[Snort-devel] Enquiry Sourcefire VRT Rules Update

Dennis Lau dennis.lau at ...3356...
Mon Jan 14 05:11:43 EST 2013


Dear Snort developers,

I found that there is a basket of rules being modified and disabled by VRT.
I am trying to review them, as I am currently using a SIEM to make some
correlations. Below is the list that I summarized.

I would like to know why these specific rules would be disabled by VRT.
What is the reason behind it?

Some of them are commonly triggered by most sniffers, like PROTOCOL-ICMP
Echo Reply (1:408), which was disabled by a VRT update, and 1:1417.

Why would Snort disable them? Is there any documentation that provides a
complete explanation of the change? Will disabling them affect Snort's
accuracy on vulnerability detection?


ID       Reason                              Name
-------  ----------------------------------  ------------------------------------------------------------
3:10161  it impacts the Snort engine only    NETBIOS SMB write_andx overflow attempt
1:20258  it was disabled by VRT update       OS-WINDOWS Microsoft Forefront UAG javascript handler in URI XSS attempt
1:19618  it was disabled by VRT update       FILE-OTHER Adobe multiple products dwmapi.dll dll-load exploit attempt
1:402    it commonly appears in the network  PROTOCOL-ICMP Destination Unreachable Port Unreachable
3:15474  customer is not using ISA 2004      BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt
1:11257  it was disabled by VRT update       BROWSER-IE Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt
1:1201   it was disabled by VRT update       INDICATOR-COMPROMISE 403 Forbidden
1:1394   it was disabled by VRT update       INDICATOR-SHELLCODE x86 inc ecx NOOP
1:649    it was disabled by VRT update       INDICATOR-SHELLCODE x86 setgid 0
1:11686  it was disabled by VRT update       OS-WINDOWS Microsoft Windows WebDAV search overflow attempt
1:5708   it was disabled by VRT update       POLICY-OTHER web server file upload attempt
1:399    it was disabled by VRT update       PROTOCOL-ICMP Destination Unreachable Host Unreachable
1:408    it was disabled by VRT update       PROTOCOL-ICMP Echo Reply
1:466    it was disabled by VRT update       PROTOCOL-ICMP L3retriever Ping
1:384    it was disabled by VRT update       PROTOCOL-ICMP PING
1:449    it was disabled by VRT update       PROTOCOL-ICMP Time-To-Live Exceeded in Transit
1:385    it was disabled by VRT update       PROTOCOL-ICMP traceroute
1:1010   it was disabled by VRT update       SERVER-IIS encoding access
1:1042   it was disabled by VRT update       SERVER-IIS view source via translate header
1:1045   it was disabled by VRT update       SERVER-IIS Unauthorized IP Access Attempt
1:13719  it was disabled by VRT update       SERVER-ORACLE database username buffer overflow
1:1560   it was disabled by VRT update       SERVER-WEBAPP /doc/ access
1:1213   it was disabled by VRT update       SERVER-WEBAPP backup access
1:882    it was disabled by VRT update       SERVER-WEBAPP calendar access
1:2305   it was disabled by VRT update       SERVER-WEBAPP chatbox.php access
1:2381   it was disabled by VRT update       SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt
1:1546   it was disabled by VRT update       SERVER-WEBAPP Cisco /%% DOS attempt
1:862    it was disabled by VRT update       SERVER-WEBAPP csh access
1:1288   it was disabled by VRT update       WEB-FRONTPAGE /_vti_bin/ access

I am looking forward to hearing your reply.

Best regards,

Dennis Lau

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130114/94b9226b/attachment.html>
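The review Dennis describes (working out which rules a VRT update commented out or changed, so the SIEM correlations can be adjusted) can be scripted by diffing two snapshots of a rules file keyed by GID:SID. The Python below is an added example for this thread, not code from the original post or from Snort/VRT. Its rule bodies are constructed stand-ins: only the SIDs and messages come from the list in the mail, the rev numbers and option bodies are made up, and 1:1000001 is a made-up local rule included to exercise the "re-enabled" path. Text rules default to GID 1; shared-object rule stubs carry an explicit gid:3 option, which is why 3:10161 parses with GID 3.

```python
"""Diff two versions of a Snort rules file and report, keyed by GID:SID,
which rules an update disabled, re-enabled, modified, added or removed.

Added example for this thread, not Snort or VRT code. Rule bodies below
are constructed stand-ins; only the SIDs and messages come from the post.
"""
import re
from dataclasses import dataclass

# A rule line: optional leading '#' (how an update disables a rule), the
# action, the header up to the first '(', and the option block inside ( ).
RULE_RE = re.compile(
    r'^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s+([^(]*)\((.*)\)\s*$'
)
# key:value; option pairs; quoted values may contain ';' so match them whole.
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    rev: int
    msg: str
    enabled: bool
    body: str  # normalised rule text, compared to spot modified rules


def parse_rules(text: str) -> dict:
    """Map 'gid:sid' -> Rule for every rule line, enabled or commented out."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and ordinary comments are not rules
        disabled, action, header, options = m.groups()
        opts = {k: v.strip('"') for k, v in OPT_RE.findall(options)}
        if "sid" not in opts:
            continue
        rule = Rule(
            gid=int(opts.get("gid", 1)),  # text rules default to GID 1;
            sid=int(opts["sid"]),         # SO rule stubs carry gid:3
            rev=int(opts.get("rev", 0)),
            msg=opts.get("msg", ""),
            enabled=disabled is None,
            body=f"{action} {header.strip()} ({options.strip()})",
        )
        rules[f"{rule.gid}:{rule.sid}"] = rule
    return rules


def diff_rules(before: dict, after: dict) -> dict:
    """Classify each GID:SID by what changed. A rule that was both edited
    and commented out is reported once, as 'disabled'."""
    report = {"disabled": [], "enabled": [], "modified": [], "added": [], "removed": []}
    keys = sorted(set(before) | set(after), key=lambda k: tuple(map(int, k.split(":"))))
    for key in keys:
        old, new = before.get(key), after.get(key)
        if old is None:
            report["added"].append(key)
        elif new is None:
            report["removed"].append(key)
        elif old.enabled and not new.enabled:
            report["disabled"].append(key)
        elif not old.enabled and new.enabled:
            report["enabled"].append(key)
        elif old.body != new.body:
            report["modified"].append(key)
    return report


def format_report(report: dict, before: dict, after: dict) -> str:
    lines = []
    for kind, keys in report.items():
        for key in keys:
            rule = after.get(key) or before[key]
            lines.append(f"{kind:<9} {key:<9} rev {rule.rev:<3} {rule.msg}")
    return "\n".join(lines)


# Constructed "before" snapshot (stand-in bodies, not the real VRT rules).
BEFORE = """
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply"; itype:0; icode:0; classtype:misc-activity; sid:408; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Port Unreachable"; itype:3; icode:3; classtype:misc-activity; sid:402; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS view source via translate header"; flow:to_server,established; content:"Translate"; nocase; classtype:web-application-activity; sid:1042; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB write_andx overflow attempt"; flow:to_server,established; gid:3; sid:10161; rev:1; classtype:attempted-admin;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL constructed test rule"; flow:to_server; sid:1000001; rev:1;)
"""

# Constructed "after" snapshot: 408 and 402 commented out, 1042 edited with
# a rev bump, 3:10161 untouched, the made-up local rule switched on.
AFTER = """
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply"; itype:0; icode:0; classtype:misc-activity; sid:408; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Port Unreachable"; itype:3; icode:3; classtype:misc-activity; sid:402; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; nocase; classtype:web-application-activity; sid:1042; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB write_andx overflow attempt"; flow:to_server,established; gid:3; sid:10161; rev:1; classtype:attempted-admin;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL constructed test rule"; flow:to_server; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    before, after = parse_rules(BEFORE), parse_rules(AFTER)
    print(format_report(diff_rules(before, after), before, after))
```

Run against the previous and current snort.rules (or the so_rules stubs) the script lists the GID:SID pairs that flipped state, which is the set to reconcile against SIEM correlation rules that reference those IDs; a rule that was edited and commented out in the same update appears only under "disabled", since the state flip is what matters downstream.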

