[Snort-sigs] Snort VRT Updates Questions/Concerns

Colin Grady colin.grady at ...2420...
Thu Nov 16 21:45:22 EST 2006

I'm looking at the latest Snort VRT rules advisory and trying to figure out
what the 'State Change Rules' section means in the Change Log (
Based on what is provided, it would seem that signatures are being changed
from an Enabled to a Disabled state, or from a Disabled to an Enabled state
-- but that doesn't seem to be the case.

Below are a few lines from the Change Log:

State change rules:
1233 <-> Disabled <-> WEB-CLIENT Outlook EML access (web-client.rules)
1284 <-> Disabled <-> WEB-CLIENT readme.eml download attempt (
1290 <-> Disabled <-> WEB-CLIENT readme.eml autoload attempt (
1735 <-> Disabled <-> WEB-CLIENT XMLHttpRequest attempt (web-client.rules)

Looking at the first signature referenced (1233 - WEB-CLIENT Outlook EML
access), I don't see any changes since the last VRT release and the revision
number is the same.

Also, the 'New Rules' section obviously lists the new rules that were
introduced in the release. Below are the first few lines from this section:

New rules:
9129 <-> Disabled <-> WEB-CLIENT WinZip FileView 6.1 ActiveX CLSID access (
9130 <-> Disabled <-> WEB-CLIENT WinZip FileView 6.1 ActiveX CLSID unicode
access (web-client.rules)
9131 <-> Disabled <-> WEB-CLIENT WinZip FileView 6.1 ActiveX function call
access (web-client.rules)

Based on the above, I would assume that those three signatures are all
disabled by default. However, when I look at the rules themselves, only the
last one (9131) is actually disabled:

sys1:~/rules$ grep 9129 *.rules | cut -d : -f 2 | awk '{ print $1 }'
sys1:~/rules$ grep 9130 *.rules | cut -d : -f 2 | awk '{ print $1 }'
sys1:~/rules$ grep 9131 *.rules | cut -d : -f 2 | awk '{ print $1 }'

This seems WAY wrong.

Any insight would be appreciated, and thanks in advance.

Colin Grady
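As an added example (not part of the original post), a POSIX shell check that reports the state of a rule by exact SID. It anchors on the `sid:NNN;` option so that a longer SID containing the same digits is not matched, and it treats both `#alert` and `# alert` as disabled. The ruleset below is a constructed sample with hypothetical rule bodies, not the VRT rules.

```shell
#!/bin/sh
# Constructed sample ruleset (hypothetical rules, not the VRT ruleset).
# Disabled rules are commented out with a leading '#', sometimes followed
# by a space ('# alert'); a naive "cut -d : -f 2 | awk '{print $1}'"
# prints "#" for that form instead of the action keyword.
RULES='alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT sample one"; sid:9129; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT sample two"; sid:9130; rev:1;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT sample three"; sid:9131; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT sample four"; sid:19129; rev:1;)'

# Source of rule lines; for a real ruleset replace the body with
# something like: cat "$HOME"/rules/*.rules
rules_source() {
    printf '%s\n' "$RULES"
}

# rule_state SID: prints "enabled", "disabled" or "missing".
# The sid option is matched exactly ("sid:9129;"), so a bare "grep 9129"
# false positive on sid:19129 cannot occur.
rule_state() {
    sid="$1"
    line=$(rules_source | grep -E "[;[:space:]]sid:[[:space:]]*${sid};" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -Eq '^[[:space:]]*#'; then
        echo disabled
    else
        echo enabled
    fi
}

# Usage: report the state of each SID named in the change log excerpt.
for s in 9129 9130 9131; do
    printf '%s %s\n' "$s" "$(rule_state "$s")"
done
```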