Snort mailing list archives

Re: Fwd: pulled pork updates


From: Johnny Venter <johnny.venter () zoho com>
Date: Wed, 23 Oct 2013 09:30:26 -0400

This might have been a typo.

I clicked on the subscriber change log.  I'm a registered user.  I checked the registered user rules and the latest 
modification date is: 9-18-2013 @ 4:38PM.

I'm now cross referencing this with my snort.rules.

Thanks.

On Oct 23, 2013, at 9:22 AM, Johnny Venter <johnny.venter () zoho com> wrote:

Hey guys,

This is a follow up from my earlier question:

Something just doesn't feel right about the rules.

For example, I checked: http://www.snort.org/vrt/docs/ruleset_changelogs/2946/changes-2013-10-22.html and noticed 
that the first line 1:28255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz Potential phishing URL (malware-cnc.rules)

I then checked my snort.rules file and did not find this rule anywhere in that file.  I've done a visual spot check and 
also used: 

cat snort.rules | grep -i "MALWARE-CNC Win.Trojan.Kuluoz"

I did the same with "FILE-PDF Adobe Acrobat Reader ICC remote memory corruption attempt"

Is this rule supposed to be in my snort.rules?  If so, what could be the cause of it not updating? Thanks, any help 
is appreciated.



Begin forwarded message:

From: Johnny Venter <johnny.venter () zoho com>
Subject: pulled pork updates
Date: October 15, 2013 11:08:36 AM EDT
To: snort-users <snort-users () lists sourceforge net>

Hi, 

I have an issue or need clarification on pulledpork. I see the following in my sid_changes.log:

-=Begin Changes Logged for Tue Oct 15 14:55:30 2013 GMT=-

New Rules
        BROWSER-PLUGINS Citrix Access Gateway plug-in ActiveX code execution attempt (1:SID:181)

Deleted Rules
        BROWSER-PLUGINS Citrix Access Gateway plug-in ActiveX code execution attempt (1:25343)

Set Policy: Disabled

Rule Totals
        New:-------1
        Deleted:---1
        Enabled:---4543
        Dropped:---0
        Disabled:--13325
        Total:-----17868

-=End Changes Logged for Tue Oct 15 14:55:30 2013 GMT=-

My question is that I've seen this exact data since October 3; is that normal? When I started using PP, I 
deleted/archived all of my existing snort rules files except local.rules. Once I did this, PP put all of the rules 
in one file and I referenced this file in my snort.conf.  Was this correct, or was I supposed to keep the default 
rules files from snort?

Thanks.


------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
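The thread above greps snort.rules for the rule's msg text. A more reliable check, since pulledpork writes disabled rules into the same file commented out with a leading "#", is to look up the SID from the changelog entry (for example 1:28255) and report whether it is enabled, disabled, or missing. The script below is an added example, not code from the thread or from pulledpork; the rules file it builds is constructed sample data with placeholder rule bodies, and rule_state is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: classify a SID in a pulledpork-generated snort.rules as
# enabled (uncommented rule line), disabled (commented out with '#'),
# or absent (not in the file at all). Matching on "sid:NNNN;" avoids the
# false negatives you get from grepping msg text that may have been reworded.

# Constructed sample standing in for snort.rules. SIDs 28255 and 25343
# appear in the thread; the rule bodies are placeholders, not real VRT rules.
SAMPLE_RULES="$(mktemp)"
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
# Constructed sample file, generated for this example
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz Potential phishing URL"; flow:to_server,established; content:"placeholder"; classtype:trojan-activity; sid:28255; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-PLUGINS Citrix Access Gateway plug-in ActiveX code execution attempt"; content:"placeholder"; classtype:attempted-user; sid:25343; rev:2;)
alert tcp any any -> $HOME_NET any (msg:"LOCAL constructed test rule"; content:"placeholder"; classtype:misc-activity; sid:1000001; rev:1;)
EOF

# rule_state FILE SID  -> prints "enabled", "disabled" or "absent"
rule_state() {
    file="$1"
    sid="$2"
    # "sid:" must be preceded by whitespace, '(' or ';' and followed by ';'
    # so that sid:1 does not match sid:181 or sid:1000001.
    sid_re="[[:space:](;]sid:[[:space:]]*${sid}[[:space:]]*;"
    if grep -Eq "^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]].*${sid_re}" "$file"; then
        echo enabled
    elif grep -Eq "^[[:space:]]*#.*${sid_re}" "$file"; then
        echo disabled
    else
        echo absent
    fi
}

# Check the SIDs mentioned in the thread plus one that is not in the file.
for sid in 28255 25343 181; do
    printf 'sid %s: %s\n' "$sid" "$(rule_state "$SAMPLE_RULES" "$sid")"
done
```

Run against a real file with `rule_state /etc/snort/rules/snort.rules 28255`. An "absent" result for a SID that the changelog lists as ENABLED means the rule tarball that pulledpork pulled is older than the changelog, or the rule was filtered out before the file was written; a "disabled" result means the rule is present but policy or a disablesid entry commented it out.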
