Snort mailing list archives
Re: [Spam] Re: Possible FP 17363
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 26 Oct 2010 12:45:48 -0400
When new rules, or updated rules are released, they are released into the subscriber package for 30 days, which, like I said is available for a personal subscription for 29$ a year. After the 30-days from release they are rolled over to the free registered feed. J Sent from my iPhone On Oct 26, 2010, at 12:11 PM, "Weir, Jason" <jason.weir () nhrs org> wrote:
funny you used the term bleeding edge.... I'll let Joel explain the different rule sets available from VRT but if you are getting your bleeding edge rules from Emerging Threats... -J -----Original Message----- From: Lay, James [mailto:james.lay () wincofoods com] Sent: Tuesday, October 26, 2010 12:06 PM To: snort-sigs () lists sourceforge net Subject: Re: [Snort-sigs] [Spam] Re: Possible FP 17363 So let me understand this. My understanding of the Subscription Rules were that these were the latest and greatest bleeding edge rules…especially for 0-day items, new malware, trojans, etc. The Subscription Rules also contained “fixed” rules? From: Joel Esler [mailto:jesler () sourcefire com] Sent: Tuesday, October 26, 2010 8:55 AM To: Lay, James Cc: snort-sigs () lists sourceforge net Subject: [Spam] Re: [Snort-sigs] Possible FP 17363 Importance: Low Pastebin. However, you aren't receiving the rule yet because it has not come out of the 30 day window for registered users. J On Oct 26, 2010, at 10:48 AM, Lay, James wrote: Thank you. Oinkmaster.conf: url = http://www.snort.org/pub-bin/oinkmaster.cgi/code/snortrules-snapshot-2900.tar.gz url = http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz path = /bin:/usr/bin:/usr/local/bin update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ skipfile local.rules skipfile deleted.rules skipfile snort.conf disablesid 100000137,2002751,485,2006380,2001569,2011346,2011347,2003195,2003601,2003602,1390,1394,17246,17276,17297,17363 The snort.conf file is kinda beefy…what’s the best method to put this online? Thanks again. James From: Weir, Jason [mailto:jason.weir () nhrs org] Sent: Tuesday, October 26, 2010 8:21 AM To: snort-sigs () lists sourceforge net Subject: Re: [Snort-sigs] Possible FP 17363 have to see your oinkmaster.conf and snort.con -J -----Original Message----- From: Lay, James [mailto:james.lay () wincofoods com] Sent: Tuesday, October 26, 2010 10:13 AM To: snort-sigs () lists sourceforge net Subject: Re: [Snort-sigs] [Spam] Re: Possible FP 17363 Hrmm….that’s confusing then…oinkmaster says: Loading /usr/local/etc/snort/oinkmaster.conf Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2900.tar.gz... done. Archive successfully downloaded, unpacking... done. Downloading file from http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz... done. Archive successfully downloaded, unpacking... done. Setting up rules structures... done. Processing downloaded rules... disabled 8, enabled 0, modified 0, total=21693 Setting up rules structures... done. Comparing new files to the old ones... done. Updating local rules files... done. Yet: [08:11:48 me@ids:~/rules$] sudo grep 17363 *.rules web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple computer finder DMG volume name memory corruption"; flow:to_client,established; content:"|4C 41 42 4C|"; byte_test:2,>,254,12,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:1;) Are rules not getting updated in 2900? Or is my oinkmaster not doing what it’s supposed to do? Thanks for any help. James From: Alex Kirk [mailto:akirk () sourcefire com] Sent: Monday, October 25, 2010 10:44 AM To: rmkml Cc: Lay, James; snort-sigs () lists sourceforge net; rmkml () free fr Subject: [Spam] Re: [Snort-sigs] Possible FP 17363 Importance: Low Actually, this rule is currently at rev:3 - adding a flowbit check and some additional bytes to the content match - due to earlier false positive reports. If you get further FPs with the current revision of the rule, please let us know. On Mon, Oct 25, 2010 at 12:38 PM, rmkml <rmkml () yahoo fr> wrote: Hi James, maybe for "small" reduce FP add "isdataat:255,relative;" after byte_test()? another maybe null byte are separator? and instead "isdataat:255,relative; content:!"|00|"; within:255;" ? Regards Rmkml PS: http://www.securityfocus.com/archive/1/archive/1/456578/100/0/threaded _____________________________________________________________________________________________ Please visit www.nhrs.org to subscribe to NHRS email announcements and updates. ------------------------------------------------------------------------------ Nokia and AT&T present the 2010 Calling All Innovators-North America contest Create new apps & games for the Nokia N8 for consumers in U.S. and Canada $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store http://p.sf.net/sfu/nokia-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
------------------------------------------------------------------------------ Nokia and AT&T present the 2010 Calling All Innovators-North America contest Create new apps & games for the Nokia N8 for consumers in U.S. and Canada $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- Re: [Spam] Re: Possible FP 17363, (continued)
- Re: [Spam] Re: Possible FP 17363 Lay, James (Oct 26)
- Re: Possible FP 17363 Weir, Jason (Oct 26)
- Re: [Spam] Re: Possible FP 17363 Joel Esler (Oct 26)
- Re: [Spam] Re: Possible FP 17363 L0rd Ch0de1m0rt (Oct 26)
- Re: [Spam] Re: Possible FP 17363 Joel Esler (Oct 26)
- Re: Possible FP 17363 Weir, Jason (Oct 26)
- Re: Possible FP 17363 Joel Esler (Oct 26)
- Re: [Spam] Re: Possible FP 17363 Lay, James (Oct 26)
- Re: [Spam] Re: Possible FP 17363 Weir, Jason (Oct 26)
- Re: [Spam] Re: Possible FP 17363 Joel Esler (Oct 26)