Snort mailing list archives
Re: Sourcefire VRT Certified Snort Rules Update 2010-11-02
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 3 Nov 2010 11:02:00 -0400
On Wed, Nov 3, 2010 at 10:44 AM, infosec posts <infosec.posts () gmail com> wrote:

My update routine didn't find any changes last night, and I can't find any of these signatures in the tarballs I'm pulling this morning:

17808 <-> SPECIFIC-THREATS Adobe Flash authplay.dll memory corruption attempt (specific-threats.rules, High)
17809 <-> WEB-CLIENT quicktime movie file transfer (web-client.rules, Low)
17810 <-> WEB-MISC potential malware - download of server32.exe (web-misc.rules, Medium)
17811 <-> WEB-MISC potential malware - download of svchost.exe (web-misc.rules, Medium)
17812 <-> WEB-MISC potential malware - download of iexplore.exe (web-misc.rules, Medium)
17813 <-> WEB-MISC potential malware - download of iprinp.dll (web-misc.rules, Medium)
17814 <-> WEB-MISC potential malware - download of winzf32.dll (web-misc.rules, Medium)

I pulled 2.8.6.0, 2.8.6.1, and 2.8.9.0 a few minutes ago, but I didn't find the new signatures in any of them. Now I'm getting 403/Forbidden on 2.8.6.0 and 2.8.9.0, so I'm going to guess that you've realized you forgot to actually include the new signatures again, and you're fixing it now?
I am running pulledpork right this very second, and I am able to grab the rules file. I'll check to see if the rules are in my build. We are doing work to the website today as well, so that may affect some downloads.

<waiting for pulledpork to get done>

Done... grepping... Yup, they are all there for me. Using the subscriber set.

Do you have the subscriber set? Your subscription isn't expired or anything is it?
-- Joel Esler
302-223-5974
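As an added example, not part of the list thread and not code from Sourcefire or pulledpork, here is a script that does the check Joel describes (grepping a freshly pulled rules set for the SIDs named in the update announcement) with two refinements a practitioner wants when "it's not there" is the question: it distinguishes a rule that is present but commented out (the rules tarballs ship many rules disabled by default as `#alert` lines, and pulledpork's policy handling can leave them that way) from a rule that is absent entirely, and it walks every `.rules` file in a directory rather than one file. The sample rules text embedded below is constructed for the demonstration: the sid and msg values follow the announcement quoted above, the content matches are placeholders, 17810 is deliberately commented out and 17812-17814 are deliberately left out.

```python
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List

# Constructed sample in Snort rule syntax (NOT a real VRT rules file): sid and
# msg values follow the update announcement quoted in the thread, the content
# matches are placeholders, 17810 is deliberately commented out to show the
# "present but disabled" case, and 17812-17814 are deliberately absent.
SAMPLE_RULES = """\
# ---- constructed sample, not a Sourcefire VRT rules file ----
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Adobe Flash authplay.dll memory corruption attempt"; flow:to_client,established; content:"PLACEHOLDER"; classtype:attempted-user; sid:17808; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT quicktime movie file transfer"; flow:to_client,established; content:"PLACEHOLDER"; classtype:misc-activity; sid:17809; rev:1;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC potential malware - download of server32.exe"; flow:to_client,established; content:"PLACEHOLDER"; classtype:trojan-activity; sid:17810; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC potential malware - download of svchost.exe"; flow:to_client,established; content:"PLACEHOLDER"; classtype:trojan-activity; sid:17811; rev:1;)
"""

# SIDs named in the 2010-11-02 update announcement quoted in the thread.
EXPECTED_SIDS = [17808, 17809, 17810, 17811, 17812, 17813, 17814]

# A rule line: optional leading '#' (disabled rule), an action keyword, then a
# 'sid:N;' option somewhere in the option block. Plain comments, 'var' and
# 'include' lines do not match because they carry no action keyword.
RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s"
    r".*?\bsid\s*:\s*(?P<sid>\d+)\s*;",
    re.IGNORECASE,
)
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


def index_rules(text: str) -> Dict[int, dict]:
    """Map every sid in a rules file body to its line number, msg and state."""
    found: Dict[int, dict] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line, real comment, or a variable/include line
        msg = MSG_RE.search(line)
        found[int(m.group("sid"))] = {
            "line": lineno,
            "enabled": m.group("disabled") is None,
            "msg": msg.group(1) if msg else "",
        }
    return found


def check_sids(text: str, expected: Iterable[int]) -> Dict[str, List[int]]:
    """Split expected sids into enabled / present-but-disabled / missing."""
    idx = index_rules(text)
    wanted = sorted(set(expected))
    return {
        "enabled": [s for s in wanted if s in idx and idx[s]["enabled"]],
        "disabled": [s for s in wanted if s in idx and not idx[s]["enabled"]],
        "missing": [s for s in wanted if s not in idx],
    }


def check_rules_dir(rules_dir: Path, expected: Iterable[int]) -> Dict[str, List[int]]:
    """Same check over every *.rules file in a directory (e.g. pulledpork output)."""
    text = "\n".join(p.read_text(errors="replace") for p in sorted(rules_dir.glob("*.rules")))
    return check_sids(text, expected)


if __name__ == "__main__":
    # Usage: python check_sids.py /path/to/rules 17808 17809 ...
    # With no arguments the constructed sample is checked instead.
    if len(sys.argv) >= 3:
        result = check_rules_dir(Path(sys.argv[1]), (int(a) for a in sys.argv[2:]))
    else:
        result = check_sids(SAMPLE_RULES, EXPECTED_SIDS)
    for state in ("enabled", "disabled", "missing"):
        print(f"{state:>8}: {result[state]}")
```

Run against the sample, the report is `enabled: [17808, 17809, 17811]`, `disabled: [17810]`, `missing: [17812, 17813, 17814]`. The three-way split matters operationally: a "disabled" result points at the rule policy or pulledpork's enable/disable lists, while a "missing" result points at the download itself (wrong tarball, stale cache, or the subscription question Joel raises).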
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- Sourcefire VRT Certified Snort Rules Update 2010-11-02 Research (Nov 02)
- <Possible follow-ups>
- Sourcefire VRT Certified Snort Rules Update 2010-11-02 Research (Nov 02)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-11-02 infosec posts (Nov 03)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-11-02 Nigel Houghton (Nov 03)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-11-02 waldo kitty (Nov 03)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-11-02 Joel Esler (Nov 03)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-11-02 infosec posts (Nov 03)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-11-02 Joel Esler (Nov 03)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-11-02 infosec posts (Nov 03)