[Snort-sigs] Snort-sigs Digest, Vol 45, Issue 10 - Rules Update Link.

Marcos Rodriguez mrodriguez at ...435...
Fri Feb 26 17:42:37 EST 2010


Hi All,

http://www.snort.org/vrt/advisories/2010/02/23/vrt-rules-2010-02-23.html/

It was correct on the VRT blog.



On Fri, Feb 26, 2010 at 5:26 PM, <snort-sigs-request at lists.sourceforge.net> wrote:

> Today's Topics:
>
>   1. Re: Sourcefire VRT Certified Snort Rules Update   2010-02-26
>      (evilghost at ...3397...)
>   2. Re: Sourcefire VRT Certified Snort Rules Update   2010-02-26
>      (Brad Doctor)
>   3. Re: Sourcefire VRT Certified Snort Rules Update   2010-02-26
>      (Guise McAllaster)
>   4. Re: Sourcefire VRT Certified Snort Rules  Update  2010-02-26
>      (chris.kniseley at ...3400...)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 26 Feb 2010 15:57:04 -0600
> From: "evilghost at ...3397..." <evilghost at ...3397...>
> Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
>        2010-02-26
> To: Nigel Houghton <nhoughton at ...435...>
> Cc: Snort Sigs <snort-sigs at lists.sourceforge.net>
> Message-ID: <4B8843B0.7090808 at ...3397...>
> Content-Type: text/plain; charset="us-ascii"
>
> Magic?  The link in the announcement email is 404, as of now, Feb 26,
> 15:15:36 CST.
>
> >> A rule to detect attacks targeting this vulnerability is included in
> >> this release and is identified with GID 1, SID 16452.
> >>
> >> For a complete list of new and modified rules please see:
> >>
> >> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.2.6 (GNU/Linux)
>
>
>
> :~$ curl -I http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
> HTTP/1.1 404 Not Found
> Date: Fri, 26 Feb 2010 21:55:22 GMT
> Server: Apache
> X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
> X-Runtime: 8.98940
> Set-Cookie:
>
> _radiant_session=BAh7BzoOcmV0dXJuX3RvIk1odHRwOi8vd3d3LnNub3J0Lm9yZy92cnQvZG9j%0Acy9ydWxlc2V0X2NoYW5nZWxvZ3MvY2hhbmdlcy0yMDEwLTAyLTI2Lmh0bWwi%0ACmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7%0AAAY6CkB1c2VkewA%3D--0a5374c3d60bb3ab39e966249e906633cc52d156;
> path=/
> Content-Length: 6674
> Status: 404 Not Found
> Content-Type: text/html; charset=utf-8
>
> >
> > Not for me.
> >
> >
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 26 Feb 2010 15:04:43 -0700
> From: Brad Doctor <brad.doctor at ...2420...>
> Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
>        2010-02-26
> To: "evilghost at ...3397..." <evilghost at ...3397...>
> Cc: Snort Sigs <snort-sigs at lists.sourceforge.net>,      Nigel Houghton
>        <nhoughton at ...435...>
> Message-ID:
>        <a07586b1002261404y5d913f49h5537326435b6af23 at ...2421...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> 404 here
>
> On Fri, Feb 26, 2010 at 2:57 PM, evilghost at ...3397... <
> evilghost at ...3397...> wrote:
>
> > Magic?  The link in the announcement email is 404, as of now, Feb 26,
> > 15:15:36 CST.
> >
> > >> A rule to detect attacks targeting this vulnerability is included in
> > >> this release and is identified with GID 1, SID 16452.
> > >>
> > >> For a complete list of new and modified rules please see:
> > >>
> > >> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
> > >> -----BEGIN PGP SIGNATURE-----
> > >> Version: GnuPG v1.2.6 (GNU/Linux)
> >
> >
> >
> > :~$ curl -I http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
> > HTTP/1.1 404 Not Found
> > Date: Fri, 26 Feb 2010 21:55:22 GMT
> > Server: Apache
> > X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
> > X-Runtime: 8.98940
> > Set-Cookie:
> >
> >
> _radiant_session=BAh7BzoOcmV0dXJuX3RvIk1odHRwOi8vd3d3LnNub3J0Lm9yZy92cnQvZG9j%0Acy9ydWxlc2V0X2NoYW5nZWxvZ3MvY2hhbmdlcy0yMDEwLTAyLTI2Lmh0bWwi%0ACmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7%0AAAY6CkB1c2VkewA%3D--0a5374c3d60bb3ab39e966249e906633cc52d156;
> > path=/
> > Content-Length: 6674
> > Status: 404 Not Found
> > Content-Type: text/html; charset=utf-8
> >
> > >
> > > Not for me.
> > >
> > >
> >
> >
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
>
> ------------------------------
>
> Message: 3
> Date: Fri, 26 Feb 2010 22:23:27 +0000
> From: Guise McAllaster <guise.mcallaster at ...2420...>
> Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
>        2010-02-26
> To: Nigel Houghton <nhoughton at ...435...>
> Cc: Snort Sigs <snort-sigs at lists.sourceforge.net>
> Message-ID:
>        <ab3c24b61002261423k1d8b23a3q1e684c4295c937e8 at ...2421...>
> Content-Type: text/plain; charset="windows-1252"
>
> Yes, I am getting an error, "You've reached this page because you've clicked on
> a link that does not exist. This is probably our fault... but instead of
> showing you the basic '404 Error' page that is confusing and doesn't really
> explain anything, we've created this page to explain what went wrong" when
> trying to access the supplied link in the email.
>
