Snort mailing list archives
Re: Snort-sigs Digest, Vol 45, Issue 10 - Rules Update Link.
From: Guise McAllaster <guise.mcallaster () gmail com>
Date: Fri, 26 Feb 2010 22:55:05 +0000
Correct, if you are referring to the Feb 23 release. That is two updates ago…. Recent history seems to show that version numbers are quite a source of confusion for SourceFire.

Guise

On Fri, Feb 26, 2010 at 10:42 PM, Marcos Rodriguez <mrodriguez () sourcefire com> wrote:
Hi All,

http://www.snort.org/vrt/advisories/2010/02/23/vrt-rules-2010-02-23.html/

It was correct on the VRT blog.

On Fri, Feb 26, 2010 at 5:26 PM, <snort-sigs-request () lists sourceforge net> wrote:

Today's Topics:

1. Re: Sourcefire VRT Certified Snort Rules Update 2010-02-26 (evilghost () packetmail net)
2. Re: Sourcefire VRT Certified Snort Rules Update 2010-02-26 (Brad Doctor)
3. Re: Sourcefire VRT Certified Snort Rules Update 2010-02-26 (Guise McAllaster)
4. Re: Sourcefire VRT Certified Snort Rules Update 2010-02-26 (chris.kniseley () regions com)

----------------------------------------------------------------------

Message: 1
Date: Fri, 26 Feb 2010 15:57:04 -0600
From: "evilghost () packetmail net" <evilghost () packetmail net>
Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-02-26
To: Nigel Houghton <nhoughton () sourcefire com>
Cc: Snort Sigs <snort-sigs () lists sourceforge net>
Message-ID: <4B8843B0.7090808 () packetmail net>
Content-Type: text/plain; charset="us-ascii"

Magic? The link in the announcement email is 404, as of now, Feb 26, 15:15:36 CST.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 16452.

For a complete list of new and modified rules please see:
http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

:~$ curl -I http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
HTTP/1.1 404 Not Found
Date: Fri, 26 Feb 2010 21:55:22 GMT
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
X-Runtime: 8.98940
Set-Cookie: _radiant_session=BAh7BzoOcmV0dXJuX3RvIk1odHRwOi8vd3d3LnNub3J0Lm9yZy92cnQvZG9j%0Acy9ydWxlc2V0X2NoYW5nZWxvZ3MvY2hhbmdlcy0yMDEwLTAyLTI2Lmh0bWwi%0ACmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7%0AAAY6CkB1c2VkewA%3D--0a5374c3d60bb3ab39e966249e906633cc52d156; path=/
Content-Length: 6674
Status: 404 Not Found
Content-Type: text/html; charset=utf-8

Not for me.

------------------------------

Message: 2
Date: Fri, 26 Feb 2010 15:04:43 -0700
From: Brad Doctor <brad.doctor () gmail com>
Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-02-26
To: "evilghost () packetmail net" <evilghost () packetmail net>
Cc: Snort Sigs <snort-sigs () lists sourceforge net>, Nigel Houghton <nhoughton () sourcefire com>
Message-ID: <a07586b1002261404y5d913f49h5537326435b6af23 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

404 here

------------------------------

Message: 3
Date: Fri, 26 Feb 2010 22:23:27 +0000
From: Guise McAllaster <guise.mcallaster () gmail com>
Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-02-26
To: Nigel Houghton <nhoughton () sourcefire com>
Cc: Snort Sigs <snort-sigs () lists sourceforge net>
Message-ID: <ab3c24b61002261423k1d8b23a3q1e684c4295c937e8 () mail gmail com>
Content-Type: text/plain; charset="windows-1252"

Yes, I am getting error, "You've reached this page because you've clicked on a link that does not exist. This is probably our fault... but instead of showing you the basic '404 Error' page that is confusing and doesn't really explain anything, we've created this page to explain what went wrong" when trying to access the supplied link in the email. This has happened multiple times in the past and I've grown to expect it and I've gotten used to it.

Add the fact that the Feb 23 rule, "WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt" (to be complete, this was updated Feb 25 to fix the problem but now it is very exploit specific so good luck with its usefulness) alerted like a schizophrenic taking a polygraph (*SourceFire trifecta is in play*). In the two days before it was fixed, it managed to alert me on most all web downloads and severely throw off my statistics that I submit to the management.

Proventia is now being seriously considered as a replacement. I guess an "open source" [*sic*] product that has no formal technical support and a history of false positives is not really a viable solution for a world class enterprise.

No hard feelings for snort ... I like it and use it as a hobbyist and think it does a lot of things well. :) Please keep up the good work but maybe the release note link can be more accurate in the future? One can only hope.

Guise

On Fri, Feb 26, 2010 at 9:52 PM, Nigel Houghton <nhoughton () sourcefire com> wrote:

On Fri, Feb 26, 2010 at 4:23 PM, evilghost () packetmail net <evilghost () packetmail net> wrote:

Changelog is 404.

-evilghost

Research wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sourcefire VRT Certified Snort Rules Update

Synopsis:
The Sourcefire VRT is aware of a vulnerability affecting Microsoft Internet Explorer.

Details:
Microsoft Internet Explorer Command Execution:
Microsoft Internet Explorer contains a programming error that may allow a remote attacker to execute commands on a vulnerable system. The attacker needs to supply VBScript to invoke winhlp32.exe, which can then be used to execute commands via a specially crafted .HLP file.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 16452.

For a complete list of new and modified rules please see:
http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFLiDgnQcQOxItLLaMRAvEaAJ9rpY1fUgU+FqlTRm66BLe1CBJGXACfW11A
QGugTZe+7KTde2i/54mF+L0=
=DBm/
-----END PGP SIGNATURE-----

Not for me.

--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/

------------------------------

Message: 4
Date: Fri, 26 Feb 2010 16:10:49 -0600
From: chris.kniseley () regions com
Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-02-26
To: Brad Doctor <brad.doctor () gmail com>
Cc: Snort Sigs <snort-sigs () lists sourceforge net>, Nigel Houghton <nhoughton () sourcefire com>
Message-ID: <OFBD769558.D5E5D5D4-ON862576D6.0079CCF4-862576D6.0079D73E () corp rgbk com>
Content-Type: text/plain; charset="us-ascii"

404 Good Buddy....

Thanks,
Chris

------------------------------

End of Snort-sigs Digest, Vol 45, Issue 10

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- Snort-sigs Digest, Vol 45, Issue 10 - Rules Update Link. Marcos Rodriguez (Feb 26)
- Re: Snort-sigs Digest, Vol 45, Issue 10 - Rules Update Link. Guise McAllaster (Feb 26)