Snort mailing list archives
Re: Ghost glibc and EXIM rules
From: "lists () packetmail net" <lists () packetmail net>
Date: Thu, 29 Jan 2015 13:12:26 -0600
Lukas,

ET has these so hopefully this helps in the interim. From http://rules.emergingthreats.net/open/suricata/rules/emerging-exploit.rules

# alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (HELO)"; flow:to_server,established; content:"HELO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?[\d\x2e]{1023}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020325; rev:1;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (EHLO)"; flow:to_server,established; content:"EHLO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?[\d\x2e]{1023}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020326; rev:3;)

Cheers,
Nathan

On 01/29/2015 12:08 PM, Lukas Matt wrote:
> Hi,
>
> according to Talos (http://blogs.cisco.com/security/talos/ghost-glibc) they have two Snort rules for the EXIM glibc exploit, SID 33225 and 33226. I was not able to find them in the Sourcefire tarball. Will they be included in the next release?
>
> Regards
>
> --
> Lukas Matt
> Deep Packet Inspection Developer, SophosLabs
> O: (+49) 721-25516-322 / M: (+49) 174-3440-555

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
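The detection logic of the two ET rules quoted above (HELO/EHLO, no line feed within the next 1024 bytes, then at least 1023 consecutive digits or dots), replayed in Python over constructed SMTP payloads. This is an added illustration, not code from the thread or from Emerging Threats; it approximates Snort's first-match semantics for `content`, `within` and a relative `pcre`, and the sample payloads are constructed.

```python
import re

# Destination ports from the rule header: [25,465,587]
SMTP_PORTS = {25, 465, 587}

# pcre:"/^\s*?[\d\x2e]{1023}/R" -- anchored relative to the end of the
# previous content match, i.e. to the byte right after "HELO " / "EHLO ".
DIGITS_OR_DOTS = re.compile(rb"^\s*?[\d\x2e]{1023}")


def et_ghost_exim_match(payload: bytes) -> bool:
    """Return True when payload satisfies the ET SID 2020325/2020326 options.

    Approximation of the Snort/Suricata logic: one HELO or EHLO match
    (nocase), then content:!"|0a|"; within:1024 (no LF in the 1024 bytes
    after the verb), then the relative PCRE on the same offset.
    """
    lowered = payload.lower()
    for verb in (b"helo ", b"ehlo "):
        idx = lowered.find(verb)
        if idx == -1:
            continue
        rest = payload[idx + len(verb):]
        # Negated content with within:1024: a line feed inside the window
        # means the command ended normally, so this verb does not match.
        if b"\n" in rest[:1024]:
            continue
        if DIGITS_OR_DOTS.match(rest):
            return True
    return False


def alert(dst_port: int, payload: bytes) -> bool:
    """Header + options check: only SMTP ports are inspected."""
    return dst_port in SMTP_PORTS and et_ghost_exim_match(payload)


# Constructed sample payloads (not captured traffic).
BENIGN = b"EHLO mail.example.com\r\n"
LONG_BUT_TERMINATED = b"EHLO " + b"1" * 1000 + b"\r\n"   # LF inside the window
OVERLONG_NUMERIC = b"ehlo " + b"1.2.3." * 171             # 1026 bytes, no LF

if __name__ == "__main__":
    for name, p in (("benign", BENIGN), ("long", LONG_BUT_TERMINATED),
                    ("overlong", OVERLONG_NUMERIC)):
        print(name, alert(25, p))
```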
Current thread:
- Ghost glibc and EXIM rules Lukas Matt (Jan 29)
- Re: Ghost glibc and EXIM rules lists () packetmail net (Jan 29)
- Re: Ghost glibc and EXIM rules Joel Esler (jesler) (Jan 29)