[Snort-sigs] Snort VRT Updates Questions/Concerns

Subject: [Snort-sigs] Snort VRT Updates Questions/Concerns
Date: Thu, 16 Nov 2006 20:45:22 -0600
I'm looking at the latest Snort VRT rules advisory and trying to figure out
what the 'State Change Rules' section means in the Change Log (http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2006-11-16.html).
Based on what is provided, it would seem that signatures are being changed
from an Enabled to a Disabled state, or from a Disabled to an Enabled state
-- but that doesn't seem to be the case.

Below are a few lines from the Change Log:

State change rules:
1233 <-> Disabled <-> WEB-CLIENT Outlook EML access (web-client.rules)
1284 <-> Disabled <-> WEB-CLIENT readme.eml download attempt (web-client.rules)
1290 <-> Disabled <-> WEB-CLIENT readme.eml autoload attempt (web-client.rules)
1735 <-> Disabled <-> WEB-CLIENT XMLHttpRequest attempt (web-client.rules)

Looking at the first signature referenced (1233 - WEB-CLIENT Outlook EML
access), I don't see any changes since the last VRT release and the revision
number is the same.

Also, the 'New Rules' section obviously contains the new rules that were
introduced in the release. Below are the first few lines from this section:

New rules:
9129 <-> Disabled <-> WEB-CLIENT WinZip FileView 6.1 ActiveX CLSID access (web-client.rules)
9130 <-> Disabled <-> WEB-CLIENT WinZip FileView 6.1 ActiveX CLSID unicode access (web-client.rules)
9131 <-> Disabled <-> WEB-CLIENT WinZip FileView 6.1 ActiveX function call access (web-client.rules)

Based on the above, I would assume that those three signatures are all
disabled by default. However, when I look at the rules themselves, only the
last one (9131) is actually disabled:

sys1:~/rules$ grep 9129 *.rules | cut -d : -f 2 | awk '{ print $1 }'
alert
sys1:~/rules$ grep 9130 *.rules | cut -d : -f 2 | awk '{ print $1 }'
alert
sys1:~/rules$ grep 9131 *.rules | cut -d : -f 2 | awk '{ print $1 }'
#

This seems WAY wrong.

Any insight would be appreciated, and thanks in advance.

Colin Grady
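The manual grep/cut/awk check above can be automated: parse the "SID <-> State <-> Message (file)" lines of the changelog, derive each rule's shipped state from whether its line in the .rules file is commented out, and report every SID where the two disagree. This is an added example, not code from the post or from the Snort VRT; the changelog fragment and rules file contents are constructed samples modelled on the lines quoted above.

```python
import re
from typing import Dict, Tuple

# Constructed sample: changelog lines in the "SID <-> State <-> Message (file)" format.
CHANGELOG = """\
State change rules:
1233 <-> Disabled <-> WEB-CLIENT Outlook EML access (web-client.rules)

New rules:
9129 <-> Disabled <-> WEB-CLIENT WinZip FileView 6.1 ActiveX CLSID access (web-client.rules)
9131 <-> Disabled <-> WEB-CLIENT WinZip FileView 6.1 ActiveX function call access (web-client.rules)
"""

# Constructed sample rules file: a leading '#' means the rule ships disabled.
RULES = {"web-client.rules": """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Outlook EML access"; sid:1233; rev:8;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT WinZip FileView 6.1 ActiveX CLSID access"; sid:9129; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT WinZip FileView 6.1 ActiveX function call access"; sid:9131; rev:1;)
"""}

CHANGELOG_RE = re.compile(r"^(\d+)\s+<->\s+(Enabled|Disabled)\s+<->\s+.*\((\S+)\)\s*$")
RULE_RE = re.compile(r"^\s*(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s.*\bsid:\s*(\d+)\s*;")

def parse_changelog(text: str) -> Dict[int, Tuple[str, str]]:
    """Map SID -> (state the changelog claims, rules file) for every '<->' line."""
    claimed = {}
    for line in text.splitlines():
        m = CHANGELOG_RE.match(line)
        if m:
            claimed[int(m.group(1))] = (m.group(2), m.group(3))
    return claimed

def parse_rules(files: Dict[str, str]) -> Dict[int, str]:
    """Map SID -> actual shipped state: a commented-out rule line is Disabled."""
    actual = {}
    for text in files.values():
        for line in text.splitlines():
            m = RULE_RE.match(line)
            if m:
                actual[int(m.group(2))] = "Disabled" if m.group(1) else "Enabled"
    return actual

def find_mismatches(changelog: str, files: Dict[str, str]) -> Dict[int, Tuple[str, str]]:
    """Return SID -> (claimed, actual) for every SID where changelog and rules disagree."""
    claimed, actual = parse_changelog(changelog), parse_rules(files)
    return {sid: (state, actual.get(sid, "Missing"))
            for sid, (state, _) in claimed.items() if actual.get(sid, "Missing") != state}

if __name__ == "__main__":
    for sid, (claimed, actual) in sorted(find_mismatches(CHANGELOG, RULES).items()):
        print(f"sid {sid}: changelog says {claimed}, rules file has {actual}")
```

Run against a real VRT release by reading the changelog and the .rules directory into CHANGELOG and RULES; the output lists the SIDs whose shipped state contradicts the advisory, which is the discrepancy described above.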