Re: Citrix CVE-2019-19781

["Joel Esler \(jesler\) via Snort-sigs" <snort-sigs () lists snort org>]

The oinkcode will always work.  If your subscription expired, you will roll over to the registered rule set.  You 
should receive reminders 30 and 7 days prior to expiration.

On Jan 15, 2020, at 8:17 AM, Rees Bevan <rbevan () swcp com<mailto:rbevan () swcp com>> wrote:

Joel,

I have (or maybe had?) 145 subscriptions.  There was an issue with our reseller at renewal time.  The oinkcode still 
works, but maybe I am getting just the registered rule set.  When I get to work this AM I will manually pull the rules 
and check for the most recent rule.

Regards,
Rees

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Wednesday, January 15, 2020 4:57 AM
To: Rees Bevan
Cc: Snort-sigs () lists snort org<mailto:Snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] Citrix CVE-2019-19781

Maybe you don’t have a subscription?   If they were released in the last 30 days, a registered user would not see them.
Sent from my  iPhone


On Jan 14, 2020, at 22:18, Rees Bevan <rbevan () swcp com<mailto:rbevan () swcp com>> wrote:

Joel,

Thanks for the reply.  A Cisco engineer contacted me directly and it sounds like I have some serious updating to do on 
the NGIPS.

Any clue why I am not seeing those rules in the VRT subscriber set?  I have a mix of 2.9.13.0 and 2.9.15.0 sensors. We 
are pulling the 2.9.13.0 rules and  using them for both flavors.

Rees

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Tuesday, January 14, 2020 7:31 PM
To: Rees Bevan
Cc: Snort-sigs () lists snort org<mailto:Snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] Citrix CVE-2019-19781

If you are using a Cisco Firepower device, probably the best course would be to call TAC.  Are you sure you’ve updated 
your SRU?
Sent from my  iPhone



On Jan 14, 2020, at 20:04, Rees Bevan via Snort-sigs <snort-sigs () lists snort org<mailto:snort-sigs () lists snort 
org>> wrote:

Hello list,

The Talos blog post here: https://blog.talosintelligence.com/2020/01/snort-rules-cve-2019-19781.html  mentions three 
rules, signatures  52512, 52513, and 52603.  The blog indicates that the rules have been available since 12/24/19.

My environment includes Sourcefire NGIPS and snort sensors running with the VRT subscription.  I cannot locate these 
rules in either place.  We are using “Security over Connectivity” on both the pulledpork config and the NGIPS config.   
I have grepped the rules files on our snort sensors and I see current rules, but not 52512, 52513, and 52603.   On the 
NGIPS, I have sorted the intrusion rules by priority and tried searching by signatures and keywords, but no luck.

Where should I be looking for these rules?

Rees Bevan, CISSP, GCIA, MCSE
rbevan () swcp com<mailto:rbevan () swcp com>

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org<mailto:Snort-sigs () lists snort org>
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!