[Snort-sigs] duplicate rules (16412 and 16413) ?

Nerijus Krukauskas nkrukauskas at ...2420...
Thu Jun 17 08:27:10 EDT 2010


Yes, my bad. Anyway they fire at the same time. Question for
Sourcefire folks: can this be covered with one rule? As now it seems
redundant to have two...

On 2010-06-17, Rodrigo Montoro(Sp0oKeR) <spooker at ...2420...> wrote:
> It's not the same (differents CVE's)
>
> 16412 TextByteAtom
>
> http://www.snortid.com/snortid.asp?QueryId=16412
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0033
>
> 16413 TextCharsAtom
>
> http://www.snortid.com/snortid.asp?QueryId=16413
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0034
>
> Regards,
>
> On Thu, Jun 17, 2010 at 7:32 AM, Nerijus Krukauskas
> <nkrukauskas at ...2420...> wrote:
>> Are these two the duplicates of each other? OK, I admit I haven't
>> looked into the code (both are SO rules, and heck I've no idea if the
>> source _is_ available). But the message is the same and references
>> too. And they fire in sync.
>>
>> WEB-CLIENT Microsoft PowerPoint invalid TextByteAtom remote code
>> execution attempt [sid 16412]
>> WEB-CLIENT Microsoft PowerPoint invalid TextCharsAtom remote code
>> execution attempt [sid 16413]
>>
>> --
>> http://nk99.org/
>>
>> ------------------------------------------------------------------------------
>> ThinkGeek and WIRED's GeekDad team up for the Ultimate
>> GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
>> lucky parental unit.  See the prize list and enter to win:
>> http://p.sf.net/sfu/thinkgeek-promo
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>
>
>
> --
> Rodrigo Montoro (Sp0oKeR)
> http://www.spooker.com.br
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker
>


-- 
http://nk99.org/




More information about the Snort-sigs mailing list