Re: Sourcefire VRT Certified Snort Rules Update2010-04-13

[Jeff Nathan <jeff () snort org>]

Is there some reason you feel like it's your duty to be a complete
douchebag and shit on this list every time you get a bug up your ass?

Any time you're ready to contribute to a large, complex open source
project please let me know.  Then I can occasionally toss some hand
grenade emails onto your list.

Asshat.

-Jeff

On Wed, Apr 14, 2010 at 2:49 PM, evilghost () packetmail net
<evilghost () packetmail net> wrote:
> They're not here either.  To be honest the whole VRT deployment process
> reminds me of some Rube Goldberg machine that is perpetually in some
> state of being broken.  VRT is like Ubuntu when it was based on Debian
> Sid.  It's *almost* good and usable and from time to time you can get
> things done in spite of it.  I'd like to think the 30-day delayed
> Registered User VRT packs are like the Ubuntu LTS, it's still unstable
> but it's usually working somehow.
>
> I will comment that without fail, there's *always* some epic failure in
> the VRT release.  I really look forward to them like a sadist.  Whether
> it be a non-existent change log, the implementation of new features
> without announcement crashing older versions of Snort in the same
> branch, release announcements before the archive even fully exists on
> the webserver and you're serving up truncated tar-gzips, signatures that
> map the network like those that detect on "SMTP HELO", VRT shared_object
> rules which do not contain pre-built binaries for the current download
> release on Snort.org, etc.
>
> I like to think the guys go out the night before the VRT release, get
> really *really* wasted, and come in the next day and push out some
> goodness, then sit back and high-five each-other everytime an issue like
> this comes out.  Then they go back and light up cigars with $100 bills
> out of the VRT subscription vault.
>
> I pulled the VRT archive yesterday Nigel.  They're not there.
>
> -evilghost
>
> infosec posts wrote:
> > It's great that VRT can be so timely with IDS signatures for patch
> > Tuesday.  Unfortunately, it doesn't appear that the SO rules they
> > wrote this time actually made it into the ruleset they released
> > yesterday.  Did anyone else actually get these rules?  I certainly
> > can't find them in my download.  I did get the updated non-SO rules.
> >
> >
> > From: Research <research () sourcefire com>
> > Date: Tue, 13 Apr 2010 14:17:37 -0400 (EDT)
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > Sourcefire VRT Certified Snort Rules Update
> >
> > Synopsis:
> > The Sourcefire VRT is aware of vulnerabilities affecting products from
> > Microsoft Corporation.
> >
> > Details:
> > Microsoft Security Advisory (MS10-019):
> > The Microsoft CAB Subject Interface Package (SIP) implementation
> > contains a programming error that may allow a remote attacker to bypass
> > the authentication mechanism.
> >
> > A rule to detect attacks targeting this vulnerability is included in
> > this release and is identified with GID 3, SID 16530.
> >
> > Microsoft Security Advisory (MS10-020):
> > The Microsoft implementation of the SMB protocol contains programming
> > errors that may allow a remote attacker to execute code on an affected
> > system.
> >
> > Rules to detect attacks targeting these vulnerabilities are included in
> > this release and are identified with GID 3, SIDs 16531, 16532, 16539
> > and 16540.
> >
> > Microsoft Security Advisory (MS10-023):
> > Microsoft Publisher contains a programming error that may allow a
> > remote attacker to execute code on an affected system.
> >
> > A rule to detect attacks targeting this vulnerability is included in
> > this release and is identified with GID 3, SID 16542.
> >
> > Microsoft Security Advisory (MS10-024):
> > The Microsoft SMTP service is prone to a Denial of Service condition
> > that may be triggered by a remote attacker.
> >
> > A rule to detect attacks targeting this vulnerability is included in
> > this release and is identified with GID 3, SID 16534.
> >
> > Microsoft Security Advisory (MS10-025):
> > The Microsoft Windows Media Service suffers from a programming error
> > that may allow a remote attacker to execute code on an affected system.
> >
> > A rule to detect attacks targeting this vulnerability is included in
> > this release and is identified with GID 3, SID 16541.
> >
> > Microsoft Security Advisory (MS10-026):
> > Microsoft Windows Media Player contains a programming error that may
> > allow a remote attacker to execute code on an affected system.
> >
> > A rule to detect attacks targeting this vulnerability is included in
> > this release and is identified with GID 3, SID 16543.
> >
> > Microsoft Security Advisory (MS10-027):
> > Microsoft Windows Media Player contains a programming error that may
> > allow a remote attacker to execute code on an affected system via an
> > ActiveX control.
> >
> > A rule to detect attacks targeting this vulnerability is included in
> > this release and is identified with GID 3, SID 16537.
> >
> > Microsoft Security Advisory (MS10-028):
> > Microsoft Visio suffers from programming errors that may allow a remote
> > attacker to execute code on an affected system.
> >
> > Rules to detect attacks targeting these vulnerabilities are included in
> > this release and are identified with GID 3, SIDs 16535 and 16536.
> >
> > Microsoft Security Advisory (MS10-029):
> > The Microsoft implementation of IPv6 contains a programming error that
> > may allow a remote attacker to spoof connections to an affected host.
> >
> > A rule to detect attacks targeting this vulnerability is included in
> > this release and is identified with GID 3, SID 16533.
> >
> > For a complete list of new and modified rules please see:
> >
> > http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-04-13.html
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.6 (GNU/Linux)
> >
> > iD8DBQFLxLVBQcQOxItLLaMRAtYsAJ9Uf1k22CyZtytMSKcR3dDo6GaT7QCeK1Gj
> > +jAO1JxvJ4Ner69HCVjtKPs=
> > =yRyG
> > -----END PGP SIGNATURE-----
> >
> > ------------------------------------------------------------------------------
> > Download Intel&#174; Parallel Studio Eval
> > Try the new software tools for yourself. Speed compiling, find bugs
> > proactively, and fine-tune applications for parallel performance.
> > See why Intel Parallel Studio got high marks during beta.
> > http://p.sf.net/sfu/intel-sw-dev
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> ------------------------------------------------------------------------------
> Download Intel&#174; Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs