[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-06-05
nhoughton at ...435...
Mon Jun 7 11:40:55 EDT 2010
On Mon, Jun 7, 2010 at 11:26 AM, infosec posts <infosec.posts at ...2420...> wrote:
> In lieu of adjusting the published changelog format, a quick listing
> of the new SO SIDs/GIDs in the update bulletin (as you have done in
> the past) should be relatively painless to implement, and would
> satisfy my needs, without requiring increased priority over the other
> features you are working on.
> My update tools do produce an environment-specific changelog, but
> sometimes there are issues with the deployment, either on my side or
> the VRT side. For example, there was the issue in April where SO
> rules that were supposed to be there were not included in the update
> package. The only reason I knew anything was missing was because the
> update bulletin listed the specific SO rules that were supposed to
> have been included with the update.
> A comprehensive, rather than partial, listing of what is supposed to
> be in a given update can help with validation and troubleshooting. I
> would think this would be beneficial for others in the community, but
> maybe it's just me.
> On Mon, Jun 7, 2010 at 9:52 AM, Nigel Houghton <nhoughton at ...435...> wrote:
>> On Mon, Jun 7, 2010 at 9:41 AM, infosec posts <infosec.posts at ...2420...> wrote:
>>> Unless I'm mistaken, there is not a "complete list of new and
>>> modified rules" available at the link referenced below.
>>> These bulletins used to list the SIDs/GIDs for the SO rules in the
>>> update package, like so:
>>> More recent bulletins seem to have quit listing the SO rules in the
>>> update, and I haven't been able to find a changelog on the website
>>> that indicates what new SO rules should be in our update packages.
>>> For example, since this update only includes SO rules, the changelogs
>>> linked on the site are blank/empty
>>> This makes it difficult to determine what the new rules are and
>>> verify that they have been deployed correctly.
>>> If this information is available somewhere, I'd be happy if someone
>>> could point me to it; otherwise, could Sourcefire resume listing SO
>>> rule SIDs/GIDs in these signature update bulletins, or in the
>>> changelogs on the website?
>>> On Sat, Jun 5, 2010 at 4:44 PM, Research <research at ...435...> wrote:
>>>> Sourcefire VRT Certified Snort Rules Update
>>>> This release adds rules to the web-client category for 0-day attacks in
>>>> multiple Adobe products.
>>>> The Sourcefire VRT has become aware of a 0-day vulnerability in
>>>> Adobe products.
>>>> For a complete list of new and modified rules please see:
>> We have not ever listed the shared object rules in the changelog. We
>> are in the process of changing that, it has not been high on the
>> priority list since most people use a tool like Pulled Pork to manage
>> their rules (it produces a changelog that has the shared object rules
>> Tools like Pulled Pork and Oinkmaster also have the advantage of
>> producing a changelog that is specific to your environment and not
>> just a difference between the current and last set of rules produced.
>> The changelogs on snort.org are there for a quick verification of what
>> is new and yes, they should include the shared object rules. We are
>> aware of the problem and like I said, it is on the todo list to fix
>> and we will do so.
>> Nigel Houghton
>> Head Mentalist
>> SF VRT
>> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
The advisory released at the weekend was the only one that hasn't
listed the specific SID of the shared object rule in the note itself.
We were in a rush to complete the rule release and neglected to add
the information to the advisory. Hopefully this didn't impact folks
too much, it was a simple error of omission in a rapid response to a
zero day issue.
If we had put the GID and SID in the changelog I'm guessing it
wouldn't have been as much of a problem. Like I said, we're in the
process of changing a couple of things to add that information, moving
forward we'll try to be a little more diligent when getting emergency
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
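The validation the thread asks for, checking that every gid:sid pair listed in an update bulletin is actually present and enabled in the deployed stub files, as an added example that is not part of this thread or of any VRT or Pulled Pork tooling. It assumes Snort 2.x conventions (shared object stubs carry `gid:3`, text rules default to gid 1), and the stub lines and bulletin list below are constructed samples, not real release data.

```python
import re
from typing import Dict, Set, Tuple

# gid/sid options inside a rule body; a rule with no gid option
# belongs to the text-rule generator, gid 1.
_SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
_GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')

RuleId = Tuple[int, int]


def parse_rule_ids(rule_text: str) -> Set[RuleId]:
    """Return the (gid, sid) pairs of every enabled rule in a .rules file.

    Commented-out rules (lines starting with '#') are skipped, so a stub
    that shipped but was disabled by the update tool counts as not deployed.
    """
    ids = set()
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid = _SID_RE.search(line)
        if not sid:
            continue
        gid = _GID_RE.search(line)
        ids.add((int(gid.group(1)) if gid else 1, int(sid.group(1))))
    return ids


def check_bulletin(expected: Set[RuleId], deployed: Set[RuleId]) -> Dict[str, Set[RuleId]]:
    """Split the bulletin's list into what is deployed and what is missing."""
    return {"missing": expected - deployed, "present": expected & deployed}


# Constructed sample stub file: one SO rule enabled, one disabled, one text rule.
SAMPLE_STUBS = """\
# so_rules stub file (constructed sample, not a real VRT release)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT sample A"; flow:to_client,established; gid:3; sid:900001; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT sample B"; flow:to_client,established; gid:3; sid:900002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"text rule without gid"; sid:1000001; rev:1;)
"""

# Placeholder for the gid:sid list a bulletin would publish (constructed values).
BULLETIN_IDS = {(3, 900001), (3, 900002), (3, 900003)}

if __name__ == "__main__":
    result = check_bulletin(BULLETIN_IDS, parse_rule_ids(SAMPLE_STUBS))
    for gid, sid in sorted(result["missing"]):
        print(f"missing or disabled: gid:{gid}; sid:{sid};")
```

In practice the stub text comes from the so_rules/*.rules files the update tool wrote, and the bulletin set from the published gid:sid list.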