[Snort-sigs] Snort-sigs Digest, Vol 45, Issue 10 - Rules Update Link.

Guise McAllaster guise.mcallaster at ...2420...
Fri Feb 26 17:55:05 EST 2010


Correct, if you are referring to the Feb 23 release.  That is two updates
ago….  Recent history seems to show that version numbers are quite a source
of confusion for SourceFire.

Guise

On Fri, Feb 26, 2010 at 10:42 PM, Marcos Rodriguez <
mrodriguez at ...435...> wrote:

> Hi All,
>
> http://www.snort.org/vrt/advisories/2010/02/23/vrt-rules-2010-02-23.html/
>
> It was correct on the VRT blog.
>
>
>
> On Fri, Feb 26, 2010 at 5:26 PM, <snort-sigs-request at lists.sourceforge.net> wrote:
>
>> Today's Topics:
>>
>>   1. Re: Sourcefire VRT Certified Snort Rules Update   2010-02-26
>>      (evilghost at ...3397...)
>>   2. Re: Sourcefire VRT Certified Snort Rules Update   2010-02-26
>>      (Brad Doctor)
>>   3. Re: Sourcefire VRT Certified Snort Rules Update   2010-02-26
>>      (Guise McAllaster)
>>   4. Re: Sourcefire VRT Certified Snort Rules  Update  2010-02-26
>>      (chris.kniseley at ...3400...)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Fri, 26 Feb 2010 15:57:04 -0600
>> From: "evilghost at ...3397..." <evilghost at ...3397...>
>> Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
>>        2010-02-26
>> To: Nigel Houghton <nhoughton at ...435...>
>> Cc: Snort Sigs <snort-sigs at lists.sourceforge.net>
>> Message-ID: <4B8843B0.7090808 at ...3397...>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> Magic?  The link in the announcement email is 404, as of now, Feb 26,
>> 15:15:36 CST.
>>
>> >> A rule to detect attacks targeting this vulnerability is included in
>> >> this release and is identified with GID 1, SID 16452.
>> >>
>> >> For a complete list of new and modified rules please see:
>> >>
>> >> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
>> >> -----BEGIN PGP SIGNATURE-----
>> >> Version: GnuPG v1.2.6 (GNU/Linux)
>>
>>
>>
>> :~$ curl -I http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
>> HTTP/1.1 404 Not Found
>> Date: Fri, 26 Feb 2010 21:55:22 GMT
>> Server: Apache
>> X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
>> X-Runtime: 8.98940
>> Set-Cookie:
>>
>> _radiant_session=BAh7BzoOcmV0dXJuX3RvIk1odHRwOi8vd3d3LnNub3J0Lm9yZy92cnQvZG9j%0Acy9ydWxlc2V0X2NoYW5nZWxvZ3MvY2hhbmdlcy0yMDEwLTAyLTI2Lmh0bWwi%0ACmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7%0AAAY6CkB1c2VkewA%3D--0a5374c3d60bb3ab39e966249e906633cc52d156;
>> path=/
>> Content-Length: 6674
>> Status: 404 Not Found
>> Content-Type: text/html; charset=utf-8
>>
>> >
>> > Not for me.
>> >
>> >
>>
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Fri, 26 Feb 2010 15:04:43 -0700
>> From: Brad Doctor <brad.doctor at ...2420...>
>> Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
>>        2010-02-26
>> To: "evilghost at ...3397..." <evilghost at ...3397...>
>> Cc: Snort Sigs <snort-sigs at lists.sourceforge.net>,      Nigel Houghton
>>        <nhoughton at ...435...>
>> Message-ID:
>>        <a07586b1002261404y5d913f49h5537326435b6af23 at ...2421...>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> 404 here
>>
>> On Fri, Feb 26, 2010 at 2:57 PM, evilghost at ...3397... <
>> evilghost at ...3397...> wrote:
>>
>> > Magic?  The link in the announcement email is 404, as of now, Feb 26,
>> > 15:15:36 CST.
>> >
>> > >> A rule to detect attacks targeting this vulnerability is included in
>> > >> this release and is identified with GID 1, SID 16452.
>> > >>
>> > >> For a complete list of new and modified rules please see:
>> > >>
>> > >> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
