Snort mailing list archives

Re: Question regarding SNORT Rule


From: "Filice II, Anthony via Snort-sigs" <snort-sigs () lists snort org>
Date: Wed, 15 Jan 2020 19:51:00 +0000

Thank you for the information

Anthony C Filice II
313-656-3472 Desk

From: Alex McDonnell <amcdonnell () sourcefire com>
Sent: Wednesday, January 15, 2020 2:48 PM
To: Filice II, Anthony <Anthony.FiliceII () Ally com>
Cc: snort-sigs () lists snort org
Subject: Re: [Snort-sigs] Question regarding SNORT Rule

The rules show up as disabled simply because they are not enabled in the balanced policy. I believe they are enabled in balanced for the next build (tomorrow).

thanks
Alex McDonnell
Talos

On Wed, Jan 15, 2020 at 2:24 PM Filice II, Anthony via Snort-sigs <snort-sigs () lists snort org> wrote:
All,

Question regarding Microsoft Vulnerability CVE-2020-0601: A coding deficiency exists in Microsoft Windows CryptoAPI that may lead to spoofing.

Why is this disabled in the new rules?

* 1:52596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52594 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52593 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)



Anthony C Filice II
IPS/NAC Engineer
IPR-IPR-SEC-F1840
313-656-3472 desk
702-287-6732 cell

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!