Snort mailing list archives

Re: sid 16665 ?


From: Alex Kirk <akirk () sourcefire com>
Date: Fri, 9 Jul 2010 09:24:09 -0400

Not sure about the tarball from that particular date, but I just downloaded
snortrules-snapshot-2853.tar.gz, and the rule in there is:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC Microsoft Windows Help Centre escape sequence XSS attempt"; flow:to_client,established; content:"hcp|3A 2F 2F|"; nocase; content:"script"; distance:0; nocase; content:"defer"; distance:0; nocase; pcre:"/hcp\x3a\x2f\x2f[^\n]*(\x3c|\x253C)script(\s|\x2520)+defer/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,40725; reference:url,osvdb.org/show/osvdb/65264; classtype:attempted-user; sid:16665; rev:1;)

Any omission in a previous version of that tarball was in error, and has
obviously been corrected.

On Fri, Jul 9, 2010 at 8:39 AM, Kungu Panda <kungupanda () gmail com> wrote:

VRT folks:  I am not finding sid:16665 in the 2010-07-01 VRT
snortrules-snapshot-2853.tar subscriber tarball.  Has this sid/rule been
removed and/or superseded by another rule that provides detection for
CVE-2010-1885?



Thanks,

Lost Panda


------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
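
One way to answer the question in this thread for any snapshot, as an added example that is not part of the original messages or of Snort's own tooling: a Python check that lists every .rules line in a rules tarball carrying a given sid, with its rev and whether the rule is commented out. The sample archive, its member names and its rule bodies are constructed for the demo, and one rule per line is assumed.

```python
import io
import re
import tarfile

def find_sid(tar_bytes, sid):
    """Return (member, line_no, enabled, rev) for each .rules line carrying this sid."""
    sid_re = re.compile(r"\bsid\s*:\s*%d\s*;" % sid)   # trailing ';' stops 1666 matching 16665
    rev_re = re.compile(r"\brev\s*:\s*(\d+)\s*;")
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not (member.isfile() and member.name.endswith(".rules")):
                continue                                # skip docs, .so stubs, directories
            text = tar.extractfile(member).read().decode("latin-1")
            for line_no, line in enumerate(text.splitlines(), 1):
                if not sid_re.search(line):
                    continue
                enabled = not line.lstrip().startswith("#")   # '#' means shipped disabled
                rev = rev_re.search(line)
                hits.append((member.name, line_no, enabled, int(rev.group(1)) if rev else None))
    return hits

def make_snapshot(files):
    """Build an in-memory .tar.gz from {member name: text} (demo helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode("latin-1")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: member names and rule bodies are made up, not taken from a real snapshot.
SAMPLE = make_snapshot({
    "rules/example-a.rules":
        'alert tcp any any -> any any (msg:"constructed"; sid:1000001; rev:3;)\n'
        '# alert tcp any any -> any any (msg:"constructed, disabled"; sid:16665; rev:1;)\n',
    "rules/example-b.rules":
        'alert tcp any any -> any any (msg:"constructed"; sid:16665; rev:2;)\n',
    "doc/README": "sid:16665; mentioned outside a .rules file\n",
})

if __name__ == "__main__":
    for hit in find_sid(SAMPLE, 16665):
        print(hit)
```

For a tarball on disk, pass the bytes from open(path, "rb").read(); an empty result means no .rules file in that archive carries the sid at all.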