Re: Citrix CVE-2019-19781

[rbevan via Snort-sigs <snort-sigs () lists snort org>]

Joel,

I just figured it out. The highest number sid in our download appears 
to be 52470. Our oinkcode switched from subscriber to registered a 
couple months ago. Our purchasing department placed the order and the 
reseller went out of business. The person who registered the account 
"overlooked" the reminder emails.

Unfortunately I am pretty low in my org. I am just above whale poop, 
but way below the surface. I am definitely not high enough to be trusted 
logging into the rules account.

Purchasing is working to fix the issue now.

Thanks for your help.

Rees


On Jan 15 2020 10:31 AM, Joel Esler (jesler) wrote:
> The oinkcode will always work. If your subscription expired, you will
> roll over to the registered rule set. You should receive reminders 30
> and 7 days prior to expiration.
>
> > On Jan 15, 2020, at 8:17 AM, Rees Bevan <rbevan () swcp com> wrote:
> >
> > Joel,
> >
> > I have (or maybe had?) 145 subscriptions. There was an issue with 
> > our reseller at renewal time. The oinkcode still works, but maybe I am 
> > getting just the registered rule set. When I get to work this AM I 
> > will manually pull the rules and check for the most recent rule.
> >
> > Regards,
> > Rees
> >
> > FROM: Joel Esler (jesler) [mailto:jesler () cisco com]
> > SENT: Wednesday, January 15, 2020 4:57 AM
> > TO: Rees Bevan
> > CC: Snort-sigs () lists snort org
> > SUBJECT: Re: [Snort-sigs] Citrix CVE-2019-19781
> >
> > Maybe you don’t have a subscription? If they were released in the 
> > last 30 days, a registered user would not see them.
> >
> > Sent from my  iPhone
> >
> > On Jan 14, 2020, at 22:18, Rees Bevan <rbevan () swcp com> wrote:
> >
> > > 
> > > Joel,
> > >
> > > Thanks for the reply. A Cisco engineer contacted me directly and it 
> > > sounds like I have some serious updating to do on the NGIPS.
> > >
> > > Any clue why I am not seeing those rules in the VRT subscriber set? 
> > > I have a mix of 2.9.13.0 and 2.9.15.0 sensors. We are pulling the 
> > > 2.9.13.0 rules and using them for both flavors.
> > >
> > > Rees
> > >
> > > FROM: Joel Esler (jesler) [mailto:jesler () cisco com]
> > > SENT: Tuesday, January 14, 2020 7:31 PM
> > > TO: Rees Bevan
> > > CC: Snort-sigs () lists snort org
> > > SUBJECT: Re: [Snort-sigs] Citrix CVE-2019-19781
> > >
> > > If you are using a Cisco Firepower device, probably the best course 
> > > would be to call TAC. Are you sure you’ve updated your SRU?
> > >
> > > Sent from my  iPhone
> > >
> > > On Jan 14, 2020, at 20:04, Rees Bevan via Snort-sigs 
> > > <snort-sigs () lists snort org> wrote:
> > >
> > > > 
> > > > Hello list,
> > > >
> > > > The Talos blog post here: 
> > > > https://blog.talosintelligence.com/2020/01/snort-rules-cve-2019-19781.html 
> > > > [1] mentions three rules, signatures 52512, 52513, and 52603. The 
> > > > blog indicates that the rules have been available since 12/24/19.
> > > >
> > > > My environment includes Sourcefire NGIPS and snort sensors running 
> > > > with the VRT subscription. I cannot locate these rules in either 
> > > > place. We are using “Security over Connectivity” on both the 
> > > > pulledpork config and the NGIPS config. I have grepped the rules 
> > > > files on our snort sensors and I see current rules, but not 52512, 
> > > > 52513, and 52603. On the NGIPS, I have sorted the intrusion rules by 
> > > > priority and tried searching by signatures and keywords, but no 
> > > > luck.
> > > >
> > > > Where should I be looking for these rules?
> > > >
> > > > Rees Bevan, CISSP, GCIA, MCSE
> > > > rbevan () swcp com
> > > >
> > > > _______________________________________________
> > > > Snort-sigs mailing list
> > > > Snort-sigs () lists snort org
> > > > https://lists.snort.org/mailman/listinfo/snort-sigs
> > > >
> > > > Please visit http://blog.snort.org for the latest news about 
> > > > Snort!
> > > >
> > > > Please follow these rules: 
> > > > https://snort.org/faq/what-is-the-mailing-list-etiquette
> > > >
> > > > Visit the Snort.org to subscribe to the official Snort ruleset, 
> > > > make sure to stay up to date to catch the most <a href=" 
> > > > https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
>
>
>
> Links:
> ------
> [1] 
> https://blog.talosintelligence.com/2020/01/snort-rules-cve-2019-19781.html

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" 
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!