Snort mailing list archives
Re: sid 16665 ?
From: Alex Kirk <akirk () sourcefire com>
Date: Fri, 9 Jul 2010 09:24:09 -0400
Not sure about the tarball from that particular date, but I just downloaded snortrules-snapshot-2853.tar.gz, and the rule in there is:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC Microsoft Windows Help Centre escape sequence XSS attempt"; flow:to_client,established; content:"hcp|3A 2F 2F|"; nocase; content:"script"; distance:0; nocase; content:"defer"; distance:0; nocase; pcre:"/hcp\x3a\x2f\x2f[^\n]*(\x3c|\x253C)script(\s|\x2520)+defer/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40725; reference:url,osvdb.org/show/osvdb/65264; classtype:attempted-user; sid:16665; rev:1;)

Any omission in a previous version of that tarball was in error, and has obviously been corrected.

On Fri, Jul 9, 2010 at 8:39 AM, Kungu Panda <kungupanda () gmail com> wrote:
> VRT folks:
>
> I am not finding sid:16665 in the 2010-07-01 VRT snortrules-snapshot-2853.tar subscriber tarball. Has this sid/rule been removed and/or superseded by another rule that provides detection for CVE-2010-1885?
>
> Thanks,
> Lost Panda
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
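The rule quoted in the reply above pairs three ordered content matches with a confirming pcre. As an added example (not part of the original thread, and not Snort's own engine), the following Python approximates that logic over constructed payload fragments; it ignores the rule's flow, port and service options, and the function names and sample strings are assumptions made for illustration.

```python
import re

# Content options of sid:16665 in rule order. All three are nocase; the
# second and third carry distance:0, so each search resumes after the last hit.
CONTENTS = [b"hcp://", b"script", b"defer"]

# The rule's pcre copied verbatim; its /mi flags map to MULTILINE | IGNORECASE.
PCRE = re.compile(
    rb"hcp\x3a\x2f\x2f[^\n]*(\x3c|\x253C)script(\s|\x2520)+defer",
    re.MULTILINE | re.IGNORECASE,
)

def contents_match(payload: bytes) -> bool:
    """Ordered, case-insensitive substring chain (approximates distance:0)."""
    lowered = payload.lower()
    cursor = 0
    for needle in CONTENTS:
        pos = lowered.find(needle, cursor)
        if pos < 0:
            return False
        cursor = pos + len(needle)
    return True

def rule_fires(payload: bytes) -> bool:
    """True only when the content chain and the pcre both match."""
    return contents_match(payload) and PCRE.search(payload) is not None

# Constructed payload fragments with placeholder hosts, not captured traffic.
SAMPLES = {
    "raw bracket": b"hcp://placeholder/?q=<script defer>x",
    "url-encoded": b"HCP://placeholder/?q=%3cSCRIPT%20%20DEFER%3e",
    "no defer": b"hcp://placeholder/?q=<script>x",
    "wrong order": b"<script defer></script> see hcp://placeholder/",
    "separate lines": b'<a href="hcp://placeholder/">help</a>\n'
                      b'<script defer src="x.js"></script>',
}

def evaluate(samples=SAMPLES):
    """Map each sample name to (content chain matched, rule fired)."""
    return {n: (contents_match(p), rule_fires(p)) for n, p in samples.items()}

if __name__ == "__main__":
    for name, (prefilter, alert) in evaluate().items():
        print(f"{name:15} contents={prefilter!s:5} alert={alert}")
```

The "separate lines" sample passes the content chain but not the pcre, because `[^\n]*` requires the script tag to sit on the same line as the hcp:// URL.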
Current thread:
- sid 16665 ? Kungu Panda (Jul 09)
- Re: sid 16665 ? Alex Kirk (Jul 09)