Re: RE: [Snort-sigs] Any new rules coming out ofsnort.org?

[Matthew Watchinski <mwatchinski () sourcefire com>]

Just thought I should jump in here and clarify a couple things.

On March 28th, a VRT Certified Ruleset was released to subscribers that 
contained new rules for vulnerabilities in MySQL, ARCserver, and Oracle.
3528 - MySQL CREATE Function attempt
3526 - Oracle XDB FTP Unlock overflow
3530 - ArcServe backup UDP msg 0x99 overflow

We also included new FTP Bounce rule that utilizes new detection 
capabilities that are in the 2.4 Branch of Snort. Additionally there 
were a number of updates made to previously released rules to improve 
their accuracy. For a complete list of changes see the changelog at 
http://www.snort.org/rules/docs/ruleset_changelogs/v23/changes-2005-03-28.html. 


As a side note, this ruleset includes the rules used by NSS for their 
recent Gigabit IDS Test

Registered users will be able to get this content on 4/2.  Additionally 
an updated Community Rule Pack will be out shortly.

Cheers
Matthew Watchinski
Director, Vulnerability Research Team
Sourcefire, Inc.

Arseneault, Thomas (HQP) wrote:

> I know all about how subscription vs. registered works, my point was
> that the previous poster said that there have been two releases since
> the 16th and there hasn't been, not to the general public anyway. I also
> use oinkmaster and I frequently see updates to the bleeding set but only
> once from snort.org for either the vrt or community rule sets, back near
> the 16th. I just checked the output of my update (which I have
> automatically done at 12:30 every morning) and saw no updates for vrt or
> community but oinkmaster did function properly, it processed the rule
> sets but just did not find anything had changed (Just to be sure I ran
> the update script by hand to watch for error messages that might not
> have made it into the logs and it worked flawlessly, downloaded all the
> files, unpacked them and checked for changes, found none and exited).
>
> Tom
>
>
> -----Original Message-----
> From: Briggs, Bruce [mailto:Bruce.Briggs () suny edu] 
> Sent: Thursday, March 31, 2005 7:12 AM
> To: Arseneault, Thomas (HQP)
> Cc: snort-users
> Subject: RE: [Snort-users] RE: [Snort-sigs] Any new rules coming out
> ofsnort.org?
>
> Have you registered on the Snort site?
> If not, then you won't get updates until the next Snort release.
> http://www.snort.org/rules/
>   Subscribers receive real-time rules updates as they are available -
> Learn more about subscription highlights here 
>   Registered users can access rule updates 5 days after release to
> subscription users. 
>   Unregistered users receive a static ruleset at the time of each major
> Snort Release 
>
> I am registered, and I see some updated rules files from my Oinkmaster
> update done yesterday.
>
> Bruce
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of
> Arseneault, Thomas (HQP)
> Sent: Wednesday, March 30, 2005 6:23 PM
> To: Ron Jenkins; Matt Kettler
> Cc: snort-users
> Subject: RE: [Snort-users] RE: [Snort-sigs] Any new rules coming out of
> snort.org?
>
> I just downloaded the latest ruleset from
> http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkmaster
> code>/snortrules-snapshot-2.3.tar.gz and I found that all the included
> files were dated 3/16 none were any later. I did see a see an email from
> the 28th about a "VRT Certified Rules Update" but nothing so far.
>
> Tom Arseneault
> Security Engineer
> Robert Half International
>
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ron
> Jenkins
> Sent: Wednesday, March 30, 2005 1:43 PM
> To: Matt Kettler
> Cc: snort-users
> Subject: [Snort-users] RE: [Snort-sigs] Any new rules coming out of
> snort.org?
>
> There has been two set of rules since then for registered and
> subscribers users.
>
>
>
> -----Original Message-----
> From: snort-sigs-admin () lists sourceforge net
> [mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Matt
> Kettler
> Sent: Wednesday, March 30, 2005 3:45 PM
> To: Tom Currie, Consultant
> Cc: snort-sigs () lists sourceforge net
> Subject: Re: [Snort-sigs] Any new rules coming out of snort.org?
>
> Tom Currie, Consultant wrote:
>
>  
>
> > I see that I have new rules all the time from bleeding-snort, but I
> >    
> have not had
>  
>
> > any new rules from snort.org since March 16th.  (based on oinkmaster).
> >
> > I an still getting downloads of the tgz sig file, but it's frozen in
> >    
> time.  Is
>  
>
> > it deprecated and I should just move on, or what?
> >
> >    
> See the website:
> http://www.snort.org/rules/
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by Demarc:
> A global provider of Threat Management Solutions.
> Download our HomeAdmin security software for free today!
> http://www.demarc.com/info/Sentarus/hamr30
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by Demarc:
> A global provider of Threat Management Solutions.
> Download our HomeAdmin security software for free today!
> http://www.demarc.com/info/Sentarus/hamr30
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=ort-users
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by Demarc:
> A global provider of Threat Management Solutions.
> Download our HomeAdmin security software for free today!
> http://www.demarc.com/info/Sentarus/hamr30
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=ort-users
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by Demarc:
> A global provider of Threat Management Solutions.
> Download our HomeAdmin security software for free today!
> http://www.demarc.com/info/Sentarus/hamr30
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=ort-users
>
>  



-------------------------------------------------------
This SF.net email is sponsored by Demarc:
A global provider of Threat Management Solutions.
Download our HomeAdmin security software for free today!
http://www.demarc.com/info/Sentarus/hamr30
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users