[Snort-sigs] Snort-sigs Digest, Vol 75, Issue 1

PR oly562 at ...2420...
Thu Aug 2 19:56:54 EDT 2012


Greetings,

I am running acidbase on ubuntu server. 

i found this entry:

COMMUNITY SIP TCP/IP message flooding directed to SIP proxy

 ID: #0-(7-1)
 Signature: [snort] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
 Timestamp: 2012-08-02 06:42:12
 Source Address: 192.168.1.14:36642
 Dest. Address: 91.189.92.184:80
 Layer 4 Proto: TCP

I am also a bit perplexed by a sig that is not listed on the snort ID
site: http://www.snortid.com/snortid.asp?QueryId=1:100000160
does not yield any results.

Could you comment on how a cleanly installed snort acidbase could be sending
out from a source: 192.168.1.14 to a destination: 91.189.92.184:80?

Notable: I have no automatic updates turned on for snort or ubuntu.

Anyone care to comment? thanks guys/gals.

l8 oly anderson
snort user for like years now and I still don't know shyt.. lol.


On Thu, 2012-08-02 at 21:20 +0000,
snort-sigs-request at lists.sourceforge.net wrote:

> Send Snort-sigs mailing list submissions to
> 	snort-sigs at lists.sourceforge.net
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.sourceforge.net/lists/listinfo/snort-sigs
> or, via email, send a message with subject or body 'help' to
> 	snort-sigs-request at lists.sourceforge.net
> 
> You can reach the person managing the list at
> 	snort-sigs-owner at lists.sourceforge.net
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-sigs digest..."
> 
> 
> Today's Topics:
> 
>    1. Sourcefire VRT Certified Snort Rules Update 2012-07-19 (Research)
>    2. little help with false positives? (Henri Reinikainen)
>    3. Sourcefire VRT Certified Snort Rules Update 2012-07-24 (Research)
>    4. request enhance old sid 3193 please (rmkml)
>    5. Re: [Emerging-Sigs] request enhance old sid 3193 please
>       (Matt Jonkman)
>    6. Sourcefire VRT Certified Snort Rules Update 2012-08-01 (Research)
>    7. Sourcefire VRT Certified Snort Rules Update 2012-08-02 (Research)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 19 Jul 2012 18:11:04 -0400 (EDT)
> From: Research <research at ...435...>
> Subject: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
> 	2012-07-19
> To: snort-sigs at lists.sourceforge.net
> Message-ID: <20120719221104.5A8546CC013 at ...435...>
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Sourcefire VRT Certified Snort Rules Update
> 
> Synopsis:
> This release adds and modifies rules in several categories.
> 
> Details:
> The Sourcefire VRT has added and modified multiple rules in the
> backdoor, botnet-cnc, chat, dos, exploit, file-identify, file-office,
> file-other, file-pdf, ftp, policy, smtp, specific-threats, web-client
> and web-php rule sets to provide coverage for emerging threats from
> these technologies.
> 
> For a complete list of new and modified rules please see:
> 
> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-07-19.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> 
> iD8DBQFQCIOraBoqZBVJfwMRAnHaAJ0T8TPewWjUxlmGv4VOptp6oDj7kgCfTdl8
> JJWyO6jT/+ZsMs4wURs32tU=
> =b4+h
> -----END PGP SIGNATURE-----
> 
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Fri, 20 Jul 2012 08:32:03 +0300
> From: Henri Reinikainen <henri at ...3710...>
> Subject: [Snort-sigs] little help with false positives?
> To: <snort-sigs at lists.sourceforge.net>
> Message-ID: <f173bae8b9893838cab70332e36ce149 at ...3711...>
> Content-Type: text/plain; charset=UTF-8; format=flowed
> 
> Hi
> 
> Does someone have time to educate me? Because I don't get it.
> 
> spamd-setup is running in cron hourly. Fetching spammer ip lists from 
> www.openbsd.org via http. Every time this fetch happens there's some 
> alerts triggered.
> 
> # spamd-setup -d -b
> Getting http://www.openbsd.org/spamd/traplist.gz
> blacklist uatraps 51709 entries
> Getting http://www.openbsd.org/spamd/nixspam.gz
> blacklist nixspam 40000 entries
> 
> sensitive_data: sensitive data global threshold exceeded
> sensitive_data: sensitive data - eMail addresses
> http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED
> http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
> 
> I've checked the connection with telnet and the content of those lists. There 
> is nothing even remotely like e-mail addresses (well, one). The other problem 
> with this is that those lists are downloaded to the server, not uploaded. If 
> I understand correctly this rule should only be working in one 
> direction.
> If I download these lists and decompress them by hand, there are no 
> decompression errors.
> 
> ipvar HOME_NET [xxx.xxx.xxx.xxx/32]
> ipvar EXTERNAL_NET !$HOME_NET
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] 
> (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, 
> service smtp, service ftp-data, service imap, service pop3; 
> sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Tue, 24 Jul 2012 12:34:03 -0400 (EDT)
> From: Research <research at ...435...>
> Subject: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
> 	2012-07-24
> To: snort-sigs at lists.sourceforge.net
> Message-ID: <20120724163403.4FCF8D4055 at ...435...>
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Sourcefire VRT Certified Snort Rules Update
> 
> Synopsis:
> This release adds and modifies rules in several categories.
> 
> Details:
> The Sourcefire VRT has added and modified multiple rules in the
> backdoor, bad-traffic, blacklist, botnet-cnc, exploit, file-identify,
> file-office, file-pdf, indicator-compromise, policy, scan, spyware-put,
> web-client and web-php rule sets to provide coverage for emerging
> threats from these technologies.
> 
> For a complete list of new and modified rules please see:
> 
> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-07-24.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> 
> iD8DBQFQDswIaBoqZBVJfwMRAhOIAJ0eh3t6YNwePdrk/CSPzBSh5NC9dwCeJ4FF
> Tp7+DYJ+0ebxWXGhGD7etlo=
> =e3Z2
> -----END PGP SIGNATURE-----
> 
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Mon, 30 Jul 2012 01:31:58 +0200 (CEST)
> From: rmkml <rmkml at ...174...>
> Subject: [Snort-sigs] request enhance old sid 3193 please
> To: Snort-sigs at lists.sourceforge.net,
> 	Emerging-sigs at ...3335...
> Message-ID: <alpine.LFD.2.01.1207300124250.1837 at ...3520...>
> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
> 
> Hi,
> I'm requesting an enhancement to the pcre in old sid 3193,
> 
> old:
>   pcre:"/.cmd\x22.*\x26.*/smi";
> 
> new:
>   pcre:"/\.cmd\x22.*?\x26/Ui";
> 
> Fire with this URI:
>   /a.cmd"a&
>   /a.cmd%22a&
>   /a.cmd"a%26
>   /a.cmd%22a%26
> 
> Regards
> Rmkml
> 
> http://twitter.com/rmkml
> 
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Sun, 29 Jul 2012 17:40:00 -0400
> From: Matt Jonkman <jonkman at ...829...>
> Subject: Re: [Snort-sigs] [Emerging-Sigs] request enhance old sid 3193
> 	please
> To: rmkml <rmkml at ...174...>
> Cc: Snort-sigs at lists.sourceforge.net,
> 	Emerging-sigs at ...3335...
> Message-ID:
> 	<CAMHk8W=yaFMykz=7Kc3RMbDOUQS9CKorjvZ2svtRcjB0Sp8EVg at ...2421...>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Good catch, making the change now. (2103193 in the ET set)
> 
> Matt
> 
> On Sun, Jul 29, 2012 at 7:31 PM, rmkml <rmkml at ...174...> wrote:
> > Hi,
> > I'm requesting an enhancement to the pcre in old sid 3193,
> >
> > old:
> >  pcre:"/.cmd\x22.*\x26.*/smi";
> >
> > new:
> >  pcre:"/\.cmd\x22.*?\x26/Ui";
> >
> > Fire with this URI:
> >  /a.cmd"a&
> >  /a.cmd%22a&
> >  /a.cmd"a%26
> >  /a.cmd%22a%26
> >
> > Regards
> > Rmkml
> >
> > http://twitter.com/rmkml
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at ...3694...
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > Support Emerging Threats! Subscribe to Emerging Threats Pro
> > http://www.emergingthreatspro.com
> > The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> > Current!
> 
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Wed,  1 Aug 2012 13:00:38 -0400 (EDT)
> From: Research <research at ...435...>
> Subject: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
> 	2012-08-01
> To: snort-sigs at lists.sourceforge.net
> Message-ID: <20120801170038.3F8D26CC00F at ...435...>
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Sourcefire VRT Certified Snort Rules Update
> 
> Synopsis:
> This release adds and modifies rules in several categories.
> 
> Details:
> The Sourcefire VRT has added and modified multiple rules in the
> blacklist, botnet-cnc, exploit, file-identify, file-other, file-pdf,
> indicator-obfuscation, specific-threats, sql, web-client and web-misc
> rule sets to provide coverage for emerging threats from these
> technologies.
> 
> For a complete list of new and modified rules please see:
> 
> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-08-01.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> 
> iD8DBQFQGV4DaBoqZBVJfwMRAo81AJ9zEO7PTr2B2ByPWdn9k6shZ7KsKgCdF0oc
> OhvJr8B6DqJ9R+/B0SfziWg=
> =OuJD
> -----END PGP SIGNATURE-----
> 
> 
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Thu,  2 Aug 2012 15:33:53 -0400 (EDT)
> From: Research <research at ...435...>
> Subject: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
> 	2012-08-02
> To: snort-sigs at lists.sourceforge.net
> Message-ID: <20120802193353.18A2D6CC025 at ...435...>
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Sourcefire VRT Certified Snort Rules Update
> 
> Synopsis:
> This release adds and modifies rules in several categories.
> 
> Details:
> The Sourcefire VRT has added and modified multiple rules in the
> botnet-cnc, file-identify, indicator-obfuscation and web-php rule sets
> to provide coverage for emerging threats from these technologies.
> 
> For a complete list of new and modified rules please see:
> 
> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-08-02.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> 
> iD8DBQFQGtNlaBoqZBVJfwMRAkf3AJ9/Omk0asIMX52PwELbS3pDzCK6FwCgnLhx
> oHhLU/dUmTNama2DimTnP9U=
> =EZZA
> -----END PGP SIGNATURE-----
> 
> 
> 
> 
> ------------------------------
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
> 
> End of Snort-sigs Digest, Vol 75, Issue 1
> *****************************************
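The pcre change rmkml requests in Message 4 of the quoted digest (old `/.cmd\x22.*\x26.*/smi`, new `/\.cmd\x22.*?\x26/Ui`) checked against his four test URIs, as an added example that is not part of the original thread or of either the VRT or ET rule set. It assumes that Snort's `U` pcre modifier matches against the normalized (percent-decoded) URI buffer while the old pattern, lacking `U`, was matched against the raw payload, and emulates that with Python's `re` and `urllib.parse.unquote`. The extra `/xcmd"a&` probe is a constructed input, not from the thread, showing what the unescaped `.` in the old pattern also matches.

```python
import re
from urllib.parse import unquote

# Old pcre from sid 3193 as quoted in the thread: unescaped '.', greedy '.*',
# flags s/m/i. Without the U modifier Snort matched it against the raw payload.
OLD_PCRE = re.compile(r'.cmd\x22.*\x26.*', re.S | re.M | re.I)

# rmkml's proposed replacement: literal '.', non-greedy '.*?', no trailing '.*',
# and the U modifier so Snort matches against the normalized URI buffer.
NEW_PCRE = re.compile(r'\.cmd\x22.*?\x26', re.I)


def normalize_uri(raw_uri: str) -> str:
    """Emulate the part of http_inspect URI normalization that matters here:
    percent-decoding, so %22 -> '"' and %26 -> '&'. (Assumption: real
    normalization does more, e.g. traversal and multiple-slash handling.)"""
    return unquote(raw_uri)


def old_matches(raw_uri: str) -> bool:
    """Old rule semantics: pattern applied to the raw, un-decoded URI."""
    return OLD_PCRE.search(raw_uri) is not None


def new_matches(raw_uri: str) -> bool:
    """New rule semantics (U modifier): pattern applied to the normalized URI."""
    return NEW_PCRE.search(normalize_uri(raw_uri)) is not None


# The four URIs rmkml says the new pcre should fire on (from the thread).
THREAD_URIS = ['/a.cmd"a&', '/a.cmd%22a&', '/a.cmd"a%26', '/a.cmd%22a%26']

# Constructed probe (not from the thread): no literal '.' before "cmd", so the
# old pattern's unescaped '.' still matches while the new one does not.
PROBE_URI = '/xcmd"a&'


def compare(uris):
    """Return {uri: (old_hit, new_hit)} for each URI."""
    return {u: (old_matches(u), new_matches(u)) for u in uris}


if __name__ == '__main__':
    for uri, (old, new) in compare(THREAD_URIS + [PROBE_URI]).items():
        print(f'{uri:16} old={old!s:5} new={new}')
```

Run as-is, only the first thread URI trips the old pattern, because `%22` and `%26` never decode to `"` and `&` in the raw payload; all four trip the new one once the URI is normalized. The probe goes the other way: the old pattern fires on `/xcmd"a&`, the new one does not, which is the effect of escaping the dot.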