Snort mailing list archives

Re: Sourcefire VRT Certified Snort Rules Update 2010-09-14

From: Bryan Arenal <b.arenal () gmail com>
Date: Wed, 15 Sep 2010 09:10:53 -0600

Am I the only one who noticed that when downloading this rule update, it
says that it's from August 12th?

---
# wget http://www.snort.org/pub-bin/oinkmaster.cgi/
<OINKCODE>/snortrules-snapshot-2861.tar.gz
--2010-09-15 14:55:20--  http://www.snort.org/pub-bin/oinkmaster.cgi/
<OINKCODE>/snortrules-snapshot-2861.tar.gz
Resolving www.snort.org... 68.177.102.20
Connecting to www.snort.org|68.177.102.20|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://s3.amazonaws.com/snort.org/rules/*20100812*/snortrules-snapshot-2861.tar.gz?blah
[following]
--2010-09-15 14:55:21--  https://s3.amazonaws.com/snort.org/rules/*20100812*
/snortrules-snapshot-2861.tar.gz?blah
Resolving s3.amazonaws.com... 72.21.202.164
Connecting to s3.amazonaws.com|72.21.202.164|:443... connected.
HTTP request sent, awaiting response... 200 OK
---

Sure enough, those are the timestamps in the tarball as well:

---
root@localhost [~/tmp/rules]
# ls -ltr
total 9760
-rw-r--r-- 1 root root     396 Aug 18  2002 cgi-bin.list
-rw-r--r-- 1 root root   16724 Mar 10  2005 VRT-License.txt
-rw-r--r-- 1 root root    1327 May 16  2005 experimental.rules
-rw-r--r-- 1 root root     767 Jan 19  2010 Makefile.am
-rw-r--r-- 1 root root    1512 Aug 12 17:37 x11.rules
-rw-r--r-- 1 root root   52093 Aug 12 17:37 web-php.rules
-rw-r--r-- 1 root root  158362 Aug 12 17:37 web-misc.rules
-rw-r--r-- 1 root root   51639 Aug 12 17:37 web-iis.rules
-rw-r--r-- 1 root root   13768 Aug 12 17:37 web-frontpage.rules
-rw-r--r-- 1 root root   15411 Aug 12 17:37 web-coldfusion.rules
-rw-r--r-- 1 root root  167839 Aug 12 17:37 web-client.rules
-rw-r--r-- 1 root root  123693 Aug 12 17:37 web-cgi.rules
-rw-r--r-- 1 root root    1470 Aug 12 17:37 web-attacks.rules
-rw-r--r-- 1 root root 1921128 Aug 12 17:37 web-activex.rules
-rw-r--r-- 1 root root   26603 Aug 12 17:37 voip.rules
-rw-r--r-- 1 root root    1576 Aug 12 17:37 virus.rules
-rw-r--r-- 1 root root    5566 Aug 12 17:37 tftp.rules
-rw-r--r-- 1 root root    8067 Aug 12 17:37 telnet.rules
-rw-r--r-- 1 root root   47132 Aug 12 17:37 sql.rules
-rw-r--r-- 1 root root  552240 Aug 12 17:37 spyware-put.rules
-rw-r--r-- 1 root root  183524 Aug 12 17:37 specific-threats.rules
-rw-r--r-- 1 root root    7057 Aug 12 17:37 snmp.rules
-rw-r--r-- 1 root root   49205 Aug 12 17:37 smtp.rules
-rw-r--r-- 1 root root    8090 Aug 12 17:37 shellcode.rules
-rw-r--r-- 1 root root    5112 Aug 12 17:37 scan.rules
-rw-r--r-- 1 root root   15247 Aug 12 17:37 scada.rules
-rw-r--r-- 1 root root    3987 Aug 12 17:37 rservices.rules
-rw-r--r-- 1 root root   88695 Aug 12 17:37 rpc.rules
-rw-r--r-- 1 root root   15112 Aug 12 17:37 pop3.rules
-rw-r--r-- 1 root root    1048 Aug 12 17:37 pop2.rules
-rw-r--r-- 1 root root   36085 Aug 12 17:37 policy.rules
-rw-r--r-- 1 root root   22692 Aug 12 17:37 phishing-spam.rules
-rw-r--r-- 1 root root    6434 Aug 12 17:37 p2p.rules
-rw-r--r-- 1 root root    1493 Aug 12 17:37 other-ids.rules
-rw-r--r-- 1 root root  196992 Aug 12 17:37 oracle.rules
-rw-r--r-- 1 root root    1246 Aug 12 17:37 open-test.conf
-rw-r--r-- 1 root root    5806 Aug 12 17:37 nntp.rules
-rw-r--r-- 1 root root  214844 Aug 12 17:37 netbios.rules
-rw-r--r-- 1 root root   13432 Aug 12 17:37 mysql.rules
-rw-r--r-- 1 root root    6977 Aug 12 17:37 multimedia.rules
-rw-r--r-- 1 root root   31912 Aug 12 17:37 misc.rules
-rw-r--r-- 1 root root     199 Aug 12 17:37 local.rules
-rw-r--r-- 1 root root    1043 Aug 12 17:37 info.rules
-rw-r--r-- 1 root root   30718 Aug 12 17:37 imap.rules
-rw-r--r-- 1 root root    5474 Aug 12 17:37 icmp.rules
-rw-r--r-- 1 root root   16989 Aug 12 17:37 icmp-info.rules
-rw-r--r-- 1 root root   33679 Aug 12 17:37 ftp.rules
-rw-r--r-- 1 root root    4579 Aug 12 17:37 finger.rules
-rw-r--r-- 1 root root  121557 Aug 12 17:37 exploit.rules
-rw-r--r-- 1 root root   18664 Aug 12 17:37 dos.rules
-rw-r--r-- 1 root root   10826 Aug 12 17:37 dns.rules
-rw-r--r-- 1 root root 5042272 Aug 12 17:37 deleted.rules
-rw-r--r-- 1 root root    8239 Aug 12 17:37 ddos.rules
-rw-r--r-- 1 root root    8311 Aug 12 17:37 content-replace.rules
-rw-r--r-- 1 root root   19811 Aug 12 17:37 chat.rules
-rw-r--r-- 1 root root   23752 Aug 12 17:37 botnet-cnc.rules
-rw-r--r-- 1 root root   40034 Aug 12 17:37 blacklist.rules
-rw-r--r-- 1 root root    2830 Aug 12 17:37 bad-traffic.rules
-rw-r--r-- 1 root root  317279 Aug 12 17:37 backdoor.rules
-rw-r--r-- 1 root root    4647 Aug 12 17:37 attack-responses.rules
---

