[Snort-users] apparent discrepancies at http://www.snort.org/vrt/

Nigel Houghton nhoughton at ...1935...
Thu Feb 12 14:22:08 EST 2009


On Thu, Feb 12, 2009 at 2:09 PM, Tim Maletic <tmaletic at ...11827...> wrote:
> At http://www.snort.org/vrt/advisories/vrt-rules-2009-02-10.html, we
> see the following GID|SIDs listed:
> GID 3, SIDs 15304 and 15305.
> GID 3, SIDs 15301 and 15302.
> GID 1, SIDs 15127 through 15144.
> GID 3, SIDs 15298, 15299 and 15303.
>
> But at http://www.snort.org/vrt/docs/ruleset_changelogs/2_8/changes-2009-02-10.html,
> we see this list:
>
> New rules:
> 15307 <-> WEB-ACTIVEX Microsoft Animation Control ActiveX clsid access
> (web-activex.rules, High)
> 15308 <-> WEB-ACTIVEX Microsoft Animation Control ActiveX clsid
> unicode access (web-activex.rules, High)
> 15309 <-> WEB-ACTIVEX Microsoft Animation Control ActiveX function
> call access (web-activex.rules, High)
> 15310 <-> WEB-ACTIVEX Microsoft Animation Control ActiveX function
> call unicode access (web-activex.rules, High)
> 15311 <-> WEB-ACTIVEX Research In Motion AxLoader ActiveX clsid access
> (web-activex.rules, High)
> 15312 <-> WEB-ACTIVEX Research In Motion AxLoader ActiveX clsid
> unicode access (web-activex.rules, High)
> 15313 <-> WEB-ACTIVEX Research In Motion AxLoader ActiveX function
> call access (web-activex.rules, High)
> 15314 <-> WEB-ACTIVEX Research In Motion AxLoader ActiveX function
> call unicode access (web-activex.rules, High)
> 15315 <-> WEB-ACTIVEX Akamai DownloadManager ActiveX clsid access
> (web-activex.rules, High)
> 15316 <-> WEB-ACTIVEX Akamai DownloadManager ActiveX clsid unicode
> access (web-activex.rules, High)
> 15317 <-> WEB-ACTIVEX Akamai DownloadManager ActiveX function call
> access (web-activex.rules, High)
> 15318 <-> WEB-ACTIVEX Akamai DownloadManager ActiveX function call
> unicode access (web-activex.rules, High)
>
> Can someone explain the discrepancy?  Why do the SIDs in the advisory
> not appear in the changelog?

Yes, we are aware of this issue. The shared object rules are not
reflected in the changelog. All shared object rules are listed in the
advisory for the rule release, though, as you found out.

--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
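
To check a release for the gap described in this thread, the following added example (not code from the original messages or from Sourcefire) parses both formats quoted above and reports which GID:SID pairs appear in only one list. The sample text is constructed from the quoted lines, with the changelog cut to three of its twelve entries. Treating changelog entries as GID 1 and GID 3 as the shared object generator are assumptions of the example.

```python
import re

# Constructed sample input: lines quoted in the thread, with mail quoting and
# wrapping removed. The changelog sample is a three-entry subset.
ADVISORY = """\
GID 3, SIDs 15304 and 15305.
GID 3, SIDs 15301 and 15302.
GID 1, SIDs 15127 through 15144.
GID 3, SIDs 15298, 15299 and 15303.
"""
CHANGELOG = """\
15307 <-> WEB-ACTIVEX Microsoft Animation Control ActiveX clsid access (web-activex.rules, High)
15311 <-> WEB-ACTIVEX Research In Motion AxLoader ActiveX clsid access (web-activex.rules, High)
15318 <-> WEB-ACTIVEX Akamai DownloadManager ActiveX function call unicode access (web-activex.rules, High)
"""

def parse_advisory(text):
    """Return {(gid, sid)} from 'GID n, SIDs a, b and c.' or 'a through b' lines."""
    pairs = set()
    for m in re.finditer(r"GID (\d+), SIDs ([^.]+)\.", text):
        gid, body = int(m.group(1)), m.group(2).strip()
        rng = re.fullmatch(r"(\d+) through (\d+)", body)
        sids = (range(int(rng.group(1)), int(rng.group(2)) + 1) if rng
                else map(int, re.findall(r"\d+", body)))
        pairs.update((gid, sid) for sid in sids)
    return pairs

def parse_changelog(text, gid=1):
    """Changelog lines carry no GID; assume text rules, which default to GID 1."""
    return {(gid, int(sid)) for sid in re.findall(r"^(\d+) <->", text, re.M)}

def reconcile(advisory, changelog):
    # Assumption: GID 3 is the generator ID Snort uses for shared object rules.
    only_adv = advisory - changelog
    return {
        "so_rules_missing_from_changelog": sorted(p for p in only_adv if p[0] == 3),
        "other_advisory_only": sorted(p for p in only_adv if p[0] != 3),
        "changelog_only": sorted(changelog - advisory),
    }

if __name__ == "__main__":
    report = reconcile(parse_advisory(ADVISORY), parse_changelog(CHANGELOG))
    for bucket, pairs in report.items():
        print(bucket, [f"{g}:{s}" for g, s in pairs])
```

The first bucket is the case the reply accounts for; the other two hold pairs that appear in only one of the quoted lists.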