>> > >> -----BEGIN PGP SIGNATURE-----
>> > >> Version: GnuPG v1.2.6 (GNU/Linux)
>> >
>> >
>> >
>> > :~$ curl -I http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
>> > HTTP/1.1 404 Not Found
>> > Date: Fri, 26 Feb 2010 21:55:22 GMT
>> > Server: Apache
>> > X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
>> > X-Runtime: 8.98940
>> > Set-Cookie:
>> >
>> >
>> _radiant_session=BAh7BzoOcmV0dXJuX3RvIk1odHRwOi8vd3d3LnNub3J0Lm9yZy92cnQvZG9j%0Acy9ydWxlc2V0X2NoYW5nZWxvZ3MvY2hhbmdlcy0yMDEwLTAyLTI2Lmh0bWwi%0ACmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7%0AAAY6CkB1c2VkewA%3D--0a5374c3d60bb3ab39e966249e906633cc52d156;
>> > path=/
>> > Content-Length: 6674
>> > Status: 404 Not Found
>> > Content-Type: text/html; charset=utf-8
>> >
>> > >
>> > > Not for me.
>> > >
>> > >
>> >
>> >
>> >
>> ------------------------------------------------------------------------------
>> > Download Intel® Parallel Studio Eval
>> > Try the new software tools for yourself. Speed compiling, find bugs
>> > proactively, and fine-tune applications for parallel performance.
>> > See why Intel Parallel Studio got high marks during beta.
>> > http://p.sf.net/sfu/intel-sw-dev
>> > _______________________________________________
>> > Snort-sigs mailing list
>> > Snort-sigs at lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> >
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Fri, 26 Feb 2010 22:23:27 +0000
>> From: Guise McAllaster <guise.mcallaster at ...2420...>
>> Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
>>        2010-02-26
>> To: Nigel Houghton <nhoughton at ...435...>
>> Cc: Snort Sigs <snort-sigs at lists.sourceforge.net>
>> Message-ID:
>>        <ab3c24b61002261423k1d8b23a3q1e684c4295c937e8 at ...2421...>
>> Content-Type: text/plain; charset="windows-1252"
>>
>> Yes, I am getting the error, "You've reached this page because you've clicked on
>> a link that does not exist. This is probably our fault... but instead of
>> showing you the basic '404 Error' page that is confusing and doesn't really
>> explain anything, we've created this page to explain what went wrong" when
>> trying to access the supplied link in the email.
>>
>> This has happened multiple times in the past and I've grown to expect it and
>> I've gotten used to it.  Add the fact that the Feb 23 rule, "WEB-CLIENT
>> Windows Media Player directory traversal via Content-Disposition attempt"
>> (to be complete, this was updated Feb 25 to fix the problem but now it is
>> very exploit specific so good luck with its usefulness) alerted like a
>> schizophrenic taking a polygraph (*SourceFire trifecta is in play*).  In the
>> two days before it was fixed, it managed to alert me on most all web
>> downloads and severely throw off my statistics that I submit to the
>> management.  Proventia is now being seriously considered as a replacement.
>>
>> I guess an "open source" [*sic*] product that has no formal technical
>> support and a history of false positives is not really a viable solution for
>> a world class enterprise.  No hard feelings for snort ... I like it and use
>> it as a hobbyist and think it does a lot of things well. :).  Please
>> keep up the good work but maybe the release note link can be more accurate
>> in the future?  One can only hope.
>>
>> Guise
>>
>> On Fri, Feb 26, 2010 at 9:52 PM, Nigel Houghton <nhoughton at ...435...> wrote:
>>
>> > On Fri, Feb 26, 2010 at 4:23 PM, evilghost at ...3397...
>> > <evilghost at ...3397...> wrote:
>> > > Changelog is 404.
>> > >
>> > > -evilghost
>> > >
>> > > Research wrote:
>> > >> -----BEGIN PGP SIGNED MESSAGE-----
