Snort mailing list archives
Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 28 Sep 2010 13:42:53 -0400
On Tue, Sep 28, 2010 at 1:25 PM, waldo kitty <wkitty42 () windstream net>wrote:
On 9/28/2010 11:03, infosec posts wrote:> alert tcp $HOME_NET any ->$EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; flow:established,to_server; urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;) Unless I am mistaken, we got a brand new signature for something that was patched in 2006 (IE 6.0 SP1 on WinXP XP1). It was also written so broadly that I'm north of 90,000 alerts in an 8-hour overnight time window before I killed the signature, and still counting as the buffers flush out from my sensors.ouch! that is a bit on the extreme side, isn't it :?
Look at the vulnerability CVE for some laughs. Shame on you IE. Sometimes in the act of writing rules for stupid programmer mistakes, it's hard to write a rule to catch that crazyiness. All you have to do is issue it a big long URL? Seriously?
------------------------------------------------------------------------------ Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- Sourcefire VRT Certified Snort Rules Update 2010-09-27 Research (Sep 27)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 infosec posts (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 Alex Kirk (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 waldo kitty (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 Eoin Miller (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 Nigel Houghton (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 waldo kitty (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 Joel Esler (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 waldo kitty (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 L0rd Ch0de1m0rt (Sep 29)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 infosec posts (Sep 28)