Snort mailing list archives
Re: duplicate rules (16412 and 16413) ?
From: Nerijus Krukauskas <nkrukauskas () gmail com>
Date: Thu, 17 Jun 2010 15:27:10 +0300
Yes, my bad. Anyway they fire at the same time. Question for Sourcefire folks: can this be covered with one rule? As now it seems redundant to have two... On 2010-06-17, Rodrigo Montoro(Sp0oKeR) <spooker () gmail com> wrote:
It's not the same (differents CVE's) 16412 TextByteAtom http://www.snortid.com/snortid.asp?QueryId=16412 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0033 16413 TextCharsAtom http://www.snortid.com/snortid.asp?QueryId=16413 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0034 Regards, On Thu, Jun 17, 2010 at 7:32 AM, Nerijus Krukauskas <nkrukauskas () gmail com> wrote:Are these two the duplicates of each other? OK, I admit I haven't looked into the code (both are SO rules, and heck I've no idea if the source _is_ available). But the message is the same and references too. And they fire in sync. WEB-CLIENT Microsoft PowerPoint invalid TextByteAtom remote code execution attempt [sid 16412] WEB-CLIENT Microsoft PowerPoint invalid TextCharsAtom remote code execution attempt [sid 16413] -- http://nk99.org/ ------------------------------------------------------------------------------ ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs-- Rodrigo Montoro (Sp0oKeR) http://www.spooker.com.br http://www.twitter.com/spookerlabs http://www.linkedin.com/in/spooker
-- http://nk99.org/ ------------------------------------------------------------------------------ ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- duplicate rules (16412 and 16413) ? Nerijus Krukauskas (Jun 17)
- Re: duplicate rules (16412 and 16413) ? Rodrigo Montoro(Sp0oKeR) (Jun 17)
- Re: duplicate rules (16412 and 16413) ? Nerijus Krukauskas (Jun 17)
- Re: duplicate rules (16412 and 16413) ? Rodrigo Montoro(Sp0oKeR) (Jun 17)