[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-09-27

infosec posts infosec.posts at ...2420...
Tue Sep 28 11:03:17 EDT 2010

I have to ask, because I must be missing something here.

SID:17494 - web-client.rules - alert tcp $HOME_NET any ->
$EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer
Long URL Buffer Overflow attempt"; flow:established,to_server;
urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D
0A|"; metadata:service http; reference:bugtraq,19667;
reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)

Unless I am mistaken, we got a brand new signature for something that
was patched in 2006 (IE 6.0 SP1 on WinXP XP1).  It was also written so
broadly that I'm north of 90,000 alerts in an 8-hour overnight time
window before I killed the signature, and still counting as the
buffers flush out from my sensors.

Am I off my rocker, or is this a "WTF?" signature reminiscent of the
great SMTP FP debacle in the past?

On Mon, Sep 27, 2010 at 4:23 PM, Research <research at ...435...> wrote:
> Hash: SHA1
> Sourcefire VRT Certified Snort Rules Update
> Synopsis:
> This release adds and modifies rules in several categories.
> Details:
> As a result of ongoing research, the Sourcefire VRT has added and
> modified multiple rules in the chat, dns, exploit, ftp, imap, misc,
> netbios, oracle, policy, pop3, rpc, specific-threats sql, tftp,
> web-activex, web-client and web-misc rule sets to provide coverage for
> emerging threats from these technologies.
> For a complete list of new and modified rules please see:
> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-09-27.html
> Version: GnuPG v1.2.6 (GNU/Linux)
> cHkrx29GrpOy24o1Ao+o5PI=
> =02Sl
> ------------------------------------------------------------------------------
> Start uncovering the many advantages of virtual appliances
> and start using them to simplify application deployment and
> accelerate your shift to cloud computing.
> http://p.sf.net/sfu/novell-sfdev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

More information about the Snort-sigs mailing list