[Snort-users] SID 16367

Alex Kirk akirk at ...1935...
Mon Jan 25 12:56:18 EST 2010


It's an SO rule, so you're not going to see the rule itself anywhere in the
rules download. The .so file will be in
so_rules/precompiled/<OS>/<platform>/<Snort Version>/web_client.so,
i.e. so_rules/precompiled/Ubuntu-6.01.1/i386/2.8.5.1/web_client.so. A stub
rule should be in the so_rules/web_client.rules file.

That said, one thing I've seen happen repeatedly (and done myself) is that
someone grabbed the registered user release instead of the subscriber
release (it's the lower thing on the page when you hit the download rules
button, and it just seems obvious), and the registered release won't have
that rule yet (there's a 30-day delay).

On Mon, Jan 25, 2010 at 12:29 PM, Document Retention <
document.retention at ...11827...> wrote:

> Hello,
>
> I am unable to find the new IE zero day exploit rule within the latest VRT
> ruleset.  The VRT guys said they added it on the 15th.
> http://www.snort.org/vrt/advisories/2010/01/15/vrt-rules-2010-01-15.html/
>
> Am I missing something?  Where is the rule?
>
>
> Thanks,
>
>
> Doc



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
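
One way to check an unpacked rules download for the layout described in the message above, as an added example that is not part of the original post or of the Snort distribution. classify_sid, so_builds and make_sample_tree are hypothetical helper names, and the sample tree is constructed (placeholder stub text, empty .so file).

```shell
#!/bin/sh
# Added example: locate a SID in an unpacked rules tree and tell stub from text rule.

# classify_sid SID RULES_ROOT -> "so-stub <file>", "text <file>" or "missing"
classify_sid() {
    sid=$1 root=$2
    # Anchor on the delimiters so sid:16367 does not also match sid:163670.
    pat="[(;[:space:]]sid:[[:space:]]*${sid}[[:space:]]*;"
    file=$(find "$root" -type f -name '*.rules' -exec grep -lE "$pat" {} + 2>/dev/null |
        sort | head -n 1)
    if [ -z "$file" ]; then
        echo "missing"
        return 1
    fi
    case $file in
        */so_rules/*) echo "so-stub $file" ;;  # detection logic lives in a .so
        *)            echo "text $file" ;;     # ordinary text rule
    esac
}

# so_builds STUB_FILE -> precompiled builds for the stub's category, following
# so_rules/precompiled/<OS>/<platform>/<Snort Version>/<category>.so
so_builds() {
    category=$(basename "$1" .rules)
    find "$(dirname "$1")/precompiled" -type f -name "${category}.so" 2>/dev/null | sort
}

# Constructed sample tree; the rule bodies are placeholders, not real VRT rules.
make_sample_tree() {
    t=$(mktemp -d)
    d="$t/so_rules/precompiled/Ubuntu-6.01.1/i386/2.8.5.1"
    mkdir -p "$d" "$t/rules"
    : > "$d/web_client.so"
    echo 'alert tcp any any -> any any (msg:"constructed stub"; sid:16367; gid:3; rev:1;)' > "$t/so_rules/web_client.rules"
    echo 'alert tcp any any -> any any (msg:"constructed text rule"; sid:163670; rev:1;)' > "$t/rules/web-client.rules"
    echo "$t"
}

# Demo on the constructed tree.
tree=$(make_sample_tree)
classify_sid 16367 "$tree"
so_builds "$tree/so_rules/web_client.rules"
rm -rf "$tree"
```

A `missing` result for a SID named in an advisory is consistent with the registered-release case described in the message above.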