[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-09-14

Nigel Houghton nhoughton at ...435...
Wed Sep 15 11:33:49 EDT 2010


On Wed, 15 Sep 2010 09:10:53 -0600, Bryan Arenal wrote:
> Am I the only one who noticed that when downloading this rule update, 
> it says that it's from August 12th?  
> 
> ---
> # wget http://www.snort.org/pub-bin/oinkmaster.cgi/<OINKCODE>/snortrules-snapshot-2861.tar.gz
> --2010-09-15 14:55:20--  http://www.snort.org/pub-bin/oinkmaster.cgi/<OINKCODE>/snortrules-snapshot-2861.tar.gz
> Resolving www.snort.org... 68.177.102.20
> Connecting to www.snort.org|68.177.102.20|:80... connected.
> HTTP request sent, awaiting response... 302 Found
> Location: https://s3.amazonaws.com/snort.org/rules/20100812/snortrules-snapshot-2861.tar.gz?blah [following]
> --2010-09-15 14:55:21--  https://s3.amazonaws.com/snort.org/rules/20100812/snortrules-snapshot-2861.tar.gz?blah
> Resolving s3.amazonaws.com... 72.21.202.164
> Connecting to s3.amazonaws.com|72.21.202.164|:443... connected.
> HTTP request sent, awaiting response... 200 OK
> ---
> 
> Sure enough, those are the timestamps in the tarball as well:
> 
> ---
> root at ...42... [~/tmp/rules]
> # ls -ltr
> total 9760
> -rw-r--r-- 1 root root     396 Aug 18  2002 cgi-bin.list
> -rw-r--r-- 1 root root   16724 Mar 10  2005 VRT-License.txt
> -rw-r--r-- 1 root root    1327 May 16  2005 experimental.rules
> -rw-r--r-- 1 root root     767 Jan 19  2010 Makefile.am
> -rw-r--r-- 1 root root    1512 Aug 12 17:37 x11.rules
> -rw-r--r-- 1 root root   52093 Aug 12 17:37 web-php.rules
> -rw-r--r-- 1 root root  158362 Aug 12 17:37 web-misc.rules
> -rw-r--r-- 1 root root   51639 Aug 12 17:37 web-iis.rules
> -rw-r--r-- 1 root root   13768 Aug 12 17:37 web-frontpage.rules
> -rw-r--r-- 1 root root   15411 Aug 12 17:37 web-coldfusion.rules
> -rw-r--r-- 1 root root  167839 Aug 12 17:37 web-client.rules
> -rw-r--r-- 1 root root  123693 Aug 12 17:37 web-cgi.rules
> -rw-r--r-- 1 root root    1470 Aug 12 17:37 web-attacks.rules
> -rw-r--r-- 1 root root 1921128 Aug 12 17:37 web-activex.rules
> -rw-r--r-- 1 root root   26603 Aug 12 17:37 voip.rules
> -rw-r--r-- 1 root root    1576 Aug 12 17:37 virus.rules
> -rw-r--r-- 1 root root    5566 Aug 12 17:37 tftp.rules
> -rw-r--r-- 1 root root    8067 Aug 12 17:37 telnet.rules
> -rw-r--r-- 1 root root   47132 Aug 12 17:37 sql.rules
> -rw-r--r-- 1 root root  552240 Aug 12 17:37 spyware-put.rules
> -rw-r--r-- 1 root root  183524 Aug 12 17:37 specific-threats.rules
> -rw-r--r-- 1 root root    7057 Aug 12 17:37 snmp.rules
> -rw-r--r-- 1 root root   49205 Aug 12 17:37 smtp.rules
> -rw-r--r-- 1 root root    8090 Aug 12 17:37 shellcode.rules
> -rw-r--r-- 1 root root    5112 Aug 12 17:37 scan.rules
> -rw-r--r-- 1 root root   15247 Aug 12 17:37 scada.rules
> -rw-r--r-- 1 root root    3987 Aug 12 17:37 rservices.rules
> -rw-r--r-- 1 root root   88695 Aug 12 17:37 rpc.rules
> -rw-r--r-- 1 root root   15112 Aug 12 17:37 pop3.rules
> -rw-r--r-- 1 root root    1048 Aug 12 17:37 pop2.rules
> -rw-r--r-- 1 root root   36085 Aug 12 17:37 policy.rules
> -rw-r--r-- 1 root root   22692 Aug 12 17:37 phishing-spam.rules
> -rw-r--r-- 1 root root    6434 Aug 12 17:37 p2p.rules
> -rw-r--r-- 1 root root    1493 Aug 12 17:37 other-ids.rules
> -rw-r--r-- 1 root root  196992 Aug 12 17:37 oracle.rules
> -rw-r--r-- 1 root root    1246 Aug 12 17:37 open-test.conf
> -rw-r--r-- 1 root root    5806 Aug 12 17:37 nntp.rules
> -rw-r--r-- 1 root root  214844 Aug 12 17:37 netbios.rules
> -rw-r--r-- 1 root root   13432 Aug 12 17:37 mysql.rules
> -rw-r--r-- 1 root root    6977 Aug 12 17:37 multimedia.rules
> -rw-r--r-- 1 root root   31912 Aug 12 17:37 misc.rules
> -rw-r--r-- 1 root root     199 Aug 12 17:37 local.rules
> -rw-r--r-- 1 root root    1043 Aug 12 17:37 info.rules
> -rw-r--r-- 1 root root   30718 Aug 12 17:37 imap.rules
> -rw-r--r-- 1 root root    5474 Aug 12 17:37 icmp.rules
> -rw-r--r-- 1 root root   16989 Aug 12 17:37 icmp-info.rules
> -rw-r--r-- 1 root root   33679 Aug 12 17:37 ftp.rules
> -rw-r--r-- 1 root root    4579 Aug 12 17:37 finger.rules
> -rw-r--r-- 1 root root  121557 Aug 12 17:37 exploit.rules
> -rw-r--r-- 1 root root   18664 Aug 12 17:37 dos.rules
> -rw-r--r-- 1 root root   10826 Aug 12 17:37 dns.rules
> -rw-r--r-- 1 root root 5042272 Aug 12 17:37 deleted.rules
> -rw-r--r-- 1 root root    8239 Aug 12 17:37 ddos.rules
> -rw-r--r-- 1 root root    8311 Aug 12 17:37 content-replace.rules
> -rw-r--r-- 1 root root   19811 Aug 12 17:37 chat.rules
> -rw-r--r-- 1 root root   23752 Aug 12 17:37 botnet-cnc.rules
> -rw-r--r-- 1 root root   40034 Aug 12 17:37 blacklist.rules
> -rw-r--r-- 1 root root    2830 Aug 12 17:37 bad-traffic.rules
> -rw-r--r-- 1 root root  317279 Aug 12 17:37 backdoor.rules
> -rw-r--r-- 1 root root    4647 Aug 12 17:37 attack-responses.rules
> ---
> 
> Seriously, WTF?

Well, your seriously wtf is that you have the registered rule set, not 
the subscriber set.

If you have a subscription, then you need to get in touch with 
snort-sub at ...3053...

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/



