Snort mailing list archives

Re: [Spam] Re: Possible FP 17363


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 26 Oct 2010 12:45:48 -0400

When new or updated rules are released, they go into the subscriber package for 30 days, which, like I said, is available as a personal subscription for $29 a year. After the 30 days from release, they are rolled over to the free registered feed.

J


Sent from my iPhone

On Oct 26, 2010, at 12:11 PM, "Weir, Jason" <jason.weir () nhrs org> wrote:

Funny you used the term bleeding edge....

I'll let Joel explain the different rule sets available from VRT, but if you are getting your bleeding edge rules from Emerging Threats...

-J
-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com] 
Sent: Tuesday, October 26, 2010 12:06 PM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] [Spam] Re: Possible FP 17363

So let me understand this. My understanding of the Subscription Rules was that these were the latest and greatest bleeding edge rules... especially for 0-day items, new malware, trojans, etc. The Subscription Rules also contained "fixed" rules?

 

From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Tuesday, October 26, 2010 8:55 AM
To: Lay, James
Cc: snort-sigs () lists sourceforge net
Subject: [Spam] Re: [Snort-sigs] Possible FP 17363
Importance: Low

 

Pastebin.

However, you aren't receiving the rule yet because it has not come out of the 30-day window for registered users.

J

On Oct 26, 2010, at 10:48 AM, Lay, James wrote:




Thank you.

Oinkmaster.conf:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/code/snortrules-snapshot-2900.tar.gz
url = http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz
path = /bin:/usr/bin:/usr/local/bin
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
skipfile local.rules
skipfile deleted.rules
skipfile snort.conf
disablesid 100000137,2002751,485,2006380,2001569,2011346,2011347,2003195,2003601,2003602,1390,1394,17246,17276,17297,17363

 

The snort.conf file is kinda beefy... what's the best method to put this online? Thanks again.

 

James

 

From: Weir, Jason [mailto:jason.weir () nhrs org] 
Sent: Tuesday, October 26, 2010 8:21 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Possible FP 17363

 

Have to see your oinkmaster.conf and snort.conf.

 

-J

-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com] 
Sent: Tuesday, October 26, 2010 10:13 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] [Spam] Re: Possible FP 17363

Hrmm... that's confusing then... oinkmaster says:

 

Loading /usr/local/etc/snort/oinkmaster.conf
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2900.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Downloading file from http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Setting up rules structures... done.
Processing downloaded rules... disabled 8, enabled 0, modified 0, total=21693
Setting up rules structures... done.
Comparing new files to the old ones... done.
Updating local rules files... done.

 

Yet:

[08:11:48 me@ids:~/rules$] sudo grep 17363 *.rules
web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple computer finder DMG volume name memory corruption"; flow:to_client,established; content:"|4C 41 42 4C|"; byte_test:2,>,254,12,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:1;)

 

Are rules not getting updated in 2900? Or is my oinkmaster not doing what it's supposed to do? Thanks for any help.

 

James
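The question James is asking (is sid 17363 actually in the downloaded ruleset, at which rev, and did Oinkmaster's disablesid turn it off?) is something a grep for the sid cannot answer on its own, because Oinkmaster disables a rule by commenting it out rather than deleting it, so the rule text stays in the file. The script below is an added example, not code from the thread or from Oinkmaster: it indexes a rules file by sid, records the rev and whether the line is commented out, and audits a disablesid list against it. The sample rules text (apart from the 17363 rule quoted in the thread), the other sids and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of a rules file after an Oinkmaster run. The 17363 line is
# the rule quoted in the thread, shown here already commented out; the other two
# rules and their sids are made up for this example.
SAMPLE_RULES = r'''
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple computer finder DMG volume name memory corruption"; flow:to_client,established; content:"|4C 41 42 4C|"; byte_test:2,>,254,12,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE constructed rule A"; content:"foo"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE constructed rule B"; content:"bar"; sid:1000002; rev:5;)
'''

# A rule line, optionally commented out ("# alert ..." is how a disabled rule looks).
RULE_RE = re.compile(r'^\s*(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


@dataclass
class RuleState:
    sid: int
    rev: int
    enabled: bool
    msg: str


def parse_rules(text: str) -> Dict[int, RuleState]:
    """Index every rule line, enabled or commented out, by its sid."""
    rules: Dict[int, RuleState] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or an ordinary comment, not a rule
        sid_m, rev_m, msg_m = SID_RE.search(line), REV_RE.search(line), MSG_RE.search(line)
        if not sid_m:
            continue
        sid = int(sid_m.group(1))
        rules[sid] = RuleState(
            sid=sid,
            rev=int(rev_m.group(1)) if rev_m else 0,
            enabled=m.group('disabled') is None,
            msg=msg_m.group(1) if msg_m else '',
        )
    return rules


def parse_disablesid(directive: str) -> List[int]:
    """Parse an Oinkmaster 'disablesid a,b,c' directive, tolerating a wrapped line."""
    body = directive.split('disablesid', 1)[1]
    return [int(s) for s in re.split(r'[,\s]+', body.strip()) if s]


def audit(rules: Dict[int, RuleState], wanted_off: List[int]) -> Dict[str, List[int]]:
    """For each sid you asked Oinkmaster to disable: missing, still enabled, or disabled."""
    report: Dict[str, List[int]] = {'missing': [], 'still_enabled': [], 'disabled': []}
    for sid in wanted_off:
        state = rules.get(sid)
        if state is None:
            report['missing'].append(sid)
        elif state.enabled:
            report['still_enabled'].append(sid)
        else:
            report['disabled'].append(sid)
    return report


if __name__ == '__main__':
    parsed = parse_rules(SAMPLE_RULES)
    print(audit(parsed, parse_disablesid('disablesid 17363,1000001,485')))
```

The "missing" bucket is the one that explains a count like "disabled 8" for a sixteen-entry disablesid list: sids that are not in the feed you downloaded (for example a rule still inside the subscriber-only window) cannot be disabled, and the rev field tells you which revision of a rule you actually have.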

 

From: Alex Kirk [mailto:akirk () sourcefire com] 
Sent: Monday, October 25, 2010 10:44 AM
To: rmkml
Cc: Lay, James; snort-sigs () lists sourceforge net; rmkml () free fr
Subject: [Spam] Re: [Snort-sigs] Possible FP 17363
Importance: Low

 

Actually, this rule is currently at rev:3 - adding a flowbit check and some additional bytes to the content match - 
due to earlier false positive reports. If you get further FPs with the current revision of the rule, please let us 
know.

On Mon, Oct 25, 2010 at 12:38 PM, rmkml <rmkml () yahoo fr> wrote:

Hi James,
Maybe, for a "small" FP reduction, add "isdataat:255,relative;" after the byte_test()?
Another possibility: maybe null bytes are separators? Then instead "isdataat:255,relative; content:!"|00|"; within:255;"?
Regards
Rmkml

PS: http://www.securityfocus.com/archive/1/archive/1/456578/100/0/threaded
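To make rmkml's two suggestions concrete, here is a small added evaluator for the rule options involved (content, relative byte_test, relative isdataat, and a negated content with within), run over constructed payloads. This is example code, not Snort or VRT code: the handling of the detect-offset pointer is my reading of Snort 2.x semantics (a content match advances it past the match, byte_test reads relative to it without moving it, isdataat asks whether a byte exists that far past it), and the 'LABL' layout, filler bytes and payloads are constructed for the example rather than taken from any DMG specification.

```python
import struct
from typing import Callable, Dict, List, Tuple

# One rule option: (payload, doe) -> new doe, or -1 when the option fails.
# "doe" is the detect-offset-end, the byte just past the last content match.
Check = Callable[[bytes, int], int]


def content(pattern: bytes) -> Check:
    """content:"..."; search from doe onward and advance doe past the match."""
    def run(payload: bytes, doe: int) -> int:
        idx = payload.find(pattern, doe)
        return -1 if idx < 0 else idx + len(pattern)
    return run


def byte_test(size: int, op: str, value: int, offset: int) -> Check:
    """byte_test:size,op,value,offset,relative; big-endian read at doe+offset, doe unchanged."""
    ops = {'>': lambda a, b: a > b, '<': lambda a, b: a < b, '=': lambda a, b: a == b}
    def run(payload: bytes, doe: int) -> int:
        start = doe + offset
        if start + size > len(payload):
            return -1  # the length field itself is not present
        n = int.from_bytes(payload[start:start + size], 'big')
        return doe if ops[op](n, value) else -1
    return run


def isdataat(n: int) -> Check:
    """isdataat:n,relative; succeed only if a byte exists n bytes past doe (assumed semantics)."""
    return lambda payload, doe: doe if len(payload) > doe + n else -1


def not_content_within(pattern: bytes, within: int) -> Check:
    """content:!"..."; within:n; succeed only if the pattern is absent from the next n bytes."""
    def run(payload: bytes, doe: int) -> int:
        window = payload[doe:doe + within + len(pattern) - 1]
        return -1 if pattern in window else doe
    return run


def matches(payload: bytes, checks: List[Check]) -> bool:
    doe = 0
    for chk in checks:
        doe = chk(payload, doe)
        if doe < 0:
            return False
    return True


LABL = b'LABL'  # the |4C 41 42 4C| content from the rule
RULE_REV1 = [content(LABL), byte_test(2, '>', 254, 12)]        # options as quoted at rev:1
RULE_ISDATAAT = RULE_REV1 + [isdataat(255)]                     # first suggestion
RULE_NO_NUL = RULE_ISDATAAT + [not_content_within(b'\x00', 255)]  # second suggestion


def make_payload(declared_len: int, body: bytes) -> bytes:
    """Constructed layout: 'LABL', 12 non-zero filler bytes, a big-endian u16 length, then body."""
    return LABL + b'\x10' * 12 + struct.pack('>H', declared_len) + body


# Constructed inputs: a genuinely oversized name, a short buffer that merely
# declares a big length, and a long buffer containing a NUL inside the window.
OVERSIZED = make_payload(300, b'A' * 300)
TRUNCATED = make_payload(300, b'A' * 20)
SEPARATORS = make_payload(300, b'A' * 100 + b'\x00' + b'B' * 200)


def evaluate() -> Dict[str, Tuple[bool, bool, bool]]:
    """(rev1 alerts?, with isdataat alerts?, with isdataat + no-NUL alerts?) per payload."""
    return {
        name: (matches(p, RULE_REV1), matches(p, RULE_ISDATAAT), matches(p, RULE_NO_NUL))
        for name, p in (('oversized', OVERSIZED), ('truncated', TRUNCATED), ('separators', SEPARATORS))
    }


if __name__ == '__main__':
    for name, result in evaluate().items():
        print(name, result)
```

The truncated payload is the false-positive case the isdataat check removes: the length field alone satisfies byte_test, but nothing that long follows it. The negated-content variant is stricter still, and one caveat shows up in the constructed data: the within window starts right after 'LABL', so any NUL in the bytes between the label and the length field would also suppress the alert, which is why the filler here is non-zero.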

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs