[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-11-02

Joel Esler jesler at ...435...
Wed Nov 3 11:02:00 EDT 2010


On Wed, Nov 3, 2010 at 10:44 AM, infosec posts <infosec.posts at ...2420...> wrote:

> My update routine didn't find any changes last night, and I can't find
> any of these signatures in the tarballs I'm pulling this morning:
>
> 17808 <-> SPECIFIC-THREATS Adobe Flash authplay.dll memory corruption
> attempt (specific-threats.rules, High)
> 17809 <-> WEB-CLIENT quicktime movie file transfer (web-client.rules, Low)
> 17810 <-> WEB-MISC potential malware - download of server32.exe
> (web-misc.rules, Medium)
> 17811 <-> WEB-MISC potential malware - download of svchost.exe
> (web-misc.rules, Medium)
> 17812 <-> WEB-MISC potential malware - download of iexplore.exe
> (web-misc.rules, Medium)
> 17813 <-> WEB-MISC potential malware - download of iprinp.dll
> (web-misc.rules, Medium)
> 17814 <-> WEB-MISC potential malware - download of winzf32.dll
> (web-misc.rules, Medium)
>
>
> I pulled 2.8.6.0, 2.8.6.1, and 2.8.9.0 a few minutes ago, but I didn't
> find the new signatures in any of them.  Now I'm getting 403/Forbidden
> on 2.8.6.0 and 2.8.9.0, so I'm going to guess that you've realized you
> forgot to actually include the new signatures again, and you're fixing
> it now?


I am running pulledpork right this very second, and I am able to grab the
rules file.  I'll check to see if the rules are in my build.

We are doing work to the website today as well, so that may affect some
downloads.

<waiting for pulledpork to get done>

Done...  grepping...

Yup, they are all there for me.  Using the subscriber set.  Do you have the
subscriber set?  Your subscription isn't expired or anything, is it?


> --
> Joel Esler

302-223-5974