Snort mailing list archives

Re: [Spam] Re: Possible FP 17363
From: "Weir, Jason" <jason.weir () nhrs org>
Date: Tue, 26 Oct 2010 12:11:54 -0400

funny you used the term bleeding edge....  
 
I'll let Joel explain the different rule sets available from VRT but if
you are getting your bleeding edge rules from Emerging Threats...
 
-J

        -----Original Message-----
        From: Lay, James [mailto:james.lay () wincofoods com] 
        Sent: Tuesday, October 26, 2010 12:06 PM
        To: snort-sigs () lists sourceforge net
        Subject: Re: [Snort-sigs] [Spam] Re: Possible FP 17363
        
        

        So let me understand this.  My understanding of the Subscription
Rules were that these were the latest and greatest bleeding edge
rules...especially for 0-day items, new malware, trojans, etc.  The
Subscription Rules also contained "fixed" rules?

         

        From: Joel Esler [mailto:jesler () sourcefire com] 
        Sent: Tuesday, October 26, 2010 8:55 AM
        To: Lay, James
        Cc: snort-sigs () lists sourceforge net
        Subject: [Spam] Re: [Snort-sigs] Possible FP 17363
        Importance: Low

         

        Pastebin.

         

        However, you aren't receiving the rule yet because it has not
come out of the 30 day window for registered users.

         

        J

         

        On Oct 26, 2010, at 10:48 AM, Lay, James wrote:

        
        
        

        Thank you.

         

        Oinkmaster.conf:

        url = http://www.snort.org/pub-bin/oinkmaster.cgi/code/snortrules-snapshot-2900.tar.gz
        url = http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz
        path = /bin:/usr/bin:/usr/local/bin
        update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
        skipfile local.rules
        skipfile deleted.rules
        skipfile snort.conf
        disablesid 100000137,2002751,485,2006380,2001569,2011346,2011347,2003195,2003601,2003602,1390,1394,17246,17276,17297,17363

         

        The snort.conf file is kinda beefy...what's the best method to
put this online?  Thanks again.

         

        James

         

        From: Weir, Jason [mailto:jason.weir () nhrs org] 
        Sent: Tuesday, October 26, 2010 8:21 AM
        To: snort-sigs () lists sourceforge net
        Subject: Re: [Snort-sigs] Possible FP 17363

         

        have to see your oinkmaster.conf and snort.conf

         

        -J

                -----Original Message-----
                From: Lay, James [mailto:james.lay () wincofoods com] 
                Sent: Tuesday, October 26, 2010 10:13 AM
                To: snort-sigs () lists sourceforge net
                Subject: Re: [Snort-sigs] [Spam] Re: Possible FP 17363

                Hrmm....that's confusing then...oinkmaster says:

                 

                Loading /usr/local/etc/snort/oinkmaster.conf
                Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2900.tar.gz... done.
                Archive successfully downloaded, unpacking... done.
                Downloading file from http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz... done.
                Archive successfully downloaded, unpacking... done.
                Setting up rules structures... done.
                Processing downloaded rules... disabled 8, enabled 0, modified 0, total=21693
                Setting up rules structures... done.
                Comparing new files to the old ones... done.
                Updating local rules files... done.

                 

                Yet:

                [08:11:48 me () ids:~/rules$] sudo grep 17363 *.rules
                web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple computer finder DMG volume name memory corruption"; flow:to_client,established; content:"|4C 41 42 4C|"; byte_test:2,>,254,12,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:1;)

                 

                Are rules not getting updated in 2900?  Or is my
oinkmaster not doing what it's supposed to do?  Thanks for any help.

                 

                James

                 

                From: Alex Kirk [mailto:akirk () sourcefire com] 
                Sent: Monday, October 25, 2010 10:44 AM
                To: rmkml
                Cc: Lay, James; snort-sigs () lists sourceforge net;
rmkml () free fr
                Subject: [Spam] Re: [Snort-sigs] Possible FP 17363
                Importance: Low

                 

                Actually, this rule is currently at rev:3 - adding a
flowbit check and some additional bytes to the content match - due to
earlier false positive reports. If you get further FPs with the current
revision of the rule, please let us know.

                On Mon, Oct 25, 2010 at 12:38 PM, rmkml <rmkml () yahoo fr> wrote:

                Hi James,
                Maybe, to reduce FPs a little, add "isdataat:255,relative;" after byte_test()?
                Another thought: maybe null bytes are the separator? Then instead "isdataat:255,relative; content:!"|00|"; within:255;" ?
                Regards
                Rmkml

                PS: http://www.securityfocus.com/archive/1/archive/1/456578/100/0/threaded
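An added check, not from anyone in this thread, for the mismatch James describes: a sid sits in the oinkmaster disablesid list, the run reports "disabled 8" for a 16-entry list, and grep still prints the rule. grep also matches rules oinkmaster has commented out, so the script below parses each rule line for sid, rev and whether it is commented out, then reports every listed sid as disabled, still-active, or absent from the downloaded set. The rule text and the disablesid entries are constructed samples (the sid 1394 rule is invented), and backslash-continued multi-line rules are not handled.

```python
import re

# Constructed sample: two lines as they would sit in a .rules file after an
# oinkmaster run. The first is active; the second was commented out by disablesid.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple computer finder DMG volume name memory corruption"; flow:to_client,established; content:"|4C 41 42 4C|"; byte_test:2,>,254,12,relative; reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED example rule"; sid:1394; rev:2;)
"""

# Constructed subset of the disablesid line from the thread.
DISABLESID = "100000137,2002751,485,17363,1394"

_SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
_REV_RE = re.compile(r"\brev:\s*(\d+)\s*;")


def parse_rules(text):
    """Return {sid: (rev, active)} for every rule line, commented out or not."""
    found = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        active = not stripped.startswith("#")   # '#' prefix is how oinkmaster disables a rule
        sid_m = _SID_RE.search(stripped)
        if not sid_m:
            continue                            # comment or non-rule line
        rev_m = _REV_RE.search(stripped)
        rev = int(rev_m.group(1)) if rev_m else None
        found[int(sid_m.group(1))] = (rev, active)
    return found


def audit_disablesid(rules_text, disablesid):
    """Classify each sid in a disablesid list against the rules actually on disk.
    Returns {sid: 'disabled' | 'still-active' | 'not-in-ruleset'}."""
    rules = parse_rules(rules_text)
    result = {}
    for token in disablesid.split(","):
        sid = int(token.strip())
        if sid not in rules:
            result[sid] = "not-in-ruleset"      # why 'disabled N' can be smaller than the list
        elif rules[sid][1]:
            result[sid] = "still-active"        # listed, present, but not commented out
        else:
            result[sid] = "disabled"
    return result


if __name__ == "__main__":
    for sid, status in sorted(audit_disablesid(SAMPLE_RULES, DISABLESID).items()):
        print(sid, status)
```

Run it against the real *.rules directory by concatenating the files into `rules_text`; a "still-active" sid is the case worth raising with the list, a "not-in-ruleset" sid just means that sid is not in the tarball you downloaded.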

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
