Snort mailing list archives
Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27
From: infosec posts <infosec.posts () gmail com>
Date: Tue, 28 Sep 2010 10:03:17 -0500
I have to ask, because I must be missing something here.

SID:17494 - web-client.rules -
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; flow:established,to_server; urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)

Unless I am mistaken, we got a brand new signature for something that was patched in 2006 (IE 6.0 SP1 on WinXP SP1). It was also written so broadly that I'm north of 90,000 alerts in an 8-hour overnight time window before I killed the signature, and still counting as the buffers flush out from my sensors.

Am I off my rocker, or is this a "WTF?" signature reminiscent of the great SMTP FP debacle in the past?

On Mon, Sep 27, 2010 at 4:23 PM, Research <research () sourcefire com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sourcefire VRT Certified Snort Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
As a result of ongoing research, the Sourcefire VRT has added and modified multiple rules in the chat, dns, exploit, ftp, imap, misc, netbios, oracle, policy, pop3, rpc, specific-threats, sql, tftp, web-activex, web-client and web-misc rule sets to provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:
http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-09-27.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFMoQeuQcQOxItLLaMRAjfSAJ48UoGNn5OA6BwZuHAKG2q4AgZPxACgpRxl
cHkrx29GrpOy24o1Ao+o5PI=
=02Sl
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
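As an added illustration (not code from the poster, from the Sourcefire VRT, or from Snort itself), the Python below approximates the payload conditions stated in SID 17494 and runs them over constructed sample requests, to show why a rule whose only discriminators are "GET", "urilen:>260" and a literal "HTTP/1.1" line fires on ordinary browsing. The sample requests, the hostname example.test and the function names are assumptions made for this demonstration; flow state and $HTTP_PORTS are taken as satisfied, which is what normal outbound web traffic from $HOME_NET looks like.

```python
"""Approximation of the matching logic of Snort SID 17494.

Added illustration only: this is neither VRT code nor Snort's detection
engine. It applies the three payload checks the rule text states and
treats flow:established,to_server and $HTTP_PORTS as already satisfied.
"""
import re
from collections import Counter

# Request line: METHOD SP URI SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) ([^ \r\n]+) (HTTP/\d\.\d)\r\n")
URILEN_THRESHOLD = 260  # urilen:>260


def parse_request_line(payload: bytes):
    """Return (method, uri, version) or None if there is no request line."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def sid17494_matches(payload: bytes) -> bool:
    """Apply the rule's payload checks in the order the rule lists them."""
    parsed = parse_request_line(payload)
    if parsed is None:
        return False
    method, uri, _version = parsed
    # urilen:>260 -- written without 'norm', so the raw URI length counts
    if len(uri) <= URILEN_THRESHOLD:
        return False
    # content:"GET"; http_method; -- a substring search in the method buffer
    if b"GET" not in method:
        return False
    # content:"HTTP|2F|1|2E|1|0D 0A|"; -- no http_* modifier, so this is a
    # search of the raw payload for the literal bytes "HTTP/1.1\r\n"
    return b"HTTP/1.1\r\n" in payload


def build_request(uri: bytes, version: bytes = b"HTTP/1.1",
                  method: bytes = b"GET") -> bytes:
    """Assemble a minimal request; example.test is an assumed hostname."""
    return method + b" " + uri + b" " + version + b"\r\nHost: example.test\r\n\r\n"


# Constructed sample traffic (not real captures): the kinds of long URLs
# that analytics beacons, search pages and ad networks produce every day.
SAMPLES = {
    "short_get": build_request(b"/index.html"),
    "analytics_beacon": build_request(
        b"/collect?v=1&tid=UA-0000000-1&cid=" + b"a" * 32
        + b"&dl=" + b"%2Fpage%2F" * 30 + b"&dt=Home"),
    "search_with_tracking": build_request(
        b"/search?q=" + b"snort+rule+false+positive+" * 12 + b"&src=ie"),
    # Long URI but wrong method: the http_method check drops it
    "post_long_uri": build_request(b"/api/" + b"x" * 300, method=b"POST"),
    # Long GET but HTTP/1.0: the literal "HTTP/1.1\r\n" is absent
    "http10_long_uri": build_request(b"/" + b"y" * 300, version=b"HTTP/1.0"),
    "boundary_260": build_request(b"/" + b"z" * 259),  # exactly 260: no alert
    "boundary_261": build_request(b"/" + b"z" * 260),  # 261: alert
}


def count_hits(samples: dict) -> Counter:
    """Tally how many of the samples the rule would alert on."""
    tally = Counter()
    for payload in samples.values():
        tally["alert" if sid17494_matches(payload) else "pass"] += 1
    return tally


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        uri = parse_request_line(payload)[1]
        print(f"{name:22s} urilen={len(uri):4d} alert={sid17494_matches(payload)}")
    print(dict(count_hits(SAMPLES)))
```

Of the seven constructed requests, three alert, and two of those are perfectly benign long GETs; nothing in the rule distinguishes them from the 2006 IE condition it references, which is consistent with the alert volume the poster reports.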
Current thread:
- Sourcefire VRT Certified Snort Rules Update 2010-09-27 Research (Sep 27)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 infosec posts (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 Alex Kirk (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 waldo kitty (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 Eoin Miller (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 Nigel Houghton (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 waldo kitty (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 Joel Esler (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 waldo kitty (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 L0rd Ch0de1m0rt (Sep 29)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 infosec posts (Sep 28)