Cisco Intrusion Prevention System Signature Update S338
June 10, 2008

Copyright (C) 1999-2008 Cisco Systems, Inc. All rights reserved. Printed in
the USA. Cisco, Cisco Systems, and the Cisco Systems logo are registered
trademarks of Cisco Systems, Inc. in the U.S. and certain other countries. All
other trademarks mentioned in this document are the property of their
registered owners.

========================================================================
Table Of Contents
========================================================================

S338 SIGNATURE UPDATE DETAILS
  - NEW SIGNATURES
  - TUNED SIGNATURES
  - CAVEATS
  - RESOLVED CAVEATS
IMPORTANT NOTES
  - UPCOMING E2 ENGINE UPDATE
IPS 5.X AND 6.X SENSOR SIGNATURE UPDATE INSTRUCTIONS
  - TARGET PLATFORMS AND REQUIRED VERSIONS
  - INSTALLATION
  - UNINSTALLATION
  - CAVEATS
CSM SIGNATURE UPDATE INSTRUCTIONS
  - INSTALLATION
  - UNINSTALLATION
  - CAVEATS
IPS MANAGER EXPRESS (IME) VERSION 6.1
S279-S337 SIGNATURE UPDATE DETAILS
  - NEW FEATURES
  - NEW SIGNATURES
  - TUNED SIGNATURES/RESOLVED CAVEATS
  - CAVEATS

========================================================================
S338 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6544.0   ActiveX Object Memory Corruption Vulnerability                     META                  High      True
6544.1   ActiveX Object Memory Corruption Vulnerability                     STRING-TCP            Info      True
6545.0   WINS Local Privilege Escalation                                    ATOMIC-IP             Low       True
6546.0   SNMPv3 Malformed Authentication Attempt                            ATOMIC-IP             High      True
6960.0   IE Response Cross-Domain Info Disclosure                           META                  High      True
6960.1   IE Response Cross-Domain Info Disclosure                           STRING-TCP            Info      True
6960.2   IE Response Cross-Domain Info Disclosure                           STRING-TCP            Info      True
6961.0   IE HTML Objects Memory Corruption                                  STRING-TCP            High      True
6963.0   MJPEG Decoder Vulnerability                                        STRING-TCP            High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.
========================================================================
IMPORTANT NOTES

UPCOMING E2 ENGINE UPDATE

The next engine update (E2) will be available by June 15, 2008. After E2 is
released, all new signature releases will require E2. In preparation, the
following table should be reviewed to ensure that your IPS sensors have been
migrated to a release that is "Eligible for Engine Update" to automatically
take advantage of the new detection capabilities when the engine update is
available. Currently, these are IPS 6.0(4) or 6.1(1) for 6.x sensors and
5.1(7) for 5.x sensors.

Release                          Signature Support   Eligible for Engine Update?
Prior to 5.1(5)E1                No                  No
5.1(5)E1, 5.1(6)E1               Yes                 No
5.1(7)E1                         Yes                 Yes
6.0(1)E1, 6.0(2)E1, 6.0(3)E1     Yes                 No
6.0(4)E1                         Yes                 Yes
6.1(1)E1                         Yes                 Yes

The E2 engine update will only be supported on sensors running 5.1(7), 6.0(4)
or 6.1(1). IPS sensors running service pack versions older than 6.0(4) or
5.1(7) must be upgraded prior to or immediately upon the release of the E2
engine update.

Warning: After E2 is released, your sensors must be running release 5.1(7)E2,
6.0(4)E2 or 6.1(1)E2 to continue to install signature updates.

Please note that there is a 60-day grace period after a service pack or minor
release during which any engine updates will be released for both the current
and previous release. After 60 days, only the current release will receive an
engine update. Customers who choose to remain on an older release will be
required to update to the latest service pack in order to maintain up-to-date
protection.
For more information on supported versions, see:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_bulletin0900aecd80358daa.html

========================================================================
IPS 5.X AND 6.X SENSOR SIGNATURE UPDATE INSTRUCTIONS

TARGET PLATFORMS AND REQUIRED VERSIONS

------------------------------------------------------------------------
Note: Beginning with S288, signature updates have a minimum required version
of 5.1(5)E1. You must be running IPS version 5.1(5)E1 or later to install
signature update S288 or later.
------------------------------------------------------------------------

----------------------------------------------------------------------
NOTE: All signature updates are cumulative. The S338 signature update
contains all previously released signature updates.

This signature update may contain signatures that include protected
parameters. A protected value is not visible to the user.
----------------------------------------------------------------------

The IPS-sig-S338-req-E1.pkg upgrade file can be applied to the following
sensor platforms:

- IPS-42xx Cisco Intrusion Prevention System (IPS) sensors
- IDS-42xx Cisco Intrusion Detection System (IDS) sensors (except the
  IDS-4220 and IDS-4230)
- WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2)
- NM-CIDS IDS Network Module for Cisco 26xx, 3660, and 37xx Router Families
- ASA-SSM-10 Cisco ASA Advanced Inspection and Prevention Security Services
  Module (Requires ASA)
- ASA-SSM-20 Cisco ASA Advanced Inspection and Prevention Security Services
  Module (Requires ASA)
- ASA-SSM-40 Cisco ASA Advanced Inspection and Prevention Security Services
  Module (Requires ASA)
- AIM-IPS Cisco Advanced Integration Module for ISR Routers

The sensor must report its version as 5.1(5)E1 or later before you can apply
this signature update.
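The two version rules above (5.1(5)E1 or later for S288 and later signature updates; 5.1(7), 6.0(4) or 6.1(1) for the E2 engine update) are easy to check mechanically before an update is pushed to a fleet of sensors. The following Python script is an added example, not part of this Cisco release note: it parses IPS version strings of the form major.minor(servicepack)E<engine>, applies both rules, and reports what a sensor needs. The `show version` line it searches for is constructed for the example and may not match a real sensor's output exactly; the constructed sample output is labelled as such.

```python
"""Check a Cisco IPS sensor version against the signature-update and E2
engine-update requirements stated in the S338 release note.

Added example (not part of the Cisco release note). Rules taken from the note:
signature updates S288 and later need 5.1(5)E1 or later, and the E2 engine
update is supported only on 5.1(7), 6.0(4) and 6.1(1). The `show version`
line format searched below is an assumption made for this example.
"""
import re
from typing import NamedTuple, Optional

# IPS versions look like 5.1(7)E1: major.minor(service pack)E<engine level>.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:E(\d+))?$")

# Minimum release for S288 and later signature updates (from the note).
MIN_SIG_RELEASE = (5, 1, 5)
# Releases marked "Eligible for Engine Update" in the note's table.
E2_ELIGIBLE_RELEASES = {(5, 1, 7), (6, 0, 4), (6, 1, 1)}


class SensorVersion(NamedTuple):
    major: int
    minor: int
    sp: int
    engine: Optional[int]  # None when the string carries no E level

    @property
    def release(self) -> tuple:
        return (self.major, self.minor, self.sp)

    def __str__(self) -> str:
        base = f"{self.major}.{self.minor}({self.sp})"
        return base if self.engine is None else f"{base}E{self.engine}"


def parse_version(text: str) -> SensorVersion:
    """Parse '6.0(4)E1' into its numeric parts; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised IPS version string: {text!r}")
    major, minor, sp, eng = m.groups()
    return SensorVersion(int(major), int(minor), int(sp),
                         int(eng) if eng is not None else None)


def signature_update_supported(v: SensorVersion) -> bool:
    """True when the sensor can take S288 or later (5.1(5)E1 or later)."""
    return v.release >= MIN_SIG_RELEASE


def e2_eligible(v: SensorVersion) -> bool:
    """True when the release is one the note lists as E2-eligible."""
    return v.release in E2_ELIGIBLE_RELEASES


def version_from_show_version(output: str) -> SensorVersion:
    """Extract the version from `show version` output.

    Assumption: the version follows the word 'Version' on some line, as in the
    constructed sample below; adjust the pattern for your sensor's output.
    """
    m = re.search(r"\bVersion\s+(\d+\.\d+\(\d+\)E\d+)", output)
    if m is None:
        raise ValueError("no IPS version found in show version output")
    return parse_version(m.group(1))


def assess(v: SensorVersion, e2_released: bool = False) -> str:
    """Summarise what the sensor needs, following the note's rules."""
    if not signature_update_supported(v):
        return f"{v}: upgrade to 5.1(5)E1 or later before any S288+ signature update"
    if not e2_eligible(v):
        return f"{v}: signature updates OK, but upgrade to 5.1(7), 6.0(4) or 6.1(1) for E2"
    if e2_released and (v.engine is None or v.engine < 2):
        return f"{v}: install the E2 engine update to keep receiving signature updates"
    return f"{v}: OK"


# Constructed sample output for the example; not captured from a real sensor.
SAMPLE_SHOW_VERSION = """\
Application Partition:

Cisco Intrusion Prevention System, Version 6.0(3)E1
"""

if __name__ == "__main__":
    current = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(assess(current))
    print(assess(current, e2_released=True))
```

Run against saved `show version` output from each sensor; a sensor reported as needing an upgrade for E2 is one that will stop accepting signature updates once E2 ships, which is the condition the warning in the previous section describes.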
To determine the current sensor version, log in to the CLI and type the
following command at the prompt:

    show version

INSTALLATION

------------------------------------------------------------------------
Note: This signature update may take a while to install depending on the
configuration of the sensor and the amount of traffic the sensor is
processing. Please do not reboot the sensor while the signature update is
installing as the sensor may be left in an unknown state requiring it to be
reimaged.
------------------------------------------------------------------------

------------------------------------------------------------------------
Note: Before installing a new signature update, it is highly recommended that
you back up your configuration file to a remote system. For details, refer to
the Copy command section in the applicable Command Reference Guide located at
the following URLs:

IPS Version 6.1:
http://www.cisco.com/en/US/docs/security/ips/6.1/command/reference/crCmds.html#wp458440

IPS Version 6.0:
http://www.cisco.com/en/US/docs/security/ips/6.0/command/reference/crCmds.html#wp458440

IPS Version 5.1:
http://www.cisco.com/en/US/docs/security/ips/5.1/command/reference/crCmds.html#wp458440
------------------------------------------------------------------------

WARNING: DO NOT REBOOT THE SENSOR DURING THE INSTALLATION PROCESS. Doing so
will leave the sensor in an unknown state and may require that the sensor be
re-imaged.

To install the S338 signature update on a 5.1(5)E1 or later sensor:

1. Download the binary file IPS-sig-S338-req-E1.pkg to an ftp, scp, http, or
   https server on your network from:
   http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

   CAUTION: You must preserve the original file name.

2. Log in to the IPS CLI using an account with administrator privileges.

3. Type the following command to enter Configuration mode:

       configure terminal

4. Execute the upgrade command by typing the following:

       upgrade [URL]/IPS-sig-S338-req-E1.pkg

   where [URL] is the uniform resource locator pointing to where the signature
   update package is located. For example, to retrieve the update via FTP,
   type the following:

       upgrade ftp://username@ip-address//directory/IPS-sig-S338-req-E1.pkg

   The available transport methods are: SCP, FTP, HTTP, or HTTPS.

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

UNINSTALLATION

To uninstall the version S338 signature update and return the sensor to its
previous state, follow these steps:

1. Log in to the CLI using an account with administrator privileges.

2. Type the following command to enter Configuration mode:

       configure terminal

3. Type the following command to start the downgrade:

       downgrade

------------------------------------------------------------------------
Note: The downgrade may take a long time to complete depending on the
configuration of the sensor and the amount of traffic the sensor is
processing. Please do not reboot the sensor while the downgrade is occurring
as the sensor may be left in an unknown state requiring the sensor to be
reimaged.
------------------------------------------------------------------------

CAVEATS

None.

========================================================================
CSM/ IPS MC SIGNATURE UPDATE INSTRUCTIONS

You can only apply the IPS-CS-MGR-sig-S338-req-E1.zip signature update file
to CSM 3.0 or later and IPS MC version 2.2 or later.

------------------------------------------------------------------------
Note: Beginning with S288, signature updates have a minimum required version
of 5.1(5)E1. You must be running IPS version 5.1(5)E1 or later to install
signature update S288 or later.
------------------------------------------------------------------------

INSTALLATION

To install the version S338 signature update on CSM or IPS MC, follow these
steps:

1. Download the appropriate signature update ZIP file to the
   /MDC/etc/ids/updates directory on the server where you have installed
   CSM/ IPS MC from the following website:
   http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids

2. Start IPS MC from the CiscoWorks Server desktop.

3. Select Configuration > Updates.

4. In the TOC, select Update Network IDS/IPS Signatures.

5. In the TOC, select Submit.

6. Select a file from the Update File list box and click Apply.

7. Select the sensor(s) you want to update and click Next.

8. Enter a Job Name (optional) and select the Schedule Type: Immediate or
   Scheduled. If Scheduled is selected, set the start time of the update.

9. Click Next to continue.

10. Verify that the Summary is correct. Use the Back button to correct an
    incorrect entry.

11. Click Finish. Check the progress viewer to track the installation of the
    signature update to the sensor.

UNINSTALLATION

To uninstall a signature update that was installed using IPS MC, follow the
uninstallation instructions listed in the SENSOR SIGNATURE UPDATE INSTRUCTIONS
sections of this document.

CAVEATS

None.

========================================================================
IPS MANAGER EXPRESS (IME) VERSION 6.1

The Cisco IPS Manager Express (IME) is a powerful all-in-one IPS management
application. With one application, you can provision, monitor, troubleshoot,
and generate reports for as many as five IDS, IPS, or IOS IPS devices.

NOTE: While IME can be used to monitor sensor devices running Cisco IPS 5.0
and later, some of the newer features and functionality included in IME are
only supported on sensors running Cisco IPS Version 6.1 or later.

IME includes the following features:

- Real-time and historical events monitoring
- Customizable dashboards
- Integrated configuration management *
- Health monitoring console *
- RSS Feeds
- Video Help
- Reporting
- Startup Wizard *
- Integrated tools (ping, traceroute, whois, DNS)

* Only supported on sensors running Cisco IPS 6.1 and later.
IME Version 6.1 can be downloaded from CCO at the following URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ime

Refer to the readme for installation instructions and more details, including
instructions on migrating from IEV to IME.

The following additional applications can be used for event monitoring:

- IPS Event Viewer (IEV) Version 5.2
- CLI
- IDM
- CS MARS

Refer to the user documentation available at the following URL for more
details regarding IEV, CLI and IDM:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html

For more information on CS-MARS, visit:
http://www.cisco.com/en/US/products/ps6241/index.html

========================================================================
S337 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6270.0   HP OpenView Network Node Manager Integer Overflow                  STRING-TCP            High      True
6272.0   Novell iPrint Client ActiveX Buffer Overflow                       STRING-TCP            High      True
6274.0   McAfee ePolicy Orchestrator Format String                          ATOMIC-IP             High      True

TUNED SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
5894.0   Storm Worm                                                         STRING-TCP            Info      False
6527.0   Microsoft Publisher Invalid Memory Reference RCE                   STRING-TCP            High      True

DETAILS

5894.0 was disabled by default.
6527.0 was modified to increase signature fidelity.

CAVEATS

None.

========================================================================
S336 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6959.0   Adobe Flash Null Pointer Dereference                               STRING-TCP            High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S335 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6543.0   CiscoWorks Common Services Arbitrary Code Injection                SERVICE-HTTP          High      True
6944.0   CUPS CGI Compile Search Overflow                                   SERVICE-HTTP          High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.
========================================================================
S334 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6271.0   VMWare ActiveX Arbitrary File Access                               STRING-TCP            High      True
6273.0   Microsoft Works ActiveX WkImgSrv.dll Insecure Function             STRING-TCP            High      True
6299.0   Namo ActiveSquare6 ActiveX Vulnerability                           STRING-TCP            High      True
6788.0   SonicWALL SSL VPN Client Remote ActiveX Vulnerability              META                  High      True
6788.1   SonicWALL SSL VPN Client Remote ActiveX Vulnerabilities            STRING-TCP            Info      True
6788.2   SonicWALL SSL VPN Client Remote ActiveX Vulnerability              STRING-TCP            Info      True
6788.3   SonicWALL SSL VPN Client Remote ActiveX Vulnerabilities            META                  High      True
6788.4   SonicWALL SSL VPN Client Remote ActiveX Vulnerability              STRING-TCP            Medium    True
6940.0   RealPlayer ActiveX Remote Code Execution                           META                  High      True
6940.1   RealPlayer ActiveX Remote Code Execution                           STRING-TCP            Info      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S333 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6540.0   CUCM Certificate Trust List Memory Consumption DOS                 STRING-TCP            Medium    True
6954.0   CUCM SIP Stack DoS                                                 STRING-TCP            High      True
6954.1   CUCM SIP Stack DoS                                                 ATOMIC-IP             High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.
========================================================================
S332 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6269.0   HP Openview Operations Buffer Overflow                             STRING-TCP            High      True
6539.0   Microsoft Malware Protection Engine DoS                            STRING-TCP            Medium    True
6539.1   Microsoft Malware Protection Engine DoS                            STRING-TCP            Medium    True
6541.0   Microsoft Project Malformed File Exploit                           STRING-TCP            High      True
6951.0   Word Drawing Object Vulnerability                                  STRING-TCP            High      True
6952.0   Word Cascading Style Sheet (CSS) Vulnerability                     STRING-TCP            High      True

TUNED SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED   DDTS
6257.0   DHCP Client DoS                                                    ATOMIC-IP             Medium    True
         Detail: The regex of the signature was modified to increase fidelity.

CAVEATS

None.

========================================================================
S331 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6936.0   UCM Disaster Recovery Framework Command Execution                  STRING-TCP            High      True

CAVEATS

None.

========================================================================
S330 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6246.0   Gateway Weblaunch Activex Control                                  STRING-TCP            High      True
6246.1   Gateway Weblaunch Activex Control                                  STRING-TCP            High      True
6259.0   HP Linux Printing And Imaging hpssd Command Injection              STRING-TCP            High      True
6526.0   Lighttpd FastCGI Header Overrun                                    SERVICE-HTTP          High      True

TUNED SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED   DDTS
6242.0   Trend Micro ServerProtect eng50.dll Stack Overflow                 SERVICE-MSRPC         High      True      CSCso73898
         Detail: The regex of the signature was changed to increase fidelity.
11236.0  MSN File Transfer Proposal Received                                STRING-TCP            Info      False     Apr142008
         Detail: The regex of the signature was changed to increase fidelity.

CAVEATS

None.
========================================================================
S329 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6537.0   Kraken Botnet Traffic                                              ATOMIC-IP             High      True
6537.1   Kraken Botnet Traffic                                              ATOMIC-IP             High      True
6794.0   CA BrightStor ARCserve Backup Listservcntrl ActiveX Overflow       META                  High      True
6794.1   CA BrightStor ARCserve Backup Listservcntrl ActiveX Overflow       STRING-TCP            Info      True
6936.1   UCM Disaster Recovery Framework Command Execution                  STRING-TCP            High      True
6942.0   Yahoo ActiveX Buffer Overflow                                      META                  High      True
6942.1   Yahoo ActiveX Buffer Overflow                                      STRING-TCP            Info      True

TUNED SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED   DDTS
6934.0   GDI Buffer Overflow                                                STRING-TCP            High      True      CSCso75230
         Detail: The regex of the signature was changed to increase fidelity.
6935.0   CVE-2008-1086 ActiveX Killbit Update                               STRING-TCP            High      True      CSCso70249
         Detail: The regex of the signature was changed to increase fidelity.

CAVEATS

None.

========================================================================
S328 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6793.0   Microsoft Windows GDI Image Handling                               STRING-TCP            High      True
6793.1   Microsoft Windows GDI Image Handling                               STRING-TCP            High      True
6922.0   VBScript/JScript Remote Code Execution                             STRING-TCP            High      True
6934.0   GDI Buffer Overflow                                                STRING-TCP            High      True
6935.0   CVE-2008-1086 ActiveX Killbit Update                               STRING-TCP            High      True
6937.0   IE File Handling Memory Corruption                                 STRING-TCP            High      True
6939.0   Microsoft Project Remote Code Execution                            STRING-TCP            High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S327 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6936.0   UCM Disaster Recovery Framework Command Execution                  STRING-TCP            High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.
========================================================================
S326 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6530.0   SynCE Command Injection                                            STRING-TCP            High      True
6532.0   Perdition IMAP Proxy str_vwrite Format String                      STRING-TCP            High      True
6533.0   Computer Associates BrightStor ARCserve Backup Discovery Service   STRING-TCP            High      True
6535.0   Facebook Photo Uploader ActiveX Control                            META                  High      True
6535.1   Facebook Photo Uploader ActiveX Control                            STRING-TCP            Info      True
6536.0   Aurigma ImageUploader ActiveX Control                              META                  High      True
6536.1   Aurigma ImageUploader ActiveX Control                              STRING-TCP            Info      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S325 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6534.0   Symantec Backup Exec ActiveX Control                               META                  High      True
6534.1   Symantec Backup Exec ActiveX Control                               STRING-TCP            Info      True

TUNED SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED   DDTS
6926.1   Cisco IOS DLSw DoS                                                 SERVICE-GENERIC       Medium    True      CSCso43389

CAVEATS

None.

========================================================================
S324 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6926.0   Cisco IOS DLSw DoS                                                 SERVICE-GENERIC       Medium    True
6926.1   Cisco IOS DLSw DoS                                                 SERVICE-GENERIC       Medium    True
6931.0   Virtual-Access Interface Exhaustion DoS                            STRING-TCP            Medium    True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S323 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6265.0   Microsoft Jet Database Engine Buffer Overflow                      STRING-TCP            High      True
6266.0   Excel Malformed Header                                             STRING-TCP            High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.
========================================================================
S322 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6260.0   VERITAS Storage Foundation Administrator Buffer Overflow           ATOMIC-IP             High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

========================================================================
S321 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6262.0   Cisco Secure Access Control Server CGI Buffer Overflow             STRING-TCP            High      True
6263.0   XSS in Cisco ACS Server                                            SERVICE-HTTP          Medium    True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

Caveats: Signatures 1306.6, 1330.19, 1330.20, 1330.21 have been enabled as of
6.0(4); however, due to DDTS CSCso02772 they will not be visible in CSM/IDM,
and will not generate an alert in MARS/IEV. They will be released in an
upcoming build.

========================================================================
S320 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6261.0   ISC DHCP Remote DoS                                                ATOMIC-IP             Medium    True
6264.0   Excel Malformed Header                                             STRING-TCP            High      True
6278.0   Office Web Components DataSource Vulnerability                     META                  High      True
6278.1   Office Web Components DataSource Vulnerability                     STRING-TCP            Info      True
6278.2   Office Web Components DataSource Vulnerability                     STRING-TCP            Info      True
6509.0   Microsoft DXmedia SDK6 ActiveX Control                             META                  High      True
6509.1   Microsoft DXmedia SDK6 ActiveX Control                             STRING-TCP            Info      True
6509.2   Microsoft DXmedia SDK6 ActiveX Control                             STRING-TCP            Info      True
6513.0   Macrovision FlexNet DownloadManager Insecure Methods               META                  Medium    True
6513.1   Macrovision FlexNet DownloadManager Insecure Methods               STRING-TCP            Info      True
6513.2   Macrovision FlexNet DownloadManager Insecure Methods               STRING-TCP            Info      True
6528.0   Oracle Application Server 10G EmChartBeam Remote Directory Traversal  SERVICE-HTTP       Medium    True
6786.0   Microsoft PowerPoint Memory Corruption Vulnerability               STRING-TCP            High      True
6787.0   Microsoft Office Cell Parsing Memory Corruption Vulnerability      STRING-TCP            High      True
6928.0   Microsoft Outlook mailto URI Remote Code Execution                 STRING-TCP            High      True
6929.0   Microsoft Excel Memory Corruption                                  STRING-TCP            High      True
6930.0   Office Web Components URL Parsing Vulnerability                    META                  High      True
6930.1   Office Web Components URL Parsing Vulnerability                    STRING-TCP            Info      True
6930.2   Office Web Components URL Parsing Vulnerability                    STRING-TCP            Info      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

Caveats: Signatures 1306.6, 1330.19, 1330.20, 1330.21 have been enabled as of
6.0(4); however, due to DDTS CSCso02772 they will not be visible in CSM/IDM,
and will not generate an alert in MARS/IEV. They will be released in an
upcoming build.

========================================================================
S319 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
5850.1   Snort DCE/RPC Preprocessor Vulnerability                           ATOMIC-IP             High      True
5918.0   AskJeeves Toolbar ActiveX Buffer Overflow                          META                  High      True
5918.1   AskJeeves Toolbar ActiveX Buffer Overflow                          STRING-TCP            Info      True
5920.0   Apple Quicktime VRPanoSampleAtom Heap Overflow                     STRING-TCP            High      True
6760.0   RealPlayer ActiveX Buffer Overflow                                 META                  High      True
6760.1   RealPlayer ActiveX Buffer Overflow                                 STRING-TCP            Info      True
6760.2   RealPlayer ActiveX Buffer Overflow                                 STRING-TCP            Low       True
6773.0   WordPerfect X3 Printer Selection Vulnerability                     STRING-TCP            High      True
6784.3   Adobe PDF Code Execution                                           STRING-TCP            High      True

TUNED SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED   DDTS
5602.0   Windows System32 Directory File Creation                           SERVICE-SMB-ADVANCED  Medium    True      CSCsm92938
6767.0   Microsoft Windows RSH Daemon Stack Overflow                        STRING-TCP            High      True      CSCsm93323

Details: Both signatures were modified to increase fidelity.
CAVEATS

Caveats: Signatures 1306.6, 1330.19, 1330.20, 1330.21 have been enabled as of
6.0(4); however, due to DDTS CSCso02772 they will not be visible in CSM/IDM,
and will not generate an alert in MARS/IEV. They will be released in an
upcoming build.

========================================================================
S318 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6236.0   AMI Pro File Buffer Overflow                                       STRING-TCP            High      True
6242.0   Trend Micro ServerProtect eng50.dll Stack Overflow                 SERVICE-MSRPC         High      True
6512.0   Macrovision FlexNet isusweb.dll DownloadAndExecute Method          META                  High      True
6512.1   Macrovision FlexNet isusweb.dll DownloadAndExecute Method          STRING-TCP            Info      True
6512.2   Macrovision FlexNet isusweb.dll DownloadAndExecute Method          STRING-TCP            Info      True
6784.0   Adobe PDF Code Execution                                           STRING-TCP            High      True
6784.1   Adobe PDF Code Execution                                           STRING-TCP            High      True
6784.2   Adobe PDF Code Execution                                           STRING-TCP            High      True
6785.0   Microsoft Visual Basic VBP File Processing Buffer Overflow         META                  High      True
6785.1   Microsoft Visual Basic VBP File Processing Buffer Overflow         STRING-TCP            Info      True
6785.2   Microsoft Visual Basic VBP File Processing Buffer Overflow         STRING-TCP            Info      True

TUNED SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED   DDTS
6767.0   Microsoft Windows RSH Daemon Stack Overflow                        STRING-TCP            High      True      CSCsm75486
         Details: Signature regex has been modified to increase fidelity.
6771.0   Microsoft Windows WebDAV Mini Redirector                           STRING-TCP            High      True      CSCsm75491
         Details: Signature regex has been modified to increase fidelity.
6780.2   IE Argument Handling Memory Corruption Vulnerability               STRING-TCP            Info      True      CSCsm80785
         Details: Signature regex has been modified to increase fidelity.

CAVEATS

None.
========================================================================
S317 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6775.1   Microsoft Office Works Converter Remote Code Execution             STRING-TCP            High      True
6781.0   SIP Proxy Response Overflow                                        ATOMIC-IP             High      True
6782.0   SIP MIME Request Boundary Overflow                                 ATOMIC-IP             High      True

TUNED SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6776.0   Microsoft Works Converter Input Validation Remote Code Execution   STRING-TCP            High      True
         Details: The name of the signature was modified to correct a typo.

CAVEATS

None.

========================================================================
S316 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
5921.0   Apple Quicktime Color Table Overflow                               STRING-TCP            High      True
6249.0   Visual Studio 6 Activex Exploit                                    STRING-TCP            High      True
6257.0   DHCP Client DoS                                                    ATOMIC-IP             Medium    True
6258.0   Microsoft IE HTML Rendering Memory Corruption                      STRING-TCP            High      True
6527.0   Microsoft Publisher Invalid Memory Reference RCE                   STRING-TCP            High      True
6771.0   Microsoft Windows WebDAV Mini Redirector                           STRING-TCP            High      True
6775.0   Microsoft Office Works Converter Remote Code Execution             STRING-TCP            High      True
6776.0   Microsoft Works Converter Input Validation Remote Code Execution   STRING-TCP            High      True
6777.0   Windows OLE Automation Remote Code Execution                       META                  High      True
6777.1   Windows OLE Automation Remote Code Execution                       STRING-TCP            Info      True
6777.2   Windows OLE Automation Remote Code Execution                       STRING-TCP            Info      True
6778.0   Microsoft Works Converter Index Table Vulnerability                STRING-TCP            High      True
6780.0   IE Argument Handling Memory Corruption Vulnerability               META                  High      True
6780.1   IE Argument Handling Memory Corruption Vulnerability               STRING-TCP            Info      True
6780.2   IE Argument Handling Memory Corruption Vulnerability               STRING-TCP            Info      True
6923.0   Word Memory Corruption Vulnerability                               META                  High      True
6923.1   Word Memory Corruption Vulnerability                               STRING-TCP            Info      True
6924.0   MS Publisher Remote Code Execution                                 STRING-TCP            High      True
6925.0   IE Property Memory Corruption                                      META                  High      True
6925.1   IE Property Memory Corruption                                      STRING-TCP            Info      True
6925.2   IE Property Memory Corruption                                      STRING-TCP            Info      True
6925.3   IE Property Memory Corruption                                      STRING-TCP            Info      True

TUNED SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED   DDTS
11204.0  Jabber Activity                                                    STRING-TCP            Low       False     CSCsh81056
         Details: An additional port was added to the detection range.

CAVEATS

None.

========================================================================
S315 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6228.0   Mac OSX Software Update Remote Code Execution                      META                  High      True
6228.1   Mac OSX Software Update Remote Code Execution                      STRING-TCP            Info      True
6228.2   Mac OSX Software Update Remote Code Execution                      STRING-TCP            Info      True
6228.3   Mac OSX Software Update Remote Code Execution                      STRING-TCP            Info      True
6229.0   MS SQL Server sqldmo.dll Overflow                                  META                  High      True
6229.1   MS SQL Server sqldmo.dll Overflow                                  STRING-TCP            Info      True
6229.2   MS SQL Server sqldmo.dll Overflow                                  STRING-TCP            Info      True
6235.0   Apple Quicktime SMIL Overflow                                      STRING-TCP            High      True
6449.0   Apache Tomcat Mod_jk Stack Overflow                                SERVICE-HTTP          High      True
6767.0   Microsoft Windows RSH Daemon Stack Overflow                        STRING-TCP            High      True
6768.0   Samba WINS Remote Code Execution Vulnerability                     META                  High      True
6768.1   Samba WINS Remote Code Execution Vulnerability                     ATOMIC-IP             Info      True
6768.2   Samba WINS Remote Code Execution Vulnerability                     ATOMIC-IP             Info      True
6769.0   Netware LSASS CIFS.NLM Driver Overflow                             SERVICE-SMB-ADVANCED  High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.
========================================================================
S314 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6510.0   GOM Player ActiveX Control Buffer Overflow                         META                  High      True
6510.1   GOM Player ActiveX Control Buffer Overflow                         STRING-TCP            Info      True
6510.2   GOM Player ActiveX Control Buffer Overflow                         STRING-TCP            Info      True
6764.0   Cisco PIX and ASA Time-to-Live DoS                                 ATOMIC-IP             Medium    False
6764.1   Cisco PIX and ASA Time-to-Live DoS                                 ATOMIC-IP             Medium    False
6765.0   Cisco Application Velocity System Default Passwords                SERVICE-HTTP          High      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S313 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6171.0   HP Info Center HPInfoDLL.dll ActiveX Control Remote Code Execution  STRING-TCP           High      True
6224.0   Windows IGMP Overflow                                              ATOMIC-IP             High      True
6755.0   Windows Remote Kernel TCP/IP ICMP Vulnerability                    ATOMIC-IP             Medium    True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S312 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6017.3   DirectShow SAMI Parsing Remote Code Execution                      META                  High      True
6017.4   DirectShow SAMI Parsing Remote Code Execution                      STRING-TCP            Info      True
6017.5   DirectShow SAMI Parsing Remote Code Execution                      STRING-TCP            Info      True
6412.0   Malformed BGP Message                                              ATOMIC-IP             Medium    True

TUNED SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED   DDTS
6030.0   Microsoft Windows Message Queuing Service Code Execution           SERVICE-MSRPC         High      True      CSCsl77366
         Details: The regex was modified to increase fidelity.

CAVEATS

None.
========================================================================
S311 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
6017.0   DirectShow SAMI Parsing Remote Code Execution                      META                  High      True
6017.1   DirectShow SAMI Parsing Remote Code Execution                      STRING-TCP            Info      True
6017.2   DirectShow SAMI Parsing Remote Code Execution                      STRING-TCP            Info      True
6030.0   Microsoft Windows Message Queuing Service Code Execution           SERVICE-MSRPC         High      True
6069.0   Windows Media Format Remote Code Execution                         META                  High      True
6069.1   Windows Media Format Remote Code Execution                         STRING-TCP            Info      True
6069.2   Windows Media Format Remote Code Execution                         STRING-TCP            Info      True
6069.3   Windows Media Format Remote Code Execution                         STRING-TCP            Info      True
6069.4   Windows Media Format Remote Code Execution                         META                  High      True
6069.5   Windows Media Format Remote Code Execution                         STRING-TCP            Info      True
6069.6   Windows Media Format Remote Code Execution                         META                  High      True
6069.7   Windows Media Format Remote Code Execution                         STRING-TCP            Info      True
6069.8   Windows Media Format Remote Code Execution                         STRING-TCP            Info      True
6403.0   IE Uninitialized Memory Corruption                                 META                  High      True
6403.1   IE Uninitialized Memory Corruption                                 STRING-TCP            Info      True
6406.0   DirectShow WAV Parsing Remote Code Execution                       STRING-TCP            High      True
6408.0   IE DHTML Memory Corruption                                         META                  High      True
6408.1   IE DHTML Memory Corruption                                         STRING-TCP            Info      True
6409.0   IE Invalid Object Memory Corruption                                META                  High      True
6409.1   IE Invalid Object Memory Corruption                                STRING-TCP            Info      True
6409.2   IE Invalid Object Memory Corruption                                STRING-TCP            Info      True
6410.0   IE Unsafe Memory Operation                                         META                  High      True
6410.1   IE Unsafe Memory Operation                                         STRING-TCP            Info      True
6410.2   IE Unsafe Memory Operation                                         STRING-TCP            Info      True

TUNED SIGNATURES

SIGID    SIGNAME                                                            ENGINE                SEVERITY  ENABLED
5928.0   CSA for Windows System Driver Remote Buffer Overflow Vulnerability  SERVICE-SMB-ADVANCED  High     True

CAVEATS

None.
========================================================================
S310 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5915.0   Microsoft FoxPro ActiveX Vulnerability                  STRING-TCP            High     True
5928.0   CSA for Windows System Driver Remote Buffer Overflow Vulnerability  SERVICE-SMB-ADVANCED  High     True
5985.0   Quicktime RTSP Content-Type Excessive Length            STRING-TCP            High     True

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
3115.0   Sendmail Data Header Overflow                           STATE                 High     False
         Details: This signature was retired.

CAVEATS

None.

========================================================================
S309 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
5478.0   Microsoft Exchange SMTP Overflow                        STRING-TCP            High     True     CSCsl20094
         Details: Signature regex has been modified to increase fidelity.
5478.1   Microsoft Exchange SMTP Overflow                        STRING-TCP            High     True     CSCsl20094
         Details: Signature regex has been modified to increase fidelity.
5684.2   Malformed SIP Packet                                    ATOMIC-IP             High     True     CSCsl01844
         Details: Signature regex has been modified to increase fidelity.
5894.1   Storm Worm                                              ATOMIC-IP             High     True
         Details: Signature regex and event counts were modified to increase fidelity.

CAVEATS

None.
========================================================================
S308 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5878.0   VBE Object ID Buffer Overflow                           STRING-TCP            High     True
5889.0   NeoTrace ActiveX Buffer Overflow                        STRING-TCP            High     True
5909.0   Browser Address Bar Spoofing Attack                     STRING-TCP            Medium   True
5916.0   URL Handler Vulnerability                               STRING-TCP            High     True
5919.0   Microsoft Kodak Image Viewer Overflow                   STRING-TCP            High     True

The following signatures were modified via DDTS CSCsk71144 to be set to DISABLED and RETIRED:
    5146.1, 5146.2, 5146.3, 5146.4, 5146.5, 5146.6, 5146.7, 5146.8, 5146.9,
    5146.10, 5146.11, 5146.12, 5146.13, 5146.14, 5146.15, 5146.16, 5146.17

The following signatures were modified to be set to DISABLED and RETIRED:
    3254.0, 3254.1, 3347.0, 5045.0, 5047.0, 5159.0, 5188.1, 5188.3, 5247.0,
    5364.0, 5406.0, 5423.0, 5425.0, 5427.0, 5432.0, 5437.0, 5441.0, 5441.1,
    5453.0, 5460.0, 5461.0, 5462.0, 5545.0, 5545.1, 5554.0, 5556.0, 5610.0,
    5638.0, 5678.0, 5695.0, 5722.0, 5729.0, 5729.1, 5734.0, 5735.0, 5753.0,
    5768.0, 5777.0, 12025.0, 12025.1, 12026.0

CAVEATS

None.

========================================================================
S307 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5910.0   CUCM Centralized TFTP File Locator Service Buffer Overflow  SERVICE-HTTP          Medium   True
5912.0   CUCM SIP INVITE UDP Denial of Service                   ATOMIC-IP             Medium   True
5913.0   PIX/ASA/FWSM MGCP DoS                                   MULTI-STRING          Medium   True
5913.1   PIX/ASA/FWSM MGCP DoS                                   MULTI-STRING          Medium   True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S306 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
6068.0   Cisco Wireless Control System Administrative Default Password  STRING-TCP            Medium   True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.
========================================================================
S305 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5809.0   DCERPC Authentication DoS                               META                  Medium   True
5809.1   DCERPC Authentication DoS                               STRING-TCP            Info     True
5809.2   DCERPC Authentication DoS                               STRING-TCP            Info     True
5809.3   DCERPC Authentication DoS                               STRING-TCP            Info     True
5903.0   MS SharePoint XSS                                       META                  Medium   True
5903.1   MS SharePoint XSS                                       SERVICE-HTTP          Info     True
5903.2   MS SharePoint XSS                                       STRING-TCP            Info     True
5905.0   Microsoft Internet Explorer Address Bar Spoof           STRING-TCP            Low      True
5905.1   Microsoft Internet Explorer Address Bar Spoof           STRING-TCP            Low      True
5906.0   Microsoft Malformed Word Document Code Execution        STRING-TCP            High     True
5908.0   NNTP Overflow                                           META                  High     True
5908.1   NNTP Overflow                                           STRING-TCP            Info     True
5908.2   NNTP Overflow                                           STRING-TCP            Info     True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S304 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
3338.0   Windows RPC Race Condition Exploitation                 SERVICE-MSRPC         High     True     CSCsk73541
         Details: The SFR (signature fidelity rating) for this signature was lowered to 80 and the opcode was set to 0.

CAVEATS

None.

========================================================================
S303 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5880.0   Sun Java Web Start JNLP File Stack Overflow             STRING-TCP            High     True
5885.0   EnjoySAP kweditcontrol.kwedit Stack Overflow            STRING-TCP            High     True
5902.0   AIM Message HTML Injection                              STRING-TCP            High     True

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
3338.0   Windows RPC Race Condition Exploitation                 SERVICE-MSRPC         High     True     CSCsj62336
         Details: alert-frequency set to fire-once and summary-key set to AxBx.
3531.0   Cisco IOS Telnet DoS                                    SERVICE-GENERIC       High     True     CSCsk45744
         Details: sig-fidelity-rating set to 75 and sig-description updated.

The following signatures were modified via DDTS CSCsk64356 to remove hidden ports:
    5561-2, 5641-0, 5641-1, 5716-0, 5727-0, 5731-1, 5731-2, 5732-1, 5732-2,
    5766-0 and 5775-1.

The following signatures were modified via DDTS CSCsk50822 to remove hidden ports:
    5861-0, 5861-1, 5863-1, 5863-2, 5864-0, 5888-0, 6130-1, 6130-2, 6130-4,
    6130-7, 6130-8 and 6130-10.

The following signatures were modified via DDTS CSCsk48393 to remove hidden ports:
    5776-3, 5797-1, 5797-2, 5797-3, 5799-1, 5799-2, 5799-3, 5799-5, 5799-6,
    5814-1, 5814-2, 5822-1 and 5822-2.

The following signatures were modified via DDTS CSCsk65780 to remove hidden ports:
    5830-0, 5831-0, 5835-0, 5835-1, 5835-3, 5835-4, 5835-6, 5835-7, 5839-0,
    5857-1 and 5857-2.

CAVEATS

None.

========================================================================
S302 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5890.0   Long IMAP SUBSCRIBE Command                             STRING-TCP            High     True
5893.0   Cisco IP Phone Remote Denial of Service                 META                  Medium   True
5893.1   Cisco IP Phone Remote Denial of Service                 ATOMIC-IP             Info     True
5893.2   Cisco IP Phone Remote Denial of Service                 ATOMIC-IP             Info     True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.
========================================================================
S301 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5435.0   Crystal Reports Remote Code Execution                   STRING-TCP            High     True
5898.0   Microsoft Agent HTTP Code Execution                     META                  High     True
5899.0   MSN Messenger Webcam Buffer Overflow                    ATOMIC-IP             High     True

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
5773.0   Simple PHP Blog Unauthorized File Access                SERVICE-HTTP          Low      False
5773.1   Simple PHP Blog Unauthorized File Access                SERVICE-HTTP          Low      False
5806.0   Winny P2P Connection Activity                           META                  Low      False
5806.1   Winny P2P Connection Activity                           SERVICE-GENERIC       Info     False
5806.2   Winny P2P Connection Activity                           SERVICE-GENERIC       Info     False
5806.3   Winny P2P Connection Activity                           SERVICE-GENERIC       Info     False
5828.0   Apache Server Side Cross Site Scripting                 SERVICE-HTTP          Medium   False
12001.0  Bonzi Buddy Spyware Beacon                              SERVICE-HTTP          Low      False
12002.0  SaveNow Ad Request                                      SERVICE-HTTP          Low      False
12002.1  SaveNow Ad Request                                      SERVICE-HTTP          Low      False
12003.0  Ezula Spyware                                           SERVICE-HTTP          Low      False
12004.0  Cydoor Spyware                                          SERVICE-HTTP          Low      False
12005.0  Hotbar Activity                                         SERVICE-HTTP          Low      False
12005.1  Hotbar Activity                                         SERVICE-HTTP          Low      False
12006.0  Linkgrabber99 Activity                                  SERVICE-HTTP          Low      False
12008.0  180solutions Adware                                     SERVICE-HTTP          Low      False
12009.0  MarketScore Activity                                    SERVICE-HTTP          Low      False
12010.0  GAIN Adware Activity                                    SERVICE-HTTP          Low      False
12011.0  TOPicks Activity                                        SERVICE-HTTP          Low      False
12013.0  ISTbar Toolbar Activity                                 SERVICE-HTTP          Low      False
12014.0  KeenValue Spyware                                       SERVICE-HTTP          Low      False
12014.1  KeenValue Spyware                                       SERVICE-HTTP          Low      False
12015.0  ShopAtHomeSelect Agent Activity                         SERVICE-HTTP          Low      False
12015.1  ShopAtHomeSelect Agent Activity                         SERVICE-HTTP          Low      False
12016.0  SearchRelevancy Spyware                                 SERVICE-HTTP          Low      False
12017.0  TSA Activity                                            SERVICE-HTTP          Low      False
12018.0  Toprebate Activity                                      SERVICE-HTTP          Low      False
12019.0  SideFind Activity                                       SERVICE-HTTP          Low      False
12020.0  WindUpdates Activity                                    SERVICE-HTTP          Low      False
12021.0  Internet Optimizer Activity                             SERVICE-HTTP          Low      False
12023.0  DAP Activity                                            SERVICE-HTTP          Low      False
12023.1  DAP Activity                                            SERVICE-HTTP          Low      False
12024.0  New.net Activity                                        SERVICE-HTTP          Low      False

CAVEATS

None.

========================================================================
S300 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5703.0   Video Surveillance IP Gateway Encoder/Decoder Telnet Authentication Vulnerability  STRING-TCP            High     True
5816.1   TOR Client Activity                                     MULTI-STRING          Low      True

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
5873.0   Microsoft Speech API 4 ActiveX Overflow                 STRING-TCP            High     True     CSCsk29135
5874.0   Microsoft Speech API 4 ActiveX Overflow                 STRING-TCP            High     True     CSCsk29135
5483.0   IE Content Advisor Buffer Overflow                      STRING-TCP            High     False
5490.0   Firefox JavaScript IFRAME Exploitation                  STRING-TCP            High     False
6011.0   Internet Explorer FTP Command Injection                 STRING-TCP            High     False
11210.0  AIM / ICQ Through HTTP Proxy                            SERVICE-HTTP          Info     False
11210.1  AIM / ICQ Through HTTP Proxy                            STRING-TCP            Info     False

CAVEATS

None.

========================================================================
S299 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5892.0   Motive Communications ActiveUtils Buffer Overflow       STRING-TCP            High     True

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
5810.0   SecureCRT SSH1 Buffer Overflow                          STRING-TCP            High     True     CSCsk23856
         Details: The Exact-match-offset parameter has been increased to increase fidelity.
5894.0   Storm Worm                                              STRING-TCP            High     True     CSCsk23846
         Details: The regular expression of this signature has been modified to increase fidelity.

CAVEATS

None.
========================================================================
S298 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5894.0   Storm Worm                                              STRING-TCP            High     True
5894.1   Storm Worm                                              ATOMIC-IP             High     True

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
1315.0   ACK w/o TCP Stream                                      NORMALIZER            Info     True     CSCsj18685
         Details: sig-string-info spelling error corrected.
3123.0   NetBus Pro Traffic                                      ATOMIC-IP             Medium   False
         Details: Signature set DISABLED and RETIRED.
5884.1   IOS NHRP Buffer Overflow                                SERVICE-GENERIC       High     True     CSCsk08883
         Details: The instruction set for this signature has been updated to increase its fidelity.

CAVEATS

None.

========================================================================
S297 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5683.0   Vista Feed Headlines Gadget Remote Code Execution       META                  High     True
5683.1   Vista Feed Headlines Gadget Remote Code Execution       STRING-TCP            Info     True
5683.2   Vista Feed Headlines Gadget Remote Code Execution       STRING-TCP            Info     True
5887.0   Microsoft PDWizard ActiveX Overflow                     STRING-TCP            High     True
5888.0   TLBINF32.DLL COM Object Instantiation                   STRING-TCP            High     True

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
3166.0   FTP USER Suspicious Length                              STRING-TCP            High     True     CSCsk01172
         Details: Signature regex has been modified to increase fidelity.
5561.0   Windows SMTP Overflow                                   META                  High     True     CSCsk02763
         Details: The meta-key has been modified to display the victim address.
5727.0   Cisco VPN 3000 Concentrator HTTP Attack Vulnerability   STRING-TCP            High     False
         Details: The signature has been set to DISABLED and RETIRED.

CAVEATS

========================================================================
S296 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5884.1   IOS NHRP Buffer Overflow                                SERVICE-GENERIC       High     True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

========================================================================
S295 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5684.0   Malformed SIP Packet                                    ATOMIC-IP             Medium   True
5684.1   Malformed SIP Packet                                    STRING-TCP            Medium   True
5684.2   Malformed SIP Packet                                    ATOMIC-IP             High     True
5684.3   Malformed SIP Packet                                    ATOMIC-IP             Medium   True
5684.4   Malformed SIP Packet                                    STRING-TCP            Medium   True
5684.5   Malformed SIP Packet                                    STRING-UDP            Medium   True
5684.6   Malformed SIP Packet                                    ATOMIC-IP             Medium   True
5884.0   IOS NHRP Buffer Overflow                                SERVICE-GENERIC       High     True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

========================================================================
S294 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

The S294 signature update contains the following modified signatures:

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
3527.0   UW imapd Overflows                                      STRING-TCP            High     True
         Details: Signature parameter min-match-length was reduced from 1000 to 850.
3527.1   UW imapd Overflows                                      STRING-TCP            High     True
         Details: Signature parameter min-match-length was reduced from 1000 to 850.
3527.2   UW imapd Overflows                                      STRING-TCP            High     True
         Details: Signature parameter min-match-length was reduced from 1000 to 850.
3527.4   UW imapd Overflows                                      STRING-TCP            High     True
         Details: Signature parameter min-match-length was reduced from 1000 to 850.
5474.0   SQL Query in HTTP Request                               SERVICE-HTTP          Low      True     CSCsj41253
         Details: Signature regex modified to enhance detection capabilities.
5769.0   Malformed HTTP Request                                  STRING-TCP            Medium   True     CSCsj82872
         Details: Signature regex modified to increase fidelity.

The following signatures were set DISABLED and RETIRED for 5.x and 6.x platforms:

SIGID    SIGNAME
3716.0   GDI+ JPEG Buffer Overflow
3716.1   GDI+ JPEG Buffer Overflow
4151.0   BOBAX Virus Activity
4151.1   BOBAX Virus Activity
5402.0   Internet Explorer URL Spoofing
5476.0   HTML Application Execution
5552.0   Windows Media Player Skin File Code Execution Vulnerability
5693.0   Metafile Buffer Overflow
5693.1   Metafile Buffer Overflow
5694.0   Enhanced Metafile Buffer Overflow

========================================================================
S293 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5877.0   IE Protocol Handler Command Execution                   STRING-TCP            High     True

CAVEATS

None.

========================================================================
S292 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5876.0   WinZip ActiveX Control Instantiation                    STRING-TCP            High     True

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
5408.0   Windows HCP URI Parsing Script Exec                     STRING-TCP            High     False    CSCsj42837
         Details: This signature is being retired to resolve DDTS CSCsj42837.
5408.1   Windows HCP URI Parsing Script Exec                     STRING-TCP            High     False    CSCsj42837
         Details: This signature is being retired to resolve DDTS CSCsj42837.
5418.0   IIS Cross Site Scripting .htw                           STRING-TCP            Low      False    CSCsj42837
         Details: This signature is being retired to resolve DDTS CSCsj42837.
5456.0   Internet Explorer 5 ie5filex Exploit                    STRING-TCP            Medium   False    CSCsj42837
         Details: This signature is being retired to resolve DDTS CSCsj42837.
5515.0   IE DHTML Edit Control                                   STRING-TCP            Low      False    CSCsj42837
         Details: This signature is being retired to resolve DDTS CSCsj42837.
5551.0   Outlook Web Access Cross Site Scripting Vulnerability   STRING-TCP            High     False    CSCsj42837
         Details: This signature is being retired to resolve DDTS CSCsj42837.
5557.0   Windows ICC Color Management Module Vulnerability       STRING-TCP            Info     True     CSCsj08650
         Details: The parameters in signature 5557 subsigs 0-2 have been modified to increase fidelity.
5557.1   Windows ICC Color Management Module Vulnerability       STRING-TCP            Medium   True     CSCsj08650
         Details: The parameters in signature 5557 subsigs 0-2 have been modified to increase fidelity.
5557.2   Windows ICC Color Management Module Vulnerability       META                  High     True     CSCsj08650
         Details: The parameters in signature 5557 subsigs 0-2 have been modified to increase fidelity.
5692.0   Macromedia Flash Overflow                               STRING-TCP            High     False    CSCsj42837
         Details: This signature is being retired to resolve DDTS CSCsj42837.
5868.0   IE Navigation Cancel Page Spoofing Vulnerability        STRING-TCP            Medium   True     CSCsj37443
         Details: The regex of this signature has been modified to increase fidelity.
6253.0   POP3 Authorization Failure                              STRING-TCP            Info     True     CSCsj37628
         Details: The regex of this signature has been modified to increase fidelity.

CAVEATS

None.

========================================================================
S291 SIGNATURE UPDATE DETAILS

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
5829.0   Invalid SSL Packet                                      SERVICE-GENERIC       Medium   True     CSCsi10673
         Details: The intermediate instructions have been modified to increase fidelity. The signature name has changed.
5871.0   Urlmon.dll COM Object Instantiation                     STRING-TCP            High     True     CSCsj31189
         Details: The signature has been modified to increase fidelity. The signature name has changed.

CAVEATS

None.
========================================================================
S290 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5775.1   MHTML Redirection                                       STRING-TCP            Low      True
5868.0   IE Navigation Cancel Page Spoofing Vulnerability        STRING-TCP            Medium   True
5869.0   Internet Explorer CSS Tag Memory Corruption             STRING-TCP            High     True
5870.0   Win32 API Vulnerability                                 STRING-TCP            High     True
5871.0   License Manager ActiveX Control Instantiation           STRING-TCP            High     True
5873.0   Microsoft Speech API 4 ActiveX Overflow                 STRING-TCP            High     True
5874.0   Microsoft Speech API 4 ActiveX Overflow                 STRING-TCP            High     True

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
3403.0   Telnet Excessive Environment Options                    STRING-TCP            High     False    CSCsj21903
         Details: The signature was disabled and retired.

CAVEATS

None.

========================================================================
S289 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
3328.0   Windows SMB/RPC NoOp Sled                               STRING-TCP            Medium   True     CSCsj06346
         Details: The regex of this signature has been modified to improve signature fidelity.
5596.0   Windows SMB/RPC NoOp Sled                               SERVICE-SMB-ADVANCED  Medium   True     CSCsj06346
         Details: The regex of this signature has been modified to improve signature fidelity.
5751.0   Ultr@VNC Client Overflow                                STRING-TCP            High     True     CSCsg34564
         Details: The regex of this signature has been modified to improve signature fidelity.

CAVEATS

None.

========================================================================
S288 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5866.0   IBM Lotus Domino IMAP CRAM-MD5 Overflow                 STRING-TCP            High     True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.
========================================================================
S287 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5843.0   CA BrightStor Tape Engine Overflow                      SERVICE-MSRPC         High     True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S286 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

There are no new signatures for this release.

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
5865.1   Microsoft WMS Arbitrary File Rewrite Vulnerability      STRING-TCP            Info     True     CSCsi84401
         Details: The regex of this signature has been modified to improve signature fidelity.

The following signatures have been retired to resolve CSCsi84693:

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
5642.0   DirectShow Overflow                                     STRING-TCP            Info     False    CSCsi84693
5642.1   DirectShow Overflow                                     STRING-TCP            Info     False    CSCsi84693
5642.2   DirectShow Overflow                                     STRING-TCP            Medium   False    CSCsi84693
5642.3   DirectShow Overflow                                     META                  High     False    CSCsi84693
6004.0   IOS HTTP Server Iframe Command Injection                STRING-TCP            High     False    CSCsi84693

CAVEATS

None.

========================================================================
S285 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5860.0   IOS FTPd Successful Login                               META                  Low      True
5860.1   IOS FTPd Successful Login                               STRING-TCP            Info     True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.
========================================================================
S284 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5840.2   Internet Explorer CLSID Code Execution                  STRING-TCP            High     True
5862.0   Outlook Web Access UTF Character Script Execution       MULTI-STRING          High     True
5863.0   Internet Explorer CAPICOM.Certificates Remote Code Execution  META                  High     True
5863.1   Internet Explorer CAPICOM.Certificates Remote Code Execution  STRING-TCP            Info     True
5863.2   Internet Explorer CAPICOM.Certificates Remote Code Execution  STRING-TCP            Info     True
5864.0   Exchange Server IMAP Literal Processing Vulnerability   STRING-TCP            Medium   True
5865.0   Microsoft WMS Arbitrary File Rewrite Vulnerability      META                  High     True
5865.1   Microsoft WMS Arbitrary File Rewrite Vulnerability      STRING-TCP            Info     True
5865.2   Microsoft WMS Arbitrary File Rewrite Vulnerability      STRING-TCP            Info     True

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
5840.0   Internet Explorer CLSID Code Execution                  STRING-TCP            High     True     CSCsi55663
         Details: Regex was modified to increase fidelity.
5689.0   MSSQL Resolution Service Keep-Alive DoS                 ATOMIC-IP             Medium   True     CSCsi74017
         Details: To increase fidelity, the udp-valid-length parameter for this signature has been modified from 2 to 2-30000.

The following signatures have been retired to resolve CSCsi70742:

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
3161.0   FTP realpath Buffer Overflow                            STRING-TCP            High     False    CSCsi70742
3161.1   FTP realpath Buffer Overflow                            STRING-TCP            High     False    CSCsi70742
3235.0   showHelp CHM File Execution Weakness                    STRING-TCP            High     False    CSCsi70742
3235.1   showHelp CHM File Execution Weakness                    STRING-TCP            High     False    CSCsi70742
3252.0   Microsoft Agent ActiveX Control                         STRING-TCP            Low      False    CSCsi70742
3340.0   Windows Shell External Handler                          STRING-TCP            High     False    CSCsi70742
3346.0   Windows TSShutdn.exe Attempt                            STRING-TCP            Info     False    CSCsi70742
3353.0   SMB Request Overflow                                    STRING-TCP            Medium   False    CSCsi70742
3353.1   SMB Request Overflow                                    META                  High     False    CSCsi70742
3353.2   SMB Request Overflow                                    META                  High     False    CSCsi70742
3409.0   Telnet Over Non-standard Ports                          STRING-TCP            Info     False    CSCsi70742
3409.1   Telnet Over Non-standard Ports                          STRING-TCP            Info     False    CSCsi70742
3409.2   Telnet Over Non-standard Ports                          STRING-TCP            Info     False    CSCsi70742
5407.0   IIS PCT Overflow                                        STRING-TCP            High     False    CSCsi70742
5409.0   Microsoft HCP Remote Code Execution                     STRING-TCP            High     False    CSCsi70742
5409.1   Microsoft HCP Remote Code Execution                     STRING-TCP            High     False    CSCsi70742
5446.0   Internet Explorer Install Engine Overflow               STRING-TCP            High     False    CSCsi70742
5645.0   SSH URI Handler                                         STRING-TCP            Low      False    CSCsi70742
5730.0   Winamp Playlist File Handling Buffer Overflow           STRING-TCP            High     False    CSCsi70742
5774.0   Windows Media Player PNG Processing Remote Code Execution  STRING-TCP            High     False    CSCsi70742
5793.0   SMB Server Driver Remote Execution                      STRING-TCP            High     False    CSCsi70742
5818.0   Metasploit Shellcode Encoder                            STRING-TCP            Medium   False    CSCsi70742
5818.2   Metasploit Shellcode Encoder                            STRING-TCP            Medium   False    CSCsi70742
5818.4   Metasploit Shellcode Encoder                            STRING-TCP            Medium   False    CSCsi70742
5818.6   Metasploit Shellcode Encoder                            STRING-TCP            Medium   False    CSCsi70742
5818.8   Metasploit Shellcode Encoder                            STRING-TCP            Medium   False    CSCsi70742
5818.10  Metasploit Shellcode Encoder                            STRING-TCP            Medium   False    CSCsi70742

CAVEATS

None.

========================================================================
S283 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

PLATFORM  SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5.x,6.x   5855.0   Helix Remote Code Execution                             STRING-TCP            High     True
5.x,6.x   5861.0   Cisco CNS Netflow Collection Engine Default Password    SERVICE-HTTP          High     True
5.x,6.x   5861.1   Cisco CNS Netflow Collection Engine Default Password    STRING-TCP            High     True

TUNED SIGNATURES

PLATFORM  SIGID    SIGNAME                                                 DDTS
5.x,6.x   5858.4   DNS Server RPC Interface Buffer Overflow                CSCsi56228
                   Details: Regex was modified to increase fidelity.

CAVEATS

None.

========================================================================
S282 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5858.1   DNS Server RPC Interface Buffer Overflow                META                  High     True
5858.2   DNS Server RPC Interface Buffer Overflow                STRING-TCP            Info     True
5858.3   DNS Server RPC Interface Buffer Overflow                STRING-TCP            Info     True
5858.4   DNS Server RPC Interface Buffer Overflow                ATOMIC-IP             High     True

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
5858.0   DNS Server RPC Interface Buffer Overflow                SERVICE-MSRPC         High     True     CSCsi53171
         Details: Regex was modified to increase fidelity.

CAVEATS

None.

========================================================================
S281 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5858.0   DNS Server RPC Interface Buffer Overflow                SERVICE-MSRPC         High     True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.

========================================================================
S280 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5851.0   WCS Administrative Directory Access                     SERVICE-HTTP          Low      True

TUNED SIGNATURES

There are no tuned signatures for this release.

CAVEATS

None.
========================================================================
S279 SIGNATURE UPDATE DETAILS

NEW SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED
5748.4   Non-SMTP Session Start                                  STRING-TCP            Info     True
5748.5   Non-SMTP Session Start                                  STRING-TCP            Info     True
5848.0   Content Management Service Cross-site Scripting         SERVICE-HTTP          High     True
5849.0   Microsoft Content Management Server Vulnerability       SERVICE-HTTP          High     True
5854.1   Cisco CUCM/CUPS Denial of Service Vulnerability         STRING-TCP            Medium   True
5856.0   Agent URL Parsing Remote Code Execution                 META                  High     True
5856.1   Agent URL Parsing Remote Code Execution                 STRING-TCP            Info     True
5856.2   Agent URL Parsing Remote Code Execution                 STRING-TCP            Info     True
5857.0   UPnP Memory Corruption Vulnerability                    META                  High     True
5857.1   UPnP Memory Corruption Vulnerability                    STRING-TCP            Info     True
5857.2   UPnP Memory Corruption Vulnerability                    STRING-TCP            Info     True

TUNED SIGNATURES

SIGID    SIGNAME                                                 ENGINE                SEVERITY ENABLED  DDTS
5606.0   SMB Authorization Failure                               SERVICE-SMB-ADVANCED  Info     True     CSCsi28135
         Details: Event count set to 3.
5748.0   Non-SMTP Session Start                                  META                  Low      True     CSCsi13918
         Details: Additional component signatures were added to increase signature fidelity.
5788.0   ICCP Invalid TPKT Protocol                              STRING-TCP            Low      False    CSCsi41363
         Details: Regex was modified for cross-platform support.
5846.0   FTP 230 Reply Code                                      STRING-TCP            Info     True     CSCsi30977
         Details: Regex was modified to increase fidelity.

CAVEATS

None.
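The release tables above are the only record of which signatures each update added, tuned, disabled or retired, and because the readme lists releases newest first, a signature such as 5858.4 (new in S282, tuned in S283) or the S284/S292/S308 retirements can only be reconciled against a sensor by walking the releases in order. The following Python is an added example, not Cisco's code and not part of any IPS tool. It parses the plain-text layout used in this section (one signature per row, columns separated by two or more spaces, an indented "Details:" line under tuned rows, and "... RETIRED:" sentences followed by bare SIGIDs or by rows of the retired signatures), builds the per-signature history, and flags signatures a sensor still reports as enabled although the notes retired them or last shipped them disabled. SAMPLE is a constructed, abbreviated excerpt of entries that appear on this page, and sensor_enabled stands in for a sensor's exported signature list; neither is real sensor output.

```python
"""Added example, not Cisco's code: per-signature change history parsed from the
plain-text tables of this readme. SAMPLE is constructed from entries on this page."""
import re
from dataclasses import dataclass
from typing import Optional

RELEASE_RE = re.compile(r"^(S\d+) SIGNATURE UPDATE DETAILS$")
ROW_RE = re.compile(r"^(?:\d\.x(?:,\d\.x)*\s{2,})?\d+\.\d+\s{2,}")  # [PLATFORM] SIGID ...
RETIRE_RE = re.compile(r"\bretired\b[^:]*:\s*(.*)$", re.I)        # "... RETIRED: ids"
SIGID_RE = re.compile(r"\d+[.-]\d+")        # the page writes both 5561.2 and 5561-2
IDLIST_RE = re.compile(r"[\d.,\-\s]+")      # a line holding nothing but SIGIDs
DDTS_RE = re.compile(r"CSC[a-z]{2}\d{5}")   # Cisco bug ID, e.g. CSCsi70742

@dataclass
class SigChange:
    release: str
    sigid: str
    kind: str                 # "new", "tuned" or "retired"
    name: str = ""
    engine: str = ""
    severity: str = ""
    enabled: Optional[bool] = None   # None when the row carries no ENABLED column
    ddts: str = ""
    details: str = ""

def _row(release, kind, line):
    cols = re.split(r"\s{2,}", line)        # columns are separated by 2+ spaces
    if not SIGID_RE.fullmatch(cols[0]):     # S283 layout: leading PLATFORM column
        cols = cols[1:]
    c = SigChange(release, cols[0], kind, cols[1])
    for tok in cols[2:]:                    # trailing columns are optional
        if tok in ("High", "Medium", "Low", "Info"):
            c.severity = tok
        elif tok in ("True", "False"):
            c.enabled = tok == "True"
        elif DDTS_RE.fullmatch(tok):
            c.ddts = tok
        else:
            c.engine = tok
    return c

def _retired(release, id_text, ddts):
    return [SigChange(release, s.replace("-", "."), "retired", enabled=False, ddts=ddts)
            for s in SIGID_RE.findall(id_text)]

def parse_release_notes(text):
    changes, release, kind, ddts = [], "", None, ""
    for line in (ln.strip() for ln in text.splitlines()):
        if (m := RELEASE_RE.match(line)):
            release, kind = m.group(1), None
        elif line in ("NEW SIGNATURES", "TUNED SIGNATURES"):
            kind = line.split()[0].lower()
        elif line.startswith("Details:") and changes:   # indented note under a tuned row
            changes[-1].details = line[len("Details:"):].strip()
        elif ROW_RE.match(line) and kind:
            changes.append(_row(release, kind, line))
        elif (m := RETIRE_RE.search(line)):             # sentence introducing retirements
            kind, ddts = "retired", (DDTS_RE.search(line) or [""])[0]
            changes.extend(_retired(release, m.group(1), ddts))
        elif kind == "retired" and IDLIST_RE.fullmatch(line):
            changes.extend(_retired(release, line, ddts))
    return changes

def latest_state(changes):
    """Last change per SIGID, applying releases oldest first (readme lists newest first)."""
    state = {}
    for c in sorted(changes, key=lambda c: int(c.release[1:] or 0)):
        state[c.sigid] = c
    return state

def retired_ids(changes):
    return {c.sigid for c in changes if c.kind == "retired" or "retired" in c.details.lower()}

def audit_sensor(changes, sensor_enabled):
    """SIGIDs a sensor (constructed export) still enables that were retired or ship disabled."""
    state, retired = latest_state(changes), retired_ids(changes)
    return {sid: "retired" if sid in retired else "shipped disabled"
            for sid in sorted(sensor_enabled)
            if sid in retired or (sid in state and state[sid].enabled is False)}

SAMPLE = """\
S314 SIGNATURE UPDATE DETAILS
NEW SIGNATURES
6764.0   Cisco PIX and ASA Time-to-Live DoS          ATOMIC-IP      Medium   False
S308 SIGNATURE UPDATE DETAILS
NEW SIGNATURES
The following signatures were modified via DDTS CSCsk71144 to be set to DISABLED and RETIRED:
    5146.1, 5146.2, 5146.3
S292 SIGNATURE UPDATE DETAILS
TUNED SIGNATURES
5408.0   Windows HCP URI Parsing Script Exec         STRING-TCP     High     False    CSCsj42837
         Details: This signature is being retired to resolve ddts CSCsj42837
S283 SIGNATURE UPDATE DETAILS
TUNED SIGNATURES
5.x,6.x  5858.4   DNS Server RPC Interface Buffer Overflow    CSCsi56228
         Details: Regex was modified to increase fidelity.
S282 SIGNATURE UPDATE DETAILS
NEW SIGNATURES
5858.4   DNS Server RPC Interface Buffer Overflow    ATOMIC-IP      High     True
"""
```

To use it against the real readme, feed the whole text of this section to parse_release_notes and pass the SIGIDs from a sensor's signature listing as sensor_enabled. Two deliberate choices: the "remove hidden ports" lists in S303 are not treated as retirements because they do not contain the word "retired", and a retirement recorded only in a Details line (the S292 and S298 style) is picked up by the case-insensitive check in retired_ids, so 5408.0 is reported even though its row is still in the TUNED table.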