> This has happened multiple times in the past and I've grown to expect it and
> I've gotten used to it.  Add the fact that the Feb 23 rule, "WEB-CLIENT
> Windows Media Player directory traversal via Content-Disposition attempt"
> (to be complete, this was updated Feb 25 to fix the problem but now it is
> very exploit specific so good luck with its usefulness) alerted like a
> schizophrenic taking a polygraph (*SourceFire trifecta is in play*).  In the
> two days before it was fixed, it managed to alert me on most all web
> downloads and severely throw off my statistics that I submit to the
> management.  Proventia is now being seriously considered as a replacement.
>
> I guess an "open source" [*sic*] product that has no formal technical
> support and a history of false positives is not really a viable solution for
> world class enterprises.  No hard feelings for snort ... I like it and use
> it as a hobbyist and think it does a lot of things well. :)  Please
> keep up the good work but maybe the release note link can be more accurate
> in the future?  One can only hope.
>
> Guise
>
> On Fri, Feb 26, 2010 at 9:52 PM, Nigel Houghton <nhoughton at ...435...> wrote:
>
> > On Fri, Feb 26, 2010 at 4:23 PM, evilghost at ...3397...
> > <evilghost at ...3397...> wrote:
> > > Changelog is 404.
> > >
> > > -evilghost
> > >
> > > Research wrote:
> > >> -----BEGIN PGP SIGNED MESSAGE-----
> > >> Hash: SHA1
> > >>
> > >>
> > >> Sourcefire VRT Certified Snort Rules Update
> > >>
> > >> Synopsis:
> > >> The Sourcefire VRT is aware of a vulnerability affecting Microsoft
> > >> Internet Explorer.
> > >>
> > >> Details:
> > >> Microsoft Internet Explorer Command Execution:
> > >> Microsoft Internet Explorer contains a programming error that may
> > >> allow a remote attacker to execute commands on a vulnerable system. The
> > >> attacker needs to supply VBScript to invoke winhlp32.exe, which can
> > >> then be used to execute commands via a specially crafted .HLP file.
> > >>
> > >> A rule to detect attacks targeting this vulnerability is included in
> > >> this release and is identified with GID 1, SID 16452.
> > >>
> > >> For a complete list of new and modified rules please see:
> > >>
> > >> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
> > >> -----BEGIN PGP SIGNATURE-----
> > >> Version: GnuPG v1.2.6 (GNU/Linux)
> > >>
> > >> iD8DBQFLiDgnQcQOxItLLaMRAvEaAJ9rpY1fUgU+FqlTRm66BLe1CBJGXACfW11A
> > >> QGugTZe+7KTde2i/54mF+L0=
> > >> =DBm/
> > >> -----END PGP SIGNATURE-----
> > >>
> > >>
> > >>
> >
> > >>
> > >>
> > >
> >
> >
> > Not for me.
> >
> > --
> > Nigel Houghton
> > Head Mentalist
> > SF VRT
> > http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
> >
> >
> >
>
> ------------------------------
>
> Message: 4
> Date: Fri, 26 Feb 2010 16:10:49 -0600
> From: chris.kniseley at ...3400...
> Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules  Update
>        2010-02-26
> To: Brad Doctor <brad.doctor at ...2420...>
> Cc: Snort Sigs <snort-sigs at lists.sourceforge.net>,      Nigel Houghton
>        <nhoughton at ...435...>
> Message-ID:
>        <
> OFBD769558.D5E5D5D4-ON862576D6.0079CCF4-862576D6.0079D73E at ...3401...>
>
> Content-Type: text/plain; charset="us-ascii"
>
> 404 Good Buddy....
>
>
> Thanks,
> Chris
>
>
>
> From:
> Brad Doctor <brad.doctor at ...2420...>
> To:
> "evilghost at ...3397..." <evilghost at ...3397...>
> Cc:
> Snort Sigs <snort-sigs at lists.sourceforge.net>, Nigel Houghton
> <nhoughton at ...435...>
> Date:
> 02/26/2010 04:06 PM
> Subject:
> Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update    2010-02-26
>
>
>
> 404 here
>
> On Fri, Feb 26, 2010 at 2:57 PM, evilghost at ...3397... <
> evilghost at ...3397...> wrote:
> Magic?  The link in the announcement email is 404, as of now, Feb 26,
> 15:15:36 CST.
>
> >> A rule to detect attacks targeting this vulnerability is included in
> >> this release and is identified with GID 1, SID 16452.
> >>
> >> For a complete list of new and modified rules please see:
> >>
> >> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.2.6 (GNU/Linux)
>
>
>
> :~$ curl -I http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
> HTTP/1.1 404 Not Found
> Date: Fri, 26 Feb 2010 21:55:22 GMT
> Server: Apache
> X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
> X-Runtime: 8.98940
> Set-Cookie:
>
> _radiant_session=BAh7BzoOcmV0dXJuX3RvIk1odHRwOi8vd3d3LnNub3J0Lm9yZy92cnQvZG9j%0Acy9ydWxlc2V0X2NoYW5nZWxvZ3MvY2hhbmdlcy0yMDEwLTAyLTI2Lmh0bWwi%0ACmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7%0AAAY6CkB1c2VkewA%3D--0a5374c3d60bb3ab39e966249e906633cc52d156;
> path=/
> Content-Length: 6674
> Status: 404 Not Found
> Content-Type: text/html; charset=utf-8
>
> >
> > Not for me.
> >
> >
>
>
>
>
> End of Snort-sigs Digest, Vol 45, Issue 10
> ******************************************
>