[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-04-13

Jeff Nathan jeff at ...95...
Wed Apr 14 15:30:45 EDT 2010


Is there some reason you feel like it's your duty to be a complete
douchebag and shit on this list every time you get a bug up your ass?

Any time you're ready to contribute to a large, complex open source
project please let me know.  Then I can occasionally toss some hand
grenade emails onto your list.

Asshat.

-Jeff

On Wed, Apr 14, 2010 at 2:49 PM, evilghost at ...3397...
<evilghost at ...3397...> wrote:
> They're not here either.  To be honest the whole VRT deployment process
> reminds me of some Rube Goldberg machine that is perpetually in some
> state of being broken.  VRT is like Ubuntu when it was based on Debian
> Sid.  It's *almost* good and usable and from time to time you can get
> things done in spite of it.  I'd like to think the 30-day delayed
> Registered User VRT packs are like the Ubuntu LTS, it's still unstable
> but it's usually working somehow.
>
> I will comment that without fail, there's *always* some epic failure in
> the VRT release.  I really look forward to them like a sadist.  Whether
> it be a non-existent change log, the implementation of new features
> without announcement crashing older versions of Snort in the same
> branch, release announcements before the archive even fully exists on
> the webserver and you're serving up truncated tar-gzips, signatures that
> map the network like those that detect on "SMTP HELO", VRT shared_object
> rules which do not contain pre-built binaries for the current download
> release on Snort.org, etc.
>
> I like to think the guys go out the night before the VRT release, get
> really *really* wasted, and come in the next day and push out some
> goodness, then sit back and high-five each other every time an issue like
> this comes out.  Then they go back and light up cigars with $100 bills
> out of the VRT subscription vault.
>
> I pulled the VRT archive yesterday Nigel.  They're not there.
>
> -evilghost
>
> infosec posts wrote:
>> It's great that VRT can be so timely with IDS signatures for patch
>> Tuesday.  Unfortunately, it doesn't appear that the SO rules they
>> wrote this time actually made it into the ruleset they released
>> yesterday.  Did anyone else actually get these rules?  I certainly
>> can't find them in my download.  I did get the updated non-SO rules.
>>
>>
>> From: Research <research () sourcefire com>
>> Date: Tue, 13 Apr 2010 14:17:37 -0400 (EDT)
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> Sourcefire VRT Certified Snort Rules Update
>>
>> Synopsis:
>> The Sourcefire VRT is aware of vulnerabilities affecting products from
>> Microsoft Corporation.
>>
>> Details:
>> Microsoft Security Advisory (MS10-019):
>> The Microsoft CAB Subject Interface Package (SIP) implementation
>> contains a programming error that may allow a remote attacker to bypass
>> the authentication mechanism.
>>
>> A rule to detect attacks targeting this vulnerability is included in
>> this release and is identified with GID 3, SID 16530.
>>
>> Microsoft Security Advisory (MS10-020):
>> The Microsoft implementation of the SMB protocol contains programming
>> errors that may allow a remote attacker to execute code on an affected
>> system.
>>
>> Rules to detect attacks targeting these vulnerabilities are included in
>> this release and are identified with GID 3, SIDs 16531, 16532, 16539
>> and 16540.
>>
>> Microsoft Security Advisory (MS10-023):
>> Microsoft Publisher contains a programming error that may allow a
>> remote attacker to execute code on an affected system.
>>
>> A rule to detect attacks targeting this vulnerability is included in
>> this release and is identified with GID 3, SID 16542.
>>
>> Microsoft Security Advisory (MS10-024):
>> The Microsoft SMTP service is prone to a Denial of Service condition
>> that may be triggered by a remote attacker.
>>
>> A rule to detect attacks targeting this vulnerability is included in
>> this release and is identified with GID 3, SID 16534.
>>
>> Microsoft Security Advisory (MS10-025):
>> The Microsoft Windows Media Service suffers from a programming error
>> that may allow a remote attacker to execute code on an affected system.
>>
>> A rule to detect attacks targeting this vulnerability is included in
>> this release and is identified with GID 3, SID 16541.
>>
>> Microsoft Security Advisory (MS10-026):
>> Microsoft Windows Media Player contains a programming error that may
>> allow a remote attacker to execute code on an affected system.
>>
>> A rule to detect attacks targeting this vulnerability is included in
>> this release and is identified with GID 3, SID 16543.
>>
>> Microsoft Security Advisory (MS10-027):
>> Microsoft Windows Media Player contains a programming error that may
>> allow a remote attacker to execute code on an affected system via an
>> ActiveX control.
>>
>> A rule to detect attacks targeting this vulnerability is included in
>> this release and is identified with GID 3, SID 16537.
>>
>> Microsoft Security Advisory (MS10-028):
>> Microsoft Visio suffers from programming errors that may allow a remote
>> attacker to execute code on an affected system.
>>
>> Rules to detect attacks targeting these vulnerabilities are included in
>> this release and are identified with GID 3, SIDs 16535 and 16536.
>>
>> Microsoft Security Advisory (MS10-029):
>> The Microsoft implementation of IPv6 contains a programming error that
>> may allow a remote attacker to spoof connections to an affected host.
>>
>> A rule to detect attacks targeting this vulnerability is included in
>> this release and is identified with GID 3, SID 16533.
>>
>> For a complete list of new and modified rules please see:
>>
>> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-04-13.html
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.2.6 (GNU/Linux)
>>
>> iD8DBQFLxLVBQcQOxItLLaMRAtYsAJ9Uf1k22CyZtytMSKcR3dDo6GaT7QCeK1Gj
>> +jAO1JxvJ4Ner69HCVjtKPs=
>> =yRyG
>> -----END PGP SIGNATURE-----
>>
>>
>
>
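
The thread turns on whether the GID 3 rules named in the announcement actually shipped in the downloaded rule pack. The sketch below is an added example, not part of any message in this thread and not Sourcefire's tooling: it extracts the announced GID/SID pairs from the advisory text and compares them with the `sid`/`gid` options of the rules present. The rule lines are constructed stand-ins, and the function names are hypothetical.

```python
import re

# Excerpt of the announcement as quoted in this thread (quote markers kept).
ADVISORY = """\
>> A rule to detect attacks targeting this vulnerability is included in
>> this release and is identified with GID 3, SID 16530.
>>
>> Rules to detect attacks targeting these vulnerabilities are included in
>> this release and are identified with GID 3, SIDs 16531, 16532, 16539
>> and 16540.
"""

# Constructed stand-ins for lines read from the unpacked rule files.
RULES = [
    'alert tcp any any -> any any (msg:"constructed stub A"; sid:16530; gid:3; rev:1;)',
    '# alert tcp any any -> any any (msg:"constructed, disabled"; sid:16531; gid:3; rev:1;)',
    'alert tcp any any -> any any (msg:"constructed text rule"; sid:16539; rev:1;)',
    'alert tcp any any -> any any (msg:"constructed stub C"; gid:3; sid:16532; rev:1;)',
]

def announced_ids(advisory):
    """(gid, sid) pairs named in 'GID n, SID(s) a, b and c' phrases."""
    text = re.sub(r"(?m)^[> ]+", "", advisory)   # drop e-mail quote markers
    text = " ".join(text.split())                # rejoin wrapped lines
    pairs = set()
    for m in re.finditer(r"GID (\d+), SIDs? (\d+(?:(?:, | and )\d+)*)", text):
        pairs.update((int(m.group(1)), int(s)) for s in re.findall(r"\d+", m.group(2)))
    return pairs

def loaded_ids(rule_lines):
    """(gid, sid) pairs of active rules; a rule without gid: is generator 1."""
    ids = set()
    for line in rule_lines:
        line = line.strip()
        if not line or line.startswith("#"):     # commented-out rules never load
            continue
        sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", line)
        gid = re.search(r"\bgid\s*:\s*(\d+)\s*;", line)
        if sid:
            ids.add((int(gid.group(1)) if gid else 1, int(sid.group(1))))
    return ids

def missing_rules(advisory, rule_lines):
    """Announced rules that no active rule line provides, sorted."""
    return sorted(announced_ids(advisory) - loaded_ids(rule_lines))

if __name__ == "__main__":
    for gid, sid in missing_rules(ADVISORY, RULES):
        print(f"announced but not in ruleset: {gid}:{sid}")
```

A rule that carries the right SID but no `gid:3` option is counted as generator 1, so a text rule reusing an announced SID does not mask a missing shared-object stub.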



