[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-02-26

Guise McAllaster guise.mcallaster at ...2420...
Fri Feb 26 17:23:27 EST 2010


Yes, I am getting an error, "You’ve reached this page because you’ve clicked on
a link that does not exist. This is probably our fault… but instead of
showing you the basic ‘404 Error’ page that is confusing and doesn’t really
explain anything, we’ve created this page to explain what went wrong" when
trying to access the supplied link in the email.

This has happened multiple times in the past and I've grown to expect it and
I've gotten used to it.  Add the fact that the Feb 23 rule, "WEB-CLIENT
Windows Media Player directory traversal via Content-Disposition attempt"
(to be complete, this was updated Feb 25 to fix the problem but now it is
very exploit specific so good luck with its usefulness) alerted like a
schizophrenic taking a polygraph (*SourceFire trifecta is in play*).  In the
two days before it was fixed, it managed to alert me on most all web
downloads and severely throw off my statistics that I submit to the
management.  Proventia is now being seriously considered as a replacement.

I guess an "open source" [*sic*] product that has no formal technical
support and a history of false positives is not really a viable solution for
world-class enterprises.  No hard feelings for snort ... I like it and use
it as a hobbyist and think it does a lot of things well. :)  Please
keep up the good work but maybe the release note link can be more accurate
in the future?  One can only hope.

Guise

On Fri, Feb 26, 2010 at 9:52 PM, Nigel Houghton <nhoughton at ...435...> wrote:

> On Fri, Feb 26, 2010 at 4:23 PM, evilghost at ...3397...
> <evilghost at ...3397...> wrote:
> > Changelog is 404.
> >
> > -evilghost
> >
> > Research wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >>
> >> Sourcefire VRT Certified Snort Rules Update
> >>
> >> Synopsis:
> >> The Sourcefire VRT is aware of a vulnerability affecting Microsoft
> >> Internet Explorer.
> >>
> >> Details:
> >> Microsoft Internet Explorer Command Execution:
> >> Microsoft Internet Explorer contains a programming error that may allow
> >> a remote attacker to execute commands on a vulnerable system. The
> >> attacker needs to supply VBScript to invoke winhlp32.exe, which can
> >> then be used to execute commands via a specially crafted .HLP file.
> >>
> >> A rule to detect attacks targeting this vulnerability is included in
> >> this release and is identified with GID 1, SID 16452.
> >>
> >> For a complete list of new and modified rules please see:
> >>
> >> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.2.6 (GNU/Linux)
> >>
> >> iD8DBQFLiDgnQcQOxItLLaMRAvEaAJ9rpY1fUgU+FqlTRm66BLe1CBJGXACfW11A
> >> QGugTZe+7KTde2i/54mF+L0=
> >> =DBm/
> >> -----END PGP SIGNATURE-----
> >>
> >> _______________________________________________
> >> Snort-sigs mailing list
> >> Snort-sigs at lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >>
> >>
> >
>
>
> Not for me.
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT
> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
>