Snort mailing list archives
Re: Rule 19253
From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 15 Jun 2011 13:11:15 -0600
Thanks for the info all. James
-----Original Message----- From: Joel Esler [mailto:jesler () sourcefire com] Sent: Wednesday, June 15, 2011 11:37 AM To: rmkml Cc: Lay, James; snort-sigs () lists sourceforge net Subject: Re: [Snort-sigs] Rule 19253 Exactly what happened. It will be fixed tomorrow. On Jun 15, 2011, at 11:10 AM, rmkml wrote:Hi James, Maybe simply vrt missed flowbits:isset,http.engtesselate; on this rule? (this flowbits created on sid 19252 but never used on clear
text
rules) These two rules are "curious" because first sid 19252 are
web-client
file but this rule check http_uri and flow are to_client...Regards Rmkml On Wed, 15 Jun 2011, Lay, James wrote:Yowza...this thing fires CONSTANTLY: 06/15-08:08:12.474932 [**] [1:19253:1] WEB-CLIENT Adobe Reader malicious language.engtesselate.ln file download attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.88:80 -> int.ip:18960 [08:10:18 ids:~/snort$] sudo grep language.engtesselate.l ~/internetalert.fast -c 235 That's in 10 minutes...crazy. Suppressed and restarted...eww James
----------------------------------------------------------------------
-------- EditLive Enterprise is the world's most technically
advanced
content authoring tool. Experience the power of Track Changes,
Inline
Image Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev_____________________________________
__________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org
------------------------------------------------------------------------------ EditLive Enterprise is the world's most technically advanced content authoring tool. Experience the power of Track Changes, Inline Image Editing and ensure content is compliant with Accessibility Checking. http://p.sf.net/sfu/ephox-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org
Current thread:
- Rule 19253 Lay, James (Jun 15)
- Re: Rule 19253 rmkml (Jun 15)
- Re: Rule 19253 Joel Esler (Jun 15)
- Re: Rule 19253 Lay, James (Jun 15)
- Re: Rule 19253 Joel Esler (Jun 15)
- Re: Rule 19253 rmkml (Jun 15)