Snort mailing list archives

Re: Rule 37111


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 18 Dec 2015 14:05:30 -0700


You bet...thanks for the hard work on this. 

James 

On 2015-12-18 12:57, Nick Randolph wrote: 

Actually this one from James isn't a result of stale flowbits. Thanks James. 

On Fri, Dec 18, 2015 at 2:22 PM, Geoffrey Serrao <gserrao () sourcefire com> wrote:

We've identified an FP condition for sid 1:37111 that can be caused in part by a stale flowbit; this will get 
addressed in an upcoming release. 

On Fri, Dec 18, 2015 at 1:43 PM, Andre DiMino <adimino () sempersecurus org> wrote:

Same. Seeing thousands of alerts over the past hour from legit CDNs.   

On Fri, Dec 18, 2015 at 11:47 AM, James Lay <jlay () slave-tothe-box net> wrote:
This is a noisy one this AM:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any \
(msg:"FILE-FLASH Adobe Flash Player PCRE parsing out of bounds read attempt"; \
flow:to_client,established; flowbits:isset,file.swf; \
file_data; content:"RegExp"; fast_pattern:only; content:"<"; \
content:!">"; within:20; \
metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; \
reference:bugtraq,78710; reference:cve,2015-8418; \
reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; \
classtype:attempted-user; sid:37111; rev:1;)

http://pagead2.googlesyndication[.]com/osd/hbe.swf?id=0~2

James

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort! 

-- 

Andre' M. DiMino
DeepEnd Research
http://www.deependresearch.org
http://sempersecurus.org

"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV) 

-- 

Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph () sourcefire com
Sourcefire.com 



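The following is an added example, not code from this thread or from the Snort rule set. It models the two things the thread turns on: the payload options of sid:37111 (content:"RegExp"; content:"<"; content:!">"; within:20;) and the per-flow lifetime of a flowbit, so that a bit set for an earlier SWF on a keep-alive connection stays set for a later, non-SWF response. The responses are constructed, the matching is a simplification of Snort's engine (it tests every "<" as a candidate, which is what Snort's retry of relative content matches amounts to), and the FWS/CWS/ZWS magic check standing in for the rule that sets file.swf is an assumption, since that setter rule is not quoted here.

```python
"""Model the matching logic of Snort sid:37111 and per-flow flowbit state.

Added example, not code from the thread or from the Snort rule set.
Payloads are constructed; the SWF magic check standing in for the rule
that sets file.swf is an assumption (the setter rule is not on the page).
"""
import re

WITHIN = 20  # from: content:!">"; within:20;


def content_match(buf: bytes) -> bool:
    """Approximate the payload options of sid:37111.

    content:"RegExp"; fast_pattern:only;   -> "RegExp" must appear somewhere
    content:"<"; content:!">"; within:20;  -> some "<" must be followed by a
                                              20-byte window with no ">"
    Snort retries later occurrences of "<" when the relative check fails,
    so every "<" in the buffer is a candidate.
    """
    if b"RegExp" not in buf:
        return False
    for m in re.finditer(b"<", buf):
        window = buf[m.end():m.end() + WITHIN]
        if b">" not in window:
            return True
    return False


class Flow:
    """Per-connection state: flowbits persist for the life of the flow
    until a rule unsets them, which is what lets a bit go stale."""

    def __init__(self) -> None:
        self.flowbits: set[str] = set()


SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def file_type_rule(flow: Flow, data: bytes) -> None:
    """Stand-in for the rule that sets file.swf (assumption: an SWF is
    recognised by its FWS/CWS/ZWS header at the start of file data)."""
    if data[:3] in SWF_MAGIC:
        flow.flowbits.add("file.swf")


def sid_37111(flow: Flow, data: bytes) -> bool:
    """flowbits:isset,file.swf; plus the payload options above."""
    return "file.swf" in flow.flowbits and content_match(data)


# Constructed responses delivered over one keep-alive HTTP connection.
SWF_RESPONSE = b"CWS\x0f" + b"\x00" * 32  # an SWF with no "RegExp" inside
JS_RESPONSE = (b"var re = new RegExp('^a+$');\n"
               b"if (i < items.length) { total += 1; }\n")  # not an SWF


def run_flow(responses, clear_between_files: bool) -> list[bool]:
    """Return one alert flag per response. With clear_between_files=False
    the file.swf bit set by the first response lingers on the connection
    and the later JavaScript response is evaluated as if it were SWF."""
    flow = Flow()
    alerts = []
    for data in responses:
        if clear_between_files:
            flow.flowbits.discard("file.swf")  # reset per file, not per flow
        file_type_rule(flow, data)
        alerts.append(sid_37111(flow, data))
    return alerts


if __name__ == "__main__":
    print("stale bit:  ", run_flow([SWF_RESPONSE, JS_RESPONSE], False))
    print("cleared bit:", run_flow([SWF_RESPONSE, JS_RESPONSE], True))
```

Two things fall out of running it. The stale-bit case alerts on the JavaScript response even though nothing about it is Flash, which is the condition Geoffrey describes. Separately, content_match on its own accepts any buffer that mentions RegExp and has a "<" not closed within 20 bytes, so a genuine SWF that happens to contain those strings still matches with a correct flowbit; that is consistent with Nick's note that James's hits were not a flowbit problem.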
