[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-06-05

Nigel Houghton nhoughton at ...435...
Mon Jun 7 11:40:55 EDT 2010


On Mon, Jun 7, 2010 at 11:26 AM, infosec posts <infosec.posts at ...2420...> wrote:
> In lieu of adjusting the published changelog format, a quick listing
> of the new SO SIDs/GIDs in the update bulletin (as you have done in
> the past) should be relatively painless to implement, and would
> satisfy my needs, without requiring increased priority over the other
> features you are working on.
>
> My update tools do produce an environment-specific changelog, but
> sometimes there are issues with the deployment, either on my side or
> the VRT side.  For example, there was the issue in April where SO
> rules that were supposed to be there were not included in the update
> package.  The only reason I knew anything was missing was because the
> update bulletin listed the specific SO rules that were supposed to
> have been included with the update.
>
> A comprehensive, rather than partial, listing of what is supposed to
> be in a given update can help with validation and troubleshooting.  I
> would think this would be beneficial for others in the community, but
> maybe it's just me.
>
>
> On Mon, Jun 7, 2010 at 9:52 AM, Nigel Houghton <nhoughton at ...435...> wrote:
>> On Mon, Jun 7, 2010 at 9:41 AM, infosec posts <infosec.posts at ...2420...> wrote:
>>> Greetings,
>>>
>>> Unless I'm mistaken, there is not a "complete list of new and
>>> modified rules" available at the link referenced below.
>>>
>>> These bulletins used to list the SIDs/GIDs for the SO rules in the
>>> update package, like so:
>>> http://seclists.org/snort/2010/q2/668
>>>
>>> More recent bulletins seem to have quit listing the SO rules in the
>>> update, and I haven't been able to find a changelog on the website
>>> that indicates what new SO rules should be in our update packages.
>>> For example, since this update only includes SO rules, the changelogs
>>> linked on the site are blank/empty
>>> (http://www.snort.org/vrt/docs/ruleset_changelogs/2_8_6_0/changes-2010-06-05.html).
>>> This makes it difficult to determine what the new rules are and
>>> verify that they have been deployed correctly.
>>>
>>> If this information is available somewhere, I'd be happy if someone
>>> could point me to it; otherwise, could Sourcefire resume listing SO
>>> rule SIDs/GIDs in these signature update bulletins, or in the
>>> changelogs on the website?
>>>
>>>
>>>
>>>
>>> On Sat, Jun 5, 2010 at 4:44 PM, Research <research at ...435...> wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>>
>>>> Sourcefire VRT Certified Snort Rules Update
>>>>
>>>> Synopsis:
>>>> This release adds rules to the web-client category for 0-day attacks in
>>>> multiple Adobe products.
>>>>
>>>> Details:
>>>> The Sourcefire VRT has become aware of a 0-day vulnerability in
>>>> multiple Adobe products.
>>>>
>>>> For a complete list of new and modified rules please see:
>>>>
>>>> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-06-05.html
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.2.6 (GNU/Linux)
>>>>
>>>> iD8DBQFMCsUkQcQOxItLLaMRAlE9AJ9YkbREqvv83NB93XJron/3OJ6I0wCeOF9p
>>>> q/3lG08MwBOI0HxyRyuGOaY=
>>>> =ipeW
>>>> -----END PGP SIGNATURE-----
>>>>
>>>>
>>>> _______________________________________________
>>>> Snort-sigs mailing list
>>>> Snort-sigs at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>
>>>
>>
>>
>> We have not ever listed the shared object rules in the changelog. We
>> are in the process of changing that, it has not been high on the
>> priority list since most people use a tool like Pulled Pork to manage
>> their rules (it produces a changelog that has the shared object rules
>> listed).
>>
>> Tools like Pulled Pork and Oinkmaster also have the advantage of
>> producing a changelog that is specific to your environment and not
>> just a difference between the current and last set of rules produced.
>>
>> The changelogs on snort.org are there for a quick verification of what
>> is new and yes, they should include the shared object rules. We are
>> aware of the problem and like I said, it is on the todo list to fix
>> and we will do so.
>>
>> --
>> Nigel Houghton
>> Head Mentalist
>> SF VRT
>> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
>>
>


The advisory released at the weekend was the only one that hasn't
listed the specific SID of the shared object rule in the note itself.
We were in a rush to complete the rule release and neglected to add
the information to the advisory. Hopefully this didn't impact folks
too much; it was a simple error of omission in a rapid response to a
zero-day issue.

If we had put the GID and SID in the changelog I'm guessing it
wouldn't have been as much of a problem. Like I said, we're in the
process of changing a couple of things to add that information;
moving forward, we'll try to be a little more diligent when getting
emergency releases out.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
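The validation step this thread is about (checking that the GID:SID pairs a
bulletin announces actually landed in the deployed shared-object rule stubs)
can be scripted. The following is an added example, not code from the VRT,
Sourcefire, Pulled Pork or either poster. The stub lines and the bulletin's
GID:SID list below are constructed for illustration; the SIDs and messages
are made up, and the only Snort conventions assumed are that SO rule stubs
carry an explicit gid:3, text rules default to GID 1, and rule managers
disable a rule by commenting out its line.

```python
import re
from typing import Dict, Iterable, List, Tuple

# A Snort rule line begins with an action keyword. Rule managers such as
# Pulled Pork and Oinkmaster disable a rule by commenting the line out, so
# "# alert ..." is a rule that is present but disabled, not a plain comment.
RULE_ACTIONS = ("alert", "drop", "sdrop", "log", "pass", "reject", "activate", "dynamic")
RULE_LINE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>" + "|".join(RULE_ACTIONS) + r")\s.*?\((?P<opts>.*)\)\s*$"
)
OPT = {
    "sid": re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;"),
    "gid": re.compile(r"(?:^|;)\s*gid\s*:\s*(\d+)\s*;"),
    "rev": re.compile(r"(?:^|;)\s*rev\s*:\s*(\d+)\s*;"),
    "msg": re.compile(r'msg\s*:\s*"([^"]*)"'),
}

RuleKey = Tuple[int, int]  # (gid, sid)

# Constructed sample stub file in the style of so_rules/*.rules. Not a VRT
# release file; the sids and messages are invented for this example.
SAMPLE_STUBS = """\
# web-client.rules (constructed sample, not a VRT release file)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT example SO rule one"; flow:to_client,established; classtype:attempted-user; sid:16500; gid:3; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT example SO rule two"; flow:to_client,established; classtype:attempted-user; sid:16501; gid:3; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT example SO rule three"; flow:to_client,established; classtype:attempted-user; sid:16502; gid:3; rev:1;)
alert tcp any any -> any any (msg:"LOCAL constructed text rule"; sid:1000001; rev:1;)
"""

# Constructed stand-in for the GID:SID list an update bulletin would carry.
# 3:16503 is deliberately absent from SAMPLE_STUBS to model the April case
# from the thread, where announced SO rules were missing from the package.
BULLETIN_GID_SIDS: List[RuleKey] = [(3, 16500), (3, 16501), (3, 16502), (3, 16503)]


def parse_rule_stubs(text: str) -> Dict[RuleKey, dict]:
    """Map (gid, sid) -> {"enabled", "rev", "msg"} for every rule line, enabled or not.
    GID defaults to 1 (text rules); SO rule stubs carry gid:3 explicitly."""
    rules: Dict[RuleKey, dict] = {}
    for raw in text.splitlines():
        m = RULE_LINE.match(raw.strip())
        if not m:
            continue  # blank line or ordinary comment
        opts = m.group("opts")
        sid_m = OPT["sid"].search(opts)
        if not sid_m:
            continue  # malformed stub: every rule must carry a sid
        gid_m = OPT["gid"].search(opts)
        rev_m = OPT["rev"].search(opts)
        msg_m = OPT["msg"].search(opts)
        key = (int(gid_m.group(1)) if gid_m else 1, int(sid_m.group(1)))
        rules[key] = {
            "enabled": m.group("disabled") is None,
            "rev": int(rev_m.group(1)) if rev_m else 0,
            "msg": msg_m.group(1) if msg_m else "",
        }
    return rules


def check_update(stub_text: str, expected: Iterable[RuleKey]) -> Dict[str, List[RuleKey]]:
    """Compare the rules found in a deployed stub file against the GID:SID list the
    bulletin says the update contains. "missing" is the troubleshooting case from
    the thread; "disabled" separates a policy choice from a broken deployment."""
    found = parse_rule_stubs(stub_text)
    expected_set = set(expected)
    return {
        "active": sorted(k for k in expected_set if k in found and found[k]["enabled"]),
        "disabled": sorted(k for k in expected_set if k in found and not found[k]["enabled"]),
        "missing": sorted(expected_set - found.keys()),
        "not_in_bulletin": sorted(found.keys() - expected_set),
    }


def fmt(key: RuleKey) -> str:
    return f"{key[0]}:{key[1]}"


if __name__ == "__main__":
    for status, keys in check_update(SAMPLE_STUBS, BULLETIN_GID_SIDS).items():
        print(f"{status:16s} {', '.join(map(fmt, keys)) or '-'}")
```

Run against a real deployment, the stub text would come from the so_rules
directory the update tool wrote out, and the expected list from the bulletin
or changelog; anything in "missing" is the situation the original poster
could only catch because the bulletin listed the SO rules explicitly.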



