Snort mailing list archives
Re: [Spam] Re: Possible FP 17363
From: "Lay, James" <james.lay () wincofoods com>
Date: Tue, 26 Oct 2010 10:06:19 -0600
So let me understand this. My understanding of the Subscription Rules was that these were the latest and greatest bleeding edge rules...especially for 0-day items, new malware, trojans, etc. The Subscription Rules also contained "fixed" rules?

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday, October 26, 2010 8:55 AM
To: Lay, James
Cc: snort-sigs () lists sourceforge net
Subject: [Spam] Re: [Snort-sigs] Possible FP 17363
Importance: Low

Pastebin. However, you aren't receiving the rule yet because it has not come out of the 30 day window for registered users.

J

On Oct 26, 2010, at 10:48 AM, Lay, James wrote:

Thank you. Oinkmaster.conf:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/code/snortrules-snapshot-2900.tar.gz
url = http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz
path = /bin:/usr/bin:/usr/local/bin
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
skipfile local.rules
skipfile deleted.rules
skipfile snort.conf
disablesid 100000137,2002751,485,2006380,2001569,2011346,2011347,2003195,2003601,2003602,1390,1394,17246,17276,17297,17363

The snort.conf file is kinda beefy...what's the best method to put this online?

Thanks again.

James

From: Weir, Jason [mailto:jason.weir () nhrs org]
Sent: Tuesday, October 26, 2010 8:21 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Possible FP 17363

have to see your oinkmaster.conf and snort.conf

-J

-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Tuesday, October 26, 2010 10:13 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] [Spam] Re: Possible FP 17363

Hrmm....that's confusing then...oinkmaster says:

Loading /usr/local/etc/snort/oinkmaster.conf
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2900.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Downloading file from http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Setting up rules structures... done.
Processing downloaded rules... disabled 8, enabled 0, modified 0, total=21693
Setting up rules structures... done.
Comparing new files to the old ones... done.
Updating local rules files... done.

Yet:

[08:11:48 me@ids:~/rules$] sudo grep 17363 *.rules
web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple computer finder DMG volume name memory corruption"; flow:to_client,established; content:"|4C 41 42 4C|"; byte_test:2,>,254,12,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:1;)

Are rules not getting updated in 2900? Or is my oinkmaster not doing what it's supposed to do?

Thanks for any help.

James

From: Alex Kirk [mailto:akirk () sourcefire com]
Sent: Monday, October 25, 2010 10:44 AM
To: rmkml
Cc: Lay, James; snort-sigs () lists sourceforge net; rmkml () free fr
Subject: [Spam] Re: [Snort-sigs] Possible FP 17363
Importance: Low

Actually, this rule is currently at rev:3 - adding a flowbit check and some additional bytes to the content match - due to earlier false positive reports. If you get further FPs with the current revision of the rule, please let us know.

On Mon, Oct 25, 2010 at 12:38 PM, rmkml <rmkml () yahoo fr> wrote:

Hi James,
maybe for "small" reduce FP add "isdataat:255,relative;" after byte_test()?
another maybe null byte are separator? and instead "isdataat:255,relative; content:!"|00|"; within:255;" ?
Regards
Rmkml
PS: http://www.securityfocus.com/archive/1/archive/1/456578/100/0/threaded
--
Joel Esler
302-223-5974
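The rev:1 rule quoted in the thread reads two big-endian bytes 12 past the end of the "LABL" match and fires when they exceed 254; rmkml's reply proposes tightening it with isdataat:255,relative and a negated NUL content within 255 bytes. The Python below is an illustration added here, not code from the thread, Snort or the Sourcefire VRT: it models both match conditions over constructed payloads (not real DMG data) so a rule maintainer can see which inputs the tighter version stops matching. It assumes byte_test's default big-endian, unsigned decode and approximates Snort's content backtracking by retrying every "LABL" occurrence.

```python
import struct

# Byte pattern from the quoted rule: content:"|4C 41 42 4C|" == b"LABL".
MARK = b"LABL"

def _byte_test_hits(payload: bytes):
    """Yield the cursor (end of each 'LABL' match) at which
    byte_test:2,>,254,12,relative passes: read 2 big-endian bytes starting
    12 bytes past the cursor and compare with 254. Every occurrence of the
    pattern is tried, approximating Snort's retry of the content match when
    a later option fails."""
    pos = payload.find(MARK)
    while pos != -1:
        cursor = pos + len(MARK)
        off = cursor + 12
        if off + 2 <= len(payload):
            (val,) = struct.unpack(">H", payload[off:off + 2])
            if val > 254:
                yield cursor
        pos = payload.find(MARK, pos + 1)

def rule_17363_rev1(payload: bytes) -> bool:
    """Match logic of sid:17363 rev:1 exactly as quoted in the thread."""
    return next(_byte_test_hits(payload), None) is not None

def rule_17363_tightened(payload: bytes) -> bool:
    """rmkml's proposed tightening (hypothetical rule text, approximated):
    isdataat:255,relative; content:!"|00|"; within:255; i.e. at least 255
    bytes must follow the match and none of them may be a NUL separator.
    byte_test does not move the cursor, so the window starts after 'LABL'."""
    for cursor in _byte_test_hits(payload):
        window = payload[cursor:cursor + 255]
        if len(window) == 255 and b"\x00" not in window:
            return True
    return False

# Constructed sample payloads: 12 filler bytes, then the 2-byte value the
# rule inspects, then trailing data of varying shape.
PAD = b"\x01" * 12
EXPLOIT_LIKE = MARK + PAD + struct.pack(">H", 300) + b"A" * 300
BENIGN_SMALL = MARK + PAD + struct.pack(">H", 16) + b"B" * 16
TRUNCATED = MARK + PAD + struct.pack(">H", 300) + b"C" * 20
NUL_SEPARATED = MARK + PAD + struct.pack(">H", 300) + b"\x00" + b"D" * 300

if __name__ == "__main__":
    for name, p in [("exploit-like", EXPLOIT_LIKE), ("benign", BENIGN_SMALL),
                    ("truncated", TRUNCATED), ("nul-separated", NUL_SEPARATED)]:
        print(f"{name:14s} rev1={rule_17363_rev1(p)} "
              f"tightened={rule_17363_tightened(p)}")
```

The "truncated" and "nul-separated" cases are the ones the original rule alerts on but the tightened form does not, which is the false-positive reduction rmkml is aiming at; whether real traffic looks like that is what the FP reports in the thread are about.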