[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-06-05

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Mon Jun 7 12:03:33 EDT 2010


Infosec posts,

Sourcefire has always struggled when it comes to changelogs.  In my
experience, it is just something that you have to accept and then move
on.  Kind of like how we all have come to accept with a grain of salt
all the, "we're working on it", "it is just around the corner", and
"we have some very exciting things in the works" lines.  I mean, Snort
3 has been "just around the corner" since what, 2006?  Sometimes you
just have to accept the current reality instead of trying to change
it.

-L0rd Ch0de1m0rt
 2 Peter 3:8

On 6/7/10, Nigel Houghton <nhoughton at ...435...> wrote:
> On Mon, Jun 7, 2010 at 11:26 AM, infosec posts <infosec.posts at ...2420...>
> wrote:
>> In lieu of adjusting the published changelog format, a quick listing
>> of the new SO SIDs/GIDs in the update bulletin (as you have done in
>> the past) should be relatively painless to implement, and would
>> satisfy my needs, without requiring increased priority over the other
>> features you are working on.
>>
>> My update tools do produce an environment-specific changelog, but
>> sometimes there are issues with the deployment, either on my side or
>> the VRT side.  For example, there was the issue in April where SO
>> rules that were supposed to be there were not included in the update
>> package.  The only reason I knew anything was missing was because the
>> update bulletin listed the specific SO rules that were supposed to
>> have been included with the update.
>>
>> A comprehensive, rather than partial, listing of what is supposed to
>> be in a given update can help with validation and troubleshooting.  I
>> would think this would be beneficial for others in the community, but
>> maybe it's just me.
>>
>>
>> On Mon, Jun 7, 2010 at 9:52 AM, Nigel Houghton <nhoughton at ...435...>
>> wrote:
>>> On Mon, Jun 7, 2010 at 9:41 AM, infosec posts <infosec.posts at ...2420...>
>>> wrote:
>>>> Greetings,
>>>>
>>>> Unless I'm mistaken, there is not a "complete list of new and
>>>> modified rules" available at the link referenced below.
>>>>
>>>> These bulletins used to list the SIDs/GIDs for the SO rules in the
>>>> update package, like so:
>>>> http://seclists.org/snort/2010/q2/668
>>>>
>>>> More recent bulletins seem to have quit listing the SO rules in the
>>>> update, and I haven't been able to find a changelog on the website
>>>> that indicates what new SO rules should be in our update packages.
>>>> For example, since this update only includes SO rules, the changelogs
>>>> linked on the site are blank/empty
>>>> (http://www.snort.org/vrt/docs/ruleset_changelogs/2_8_6_0/changes-2010-06-05.html).
>>>> This makes it difficult to determine what the new rules are and
>>>> verify that they have been deployed correctly.
>>>>
>>>> If this information is available somewhere, I'd be happy if someone
>>>> could point me to it; otherwise, could Sourcefire resume listing SO
>>>> rule SIDs/GIDs in these signature update bulletins, or in the
>>>> changelogs on the website?
>>>>
>>>>
>>>>
>>>>
>>>> On Sat, Jun 5, 2010 at 4:44 PM, Research <research at ...435...>
>>>> wrote:
>>>>>
>>>>>
>>>>> Sourcefire VRT Certified Snort Rules Update
>>>>>
>>>>> Synopsis:
>>>>> This release adds rules to the web-client category for 0-day attacks in
>>>>> multiple Adobe products.
>>>>>
>>>>> Details:
>>>>> The Sourcefire VRT has become aware of a 0-day vulnerability in
>>>>> multiple
>>>>> Adobe products.
>>>>>
>>>>> For a complete list of new and modified rules please see:
>>>>>
>>>>> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-06-05.html
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Snort-sigs mailing list
>>>>> Snort-sigs at lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>>
>>>>
>>>
>>>
>>> We have not ever listed the shared object rules in the changelog. We
>>> are in the process of changing that, it has not been high on the
>>> priority list since most people use a tool like Pulled Pork to manage
>>> their rules (it produces a changelog that has the shared object rules
>>> listed).
>>>
>>> Tools like Pulled Pork and Oinkmaster also have the advantage of
>>> producing a changelog that is specific to your environment and not
>>> just a difference between the current and last set of rules produced.
>>>
>>> The changelogs on snort.org are there for a quick verification of what
>>> is new and yes, they should include the shared object rules. We are
>>> aware of the problem and like I said, it is on the todo list to fix
>>> and we will do so.
>>>
>>> --
>>> Nigel Houghton
>>> Head Mentalist
>>> SF VRT
>>> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
>>>
>>
>
>
> The advisory released at the weekend was the only one that hasn't
> listed the specific SID of the shared object rule in the note itself.
> We were in a rush to complete the rule release and neglected to add
> the information to the advisory. Hopefully this didn't impact folks
> too much, it was a simple error of omission in a rapid response to a
> zero day issue.
>
> If we had put the GID and SID in the changelog I'm guessing it
> wouldn't have been as much of a problem. Like I said, we're in the
> process of changing a couple of things to add that information, moving
> forward we'll try to be a little more diligent when getting emergency
> releases out.
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT
> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
>
>
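The validation step the thread asks for, as an added example written for this page (it is not VRT, Pulled Pork or Oinkmaster code): parse the SO rule stubs deployed on a sensor, pull the GID:SID pairs from an update bulletin, and report which listed rules are missing, which are present but commented out, and which deployed rules the bulletin never mentioned. The stub file and the bulletin text are constructed samples with made-up SIDs.

```python
import re
from typing import Dict, Set, Tuple

Key = Tuple[int, int]  # (gid, sid)

# Constructed sample of a Snort 2.x shared-object (SO) rule stub file; the
# SIDs and messages are made up for this example, not real VRT rules.
SAMPLE_SO_STUBS = """\
# web-client SO stubs (constructed sample)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT sample A"; flow:to_client,established; sid:90001; gid:3; rev:1; metadata:engine shared, soid 3|90001;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT sample B"; sid:90002; gid:3; rev:1; metadata:engine shared, soid 3|90002;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT sample C"; sid:90003; gid:3; rev:2; metadata:engine shared, soid 3|90003;)
"""
# Constructed bulletin listing, in the "GID:SID" form the older bulletins used.
SAMPLE_BULLETIN = "3:90001 3:90002 3:90004"

ACTION_RE = re.compile(r'^(#\s*)?(alert|log|pass|drop|reject|sdrop)\s')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev:\s*(\d+)\s*;')

def parse_rule_stubs(text: str) -> Dict[Key, dict]:
    """Map (gid, sid) -> {'enabled', 'rev'} for every rule line, including
    commented-out (disabled) rules; lines that are not rules are skipped."""
    rules: Dict[Key, dict] = {}
    for line in text.splitlines():
        m = ACTION_RE.match(line)
        sid = SID_RE.search(line)
        if not m or not sid:
            continue  # plain comment, blank line, or not a rule
        gid = GID_RE.search(line)
        rev = REV_RE.search(line)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))  # gid defaults to 1
        rules[key] = {"enabled": m.group(1) is None,
                      "rev": int(rev.group(1)) if rev else 0}
    return rules

def parse_bulletin(text: str) -> Set[Key]:
    """Extract every GID:SID pair written in a bulletin body."""
    return {(int(g), int(s)) for g, s in re.findall(r'\b(\d+):(\d+)\b', text)}

def validate_update(expected: Set[Key], deployed: Dict[Key, dict]) -> Dict[str, Set[Key]]:
    """Compare the bulletin's listing against the stubs actually deployed."""
    present = {k for k in expected if k in deployed and deployed[k]["enabled"]}
    disabled = {k for k in expected if k in deployed and not deployed[k]["enabled"]}
    missing = expected - set(deployed)          # listed, but not in the package
    unlisted = set(deployed) - expected         # deployed, but never announced
    return {"present": present, "disabled": disabled, "missing": missing, "unlisted": unlisted}
```

Run it against the real stub files and the bulletin text and a non-empty "missing" set is exactly the April-style packaging gap the thread describes.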



