Snort mailing list archives

Enquiry Sourcefire VRT Rules Update


From: "Dennis Lau" <dennis.lau () citictel-cpc com>
Date: Mon, 14 Jan 2013 18:11:43 +0800 (HKT)

Dear Snort developers,

 

I found that there is a basket of rules being modified and disabled by VRT.
I am trying to review them, as I am currently using a SIEM to make some
correlations. Below is the list that I summarized.

I would like to know why these specific rules would be disabled by VRT.
What is the reason behind it?

Some of them are commonly triggered by most sniffers, like PROTOCOL-ICMP
Echo Reply (1:408), which was disabled by the VRT update, and 1:1417.

Why would Snort disable them? Is there any documentation that provides a
complete explanation of the change? Will disabling them affect Snort's
accuracy in vulnerability detection?

 


ID      | Name | Reason
--------+------+-------
3:10161 | NETBIOS SMB write_andx overflow attempt | it impacts the Snort engine only
1:20258 | OS-WINDOWS Microsoft Forefront UAG javascript handler in URI XSS attempt | it was disabled by the VRT update
1:19618 | FILE-OTHER Adobe multiple products dwmapi.dll dll-load exploit attempt | it was disabled by the VRT update
1:402   | PROTOCOL-ICMP Destination Unreachable Port Unreachable | it commonly appears in the network
3:15474 | BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt | the customer is not using ISA 2004
1:11257 | BROWSER-IE Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt | it was disabled by the VRT update
1:1201  | INDICATOR-COMPROMISE 403 Forbidden | it was disabled by the VRT update
1:1394  | INDICATOR-SHELLCODE x86 inc ecx NOOP | it was disabled by the VRT update
1:649   | INDICATOR-SHELLCODE x86 setgid 0 | it was disabled by the VRT update
1:11686 | OS-WINDOWS Microsoft Windows WebDAV search overflow attempt | it was disabled by the VRT update
1:5708  | POLICY-OTHER web server file upload attempt | it was disabled by the VRT update
1:399   | PROTOCOL-ICMP Destination Unreachable Host Unreachable | it was disabled by the VRT update
1:408   | PROTOCOL-ICMP Echo Reply | it was disabled by the VRT update
1:466   | PROTOCOL-ICMP L3retriever Ping | it was disabled by the VRT update
1:384   | PROTOCOL-ICMP PING | it was disabled by the VRT update
1:449   | PROTOCOL-ICMP Time-To-Live Exceeded in Transit | it was disabled by the VRT update
1:385   | PROTOCOL-ICMP traceroute | it was disabled by the VRT update
1:1010  | SERVER-IIS encoding access | it was disabled by the VRT update
1:1042  | SERVER-IIS view source via translate header | it was disabled by the VRT update
1:1045  | SERVER-IIS Unauthorized IP Access Attempt | it was disabled by the VRT update
1:13719 | SERVER-ORACLE database username buffer overflow | it was disabled by the VRT update
1:1560  | SERVER-WEBAPP /doc/ access | it was disabled by the VRT update
1:1213  | SERVER-WEBAPP backup access | it was disabled by the VRT update
1:882   | SERVER-WEBAPP calendar access | it was disabled by the VRT update
1:2305  | SERVER-WEBAPP chatbox.php access | it was disabled by the VRT update
1:2381  | SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt | it was disabled by the VRT update
1:1546  | SERVER-WEBAPP Cisco /%% DOS attempt | it was disabled by the VRT update
1:862   | SERVER-WEBAPP csh access | it was disabled by the VRT update
1:1288  | WEB-FRONTPAGE /_vti_bin/ access | it was disabled by the VRT update

 

I am looking forward to hearing your reply.


Best regards, 

Dennis Lau
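The review the post describes, working out which rules an update disabled or modified, can be done mechanically by diffing two snapshots of the rule files before and after the update. The script below is an added example and is not code from the post, from Sourcefire VRT or from the Snort project. It parses Snort rule syntax, treats a rule whose line is commented out with `#` as disabled, keys each rule by gid:sid (gid defaults to 1 when absent, as in Snort), and reports rules that were disabled, enabled, revised or added/removed. The two snapshots are constructed inline: only the msg text and gid:sid values come from the list above; the header fields, other options and rev numbers are placeholders.

```python
"""Diff two snapshots of a Snort rule set by gid:sid and report state changes.

Added example, not from the mailing-list post or the Snort project.
The rule snapshots are constructed for illustration: only the msg text and
gid:sid values come from the post; every other field is a placeholder.
"""
import re

# Constructed "before the update" snapshot.
RULES_BEFORE = r'''
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply"; itype:0; sid:408; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Port Unreachable"; itype:3; icode:3; sid:402; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB write_andx overflow attempt"; flow:to_server,established; gid:3; sid:10161; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /doc/ access"; flow:to_server,established; content:"/doc/"; sid:1560; rev:12;)
'''

# Constructed "after the update" snapshot: 1:408 and 1:1560 are now commented
# out (disabled), 3:10161 got a new rev, 1:402 is untouched.
RULES_AFTER = r'''
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply"; itype:0; sid:408; rev:8;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Port Unreachable"; itype:3; icode:3; sid:402; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB write_andx overflow attempt"; flow:to_server,established; gid:3; sid:10161; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /doc/ access"; flow:to_server,established; content:"/doc/"; sid:1560; rev:12;)
# This is an ordinary comment, not a disabled rule, and must be ignored.
'''

# A rule line: optional leading '#' (disabled), an action, a protocol, the
# rest of the header, then the option block in parentheses.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>\S+)\s+.*?\((?P<opts>.*)\)\s*$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')


def parse_rules(text):
    """Return {'gid:sid': {'enabled': bool, 'rev': int, 'msg': str}}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and comments that are not rules
        opts = m.group('opts')
        sid = SID_RE.search(opts)
        if not sid:
            continue  # malformed rule without a sid; skip it
        gid = GID_RE.search(opts)
        rev = REV_RE.search(opts)
        msg = MSG_RE.search(opts)
        key = '%s:%s' % (gid.group(1) if gid else '1', sid.group(1))
        rules[key] = {
            'enabled': m.group('disabled') is None,
            'rev': int(rev.group(1)) if rev else 0,
            'msg': msg.group(1) if msg else '',
        }
    return rules


def _sort_key(key):
    gid, sid = key.split(':')
    return (int(gid), int(sid))


def diff_rule_state(before_text, after_text):
    """Classify every gid:sid seen in either snapshot by what changed."""
    before, after = parse_rules(before_text), parse_rules(after_text)
    report = {'disabled': [], 'enabled': [], 'modified': [], 'added': [], 'removed': []}
    for key in sorted(set(before) | set(after), key=_sort_key):
        old, new = before.get(key), after.get(key)
        if old is None:
            report['added'].append(key)
        elif new is None:
            report['removed'].append(key)
        elif old['enabled'] and not new['enabled']:
            report['disabled'].append(key)
        elif not old['enabled'] and new['enabled']:
            report['enabled'].append(key)
        elif old['rev'] != new['rev']:
            report['modified'].append(key)  # still enabled, but the rule body was revised
    return report


def format_sid_list(keys):
    """One gid:sid per line, the notation used in the post above."""
    return '\n'.join(keys)


if __name__ == '__main__':
    report = diff_rule_state(RULES_BEFORE, RULES_AFTER)
    names = parse_rules(RULES_AFTER)
    for change, keys in report.items():
        for key in keys:
            print('%-9s %-8s %s' % (change, key, names.get(key, {}).get('msg', '')))
    print('\nTo re-enable:\n' + format_sid_list(report['disabled']))
```

Run it against the rule directories from two consecutive updates rather than the constructed strings, and the `disabled` list is the set of gid:sid values to re-enable locally (and to re-map in the SIEM), while `modified` flags rules whose rev changed and whose alerts may therefore look different after the update.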

 

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!