Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27

[Joel Esler <jesler () sourcefire com>]

On Tue, Sep 28, 2010 at 1:25 PM, waldo kitty <wkitty42 () windstream net>wrote:

> On 9/28/2010 11:03, infosec posts wrote:> alert tcp $HOME_NET any ->
> > $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer
> > Long URL Buffer Overflow attempt"; flow:established,to_server;
> > urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D
> > 0A|"; metadata:service http; reference:bugtraq,19667;
> > reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)
> >
> > Unless I am mistaken, we got a brand new signature for something that
> > was patched in 2006 (IE 6.0 SP1 on WinXP XP1).  It was also written so
> > broadly that I'm north of 90,000 alerts in an 8-hour overnight time
> > window before I killed the signature, and still counting as the
> > buffers flush out from my sensors.
>
> ouch! that is a bit on the extreme side, isn't it :?
Look at the vulnerability CVE for some laughs.  Shame on you IE.

Sometimes in the act of writing rules for stupid programmer mistakes, it's
hard to write a rule to catch that crazyiness.   All you have to do is issue
it a big long URL?  Seriously?

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs