Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27

[Alex Kirk <akirk () sourcefire com>]

No, you're not off your rocker - and you're not the only person to point
this out this morning. We've got a fix ready for the next SEU, and you're
100% correct to have disabled it in the meantime. It'll be turned off by
default in the next SEU anyway.

Oh, and we know this is old coverage - we had a request to deal with some
older bugs like this one, and we obliged.

On Tue, Sep 28, 2010 at 11:03 AM, infosec posts <infosec.posts () gmail com>wrote:

> I have to ask, because I must be missing something here.
>
> SID:17494 - web-client.rules - alert tcp $HOME_NET any ->
> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer
> Long URL Buffer Overflow attempt"; flow:established,to_server;
> urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D
> 0A|"; metadata:service http; reference:bugtraq,19667;
> reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)
>
> Unless I am mistaken, we got a brand new signature for something that
> was patched in 2006 (IE 6.0 SP1 on WinXP XP1).  It was also written so
> broadly that I'm north of 90,000 alerts in an 8-hour overnight time
> window before I killed the signature, and still counting as the
> buffers flush out from my sensors.
>
> Am I off my rocker, or is this a "WTF?" signature reminiscent of the
> great SMTP FP debacle in the past?
>
>
>
> On Mon, Sep 27, 2010 at 4:23 PM, Research <research () sourcefire com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > Sourcefire VRT Certified Snort Rules Update
> >
> > Synopsis:
> > This release adds and modifies rules in several categories.
> >
> > Details:
> > As a result of ongoing research, the Sourcefire VRT has added and
> > modified multiple rules in the chat, dns, exploit, ftp, imap, misc,
> > netbios, oracle, policy, pop3, rpc, specific-threats sql, tftp,
> > web-activex, web-client and web-misc rule sets to provide coverage for
> > emerging threats from these technologies.
> >
> > For a complete list of new and modified rules please see:
> >
> > http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-09-27.html
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.6 (GNU/Linux)
> >
> > iD8DBQFMoQeuQcQOxItLLaMRAjfSAJ48UoGNn5OA6BwZuHAKG2q4AgZPxACgpRxl
> > cHkrx29GrpOy24o1Ao+o5PI=
> > =02Sl
> > -----END PGP SIGNATURE-----
> ------------------------------------------------------------------------------
> > Start uncovering the many advantages of virtual appliances
> > and start using them to simplify application deployment and
> > accelerate your shift to cloud computing.
> > http://p.sf.net/sfu/novell-sfdev2dev
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs