[Snort-sigs] CVE-2015-0204

kestutis.malakauskas at ...3980...
Tue Mar 10 07:34:18 EDT 2015


Thanks Joel,

That's good to know; I will address this, as I had the impression this might cause segregation-of-duties issues, since the permission would also allow analysts to edit rules.

Appreciate,
Kestutis

Kestutis Malakauskas |  Lead Attack Monitoring Analyst  | Global Information Security | Security Operations
Tel +370 5 251 1847 | Mobile +370 652 89466 | Email kestutis.malakauskas at ...202....3980...<mailto:kestutis.malakauskas at ...3980...>
Barclays , 8th Floor | Balčikonio str. 7 | Vilnius | Lithuania GMT+2
Barclays.com

Hotline: +370 520 62424
Please consider the environment before printing this email

From: Joel Esler (jesler) [mailto:jesler at ...3865...]
Sent: 10 March 2015 13:27
To: snort at ...3751...
Cc: Malakauskas, Kestutis : RBB COO; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] CVE-2015-0204

Your analysts can only read the rules if they have rules permissions in the account settings.
--
Joel Esler
Sent from my iPhone

On Mar 10, 2015, at 6:42 AM, "snort at ...3751..." <snort at ...3751...> wrote:
If by "DC" you mean Defense Center, then there is a way to view the rule body, given that permissions allow analysts to do that.

The above is not based on my experience, just demos/documents I have read about DC.


On Tue, Mar 10, 2015 at 3:08 AM -0700, <kestutis.malakauskas at ...3980...<mailto:kestutis.malakauskas at ...3980...>> wrote:

Thanks,

Yes, this is correct; this is the way I imagine it as well. The issue was that not all the rules have triggered so far for our analysts to examine. Without the rule being triggered on the DC our analysts can't see the exact rule, so naturally they can't identify this distinction, which is visible only if you can examine the rules themselves. So I thought maybe someone has already done the separation for those and could provide which SIDs correspond to which (server side, client side).

Regards,

Kestutis




From: Y M [mailto:snort at ...3751...]
Sent: 10 March 2015 11:50
To: Malakauskas, Kestutis : RBB COO
Cc: snort-sigs
Subject: RE: [Snort-sigs] CVE-2015-0204



This can be inferred from the rules themselves. Looking at the rules you mentioned, logically speaking, the distinction can be made from

- Rule direction: "external" to "home" or "home" to "external", and the associated
- SSL state: ssl_state, either server_hello or client_hello.

"external" to "home" with server_hello looks for the server side while "home" to "external" with client_hello looks for the client side. Please correct me if I am wrong.

If the above holds true, then for usability purposes, maybe you can modify the rule messages (using PulledPork, if you use it) to reflect client- or server-side alerts.

Hope this helps.
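The heuristic above (rule direction paired with the ssl_state option) can be applied mechanically to a rules file. The script below is an added example written for this thread, not code posted by any participant and not part of Snort or PulledPork. The sample rules in it are constructed placeholders: their SIDs (9000001 and up), msg strings and content matches are invented for illustration and are not the bodies of SIDs 33686 through 33703. It parses each rule header, reads ssl_state, classifies the rule as client side, server side or unknown per the pairing described in the message, and rewrites the msg option with a "[client side]" / "[server side]" prefix so the distinction is visible in the alert without reading the rule body.

```python
import re

# Constructed sample rules (placeholders, NOT the real CVE-2015-0204 rule bodies).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER placeholder export-grade RSA in server hello"; '
    'flow:to_client,established; ssl_state:server_hello; content:"|00 03|"; sid:9000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER placeholder export cipher offered in client hello"; '
    'flow:to_server,established; ssl_state:client_hello; content:"|00 03|"; sid:9000002; rev:1;)',
    # client_hello arriving from outside: the pairing in the thread does not cover this, so it stays 'unknown'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER placeholder inbound client hello"; '
    'flow:to_server,established; ssl_state:client_hello; sid:9000003; rev:1;)',
    # no ssl_state at all: nothing to classify on
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"placeholder no ssl_state"; flow:established; sid:9000004; rev:1;)',
]

# Snort rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# msg value may contain escaped quotes, so match (non-quote | backslash-anything)*
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
SSL_STATE_RE = re.compile(r'\bssl_state\s*:\s*([^;]+);')


def parse_rule(rule):
    """Split one single-line rule into the fields the classification needs."""
    m = HEADER_RE.match(rule)
    if not m:
        return None
    opts = m.group('opts')
    sid = SID_RE.search(opts)
    msg = MSG_RE.search(opts)
    st = SSL_STATE_RE.search(opts)
    states = set()
    if st:
        # ssl_state takes a comma-separated list; items prefixed with '!' are negated
        for item in st.group(1).split(','):
            item = item.strip()
            if item and not item.startswith('!'):
                states.add(item)
    return {
        'sid': int(sid.group(1)) if sid else None,
        'msg': msg.group(1) if msg else '',
        'src': m.group('src'),
        'dst': m.group('dst'),
        'ssl_states': states,
    }


def classify_side(parsed):
    """Pairing from the thread: EXTERNAL->HOME with server_hello inspects the
    server's reply (server side); HOME->EXTERNAL with client_hello inspects our
    clients' offers (client side). Any other combination is left 'unknown'."""
    src, dst, states = parsed['src'], parsed['dst'], parsed['ssl_states']
    if 'server_hello' in states and src == '$EXTERNAL_NET' and dst == '$HOME_NET':
        return 'server'
    if 'client_hello' in states and src == '$HOME_NET' and dst == '$EXTERNAL_NET':
        return 'client'
    return 'unknown'


def tag_msg(rule, side):
    """Return the rule text with '[client side]' or '[server side]' prefixed to msg."""
    if side == 'unknown':
        return rule
    return MSG_RE.sub(lambda m: 'msg:"[%s side] %s";' % (side, m.group(1)), rule, count=1)


def classify_rules(rules):
    """Map sid -> 'client' | 'server' | 'unknown' for every active rule."""
    results = {}
    for rule in rules:
        rule = rule.strip()
        if not rule or rule.startswith('#'):
            continue  # skip blank and commented-out rules
        parsed = parse_rule(rule)
        if parsed is None or parsed['sid'] is None:
            continue
        results[parsed['sid']] = classify_side(parsed)
    return results


if __name__ == '__main__':
    sides = classify_rules(SAMPLE_RULES)
    for rule in SAMPLE_RULES:
        parsed = parse_rule(rule.strip())
        if parsed and parsed['sid'] in sides:
            print(parsed['sid'], sides[parsed['sid']])
            print('  ', tag_msg(rule, sides[parsed['sid']]))
```

Rules that fall into the 'unknown' bucket are the ones worth reading by hand: the pairing in the message only covers the two canonical directions, and a rule that inspects a client_hello arriving from outside (an external client talking to an internal server) does not fit either label. The msg rewrite is shown as plain text substitution; the same change can be carried as a PulledPork msg modification if that tool manages the ruleset.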



________________________________

From: kestutis.malakauskas at ...3980...<mailto:kestutis.malakauskas at ...4019....>
To: snort-sigs at lists.sourceforge.net<mailto:snort-sigs at ...3414...t>
Date: Tue, 10 Mar 2015 09:06:36 +0000
Subject: [Snort-sigs] CVE-2015-0204

Hello,



There are SIDs with GID 1, 33686 through 33703, which cover CVE-2015-0204. I assume some of them cover identification of vulnerable server configurations and the others cover vulnerable browsers. Is it possible to distinguish these, defining which ones are for vulnerable browsers and which ones are for vulnerable servers?

Anyone from VRT?

Thanks,

Kestutis





This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.
Internet communications are not guaranteed to be secure or virus-free. The Barclays Group does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this e-mail may be monitored by the Barclays Group for operational or business reasons.
Any opinion or other information in this e-mail or its attachments that does not relate to the business of the Barclays Group is personal to the sender and is not given or endorsed by the Barclays Group.
Barclays Bank PLC. Registered in England and Wales (registered no. 1026167). Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702).

------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ Snort-sigs mailing list Snort-sigs at lists.sourceforge.net<mailto:Snort-sigs at lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
