string-tcp             informational   false
7264.1     Adobe util.printf JavaScript Stack Buffer Overflow               string-tcp             informational   false
16553.0    MailEnable SMTP Service VRFY EXPN Command DoS                    string-tcp             low             false
30419.0    Internet Explorer 8 XSS Attack                                   string-tcp             low             false

CAVEATS

None.

Modified signature(s) detail: The following signatures were retired:
6189-0   statd automount attack
6197-1   rpc yppaswdd overflow
1618-0   ICMPv6 Membership Reduction
1717-0   Back To Back Padding Options
1740-0   Small IPv6 Fragments
3156-0   FTP STOR Pipe Filename Command Execution
3158-0   FTP SITE EXEC Format String
3169-0   FTP SITE EXEC tar
3253-0   HTTP Request Smuggling
6232-0   Distributed Transaction Coordinator Overflow
3406-0   Solaris TTYPROMPT Overflow
6930-1   Office Web Components URL Parsing Vulnerability
6930-2   Office Web Components URL Parsing Vulnerability
3529-0   IMAP Long EXAMINE Command
3532-0   Malformed BGP Open Message
3534-0   IMAP Long AUTHENTICATE Command
3604-0   Cisco Catalyst CR DoS
3704-0   IIS FTP STAT Denial of Service
4058-1   UPnP LOCATION Overflow
4508-0   Non SNMP Traffic
4620-0   DNS Limited Broadcast Query
7102-0   ARP Reply-to-Broadcast
7241-1   Akamai Download Manager ActiveX Control Remote Code Execution
7264-1   Adobe util.printf JavaScript Stack Buffer Overflow
5039-0   WWW finger attempt
5051-0   IIS Double Byte Code Page
5501-0   IE ActiveX ADODB Stream
5505-1   RIP Trace
5568-0   Veritas Backup Exec Agent Remote File Access
5576-0   SMB Login successful with Guest Privileges
5578-0   SMB 95 98 Password File Access
5579-0   SMB Remote Registry Access Attempt
5581-0   SMB Remote Srvsvc Service Access Attempt
5583-0   SMB Remote SAM Service Access Attempt
5584-0   SMB .eml email file remote access
5589-0   SMB ADMIN Hidden Share Access Attempt
5590-0   SMB User Enumeration
5591-0   SMB Windows Share Enumeration
5595-0   Windows Startup Folder Remote Access
5602-0   Windows System32 Directory File Access
5605-0   Windows Account Locked
5051-1   IIS Double Byte Code Page
5668-0   Unauthenticated FTP Connection
5728-0   Windows IGMP DoS
5790-0   CS-MARS JBoss Vulnerability
5792-0   Excel Hyperlink Object Library Buffer Overflow
5812-0   Cisco IPS SSL DOS Vulnerability
5829-0   Invalid SSL Packet
5885-0   EnjoySAP kweditcontrol.kwedit Stack Overflow
5889-0   NeoTrace ActiveX Buffer Overflow
5903-0   MS SharePoint XSS
6211-0   LPD NoOp Sled
5606-0   SMB Authorization Failure
16553-0  MailEnable SMTP Service VRFY EXPN Command DoS
30419-0  Internet Explorer 8 XSS Attack

=================================================================================================
S632 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
1040.0     DNSChanger Malware                                               atomic-ip              high            true
41026.0    Cisco ASA Port Forwarder ActiveX Control Buffer Overflow         string-tcp             high            true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S631 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
1038.0     Microsoft DNS server Denial of Service Vulnerabillity            atomic-ip              medium          false
1039.0     Microsoft Windows Remote Desktop Protocol Vulnerability          multi-string           high            true
31560.1    IDEAL Administration IPJ File Processing Buffer Overflow         string-xl-tcp          high            false

TUNED SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
5577.0     SMB NULL login attempt                                           service-smb-advanced   informational   false
5580.0     SMB Remote Lsarpc Service Access Attempt                         service-smb-advanced   informational   false
5664.0     Apache Tomcat Null Byte File Disclosure                          service-http           low             false
5746.0     FTP ALLO command                                                 string-tcp             low             false
5756.0     Embedded TCP Connection Relay                                    service-http           low             false
5772.0     ASP.NET Information Disclosure Vulnerability                     service-http           low             false
5816.0     TOR Client Activity                                              service-http           low             false
5839.0     Internet Explorer FTP Server Response Code Execution             string-tcp             high            false
5861.0     Cisco CNS Netflow Collection Engine Default Password             service-http           high            false

CAVEATS

None.

Modified signature(s) detail: the following signatures were retired:
5577-0   SMB NULL login attempt
5580-0   SMB Remote Lsarpc Service Access Attempt
5664-0   Apache Tomcat Null Byte File Disclosure
5746-0   FTP ALLO command
5756-0   Embedded TCP Connection Relay
5772-0   ASP.NET Information Disclosure Vulnerability
5816-0   TOR Client Activity
5839-0   Internet Explorer FTP Server Response Code Execution
5861-0   Cisco CNS Netflow Collection Engine Default Password

=================================================================================================
S630 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
39289.0    DATAC RealFlex RealWin v2.1 Buffer Overflow                      service-generic        high            false

TUNED SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
3002.0     TCP SYN Port Sweep                                               sweep                  low             false
3052.0     UPNP Service Host Sweep                                          sweep                  low             false
3300.0     NetBIOS OOB Data                                                 atomic-ip              high            false
3329.0     Windows RPCSS Overflow                                           service-msrpc          high            false
3330.0     Windows RPCSS Overflow 2                                         service-msrpc          high            false
3331.2     UDP MSRPC Messenger Overflow                                     service-msrpc          high            false
3700.0     CDE dtspcd Overflow                                              string-tcp             high            true
3733.0     Real Server Format Overflow                                      string-tcp             high            false
4503.0     Windows NT SNMP System Info Retrieve                             service-snmp           low             false
6054.0     DNS Version Request                                              service-dns            low             false
6054.1     DNS Version Request                                              service-dns            low             false
6062.0     DNS Authors Request                                              service-dns            low             false
6062.1     DNS Authors Request                                              service-dns            low             false
6063.0     DNS Incremental Zone Transfer                                    service-dns            informational   false
6063.1     DNS Incremental Zone Transfer                                    service-dns            informational   false
6186.0     RIS Data Collector Heap Overflow                                 string-tcp             high            false
6188.0     statd dot dot                                                    service-rpc            high            false
6191.1     RPC.tooltalk Buffer Overflow                                     service-rpc            high            false
6192.1     RPC mountd Buffer Overflow                                       service-rpc            high            false
6196.1     snmpXdmid Buffer Overflow                                        service-rpc            high            false
6198.1     Long rwalld Message                                              service-rpc            high            false
6199.0     Cachefsd Overflow                                                service-rpc            high            false
6545.0     WINS Local Privilege Escalation                                  atomic-ip              low             false
7000.0     Data Base TNS Connection                                         service-tns            informational   false
7001.0     TNS Redirect Request                                             service-tns            informational   false
7242.0     Windows GDI plus Denial of Service                               string-tcp             medium          false
7270.0     Host Integration Server Remote Code Execution                    service-msrpc          informational   false
7274.0     FlashGet FTP PWD Buffer Overflow                                 string-tcp             high            false
7284.0     Borland InterBase Service Attach Request Overflow                string-tcp             high            false
12500.6    H225 ASN signature 1                                             service-h225           low             false
12500.9    H225 ASN signature 1                                             service-h225           low             false
12500.10   H225 ASN signature 1                                             service-h225           low             false
12501.0    H225 Q931 signature 1                                            service-h225           low             false
12501.1    H225 Q931 signature 1                                            service-h225           low             false
12501.3    H225 Q931 signature 1                                            service-h225           low             false
12501.4    H225 Q931 signature 1                                            service-h225           low             false
12501.6    H225 Q931 signature 1                                            service-h225           low             false
12501.10   H225 Q931 signature 1                                            service-h225           low             false
12501.18   H225 Q931 signature 1                                            service-h225           low             false
12501.36   H225 Q931 signature 1                                            service-h225           low             false
12501.38   H225 Q931 signature 1                                            service-h225           low             false
12502.0    H225 TPKT signature 1                                            service-h225           low             false
12502.2    H225 TPKT signature 1                                            service-h225           low             false
12502.3    H225 TPKT signature 1                                            service-h225           low             false
12502.4    H225 TPKT signature 1                                            service-h225           low             false
12502.6    H225 TPKT signature 1                                            service-h225           low             false
12503.1    H225 SETUP signature 1                                           service-h225           low             false
12505.1    H225 SETUP fixed signature 1                                     service-h225           low             false
12505.3    H225 SETUP fixed signature 1                                     service-h225           low             false
12505.5    H225 SETUP fixed signature 1                                     service-h225           low             false
19339.0    Microsoft DirectShow msvidctl.dll Code Execution                 string-tcp             high            false
19339.2    Microsoft DirectShow msvidctl.dll Code Execution                 string-tcp             high            false
19339.3    Microsoft DirectShow msvidctl.dll Code Execution                 string-tcp             high            false
19339.4    Microsoft DirectShow msvidctl.dll Code Execution                 string-tcp             high            false
19339.5    Microsoft DirectShow msvidctl.dll Code Execution                 string-tcp             high            false
19339.6    Microsoft DirectShow msvidctl.dll Code Execution                 string-tcp             high            false
19339.7    Microsoft DirectShow msvidctl.dll Code Execution                 string-tcp             high            false
19339.8    Microsoft DirectShow msvidctl.dll Code Execution                 string-tcp             high            false
19339.9    Microsoft DirectShow msvidctl.dll Code Execution                 string-tcp             high            false
20361.0    KuGoo P2P Activity                                               atomic-ip              low             false
27559.0    GaduGadu Client Activity                                         service-http           informational   false
27560.0    UTorrent Client Activity                                         service-http           informational   false
30680.0    Foxy P2P Application                                             fixed-tcp              informational   false
35185.0    MODBUS Illegal Read File Record Response Parameters              service-generic        medium          false
39246.0    DATAC RealFlex RealWin v2.1 Buffer Overflow                      service-generic        high            false
39266.0    DATAC RealFlex RealWin v2.1 Buffer Overflow                      service-generic        high            false
39286.0    DATAC RealFlex RealWin v2.1 Buffer Overflow                      service-generic        high            false
39287.0    DATAC RealFlex RealWin v2.1 Buffer Overflow                      service-generic        high            false
39288.0    DATAC RealFlex RealWin v2.1 Buffer Overflow                      service-generic        high            false

CAVEATS

None.
Modified signature(s) detail: The following signatures were retired:
12500-6  H225 ASN signature 1
12500-9  H225 ASN signature 1
12500-10 H225 ASN signature 1
12501-0  H225 Q931 signature 1
12501-1  H225 Q931 signature 1
12501-3  H225 Q931 signature 1
12501-4  H225 Q931 signature 1
12501-6  H225 Q931 signature 1
12501-10 H225 Q931 signature 1
12501-18 H225 Q931 signature 1
12501-36 H225 Q931 signature 1
12501-38 H225 Q931 signature 1
12502-0  H225 TPKT signature 1
12502-2  H225 TPKT signature 1
12502-3  H225 TPKT signature 1
12502-4  H225 TPKT signature 1
12502-6  H225 TPKT signature 1
12503-1  H225 SETUP signature 1
12505-1  H225 SETUP fixed signature 1
12505-3  H225 SETUP fixed signature 1
12505-5  H225 SETUP fixed signature 1
3002-0   TCP SYN Port Sweep
3052-0   UPNP Service Host Sweep
3300-0   NetBIOS OOB Data
3329-0   Windows RPCSS Overflow
3330-0   Windows RPCSS Overflow 2
3331-2   UDP MSRPC Messenger Overflow
3700-0   CDE dtspcd Overflow
4503-0   Windows NT SNMP System Info Retrieve
19339-0  Microsoft DirectShow msvidctl.dll Code Execution
19339-2  Microsoft DirectShow msvidctl.dll Code Execution
19339-3  Microsoft DirectShow msvidctl.dll Code Execution
19339-4  Microsoft DirectShow msvidctl.dll Code Execution
19339-5  Microsoft DirectShow msvidctl.dll Code Execution
19339-6  Microsoft DirectShow msvidctl.dll Code Execution
19339-7  Microsoft DirectShow msvidctl.dll Code Execution
19339-8  Microsoft DirectShow msvidctl.dll Code Execution
19339-9  Microsoft DirectShow msvidctl.dll Code Execution
30680-0  Foxy P2P Application
27560-0  UTorrent Client Activity
27559-0  GaduGadu Client Activity
3733-0   Real Server Format Overflow
6054-0   DNS Version Request
6054-1   DNS Version Request
6062-0   DNS Authors Request
6062-1   DNS Authors Request
6063-0   DNS Incremental Zone Transfer
6063-1   DNS Incremental Zone Transfer
6186-0   RIS Data Collector Heap Overflow
6188-0   statd dot dot
6191-1   RPC.tooltalk Buffer Overflow
6192-1   RPC mountd Buffer Overflow
6196-1   snmpXdmid Buffer Overflow
6198-1   Long rwalld Message
6199-0   Cachefsd Overflow
6545-0   WINS Local Privilege Escalation
7000-0   Data Base TNS Connection
7001-0   TNS Redirect Request
7270-0   Host Integration Server Remote Code Execution
7274-0   FlashGet FTP PWD Buffer Overflow
7284-0   Borland InterBase Service Attach Request Overflow
7242-0   Windows GDI plus Denial of Service
20361-0  KuGoo P2P Activity

=================================================================================================
S629 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
41446.0    Cisco Wireless LAN Controller DoS                                string-tcp             medium          false

TUNED SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
6187.0     CallManager TCP Connection DoS                                   atomic-ip              medium          true
11014.0    Hotline Client Login                                             string-tcp             low             false
32919.0    CA BrightStor HSM Buffer Overflow                                string-tcp             high            false

CAVEATS

None.

Modified signature(s) detail: The following signatures are retired in this release:
32919-0  CA BrightStor HSM Buffer Overflow
11014-0  Hotline Client Login

=================================================================================================
S628 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
23782.3    HP OpenView Network Node Manager Buffer Overflow                 meta                   high            true
23782.4    HP OpenView Network Node Manager Buffer Overflow                 string-tcp             informational   true
41706.0    Blackhole Exploit Kit Propagation                                service-http           high            true

TUNED SIGNATURES

SIGID      SIGNAME                                                          ENGINE                 SEVERITY        ENABLED
15017.0    Oracle Secure Backup Login.php Command Injection                 service-http           high            false
15153.0    libspf2 DNS TXT Record Parsing Buffer Overflow                   atomic-ip              high            false
15294.0    Chrome URI Handler Remote Command Execution                      string-tcp             high            false
15994.0    BitDefender Adobe PDF Memory Corruption Vulnerability            string-tcp             high            false
16013.0    Borland Interbase Integer Overflow Vulnerability                 string-tcp             high            false
16175.0    Oracle Database Server DBMS_AQELM Package Buffer Overflow        string-tcp             high            false
16514.0    WordPad Word 97 Text Converter Vulnerability                     string-tcp             high            false
17256.0    HPISDataManager.dll Arbitrary File Download                      string-tcp             high            false
17957.0    IBM Websphere Application Server XSS                             string-tcp             high            false
17997.0    Multiple Vendor rdesktop Process_redirect_pdu() BSS Overflow Vulnerability string-tcp  high            false
17998.0    JRE Deserialization Vulnerability                                string-tcp             high            false
18457.0    Microsoft Internet Explorer Cross Domain Information Leak        string-tcp             high            false
19699.0    Firefox location.hostname Null Byte Vulnerability                string-tcp             high            false
21019.0    Microsoft SQL Server 2000 Client Components ActiveX Control Buffer Overflow string-tcp  high            false
21379.0    Oracle TimesTen Remote Format String                             service-http           high            false
22899.0    Redhat Directory Server HTTP Header Parsing Overflow             service-http           high            false
23782.2    HP OpenView Network Node Manager Buffer Overflow                 string-tcp             informational   true

CAVEATS

None.

Modified signature(s) detail: The following signatures have been retired:
22899-0  Redhat Directory Server HTTP Header Parsing Overflow
21379-0  Oracle TimesTen Remote Format String
21019-0  Microsoft SQL Server 2000 Client Components ActiveX Control Buffer Overflow
19699-0  Firefox location.hostname Null Byte Vulnerability
18457-0  Microsoft Internet Explorer Cross Domain Information Leak
17998-0  JRE Deserialization Vulnerability
17997-0  Multiple Vendor rdesktop Process_redirect_pdu() BSS Overflow Vulnerability
17957-0  IBM Websphere Application Server XSS
17256-0  HPISDataManager.dll Arbitrary File Download
16514-0  WordPad Word 97 Text Converter Vulnerability
16175-0  Oracle Database Server DBMS_AQELM Package Buffer Overflow
16013-0  Borland Interbase Integer Overflow Vulnerability
15994-0  BitDefender Adobe PDF Memory Corruption Vulnerability
15294-0  Chrome URI Handler Remote Command Execution
15153-0  libspf2 DNS TXT Record Parsing Buffer Overflow
15017-0  Oracle Secure Backup Login.php Command Injection

The following signature has a modified regex:
23782-2  HP OpenView Network Node Manager Buffer Overflow
=================================================================================================
S627 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
32689.0    service-http                        high           true     Cisco SRP 500 Series Web Interface Command Injection Vulnerability
42106.0    service-http                        medium         true     Cisco Unauthenticated Configuration Upload Vulnerability
42126.0    service-http                        high           true     Cisco SRP 500 Series Directory Traversal Vulnerability

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S626 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
3793.1     string-xl-tcp                       high           true     ZENworks 6.5 Authentication Overflow
41846.1    service-http                        high           false    Generic Cross Site Scripting Attack

CAVEATS

None.

Modified signature(s) detail:

Sig 41846-1 has been retired.
Sig 3793-1 was activated/enabled in this release.
=================================================================================================
S625 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
41766.0    multi-string                        high           true     Microsoft .NET Framework Unmanaged Objects Vulnerability
41786.0    multi-string                        high           true     Microsoft .NET Framework Heap Corruption
41806.0    string-tcp                          high           true     Windows Kernel-Mode Drivers GDI Access Violation Vulnerability
41846.0    service-http                        high           true     Generic Cross Site Scripting Attack
41846.1    service-http                        high           true     Generic Cross Site Scripting Attack
41847.0    multi-string                        high           true     Microsoft Internet Explorer HtmlLayout Remote Code Execution
41866.0    multi-string                        low            true     Microsoft Internet Explorer Null Byte Information Disclosure
41906.0    string-tcp                          high           true     Windows Msvcrt.dll Buffer Overflow
41946.0    service-http                        high           true     Microsoft Sharepoint XSS Vulnerability

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S624 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.
TUNED SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
5395.0     string-tcp                          medium         false    Cisco ACNS Authentication Library Buffer Overflow
5403.0     string-tcp                          medium         true     OpenSSL SSL OR TLS Malformed Handshake DoS
5414.0     string-tcp                          high           false    Microsoft NNTP Heap Overflow Vulnerability
5436.1     string-tcp                          high           false    RXBot Activity
5466.0     string-tcp                          high           false    Computer Associates License Suite PUTOLF Buffer Overflow
5468.0     string-tcp                          high           false    Computer Associates License Suite Invalid Command Overflow
5478.1     string-tcp                          high           false    Microsoft Exchange SMTP Overflow
5508.0     atomic-ip                           medium         false    Malformed IKE Packet DoS
5536.0     atomic-ip                           low            false    Gnutella File Search
5656.0     string-tcp                          medium         false    Oracle TNS Listener DoS
5661.0     service-http                        high           false    Long HTTP Request
5718.1     string-tcp                          high           false    VERITAS NetBackup Volume Manager Daemon Buffer Overflow
5725.0     string-tcp                          high           false    Novell NMAP Agent Buffer Overflow
5763.0     service-http                        high           false    Wireless Control System Cross Server Site Scripting
6178.0     atomic-ip                           high           false    SIP Message DoS
6259.0     string-tcp                          high           false    HP Linux Printing And Imaging hpssd Command Injection
6775.1     string-tcp                          high           false    Microsoft Office Works Converter Remote Code Execution
6928.0     string-tcp                          high           false    Microsoft Outlook mailto URI Remote Code Execution
6964.0     service-http                        high           false    Asprox Injection Attempt
6998.0     string-tcp                          high           false    Microsoft GDI-Plus WMF Buffer Overrun Exploit
11002.1    service-p2p                         low            false    Gnutella Server Reply
11005.0    string-tcp                          low            false    KaZaA Client Activity
11005.1    service-http                        low            false    KaZaA Client Activity
11008.1    service-p2p                         low            false    Morpheus File Request
11020.1    service-p2p                         low            false    BitTorrent Client Activity
11021.0    atomic-ip                           low            false    MP2P Client Scan
11023.1    service-p2p                         low            false    Soulseek Client Login
11026.0    service-http                        low            false    Napster Activity
11027.1    service-p2p                         low            false    Gnutella File Search
11029.0    string-tcp                          low            false    WinMx Download
11030.0    service-http                        low            false    Bittorrent Tracker Query
11031.0    service-http                        low            false    Bittorrent Tracker Scrape
11032.0    service-p2p                         low            false    Share TCP Detected
11033.0    service-p2p                         low            false    Share UDP Detected
11245.0    string-tcp                          medium         false    IRC Server Connection
11245.1    string-tcp                          informational  false    IRC Server Connection
11245.2    fixed-tcp                           informational  false    IRC Server Connection

CAVEATS

None.

Modified signature(s) detail:

The following signatures have been retired in this release:
 11245-2 IRC Server Connection
 11245-1 IRC Server Connection
 11245-0 IRC Server Connection
 11033-0 Share UDP Detected
 11032-0 Share TCP Detected
 11031-0 Bittorrent Tracker Scrape
 11030-0 Bittorrent Tracker Query
 11029-0 WinMx Download
 11027-1 Gnutella File Search
 11026-0 Napster Activity
 11023-1 Soulseek Client Login
 11021-0 MP2P Client Scan
 11020-1 BitTorrent Client Activity
 11014-0 Hotline Client Login
 11008-1 Morpheus File Request
 11005-1 KaZaA Client Activity
 11005-0 KaZaA Client Activity
 11002-1 Gnutella Server Reply
 6998-0 Microsoft GDI-Plus WMF Buffer Overrun Exploit
 6964-0 Asprox Injection Attempt
 6928-0 Microsoft Outlook mailto URI Remote Code Execution
 6775-1 Microsoft Office Works Converter Remote Code Execution
 6259-0 HP Linux Printing And Imaging hpssd Command Injection
 6178-0 SIP Message DoS
 5763-0 Wireless Control System Cross Server Site Scripting
 5725-0 Novell NMAP Agent Buffer Overflow
 5718-1 VERITAS NetBackup Volume Manager Daemon Buffer Overflow
 5661-0 Long HTTP Request
 5656-0 Oracle TNS Listener DoS
 5536-0 Gnutella File Search
 5508-0 Malformed IKE Packet DoS
 5478-1 Microsoft Exchange SMTP Overflow
 5468-0 Computer Associates License Suite Invalid Command Overflow
 5466-0 Computer Associates License Suite PUTOLF Buffer Overflow
 5436-1 RXBot Activity
 5414-0 Microsoft NNTP Heap Overflow Vulnerability
 5395-0 Cisco ACNS Authentication Library Buffer Overflow

=================================================================================================
S623 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
41466.0    service-http                        high           true     Apache Tomcat Hash Table Denial of Service

TUNED SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
2100.0     sweep                               low            false    ICMP Network Sweep With Echo
3030.0     sweep                               informational  false    TCP SYN Host Sweep
3407.0     string-tcp                          high           false    Telnet Client NEW ENVIRON Option Overflow
3785.0     string-tcp                          high           false    Oracle 9i XDB FTP UNLOCK Buffer Overflow
3786.0     string-tcp                          high           false    Oracle 9i XDB FTP PASS Buffer Overflow
3790.0     string-tcp                          high           false    HP Openview Omniback II Command Execution
3791.0     string-tcp                          high           false    Solaris Printd Unlink File Deletion
3793.0     string-tcp                          high           false    ZENworks 6.5 Authentication Overflow
3793.1     string-xl-tcp                       high           false    ZENworks 6.5 Authentication Overflow
3884.0     string-tcp                          high           false    Cfengine Authentication Heap Based Buffer Overflow
5803.0     service-http                        high           false    Sygate Login Servlet SQL Injection
5809.1     string-tcp                          informational  false    DCERPC Authentication DoS
5809.2     string-tcp                          informational  false    DCERPC Authentication DoS
5809.3     string-tcp                          informational  false    DCERPC Authentication DoS
5819.0     string-tcp                          high           false    Long FTP XCRC XSHA1 XMD5 Command
5826.0     string-tcp                          high           false    EIQ ESA Topology Delete Device Overflow
5830.0     service-http                        high           false    Cisco Secure Access Control Server HTTP Request Overflow
5845.0     string-tcp                          high           false    Word Memory Corruption Exploit
5855.0     string-tcp                          high           false    Helix Remote Code Execution
5859.0     string-tcp                          high           false    uTorrent File Handling Buffer Overflow
5866.0     string-tcp                          high           false    IBM Lotus Domino IMAP CRAM-MD5 Overflow
5871.0     string-tcp                          high           false    Urlmon.dll COM Object Instantiation
5884.0     service-generic                     high           false    IOS NHRP Buffer Overflow
5884.1     service-generic                     high           false    IOS NHRP Buffer Overflow
5888.0     string-tcp                          high           false    TLBINF32.DLL COM Object Instantiation
5919.0     string-tcp                          high           false    Microsoft Kodak Image Viewer Overflow
5931.1     service-http                        high           false    Google Ratproxy
6030.0     service-msrpc                       high           false    Microsoft Windows Message Queuing Service Code Execution
6057.0     service-dns                         high           false    DNS SIG Buffer Overflow
6061.1     service-dns                         medium         false    DNS Infoleak
7201.0     service-p2p                         low            false    Gnutella Upload and Download Stream
7203.0     service-p2p                         medium         false    ARES P2P activity
7245.0     string-tcp                          high           false    Microsoft Excel Integer Overflow
7247.0     string-tcp                          high           false    Window Location Property Cross Domain Information Disclosure
7259.0     service-msrpc                       high           false    Microsoft Message Queing Remote Code Execution
11000.3    service-p2p                         low            false    KaZaA v2 UDP Client Probe
11001.1    service-p2p                         low            false    Gnutella Client Request

CAVEATS

None.

Modified signature(s) detail:

The modified signatures in this release have been retired.

=================================================================================================
S622 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
41506.0    string-tcp                          high           true     krb5-telnet Encryption Key ID Buffer Overflow

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S621 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.
TUNED SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
6968.0     meta                                high           false    Microsoft Access Snapshot Viewer ActiveX Remote Code Execution
6968.3     string-tcp                          informational  false    Microsoft Access Snapshot Viewer ActiveX Remote Code Execution
7282.0     service-http                        high           false    SecurityGateway Username Buffer Overflow
7283.0     string-tcp                          high           false    Microsoft XML Core Services RCE
7283.1     string-tcp                          high           false    Microsoft XML Core Services RCE
7283.2     string-tcp                          high           false    Microsoft XML Core Services RCE
7287.0     service-http                        high           false    KernelBot
7289.0     string-tcp                          high           false    SAP MaxDB Remote Arbitrary Commands Execution
7299.0     string-tcp                          high           false    Microsoft Word RTF RCE
7302.0     string-tcp                          high           false    Microsoft Windows Search Remote Code Execution
7303.0     string-tcp                          high           false    Microsoft Excel File Parsing Overflow
7304.0     string-tcp                          high           false    Microsoft Word File Parsing Overflow
7428.0     string-tcp                          high           false    Microsoft Word RTF File Code Execution
7429.0     string-tcp                          high           false    Microsoft Windows Search-ms Protocol Handler Code Execution
7434.0     string-tcp                          high           false    Microsoft Word Memory Corruption Vulnerability
11001.0    string-tcp                          low            false    Gnutella Client Request
11003.0    string-tcp                          low            false    Qtella File Request
11003.1    service-p2p                         low            false    Qtella File Request
11004.1    service-p2p                         low            false    Bearshare File Request
11005.2    service-p2p                         low            false    KaZaA Client Activity
11006.1    service-p2p                         low            false    Gnucleus File Request
11007.0    string-tcp                          low            false    Limewire File Request
11008.0    string-tcp                          low            false    Morpheus File Request
11009.0    string-tcp                          low            false    Phex File Request
11010.0    string-tcp                          low            false    Swapper File Request
11010.1    service-p2p                         low            false    Swapper File Request
11011.0    string-tcp                          low            false    XoloX File Request
11011.1    service-p2p                         low            false    XoloX File Request
11012.0    string-tcp                          low            false    GTK-Gnutella File Request
11012.1    service-p2p                         low            false    GTK-Gnutella File Request
11013.0    string-tcp                          low            false    Mutella File Request
11013.1    service-p2p                         low            false    Mutella File Request
11017.0    string-tcp                          low            false    Direct Connect Server Reply
11018.0    string-tcp                          low            false    eDonkey Activity
12501.7    service-h225                        low            false    H225 Q931 signature 1
12501.13   service-h225                        low            false    H225 Q931 signature 1
12501.27   service-h225                        low            false    H225 Q931 signature 1
12501.35   service-h225                        low            false    H225 Q931 signature 1
12502.1    service-h225                        low            false    H225 TPKT signature 1
12503.2    service-h225                        low            false    H225 SETUP signature 1
12503.3    service-h225                        low            false    H225 SETUP signature 1
12503.4    service-h225                        low            false    H225 SETUP signature 1
12505.4    service-h225                        low            false    H225 SETUP fixed signature 1
12505.6    service-h225                        low            false    H225 SETUP fixed signature 1
12634.2    application-policy-enforcement-http low            false    Content Type audio basic Header Check
35646.0    string-tcp                          high           true     SMB Transaction Parsing Vulnerability

CAVEATS

None.

Modified signature(s) detail:

The modified signatures in this release have been retired.

=================================================================================================
S620 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.
TUNED SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
6789.0     string-tcp                          high           false    Winamp Ultravox Stream Title Stack Overflow
6966.2     string-tcp                          informational  false    Malformed Search File Code Execution
6968.1     meta                                informational  false    Microsoft Access Snapshot Viewer ActiveX Remote Code Execution
6968.2     string-tcp                          informational  false    Microsoft Access Snapshot Viewer ActiveX Remote Code Execution
6969.0     string-tcp                          high           false    Microsoft Word Smart Tag Corruption Exploit
6975.0     string-tcp                          high           false    Arbitrary File Upload In CA ARCserve
6978.0     string-tcp                          high           false    PowerPoint Parsing Overflow
6983.0     string-tcp                          high           false    Microsoft PICT Filter Parsing Exploit
6984.0     meta                                high           false    Windows Image Color Management System RCE
6985.0     string-tcp                          high           false    Microsoft Office WPG Image File Heap Corruption Exploit
6986.1     string-tcp                          high           false    Microsoft IE HTML Objects Memory Corruption Exploit
6999.0     atomic-ip                           medium         false    Cisco PIM Multicast Denial of Service Attack
7210.0     string-tcp                          high           false    Microsoft Excel Remote Code Execution
7210.1     string-tcp                          high           false    Microsoft Excel Remote Code Execution
7210.2     string-tcp                          high           false    Microsoft Excel Remote Code Execution
7216.0     string-tcp                          high           false    Skype Skype4COM Heap Corruption
7225.0     string-tcp                          high           false    Adobe Flash Clipboard Hijack
7226.0     fixed-tcp                           high           false    Version Agnostic IOS Shellcode
7226.1     fixed-udp                           high           false    Version Agnostic IOS Shellcode
7232.0     string-tcp                          high           false    CA ARCserve Backup Authentication Username Overflow
7234.0     string-tcp                          high           false    CitectSCADA ODBC Service Buffer Overflow
7241.0     meta                                high           false    Akamai Download Manager ActiveX Control Remote Code Execution
7241.2     string-tcp                          informational  false    Akamai Download Manager ActiveX Control Remote Code Execution
7244.0     string-tcp                          high           false    Microsoft Excel Buffer Overflow
7245.1     string-tcp                          high           false    Microsoft Excel Integer Overflow
7245.2     string-tcp                          high           false    Microsoft Excel Integer Overflow
7246.0     string-tcp                          high           false    Microsoft Excel Spreadsheet Buffer Overflow
7256.0     meta                                high           false    ActSoft DVD-Tools ActiveX control Buffer Overflow
7256.1     string-tcp                          informational  false    ActSoft DVD-Tools ActiveX control Buffer Overflow
7256.2     string-tcp                          informational  false    ActSoft DVD-Tools ActiveX control Buffer Overflow
7257.0     string-tcp                          high           false    Microsoft Internet Explorer Cross Domain Information Disclosure
7258.0     string-tcp                          high           false    SMB Remote Code Execution
7261.0     string-tcp                          high           false    IPP Service Integer Overflow Exploit
7262.0     string-tcp                          high           false    Active Directory Overflow Exploit
7264.0     meta                                high           false    Adobe util.printf JavaScript Stack Buffer Overflow
7264.2     string-tcp                          informational  false    Adobe util.printf JavaScript Stack Buffer Overflow
7264.3     string-tcp                          high           false    Adobe util.printf JavaScript Stack Buffer Overflow
7264.4     string-tcp                          high           false    Adobe util.printf JavaScript Stack Buffer Overflow
7265.0     string-tcp                          high           false    GDI Integer Overflow
7277.0     multi-string                        high           false    Microsoft Windows SMB WRITE_ANDX Memory Corruption
7278.0     string-tcp                          high           false    Quicktime Itunes Heap Overflow
7280.1     service-smb-advanced                high           false    Windows Server Service Remote Code Execution

CAVEATS

None.

Modified signature(s) detail:

The modified signatures in this release have been retired.

=================================================================================================
S619 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.
TUNED SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
5743.0     string-tcp                          high           false    PeerCast Buffer Overflow
6283.0     string-tcp                          high           false    Malformed BMP Filter Vulnerability
6296.0     service-http                        high           false    IBM Lotus Sametime Server Multiplexer Stack Buffer Overflow
6297.0     meta                                high           false    RealPlayer ActiveX Import Method Buffer Overflow
6412.0     atomic-ip                           high           false    Malformed BGP Message
6509.0     meta                                high           false    Microsoft DXmedia SDK6 ActiveX Control
6509.1     string-tcp                          informational  false    Microsoft DXmedia SDK6 ActiveX Control
6509.2     string-tcp                          informational  false    Microsoft DXmedia SDK6 ActiveX Control
6527.0     string-tcp                          high           false    Microsoft Publisher Invalid Memory Reference RCE
6530.0     string-tcp                          high           false    SynCE Command Injection
6532.0     string-tcp                          high           false    Perdition IMAP Proxy str_vwrite Format String
6533.0     string-tcp                          high           false    Computer Associates BrightStor ARCserve Backup Discovery Service
6535.0     meta                                high           false    Facebook Photo Uploader ActiveX Control
6535.1     string-tcp                          informational  false    Facebook Photo Uploader ActiveX Control
6539.0     string-tcp                          high           false    Microsoft Malware Protection Engine DoS
6539.1     string-tcp                          high           false    Microsoft Malware Protection Engine DoS
6543.0     service-http                        high           false    CiscoWorks Common Services Arbitrary Code Injection
6732.0     string-tcp                          high           false    CA BrightStor ARCServe Backup LGServer Password Buffer Overflow
6755.0     atomic-ip                           high           false    Windows Remote Kernel TCPIP ICMP Vulnerability
6765.0     service-http                        high           false    Cisco Application Velocity System Default Passwords
6793.0     string-tcp                          high           false    Microsoft Windows GDI Image Handling
6793.1     string-tcp                          high           false    Microsoft Windows GDI Image Handling
6794.0     meta                                high           false    CA BrightStor ARCserve Backup Listservcntrl ActiveX Overflow
6794.1     string-tcp                          informational  false    CA BrightStor ARCserve Backup Listservcntrl ActiveX Overflow
6798.0     string-tcp                          high           false    HP StorageWorks Buffer Overflow
6922.0     string-tcp                          high           false    VBScript JScript Remote Code Execution
6923.0     meta                                high           false    Word Memory Corruption Vulnerability
6923.1     string-tcp                          informational  false    Word Memory Corruption Vulnerability
6929.0     string-tcp                          high           false    Microsoft Excel Memory Corruption
6930.0     meta                                high           false    Office Web Components URL Parsing Vulnerability
6932.0     string-tcp                          high           false    HTML Objects Uninitialized Memory Corruption Vulnerability
6936.0     string-tcp                          high           false    UCM Disaster Recovery Framework Command Execution
6936.1     string-tcp                          high           false    UCM Disaster Recovery Framework Command Execution
6938.0     string-tcp                          high           false    Microsoft IE Argument Handling Memory Corruption Exploit
6942.0     meta                                high           false    Yahoo ActiveX Buffer Overflow
6942.1     string-tcp                          informational  false    Yahoo ActiveX Buffer Overflow
6946.0     service-smb-advanced                high           false    Web Client Remote Code Execution Vulnerability
6961.0     string-tcp                          high           false    IE HTML Objects Memory Corruption
6966.0     meta                                high           false    Malformed Search File Code Execution
6966.1     string-tcp                          informational  false    Malformed Search File Code Execution

CAVEATS

None.

Modified signature(s) detail:

The modified signatures in this release have been retired.

=================================================================================================
S618 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.
TUNED SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
5744.0     string-tcp                          medium         false    IMAP Login DoS
5758.0     atomic-ip                           high           false    Bomberclone Buffer Overflow
5766.0     atomic-ip                           high           false    DNS Resolution Response Code Execution
5809.0     meta                                medium         false    DCERPC Authentication DoS
5827.0     meta                                high           false    Internet Explorer ActiveX Control Arbitrary Code Execution
5832.1     service-generic                     high           false    IOS Crafted IP Option Vulnerability
5832.2     service-generic                     high           false    IOS Crafted IP Option Vulnerability
5838.0     service-snmp                        high           false    IOS NAM SNMP Traffic
5841.0     service-snmp                        high           false    CatOS NAM SNMP Traffic
5843.0     service-msrpc                       high           false    CA BrightStor Tape Engine Overflow
5849.0     service-http                        high           false    Microsoft Content Management Server Vulnerability
5852.0     string-tcp                          high           false    Word Malformed String Vulnerability
5860.1     string-tcp                          informational  false    IOS FTPd Successful Login
5861.1     string-tcp                          high           false    Cisco CNS Netflow Collection Engine Default Password
5879.0     string-tcp                          high           false    Apple QuickTime Java QTPointer Vulnerability
5906.0     string-tcp                          high           false    Microsoft Malformed Word Document Code Execution
5918.0     meta                                high           false    AskJeeves Toolbar ActiveX Buffer Overflow
5918.1     string-tcp                          informational  false    AskJeeves Toolbar ActiveX Buffer Overflow
5925.0     string-tcp                          high           false    Internet Explorer HTML Object Memory Corruption
5928.0     service-smb-advanced                high           false    CSA for Windows System Driver Remote Buffer Overflow Vulnerability
5940.0     string-tcp                          high           false    HTML Objects Memory Corruption Vulnerability
5986.0     string-tcp                          high           false    Microsoft GDI GIF Parsing Vulnerability
6058.1     service-dns                         high           false    DNS SRV DoS
6059.2     service-dns                         high           false    DNS TSIG Overflow
6060.2     service-dns                         high           false    DNS Complain Overflow
6060.3     service-dns                         high           false    DNS Complain Overflow
6068.0     string-tcp                          medium         false    Cisco Wireless Control System Administrative Default Password
6100.1     service-rpc                         high           false    RPC Port Registration
6101.1     service-rpc                         high           false    RPC Port Unregistration
6767.0     string-tcp                          high           false    Microsoft Windows RSH Daemon Stack Overflow
6768.0     meta                                high           false    Samba WINS Remote Code Execution Vulnerability
6768.1     atomic-ip                           informational  false    Samba WINS Remote Code Execution Vulnerability
6768.2     atomic-ip                           informational  false    Samba WINS Remote Code Execution Vulnerability
6769.0     service-smb-advanced                high           false    Netware LSASS CIFS.NLM Driver Overflow
6775.0     string-tcp                          high           false    Microsoft Office Works Converter Remote Code Execution
6776.0     string-tcp                          high           false    Microsoft Works Converter Input Validation Remote Code Execution
6781.0     atomic-ip                           high           false    SIP Proxy Response Overflow
6782.0     atomic-ip                           high           false    SIP MIME Request Boundary Overflow
6784.0     string-tcp                          high           false    Adobe PDF Code Execution
6787.0     string-tcp                          high           false    Microsoft Office Cell Parsing Memory Corruption Vulnerability

CAVEATS

None.

Modified signature(s) detail:

The modified signatures in this release have been retired.

=================================================================================================
S617 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.
TUNED SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
3332.0     service-msrpc                       high           false    TCP MSRPC Messenger Overflow
3338.3     service-msrpc                       high           false    Windows LSASS RPC Overflow
4051.1     atomic-ip                           low            false    Snork
4507.1     service-snmp                        high           false    SNMP Protocol Violation
4507.5     service-snmp                        high           false    SNMP Protocol Violation
4507.12    service-snmp                        high           false    SNMP Protocol Violation
4507.14    service-snmp                        high           false    SNMP Protocol Violation
4507.16    service-snmp                        high           false    SNMP Protocol Violation
4507.18    service-snmp                        high           false    SNMP Protocol Violation
4507.20    service-snmp                        high           false    SNMP Protocol Violation
4507.24    service-snmp                        high           false    SNMP Protocol Violation
4507.27    service-snmp                        high           false    SNMP Protocol Violation
4507.30    service-snmp                        high           false    SNMP Protocol Violation
4507.37    service-snmp                        high           false    SNMP Protocol Violation
5368.0     service-http                        high           false    Cisco ACS Windows CSAdmin Overflow
5459.1     service-http                        medium         false    WebConnect Directory Traversal Vulnerability
5473.0     string-tcp                          high           false    Java JNLP File Command Injection
5477.0     string-tcp                          low            false    Possible Heap Payload Construction
5514.0     atomic-ip                           high           false    Cisco IP VC Embedded Community Names
5514.1     atomic-ip                           high           false    Cisco IP VC Embedded Community Names
5556.1     meta                                high           false    Javaprxy.dll Heap Overflow
5572.2     meta                                high           false    Design Tools Diagram Surface ActiveX Control
5579.1     service-smb-advanced                medium         false    SMB Remote Registry Access Attempt
5588.1     service-smb-advanced                high           false    Windows DCOM Overflow
5592.0     service-smb-advanced                high           false    SMB RFPoison Attack
5593.0     service-smb-advanced                high           false    SMB NIMDA Infected File Transfer
5597.0     service-smb-advanced                high           false    SMB MSRPC Messenger Overflow
5598.0     service-smb-advanced                high           false    Windows Workstation Service Overflow
5609.0     string-tcp                          informational  false    IE COM Object Memory Corruption Vulnerability
5609.1     meta                                high           false    IE COM Object Memory Corruption Vulnerability
5609.2     meta                                high           false    IE COM Object Memory Corruption Vulnerability
5641.0     string-tcp                          low            false    MS DTC DoS
5641.1     string-tcp                          informational  false    MS DTC DoS
5641.2     meta                                medium         false    MS DTC DoS
6104.1     service-rpc                         high           false    RPC Port Reg Spoof
6105.1     service-rpc                         high           false    RPC Port UnReg Spoof
6111.1     meta                                high           false    RPC RUSESRD Sweep
6114.1     meta                                high           false    RPC YPASSWDD Sweep
6115.1     meta                                high           false    RPC SELECTION SVC Sweep
6116.1     meta                                high           false    RPC REXD Sweep
6117.1     meta                                high           false    RPC STATUS Sweep
6118.1     meta                                high           false    RPC TTDB Sweep
6121.1     service-rpc                         informational  false    RPC RUSESRD Request
6124.1     service-rpc                         informational  false    RPC YPASSWDD Request
6125.1     service-rpc                         informational  false    RPC SELECTION SVC Request
6126.1     service-rpc                         informational  false    RPC REXD Request
6127.1     service-rpc                         informational  false    RPC STATUS Request
6128.1     service-rpc                         informational  false    RPC TTDB Request
6130.2     string-tcp                          medium         false    Microsoft Message Queuing Overflow
6130.3     meta                                high           false    Microsoft Message Queuing Overflow
6130.5     meta                                high           false    Microsoft Message Queuing Overflow
6131.10    service-smb-advanced                high           false    Microsoft Plug and Play Overflow
6179.0     atomic-ip                           medium         false    Malformed MGCP Packet
6181.0     service-generic                     medium         false    SIP DoS
6191.0     service-rpc                         high           false    RPC.tooltalk Buffer Overflow
6192.0     service-rpc                         high           false    RPC mountd Buffer Overflow
6194.1     service-rpc                         high           false    sadmind Buffer Overflow
6196.0     service-rpc                         high           false    snmpXdmid Buffer Overflow
6197.0     service-rpc                         high           false    rpc yppaswdd overflow
6198.0     service-rpc                         high           false    Long rwalld Message
6199.1     service-rpc                         high           false    Cachefsd Overflow
6224.0     atomic-ip                           high           false    Windows IGMP Overflow
6249.0     string-tcp                          high           false    Visual Studio 6 ActiveX Exploit
6258.0     string-tcp                          high           false    Microsoft IE HTML Rendering Memory Corruption
6261.0     atomic-ip                           medium         false    ISC DHCP Remote DoS
6265.0     string-tcp                          high           false    Microsoft Jet Database Engine Buffer Overflow
6270.0     string-tcp                          high           false    HP OpenView Network Node Manager Integer Overflow
6274.0     atomic-ip                           high           false    McAfee ePolicy Orchestrator Format String
6278.0     meta                                high           false    Office Web Components DataSource Vulnerability
6278.1     string-tcp                          informational  false    Office Web Components DataSource Vulnerability
6278.2     string-tcp                          informational  false    Office Web Components DataSource Vulnerability

CAVEATS

None.

Modified signature(s) detail:

All the modified signatures in this release have been retired.

=================================================================================================
S616 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
38646.0    multi-string                        high           false    QuickSoft EasyMail Objects Emimap4.dll Code Execution
38666.0    multi-string                        high           false    Quicksoft EasyMail Emmailstore.dll Code Execution
39006.0    meta                                high           true     Sybase Open Server Null Byte Stack Overflow
39006.1    string-tcp                          informational  true     Sybase Open Server Null Byte Stack Overflow
39006.2    string-tcp                          informational  true     Sybase Open Server Null Byte Stack Overflow
39046.0    multi-string                        high           false    Symantec AntiVirus And Symantec Client Security ActiveX Control
39246.0    service-generic                     high           false    DATAC RealFlex RealWin v2.1 Buffer Overflow
39266.0    service-generic                     high           false    DATAC RealFlex RealWin v2.1 Buffer Overflow
39286.0    service-generic                     high           false    DATAC RealFlex RealWin v2.1 Buffer Overflow
39287.0    service-generic                     high           false    DATAC RealFlex RealWin v2.1 Buffer Overflow
39288.0    service-generic                     high           false    DATAC RealFlex RealWin v2.1 Buffer Overflow
39926.0    string-tcp                          high           true     Apple Safari File URL Handling Remote Code Execution
40006.0    string-tcp                          high           true     Webex Player Memory Corruption
40086.0    string-tcp                          high           true     SSL Denial of Service Tool
40546.0    string-tcp                          high           true     Microsoft Excel Record Parsing Use After Free Vulnerability
40546.1    string-tcp                          high           true     Microsoft Excel Record Parsing Use After Free Vulnerability
40566.0    string-tcp                          high           true     Microsoft Excel Out of Bounds Array Indexing Vulnerability
41046.0    string-tcp                          high           true     Microsoft Anti-Cross Site Scripting Library Vulnerability
41086.0    multi-string                        high           true     Windows Media Component MIDI Remote Code Execution Vulnerability

TUNED SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
3710.0     service-http                        low            false    Cisco Secure ACS Directory Traversal
5681.0     atomic-ip                           high           false    ISC DHCP Daemon Buffer Overflow
6130.13    meta                                informational  false    Microsoft Message Queuing Overflow
6784.0     string-tcp                          high           false    Adobe PDF Code Execution
18380.1    state                               high           false    Novell GroupWise SMTP Buffer Overflow
21559.0    string-tcp                          high           true     Microsoft Excel Memory Corruption Vulnerability
21559.1    string-tcp                          high           true     Microsoft Word Memory Corruption Vulnerability
32719.0    service-http                        high           true     Cisco Telepresence Unauthenticated Remote Arbitrary Command Execution

CAVEATS

None.

Modified signature(s) detail:

The following signatures have been retired:
 6784-0 Adobe PDF Code Execution
 3710-0 Cisco Secure ACS Directory Traversal
 6130-13 Microsoft Message Queuing Overflow

The following signatures have modified sig names or descriptions:
 5681-0 ISC DHCP Daemon Buffer Overflow
 21559-1 Microsoft Word Memory Corruption Vulnerability
 21559-0 Microsoft Excel Memory Corruption Vulnerability
 32719-0 Cisco Telepresence Unauthenticated Remote Arbitrary Command Execution
 18380-1 Novell GroupWise SMTP Buffer Overflow

=================================================================================================
S615 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
34065.0    service-http                        high           true     HP OpenView Network Node Manager Remote Code Execution
34705.0    service-smb-advanced                high           false    Windows Client Service for NetWare Memory Corruption Vulnerability
34845.0    meta                                high           false    RealNetworks RealPlayer RecordClip Parameter Injection Code Execution
34845.1    string-tcp                          informational  false    RealNetworks RealPlayer RecordClip Parameter Injection Code Execution
34845.2    string-tcp                          informational  false    RealNetworks RealPlayer RecordClip Parameter Injection Code Execution
34845.3    string-tcp                          informational  false    RealNetworks RealPlayer RecordClip Parameter Injection Code Execution
35065.0    string-tcp                          high           false    Microsoft Excel Malformed Record Code Execution
35646.0    string-tcp                          high           true     SMB Transaction Parsing Vulnerability
35666.0    string-tcp                          high           true     Adobe Shockwave Player Director File Record Processing Remote Code Execution Vulnerability
36006.0    multi-string                        high           true     Adobe printSeps() Remote Code Execution
36186.0    multi-string                        high           false    Microsoft Visual Basic Library Buffer Overflow
36586.0    string-tcp                          high           false    Audio Lib Player Remote Stack Buffer Overflow
36626.0    multi-string                        high           true     Adobe Flash Actionscript Memory Corruption Vulnerability
36866.0    string-tcp                          high           true     DATAC RealWin SCADA Server Buffer Overflow
36866.1    string-tcp                          high           true     DATAC RealWin SCADA Server Buffer Overflow
36866.2    string-tcp                          high           true     DATAC RealWin SCADA Server Buffer Overflow
36866.3    string-tcp                          high           true     DATAC RealWin SCADA Server Buffer Overflow
36866.4    string-tcp                          high           true     DATAC RealWin SCADA Server Buffer Overflow
36866.5    string-tcp                          high           true     DATAC RealWin SCADA Server Buffer Overflow
37706.0    service-http                        high           false    Netgear WNR2000 FW 1.2.0.8 Information Disclosure
37786.0    multi-string                        high           true     Microsoft PowerPoint Memory Handling Arbitrary Code Execution
37806.0    string-tcp                          high           false    Net Transport OP_LOGINREQUEST Arbitrary Code Execution
37886.0    multi-string                        high           true     Adobe Acrobat and Reader Memory Corruption Vulnerability
38366.0    multi-string                        high           false    McAfee Remediation Client ActiveX Control Buffer Overflow
38466.0    string-tcp                          high           false    ClamAV Popen() Function Arbitrary Code Execution

TUNED SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
1710.0     atomic-ip-advanced                  low            false    IPv6 Extensions Headers Out Of Order
1711.0     atomic-ip-advanced                  low            false    Duplicate IPv6 Extension Headers
1716.0     atomic-ip-advanced                  low            false    IPv6 Options Padding Too Long
1718.0     atomic-ip-advanced                  low            false    IPv6 Option Data Too Short
1720.0     atomic-ip-advanced                  informational  false    IPv6 Jumbo Payload Option Set
1728.0     atomic-ip-advanced                  informational  false    IPv6 Routing Header Type 0
1730.0     atomic-ip-advanced                  informational  false    IPv6 Type 1 Routing Header
1738.0     atomic-ip-advanced                  informational  false    IPv6 Unnecessary Fragment Header
5590.1     service-smb-advanced                informational  false    SMB User Enumeration
5591.1     service-smb-advanced                informational  false    SMB Windows Share Enumeration
12910.0    application-policy-enforcement-ftp  low            false    Define ftp command mkd
12911.0    application-policy-enforcement-ftp  low            false    Define ftp command mode
12912.0    application-policy-enforcement-ftp  low            false    Define ftp command nlst
12913.0    application-policy-enforcement-ftp  low            false    Define ftp command noop
12919.0    application-policy-enforcement-ftp  low            false    Define ftp command rein
36606.0    atomic-ip-advanced                  low            false    Cisco IOS ICMPv6 Fingerprinting Vulnerability

CAVEATS

None.

Modified signature(s) detail:

The following signatures have been retired:
 12919-0 Define ftp command rein
 12913-0 Define ftp command noop
 12912-0 Define ftp command nlst
 12911-0 Define ftp command mode
 12910-0 Define ftp command mkd
 5591-1 SMB Windows Share Enumeration
 5590-1 SMB User Enumeration
 1738-0 IPv6 Unnecessary Fragment Header
 1730-0 IPv6 Type 1 Routing Header
 1728-0 IPv6 Routing Header Type 0
 1720-0 IPv6 Jumbo Payload Option Set
 1718-0 IPv6 Option Data Too Short
 1716-0 IPv6 Options Padding Too Long
 1711-0 Duplicate IPv6 Extension Headers
 36006-0 Adobe printSeps() Remote Code Execution

=================================================================================================
S614 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
40826.0    service-http                        high           true     Splunk Command Injection

TUNED SIGNATURES

SIGID      ENGINE                              SEVERITY       ENABLED  SIGNAME
6120.0     service-rpc                         informational  false    RPC RSTATD Request
6121.0     service-rpc                         informational  false    RPC RUSESRD Request
6124.0     service-rpc                         informational  false    RPC YPASSWDD Request
6125.0     service-rpc                         informational  false    RPC SELECTION SVC Request
6126.0
RPC REXD Request service-rpc informational false 6127.0 RPC STATUS Request service-rpc informational false 6128.0 RPC TTDB Request service-rpc informational false 7101.0 ARP Source Broadcast atomic-arp informational false 12500.1 H225 ASN signature 1 service-h225 low false 12500.2 H225 ASN signature 1 service-h225 low false 12500.3 H225 ASN signature 1 service-h225 low false 12500.4 H225 ASN signature 1 service-h225 low false 12500.5 H225 ASN signature 1 service-h225 low false 12500.7 H225 ASN signature 1 service-h225 low false 12500.8 H225 ASN signature 1 service-h225 low false 12501.2 H225 Q931 signature 1 service-h225 low false 12501.8 H225 Q931 signature 1 service-h225 low false 12501.9 H225 Q931 signature 1 service-h225 low false 12501.11H225 Q931 signature 1 service-h225 low false 12501.12H225 Q931 signature 1 service-h225 low false 12501.14H225 Q931 signature 1 service-h225 low false 12501.15H225 Q931 signature 1 service-h225 low false 12501.16H225 Q931 signature 1 service-h225 low false 12501.17H225 Q931 signature 1 service-h225 low false 12501.19H225 Q931 signature 1 service-h225 low false 12501.20H225 Q931 signature 1 service-h225 low false 12501.21H225 Q931 signature 1 service-h225 low false 12501.22H225 Q931 signature 1 service-h225 low false 12501.23H225 Q931 signature 1 service-h225 low false 12501.24H225 Q931 signature 1 service-h225 low false 12501.25H225 Q931 signature 1 service-h225 low false 12501.26H225 Q931 signature 1 service-h225 low false 12501.28H225 Q931 signature 1 service-h225 low false 12501.29H225 Q931 signature 1 service-h225 low false 12501.30H225 Q931 signature 1 service-h225 low false 12501.31H225 Q931 signature 1 service-h225 low false 12501.32H225 Q931 signature 1 service-h225 low false 12501.33H225 Q931 signature 1 service-h225 low false 12501.34H225 Q931 signature 1 service-h225 low false 12501.37H225 Q931 signature 1 service-h225 low false 12501.39H225 Q931 signature 1 service-h225 low false 12501.40H225 Q931 signature 1 
service-h225 low false 12501.41H225 Q931 signature 1 service-h225 low false 12501.42H225 Q931 signature 1 service-h225 low false CAVEATS None. Modified signature(s) detail: The modified signatures in this release have been retired. ================================================================================================= S613 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 34485.0 WordPress Host Header service-http high false Processing Cross-Site Scripting 36346.0 HP NNM CGI webappmon.exe service-http high true OvJavaLocale Buffer Overflow 36366.0 HP OpenView Network Node service-http high true Manager ovwebsnmpsrv.exe ovutil Buffer Overflow 40226.0 IBM Lotus Domino service-http high true HPRAgentName Parameter Stack Buffer Overflow TUNED SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 3175.0 ProFTPD STAT DoS string-tcp low false 3232.0 WWW finger attempt service-http low false 4052.1 Chargen DoS atomic-ip low false 4052.2 Chargen DoS atomic-ip low false 5051.2 IIS Double Byte Code Page service-http low false 5477.1 Possible Heap Payload string-tcp low false Construction 5477.2 Possible Heap Payload string-tcp informational false Construction 5534.0 KaZaA UDP Client Probe atomic-ip low false 5556.2 Javaprxy.dll Heap Overflow string-tcp informational false 5556.3 Javaprxy.dll Heap Overflow meta high false 5556.4 Javaprxy.dll Heap Overflow meta high false 5640.0 XML Race Condition in meta high false Internet Explorer 5640.1 XML Race Condition in string-tcp informational false Internet Explorer 5640.2 XML Race Condition in string-tcp informational false Internet Explorer 5640.3 XML Race Condition in string-tcp informational false Internet Explorer 5771.0 Winny Activity service-http low false 5789.0 HTTP Tunnel Client service-http informational false Activity 5905.0 Microsoft Internet string-tcp low false Explorer Address Bar Spoof 5905.1 Microsoft Internet string-tcp low false Explorer Address Bar Spoof 6792.0 SQL Memory 
Corruption service-http high false Vulnerability 6988.0 WebEx Meeting Manager meta high false ActiveX Overflow 6988.1 WebEx Meeting Manager string-tcp informational false ActiveX Overflow 7209.0 Trend Micro OfficeScan BO meta high false Exploit 7209.1 Trend Micro OfficeScan BO string-tcp informational false Exploit 7248.0 Microsoft SQL Server 2000 meta high false Client Components ActiveX Buffer Overflow 7248.1 Microsoft SQL Server 2000 string-tcp informational false Client Components ActiveX Buffer Overflow 7251.0 Iseemedia LPViewer meta high false ActiveX Buffer Overflows 7251.1 Iseemedia LPViewer string-tcp informational false ActiveX Buffer Overflows 19159.0 Green Dam Youth Escort service-http informational false Software Update Check 20360.0 Xunlei Activity string-tcp low false 21820.0 Microsoft LSA Subsystem string-tcp low false DoS 22522.0 Firefox Resource Directory string-tcp low false 33480.0 Cisco NAC Guest Server atomic-ip high true Vulnerability 33861.0 Cisco TelePresence meta high false Recording Server Command Execution Vulnerability 33861.1 Cisco TelePresence service-http informational false Recording Server Command Execution Vulnerability 33861.2 Cisco TelePresence service-http informational false Recording Server Command Execution Vulnerability 33861.3 Cisco TelePresence service-http informational false Recording Server Command Execution Vulnerability 33861.4 Cisco TelePresence service-http informational false Recording Server Command Execution Vulnerability 37566.0 Visual Studio Information string-tcp low false Leak 40466.0 Microsoft Internet string-tcp high false Explorer HTML Behavior Remote Code Execution CAVEATS None. 
Modified signature(s) detail: Following signatures are retired: 37566-0 Visual Studio Information Leak 33861-4 Cisco TelePresence Recording Server Command Execution Vulnerability 33861-3 Cisco TelePresence Recording Server Command Execution Vulnerability 33861-2 Cisco TelePresence Recording Server Command Execution Vulnerability 33861-1 Cisco TelePresence Recording Server Command Execution Vulnerability 33861-0 Cisco TelePresence Recording Server Command Execution Vulnerability 22522-0 Firefox Resource Directory 21820-0 Microsoft LSA Subsystem DoS 21539-0 FTP Service for IIS Denial of Service 20360-0 Xunlei Activity 19159-0 Green Dam Youth Escort Software Update Check 7251-1 Iseemedia LPViewer ActiveX Buffer Overflows 7251-0 Iseemedia LPViewer ActiveX Buffer Overflows 7248-1 Microsoft SQL Server 2000 Client Components ActiveX Buffer Overflow 7248-0 Microsoft SQL Server 2000 Client Components ActiveX Buffer Overflow 7209-1 Trend Micro OfficeScan BO Exploit 7209-0 Trend Micro OfficeScan BO Exploit 6988-1 WebEx Meeting Manager ActiveX Overflow 6988-0 WebEx Meeting Manager ActiveX Overflow 6792-0 SQL Memory Corruption Vulnerability 6130-0 Microsoft Message Queuing Overflow 5905-1 Microsoft Internet Explorer Address Bar Spoof 5905-0 Microsoft Internet Explorer Address Bar Spoof 5789-0 HTTP Tunnel Client Activity 5771-0 Winny Activity 5640-3 XML Race Condition in Internet Explorer 5640-2 XML Race Condition in Internet Explorer 5640-1 XML Race Condition in Internet Explorer 5640-0 XML Race Condition in Internet Explorer 5556-4 Javaprxy.dll Heap Overflow 5556-3 Javaprxy.dll Heap Overflow 5556-2 Javaprxy.dll Heap Overflow 5534-0 KaZaA UDP Client Probe 5477-2 Possible Heap Payload Construction 5477-1 Possible Heap Payload Construction 5051-2 IIS Double Byte Code Page 4052-2 Chargen DoS 4052-1 Chargen DoS 3232-0 WWW finger attempt 3175-0 ProFTPD STAT DoS 40466-0 Microsoft Internet Explorer HTML Behavior Remote Code Execution 
=================================================================================================

S612 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
39647.0 | MS Internet Explorer 8 XSS | string-tcp | medium | true
40366.0 | Microsoft OLE Handling Code Injection | string-tcp | high | true
40386.0 | Microsoft Publisher Invalid Pointer Vulnerability | string-tcp | high | true
40406.0 | Microsoft Publisher Out-Bounds Array Index Vulnerability | string-tcp | high | true
40426.0 | Microsoft Excel Record Memory Corruption Vulnerability | string-tcp | high | true
40446.0 | Microsoft Windows Publisher Memory Corruption | multi-string | high | true
40466.0 | Microsoft Internet Explorer HTML Behavior Remote Code Execution | string-tcp | high | true
40486.0 | Microsoft Powerpoint Remote Code Execution | string-tcp | high | true
40506.0 | Microsoft Word Remote Code Execution | multi-string | high | true
40526.0 | Windows Media Player DVR-MS Memory Corruption Vulnerability | string-tcp | high | true
40606.0 | Adobe Reader Remote Code Execution | string-tcp | high | true

TUNED SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
3171.0 | FTP Priviledged Login | string-tcp | informational | false
3303.0 | SMB Login successful with Guest Privileges | service-smb | informational | false
3305.0 | SMB 95 98 Password File Access | service-smb | informational | false
3308.0 | SMB Remote Lsarpc Service Access Attempt | service-smb | informational | false
3310.0 | Netbios Enum Share DoS | service-smb | high | false
3313.0 | SMB Suspicious Password Usage | service-smb | low | false
3314.1 | Windows Locator Service Overflow | service-smb | high | false
3314.2 | Windows Locator Service Overflow | service-smb | high | false
3317.0 | LSASS DCE RPC Request | string-tcp | informational | false
3318.0 | DsRolerUpgradeDownlevelServer Request | string-tcp | informational | false
3319.0 | DCE RPC Request | string-tcp | informational | false
3320.0 | SMB ADMIN Hidden Share Access Attempt | service-smb | low | false
3321.0 | SMB User Enumeration | service-smb | informational | false
3322.0 | SMB Windows Share Enumeration | service-smb | informational | false
3324.0 | SMB NIMDA Infected File Transfer | service-smb | high | false
3338.1 | Windows LSASS RPC Overflow | meta | high | false
5795.0 | DHCP Option Overflow Code Execution | multi-string | high | false
5816.1 | TOR Client Activity | multi-string | low | false
5862.0 | Outlook Web Access UTF Character Script Execution | multi-string | high | false
5913.1 | PIX ASA FWSM MGCP DoS | multi-string | medium | false
6255.0 | SMB Authorization Failure | service-smb | informational | false
6295.0 | LANDesk Intel QIP Service Heal Packet Buffer Overflow | multi-string | high | false
6967.0 | Microsoft SQL Server Privilege Elevation | multi-string | high | false
18920.0 | Administrative FTP User Failed To Authenticate | meta | informational | false
50002.0 | ICS_TEST_FILE | multi-string | low | false
50012.0 | TROJ_SMALL | multi-string | medium | false
50012.1 | TROJ_SMALL | multi-string | medium | false
50012.2 | TROJ_SMALL | multi-string | medium | false
50012.3 | TROJ_SMALL | multi-string | medium | false

CAVEATS

None.

Modified signature(s) detail:

The following signatures have been retired:
50012-3 TROJ_SMALL
50012-2 TROJ_SMALL
50012-1 TROJ_SMALL
50012-0 TROJ_SMALL
50002-0 ICS_TEST_FILE
18920-0 Administrative FTP User Failed To Authenticate
6967-0 Microsoft SQL Server Privilege Elevation
6295-0 LANDesk Intel QIP Service Heal Packet Buffer Overflow
5913-1 PIX ASA FWSM MGCP DoS
5862-0 Outlook Web Access UTF Character Script Execution
5816-1 TOR Client Activity
5795-0 DHCP Option Overflow Code Execution
3338-1 Windows LSASS RPC Overflow
3319-0 DCE RPC Request
3318-0 DsRolerUpgradeDownlevelServer Request
3171-0 FTP Priviledged Login
6255-0 SMB Authorization Failure
3324-0 SMB NIMDA Infected File Transfer
3322-0 SMB Windows Share Enumeration
3321-0 SMB User Enumeration
3320-0 SMB ADMIN Hidden Share Access Attempt
3317-0 LSASS DCE RPC Request
3314-2 Windows Locator Service Overflow
3314-1 Windows Locator Service Overflow
3313-0 SMB Suspicious Password Usage
3310-0 Netbios Enum Share DoS
3308-0 SMB Remote Lsarpc Service Access Attempt
3305-0 SMB 95 98 Password File Access
3303-0 SMB Login successful with Guest Privileges

=================================================================================================

S611 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
23782.0 | HP OpenView Network Node Manager Buffer Overflow | meta | high | true
23782.1 | HP OpenView Network Node Manager Buffer Overflow | service-http | informational | true
23782.2 | HP OpenView Network Node Manager Buffer Overflow | string-tcp | informational | true
28939.0 | AstonSoft DeepBurner Path Buffer Overflow | multi-string | high | false
29819.0 | LPRng Format String Vulnerability | string-tcp | high | false
30102.0 | PHP Win32 escapeshellcmd() Input Validation Command Execution | service-http | high | false
30219.0 | Internet Explorer URLMon.DLL Denial Of Service | string-tcp | medium | false
31019.0 | Oracle Secure Backup Remote Authentication Bypass | service-http | high | false
31279.0 | Windows ATL Object Type Mismatch Code Execution | string-tcp | high | false
31379.0 | Adobe Shockwave Memory Corruption Vulnerability | multi-string | high | true
31779.0 | Microsoft MFC Library UpdateFrameTitleForDocument() Buffer Overflow | multi-string | high | false
32319.0 | Oracle Secure Backup NDMP CONNECT_CLIENT_AUTH Command Overflow | string-tcp | high | false
32439.0 | Microsoft IE 8 toStaticHTML XSS | string-tcp | high | true
33279.0 | FreePBX File Upload And Execution | service-http | high | true
33319.0 | Apache HTTP Request Long Headers | string-tcp | high | false
33339.0 | Windows Workstation Service DoS | service-smb-advanced | medium | false

TUNED SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
1304.0 | TCP Session Packet Queue Overflow | normalizer | informational | true
3333.0 | SMB MSRPC Messenger Overflow | string-tcp | high | false
3334.0 | Windows Workstation Service Overflow | service-smb | informational | false
3334.1 | Windows Workstation Service Overflow | service-smb | informational | false
3334.2 | Windows Workstation Service Overflow | string-tcp | informational | false
3334.3 | Windows Workstation Service Overflow | meta | high | false
3334.4 | Windows Workstation Service Overflow | meta | high | false
3334.5 | Windows Workstation Service Overflow | service-msrpc | high | false
3334.6 | Windows Workstation Service Overflow | service-msrpc | high | false
3334.7 | Windows Workstation Service Overflow | string-tcp | informational | false
3334.8 | Windows Workstation Service Overflow | meta | high | false
3342.1 | Windows NetDDE Overflow | string-tcp | high | false
3533.0 | Cisco IOS Misformed BGP Packet DoS | string-tcp | medium | false
5082.0 | IE HTML Objects Memory Corruption | string-tcp | high | false
5404.0 | Internet Explorer Uninitialized Memory Corruption | string-tcp | high | false
5463.1 | Computer Associates License Software GETCONFIG Buffer Overflow | string-tcp | high | false

CAVEATS

None.

Modified signature(s) detail:

The following modified signatures have been retired:
5463-1 Computer Associates License Software GETCONFIG Buffer Overflow
5404-0 Internet Explorer Uninitialized Memory Corruption
5082-0 IE HTML Objects Memory Corruption
3533-0 Cisco IOS Misformed BGP Packet DoS
3342-1 Windows NetDDE Overflow
3334-8 Windows Workstation Service Overflow
3334-7 Windows Workstation Service Overflow
3334-6 Windows Workstation Service Overflow
3334-5 Windows Workstation Service Overflow
3334-4 Windows Workstation Service Overflow
3334-3 Windows Workstation Service Overflow
3334-2 Windows Workstation Service Overflow
3334-1 Windows Workstation Service Overflow
3334-0 Windows Workstation Service Overflow
3333-0 SMB MSRPC Messenger Overflow

The following sig has modified fields:
1304-0 TCP Session Packet Queue Overflow

=================================================================================================

S610 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
6940.2 | RealPlayer ActiveX Remote Code Execution | string-tcp | informational | false
21339.2 | Helix RTSP SETUP Request Denial Of Service | string-tcp | medium | false
22059.1 | License Logging Server Heap Overflow | string-tcp | high | false

TUNED SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
12705.0 | Define Request Method REVLOG | application-policy-enforcement-http | low | false
12706.0 | Define Request Method REVADD | application-policy-enforcement-http | low | false
12707.0 | Define Request Method REVNUM | application-policy-enforcement-http | low | false
12708.0 | Define Request Method SETATTRIBUTE | application-policy-enforcement-http | low | false
12709.0 | Define Request Method GETATTRIBUTENAME | application-policy-enforcement-http | low | false
12710.0 | Define Request Method GETPROPERTIES | application-policy-enforcement-http | low | false
12711.0 | Define Request Method STARTENV | application-policy-enforcement-http | low | false
12712.0 | Define Request Method STOPREV | application-policy-enforcement-http | low | false
12713.0 | max-outstanding-requests-overrun | application-policy-enforcement-http | low | false
25780.0 | FTP STOR rhost | string-tcp | medium | true

CAVEATS

None.

Modified signature(s) detail:

The following signatures have been retired:
12712-0 Define Request Method STOPREV
12711-0 Define Request Method STARTENV
12710-0 Define Request Method GETPROPERTIES
12709-0 Define Request Method GETATTRIBUTENAME
12708-0 Define Request Method SETATTRIBUTE
12707-0 Define Request Method REVNUM
12706-0 Define Request Method REVADD
12705-0 Define Request Method REVLOG
21539-0 FTP Service for IIS Denial of Service

The following sigs have modified fields:
25780-0 FTP STOR rhost
6940-2 RealPlayer ActiveX Remote Code Execution

=================================================================================================

S609 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
24879.1 | Microsoft Internet Explorer Remote Code Execution | multi-string | high | true
28022.0 | Xenorate XPL Buffer Overflow | string-tcp | high | false
33120.0 | Solaris ypupdated Command Execution Vulnerability | atomic-ip | high | false
33121.0 | Solaris sadmind Command Execution | atomic-ip | high | false
33180.0 | Borland InterBase PWD_Db_Aliased Buffer Overflow | multi-string | high | false
34027.0 | VLC Media Player MKV File Remote Code Execution | multi-string | high | true
34505.0 | VideoLAN VLC Media Player Subtitle StripTags Heap Buffer Overflow | string-tcp | high | false
35706.0 | Distributed Ruby Remote Code Execution | fixed-tcp | high | false
35826.0 | XTACACSD Report Buffer Overflow | atomic-ip | high | false
37186.0 | HP IMC Syslog Arbitrary Code Execution | atomic-ip | high | false
37406.0 | Oracle Document Capture NCSECWLib ActiveX Buffer Overflow | multi-string | high | false
37766.0 | EasyMail IMAP4 LicenseKey Buffer Overflow | multi-string | high | false
38986.0 | Novell iPrint Client For Windows Browser Plug-in ExecuteRequest | meta | high | false
38986.1 | Novell iPrint Client For Windows Browser Plug-in ExecuteRequest | multi-string | informational | false
40066.0 | Cisco Network Registrar Default Credentials Authentication Bypass | service-http | medium | true

TUNED SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
3740.0 | IMail LDAP Service Buffer Overflow | string-tcp | high | false
5477.2 | Possible Heap Payload Construction | string-tcp | informational | true
5733.0 | Long HTTP Header Hostname | string-tcp | low | false
15193.0 | Waledac Trojan Activity | service-http | high | true
24939.0 | SafeNet SoftRemote IKE Service Buffer Overflow | atomic-ip | high | false
29919.0 | HTTP URI Evasion Attempt | service-http | high | false
37206.0 | Adobe U3D Remote Code Execution | multi-string | high | false
38526.0 | Internet Explorer Style Object Memory Corruption | multi-string | high | false

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================

S608 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
40126.0 | Microsoft Windows Mail and Microsoft Windows Meeting Space Remote Code Execution Vulnerability | multi-string | high | true

TUNED SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
26901.0 | Adobe PDF Launch Action Exploits | string-tcp | high | true

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================

S607 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
40106.0 | Duqu DNS Resolution | atomic-ip | high | true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================

S606 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
40046.0 | Cisco Small Business SRP500 Vulnerability | service-http | high | true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================

S605 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
39946.0 | Cisco Unified Contact Center Express Directory Traversal | service-http | medium | true
39946.1 | Cisco Unified Contact Center Express Directory Traversal | service-http | medium | true
39986.0 | Cisco Unified Communications Manager Directory Traversal Vulnerability | service-http | medium | true
40026.0 | Cisco Webex Recording Format File Buffer Overflow | string-tcp | high | true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================

S604 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
34565.0 | MODBUS Invalid Read Coils Request Parameters | service-generic | medium | false
34566.0 | MODBUS Invalid Read Coils Response Parameters | service-generic | medium | false
34586.0 | MODBUS Invalid Write Single Coil Request Parameters | service-generic | medium | false
34626.0 | MODBUS Invalid Read Discrete Inputs Request Parameters | service-generic | medium | false
34627.0 | MODBUS Invalid Read Discrete Inputs Response Parameters | service-generic | medium | false
34645.0 | MODBUS Invalid Read Input Registers Request Parameters | service-generic | medium | false
34646.0 | MODBUS Invalid Read Input Registers Response Parameters | service-generic | medium | false
34766.0 | MODBUS Serial Commands over TCP | string-tcp | medium | false
34925.0 | MODBUS Invalid Read Holding Registers Request Parameters | service-generic | medium | false
34926.0 | MODBUS Invalid Read Holding Registers Response Parameters | service-generic | medium | false
34947.0 | MODBUS Invalid Read FIFO Queue Response Parameters | service-generic | medium | false
34966.0 | MODBUS Invalid Read/Write Multiple Registers Response Parameters | service-generic | medium | false
34968.0 | SIS Unauthenticated Remote Programming Mode Unlock | service-generic | high | false
34969.0 | DCS Telnet Services Privilege Escalation | string-tcp | high | false
34985.0 | MODBUS Invalid Read/Write Multiple Registers Request Parameters | service-generic | medium | false
35025.0 | DCS Infrastructure Denial of Service | atomic-ip | medium | false
35028.0 | MODBUS Invalid Write Multiple Registers Request Parameters | service-generic | medium | false
35031.0 | MODBUS Invalid Write Multiple Coils Request Parameters | service-generic | low | false
35185.0 | MODBUS Illegal Read File Record Response Parameters | service-generic | medium | false
35447.0 | MODBUS Write Command | meta | informational | false
35447.1 | MODBUS Write Command | string-tcp | informational | false
35447.2 | MODBUS Write Command | string-tcp | informational | false
35486.0 | MODBUS Invalid Read File Record Request Parameters | service-generic | medium | false
35526.0 | MODBUS Invalid Write File Record Request Parameters | service-generic | medium | false
35546.0 | MODBUS Invalid Write File Record Response Parameters | service-generic | medium | false
35566.0 | MODBUS Header Length TCP Segment Size Mismatch | service-generic | medium | false
35926.0 | Large MODBUS/TCP Data Overflow | service-generic | medium | false
36266.0 | DNP3 DDL Invalid Length Parameter | string-tcp | medium | false
36286.0 | DNP3 DDL Empty User Data Crash | string-tcp | medium | false
36367.0 | CIP Malformed Electronic Key Segment in Message Router Request | service-generic | medium | false
36386.0 | Invalid CIP Connected Get Attribute Single Service Request | service-generic | medium | false
36387.0 | Invalid CIP Unconnected Get Attribute Single Service Request | service-generic | medium | false
36686.0 | MODBUS Function Code Scan | string-tcp | low | false
36706.0 | MODBUS Point List Scan | string-tcp | low | false
36746.0 | CIP Connected Reset-of-Identity-Object Request | service-generic | medium | false
36748.0 | CIP Unconnected Reset-of-Identity-Object Request | service-generic | medium | false
37266.0 | DATAC RealFlex RealWin v2.1 Buffer Overflow | service-generic | high | false
37306.0 | DATAC RealFlex RealWin v2.1 Buffer Overflow | service-generic | high | false
38087.0 | Siemens FactoryLink Absolute Directory Traversal | service-generic | high | false
38290.0 | DATAC RealFlex RealWin v2.1 Buffer Overflow | service-generic | high | false
38291.0 | DATAC RealFlex RealWin v2.1 Buffer Overflow | service-generic | high | false
38292.0 | DATAC RealFlex RealWin v2.1 Buffer Overflow | service-generic | high | false
38686.0 | Dropbox File Sharing Client | service-http | informational | false
38686.1 | Dropbox File Sharing Client | multi-string | informational | false
39067.0 | DATAC RealFlex RealWin v2.1 Buffer Overflow | service-generic | high | false
39126.0 | Siemens FactoryLink Relative Directory Traversal | service-generic | high | false
39186.0 | DATAC RealFlex RealWin v2.1 Buffer Overflow | service-generic | high | false
39206.0 | Siemens FactoryLink Buffer Overflow | service-generic | high | false

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================

S603 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
39586.0 | CiscoWorks Common Services Command Injection | service-http | high | true
39586.1 | CiscoWorks Common Services Command Injection | service-http | high | true
39866.0 | German Federal Trojan | string-tcp | high | true
39866.1 | German Federal Trojan | string-tcp | high | true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================

S602 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
37846.0 | Photodex ProShow Gold Remote Arbitrary Code Execution | string-tcp | high | false
38047.0 | IBM Tivoli Endpoint Default Password Unauthorized Access | service-http | high | false

TUNED SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
39826.0 | Microsoft Internet Explorer Jscript9.dll Remote Code Execution | multi-string | high | false

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================

S601 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
39546.0 | Internet Explorer Remote Code Execution Vulnerability | string-tcp | high | true
39566.0 | Microsoft Internet Explorer Memory Corruption | string-tcp | high | true
39606.0 | Microsoft .NET Framework Class Inheritance Vulnerability | string-tcp | high | true
39607.0 | Microsoft Host Integration Server Denial Of Service | atomic-ip-advanced | medium | true
39608.0 | Internet Explorer Select Element Remote Code Execution | string-tcp | high | true
39626.0 | Microsoft Forefront Unified Access Gateway Default Reflected XSS | service-http | high | true
39666.0 | Microsoft Ancillary Function Driver Elevation of Privilege | string-tcp | high | true
39686.0 | Microsoft Windows Font Library File Buffer Overrun Vulnerability | service-http | high | true
39687.0 | Microsoft Forefront UAG HTTP Response Splitting | service-http | medium | true
39706.0 | Microsoft Forefront Unified Access Gateway XSS Vulnerability | service-http | high | true
39726.0 | Microsoft Internet Explorer Memory Corruption Vulnerability | multi-string | high | true
39746.0 | Microsoft Internet Explorer Event Handling Remote Code Execution | string-tcp | high | true
39766.0 | Microsoft Internet Explorer Memory Corruption Remote Code Excution | string-tcp | high | true
39786.0 | Microsoft Windows Null Pointer Dereference Vulnerability | string-tcp | high | true
39787.0 | Microsoft Windows Media Center Insecure Library Loading Vulnerability | multi-string | high | true
39806.0 | Microsoft Internet Explorer Memory Corruption Vulnerability | multi-string | high | true
39826.0 | Microsoft Internet Explorer Jscript9.dll Remote Code Execution | multi-string | high | true
39846.0 | Microsoft Forefront Unified Access Gateway DOS | service-http | medium | true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================

S600 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
38406.0 | Cisco ASA TACACS+ Authentication Vulnerability | string-tcp | high | true
38446.0 | SunRPC Arithmetic Inspection Denial Of Service | multi-string | medium | true
39366.0 | Cisco ASA SunRPC Inspection Denial of Service Vulnerability | string-tcp | medium | true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================

S599 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
5513.1 | SNMP Community String Public | atomic-ip | high | false
7261.1 | IPP Service Integer Overflow Exploit | string-tcp | high | false
16155.0 | Mozilla FireFox Animated PNG Processing Integer Overflow | meta | high | false
16155.1 | Mozilla FireFox Animated PNG Processing Integer Overflow | meta | informational | false
16155.2 | Mozilla FireFox Animated PNG Processing Integer Overflow | string-tcp | informational | false
16155.3 | Mozilla FireFox Animated PNG Processing Integer Overflow | string-tcp | informational | false
16155.4 | Mozilla FireFox Animated PNG Processing Integer Overflow | string-tcp | informational | false
35346.0 | HP OpenView NNM Invalid Hostname Remote Code Execution | service-http | high | true
35586.0 | AOL Rich Text File Processing Buffer Overflow | string-tcp | high | false
35606.0 | Oracle Database Server OLAP Component Buffer Overflow | service-tns | high | false
35746.0 | Oracle Database Server Remote Privilege Escalation | multi-string | high | true
36086.0 | Microsoft Windows OpenType Font Buffer Overflow | string-tcp | high | true
36166.0 | Apple CUPS Text-to-PostScript texttops Filter Integer Overflow | multi-string | high | false
36426.0 | Microsoft Excel Remote Code Execution | multi-string | high | true
37106.0 | 7T IGSS File Operation Buffer Overflow | multi-string | high | true
37126.0 | HP IMC TFTP Server Buffer Overflow | atomic-ip | high | true
37206.0 | Adobe U3D Remote Code Execution | multi-string | high | false
37366.0 | Sun Java Web Start Splashscreen GIF Decoding Buffer Overflow | string-tcp | high | false
37826.0 | RealNetworks RealPlayer IVR Media File Handling Buffer Overflow | multi-string | high | false
38066.0 | IBM Lotus Domino Server nLDAP.exe Component Buffer Overflow | string-tcp | high | false
38186.0 | Adobe Audition Buffer Overflow | multi-string | high | false

TUNED SIGNATURES

SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED
3342.0 | Windows NetDDE Overflow | service-smb | high | false
5493.0 | Llsrpc Bind | service-smb | informational | false
5876.0 | WinZip ActiveX Control Instantiation | string-tcp | high | false
6131.0 | Microsoft Plug and Play Overflow | string-tcp | medium | false
6131.1 | Microsoft Plug and Play Overflow | string-tcp | informational | false
6131.2 | Microsoft Plug and Play Overflow | meta | high | false
6131.3 | Microsoft Plug and Play Overflow | service-smb | informational | false
6131.4 | Microsoft Plug and Play Overflow | service-smb | informational | false
6131.5 | Microsoft Plug and Play Overflow | meta | high | false
6131.10 | Microsoft Plug and Play Overflow | service-smb-advanced | high | true
6131.11 | Microsoft Plug and Play Overflow | service-smb-advanced | high | true
7261.0 | IPP Service Integer Overflow Exploit | string-tcp | high | true
33439.0 | IE Memory Corruption Vulnerability | string-tcp | high | false
34165.0 | Permanently Obsoleted Signatures | string-tcp | informational | false

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S598 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
32379.0   Cisco Unified Communications Manager SIP Denial Of Service                          atomic-ip                           high           true
33359.0   IOS Software IPv6 Denial Of Service                                                 atomic-ip-advanced                  medium         true
33899.0   Cisco IOS NAT LDAP Denial of Service Vulnerability                                  string-tcp                          high           true
34445.0   Cisco IOS SIP Vulnerability                                                         multi-string                        medium         true
38806.0   Failed htran Connection Attempt                                                     fixed-tcp                           medium         false

TUNED SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
6501.0    Tribe Flood Net Client Request                                                      traffic-icmp                        medium         false
6503.0    Stacheldraht Client Request                                                         traffic-icmp                        medium         false
20481.0   Malformed SIP Message                                                               string-tcp                          medium         false
25999.0   Malformed SIP Packet Denial of Service                                              atomic-ip                           high           true
30059.1   Malformed SIP Message                                                               string-tcp                          medium         false
33959.0   Binary Floating Point Number Conversion Denial of Service Vulnerability             service-http                        medium         true

CAVEATS

None.

Modified signature(s) detail:
The following tuned signature has a modified regex:
    25999-0 Malformed SIP Packet Denial of Service
The other tuned signatures listed above have been retired.
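Each update in these notes carries the same two tables, and the operational questions are always the same: which new signatures ship disabled (no coverage until someone turns them on), which tuned signatures are enabled by default (their changed regex or engine behaviour goes live on production sensors), and which signatures the sensor currently relies on are now shipped disabled or retired. The script below is an added example, not Cisco's code and not part of the release note; it parses tables in the SIGID / SIGNAME / ENGINE / SEVERITY / ENABLED layout used here (one row per line, column order assumed, alignment not assumed) and answers those three questions. The embedded input is an excerpt transcribed from the S598 tables above; the `active_sigids` set passed to `review()` is a hypothetical operator input standing in for the sensor's current enabled-signature list.

```python
"""Parse Cisco IPS signature-update tables and flag rows an operator must act on.

Added example, not Cisco's code.  Assumes each table row sits on one line in
the column order SIGID, SIGNAME, ENGINE, SEVERITY, ENABLED, that sections are
introduced by the literal headings "NEW SIGNATURES" / "TUNED SIGNATURES", and
that "CAVEATS" closes the last table of an update.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: an excerpt transcribed from the S598 tables in the note.
SAMPLE_S598 = """\
S598 SIGNATURE UPDATE DETAILS
NEW SIGNATURES
SIGID     SIGNAME                                  ENGINE              SEVERITY   ENABLED
32379.0   Cisco Unified Communications Manager SIP Denial Of Service   atomic-ip   high   true
33359.0   IOS Software IPv6 Denial Of Service      atomic-ip-advanced  medium     true
33899.0   Cisco IOS NAT LDAP Denial of Service Vulnerability   string-tcp   high   true
34445.0   Cisco IOS SIP Vulnerability              multi-string        medium     true
38806.0   Failed htran Connection Attempt          fixed-tcp           medium     false
TUNED SIGNATURES
SIGID     SIGNAME                                  ENGINE              SEVERITY   ENABLED
6501.0    Tribe Flood Net Client Request           traffic-icmp        medium     false
6503.0    Stacheldraht Client Request              traffic-icmp        medium     false
20481.0   Malformed SIP Message                    string-tcp          medium     false
25999.0   Malformed SIP Packet Denial of Service   atomic-ip           high       true
30059.1   Malformed SIP Message                    string-tcp          medium     false
33959.0   Binary Floating Point Number Conversion Denial of Service Vulnerability   service-http   medium   true
CAVEATS
None.
"""

# The name may contain spaces, so it is matched lazily and the fixed-vocabulary
# columns (engine token, severity, enabled) are anchored to the end of the line.
ROW_RE = re.compile(
    r"^(?P<sigid>\d+\.\d+)\s+(?P<name>.+?)\s+(?P<engine>\S+)\s+"
    r"(?P<severity>informational|low|medium|high)\s+(?P<enabled>true|false)$"
)


@dataclass(frozen=True)
class SigRow:
    sigid: str
    name: str
    engine: str
    severity: str
    enabled: bool
    section: str  # "new" or "tuned"


def parse_update(text: str) -> list[SigRow]:
    """Return every signature row found under NEW SIGNATURES / TUNED SIGNATURES."""
    rows: list[SigRow] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "NEW SIGNATURES":
            section = "new"
        elif line == "TUNED SIGNATURES":
            section = "tuned"
        elif line.startswith("CAVEATS"):
            section = None
        elif section:
            m = ROW_RE.match(line)
            if m:  # header lines and free text do not match and are skipped
                rows.append(SigRow(m["sigid"], m["name"], m["engine"], m["severity"],
                                   m["enabled"] == "true", section))
    return rows


def review(rows: list[SigRow], active_sigids: frozenset[str] = frozenset()) -> dict[str, list[SigRow]]:
    """Split the rows into the lists an operator reviews before deploying the update.

    disabled_new : new coverage that ships off; nothing fires until it is enabled.
    active_tuned : tuned signatures that are on by default, so the changed
                   behaviour goes live on production sensors with the update.
    lost_coverage: signatures the sensor currently has enabled (hypothetical
                   input) that this update ships disabled, e.g. because retired.
    """
    return {
        "disabled_new": [r for r in rows if r.section == "new" and not r.enabled],
        "active_tuned": [r for r in rows if r.section == "tuned" and r.enabled],
        "lost_coverage": [r for r in rows if r.sigid in active_sigids and not r.enabled],
    }


if __name__ == "__main__":
    parsed = parse_update(SAMPLE_S598)
    # Hypothetical: signatures this sensor had enabled before applying S598.
    report = review(parsed, frozenset({"6501.0", "25999.0"}))
    for key, hits in report.items():
        print(key, [f"{r.sigid} {r.name}" for r in hits])
```

Run against the S598 excerpt, `disabled_new` contains only 38806.0 (Failed htran Connection Attempt), `active_tuned` contains 25999.0 and 33959.0, and with 6501.0 and 25999.0 in the active set, `lost_coverage` reports 6501.0, which the note says was retired. Feeding the script the full release note instead of the excerpt works the same way, because each update's tables are closed by its own CAVEATS heading.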
=================================================================================================
S597 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
17259.2   VideoLAN VLC Media Player TY Processing Buffer Overflow                             string-tcp                          high           false
26479.0   Medal Of Honor Allied Assault Remote Buffer Overflow Vulnerability                  atomic-ip                           high           false
26979.0   RealNetworks RealPlayer SMIL Buffer Overflow Vulnerability                          string-tcp                          high           false
27079.0   SpamAssassin Spamd Remote Command Execution                                         multi-string                        high           false
27419.0   Roxio CinePlayer SonicDVDDashVRNav.DLL ActiveX Buffer Overflow                      meta                                high           false
27419.1   Roxio CinePlayer SonicDVDDashVRNav.DLL ActiveX Buffer Overflow                      string-tcp                          informational  false
27459.0   EasyMail Objects EMSMTP.DLL ActiveX Buffer Overflow                                 multi-string                        high           false
28320.0   Mozilla Firefox Javascript Navigator Object Remote Code Execution                   string-tcp                          high           false
28459.0   WinComLPD <= 3.0.2 Buffer Overflow                                                  string-tcp                          high           false
28580.0   AwingSoft Web3D Player ActiveX Overflow                                             multi-string                        high           false
28699.0   Macromedia ActiveX DownloadAndExecute                                               multi-string                        high           false
28879.0   Multiple Vendor Java Products Signed Applet Arbitrary Code Execution Vulnerability  string-tcp                          high           false
29339.0   AtHocGov IWSAlerts ActiveX Control Buffer Overflow                                  multi-string                        high           false
29359.0   VUPlayer CUE File Buffer Overflow Vulnerability                                     string-tcp                          high           false
30039.0   CA CAB File Handling Buffer Overflow Vulnerability                                  multi-string                        high           false
31560.0   IDEAL Administration IPJ File Processing Buffer Overflow                            string-tcp                          high           false
32920.0   TWiki Search Function Arbitrary Command Execution                                   service-http                        high           false
32939.0   TikiWiki Graph Formula Remote PHP Code Execution                                    service-http                        high           false
33039.0   OSCommerce 2.2 Arbitrary PHP Code Execution                                         service-http                        high           false
39166.0   Morto Worm Activity                                                                 string-tcp                          high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
31079.0   Unisys Business Information Server Stack Overflow                                   string-tcp                          high           false
33439.0   IE Memory Corruption Vulnerability                                                  string-tcp                          high           false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S596 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
39226.0   Cisco Identity Services Engine Database Default Credentials Vulnerability           service-tns                         medium         true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S595 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
39086.0   Cisco LanWorks Buffer Overflow                                                      string-tcp                          high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
24864.0   Microsoft DNS Server Cache Poisoning                                                meta                                high           false
24864.1   Microsoft DNS Server Cache Poisoning                                                atomic-ip                           informational  false
24864.2   Microsoft DNS Server Cache Poisoning                                                atomic-ip                           informational  false

CAVEATS

None.

Modified signature(s) detail: The above tuned signatures have been retired.
=================================================================================================
S594 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
38586.0   Microsoft SharePoint Server XSS Vulnerability                                       service-http                        high           true
39106.0   Sharepoint Cross Site Scripting                                                     service-http                        high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
5546.0    Internet Key Exchange DoS                                                           atomic-ip                           medium         false
6067.0    DNS TSIG Bugtraq Overflow                                                           atomic-ip                           low            false
6522.0    Failed HTTP Login / HTTP 401                                                        atomic-ip                           medium         false
6523.0    Non-Printable in SIP Header                                                         atomic-ip                           high           false
11239.0   ICQ Chat Invitation Sent                                                            string-tcp                          informational  false
11240.0   ICQ Chat Invitation Received                                                        string-tcp                          informational  false
11241.0   ICQ Specific Request                                                                string-tcp                          informational  false
11242.0   ICQ File Transfer                                                                   string-tcp                          informational  false
11244.0   MSN P2P File Transfer                                                               string-tcp                          informational  false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S593 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
16217.0   Autodesk LiveUpdate ActiveX Control Code Execution                                  meta                                high           true
16217.1   Autodesk LiveUpdate ActiveX Control Code Execution                                  string-tcp                          informational  true
16217.2   Autodesk LiveUpdate ActiveX Control Code Execution                                  string-tcp                          informational  true
30819.0   IBM Informix IDS and EMC Legato Networker librpc.dll Overflow                       service-rpc                         high           false
34007.0   HP OpenView Performance Insight Server doPost() Arbitrary Code Execution            service-http                        high           true
34145.0   Symantec Alert Management System Buffer Overflow                                    multi-string                        high           true
34205.0   IBM Informix Dynamic Server USELASTCOMMITTED Arbitrary Code Execution               string-tcp                          high           true
34285.0   Free Download Manager Torrent Parsing Buffer Overflow                               string-tcp                          high           false
34345.0   Oracle Secure Backup Administration Authentication Bypass                           service-http                        high           true
34745.0   MPlayer TwinVQ File Stack Buffer Overflow                                           multi-string                        high           false
34805.0   Novell NetWare NWFTPD.NLM DELE Command Remote Code Execution                        string-tcp                          high           true
34886.0   IBM Tivoli Storage Manager FastBack Mount Service Memory Corruption                 atomic-ip                           high           false
35009.0   Digium Asterisk UDPTL Stack Buffer Overflow                                         atomic-ip                           high           false
35286.0   HP OpenView NNM ovwebsnmpsrv.exe Code Execution                                     service-http                        high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
5648.0    Tomcat Denial of Service Attack                                                     atomic-ip                           medium         false
5716.0    IOS Stack Group Bidding Protocol DoS                                                atomic-ip                           medium         false
5739.0    Active Directory Failed Login                                                       atomic-ip                           medium         false
6009.0    SYN Flood DOS                                                                       atomic-ip                           medium         false
6184.0    Large SIP Message                                                                   atomic-ip                           medium         false
6203.1    sadmind directory traversal command exec                                            atomic-ip                           high           false
6256.0    HTTP Authorization Failure                                                          atomic-ip                           informational  false
6520.0    Long SIP Message                                                                    atomic-ip                           medium         false
6962.0    Cisco Unity DOS                                                                     atomic-ip                           medium         false
11205.0   Sametime Activity                                                                   atomic-ip                           informational  false
15016.0   DNS Query For ROOT                                                                  atomic-ip                           high           false
15255.0   PacketiX Network Traffic                                                            atomic-ip                           informational  false
15454.0   LogMeIn Hamachi Activity                                                            atomic-ip                           informational  false
15455.0   LogMeIn Product Activity                                                            atomic-ip                           low            false
15816.0   WPAD Registration Vulnerability                                                     atomic-ip                           medium         false
20481.1   Malformed SIP Message                                                               atomic-ip                           medium         false
24600.0   Cisco IOS SIP DoS                                                                   atomic-ip                           medium         false
30059.0   Malformed SIP Message                                                               atomic-ip                           medium         false

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S592 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
18441.1   Microsoft Office Excel Remote Code Execution                                        multi-string                        high           false
27759.0   SAP DB Web Server WAHTTP.EXE Buffer Overflow                                        service-http                        high           false
31199.0   Symantec Alert Management System Command Execution                                  string-tcp                          high           true
33539.1   Microsoft Office Visio Remote Code Execution                                        multi-string                        high           true
33779.0   Oracle Document Capture ActiveX Information Disclosure                              meta                                medium         true
33779.1   Oracle Document Capture ActiveX Information Disclosure                              string-tcp                          informational  true
33779.2   Oracle Document Capture ActiveX Information Disclosure                              string-tcp                          informational  true
33799.0   SAP Crystal Reports Server 2008 Directory Traversal                                 service-http                        high           true
33840.0   HP OpenView nnmRptConfig.exe Remote Code Execution                                  meta                                high           true
33840.1   HP OpenView nnmRptConfig.exe Remote Code Execution                                  service-http                        informational  true
33840.2   HP OpenView nnmRptConfig.exe Remote Code Execution                                  string-tcp                          informational  true
33939.0   HP OpenView Network Node Manager Remote Code Execution                              service-http                        high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
1004.0    IP options-Loose Source Route                                                       atomic-ip                           high           false
1007.0    IPv6 over IPv4 or IPv6                                                              atomic-ip                           informational  false
1107.0    RFC 1918 Addresses Seen                                                             atomic-ip                           informational  false
1109.0    Cisco IOS Interface DoS                                                             atomic-ip                           medium         false
1109.1    Cisco IOS Interface DoS                                                             atomic-ip                           medium         false
1109.2    Cisco IOS Interface DoS                                                             atomic-ip                           medium         false
1109.3    Cisco IOS Interface DoS                                                             atomic-ip                           medium         false
2000.0    ICMP Echo Reply                                                                     atomic-ip                           informational  false
2001.0    ICMP Host Unreachable                                                               atomic-ip                           informational  false
2001.1    ICMP Host Unreachable                                                               atomic-ip                           informational  false
2002.0    ICMP Source Quench                                                                  atomic-ip                           informational  false
2003.0    ICMP Redirect                                                                       atomic-ip                           informational  false
2004.0    ICMP Echo Request                                                                   atomic-ip                           informational  false
2005.0    ICMP Time Exceeded for a Datagram                                                   atomic-ip                           informational  false
2006.0    ICMP Parameter Problem on Datagram                                                  atomic-ip                           informational  false
2007.0    ICMP Timestamp Request                                                              atomic-ip                           informational  false
2008.0    ICMP Timestamp Reply                                                                atomic-ip                           informational  false
2009.0    ICMP Information Request                                                            atomic-ip                           informational  false
2010.0    ICMP Information Reply                                                              atomic-ip                           informational  false
2011.0    ICMP Address Mask Request                                                           atomic-ip                           informational  false
22480.0   Symantec Alert Management System Intel Alert Originator Service Buffer Overflow     multi-string                        high           true
33439.0   IE Memory Corruption Vulnerability                                                  string-tcp                          high           true
33459.0   IE Memory Corruption Vulnerability                                                  string-tcp                          high           true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S591 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
15004.0   DataApples BeyondRemote Activity                                                    service-http                        medium         false
15004.1   DataApples BeyondRemote Activity                                                    service-http                        medium         false
16193.0   Microsoft PicturePusher ActiveX AddString() File Upload Vulnerability               meta                                high           false
16193.1   Microsoft PicturePusher ActiveX AddString() File Upload Vulnerability               string-tcp                          informational  false
16193.2   Microsoft PicturePusher ActiveX AddString() File Upload Vulnerability               string-tcp                          informational  false
16193.3   Microsoft PicturePusher ActiveX AddString() File Upload Vulnerability               string-tcp                          informational  false
17264.0   FTP FlashGet 'PWD' Response Denial of Service Vulnerability                         string-tcp                          high           false
23339.0   IBM Director CIM Server Denial of Service Vulnerability                             service-http                        medium         false
24240.0   Cisco Digital Media Manager Vulnerability                                           multi-string                        high           true
25499.0   Opera URL Buffer Overflow                                                           string-tcp                          medium         true
38846.0   Apache Range Remote Denial of Service                                               service-http                        medium         true

TUNED SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
2150.0    Fragmented ICMP Traffic                                                             atomic-ip                           informational  false
2151.0    Large ICMP Traffic                                                                  atomic-ip                           informational  false
2201.0    IGMP over fragmented IP                                                             atomic-ip                           low            false
2202.0    IGMP Invalid Packet DoS                                                             atomic-ip                           low            false
3051.0    TCP Connection Window Size RST DoS                                                  atomic-ip                           medium         false
3051.1    TCP Connection Window Size RST DoS                                                  atomic-ip                           medium         false
3143.3    BERBEW Trojan Activity                                                              atomic-ip                           medium         false
3143.4    BERBEW Trojan Activity                                                              atomic-ip                           medium         false
3301.0    NETBIOS Stat                                                                        atomic-ip                           low            false
3357.0    Invalid Netbios Name                                                                atomic-ip                           medium         false
4062.0    Cisco CSS 11000 Malformed UDP DoS                                                   atomic-ip                           medium         false
4068.0    DoS NBT Stream                                                                      atomic-ip                           low            false
4602.3    Beagle (Bagle) Virus DNS Lookup                                                     atomic-ip                           medium         false
4602.4    Beagle (Bagle) Virus DNS Lookup                                                     atomic-ip                           medium         false
4604.1    DHCP Request                                                                        atomic-ip                           informational  false
4605.1    DHCP Offer                                                                          atomic-ip                           informational  false
4607.6    Deep Throat Response                                                                atomic-ip                           high           false
4607.7    Deep Throat Response                                                                atomic-ip                           high           false
4607.8    Deep Throat Response                                                                atomic-ip                           high           false
4607.9    Deep Throat Response                                                                atomic-ip                           high           false
4609.1    Orinoco SNMP Info Leak                                                              atomic-ip                           medium         false
4610.1    Kerberos 4 User Recon                                                               atomic-ip                           low            false
4612.1    Cisco IP Phone TFTP Config Retrieve                                                 atomic-ip                           low            false
4615.2    Beagle.B (Bagle.B) Virus DNS Lookup                                                 atomic-ip                           medium         false
4615.3    Beagle.B (Bagle.B) Virus DNS Lookup                                                 atomic-ip                           medium         false
4704.0    MSSQL Resolution Service Heap Overflow                                              atomic-ip                           high           false
5337.0    Dot Dot Slash in HTTP Arguments                                                     service-http                        low            false
5506.0    Back Orifice Ping                                                                   atomic-ip                           medium         false
5506.1    Back Orifice Ping                                                                   atomic-ip                           medium         false
5509.0    Tftp Passwd File                                                                    atomic-ip                           high           false
5512.0    Cisco SNMP Message Processing DoS                                                   atomic-ip                           medium         false
5513.0    SNMP Community String Public                                                        atomic-ip                           high           false
5518.0    Quake Server Connect DoS                                                            atomic-ip                           medium         false
5530.0    DHCP Discover                                                                       atomic-ip                           informational  false
5534.2    KaZaA UDP Client Probe                                                              atomic-ip                           low            false
5535.0    Overnet Client Scan                                                                 atomic-ip                           low            false
5537.0    ICQ Client DNS Request                                                              atomic-ip                           informational  false
5538.0    AIM Client DNS request                                                              atomic-ip                           informational  false
5539.0    Yahoo Messenger Client DNS Request                                                  atomic-ip                           informational  false
5540.0    MSN Messenger Client DNS Request                                                    atomic-ip                           informational  false
5541.0    Modem DoS                                                                           atomic-ip                           low            false
5726.1    Active Directory Failed Login                                                       multi-string                        medium         false
7104.0    ARP MacAddress-Flip-Flop-Response                                                   atomic-arp                          informational  false
7105.0    ARP Inbalance-of-Requests                                                           atomic-arp                          informational  false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S590 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
38386.0   Cisco Intercompany Media Engine Denial of Service                                   multi-string                        medium         true
38386.1   Cisco Intercompany Media Engine Denial Of Service                                   multi-string                        medium         true

TUNED SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
18800.0   ASA WebVPN Cross Site Scripting                                                     string-tcp                          high           false
21359.0   Internet Explorer Uninitialized Memory Corruption Vulnerability                     string-tcp                          high           false
22820.0   Internet Authentication Service MS CHAPv2 Invalid Request                           meta                                high           false
22820.1   Internet Authentication Service MS CHAPv2 Invalid Request                           atomic-ip                           informational  false
22820.2   Internet Authentication Service MS CHAPv2 Invalid Request                           atomic-ip                           informational  false
22820.3   Internet Authentication Service MS CHAPv2 Invalid Request                           atomic-ip                           informational  false
23099.0   Obfuscated PDF Document                                                             multi-string                        high           false
23679.0   Adobe Download Manager ActiveX Buffer Overflow Vulnerability                        meta                                high           false
23679.1   Adobe Download Manager ActiveX Buffer Overflow Vulnerability                        string-tcp                          informational  false
26401.0   Microsoft Internet Explorer 8 XSS                                                   string-tcp                          low            false
32279.0   RealVNC Server ClientCutText Memory Corruption                                      string-tcp                          high           false
35846.0   Cisco CUCM Remote Code Execution                                                    string-tcp                          high           false
50013.0   BKDR_VANBOT                                                                         multi-string                        medium         false
50013.1   BKDR_VANBOT                                                                         multi-string                        medium         false
50013.3   BKDR_VANBOT                                                                         multi-string                        medium         false
50013.4   BKDR_VANBOT                                                                         multi-string                        medium         false
50013.5   BKDR_VANBOT                                                                         multi-string                        medium         false

CAVEATS
None.

Modified signature(s) detail: None.

=================================================================================================
S589 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
3110.0    Suspicious Mail Attachment                                                          state                               low            false
3124.0    Sendmail prescan Memory Corruption                                                  state                               high           false
3127.0    SMTP AUTH Brute Force Attempt                                                       state                               low            false
3128.0    Exchange xexch50 overflow                                                           state                               high           false
3143.0    BERBEW Trojan Activity                                                              string-tcp                          high           false
3601.0    IOS Command History Exploit                                                         state                               high           false
3883.0    Apache mod_proxy Buffer Overflow                                                    string-tcp                          high           false
5237.0    HTTP CONNECT Tunnel                                                                 string-tcp                          low            false
5488.0    Icecast Server HTTP Header Buffer Overflow                                          string-tcp                          high           false
5500.0    IE .asp File Execution                                                              string-tcp                          informational  false
5757.0    Microsoft Exchange Server Cross-Site Scripting                                      state                               medium         false
5878.0    VBE Object ID Buffer Overflow                                                       string-tcp                          high           false
5920.0    Apple Quicktime VRPanoSampleAtom Heap Overflow                                      string-tcp                          high           false
6771.0    Microsoft Windows WebDAV Mini Redirector                                            string-tcp                          high           false
6790.0    Outlook Web Access Privilege Escalation                                             state                               high           false
6790.1    Outlook Web Access Privilege Escalation                                             state                               high           false
7218.0    Lotus Notes Applix Graphics Overflow                                                state                               high           false
7220.0    Pidgin MSN Overflow                                                                 string-tcp                          high           false
15193.2   Waledac Trojan Activity                                                             string-tcp                          high           false
15253.0   Novell GroupWise Internet Agent RCPT Overflow                                       state                               high           false
16219.0   Mozilla Firefox XSL Parsing Remote Memory Corruption                                string-tcp                          high           false
18380.0   Novell GroupWise SMTP Buffer Overflow                                               state                               high           false
21179.0   Squid HTTP Data Processing Remote Denial of Service                                 string-tcp                          medium         false
21381.0   nginx URI Parsing Buffer Underflow                                                  string-tcp                          high           false
22519.2   HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow Vulnerability      string-tcp                          informational  false
22780.0   IBM Installation Manager iim:// URI Handling Code Execution                         string-tcp                          high           false
23679.2   Adobe Download Manager ActiveX Buffer Overflow Vulnerability                        string-tcp                          informational  false
23699.0   HP OpenView Network Node Manager Buffer Overflow                                    meta                                high           false
23699.1   HP OpenView Network Node Manager Buffer Overflow                                    service-http                        informational  false
23699.2   HP OpenView Network Node Manager Buffer Overflow                                    string-tcp                          informational  false
23860.0   Novell iPrint Client ienipp.ocx Remote Buffer Overflow                              meta                                high           false
23860.1   Novell iPrint Client ienipp.ocx Remote Buffer Overflow                              string-tcp                          informational  false
23860.2   Novell iPrint Client ienipp.ocx Remote Buffer Overflow                              string-tcp                          informational  false
26599.0   Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability            string-tcp                          high           false
29619.0   Heap Feng Shui Code                                                                 string-tcp                          high           false
32419.0   Novell GroupWise Internet Agent Buffer Overflow                                     state                               high           false
33379.0   Windows MHTML Protocol Handler Script Execution                                     string-tcp                          high           false
33419.1   Novell iPrint Client ienipp.ocx Arbitrary Code Execution                            meta                                high           false
33419.3   Novell iPrint Client ienipp.ocx Arbitrary Code Execution                            string-tcp                          informational  false
33819.0   Backdoor zwShell Command and Control                                                string-tcp                          high           false
34029.0   HP OpenView nnmRptConfig Remote Code Execution                                      meta                                high           false
34029.2   HP OpenView nnmRptConfig Remote Code Execution                                      string-tcp                          informational  false
35285.0   Lizamoon SQL Injection                                                              string-tcp                          high           false

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S588 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
38506.0   Microsoft Remote Desktop Web Access XSS                                             service-http                        medium         true
38526.0   Internet Explorer Style Object Memory Corruption                                    multi-string                        high           true
38606.0   Microsoft Chart Control Information Disclosure                                      service-http                        medium         true
38626.0   Microsoft Telnet Protocol Handler Remote Code Execution                             service-http                        high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
3150.0    FTP Remote Command Execution                                                        string-tcp                          informational  false
3151.0    FTP SYST Command Attempt                                                            string-tcp                          informational  false
3325.0    Samba call_trans2open Overflow                                                      string-tcp                          high           false
3343.0    Windows Account Locked                                                              string-tcp                          informational  false
3502.0    rlogin Activity                                                                     string-tcp                          informational  false
3578.0    IMAP Format String                                                                  string-tcp                          high           false
5420.0    IIS TRACK Requests                                                                  string-tcp                          low            false
5448.0    Blaster Worm                                                                        string-tcp                          medium         false
5449.0    Massacre Virus Attachment                                                           string-tcp                          medium         false
5450.0    Love Letter Worm Attachment                                                         string-tcp                          medium         false
5451.0    IIS WebDAV DoS                                                                      string-tcp                          medium         false
5497.0    SMTP BDAT Vulnerability                                                             string-tcp                          medium         false
5526.0    Telnet Environment Option Information Disclosure                                    string-tcp                          medium         false
5555.0    Cisco ONS Telnet DOS                                                                string-tcp                          medium         false
5566.0    Potential IE Cross Frame Scripting                                                  string-tcp                          informational  false
5630.0    Modbus TCP - Read Request to a PLC                                                  string-tcp                          informational  false
5631.0    Modbus TCP - Write Request to a PLC                                                 string-tcp                          informational  false
5632.0    Modbus TCP - Non-Modbus Communication                                               string-tcp                          informational  false
5632.1    Modbus TCP - Non-Modbus Communication                                               string-tcp                          informational  false
5652.0    FTP Directory Traversal                                                             string-tcp                          informational  false
5653.0    Cisco WLSE/HSE Default Username                                                     string-tcp                          high           false
5654.0    FTP Root Drive Access Attempt                                                       string-tcp                          medium         false
5663.0    NoOp Sled On HTTPS Port                                                             string-tcp                          high           false
5710.0    Eicar Standard Anti-Virus Test File                                                 string-tcp                          informational  false
5740.1    Kerio Personal Firewall Remote Authentication Buffer Overflow                       string-tcp                          high           false
6253.0    POP3 Authorization Failure                                                          string-tcp                          informational  false
6996.0    GDI+ BMP Integer Overflow                                                           string-tcp                          high           false
11025.0   IRC DCC File Transfer                                                               string-tcp                          informational  false
11200.0   Yahoo Messenger Activity                                                            string-tcp                          informational  false
11201.0   MSN Messenger Activity                                                              string-tcp                          informational  false
11202.0   AIM / ICQ Messenger Activity                                                        string-tcp                          informational  false
11204.0   Jabber Activity                                                                     string-tcp                          low            false
11213.0   AOL IM Login                                                                        string-tcp                          informational  false
11214.0   AOL IM Message Send                                                                 string-tcp                          informational  false
11215.0   AOL IM Message Receive                                                              string-tcp                          informational  false
11216.0   AOL IM Chat - User Join                                                             string-tcp                          informational  false
11217.0   Yahoo Messenger Logon                                                               string-tcp                          informational  false
11218.0   Yahoo Messenger Send Message                                                        string-tcp                          informational  false
11219.0   Yahoo Messenger Receive Message                                                     string-tcp                          informational  false
11221.0   Yahoo Messenger Chat Invitation Activity                                            string-tcp                          informational  false
11222.0   MSN Login                                                                           string-tcp                          informational  false
11223.0   MSN Message Sent                                                                    string-tcp                          informational  false
11224.0   MSN Message Received                                                                string-tcp                          informational  false
11225.0   MSN Chat Invitation Sent                                                            string-tcp                          informational  false
11226.0   MSN Chat Invitation Received                                                        string-tcp                          informational  false
11227.0   MSN Chat Invitation Accepted                                                        string-tcp                          informational  false
11228.0   MSN Chat Joined                                                                     string-tcp                          informational  false
11229.0   AOL IM Chat - User Leave                                                            string-tcp                          informational  false
11230.0   AOL IM Chat - Incoming Message                                                      string-tcp                          informational  false
11231.0   AOL IM Chat - Outgoing Message                                                      string-tcp                          informational  false
11232.0   AOL IM Chat - Create room                                                           string-tcp                          informational  false
11233.0   SSH Over Non-standard Ports                                                         string-tcp                          informational  false
11233.1   SSH Over Non-standard Ports                                                         string-tcp                          informational  false
11233.2   SSH Over Non-standard Ports                                                         string-tcp                          informational  false
11234.0   Jabber Logon                                                                        string-tcp                          informational  false
11235.0   MSN File Transfer Proposal Sent                                                     string-tcp                          informational  false
11236.0   MSN File Transfer Proposal Received                                                 string-tcp                          informational  false
11237.0   Jabber Chatroom Activity                                                            string-tcp                          informational  false
11238.0   MSNFTP File Transfer                                                                string-tcp                          informational  false

CAVEATS

None.

Modified signature(s) detail:
The following signatures have been retired for better memory usage:
    11219-0 Yahoo Messenger Receive Message
    11218-0 Yahoo Messenger Send Message
    11217-0 Yahoo Messenger Logon
    11216-0 AOL IM Chat - User Join
    11215-0 AOL IM Message Receive
    11214-0 AOL IM Message Send
    11213-0 AOL IM Login
    11204-0 Jabber Activity
    11202-0 AIM / ICQ Messenger Activity
    11201-0 MSN Messenger Activity
    11200-0 Yahoo Messenger Activity
    11025-0 IRC DCC File Transfer
    6996-0 GDI+ BMP Integer Overflow
    6253-0 POP3 Authorization Failure
    5740-1 Kerio Personal Firewall Remote Authentication Buffer Overflow
    5710-0 Eicar Standard Anti-Virus Test File
    5663-0 NoOp Sled On HTTPS Port
    5654-0 FTP Root Drive Access Attempt
    5653-0 Cisco WLSE/HSE Default Username
    11238-0 MSNFTP File Transfer
    11237-0 Jabber Chatroom Activity
    11236-0 MSN File Transfer Proposal Received
    11235-0 MSN File Transfer Proposal Sent
    Delete 11234-0 Jabber Logon
    Delete 11233-2 SSH Over Non-standard Ports
    Delete 11233-1 SSH Over Non-standard Ports
    Delete 11233-0 SSH Over Non-standard Ports
    Delete 11232-0 AOL IM Chat - Create room
    Delete 11231-0 AOL IM Chat - Outgoing Message
    Delete 11230-0 AOL IM Chat - Incoming Message
    Delete 11229-0 AOL IM Chat - User Leave
    Delete 11228-0 MSN Chat Joined
    Delete 11227-0 MSN Chat Invitation Accepted
    Delete 11226-0 MSN Chat Invitation Received
    Delete 11225-0 MSN Chat Invitation Sent
    Delete 11224-0 MSN Message Received
    Delete 11223-0 MSN Message Sent
    Delete 11222-0 MSN Login
    Delete 11221-0 Yahoo Messenger Chat Invitation Activity
    Delete 5652-0 FTP Directory Traversal
    Delete 5632-1 Modbus TCP - Non-Modbus Communication
    Delete 5632-0 Modbus TCP - Non-Modbus Communication
    Delete 5631-0 Modbus TCP - Write Request to a PLC
    Delete 5630-0 Modbus TCP - Read Request to a PLC
    Delete 5566-0 Potential IE Cross Frame Scripting
    Delete 5555-0 Cisco ONS Telnet DOS
    Delete 5526-0 Telnet Environment Option Information Disclosure
    Delete 5497-0 SMTP BDAT Vulnerability
    Delete 5451-0 IIS WebDAV DoS
    Delete 5450-0 Love Letter Worm Attachment
    Delete 5449-0 Massacre Virus Attachment
    Delete 5448-0 Blaster Worm
    Delete 5420-0 IIS TRACK Requests
    Delete 3578-0 IMAP Format String
    Delete 3502-0 rlogin Activity
    Delete 3343-0 Windows Account Locked
    Delete 3325-0 Samba call_trans2open Overflow
    Delete 3151-0 FTP SYST Command Attempt
    Delete 3150-0 FTP Remote Command Execution

=================================================================================================
S587 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                              SEVERITY       ENABLED
12628.2   Content Type image/jpeg Header Check                                                application-policy-enforcement-http low            false
12629.0   Content Type image/cgf Header Check                                                 application-policy-enforcement-http low            false
12629.1   Content Type image/cgf Invalid Message Length                                       application-policy-enforcement-http low            false
12631.0   Content Type image/x-xpm Header Check                                               application-policy-enforcement-http low            false
12631.1   Content Type image/x-xpm Invalid Message Length                                     application-policy-enforcement-http low            false
12633.0   Content Type audio/midi Header Check                                                application-policy-enforcement-http low            false
12633.1   Content Type audio/midi Invalid Message Length                                      application-policy-enforcement-http low            false
12634.0   Content Type audio/basic Header Check                                               application-policy-enforcement-http low            false
12634.1   Content Type audio/basic Invalid Message Length                                     application-policy-enforcement-http low            false
12635.0   Content Type audio/mpeg Header Check                                                application-policy-enforcement-http low            false
12635.1   Content Type audio/mpeg Invalid Message Length                                      application-policy-enforcement-http low            false
12636.0   Content Type audio/x-adpcm Header Check                                             application-policy-enforcement-http low            false
12636.1   Content Type audio/x-adpcm Invalid Message Length                                   application-policy-enforcement-http low            false
12637.0   Content Type audio/x-aiff Header Check                                              application-policy-enforcement-http low            false
12637.1   Content Type audio/x-aiff Invalid Message Length                                    application-policy-enforcement-http low            false
12648.0   Content Type video/flc Header Check                                                 application-policy-enforcement-http low            false
12648.1   Content Type video/flc Invalid Message Length                                       application-policy-enforcement-http low            false
12649.0   Content Type video/mpeg Header Check                                                application-policy-enforcement-http low            false
12649.1   Content Type video/mpeg Invalid Message Length                                      application-policy-enforcement-http low            false
12650.0   Content Type text/xmcd Header Check                                                 application-policy-enforcement-http low            false
12650.1   Content Type text/xmcd Invalid Message Length                                       application-policy-enforcement-http low            false
12651.0   Content Type video/quicktime Header Check                                           application-policy-enforcement-http low            false
12651.1   Content Type video/quicktime Invalid Message Length                                 application-policy-enforcement-http low            false
12652.0   Content Type video/sgi Header Check                                                 application-policy-enforcement-http low            false
12652.1   Content Type video/sgi Invalid Message Length                                       application-policy-enforcement-http low            false
12653.0   Content Type video/x-avi Header Check                                               application-policy-enforcement-http low            false
12653.1   Content Type video/x-avi Invalid Message Length                                     application-policy-enforcement-http low            false
12654.0   Content Type video/x-fli Header Check                                               application-policy-enforcement-http low            false
12654.1   Content Type video/x-fli Invalid Message Length                                     application-policy-enforcement-http low            false
12664.0   Content Type application/x-gzip Header Check                                        application-policy-enforcement-http low            false
12664.1   Content Type application/x-gzip Invalid Message Length                              application-policy-enforcement-http low            false
12665.0   Content Type application/x-java-archive Header Check                                application-policy-enforcement-http low            false
12665.1   Content Type application/x-java-archive Invalid Message Length                      application-policy-enforcement-http low            false
12666.0   Content Type application/x-java-vm Header Check                                     application-policy-enforcement-http low            false
12666.1   Content Type application/x-java-vm Invalid Message Length                           application-policy-enforcement-http low            false
12667.0   Content Type application/pdf Header Check                                           application-policy-enforcement-http low            false
12667.1   Content Type application/pdf Invalid Message Length                                 application-policy-enforcement-http low            false
12668.0   Content Type unknown Header Check                                                   application-policy-enforcement-http low            false
12668.1   Content Type unknown Invalid Message Length                                         application-policy-enforcement-http low            false
12669.0   Content Type image/x-bitmap Header Check                                            application-policy-enforcement-http low            false
12669.1   Content Type image/x-bitmap Invalid Message Length                                  application-policy-enforcement-http low            false
12674.0   Alarm on non-http traffic                                                           application-policy-enforcement-http low            false
12675.0   Yahoo Messenger                                                                     application-policy-enforcement-http low            false
12677.0   Define Request Method Allowed PUT                                                   application-policy-enforcement-http low            false
12678.0   Define Request Method CONNECT                                                       application-policy-enforcement-http low            false
12679.0   Define Request Method DELETE                                                        application-policy-enforcement-http low            false
12680.0   Define Request Method GET                                                           application-policy-enforcement-http low            false
33860.0   Cisco TelePresence Multipoint Switch Java Servlet Access                            service-http                        high           false
33860.1   Cisco TelePresence Multipoint Switch Java Servlet Access                            service-http                        high           false

CAVEATS

None.

Modified signature(s) detail: All of the tuned signatures listed above have been retired.
=================================================================================================
S586 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
6735.1   Microsoft Internet Explorer HHCtrl.ocx Buffer Overflow    multi-string                         high           false
7258.1   SMB Remote Code Execution                                 string-tcp                           high           false

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
5840.0   Internet Explorer CLSID Code Execution                    string-tcp                           high           false
5925.0   Internet Explorer HTML Object Memory Corruption           string-tcp                           high           true
5930.3   Generic SQL Injection                                     service-http                         high           true
6064.0   BIND Large OPT Record DoS                                 service-dns                          low            false
6079.0   ACDSee Products XPM Vulnerability                         string-tcp                           high           false
6095.0   Apache apr-util IPv6 URI Parsing Vulnerability            service-http                         high           false
6186.0   RIS Data Collector Heap Overflow                          string-tcp                           high           true
6212.0   IE HTML Tag Memory Corruption                             string-tcp                           high           false
6217.0   eDirectory iMonitor NDS Server Buffer Overflow            service-http                         high           false
6259.0   HP Linux Printing And Imaging hpssd Command Injection     string-tcp                           high           true
6260.0   VERITAS Storage Foundation Administrator Buffer Overflow  atomic-ip                            high           false
6994.0   Cisco Secure ACS EAP Overflow                             service-generic                      high           false
12681.0  Define Request Method HEAD                                application-policy-enforcement-http  low            false
12682.0  define-request-method OPTIONS                             application-policy-enforcement-http  low            false
12683.0  Define Request Method POST                                application-policy-enforcement-http  low            false
12685.0  Define Request Method TRACE                               application-policy-enforcement-http  low            false
12687.0  Define Tranfer-Encoding deflate                           application-policy-enforcement-http  low            false
12688.0  Define Tranfer-Encoding Identity                          application-policy-enforcement-http  low            false
12689.0  Define Tranfer-Encoding Compress                          application-policy-enforcement-http  low            false
12690.0  Define Tranfer-Encoding Gzip                              application-policy-enforcement-http  low            false
12693.0  Define Tranfer-Encoding Chunked                           application-policy-enforcement-http  low            false
12694.0  Chunked Tranfer Encoding Error                            application-policy-enforcement-http  low            false
12695.0  Define Request Method Index                               application-policy-enforcement-http  low            false
12696.0  Define Request Method Move                                application-policy-enforcement-http  low            false
12697.0  Define Request Method mkdir                               application-policy-enforcement-http  low            false
12698.0  Define Request Method copy                                application-policy-enforcement-http  low            false
12699.0  Define Request Method EDIT                                application-policy-enforcement-http  low            false
12700.0  Define Request Method UNEDIT                              application-policy-enforcement-http  low            false
12701.0  Define Request Method SAVE                                application-policy-enforcement-http  low            false
12702.0  Define Request Method Lock                                application-policy-enforcement-http  low            false
12703.0  Define Request Method UNLOCK                              application-policy-enforcement-http  low            false
12704.0  Define Request Method REVLABEL                            application-policy-enforcement-http  low            false

CAVEATS
None.

Modified signature(s) detail: None.

=================================================================================================
S585 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
1742.0   IPv6 No Next Header Option Present                        atomic-ip-advanced                   informational  false
5674.1   Snort Back Orifice Preprocessor Overflow                  meta                                 high           false

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
5107.0   WWW Mandrake Linux /perl Access                           service-http                         low            false
5110.0   WWW SuSE Installed Packages Access                        service-http                         informational  false
5111.0   WWW Solaris Answerbook 2 Access                           service-http                         low            false
5112.0   WWW Solaris Answerbook 2 Attack                           service-http                         medium         false
5113.0   WWW CommuniGate Pro Access                                service-http                         low            false
5114.9   WWW IIS Unicode Attack                                    string-tcp                           high           false
5117.0   phpGroupWare Remote Command Exec                          service-http                         high           false
5151.0   WebStore Admin Bypass                                     service-http                         medium         false
5232.1   URL with XSS                                              service-http                         high           false
5291.0   WEB-INF Dot File Disclosure                               service-http                         informational  false
5334.0   DB4Web File Disclosure                                    service-http                         medium         false
5377.0   HTTP args to xp_cmdshell in HTTP Request                  service-http                         high           true
5417.0   IE Object Tag Overflow                                    string-tcp                           high           false
5474.0   SQL Query in HTTP Request                                 service-http                         low            true
5525.0   Outlook Express Overflow                                  string-tcp                           high           false
5534.0   KaZaA UDP Client Probe                                    atomic-ip                            low            true
5545.0   HTTP Request Smuggling Attempt                            service-http                         low            false
5580.0   SMB Remote Lsarpc Service Access Attempt                  service-smb-advanced                 informational  true
5685.0   WebBBS Command Execution Vulnerability                    service-http                         high           false
5692.0   Macromedia Flash Overflow                                 string-tcp                           high           false
5708.0   SWAT Pre-Authentication Buffer Overflow                   service-http                         high           false
5763.0   Wireless Control System Cross Server Site Scripting       service-http                         high           true
5771.0   Winny Activity                                            service-http                         low            true

CAVEATS
None.

Modified signature(s) detail: None.

=================================================================================================
S584 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
There are no new signatures for this release.

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
12638.0  Content Type audio/x-ogg Header Check                     application-policy-enforcement-http  low            false
12638.1  Content Type audio/x-ogg Invalid Message Length           application-policy-enforcement-http  low            false
12638.2  Content Type audio/x-ogg Header Check                     application-policy-enforcement-http  low            false
12639.0  Content Type audio/x-wav Header Check                     application-policy-enforcement-http  low            false
12639.1  Content Type audio/x-wav Invalid Message Length           application-policy-enforcement-http  low            false
12639.2  Content Type audio/x-wav Header Check                     application-policy-enforcement-http  low            false
12641.0  Content Type text/html Header Check                       application-policy-enforcement-http  low            false
12641.1  Content Type text/html Invalid Message Length             application-policy-enforcement-http  low            false
12641.2  Content Type text/html Header Check                       application-policy-enforcement-http  low            false
12642.0  Content Type text/css Header Check                        application-policy-enforcement-http  low            false
12642.1  Content Type text/css Invalid Message Length              application-policy-enforcement-http  low            false
12643.0  Content Type text/plain Header Check                      application-policy-enforcement-http  low            false
12643.1  Content Type text/plain Invalid Message Length            application-policy-enforcement-http  low            false
12644.0  Content Type text/richtext Header Check                   application-policy-enforcement-http  low            false
12644.1  Content Type text/richtext Invalid Message Length         application-policy-enforcement-http  low            false
12645.0  Content Type text/sgml header Check                       application-policy-enforcement-http  low            false
12645.1  Content Type text/sgml Invalid Message Length             application-policy-enforcement-http  low            false
12645.2  Content Type text/sgml header Check                       application-policy-enforcement-http  low            false
12646.0  Content Type text/xml Header Check                        application-policy-enforcement-http  low            false
12646.1  Content Type text/xml Invalid Message Length              application-policy-enforcement-http  low            false

CAVEATS
None.

Modified signature(s) detail: The following signatures have been retired: 12646-1, 12646-0, 12645-2, 12645-1, 12645-0, 12644-1, 12644-0, 12643-1, 12643-0, 12642-1, 12642-0, 12641-2, 12641-1, 12641-0, 12639-2, 12639-1, 12639-0, 12638-2, 12638-1 and 12638-0

=================================================================================================
S583 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
There are no new signatures for this release.
TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
5389.0   WebAdmin Long User Name Logon Buffer Overflow             service-http                         high           false
12621.0  Content Type image/gif Header Check                       application-policy-enforcement-http  low            false
12621.1  Content Type image/gif Invalid Message Length             application-policy-enforcement-http  low            false
12621.2  Content Type image/gif Header Check                       application-policy-enforcement-http  low            false
12622.0  Content Type image/png Header Check                       application-policy-enforcement-http  low            false
12622.1  Content Type image/png Invalid Message Length             application-policy-enforcement-http  low            false
12622.2  Content Type image/png Header Check                       application-policy-enforcement-http  low            false
12623.0  Content Type image/tiff Header Check                      application-policy-enforcement-http  low            false
12623.1  Content Type image/tiff Invalid Message Length            application-policy-enforcement-http  low            false
12623.2  Content Type image/tiff Header Check                      application-policy-enforcement-http  low            false
12624.0  Content Type image/x-3ds Header Check                     application-policy-enforcement-http  low            false
12624.1  Content Type image/x-3ds Invalid Message Length           application-policy-enforcement-http  low            false
12624.2  Content Type image/x-3ds Header Check                     application-policy-enforcement-http  low            false
12626.0  Content Type image/x-portable-bitmap Header Check         application-policy-enforcement-http  low            false
12626.1  Content Type image/x-portable-bitmap Invalid Message Length  application-policy-enforcement-http  low            false
12626.2  Content Type image/x-portable-bitmap Header Check         application-policy-enforcement-http  low            false
12627.0  Content Type image/x-portable-graymap Header Check        application-policy-enforcement-http  low            false
12627.1  Content Type image/x-portable-graymap Invalid Message Length  application-policy-enforcement-http  low            false
12627.2  Content Type image/x-portable-graymap Header Check        application-policy-enforcement-http  low            false
12628.0  Content Type image/jpeg Header Check                      application-policy-enforcement-http  low            false
12628.1  Content Type image/jpeg Invalid Message Length            application-policy-enforcement-http  low            false
12655.0  Content Type video/x-mng Header Check                     application-policy-enforcement-http  low            false
12655.1  Content Type video/x-mng Invalid Message Length           application-policy-enforcement-http  low            false
12655.2  Content Type video/x-mng Header Check                     application-policy-enforcement-http  low            false
12656.0  Content Type video/x-msvideo Header Check                 application-policy-enforcement-http  low            false
12656.1  Content Type video/x-msvideo Invalid Message Length       application-policy-enforcement-http  low            false
12656.2  Content Type video/x-msvideo Header Check                 application-policy-enforcement-http  low            false
12658.0  Content Type application/msword Header Check              application-policy-enforcement-http  low            false
12658.1  Content Type application/msword Invalid Message Length    application-policy-enforcement-http  low            false
12659.0  Content Type application/octet-stream Header Check        application-policy-enforcement-http  low            false
12659.1  Content Type application/octet-stream Invalid Message Length  application-policy-enforcement-http  low            false
12660.0  Content Type application/postscript Header Check          application-policy-enforcement-http  low            false
12660.1  Content Type application/postscript Header Check          application-policy-enforcement-http  low            false
12660.2  Content Type application/postscript Header Check          application-policy-enforcement-http  low            false
12661.0  Content Type application/vnd.ms-excel Header Check        application-policy-enforcement-http  low            false
12661.1  Content Type application/vnd.ms-excel Invalid Message Length  application-policy-enforcement-http  low            false
12662.0  Content Type application/vnd.ms-powerpoint Header Check   application-policy-enforcement-http  low            false
12662.1  Content Type application/vnd.ms-powerpoint Invalid Message Length  application-policy-enforcement-http  low            false
12663.0  Content Type application/zip Header Check                 application-policy-enforcement-http  low            false
12663.1  Content Type application/zip Invalid Message Length       application-policy-enforcement-http  low            false
12663.2  Content Type application/zip Header Check                 application-policy-enforcement-http  low            false

CAVEATS
None.

Modified signature(s) detail: The following signatures have been retired: 12628-1, 12628-0, 12627-2, 12627-1, 12627-0, 12626-2, 12626-1, 12626-0, 12624-2, 12624-1, 12624-0, 12623-2, 12623-1, 12623-0, 12622-2, 12622-1, 12622-0, 12621-2, 12621-1, 12621-0, 12663-2, 12663-1, 12663-0, 12662-1, 12662-0, 12661-1, 12661-0, 12660-2, 12660-1, 12660-0, 12659-1, 12659-0, 12658-1, 12658-0, 12656-2, 12656-1, 12656-0, 12655-2, 12655-1, 5389-0 and 12655-0

=================================================================================================
S582 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
15693.0  OneSwarm Client Activity                                  atomic-ip                            informational  false
15693.1  OneSwarm Client Activity                                  service-http                         informational  false
35968.0  Apple iTunes Remote Buffer Overflow                       meta                                 high           false
35968.1  Apple iTunes Remote Buffer Overflow                       string-tcp                           informational  false
35968.2  Apple iTunes Remote Buffer Overflow                       string-tcp                           informational  false
36406.0  RealPlayer AVI Processing Arbitrary Code Execution        multi-string                         high           true
36449.0  Realtek Media Player Playlist File Remote Code Execution  string-tcp                           high           false

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
1604.0   ICMPv6 option type 4 violation                            atomic-ip-v6                         medium         false
1606.0   ICMPv6 short option data                                  atomic-ip-v6                         medium         false
5633.0   .HTR Source View                                          service-http                         low            false
5726.0   Active Directory Failed Login                             multi-string                         medium         false
11252.1  AIM Express Activity                                      service-http                         informational  false
12000.0  Gator Spyware Beacon                                      service-http                         low            false
12007.0  GameSpy Activity                                          service-http                         low            false
12012.0  Purityscan Activity                                       service-http                         low            false
12027.0  Cart32 Expdate                                            service-http                         medium         false
50013.2  BKDR_VANBOT                                               multi-string                         medium         false

CAVEATS
None.
Modified signature(s) detail: The following signatures have been retired: 50013-2, 12027-0, 12012-0, 12007-0, 12000-0, 11252-1, 5726-0, 5633-0, 1606-0 and 1604-0

=================================================================================================
S581 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
5954.0   ePolicy Orchestrator SiteManager ActiveX Buffer Overflow  meta                                 high           false
5954.1   ePolicy Orchestrator SiteManager ActiveX Buffer Overflow  string-tcp                           informational  false
5954.2   ePolicy Orchestrator SiteManager ActiveX Buffer Overflow  string-tcp                           informational  false
26699.0  AOL Radio AmpX ActiveX Control ConvertFile Buffer Overflow Vulnerability  meta                 high           false
26699.1  AOL Radio AmpX ActiveX Control ConvertFile Buffer Overflow Vulnerability  string-tcp           informational  false

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
3220.0   IIS Long URL Attack                                       service-http                         informational  false
5055.0   HTTP Basic Authentication Overflow                        service-http                         high           false
5183.0   PHP File Inclusion Remote Exec                            service-http                         informational  false
5256.0   Dot Dot Slash in URI                                      service-http                         low            false
6005.0   Unencrypted SSL Traffic                                   service-http                         low            false
11024.0  Imesh Client Activity                                     service-http                         low            false
11211.0  MSN Messenger Through HTTP Proxy                          service-http                         informational  false
11211.1  MSN Messenger Through HTTP Proxy                          service-http                         informational  false
11212.0  Yahoo Messenger Through HTTP Proxy                        service-http                         informational  false
11248.0  Gadu-Gadu Login                                           service-http                         informational  false
11251.0  Skype Client Activity                                     service-http                         informational  false
11252.0  AIM Express Activity                                      service-http                         informational  false

CAVEATS
None.
Modified signature(s) detail: The following signatures have been retired: 11252-0, 11251-0, 11248-0, 11212-0, 11211-1, 11211-0, 11024-0, 6005-0, 5256-0, 5183-0, 5055-0 and 3220-0

=================================================================================================
S580 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
38247.0  Cisco Content Services Gateway Denial of Service          atomic-ip                            medium         true

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
6210.0   LPR Format String Overflow                                state                                high           false
6792.0   SQL Memory Corruption Vulnerability                       service-http                         high           true

CAVEATS
None.

Modified signature(s) detail: Signature 6210-0 has been retired. Signature 6792-0 has been tuned for performance.

=================================================================================================
S579 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
There are no new signatures for this release.

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
2200.0   Invalid IGMP Header DoS                                   service-generic                      high           false
3302.0   NBT NetBios Session Service Failed Login                  service-smb                          informational  false
3304.0   SMB NULL login attempt                                    service-smb                          informational  false
3311.0   SMB Remote SAM Service Access Attempt                     service-smb                          informational  false
3312.0   SMB .eml email file remote access                         service-smb                          informational  false
3323.0   SMB: RFPoison Attack                                      service-smb                          high           false
3348.0   NetBIOS Disk Enumerations                                 service-smb                          informational  false
3349.0   NetBIOS Date And Time Enumerations                        service-smb                          informational  false
3350.0   NetBIOS Transport Enumerations                            service-smb                          informational  false
3351.0   NetBIOS User Session Enumerations                         service-smb                          informational  false
4512.0   SNMP Community String Public                              service-snmp                         low            false
4516.0   SNMP Printer Query DoS                                    service-snmp                         medium         false
6003.0   SNMP Community String Private                             service-snmp                         low            false
6053.0   DNS Request for All Records                               service-dns                          informational  false
6053.1   DNS Request for All Records                               service-dns                          informational  false
6066.0   DNS Tunneling                                             service-dns                          medium         false
6152.0   yppasswdd Portmap Request                                 service-rpc                          informational  false
6152.1   yppasswdd Portmap Request                                 service-rpc                          informational  false
6155.0   mountd Portmap Request                                    service-rpc                          low            false
6155.1   mountd Portmap Request                                    service-rpc                          low            false
7202.0   UDP eDonkey Activity                                      service-p2p                          low            false

CAVEATS
None.

Modified signature(s) detail: The following signatures have been retired: 7202-0, 6155-1, 6155-0, 6152-1, 6152-0, 6066-0, 6053-1, 6053-0, 6003-0, 4516-0, 4512-0, 3351-0, 3350-0, 3349-0, 3348-0, 3323-0, 3312-0, 3311-0, 3304-0, 3302-0 and 2200-0

=================================================================================================
S578 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
There are no new signatures for this release.

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
6000.0   Oracle Server Reports Command Execution                   service-http                         high           false
6022.0   WebSphere J_Username Buffer Overflow                      service-http                         high           false
15017.0  Oracle Secure Backup Login.php Command Injection          service-http                         high           true
15275.0  SpamAssassin Spamd Remote Command Execution               string-tcp                           high           false
22820.0  Internet Authentication Service MS CHAPv2 Invalid Request  meta                                high           true
22820.1  Internet Authentication Service MS CHAPv2 Invalid Request  atomic-ip                           informational  true
22820.2  Internet Authentication Service MS CHAPv2 Invalid Request  atomic-ip                           informational  true
22820.3  Internet Authentication Service MS CHAPv2 Invalid Request  atomic-ip                           informational  true
23019.0  MySQL Mysql_Log Format String                             string-tcp                           medium         false
36486.0  Cisco CDS Internet Streamer Web Server Vulnerability      string-tcp                           high           false

CAVEATS
None.

Modified signature(s) detail: Signatures 23019-0 and 36486-0 have been retired.
The following signatures have been modified to improve coverage: 6022-0, 6000-0, 15017-0, 15275-0, 22820-0, 22820-1, 22820-2 and 22820-3

=================================================================================================
S577 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
16173.0  Sun Java Web Start JNLP java-vm-args Heap Buffer Overflow  string-tcp                          high           true
16175.0  Oracle Database Server DBMS_AQELM Package Buffer Overflow  string-tcp                          high           true
22759.1  Microsoft Internet Explorer Memory Corruption Vulnerability  string-tcp                        high           false
24864.0  Microsoft DNS Server Cache Poisoning                      meta                                 high           true
24864.1  Microsoft DNS Server Cache Poisoning                      atomic-ip                            informational  true
24864.2  Microsoft DNS Server Cache Poisoning                      atomic-ip                            informational  true
30879.0  Oracle Internet Directory Denial Of Service               string-tcp                           high           false
31039.0  HP Operations Manager for Windows Remote File Access      service-http                         high           false
31040.0  HP Power Manager Server Buffer Overflow                   service-http                         high           true
31259.0  Solaris sadmind RPC Integer Overflow                      service-rpc                          high           false
31299.0  CA eTrust Secure Content Manager FTP PASV Stack Overflow  string-tcp                           high           false
31319.0  Apache Struts2 Remote Command Execution                   service-http                         high           true
31899.0  MIT Kerberos KDC Authentication Denial Of Service         atomic-ip                            medium         true
32059.0  Novell GroupWise Agent HTTP Remote Code Execution         service-http                         high           true
32279.0  RealVNC Server ClientCutText Memory Corruption            string-tcp                           high           true
32639.0  Powerpoint File Path Processing Buffer Overflow           string-tcp                           high           false
32860.0  Oracle Network Authentication Buffer Overflow             service-tns                          high           false
32879.0  ProFTPD TELNET IAC Stack Buffer Overflow                  string-tcp                           high           true
33419.0  Novell iPrint Client ienipp.ocx Arbitrary Code Execution  meta                                 high           true
33419.1  Novell iPrint Client ienipp.ocx Arbitrary Code Execution  meta                                 high           true
33419.2  Novell iPrint Client ienipp.ocx Arbitrary Code Execution  string-tcp                           informational  true
33419.3  Novell iPrint Client ienipp.ocx Arbitrary Code Execution  string-tcp                           informational  true

TUNED SIGNATURES
There are no tuned signatures for this release.

CAVEATS
None.

Modified signature(s) detail: None.

=================================================================================================
S576 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
36606.0  Cisco IOS ICMPv6 Fingerprinting Vulnerability             atomic-ip-advanced                   low            true

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
12920.0  Define ftp command rest                                   application-policy-enforcement-ftp   low            false
12921.0  Define ftp command retr                                   application-policy-enforcement-ftp   low            false
12922.0  Define ftp command rmd                                    application-policy-enforcement-ftp   low            false
12923.0  Define ftp command rnfr                                   application-policy-enforcement-ftp   low            false
12924.0  Define ftp command rnto                                   application-policy-enforcement-ftp   low            false
12925.0  Define ftp command site                                   application-policy-enforcement-ftp   low            false
12926.0  Define ftp command smnt                                   application-policy-enforcement-ftp   low            false
12927.0  Define ftp command stat                                   application-policy-enforcement-ftp   low            false
12928.0  Define ftp command stor                                   application-policy-enforcement-ftp   low            false
12929.0  Define ftp command stou                                   application-policy-enforcement-ftp   low            false
12930.0  Define ftp command stru                                   application-policy-enforcement-ftp   low            false
12931.0  Define ftp command syst                                   application-policy-enforcement-ftp   low            false
12932.0  Define ftp command type                                   application-policy-enforcement-ftp   low            false

CAVEATS
None.
Modified signature(s) detail: The following signatures have been retired:
12932-0  Define ftp command type
12931-0  Define ftp command syst
12930-0  Define ftp command stru
12929-0  Define ftp command stou
12928-0  Define ftp command stor
12927-0  Define ftp command stat
12926-0  Define ftp command smnt
12925-0  Define ftp command site
12924-0  Define ftp command rnto
12923-0  Define ftp command rnfr
12922-0  Define ftp command rmd
12921-0  Define ftp command retr
12920-0  Define ftp command rest

=================================================================================================
S575 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
37946.0  Internet Explorer Use After Free Vulnerability            multi-string                         high           true
37986.0  XMPP Server XML DTD Vulnerability                         multi-string                         medium         true

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
12900.0  Unrecognized ftp command                                  application-policy-enforcement-ftp   low            false
12901.0  Define ftp command abor                                   application-policy-enforcement-ftp   low            false
12902.0  Define ftp command acct                                   application-policy-enforcement-ftp   low            false
12903.0  Define ftp command allo                                   application-policy-enforcement-ftp   low            false
12904.0  Define ftp command appe                                   application-policy-enforcement-ftp   low            false
12905.0  Define ftp command cdup                                   application-policy-enforcement-ftp   low            false
12906.0  Define ftp command cwd                                    application-policy-enforcement-ftp   low            false
12907.0  Define ftp command dele                                   application-policy-enforcement-ftp   low            false
12908.0  Define ftp command help                                   application-policy-enforcement-ftp   low            false
12909.0  Define ftp command list                                   application-policy-enforcement-ftp   low            false

CAVEATS
None.

Modified signature(s) detail: None.
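The "Modified signature(s) detail" notes in these sections are the only record of what each update retires, and the NEW SIGNATURES tables are the only record of what a new signature does by default. Two things an operator wants to know before pushing an update to an inline sensor are which signatures stop firing (a retired signature is no longer compiled, so any event-action override or custom tuning that relies on it is silently dead) and which new signatures arrive enabled at high severity (new alerts, and with a deny action possibly new drops, from the moment the update is applied). The following Python script is an added example, not Cisco tooling and not part of these release notes: it parses one "Sxxx SIGNATURE UPDATE DETAILS" section in the row layout used here (SIGID, free-text SIGNAME, then single-token ENGINE, SEVERITY and ENABLED) and copes with the three phrasings of the retirement note that occur in this document. The two embedded sample sections are constructed from the S580 and S566 entries of this document; everything else (function names, the report keys) is the example's own.

```python
"""Pre-deployment review of one Cisco IPS signature-update section.

Added example; assumes the plain-text layout used in these release notes:
  SIGID  SIGNAME  ENGINE  SEVERITY  ENABLED   (SIGNAME may contain spaces)
and retired ids written NNNN-N in the "Modified signature(s) detail" note.
"""
import re
from dataclasses import dataclass

ROW_RE = re.compile(
    r"^(?P<sigid>\d+\.\d+)\s+(?P<name>.+?)\s+(?P<engine>\S+)\s+"
    r"(?P<severity>informational|low|medium|high)\s+(?P<enabled>true|false)\s*$"
)
ID_RE = re.compile(r"\b(\d+)-(\d+)\b")  # 6210-0 in prose is 6210.0 in the table


@dataclass(frozen=True)
class Signature:
    sigid: str
    name: str
    engine: str
    severity: str
    enabled: bool


def parse_section(text):
    """Return (new, tuned, detail): Signature lists for the two tables plus
    the 'Modified signature(s) detail' note joined into one string."""
    new, tuned, detail = [], [], []
    bucket = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("NEW SIGNATURES"):
            bucket = new
        elif line.startswith("TUNED SIGNATURES"):
            bucket = tuned
        elif line.startswith("CAVEATS"):
            bucket = None
        elif line.startswith("Modified signature(s) detail:"):
            bucket = detail
            line = line[len("Modified signature(s) detail:"):]
        if bucket is detail:
            detail.append(line)
            continue
        m = ROW_RE.match(line)
        if m and bucket is not None:  # header rows and prose never match ROW_RE
            g = m.groupdict()
            bucket.append(Signature(g["sigid"], g["name"], g["engine"],
                                    g["severity"], g["enabled"] == "true"))
    return new, tuned, " ".join(detail).strip()


def retired_ids(detail, known):
    """Set of retired sigids ('NNNN.N') named in a detail note.

    Phrasings seen in the notes: 'The following signatures have been
    retired: 7202-0, 6155-1 and 6155-0' (ids after the colon), 'Signature
    6210-0 has been retired.' (ids before the verb), and 'All the
    signatures were retired.' (every id listed in the section, passed in
    as `known`)."""
    if re.search(r"\ball the signatures(?: listed above)? were retired\b", detail, re.I):
        return set(known)
    found = set()
    for m in re.finditer(r"\bretired\b", detail):
        after = detail[m.end():].lstrip()
        if after.startswith(":"):
            # list form: ids run until the next sentence begins
            chunk = re.split(r"\.\s+(?=[A-Z])", after[1:], maxsplit=1)[0]
        else:
            # inline form: ids sit in the clause that precedes 'retired'
            chunk = detail[:m.start()].rsplit(". ", 1)[-1]
        found.update(f"{a}.{b}" for a, b in ID_RE.findall(chunk))
    return found


def review(section_text):
    """Summary an operator checks before applying the update."""
    new, tuned, detail = parse_section(section_text)
    by_id = {s.sigid: s for s in new + tuned}
    retired = retired_ids(detail, by_id)
    return {
        "retired": sorted(retired),
        # retired ids whose row still shows enabled=true: coverage about to vanish
        "retired_was_enabled": sorted(i for i in retired if i in by_id and by_id[i].enabled),
        # new signatures that alert (and inline may deny) immediately after install
        "new_high_enabled": sorted(s.sigid for s in new if s.enabled and s.severity == "high"),
    }


# Constructed samples, copied from the S580 and S566 sections of these notes.
S580 = """S580 SIGNATURE UPDATE DETAILS
NEW SIGNATURES
SIGID    SIGNAME                                           ENGINE        SEVERITY  ENABLED
38247.0  Cisco Content Services Gateway Denial of Service  atomic-ip     medium    true
TUNED SIGNATURES
6210.0   LPR Format String Overflow                        state         high      false
6792.0   SQL Memory Corruption Vulnerability               service-http  high      true
CAVEATS
None.
Modified signature(s) detail: Signature 6210-0 has been retired. Signature 6792-0 has been tuned for performance.
"""

S566 = """S566 SIGNATURE UPDATE DETAILS
NEW SIGNATURES
29619.0  Heap Feng Shui Code                          string-tcp     high           true
30040.0  CA ARCserve Backup Message Engine Denial of Service Vulnerability  service-msrpc  medium  true
30260.0  Apple QuickTime QTPlugin Code Execution      meta           high           true
30260.1  Apple QuickTime QTPlugin Code Execution      string-tcp     informational  true
TUNED SIGNATURES
6094.0   Nullsoft Winamp M3U Remote Buffer Overflow   string-tcp     high           false
16095.0  Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow  string-tcp  medium  false
CAVEATS
None.
Modified signature(s) detail: The following signatures have been fixed for reported failures by modifying regexes or changing service directions: 6094-0 Nullsoft Winamp M3U Remote Buffer Overflow The following signature was retired: 16095-0 Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow
"""

if __name__ == "__main__":
    for sample in (S580, S566):
        print(sample.splitlines()[0], review(sample))
```

Running the script prints, for S580, retired 6210.0 and no new high-severity enabled signatures, and for S566, retired 16095.0 plus 29619.0 and 30260.0 as new high-severity signatures that are on by default (30260.1 is informational and is excluded). Feed it the corresponding section of the sensor's currently installed level as well and the two reports, diffed, are the change list to review against your event-action overrides.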
=================================================================================================
S574 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
37486.0  Microsoft OLE Automation Underflow                        multi-string                         high           true
37526.0  Microsoft Server Message Parsing Vulnerability            multi-string                         high           true
37546.0  Microsoft MHTML Mime Format Vulnerability                 string-tcp                           medium         true
37566.0  Visual Studio Information Leak                            string-tcp                           low            true
37606.0  SMB Request Parsing Vulnerability                         multi-string                         medium         true
37626.0  Microsoft Internet Explorer Memory Corruption Vulnerability  string-tcp                        high           true
37666.0  Microsoft Internet Explorer Vulnerability                 multi-string                         high           true
37686.0  Microsoft Internet Explorer Memory Corruption Vulnerability  multi-string                      high           true
37687.0  Microsoft Internet Explorer Vulnerability                 multi-string                         high           false
37726.0  Microsoft Internet Explorer Memory Corruption Vulnerability  string-tcp                        high           true

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
37346.0  Cisco AnyConnect VPN Client Arbitrary Program Execution   string-tcp                           high           true

CAVEATS
None.

Modified signature(s) detail: Signature 37346-0 has been modified to improve coverage.
=================================================================================================
S573 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
32419.0  Novell GroupWise Internet Agent Buffer Overflow           state                                high           true
32459.0  Novell eDirectory Accept-Language Value Handling Buffer Overflow  string-tcp                   high           false
32959.0  HP OpenView Network Node Manager ovalarmsrv.exe Remote Code Execution  string-tcp              high           false
32980.0  HP OpenView Network Node Manager rping Stack Overflow     meta                                 high           true
32980.1  HP OpenView Network Node Manager rping Stack Overflow     service-http                         informational  true
32980.2  HP OpenView Network Node Manager rping Stack Overflow     string-tcp                           informational  true

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
3010.0   TCP High Port Sweep                                       sweep                                low            false
3109.0   Long SMTP Command                                         state                                high           false
3109.1   Long SMTP Command                                         state                                medium         false
4001.0   UDP Port Sweep                                            sweep                                high           false
6901.0   Net Flood ICMP Reply                                      flood-net                            informational  false
6902.0   Net Flood ICMP Request                                    flood-net                            informational  false
6903.0   Net Flood ICMP Any                                        flood-net                            informational  false
6910.0   Net Flood UDP                                             flood-net                            informational  false
6920.0   Net Flood TCP                                             flood-net                            informational  false

CAVEATS
None.

Modified signature(s) detail: The following signatures have been retired: 6920-0, 6910-0, 6903-0, 6902-0, 6901-0, 4001-0, 3109-1, 3109-0 and 3010-0

=================================================================================================
S572 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
There are no new signatures for this release.
TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
1621.0   ICMPv6 Neighbor Solicitation                              atomic-ip-advanced                   informational  false
1622.0   ICMPv6 Neighbor Advertisement                             atomic-ip-advanced                   informational  false
1623.0   ICMPv6 Redirect                                           atomic-ip-advanced                   informational  false
1624.0   ICMPv6 Router Renumbering                                 atomic-ip-advanced                   informational  false
1625.0   ICMPv6 Membership Report V2                               atomic-ip-advanced                   informational  false
1626.0   Large ICMPV6 Traffic                                      atomic-ip-advanced                   informational  false
1627.0   Fragmented ICMPv6 Traffic                                 atomic-ip-advanced                   informational  false
1719.0   IPv6 Endpoint Identification Option Set                   atomic-ip-advanced                   informational  false
1721.0   IPv6 Router Alert Option Set                              atomic-ip-advanced                   informational  false
1724.0   IPv6 Endpoint Identification Option Set                   atomic-ip-advanced                   informational  false
1725.0   IPv6 Tunnel Encapsulation Limit Option Set                atomic-ip-advanced                   informational  false
1731.0   IPv6 Type 2 Routing Header                                atomic-ip-advanced                   informational  false
1737.0   IPv6 Routing Header Reserved Bits Set                     atomic-ip-advanced                   medium         false
1741.0   IPv6 Fragment Header Reserved Bits Set                    atomic-ip-advanced                   low            false
2152.0   ICMP Flood                                                flood-host                           medium         false
4002.0   UDP Host Flood                                            flood-host                           low            false

CAVEATS
None.

Modified signature(s) detail: The following signatures have been retired: 4002-0, 2152-0, 1741-0, 1737-0, 1731-0, 1725-0, 1724-0, 1721-0, 1719-0, 1627-0, 1626-0, 1625-0, 1624-0, 1623-0, 1622-0 and 1621-0

=================================================================================================
S571 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
37346.0  Cisco AnyConnect VPN Client Arbitrary Program Execution   string-tcp                           high           true

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
34029.2  HP OpenView nnmRptConfig Remote Code Execution            string-tcp                           informational  true

CAVEATS
None.

Modified signature(s) detail: Signature 34029-2 has been modified to increase coverage.
=================================================================================================
S570 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
There are no new signatures for this release.

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
1705.0   IPv6 ESP Header Present                                   atomic-ip-advanced                   informational  false
1706.0   Invalid IPv6 Header Traffic Class Field                   atomic-ip-advanced                   informational  false
1707.0   Invalid IPv6 Header Flow Label Field                      atomic-ip-advanced                   informational  false

CAVEATS
None.

Modified signature(s) detail: None.

=================================================================================================
S569 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
There are no new signatures for this release.

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
1700.0   IPv6 Hop-by-Hop Options Present                           atomic-ip-advanced                   informational  false
1701.0   IPv6 Destination Options Header Present                   atomic-ip-advanced                   informational  false
1702.0   IPv6 Routing Header Present                               atomic-ip-advanced                   informational  false
1703.0   IPv6 Fragmented Traffic                                   atomic-ip-advanced                   informational  false
1704.0   IPv6 Authentication Header Present                        atomic-ip-advanced                   informational  false

CAVEATS
None.

Modified signature(s) detail: None.

=================================================================================================
S568 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
36486.0  Cisco CDS Internet Streamer Web Server Vulnerability      string-tcp                           high           true

TUNED SIGNATURES
There are no tuned signatures for this release.

CAVEATS
None.

Modified signature(s) detail: None.

=================================================================================================
S567 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
There are no new signatures for this release.
TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
1400.0   GRE Over IPv6 Encapsulation                               atomic-ip-advanced                   informational  false
1401.0   IPIP Encapsulation                                        atomic-ip-advanced                   informational  false
1402.0   MPLS Over IPv6 Encapsulation                              atomic-ip-advanced                   informational  false
1403.0   IPv4 Over IPv6 Encapsulation                              atomic-ip-advanced                   informational  false
1405.0   Teredo Destination IP Address                             atomic-ip-advanced                   informational  false
1406.0   Teredo Source Port                                        atomic-ip-advanced                   medium         false
1407.0   Teredo Destination Port                                   atomic-ip-advanced                   informational  false
1408.0   Teredo Data Packet                                        atomic-ip-advanced                   informational  false
1409.0   GRE Tunnel Detected                                       atomic-ip-advanced                   informational  false
1410.0   IPv6 Over MPLS Tunnel                                     atomic-ip-advanced                   informational  false
1610.0   ICMPv6 Echo Request                                       atomic-ip-advanced                   informational  false
1611.0   ICMPv6 Echo Reply                                         atomic-ip-advanced                   informational  false
1612.0   ICMPv6 Destination Unreachable                            atomic-ip-advanced                   informational  false
1613.0   ICMPv6 Packet Too Big Message                             atomic-ip-advanced                   informational  false
1614.0   ICMPv6 Time Exceeded Message                              atomic-ip-advanced                   informational  false
1615.0   ICMPv6 Parameter Problem Message                          atomic-ip-advanced                   informational  false
1616.0   ICMPv6 Group Membership Query                             atomic-ip-advanced                   informational  false
1617.0   ICMPv6 Group Membership Report                            atomic-ip-advanced                   informational  false
1619.0   ICMPv6 Router Solicitation                                atomic-ip-advanced                   informational  false
1620.0   ICMPv6 Router Advertisement                               atomic-ip-advanced                   informational  false

CAVEATS
None.
Modified signature(s) detail: The following signatures have been retired: 1620-0, 1619-0, 1617-0, 1616-0, 1615-0, 1614-0, 1613-0, 1612-0, 1611-0, 1610-0, 1410-0, 1409-0, 1408-0, 1407-0, 1406-0, 1405-0, 1403-0, 1402-0, 1401-0 and 1400-0

=================================================================================================
S566 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
29619.0  Heap Feng Shui Code                                       string-tcp                           high           true
29700.0  AWStats migrate Remote Command Execution                  service-http                         high           false
29859.0  Wireshark LWRES Dissector Buffer Overflow                 atomic-ip                            high           false
30040.0  CA ARCserve Backup Message Engine Denial of Service Vulnerability  service-msrpc               medium         true
30099.0  Snort Back Orifice Preprocessor Overflow                  fixed-udp                            informational  false
30101.0  SentinelLM UDP Buffer Overflow                            atomic-ip                            high           false
30260.0  Apple QuickTime QTPlugin Code Execution                   meta                                 high           true
30260.1  Apple QuickTime QTPlugin Code Execution                   string-tcp                           informational  true
30260.2  Apple QuickTime QTPlugin Code Execution                   string-tcp                           informational  true
30680.0  Foxy P2P Application                                      fixed-tcp                            informational  true

TUNED SIGNATURES
SIGID    SIGNAME                                                   ENGINE                               SEVERITY       ENABLED
6094.0   Nullsoft Winamp M3U Remote Buffer Overflow                string-tcp                           high           false
16095.0  Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow  string-tcp                           medium         false
16219.0  Mozilla Firefox XSL Parsing Remote Memory Corruption      string-tcp                           high           true
17197.2  MicroWorld Technologies MailScan Multiple Remote Vulnerabilities  string-tcp                   high           false
17740.0  HTTP WEBMOD Directory Traversal                           service-http                         high           false
22841.0  Novell GroupWise Messenger Stack Overflow                 string-tcp                           high           false
30719.1  Cisco TelePresence CCP Communication                      service-http                         informational  false
30719.2  Cisco TelePresence CCP Communication                      service-http                         informational  false
31359.1  Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution Vulnerability  multi-string  high  false
31359.2  Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution Vulnerability  string-tcp    high  true
31919.0  Microsoft Office Graphic Filter RCE                       string-tcp                           high           true
33579.0  Scripting Engines Information Disclosure Vulnerability    multi-string                         medium         true
35466.0  Microsoft Excel Remote Code Execution                     string-tcp                           high           true

CAVEATS
None.

Modified signature(s) detail: The following signatures have been fixed for reported failures by modifying their regexes or changing their service directions:
35466-0  Microsoft Excel Remote Code Execution
33579-0  Scripting Engines Information Disclosure Vulnerability
31919-0  Microsoft Office Graphic Filter RCE
31359-2  Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution Vulnerability
31359-1  Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution Vulnerability
30719-2  Cisco TelePresence CCP Communication
30719-1  Cisco TelePresence CCP Communication
22841-0  Novell GroupWise Messenger Stack Overflow
17740-0  HTTP WEBMOD Directory Traversal
17197-2  MicroWorld Technologies MailScan Multiple Remote Vulnerabilities
16219-0  Mozilla Firefox XSL Parsing Remote Memory Corruption
6094-0   Nullsoft Winamp M3U Remote Buffer Overflow

The following signature has been retired:
16095-0  Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow

=================================================================================================
S565 SIGNATURE UPDATE DETAILS

NEW SIGNATURES
There are no new signatures for this release.
TUNED SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
1303.0     TCP Session Closing Timeout                                   normalizer            informational   false
5041.0     WWW anyform attack                                            service-http          high            false
5043.1     WWW Cold Fusion Attack                                        service-http          high            false
5044.0     WWW Webcom.se Guestbook attack                                service-http          high            false
5078.0     WWW Piranha passwd attack                                     service-http          medium          false
5079.0     WWW PCCS MySQL Admin Access                                   service-http          low             false
5089.0     WWW Big Brother Directory Access                              service-http          low             false
5095.0     WWW CGI Script Center Account Manager Attack                  service-http          medium          false
5096.0     WWW CGI Script Center Subscribe Me Attack                     service-http          low             false
5103.0     WWW SuSE Apache CGI Source Access                             service-http          low             false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S564 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
33519.0    ProFTPD Backdoor Unauthorized Access                          string-tcp            high            true
33619.0    OpenLDAP modrdn DoS                                           string-tcp            medium          true
34029.0    HP OpenView nnmRptConfig Remote Code Execution                meta                  high            true
34029.1    HP OpenView nnmRptConfig Remote Code Execution                service-http          informational   true
34029.2    HP OpenView nnmRptConfig Remote Code Execution                string-tcp            informational   true
34385.0    Greylisting Daemon(GLD) Postfix Buffer Overflow               multi-string          high            false
34425.0    Apache Tomcat Transfer-Encoding Denial Of Service             service-http          medium          true
34665.0    Adobe Acrobat Reader BMP RLE_8 Decompression Arbitrary Code Execution  multi-string  high          true

TUNED SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
6408.0     IE DHTML Memory Corruption                                    meta                  high            false
6408.1     IE DHTML Memory Corruption                                    string-tcp            informational   false

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S563 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
36106.0    Microsoft Fax Cover Page Editor                               string-tcp            high            true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S562 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
35085.0    Cisco Call Manager SQL Injection                              service-http          high            true
35846.0    Cisco CUCM Remote Code Execution                              string-tcp            high            true
35866.0    Cisco CUCM SIP Vulnerability                                  string-tcp            high            true

TUNED SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
27839.2    Windows LNK File Code Execution                               service-smb-advanced  informational   true
27839.3    Windows LNK File Code Execution                               service-smb-advanced  informational   true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S561 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
15012.1    Oracle BEA WebLogic Server Apache Connector Buffer Overflow   string-tcp            medium          true
16095.0    Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow      string-tcp            medium          true
16793.2    Adobe Reader getAnnots() Remote Code Execution                string-tcp            high            false
17999.1    Backdoor Beast                                                string-tcp            high            false
18357.0    Sun Glassfish 'name' Parameter Cross Site Scripting Vulnerability  service-http     high            false
18600.1    Active Directory Invalid Free Vulnerability                   string-tcp            high            false
19600.1    Mozilla Firefox Just-In-Time JavaScript Parsing Arbitrary Code Execution Vulnerability  multi-string  high  false
21000.0    ClamAV libclamav MEW PE File Handling Integer Overflow        string-tcp            high            false

TUNED SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
15012.0    Oracle BEA WebLogic Server Apache Connector Buffer Overflow   service-http          medium          true
18379.0    Logitech Video Call ActiveX Control Buffer Overflow           string-tcp            high            false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S560 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
3342.2     Windows NetDDE Overflow                                       service-smb-advanced  high            false
3793.2     ZENworks 6.5 Authentication Overflow                          fixed-tcp             high            false

TUNED SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
3577.0     IMAP LOGIN Command Invalid Username                           string-tcp            high            false
3701.0     Oracle 9iAS Web Cache Buffer Overflow                         service-http          high            false
3705.0     Tivoli Storage Manager Client Acceptor Overflow               service-http          medium          false
3710.0     Cisco Secure ACS Directory Traversal                          service-http          low             true
5035.0     HTTP cgi HylaFAX Faxsurvey                                    service-http          high            false
5037.0     WWW SGI MachineInfo Attack                                    service-http          low             false
5038.0     WWW wwwsql file read Bug                                      service-http          medium          false
5039.0     WWW finger attempt                                            service-http          low             true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S559 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
35626.0    Adobe Remote Code Execution                                   string-tcp            high            true

TUNED SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
31419.0    Microsoft Office Insecure Library Loading Vulnerability       service-http          high            false
35386.0    IE Object Management Memory Corruption                        multi-string          high            true

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S558 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
35125.0    Microsoft Windows CIFS Clientside Buffer Overflow             atomic-ip             high            true
35145.0    MS Excel Office Drawing File Format Vulnerability             string-tcp            high            true
35205.0    Windows GDI+ Buffer Overflow                                  string-tcp            high            true
35245.0    MS IE Memory Corruption Vulnerability                         multi-string          high            true
35306.0    Microsoft Fax Cover Page Editor Heap Corruption               string-tcp            high            true
35326.0    Windows WordPad Converter Parsing Remote Code Execution       multi-string          high            true
35327.0    Windows DNS Client Service Remote Code Execution              atomic-ip             high            true
35366.0    Microsoft Excel Memory Corruption Exploit                     multi-string          high            true
35367.0    MS IE JavaScript Information Disclosure Vulnerability         multi-string          high            true
35386.0    IE Object Management Memory Corruption                        multi-string          high            true
35387.0    Windows Kernel-Mode Drivers Vulnerability                     string-tcp            high            true
35406.0    Microsoft Windows Kernel-Mode Drivers Vulnerability           string-tcp            medium          true
35426.0    Microsoft Excel Record Parsing WriteAV Exploit                multi-string          high            true
35427.0    Microsoft Excel Dangling Pointer Exploit                      multi-string          high            true
35428.0    Microsoft Excel Buffer Overwrite Exploit                      multi-string          high            true
35446.0    Microsoft Excel Remote Code Execution                         string-tcp            high            true
35466.0    Microsoft Excel Remote Code Execution                         string-tcp            high            true
35506.0    Microsoft Windows Messenger ActiveX Control Vulnerability     string-tcp            high            true
35507.0    Microsoft WMITools ActiveX Control Vulnerability              string-tcp            high            true
35509.0    Microsoft Excel Remote Code Execution Vulnerability           string-tcp            high            true
35527.0    Microsoft Excel Remote Code Execution                         string-tcp            high            true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S557 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
35285.0    Lizamoon SQL Injection                                        string-tcp            high            true

TUNED SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
3142.0     Sasser Worm Activity                                          string-tcp            high            false
3142.1     Sasser Worm Activity                                          string-tcp            high            false
3142.3     Sasser Worm Activity                                          string-tcp            medium          false
5916.0     URL Handler Vulnerability                                     string-tcp            high            false
6785.0     Microsoft Visual Basic VBP File Processing Buffer Overflow    meta                  high            false
6785.1     Microsoft Visual Basic VBP File Processing Buffer Overflow    string-tcp            informational   false
6785.2     Microsoft Visual Basic VBP File Processing Buffer Overflow    string-tcp            informational   false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S556 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
33480.0    Cisco NAC Guest Server Vulnerability                          atomic-ip             high            true

TUNED SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
3178.0     Denial Of Service in Microsoft SMS Client                     string-tcp            high            false
5674.0     Snort Back Orifice Preprocessor Overflow                      atomic-ip             informational   false
5777.0     Mozilla Favicon Code Execution                                string-tcp            high            false
5916.0     URL Handler Vulnerability                                     string-tcp            high            false
6226.0     Trojan.Srizbi Bot                                             atomic-ip             high            false
6264.0     Excel Malformed Header                                        string-tcp            high            false
6266.0     Excel Malformed Header                                        string-tcp            high            false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S555 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.
TUNED SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
3327.13    Windows RPC DCOM Overflow                                     string-tcp            informational   false
3347.1     Windows ASN.1 Library Bit String Heap Corruption              string-tcp            high            false
3347.2     Windows ASN.1 Library Bit String Heap Corruption              service-http          high            false
3603.0     IOS Enable Bypass                                             state                 informational   false
5413.0     WhatsUp Gold Buffer Overflow Vulnerability                    service-http          high            false
5440.0     IRC Bot Activity                                              string-tcp            low             false
5569.0     MDaemon Imap Authentication Overflow                          string-tcp            high            false
5621.0     DNP3 - Miscellaneous Request to a PLC                         string-tcp            informational   false
5622.0     Modbus TCP - Force Listen Only Mode                           string-tcp            informational   false
5623.0     Modbus TCP - Restart Communications Option                    string-tcp            informational   false
5624.0     Modbus TCP - Clear Counters and Diagnostic Registers          string-tcp            informational   false
5625.0     Modbus TCP - Read Device Identification                       string-tcp            informational   false
5626.0     Modbus TCP - Report Server Information                        string-tcp            informational   false
5627.0     Modbus TCP - Illegal Packet Size                              string-tcp            informational   false
5627.1     Modbus TCP - Illegal Packet Size                              string-tcp            informational   false
5628.0     Modbus Slave Device Busy Exception Code Delay                 string-tcp            informational   false
5629.0     Modbus Acknowledge Exception Code Delay                       string-tcp            informational   false
5813.1     Microsoft Internet Explorer Vector Markup Language Vulnerability  string-tcp        informational   false
5813.2     Microsoft Internet Explorer Vector Markup Language Vulnerability  string-tcp        informational   false
5813.3     Microsoft Internet Explorer Vector Markup Language Vulnerability  string-tcp        informational   false
5817.0     ASP .NET Cross Site Scripting                                 string-tcp            high            false
5820.0     Symantec AntiVirus and Client Security Buffer Overflow        string-tcp            high            false
5857.0     UPnP Memory Corruption Vulnerability                          meta                  high            false
5857.1     UPnP Memory Corruption Vulnerability                          string-tcp            informational   false
5857.2     UPnP Memory Corruption Vulnerability                          string-tcp            informational   false
5857.3     UPnP Memory Corruption Vulnerability                          string-xl-tcp         informational   false
5857.4     UPnP Memory Corruption Vulnerability                          meta                  informational   false
5898.0     Microsoft Agent HTTP Code Execution                           meta                  high            false
6521.0     Call Manager Overflow                                         string-tcp            medium          false
6773.0     WordPerfect X3 Printer Selection Vulnerability                string-tcp            high            false
33379.0    Windows MHTML Protocol Handler Script Execution               string-tcp            high            true

CAVEATS

None.

Modified signature(s) detail:

The following signatures have been retired:
6773-0   WordPerfect X3 Printer Selection Vulnerability
6521-0   Call Manager Overflow
5898-0   Microsoft Agent HTTP Code Execution
3603-0   IOS Enable Bypass
5629-0   Modbus Acknowledge Exception Code Delay
5628-0   Modbus Slave Device Busy Exception Code Delay
5627-1   Modbus TCP - Illegal Packet Size
5627-0   Modbus TCP - Illegal Packet Size
5626-0   Modbus TCP - Report Server Information
5625-0   Modbus TCP - Read Device Identification
5624-0   Modbus TCP - Clear Counters and Diagnostic Registers
5623-0   Modbus TCP - Restart Communications Option
5622-0   Modbus TCP - Force Listen Only Mode
5621-0   DNP3 - Miscellaneous Request to a PLC
5413-0   WhatsUp Gold Buffer Overflow Vulnerability
3347-1   Windows ASN.1 Library Bit String Heap Corruption
3347-2   Windows ASN.1 Library Bit String Heap Corruption
5440-0   IRC Bot Activity
5569-0   MDaemon Imap Authentication Overflow
5813-1   Microsoft Internet Explorer Vector Markup Language Vulnerability
5813-2   Microsoft Internet Explorer Vector Markup Language Vulnerability
5813-3   Microsoft Internet Explorer Vector Markup Language Vulnerability
5817-0   ASP .NET Cross Site Scripting
5820-0   Symantec AntiVirus and Client Security Buffer Overflow
5857-0   UPnP Memory Corruption Vulnerability
5857-1   UPnP Memory Corruption Vulnerability
5857-2   UPnP Memory Corruption Vulnerability
5857-3   UPnP Memory Corruption Vulnerability
5857-4   UPnP Memory Corruption Vulnerability
3327-13  Windows RPC DCOM Overflow

=================================================================================================
S554 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
34465.0    authplay.dll Memory Corruption Vulnerability                  string-tcp            high            true

TUNED SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
3453.0     MS NetMeeting RDS DoS                                         string-tcp            low             false
5502.0     Llssrv RPC Activity                                           string-tcp            informational   false
5502.1     Llssrv RPC Activity                                           service-smb           informational   false
5502.2     Llssrv RPC Activity                                           service-smb           informational   false
5502.3     Llssrv RPC Activity                                           string-tcp            informational   false
5502.4     Llssrv RPC Activity                                           service-smb           informational   false
5547.0     SMB File Name Overflow                                        string-tcp            high            false
5680.0     Apache Line Feed DoS                                          string-tcp            medium          false
5776.0     Routing and Remote Access Service Code Execution              meta                  high            false
5776.1     Routing and Remote Access Service Code Execution              string-tcp            informational   false
5776.2     Routing and Remote Access Service Code Execution              service-smb           informational   false
5776.3     Routing and Remote Access Service Code Execution              string-tcp            informational   false
5776.4     Routing and Remote Access Service Code Execution              meta                  high            false
5868.0     IE Navigation Cancel Page Spoofing Vulnerability              string-tcp            medium          false
5908.0     NNTP Overflow                                                 meta                  high            false
5908.1     NNTP Overflow                                                 string-tcp            informational   false
5908.2     NNTP Overflow                                                 string-tcp            informational   false
6350.0     MS-SQL Query Abuse                                            string-tcp            high            false
6544.0     ActiveX Object Memory Corruption Vulnerability                meta                  high            false
6544.1     ActiveX Object Memory Corruption Vulnerability                string-tcp            informational   false
6921.0     Microsoft Word Code Execution                                 string-tcp            high            false
34165.0    Permanently Obsoleted Signatures                              string-tcp            informational   false

CAVEATS

None.

Modified signature(s) detail:

The following signatures have been retired:
5547-0   SMB File Name Overflow
5502-4   Llssrv RPC Activity
5502-3   Llssrv RPC Activity
5502-2   Llssrv RPC Activity
5502-1   Llssrv RPC Activity
5502-0   Llssrv RPC Activity
6350-0   MS-SQL Query Abuse
5908-2   NNTP Overflow
5908-1   NNTP Overflow
5908-0   NNTP Overflow
5868-0   IE Navigation Cancel Page Spoofing Vulnerability
5776-4   Routing and Remote Access Service Code Execution
5776-3   Routing and Remote Access Service Code Execution
5776-2   Routing and Remote Access Service Code Execution
5776-1   Routing and Remote Access Service Code Execution
5776-0   Routing and Remote Access Service Code Execution
5680-0   Apache Line Feed DoS
6921-0   Microsoft Word Code Execution
6544-1   ActiveX Object Memory Corruption Vulnerability
6544-0   ActiveX Object Memory Corruption Vulnerability
3453-0   MS NetMeeting RDS DoS

=================================================================================================
S553 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
34165.0    Permanently Obsoleted Signatures                              string-tcp            informational   false

TUNED SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
3113.0     Email Attachment with Malicious Payload                       string-tcp            medium          false
5612.0     DNP3 - Unsolicited Response Storm                             string-tcp            informational   false
5613.0     DNP3 - Cold Restart Request                                   string-tcp            informational   false
5614.0     DNP3 - Disable Unsolicited Responses                          string-tcp            informational   false
5615.0     DNP3 - Read Request to a PLC                                  string-tcp            informational   false
5616.0     DNP3 - Stop Application                                       string-tcp            informational   false
5617.0     DNP3 - Warm Restart                                           string-tcp            informational   false
5618.0     DNP3 - Broadcast Request                                      string-tcp            informational   false
5619.0     Non-DNP3 Communication on a DNP3 Port                         string-tcp            informational   false
5619.1     Non-DNP3 Communication on a DNP3 Port                         string-tcp            informational   false
5620.0     DNP3 - Write Request to a PLC                                 string-tcp            informational   false
5639.0     Web View Script Injection Vulnerability                       string-tcp            high            false
5767.0     FreeSSHd Key Exchange Overflow                                string-tcp            high            false
5794.0     Routing and Remote Access Service RASMAN Registry Stack Overflow  meta              high            false
5794.1     Routing and Remote Access Service RASMAN Registry Stack Overflow  string-tcp        informational   false
5794.2     Routing and Remote Access Service RASMAN Registry Stack Overflow  string-tcp        informational   false
5822.0     Workstation Service Memory Corruption Vulnerability           meta                  high            false
5822.2     Workstation Service Memory Corruption Vulnerability           string-tcp            informational   false
11246.0    AIM File Transfer Request                                     string-tcp            informational   false
11247.0    AIM File Transfer                                             string-tcp            informational   false

CAVEATS

None.

Modified signature(s) detail:

The following signatures have been retired:
5620-0   DNP3 - Write Request to a PLC
5619-1   Non-DNP3 Communication on a DNP3 Port
5619-0   Non-DNP3 Communication on a DNP3 Port
5618-0   DNP3 - Broadcast Request
5617-0   DNP3 - Warm Restart
5616-0   DNP3 - Stop Application
5615-0   DNP3 - Read Request to a PLC
5614-0   DNP3 - Disable Unsolicited Responses
5613-0   DNP3 - Cold Restart Request
5612-0   DNP3 - Unsolicited Response Storm
11247-0  AIM File Transfer
11246-0  AIM File Transfer Request
5822-2   Workstation Service Memory Corruption Vulnerability
5822-0   Workstation Service Memory Corruption Vulnerability
5794-2   Routing and Remote Access Service RASMAN Registry Stack Overflow
5794-1   Routing and Remote Access Service RASMAN Registry Stack Overflow
5794-0   Routing and Remote Access Service RASMAN Registry Stack Overflow
5767-0   FreeSSHd Key Exchange Overflow
5639-0   Web View Script Injection Vulnerability
3113-0   Email Attachment with Malicious Payload

=================================================================================================
S552 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
34045.0    Windows Media Remote Code Execution Exploit                   multi-string          high            true
34046.0    Adobe Flash Player Memory Corruption                          multi-string          high            true
34047.0    Adobe Remote Code Execution Vulnerability                     string-tcp            high            true
34048.0    Adobe Reader and Acrobat Arbitrary Code Execution             multi-string          high            true
34049.0    Adobe Flash Player Content Parsing Memory Corruption Vulnerability  string-tcp      high            true
34050.0    IMAP Long FETCH Command                                       string-xl-tcp         medium          true

TUNED SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
5779.0     ICCP COTP Connection Request                                  string-tcp            informational   false
5780.0     ICCP COTP Connection Established                              string-tcp            informational   false
5781.0     ICCP Client Association                                       string-tcp            informational   false
5782.0     ICCP MMS Write Request Attempt                                string-tcp            informational   false
5783.0     ICCP MMS Write Request Succeeded                              string-tcp            informational   false
5784.0     ICCP COTP Address Unknown Disconnect                          string-tcp            low             false
5785.0     ICCP COTP Protocol Error Disconnect                           string-tcp            low             false
5786.0     ICCP Invalid OSI SSEL                                         string-tcp            low             false
5787.0     ICCP Invalid OSI PSEL                                         string-tcp            low             false
5788.0     ICCP Invalid TPKT Protocol                                    string-tcp            low             false
15293.0    Microsoft Internet Explorer ActiveX Kill Bit CLSID            string-tcp            informational   false
15293.1    Microsoft Internet Explorer ActiveX Kill Bit CLSID            string-tcp            informational   false
15293.2    Microsoft Internet Explorer ActiveX Kill Bit CLSID            string-tcp            informational   false
15293.3    Microsoft Internet Explorer ActiveX Kill Bit CLSID            string-tcp            informational   false
15293.4    Microsoft Internet Explorer ActiveX Kill Bit CLSID            string-tcp            informational   false
15293.5    Microsoft Internet Explorer ActiveX Kill Bit CLSID            string-tcp            informational   false
15293.6    Microsoft Internet Explorer ActiveX Kill Bit CLSID            string-tcp            informational   false
15293.7    Microsoft Internet Explorer ActiveX Kill Bit CLSID            string-tcp            informational   false
15293.8    Microsoft Internet Explorer ActiveX Kill Bit CLSID            string-tcp            informational   false

CAVEATS

None.
Modified signature(s) detail:

The following signatures have been retired:
15293-8  Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293-7  Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293-6  Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293-5  Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293-4  Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293-3  Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293-2  Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293-1  Microsoft Internet Explorer ActiveX Kill Bit CLSID
15293-0  Microsoft Internet Explorer ActiveX Kill Bit CLSID
5788-0   ICCP Invalid TPKT Protocol
5787-0   ICCP Invalid OSI PSEL
5786-0   ICCP Invalid OSI SSEL
5785-0   ICCP COTP Protocol Error Disconnect
5784-0   ICCP COTP Address Unknown Disconnect
5783-0   ICCP MMS Write Request Succeeded
5782-0   ICCP MMS Write Request Attempt
5781-0   ICCP Client Association
5780-0   ICCP COTP Connection Established
5779-0   ICCP COTP Connection Request

=================================================================================================
S551 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
33959.0    Binary Floating Point Number Conversion Denial of Service Vulnerability  service-http  medium      true

TUNED SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
9401.2     Back Door Y3K RAT                                             atomic-ip             high            false
9403.2     Back Door Xanadu                                              atomic-ip             high            false
9412.1     Back Door The Unexplained                                     atomic-ip             high            false
9418.1     Back Door Revenger                                            atomic-ip             high            false
9430.1     Back Door Alvgus                                              atomic-ip             high            false
9433.1     Back Door Blasitix                                            atomic-ip             high            false
9515.0     Back Door Kuang                                               string-tcp            high            false
9516.0     Back Door Butt-man                                            string-tcp            high            false
9580.0     Back Door AckCmd                                              atomic-ip             high            false
9583.0     Back Orifice Activity (UDP)                                   atomic-ip             medium          false
11018.1    eDonkey Activity                                              service-p2p           low             false
11019.0    WinMx Server Response                                         string-tcp            low             false
11019.1    WinMx Server Response                                         service-p2p           low             false
11020.2    BitTorrent Client Activity                                    fixed-udp             low             false
11020.3    BitTorrent Client Activity                                    fixed-udp             low             false
11020.4    BitTorrent Client Activity                                    fixed-udp             low             false
11022.1    Overnet Client Scan                                           service-p2p           low             false

CAVEATS

None.

Modified signature(s) detail:

The following signatures were retired:
9401-2   Back Door Y3K RAT
9403-2   Back Door Xanadu
9412-1   Back Door The Unexplained
9418-1   Back Door Revenger
9430-1   Back Door Alvgus
9433-1   Back Door Blasitix
9515-0   Back Door Kuang
9516-0   Back Door Butt-man
9580-0   Back Door AckCmd
9583-0   Back Orifice Activity (UDP)
11018-1  eDonkey Activity
11019-0  WinMx Server Response
11019-1  WinMx Server Response
11020-2  BitTorrent Client Activity
11020-3  BitTorrent Client Activity
11020-4  BitTorrent Client Activity
11022-1  Overnet Client Scan

=================================================================================================
S550 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
32719.0    Cisco Telepresence Unauthenticated Remote Arbitrary Command Execution  service-http  high          true
33859.0    Cisco TelePresence Endpoint CGI Command Injection             service-http          high            true
33860.0    Cisco TelePresence Multipoint Switch Java Servlet Access      service-http          high            false
33860.1    Cisco TelePresence Multipoint Switch Java Servlet Access      service-http          high            false
33861.0    Cisco TelePresence Recording Server Command Execution Vulnerability  meta           high            true
33861.1    Cisco TelePresence Recording Server Command Execution Vulnerability  service-http   informational   true
33861.2    Cisco TelePresence Recording Server Command Execution Vulnerability  service-http   informational   true
33861.3    Cisco TelePresence Recording Server Command Execution Vulnerability  service-http   informational   true
33861.4    Cisco TelePresence Recording Server Command Execution Vulnerability  service-http   informational   true

TUNED SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
3654.0     SSH Gobbles Exploit                                           service-ssh           high            false
5634.0     Barracuda Spam Firewall Command Execution                     service-http          high            false
5684.7     Malformed SIP Packet                                          atomic-ip             medium          false
6130.1     Microsoft Message Queuing Overflow                            string-tcp            informational   false
6130.4     Microsoft Message Queuing Overflow                            string-tcp            informational   false
6130.6     Microsoft Message Queuing Overflow                            service-msrpc         informational   false
6130.7     Microsoft Message Queuing Overflow                            string-tcp            informational   false
6130.8     Microsoft Message Queuing Overflow                            string-tcp            informational   false
6130.9     Microsoft Message Queuing Overflow                            meta                  high            false
6130.10    Microsoft Message Queuing Overflow                            string-tcp            informational   false
6130.11    Microsoft Message Queuing Overflow                            meta                  high            false
23199.0    Microsoft Windows Embedded OpenType Font Engine Remote Code Execution  string-tcp   high            false
23899.0    Microsoft Office PowerPoint Viewer TextBytesAtom Record Stack Overflow Vulnerability  string-tcp  high  false
23919.0    Microsoft Office PowerPoint Remote Code Excution Vulnerability  string-tcp          high            false
23979.0    Microsoft Powerpoint Remote Code Execution Vulnerability      multi-string          high            false
24099.0    Microsoft Paint Remote Code Execution Vulnerability           multi-string          high            false
28419.0    Windows LSASS Heap Overflow                                   string-tcp            high            false
29499.0    Microsoft Windows Uniscribe Fonts Vulnerability               string-tcp            high            false
29559.0    Microsoft Wordpad Memory Corruption Vulnerability             string-tcp            high            false
29579.0    Microsoft Windows Media Player Remote Code Execution Vulnerability  string-tcp      high            false
29739.0    Microsoft Outlook Code Execution                              atomic-ip             high            false

CAVEATS

None.
Modified signature(s) detail:

The following signatures have been retired:
24099-0, 23899-0, 23979-0, 23919-0, 23199-0, 29739-0, 29579-0, 29559-0, 29499-0, 28419-0, 6130-11, 6130-10, 6130-9, 6130-8, 6130-7, 6130-6, 6130-4, 6130-1, 5684-7, 5634-0 and 3654-0

=================================================================================================
S549 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
30103.0    SunRPC XDR xdrmem_getbytes Overflow                           atomic-ip-advanced    high            false
31859.0    Sasser Worm FTP Server Remote Buffer Overflow                 string-tcp            high            true
32539.0    Novell eDirectory dhost Module Buffer Overflow                service-http          high            true
32919.0    CA BrightStor HSM Buffer Overflow                             string-tcp            high            true
33059.0    HP Operations Manager Unauthorized File Upload                service-http          high            true
33159.0    PHP ZVAL Reference Counter Integer Overflow                   multi-string          high            false

TUNED SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
6263.0     XSS in Cisco ACS Server                                       service-http          medium          true
6267.0     IMAP Long FETCH Command                                       string-tcp            high            true
6269.0     HP Openview Operations Buffer Overflow                        string-tcp            high            false
6721.0     OpenBSD ISAKMP Message Handling Denial Of Service             atomic-ip             high            false
6723.0     Sun Directory Server LDAP Denial of Service Details           string-tcp            high            false
6735.0     Microsoft Internet Explorer HHCtrl.ocx Image Property Heap Corruption  multi-string  high          false
6765.0     Cisco Application Velocity System Default Passwords           service-http          high            true
7273.0     Ipswitch FTP Client Format String                             string-tcp            high            false
24499.0    Cisco CUCM Malformed SCCP Message                             string-tcp            medium          false

CAVEATS

None.
Modified signature(s) detail:

The following signatures have been tuned for performance:
24499-0, 6765-0, 6735-0, 6723-0, 6721-0, 6269-0, 6267-0, 6263-0 and 7273-0

=================================================================================================
S548 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
33819.0    Backdoor zwShell Command and Control                          string-tcp            high            true
33839.0    Windows Server Active Directory Windows Server BROWSER ELECTION Remote Heap Overflow  atomic-ip  high  true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S547 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
33659.0    Adobe Reader Embedded Fonts Program Heap Corruption           multi-string          high            true
33660.0    Adobe Flash Remote Code Execution                             multi-string          high            true
33679.0    Adobe Reader Input Validation Vulnerability                   string-tcp            medium          true
33680.0    Adobe Reader Cross Domain Restriction Bypass                  string-tcp            high            true
33681.0    Adobe Reader and Acrobat PDF Memory Corruption                string-tcp            high            true
33699.0    Adobe Flash Player Asnative Memory Corruption                 multi-string          medium          true
33700.0    Acrobat Reader JPEG 2000 Images Memory Corruption Vulnerability  multi-string       high            true
33719.0    Adobe Flash Player Arbitrary Memory Access                    multi-string          medium          true
33740.0    Adobe Flash Player Dynamic Code Execution                     multi-string          high            true
33759.0    Acrobat Reader Memory Corruption Vulnerability                multi-string          medium          true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S546 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
33239.0    OpenType Font Encoded Character Vulnerability                 multi-string          high            true
33260.0    Microsoft Office Visio Remote Code Execution                  string-tcp            high            true
33299.0    Kerberos Elevation of Privilege Vulnerability                 atomic-ip             medium          true
33399.0    Microsoft Internet Explorer CSS Import Memory Corruption Vulnerability  string-tcp  high            true
33439.0    IE Memory Corruption Vulnerability                            string-tcp            high            true
33459.0    IE Memory Corruption Vulnerability                            string-tcp            high            true
33539.0    Microsoft Office Visio Remote Code Execution                  string-tcp            high            true
33559.0    IIS FTP Service Heap Buffer Overflow                          string-tcp            high            true
33579.0    Scripting Engines Information Disclosure Vulnerability        multi-string          medium          true
33599.0    Windows Shell Graphics Processing Remote Code Execution       string-tcp            high            true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S545 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
33499.0    Default Credentials For Root Account on Tandberg Endpoints    multi-string          high            true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================
S544 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                       ENGINE                SEVERITY        ENABLED
33379.0    Windows MHTML Protocol Handler Script Execution               string-tcp            high            true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================
S543 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
5452.1    Office XP URL Processing Buffer Overflow                        string-tcp            high           false
5512.1    Cisco SNMP Message Processing DoS                               atomic-ip             medium         false
5718.1    VERITAS NetBackup Volume Manager Daemon Buffer Overflow         string-tcp            high           true
26619.0   Racer Remote Buffer Overflow                                    atomic-ip             high           false
30139.0   SMB Directory Traversal                                         string-tcp            medium         false
31939.0   Samba Session Setup AndX Security Blob Length Denial Of Service multi-string          medium         true
32479.0   Adobe Flash Remote Code Execution                               string-tcp            high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
6711.0    Microsoft Internet Explorer Image Download Spoofing             service-http          high           false
6712.0    Microsoft Internet Explorer Script Engine Stack Exhaustion      string-tcp            high           false
6717.0    Microsoft Internet Explorer Status Bar URL Spoofing             string-tcp            high           false

CAVEATS

None.

Modified signature(s) detail:

Signatures 6711-0, 6712-0 and 6717-0 have been modified to increase fidelity.

=================================================================================================
S542 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.
TUNED SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
5583.0    SMB Remote SAM Service Access Attempt                           service-smb-advanced  informational  true
5588.0    Windows DCOM Overflow                                           service-smb-advanced  high           true
5588.1    Windows DCOM Overflow                                           service-smb-advanced  high           true
5592.0    SMB: RFPoison Attack                                            service-smb-advanced  high           true
5598.0    Windows Workstation Service Overflow                            service-smb-advanced  high           true
5601.1    Windows LSASS RPC Overflow                                      service-smb-advanced  high           true
5858.5    DNS Server RPC Interface Buffer Overflow                        service-smb-advanced  high           true
6131.10   Microsoft Plug and Play Overflow                                service-smb-advanced  high           true
6131.11   Microsoft Plug and Play Overflow                                service-smb-advanced  high           true
7280.0    Windows Server Service Remote Code Execution                    service-smb-advanced  high           true
7280.1    Windows Server Service Remote Code Execution                    service-smb-advanced  high           true

CAVEATS

None.

Modified signature(s) detail:

The following signatures have been tuned for performance: 5583-0, 5588-0, 5588-1, 5592-0, 5598-0, 5601-1, 5858-5, 6131-10, 6131-11, 7280-0 and 7280-1.
=================================================================================================
S541 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
15005.1   Microsoft Windows SMB Remote Code Execution                     service-smb-advanced  high           false
24299.0   Oracle Secure Backup DoS                                        string-tcp            high           false
28619.0   HP Mercury Quality Center ActiveX Vulnerability                 multi-string          high           false
29279.0   NCTAudioFile2.AudioFile ActiveX Control Buffer Overflow         multi-string          high           false
31359.1   Microsoft Internet Explorer Invalid Flag Reference              multi-string          high           false
          Remote Code Execution Vulnerability
31359.2   Microsoft Internet Explorer Invalid Flag Reference              string-tcp            high           true
          Remote Code Execution Vulnerability
31759.0   Yahoo Messenger ActiveX Control Remote Code Execution           string-tcp            high           false

TUNED SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
6296.0    IBM Lotus Sametime Server Multiplexer Stack Buffer Overflow     service-http          high           true
6422.0    Microsoft ASP.NET Application Folder Information Disclosure     service-http          medium         false
6451.0    MediaWiki Language Option PHP Code Execution                    service-http          high           false
6500.0    RingZero Trojan                                                 service-http          medium         false
16433.0   Microsoft Office Text Converter Buffer Overflow                 string-tcp            high           false
21622.0   Microsoft Windows GDI+ Code Execution                           multi-string          high           false

CAVEATS

None.

Modified signature(s) detail:

Signature 16433-0 has been modified to increase fidelity.
Signature 21622-0 has been retired.
The following signatures have been tuned for performance: 6296-0, 6422-0, 6451-0 and 6500-0.

=================================================================================================
S540 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.
TUNED SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
17020.0   Magento Multiple Cross Site Scripting                           service-http          high           false
17120.0   Apache Tomcat "RequestDispatcher" Information Disclosure        service-http          high           false
          Vulnerability
17121.0   SonicWALL Email Security Host Header Cross-Site Scripting       service-http          high           false
          Vulnerability
17122.0   SAP Internet Transaction Server wgate.dll Cross-Site Scripting  service-http          high           false
          Vulnerability
17122.1   SAP Internet Transaction Server wgate.dll Cross-Site Scripting  service-http          high           false
          Vulnerability
17125.0   cPanel "manpage.html" Cross-Site Scripting Vulnerability        service-http          high           false
17126.0   Alcatel-Lucent OmniPCX Office Remote Command Execution          service-http          high           false
          Vulnerability
17197.1   MicroWorld Technologies MailScan Multiple Remote Vulnerabilitiesservice-http          low            false
17219.0   PHP Easy Download Remote Code Execution                         service-http          high           false
17502.0   IE Table Frameset DoS                                           string-tcp            high           false
17624.0   Web Tours Upload Directory Traversal                            service-http          high           false
30419.0   Internet Explorer 8 XSS Attack                                  string-tcp            low            true

CAVEATS

None.

Modified signature(s) detail:

The following signatures have been tuned for performance: 30419-0, 21539-0, 17624-0, 17502-0, 17219-0, 17197-1, 17126-0, 17125-0, 17122-1, 17122-0, 17121-0, 17120-0 and 17020-0.

=================================================================================================
S539 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
32739.0   Microsoft Graphic Rendering Engine CreateSizedDIBSECTION        string-tcp            high           true
          Stack Buffer Overflow
32759.0   Microsoft Data Access Component Remote Code Execution           multi-string          high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S538 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
6413.0    McAfee Subscription Manager ActiveX Stack Buffer Overflow       string-tcp            high           false
6433.0    Norton Internet Security NBNS Stack Overflow                    atomic-ip             high           false
6493.0    Microsoft Windows Graphics Rendering Engine Buffer Overflow     string-tcp            high           false
          Vulnerability
6496.1    Microsoft Internet Explorer URL Spoofing Vulnerability          service-http          medium         false
6542.0    TFTPServer Error Overflow                                       atomic-ip             high           false
25519.0   ClamAV AntiVirus cli_check_jpeg_exploit Function                string-tcp            high           false
          Denial of Service
31519.0   HP OpenView Network Node Manager Buffer Overflow                service-http          high           true
31879.0   Large Email Subject                                             state                 high           false
31959.0   Microsoft Office UA OUACTRL.OCX ActiveX Buffer Overflow         multi-string          high           false

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S537 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
32679.0   MS IE CSS Recursion Vulnerability                               string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S536 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
31919.0   Microsoft Office Graphic Filter RCE                             string-tcp            high           true
31979.0   Windows DLL Loading Remote Code Execution                       service-http          high           false
32000.0   Microsoft Office Publisher Indexing Memory Corruption           multi-string          high           true
32019.0   Internet Explorer HTML Element Memory Corruption                multi-string          high           true
32099.0   Windows OpenType Font Format Driver Index Vulnerability         multi-string          high           true
32100.0   Windows NetLogon Service Denial Of Service Vulnerability        service-smb-advanced  medium         true
32119.0   HTML Object Memory Corruption                                   multi-string          high           true
32139.0   HTML Object Memory Corruption                                   string-tcp            high           true
32179.0   Microsoft Office Graphics Filters Remote Code Execution         string-tcp            high           true
32199.0   TIFF Image Converter Buffer Overflow Malformed File             multi-string          high           true
32200.0   Microsoft Windows OpenType Format Font Driver Malicious File    multi-string          high           true
32200.1   Microsoft Windows OpenType Format Font Driver Malicious File    multi-string          high           true
32239.0   Microsoft Office Graphics Filters Remote Code Execution         string-tcp            high           true
32240.0   Microsoft Office Graphics Filters Remote Code Execution         string-tcp            high           true
32260.0   Internet Explorer Memory Corruption Vulnerability               string-tcp            high           true
32299.0   Microsoft Sharepoint Command Injection Vulnerability            multi-string          high           true
32320.0   Microsoft Office Publisher Remote Code Execution                string-tcp            high           true
32339.0   Microsoft Office TIFF Image Converter Heap Overflow             multi-string          high           true
32359.0   Windows Movie Maker Remote Code Execution                       multi-string          high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
31419.0   Microsoft Office Insecure Library Loading Vulnerability         service-http          high           false

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S535 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
24939.0   SafeNet SoftRemote IKE Service Buffer Overflow                  atomic-ip             high           false
25179.0   Sun Java Run Time Environment GIF Parsing Memory Corruption     string-tcp            high           false
          Vulnerability
28124.1   Symantec Altiris Deployment Solution ActiveX Control            multi-string          high           false
          Arbitrary File Download and Execute
28380.0   Adobe Illustrator Encapsulated Postscript File Remote           meta                  high           false
          Buffer Overflow Vulnerability
28380.1   Adobe Illustrator Encapsulated Postscript File Remote           string-tcp            informational  false
          Buffer Overflow Vulnerability
28380.2   Adobe Illustrator Encapsulated Postscript File Remote           string-tcp            informational  false
          Buffer Overflow Vulnerability
29759.0   ContentKeeper Web mimencode Remote Command Execution            service-http          high           false
32079.0   Mozilla Firefox WOFF Font Processing Integer Overflow           multi-string          high           false

TUNED SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
20899.0   IIS FTP ls Command Denial of Service                            string-tcp            medium         false
25359.0   Microsoft Windows Server SMTP Denial of Service                 atomic-ip             medium         true
30359.0   Microsoft Windows Opentype Compact Font Format Validation       multi-string          medium         true
          Denial of Service

CAVEATS

None.

Modified signature(s) detail:

Signature 20899-0 has been retired.
Signature 25359-0 has been tuned for performance.
The description of signature 30359-0 has been modified.
=================================================================================================
S534 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
11020.2   BitTorrent Client Activity                                      fixed-udp             low            false
11020.3   BitTorrent Client Activity                                      fixed-udp             low            false
11020.4   BitTorrent Client Activity                                      fixed-udp             low            false
11020.5   BitTorrent Client Activity                                      string-tcp            low            false

TUNED SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
11020.0   BitTorrent Client Activity                                      string-tcp            low            false
11020.1   BitTorrent Client Activity                                      service-p2p           low            true
11030.0   Bittorrent Tracker Query                                        service-http          low            true
11031.0   Bittorrent Tracker Scrape                                       service-http          low            true
31020.0   SMB Secure NULL Login Attempt                                   service-smb-advanced  informational  false

CAVEATS

None.

Modified signature(s) detail:

Signature 31020-0 has been retired.
The following signatures have been modified to increase coverage: 11020-0, 11020-1, 11020-2, 11030-0 and 11031-0.

=================================================================================================
S533 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
24820.0   IBM Lotus Domino LDAP Buffer Overflow                           string-tcp            high           true
27619.0   E-Book Systems FlipViewer FlipViewerX.DLL ActiveX               meta                  high           false
          Buffer Overflow
27619.1   E-Book Systems FlipViewer FlipViewerX.DLL ActiveX               string-tcp            informational  false
          Buffer Overflow
27899.0   gAlan Audio Processing Tool Arbitrary Code Execution            string-tcp            high           false
          Vulnerability
30179.0   ISC DHCP Server Zero-Length Client Identifier Denial Of Service atomic-ip             medium         true
30739.0   Adobe Reader JPXDecode Memory Corruption                        multi-string          high           false
31119.0   Squid Proxy NULL Pointer Denial Of Service                      string-tcp            medium         true
31499.0   Novell iManager Class Name Remote Buffer Overflow               service-http          high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S532 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
31620.0   FTP Access in Cisco UVC                                         string-tcp            high           true
31622.0   Cisco Unified Video Conferencing Default Accounts               meta                  high           true
31622.1   Cisco Unified Video Conferencing Default Account                string-tcp            informational  true
31639.0   Cisco Unified Videoconferencing Remote Command Injection        service-http          high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S531 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
31579.0   Gbot Command and control over HTTP                              service-http          high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
17245.0   Squid HTTP Version Number DoS                                   service-http          medium         false
17248.0   HP OpenView Network Node Manager CGI Buffer Overflow            service-http          high           false
          Vulnerabilities
17267.0   Hylafax Fax Survey Remote Command Execution Vulnerability       service-http          high           false
17359.0   PhpBB XS phpbb_root_path File Include                           service-http          high           false
17363.1   Rustock Botnet                                                  service-http          informational  true
17363.2   Rustock Botnet                                                  service-http          informational  true
17432.0   HP OpenView Directory Traversal                                 service-http          medium         false
17637.0   Oracle Rapid Install Web Server Secondary Login Page CSS        service-http          high           false
17779.0   WS_FTP server Manager Information Leak                          service-http          medium         false
17779.1   WS_FTP server Manager Information Leak                          service-http          medium         false
17780.0   SAP Web Application Server XSS                                  service-http          medium         false
17784.0   Facebook Newsroom Remote File Inclusion                         service-http          medium         false
17786.0   YouTube Blog Remote File Include Vulnerability                  service-http          high           false
17790.0   HTTP Apache 2.0 Path Disclosure                                 service-http          low            false

CAVEATS

None.
Modified signature(s) detail:

The following signatures have been tuned for performance:
17790-0  HTTP Apache 2.0 Path Disclosure
17786-0  YouTube Blog Remote File Include Vulnerability
17784-0  Facebook Newsroom Remote File Inclusion
17780-0  SAP Web Application Server XSS
17779-1  WS_FTP server Manager Information Leak
17779-0  WS_FTP server Manager Information Leak
17637-0  Oracle Rapid Install Web Server Secondary Login Page CSS
17432-0  HP OpenView Directory Traversal
17363-2  Rustock Botnet
17363-1  Rustock Botnet
17359-0  PhpBB XS phpbb_root_path File Include
17267-0  Hylafax Fax Survey Remote Command Execution Vulnerability
17248-0  HP OpenView Network Node Manager CGI Buffer Overflow Vulnerabilities
17245-0  Squid HTTP Version Number DoS

=================================================================================================
S530 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
27860.0   Mozilla Suite InstallVersion Code Execution                     meta                  high           false
27860.1   Mozilla Suite InstallVersion Code Execution                     string-tcp            informational  false
30699.0   Cisco TelePresence in SIP Traffic                               string-tcp            informational  false
30719.0   Cisco TelePresence CCP Communication                            service-http          informational  false
30719.1   Cisco TelePresence CCP Communication                            service-http          informational  false
30719.2   Cisco TelePresence CCP Communication                            service-http          informational  false
30719.3   Cisco TelePresence CCP Communication                            service-http          informational  false
30820.0   IBM Informix Dynamic Server librpc.dll Overflow                 atomic-ip             high           false
31079.0   Unisys Business Information Server Stack Overflow               string-tcp            high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
5577.1    SMB Secure NULL Login Attempt                                   service-smb-advanced  informational  false
30339.0   Microsoft Windows OpenType Compact Font Format Parsing          multi-string          medium         true
          Denial of Service
31359.0   Microsoft Internet Explorer Invalid Flag Reference              multi-string          high           false
          Remote Code Execution Vulnerability

CAVEATS

None.
Modified signature(s) detail:

Signature 31359-0 has been retired.
Signature 5577-1 has been retired.
The description for signature 30339-0 has been updated.

=================================================================================================
S529 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
30959.0   Microsoft Office Remote Code Execution Vulnerability            string-tcp            high           true
31159.0   Microsoft Forefront Unified Access Gateway Script Injection     service-http          high           true
          Vulnerability
31179.0   Microsoft Excel Remote Code Execution Vulnerability             string-tcp            high           true
31219.0   Microsoft Forefront Unified Access Gateway Redirection Attack   service-http          medium         true
31239.0   Windows RTF Stack Buffer Overflow                               multi-string          high           true
31339.0   Microsoft Forefront Unified Access Gateway Privilege Elevation  service-http          medium         true
          Vulnerability
31399.0   Microsoft Forefront Unified Access Gateway Vulnerability        service-http          medium         true
31419.0   Microsoft Office Remote Code Execution Vulnerability            service-http          high           true
31420.0   MS Office Embedded Office Art Drawings Memory Corruption        string-tcp            high           true
          Vulnerability
31439.0   PowerPoint Integer Underflow Heap Corruption                    multi-string          high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S528 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
31359.0   Microsoft Internet Explorer Invalid Flag Reference              multi-string          high           true
          Remote Code Execution Vulnerability

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S527 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
22401.0   Microsoft IIS Phone Book Service Overflow                       service-http          high           false
25320.2   Microsoft Windows SMB Client Transaction Exploit                service-smb-advanced  high           true
26799.0   Symantec RunCmd() ActiveX Control Buffer Overflow Vulnerability multi-string          high           false
28340.0   MySQL MaxDB Remote Buffer Overflow                              service-http          high           false
31020.0   SMB Secure NULL Login Attempt                                   service-smb-advanced  informational  true

TUNED SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
18000.0   Opera CSS Background Property DoS                               string-tcp            high           false
19279.0   Cisco IOS Legacy Interface Access                               service-http          medium         true
19499.0   Ipswitch Whatsup Small Business Directory Traversal             service-http          medium         false
19699.0   Firefox location.hostname Null Byte Vulnerability               string-tcp            high           true
19740.0   Oracle Application Server desname Arbitrary File Overwriting    service-http          high           false
19800.0   427BB Cookie-based Authentication Bypass                        service-http          high           false
20002.0   Microsoft Internet Explorer Object Handling                     multi-string          high           true
          Remote Code Execution
20099.0   Cisco CME Buffer Overflow                                       service-http          high           true
20150.0   ASP.NET Denial Of Service                                       service-http          medium         true
20559.0   ACal Cookie Based Authentication Bypass                         service-http          high           false

CAVEATS

None.
Modified signature(s) detail:

The following signatures have been modified to increase performance:
20559-0  ACal Cookie Based Authentication Bypass
20150-0  ASP.NET Denial Of Service
20099-0  Cisco CME Buffer Overflow
20002-0  Microsoft Internet Explorer Object Handling Remote Code Execution
19800-0  427BB Cookie-based Authentication Bypass
19740-0  Oracle Application Server desname Arbitrary File Overwriting
19699-0  Firefox location.hostname Null Byte Vulnerability
19499-0  Ipswitch Whatsup Small Business Directory Traversal
19279-0  Cisco IOS Legacy Interface Access
18000-0  Opera CSS Background Property DoS

=================================================================================================
S526 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
31099.0   Adobe Remote Code Execution Vulnerability                       multi-string          high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S525 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
31059.0   Firefox Interleaving document.write Vulnerability               multi-string          high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
30659.0   Microsoft Excel Ghost Record Type Parsing Vulnerability         string-tcp            high           true

CAVEATS

None.

Modified signature(s) detail:

Signature 30659-0 has been modified to increase fidelity.

=================================================================================================
S524 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
30859.0   CiscoWorks Common Services Arbitrary Code Execution             service-http          high           true
          Vulnerability

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S523 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
30899.0   Adobe Shockwave Player Memory Corruption Vulnerability          multi-string          high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S522 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
17817.0   Office OCX ActiveX Program Execution Vulnerability              multi-string          high           false
18420.1   Microsoft Office Excel Remote Code Execution                    string-tcp            high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
17791.0   Ipswitch Imail Arbitrary File Read                              service-http          high           false
17797.0   Apache Tomcat URL Information Disclosure                        service-http          high           false
17797.1   Apache Tomcat URL Information Disclosure                        service-http          high           false
18057.0   Push Toolbar Information Search                                 service-http          high           false
18058.0   ABetterInternet Information Upload                              service-http          high           false
18119.0   Firefox About Blank Spoofing Vulnerability                      service-http          low            false
18157.0   Sun Java System Identity Manager activeControl                  service-http          high           false
          Cross-Site Scripting
18183.0   uTorrent Activity                                               service-http          low            false
18183.1   uTorrent Activity                                               service-http          low            false
18257.0   Oracle Application Server Portal Authentication Bypass          service-http          medium         false
18258.0   Apache Tomcat Servlet Path Disclosure Vulnerability             service-http          high           false
18740.0   Firefox Password Manager Information Disclosure                 service-http          high           false
19159.0   Green Dam Youth Escort Software Update Check                    service-http          informational  true

CAVEATS

None.
Modified signature(s) detail:

The following signatures have been tuned for performance:
19159-0  Green Dam Youth Escort Software Update Check
18740-0  Firefox Password Manager Information Disclosure
18258-0  Apache Tomcat Servlet Path Disclosure Vulnerability
18257-0  Oracle Application Server Portal Authentication Bypass
18183-1  uTorrent Activity
18183-0  uTorrent Activity
18157-0  Sun Java System Identity Manager activeControl Cross-Site Scripting
18119-0  Firefox About Blank Spoofing Vulnerability
18058-0  ABetterInternet Information Upload
18057-0  Push Toolbar Information Search
17797-1  Apache Tomcat URL Information Disclosure
17797-0  Apache Tomcat URL Information Disclosure
17791-0  Ipswitch Imail Arbitrary File Read

=================================================================================================
S521 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
20840.0   Mozilla Network Security Services SSLv2 Server Stack Overflow   string-tcp            high           false
21339.0   Helix RTSP SETUP Request Denial Of Service                      string-tcp            medium         true
21339.1   Helix RTSP SET_PARAMETER Request Denial Of Service              multi-string          medium         true
21679.0   Oracle Application Server Portal Cross Site Scripting           service-http          high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
20560.0   Nullsoft Shoutcast Server Request Log Cross-Site Scripting      service-http          high           false
20759.0   TheWebForum Login.php Username Parameter SQL Injection          service-http          high           true
21259.0   ActiveCampaign 1-2-All Control Panel Username SQL Injection     service-http          medium         false
          Vulnerability
21779.0   Application Server BPEL Module Cross-Site Scripting             service-http          high           true
21860.0   Webmin/Usermin Unspecifed Information Disclosure Vulnerability  service-http          medium         false
22599.0   HP Power Manager Web Server Login Remote Code Execution         service-http          high           true
          Vulnerability
22639.0   Apache Tomcat Directory Listing Information Disclosure          service-http          medium         false
22779.0   Novell eDirectory dhost HTTPSTK Buffer Overflow                 service-http          high           true
23539.0   TrendMicro Web-Deployment ActiveX Remote Code Execution         multi-string          high           true
23699.1   HP OpenView Network Node Manager Buffer Overflow                service-http          informational  true
23700.1   HP OpenView Network Node Manager Buffer Overflow                service-http          informational  true

CAVEATS

None.

Modified signature(s) detail:

The following signatures have been tuned for performance:
23700-1  HP OpenView Network Node Manager Buffer Overflow
23699-1  HP OpenView Network Node Manager Buffer Overflow
23539-0  TrendMicro Web-Deployment ActiveX Remote Code Execution
22779-0  Novell eDirectory dhost HTTPSTK Buffer Overflow
22639-0  Apache Tomcat Directory Listing Information Disclosure
22599-0  HP Power Manager Web Server Login Remote Code Execution Vulnerability
21860-0  Webmin/Usermin Unspecifed Information Disclosure Vulnerability
21779-0  Application Server BPEL Module Cross-Site Scripting
21259-0  ActiveCampaign 1-2-All Control Panel Username SQL Injection Vulnerability
20759-0  TheWebForum Login.php Username Parameter SQL Injection
20560-0  Nullsoft Shoutcast Server Request Log Cross-Site Scripting

=================================================================================================
S520 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
26999.0   AOL Phobos.Playlist ActiveX Control Buffer Overflow             multi-string          medium         false
27939.0   SafeNet SoftRemote Code Execution                               string-tcp            medium         false
28779.0   VxWorks Remote Debug Interface                                  atomic-ip             high           true
29839.0   Symantec AMS Arbitrary Command Execution                        string-tcp            high           false

TUNED SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
3142.0    Sasser Worm Activity                                            string-tcp            high           true
3327.2    Windows RPC DCOM Overflow                                       atomic-ip             high           false
3327.3    Windows RPC DCOM Overflow                                       atomic-ip             high           false
3327.5    Windows RPC DCOM Overflow                                       atomic-ip             high           false
3327.6    Windows RPC DCOM Overflow                                       string-tcp            high           false
3345.0    RPC WinNuke                                                     atomic-ip             high           false
4004.0    DNS Flood Attack                                                flood-host            medium         false
5036.1    WWW Windows Password File Access Attempt                        service-http          medium         false
5379.0    Windows Media Services Logging ISAPI Overflow                   string-tcp            high           false
5443.0    Microsoft ActiveX Help Control                                  string-tcp            high           false
5471.1    SafeNet Sentinel Buffer Overflow                                atomic-ip             high           false
5507.0    Unreal Engine /secure/ Overflow                                 atomic-ip             high           false
5517.0    AnswerBook2 Format String                                       service-http          high           false
5586.0    Windows Locator Service Overflow                                service-smb-advanced  high           false
5611.0    WordPress Cookie cache_lastpostdate Overflow                    string-tcp            medium         false
5674.0    Snort Back Orifice Preprocessor Overflow                        atomic-ip             high           false
6402.0    Samba SPOOLSS Notify Options Heap overflow                      service-smb-advanced  high           false
6528.0    Oracle Application Server 10G EmChartBeam Remote Directory      service-http          medium         false
          Traversal
6710.0    Macromedia Flash Player LoadMovie DoS                           string-tcp            medium         false
6785.0    Microsoft Visual Basic VBP File Processing Buffer Overflow      meta                  high           true
6944.0    CUPS CGI Compile Search Overflow                                service-http          high           false
6945.0    HP OpenView OVAS.EXE Stack Overflow                             service-http          high           false
7222.0    Joomla 1.5 Password Token Bypass                                service-http          high           false
7249.0    Microsoft Help Project Files (HPJ) Buffer Overflow              string-tcp            high           false
7266.0    TWiki Remote Command Execution                                  service-http          high           false
7269.0    Trend Micro OfficeScan Server Overflow                          service-http          high           false
15133.0   XML Race Condition in Internet Explorer                         string-tcp            high           false
15314.0   Symantec Firewall DNS Response Denial Of Service                atomic-ip             high           false
16997.0   MSWord CSS Processing Code Execution                            string-tcp            high           false
21319.0   Novell Client For Windows 2000/XP ActiveX Remote DoS            string-tcp            medium         false
          Vulnerability
27940.0   Microsoft Visual Basic 6.0 File Overflow                        string-tcp            high           false
28119.0   Media Jukebox Buffer Overflow                                   string-tcp            high           false
28140.0   Microsoft Windows VML Document Arbitrary Code Execution         string-tcp            high           false
          Vulnerability
28379.1   Internet Explorer Style Object Remote Code Execution            string-tcp            informational  false

CAVEATS

None.
Modified signature(s) detail:

Signature 6710-0 obsoletes 28119-0.
Signature 6785-0 obsoletes 27940-0.
Signatures 15133-0, 16997-0, 28140-0 and 28379-1 have been modified to address compile issues.
The following signatures are retired:
21319-0  Novell Client For Windows 2000/XP ActiveX Remote DoS Vulnerability
15314-0  Symantec Firewall DNS Response Denial Of Service
7269-0   Trend Micro OfficeScan Server Overflow
7266-0   TWiki Remote Command Execution
7249-0   Microsoft Help Project Files (HPJ) Buffer Overflow
7222-0   Joomla 1.5 Password Token Bypass
6945-0   HP OpenView OVAS.EXE Stack Overflow
6944-0   CUPS CGI Compile Search Overflow
6528-0   Oracle Application Server 10G EmChartBeam Remote Directory Traversal
6402-0   Samba SPOOLSS Notify Options Heap overflow
5674-0   Snort Back Orifice Preprocessor Overflow
5611-0   WordPress Cookie cache_lastpostdate Overflow
5586-0   Windows Locator Service Overflow
5517-0   AnswerBook2 Format String
5507-0   Unreal Engine /secure/ Overflow
5471-1   SafeNet Sentinel Buffer Overflow
5443-0   Microsoft ActiveX Help Control
5379-0   Windows Media Services Logging ISAPI Overflow
5036-1   WWW Windows Password File Access Attempt
4004-0   DNS Flood Attack
3345-0   RPC WinNuke
3327-6   Windows RPC DCOM Overflow
3327-5   Windows RPC DCOM Overflow
3327-3   Windows RPC DCOM Overflow
3327-2   Windows RPC DCOM Overflow
3142-0   Sasser Worm Activity
28119-0  Media Jukebox Buffer Overflow
27940-0  Microsoft Visual Basic 6.0 File Overflow

=================================================================================================
S519 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                         ENGINE                SEVERITY       ENABLED
30279.0   Microsoft Excel Remote Code Execution Vulnerability             string-tcp            high           true
30299.0   Microsoft HtmlDlgHelper Remote Code Execution                   string-tcp            high           true
30320.0   Microsoft Internet Explorer CSS Remote Code Execution           string-tcp            high           true
30339.0   Microsoft Windows OpenType Compact Font Format Parsing          multi-string          medium         true
          Denial of Service
30359.0   Microsoft Windows Opentype Compact Font Format Validation       multi-string          medium         true
          Denial of Service
30380.0   Microsoft Excel Remote Code Execution Vulnerability             multi-string          high           true
30381.0   Excel Record Parsing Integer Overflow                           string-tcp            high           true
30382.0   MS Word Parsing Vulnerability                                   multi-string          high           true
30399.0   Word Index Parsing Vulnerability                                multi-string          high           true
30419.0   Internet Explorer 8 XSS Attack                                  string-tcp            low            true
30459.0   Windows Media Player Network Shar[...]
=================================================================================================

S518 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                                        ENGINE          SEVERITY       ENABLED
3138.1     Bagle.C Virus Email Attachment                                                 string-xl-tcp   high           false
3158.1     FTP SITE EXEC Format String                                                    string-xl-tcp   high           true
3537.1     MailEnable HTTP Authorization Buffer Overflow                                  string-xl-tcp   high           false
3540.1     Cisco Secure ACS CSAdmin Attack                                                string-xl-tcp   high           false
3720.1     MSSQL sa Account Brute Force                                                   string-xl-tcp   high           true
3793.1     ZENworks 6.5 Authentication Overflow                                           string-xl-tcp   high           true
5425.1     Internet Explorer IFRAME Tag Overflow                                          string-xl-tcp   high           false
5463.2     Computer Associates License Software GETCONFIG Buffer Overflow                 string-xl-tcp   high           true
5463.3     Computer Associates License Software GETCONFIG Buffer Overflow                 string-xl-tcp   high           false
5464.3     Computer Associates License Suite Network Buffer Overflow                      string-xl-tcp   high           false
5465.1     Computer Associates License Suite Checksum Buffer Overflow                     string-xl-tcp   high           false
5468.1     Computer Associates License Suite Invalid Command Overflow                     string-xl-tcp   high           false
5548.1     Veritas Backup Exec Windows Remote Agent Password Overflow                     string-xl-tcp   high           false
5565.5     Print Spooler Service Overflow                                                 string-xl-tcp   informational  false
5565.6     Print Spooler Service Overflow                                                 meta            high           false
5649.1     ESignal Remote Buffer Overflow                                                 string-xl-tcp   high           false
5671.1     IMAP Select Excessive Length                                                   string-xl-tcp   high           true
5732.3     Web Client Remote Code Execution Vulnerability                                 string-xl-tcp   medium         false
5732.4     Web Client Remote Code Execution Vulnerability                                 meta            informational  false
5857.3     UPnP Memory Corruption Vulnerability                                           string-xl-tcp   informational  true
5857.4     UPnP Memory Corruption Vulnerability                                           meta            informational  true
5866.1     IBM Lotus Domino IMAP CRAM-MD5 Overflow                                        string-xl-tcp   high           true
5922.1     BEA WebLogic Admin Console Cross Site Scripting                                string-xl-tcp   high           false
5978.1     MailEnable SMTP Service SPF Lookup Buffer Overflow                             string-xl-tcp   medium         false
6130.12    Microsoft Message Queuing Overflow                                             string-xl-tcp   medium         true
6130.13    Microsoft Message Queuing Overflow                                             meta            informational  true
6934.1     GDI Buffer Overflow                                                            string-xl-tcp   high           true
7262.1     Active Directory Overflow Exploit                                              string-xl-tcp   high           true
7299.1     Microsoft Word RTF RCE                                                         string-xl-tcp   high           true
17268.1    IntelliTamper HTML 'href' Parsing Buffer Overflow Vulnerability                string-xl-tcp   high           false
18337.1    IIS PROPFIND DoS                                                               string-xl-tcp   medium         false
19781.2    WordPress 2.1.1 Backdoor IX Parameter Injection Detection                      string-xl-tcp   high           false
19781.3    WordPress 2.1.1 Backdoor IX Parameter Injection Detection                      string-xl-tcp   high           false
20859.1    Apple QuickTime Plug-In Security Bypass                                        string-xl-tcp   high           false
21619.3    Windows Vista/2008 SMBv2 DoS                                                   string-xl-tcp   informational  true
21619.4    Windows Vista/2008 SMBv2 DoS                                                   meta            informational  true

TUNED SIGNATURES

SIGID      SIGNAME                                                                        ENGINE          SEVERITY       ENABLED
3138.0     Bagle.C Virus Email Attachment                                                 string-tcp      high           false
3158.0     FTP SITE EXEC Format String                                                    string-tcp      high           true
3537.0     MailEnable HTTP Authorization Buffer Overflow                                  string-tcp      high           false
3540.0     Cisco Secure ACS CSAdmin Attack                                                string-tcp      high           false
3704.0     IIS FTP STAT Denial of Service                                                 string-tcp      low            true
3720.0     MSSQL sa Account Brute Force                                                   string-tcp      high           true
3785.0     Oracle 9i XDB FTP UNLOCK Buffer Overflow                                       string-tcp      high           true
3788.0     Solaris LPD Remote Command Execution                                           string-tcp      high           false
3793.0     ZENworks 6.5 Authentication Overflow                                           string-tcp      high           true
5425.0     Internet Explorer IFRAME Tag Overflow                                          string-tcp      high           false
5463.0     Computer Associates License Software GETCONFIG Buffer Overflow                 string-tcp      high           false
5463.1     Computer Associates License Software GETCONFIG Buffer Overflow                 string-tcp      high           true
5464.1     Computer Associates License Suite Network Buffer Overflow                      string-tcp      high           false
5465.0     Computer Associates License Suite Checksum Buffer Overflow                     string-tcp      high           false
5468.0     Computer Associates License Suite Invalid Command Overflow                     string-tcp      high           true
5548.0     Veritas Backup Exec Windows Remote Agent Password Overflow                     string-tcp      high           false
5556.0     Javaprxy.dll Heap Overflow                                                     string-tcp      high           false
5556.1     Javaprxy.dll Heap Overflow                                                     meta            high           true
5565.1     Print Spooler Service Overflow                                                 string-tcp      informational  false
5565.2     Print Spooler Service Overflow                                                 meta            high           false
5644.0     Client Service for NetWare Overflow                                            string-tcp      informational  false
5644.1     Client Service for NetWare Overflow                                            string-tcp      informational  false
5644.2     Client Service for NetWare Overflow                                            string-tcp      informational  false
5644.3     Client Service for NetWare Overflow                                            meta            high           false
5649.0     ESignal Remote Buffer Overflow                                                 string-tcp      high           false
5671.0     IMAP Select Excessive Length                                                   string-tcp      high           true
5732.0     Web Client Remote Code Execution Vulnerability                                 meta            high           false
5732.2     Web Client Remote Code Execution Vulnerability                                 string-tcp      medium         false
5799.2     Server Service Code Execution                                                  string-tcp      informational  false
5799.5     Server Service Code Execution                                                  string-tcp      informational  false
5813.0     Microsoft Internet Explorer Vector Markup Language Vulnerability               meta            high           false
5813.4     Microsoft Internet Explorer Vector Markup Language Vulnerability               string-tcp      high           false
5857.0     UPnP Memory Corruption Vulnerability                                           meta            high           true
5857.2     UPnP Memory Corruption Vulnerability                                           string-tcp      informational  true
5866.0     IBM Lotus Domino IMAP CRAM-MD5 Overflow                                        string-tcp      high           true
5905.1     Microsoft Internet Explorer Address Bar Spoof                                  string-tcp      low            true
5922.0     BEA WebLogic Admin Console Cross Site Scripting                                string-tcp      high           false
5978.0     MailEnable SMTP Service SPF Lookup Buffer Overflow                             string-tcp      medium         false
6130.2     Microsoft Message Queuing Overflow                                             string-tcp      medium         true
6130.3     Microsoft Message Queuing Overflow                                             meta            high           true
6130.5     Microsoft Message Queuing Overflow                                             meta            high           true
6462.1     Microsoft Internet Explorer CDF Cross Domain Scripting                         string-tcp      informational  false
6462.2     Microsoft Internet Explorer CDF Cross Domain Scripting                         string-tcp      informational  false
6780.1     IE Argument Handling Memory Corruption Vulnerability                           string-tcp      informational  false
6934.0     GDI Buffer Overflow                                                            string-tcp      high           false
6936.0     UCM Disaster Recovery Framework Command Execution                              string-tcp      high           true
7262.0     Active Directory Overflow Exploit                                              string-tcp      high           true
7299.0     Microsoft Word RTF RCE                                                         string-tcp      high           true
16453.0    IBM Lotus Expeditor cai URI Handler Command Execution                          string-tcp      high           false
17268.0    IntelliTamper HTML 'href' Parsing Buffer Overflow Vulnerability                string-tcp      high           false
18337.0    IIS PROPFIND DoS                                                               string-tcp      medium         false
19781.0    WordPress 2.1.1 Backdoor IX Parameter Injection Detection                      string-tcp      high           false
19781.1    WordPress 2.1.1 Backdoor IZ Parameter Injection Detection                      string-tcp      high           false
20141.1    Microsoft Office Web Components ActiveX Buffer Overflow                        string-tcp      informational  true
20143.1    Microsoft Office Web Components ActiveX Buffer Overflow                        string-tcp      informational  true
20859.0    Apple QuickTime Plug-In Security Bypass                                        string-tcp      high           false
21619.0    Windows Vista/2008 SMBv2 DoS                                                   meta            medium         true
21619.2    SMBv2 Denial Of Service Attack                                                 string-tcp      informational  true
21841.0    Adobe PDF Deflate Parameter Integer Overflow                                   string-tcp      high           true
22579.0    Internet Explorer CSS Remote Code Execution                                    string-tcp      high           true
25042.2    Microsoft Internet Explorer Remote Code Execution                              string-tcp      informational  true
25059.0    HTML Element Cross-Domain Vulnerability                                        string-tcp      medium         true
28485.0    Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability      string-tcp      high           true

CAVEATS

None.
Modified signature(s) detail:

28485-0 - This signature was modified for better performance
25059-0 - This signature was modified for better performance
25042-2 - This signature was modified for better performance
22579-0 - This signature was modified for better performance
21841-0 - This signature was modified for better performance
21619-2 - This signature was obsoleted by 21619-3
21619-0 - This signature was modified for better performance
20859-0 - This signature was obsoleted by 20859-1
20143-1 - This signature was modified for better performance
20141-1 - This signature was modified for better performance
19781-1 - This signature was obsoleted by 19781-3
19781-0 - This signature was obsoleted by 19781-2
18337-0 - This signature was modified for better performance
17268-0 - This signature was obsoleted by 17268-1
16453-0 - This signature was modified for better performance
7299-0 - This signature was obsoleted by 7299-1
7262-0 - This signature was obsoleted by 7262-1
6936-0 - This signature was modified for better performance
6934-0 - This signature was obsoleted by 6934-1
6780-1 - This signature was modified for better performance
6462-2 - This signature was modified for better performance
6462-1 - This signature was modified for better performance
6130-5 - This signature was modified for better performance
6130-3 - This signature was modified for better performance
6130-2 - This signature was obsoleted by 6130-12
5978-0 - This signature was obsoleted by 5978-1
5922-0 - This signature was obsoleted by 5922-1
5905-1 - This signature was modified for better performance
5866-0 - This signature was obsoleted by 5866-1
3138-0 - This signature was obsoleted by 3138-1
3158-0 - This signature was obsoleted by 3158-1
3537-0 - This signature was obsoleted by 3537-1
3540-0 - This signature was obsoleted by 3540-1
3704-0 - This signature was modified for better performance
3720-0 - This signature was obsoleted by 3720-1
3785-0 - This signature was modified for better performance
3788-0 - This signature was modified for better performance
3793-0 - This signature was obsoleted by 3793-1
5425-0 - This signature was obsoleted by 5425-1
5463-0 - This signature was obsoleted by 5463-3
5463-1 - This signature was obsoleted by 5463-2
5464-1 - This signature was obsoleted by 5464-3
5465-0 - This signature was obsoleted by 5465-1
5468-0 - This signature was obsoleted by 5468-1
5548-0 - This signature was obsoleted by 5548-1
5556-0 - This signature was obsoleted by 5556-1
5565-1 - This signature was obsoleted by 5565-5
5565-2 - This signature was modified for better performance
5644-0 - This signature was obsoleted by 5644-3
5644-1 - This signature was obsoleted by 5644-3
5644-2 - This signature was obsoleted by 5644-3
5644-3 - This signature was retired and disabled
5649-0 - This signature was obsoleted by 5649-1
5671-0 - This signature was obsoleted by 5671-1
5732-0 - This signature was modified for better performance
5732-2 - This signature was obsoleted by 5732-3
5799-2 - This signature was modified for better performance
5799-5 - This signature was modified for better performance
5813-0 - This signature was modified for better performance
5813-4 - This signature was obsoleted by 5813-0
5857-0 - This signature was modified for better performance
5857-2 - This signature was obsoleted by 5857-3

=================================================================================================

S517 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                                        ENGINE          SEVERITY       ENABLED
22422.0    Fake Antivirus Alert Bot                                                       service-http    medium         false
22666.1    Microsoft Wordpad Remote Code Execution                                        string-tcp      high           true
23779.0    NTPD Autokey Stack Buffer Overflow Vulnerability                               atomic-ip       high           true
24499.0    Cisco CUCM Malformed SCCP Message                                              string-tcp      medium         true
24521.0    IBM DB2 Database Server Invalid Data Stream Denial of Service                  multi-string    medium         true
24580.1    Windows Movie Maker Buffer Overflow                                            multi-string    high           true
25239.0    CUPS HPGL Filter Remote Code Execution                                         string-tcp      high           false
25260.0    RealNetworks RealPlayer IVR Overly Long Filename Code Execution                multi-string    high           false
25420.0    Novell Netware Memory Consumption Denial Of Service                            string-tcp      medium         false

TUNED SIGNATURES

SIGID      SIGNAME                                                                        ENGINE          SEVERITY       ENABLED
24039.1    HP OpenView Network Node Manager nnmRptConfig.exe Buffer Overflow              service-http    informational  true
24381.0    IIS ExAir DoS                                                                  service-http    medium         false
24381.1    IIS ExAir DoS                                                                  service-http    medium         false
24381.2    IIS ExAir DoS                                                                  service-http    medium         false
24620.0    ET Trojan                                                                      service-http    high           true
24739.0    Cisco Network Building Mediator HTTP Privilege Escalation                      service-http    high           true
25119.0    Oracle Secure Enterprise Search Cross Site Scripting                           service-http    high           false
25739.0    Test-Cgi File Access Vulnerability                                             service-http    low            false

CAVEATS

None.

Modified signature(s) detail: Signatures 24620-0, 24739-0, 25119-0, 25739-0, 24039-1, 24381-0, 24381-1 and 24381-2 have been tuned for performance.

=================================================================================================

S516 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                                        ENGINE          SEVERITY       ENABLED
26040.0    phpMyAdmin PHP Code Injection Vulnerability                                    service-http    high           true
26399.0    Microsoft Visio DXF File Insertion Buffer Overflow                             multi-string    high           true
26620.0    HP OpenView Network Node Manager Buffer Overflow                               service-http    high           true
26739.0    HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow                              string-tcp      high           false
26859.0    HP OpenView Network Node Manager ovet_demandpoll.exe Format String Code Execution  service-http  high         true
27100.0    JBoss JMX Console Authentication Bypass                                        string-tcp      high           true
28600.0    Adobe RoboHelp Server 8.0 Authentication Bypass                                service-http    high           false
28999.0    W32Dasm Buffer Overflow Vulnerability                                          string-tcp      high           false
29019.0    Tumbleweed FileTransfer ActiveX Control Buffer Overflow                        meta            high           false
29019.1    Tumbleweed FileTransfer ActiveX Control Buffer Overflow                        string-tcp      informational  false
29019.2    Tumbleweed FileTransfer ActiveX Control Buffer Overflow                        string-tcp      informational  false
29259.0    Symantec Altiris eXpress Buffer Overflow                                       multi-string    high           false
29261.0    SonicWall NELaunchCtrl ActiveX Buffer Overflow                                 multi-string    high           false
29379.0    SAPLPD Buffer Overflow                                                         string-tcp      high           false
29439.0    Internet Explorer Unsafe Scripting Misconfiguration                            multi-string    high           false
29599.0    Borland InterBase open_marker_file Buffer Overflow                             string-tcp      high           false
29699.0    Mambo Cache_Lite Remote File Inclusion                                         service-http    medium         false
29719.0    Spring Framework Remote Code Execution                                         service-http    high           true
29919.0    HTTP URI Evasion Attempt                                                       service-http    high           true

TUNED SIGNATURES

SIGID      SIGNAME                                                                        ENGINE          SEVERITY       ENABLED
28659.0    Internet Explorer Heap Spray Code                                              string-tcp      high           true

CAVEATS

None.

Modified signature(s) detail: Signature 28659-0 has been tuned for performance.

=================================================================================================

S515 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID      SIGNAME                                                                        ENGINE          SEVERITY       ENABLED
11016.0    Hotline Tracker Login                                                          string-tcp      low            false

CAVEATS

None.

Modified signature(s) detail: Signature 11016-0 has been retired.

=================================================================================================

S514 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                                        ENGINE          SEVERITY       ENABLED
27000.0    IOS SIP Translation DoS                                                        atomic-ip       medium         true
28819.0    Malicious IGMP Packet                                                          service-generic high           false
30059.0    Malformed SIP Message                                                          atomic-ip       medium         false
30059.1    Malformed SIP Message                                                          string-tcp      medium         false

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================

S513 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                                        ENGINE                SEVERITY       ENABLED
3352.1     Samba Fragment Reassembly Overflow                                             string-tcp            high           false
5647.1     Savant Webserver Request Overflow                                              string-tcp            high           false
6143.1     Borland Interbase Database Service Create-Request Buffer Overflow              string-tcp            high           false
26160.0    BEA WebLogic JSESSIONID Cookie Value Overflow                                  string-tcp            high           false
26779.0    Adobe Photoshop CS4 ABR File Buffer Overflow                                   multi-string          high           true
27519.0    Iseemedia LPViewer ActiveX Buffer Overflows                                    meta                  high           false
27519.1    Iseemedia LPViewer ActiveX Buffer Overflows                                    string-tcp            informational  false
27819.0    HP OpenView Network Node Manager 'OvWebHelp.exe' Remote Heap Buffer Overflow   service-http          high           false
27979.0    Talkative IRC Client Remote Code Execution                                     string-tcp            high           false
28019.0    Netcat for Windows doexec Buffer Overflow Exploit                              string-tcp            high           false
28119.0    Media Jukebox Buffer Overflow                                                  string-tcp            high           false
28125.0    Un4seen XMPlay Buffer Overflow                                                 string-tcp            high           false
28140.0    Microsoft Windows VML Document Arbitrary Code Execution Vulnerability          string-tcp            high           false
28679.0    Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow                     multi-string          high           false
28919.0    Microsoft HTML Help Workshop Buffer Overflow                                   string-tcp            high           false
29039.0    SasCam Webcam Server ActiveX Buffer Overflow                                   meta                  high           false
29039.1    SasCam Webcam Server ActiveX Buffer Overflow                                   string-tcp            informational  false
29039.2    SasCam Webcam Server ActiveX Buffer Overflow                                   string-tcp            informational  false
29119.0    VariCAD 2010 DWB File Remote Buffer Overflow                                   multi-string          high           false
29179.0    Windows RSH daemon Stack Based Buffer Overflow Vulnerability                   string-tcp            high           false
29319.0    Borland InterBase Buffer Overflow Vulnerability                                string-tcp            high           false
29360.0    Mini-Stream 3.0.1.1 Buffer Overflow                                            string-tcp            high           false
29380.0    HP OpenView Operations OVTrace Buffer Overflow                                 string-tcp            high           false
29419.0    Firebird Relational Database isc_attach_database Buffer Overflow               multi-string          high           false
29519.0    Sun Java System Web Server WebDAV Buffer Overflow                              string-tcp            high           false
29659.0    HP OpenView Network Node Manager snmp.exe Buffer Overflow                      multi-string          high           false
29879.0    Ultra Office Control HttpUpload() Method Arbitrary Code Execution Vulnerability  multi-string        high           false

TUNED SIGNATURES

SIGID      SIGNAME                                                                        ENGINE                SEVERITY       ENABLED
5573.0     Novell eDirectory Server iMonitor Buffer Overflow                              service-http          high           false
5743.0     PeerCast Buffer Overflow                                                       string-tcp            high           true
20599.0    LANDesk Management Suite Alert Service Stack Overflow Vulnerability            atomic-ip             high           false
24863.0    IBM Access Support ActiveX Stack Overflow Exploit                              string-tcp            high           false
29459.0    Microsoft Windows Print Spooler Design Flaw Vulnerability                      service-smb-advanced  high           false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================

S512 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                                        ENGINE                SEVERITY       ENABLED
28419.0    Windows LSASS Heap Overflow                                                    string-tcp            high           true
29459.0    Microsoft Windows Print Spooler Design Flaw Vulnerability                      service-smb-advanced  high           true
29479.0    Microsoft Internet Information Services Remote Code Execution Vulnerability    service-http          high           true
29499.0    Microsoft Windows Uniscribe Fonts Vulnerability                                string-tcp            high           true
29559.0    Microsoft Wordpad Memory Corruption Vulnerability                              string-tcp            high           true
29579.0    Microsoft Windows Media Player Remote Code Execution Vulnerability             string-tcp            high           true
29739.0    Microsoft Outlook Code Execution                                               atomic-ip             high           true

TUNED SIGNATURES

SIGID      SIGNAME                                                                        ENGINE                SEVERITY       ENABLED
3122.0     SMTP EXPN root Recon                                                           string-tcp            low            false
3307.0     Red Button                                                                     meta                  informational  false
3465.0     Finger Activity                                                                string-tcp            informational  false
3732.0     MSSQL xp_cmdshell Usage                                                        string-tcp            low            false
5177.1     DoS Arnudp                                                                     atomic-ip             medium         false
5222.0     DoS Beer                                                                       atomic-ip             high           false
5447.0     VB.aw Trojan/Back Door                                                         string-tcp            medium         false
5495.0     LDAP Active Directory Stack Overflow                                           string-tcp            medium         false
5529.0     CheckPoint Firewall RDP ByPass                                                 atomic-ip             medium         false
5529.1     CheckPoint Firewall RDP ByPass                                                 atomic-ip             medium         false
5529.2     CheckPoint Firewall RDP ByPass                                                 atomic-ip             medium         false
5529.3     CheckPoint Firewall RDP ByPass                                                 atomic-ip             medium         false
5532.0     Back Door Deltasource                                                          atomic-ip             high           false
5533.0     Back Door Remote Boot Tool                                                     atomic-ip             high           false
5544.0     Back Door Blaaaaa                                                              atomic-ip             high           false
5577.1     SMB Secure NULL Login Attempt                                                  service-smb-advanced  informational  true
6234.0     VideoLAN VLC Subtitle Overflow                                                 string-tcp            high           false
6235.0     Apple Quicktime SMIL Overflow                                                  string-tcp            high           false
6236.0     AMI Pro File Buffer Overflow                                                   string-tcp            high           false
6242.0     Trend Micro ServerProtect eng50.dll Stack Overflow                             service-msrpc         high           false
6284.0     Openwsman HTTP Basic Authentication Buffer Overflow                            service-http          high           false
6510.0     GOM Player ActiveX Control Buffer Overflow                                     meta                  high           false
6512.0     Macrovision FlexNet isusweb.dll DownloadAndExecute Method                      meta                  high           false
6512.1     Macrovision FlexNet isusweb.dll DownloadAndExecute Method                      string-tcp            informational  false
6512.2     Macrovision FlexNet isusweb.dll DownloadAndExecute Method                      string-tcp            informational  false
6536.0     Aurigma ImageUploader ActiveX Control                                          meta                  high           false
6536.1     Aurigma ImageUploader ActiveX Control                                          string-tcp            informational  false
6770.0     OpenOffice PRTDATA Heap Overflow                                               string-tcp            high           false
6795.1     Panda ActiveScan ActiveX Overflow                                              string-tcp            informational  false
6972.0     Rosoft Media Player Overflow                                                   string-tcp            high           false
6974.0     Motorola Timbuktu Pro Arbitrary File Deletion/Creation                         string-tcp            high           false
6977.1     Wonderware Suitlink Denial Of Service                                          string-tcp            high           false
7213.0     Poppler Uninitialized Pointer                                                  string-tcp            high           false
16176.0    NCTsoft NCTAudioFile2 ActiveX Control Remote Buffer Overflow                   meta                  high           false
16176.1    NCTsoft NCTAudioFile2 ActiveX Control Remote Buffer Overflow                   string-tcp            informational  false
16176.2    NCTsoft NCTAudioFile2 ActiveX Control Remote Buffer Overflow                   string-tcp            informational  false
16176.3    NCTsoft NCTAudioFile2 ActiveX Control Remote Buffer Overflow                   string-tcp            informational  false
16194.0    PacketiX VPN Connection                                                        fixed-tcp             low            false
23559.0    CA BrightStor HSM Buffer Overflow                                              string-tcp            high           false
24959.0    HP OpenView Storage Data Protector Buffer Overflow                             string-tcp            high           false

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================

S511 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                                        ENGINE                SEVERITY       ENABLED
5734.1     IE isComponentInstalled() Overflow                                             multi-string          high           false
18297.3    Trend Micro OfficeScan CgiChkMasterPwd Buffer Overflow                         service-http          high           true
27061.0    VeryPDF PDFView ActiveX Heap Buffer Overflow                                   multi-string          high           false
27379.0    IBM Lotus Domino Web Access Upload Module Buffer Overflow                      meta                  high           false
27379.1    IBM Lotus Domino Web Access Upload Module Buffer Overflow                      string-tcp            informational  false
27379.2    IBM Lotus Domino Web Access Upload Module Buffer Overflow                      string-tcp            informational  false
27379.3    IBM Lotus Domino Web Access Upload Module Buffer Overflow                      string-tcp            informational  false
27439.0    Altnet Download Manager 4 ActiveX Buffer Overflow                              meta                  high           false
27439.1    Altnet Download Manager 4 ActiveX Buffer Overflow                              multi-string          informational  false
27559.0    Gadu-Gadu Client Activity                                                      service-http          informational  true
27560.0    UTorrent Client Activity                                                       service-http          informational  true
28123.0    Mercury Mail Remote Mailbox Name Service Buffer Overflow                       string-tcp            high           false
28124.0    Symantec Altiris Deployment Solution ActiveX Control Arbitrary File Download and Execute  multi-string  high      false
28241.0    Microsoft Windows MDAC Remote Code Execution Vulnerability                     multi-string          high           false
28259.0    Yahoo Messenger Webcam Upload ActiveX Control Buffer Overflow                  multi-string          high           false
28279.0    Apple OS X iTunes ITMS Overflow                                                string-tcp            high           false
28700.0    Millennium Mp3 Studio PLS File Buffer Overflow                                 multi-string          high           false
29079.0    Zenturi ProgramChecker ActiveX Control Arbitrary File Download                 meta                  high           false
29079.1    Zenturi ProgramChecker ActiveX Control Arbitrary File Download                 string-tcp            informational  false
29079.2    Zenturi ProgramChecker ActiveX Control Arbitrary File Download                 string-tcp            informational  false

TUNED SIGNATURES

SIGID      SIGNAME                                                                        ENGINE                SEVERITY       ENABLED
5823.0     McAfee Epolicy Overflow                                                        service-http          high           false

CAVEATS

None.

Modified signature(s) detail: The following sig was retired:

5823-0   McAfee Epolicy Overflow

=================================================================================================

S510 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                                        ENGINE                SEVERITY       ENABLED
29219.0    CUCM Malformed REGISTER Message DoS                                            multi-string          medium         true
29239.0    Cisco CUP Memory Corruption Vulnerability                                      string-tcp            high           true

TUNED SIGNATURES

SIGID      SIGNAME                                                                        ENGINE                SEVERITY       ENABLED
3133.1     Novarg / Mydoom Virus Mail Attachment Variant B                                string-tcp            high           false
3135.0     MyDoom Virus Activity                                                          string-tcp            high           false
3135.7     MyDoom Virus Activity                                                          string-tcp            medium         false
3137.1     Sober Virus Activity                                                           string-tcp            high           false
3137.2     Sober Virus Activity                                                           string-tcp            high           false
3137.4     Sober Virus Activity                                                           string-tcp            high           false
3137.5     Sober Virus Activity                                                           string-tcp            high           false
3140.0     Bagle Virus Activity                                                           string-tcp            high           false
3140.1     Bagle Virus Activity                                                           string-tcp            high           false
3140.2     Bagle Virus Activity                                                           string-tcp            high           false
3140.3     Bagle Virus Activity                                                           service-http          high           false
3140.5     Bagle Virus Activity                                                           string-tcp            high           false
3140.6     Bagle Virus Activity                                                           string-tcp            high           false
3140.7     Bagle Virus Activity                                                           string-tcp            high           false
3140.8     Bagle Virus Activity                                                           string-tcp            high           false
3140.9     Bagle Virus Activity                                                           string-tcp            high           false
3140.10    Bagle Virus Activity                                                           string-tcp            high           false
3140.11    Bagle Virus Activity                                                           string-tcp            high           false
3140.12    Bagle Virus Activity                                                           string-tcp            high           false
3140.13    Bagle Virus Activity                                                           string-tcp            high           false
3140.14    Bagle Virus Activity                                                           string-tcp            high           false
3140.15    Bagle Virus Activity                                                           string-tcp            high           false
3146.0     Bropia Worm Activity                                                           string-tcp            high           false
3234.0     IE Local Trusted Resource Execution                                            service-http          high           false
3234.1     IE Local Trusted Resource Execution                                            service-http          high           false
4051.1     Snork                                                                          atomic-ip             low            true
4051.2     Snork                                                                          atomic-ip             low            false
4051.3     Snork                                                                          atomic-ip             low            false
5455.1     Arkeia Type 77 Request Buffer Overflow                                         string-tcp            high           false
5484.0     Sambar Server Search Overflow                                                  service-http          high           false
5496.0     License Logging Service Overflow                                               meta                  high           false
5500.0     IE .asp File Execution                                                         string-tcp            informational  true
5572.0     Design Tools Diagram Surface ActiveX Control                                   string-tcp            informational  false
5572.1     Design Tools Diagram Surface ActiveX Control                                   meta                  high           false
5599.0     Anig Worm File Transfer                                                        service-smb-advanced  high           false
5644.3     Client Service for NetWare Overflow                                            meta                  high           false
5673.0     NetBackup Format String                                                        string-tcp            high           false
5886.0     Sun Java Socks Proxy Overflow                                                  string-tcp            high           false
5921.0     Apple Quicktime Color Table Overflow                                           string-tcp            high           false
6279.0     Citrix Presentation Server Client ActiveX Overflow                             meta                  high           false
6279.1     Citrix Presentation Server Client ActiveX Overflow                             string-tcp            informational  false
6298.0     Creative Software AutoUpdate Engine ActiveX Stack-Overflow                     meta                  high           false
6502.0     Tribe Flood Net Server Reply                                                   traffic-icmp          medium         false
6760.0     RealPlayer ActiveX Buffer overflow                                             meta                  high           false
6934.0     GDI Buffer Overflow                                                            string-tcp            high           false
6940.0     RealPlayer ActiveX Remote Code Execution                                       meta                  high           false
6940.1     RealPlayer ActiveX Remote Code Execution                                       string-tcp            informational  false
7286.0     Citrix IMA Service Buffer Overflow                                             string-tcp            high           false
7293.0     Trend Micro OfficeScan Password Decryption Function Buffer Overflow            service-http          high           false
7306.0     Microsoft Internet Explorer XML Code Execution                                 string-tcp            high           false
7306.1     Microsoft Internet Explorer XML Code Execution                                 string-tcp            high           false
7306.2     Microsoft Internet Explorer XML Code Execution                                 string-tcp            high           false
7306.3     Microsoft Internet Explorer XML Code Execution                                 string-tcp            high           false
15235.0    Exchange Server Memory Corruption Vulnerability                                state                 high           false

CAVEATS

None.

Modified signature(s) detail:

7293-0 : Disabled & Retired.
7286-0 : Disabled & Retired.
6502-0 : Disabled & Retired.
6298-0 : Disabled & Retired.
6279-1 : Disabled & Retired.
6279-0 : Disabled & Retired.
5921-0 : Disabled & Retired.
5886-0 : Disabled & Retired.
5484-0 : Disabled & Retired.
5455-1 : Disabled & Retired.
4051-3 : Disabled & Retired.
4051-2 : Disabled & Retired.
4051-1 : Disabled & Retired.
3133-1 : Disabled & Retired.
3135-0 : Disabled & Retired.
3135-7 : Disabled & Retired.
3137-1 : Disabled & Retired.
3137-2 : Disabled & Retired.
3137-4 : Disabled & Retired.
3137-5 : Disabled & Retired.
3140-0 : Disabled & Retired.
3140-1 : Disabled & Retired.
3140-2 : Disabled & Retired.
3140-3 : Disabled & Retired.
5673-0 : Disabled & Retired.

=================================================================================================

S509 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                                        ENGINE                SEVERITY       ENABLED
28759.0    Apple iTunes Playlist Buffer Overflow Vulnerability                            multi-string          high           false
28959.0    Linksys WRT54G Code Execution Exploit                                          service-http          high           false

TUNED SIGNATURES

SIGID      SIGNAME                                                                        ENGINE                SEVERITY       ENABLED
4703.0     MSSQL Resolution Service Stack Overflow                                        atomic-ip             high           true
4704.0     MSSQL Resolution Service Heap Overflow                                         atomic-ip             high           false
5703.0     Video Surveillance IP Gateway Encoder/Decoder Telnet Authentication Vulnerability  string-tcp        high           false
5738.0     Windows ACS Registry Access                                                    string-tcp            informational  false
5738.2     Windows ACS Registry Access                                                    string-tcp            informational  false
5738.3     Windows ACS Registry Access                                                    meta                  medium         false
5751.0     Ultr@VNC Client Overflow                                                       string-tcp            high           false
5775.1     MHTML Redirection                                                              string-tcp            low            false
5822.1     Workstation Service Memory Corruption Vulnerability                            string-tcp            informational  false
5877.0     IE Protocol Handler Command Execution                                          string-tcp            high           false
5985.0     Quicktime RTSP Content-Type Excessive Length                                   string-tcp            high           false
6171.0     HP Info Center HPInfoDLL.dll ActiveX Control Remote Code Execution             string-tcp            high           false
6227.0     Visual Basic Charts Control Memory Corruption                                  string-tcp            high           false
6406.0     DirectShow WAV Parsing Remote Code Execution                                   string-tcp            high           false
6510.1     GOM Player ActiveX Control Buffer Overflow                                     string-tcp            informational  false
6510.2     GOM Player ActiveX Control Buffer Overflow                                     string-tcp            informational  false
6784.1     Adobe PDF Code Execution                                                       string-tcp            high           false
6784.2     Adobe PDF Code Execution                                                       string-tcp            high           false
6784.3     Adobe PDF Code Execution                                                       string-tcp            high           false
6931.0     Virtual-Access Interface Exhaustion DoS                                        string-tcp            medium         false
6937.0     IE File Handling Memory Corruption                                             string-tcp            high           false
6951.0     Word Drawing Object Vulnerability                                              string-tcp            high           false
6952.0     Word Cascading Style Sheet (CSS) Vulnerability                                 string-tcp            high           false
6954.0     CUCM SIP Stack DoS                                                             string-tcp            high           false
6954.1     CUCM SIP Stack DoS                                                             atomic-ip             high           false
6963.0     MJPEG Decoder Vulnerability                                                    string-tcp            high           false
6977.0     Wonderware Suitlink Denial Of Service                                          string-tcp            high           false
7422.1     Oracle WebLogic Apache Connector Buffer Overflow                               string-tcp            high           false
7425.0     Visual Basic 6 ActiveX Runtime Overflow                                        meta                  high           false
7425.1     Visual Basic 6 ActiveX Runtime Overflow                                        string-tcp            informational  false

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================

S508 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID      SIGNAME                                                                        ENGINE                SEVERITY       ENABLED
19080.1    Norton Internet Security 2004 Buffer Overflow                                  multi-string          high           false
20145.3    Microsoft Office Web Components ActiveX Buffer Overflow                        meta                  high           false
20145.4    Microsoft Office Web Components ActiveX Buffer Overflow                        string-tcp            informational  false
22121.0    System Requirements Lab Remote Code Execution Vulnerability                    multi-string          high           false
22220.0    WinDVD ActiveX Buffer Overflow Vulnerability                                   meta                  high           false
22220.1    WinDVD ActiveX Buffer Overflow Vulnerability                                   string-tcp            informational  false
22220.2    WinDVD ActiveX Buffer Overflow Vulnerability                                   string-tcp            informational  false
22259.0    GoodTech Systems Telnet Server Buffer Overflow Vulnerability                   string-tcp            high           false
25899.0    Xftp PWD Response Buffer Overflow Vulnerability                                multi-string          high           false
26339.0    TWiki Arbitrary Command Execution                                              service-http          high           false
26539.0    Microsoft IIS WebDAV Write Access Code Execution                               multi-string          informational  false
26659.0    Belkin Bulldog Plus Web Service Buffer Overflow                                service-http          high           false
26780.0    ProFTP 2.9 Banner Remote Buffer Overflow                                       string-tcp            high           false
27139.0    Basic Analysis and Security Engine BASE_path File Inclusion                    service-http          medium         false
27159.0    Chilkat Crypt ActiveX Control Arbitrary File Overwrite                         multi-string          high           false
27279.0    RKD Software BarCode ActiveX Control Buffer Overflow                           meta                  high           false
27279.1    RKD Software BarCode ActiveX Control Buffer Overflow                           string-tcp            informational  false
27279.2    RKD Software BarCode ActiveX Control Buffer Overflow                           string-tcp            informational  false
27539.0    Juniper SSL-VPN Client ActiveX Control Buffer Overflow                         meta                  high           false
27539.1    Juniper SSL-VPN Client ActiveX Control Buffer Overflow                         string-tcp            informational  false
27539.2    Juniper SSL-VPN Client ActiveX Control Buffer Overflow                         string-tcp            informational  false
27679.0    mIRC IRC URL Buffer Overflow Vulnerability                                     string-tcp            high           false
27779.0    Microsoft Internet Explorer CreateTextRange Remote Code Execution              multi-string          high           false
27919.0    Autodesk IDrop ActiveX Control Heap Memory Corruption                          meta                  high           false
27919.1    Autodesk IDrop ActiveX Control Heap Memory Corruption                          string-tcp            informational  false
27940.0    Microsoft Visual Basic 6.0 File Overflow                                       string-tcp            high           false
27959.0    HP LoadRunner AddFile ActiveX Buffer Overflow                                  meta                  high           false
27959.1    HP LoadRunner AddFile ActiveX Buffer Overflow                                  string-tcp            informational  false
28020.0    InterSystems Cache HTTP Stack Buffer Overflow                                  service-http          high           false
28079.0    Borland InterBase Buffer Overflow Exploit                                      string-tcp            high           false
28080.0    AgentX++ Component Stack-Based Buffer Overflow Vulnerability                   string-tcp            high           false
28120.0    Omni-NFS Server Buffer Overflow                                                multi-string          high           false
28121.0    IBM Lotus Domino Web Server Accept-Language Buffer Overflow                    service-http          high           false
28319.0    ActivePDF WebGrabber GetStatus Method Buffer Overflow                          meta                  high           false
28319.1    ActivePDF WebGrabber GetStatus Method Buffer Overflow                          string-tcp            informational  false
28339.0    EFS Easy Chat Server Authentication Request Handling Buffer Overflow           string-tcp            high           false
28379.0    Internet Explorer Style Object Remote Code Execution                           meta                  high           false
28379.1    Internet Explorer Style Object Remote Code Execution                           string-tcp            informational  false
28379.2    Internet Explorer Style Object Remote Code Execution                           string-tcp            informational  false
28399.0    Veritas Backup Exec Name Service Overflow                                      string-tcp            high           false
28719.0    Orbit Downloader Buffer Overflow                                               multi-string          medium         false
28899.0    SAPgui WebViewer3D ActiveX Vulnerability                                       multi-string          high           false

TUNED SIGNATURES

SIGID      SIGNAME                                                                        ENGINE                SEVERITY       ENABLED
4063.0     Unreal Engine /secure/ Overflow                                                string-udp            high           false
6769.0     Netware LSASS CIFS.NLM Driver Overflow                                         service-smb-advanced  high           true
22199.0    BigAnt IM Server HTTP GET Request Remote Buffer Overflow Vulnerability         service-http          high           false
22261.0    AT&T WinVNC Buffer                                                             service-http          high
false overflow vulnerability 22520.0 EMC Captiva QuickScan Pro multi-string high true KeyHelp ActiveX Control Buffer Overflow CAVEATS None. Modified signature(s) detail: None. ================================================================================================= S507 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 27359.0 Real-Time Streaming string-tcp high true Protocol Inspection Vulnerability 27599.0 Cisco ACE SIP Inspection atomic-ip medium true DoS 28539.0 Adobe Flash Player Exploit multi-string high true 28659.0 Internet Explorer Heap string-tcp high true Spray Code TUNED SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 3045.0 Queso Sweep sweep-other-tc medium true p 3115.3 Sendmail Data Header state high false Overflow 3344.0 Windows 2000 TCP RPC DoS string-tcp medium false 3602.0 IOS Cisco Identification string-tcp informational false 3787.0 IRIX Printing System string-tcp high false Remote Command Execution 4613.1 TFTP Filename Buffer atomic-ip low false Overflow 4703.0 MSSQL Resolution Service atomic-ip high false Stack Overflow 4704.0 MSSQL Resolution Service atomic-ip high false Heap Overflow 5040.1 WWW perl interpreter service-http medium false attack 5040.2 WWW perl interpreter service-http medium false attack 5040.3 WWW perl interpreter service-http medium false attack 5046.0 WWW dumpenv.pl recon service-http low false 5138.0 Oracle Application Server service-http medium false Shared Library Overflow 5170.0 Null Byte In HTTP Request service-http low false 5170.1 Null Byte In HTTP Request service-http low false 5280.0 IIS idq.dll Directory service-http low false Traversal 5510.0 Cisco TFTPD Directory atomic-ip high false Traversal 5511.0 Ascend Denial of Service atomic-ip low false 5559.0 FTP Format String string-tcp high false 5679.0 Oracle TNS Listener atomic-ip medium false Denial Of Service 5681.0 ISC DHCP Deamon Buffer atomic-ip high false Overflow 5689.0 MSSQL Resolution Service atomic-ip medium false 
Keep-Alive DoS 5745.0 FTP REST command string-tcp low false CAVEATS None. Modified signature(s) detail: None. ================================================================================================= S506 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 28099.0 Microsoft SMB Pool multi-string high true Overflow Vulnerability 28141.0 Internet Explorer HTML string-tcp high true Memory Corruption Vulnerability 28159.0 Microsoft Word Record multi-string high true Parsing Vulnerability 28179.0 SMB Variable Validation string-tcp high true Vulnerability 28199.0 Word RTF Parsing Buffer string-tcp high true Overflow 28201.0 Word RTF Parsing Engine string-tcp high true Memory Corruption 28299.0 Microsoft Silverlight string-tcp high true Memory Corruption Vulnerability 28300.0 Microsoft Word HTML string-tcp high true Linked Objects Memory Corruption 28359.0 Microsoft Excel Memory multi-string high true Corruption 28360.0 Microsoft Movie Maker multi-string high true Memory Corruption Vulnerability 28361.0 Windows MPEG Audio string-tcp high true Decoder Buffer Overflow 28439.0 Microsoft Windows SMB2 string-tcp high true Stack Exhaustion Vulnerability 28481.0 Msxml2.XMLHTTP.3.0 meta high true Response Handling Memory Corruption Exploit 28481.1 Msxml2.XMLHTTP.3.0 string-tcp informational true Response Handling Memory Corruption Exploit 28481.2 Msxml2.XMLHTTP.3.0 service-http informational true Response Handling Memory Corruption Exploit 28481.3 Msxml2.XMLHTTP.3.0 string-tcp informational true Response Handling Memory Corruption Exploit 28485.0 Microsoft Internet string-tcp high true Explorer Uninitialized Memory Corruption Vulnerability 28486.0 Microsoft Internet multi-string high true Explorer Uninitialized Memory Corruption Vulnerability 28499.0 Microsoft Silverlight and multi-string high true Microsoft .NET Framework Vulnerability 28601.0 Windows Cinepak Codec multi-string high true Decompression Vulnerability TUNED SIGNATURES There are no 
tuned signatures for this release. CAVEATS None. Modified signature(s) detail: None. ================================================================================================= S505 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 22841.0 Novell GroupWise string-tcp high false Messenger Stack Overflow 24120.0 Cisco ASA RPC atomic-ip high true Vulnerability 24140.0 Cisco ASA RPC atomic-ip high true Vulnerability 24159.0 Cisco ASA RPC atomic-ip high true Vulnerability 25421.0 Java string-tcp high true HsbParser.getSoundBank Stack Overflow 27160.0 SAP Business One 2005 string-tcp high false License Manager Buffer Overflow 27219.0 Crafted IKE Message atomic-ip medium true Denial of Service Vulnerability 27499.0 PeaZip 2.6.1 Zip string-tcp high false Processing Command Injection 28139.0 SIP Inspection Denial of atomic-ip medium true Service Vulnerability TUNED SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 3172.0 Ftp Cwd Overflow string-tcp high true 3537.0 MailEnable HTTP string-tcp high false Authorization Buffer Overflow 7288.0 ASUS DPC Proxy Buffer string-tcp high false Overflow CAVEATS None. Modified signature(s) detail: None. 
================================================================================================= S504 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 24979.0 Symantec Norton Personal multi-string high false Firewall 2004 ActiveX Control Buffer Overflow 26960.0 CA eTrust PestPatrol multi-string medium false Anti-Spyware ActiveX Buffer Overflow TUNED SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 16416.0 MS IE Remote Code string-tcp high true Execution 16957.0 Microsoft PowerPoint string-tcp high true Remote Code Execution 16958.0 Microsoft PowerPoint string-tcp high true Remote Code Execution 17153.0 Microsoft PowerPoint RCE string-tcp high true Vulnerability 18421.0 Microsoft Office Excel string-tcp high true Remote Code Execution 19219.2 DirectShow QuickTime string-tcp informational true Media Processing Arbitrary Code Execution 19219.4 DirectShow QuickTime string-tcp informational true Media Processing Arbitrary Code Execution 19384.4 DirectX Pointer string-tcp informational true Validation Vulnerability 24579.1 MS Office Excel XLSX File string-tcp high true Parsing Code Execution 26379.0 Microsoft .NET XML atomic-ip high false Signature Syntax and Processing Vulnerability CAVEATS None. Modified signature(s) detail: The following signatures have bee tuned to improve performance: 26379-0,24579-1,19384-4,19219-4,19219-2,18421-0,17153-0,16958-0,16957-0 Signature 16416-0 has been retired. ================================================================================================= S503 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 27839.0 Windows LNK File Code multi-string high true Execution 27839.1 Windows LNK File Code meta high true Execution 27839.2 Windows LNK File Code service-smb-ad informational true Execution vanced 27839.3 Windows LNK File Code service-smb-ad informational true Execution vanced TUNED SIGNATURES There are no tuned signatures for this release. CAVEATS None. 
Modified signature(s) detail: None. ================================================================================================= S502 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 17259.1 VideoLAN VLC Media Player string-tcp high false TiVo Demultiplexer Buffer Overflow Vulnerability 19199.1 Computer Associates string-tcp high false BrightStor ARCServe Backup LGServer Buffer Overflow 22139.0 GAMSoft Telsrv DoS string-tcp medium false Vulnerability 25859.0 Trellian FTP PASV string-tcp high false Response Buffer Overflow Vulnerability 26060.0 VLC Media Player SMB URI string-tcp high false Handling Remote Buffer Overflow Vulnerability 26519.0 Windows VUPlayer M3U string-tcp high false Buffer Overflow Vulnerability 26760.0 AOL ICQ ActiveX Remote multi-string high false Code Execution 27199.0 Cisco Internet Streamer service-http medium true Directory Traversal TUNED SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 5738.1 Windows ACS Registry string-tcp informational false Access 5738.4 Windows ACS Registry meta medium false Access 5759.0 VNC Authentication Bypass string-tcp informational false 5759.2 VNC Authentication Bypass service-generi informational false c 5759.3 VNC Authentication Bypass meta high false 7291.0 VideoLAN VLC Media Player meta high false WAV Processing Integer Overflow 7291.1 VideoLAN VLC Media Player string-tcp informational false WAV Processing Integer Overflow 7296.0 Word RTF Object Parsing string-tcp high false Vulnerability 7297.0 MS Word Memory Corruption string-tcp high false Vulnerability 7298.0 MS Visual Basic Flexgrid meta high false Control Buffer Overflow 7298.1 MS Visual Basic Flexgrid string-tcp informational false Control Buffer Overflow 7300.1 Sharepoint Access Control string-tcp high false Vulnerability 7301.0 Excel Global Array Memory string-tcp high false Corruption 7307.0 MS SQL Server meta high false sp_replwritetovarbin memory overwrite 7307.1 MS SQL Server string-tcp informational false 
sp_replwritetovarbin memory overwrite 7307.2 MS SQL Server string-tcp informational false sp_replwritetovarbin memory overwrite 7308.0 DLL Memory Protection string-tcp high false Bypass 7415.0 OpenLDAP BER Decoding DoS string-tcp high false 7419.0 Visual Basic ActiveX meta high false Control RCE 7419.1 Visual Basic ActiveX string-tcp informational false Control RCE 7426.0 Shell32 ActiveX meta high false Vulnerability 7426.1 Shell32 ActiveX string-tcp informational false Vulnerability 7427.0 Shell32 ActiveX meta high false Vulnerability 7427.1 Shell32 ActiveX string-tcp informational false Vulnerability 7432.0 Word RTF Object Parsing meta high false Remote Code Execution 7432.1 Word RTF Object Parsing string-tcp informational false Remote Code Execution 7432.2 Word RTF Object Parsing string-tcp informational false Remote Code Execution 7436.0 File Format Parsing string-tcp high false Remote Code Execution 7438.0 MS DataGrid Control string-tcp high false Memory Corruption CAVEATS None. Modified signature(s) detail: The following signatures have been retired: 7438-0 MS DataGrid Control Memory Corruption 7436-0 File Format Parsing Remote Code Execution 7432-2 Word RTF Object Parsing Remote Code Execution 7432-1 Word RTF Object Parsing Remote Code Execution 7432-0 Word RTF Object Parsing Remote Code Execution 7427-1 Shell32 ActiveX Vulnerability 7427-0 Shell32 ActiveX Vulnerability 7426-1 Shell32 ActiveX Vulnerability 7426-0 Shell32 ActiveX Vulnerability 7419-1 Visual Basic ActiveX Control RCE 7419-0 Visual Basic ActiveX Control RCE 7415-0 OpenLDAP BER Decoding DoS 7308-0 DLL Memory Protection Bypass 7307-2 MS SQL Server sp_replwritetovarbin memory overwrite 7307-1 MS SQL Server sp_replwritetovarbin memory overwrite 7307-0 MS SQL Server sp_replwritetovarbin memory overwrite 7301-0 Excel Global Array Memory Corruption 7300-1 Sharepoint Access Control Vulnerability 7298-1 MS Visual Basic Flexgrid Control Buffer Overflow 7298-0 MS Visual Basic Flexgrid Control Buffer 
Overflow 7297-0 MS Word Memory Corruption Vulnerability 7296-0 Word RTF Object Parsing Vulnerability 7291-1 VideoLAN VLC Media Player WAV Processing Integer Overflow 7291-0 VideoLAN VLC Media Player WAV Processing Integer Overflow 5759-3 VNC Authentication Bypass 5759-2 VNC Authentication Bypass 5759-0 VNC Authentication Bypass 5738-4 Windows ACS Registry Access 5738-1 Windows ACS Registry Access ================================================================================================= S501 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 27259.0 Windows Media Format meta high false Remote Code Execution 27259.1 Windows Media Format string-tcp informational false Remote Code Execution 27259.2 Windows Media Format string-tcp informational false Remote Code Execution 27259.3 Windows Media Format string-tcp informational false Remote Code Execution 27259.4 Windows Media Format meta high false Remote Code Execution 27259.5 Windows Media Format string-tcp informational false Remote Code Execution 27259.6 Windows Media Format meta high false Remote Code Execution 27259.7 Windows Media Format string-tcp informational false Remote Code Execution TUNED SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 6070.0 Windows Media Format meta high false Remote Code Execution 6070.1 Windows Media Format string-tcp informational false Remote Code Execution 6070.2 Windows Media Format string-tcp informational false Remote Code Execution 6070.3 Windows Media Format string-tcp informational false Remote Code Execution 6070.4 Windows Media Format meta high false Remote Code Execution 6070.5 Windows Media Format string-tcp informational false Remote Code Execution 6070.6 Windows Media Format meta high false Remote Code Execution 6070.7 Windows Media Format string-tcp informational false Remote Code Execution 6280.0 Messenger Information string-tcp low false Disclosure Vulnerability 6281.0 Malformed EPS Filter string-tcp high false Vulnerability 6282.1 
Malformed PICT Filter string-tcp high false Vulnerability 6410.0 IE Unsafe Memory Operation meta high false 6410.1 IE Unsafe Memory Operation string-tcp informational false 6410.2 IE Unsafe Memory Operation string-tcp informational false 6780.0 IE Argument Handling meta high false Memory Corruption Vulnerability 6780.2 IE Argument Handling string-tcp informational false Memory Corruption Vulnerability 6960.0 IE Response Cross-Domain meta high false Info Disclosure 6960.1 IE Response Cross-Domain string-tcp informational false Info Disclosure 6960.2 IE Response Cross-Domain string-tcp informational false Info Disclosure 6970.0 DirectShow SAMI Parsing meta high false Remote Code Execution 6970.1 DirectShow SAMI Parsing string-tcp informational false Remote Code Execution 6970.2 DirectShow SAMI Parsing meta high false Remote Code Execution 6970.3 DirectShow SAMI Parsing string-tcp informational false Remote Code Execution 6970.4 DirectShow SAMI Parsing string-tcp informational false Remote Code Execution 6971.0 Generic Exploit Component string-tcp informational false 6990.0 Visual Studio meta high false Msmask32.ocx ActiveX Buffer Overflow 6990.1 Visual Studio string-tcp informational false Msmask32.ocx ActiveX Buffer Overflow 6990.2 Visual Studio string-tcp informational false Msmask32.ocx ActiveX Buffer Overflow 6990.3 Visual Studio meta informational false Msmask32.ocx ActiveX Buffer Overflow 6990.4 Visual Studio string-tcp informational false Msmask32.ocx ActiveX Buffer Overflow 6990.5 Visual Studio string-tcp informational false Msmask32.ocx ActiveX Buffer Overflow 7221.0 Hierarchical FlexGrid meta high false Control Memory Corruption 7221.1 Hierarchical FlexGrid string-tcp informational false Control Memory Corruption 7221.2 Hierarchical FlexGrid string-tcp informational false Control Memory Corruption 7231.0 Windows Media Encoder 9 meta high false Remote Code Execution 7231.1 Windows Media Encoder 9 string-tcp informational false Remote Code Execution 7231.2 
Windows Media Encoder 9 string-tcp informational false Remote Code Execution 7255.0 MSXML Chunked Request meta high false Vulnerability 7255.1 MSXML Chunked Request string-tcp informational false Vulnerability 7255.2 MSXML Chunked Request string-tcp informational false Vulnerability CAVEATS None. Modified signature(s) detail: 7255-2: This signature was retired. 7255-1: This signature was retired. 7255-0: This signature was retired. 7231-2: This signature was retired. 7231-1: This signature was retired. 7231-0: This signature was retired. 7221-2: This signature was retired. 7221-1: This signature was retired. 7221-0: This signature was retired. 6990-5: This signature was retired. 6990-4: This signature was retired. 6990-3: This signature was retired. 6990-2: This signature was retired. 6990-1: This signature was retired. 6990-0: This signature was retired. 6970-4: This signature was retired. 6970-3: This signature was retired. 6970-2: This signature was retired. 6970-1: This signature was retired. 6970-0: This signature was retired. 6960-2: This signature was retired. 6960-1: This signature was retired. 6960-0: This signature was retired. 6780-2: This signature was retired. 6780-0: This signature was retired. 6410-2: This signature was retired. 6410-1: This signature was retired. 6410-0: This signature was retired. 6282-1: This signature was retired. 6281-0: This signature was retired. 6280-0: This signature was retired. 6971-0: Obsoleted by 27259-0. 6070-7: Obsoleted by 27259-7. 6070-6: Obsoleted by 27259-6. 6070-5: Obsoleted by 27259-5. 6070-4: Obsoleted by 27259-4. 6070-3: Obsoleted by 27259-3. 6070-2: Obsoleted by 27259-2. 6070-1: Obsoleted by 27259-1. 6070-0: Obsoleted by 27259-0. 
=================================================================================================
S500 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     ENGINE                SEVERITY       ENABLED  SIGNAME
27060.0   multi-string          high           true     Access ActiveX Control Vulnerability
27119.0   string-tcp            high           true     Microsoft Outlook SMB Attachment Vulnerability

TUNED SIGNATURES

SIGID     ENGINE                SEVERITY       ENABLED  SIGNAME
3315.0    string-tcp            high           false    Microsoft Windows 9x NetBIOS NULL Name Vulnerability
6282.0    string-tcp            high           false    Malformed PICT Filter Vulnerability
6298.1    string-tcp            informational  false    Creative Software AutoUpdate Engine ActiveX Stack-Overflow
6760.1    string-tcp            informational  false    RealPlayer ActiveX Buffer Overflow
6760.2    string-tcp            low            false    RealPlayer ActiveX Buffer overflow
7291.2    string-tcp            informational  false    VideoLAN VLC Media Player WAV Processing Integer Overflow
11002.0   string-tcp            low            false    Gnutella Server Reply
11006.0   string-tcp            low            false    Gnucleus File Request
11249.0   string-tcp            informational  false    Gadu-Gadu IM Message Sent
11250.0   string-tcp            informational  false    Gadu-Gadu IM Message Received
16213.1   string-tcp            informational  false    Orbit Downloader URL Processing Stack Buffer Overflow
16213.2   string-tcp            informational  false    Orbit Downloader URL Processing Stack Buffer Overflow
16233.0   multi-string          high           false    ClamAV AntiVirus CHM File Handling Denial of Service
16235.0   multi-string          high           false    ClamAV AntiVirus CHM File Handling Denial of Service
19381.1   string-tcp            high           false    Embedded OpenType Font Heap Overflow Vulnerability
19382.1   string-tcp            high           false    Embedded OpenType Font Integer Overflow Vulnerability
26599.0   string-tcp            high           true     Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability

CAVEATS

None.

Modified signature(s) detail:

The following signatures were disabled and retired:
6282-0, 6298-1, 6760-1, 6760-2, 7291-2, 11002-0, 11006-0, 11249-0, 11250-0,
16213-1, 16213-2, 16233-0, 16235-0, 19381-1, 19382-1, 3315-0

=================================================================================================
S499 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     ENGINE                SEVERITY       ENABLED  SIGNAME
26819.0   multi-string          high           false    Adobe Reader and Acrobat Vulnerability
26879.0   string-tcp            high           true     Adobe PDF File Containing Malicous Flash File
26881.0   string-tcp            high           true     Adobe Acrobat Reader Vulnerability
26882.0   string-tcp            high           true     Adobe Acrobat Reader Vulnerability
26885.0   string-tcp            high           true     Adobe Acrobat and Reader File Validation Vulnerability
26886.0   multi-string          high           true     Adobe Acrobat and Reader Memory Corruption
26887.0   multi-string          high           true     Adobe PDF File Parsing Arbitrary Code Execution
26899.0   string-tcp            high           true     Adobe Reader Vulnerability
26900.0   multi-string          high           true     Adobe Reader Vulnerability
26901.0   string-tcp            high           true     Adobe PDF Launch Action Exploits
26919.0   string-tcp            high           true     Acrobat PDF Arbitrary Code Execution Vulnerability
26940.0   multi-string          high           true     Adobe PDF Document Validation Memory Corruption Exploit

TUNED SIGNATURES

SIGID     ENGINE                SEVERITY       ENABLED  SIGNAME
5801.1    multi-string          high           false    Quicktime JPEG Code Execution Overflow
5821.0    meta                  high           false    DirectAnimation ActiveX Memory Corruption
5821.1    string-tcp            informational  false    DirectAnimation ActiveX Memory Corruption
5821.2    string-tcp            informational  false    DirectAnimation ActiveX Memory Corruption
6795.0    meta                  high           false    Panda ActiveScan ActiveX Overflow
6976.0    string-tcp            high           false    Microsoft Powerpoint 2003 Viewer Buffer Overflow
6995.0    string-tcp            high           false    GDI EMF Memory Corruption Vulnerability
6997.0    string-tcp            high           false    OneNote Uniform Resource Locator Validation Error Vulnerability
7235.0    string-tcp            high           false    CoolPlayer m3u Playlist Stack Overflow
7271.0    string-tcp            high           false    GDI+ VML Buffer Overrun Vulnerability
11004.0   string-tcp            low            false    Bearshare File Request
11032.0   service-p2p           low            true     Share TCP Detected
15733.0   string-tcp            high           true     MS Excel Invalid Object Arbitrary Code Execution
15996.0   string-tcp            high           false    Apple QuickTime VR Track Header Atom Corruption
19460.0   string-tcp            high           false    CA ARCserve Backup LGServer Handshake Buffer Overflow
21319.1   string-tcp            medium         false    Novell Client For Windows 2000/XP ActiveX Remote DoS Vulnerability
21459.0   string-tcp            high           true     Media Runtime Heap Corruption Vulnerability
26199.0   string-tcp            high           false    AgentX++ Component Integer Overflow

CAVEATS

None.

Modified signature(s) detail:

26199-0: This signature was retired.
21459-0: This signature was modified to improve performance.
21319-1: This signature was retired.
19460-0: This signature was retired.
15996-0: This signature was retired.
15733-0: This signature was modified to improve performance.
11032-0: Benign triggers information was updated in this signature.
11004-0: This signature was retired.
7271-0: This signature was retired.
7235-0: This signature was retired.
6997-0: This signature was retired.
6995-0: This signature was retired.
6976-0: This signature was retired.
6795-0: This signature was retired.
5821-2: This signature was retired.
5821-1: This signature was retired.
5821-0: This signature was retired.
5801-1: This signature was retired.

=================================================================================================
S498 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     ENGINE                SEVERITY       ENABLED  SIGNAME
26719.0   multi-string          high           true     Adobe Flash Player Memory Corruption Vulnerability

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S497 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     ENGINE                SEVERITY       ENABLED  SIGNAME
5506.2    atomic-ip             medium         false    Back Orifice Ping
6494.0    string-tcp            high           false    IMAP APPEND Date Buffer Overflow
21919.0   string-tcp            high           true     Domino Server IMAP Mailbox Name Buffer Overflow
24959.0   string-tcp            high           true     HP OpenView Storage Data Protector Buffer Overflow
25079.0   multi-string          medium         false    HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow
25119.0   service-http          high           false    Oracle Secure Enterprise Search Cross Site Scripting
25422.0   string-tcp            medium         true     Sun Directory Server 7.0 core_get_proxyauth_dn Denial Of Service
25619.0   string-tcp            high           false    UltraVNC VNCViewer Authenticate Buffer Overflow
25679.0   string-tcp            high           false    Microsoft Word mso.dll LsCreateLine Memory Corruption
25739.0   service-http          low            false    Test-Cgi File Access Vulnerability
26199.0   string-tcp            high           true     AgentX++ Component Integer Overflow

TUNED SIGNATURES

SIGID     ENGINE                SEVERITY       ENABLED  SIGNAME
6767.0    string-tcp            high           true     Microsoft Windows RSH Daemon Stack Overflow
6930.2    string-tcp            informational  true     Office Web Components URL Parsing Vulnerability
6969.0    string-tcp            high           true     Microsoft Word Smart Tag Corruption Exploit
6972.0    string-tcp            high           true     Rosoft Media Player Overflow
7235.0    string-tcp            high           false    CoolPlayer m3u Playlist Stack Overflow
7242.0    string-tcp            medium         true     Windows GDI+ Denial of Service
7246.0    string-tcp            high           true     Microsoft Excel Spreadsheet Buffer Overflow
7264.3    string-tcp            high           true     Adobe util.printf JavaScript Stack Buffer Overflow
7301.0    string-tcp            high           true     Excel Global Array Memory Corruption
7308.0    string-tcp            high           true     DLL Memory Protection Bypass

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S496 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     ENGINE                SEVERITY       ENABLED  SIGNAME
5406.2    string-tcp            high           false    Illegal MHTML URL
5464.4    string-tcp            high           false    Computer Associates License Suite Network Buffer Overflow
20004.1   multi-string          high           true     Microsoft Internet Explorer Malformed Web Page Handling Vulnerability
21220.0   string-tcp            high           true     BEA Weblogic Server Console-help.portal Cross-Site Scripting
24519.0   string-tcp            medium         false    Firebird SQL op_connect_request Denial of Service
24863.0   string-tcp            high           true     IBM Access Support ActiveX Stack Overflow Exploit
24919.0   string-tcp            high           false    Arugizer Trojan
25780.0   string-tcp            medium         true     FTP STOR rhost

TUNED SIGNATURES

SIGID     ENGINE                SEVERITY       ENABLED  SIGNAME
5845.0    string-tcp            high           true     Word Memory Corruption Exploit
6278.1    string-tcp            informational  true     Office Web Components DataSource Vulnerability
6281.0    string-tcp            high           true     Malformed EPS Filter Vulnerability
6541.0    string-tcp            high           true     Microsoft Project Malformed File Exploit
6784.0    string-tcp            high           true     Adobe PDF Code Execution
6785.1    string-tcp            informational  true     Microsoft Visual Basic VBP File Processing Buffer Overflow
6793.1    string-tcp            high           true     Microsoft Windows GDI Image Handling
6923.1    string-tcp            informational  true     Word Memory Corruption Vulnerability
17077.2   string-tcp            high           true     PowerPoint Legacy File Format
21459.0   string-tcp            high           true     Media Runtime Heap Corruption Vulnerability
21920.0   string-tcp            high           true     Microsoft Excel Remote Code Execution
22039.0   string-tcp            high           true     Microsoft Excel Remote Code Execution
22739.0   string-tcp            medium         true     Microsoft GdiPlus EMF Denial Of Service PoC

CAVEATS

None.

Modified signature(s) detail:

None.
=================================================================================================
S495 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     ENGINE                SEVERITY       ENABLED  SIGNAME
26021.0   service-http          medium         true     Cisco UCCX Information Disclosure Vulnerability
26460.3   multi-string          high           true     Malicious Adobe File Exploit
26599.0   string-tcp            high           true     Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.

=================================================================================================
S494 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     ENGINE                SEVERITY       ENABLED  SIGNAME
26460.0   multi-string          high           true     Malicious Adobe File Exploit
26460.1   multi-string          high           true     Malicious Adobe File Exploit
26460.2   multi-string          high           true     Malicious Adobe File Exploit

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail:

None.
================================================================================================= S493 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 26179.0 IE Memory Corruption string-tcp high true Vulnerability 26200.0 Microsoft Excel Memory multi-string high true Corruption 26201.0 Microsoft Excel Memory multi-string high true Corruption 26202.0 Microsoft Windows string-tcp high true Malicious ActiveX Instantiation 26219.0 Microsoft Excel Memory multi-string high true Corruption 26220.0 Microsoft Excel EDG multi-string high true Memory Corruption 26221.0 Microsoft Office Remote string-tcp high true Code Execution Vulnerability 26240.0 Microsoft Office Excel multi-string high true Code Execution Vulnerability 26241.0 Microsoft Office Memory string-tcp high true Corruption 26259.0 SharePoint Server 2007 string-tcp high true Help Page Processing Denial Of Service 26279.0 Microsoft Excel Record multi-string high true Stack Corruption Vulnerability 26280.0 Microsoft DirectShow string-tcp high true Media File Decompression Memory Corruption 26281.0 Microsoft Excel Memory multi-string high true Corruption Vulnerability 26299.0 Microsoft DirectShow string-tcp high true Media File Processing Arbitrary Code Execution Vulnerability 26300.0 Microsoft June 2010 string-tcp high true Killbit Update 26319.0 Microsoft Excel Remote string-tcp high true Code Execution 26359.0 Internet Explorer Zone string-tcp high true Bypass 26379.0 Microsoft .NET XML atomic-ip high true Signature Syntax and Processing Vulnerability 26380.0 Microsoft Excel Record multi-string high true Memory Corruption Vulnerability 26400.0 Microsoft Excel Memory multi-string high true Corruption Exploit 26401.0 Microsoft Internet string-tcp low true Explorer 8 XSS 26402.0 Microsoft Internet string-tcp high true Explorer Memory Corruption Exploit 26419.0 Excel String Variable string-tcp high true Vulnerability TUNED SIGNATURES There are no tuned signatures for this release. 
CAVEATS None. Modified signature(s) detail: None. ================================================================================================= S492 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 5577.1 SMB Secure NULL Login service-smb-ad informational true Attempt vanced 23879.0 Cisco Network Building multi-string medium true Mediator Unauthorized Information Access 24241.0 Cisco Network Building service-http high true Mediator Default Credentials 24739.0 Cisco Network Building service-http high true Mediator HTTP Privilege Escalation TUNED SIGNATURES There are no tuned signatures for this release. CAVEATS None. Modified signature(s) detail: None. ================================================================================================= S491 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 26080.0 Microsoft Windows multi-string medium true Canonical Display Driver Denial of Service TUNED SIGNATURES There are no tuned signatures for this release. CAVEATS None. Modified signature(s) detail: None. ================================================================================================= S490 SIGNATURE UPDATE DETAILS NEW SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 25962.0 Cisco PGW 2200 Softswitch atomic-ip medium true Malformed MGCP Packet Vulnerability 25979.0 Malformed SIP Message DoS string-tcp high true 25999.0 Malformed SIP Packet atomic-ip high false Denial of Service TUNED SIGNATURES SIGID SIGNAME ENGINE SEVERITY ENABLED 20481.0 Malformed SIP Message string-tcp medium false 20481.1 Malformed SIP Message atomic-ip medium false CAVEATS None. 
Modified signature(s) detail:

The following signatures have modified signature descriptions:
20481-0 Malformed SIP Message
20481-1 Malformed SIP Message

=================================================================================================

S489 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                SEVERITY       ENABLED
25919.0   Microsoft VBA Remote Code Execution                                                 multi-string          high           true
25959.0   Microsoft Windows Mail POP3 Remote Code Execution                                   string-tcp            high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================

S488 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                SEVERITY       ENABLED
23781.0   IBM DB2 Universal Database XMLQUERY Buffer Overflow                                 string-tcp            high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                SEVERITY       ENABLED
5477.0    Possible Heap Payload Construction                                                  string-tcp            low            true
5477.1    Possible Heap Payload Construction                                                  string-tcp            low            true
5920.0    Apple Quicktime VRPanoSampleAtom Heap Overflow                                      string-tcp            high           true
6111.0    RPC RUSESRD Sweep                                                                   meta                  medium         true
6986.0    Microsoft IE HTML Objects Memory Corruption Exploit                                 string-tcp            high           true
20183.0   AVI Integer Overflow Vulnerability                                                  string-tcp            high           true
20183.1   AVI Integer Overflow Vulnerability                                                  string-tcp            high           true

CAVEATS

None.
Modified signature(s) detail:

The following signatures are modified to reduce SFR:
6111-0 RPC RUSESRD Sweep

The following signatures have modified regexes:
5920-0 Apple Quicktime VRPanoSampleAtom Heap Overflow
5477-1 Possible Heap Payload Construction
5477-0 Possible Heap Payload Construction
6986-0 Microsoft IE HTML Objects Memory Corruption Exploit
20183-1 AVI Integer Overflow Vulnerability
20183-0 AVI Integer Overflow Vulnerability

=================================================================================================

S487 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                SEVERITY       ENABLED
25839.0   Sharepoint Server 2007 XSS                                                          service-http          high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================

S486 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                SEVERITY       ENABLED
22899.0   Redhat Directory Server HTTP Header Parsing Overflow                                service-http          high           true
23359.0   Microsoft IE Uninitialized Layout Memory Corruption Vulnerability                   string-tcp            high           false
25419.0   BigAnt IM Server USV Request Buffer Overflow                                        string-tcp            high           false

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================

S485 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                SEVERITY       ENABLED
15017.1   Oracle Secure Backup Login.php Command Injection                                    service-http          high           false
24300.0   Quicktime Video File Remote Code Execution                                          string-tcp            high           false
24620.0   ET Trojan                                                                           service-http          high           true

TUNED SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                SEVERITY       ENABLED
5329.0    Apache/mod_ssl Worm Probe                                                           service-http          high           false
15012.0   Oracle BEA WebLogic Server Apache Connector Buffer Overflow                         service-http          medium         true

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================

S484 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                SEVERITY       ENABLED
25479.0   Java Web Start Remote Code Execution Vulnerability                                  multi-string          high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================

S483 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                SEVERITY       ENABLED
25280.0   MPEG Layer-3 Audio Decoder Stack Overflow                                           multi-string          high           true
25300.0   Microsoft Office Publisher File Conversion TextBox Processing Buffer Overflow       string-tcp            high           true
25320.0   Microsoft Windows SMB Client Transaction Vulnerability                              service-smb-advanced  high           true
25320.1   Microsoft Windows SMB Client Response Parsing Vulnerability                         service-smb-advanced  high           true
25321.0   Microsoft Visio Remote Code Execution                                               string-tcp            high           true
25339.0   Media Services Stack-based Buffer Overflow Vulnerability                            string-tcp            high           true
25359.0   Microsoft Windows Server SMTP Denial of Service                                     atomic-ip             high           true
25399.0   Visio Index Calculation Memory Corruption                                           multi-string          high           true
25439.0   Microsoft Windows SMB Client Message Size Vulnerability                             string-tcp            high           true
25459.0   Windows Media Player Code Execution                                                 multi-string          medium         true
25460.0   SMB Client Remote Code Execution                                                    atomic-ip             high           true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================

S482 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                SEVERITY       ENABLED
24179.0   Oracle Database Server CREATE_TABLES SQL Injection                                  string-tcp            high           true
24381.0   IIS ExAir DoS                                                                       service-http          medium         false
24381.1   IIS ExAir DoS                                                                       service-http          medium         false
24381.2   IIS ExAir DoS                                                                       service-http          medium         false
24759.0   Apple CUPS PNG Filter Large Image Height Integer Buffer Overflow                    multi-string          high           false

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================

S481 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                SEVERITY       ENABLED
24139.0   FFmpeg vmd_read_header Integer Overflow                                             multi-string          high           false
25020.0   Microsoft Internet Explorer Remote Code Execution                                   string-tcp            high           true
25022.0   HTML Object Memory Corruption Vulnerability                                         meta                  high           true
25022.1   HTML Object Memory Corruption Vulnerability                                         string-tcp            informational  true
25022.2   HTML Object Memory Corruption Vulnerability                                         string-tcp            informational  true
25022.3   HTML Object Memory Corruption Vulnerability                                         string-tcp            informational  true
25023.0   Microsoft Internet Explorer Remote Code Execution                                   string-tcp            high           true
25024.0   Internet Explorer 7 Information Leak                                                multi-string          high           true
25025.0   Internet Explorer Memory Corruption                                                 string-tcp            high           true
25040.0   HTML Rendering Memory Corruption Vulnerability                                      string-tcp            high           true
25041.0   Microsoft IE 7.0 Race Condition                                                     multi-string          high           true
25042.0   Microsoft Internet Explorer Remote Code Execution                                   meta                  high           true
25042.1   Microsoft Internet Explorer Remote Code Execution                                   string-tcp            informational  true
25042.2   Microsoft Internet Explorer Remote Code Execution                                   string-tcp            informational  true
25059.0   HTML Element Cross-Domain Vulnerability                                             string-tcp            medium         true

TUNED SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                SEVERITY       ENABLED
11032.0   Share TCP Detected                                                                  service-p2p           low            true
11033.0   Share UDP Detected                                                                  service-p2p           low            true

CAVEATS

None.

Modified signature(s) detail: None.

=================================================================================================

S480 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                SEVERITY       ENABLED
11032.0   Share TCP Detected                                                                  service-p2p           medium         true
11033.0   Share UDP Detected                                                                  service-p2p           medium         true
50002.0   ICS_TEST_FILE                                                                       multi-string          low            true
50010.0   WORM_SOBER                                                                          multi-string          medium         true
50010.1   WORM_SOBER                                                                          multi-string          medium         true
50011.0   WORM_MYTOB                                                                          multi-string          medium         true
50011.1   WORM_MYTOB                                                                          multi-string          medium         true
50012.0   TROJ_SMALL                                                                          multi-string          medium         true
50012.1   TROJ_SMALL                                                                          multi-string          medium         true
50012.2   TROJ_SMALL                                                                          multi-string          medium         true
50012.3   TROJ_SMALL                                                                          multi-string          medium         true
50013.0   BKDR_VANBOT                                                                         multi-string          medium         true
50013.1   BKDR_VANBOT                                                                         multi-string          medium         true
50013.2   BKDR_VANBOT                                                                         multi-string          medium         false
50013.3   BKDR_VANBOT                                                                         multi-string          medium         true
50013.4   BKDR_VANBOT                                                                         multi-string          medium         true
50013.5   BKDR_VANBOT                                                                         multi-string          medium         true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.
=================================================================================================

S479 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID     SIGNAME                                                                             ENGINE                SEVERITY       ENABLED
24119.0   Cisco CUBE SIP Vulnerability                                                        atomic-ip             high           true
24600.0   Cisco IOS SIP DoS                                                                   atomic-ip             medium         false
24760.0   Cisco IOS SIP DoS                                                                   atomic-ip             medium         true
24780.0   Cisco IOS Crafted LDP Packet Denial of Service Vulnerability                        atomic-ip             medium         true
24781.0   Cisco IOS Malformed SCCP Vulnerability                                              atomic-ip             high           true
24799.0   Cisco IOS Malformed SCCP Vulnerability                                              atomic-ip             high           true
24899.0   Cisco IOS Software H.323 DoS                                                        string-tcp            medium         true

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

Modified signature(s) detail: None.