Snort mailing list archives
Re: SNORT sig to cover the latest Chrome\FF Webex Vulnerability
From: Patrick Mullen <pmullen () sourcefire com>
Date: Wed, 25 Jan 2017 09:43:19 -0500
Josh,

Thanks for the submission! We released sid 41409 yesterday for this, which is essentially a stripped-down version of what you wrote. We've moved our rule over to the community ruleset to make it available to everyone immediately. Here is what we released:

    content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"; fast_pattern:only; http_uri;

And that's it. Our version didn't have the other checks because we felt that URI was so specific that it wouldn't have problems with False Positives and by specifying the http_uri buffer, snort has assured us that the packet is an HTTP packet and will have things like the http_method and protocol version. We also felt that the check for the User-Agent, while narrowing the request down to the official client, could open our rule up to False Negatives when someone used another (or custom) client to make the request.

Thank you again for the rule submission! If you have any more in the future, please be sure to let us know!

Thanks,

~Patrick

--
Patrick Mullen
Response Research Manager
Cisco TALOS
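The trade-off described in the message above, as an added example that is not part of the original post or of any Snort ruleset: a small Python model comparing a URI-only match with a variant that also requires a User-Agent. The `OFFICIAL_UA` value, the function names, the `uri_plus_ua` variant and all sample requests are constructed for illustration, and the matcher is a simplified stand-in for Snort's `http_uri` buffer, not its actual implementation.

```python
# Added example: models the two rule designs compared in the message above.
MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"
OFFICIAL_UA = "ExampleOfficialClient/1.0"  # constructed placeholder, not a real UA

def parse_request(raw: bytes):
    """Return (method, uri, headers) from a raw HTTP request, or None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def uri_only(raw: bytes) -> bool:
    """Single check: the magic string anywhere in the URI (case-sensitive)."""
    req = parse_request(raw)
    return req is not None and MAGIC in req[1]

def uri_plus_ua(raw: bytes) -> bool:
    """Hypothetical narrowed variant: same URI check plus a User-Agent match."""
    req = parse_request(raw)
    return (req is not None and MAGIC in req[1]
            and OFFICIAL_UA in req[2].get("user-agent", ""))

def build(uri: str, ua: str) -> bytes:
    """Build a constructed GET request for the sample set."""
    return (f"GET {uri} HTTP/1.1\r\nHost: host.example\r\n"
            f"User-Agent: {ua}\r\n\r\n").encode("latin-1")

# Constructed sample traffic (not captured from a real network).
SAMPLES = {
    "official client, magic URI": build("/" + MAGIC, OFFICIAL_UA),
    "other client, magic URI": build("/x/" + MAGIC + "?a=1", "custom-tool/0.1"),
    "official client, benign URI": build("/index.html", OFFICIAL_UA),
    "not HTTP": b"\x16\x03\x01\x00\x05hello",
}

def evaluate():
    """Map each sample label to (uri_only verdict, uri_plus_ua verdict)."""
    return {k: (uri_only(v), uri_plus_ua(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for label, (a, b) in evaluate().items():
        print(f"{label:30} uri_only={a!s:5} uri_plus_ua={b}")
```

The second sample is the false-negative case the message describes: the URI-only check still fires, while the User-Agent-narrowed variant stays silent.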
Current thread:
- SNORT sig to cover the latest Chrome\FF Webex Vulnerability joshua burgess (Jan 24)
- Re: SNORT sig to cover the latest Chrome\FF Webex Vulnerability Patrick Mullen (Jan 25)