Snort mailing list archives
Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Wed, 29 Sep 2010 09:11:12 -0500
Yeah, nice try, trying to shift the blame of a poorly written rule to the MS vulnerability.

Personally, I like to think of the VRT subscription ruleset as SourceFire's community QA testbed. You run it for 30 days and then they "open source" it (the words "open source" are in quotes b/c it is not all open source) after fixing mistakes. That is why I stopped subscribing to it.

Right now I'm seriously looking into the newly announced Emerging Threats Pro ruleset (http://www.emergingthreatspro.com/). Not only is it fully open source, it is QA'd and you can get 24/7 phone and email support.

-L0rd Ch0de1m0rt

On Tue, Sep 28, 2010 at 12:42 PM, Joel Esler <jesler () sourcefire com> wrote:
> On Tue, Sep 28, 2010 at 1:25 PM, waldo kitty <wkitty42 () windstream net> wrote:
>> On 9/28/2010 11:03, infosec posts wrote:
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; flow:established,to_server; urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)
>>>
>>> Unless I am mistaken, we got a brand new signature for something that was patched in 2006 (IE 6.0 SP1 on WinXP SP1). It was also written so broadly that I'm north of 90,000 alerts in an 8-hour overnight time window before I killed the signature, and still counting as the buffers flush out from my sensors.
>>
>> ouch! that is a bit on the extreme side, isn't it :?
>
> Look at the vulnerability CVE for some laughs. Shame on you IE. Sometimes in the act of writing rules for stupid programmer mistakes, it's
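To see why the quoted sid:17494 rev:1 fires so often, the script below models its payload options (urilen:>260, content:"GET" with http_method, and the raw content "HTTP/1.1\r\n") and replays them over a handful of constructed HTTP requests. This is an added illustration written for this archive page, not Sourcefire/VRT code, and the sample requests, host names and the simplified URI-length check (raw URI length, no normalization) are assumptions; flow:established,to_server is taken as already satisfied.

```python
"""Model of the detection options in sid:17494 rev:1 (quoted in the thread),
replayed over constructed HTTP requests to show which traffic fires the rule.
Added example, not Sourcefire/VRT code; all sample requests are made up."""

# Constructed sample requests (not captured traffic). Each is the client side
# of an established TCP session to $HTTP_PORTS, as the rule's flow option requires.
SAMPLE_REQUESTS = [
    # short, ordinary page fetch
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    # ordinary search with a long query string
    b"GET /search?q=" + b"a" * 300 + b" HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    # long URI, but HTTP/1.0: the version-string content never matches
    b"GET /" + b"x" * 261 + b" HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    # long URI over POST: the http_method content "GET" fails
    b"POST /" + b"x" * 500 + b" HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    # tracking/analytics style URL, common in normal browsing
    b"GET /pixel.gif?utm_campaign=" + b"b" * 400 + b" HTTP/1.1\r\nHost: ads.example.test\r\n\r\n",
]


def parse_request_line(raw):
    """Split the HTTP request line into (method, uri, version), or None if malformed."""
    first_line = raw.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def sid_17494_matches(raw):
    """True when every payload option of the rule would succeed on this request.
    Assumption: urilen is checked on the raw URI (Snort uses the normalized buffer,
    which is identical for these unencoded samples)."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    method, uri, _version = parsed
    # urilen:>260 -> URI longer than 260 bytes
    if len(uri) <= 260:
        return False
    # content:"GET"; http_method; -> the method buffer must contain "GET"
    if b"GET" not in method:
        return False
    # content:"HTTP|2F|1|2E|1|0D 0A|" -> raw bytes "HTTP/1.1\r\n" anywhere in the packet
    if b"HTTP/1.1\r\n" not in raw:
        return False
    return True


def alert_summary(requests):
    """Return (number_of_alerts, total_requests) for a batch of requests."""
    hits = sum(1 for r in requests if sid_17494_matches(r))
    return hits, len(requests)


if __name__ == "__main__":
    for i, r in enumerate(SAMPLE_REQUESTS):
        flag = "ALERT" if sid_17494_matches(r) else "-"
        print(i, flag, r.split(b"\r\n", 1)[0][:60])
    hits, total = alert_summary(SAMPLE_REQUESTS)
    print(f"{hits}/{total} constructed requests fire the rule; none carries an exploit")
```

Two of the five benign requests alert, and the only options that actually exclude traffic are the HTTP/1.1 version string and the GET method; any browser following a long link over HTTP/1.1 satisfies all three. Replaying a rule this way against a day of known-good traffic before publishing is the QA step the thread is complaining about. Until a revised rule ships, a Snort event_filter in threshold.conf (for example `event_filter gen_id 1, sig_id 17494, type limit, track by_src, count 1, seconds 60`) caps the alert volume per source without disabling the signature outright.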
Current thread:
- Sourcefire VRT Certified Snort Rules Update 2010-09-27 Research (Sep 27)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 infosec posts (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 Alex Kirk (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 waldo kitty (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 Eoin Miller (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 Nigel Houghton (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 waldo kitty (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 Joel Esler (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 waldo kitty (Sep 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 L0rd Ch0de1m0rt (Sep 29)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27 infosec posts (Sep 28)