>> > >> Hash: SHA1
>> > >>
>> > >>
>> > >> Sourcefire VRT Certified Snort Rules Update
>> > >>
>> > >> Synopsis:
>> > >> The Sourcefire VRT is aware of a vulnerability affecting Microsoft
>> > >> Internet Explorer.
>> > >>
>> > >> Details:
>> > >> Microsoft Internet Explorer Command Execution:
>> > >> Microsoft Internet Explorer contains a programming error that may allow
>> > >> a remote attacker to execute commands on a vulnerable system. The
>> > >> attacker needs to supply VBScript to invoke winhlp32.exe, which can
>> > >> then be used to execute commands via a specially crafted .HLP file.
>> > >>
>> > >> A rule to detect attacks targeting this vulnerability is included in
>> > >> this release and is identified with GID 1, SID 16452.
>> > >>
>> > >> For a complete list of new and modified rules please see:
>> > >>
>> > >> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
>> > >> -----BEGIN PGP SIGNATURE-----
>> > >> Version: GnuPG v1.2.6 (GNU/Linux)
>> > >>
>> > >> iD8DBQFLiDgnQcQOxItLLaMRAvEaAJ9rpY1fUgU+FqlTRm66BLe1CBJGXACfW11A
>> > >> QGugTZe+7KTde2i/54mF+L0=
>> > >> =DBm/
>> > >> -----END PGP SIGNATURE-----
>> > >>
>> > >>
>> > >>
>> >
>> > >>
>> > >>
>> > >
>> >
>> >
>> > Not for me.
>> >
>> > --
>> > Nigel Houghton
>> > Head Mentalist
>> > SF VRT
>> > http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
>> >
>> >
>> >
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Fri, 26 Feb 2010 16:10:49 -0600
>> From: chris.kniseley at ...3400...
>> Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules  Update
>>        2010-02-26
>> To: Brad Doctor <brad.doctor at ...2420...>
>> Cc: Snort Sigs <snort-sigs at lists.sourceforge.net>,      Nigel Houghton
>>        <nhoughton at ...435...>
>> Message-ID:
>>        <
>> OFBD769558.D5E5D5D4-ON862576D6.0079CCF4-862576D6.0079D73E at ...3401...>
>>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> 404 Good Buddy....
>>
>>
>> Thanks,
>> Chris
>>
>>
>>
>> From:
>> Brad Doctor <brad.doctor at ...2420...>
>> To:
>> "evilghost at ...3397..." <evilghost at ...3397...>
>> Cc:
>> Snort Sigs <snort-sigs at lists.sourceforge.net>, Nigel Houghton
>> <nhoughton at ...435...>
>> Date:
>> 02/26/2010 04:06 PM
>> Subject:
>> Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update    2010-02-26
>>
>>
>>
>> 404 here
>>
>> On Fri, Feb 26, 2010 at 2:57 PM, evilghost at ...3397... <
>> evilghost at ...3397...> wrote:
>> Magic?  The link in the announcement email is 404, as of now, Feb 26,
>> 15:15:36 CST.
>>
>> >> A rule to detect attacks targeting this vulnerability is included in
>> >> this release and is identified with GID 1, SID 16452.
>> >>
>> >> For a complete list of new and modified rules please see:
>> >>
>> >> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
>> >> -----BEGIN PGP SIGNATURE-----
>> >> Version: GnuPG v1.2.6 (GNU/Linux)
>>
>>
>>
>> :~$ curl -I http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
>> HTTP/1.1 404 Not Found
>> Date: Fri, 26 Feb 2010 21:55:22 GMT
>> Server: Apache
>> X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
>> X-Runtime: 8.98940
>> Set-Cookie:
>>
>> _radiant_session=BAh7BzoOcmV0dXJuX3RvIk1odHRwOi8vd3d3LnNub3J0Lm9yZy92cnQvZG9j%0Acy9ydWxlc2V0X2NoYW5nZWxvZ3MvY2hhbmdlcy0yMDEwLTAyLTI2Lmh0bWwi%0ACmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7%0AAAY6CkB1c2VkewA%3D--0a5374c3d60bb3ab39e966249e906633cc52d156;
>> path=/
>> Content-Length: 6674
>> Status: 404 Not Found
>> Content-Type: text/html; charset=utf-8
>>
>> >
>> > Not for me.
>> >
>> >
>>
>>
>>
>> End of Snort-sigs Digest, Vol 45, Issue 10
>> ******************************************
>>
>
>