SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
Re: NPCAP GitHub Security Advisories
Gordon Fyodor Lyon (May 01)
Hi Jay. Good questions, and I'm glad you like Nmap and Npcap! We are not
using GitHub's security feature at present. If we issued a security
advisory for Npcap or Nmap, we would likely host it ourselves. But Github
adds that tab to all projects by default and, from a quick glance at
settings, I don't see an obvious way to remove it. I think your best bet
is to sign up for release announcements through GitHub and look for...
NPCAP GitHub Security Advisories
Sethi, Jay (May 01)
Hello nmap dev team!
I work for Manitoba Hydro, a utility in Manitoba, Canada. We use nmap (and NPCAP!). As part of NERC CIP compliance, we
are required to check regularly for security advisories. I recently noticed the following on the GitHub page:
The npcap change log notes a few releases that resolve CVEs
npcap/CHANGELOG.md at master · nmap/npcap · GitHub <https://github.com/nmap/npcap/blob/master/CHANGELOG.md>
(For example, Npcap...
Better interface names reported by pcap_findalldevs
Dmytro Ovdiienko (May 01)
Feature Request: nping to flag incorrect or curtailed ICMP echo payload
Alex Ferenstein (May 01)
Hi Nmap development mailing list, some time ago I emailed Gordon, asking for a
feature to flag a disparity between the echo-replied payload and the payload that
was sent. Can it be implemented, or have I missed an existing feature?
R’s, Alex
------------------------------
Hi Gordon,
thank you for making nmap/nping. I have a feature request for nping.
As you know, “The echo reply is an ICMP message generated in response to an
echo request; *it is...
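The check Alex asks for, written out as an added Python example (this is not nping's code): build an ICMP echo request in memory, then classify a reply as intact, truncated ("curtailed"), padded or altered relative to the request. The message layout is RFC 792 and the checksum is RFC 1071; the payload, identifier and sequence number are constructed for the demonstration.

```python
"""Classify an ICMP echo reply against the echo request it should mirror.

Added example (not nping's code). Packets are built in memory and nothing is
sent on the wire; the payload, identifier and sequence number are constructed.
"""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an RFC 792 echo message: type, code, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Split an echo message into its fields and verify the stored checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # Summing the whole message including its own checksum yields 0 when it is valid.
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}


def compare_echo(request: bytes, reply: bytes) -> str:
    """Return one of: ok, bad-checksum, not-echo-reply, id-seq-mismatch,
    truncated, padded, corrupted."""
    req, rep = parse_echo(request), parse_echo(reply)
    if not rep["checksum_ok"]:
        return "bad-checksum"                # damaged in transit; contents untrustworthy
    if rep["type"] != ICMP_ECHO_REPLY:
        return "not-echo-reply"
    if (rep["id"], rep["seq"]) != (req["id"], req["seq"]):
        return "id-seq-mismatch"             # reply to some other probe
    sent, got = req["payload"], rep["payload"]
    if got == sent:
        return "ok"
    if len(got) < len(sent) and sent.startswith(got):
        return "truncated"                   # curtailed: a prefix of what was sent
    if len(got) > len(sent) and got.startswith(sent):
        return "padded"                      # extra trailing bytes appended
    return "corrupted"                       # bytes differ within the sent length


def sample_cases() -> dict:
    """Constructed request/reply pairs, one per interesting verdict."""
    payload = b"nping-payload-0123456789"
    ident, seq = 0x1234, 1
    request = build_echo(ICMP_ECHO_REQUEST, ident, seq, payload)
    altered = bytearray(payload)
    altered[5] ^= 0x20                       # one byte changed, same length
    damaged = bytearray(build_echo(ICMP_ECHO_REPLY, ident, seq, payload))
    damaged[-1] ^= 0xFF                      # bit flip after the checksum was computed
    return {
        "request": request,
        "good": build_echo(ICMP_ECHO_REPLY, ident, seq, payload),
        "short": build_echo(ICMP_ECHO_REPLY, ident, seq, payload[:8]),
        "altered": build_echo(ICMP_ECHO_REPLY, ident, seq, bytes(altered)),
        "damaged": bytes(damaged),
    }


if __name__ == "__main__":
    cases = sample_cases()
    for name in ("good", "short", "altered", "damaged"):
        print("%-8s -> %s" % (name, compare_echo(cases["request"], cases[name])))
```

The functions expect the bare ICMP message. When reading replies from a raw socket on Linux the IPv4 header arrives in front of it, so strip the first IHL*4 bytes before calling compare_echo. Checking the checksum before the payload matters: a reply with a bad checksum tells you the packet was damaged, not that the peer answered with a different payload.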
zenmap crash in Fedora 34
louzaoh (Apr 22)
This is the message I've got:
➜ zenmap
File "/usr/bin/zenmap", line 114
except ImportError, e:
^
SyntaxError: invalid syntax
➜ rpm -qa zenmap\*
zenmap-7.91-1.noarch
Regards,
Nmap Bug in payload.cc: corrupted UDP packets during -sU scan
mzet via dev (Apr 02)
Hi List,
It was observed that UDP packets sent during a UDP port scan (-sU) are corrupted.
Background:
To make UDP scanning more effective, for many services (ports) Nmap takes the content of UDP packets from the nmap-payloads
file. The logic for handling this is implemented in the payload.cc source file.
Issue:
Due to a subtle implementation issue (introduced in...
[NSE] Hex digits in URL encoding should be upper-case
nnposter (Apr 01)
For visibility to the broad Nmap community:
I have created issue #2281 to start using upper-case hexadecimal digits
for URL encoding inside NSE. More details at
https://github.com/nmap/nmap/issues/2281
Please leave any comments there.
Cheers,
nnposter
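What issue #2281 asks for, as an added Python example (NSE itself is Lua, and this is not nmap's code): emit upper-case hex digits in percent-escapes and normalise already-encoded strings before comparing them, following RFC 3986 sections 2.1 and 6.2.2. Decoding escapes of unreserved characters is a safe normalisation; decoding reserved ones such as %2F would change the meaning of a path, so the normaliser only upper-cases those.

```python
"""RFC 3986 percent-encoding with upper-case hex digits, plus a normaliser.

Added example, not NSE code. The unreserved set is RFC 3986 section 2.3.
"""
import re

UNRESERVED = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def percent_encode(data: bytes, safe: bytes = b"") -> str:
    """Encode every byte outside unreserved (and `safe`) as %XX, hex upper-case."""
    keep = UNRESERVED | frozenset(safe)
    return "".join(chr(b) if b in keep else "%%%02X" % b for b in data)


def normalize_percent_encoding(s: str) -> str:
    """Canonicalise an encoded string (RFC 3986 section 6.2.2): upper-case the
    hex digits of each escape and decode escapes of unreserved characters only."""
    def fix(match):
        b = int(match.group(1), 16)
        return chr(b) if b in UNRESERVED else "%%%02X" % b
    return _PCT.sub(fix, s)


def same_uri_path(a: str, b: str) -> bool:
    """Compare two percent-encoded paths after normalising both sides."""
    return normalize_percent_encoding(a) == normalize_percent_encoding(b)


if __name__ == "__main__":
    print(percent_encode(b"a b/c?"))                      # a%20b%2Fc%3F
    print(normalize_percent_encoding("%2fcgi%2dbin%2Fx%7e"))
    print(same_uri_path("%2fadmin", "%2Fadmin"))
```

The practical point for scripts that match server responses or compare against other tools' output: a literal string comparison of "%2f" against "%2F" fails even though both decode to the same byte, so either emit the canonical form or normalise before comparing.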
Re: Empty do_ipv4 function in address-info
nnposter (Mar 27)
I agree that there is no obvious reason to have the function there
at all. On the other hand, the script description is pretty clear:
"Shows extra information about IPv6 addresses, such as..."
In other words, there should be no expectation that the script does
anything with IPv4.
Cheers,
nnposter
Empty do_ipv4 function in address-info
Toni Ruottu (Mar 27)
Hi!
In the current version of address-info.nse the do_ipv4 function body is
completely empty. Is this a mistake? If it is not a mistake I would at
least expect a comment that explains why the function doesn't do anything.
Cheers, --Toni
PR 2278 - improvement on script ssl-enum-ciphers
Sulidi Maimaitiming (Mar 26)
Hi Nmap team,
I have been using the ssl-enum-ciphers script to detect the presence of
weak tls protocols and ciphers and it is a great tool.
However I've noticed many ciphers are rated A for cipher strength (while
they are flagged as weak on SSL Labs for instance), and then I realised
there was a list of warnings aggregated at the port level.
Plus the aggregated output is not always consistent...
I opened a PR on GitHub (...
Re: ssl-enum-ciphers.nse not showing TLS_ECDHE* ciphers
nnposter (Mar 20)
<snip>
The script has been updated in r38199. Please see the following comment
for the root cause:
https://github.com/nmap/nmap/issues/1187#issuecomment-803503496
Cheers,
nnposter
Re: Nmap Issue : "kernel: RPC: fragment too large:"
Dario Ciccarone (dciccaro) via dev (Mar 16)
https://serverfault.com/questions/652188/nfs-share-problems-rpc-fragment-too-large-xxxxx - second answer on a Google
search for "kernel: RPC: fragment too large:"
With the most absolute respect, and from a professional to another: it would certainly help *immensely* if you could
provide information such as:
* Nmap version and command-line options used
* Operating system, patch level on the host being used to run nmap
*...
Nmap Issue : "kernel: RPC: fragment too large:"
PENISSON, TIMOTHÉ (Mar 16)
Hello,
I use Nmap to scan machines, and in the logs of some of them we see this kind of message appearing:
"kernel: RPC: fragment too large:".
This message appears globally on all servers scanned by Nmap with an NFS mount.
Is this behavior known by the Nmap community? Is it linked to a specific conf or script?
Is there a workaround to avoid this?
Thanks for your help,
Sincerely,
Timothé PENISSON
MOE...
I keep getting this error every time I try to open the scripting window on windows 10 to input an nse
Mike Myers (Mar 16)
Here is the stack trace…
Version: 7.90
Traceback (most recent call last):
File "zenmapGUI\ScriptInterface.pyo", line 261, in script_list_timer_callback
File "zenmapGUI\ScriptInterface.pyo", line 270, in initial_script_list_cb
File "zenmapGUI\ScriptInterface.pyo", line 307, in handle_initial_script_list_output
NameError: global name 'os' is not defined
Thanks for any help. I can use the command...
ssl-enum-ciphers.nse not showing TLS_ECDHE* ciphers
Guido van Rooij (Mar 16)
With nmap 7.60, I scanned the host with IP address 3.132.36.206 with the below results:
Starting Nmap 7.60 ( https://nmap.org ) at 2021-03-10 11:06 UTC
Nmap scan report for ec2-3-132-36-206.us-east-2.compute.amazonaws.com (3.132.36.206)
Host is up (0.094s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| ssl-enum-ciphers:
| TLSv1.0:
|...
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Npcap 1.30 Released: Raw WiFi + Better Performance
Gordon Fyodor Lyon (Apr 12)
Hi folks. The Nmap Project is pleased to release Npcap Version 1.30 at
https://npcap.org. We hope Nmap and Wireshark users will be especially
happy with the raw WiFi improvements, since you tend to be particularly
savvy about low-level network inspection. It turns out that some of the
issues we thought were caused by lower level hardware drivers were actually
bugs in our driver. Oops! But at least that means we can fix them
ourselves, and we did....
Npcap 1.20 released
Gordon Fyodor Lyon (Mar 16)
Nmap/Npcap Community:
I'm happy to report the release of version 1.20 of the Npcap Windows packet
capturing/sending driver! It's the first release of 2021 and includes
better capabilities for selecting timestamp methods as well as many other
improvements and bug fixes. These include updating the underlying libpcap
library to version 1.10 and building our installer now with NSIS 3. More
details on all this are available from the...
Nmap 7.91 Bugfix Release
Gordon Fyodor Lyon (Oct 14)
Hello everyone. I'm glad Nmap 7.90 was so well received! There were so
many improvements that the official announcement (
https://seclists.org/nmap-announce/2020/1) was a bit unwieldy. So Daniel
Miller (who made most of those changes) Tweeted his top highlights at
https://twitter.com/bonsaiviking/status/1313247253197393920
While we do work hard to avoid bugs during development and to catch them
pre-release through continuous integration...
Nmap 7.90 Released! First release since August 2019.
Gordon Fyodor Lyon (Oct 03)
Hello everyone. Hot on the heels of the big Npcap 1.00 release (
https://seclists.org/nmap-announce/2020/0), we're delighted to announce a
new Nmap--version 7.90! It's the first Nmap release since Defcon 2019, even
though we've made 16 Npcap releases since then. Raw packets are so
fundamental to Nmap that we really wanted to get it right. With the
production-ready and highly performant Npcap 1.00 driver included, we can
finally...
Npcap 1.00 was just released and a new Nmap is on the way!
Gordon Fyodor Lyon (Sep 28)
Hello everyone. I hope you are all safe and well during this nasty
pandemic. I obviously haven't been wearing my marketing hat enough given
that this is my first mail to the Nmap Announcement list since last
August's Nmap 7.80 release. But we've been heads-down programming since
then and have great news to report!
The biggest news is that, after more than 7 years of development and 170
previous public releases, we're...
Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
Backdoor.Win32.Agent.oj / Unauthenticated Remote Command Execution
malvuln (Apr 30)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/c1e92e04cdb432d83ea2610ef226d4cd_B.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Agent.oj
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port 23, upon connection to an
infected host third-party attackers get handed a remote shell.
Type: PE32
MD5:...
Backdoor.Win32.Agent.oj / Remote Stack Buffer Overflow
malvuln (Apr 30)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/c1e92e04cdb432d83ea2610ef226d4cd.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Agent.oj
Vulnerability: Remote Stack Buffer Overflow
Description: The malware listens on TCP port 23. Third-party attackers can
send a specially crafted payload, triggering a classic stack buffer
overflow overwriting ECX, EIP...
Backdoor.Win32.Agent.kte / Remote Stack Buffer Overflow (UDP Datagram)
malvuln (Apr 30)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/7c92e59e776355734781bbf05571d0f0.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Agent.kte
Vulnerability: Remote Stack Buffer Overflow (UDP Datagram)
Description: The malware drops an executable named "aspimgr.exe" under
SysWOW64 dir, which listens on TCP port 80 and UDP port 53. Third-party
attackers...
Backdoor.Win32.Agent.gmug / Heap Corruption
malvuln (Apr 30)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/c7763bae3376a9f2865a1a18e84c259e.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Agent.gmug
Vulnerability: Heap Corruption
Description: The malware listens on TCP port 33308, third-party attackers
who can reach the server can send a specially crafted payload causing a
heap corruption.
Type: PE32
MD5:...
Backdoor.Win32.Agent.ggw / Authentication Bypass
malvuln (Apr 30)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/509e3d4839688c6173980dfba22ebd55.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Agent.ggw
Vulnerability: Authentication Bypass
Description: The malware runs a built-in FTP server listening on one of
several random TCP ports like 32335, 27227, 27942, 14223, 14988, 11092.
Third-party attackers who can reach the...
Worm.Win32.Delf.hu / Insecure Permissions
malvuln (Apr 30)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/46e27d7bfdbda7a71dfa12a79026a88b.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Worm.Win32.Delf.hu
Vulnerability: Insecure Permissions
Description: The malware creates a hidden insecure dir named "RECYCLER"
under c:\ drive and grants change (C) permissions to the authenticated user
group. Standard users can rename...
HEUR.Trojan.Win32.Bayrob.gen / Insecure Permissions
malvuln (Apr 30)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/765698ccfb033c86eea6d293235d7ed0.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: HEUR.Trojan.Win32.Bayrob.gen
Vulnerability: Insecure Permissions
Description: The malware creates an insecure dir named "rlpzeasjvgnb" under
c:\ drive and grants change (C) permissions to the authenticated user
group. Standard users can...
Defense in depth -- The Microsoft way (part 76): arbitrary code execution WITH elevation of privilege in user-writable directories below %SystemRoot%
Stefan Kanthak (Apr 30)
Hi @ll,
Microsoft still ships Windows with and lets it create user-writable
directories below the "Windows" directory %SystemRoot%\ -- despite
that, with exception of %SystemRoot%\Temp\, they are all used to
store DATA and SHOULD have been placed below %ProgramData% alias
%SystemDrive%\ProgramData\ instead!
JFTR: %ProgramData% was introduced with Windows Vista more than 15
(in words: FIFTEEN) years ago, but Microsoft obviously...
Defense in depth -- the Microsoft way (part 75): Bypass of SAFER alias Software Restriction Policies NOT FIXED
Stefan Kanthak (Apr 30)
Hi @ll,
Microsoft introduced SAFER alias Software Restriction Policies (SRP) with
Windows XP about 20 years ago.
See <https://msdn.microsoft.com/en-us/library/ms722422.aspx> for the API,
plus the TechNet articles "How Software Restriction Policies Work"
<https://technet.microsoft.com/en-us/library/cc786941.aspx> and
"Using Software Restriction Policies to Protect Against Unauthorized Software"
<...
Open-Xchange Security Advisory 2021-04-30
Martin Heiland via Fulldisclosure (Apr 30)
Dear subscribers,
we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Product: OX App Suite / OX Guard
Vendor: OX Software GmbH
Affected product: OX App Suite
Internal reference: OXUIB-481
Vulnerability type:...
Backdoor.Win32.Agent.afq / Remote Heap Corruption
malvuln (Apr 28)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/853754de6b8ffbe1321a8c91aab5c232_C.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Agent.afq
Vulnerability: Remote Heap Corruption
Description: The malware's built-in server "UberWWW v. 1.1" listens on TCP
port 8080. Third-party attackers who can reach the infected host can send a
2000 byte HTTP Post...
Backdoor.Win32.Agent.afq / Directory Traversal
malvuln (Apr 28)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/853754de6b8ffbe1321a8c91aab5c232_B.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Agent.afq
Vulnerability: Directory Traversal
Description: The malware's built-in server "UberWWW v. 1.1" listens on TCP
port 8080. The server allows third-party attackers to read arbitrary files
outside of its root...
Backdoor.Win32.Agent.afq / Missing Authentication
malvuln (Apr 28)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/853754de6b8ffbe1321a8c91aab5c232.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Agent.afq
Vulnerability: Missing Authentication
Description: The malware's built-in server "UberWWW v. 1.1" listens on TCP
port 8080. There is no authentication, third-party attackers who can reach
the server can list any...
Trojan-Dropper.Win32.Injector.aobl / Insecure Permissions
malvuln (Apr 28)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/842f6f21a2a83792e98900df90c9340b.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Trojan-Dropper.Win32.Injector.aobl
Vulnerability: Insecure Permissions
Description: The malware creates an insecure dir named "winholder" under c:\
drive and grants change (C) permissions to the authenticated user group.
Standard users...
Trojan-Dropper.Win32.Dycler.vrp / Insecure Permissions
malvuln (Apr 28)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/1d6d6d3c077250b7b3ad053e71054ecc.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Trojan-Dropper.Win32.Dycler.vrp
Vulnerability: Insecure Permissions
Description: The malware creates an insecure dir named "Drivers" under c:\
drive and grants change (C) permissions to the authenticated user group.
Standard users can...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Re: [SECURITY] [DSA 4628-1] php7.0 security update
Timesportsall (Jan 16)
------------------------------------------------------------------------
Debian Security Advisory DSA-4628-1                security (at) debian (dot) org
https://www.debian.org/security/                              Moritz Muehlenhoff
February 18, 2020                          https://www.debian.org/security/faq
------------------------------------------------------------------------
Package : php7.0
CVE ID : CVE-2019-11045 CVE-2019-11046 CVE-2019-11047
CVE-2019-11050 CVE-2020-7059...
Re: BugTraq Shutdown
tommypickle (Jan 16)
All old school hackers from UPT remember and want to show respect. Thanks for everything.
On Second Thought...
alias (Jan 16)
Bugtraq has been a valuable institution within the Cyber Security community for
almost 30 years. Many of our own people entered the industry by subscribing to it
and learning from it. So, based on the feedback we've received both from the
community-at-large and internally, we've decided to keep the Bugtraq list running.
We'll be working in the coming weeks to ensure that it can remain a valuable asset
to the community for years to...
BugTraq Shutdown
alias (Jan 15)
2020 was quite the year, one that saw many changes. As we begin 2021, we wanted
to send one last note to our friends and supporters at the SecurityFocus BugTraq
mailing list. As many of you know, assets of Symantec were acquired by Broadcom
in late 2019, and some of those assets were then acquired by Accenture in 2020
(https://newsroom.accenture.com/news/accenture-completes-acquisition-of-broadcoms-symantec-cyber-security-...
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
CarolinaCon-15 is April 26-28, 2019 in Charlotte NC - Call For Papers/Presenters is now open
Vic Vandal (Feb 03)
We are pleased to announce that CarolinaCon-15 will be on April 26th-28th 2019 in Charlotte NC at the Renaissance
Charlotte Suites. All who are interested in speaking on any topic in the realm of hacking, cybersecurity, technology,
science, robotics or any related field are invited to submit a proposal to present at the con. Full disclosure that
technology or physical security exploitation type submissions are most desirable for this storied...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
44CON 2018 - 12th-14th September, London (UK)
Steve (Feb 28)
44CON 2018 is the UK's best annual Security Conference and Training event. The conference spans 2.5 days with training
on the 10th and 11th of September, a free evening event on the 12th of September, and a full two-day conference on the
13th and 14th of September. The event takes place at the ILEC Conference Centre near Earls Court, London. 44CON 2018
includes catering, private bus bar and Gin O'Clock breaks. Early Bird discounted...
RootedCON Security Conference - 1-3 March, Madrid (Spain)
omarbv (Feb 11)
On the occasion of the ninth edition of RootedCON, the most important
computer security conference in the country, around 2,000 hackers will
meet to discuss new questions and research about the cybersecurity
world, with its risks and threats. National and international experts
have included this mandatory appointment in their agendas to discuss new
vulnerabilities, viruses, and other threats; they will also talk about
countermeasures in order...
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
Ransomware: Why one city chose to pay the ransom after falling victim
InfoSec News (Aug 12)
https://www.zdnet.com/article/ransomware-why-one-city-chose-to-the-pay-the-ransom-after-falling-victim/
By Danny Palmer
ZDNet.com
August 12, 2020
A US city has explained why it gave into the demands of cyber criminals
and paid a ransom demand of $45,000 following a ransomware attack.
Lafayette, Colorado fell victim to ransomware on July 27, which encrypted
the city's computer networks and caused disruptions to phone services,
email and...
0-days, a failed patch, and a backdoor threat. Update Tuesday highlights
InfoSec News (Aug 12)
https://arstechnica.com/information-technology/2020/08/update-tuesday-fixes-2-0days-and-botched-patch-for-a-backdoor-threat/
By Dan Goodin
Ars Technica
08/12/2020
Microsoft on Tuesday patched 120 vulnerabilities, two that are notable
because they’re under active attack and a third because it fixes a
previous patch for a security flaw that allowed attackers to gain a
backdoor that persisted even after a machine was updated.
Zero-day...
OCR warns hospitals of HIPAA compliance scams
InfoSec News (Aug 12)
https://www.healthcareitnews.com/news/ocr-warns-hospitals-apparent-hipaa-compliance-scams
By Mike Miliard
Healthcare IT News
August 11, 2020
The Office for Civil Rights at the U.S. Department of Health and Human
Services has warned health systems about what appears to be something of
an old-fashioned and low-tech phishing attempt: fraudulent postcards, most
addressed to hospital privacy officers, that warn of noncompliance with a
mandatory...
The Secret SIMs Used By Criminals to Spoof Any Number
InfoSec News (Aug 12)
https://www.vice.com/en_us/article/n7w9pw/russian-sims-encrypted
By Joseph Cox
Vice.com
August 12, 2020
The unsolicited call came from France. Or at least that's what my phone
said. When I picked up, a man asked if I worked with the National Crime
Agency, the UK's version of the FBI. When I explained, no, as a journalist
I don't give information to the police, he said why he had contacted me.
"There are these special SIM...
North Korean Hacking Group Attacks Israeli Defense Industry
InfoSec News (Aug 12)
https://www.nytimes.com/2020/08/12/world/middleeast/north-korea-hackers-israel.html
By Ronen Bergman and Nicole Perlroth
nytimes.com
Aug. 12, 2020
TEL AVIV -- Israel claimed Wednesday that it had thwarted a cyberattack by
a North Korea-linked hacking group on its classified defense industry.
The Defense Ministry said the attack was deflected “in real time” and that
there was no “harm or disruption” to its computer systems.
However,...
FBI says an Iranian hacking group is attacking F5 networking devices
InfoSec News (Aug 11)
https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/
By Catalin Cimpanu
Zero Day
ZDNet.com
August 10, 2020
A group of elite hackers associated with the Iranian government has been
detected attacking the US private and government sector, according to a
security alert sent by the FBI last week.
While the alert, called a Private Industry Notification, didn't identify
the hackers by name,...
Pen Test Partners: Boeing 747s receive critical software updates over 3.5" floppy disks
InfoSec News (Aug 11)
https://www.theregister.com/2020/08/10/boeing_747_floppy_drive_updates_walkthrough/
By Gareth Corfield
The Register
08/10/2020
DEF CON -- Boeing 747-400s still use floppy disks for loading critical
navigation databases, Pen Test Partners has revealed to the infosec
community after poking about one of the recently abandoned aircraft.
The eye-catching factoid emerged during a DEF CON video interview of PTP's
Alex Lomas, where the man...
US Cyber Command is using unclassified networks to fight election interference
InfoSec News (Aug 10)
https://www.c4isrnet.com/cyber/2020/08/10/us-cyber-command-is-using-unclassified-networks-to-fight-election-interference/
By Mark Pomerleau
C4ISRNET.com
08/10/2020
WASHINGTON -- U.S. Cyber Command is using unclassified networks and
publicly available communication platforms as it works to prevent foreign
interference in the next presidential election, a CYBERCOM official has
revealed.
“From a CYBERCOM standpoint, one of the big changes...
New England guardsmen test their skills in Cyber Yankee 2020
InfoSec News (Aug 03)
https://www.c4isrnet.com/cyber/2020/08/03/new-england-guardsmen-test-their-skills-in-cyber-yankee-2020/
By Mark Pomerleau
C4ISRNET.com
08/03/2020
Members of the National Guard from New England states concluded a two-week
cyber exercise that sought to test the cyber skills of guardsmen and
critical infrastructure operators.
Cyber Yankee 2020, which took place July 21-31 in New Hampshire, involved
more than 200 National Guard members and...
Travel management company CWT hands over $4.5M following ransomware attack
InfoSec News (Aug 03)
https://siliconangle.com/2020/08/02/travel-management-company-cwt-hands-4-5m-following-ransomware-attack/
By Duncan Riley
SiliconAngle.com
08/02/2020
Business travel management company CWT Global B.V. is the latest company
to pay a ransom demand following a ransomware attack.
According to a report Friday by Reuters, the company paid $4.5 million to
those behind the ransomware after the attack knocked some 30,000 of the
company’s computers...
DOD, FBI, DHS release info on malware used in Chinese government-led hacking campaigns
InfoSec News (Aug 03)
https://www.cyberscoop.com/taidoor-malware-report-china-cisa-dod-fbi/
By Shannon Vavra
CYBERSCOOP
August 3, 2020
The U.S. government publicly put forth information Monday that exposed
malware used in Chinese government hacking efforts for more than a decade.
The Chinese government has been using malware, referred to as Taidoor, to
target government agencies, entities in the private sector, and think
tanks since 2008, according to a joint...
Leaky S3 buckets have gotten so common that they're being found by the thousands now, with lots of buried secrets
InfoSec News (Aug 03)
https://www.theregister.com/2020/08/03/leaky_s3_buckets/
By Shaun Nichols in San Francisco
The Register
3 Aug 2020
The massive amounts of exposed data on misconfigured AWS S3 storage
buckets are a catastrophic network breach just waiting to happen, say
experts.
The team at Truffle Security says its automated search tools were able to
stumble across some 4,000 open Amazon S3 buckets that included data
companies would not want public, things...
House Republicans introduce legislation to give states $400 million for elections
InfoSec News (Aug 03)
https://thehill.com/policy/cybersecurity/510362-house-republicans-introduce-legislation-to-give-states-400-million-for
By Maggie Miller
The Hill
08/03/2020
A group of House Republicans on Monday introduced legislation that would
appropriate $400 million to states to address election challenges stemming
from the COVID-19 pandemic.
The Emergency Assistance for Safe Elections (EASE) Act would designate
$200 million to assist with sanitizing...
Zoom private meeting passwords were easily crackable
InfoSec News (Jul 30)
https://www.itnews.com.au/news/zoom-private-meeting-passwords-were-easily-crackable-551095
By Juha Saarinen
itnews.com.au
July 31, 2020
The automatically generated passwords protecting private Zoom meetings
could be cracked with relative ease, allowing access to sensitive
conferences, a researcher has discovered.
Web site developer Tom Anthony decided on March 31 this year to see if he
could crack the password for private Zoom meetings....
Pentagon needs access to defense companies' networks to hunt cyberthreats, says commission
InfoSec News (Jul 30)
https://www.c4isrnet.com/cyber/2020/07/30/pentagon-needs-access-to-defense-companies-networks-to-hunt-cyberthreats-says-commission/
By Mark Pomerleau
C4ISRNET.com
July 30, 2020
WASHINGTON -- The Pentagon must be able to hunt cyberthreats on the
private networks of defense companies in order to strengthen national
cybersecurity, according to one of the leaders of the Cyber Solarium
Commission.
Rep. Mike Gallagher, R-Wis., who co-chairs the...
Firewall Wizards — Tips and tricks for firewall administrators
Revival?
Paul Robertson (Sep 11)
Since the last few attempts to revive the list have failed, I'm going to attempt a Facebook group revival experiment.
It'll be a bit broader in scope, but I'm hoping we can discuss technical security matters. The new group is
Security-Wizards on Facebook.
Paul
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Faraday Beta V3.0 Released
Francisco Amato (Jul 04)
Faraday helps you to host your own vulnerability management platform
now and streamline your team in one place.
We are pleased to announce the newest version of Faraday v3.0. In this
new version we have made major architecture changes to adapt our
software to the new challenges of cyber security. We focused on
processing large data volumes and to making it easier for the user to
interact with Faraday in its environment.
To install it you can...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Plausible.
Dave Aitel via Dailydave (Apr 11)
A while back I was chatting with someone at INFILTRATE, over fried
alligator and more alcohol than I probably should have imbibed, and he
said, "We're going to make fuzzing obsolete, because we have more CPUs on
the problem than anyone can reasonably duplicate, and we're going to
exhaust the space".
And it's PLAUSIBLE in a way. I've watched a few of the live streams that
Brandon Falk does, and you can see how like,...
News Roundups!
Dave Aitel via Dailydave (Feb 01)
So lately I've been doing little news roundups on the YouTubes....
Yesterday's is here: https://youtu.be/xgiymt_0isY
Neal Stephenson, in his most recent book, *Fall*, had a character that was
an interesting play on the traditional fantasy "giant" in the sense that
she was normal size, but fractally dense. I feel like we are living that
kind of time - in the sense that gravity is really a measure of how much
stuff is happening...
Re: Fully Automated CONOPs Exercise
Pukhraj Singh via Dailydave (Jan 28)
Folks like Joe Slowik
<https://www.youtube.com/watch?v=n7XqxRXwFZ4&ab_channel=CYBERWARCON>, Grugq
<https://www.blackhat.com/docs/webcast/12142017-the-triple-a-threat.pdf>and you
<https://cybersecpolitics.blogspot.com/2016/09/the-stern-stewart-summit-germany-and.html>(Dave)
have tried to articulate the CONOPS for worms for a long time. In their current
forms, worms look like IO packages in full-spectrum missions. Ignoring...
Re: Fully Automated CONOPs Exercise
Dave Aitel via Dailydave (Jan 28)
I mean, the goal of the question is to start putting some meat on the idea
of what "harm" is and how that is reflected both from a policy and
technical perspective. But also: It's useful to put some real definitions
around what is required to make people comfortable with fully-automated
techniques.
I don't think the idea that we are going to come up with and enforce norms
is as useful as figuring out what the norms really are...
Re: Fully Automated CONOPs Exercise
Dave Dittrich via Dailydave (Jan 28)
Did any of them mention international humanitarian law, specifically
discrimination, respecting territory of neutral ("green") actors and
their infrastructure, and avoiding harm to neutral third parties and
non-combatants? The problem with most worms is the inability to
accurately discriminate targets and resulting harm. This is an area
where technical experts need to be balanced with operators and policy
makers to ensure that...
Fully Automated CONOPs Exercise
Dave Aitel via Dailydave (Jan 27)
So one of my new fav questions to ask policy teams is what they would do if
they were told to switch their offensive team entirely to worms. Nothing
else. Just worms. What needs to change to make that happen - from op tempo
to supply chain to personnel to policy and technological investment.
And how would their defensive team need to change strategically if they
were facing such an offensive team.
It's a fun thing to see people wrap their...
"Severely lacking".
Dave Aitel via Dailydave (Jan 20)
Recently I read this post from Maddie Stone of Google's Project Zero:
https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html
. In particular, it has a bolded line of "*As a community, our ability to
detect 0-days being used in the wild is severely lacking to the point that
we can’t draw significant conclusions due to the lack of (and biases in)
the data we have collected.*" which is the most...
[mm4.emwd.com] Please Confirm Your E-mail Address
noreply (Jan 07)
Hello from mm4.emwd.com!
You're receiving this e-mail because user SeclistsDD has given yours as an e-mail address to connect their account.
To confirm this is correct, go to
https://lists.aitelfoundation.org/accounts/confirm-email/MzAw:1kxbbR:J_gxtLGlz_7WONRMX9blDLA1rXc/
Thank you from mm4.emwd.com!
mm4.emwd.com
Re: The Lost Decade of Security Metrics
Andre Gironda via Dailydave (Jan 05)
MITRE ATK > CVE/CVSS
Enterprise v8 is more granular than ever before for vuln purposes, but
always has been extensive for threat purposes
If you want to express CVEs in maldocs or malware (including webshells) may
I suggest Yara and/or Suricata (maybe shortcuts such as JA3 or JARM if TLS
applies)?
If you want to express CVEs in runtime app infra may I suggest
caldera_pathfinder? e.g., this is heartbleed --...
Re: The Lost Decade of Security Metrics
toby via Dailydave (Jan 05)
I don't think you are wrong but your comparison of CVSS and the multiple
(also separately bad) metrics for a WAF isn't effective or accurate.
The values going into CVSS have something in common; they are attempts to
characterize the importance of the vulnerability in question. You are
making (have made before) the claim that the importance of a vulnerability
is too variable and specific to an environment or an attack scenario to be...
Re: The Lost Decade of Security Metrics
Chuck McAuley via Dailydave (Jan 05)
Throughput* is perhaps the wrong unit of measure. Most of the time you would be interested in measuring
“requests/second” or “transactions/second”. Aside from say a content ingesting site/repeater
(facebook/twitter/instagram), almost all content for a WAF to handle is inbound, using low amounts of available
bandwidth. The outbound content is rarely inspected by such a device, with the exception of 5xx error or similar
(headers).
A...
The Lost Decade of Security Metrics
Dave Aitel via Dailydave (Jan 05)
A thousand years ago I subscribed to the Security Metrics mailing list.
Metrics are important - or rather, I think good decision making is
important, and without metrics your decision making is essentially luck.
But we haven't seen any progress on this in a decade, and I wanted to talk
about the meta-reason why: Oversimplification in the hopes of scaling.
There's a theme in security metrics, a deep Wrong, that the community
cannot...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
BHIS Sorta Top Used Tools of 2018
John - Black Hills Information Security (Dec 06)
Free Webcast
Hello all,
For our next webcast we will cover some of the core tools we use all the time at Black Hills Information Security.
However, there will be a twist. We will not talk about Nessus, Nmap, or Metasploit. Why? Because there are a ton of new
(and older) tools we use that fall outside of the standard tools you see in every security book/blog out there.
Basically, we are trying to be edgy and different.
You may want to come...
BHIS Webcast - Tues 10/2 @ 11am MDT
John Strand - Black Hills Information Security (Sep 26)
Hello All,
In this next webcast I want to cover what I am doing with the BHIS Systems team to create a C2/Implant/Malware test
bed. Testing our C2/malware solutions is important because vendors tend to lie or over-hype their capabilities. I will
cross reference some different malware specimens to the MITRE ATT&CK framework and we will cover how you can use these
techniques to test your defensive solutions at both the endpoint and the...
BHIS Webcast: The PenTest Pyramid of Pain 9/4 - 11am MDT
Sierra - Black Hills Information Security (Aug 29)
Hello!
How are you all? We had a fantastic webcast last week with John Strand and Chris Brenton and we're still working
through some unexpected hiccups to get the recording up and posted. The podcast version is on our blog, and the YouTube
version will be posted shortly on the Active Countermeasures channel and blog as well. Thanks for all of you who
ventured over to attend!
Ready for another awesome BHIS webcast? Dakota is back and...
Webcast with CJ: Tues 7/24 at 11am
Sierra - Black Hills Information Security (Jul 19)
Our upcoming webcast will be about POLICY...
Did you check out when you heard “policy”? Policy can often seem like a drudgery, but it’s also an important and
potentially overlooked part of business and procedure; it’s the framework on which security is really built!
CJ, our COO and Head of Sales has experience writing, assessing and implementing policies for many different kinds of
companies. And if you are worried it will be dry and...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like to share with you, for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think it can
be of interest to newcomers to the world of analysis of malware,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Update Minor Revisions
Microsoft (Dec 11)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: December 11, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision
increment:
* CVE-2018-8172
Revision Information:
=====================
- CVE-2018-8172 | Visual Studio Remote Code Execution
Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Nov 14)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: November 14, 2018
********************************************************************
Summary
=======
The following CVEs and advisory have undergone a minor revision
increment:
* CVE-2018-8454
* CVE-2018-8552
* ADV990001
Revision Information:
=====================
- CVE-2018-8454 | Windows Audio Service...
Microsoft Security Update Minor Revisions
Microsoft (Oct 24)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 24, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision increment:
* CVE-2018-8512
Revision Information:
=====================
- CVE-2018-8512 | Microsoft Edge Security Feature Bypass
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 19)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 19, 2018
********************************************************************
Summary
=======
The following CVE has been added to the October 2018 Security updates:
* CVE-2018-8569
Revision Information:
=====================
- CVE-2018-8569 | Yammer Desktop Application Remote Code Execution
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 17)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 17, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2010-3190
Revision Information:
=====================
- CVE-2010-3190 | MFC Insecure Library Loading Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 9, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision increment:
* CVE-2018-8531
Revision Information:
=====================
- CVE-2018-8531 | Azure IoT Device Client SDK Memory Corruption
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************
Summary
=======
The following CVE has been added to the October 2018 Security updates:
* CVE-2018-8292
Revision Information:
=====================
- CVE-2018-8292 | .NET Core Information Disclosure Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************
Summary
=======
The following bulletin has undergone a major revision increment:
* MS11-025
Revision Information:
=====================
- https://docs.microsoft.com/en-us/security-updates/
SecurityBulletins/2011/ms11-025:...
Microsoft Security Update Summary for October 9, 2018
Microsoft (Oct 09)
********************************************************************
Microsoft Security Update Summary for October 9, 2018
Issued: October 9, 2018
********************************************************************
This summary lists security updates released for October 9, 2018.
Complete information for the October 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.
Please note the...
Microsoft Security Update Releases
Microsoft (Oct 02)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 2, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-0952
Revision Information:
=====================
- CVE-2018-0952 | Diagnostic Hub Standard Collector Elevation of
Privilege Vulnerability
-...
Microsoft Security Advisory Notification
Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 12, 2018
********************************************************************
Security Advisories Released or Updated on September 12, 2018
===================================================================
* Microsoft Security Advisory ADV180022
- Title: Windows Denial of Service Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: September 12, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a minor revision increment:
* CVE-2018-8421
* CVE-2018-8468
Revision Information:
=====================
- CVE-2018-8421 | .NET Framework Remote Code Execution
Vulnerability...
Microsoft Security Update Summary for September 11, 2018
Microsoft (Sep 11)
********************************************************************
Microsoft Security Update Summary for September 11, 2018
Issued: September 11, 2018
********************************************************************
This summary lists security updates released for September 11, 2018.
Complete information for the September 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>....
Microsoft Security Update Releases
Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Update Releases
Issued: September 11, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-8154
Revision Information:
=====================
- CVE-2018-8154 | Microsoft Exchange Memory Corruption
Vulnerability
-...
Microsoft Security Advisory Notification
Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 11, 2018
********************************************************************
Security Advisories Released or Updated on September 11, 2018
===================================================================
* Microsoft Security Advisory ADV180002
- Title: Guidance to mitigate speculative execution...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Verizon: 1.5M of Contact Records Stolen, Now on Sale
Jeffrey Walton (Mar 26)
http://www.mobipicker.com/verizon-1-5m-contact-records-stolen-now-sale/:
A business to business telecommunication giant,
Verizon Enterprise Solutions, a Basking Ridge,
New Jersey-based company, has been the latest
victim of a cyber crime that stole 1.5 million contact
records of the customers of Verizon...
I don't quite understand this double talk. Could someone explain to me:
A spokesperson from Verizon said that...
Statement on Lavabit Citation in Apple Case
Jeffrey Walton (Mar 16)
(From John Young on another list):
http://www.facebook.com/KingLadar/posts/10156714933135038
As many of you already know, the government cited the Lavabit case in
a footnote. The problem is their description insinuates a precedent
that was never created. Obviously I was somewhat disturbed by their
misrepresentation. So I decided to draft a statement. And keep in
mind, these are the same people who say "trust us." Click continue to
read...
The NSA's back door has given every US secret to our enemies
Jeffrey Walton (Feb 29)
http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2
Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.
Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta- software...
Can Spies Break Apple Crypto?
Jeffrey Walton (Feb 27)
Here's an interesting exchange between Cryptome and Michael Froomkin,
Law Professor at University of Miami, on the All Writs Act
(http://cryptome.org/2016/02/can-spies-break-apple-crypto.htm):
-----
A. Michael Froomkin:
The factual posture in the key Supreme Court precedent, New York
Telephone, involved a situation where only the subject of the order
was capable of providing the assistance at issue. This is the basis
for Apple's...
The FBI's iPhone Problem: Tactical vs. Strategic Thinking
Jeffrey Walton (Feb 23)
http://www.technewsworld.com/story/83130.html
I'm an ex-sheriff, and I've been in and out of security jobs for much
of my life, so I've got some familiarity with the issues underlying
the drama between the FBI and Apple. FBI officials -- and likely those
in every other three-letter agency and their counterparts all over the
world -- would like an easier way to do their jobs. Wouldn't we all?
If they could put cameras in...
Wanted: Cryptography Products for Worldwide Survey
Jeffrey Walton (Jan 01)
(http://www.schneier.com/crypto-gram/archives/2015/1215.html):
In 1999, Lance Hoffman, David Balenson, and others published a survey
of non-US cryptographic products. The point of the survey was to
illustrate that there was a robust international market in these
products, and that US-only export restrictions on strong encryption
did nothing to prevent its adoption and everything to disadvantage US
corporations. This was an important contribution...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Mozilla Releases Security Update for Thunderbird
US-CERT (Jul 17)
Cybersecurity and Infrastructure Security Agency Logo
National Cyber Awareness System:
Mozilla Releases Security Update for Thunderbird [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/17/mozilla-releases-security-update-thunderbird ] 07/17/2020
10:50 AM EDT
Original release date: July 17, 2020
Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. An attacker could exploit
some of these...
Microsoft Releases Security Update for Edge
US-CERT (Jul 17)
National Cyber Awareness System:
Microsoft Releases Security Update for Edge [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/17/microsoft-releases-security-update-edge ] 07/17/2020 10:53 AM
EDT
Original release date: July 17, 2020
Microsoft has released a security update to address a vulnerability in Edge (Chromium-based). An attacker could exploit
this vulnerability to drop...
AA20-198A: Malicious Cyber Actor Use of Network Tunneling and Spoofing to Obfuscate Geolocation
US-CERT (Jul 17)
National Cyber Awareness System:
AA20-198A: Malicious Cyber Actor Use of Network Tunneling and Spoofing to Obfuscate Geolocation [
https://us-cert.cisa.gov/ncas/alerts/aa20-198a ] 07/16/2020 08:09 AM EDT
Original release date: July 16, 2020
Summary
"This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) and Pre-ATT&CK
frameworks....
CISA Releases Emergency Directive on Critical Microsoft Vulnerability
US-CERT (Jul 16)
National Cyber Awareness System:
CISA Releases Emergency Directive on Critical Microsoft Vulnerability [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/cisa-releases-emergency-directive-critical-microsoft-vulnerability
] 07/16/2020 03:28 PM EDT
Original release date: July 16, 2020
The Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency Directive...
Apple Releases Security Updates
US-CERT (Jul 16)
National Cyber Awareness System:
Apple Releases Security Updates [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/apple-releases-security-updates ] 07/16/2020 11:17 AM EDT
Original release date: July 16, 2020
Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of
these vulnerabilities to take control of an...
Malicious Activity Targeting COVID-19 Research, Vaccine Development
US-CERT (Jul 16)
National Cyber Awareness System:
Malicious Activity Targeting COVID-19 Research, Vaccine Development [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/malicious-activity-targeting-covid-19-research-vaccine-development
] 07/16/2020 07:16 AM EDT
Original release date: July 16, 2020
In response to malicious activity targeting COVID-19 research and vaccine development in the United...
Cisco Releases Security Updates for Multiple Products
US-CERT (Jul 15)
National Cyber Awareness System:
Cisco Releases Security Updates for Multiple Products [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/15/cisco-releases-security-updates-multiple-products ]
07/15/2020 03:19 PM EDT
Original release date: July 15, 2020
Cisco has released security updates to address vulnerabilities affecting multiple products. An unauthenticated, remote
attacker...
Oracle Releases July 2020 Security Bulletin
US-CERT (Jul 14)
National Cyber Awareness System:
Oracle Releases July 2020 Security Bulletin [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/oracle-releases-july-2020-security-bulletin ] 07/14/2020
05:21 PM EDT
Original release date: July 14, 2020
Oracle has released its Critical Patch Update for July 2020 to address 433 vulnerabilities across multiple products. A
remote attacker could...
Google Releases Security Updates for Chrome
US-CERT (Jul 14)
National Cyber Awareness System:
Google Releases Security Updates for Chrome [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/google-releases-security-updates-chrome-0 ] 07/14/2020 04:51
PM EDT
Original release date: July 14, 2020
Google has released Chrome version 84.0.4147.89 for Windows, Mac, and Linux. This version addresses vulnerabilities
that an attacker could exploit...
Google Releases Security Updates for Chrome
US-CERT (Jul 14)
National Cyber Awareness System:
Google Releases Security Updates for Chrome [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/google-releases-security-updates-chrome ] 07/14/2020 02:45 PM
EDT
Original release date: July 14, 2020
Google has released Chrome version 84.0.4147.89 for Windows, Mac, and Linux. This version addresses vulnerabilities
that an attacker could exploit to...
Microsoft Releases July 2020 Security Updates
US-CERT (Jul 14)
National Cyber Awareness System:
Microsoft Releases July 2020 Security Updates [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-releases-july-2020-security-updates ] 07/14/2020
02:13 PM EDT
Original release date: July 14, 2020
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could
exploit some of these...
Microsoft Addresses 'Wormable' RCE Vulnerability in Windows DNS Server
US-CERT (Jul 14)
National Cyber Awareness System:
Microsoft Addresses 'Wormable' RCE Vulnerability in Windows DNS Server [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-addresses-wormable-rce-vulnerability-windows-dns-server
] 07/14/2020 02:14 PM EDT
Original release date: July 14, 2020
Microsoft has released a security update to address a remote code execution (RCE)...
Adobe Releases Security Updates for Multiple Products
US-CERT (Jul 14)
National Cyber Awareness System:
Adobe Releases Security Updates for Multiple Products [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/adobe-releases-security-updates-multiple-products ]
07/14/2020 01:18 PM EDT
Original release date: July 14, 2020
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit
some of...
Apache Releases Security Advisories for Apache Tomcat
US-CERT (Jul 14)
National Cyber Awareness System:
Apache Releases Security Advisories for Apache Tomcat [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/apache-releases-security-advisories-apache-tomcat ]
07/14/2020 11:33 AM EDT
Original release date: July 14, 2020
The Apache Software Foundation has released security advisories to address multiple vulnerabilities in Apache Tomcat.
An attacker...
AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java
US-CERT (Jul 13)
National Cyber Awareness System:
AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java [ https://us-cert.cisa.gov/ncas/alerts/aa20-195a ]
07/13/2020 07:07 PM EDT
Original release date: July 13, 2020
Summary
On July 13, 2020 EST, SAP released a security update to address a critical vulnerability, CVE-2020-6287 [
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287 ],...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
kopano-core 11.0.1.143: Remote DoS with resource exhaustion
Jan Engelhardt (May 01)
To the best of my knowledge, this is the initial publication,
and there is no CVE number as of this time.
# Affected versions
* kopano-core 8.5 to 11.0.1.143
The "kopano-gateway" program implements a network service for IMAP.
By default, a generous buffer is allocated for string literals, so
the service can be triggered to go into an out-of-memory condition.
OOM appears to be handled (log msg with "Cannot allocate...
[ANNOUNCE] klibc 2.0.9
Ben Hutchings (Apr 30)
I have released version 2.0.9. This is available in the git
repository at:
https://git.kernel.org/pub/scm/libs/klibc/klibc.git
and as a tarball at:
https://mirrors.kernel.org/pub/linux/libs/klibc/2.0/
Security fixes:
- Integer overflows in heap functions (CVE-2021-31870, CVE-2021-31873)
- Integer overflows in cpio (CVE-2021-31871, CVE-2021-31872)
New features:
- Signal handling on alpha, s390(x), and sparc no longer requires...
Nitro Enclaves kernel driver issue
Paraschiv, Andra-Irina (Apr 29)
Hi,
An issue was found in the Nitro Enclaves kernel driver codebase [1]
included in the v5.10 upstream Linux kernel. The fix for it has been
tested on the AWS side. The issue does not break the isolation or
security of what is running inside the enclave. Nitro Enclaves already
assumes that the instance running the Nitro Enclaves kernel driver is
untrusted.
We would like to thank Mathias Krause from Open Source Security, Inc.
for reporting...
Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)
Ariadne Conill (Apr 29)
Hello,
Yeah, we've always built with --disable-isc-spnego, so no problem there.
I wound up just upgrading every branch still supported to 9.16.15. Seemed
like the easiest way.
Ariadne
Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)
Ondřej Surý (Apr 29)
Hi Ariadne,
BIND 9.17.x was using the system SPNEGO since 9.17.2 (I think).
Also for older versions, it should be enough to use --disable-isc-spnego if you can’t patch it (that’s what I am doing
for Debian buster). It just won’t work with Heimdal krb5, but it compiles just fine with MIT krb5.
Cheers,
Ondrej
Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)
Ariadne Conill (Apr 29)
Hello,
These directories only have patches for CVE-2021-25214 and CVE-2021-25215.
A patch for CVE-2021-25216 appears to be missing. In some supported
branches of Alpine, we erroneously followed a development branch of BIND,
so I am trying to determine if there is anything I need to backport to
cover CVE-2021-25216.
Thanks in advance for any advice you can provide on this.
Ariadne
ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)
Michael McNally (Apr 28)
On April 28, 2021, we (Internet Systems Consortium) disclosed three
vulnerabilities affecting our BIND 9 software:
CVE-2021-25214: A broken inbound incremental zone update (IXFR)
can cause named to terminate unexpectedly
https://kb.isc.org/docs/cve-2021-25214
CVE-2021-25215: An assertion check can fail while answering queries for
DNAME records that require the DNAME to be processed to resolve itself...
[CVE-2021-30128] Unsafe deserialization in OFBiz
jleroux () apache org (Apr 27)
Severity:
High, possible RCE
Vendor:
The Apache Software Foundation
Versions Affected:
OFBiz versions prior to 17.12.07
Description:
Apache OFBiz has unsafe deserialization prior to version 17.12.07
Mitigation:
Upgrade to at least 17.12.07
or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12212 & OFBIZ-12221
Credit:
Litch1 from the Security Team of Alibaba Cloud <litch1chk () gmail com>
References:...
[CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI
jleroux () apache org (Apr 27)
Severity:
High, possible RCE
Vendor:
The Apache Software Foundation
Versions Affected:
OFBiz versions prior to 17.12.07
Description:
Apache OFBiz has unsafe deserialization prior to version 17.12.07
An unauthenticated user can perform an RCE attack
Mitigation:
Upgrade to at least 17.12.07
or apply one of the patches at https://issues.apache.org/jira/browse/OFBIZ-12216
Credit:
r00t4dm at Cloud-Penetrating Arrow Lab <r00t4dm () gmail com>...
CVE-2021-30638: An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later
Thiago H. de Paula Figueiredo (Apr 27)
Description:
Information Exposure vulnerability in context asset handling of Apache
Tapestry allows an attacker to download files inside WEB-INF if using a
specially-constructed URL. This was caused by an incomplete fix for
CVE-2020-13953. This issue affects Apache Tapestry 5.4.0 to Apache
Tapestry 5.6.3, and Apache Tapestry 5.7.0 and Apache Tapestry 5.7.1.
Solution:
For Tapestry 5.4.0 to 5.6.3: upgrade to 5.6.4...
CVE-2021-28125: Apache Superset Open Redirect
daniel gaspar (Apr 27)
Description:
Apache Superset up to and including 1.0.1 allowed for the creation of
an external URL that could be malicious. By not checking user input
for open redirects, the URL shortener functionality would allow for a
malicious user to create a short URL for a dashboard that could
convince the user to click the link.
Mitigation:
Upgrade to 1.1.0 or above
Credit:
Found and reported by Gianluca Veltri, Dario Castrogiovanni
Reply to: users...
CVE-2020-17517: Apache Ozone: Ozone S3 Gateway allows bucket and key access to non authenticated users
Bharat Viswanadham (Apr 26)
Description:
The S3 buckets and keys in a secure Apache Ozone Cluster must be
inaccessible to anonymous access by default. The current security
vulnerability allows access to keys and buckets through a curl command
or an unauthenticated HTTP request. This enables unauthorized access
to buckets and keys thereby exposing data to anonymous clients or
users. This affected Apache Ozone prior to the 1.1.0 release.
Mitigation:
Upgrade to the latest...
virtualbox: CVE-2021-25319: missing sticky bit in openSUSE packaging for /etc/box allows local root exploit for members of vboxusers group
Matthias Gerstner (Apr 26)
Hi,
somewhat related to CVE-2021-2264 I noticed an openSUSE specific
security issue in the openSUSE packaging for virtualbox [1]. To enable
the autostart feature in virtualbox as outlined in the upstream manual
[2] our packagers introduced a group 'vboxusers' that is granted write
access to the directory /etc/vbox as the "autostart DB". Contrary to
what the manual says the directory was not packaged with the sticky bit
set,...
virtualbox: CVE-2021-2264: vboxautostart-service.sh allows injection of parameters in 'su' invocation
Matthias Gerstner (Apr 26)
Hello,
I recently discovered an issue in the script "vboxautostart-service.sh"
which is distributed by Oracle as part of their virtualbox RPMs [1]. By
default this script is not used but it can be enabled by an
Administrator according to the manual [2].
In the context of the autostart feature a directory "$VBOXAUTOSTART_DB"
(by default /etc/vbox) is used. Local users in the system are granted
write access to this directory....
Re: DNS rebinding vulnerability in npupnp
Gabriel Corona (Apr 25)
Le 20/04/2021 à 09:54, Gabriel Corona a écrit :
This is CVE-2021-31718.
Gabriel
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Silver Bullet 123: Yanek Korff
Gary McGraw (Jul 06)
hi sc-l,
The latest installment of Silver Bullet was posted this morning. Silver Bullet episode 123 features a conversation
with Yanek Korff. Yanek worked for many years at Cigital as a system administrator back in the early days. He then
moved on to operational security work at AOL and running managed security services at Mandiant.
We talk about managing technical people in this episode. We also discuss operational security. Have a...
Educause Security Discussion — Securing networks and computers in an academic environment.
Re: MFA in classrooms
Paul Chauvet (Apr 30)
We haven't exempted any locations from MFA (with the exception of two scripting hosts which themselves require MFA to
access).
Only complaints were from a couple faculty (pre-pandemic) who didn't typically have their phones on during class. For
those - we provided yubikeys as a supplement.
Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
chauvetp () newpaltz edu...
Re: [External] [SECURITY] MFA in classrooms
Telfer, Will (Apr 30)
There are no exemptions for MFA in classrooms, but we do allow phone numbers to be registered so instructors can enroll
the phone in the classroom if there is one or call the Help Desk to be issued an emergency/temporary bypass code. We
require MFA for Office apps (including email), our LMS, our cloud storage, & more. Since we have MFA on virtually
everything student, faculty, & staff use on a daily basis, folks are usually good about...
Re: [External] [SECURITY] MFA in classrooms
Menne, Michael S (Apr 30)
We have explicitly stayed away from conditional access policies for MFA to create less confusion and given the
complexities of maintaining them in our environment.
Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone: (507) 389-5705
Cell: (507) 405-0717
https://mankato.mnsu.edu/cyberaware
Confidentiality Notice: This e-mail message,...
Re: [External] [SECURITY] MFA in classrooms
Gregg, Christopher S. (Apr 30)
We exempt MFA for Office365 from on campus. Other systems with sensitive category data require MFA from everywhere.
Many academic focused systems do not have MFA at all (yet anyway).
We are hoping to look into creating more granular, flexible MFA rules using Conditional Access in the near future as we
revisit things for our longer term remote work plans.
Chris
Chris Gregg
Associate Vice President of Information Security & Risk...
Re: MFA in classrooms
James Monek (Apr 30)
No, we bypass MFA for instructor stations in the classrooms. The last thing
we need is a faculty member forgetting their cell phone and can't
get into resources for teaching their class.
Jim
On Fri, Apr 30, 2021 at 1:49 PM Mark Reboli <mreboli () misericordia edu>
wrote:
Re: MFA in classrooms
Menne, Michael S (Apr 30)
We require MFA for Office 365 everywhere. We just finished Students and Faculty this semester. We have yet to grant a
permanent exception.
Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone: (507) 389-5705
Cell: (507) 405-0717
https://mankato.mnsu.edu/cyberaware
Confidentiality Notice: This e-mail message, including any attachments, is...
MFA in classrooms
Mark Reboli (Apr 30)
All, I am wondering how others have addressed access by faculty in classrooms to resources that require MFA:
Do you require MFA in classrooms?
If you do not, how do you address this area?
Thank you.
M
Mark Reboli
Network/Telecom/IT Security Manager
Misericordia University
301 Lake Street Dallas, PA 18612
(570)674-6753
This e-mail and accompanying attachments are confidential. The information is intended solely for the use of the...
Re: Opportunity for HBCU's and MSI's to participate in 2021 Four Nations Cybersecurity Virtual Study Tour
Dushyant Sattiraju (Apr 29)
Hi Brian,
I would be interested in participating.
Please let me know if you need anything from my end to apply.
Cheers
Dushyant
Dushyant Sattiraju
Cyber Security Operations Team Lead,
eSolutions, Deakin University
Geelong Waterfront Campus,
Locked Bag 20001, Geelong, VIC 3220
(M) +61 4 2050 4345
(W) +61 3 522 78475
dushyant.sattiraju () deakin edu au<mailto:dushyant.sattiraju () deakin edu au>
www.deakin.edu.au<...
May 27 ResearchSOC webinar with Ken Goodwin
Stone, Todd A (Apr 29)
This webinar may be of interest to the community
Ken Goodwin, director of networking, <https://www.psc.edu/> Pittsburgh
Supercomputing Center (PSC) will present "Building a vulnerability
management workflow that works, and getting the buy-in to implement it," on
Thursday, May 27, 3pm Eastern, as part of the
<https://researchsoc.iu.edu/training/webinars.html> ResearchSOC webinar
series.
<...
Opportunity for HBCU's and MSI's to participate in 2021 Four Nations Cybersecurity Virtual Study Tour
Brian Kelly (Apr 29)
Good morning,
I’m writing to invite Historically Black Colleges & Universities (HBCUs) and Minority Serving Institutions (MSIs) to
participate in the upcoming CAUDIT<https://www.caudit.edu.au/> Four-Nation Cybersecurity virtual study tour, it will be
in collaboration with
EDUCAUSE<https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program> and
REN-ISAC<https://www.ren-isac.net/>, and...
Internet2 Routing Security Webinar
Paul Howell (Apr 28)
Internet2 Security Architect Steven Wallace will present Internet2’s routing table reports on Thursday, May 6 from 2-3
p.m. ET. The route table reports provide Internet2 Connectors and campus network operators with information to assist
them in adopting best practices to secure their networks and the global Internet.
The reports highlight any misalignment with MANRS (Mutually Agreed Norms for Route Security) practices. Each route
announced...
CMMC Program Manager
Corn, Michael (Apr 27)
Good people,
In support of our CMMC center of excellence we've just opened a position for our CMMC program manager. Feel free to
ping me with any questions, but please share this with anyone who you feel might be interested.
thanks
MC
https://jobs.ucsd.edu/bulletin/job.aspx?jobnum_in=109117
----------------------
Michael Corn | Chief Information Security Officer
mcorn () ucsd edu
University of California San Diego | ITS - Information...
Re: Virtual CISO
Garrett McManaway (Apr 26)
I would recommend reaching out to Dan, he is familiar with the EDU space and especially good at communicating
security/technical issues to non-IT people.
https://www.linkedin.com/in/danielaayala/
Garrett McManaway
CISO & Sr. Director
C&IT - Information Security and Compliance
Wayne State University
Phone: 313-577-3454
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Dr....
Job Opportunity - University of Illinois - Identity and Access Management
Barnes, Joe (Apr 26)
Good morning,
We have multiple openings for Identity and Access Management Specialist at various levels of experience. Working in
person, remote, or hybrid is an option and will continue to be beyond pandemic. More details, including a link to
apply can be found here: https://jobs.illinois.edu/academic-job-board/job-details?jobID=145047. Posting closes May 6,
2021. Come join our growing team.
Please pass along to anyone who you think...
Re: Virtual CISO
Tej Patel (Apr 23)
OculusIT (https://www.oculusit.com/it-consulting/#cisoservices) - happy to share experiences directly.
Best,
--Tej
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Dr. Christopher
Davis
Sent: Friday, April 23, 2021 10:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Virtual CISO
Has anyone employed the services of a virtual CISO (or company) to help them design and...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: link monitoring
Saku Ytti (May 01)
This feature will be introduced by ER-079886 in some future date. You
may be confused about OTN FEC, which is available via MIB, but
unrelated to the topic.
I did plan to open a feature request for other vendors too, but I've
been lazy. It is broadly missing. We are doing very little as a
community to address problems before they become symptomatic and
undercapitalising the information we already have from DDM and RS-FEC.
Only slightly...
Re: link monitoring
Michel Blais (Apr 30)
Y.1731 or TWAMP if available on those devices.
Le ven. 30 avr. 2021 17:57, Colton Conor <colton.conor () gmail com> a écrit :
Re: link monitoring
Colton Conor (Apr 30)
What NMS is everyone using to graph and alert on this data?
Weekly Routing Table Report
Routing Analysis Role Account (Apr 30)
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG
TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG.
Daily listings are sent to bgp-stats () lists apnic net
For historical data, please see http://thyme.rand.apnic.net.
If you have any comments please contact Philip Smith <pfsinoz...
Re: link monitoring
Alain Hebert (Apr 30)
Yes the JNP DOM MIB is what you are looking for.
It also has traps for the warning and alarm thresholds you can use,
which are driven by the optic's own parameters.
( Human Interface: show interfaces diagnostics optics <interface> ] )
TLDR:
Realtime: Traps;
Monitoring: DOM MIB;
PS: I suggest you join [ juniper-nsp () puck nether net ] mailing list.
-----
Alain Hebert...
RE: link monitoring
Travis Garrison (Apr 29)
We use LibreNMS and smokeping to monitor latency and dropped packets on all our links and setup alerts if they go over
a certain threshold. We are working on a script to automatically reroute traffic based on the alerts to route around
the bad link to give us time to fix it.
Thanks
Travis
From: NANOG <nanog-bounces+tgarrison=netviscom.com () nanog org> On Behalf Of Baldur Norddahl
Sent: Thursday, April 29, 2021 3:39 PM
To: nanog ()...
Re: link monitoring
Eric Kuhnke (Apr 29)
If I may add one thing I forgot, this post reminded me. In the question I
think it was probably a 100G CWDM4 short distance link. When monitoring a
100G coherent (QPSK, 16QAM, whatever) longer distance link, be absolutely
sure to poll all of the SNMP OIDs for it the same as if it was a point to
point microwave link.
Depending on exactly what line card and optic it is, it may behave somewhat
similarly to a faded or misaligned radio link under...
Re: link monitoring
Lady Benjamin Cannon of Glencoe, ASCE (Apr 29)
We monitor light levels and FEC values on all links and have thresholds for early-warning and pre-failure analysis.
Short answer is yes we see links lose packets before completely failing and for dozens of reasons that’s still a good
thing, but you need to monitor every part of a resilient network.
Ms. Lady Benjamin PD Cannon of Glencoe, ASCE
6x7 Networks & 6x7 Telecom, LLC
CEO
lb () 6by7 net
"The only fully end-to-end encrypted...
Re: link monitoring
Eric Kuhnke (Apr 29)
The Junipers on both sides should have discrete SNMP OIDs that respond with
a FEC stress value, or FEC error value. See blue highlighted part here
about FEC. Depending on what version of JunOS you're running the MIB for it
may or may not exist.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB36074&cat=MX2008&actp=LIST
In other equipment sometimes it's found in a sub-tree of SNMP adjacent to
optical DOM values....
Re: link monitoring
Pete Rohrman (Apr 29)
I'll sell you my Solar Winds license - cheap!
Pete Rohrman
Stage2 Support
212 497 8000, Opt. 2
link monitoring
Baldur Norddahl (Apr 29)
Hello
We had a 100G link that started to misbehave and caused the customers to
notice bad packet loss. The optical values are just fine but we had packet
loss and latency. Interface shows FEC errors on one end and carrier
transitions on the other end. But otherwise the link would stay up and our
monitor system completely failed to warn about the failure. Had to find the
bad link by traceroute (mtr) and observe where packet loss started.
The...
Re: Myanmar internet - something to think about if you're having a bad day
Christopher Morrow (Apr 29)
I'm glad someone noted this...
I'd also say that it seems to me that the restrictions are a LOT like
'seatbelt laws' in the US, where most states enforce as a secondary action:
"Oh you were speeding AND you aren't wearing a seat belt, bonus fine"
(note: I'm a seatbelt user, just using this as an example)
and that the censorship COULD be used as a further action for repressing
folk:
"Oh, you...
Re: Myanmar internet - something to think about if you're having a bad day
Bradley Huffaker (Apr 29)
Censorship does not need to be complete to be highly effective. Almost all regulation, drugs/speeding/etc, is
designed to increase the cost to the point where “most” individuals are discouraged. While VPNs can be used to bypass
China’s Great Firewall the added friction is enough to keep most happily engaged with easier distractions....
Re: Myanmar internet - something to think about if you're having a bad day
Sabri Berisha (Apr 29)
----- On Apr 28, 2021, at 11:32 AM, Eric Kuhnke <eric.kuhnke () gmail com> wrote:
Hi,
Even my third-grader was able to figure out that she needed a VPN when I blocked Roblox's IP space (128.116.0.0/17) on
my home router.
Other than, as reports said, soldiers snipping cables in datacenters, regimes will have a difficult time completely
blocking whatever they don't like. Even China can't do it.
Thanks,
Sabri
NIST RPKI Monitor version 2.0
Sriram, Kotikalapudi (Fed) via NANOG (Apr 29)
We (NIST) have released a new version of the NIST RPKI Monitor (v2.0):
https://www.nist.gov/services-resources/software/nist-rpki-deployment-monitor
We are open to adding more features and analyses based on user feedback. Your comments/suggestions are welcome. Thank
you.
Sriram
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 32.63
RISKS List Owner (Apr 30)
RISKS-LIST: Risks-Forum Digest Friday 30 April 2021 Volume 32 : Issue 63
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.63>
The current issue can also be found at
<...
Risks Digest 32.62
RISKS List Owner (Apr 25)
RISKS-LIST: Risks-Forum Digest Sunday 25 April 2021 Volume 32 : Issue 62
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.62>
The current issue can also be found at
<...
Risks Digest 32.61
RISKS List Owner (Apr 23)
RISKS-LIST: Risks-Forum Digest Friday 23 April 2021 Volume 32 : Issue 61
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.61>
The current issue can also be found at
<...
Risks Digest 32.60
RISKS List Owner (Apr 17)
RISKS-LIST: Risks-Forum Digest Saturday 17 April 2021 Volume 32 : Issue 60
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.60>
The current issue can also be found at
<...
Risks Digest 32.59
RISKS List Owner (Apr 04)
RISKS-LIST: Risks-Forum Digest Sunday 4 April 2021 Volume 32 : Issue 59
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.59>
The current issue can also be found at
<...
Risks Digest 32.58
RISKS List Owner (Apr 01)
RISKS-LIST: Risks-Forum Digest Thursday 1 April 2021 Volume 32 : Issue 58
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.58>
The current issue can also be found at
<...
Risks Digest 32.57
RISKS List Owner (Mar 23)
RISKS-LIST: Risks-Forum Digest Tuesday 23 March 2021 Volume 32 : Issue 57
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.57>
The current issue can also be found at
<...
Risks Digest 32.56
RISKS List Owner (Mar 19)
RISKS-LIST: Risks-Forum Digest Friday 19 March 2021 Volume 32 : Issue 56
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.56>
The current issue can also be found at
<...
Risks Digest 32.55
RISKS List Owner (Mar 16)
RISKS-LIST: Risks-Forum Digest Tuesday March 2021 Volume 32 : Issue 55
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.55>
The current issue can also be found at
<...
Risks Digest 32.54
RISKS List Owner (Mar 13)
RISKS-LIST: Risks-Forum Digest Saturday 13 March 2021 Volume 32 : Issue 54
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.54>
The current issue can also be found at
<...
Risks Digest 32.53
RISKS List Owner (Mar 12)
RISKS-LIST: Risks-Forum Digest Friday 12 February 2021 Volume 32 : Issue 53
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.53>
The current issue can also be found at
<...
Risks Digest 32.52
RISKS List Owner (Mar 06)
RISKS-LIST: Risks-Forum Digest Saturday 6 March 2021 Volume 32 : Issue 52
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.52>
The current issue can also be found at
<...
Risks Digest 32.51
RISKS List Owner (Feb 22)
RISKS-LIST: Risks-Forum Digest Monday 22 February 2021 Volume 32 : Issue 51
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.51>
The current issue can also be found at
<...
Risks Digest 32.50
RISKS List Owner (Feb 19)
RISKS-LIST: Risks-Forum Digest Friday 19 February 2021 Volume 32 : Issue 50
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.50>
The current issue can also be found at
<...
Risks Digest 32.49
RISKS List Owner (Feb 12)
RISKS-LIST: Risks-Forum Digest Friday 12 February 2021 Volume 32 : Issue 49
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.49>
The current issue can also be found at
<...
BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.
Click Studios asks customers to stop tweeting about its Passwordstate data breach
Destry Winant (Apr 30)
https://techcrunch.com/2021/04/29/click-studios-asks-customers-to-stop-tweeting-about-its-passwordstate-data-breach/
Australian security software house Click Studios has told customers not to
post emails sent by the company about its data breach, which allowed
malicious hackers to push a malicious update to its flagship enterprise
password manager Passwordstate to steal customer passwords.
Last week, the company told customers to “commence...
Paleohacks data leak exposes customer records, password reset tokens
Destry Winant (Apr 30)
https://www.zdnet.com/article/paleohacks-data-leak-exposes-customer-records-password-reset-tokens/
A popular online resource for paleo recipes and tips was the source of a
data leak impacting roughly 70,000 users.
Los Angeles-based Paleohacks runs a website containing recipes, meal plans,
and articles on the paleolithic lifestyle, including downloadable guides, a
forum, and an e-commerce store.
The team, led by Noam Rotem, said that there was...
Financial services firm First Horizon suffers data breach with customer funds stolen
Destry Winant (Apr 30)
https://siliconangle.com/2021/04/28/financial-services-firm-first-horizon-suffers-data-breach-customer-funds-stolen/
Financial services company First Horizon Corp. has suffered a data breach
that saw customer accounts accessed and funds stolen.
Disclosed in a filing today with the U.S. Securities and Exchange
Commission, the data breach is described as involving an authorized third
party obtaining login credentials from an unknown source and...
Office 365 compromise likely led to Merseyrail ransomware attack
Destry Winant (Apr 30)
https://www.computerweekly.com/news/252499929/Office-365-compromise-likely-led-to-Merseyrail-ransomware-attack
A Lockbit ransomware attack on train operating company Merseyrail appears
to have been the result of a successful compromise of a privileged
Microsoft Office 365 account, prompting fresh warnings over the risks of
spear-phishing and the importance of email security.
The Covid-hit transport operator confirmed the attack to Bleeping...
Three tips for modernizing the CISO in 2021
Destry Winant (Apr 29)
https://www.scmagazine.com/perspectives/three-tips-for-modernizing-the-ciso-in-2021/
During the height of the pandemic last year, the CISO took on new
prominence within organizations. Increased security risks and hasty
technology rollouts resulted in a greater chance of exposure to breaches
and leaks. CISOs were forced to respond by quickly instituting measures to
maintain business continuity and protect against new cyberthreats. Still,
at many...
UnitingCare Queensland security incident takes some systems offline
Destry Winant (Apr 29)
https://www.zdnet.com/article/unitingcare-queensland-security-incident-takes-some-systems-offline/
UnitingCare Queensland has confirmed it has fallen victim to a cyber
incident, rendering some of its systems inaccessible.
The organisation, which provides aged care, disability supports, health
care, and crisis response services throughout the state, said the incident
occurred on Sunday 25 April 2021.
"As a result of this incident, some of...
Cyber-attack disrupts cancer care across U.S.
Destry Winant (Apr 29)
https://www.securityinfowatch.com/healthcare/news/21220570/cyberattack-disrupts-cancer-care-across-us
Apr. 28—Some cancer patients across the U.S. saw their high-tech radiation
treatment delayed or disrupted in recent days after a medical systems
company with U.S. headquarters in Dunwoody suffered a cyberattack.
Elekta, a Swedish company with global headquarters in Stockholm, provides
precision cancer radiation treatment software to some of...
DigitalOcean says customer billing data accessed in data breach
Destry Winant (Apr 29)
https://techcrunch.com/2021/04/28/digitalocean-customer-billing-data-breach/
DigitalOcean has emailed customers warning of a data breach involving
customers’ billing data, TechCrunch has learned.
The cloud infrastructure giant told customers in an email on Wednesday,
obtained by TechCrunch, that it has “confirmed an unauthorized exposure of
details associated with the billing profile on your DigitalOcean account.”
The company said the...
CISOs must help their boards manage cyber risk — here’s how
Destry Winant (Apr 28)
https://venturebeat.com/2021/04/24/cisos-must-help-their-boards-manage-cyber-risk-heres-how/
In one of the more memorable scenes from the film “Jerry Maguire,” Tom
Cruise’s character, a football agent, can be seen pleading with his one
client, begging him to just “help me, help you.” Maguire kept repeating the
line, hoping to break through to the player, trying to convince him to
change his attitude in the hopes it would help him land...
UK rail network Merseyrail likely hit by Lockbit ransomware
Destry Winant (Apr 28)
https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/
UK rail network Merseyrail has confirmed a cyberattack after a ransomware
gang used their email system to email employees and journalists about the
attack.
Merseyrail is a UK rail network that provides train service through
sixty-eight stations in the Liverpool City Region in England.
"We can confirm that Merseyrail was recently...
D.C. Police Department Victim Of Apparent Ransomware Attack
Destry Winant (Apr 28)
https://www.npr.org/2021/04/27/991116344/d-c-police-department-victim-of-apparent-ransomware-attack
Potentially sensitive information from the Washington, D.C., police
department was allegedly breached by a ransomware attack from a group
seeking a payout.
A group called Babuk claimed to be behind the attack. On a post made on its
website, the group threatened to release information pulled from the
department's systems if they were not paid...
3.2 Billion Leaked Passwords Contain 1.5 Million Records with Government Emails
Destry Winant (Apr 28)
https://thehackernews.com/2021/04/32-billion-leaked-passwords-contain-15.html
A staggering number of 3.28 billion passwords linked to 2.18 billion unique
email addresses were exposed in what's one of the largest data dumps of
breached usernames and passwords.
In addition, the leak includes 1,502,909 passwords associated with email
addresses from government domains across the world, with the U.S.
government alone taking up 625,505 of the...
Data of approximately 20 million BigBasket users leaked by hacker ShinyHunters
Destry Winant (Apr 27)
https://thetechportal.com/2021/04/26/data-of-approximately-20-million-bigbasket-users-leaked-by-hacker-shinyhunters/
After social media sites, it appears that the data of users of even grocery
delivering and shopping websites is at risk, as a reputed hacker has
allegedly leaked personal data of a whopping 20 million (approximate) users
of popular grocery platform BigBasket, including passwords, on a well-known
hacking platform.
The data leaked...
Breach Victims File Class Action Lawsuit Against Einstein Healthcare
Destry Winant (Apr 27)
https://healthitsecurity.com/news/breach-victims-file-class-action-lawsuit-against-einstein-healthcare
April 27, 2021 - Einstein Healthcare Network is facing a class-action
lawsuit, following the August 2020 hack of several employee email accounts.
The breach victims claim the Pennsylvania-based health system failed to
properly secure and safeguard the protected health information of patients.
Einstein notified the public of the compromise in...
Cyber Attack Haunts a Public Water Supply System. Again!
Destry Winant (Apr 27)
https://securityboulevard.com/2021/04/cyber-attack-haunts-a-public-water-supply-system-again/
In my previous blog, I had described how and why it is important for
critical agencies to ensure that they are secure from cyber threats lurking
around. If you have not read the blog then I strongly suggest you should.
The reason being that another cyber attack has taken place, where a
malicious actor has targeted critical infrastructure, and this time...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
nullcon se7en CFP is open
nullcon (Aug 25)
Dear Friends,
Welcome to nullcon se7en!
$git commit -a <sin>
<sin> := wrath | pride | lust | envy | greed | gluttony | sloth
nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world working on the next big thing in security
and request...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 05)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Re: Problem with parsing NGAP UL Configuration Request
Pascal Quantin (Apr 28)
Hi Dincer,
On Wed, 28 Apr 2021 at 17:07, Dincer Beken <dbeken () blackned de> wrote:
Your TransportLayerAddress item has a length of 132 bits, which matches
neither an IPv4-only address (32 bits), nor an IPv6-only address (128 bits), nor an
IPv4 followed by an IPv6 address (160 bits). Thus Wireshark does not try to
decode the payload of this unknown length. If you tried to encode an IPv4
and/or IPv6 address, then you have a bug.
Best...
Problem with parsing NGAP UL Configuration Request
Dincer Beken (Apr 28)
Hello all,
I am trying to handle the 5G UL Ran configuration transfer message. I am encoding an XN TNL Information Item with
asn1c. All IEs and messages so far have worked well, but the Tunnel Information item does not work for me.
I cannot see the Tunnel Information elements (IPs.).
I am using wireshark version 3.40. I have attached the capture.
I am stuck on this and would appreciate any help. If anyone here is experienced with...
Re: How to disable QT_MULTIMEDIA_LIB during cmake
Jirka Novak (Apr 28)
Hi Roland,
I see your merge request. So my task is to review it and make it
running with QT_MULTIMEDIA_LIB undefined, right? BTW it was my original
idea to do.
Best regards,
Jirka Novak
Re: How to disable QT_MULTIMEDIA_LIB during cmake
Roland Knall (Apr 28)
A merge request has been generated for this:
https://gitlab.com/wireshark/wireshark/-/merge_requests/2849
cheers
On Wed, 28 Apr 2021 at 14:33, Roland Knall <rknall () gmail com> wrote:
Re: How to disable QT_MULTIMEDIA_LIB during cmake
Roland Knall (Apr 28)
I have created a change which handles the CMAKE stuff correctly (analog to
extcap & pcap, ...)
I would need some help from you Jirka for the RTP specifics.
kind regards
Roland
On Wed, 28 Apr 2021 at 14:01, John Thacker <
johnthacker () gmail com> wrote:
Re: How to disable QT_MULTIMEDIA_LIB during cmake
John Thacker (Apr 28)
In general some features can be disabled, see CMakeOptions.txt for a list,
but Qt Multimedia Lib cannot be disabled easily.
If you look at cmakeconfig.h.in:
<https://gitlab.com/wireshark/wireshark/-/blob/master/cmakeconfig.h.in#L320>
/* Define to the version of this package. */
#cmakedefine PACKAGE_VERSION
/* Define if we have QtMultimedia */
#define QT_MULTIMEDIA_LIB 1
/* Define if we have QtMacExtras */
#cmakedefine QT_MACEXTRAS_LIB 1...
Re: Having problem tracing multiple ip addresses
Robert Blair (Apr 27)
** Reply to message from Hugo van der Kooij via Wireshark-users
<wireshark-users () wireshark org> on Mon, 26 Apr 2021 07:23:43 +0000
On another OS I have used IP tracing many times, on Ubuntu only two or three
times. After seeing the trace from wireshark I now have no clue what is going
on.
When I started with these IoT devices I had both of the routers WIFI interfaces
with the same SSID and password. This caused problems trying to...
Re: Status label for issues
Uli Heilmeier (Apr 27)
On 27.04.21 at 09:28, Guy Harris wrote:
Yes, I'm aware of it. This is something I've already mentioned in my first mail. For this label only automation (bot)
makes sense. As long as there is no automation we will have a closed issue with a false state.
For the Gitlab API there is no difference between manually closed issues and issues marked as duplicate.
Both have the state closed. Issues marked as duplicate have an additional note...
Re: Status label for issues
Guy Harris (Apr 27)
The last of those is, well, a duplicate of the "(duplicated)" in the status box at the top (if the close is done right,
by entering
/duplicate #{bug number}
into a comment and saving the comment).
Re: Status label for issues
Uli Heilmeier (Apr 27)
I see your point.
We had this status field at Bugzilla and it worked sufficiently well (at least for dissector bugs).
At the moment it is very hard to see if someone has already had a look at an issue, if she/he was able to reproduce it,
if a sample capture is missing etc.
Regarding additional tooling I will have a closer look at triage-ops the next days.
On 27.04.21 at 09:06, Roland Knall wrote:
Re: Status label for issues
Uli Heilmeier (Apr 27)
On 27.04.21 at 09:06, Guy Harris wrote:
Yes, you're totally right. os::windows, os::macos, os::linux and os::other should be enough.
Currently we have os::unix with the description "AIX, HP-UX, Solaris, and other Unices"
Re: Status label for issues
Roland Knall (Apr 27)
It wasn't clear to me that your list was the original list + new entries.
I especially have an issue with the new ws-status labels and their
transitions. Judging from a company, where we have about 50 developers
whose daily bread it is to transition properly in Jira, I cannot see an
open-source project with no additional tooling to properly transition
between e.g. unconfirmed => confirmed => in-progress.
That is my main concern.
Am...
Re: Status label for issues
Guy Harris (Apr 27)
So does "unix" mean:
1) has some possibly very-remote code base connection to some UNIX that AT&T put out;
2) is eligible to use the UNIX(R) trademark;
3) other?
If it's 1), then I *guess* Linux is the only UN*X that doesn't fit into that category, although macOS, being a 4.4-Lite
derivative, would fit into that category as well.
If it's 2), then 1) the *BSDs don't count and 2) at...
Re: Status label for issues
Uli Heilmeier (Apr 26)
Diff between current and proposal list:
- incident
- question
- cli::tshark
+ ui::tshark
- ui::gtk
- version::0.x
- version::1.0
- version::1.10
- version::1.12
- version::1.2
- version::1.4
- version::1.6
- version::1.8
- version::2.0
- version::2.2
- version::2.4
- version::2.6
- version::3.0
+ version::outdated
+ ws-status::unconfirmed
+ ws-status::confirmed
+ ws-status::waiting-for-response
+ ws-status::in-progress
+ ws-status::invalid
+...
Re: Status label for issues
Roland Knall (Apr 26)
The list seems to be duplicated with the lists from above. Anyhow, it seems
we just have too many labels already, and I am still not convinced that
they can be used properly and consistently at this point.
I would clean up the proposal list first, then from there figure out which
items we need on the list.
cheers
Roland
On Mon, 26 Apr 2021 at 21:17, Uli Heilmeier <zeugs () heilmeier eu
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Snort Subscriber Rules Update 2021-04-29
Research (Apr 29)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-ie,
file-other and server-webapp rule sets to provide coverage for emerging
threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Subscriber Rules Update 2021-04-27
Research (Apr 27)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the app-detect,
browser-ie, browser-other, exploit-kit, file-pdf, malware-cnc,
malware-other, policy-other and server-webapp rule sets to provide
coverage for emerging threats from these technologies.
For a complete list of new and modified rules please see:...
Snort Blog: 2.9.8.3 Shared Object end-of-life
Joel Esler (jesler) via Snort-sigs (Apr 22)
https://blog.snort.org/2021/04/2983-shared-object-end-of-life.html
2.9.8.3 Shared Object end-of-life
Attention users of SNORTⓇ version 2.9.8.3: This serves as your official end-of-life notification. However, this EOL
notification is a bit unique.
We will be moving to an “end of life” for shared object rules for Snort version 2.9.8.3 in 90 days (July 20, 2021).
After that, for an indeterminate amount of time after July 20, we will...
Snort Subscriber Rules Update 2021-04-22
Research (Apr 22)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the and server-other
rule sets to provide coverage for emerging threats from these
technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Subscriber Rules Update 2021-04-21
Research (Apr 21)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-chrome,
malware-cnc, policy-other, protocol-voip, server-apache and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Re: Fwd: question.
Russ Combs (rucombs) via Snort-devel (Apr 20)
This should be posted to snort-users or snort-sigs. snort-devel is for bugs and related development work.
Russ
From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of juan patricioo via Snort-devel <snort-devel ()
lists snort org>
Sent: Thursday, April 15, 2021 4:09 PM
To: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: [Snort-devel] Fwd: question....
Snort Subscriber Rules Update 2021-04-20
Research (Apr 20)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the malware-cnc and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Fwd: question.
juan patricioo via Snort-devel (Apr 19)
---------- Forwarded message ---------
From: juan patricioo <cursoredesinap9644 () gmail com>
Date: Thu, 15 Apr 2021 at 21:59
Subject: question.
To: <snort-users () lists snort org>
Hello, I'm trying to write a rule in Snort that can capture the text in a text
field in the following form:
http://cekb.unileon.es/formulario.html
I'm trying:
*alert tcp any any -> any 80 (msg:"script text";...
Snort Subscriber Rules Update 2021-04-15
Research (Apr 15)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-chrome,
file-pdf, indicator-obfuscation, malware-backdoor, malware-cnc and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Subscriber Rules Update 2021-04-13
Research (Apr 13)
Talos Snort Subscriber Rules Update
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.
Details:
Microsoft Vulnerability CVE-2021-28310:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 57403 through 57404.
Microsoft Vulnerability...
Snort Blog: New "Snort 3 and me" webinar series launches on April 20
Joel Esler (jesler) via Snort-sigs (Apr 08)
We’re launching some webinars about the transition to Snort 3. They are totally free, and your information will not be
used for any marketing purposes.
Snort Subscriber Rules Update 2021-04-08
Research (Apr 08)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-other and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Subscriber Rules Update 2021-04-06
Research (Apr 06)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the and file-other rule
sets to provide coverage for emerging threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Subscriber Rules Update 2021-04-01
Research (Apr 01)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-ie,
exploit-kit, indicator-obfuscation, indicator-shellcode, malware-cnc,
netbios, protocol-dns, protocol-voip, server-oracle and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.
For a complete list of new and modified rules please...
Snort Subscriber Rules Update 2021-03-30
Research (Mar 30)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-other,
malware-cnc, os-windows, protocol-tftp and server-webapp rule sets to
provide coverage for emerging threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.