Snort mailing list archives

Re: Sourcefire VRT Certified Snort Rules Update 2010-06-05


From: Nigel Houghton <nhoughton () sourcefire com>
Date: Mon, 7 Jun 2010 11:40:55 -0400

On Mon, Jun 7, 2010 at 11:26 AM, infosec posts <infosec.posts () gmail com> wrote:
In lieu of adjusting the published changelog format, a quick listing
of the new SO SIDs/GIDs in the update bulletin (as you have done in
the past) should be relatively painless to implement, and would
satisfy my needs, without requiring increased priority over the other
features you are working on.

My update tools do produce an environment-specific changelog, but
sometimes there are issues with the deployment, either on my side or
the VRT side.  For example, there was the issue in April where SO
rules that were supposed to be there were not included in the update
package.  The only reason I knew anything was missing was because the
update bulletin listed the specific SO rules that were supposed to
have been included with the update.

A comprehensive, rather than partial, listing of what is supposed to
be in a given update can help with validation and troubleshooting.  I
would think this would be beneficial for others in the community, but
maybe it's just me.


On Mon, Jun 7, 2010 at 9:52 AM, Nigel Houghton <nhoughton () sourcefire com> wrote:
On Mon, Jun 7, 2010 at 9:41 AM, infosec posts <infosec.posts () gmail com> wrote:
Greetings,

Unless I'm mistaken, there is not a "complete list  of new and
modified rules" available at the link referenced below.

These bulletins used to list the SIDs/GIDs for the SO rules in the
update package, like so:
http://seclists.org/snort/2010/q2/668

More recent bulletins seem to have quit listing the SO rules in the
update, and I haven't been able to find a changelog on the website
that indicates what new SO rules should be in our update packages.
For example, since this update only includes SO rules, the changelogs
linked on the site are blank/empty
(http://www.snort.org/vrt/docs/ruleset_changelogs/2_8_6_0/changes-2010-06-05.html).
 This makes it difficult to determine what the new rules are and
verify that they have been deployed correctly.

If this information is available somewhere, I'd be happy if someone
could point me to it; otherwise, could Sourcefire resume listing SO
rule SIDs/GIDs in these signature update bulletins, or in the
changelogs on the website?




On Sat, Jun 5, 2010 at 4:44 PM, Research <research () sourcefire com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Sourcefire VRT Certified Snort Rules Update

Synopsis:
This release adds rules to the web-client category for 0-day attacks in
multiple Adobe products.

Details:
The Sourcefire VRT has become aware of a 0-day vulnerability in
multiple Adobe products.

For a complete list of new and modified rules please see:

http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-06-05.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFMCsUkQcQOxItLLaMRAlE9AJ9YkbREqvv83NB93XJron/3OJ6I0wCeOF9p
q/3lG08MwBOI0HxyRyuGOaY=
=ipeW
-----END PGP SIGNATURE-----


------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
lucky parental unit.  See the prize list and enter to win:
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




We have not ever listed the shared object rules in the changelog. We
are in the process of changing that, it has not been high on the
priority list since most people use a tool like Pulled Pork to manage
their rules (it produces a changelog that has the shared object rules
listed).

Tools like Pulled Pork and Oinkmaster also have the advantage of
producing a changelog that is specific to your environment and not
just a difference between the current and last set of rules produced.

The changelogs on snort.org are there for a quick verification of what
is new and yes, they should include the shared object rules. We are
aware of the problem and like I said, it is on the todo list to fix
and we will do so.

--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/




The advisory released at the weekend was the only one that hasn't
listed the specific SID of the shared object rule in the note itself.
We were in a rush to complete the rule release and neglected to add
the information to the advisory. Hopefully this didn't impact folks
too much, it was a simple error of omission in a rapid response to a
zero day issue.

If we had put the GID and SID in the changelog I'm guessing it
wouldn't have been as much of a problem. Like I said, we're in the
process of changing a couple of things to add that information, moving
forward we'll try to be a little more diligent when getting emergency
releases out.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/

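The validation the thread asks for, checking that every GID:SID a release bulletin lists is actually present and enabled in the deployed rule files, can be scripted. The following is an added example written for this archive page; it is not code from the thread, from Sourcefire, or from Pulled Pork or Oinkmaster. The "GID:SID description" line format for the bulletin and the rule numbers 90001 through 90010 are constructed for the example, not taken from any real VRT release. Only the rule-option syntax (`gid:`, `sid:`, a leading `#` for a disabled rule, GID 1 as the default for text rules) is standard Snort.

```python
import re
from typing import Dict, Set, Tuple

RuleId = Tuple[int, int]  # (gid, sid)

# Constructed bulletin excerpt. The "GID:SID" prefix per line is an assumed
# format for this example, not the VRT's actual bulletin layout.
BULLETIN_LISTING = """\
New shared object rules (constructed sample):
3:90001  WEB-CLIENT example rule one
3:90002  WEB-CLIENT example rule two
3:90003  WEB-CLIENT example rule three
1:90010  WEB-CLIENT example text rule
"""

# Constructed rule-file contents. 90001 is enabled; 90002 shipped but is
# commented out; 90003 never arrived; the GID 1 text rule is enabled.
DEPLOYED_RULES = """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE so rule one"; gid:3; sid:90001; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE so rule two"; gid:3; sid:90002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE text rule"; sid:90010; rev:2;)
"""

_BULLETIN_LINE = re.compile(r"^\s*(\d+):(\d+)\b")
_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_GID = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_bulletin(text: str) -> Set[RuleId]:
    """Collect every GID:SID pair the bulletin says the update contains."""
    expected: Set[RuleId] = set()
    for line in text.splitlines():
        m = _BULLETIN_LINE.match(line)
        if m:
            expected.add((int(m.group(1)), int(m.group(2))))
    return expected


def parse_rules(text: str) -> Dict[RuleId, bool]:
    """Map each rule in a .rules file to whether it is enabled.

    A leading '#' marks a disabled rule. Text rules omit gid, which Snort
    treats as GID 1; shared-object stubs carry an explicit gid (normally 3).
    """
    deployed: Dict[RuleId, bool] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        sid = _SID.search(body)
        if not sid:
            continue  # plain comment or non-rule line
        gid = _GID.search(body)
        rule_id = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        # If a rule appears twice, an enabled copy wins.
        deployed[rule_id] = deployed.get(rule_id, False) or enabled
    return deployed


def check_deployment(bulletin: str, rules: str) -> Dict[str, Set[RuleId]]:
    """Classify each bulletin rule as present (enabled), disabled, or missing."""
    expected = parse_bulletin(bulletin)
    deployed = parse_rules(rules)
    result: Dict[str, Set[RuleId]] = {"present": set(), "disabled": set(), "missing": set()}
    for rule_id in expected:
        if rule_id not in deployed:
            result["missing"].add(rule_id)
        elif deployed[rule_id]:
            result["present"].add(rule_id)
        else:
            result["disabled"].add(rule_id)
    return result


if __name__ == "__main__":
    report = check_deployment(BULLETIN_LISTING, DEPLOYED_RULES)
    for status in ("missing", "disabled", "present"):
        ids = ", ".join(f"{g}:{s}" for g, s in sorted(report[status]))
        print(f"{status:8s} {ids or '-'}")
```

Run against the real files, the bulletin text would be pasted from the release mail and the rule text read from the deployed `so_rules` and `rules` directories; a non-empty "missing" set is the condition the original poster describes from the April release, where rules named in the bulletin were absent from the package.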

