Re: CVE-2012-5076 and CVE-2012-1723 Rules

[Joel Esler <jesler () sourcefire com>]

On Nov 26, 2012, at 10:00 AM, "lists () packetmail net" <lists () packetmail net> wrote:
> On 11/25/2012 07:34 PM, Joel Esler wrote:> I'll take a look and see what we can
> do to improve any coverage we are missing,
> > blackhole, especially v2, is a pain.
>
> Joel, on the ET side and based on my network analysis, I am seeing very good
> methods for combating some of this.  I would like for us to work more on this,
> any more news regarding a community focused ruleset without delay between
> registered users and subscribers?

We cover blackholev2 in much the same way.  Eoin's rules started our coverage with bhekv2 and we've made modifications 
along the way, and added a ton ourselves.  They have worked very well.  I watch exploit kits pretty regularly to make 
sure we improve coverage for these.  I just wrote protection for 3 other exploit kits this weekend and they should be 
shipped soon after testing.

As far as the community ruleset, the tl;dr is yes.

Longer:
We were going to get this done in Q2 of this year, but with the massive ClamAV transition that took place this was 
placed on the back burner.  Now that we have recovered much of our cycles and reorganized the organization a bit to 
deal with the changes, we are now moving forward on it again.  There was some legal license work to do with the legal 
team that I had to get knocked out first, which involves writing provisions into the VRT license for the community 
ruleset (and some other beneficial changes!) along with making it simpler to read.  I'm due to provide my followup 
comments to the legal team this week about it, and then our DIE team can get working on the actual coding of the 
ruleset.  The way we have decided to do it is beneficial for everyone.  Registered, Subscriber, OEM, etc.  It'll 
involve a bit of coding, but it shouldn't be an issue.

> On 11/25/2012 04:26 AM, Snort Troubleshooting wrote:
> > I went ahead and downloaded ET (open-source) rules and stuck them in there.
> > Then I browsed to the blackhole website again, and Snort fired on two ET
> > Rules, namely, sid:2015724, and sid:2015725.
>
> You've just stumbled across some idiosyncratic differences between the VRT and
> ET rulesets.  This has been discussed in the past but myself being a participant
> in the ET ruleset I can say that as compared to VRT, ET/we are more focused on
> the exploit kit and permutations of the exploit kits as a community and have
> great coverage based on community input.

As I said above, we have some fantastic coverage for exploit kits (in exploit-kit.rules) and we adapt it to change the 
situations that pop up when needed.


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!