[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-09-14

Bryan Arenal b.arenal at ...2420...
Wed Sep 15 11:10:53 EDT 2010


Am I the only one who noticed that when downloading this rule update, it
says that it's from August 12th?

---
# wget http://www.snort.org/pub-bin/oinkmaster.cgi/<OINKCODE>/snortrules-snapshot-2861.tar.gz
--2010-09-15 14:55:20--  http://www.snort.org/pub-bin/oinkmaster.cgi/<OINKCODE>/snortrules-snapshot-2861.tar.gz
Resolving www.snort.org... 68.177.102.20
Connecting to www.snort.org|68.177.102.20|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://s3.amazonaws.com/snort.org/rules/*20100812*/snortrules-snapshot-2861.tar.gz?blah
[following]
--2010-09-15 14:55:21--  https://s3.amazonaws.com/snort.org/rules/*20100812*/snortrules-snapshot-2861.tar.gz?blah
Resolving s3.amazonaws.com... 72.21.202.164
Connecting to s3.amazonaws.com|72.21.202.164|:443... connected.
HTTP request sent, awaiting response... 200 OK
---

Sure enough, those are the timestamps in the tarball as well:

---
root at ...42... [~/tmp/rules]
# ls -ltr
total 9760
-rw-r--r-- 1 root root     396 Aug 18  2002 cgi-bin.list
-rw-r--r-- 1 root root   16724 Mar 10  2005 VRT-License.txt
-rw-r--r-- 1 root root    1327 May 16  2005 experimental.rules
-rw-r--r-- 1 root root     767 Jan 19  2010 Makefile.am
-rw-r--r-- 1 root root    1512 Aug 12 17:37 x11.rules
-rw-r--r-- 1 root root   52093 Aug 12 17:37 web-php.rules
-rw-r--r-- 1 root root  158362 Aug 12 17:37 web-misc.rules
-rw-r--r-- 1 root root   51639 Aug 12 17:37 web-iis.rules
-rw-r--r-- 1 root root   13768 Aug 12 17:37 web-frontpage.rules
-rw-r--r-- 1 root root   15411 Aug 12 17:37 web-coldfusion.rules
-rw-r--r-- 1 root root  167839 Aug 12 17:37 web-client.rules
-rw-r--r-- 1 root root  123693 Aug 12 17:37 web-cgi.rules
-rw-r--r-- 1 root root    1470 Aug 12 17:37 web-attacks.rules
-rw-r--r-- 1 root root 1921128 Aug 12 17:37 web-activex.rules
-rw-r--r-- 1 root root   26603 Aug 12 17:37 voip.rules
-rw-r--r-- 1 root root    1576 Aug 12 17:37 virus.rules
-rw-r--r-- 1 root root    5566 Aug 12 17:37 tftp.rules
-rw-r--r-- 1 root root    8067 Aug 12 17:37 telnet.rules
-rw-r--r-- 1 root root   47132 Aug 12 17:37 sql.rules
-rw-r--r-- 1 root root  552240 Aug 12 17:37 spyware-put.rules
-rw-r--r-- 1 root root  183524 Aug 12 17:37 specific-threats.rules
-rw-r--r-- 1 root root    7057 Aug 12 17:37 snmp.rules
-rw-r--r-- 1 root root   49205 Aug 12 17:37 smtp.rules
-rw-r--r-- 1 root root    8090 Aug 12 17:37 shellcode.rules
-rw-r--r-- 1 root root    5112 Aug 12 17:37 scan.rules
-rw-r--r-- 1 root root   15247 Aug 12 17:37 scada.rules
-rw-r--r-- 1 root root    3987 Aug 12 17:37 rservices.rules
-rw-r--r-- 1 root root   88695 Aug 12 17:37 rpc.rules
-rw-r--r-- 1 root root   15112 Aug 12 17:37 pop3.rules
-rw-r--r-- 1 root root    1048 Aug 12 17:37 pop2.rules
-rw-r--r-- 1 root root   36085 Aug 12 17:37 policy.rules
-rw-r--r-- 1 root root   22692 Aug 12 17:37 phishing-spam.rules
-rw-r--r-- 1 root root    6434 Aug 12 17:37 p2p.rules
-rw-r--r-- 1 root root    1493 Aug 12 17:37 other-ids.rules
-rw-r--r-- 1 root root  196992 Aug 12 17:37 oracle.rules
-rw-r--r-- 1 root root    1246 Aug 12 17:37 open-test.conf
-rw-r--r-- 1 root root    5806 Aug 12 17:37 nntp.rules
-rw-r--r-- 1 root root  214844 Aug 12 17:37 netbios.rules
-rw-r--r-- 1 root root   13432 Aug 12 17:37 mysql.rules
-rw-r--r-- 1 root root    6977 Aug 12 17:37 multimedia.rules
-rw-r--r-- 1 root root   31912 Aug 12 17:37 misc.rules
-rw-r--r-- 1 root root     199 Aug 12 17:37 local.rules
-rw-r--r-- 1 root root    1043 Aug 12 17:37 info.rules
-rw-r--r-- 1 root root   30718 Aug 12 17:37 imap.rules
-rw-r--r-- 1 root root    5474 Aug 12 17:37 icmp.rules
-rw-r--r-- 1 root root   16989 Aug 12 17:37 icmp-info.rules
-rw-r--r-- 1 root root   33679 Aug 12 17:37 ftp.rules
-rw-r--r-- 1 root root    4579 Aug 12 17:37 finger.rules
-rw-r--r-- 1 root root  121557 Aug 12 17:37 exploit.rules
-rw-r--r-- 1 root root   18664 Aug 12 17:37 dos.rules
-rw-r--r-- 1 root root   10826 Aug 12 17:37 dns.rules
-rw-r--r-- 1 root root 5042272 Aug 12 17:37 deleted.rules
-rw-r--r-- 1 root root    8239 Aug 12 17:37 ddos.rules
-rw-r--r-- 1 root root    8311 Aug 12 17:37 content-replace.rules
-rw-r--r-- 1 root root   19811 Aug 12 17:37 chat.rules
-rw-r--r-- 1 root root   23752 Aug 12 17:37 botnet-cnc.rules
-rw-r--r-- 1 root root   40034 Aug 12 17:37 blacklist.rules
-rw-r--r-- 1 root root    2830 Aug 12 17:37 bad-traffic.rules
-rw-r--r-- 1 root root  317279 Aug 12 17:37 backdoor.rules
-rw-r--r-- 1 root root    4647 Aug 12 17:37 attack-responses.rules
---

Seriously, WTF?

On Tue, Sep 14, 2010 at 14:56, Research <research at ...435...> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Sourcefire VRT Certified Snort Rules Update
>
> Synopsis:
> The Sourcefire VRT is aware of vulnerabilities affecting Microsoft and
> Adobe products.
>
> Details:
> Microsoft Security Advisory MS10-061:
> The Microsoft Windows Print Spooler service contains a programming
> error that may allow a remote attacker to execute code on an affected
> system.
>
> Rules to detect attacks targeting this vulnerability are included in
> this release and are identified with GID 3, SIDs 17252 and 17253.
>
> Microsoft Security Advisory MS10-062:
> Microsoft Windows Media Player contains a programming error that may
> allow a remote attacker to execute code on an affected system.
>
> A rule to detect attacks targeting this vulnerability is included in
> this release and is identified with GID 3, SID 17242.
>
> Microsoft Security Advisory MS10-063:
> Microsoft Windows XP and Vista contain a programming error that may
> allow a remote attacker to execute code on an affected system via the
> use of specially crafted Uniscribe fonts.
>
> A rule to detect attacks targeting this vulnerability is included in
> this release and is identified with GID 3, SID 17256.
>
> Microsoft Security Advisory MS10-064:
> Microsoft Outlook contains a programming error that may allow a remote
> attacker to execute code on an affected system.
>
> A rule to detect attacks targeting this vulnerability is included in
> this release and is identified with GID 3, SID 17251.
>
> Microsoft Security Advisory MS10-065:
> Microsoft Internet Information Server (IIS) contains a programming
> error that may allow a remote attacker to execute code on an affected
> system.
>
> Rules to detect attacks targeting this vulnerability are included in
> this release and are identified with GID 3, SIDs 17254 and 17255.
>
> Microsoft Security Advisory MS10-067:
> Microsoft WordPad contains a programming error that may allow a remote
> attacker to execute code on an affected system.
>
> A rule to detect attacks targeting this vulnerability is included in
> this release and is identified with GID 3, SID 17250.
>
> Microsoft Security Advisory MS10-068:
> Microsoft LSASS contains a programming error that may allow a remote
> attacker to execute code on an affected system.
>
> A rule to detect attacks targeting this vulnerability is included in
> this release and is identified with GID 3, SID 17249.
>
> Adobe Security Bulletin APSA10-03:
> Adobe Flash Player contains a programming error that may allow a remote
> attacker to execute code on an affected system.
>
> A rule to detect attacks targeting this vulnerability is included in
> this release and is identified with GID 1, SID 17257.
>
> For a complete list of new and modified rules please see:
>
> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-09-14.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
>
> iD8DBQFMj93jQcQOxItLLaMRAsX5AJ4ianhgCCaZKbrfhUEuEi/cMuoeFwCcDiKW
> p4fjDNq8FdKNeXEK0WUXPqU=
> =SaB4
> -----END PGP SIGNATURE-----
More information about the Snort-sigs mailing list
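
The manual check in the post above (the date in the redirect target plus the file times inside the tarball) can be automated before a rule update is deployed to sensors. This is an added example, not part of the original thread and not Sourcefire or oinkmaster code; the function names, the one-day tolerance and the in-memory sample tarball are assumptions made for illustration.

```python
import io
import re
import tarfile
from datetime import date, datetime, timedelta, timezone

# Date directory in the redirect; "*" tolerates the emphasis markers in the post.
SNAPSHOT_DIR = re.compile(r"/rules/\*?(\d{8})\*?/")

def redirect_date(location):
    """Date embedded in the 302 Location URL, or None if there is none."""
    m = SNAPSHOT_DIR.search(location)
    return datetime.strptime(m.group(1), "%Y%m%d").date() if m else None

def newest_rules_mtime(tar_bytes):
    """Newest mtime among *.rules members; very old members are normal."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        stamps = [m.mtime for m in tar if m.isfile() and m.name.endswith(".rules")]
    return datetime.fromtimestamp(max(stamps), tz=timezone.utc).date() if stamps else None

def staleness_findings(location, tar_bytes, announced, max_lag_days=1):
    """Reasons to hold the update back; an empty list means it looks current."""
    cutoff = announced - timedelta(days=max_lag_days)
    findings = []
    url_date = redirect_date(location)
    if url_date is not None and url_date < cutoff:
        findings.append(f"redirect points at snapshot directory {url_date}")
    newest = newest_rules_mtime(tar_bytes)
    if newest is None:
        findings.append("archive contains no .rules files")
    elif newest < cutoff:
        findings.append(f"newest rule file is dated {newest}")
    return findings

def build_sample(members):
    """Constructed in-memory tarball of empty files with chosen mtimes (UTC)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, when in members:
            info = tarfile.TarInfo(name)
            info.mtime = int(when.replace(tzinfo=timezone.utc).timestamp())
            tar.addfile(info)
    return buf.getvalue()

# Constructed sample mirroring two entries of the listing in the post.
SAMPLE_LOCATION = "https://s3.amazonaws.com/snort.org/rules/*20100812*/snortrules-snapshot-2861.tar.gz?blah"
SAMPLE_TARBALL = build_sample([("experimental.rules", datetime(2005, 5, 16)),
                               ("x11.rules", datetime(2010, 8, 12, 17, 37))])

if __name__ == "__main__":
    print(staleness_findings(SAMPLE_LOCATION, SAMPLE_TARBALL, date(2010, 9, 14)))
```

Comparing against the newest rule file rather than every member avoids false alarms from files such as `experimental.rules`, which carry old timestamps in every snapshot.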