[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-06-05

Nigel Houghton nhoughton at ...435...
Mon Jun 7 10:52:03 EDT 2010

On Mon, Jun 7, 2010 at 9:41 AM, infosec posts <infosec.posts at ...2420...> wrote:
> Greetings,
> Unless I'm mistaken, there is not a "complete list of new and
> modified rules" available at the link referenced below.
> These bulletins used to list the SIDs/GIDs for the SO rules in the
> update package, like so:
> http://seclists.org/snort/2010/q2/668
> More recent bulletins seem to have quit listing the SO rules in the
> update, and I haven't been able to find a changelog on the website
> that indicates what new SO rules should be in our update packages.
> For example, since this update only includes SO rules, the changelogs
> linked on the site are blank/empty
> (http://www.snort.org/vrt/docs/ruleset_changelogs/2_8_6_0/changes-2010-06-05.html).
> This makes it difficult to determine what the new rules are and
> verify that they have been deployed correctly.
> If this information is available somewhere, I'd be happy if someone
> could point me to it; otherwise, could Sourcefire resume listing SO
> rule SIDs/GIDs in these signature update bulletins, or in the
> changelogs on the website?
> On Sat, Jun 5, 2010 at 4:44 PM, Research <research at ...435...> wrote:
>> Sourcefire VRT Certified Snort Rules Update
>> Synopsis:
>> This release adds rules to the web-client category for 0-day attacks in
>> multiple Adobe products.
>> Details:
>> The Sourcefire VRT has become aware of a 0-day vulnerability in
>> multiple Adobe products.
>> For a complete list of new and modified rules please see:
>> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-06-05.html

We have not ever listed the shared object rules in the changelog. We
are in the process of changing that; it has not been high on the
priority list since most people use a tool like Pulled Pork to manage
their rules (it produces a changelog that has the shared object rules

Tools like Pulled Pork and Oinkmaster also have the advantage of
producing a changelog that is specific to your environment and not
just a difference between the current and last set of rules produced.

The changelogs on snort.org are there for a quick verification of what
is new and yes, they should include the shared object rules. We are
aware of the problem and like I said, it is on the todo list to fix
and we will do so.

Nigel Houghton
Head Mentalist
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
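
An added example, not part of the original thread and not the code of Pulled Pork or Oinkmaster: one way to build the environment-specific changelog discussed above is to key every enabled rule on (gid, sid) and diff the rules deployed before and after an update. The rule text is constructed sample data, `changelog` and `so_only` are hypothetical helper names, and the example assumes shared object rule stubs carry gid 3 and that a rule with no `rev` option counts as rev 0.

```python
import re

# Constructed sample snapshots (not real VRT rules). gid:3 marks SO rule stubs.
OLD_RULES = '''\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE so stub A"; sid:90001; gid:3; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE so stub B"; sid:90002; gid:3; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE text rule"; content:"x"; sid:90010; rev:2;)
'''
NEW_RULES = '''\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE so stub A"; sid:90001; gid:3; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE so stub C"; sid:90003; gid:3; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE so stub D"; sid:90004; gid:3; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE disabled stub"; sid:90005; gid:3; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE text rule"; content:"x"; sid:90010; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE new text rule"; content:"y"; sid:90011; rev:1;)
'''

OPT = {k: re.compile(r'\b%s\s*:\s*(\d+)\s*;' % k) for k in ("sid", "gid", "rev")}
MSG = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')

def parse_rules(text):
    """Map (gid, sid) -> (rev, msg) for every enabled rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # commented-out rules are not deployed
            continue
        found = {k: rx.search(line) for k, rx in OPT.items()}
        if not found["sid"]:
            continue
        gid = int(found["gid"].group(1)) if found["gid"] else 1   # Snort's default gid
        rev = int(found["rev"].group(1)) if found["rev"] else 0   # assumption: no rev -> 0
        msg = MSG.search(line)
        rules[(gid, int(found["sid"].group(1)))] = (rev, msg.group(1) if msg else "")
    return rules

def changelog(old_text, new_text):
    """Diff two rule snapshots into added / removed / modified (gid, sid) lists."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "modified": sorted(k for k in new if k in old and new[k] != old[k]),
    }

def so_only(log, so_gid=3):
    """Keep only shared object rule entries (gid 3 by assumption)."""
    return {kind: [k for k in keys if k[0] == so_gid] for kind, keys in log.items()}

if __name__ == "__main__":
    for kind, keys in so_only(changelog(OLD_RULES, NEW_RULES)).items():
        print(kind, ", ".join("%d:%d" % k for k in keys))
```
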
