Snort mailing list archives

Re: SNORT sig to cover the latest Chrome\FF Webex Vulnerability


From: Patrick Mullen <pmullen () sourcefire com>
Date: Wed, 25 Jan 2017 09:43:19 -0500

Josh,

Thanks for the submission!  We released sid 41409 yesterday for this,
which is essentially a stripped-down version of what you wrote.  We've
moved our rule over to the community ruleset to make it available to
everyone immediately.

Here is what we released:


content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html";
fast_pattern:only; http_uri;

And that's it.  Our version didn't have the other checks because we felt
that URI was so specific that it wouldn't have problems with False
Positives and by specifying the http_uri buffer, snort has assured us that
the packet is an HTTP packet and will have things like the http_method and
protocol version.  We also felt that the check for the User-Agent, while
narrowing the request down to the official client, could open our rule up
to False Negatives when someone used another (or custom) client to make the
request.

Thank you again for the rule submission!  If you have any more in the
future, please be sure to let us know!


Thanks,

~Patrick
-- 
Patrick Mullen
Response Research Manager
Cisco TALOS
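To make the trade-off in the reply above concrete, here is an added example (my own code, not Talos's rule or any part of Snort) that models only the two rule checks the discussion turns on: a content match against the normalized request URI (the http_uri buffer) and an optional User-Agent pin. It runs both variants over a handful of constructed HTTP requests, including a custom client and a percent-encoded, traversal-obfuscated URI, to show why the URI-only rule still fires where the User-Agent variant goes quiet. The User-Agent string, the host name and the URI normalization are all assumptions for the example; Snort's real http_inspect normalization is more involved.

```python
"""
Toy model of the two rule variants discussed in the thread (added example,
not Snort or Talos code).  It models only a `content` match against the
normalized request URI and an optional User-Agent match; everything else
Snort does (flow state, fast-pattern matching, reassembly) is left out.
"""
import re
from urllib.parse import unquote

# The URI content from the released sid 41409 body quoted in the reply.
IFRAME_PAGE = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"

# Released rule body (http_uri only) versus a hypothetical stricter variant that
# also pins the User-Agent.  The User-Agent value is an assumption for this example.
RULE_URI_ONLY = {"http_uri": IFRAME_PAGE}
RULE_WITH_UA = {"http_uri": IFRAME_PAGE,
                "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}


def parse_request(raw: bytes):
    """Split an HTTP request into method, URI, version and headers.

    Returns None when the bytes do not carry a well-formed HTTP request line,
    which mirrors the point in the thread: the http_uri buffer is only
    populated for traffic Snort has already decoded as HTTP.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, uri, version = lines[0].split(" ")
    except ValueError:
        return None
    if not version.startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version, "headers": headers}


def normalize_uri(uri: str) -> str:
    """Approximate URI normalization (assumed, not Snort's exact algorithm):
    percent-decode, collapse repeated slashes and resolve '.' and '..' segments,
    so '/static/../page%2ehtml' compares equal to '/page.html'."""
    uri = unquote(uri)
    path, sep, query = uri.partition("?")
    path = re.sub(r"/+", "/", path)
    parts = []
    for seg in path.split("/"):
        if seg == "..":
            if len(parts) > 1:          # never pop the leading empty segment
                parts.pop()
        elif seg != ".":
            parts.append(seg)
    return "/".join(parts) + (sep + query if sep else "")


def matches(rule: dict, raw: bytes) -> bool:
    """Evaluate a rule body against one raw request."""
    req = parse_request(raw)
    if req is None:
        return False                    # not HTTP: no http_uri buffer to inspect
    if rule["http_uri"] not in normalize_uri(req["uri"]):
        return False
    ua = rule.get("user_agent")
    if ua is not None and ua not in req["headers"].get("user-agent", ""):
        return False
    return True


# Constructed sample requests for this example (host, agents and paths are made up).
REQUESTS = {
    "official_client": (
        b"GET /" + IFRAME_PAGE.encode() + b" HTTP/1.1\r\n"
        b"Host: example.com\r\n"
        b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n\r\n"),
    "custom_client": (
        b"GET /" + IFRAME_PAGE.encode() + b" HTTP/1.1\r\n"
        b"Host: example.com\r\n"
        b"User-Agent: python-requests/2.12.4\r\n\r\n"),
    "encoded_traversal": (
        b"GET /static/../cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b%2ehtml HTTP/1.1\r\n"
        b"Host: example.com\r\n"
        b"User-Agent: curl/7.51.0\r\n\r\n"),
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "not_http": b"\x16\x03\x01\x00\x05hello",   # TLS-record-looking bytes, not HTTP
}


def evaluate(rule: dict) -> dict:
    """Return {request name: matched?} for one rule variant."""
    return {name: matches(rule, raw) for name, raw in REQUESTS.items()}


if __name__ == "__main__":
    for label, rule in (("uri only", RULE_URI_ONLY), ("uri + UA", RULE_WITH_UA)):
        print(label, evaluate(rule))
```

Running it shows the URI-only body firing on the official client, the custom client and the obfuscated path alike while staying silent on the benign page and the non-HTTP bytes; the User-Agent variant loses the custom client, which is the False Negative the reply is describing.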
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs