Snort mailing list archives

Re: CVE-2015-0204


From: <kestutis.malakauskas () barclays com>
Date: Tue, 10 Mar 2015 11:34:18 +0000

Thanks Joel,

That's good to know; I will address this, as I had the impression it might cause segregation-of-duties issues because the 
permission would also allow analysts to edit rules.

Appreciate,
Kestutis

Kestutis Malakauskas | Lead Attack Monitoring Analyst | Global Information Security | Security Operations
Tel +370 5 251 1847 | Mobile +370 652 89466 | Email kestutis.malakauskas () barclays com
Barclays, 8th Floor | Balčikonio str. 7 | Vilnius | Lithuania GMT+2
Barclays.com

Hotline: +370 520 62424
Please consider the environment before printing this email

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: 10 March 2015 13:27
To: snort () outlook com
Cc: Malakauskas, Kestutis : RBB COO; snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] CVE-2015-0204

Your analysts can only read the rules if they have rules permissions in the account settings.
--
Joel Esler
Sent from my iPhone

On Mar 10, 2015, at 6:42 AM, "snort () outlook com" <snort () outlook com> wrote:
If by "DC" you mean Defense Center, then there is a way to view the rule body, given that permissions allow analysts 
to do that.

The above is not based on my experience, just demos/documents I have read about DC.


On Tue, Mar 10, 2015 at 3:08 AM -0700, <kestutis.malakauskas () barclays com> wrote:

Thanks,



Yes, this is correct; this is the way I imagine it as well. The issue was that not all the rules have triggered so far, 
which our analysts could examine. Without the rule being triggered on DC our analysts can't see the exact rule, so 
naturally they can't identify this distinction, which is seen only if you can examine the rules themselves. So I thought 
maybe someone has the separation done already for those and could provide which SIDs correspond to which (server side, 
client side).



Regards,

Kestutis






From: Y M [mailto:snort () outlook com]
Sent: 10 March 2015 11:50
To: Malakauskas, Kestutis : RBB COO
Cc: snort-sigs
Subject: RE: [Snort-sigs] CVE-2015-0204



This can be inferred from the rules themselves. Looking at the rules you mentioned, logically speaking, the distinction 
can be made from



- Rule direction: "external" to "home" or "home" to "external", and the associated

- SSL State: ssl_state, either server_hello or client_hello.



"external" to "home" with server_hello looks for the server side while "home" to "external" with client_hello looks for 
the client side. Please correct me if I am wrong.



If the above holds true, then for usability purposes, maybe you can modify the rule messages (using PulledPork, if 
you use it) to reflect client-side or server-side alerts.



Hope this helps.
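
The classification described above (rule header direction combined with the ssl_state option), as an added example that is not part of the original thread and not the VRT's or PulledPork's own code: a small Python script that parses Snort rule lines and tags each SID as server-side, client-side or unknown. The rule text it ships with is constructed for illustration, uses local-range SIDs, and is not the content of SIDs 33686 through 33703; the script also assumes the default `var EXTERNAL_NET !$HOME_NET` when it reads a negated $HOME_NET address as "external".

```python
"""Tag Snort SSL rules as server-side or client-side from the header
direction and the ssl_state option (the heuristic from the thread)."""
import re

# Constructed sample rules for illustration only: NOT the VRT rules for
# SIDs 33686-33703, and the SIDs are from the local (>= 1000000) range.
SAMPLE_RULES = r'''
# server side: traffic from outside to us, inspecting the ServerHello
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER constructed export-grade ServerHello"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; depth:2; sid:1000001; rev:1;)
# client side: traffic from us to outside, inspecting the ClientHello
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BROWSER-OTHER constructed export-grade ClientHello"; flow:to_server,established; ssl_state:client_hello; content:"|16 03|"; depth:2; sid:1000002; rev:1;)
# several ssl_state values: direction alone does not decide it
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"constructed rule with mixed ssl_state"; ssl_state:client_hello,server_hello; sid:1000003; rev:1;)
# no ssl_state at all
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed rule without ssl_state"; flow:to_client,established; sid:1000004; rev:1;)
'''

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^\s*(?P<action>alert|drop|reject|sdrop|log|pass)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# key:value; pairs, with quoted values (msg, content) allowed to contain ';'
OPT_RE = re.compile(r'(?P<key>[a-z_]+)\s*:\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(line):
    """Return the fields needed for classification, or None for comments,
    blank lines and anything whose header does not parse."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    opts = {}
    for o in OPT_RE.finditer(m.group('opts')):
        opts.setdefault(o.group('key'), o.group('val').strip())  # first wins
    parts = [s.strip() for s in opts.get('ssl_state', '').split(',')]
    return {
        'sid': int(opts['sid']) if 'sid' in opts else None,
        'msg': opts.get('msg', '').strip('"'),
        'src': m.group('src'),
        'dst': m.group('dst'),
        'bidir': m.group('dir') == '<>',
        # negated states (!server_hello) are dropped: they do not tell us
        # which side of the handshake the rule is looking at
        'ssl_state': {s for s in parts if s and not s.startswith('!')},
    }


def _side(addr):
    """Map a header address to 'home' or 'external'. Assumes the default
    'var EXTERNAL_NET !$HOME_NET', so !$HOME_NET counts as external."""
    a = addr.upper()
    neg = a.startswith('!')
    if 'HOME_NET' in a:
        return 'external' if neg else 'home'
    if 'EXTERNAL_NET' in a:
        return 'home' if neg else 'external'
    return None


def direction(rule):
    """'inbound' for external -> home, 'outbound' for home -> external."""
    if rule['bidir']:
        return 'unknown'
    src, dst = _side(rule['src']), _side(rule['dst'])
    if (src, dst) == ('external', 'home'):
        return 'inbound'
    if (src, dst) == ('home', 'external'):
        return 'outbound'
    return 'unknown'


def classify(rule):
    """inbound + server_hello -> the rule inspects the server's side;
    outbound + client_hello -> the client's side; anything else is
    reported as 'unknown' rather than guessed."""
    d, st = direction(rule), rule['ssl_state']
    if d == 'inbound' and st == {'server_hello'}:
        return 'server'
    if d == 'outbound' and st == {'client_hello'}:
        return 'client'
    return 'unknown'


def classify_rules(text):
    """Return (sid, side, msg) for every rule in a rules-file body, in order."""
    rows = []
    for line in text.splitlines():
        r = parse_rule(line)
        if r is not None:
            rows.append((r['sid'], classify(r), r['msg']))
    return rows


def report(text):
    """Tab-separated 'sid side msg' lines analysts can keep next to the
    console when the rule body itself is not visible to them."""
    return '\n'.join(f'{sid}\t{side}\t{msg}' for sid, side, msg in classify_rules(text))


if __name__ == '__main__':
    print(report(SAMPLE_RULES))
```

Run it over the plain-text .rules files you feed your sensors (or the files PulledPork writes out) and hand the resulting SID list to the analysts who cannot open the rule body in the console. Rules that list several ssl_state values, negate them, or carry none at all are reported as unknown on purpose, since neither direction nor state alone settles the question; those few are the ones worth reading by hand. If you take the PulledPork route suggested above, its modifysid.conf is the place to rewrite the msg of the listed SIDs; confirm the exact syntax against the sample file shipped with your PulledPork version before relying on it.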



________________________________

From: kestutis.malakauskas () barclays com
To: snort-sigs () lists sourceforge net
Date: Tue, 10 Mar 2015 09:06:36 +0000
Subject: [Snort-sigs] CVE-2015-0204

Hello,



There are SIDs with GID 1, 33686 through 33703, which cover CVE-2015-0204. I assume part of them cover 
identification of vulnerable server configurations and the others cover vulnerable browsers. Is it 
possible to distinguish these, defining which ones are for vulnerable browsers and which ones are for vulnerable servers?



Anyone from VRT?



Thanks,

Kestutis






This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or 
exempt from disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, 
please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any 
part of this e-mail or its attachments.
Internet communications are not guaranteed to be secure or virus-free. The Barclays Group does not accept 
responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by 
any third party, or from the transmission of any viruses. Replies to this e-mail may be monitored by the Barclays Group 
for operational or business reasons.
Any opinion or other information in this e-mail or its attachments that does not relate to the business of the Barclays 
Group is personal to the sender and is not given or endorsed by the Barclays Group.
Barclays Bank PLC. Registered in England and Wales (registered no. 1026167). Registered Office: 1 Churchill Place, 
London, E14 5HP, United Kingdom. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated 
by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702).

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with 
Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, 
videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
