<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div class="acompli_signature">If by "DC" you mean Defence Center, then there is a way to view the rules body, given that permissions allow analysts to do that.</div>
<div class="acompli_signature"><br>
</div>
<div class="acompli_signature">The above is not based on my experience, just demos/documents I have read about DC.</div>
<br>
<br>
<br>
<div class="gmail_quote">On Tue, Mar 10, 2015 at 3:08 AM -0700, <span dir="ltr">&lt;<a href="mailto:kestutis.malakauskas@...3980..." target="_blank">kestutis.malakauskas@...3980...</a>&gt;</span> wrote:<br>
<br>
</div>
<div lang="EN-GB" link="blue" vlink="purple">
<div class="x_WordSection1">
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">Thanks,</span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">Yes, this is correct; this is the way I imagine it as well. The issue was that not all the rules have been triggered so far, which our analysts could examine.
 Without the rule being triggered on DC, our analysts can’t see the exact rule, so naturally they can’t identify this distinction, which is seen only if you can examine the rules themselves. So I thought maybe someone has the separation done already for those and
 could provide which SIDs correspond to which (server side, client side).</span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">Regards,</span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">Kestutis
</span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<div>
<p class="x_MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt; font-family:"Arial","sans-serif"; color:#7F7F7F">Kestutis Malakauskas |  Lead Attack Monitoring Analyst  | Global Information Security | Security Operations</span></p>
<p class="x_MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt; font-family:"Arial","sans-serif"; color:#7F7F7F">Tel +370 5 251 1847 | Mobile +370 652 89466 | Email
<a href="mailto:kestutis.malakauskas@...3980...">kestutis.malakauskas@...253...3980...</a></span></p>
<p class="x_MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt; font-family:"Arial","sans-serif"; color:#7F7F7F">Barclays ,
</span><span lang="LT" style="font-size:8.0pt; font-family:"Arial","sans-serif"; color:#7F7F7F">8th Floor | Balčikonio str. 7</span><span style="font-size:8.0pt; font-family:"Arial","sans-serif"; color:#7F7F7F"> |
</span><span lang="EN-US" style="font-size:8.0pt; font-family:"Arial","sans-serif"; color:#7F7F7F">Vilnius | Lithuania
</span><b><span lang="EN-US" style="font-size:8.0pt; font-family:"Calibri","sans-serif"; color:#7F7F7F">GMT+2</span></b><span style="font-size:8.0pt; font-family:"Arial","sans-serif"; color:#7F7F7F"></span></p>
<p class="x_MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt; font-family:"Arial","sans-serif"; color:#7F7F7F">Barclays.com</span></p>
<p class="x_MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt; font-family:"Arial","sans-serif"; color:#7F7F7F"> </span></p>
<p class="x_MsoNormal"><b><span lang="EN-US" style="font-size:8.0pt; font-family:"Arial","sans-serif"; color:#7F7F7F">Hotline: +370 520 62424</span></b><span style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:#1F497D"></span></p>
<p class="x_MsoNormal" style="margin-right:0cm; margin-bottom:5.0pt; margin-left:0cm; text-autospace:none">
<span style="font-size:10.0pt; font-family:Webdings; color:green">P</span><span style="font-size:10.0pt; color:green">
</span><span style="font-size:8.0pt; font-family:"Arial","sans-serif"; color:green">Please consider the environment before printing this email</span><b><span lang="EN-US" style="font-size:11.0pt; font-family:"Barclays Sans"; color:#1F497D"></span></b></p>
</div>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<div>
<div style="border:none; border-top:solid #B5C4DF 1.0pt; padding:3.0pt 0cm 0cm 0cm">
<p class="x_MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt; font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt; font-family:"Tahoma","sans-serif""> Y M [mailto:snort@...3751...]
<br>
<b>Sent:</b> 10 March 2015 11:50<br>
<b>To:</b> Malakauskas, Kestutis : RBB COO<br>
<b>Cc:</b> snort-sigs<br>
<b>Subject:</b> RE: [Snort-sigs] CVE-2015-0204</span></p>
</div>
</div>
<p class="x_MsoNormal"> </p>
<div>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif"">This can be inferred from the rules themselves. Looking at the rules you mentioned, logically speaking, the distinction can be made from </span></p>
<div>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif""> </span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif"">- Rule direction: "external" to "home" or "home" to "external", and the associated </span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif"">- SSL State: ssl_state, either server_hello or client_hello.</span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif""> </span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif"">"external" to "home" with server_hello looks for the server side while "home" to "external" with client_hello looks for the client side. Please correct me if I am wrong.</span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif""> </span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif"">If the above holds true, then for usability purposes, maybe you can modify the rule messages (using PulledPork, if you use it) to reflect client or server side alerts.</span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif""> </span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif"">Hope this helps.</span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif""> </span></p>
</div>
<div>
<div>
<div class="x_MsoNormal" align="center" style="text-align:center"><span style="font-family:"Calibri","sans-serif"">
<hr size="2" width="100%" align="center" id="x_stopSpelling">
</span></div>
<p class="x_MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Calibri","sans-serif"">From: kestutis.malakauskas@...3980...<br>
To: snort-sigs@lists.sourceforge.net<br>
Date: Tue, 10 Mar 2015 09:06:36 +0000<br>
Subject: [Snort-sigs] CVE-2015-0204</span></p>
<div>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif"">Hello,</span></p>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif""> </span></p>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif"">There are SIDs with GID 1, 33686 through 33703, which cover CVE-2015-0204. I assume some of them cover identification of vulnerable server configuration and the others
 cover vulnerable browsers. Is it possible to distinguish which ones are for vulnerable browsers and which ones are for vulnerable servers?</span></p>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif""> </span></p>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif"">Anyone from VRT?</span></p>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif""> </span></p>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif"">Thanks,</span></p>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif"">Kestutis</span></p>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif""> </span></p>
</div>
<p class="x_MsoNormal"><span style="font-family:"Calibri","sans-serif"">This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee,
 or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.<br>
Internet communications are not guaranteed to be secure or virus-free. The Barclays Group does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission
 of any viruses. Replies to this e-mail may be monitored by the Barclays Group for operational or business reasons.<br>
Any opinion or other information in this e-mail or its attachments that does not relate to the business of the Barclays Group is personal to the sender and is not given or endorsed by the Barclays Group.<br>
Barclays Bank PLC. Registered in England and Wales (registered no. 1026167). Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct
 Authority and the Prudential Regulation Authority (Financial Services Register No. 122702). 
</span></p>
</div>
</div>
</div>
</div>
</div>
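<p>Added example, not part of the original thread and not Snort or PulledPork code: a Python script that applies the heuristic from Y M's reply (rule direction plus ssl_state) directly to a rules file, building a GID:SID to side table that also covers rules that have never fired, and prefixing each msg with the result. The sample rules and their SIDs are constructed placeholders, not the rules for CVE-2015-0204, and the mapping is the one proposed in the reply, which its author asked to have confirmed.</p>

```python
import re

# Constructed sample rules: NOT the real rules for CVE-2015-0204. SIDs are
# placeholders from the local range and the options are simplified.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"sample export cipher in ServerHello"; flow:to_client,established; ssl_state:server_hello; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"sample export cipher in ClientHello"; flow:to_server,established; ssl_state:client_hello; sid:1000002; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"sample disabled rule"; ssl_state:client_hello; sid:1000003; rev:1;)
alert tcp any any -> any 443 (msg:"sample without ssl_state"; content:"|16 03|"; sid:1000004; rev:1;)
'''

# Rule header: action proto src sport direction dst dport (options)
RULE = re.compile(
    r'^(?:#\s*)?(?:alert|drop|log|pass|reject|sdrop)\s+\S+\s+(?P<src>\S+)\s+\S+'
    r'\s+(?:->|<>)\s+(?P<dst>\S+)\s+\S+\s+\((?P<opts>.*)\)\s*$')
SID = re.compile(r'\bsid:\s*(\d+)\s*;')
GID = re.compile(r'\bgid:\s*(\d+)\s*;')
SSL_STATE = re.compile(r'\bssl_state:\s*([^;]+);')
MSG = re.compile(r'(\bmsg:\s*")')

def classify(src, dst, opts):
    """Apply the heuristic from the thread: direction plus ssl_state."""
    states = set()
    for m in SSL_STATE.finditer(opts):
        # ssl_state takes a comma-separated list; ignore negated entries.
        states.update(s.strip() for s in m.group(1).split(",")
                      if not s.strip().startswith("!"))
    if (src, dst) == ("$EXTERNAL_NET", "$HOME_NET") and "server_hello" in states:
        return "server-side"
    if (src, dst) == ("$HOME_NET", "$EXTERNAL_NET") and "client_hello" in states:
        return "client-side"
    return "unclassified"

def tag_rules(text):
    """Return ({'gid:sid': side}, rules text with msg prefixed by the side)."""
    sides, out = {}, []
    for line in text.splitlines():
        m, sid = RULE.match(line.strip()), SID.search(line)
        if m and sid:  # enabled or commented-out rule; other lines pass through
            gid = GID.search(line)
            side = classify(m["src"], m["dst"], m["opts"])
            sides[f"{gid.group(1) if gid else 1}:{sid.group(1)}"] = side
            if side != "unclassified":
                line = MSG.sub(lambda q: f"{q.group(1)}[{side}] ", line, count=1)
        out.append(line)
    return sides, "\n".join(out)

if __name__ == "__main__":
    table, rewritten = tag_rules(SAMPLE_RULES)
    for key, side in sorted(table.items()):
        print(key, side)
    print(rewritten)
```

<p>Rules that come back as unclassified (negated or variable-free headers, no ssl_state) are left unmodified and need a manual read of the rule body.</p>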
</body>
</html>