[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-11-02

Joel Esler jesler at ...435...
Wed Nov 3 11:11:30 EDT 2010


Just an FYI.  I don't have access to the subscriber list, so I don't know
who is expired and who is not; I just made a guess based off of a similar
experience recently.

Thanks.



On Wed, Nov 3, 2010 at 11:08 AM, infosec posts <infosec.posts at ...2420...> wrote:

> I had forgotten that we have a subscription issue (organizational
> problem on our side), so I'll apologize for making a false assumption.
>  Thanks for the response.
>
> On Wed, Nov 3, 2010 at 10:02 AM, Joel Esler <jesler at ...435...> wrote:
> > On Wed, Nov 3, 2010 at 10:44 AM, infosec posts <infosec.posts at ...2420...>
> > wrote:
> >>
> >> My update routine didn't find any changes last night, and I can't find
> >> any of these signatures in the tarballs I'm pulling this morning:
> >>
> >> 17808 <-> SPECIFIC-THREATS Adobe Flash authplay.dll memory corruption
> >> attempt (specific-threats.rules, High)
> >> 17809 <-> WEB-CLIENT quicktime movie file transfer (web-client.rules,
> >> Low)
> >> 17810 <-> WEB-MISC potential malware - download of server32.exe
> >> (web-misc.rules, Medium)
> >> 17811 <-> WEB-MISC potential malware - download of svchost.exe
> >> (web-misc.rules, Medium)
> >> 17812 <-> WEB-MISC potential malware - download of iexplore.exe
> >> (web-misc.rules, Medium)
> >> 17813 <-> WEB-MISC potential malware - download of iprinp.dll
> >> (web-misc.rules, Medium)
> >> 17814 <-> WEB-MISC potential malware - download of winzf32.dll
> >> (web-misc.rules, Medium)
> >>
> >>
> >> I pulled 2.8.6.0, 2.8.6.1, and 2.8.9.0 a few minutes ago, but I didn't
> >> find the new signatures in any of them.  Now I'm getting 403/Forbidden
> >> on 2.8.6.0 and 2.8.9.0, so I'm going to guess that you've realized you
> >> forgot to actually include the new signatures again, and you're fixing
> >> it now?
> >
> >
> > I am running pulledpork right this very second, and I am able to grab the
> > rules file.  I'll check to see if the rules are in my build.
> >
> > We are doing work to the website today as well, so that may affect some
> > downloads.
> >
> > <waiting for pulledpork to get done>
> >
> > Done...  grepping...
> >
> > Yup, they are all there for me.  Using the subscriber set.  Do you have the
> > subscriber set?  Your subscription isn't expired or anything is it?
> >
> > --
> > Joel Esler
> > 302-223-5974
> >
>



-- 
Joel Esler
302-223-5974