Snort mailing list archives
Enquiry Sourcefire VRT Rules Update
From: "Dennis Lau" <dennis.lau () citictel-cpc com>
Date: Mon, 14 Jan 2013 18:11:43 +0800 (HKT)
Dear Snort developers,

I found that there is a basket of rules being modified and disabled by VRT. I am trying to review it, as I am currently using a SIEM to make some correlations. Below is the list that I summarized. I would like to know why these specific rules would be disabled by VRT. What is the reason behind this? Some of them are commonly triggered by most sniffers, like PROTOCOL-ICMP Echo Reply 1:408, which was disabled by the VRT update, and 1:1417. Why would Snort disable them? Is there any documentation that provides a complete explanation of the change? Will the disable action affect Snort's accuracy on vulnerability detection?

Name | ID | Reason
NETBIOS SMB write_andx overflow attempt | 3:10161 | it impacts the snort engine only
OS-WINDOWS Microsoft Forefront UAG javascript handler in URI XSS attempt | 1:20258 | it was disabled by vrt update
FILE-OTHER Adobe multiple products dwmapi.dll dll-load exploit attempt | 1:19618 | it was disabled by vrt update
PROTOCOL-ICMP Destination Unreachable Port Unreachable | 1:402 | it commonly appears in the network
BAD-TRAFFIC Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt | 3:15474 | customer is not using ISA 2004
BROWSER-IE Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt | 1:11257 | it was disabled by vrt update
INDICATOR-COMPROMISE 403 Forbidden | 1:1201 | it was disabled by vrt update
INDICATOR-SHELLCODE x86 inc ecx NOOP | 1:1394 | it was disabled by vrt update
INDICATOR-SHELLCODE x86 setgid 0 | 1:649 | it was disabled by vrt update
OS-WINDOWS Microsoft Windows WebDAV search overflow attempt | 1:11686 | it was disabled by vrt update
POLICY-OTHER web server file upload attempt | 1:5708 | it was disabled by vrt update
PROTOCOL-ICMP Destination Unreachable Host Unreachable | 1:399 | it was disabled by vrt update
PROTOCOL-ICMP Echo Reply | 1:408 | it was disabled by vrt update
PROTOCOL-ICMP L3retriever Ping | 1:466 | it was disabled by vrt update
PROTOCOL-ICMP PING | 1:384 | it was disabled by vrt update
PROTOCOL-ICMP Time-To-Live Exceeded in Transit | 1:449 | it was disabled by vrt update
PROTOCOL-ICMP traceroute | 1:385 | it was disabled by vrt update
SERVER-IIS encoding access | 1:1010 | it was disabled by vrt update
SERVER-IIS view source via translate header | 1:1042 | it was disabled by vrt update
SERVER-IIS Unauthorized IP Access Attempt | 1:1045 | it was disabled by vrt update
SERVER-ORACLE database username buffer overflow | 1:13719 | it was disabled by vrt update
SERVER-WEBAPP /doc/ access | 1:1560 | it was disabled by vrt update
SERVER-WEBAPP backup access | 1:1213 | it was disabled by vrt update
SERVER-WEBAPP calendar access | 1:882 | it was disabled by vrt update
SERVER-WEBAPP chatbox.php access | 1:2305 | it was disabled by vrt update
SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt | 1:2381 | it was disabled by vrt update
SERVER-WEBAPP Cisco /%% DOS attempt | 1:1546 | it was disabled by vrt update
SERVER-WEBAPP csh access | 1:862 | it was disabled by vrt update
WEB-FRONTPAGE /_vti_bin/ access | 1:1288 | it was disabled by vrt update

I am looking forward to hearing your reply.

Best regards,
Dennis Lau
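The review Dennis describes (working out which rules an update switched off) can be done mechanically by comparing the rule files before and after the update. The script below is an added example, not code from the thread or from Snort/VRT; it parses Snort rule lines, treats a leading `#` as "present but disabled", and reports state changes by gid:sid. The two rule sets are constructed samples (the sids 408, 384 and 862 come from Dennis's list; the rule bodies and the local-range sid 1000001 are made up).

```python
import re

# Rule header: an optional leading '#' marks a rule the update kept in the file but disabled.
HEADER_RE = re.compile(r'^\s*(#\s*)?(alert|drop|log|pass|reject|sdrop)\s', re.I)
SID_RE = re.compile(r'(?:^|[\s;(])sid\s*:\s*(\d+)\s*;')   # anchored so "inside" in a msg cannot match
GID_RE = re.compile(r'(?:^|[\s;(])gid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')

def parse_rules(text):
    """Map 'gid:sid' -> (enabled, msg) for every rule line, commented out or not."""
    rules = {}
    for line in text.splitlines():
        head, sid = HEADER_RE.match(line), SID_RE.search(line)
        if not head or not sid:
            continue  # blank line, ordinary comment, or not a rule at all
        gid = GID_RE.search(line)
        msg = MSG_RE.search(line)
        key = f"{gid.group(1) if gid else '1'}:{sid.group(1)}"  # gid defaults to 1 in Snort
        rules[key] = (head.group(1) is None, msg.group(1) if msg else "")
    return rules

def diff_rule_states(old_text, new_text):
    """List the rules an update disabled, re-enabled, removed or added."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    out = {"disabled": [], "enabled": [], "removed": [], "added": []}
    for key, (was_on, _) in old.items():
        if key not in new:
            out["removed"].append(key)
        elif was_on and not new[key][0]:
            out["disabled"].append(key)
        elif not was_on and new[key][0]:
            out["enabled"].append(key)
    out["added"] = [k for k in new if k not in old]
    return out

# Constructed sample rule files "before" and "after" an update (not real VRT content).
OLD_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply"; itype:0; sid:408; rev:8;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; itype:8; sid:384; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csh access"; sid:862; rev:14;)
"""
NEW_RULES = """\
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply"; itype:0; sid:408; rev:9;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; itype:8; sid:384; rev:8;)
alert tcp $HOME_NET any -> any any (msg:"LOCAL constructed example"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    for state, keys in diff_rule_states(OLD_RULES, NEW_RULES).items():
        print(f"{state}: {', '.join(keys) or '-'}")
```

Feeding the output into the SIEM as a change list makes it clear which correlations lost a source signal after an update, independent of why VRT changed the rule.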