[Snort-sigs] CVE-2015-0204

Y M snort at ...3751...
Tue Mar 10 05:49:42 EDT 2015

This can be inferred from the rules themselves. Looking at the rules you mentioned, logically speaking, the distinction can be made from 
- Rule direction: "external" to "home" or "home" to "external", and the associated - SSL State: ssl_state, either server_hello or client_hello.
"external" to "home" with server_hello looks for the server side while "home" to "external" with client_hello looks for the client side. Please correct me if I am wrong.
If the above holds true, then for usability purposes, may be you can modify the rules messages (using PulledPork, if you use it) to reflect client or server side alerts.
Hope this helps.
From: kestutis.malakauskas at ...3980...
To: snort-sigs at lists.sourceforge.net
Date: Tue, 10 Mar 2015 09:06:36 +0000
Subject: [Snort-sigs] CVE-2015-0204

Hello, There is SIDs with GID 1, 33686 through 33703 which covering CVE-2015-0204. I assume part of them are covering identification of vulnerable server configuration and the other part of those are covering vulnerable browsers. Is it possible to distinguish this defining which once are for vulnerable browsers and which once are for vulnerable servers? Anyone from VRT? Thanks,Kestutis Kestutis Malakauskas |  Lead Attack Monitoring Analyst  | Global Information Security | Security OperationsTel +370 5 251 1847 | Mobile +370 652 89466 | Email kestutis.malakauskas at ...4017... , 8th Floor | Balčikonio str. 7 | Vilnius | Lithuania GMT+2Barclays.com Hotline: +370 520 62424P Please consider the environment before printing this email 
This e-mail and any attachments are confidential and intended solely for the 
addressee and may also be privileged or exempt from disclosure under applicable 
law. If you are not the addressee, or have received this e-mail in error, please 
notify the sender immediately, delete it from your system and do not copy, 
disclose or otherwise act upon any part of this e-mail or its attachments.

Internet communications are not guaranteed to be secure or virus-free. The 
Barclays Group does not accept responsibility for any loss arising from 
unauthorised access to, or interference with, any Internet communications by any 
third party, or from the transmission of any viruses. Replies to this e-mail may 
be monitored by the Barclays Group for operational or business reasons.

Any opinion or other information in this e-mail or its attachments that does 
not relate to the business of the Barclays Group is personal to the sender and 
is not given or endorsed by the Barclays Group.

Barclays Bank PLC. Registered in England and Wales (registered no. 1026167). 
Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom. Barclays 
Bank PLC is authorised by the Prudential Regulation Authority and regulated by 
the Financial Conduct Authority and the Prudential Regulation Authority 
(Financial Services Register No. 122702).  

Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

Please visit http://blog.snort.org for the latest news about Snort! 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20150310/50ce7da5/attachment.html>

More information about the Snort-sigs mailing list