Snort mailing list archives

Re: Snort-sigs Digest, Vol 75, Issue 1


From: PR <oly562 () gmail com>
Date: Thu, 02 Aug 2012 16:56:54 -0700

Greetings,

I am running acidbase on an Ubuntu server.

I found this entry:

COMMUNITY SIP TCP/IP message flooding directed to SIP proxy

 ID:              #0-(7-1)
 Signature:       [snort] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
 Timestamp:       2012-08-02 06:42:12
 Source Address:  192.168.1.14:36642
 Dest. Address:   91.189.92.184:80
 Layer 4 Proto:   TCP

I am also a bit perplexed why a query for this sig on the Snort ID
site, http://www.snortid.com/snortid.asp?QueryId=1:100000160, does
not yield any results.

Could you comment on how a cleanly installed snort/acidbase box could be
sending out from a source 192.168.1.14 to a destination 91.189.92.184:80?

Notable: I have no automatic updates turned on for snort or ubuntu.

Anyone care to comment? thanks guys/gals.

l8 oly anderson
snort user for like years now and I still don't know shyt.. lol.


On Thu, 2012-08-02 at 21:20 +0000,
snort-sigs-request () lists sourceforge net wrote:

Send Snort-sigs mailing list submissions to
      snort-sigs () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
      https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
      snort-sigs-request () lists sourceforge net

You can reach the person managing the list at
      snort-sigs-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

   1. Sourcefire VRT Certified Snort Rules Update 2012-07-19 (Research)
   2. little help with false positives? (Henri Reinikainen)
   3. Sourcefire VRT Certified Snort Rules Update 2012-07-24 (Research)
   4. request enhance old sid 3193 please (rmkml)
   5. Re: [Emerging-Sigs] request enhance old sid 3193 please
      (Matt Jonkman)
   6. Sourcefire VRT Certified Snort Rules Update 2012-08-01 (Research)
   7. Sourcefire VRT Certified Snort Rules Update 2012-08-02 (Research)


----------------------------------------------------------------------

Message: 1
Date: Thu, 19 Jul 2012 18:11:04 -0400 (EDT)
From: Research <research () sourcefire com>
Subject: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
      2012-07-19
To: snort-sigs () lists sourceforge net
Message-ID: <20120719221104.5A8546CC013 () sourcefire com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Sourcefire VRT Certified Snort Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, botnet-cnc, chat, dos, exploit, file-identify, file-office,
file-other, file-pdf, ftp, policy, smtp, specific-threats, web-client
and web-php rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-07-19.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFQCIOraBoqZBVJfwMRAnHaAJ0T8TPewWjUxlmGv4VOptp6oDj7kgCfTdl8
JJWyO6jT/+ZsMs4wURs32tU=
=b4+h
-----END PGP SIGNATURE-----




------------------------------

Message: 2
Date: Fri, 20 Jul 2012 08:32:03 +0300
From: Henri Reinikainen <henri () reinikainen in>
Subject: [Snort-sigs] little help with false positives?
To: <snort-sigs () lists sourceforge net>
Message-ID: <f173bae8b9893838cab70332e36ce149 () rootservers in>
Content-Type: text/plain; charset=UTF-8; format=flowed

Hi

Does someone have time to educate me? Because I don't get it.

spamd-setup is running in cron hourly, fetching spammer IP lists from
www.openbsd.org via http. Every time this fetch happens some alerts are
triggered.

# spamd-setup -d -b
Getting http://www.openbsd.org/spamd/traplist.gz
blacklist uatraps 51709 entries
Getting http://www.openbsd.org/spamd/nixspam.gz
blacklist nixspam 40000 entries

sensitive_data: sensitive data global threshold exceeded
sensitive_data: sensitive data - eMail addresses
http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED
http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

I've checked the connection with telnet and the content of those lists. There
is nothing even remotely like e-mail addresses (well, one). The other problem
with this is that those lists are downloaded to the server, not uploaded. If
I understand correctly this rule should only be working in one
direction.
If I download these lists and decompress them by hand, there are no
decompression errors.

ipvar HOME_NET [xxx.xxx.xxx.xxx/32]
ipvar EXTERNAL_NET !$HOME_NET

alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)
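
A check that serves both the BASE row at the top of this reply (192.168.1.14:36642 -> 91.189.92.184:80, labelled sid 1:100000160) and Henri's question about the direction of the gid 138 rule, added here as an example and not code from either poster, from Snort or from BASE: it parses a rule header and asks whether an alert's 5-tuple can satisfy that header at all. Rule options are ignored, so a False is a hard "no" and a True is only a necessary condition. The flooding rule in the sample text is a hypothetical stand-in (it is not the real text of sid 100000160; substitute the line from your own community rules), HOME_NET is assumed to be 192.168.1.0/24 for Oly's box, and the /32 Henri redacted plus www.openbsd.org are replaced with RFC 5737 documentation addresses.

```python
"""Can an alert's 5-tuple satisfy a Snort rule header at all?

Added example; not code from either poster, Snort or BASE. Only the header
is checked (flow, content, threshold and preprocessor state are ignored),
so False means the header alone rules the event out.
"""
import ipaddress
import re

# Constructed rule text. Line 1 is a HYPOTHETICAL stand-in shaped like the
# community rules, NOT the real sid 100000160; line 2 is Henri's gid 138 rule.
RULES = """\
alert ip any any -> $HOME_NET 5060 (msg:"HYPOTHETICAL flooding rule"; threshold: type both, track by_src, count 300, seconds 60; classtype:attempted-dos; sid:100000160; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)
"""
# Assumed snort.conf variables (Oly did not post his) and his BASE row.
OLY_VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
OLY_EVENT = ("tcp", "192.168.1.14", 36642, "91.189.92.184", 80)
# Henri redacted his /32; RFC 5737 addresses stand in for it and for www.openbsd.org.
HENRI_VARS = {"HOME_NET": "203.0.113.5/32", "EXTERNAL_NET": "!$HOME_NET"}
HENRI_REQUEST = ("tcp", "203.0.113.5", 50321, "198.51.100.7", 80)   # GET traplist.gz
HENRI_RESPONSE = ("tcp", "198.51.100.7", 80, "203.0.113.5", 50321)  # the download

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rules(text):
    """One dict per rule line: header fields plus gid (default 1) and sid."""
    rules = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # blank, comment, or a shape this toy parser does not handle
        r = m.groupdict()
        sid = re.search(r"\bsid:\s*(\d+)\s*;", r["opts"])
        gid = re.search(r"\bgid:\s*(\d+)\s*;", r["opts"])
        r["sid"] = int(sid.group(1)) if sid else None
        r["gid"] = int(gid.group(1)) if gid else 1
        rules.append(r)
    return rules

def _resolve(spec, variables):
    """Expand $VAR (recursively) and [a,b,c] lists into (negated, atoms)."""
    spec, negate = spec.strip(), False
    while spec.startswith("!"):
        negate, spec = not negate, spec[1:]
    if spec.startswith("$"):
        inner_neg, atoms = _resolve(variables[spec[1:]], variables)
        return negate ^ inner_neg, atoms
    if spec.startswith("[") and spec.endswith("]"):
        atoms = []
        for part in filter(str.strip, spec[1:-1].split(",")):
            inner_neg, inner = _resolve(part, variables)
            if inner_neg:
                raise ValueError("negated item inside a list is not modelled")
            atoms.extend(inner)
        return negate, atoms
    return negate, [spec]

def addr_matches(spec, ip, variables):
    negate, atoms = _resolve(spec, variables)
    addr = ipaddress.ip_address(ip)
    hit = any(a == "any" or addr in ipaddress.ip_network(a, strict=False) for a in atoms)
    return hit != negate

def port_matches(spec, port, variables):
    negate, atoms = _resolve(spec, variables)
    hit = False
    for a in atoms:
        if a == "any":
            hit = True
        elif ":" in a:  # Snort range syntax: lo:hi, lo:, :hi
            lo, _, hi = a.partition(":")
            hit |= (not lo or int(lo) <= port) and (not hi or port <= int(hi))
        else:
            hit |= int(a) == port
    return hit != negate

def header_can_match(rule, event, variables):
    proto, src, sport, dst, dport = event
    if rule["proto"] not in ("ip", proto):
        return False
    def one_way(s, sp, d, dp):
        return (addr_matches(rule["src"], s, variables) and port_matches(rule["sport"], sp, variables)
                and addr_matches(rule["dst"], d, variables) and port_matches(rule["dport"], dp, variables))
    # "->" ties src/dst to the packet's direction; "<>" accepts either orientation.
    return one_way(src, sport, dst, dport) or (rule["dir"] == "<>" and one_way(dst, dport, src, sport))

def check(rules_text, variables, gid, sid, event):
    """None when gid:sid is not among the loaded rules (the name BASE shows then
    came from its signature table, not from a rule you can read); else the verdict."""
    rule = next((r for r in parse_rules(rules_text) if (r["gid"], r["sid"]) == (gid, sid)), None)
    return None if rule is None else header_can_match(rule, event, variables)

if __name__ == "__main__":
    print("hypothetical 1:100000160 vs Oly's row:", check(RULES, OLY_VARS, 1, 100000160, OLY_EVENT))
    print("138:5 vs Henri's request: ", check(RULES, HENRI_VARS, 138, 5, HENRI_REQUEST))
    print("138:5 vs Henri's response:", check(RULES, HENRI_VARS, 138, 5, HENRI_RESPONSE))
```

The hypothetical header cannot be satisfied by Oly's 5-tuple. If the same holds for the real sid 100000160 line in your rules directory, the name BASE printed did not come from that header: BASE's signature table is typically filled by the output plugin from a sid-msg.map, and a map that does not match the loaded rules mislabels alerts, so compare the two before treating the message text as evidence of anything. For Henri's rule, `$HOME_NET any -> $EXTERNAL_NET [80,...]` is satisfied by the client-to-server request that starts the download and not by the server's response, so the header does constrain direction as he expected; what the sensitive_data preprocessor does with the session once that request has matched is a separate question that this header check does not answer.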



------------------------------

Message: 3
Date: Tue, 24 Jul 2012 12:34:03 -0400 (EDT)
From: Research <research () sourcefire com>
Subject: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
      2012-07-24
To: snort-sigs () lists sourceforge net
Message-ID: <20120724163403.4FCF8D4055 () sourcefire com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Sourcefire VRT Certified Snort Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, bad-traffic, blacklist, botnet-cnc, exploit, file-identify,
file-office, file-pdf, indicator-compromise, policy, scan, spyware-put,
web-client and web-php rule sets to provide coverage for emerging
threats from these technologies.

For a complete list of new and modified rules please see:

http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-07-24.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFQDswIaBoqZBVJfwMRAhOIAJ0eh3t6YNwePdrk/CSPzBSh5NC9dwCeJ4FF
Tp7+DYJ+0ebxWXGhGD7etlo=
=e3Z2
-----END PGP SIGNATURE-----




------------------------------

Message: 4
Date: Mon, 30 Jul 2012 01:31:58 +0200 (CEST)
From: rmkml <rmkml () yahoo fr>
Subject: [Snort-sigs] request enhance old sid 3193 please
To: Snort-sigs () lists sourceforge net,
      Emerging-sigs () emergingthreats net
Message-ID: <alpine.LFD.2.01.1207300124250.1837@lenovo.localdomain>
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

Hi,
I'm requesting an enhancement to the pcre of old sid 3193,

old:
  pcre:"/.cmd\x22.*\x26.*/smi";

new:
  pcre:"/\.cmd\x22.*?\x26/Ui";

Fires with these URIs:
  /a.cmd"a&
  /a.cmd%22a&
  /a.cmd"a%26
  /a.cmd%22a%26

Regards
Rmkml

http://twitter.com/rmkml
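
To see what the change buys, here is an added example (mine; not rmkml's, Sourcefire's or Emerging Threats' code) that runs both patterns in Python over the four URIs above. It assumes that Snort's /U modifier applies the pattern to the normalized, percent-decoded URI buffer and that a pattern without /U is searched in the raw payload, and models both buffers with urllib.parse.unquote; the HTTP request in the block is constructed. Going one step beyond the post, it also shows the effect of escaping the dot (`\.cmd` versus `.cmd`) and of confining the match to the URI.

```python
"""Run rmkml's old and new pcre for sid 3193 over his four test URIs.

Added example; not code from rmkml, Sourcefire or Emerging Threats.
Assumptions: Snort's /U modifier runs the pattern over the normalized
(percent-decoded) URI buffer, while a pattern without /U is searched in
the raw payload; both buffers are modelled with urllib.parse.unquote.
The HTTP request below is constructed.
"""
import re
from urllib.parse import unquote

OLD = re.compile(r".cmd\x22.*\x26.*", re.S | re.M | re.I)  # old: /smi, no /U
NEW = re.compile(r"\.cmd\x22.*?\x26", re.I)                 # new: /Ui

TEST_URIS = ['/a.cmd"a&', '/a.cmd%22a&', '/a.cmd"a%26', '/a.cmd%22a%26']

def normalized_uri(raw_uri):
    """Model of the http_inspect normalized-URI buffer that /U matches against."""
    return unquote(raw_uri)

def old_hits(payload):
    """Old pattern, searched in the raw bytes it is handed (no /U)."""
    return OLD.search(payload) is not None

def new_hits(raw_uri):
    """New pattern: /U confines it to the decoded URI, so %22 and %26 are seen as " and &."""
    return NEW.search(normalized_uri(raw_uri)) is not None

def compare(uris=TEST_URIS):
    """{uri: (old pattern on the raw URI, new pattern on the normalized URI)}."""
    return {u: (old_hits(u), new_hits(u)) for u in uris}

def split_request(raw_request):
    """(request URI, whole payload) from a minimal HTTP/1.1 request string."""
    request_line = raw_request.split("\r\n", 1)[0]
    return request_line.split(" ")[1], raw_request

# Constructed request: the pattern occurs only in the body, not in the URI.
BODY_ONLY = 'POST /index.php HTTP/1.1\r\nHost: example.test\r\n\r\nx=.cmd"a&y=1'

if __name__ == "__main__":
    for uri, (old, new) in compare().items():
        print(f"{uri:16} old={old!s:5} new={new}")
    # The unescaped '.' in the old pattern also accepts 'xcmd', which is not a .cmd file.
    print('/axcmd"a&        old=%s new=%s' % (old_hits('/axcmd"a&'), new_hits('/axcmd"a&')))
    uri, payload = split_request(BODY_ONLY)
    print("body-only        old=%s new=%s" % (old_hits(payload), new_hits(uri)))
```

Over raw bytes the old pattern fires on only the first of the four URIs, because `%22` and `%26` are not the `"` and `&` it looks for; the new one sees all four once http_inspect has decoded them. Escaping the dot stops `/axcmd"a&` from matching, `.*?` without the trailing `.*` stops the engine scanning to the end of the buffer on every hit, and /U keeps a `.cmd"a&` in a POST body from being taken for a URI.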



------------------------------

Message: 5
Date: Sun, 29 Jul 2012 17:40:00 -0400
From: Matt Jonkman <jonkman () jonkmans com>
Subject: Re: [Snort-sigs] [Emerging-Sigs] request enhance old sid 3193
      please
To: rmkml <rmkml () yahoo fr>
Cc: Snort-sigs () lists sourceforge net,
      Emerging-sigs () emergingthreats net
Message-ID:
      <CAMHk8W=yaFMykz=7Kc3RMbDOUQS9CKorjvZ2svtRcjB0Sp8EVg () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Good catch, making the change now. (2103193 in the ET set)

Matt

On Sun, Jul 29, 2012 at 7:31 PM, rmkml <rmkml () yahoo fr> wrote:
Hi,
I'm requesting an enhancement to the pcre of old sid 3193,

old:
 pcre:"/.cmd\x22.*\x26.*/smi";

new:
 pcre:"/\.cmd\x22.*?\x26/Ui";

Fires with these URIs:
 /a.cmd"a&
 /a.cmd%22a&
 /a.cmd"a%26
 /a.cmd%22a%26

Regards
Rmkml

http://twitter.com/rmkml
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro
http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through
Current!



------------------------------

Message: 6
Date: Wed,  1 Aug 2012 13:00:38 -0400 (EDT)
From: Research <research () sourcefire com>
Subject: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
      2012-08-01
To: snort-sigs () lists sourceforge net
Message-ID: <20120801170038.3F8D26CC00F () sourcefire com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Sourcefire VRT Certified Snort Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
blacklist, botnet-cnc, exploit, file-identify, file-other, file-pdf,
indicator-obfuscation, specific-threats, sql, web-client and web-misc
rule sets to provide coverage for emerging threats from these
technologies.

For a complete list of new and modified rules please see:

http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-08-01.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFQGV4DaBoqZBVJfwMRAo81AJ9zEO7PTr2B2ByPWdn9k6shZ7KsKgCdF0oc
OhvJr8B6DqJ9R+/B0SfziWg=
=OuJD
-----END PGP SIGNATURE-----




------------------------------

Message: 7
Date: Thu,  2 Aug 2012 15:33:53 -0400 (EDT)
From: Research <research () sourcefire com>
Subject: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
      2012-08-02
To: snort-sigs () lists sourceforge net
Message-ID: <20120802193353.18A2D6CC025 () sourcefire com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Sourcefire VRT Certified Snort Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
botnet-cnc, file-identify, indicator-obfuscation and web-php rule sets
to provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-08-02.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFQGtNlaBoqZBVJfwMRAkf3AJ9/Omk0asIMX52PwELbS3pDzCK6FwCgnLhx
oHhLU/dUmTNama2DimTnP9U=
=EZZA
-----END PGP SIGNATURE-----




------------------------------

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

End of Snort-sigs Digest, Vol 75, Issue 1
*****************************************