[Snort-users] RE: [Snort-sigs] Any new rules coming out of snort.org?

Matthew Watchinski mwatchinski at ...1935...
Thu Mar 31 12:44:08 EST 2005


Just thought I should jump in here and clarify a couple things.

On March 28th, a VRT Certified Ruleset was released to subscribers that 
contained new rules for vulnerabilities in MySQL, ARCserver, and Oracle.
3528 - MySQL CREATE Function attempt
3526 - Oracle XDB FTP Unlock overflow
3530 - ArcServe backup UDP msg 0x99 overflow

We also included a new FTP Bounce rule that utilizes new detection 
capabilities that are in the 2.4 Branch of Snort. Additionally there 
were a number of updates made to previously released rules to improve 
their accuracy. For a complete list of changes see the changelog at 
http://www.snort.org/rules/docs/ruleset_changelogs/v23/changes-2005-03-28.html. 


As a side note, this ruleset includes the rules used by NSS for their 
recent Gigabit IDS Test.

Registered users will be able to get this content on 4/2.  Additionally 
an updated Community Rule Pack will be out shortly.

Cheers
Matthew Watchinski
Director, Vulnerability Research Team
Sourcefire, Inc.

Arseneault, Thomas (HQP) wrote:

>I know all about how subscription vs. registered works, my point was
>that the previous poster said that there have been two releases since
>the 16th and there hasn't been, not to the general public anyway. I also
>use oinkmaster and I frequently see updates to the bleeding set but only
>once from snort.org for either the vrt or community rule sets, back near
>the 16th. I just checked the output of my update (which I have
>automatically done at 12:30 every morning) and saw no updates for vrt or
>community but oinkmaster did function properly, it processed the rule
>sets but just did not find anything had changed (Just to be sure I ran
>the update script by hand to watch for error messages that might not
>have made it into the logs and it worked flawlessly, downloaded all the
>files, unpacked them and checked for changes, found none and exited).
>
>Tom
>
>
>-----Original Message-----
>From: Briggs, Bruce [mailto:Bruce.Briggs at ...13183...] 
>Sent: Thursday, March 31, 2005 7:12 AM
>To: Arseneault, Thomas (HQP)
>Cc: snort-users
>Subject: RE: [Snort-users] RE: [Snort-sigs] Any new rules coming out
>of snort.org?
>
>Have you registered on the Snort site?
>If not, then you won't get updates until the next Snort release.
>http://www.snort.org/rules/
>   Subscribers receive real-time rules updates as they are available -
>Learn more about subscription highlights here 
>   Registered users can access rule updates 5 days after release to
>subscription users. 
>   Unregistered users receive a static ruleset at the time of each major
>Snort Release 
>
>I am registered, and I see some updated rules files from my Oinkmaster
>update done yesterday.
>
>Bruce
>
>-----Original Message-----
>From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
>Arseneault, Thomas (HQP)
>Sent: Wednesday, March 30, 2005 6:23 PM
>To: Ron Jenkins; Matt Kettler
>Cc: snort-users
>Subject: RE: [Snort-users] RE: [Snort-sigs] Any new rules coming out of
>snort.org?
>
>I just downloaded the latest ruleset from
>http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkmaster
>code>/snortrules-snapshot-2.3.tar.gz and I found that all the included
>files were dated 3/16; none were any later. I did see an email from
>the 28th about a "VRT Certified Rules Update" but nothing so far.
>
>Tom Arseneault
>Security Engineer
>Robert Half International
>
>
>-----Original Message-----
>From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Ron
>Jenkins
>Sent: Wednesday, March 30, 2005 1:43 PM
>To: Matt Kettler
>Cc: snort-users
>Subject: [Snort-users] RE: [Snort-sigs] Any new rules coming out of
>snort.org?
>
>There have been two sets of rules since then for registered and
>subscriber users.
>
>
>
>-----Original Message-----
>From: snort-sigs-admin at lists.sourceforge.net
>[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Matt
>Kettler
>Sent: Wednesday, March 30, 2005 3:45 PM
>To: Tom Currie, Consultant
>Cc: snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] Any new rules coming out of snort.org?
>
>Tom Currie, Consultant wrote:
>
>
>>I see that I have new rules all the time from bleeding-snort, but I have not had
>>any new rules from snort.org since March 16th.  (based on oinkmaster).
>>
>>I am still getting downloads of the tgz sig file, but it's frozen in time.  Is
>>it deprecated and I should just move on, or what?
>>
>See the website:
>http://www.snort.org/rules/
>
>
>
>
>-------------------------------------------------------
>This SF.net email is sponsored by Demarc:
>A global provider of Threat Management Solutions.
>Download our HomeAdmin security software for free today!
>http://www.demarc.com/info/Sentarus/hamr30
>_______________________________________________
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
>-------------------------------------------------------
>This SF.net email is sponsored by Demarc:
>A global provider of Threat Management Solutions.
>Download our HomeAdmin security software for free today!
>http://www.demarc.com/info/Sentarus/hamr30
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=ort-users