Seriously, WTF?

On Tue, Sep 14, 2010 at 14:56, Research <research () sourcefire com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Sourcefire VRT Certified Snort Rules Update

Synopsis:
The Sourcefire VRT is aware of vulnerabilities affecting Microsoft and
Adobe products.

Details:
Microsoft Security Advisory MS10-061:
The Microsoft Windows Print Spooler service contains a programming
error that may allow a remote attacker to execute code on an affected
system.

Rules to detect attacks targeting this vulnerability is included in
this release and are identified with GID 3, SIDs 17252 and 17253.

Microsoft Security Advisory MS10-062:
Microsoft Windows Media Player contains a programming error that may
allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 17242.

Microsoft Security Advisory MS10-063:
Microsoft Windows XP and Vista contain a programming error that may
allow a remote attacker to execute code on an affected system via the
use of specially crafted Uniscribe fonts.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 17256.

Microsoft Security Advisory MS10-064:
Microsoft Outlook contains a programming error that may allow a remote
attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 17251.

Microsoft Security Advisory MS10-065:
Microsoft Internet Information Server (IIS) contains a programming
error that may allow a remote attacker to execute code on an affected
system.

Rules to detect attacks targeting this vulnerability is included in
this release and are identified with GID 3, SIDs 17254 and 17255.

Microsoft Security Advisory MS10-067:
Microsoft WordPad contains a programming error that may allow a remote
attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 17250.

Microsoft Security Advisory MS10-068:
Microsoft LSASS contains a programming error that may allow a remote
attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 17249.

Adobe Security Bulletin APSA10-03:
Adobe Flash Player contains a programming error that may allow a remote
attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 17257.

For a complete list of new and modified rules please see:

http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-09-14.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFMj93jQcQOxItLLaMRAsX5AJ4ianhgCCaZKbrfhUEuEi/cMuoeFwCcDiKW
p4fjDNq8FdKNeXEK0WUXPqU=
=SaB4
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------

Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Current thread:

Sourcefire VRT Certified Snort Rules Update 2010-09-14 Research (Sep 15)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-14 Bryan Arenal (Sep 15)
  - Re: Sourcefire VRT Certified Snort Rules Update 2010-09-14 Nigel Houghton (Sep 15)
  - Re: Sourcefire VRT Certified Snort Rules Update 2010-09-14 waldo kitty (Sep 15)