[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-09-27

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Wed Sep 29 10:11:12 EDT 2010


Yeah, nice try, trying to shift the blame of a poorly written rule to
the MS vulnerability.  Personally, I like to think of the VRT
subscription ruleset as SourceFire's community QA testbed.  You run it
for 30 days and then they "open source" it (the words "open source"
are in quotes b/c it is not all open source) after fixing mistakes.
That is why I stopped subscribing to it.

Right now I'm seriously looking in to the newly announced Emerging
Threats Pro ruleset (http://www.emergingthreatspro.com/).  Not only is
it fully open source, it is QA'd and you can get 24/7 phone and email
support.

-L0rd Ch0de1m0rt

On Tue, Sep 28, 2010 at 12:42 PM, Joel Esler <jesler at ...435...> wrote:
>
> On Tue, Sep 28, 2010 at 1:25 PM, waldo kitty <wkitty42 at ...3507...>
> wrote:
>>
>> On 9/28/2010 11:03, infosec posts wrote:
>> > alert tcp $HOME_NET any ->
>> > $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer
>> > Long URL Buffer Overflow attempt"; flow:established,to_server;
>> > urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D
>> > 0A|"; metadata:service http; reference:bugtraq,19667;
>> > reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)
>> >
>> > Unless I am mistaken, we got a brand new signature for something that
>> > was patched in 2006 (IE 6.0 SP1 on WinXP XP1).  It was also written so
>> > broadly that I'm north of 90,000 alerts in an 8-hour overnight time
>> > window before I killed the signature, and still counting as the
>> > buffers flush out from my sensors.
>>
>> ouch! that is a bit on the extreme side, isn't it :?
>>
>
> Look at the vulnerability CVE for some laughs.  Shame on you IE.
> Sometimes in the act of writing rules for stupid programmer mistakes, it's
>
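A small rule-QA harness for the sid:17494 rule quoted above, added here as an example (it is not from the thread, from Sourcefire, or from the Snort project): it expands Snort's |hex| content notation and approximates the rule's three client-side checks (GET method, urilen:>260, literal "HTTP/1.1\r\n") against constructed requests, the kind of sample-traffic pass that shows the rule fires on any long but benign URL. The function names and sample requests are assumptions of mine, not anything on the page.

```python
# Rule quoted in the thread (sid:17494 rev:1), reduced to the options that
# decide a match on client traffic. The matching below is an approximation of
# Snort's detection engine, written for testing the rule's breadth offline.
SNORT_CONTENT = "HTTP|2F|1|2E|1|0D 0A|"   # taken verbatim from the rule


def snort_content_to_bytes(pattern: str) -> bytes:
    """Expand Snort's |hex| escapes: text outside pipes is literal,
    text inside pipes is whitespace-separated hex bytes."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            out += bytes(int(h, 16) for h in chunk.split())
    return bytes(out)


def rule_17494_matches(request: bytes) -> bool:
    """Mimic the rule's options against one raw HTTP request (assumed
    to already be on an established client-to-server flow)."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2 or parts[0] != b"GET":    # content:"GET"; http_method;
        return False
    if len(parts[1]) <= 260:                    # urilen:>260;
        return False
    return snort_content_to_bytes(SNORT_CONTENT) in request   # content:"HTTP/1.1\r\n"


def build_get(uri: str, host: str = "example.com") -> bytes:
    # Constructed sample request, not captured traffic.
    return f"GET {uri} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


# Constructed samples: an ordinary short request and a benign but long URL
# of the kind tracking parameters and web apps produce all day.
SHORT = build_get("/index.html")
LONG_BENIGN = build_get("/search?q=snort&" +
                        "&".join(f"utm_{i}=abcdefghij" for i in range(30)))


def alert_rate(requests) -> float:
    """Fraction of sample requests that would alert: the number a QA pass
    should report before a rule like this ships to sensors."""
    return sum(rule_17494_matches(r) for r in requests) / len(requests)


if __name__ == "__main__":
    print(snort_content_to_bytes(SNORT_CONTENT))                        # b'HTTP/1.1\r\n'
    print(rule_17494_matches(SHORT), rule_17494_matches(LONG_BENIGN))   # False True
```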
