[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-09-27

waldo kitty wkitty42 at ...3507...
Tue Sep 28 13:25:38 EDT 2010


On 9/28/2010 11:03, infosec posts wrote:
> I have to ask, because I must be missing something here.
>
> SID:17494 - web-client.rules -

what's the GID? i suspect it is 3??

FWIW: i see that the GID is becoming more and more important when talking about 
rules...

> alert tcp $HOME_NET any ->
> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer
> Long URL Buffer Overflow attempt"; flow:established,to_server;
> urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D
> 0A|"; metadata:service http; reference:bugtraq,19667;
> reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)
>
> Unless I am mistaken, we got a brand new signature for something that
> was patched in 2006 (IE 6.0 SP1 on WinXP XP1).  It was also written so
> broadly that I'm north of 90,000 alerts in an 8-hour overnight time
> window before I killed the signature, and still counting as the
> buffers flush out from my sensors.

ouch! that is a bit on the extreme side, isn't it :?

> Am I off my rocker, or is this a "WTF?" signature reminiscent of the
> great SMTP FP debacle in the past?

i think i missed that...





More information about the Snort-sigs mailing list