SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
Nmap's GSoC 2019 participation
Karuna Grewal (Dec 20)
Hi all,
I've been an nmap user for a while, and I started to contribute to the
same, for which I began with a minor FIXME issue. I'm looking forward
to contributing to some part of the project which is of significant
interest to the current developments.
Also, I wondered if Nmap will be participating in GSoC 2019 and the
relevant projects. Going through the issue tracker I want to work on
this issue (https://github.com/nmap/nmap/issues/1025)...
GitHub PR#1418 Review
Karuna Grewal (Dec 19)
Hi everyone!
I've created a pull request (https://github.com/nmap/nmap/pull/1418)
which addresses a FIXME issue in one of the ncat files.
As a means to optimize the loop which intends to iterate over the read
file descriptors, I've changed the original traversal from 0 to
max_fd. Now, it checks only those specific file descriptors which are
inserted into the appropriate file descriptor list which makes it
efficient.
Waiting for...
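To make the optimization concrete, here is an added C illustration (not ncat's code and not the pull request's patch): it registers two pipe read ends in a small descriptor list, calls select(2), and then reports readiness two ways, once by probing every descriptor number from 0 to max_fd and once by walking only the descriptors that were inserted into the list. The struct and function names (fdlist, scan_all, scan_tracked, run_demo) and the pipe-based input are constructed for this example.

```c
/* Added illustration (not ncat's code): the same readiness check done two
 * ways after select(2). Names and the pipe-based input are constructed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/time.h>

#define MAX_TRACKED 64

/* The fd_set handed to select() plus a record of which fds we put in it. */
struct fdlist {
    fd_set set;
    int fds[MAX_TRACKED];
    int nfds;    /* how many descriptors were inserted */
    int max_fd;  /* highest descriptor, for select()'s nfds argument */
};

static void fdlist_init(struct fdlist *l) { FD_ZERO(&l->set); l->nfds = 0; l->max_fd = -1; }

static int fdlist_add(struct fdlist *l, int fd)
{
    if (fd < 0 || fd >= FD_SETSIZE || l->nfds >= MAX_TRACKED)
        return -1;
    FD_SET(fd, &l->set);
    l->fds[l->nfds++] = fd;
    if (fd > l->max_fd)
        l->max_fd = fd;
    return 0;
}

/* Original-style traversal: probe every descriptor number 0..max_fd. Work grows
 * with the highest fd number, not with how many fds matter. Returns the number
 * of FD_ISSET probes; the ready fds are written to out/nout in ascending order. */
static int scan_all(const fd_set *ready, int max_fd, int *out, int *nout)
{
    int probes = 0;
    *nout = 0;
    for (int fd = 0; fd <= max_fd; fd++) {
        probes++;
        if (FD_ISSET(fd, ready))
            out[(*nout)++] = fd;
    }
    return probes;
}

/* Optimized traversal: probe only the descriptors inserted into the list. */
static int scan_tracked(const struct fdlist *l, const fd_set *ready, int *out, int *nout)
{
    int probes = 0;
    *nout = 0;
    for (int i = 0; i < l->nfds; i++) {
        probes++;
        if (FD_ISSET(l->fds[i], ready))
            out[(*nout)++] = l->fds[i];
    }
    return probes;
}

struct demo_result {
    int ready_all, ready_tracked;    /* readable fds each scan found */
    int probes_all, probes_tracked;  /* FD_ISSET calls each scan made */
    int same_fds;                    /* 1 if both scans reported the same fds */
};

/* Two pipes stand in for sockets; one byte written into each makes both read
 * ends readable (constructed input). Returns 0 on success, -1 on a syscall error. */
static int run_demo(struct demo_result *r)
{
    int p1[2], p2[2], rc = -1;
    if (pipe(p1) < 0)
        return -1;
    if (pipe(p2) < 0) { close(p1[0]); close(p1[1]); return -1; }
    if (write(p1[1], "a", 1) == 1 && write(p2[1], "b", 1) == 1) {
        struct fdlist l;
        fdlist_init(&l);
        fdlist_add(&l, p1[0]);             /* pipe() hands out ascending fds, */
        fdlist_add(&l, p2[0]);             /* so insertion order is ascending too */
        fd_set ready = l.set;              /* select() overwrites its argument */
        struct timeval tv = { 0, 0 };      /* data is already there: do not block */
        if (select(l.max_fd + 1, &ready, NULL, NULL, &tv) >= 0) {
            int out_all[MAX_TRACKED], out_tracked[MAX_TRACKED];
            r->probes_all = scan_all(&ready, l.max_fd, out_all, &r->ready_all);
            r->probes_tracked = scan_tracked(&l, &ready, out_tracked, &r->ready_tracked);
            r->same_fds = r->ready_all == r->ready_tracked &&
                          memcmp(out_all, out_tracked, sizeof(int) * (size_t)r->ready_all) == 0;
            rc = 0;
        }
    }
    close(p1[0]); close(p1[1]); close(p2[0]); close(p2[1]);
    return rc;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) < 0) { perror("run_demo"); return 1; }
    printf("ready fds: all=%d tracked=%d; FD_ISSET probes: all=%d tracked=%d; same=%d\n",
           r.ready_all, r.ready_tracked, r.probes_all, r.probes_tracked, r.same_fds);
    return r.same_fds ? 0 : 1;
}
```

Both scans find the same two readable descriptors, but the tracked walk makes exactly two FD_ISSET probes while the 0..max_fd walk makes max_fd + 1, which is why probing only the inserted descriptors pays off as descriptor numbers grow.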
Re: SMB Encryption and SMB Signing
Paulino Calderon (Dec 17)
Hello Jan,
The script smb2-security-mode only checks the message signing configuration but we have smb2-capabilities
(https://nmap.org/nsedoc/scripts/smb2-capabilities.html) that does (or should) check if Encryption is enabled.
Cheers.
Re: Proposal for ncat improvement
nnposter (Dec 12)
Fortunately this omission already got fixed last April in r37236:
https://github.com/nmap/nmap/commit/45229e0fbd5172f2d1c2bec84fca533c98a79210
You should see it when a new version is released (or if you build it
fresh yourself).
Cheers,
nnposter
Re: Proposal for ncat improvement
Ulrich Heuser (Dec 12)
Dear nnposter,
this was a perfect answer -- of course it helped to solve my little issue of missing the http-response due to
the connection being closed by ncat. With the mentioned option
--no-shutdown it behaves exactly as wanted. Thanks a lot.
Btw., as I am using nmap on Windows/DOS, I was not aware of the above option for ncat. The Usage/Help of ncat under DOS
does not mention the --no-shutdown option. Looking up the man page for ncat on Linux I...
Re: Proposal for ncat improvement
nnposter (Dec 11)
While not exactly the same, would option --no-shutdown help in your
situation?
Cheers,
nnposter
Proposal for ncat improvement
Ulrich Heuser (Dec 11)
Dear all,
I found a relevant difference between the original netcat tool and ncat from nmap:
On sending out an http-request by netcat, the connection is kept alive for a long period, and this supports receiving an
http-response from the addressed counterpart.
With ncat the connection is closed after 1 sec., and the communication counterpart is not able to send an http-response to the
ncat requestor after that amount of time.
It would be useful to extend the...
DNS issue: wrong DNS-Server is used.
newsgrep . (Dec 10)
My problem in short:
====================
There are some DNS servers configured on an inactive interface (208.67.220.220 and
208.67.220.222), which are then used by Nmap instead of the DNS server (192.168.2.1)
of the active interface (eth1) that is used for the scan. This leads to the problem that
the wrong DNS server is used and that local DNS names cannot be resolved.
My System:
==========
Windows 10.0.17134.165 64Bit
Nmap 7.70, Npcap...
GitHub PR #1395 - NSE script for CVE-2018-7600 (RCE vulnerability on Drupal 7.x, 8.x)
Kostas Milonas (Dec 02)
Hello everyone.
A few days ago I created a pull request with an NSE script about
CVE-2018-7600 (Drupalgeddon 2),
the RCE vulnerability on Drupal 7.x, 8.x.
The URL of the pull request is:
https://github.com/nmap/nmap/pull/1395
The script creates a file through the vulnerability and then makes an
additional request
to check if the file was really created in order to mark the target as
vulnerable.
Thank you in advance for your time reviewing...
Re: Getting started with contributing
Sameer Shaikh (Dec 01)
Hi Aditya!
You can look for issues marked with the "good first issue" tag on them.
These are marked so because they're easy to solve and can be attempted by
beginners like us.
As for the basic skill set, you'll have to read and read and read – code,
documentation, & issues; and you'll have to learn to identify what to
learn, to solve the particular issues you're interested in.
And do read the CONTRIBUTING.md...
Ctrl+D to close Ncat?
Loren Amelang (Dec 01)
Apologies if this is a stupid question, but it seems valid to me. I just discovered Ncat as a way to manually send
short text commands from my new Linux machine to the 20 year old microcomputer that runs my off-grid house. Nowhere in
the User's Guide, man pages, or Google searches could I find any clues about the proper way to manually close my raw
TCP session!
After 45 minutes of searching, I found one "superuser" answer...
Got an error while running ssl-enum-ciphers
Jorge Luis Sanz Amerijeiras (Dec 01)
Hello, another try, but now I'm subscribed :) :)
I'm getting some errors while running nmap with --script ssl-enum-ciphers.
Maybe the domain name is too long? It has 24 chars in total, including dots. Structure is:
xxxxxxx.xxxxxxxxx.xxx.xx
Nmap vers: 7.70, over Kali Linux.
nmap -d --script ssl-enum-ciphers -p 11443 xxxxx.xxxxxxxx.xx.xx
nmap -d --script ssl-enum-ciphers -p 443 xxxxx.xxxxxxxx.xx.xx
Both ports have the same result:
.....
Error when starting zenmap
Dennis Pejcha (Dec 01)
Running Windows 10 Pro, get the following error on startup. I have tried
uninstalling and reinstalling nmap to see if that might clear up the
problem, but no change.
Version: 7.70
Traceback (most recent call last):
File "zenmap", line 195, in <module>
File "zenmapGUI\App.pyo", line 358, in run
File "zenmapGUI\App.pyo", line 194, in new_window
File "zenmapGUI\MainWindow.pyo", line 152, in...
Getting started with contributing
Aditya Prajapati (Dec 01)
Hey all,
I am new to Open Source Development and would love to be a part of the NMAP
Development Community. Could anyone mind sharing the basic skill set I
would require to start contributing? (I'm reading Nmap Network
Scanning to get a basic idea about nmap)
Also, it would be a huge help if anyone could help me figure out a
relatively easy low /medium priority issue to work on.
Thanks!
Re: https-redirect bug causing scans to take much longer
Daniel Cater (Nov 27)
Yes, the problem seems to be fixed now, thanks for the quick response!
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap 7.70 released! Better service and OS detection, 9 new NSE scripts, new Npcap, and much more.
Fyodor (Mar 20)
Nmap Community,
We're excited to make our first Nmap release of 2018--version 7.70! It
includes hundreds of new OS and service fingerprints, 9 new NSE scripts
(for a total of 588), a much-improved version of our Npcap windows packet
capturing library/driver, and service detection improvements to make -sV
faster and more accurate. And those are just a few of the dozens of
improvements described below.
Nmap 7.70 source code and binary...
Nmap GSoC 2017 Success Reports
Fyodor (Oct 10)
Hello Nmap Community,
Nmap celebrated its 20th birthday last month and we also just completed our
13th Google Summer of Code. We focused on a fairly small team of four
students this year (http://seclists.org/nmap-announce/2017/2), and I'm
happy to report that every one passed! And they all have code integrated
into Nmap 7.60 already, with even more to follow for the next release.
Also this year, for the first time, every student wrote a...
Nmap 7.60 released! SSH support, SMB2/SMB3 improvements, 14 more scripts, new Npcap, GSoC work, and more
Fyodor (Aug 01)
Hello everyone. I'm back from Defcon and excited to announce the new Nmap
7.60 release! It has only been a month and a half since 7.50, but we still
packed a lot into this one. Mostly because we have such an awesome GSoC
team of 8 students and mentors working on so many cool projects. The
program hasn't even ended yet, but much of their work has already been
integrated into this release.
One of the things I'm most excited...
Nmap 7.50 Released! 14 new NSE scripts, 300+ fingerprints, new Npcap, and more
Fyodor (Jun 13)
Dear Nmap Community:
The Nmap project is delighted to announce the release of Nmap 7.50! It is
our first big release since last December and has hundreds of improvements
that we hope you will enjoy.
One of the things we have worked the hardest on recently is our Npcap
packet capturing driver and library for Windows (https://nmap.org/npcap/).
It is a replacement for WinPcap, which served us well for many years, but
is no longer maintained....
Introducing the 2017 Nmap/Google Summer of Code Team!
Fyodor (May 18)
Nmap community:
Thanks for all of your applications and referrals of talented students to
the Summer of Code program. Google has agreed to sponsor four students to
spend this summer enhancing the Nmap Security Scanner and I'm proud to
introduce our 2017 team! We normally mentor coders working all over the
Nmap/Zenmap/Ncat/Nping spectrum, but this year we're doubling down on the
Nmap Scripting Engine component. All four of our...
Nmap Project Seeking Talented Programmers for GSoC 2017
Fyodor (Mar 27)
Hi folks. I'm delighted to report that Nmap has been accepted by Google to
participate in this year's Summer of Code internship program. This
innovative and extraordinarily generous program provides $5,500 stipends to
college and graduate students anywhere in the world who spend the summer
improving Nmap from home! They gain valuable experience, get paid,
strengthen their résumés, and write code for millions of users. We're one...
Nmap GSoC 2016 Success Report
Fyodor (Feb 07)
Happy belated new year from the Nmap Project! I'd like to take this
opportunity to send you the belated results from our 2016 Summer of Code
team. I was going to send them right after the program finished, but some
of the students were still finishing some great things so I decided to
wait. As you may recall from the team intro mail (
http://seclists.org/nmap-announce/2016/2), we had 5 students last year and
I'm happy to report that...
Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
Re: LibTIFF 4.0.8 has multiple memory leak vulnerabilities (CVE-2017-16232)
Henri Salo (Dec 21)
I'm curious why you post about a minor memory leak over a year after the fix,
from an old version and a tool (not the library)? Also note that
http://www.libtiff.org/tools.html says "Many of them however are more intended
to serve as programming examples for using the TIFF library."
You might want to test the latest version of the library. Their git can be
found from https://gitlab.com/libtiff/libtiff.
[CVE-2018-18009] dirary0.js on D-Link DIR-140L, DIR-640L devices allows remote unauthenticated attackers to discover admin credentials
Tyler Cui (Dec 21)
[Vendor]
us.dlink.com
[Product]
DIR-140L (version 1.02)
DIR-640L (version 1.01RU)
Other versions might also be affected.
[Vulnerability Type]
admin credentials disclosure
[Affected Component]
Web Interface
[CVE Reference]
CVE-2018-18009
[Security Issue]
An authenticated user can visit the file dirary0.js, for example, http://victime_ip/dirary0.js, and obtain clear text
password of user admin at the line:
gosave_ok =...
[CVE-2018-18008] spaces.htm on multiple D-Link devices (DSL, DIR, DWR) allows remote unauthenticated attackers to discover admin credentials
Tyler Cui (Dec 21)
[Vendor]
us.dlink.com
[Product]
D-Link DSL-2770L (version ME_1.01, ME_1.02, AU_1.06)
D-Link DIR-140L, DIR-640L (version 1.00, 1.01RU, 1.02)
D-Link DWR-116, DWR-512, DWR-555, DWR-921 (version V1.03, V1.05, V2.01, V2.02)
[Vulnerability Type]
admin credentials disclosure
[Affected Component]
Web Interface
[CVE Reference]
CVE-2018-18008
[Security Issue]
An authenticated user can visit the page spaces.htm, for example,...
[CVE-2018-18007] atbox.htm on D-Link DSL-2770L devices allows remote unauthenticated attackers to discover admin credentials
Tyler Cui (Dec 21)
[Vendor]
us.dlink.com
[Product]
D-Link DSL-2770L (version ME_1.01, ME_1.02, AU_1.06)
[Vulnerability Type]
admin credentials disclosure
[Affected Component]
Web Interface
[CVE Reference]
CVE-2018-18007
[Security Issue]
An authenticated user can visit the page atbox.htm, for example, http://victime_ip/atbox.htm, and obtain clear text
password of user admin at the line:
else if(ff.curpd.value != "__password__")...
CVE-2018-20211 - DLL Hijacking in Exiftool v8.3.2.0
Rafael Pedrero (Dec 21)
<!--
# Exploit Title: DLL Hijacking in Exiftool v8.3.2.0
# Date: 18-12-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://owl.phy.queensu.ca/~phil/exiftool/
# Software Link: http://owl.phy.queensu.ca/~phil/exiftool/
# Version: v8.3.2.0
# Tested on: all
# CVE : CVE-2018-20211
# Category: webapps
1. Description
ExifTool 8.32 allows local users to gain privileges by creating a
%TEMP%\par-%username%\cache-exiftool-8.32 folder with a...
CVE-2018-20193 - Privilege escalation in Juniper Secure Access SSL VPN - SA-4000, 5.1R5 (build 9627) 4.2 Release (build 7631)
Rafael Pedrero (Dec 21)
In 2006...
<!--
# Exploit Title: Privilege escalation in Juniper Secure Access SSL VPN -
SA-4000, 5.1R5 (build 9627) 4.2 Release (build 7631)
# Date: 18-12-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://www.juniper.net/
# Software Link: http://www.juniper.net/
# Version: Juniper Secure Access SSL VPN SA-4000 5.1R5 (build 9627) 4.2
Release (build 7631)
# Tested on: all
# CVE : CVE-2018-20193
# Category: webapps
1. Description...
DAVOSET v.1.3.7
MustLive (Dec 21)
Hello participants of Mailing List.
Since the announcement of DAVOSET in 2010 and all releases, I've made the next
update of the software. Recently DAVOSET v.1.3.7 was released - a tool for
executing DDoS attacks via other sites (http://websecurity.com.ua/davoset/).
Video demonstration of DAVOSET: http://www.youtube.com/watch?v=RKi35-f346I
GitHub: https://github.com/MustLive/DAVOSET
Download DAVOSET v.1.3.7:...
New vulnerabilities in Transcend Wi-Fi SD Card
MustLive (Dec 21)
Hello list!
There are Directory Traversal and Cross-Site Request Forgery vulnerabilities
in Transcend Wi-Fi SD Card.
-------------------------
Affected products:
-------------------------
The following model is vulnerable: Transcend Wi-Fi SD Card 16 GB, Firmware v.1.8.
This model with other firmware versions, and other Transcend models, can also
be vulnerable. Transcend didn't answer whether they will fix these and other holes.
----------
Details:...
Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section
Murat Aydemir (Dec 21)
I. VULNERABILITY
-------------------------
Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the
Notes column of the Alarms section
II. CVE REFERENCE
-------------------------
CVE-2018-20339
III. VENDOR
-------------------------
https://www.manageengine.com
IV. TIMELINE
-------------------------
20/11/18 Vulnerability discovered
20/11/18 Vendor contacted
20/12/2018 OPManager replied that they fixed it
V. CREDIT...
Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section
Murat Aydemir (Dec 21)
I. VULNERABILITY
-------------------------
Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL
injection in the Alarms section
II. CVE REFERENCE
-------------------------
CVE-2018-20338
III. VENDOR
-------------------------
https://www.manageengine.com
IV. TIMELINE
-------------------------
20/11/18 Vulnerability discovered
20/11/18 Vendor contacted
20/12/2018 OPManager replied that they fixed it
V. CREDIT
-------------------------...
Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API
Murat Aydemir (Dec 21)
I. VULNERABILITY
-------------------------
Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection
via the getGraphData API.
II. CVE REFERENCE
-------------------------
CVE-2018-20173
III. VENDOR
-------------------------
https://www.manageengine.com
IV. TIMELINE
-------------------------
20/11/18 Vulnerability discovered
20/11/18 Vendor contacted
17/12/2018 OPManager replied that they fixed it
V. CREDIT
-------------------------...
Capstone disassembler v4.0 is out!
Nguyen Anh Quynh (Dec 21)
Greetings,
We are super excited to announce version 4.0 of Capstone disassembler
framework!
Exactly 5 years ago, on December 18th of 2013, we published the first
version. Today, this release 4.0 marks 5 years of our project! Such a long
journey, which is impossible without huge community support!
In no particular order, we would like to thank Thinkst Canary
<https://canary.tools/>, NowSecure <https://www.nowsecure.com/>, ECQ
<...
[CORE-2018-0007] - GIGABYTE Driver Elevation of Privilege Vulnerabilities
advisories (Dec 21)
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/
GIGABYTE Drivers Elevation of Privilege Vulnerabilities
1. Advisory Information
Title: GIGABYTE Drivers Elevation of Privilege Vulnerabilities
Advisory ID: CORE-2018-0007
Advisory URL:
http://www.secureauth.com/labs/advisories/gigabyte-drivers-elevation-privilege-vulnerabilities
Date published: 2018-12-18
Date of last update: 2018-12-18
Vendors contacted: Gigabyte
Release...
[CORE-2017-0012] - ASUS Drivers Elevation of Privilege Vulnerabilities
advisories (Dec 21)
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/
ASUS Drivers Elevation of Privilege Vulnerabilities
1. Advisory Information
Title: ASUS Drivers Elevation of Privilege Vulnerabilities
Advisory ID: CORE-2017-0012
Advisory URL:
http://www.secureauth.com/labs/advisories/asus-drivers-elevation-privilege-vulnerabilities
Date published: 2018-12-18
Date of last update: 2018-12-18
Vendors contacted: Asus
Release mode: User release...
Buffer Overflow in function match() PCRE 8.41 (CVE-2017-16231)
zzt0907 (Dec 21)
# Buffer Overflow in function match() PCRE 8.41 (CVE-2017-16231)
## Product Download: https://sourceforge.net/projects/pcre/files/pcre/
## Vulnerability Type: Buffer Overflow
## Attack Type : local
## Vulnerability Description
a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive
call
## POC
https://github.com/followboy1999/poc/tree/master/CVE-2017-16231
./pcretest pcre_poc.txt
##...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
[SECURITY] [DSA 4346-2] ghostscript regression update
Salvatore Bonaccorso (Dec 23)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4346-2 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
December 23, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ghostscript
Debian Bug : 915832
The update for...
[slackware-security] netatalk (SSA:2018-355-01)
Slackware Security Team (Dec 23)
[slackware-security] netatalk (SSA:2018-355-01)
New netatalk packages are available for Slackware 14.0, 14.1, 14.2,
and -current to fix a security issue.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/netatalk-3.1.12-i586-1_slack14.2.txz: Upgraded.
Netatalk before 3.1.12 is vulnerable to an out of bounds write in
dsi_opensess.c. This is due to lack of bounds checking on attacker...
Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section
Murat Aydemir (Dec 21)
I. VULNERABILITY
-------------------------
Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the
Notes column of the Alarms section
II. CVE REFERENCE
-------------------------
CVE-2018-20339
III. VENDOR
-------------------------
https://www.manageengine.com
IV. TIMELINE
-------------------------
20/11/18 Vulnerability discovered
20/11/18 Vendor contacted
20/12/2018 OPManager replied that they fixed it
V. CREDIT...
Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section
Murat Aydemir (Dec 21)
I. VULNERABILITY
-------------------------
Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL
injection in the Alarms section
II. CVE REFERENCE
-------------------------
CVE-2018-20338
III. VENDOR
-------------------------
https://www.manageengine.com
IV. TIMELINE
-------------------------
20/11/18 Vulnerability discovered
20/11/18 Vendor contacted
20/12/2018 OPManager replied that they fixed it
V. CREDIT
-------------------------...
[SECURITY] [DSA 4357-1] libapache-mod-jk security update
Salvatore Bonaccorso (Dec 20)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4357-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
December 20, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libapache-mod-jk
CVE ID : CVE-2018-11759
Raphael...
[SECURITY] [DSA 4356-1] netatalk security update
Salvatore Bonaccorso (Dec 20)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4356-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
December 20, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : netatalk
CVE ID : CVE-2018-1160
Debian Bug :...
[SECURITY] [DSA 4355-1] openssl1.0 security update
Moritz Muehlenhoff (Dec 19)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4355-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
December 19, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : openssl1.0
CVE ID : CVE-2018-0732 CVE-2018-0734...
FreeBSD Security Advisory FreeBSD-SA-18:15.bootpd
FreeBSD Security Advisories (Dec 19)
=============================================================================
FreeBSD-SA-18:15.bootpd Security Advisory
The FreeBSD Project
Topic: bootpd buffer overflow
Category: core
Module: bootpd
Announced: 2018-12-19
Credits: Reno Robert
Affects: All supported versions of FreeBSD.
Corrected:...
[security bulletin] MFSBGN03835 rev.1 - Fortify Software Security Center (SSC), Remote Unauthorized Access
security-alert (Dec 19)
Note: the current version of the following document is available here:
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03298201
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: KM03298201
Version: 1
MFSBGN03835 rev.1 - Fortify Software Security Center (SSC), Remote
Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2018-12-19
Last...
Secunia Research: libexif EXIF_IFD_INTEROPERABILITY / EXIF_IFD_EXIF Denial of Service Vulnerability
Secunia Research (Dec 17)
======================================================================
Secunia Research 2018/12/13
libexif EXIF_IFD_INTEROPERABILITY / EXIF_IFD_EXIF
Denial of Service Vulnerability
======================================================================
Table of Contents
Affected Software....................................................1...
Secunia Research: LibRaw Multiple Denial of Service Vulnerabilities
Secunia Research (Dec 17)
======================================================================
Secunia Research 2018/12/13
LibRaw Multiple Denial of Service Vulnerabilities
======================================================================
Table of Contents
Affected Software....................................................1...
Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API
Murat Aydemir (Dec 17)
I. VULNERABILITY
-------------------------
Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection
via the getGraphData API.
II. CVE REFERENCE
-------------------------
CVE-2018-20173
III. VENDOR
-------------------------
https://www.manageengine.com
IV. TIMELINE
-------------------------
20/11/18 Vulnerability discovered
20/11/18 Vendor contacted
17/12/2018 OPManager replied that they fixed it
V. CREDIT
-------------------------...
WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0009
Michael Catanzaro (Dec 13)
------------------------------------------------------------------------
WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0009
------------------------------------------------------------------------
Date reported : December 13, 2018
Advisory ID : WSA-2018-0009
WebKitGTK+ Advisory URL :
https://webkitgtk.org/security/WSA-2018-0009.html
WPE WebKit Advisory URL :...
[SECURITY] [DSA 4354-1] firefox-esr security update
Moritz Muehlenhoff (Dec 12)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4354-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
December 12, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : firefox-esr
CVE ID : CVE-2018-12405 CVE-2018-17466...
[security bulletin] MFSBGN03835 rev.1 - Fortify Software Security Center (SSC), Remote Unauthorized Access
security-alert (Dec 12)
Note: the current version of the following document is available here:
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03298201
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: KM03298201
Version: 1
MFSBGN03835 rev.1 - Fortify Software Security Center (SSC), Remote
Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2018-12-12
Last...
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
Carolina Con 15 CFP
Trvon (Nov 19)
We are pleased to announce that Carolina Con 15 will be hosted in Charlotte at the Renaissance Charlotte Suites April
26th through the 28th in 2019.
All interested in speaking to any topic in the realm of hacking, technology, science, robotics or any related field are
invited to submit a proposal to speak at the con.
A proposal should include the following:
- Name or handle/alias
- Presentation name
- A brief abstract about 1-2 paragraphs
-...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
44CON 2018 - 12th-14th September, London (UK)
Steve (Feb 28)
44CON 2018 is the UK's best annual Security Conference and Training event. The conference spans 2.5 days with training
on the 10th and 11th of September, a free evening event on the 12th of September, and a full two-day conference on the
13th and 14th of September. The event takes place at the ILEC Conference Centre near Earls Court, London. 44CON 2018
includes catering, private bus bar and Gin O'Clock breaks. Early Bird discounted...
RootedCON Security Conference - 1-3 March, Madrid (Spain)
omarbv (Feb 11)
On the occasion of the ninth edition of RootedCON, the most important
computer security conference in the country, around 2,000 hackers will
meet to discuss new questions and research about the cybersecurity
world, with its risks and threats. National and international experts
have included in their agendas this mandatory appointment to discuss new
vulnerabilities, viruses, and other threats, they will also talk about
countermeasures in order...
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
Russian Agents Sought Secret US Treasury Records On Clinton Backers During 2016 Campaign
InfoSec News (Dec 21)
https://www.buzzfeednews.com/article/anthonycormier/russian-agents-sought-us-treasury-records-on-clinton-backers
By Anthony Cormier and Jason Leopold
BuzzFeed News Reporters
December 20, 2018
US Treasury Department officials used a Gmail back channel with the
Russian government as the Kremlin sought sensitive financial information
on its enemies in America and across the globe, according to documents
reviewed by BuzzFeed News.
The...
'Hack the Air Force' bug hunting challenge uncovers 120 flaws in websites and services
InfoSec News (Dec 21)
https://www.zdnet.com/article/hack-the-air-force-bug-hunting-challenge-uncovers-120-flaws-in-websites-and-services/
By Steve Ranger
ZDNet News
December 20, 2018
A bug bounty challenge which asked hackers to 'Hack the Air Force' has
resulted in 120 vulnerabilities being found and fixed and $130,000 being
paid out to participants.
The programme, organised by the US Department of Defense (DoD) and
bug-bounty company HackerOne,...
The Pentagon Doesn't Know All the Software on Its Networks -- And That's a Problem
InfoSec News (Dec 21)
https://www.defenseone.com/technology/2018/12/pentagon-doesnt-know-all-software-its-networksand-s-problem/153669/
By Heather Kuldell
Managing Editor
Defense One
December 20, 2018
The Defense Department faces "unnecessary" risk without a complete
software inventory, according to the agency's inspector general.
The Defense Department's poor software management practices put its
networks at "unnecessary" cyber risk...
US charges Chinese hackers with 'massive theft' from NASA, Navy and tech sector
InfoSec News (Dec 21)
https://www.cnet.com/news/us-charges-chinese-hackers-with-massive-theft-from-nasa-navy-and-tech-sector/
By Erin Carson
CNet News
December 20, 2018
The US Justice Department has charged two Chinese nationals with
cybercrimes, citing the threat they pose to national security
These Chinese nationals, who the Department of Justice believes are
working in association with the country's government as part of a hacking
group called APT10, are...
Plan to Dumb-Down the Power Grid In Name of Cybersecurity Passes Senate
InfoSec News (Dec 21)
https://www.nextgov.com/cybersecurity/2018/12/plan-dumb-down-power-grid-name-cybersecurity-passes-senate/153719/
By Aaron Boyd
Senior Editor
Nextgov
December 20, 2018
A push to secure the nation's electric power grid from cyberattacks by
introducing analog stopgaps and redundancies passed the Senate late
Wednesday.
The Securing Energy Infrastructure Act was introduced last year by Sens.
Angus King, I-Maine, and Jim Risch, R-Idaho, and...
Closing the Global Cyber Enforcement Gap
InfoSec News (Dec 19)
https://www.lawfareblog.com/closing-global-cyber-enforcement-gap
By Allison Peters
Lawfare
December 18, 2018
Last month, more than 50 countries and over 200 major corporations and
organizations came together to agree that the international nature of
cyber threats needs a cooperative global response and a common set of
principles as a basis for security. This conclusion seems obvious—millions
of people have been affected by malicious...
Microsoft delivers emergency patch for under-attack IE
InfoSec News (Dec 19)
https://www.computerworld.com/article/3329717/microsoft-windows/microsoft-delivers-emergency-patch-for-under-attack-ie.html
By Gregg Keizer
Senior Reporter
Computerworld
Dec 19, 2018
Microsoft rarely mentions Internet Explorer (IE) anymore, but when it
does, it usually means bad news.
So it was Wednesday, when Microsoft issued a rare emergency security
update to plug a critical vulnerability in the still-supported IE9, IE10
and IE11. The...
Two Android apps used in combat by US troops contained severe vulnerabilities
InfoSec News (Dec 19)
https://www.zdnet.com/article/two-android-apps-used-in-combat-by-us-troops-contained-severe-vulnerabilities/
By Catalin Cimpanu
ZDNet
December 20, 2018
US military troops used two Android apps that contained severe
vulnerabilities in live combat scenarios, a Navy Inspector General report
revealed today.
The two apps are named KILSWITCH (Kinetic Integrated Low-Cost Software
Integrated Tactical Combat Handheld) and APASS (Android Precision...
Someone repeatedly compromised NASA servers
InfoSec News (Dec 19)
https://www.infosecnews.org/someone-repeatedly-compromised-nasa-servers/
By William Knowles @c4i
Senior Editor
InfoSec News
December 19, 2018
This isn't going to improve NASA’s FISMA scorecard rating for 2018.
On Tuesday, December 18, 2018, Bob Gibbs, Assistant Administrator, Office of
the Chief Human Capital Officer sent an agency-wide message to the 17,000+ NASA
employees, according to SpaceRef which posted the memo on their site....
The Pentagon thinks cyber ops could be the next WMDs
InfoSec News (Dec 19)
https://qz.com/1500647/the-pentagon-asks-researchers-for-help-planning-for-cyberattacks/
By Justin Rohrlich
Quartz
December 19, 2018
For years, the phrase "weapons of mass destruction," or WMDs, referred to
physical threats: Nuclear bombs, chemical attacks, and biological warfare.
US Department of Defense officials, however, are expanding the definition
to include offensive cyber operations. They think the threat is so big,
that...
How Hackers Bypass Gmail 2FA at Scale
InfoSec News (Dec 19)
https://motherboard.vice.com/en_us/article/bje3kw/how-hackers-bypass-gmail-two-factor-authentication-2fa-yahoo
By Joseph Cox
Motherboard.vice.com
December 19, 2018
If you're an at risk user, that extra two-factor security code sent to
your phone may not be enough to protect your email account.
Hackers can bypass these protections, as we've seen with leaked NSA
documents on how Russian hackers targeted US voting infrastructure...
Hackers Breach Dozens of Local Government Payment Portals to Steal Credit Card Data
InfoSec News (Dec 19)
http://fortune.com/2018/12/18/click2gov-local-government-portals-hackers-credit-card-breach/
By Jeff John Roberts
Fortune
December 18, 2018
Paying parking tickets or municipal water taxes is never fun -- and it's
even worse when hackers have compromised your town's payment system. Yet,
that's what happened in dozens of towns across the U.S. where cyber crooks
have made off with the personal data of nearly 300,000 people....
How Shopify Avoided a Data Breach, Thanks to a Bug Bounty
InfoSec News (Dec 18)
http://www.eweek.com/security/how-shopify-avoided-a-data-breach-thanks-to-a-bug-bounty
By Sean Michael Kerner
eWEEK.com
December 17, 2018
Breaches occur on an all-too-frequent basis, but what is often never
reported are the breaches that don't happen, thanks to organizations
taking rapid, proactive measures. One such incident was outlined by
Shopify at KubeCon + CloudNativeCon NA 2018 last week.
Thanks to a bug bounty program and the...
Meet the Safecracker of Last Resort
InfoSec News (Dec 18)
https://www.theatlantic.com/technology/archive/2018/12/professional-safecracker-reveals-his-craft/577897/
By Geoff Manaugh
The Atlantic
Dec 13, 2018
The house was gone, consumed by the November 2018 Woolsey Fire that left
swaths of Los Angeles covered in ash and reduced whole neighborhoods to
charcoaled ruins. Amidst the tangle of blackened debris that was once a
house in the suburbs northwest of Los Angeles, only one identifiable
feature...
GAO: Most agencies aren't sticking to the cybersecurity script
InfoSec News (Dec 18)
https://fcw.com/articles/2018/12/18/cyber-gao-report-johnson.aspx
By Derek B. Johnson
FCW.com
Dec 18, 2018
A new watchdog audit says that many big agencies aren't managing
cybersecurity risk by the book.
A Government Accountability Office report, largely based on
FISMA audits by agency inspectors general, found that 17 of 23 Chief
Financial Officer Act agencies are failing to effectively implement core
functions of the...
Firewall Wizards — Tips and tricks for firewall administrators
Revival?
Paul Robertson (Sep 11)
Since the last few attempts to revive the list have failed, I'm going to attempt a Facebook group revival experiment.
It'll be a bit broader in scope, but I'm hoping we can discuss technical security matters. The new group is
Security-Wizards on Facebook.
Paul
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Faraday Beta V3.0 Released
Francisco Amato (Jul 04)
Faraday helps you to host your own vulnerability management platform
now and streamline your team in one place.
We are pleased to announce the newest version of Faraday v3.0. In this
new version we have made major architecture changes to adapt our
software to the new challenges of cyber security. We focused on
processing large data volumes and on making it easier for the user to
interact with Faraday in its environment.
To install it you can...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
YSTS 13th Edition - CFP
Luiz Eduardo (Dec 18)
This is the official form to submit your paper to You sh0t the Sheriff 2019
Where: Sao Paulo, Brazil
When: May 27th, 2019
Call for Papers Open: November 28th, 2018
Call for Papers Close: February 28th, 2019
http://www.ysts.org
@ystscon
ABOUT THE CONFERENCE
You sh0t the Sheriff is a very unique, one-day event dedicated to
bringing cutting edge talks to the top-notch
professionals of the Brazilian Information Security Community.
The...
Re: CTFs
Kevin T. Neely (Dec 18)
If CTFs are both important AND they take away from the participants'
experience, why not have a day, or two, or even multiple half-days where
the CTF is the only thing going? SANS does this with Netwars. At other
events, I often find myself torn between either 1) talks, preparing and
presenting my own material, or, more commonly, after-hours events and 2)
the CTFs and contest-area content. CTFs take a lot of time and
concentration, so why...
The Reality Bubble of the VEP
Dave Aitel (Dec 18)
[image: IMG_20181205_123821.jpg]
So recently I went to a conference on vulnerability equities
<https://carnegieendowment.org/2018/12/05/international-policy-conference-on-government-vulnerability-management-event-7009>,
which I wanted to tell everyone about on this mailing list. Normally I
reserve this mailing list for technical conversations, and use the cyber
policy blog <https://cybersecpolitics.blogspot.com/> for policy talk, but...
Capstone disassembler v4.0 is out!
Nguyen Anh Quynh (Dec 18)
Greetings,
We are super excited to announce version 4.0 of Capstone disassembler
framework!
Exactly 5 years ago, on December 18th of 2013, we published the first
version. Today, this release 4.0 marks 5 years of our project! Such a long
journey, which is impossible without huge community support!
In no particular order, we would like to thank Thinkst Canary
<https://canary.tools/>, NowSecure <https://www.nowsecure.com/>, ECQ
<...
Re: CTFs
Jordan Wiens (Nov 20)
For more context for those that haven't seen it, here's the game we made
for the CTF:
https://sourcery.pwnadventure.com/
We're continuing our quest to make hacking a first-class video game
mechanic. Now, instead of hacking the game itself to win, you hack inside
the game using in-game elements.
Re: CTFs
Arun Koshy (Nov 20)
It's a reasonable posture to never go to cons with any devices that you
care about or that have actual telemetry on you or your org in any way. Not
sure why most of the industry does not follow the standard above.
Re: CTFs
Edward Prevost (Nov 20)
If I'm understanding correctly, you're proposing to set up a system, in its hardened state, and upon arrival all
attendees are made aware of the access particulars and details of said system, and then encouraged to assail it? If so,
this sounds great... kind of like "CommunityCrowdSourcing", for fun.
I'll note that the one thing that makes the CTF at DEFCON enjoyable for most observers is the graphical displays....
CTFs
Dave Aitel (Nov 19)
So at CSAW a couple weeks ago there was a CTF, and like most conferences,
it worked out well. I mean part of it is Vector35 doing their magic and a
set of players who had both skills and focus. (Vector35 will be back with a
bigger class at INFILTRATE this year!)
Anyways, I both love and hate CTFs and security conferences. At DEFCON I
find they're the only thing I really watch. But for most conferences I feel
like the people who should MOST...
Elephants and information leaks
Dave Aitel (Nov 14)
https://immunityproducts.blogspot.com/2018/11/recent-kernel-memory-disclosure-bugs-in.html
We don't usually detail publicly the amount of engineering that goes into a
CANVAS exploit. But above is a blogpost about some of our recent work. If
you are a CANVAS Early Update customer, the Windows effort is available for
download - otherwise if you are a CANVAS customer, you already have the
Linux exploit. :)
For various other reasons, I'm...
2019 Keynote: WINDOW SNYDER
Dave Aitel (Nov 13)
https://vimeo.com/135888545 - Andrew Cushman, 2012
I wanted to highlight how much I lie awake at night thinking about
keynotes. And I think we have a good record on them, if for no other reason
than we refuse to do the standard drill.
At other conferences, keynotes go to sponsors or to people you pay because
they are famous. I think a better way is to find the voices in industry
with something to say that they have not been able to say on a...
Quasi-Clans
Dave Aitel (Nov 07)
So we're announcing the INFILTRATE keynote tomorrow, and as I was on
vacation last week, sitting on a different beach from the beach I normally
sit on, I spent some time reflecting on what INFILTRATE really looks like,
you know, as part of my effort to "find myself" or whatever I was doing.
Honestly, what I was doing was reading this book on Quantum Mechanics
<https://www.goodreads.com/book/show/41832814-beyond-weird>....
probably known but FWIW
Richard Thieme (Nov 07)
*We have cracked GandCrab encryption in a joint effort with Europol, the
Romanian Police and the Federal Bureau of Investigations.*
The decryption tool is available for free on Bitdefender Labs
(https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
<...
RootedCON 2019 Call For Papers is open!
omarbv (Nov 07)
Wormy worms.
Dave Aitel (Oct 22)
https://www.youtube.com/watch?v=L96bfxIisq4
So I spent some time last week watching this talk, and a few of the other
Hack.lu talks. A large part of this talk is about a historical walkthrough
of both public work on the subject, and public examples of various worms
which operated as semi-parasitic patching cycles.
It left me with a lot of questions though:
- In the future, will all worms patch hosts as they move through, as a
form of...
INFILTRATE 2019 - How Far Is The Horizon?
Dave Aitel (Oct 18)
[image: IMG_20181016_075725-EFFECTS.jpg]
Come talk at INFILTRATE this year! CFP Here <http://infiltratecon.org/cfp/>.
Here is why you should:
- This is the only conference where the audience is other exploit writers
- You get a very valuable peer review of your talk, for free!
- Obviously we treat you well, pay your way, and even have profit
sharing on the conference
- We have the best food and venue of any security...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
BHIS Sorta Top Used Tools of 2018
John - Black Hills Information Security (Dec 06)
Free Webcast
Hello all,
For our next webcast we will cover some of the core tools we use all the time at Black Hills Information Security.
However, there will be a twist. We will not talk about Nessus, Nmap, or Metasploit. Why? Because there are a ton of new
(and older) tools we use that fall outside of the standard tools you see in every security book/blog out there.
Basically, we are trying to be edgy and different.
You may want to come...
BHIS Webcast - Tues 10/2 @ 11am MDT
John Strand - Black Hills Information Security (Sep 26)
Hello All,
In this next webcast I want to cover what I am doing with the BHIS Systems team to create a C2/Implant/Malware test
bed. Testing our C2/malware solutions is important because vendors tend to lie or over-hype their capabilities. I will
cross reference some different malware specimens to the MITRE ATT&CK framework and we will cover how you can use these
techniques to test your defensive solutions at both the endpoint and the...
BHIS Webcast: The PenTest Pyramid of Pain 9/4 - 11am MDT
Sierra - Black Hills Information Security (Aug 29)
Hello!
How are you all? We had a fantastic webcast last week with John Strand and Chris Brenton and we're still working
through some unexpected hiccups to get the recording up and posted. The podcast version is on our blog, and the YouTube
version will be posted shortly on the Active Countermeasures channel and blog as well. Thanks to all of you who
ventured over to attend!
Ready for another awesome BHIS webcast? Dakota is back and...
Webcast with CJ: Tues 7/24 at 11am
Sierra - Black Hills Information Security (Jul 19)
Our upcoming webcast will be about POLICY...
Did you check out when you heard “policy”? Policy can often seem like a drudgery, but it’s also an important and
potentially overlooked part of business and procedure; it’s the framework on which security is really built!
CJ, our COO and Head of Sales has experience writing, assessing and implementing policies for many different kinds of
companies. And if you are worried it will be dry and...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like to share with you, for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think it can
be of interest to newcomers to the world of analysis of malware,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with a password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Update Minor Revisions
Microsoft (Dec 11)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: December 11, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision
increment:
* CVE-2018-8172
Revision Information:
=====================
- CVE-2018-8172 | Visual Studio Remote Code Execution
Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Nov 14)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: November 14, 2018
********************************************************************
Summary
=======
The following CVEs and advisory have undergone a minor revision
increment:
* CVE-2018-8454
* CVE-2018-8552
* ADV990001
Revision Information:
=====================
- CVE-2018-8454 | Windows Audio Service...
Microsoft Security Update Minor Revisions
Microsoft (Oct 24)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 24, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision increment:
* CVE-2018-8512
Revision Information:
=====================
- CVE-2018-8512 | Microsoft Edge Security Feature Bypass
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 19)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 19, 2018
********************************************************************
Summary
=======
The following CVE has been added to the October 2018 Security updates:
* CVE-2018-8569
Revision Information:
=====================
- CVE-2018-8569 | Yammer Desktop Application Remote Code Execution
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 17)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 17, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2010-3190
Revision Information:
=====================
- CVE-2010-3190 | MFC Insecure Library Loading Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 9, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision increment:
* CVE-2018-8531
Revision Information:
=====================
- CVE-2018-8531 | Azure IoT Device Client SDK Memory Corruption
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************
Summary
=======
The following CVE has been added to the October 2018 Security updates:
* CVE-2018-8292
Revision Information:
=====================
- CVE-2018-8292 | .NET Core Information Disclosure Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************
Summary
=======
The following bulletin has undergone a major revision increment:
* MS11-025
Revision Information:
=====================
- https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-025:...
Microsoft Security Update Summary for October 9, 2018
Microsoft (Oct 09)
********************************************************************
Microsoft Security Update Summary for October 9, 2018
Issued: October 9, 2018
********************************************************************
This summary lists security updates released for October 9, 2018.
Complete information for the October 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.
Please note the...
Microsoft Security Update Releases
Microsoft (Oct 02)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 2, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-0952
Revision Information:
=====================
- CVE-2018-0952 | Diagnostic Hub Standard Collector Elevation of
Privilege Vulnerability
-...
Microsoft Security Advisory Notification
Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 12, 2018
********************************************************************
Security Advisories Released or Updated on September 12, 2018
===================================================================
* Microsoft Security Advisory ADV180022
- Title: Windows Denial of Service Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: September 12, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a minor revision increment:
* CVE-2018-8421
* CVE-2018-8468
Revision Information:
=====================
- CVE-2018-8421 | .NET Framework Remote Code Execution
Vulnerability...
Microsoft Security Update Summary for September 11, 2018
Microsoft (Sep 11)
********************************************************************
Microsoft Security Update Summary for September 11, 2018
Issued: September 11, 2018
********************************************************************
This summary lists security updates released for September 11, 2018.
Complete information for the September 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>....
Microsoft Security Update Releases
Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Update Releases
Issued: September 11, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-8154
Revision Information:
=====================
- CVE-2018-8154 | Microsoft Exchange Memory Corruption
Vulnerability
-...
Microsoft Security Advisory Notification
Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 11, 2018
********************************************************************
Security Advisories Released or Updated on September 11, 2018
===================================================================
* Microsoft Security Advisory ADV180002
- Title: Guidance to mitigate speculative execution...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Verizon: 1.5M of Contact Records Stolen, Now on Sale
Jeffrey Walton (Mar 26)
http://www.mobipicker.com/verizon-1-5m-contact-records-stolen-now-sale/:
A business-to-business telecommunication giant,
Verizon Enterprise Solutions, a Basking Ridge,
New Jersey-based company, has been the latest
victim of a cyber crime that stole 1.5 million contact
records of the customers of Verizon...
I don't quite understand this double talk. Could someone explain to me:
A spokesperson from Verizon said that...
Statement on Lavabit Citation in Apple Case
Jeffrey Walton (Mar 16)
(From John Young on another list):
http://www.facebook.com/KingLadar/posts/10156714933135038
As many of you already know, the government cited the Lavabit case in
a footnote. The problem is their description insinuates a precedent
that was never created. Obviously I was somewhat disturbed by their
misrepresentation. So I decided to draft a statement. And keep in
mind, these are the same people who say "trust us." Click continue to
read...
The NSA's back door has given every US secret to our enemies
Jeffrey Walton (Feb 29)
http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2
Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.
Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta-software...
Can Spies Break Apple Crypto?
Jeffrey Walton (Feb 27)
Here's an interesting exchange between Cryptome and Michael Froomkin,
Law Professor at University of Miami, on the All Writs Act
(http://cryptome.org/2016/02/can-spies-break-apple-crypto.htm):
-----
A. Michael Froomkin:
The factual posture in the key Supreme Court precedent, New York
Telephone, involved a situation where only the subject of the order
was capable of providing the assistance at issue. This is the basis
for Apple's...
The FBI's iPhone Problem: Tactical vs. Strategic Thinking
Jeffrey Walton (Feb 23)
http://www.technewsworld.com/story/83130.html
I'm an ex-sheriff, and I've been in and out of security jobs for much
of my life, so I've got some familiarity with the issues underlying
the drama between the FBI and Apple. FBI officials -- and likely those
in every other three-letter agency and their counterparts all over the
world -- would like an easier way to do their jobs. Wouldn't we all?
If they could put cameras in...
Wanted: Cryptography Products for Worldwide Survey
Jeffrey Walton (Jan 01)
(http://www.schneier.com/crypto-gram/archives/2015/1215.html):
In 1999, Lance Hoffman, David Balenson, and others published a survey
of non-US cryptographic products. The point of the survey was to
illustrate that there was a robust international market in these
products, and that US-only export restrictions on strong encryption
did nothing to prevent its adoption and everything to disadvantage US
corporations. This was an important contribution...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Chinese Malicious Cyber Activity
US-CERT (Dec 20)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Chinese Malicious Cyber Activity [
https://www.us-cert.gov/ncas/current-activity/2018/12/20/Chinese-Malicious-Cyber-Activity ] 12/20/2018 11:21 AM EST
Original release date: December 20, 2018
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released
information on Chinese government malicious cyber activity...
Cisco Releases Security Updates
US-CERT (Dec 19)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Cisco Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2018/12/19/Cisco-Releases-Security-Updates ] 12/19/2018 07:19 PM EST
Original release date: December 19, 2018
Cisco has released security updates to address a vulnerability in Adaptive Security Appliance. A remote attacker could
exploit this vulnerability to take control of an affected...
Microsoft Releases Security Updates
US-CERT (Dec 19)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Microsoft Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2018/12/19/Microsoft-Releases-Security-Updates ] 12/19/2018 05:32 PM EST
Original release date: December 19, 2018
Microsoft has released security updates to address a vulnerability in Internet Explorer 9, 10, and 11. An attacker
could exploit this vulnerability to take control of...
AR18-352A: Quasar Open-Source Remote Administration Tool
US-CERT (Dec 18)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System: AR18-352A: Quasar Open-Source Remote Administration Tool [
https://www.us-cert.gov/ncas/analysis-reports/AR18-352A ] 12/18/2018 12:42 PM EST
Original release date: December 18, 2018
Summary
Quasar, a legitimate open-source remote administration tool (RAT), has been observed being used maliciously by Advanced
Persistent Threat (APT) actors to facilitate network...
Bomb Threats Emailed Around the World
US-CERT (Dec 13)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Bomb Threats Emailed Around the World [
https://www.us-cert.gov/ncas/current-activity/2018/12/13/Bomb-Threats-Emailed-Around-World ] 12/13/2018 06:59 PM EST
Original release date: December 13, 2018
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure
Security Agency (CISA), is aware of a worldwide email...
WordPress Releases Security Update
US-CERT (Dec 13)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
WordPress Releases Security Update [
https://www.us-cert.gov/ncas/current-activity/2018/12/13/WordPress-Releases-Security-Update ] 12/13/2018 03:06 PM EST
Original release date: December 13, 2018
WordPress 5.0 and prior versions are affected by multiple vulnerabilities. An attacker could exploit some of these
vulnerabilities to take control of an affected system....
Google Releases Security Updates for Chrome
US-CERT (Dec 12)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Google Releases Security Updates for Chrome [
https://www.us-cert.gov/ncas/current-activity/2018/12/12/Google-Releases-Security-UIpdates-Chrome ] 12/12/2018 05:00 PM
EST
Original release date: December 12, 2018
Google has released Chrome Version 71.0.3578.98 for Windows, Mac, and Linux. This version addresses a vulnerability
that an attacker could exploit to take...
Microsoft Releases December 2018 Security Updates
US-CERT (Dec 11)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Microsoft Releases December 2018 Security Updates [
https://www.us-cert.gov/ncas/current-activity/2018/12/11/Microsoft-Releases-December-2018-Security-Updates ] 12/11/2018
04:11 PM EST
Original release date: December 11, 2018
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker could exploit
some of these...
Adobe Releases Security Updates
US-CERT (Dec 11)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Adobe Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2018/12/11/Adobe-Releases-Security-Updates ] 12/11/2018 11:10 AM EST
Original release date: December 11, 2018
Adobe has released security updates to address vulnerabilities in Adobe Acrobat and Reader. An attacker could exploit
some of these vulnerabilities to take control of an...
Mozilla Releases Security Updates for Firefox
US-CERT (Dec 11)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Mozilla Releases Security Updates for Firefox [
https://www.us-cert.gov/ncas/current-activity/2018/12/11/Mozilla-Releases-Security-Updates-Firefox ] 12/11/2018 11:13
AM EST
Original release date: December 11, 2018
Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. A remote attacker could
exploit some of these...
Adobe Releases Security Updates
US-CERT (Dec 06)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Adobe Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2018/12/06/Adobe-Releases-Security-Updates ] 12/06/2018 10:45 AM EST
Original release date: December 06, 2018
Adobe has released security updates to address vulnerabilities in Adobe Flash Player and Adobe Flash Player installer.
An attacker could exploit some of these vulnerabilities...
Apple Releases Multiple Security Updates
US-CERT (Dec 05)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Apple Releases Multiple Security Updates [
https://www.us-cert.gov/ncas/current-activity/2018/12/05/Apple-Releases-Multiple-Security-Updates ] 12/05/2018 07:53 PM
EST
Original release date: December 05, 2018
Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of
these vulnerabilities to take control...
Google Releases Security Updates for Chrome
US-CERT (Dec 04)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Google Releases Security Updates for Chrome [
https://www.us-cert.gov/ncas/current-activity/2018/12/04/Google-Releases-Security-Updates-Chrome ] 12/04/2018 03:25 PM
EST
Original release date: December 04, 2018
Google has released Chrome version 71.0.3578.80 for Windows, Mac, and Linux. This version addresses multiple
vulnerabilities that an attacker could exploit...
FTC Issues Alert on Recent Marriott Breach
US-CERT (Dec 04)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
FTC Issues Alert on Recent Marriott Breach [
https://www.us-cert.gov/ncas/current-activity/2018/12/04/FTC-Issues-Alert-Recent-Marriott-Breach ] 12/04/2018 01:10 PM
EST
Original release date: December 04, 2018
The Federal Trade Commission (FTC) has released an alert to provide affected users with recommended precautions against
identity theft after the recent...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
Use after free in monit / _handleEvent
Hanno Böck (Dec 23)
Hi,
There's a use after free in monit that shows up if you run it for a
while on an active system with address sanitizer enabled.
I reported this in august:
https://bitbucket.org/tildeslash/monit/issues/764/use-after-free-in-function-_handleevent
Fix is here:
https://bitbucket.org/tildeslash/monit/commits/5827927c4623
The fix is unreleased, the current version (5.25.2) is still affected.
Use after free in syslog-ng / affile_dw_reap()
Hanno Böck (Dec 22)
Hi,
The recently released syslog-ng 3.19.1 fixes a use after free bug.
ASAN error:
==7538==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000007770 at pc 0x7fc3a89069c8 bp 0x7ffd8099afd0
sp 0x7ffd8099afc0
READ of size 8 at 0x612000007770 thread T0
#0 0x7fc3a89069c7 in affile_dw_reap modules/affile/affile-dest.c:140
#1 0x7fc3ac21f563 in iv_run_timers...
[CVE-2018-17197] Apache Tika Denial of Service -- Infinite Loop in Tika's SQLite3Parser
Tim Allison (Dec 22)
[CVE-2018-17197] Apache Tika Denial of Service -- Infinite Loop in
Tika's SQLite3Parser
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache Tika 1.8 to 1.19.1
Description:
A carefully crafted or corrupt sqlite file can cause an infinite loop
in Apache Tika's SQLite3Parser in versions 1.8-1.19.1 of Apache Tika.
Mitigation:
Apache Tika users should upgrade to 1.20 or later.
Credit:
This issue was...
CVE-2018-6954: systemd-tmpfiles root privilege escalation by following non-terminal symlinks
Michael Orlitzky (Dec 21)
Product: systemd (tmpfiles)
Versions-affected: 239 and earlier
Author: Michael Orlitzky
Fixed-in: v240
Bug-report: https://github.com/systemd/systemd/issues/7986
Acknowledgments:
Franck Bui of SUSE put forth a massive amount of effort to fix this,
and Lennart Poettering consistently provided timely reviews over the
course of a few months.
== Summary ==
Before version 240, the systemd-tmpfiles program will follow symlinks
present in a...
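The class of bug in the title, a privileged program that resolves a path and follows a symlink sitting in a non-terminal component, is avoided by opening the path one component at a time and refusing any component that turns out to be a symlink. The walk below is an added example written for this page, not systemd's code; the helper name open_nofollow_walk, the temporary-directory fixture and the return codes are all assumptions made for the demonstration, and the O_PATH fallback value is the Linux one.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_PATH            /* Linux-only flag; value from <asm/fcntl.h> */
#define O_PATH 010000000
#endif

/* Walk `path` below `dirfd` one component at a time (hypothetical helper for
 * this example). Each component is opened with O_PATH|O_NOFOLLOW and then
 * fstat'ed: an O_PATH open of a symlink succeeds and refers to the link
 * itself, so the S_ISLNK test is what actually refuses it. Returns an O_PATH
 * fd for the final component, or -1 with errno set: ELOOP for a symlink in
 * any component, EINVAL for "..", which would let a caller climb out of dirfd. */
static int open_nofollow_walk(int dirfd, const char *path)
{
    char *copy = strdup(path);
    if (!copy) return -1;
    int cur = openat(dirfd, ".", O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (cur < 0) { free(copy); return -1; }
    char *save = NULL;
    for (char *comp = strtok_r(copy, "/", &save); comp;
         comp = strtok_r(NULL, "/", &save)) {
        if (strcmp(comp, ".") == 0) continue;
        int next = -1, err = EINVAL;
        if (strcmp(comp, "..") != 0) {
            next = openat(cur, comp, O_PATH | O_NOFOLLOW | O_CLOEXEC);
            err = errno;
        }
        close(cur);                       /* descend: drop the parent handle */
        if (next < 0) { free(copy); errno = err; return -1; }
        struct stat st;
        if (fstat(next, &st) < 0 || S_ISLNK(st.st_mode)) {
            close(next); free(copy); errno = ELOOP; return -1;
        }
        cur = next;
    }
    free(copy);
    return cur;
}

/* Constructed fixture: safe/target is a regular file and evil/link is a
 * symlink to safe, so evil/link/target reaches the file through a
 * non-terminal symlink. Returns 0 when a plain openat() follows the link,
 * the walk refuses it with ELOOP, and the symlink-free path still opens. */
int run_demo(void)
{
    char root[] = "/tmp/nofollow-demo-XXXXXX";
    if (!mkdtemp(root)) return 1;
    int rfd = open(root, O_PATH | O_DIRECTORY);
    if (rfd < 0) return 2;
    int rc = 0, fd;
    if (mkdirat(rfd, "safe", 0755) || mkdirat(rfd, "evil", 0755)) rc = 3;
    if ((fd = openat(rfd, "safe/target", O_WRONLY | O_CREAT | O_EXCL, 0644)) < 0) rc = 4;
    else close(fd);
    if (symlinkat("../safe", rfd, "evil/link")) rc = 5;
    if (rc == 0) {
        if ((fd = openat(rfd, "evil/link/target", O_RDONLY)) < 0) rc = 6;
        else close(fd);                   /* naive open silently followed the link */
        if ((fd = open_nofollow_walk(rfd, "evil/link/target")) >= 0) {
            close(fd); rc = 7;            /* the walk must refuse this path */
        } else if (errno != ELOOP) {
            rc = 8;
        }
        if ((fd = open_nofollow_walk(rfd, "safe/target")) < 0) rc = 9;
        else close(fd);                   /* a path without symlinks still works */
    }
    unlinkat(rfd, "evil/link", 0);
    unlinkat(rfd, "safe/target", 0);
    unlinkat(rfd, "evil", AT_REMOVEDIR);
    unlinkat(rfd, "safe", AT_REMOVEDIR);
    close(rfd);
    rmdir(root);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("%s (rc=%d)\n", rc ? "unexpected result" : "symlinked component refused", rc);
    return rc;
}
```

The O_PATH descriptor the walk returns can then be passed to the *at() calls (or addressed through /proc/self/fd) to apply ownership or permissions, so the object acted on is exactly the one that was checked, with no re-resolution of the path in between.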
sqlite: CVE-2018-20346: integer overflow (resulting in buffer overflow) for FTS3 queries
Salvatore Bonaccorso (Dec 21)
Hi
MITRE has assigned CVE-2018-20346 to the vulnerabilities called "Magellan".
The description in the CVE database reads as:
below some references for the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1659379
https://bugzilla.redhat.com/show_bug.cgi?id=1659677
https://www.mail-archive.com/sqlite-users () mailinglists sqlite org/msg113218.html
https://blade.tencent.com/magellan/index_en.html...
[CVE-2018-11799] Apache Oozie security vulnerability
Gézapeti Cseh (Dec 19)
CVE-2018-11799: Apache Oozie security vulnerability
Severity: 8.7 (High) (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Vendor: The Apache Software Foundation
Versions Affected: Oozie versions earlier than 5.1.0
Description: A malicious user can construct an XML that results in workflows
running in another user's name.
Mitigation: Upgrade to Apache Oozie 5.1.0
Credit: This issue was discovered by
*Satish Subhashrao Saley at Oath / Yahoo!*...
Additional context information about RedHat's announcement of CVE-2018-5742
ISC Security Officer (Dec 19)
Hello --
Internet Systems Consortium would like to provide packagers and
redistributors of our software some additional context concerning
CVE-2018-5742, which was announced yesterday by RedHat, affecting
some BIND packages in RedHat and CentOS.
Their disclosure of the issue can be found via this page:
https://access.redhat.com/security/cve/cve-2018-5742
and more information can be found in their respective bug trackers:...
CVE-2018-16884: Linux kernel: nfs: use-after-free in svc_process_common()
Vladis Dronov (Dec 19)
Hello,
A flaw was found in the Linux kernel in the NFS4 subsystem. NFS41+ shares mounted
in different network namespaces at the same time can make bc_svc_process() use wrong
back-channel id and cause a use-after-free. Thus a malicious container user can cause
a host kernel memory corruption and a system panic. Due to the nature of the flaw,
privilege escalation cannot be fully ruled out.
The CVE-2018-16884 id was assigned to this flaw and...
CVE-2018-20126 QEMU: pvrdma: memory leakage when creating cq/qp
P J P (Dec 19)
Hello,
A memory leakage issue was found in QEMU's implementation of VMWare's
paravirtual RDMA device. It could occur while creating CQ/QP ring objects in
create_cq/qp() routines, as it did not free ring objects' memory in case of an
error.
A guest user/process could use this flaw to leak host memory resulting in DoS.
Upstream patch:
---------------
->...
CVE-2018-20125 QEMU: pvrdma: null dereference or excessive memory allocation when creating QP/CQ
P J P (Dec 18)
Hello,
A Null pointer dereference issue was found in QEMU's implementation of
VMWare's paravirtual RDMA device. It could occur while creating CQ/QP ring
objects in pvrdma_ring_init() routine.
A guest user/process could use this flaw to crash QEMU process or allocate
excessive memory on host resulting in DoS.
Upstream patch:
---------------
-> https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02823.html
This issue...
CVE-2018-20216 QEMU: pvrdma: infinite loop in pvrdma_qp_send/recv
P J P (Dec 18)
Hello,
An infinite loop issue was found in QEMU's implementation of VMWare's
paravirtual RDMA device. It could occur while transferring QP ring objects'
data in pvrdma_qp_send/recv functions.
A guest user/process could use this flaw to cause infinite loop resulting in
DoS.
Upstream patch:
---------------
-> https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03052.html
This issue was reported by Li Qiang....
Re: CVE-2018-16882 Kernel: KVM: nVMX: use after free in posted interrupt processing
P J P (Dec 18)
Hello Alex,
+-- On Tue, 18 Dec 2018, Alex Gaynor wrote --+
| Can you say more about why this is only a DoS? The commit message sounds (to
| someone with little domain expertise in KVM) like a fairly traditional
| pattern for an exploitable for code exec uaf.
That's right, it does have potential for more misuse, though it may not be as
easy. I failed to mention that earlier.
Thank you.
Re: CVE-2018-16882 Kernel: KVM: nVMX: use after free in posted interrupt processing
Alex Gaynor (Dec 18)
Can you say more about why this is only a DoS? The commit message sounds
(to someone with little domain expertise in KVM) like a fairly traditional
pattern for an exploitable for code exec uaf.
Cheers,
Alex
CVE-2018-16882 Kernel: KVM: nVMX: use after free in posted interrupt processing
P J P (Dec 18)
Hello,
A use after free issue was found in the way Linux kernel's KVM hypervisor
processed posted interrupts, when nested(=1) virtualization is enabled. In
nested_get_vmcs12_pages(), in case of an error while processing posted
interrupt address, it unmaps the 'pi_desc_page' without resetting the 'pi_desc'
descriptor address, which is later used in pi_test_and_clear_on().
A guest user/process could use this flaw to...
Re: CVE-2018-20124 QEMU: rdma: OOB access when building scatter-gather array
P J P (Dec 18)
+-- On Tue, 18 Dec 2018, saar amar wrote --+
| I'm wondering why it says "DOS" and not "execute arbitrary code on the host,
| in the context of the QEMU process"? I have stack overflow, it pretty clear
| I could gain more than simple DOS:)
|
| What do your day?
IIUC, it's likely to corrupt adjacent stack variables and/or hit stack canary
resulting in DoS. The scatter/gather entry object(struct ibv_sge) holds...
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Silver Bullet 123: Yanek Korff
Gary McGraw (Jul 06)
hi sc-l,
The latest installment of Silver Bullet was posted this morning. Silver Bullet episode 123 features a conversation
with Yanek Korff. Yanek worked for many years at Cigital as a system administrator back in the early days. He then
moved on to operational security work at AOL and running managed security services at Mandiant.
We talk about managing technical people in this episode. We also discuss operational security. Have a...
Educause Security Discussion — Securing networks and computers in an academic environment.
Re: Wifi Calling and e911
Mccormick, Kevin (Dec 21)
Hello Jim and Jeff,
I do not think that should be your responsibility to have a policy, but
that of the carrier or application that is doing the WiFi calling.
I use Republic Wireless which is a WiFi based phone service. All calls go
over WiFi if available, then cellular which is backwards of traditional
cellular.
They have policies and terms for their service.
https://republicwireless.com/legal/911-and-e911-service-limitations/
Google Fi...
Log Management as a Managed Service
Hudson, Edward (Dec 21)
Team,
We are in the process of moving to centralized log management across our 23-campus system. We have already selected the
software platform (LogRhythm) but are considering vendors who can manage the platform (cloud hosted), provide the
threat analysis and SIEM-type functions. We have a couple of proposals but in the interest of not predisposing folks
I won’t disclose them publicly. I would be interested in hearing any plus/deltas...
Re: Get Involved with the 2019 SANS Security Awareness Survey
Valerie Vogel (Dec 21)
The deadline to complete the 2019 SANS Security Awareness Survey is today (Fri., Dec. 21)!
https://survey.sans.org/jfe/form/SV_4UZfNorPzzXlfr7
We appreciate your responses on behalf of the higher ed community.
Happy holidays!
Valerie
Valerie Vogel
Interim Director, Cybersecurity Program
EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | Follow HEISC on
LinkedIn<...
Re: Wifi Calling and e911
Koerber, Jeff (Dec 21)
They see a disclaimer explaining it when they activate it from their phone. I don’t see why we would need a disclaimer
because we have little to do with it because it is a service offered through their provider. We educate students about
WiFi calling and explain this. It’s better for them to be able to call and not be located than not to be able to call
at all.
Also, you can install cell phone repeaters to avoid your students using WiFi...
Re: Wifi Calling and e911
Julian Y Koh (Dec 20)
Our network manager brought this to me this morning. Seems that wifi calling is getting more pervasive on our network
which raises the concern with being able to locate someone in trouble if they are using wifi calling. Do any of you
have policies or notices or feel the need for them to set up a disclaimer if someone calls 911 and cannot be located?
Carrier-based Wi-Fi calling has its own set of disclaimers and warnings surrounding 911 and...
Wifi Calling and e911
Pardonek, Jim (Dec 20)
Our network manager brought this to me this morning. Seems that wifi calling is getting more pervasive on our network
which raises the concern with being able to locate someone in trouble if they are using wifi calling. Do any of you
have policies or notices or feel the need for them to set up a disclaimer if someone calls 911 and cannot be located?
Thanks and Merry Christmas!
Jim
James Pardonek, MS, CISSP, CEH, GSNA
Information Security...
Re: Secure Delete for Mac
Tim Doty (Dec 18)
The issue with SSD has been partially explained, but to be clear an SSD
works entirely differently from a spinning platter and brings entirely
different issues to the problem of data elimination and data recovery.
Wear leveling is only part of the picture, it really has to do with the
specifics of the implementation (such as zeroing applying to a whole
page while writes are always a pattern of ones and can apply to a single
sector, and the...
Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice
Shahra Meshkaty (Dec 17)
We run our phishing simulation through KnowBe4 every month as well.
Initially we dealt with some pushback, but because it has resulted in
building awareness, a lot fewer are falling prey and they are accepting it as a
useful tool. We do a phishing video with every new employee -- as part of HR
onboarding.
Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice
Kevin Wilcox (Dec 17)
OH! Sorry, I meant the faculty who may feel like InfoSec is trying to
"trick" them on a regular basis because of monthly phishing exercises. If
they get upset because InfoSec phishes monthly, I'm curious how often they
quiz or test their students.
kmw
Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice
Alexander Johnson (Dec 17)
The phishing simulations are sent out monthly.
The training is done on an annual basis (which contains video content AND quizzes)
Alexander Johnson
Network Administrator
Information Technology
o: 918.335.6295 m:918.332.6587
OKLAHOMA WESLEYAN UNIVERSITY
[visit our
website]<...
Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice
Kevin Wilcox (Dec 17)
How often do they have quizzes and/or exams?
kmw
Re: Internal Phishing Simulation Advice
Thomas Skill (Dec 17)
Ashley
At the University of Dayton, we have been phishing all faculty and staff on
a monthly basis for a couple years. When we began this process, we decided
that these efforts cannot be viewed by our community as a way to "shame or
blame" but rather as our way to "train and strengthen."
We carefully explained that the bad actors are extremely skilled and agile
at their craft of tricking users -- and that we, as a campus...
2019 Security Awareness Campaign Materials Now Available!
Valerie Vogel (Dec 17)
Greetings,
The 2019 Security Awareness Campaign materials are now available!
You can read the overview blog, which provides links to the 12 new blogs:
https://er.educause.edu/blogs/2018/12/security-awareness-made-simple-2019-security-awareness-campaign-materials
You’ll also find the new content on our Awareness Campaigns page:...
Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice
Michael Duff (Dec 17)
At Stanford, we conduct weekly simulated phishing campaigns for all employees -- see
phishing.stanford.edu<http://phishing.stanford.edu>. My philosophy is that it needs to be frequent in order to provide
effective training, otherwise it's merely testing susceptibility.
Our phishing awareness program has been very successful thanks to our well planned advance communications and because
we position it as "no harm, no...
Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice
Alexander Johnson (Dec 17)
The simulation sends one email a month. The email itself varies; sometimes it's an obviously fake email from “Microsoft”,
other times it’s a tricky email from “Amazon”. The simulation is frustrating for some—because if they fail they are
automatically enrolled in additional training—the simulation itself is not cumbersome (you simply have to right-click
to report the email as phishing). We get some heat from those that click on...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: Spectrum technical contact
Aaron1 (Dec 23)
I’m glad you got it figured out with the right people at Spectrum. When I was setting up DDoS RTBH with my 3 ISPs, I
remember Spectrum (fka TWC/Charter) was difficult to get the right person on the phone to help me understand what I
needed to do. I had to go through layers of phone attendants and groups to get to someone who knew about DDoS RTBH.
Btw, I’ve wondered about using SP-neutral (agnostic) forms of DDoS RTBH... maybe Cymru...
Re: Spectrum technical contact
Seth Mattinen (Dec 23)
Yeah but you can't just call it "spectrum" because there's at least 3
totally different AS numbers that could be called that. Call them TWC or
by their AS number for faster results.
Re: Spectrum technical contact
Josh Luthman (Dec 22)
Got a hold of someone, finally! All you have to do, if it's done through
BGP, is set a community to 10796:666
This was setup as Time Warner Cable but is Spectrum today. The people I
spoke with had been with Time Warner Cable for years before the
acquisition/name change.
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
Re: Spectrum technical contact
Josh Luthman (Dec 22)
Attack is back on. If there's anyone out there that works at Spectrum and
can do a route change and hopefully share some info on BGP communities I
would greatly appreciate hearing from you.
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
RE: Spectrum technical contact
Tim Warnock (Dec 22)
Unless of course the point-to-point between spectrum and Josh is under attack...?
Re: Spectrum technical contact
Aaron1 (Dec 22)
That’s where you confuse me Josh, if you do BGP with them wouldn’t it be your advertisement to them that’s causing them
to route to you. In other words, aren’t they only routing packets to you for prefixes that you advertise via BGP to
them?
Aaron
Re: Spectrum technical contact
Mike Hammett (Dec 22)
Did you try their NOC on their PeeringDB page? https://www.peeringdb.com/net/2144
-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP
----- Original Message -----
From: "Josh Luthman" <josh () imaginenetworksllc com>
To: "NANOG list" <nanog () nanog org>
Sent: Friday, December 21, 2018 3:51:10 PM
Subject: Spectrum technical contact
We have had a DOS attack...
Re: Spectrum technical contact
Josh Luthman (Dec 22)
They don't do communities to my knowledge. At this point they won't do
anything unless I'm public safety.
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
Re: Spectrum technical contact
Josh Luthman (Dec 22)
The IP is their routing to me. It's not BGP.
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
Re: Spectrum technical contact
Ahad Aboss (Dec 22)
Your upstream should have provided you with a BGP blackhole community where
you tag your /32 and they propagate the BGP BH to all their upstream
providers.
Re: Spectrum technical contact
Jason Canady (Dec 22)
Your upstream provider is null routing it when you send them the command via BGP, no longer filling your pipe.
Re: Spectrum technical contact
Josh Luthman (Dec 22)
But if they route it to me and I null it, the traffic is already filling my
pipe (which is my issue).
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
Re: Spectrum technical contact
Jason Canady (Dec 22)
The /32 should override any static route they are sending you with a
larger prefix.
Jason Canady
Unlimited Net, LLC
Responsive, Reliable, Secure
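The mechanics the thread circles around, a /32 tagged with the upstream's blackhole community (10796:666, per Josh's later post) winning over the static route Jason mentions because it is the more specific prefix, modelled in C as an added example. This is not code from any poster or from Spectrum; the RIB, the 203.0.113.0/24 customer block, the next-hop labels and the function names are constructed for the demonstration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "a.b.c.d/len" (or a bare address, taken as /32) into a host-order
 * network number and prefix length. Returns 0 on success. */
static int parse_prefix(const char *text, uint32_t *net, int *plen)
{
    char buf[32];
    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    char *slash = strchr(buf, '/');
    int len = 32;
    if (slash) { *slash = '\0'; len = atoi(slash + 1); }
    if (len < 0 || len > 32) return -1;
    struct in_addr a;
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    uint32_t mask = len ? 0xffffffffu << (32 - len) : 0;
    *net = ntohl(a.s_addr) & mask;
    *plen = len;
    return 0;
}

static int covers(uint32_t net, int plen, uint32_t addr)
{
    uint32_t mask = plen ? 0xffffffffu << (32 - plen) : 0;
    return (addr & mask) == net;
}

struct route { const char *prefix; const char *next_hop; };

/* Longest-prefix match over a small RIB. The most specific matching entry
 * wins, which is why a /32 pointing at the discard interface overrides the
 * /24 static route that sends the customer's block down the link. */
const char *lpm_lookup(const struct route *rib, size_t n, const char *ip)
{
    uint32_t addr; int ignored;
    if (parse_prefix(ip, &addr, &ignored)) return NULL;
    const char *best = NULL; int best_len = -1;
    for (size_t i = 0; i < n; i++) {
        uint32_t net; int plen;
        if (parse_prefix(rib[i].prefix, &net, &plen)) continue;
        if (covers(net, plen, addr) && plen > best_len) {
            best = rib[i].next_hop; best_len = plen;
        }
    }
    return best;
}

/* Pre-flight check before a blackhole route is announced: it must be a host
 * route (/32), fall inside one of our own allocations so we cannot blackhole
 * someone else's address, and carry exactly the community the upstream
 * documented (10796:666 in the thread; RFC 7999 defines the well-known
 * BLACKHOLE community 65535:666, but only an upstream that honours it helps). */
int rtbh_announcement_ok(const char *prefix, const char *community,
                         const char *upstream_community,
                         const char *const *own, size_t n_own)
{
    uint32_t net; int plen;
    if (parse_prefix(prefix, &net, &plen) || plen != 32) return 0;
    if (strcmp(community, upstream_community) != 0) return 0;
    for (size_t i = 0; i < n_own; i++) {
        uint32_t onet; int olen;
        if (parse_prefix(own[i], &onet, &olen) == 0 && covers(onet, olen, net))
            return 1;
    }
    return 0;
}

/* Constructed data: 203.0.113.0/24 stands in for the customer's block and
 * 203.0.113.7 for the address under attack (documentation ranges). */
const char *const demo_own[] = { "203.0.113.0/24" };
const struct route demo_rib[] = {
    { "0.0.0.0/0",      "transit"       },
    { "203.0.113.0/24", "customer-link" },   /* upstream's static route to us */
    { "203.0.113.7/32", "discard"       },   /* installed from our RTBH announcement */
};

int main(void)
{
    printf("announce 203.0.113.7/32 with 10796:666: %s\n",
           rtbh_announcement_ok("203.0.113.7/32", "10796:666", "10796:666", demo_own, 1)
               ? "ok" : "rejected");
    printf("203.0.113.7 -> %s, 203.0.113.8 -> %s\n",
           lpm_lookup(demo_rib, 3, "203.0.113.7"), lpm_lookup(demo_rib, 3, "203.0.113.8"));
    return 0;
}
```

The own-prefix check is the part worth keeping on a real router as an outbound prefix-list: the upstream will normally filter a blackhole announcement outside your allocation anyway, but rejecting it locally keeps a typo from taking down a neighbour's host and makes the point Aaron raised explicit, namely that only prefixes you are entitled to announce can be steered this way.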
Re: Spectrum technical contact
Josh Luthman (Dec 22)
I do BGP with them, but of course the issue is an IP that they route to me.
My issue is with ASN 10796
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
Re: Real-time BGP hijacking detection: ARTEMIS-1.0.0 just released
Hank Nussbacher (Dec 22)
So now expect BGP hijackers to announce /25s from here on in. They
generally adopt BCPs faster than providers.
-Hank
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
Just a reminder if any people are coming to Tokyo let me know and maybe we can have coffee etc.
Dave Farber (Dec 23)
Shinjuku Tokyo
-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915
Unsubscribe Now:
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-a538de84&post_id=20181223002235:BF7AD744-0672-11E9-83C3-98B40272DBF8
Powered by Listbox: https://www.listbox.com
🙏 There are 8 million poor Argentine children. Let's do something together
Escuchalo a Ricardo Darin (Dec 22)
Untitled document
1600 children are waiting for your help
Help us give them a tomorrow.
Click on the image...
Facebook and Google's Targeted Advertising Is Ruining the Internet and Breaking the World
Dave Farber (Dec 21)
https://motherboard.vice.com/en_us/article/xwjden/targeted-advertising-is-ruining-the-internet-and-breaking-the-world
Another reason "5G" is meaningless (in the US at least): advertising
Dave Farber (Dec 21)
Begin forwarded message:
> From: DV Henkel-Wallace <gumby () henkel-wallace org>
> Date: December 22, 2018 at 6:45:12 AM GMT+9
> To: David Farber <dave () farber net>
> Subject: Another reason "5G" is meaningless (in the US at least): advertising
>
> More nonsense from the carriers: get the phones to display 5G regardless of what technology is deployed. It's worked
> before, so why not? Instead...
Attn: HR Manager (Re: Manpower Requirements) - BMO
Farrukh Shaikh | S.A.Z Universal Links (Dec 21)
Dear Sir/Ma'am,
Hope you're doing well. We'd be pleased to know if your reputed company is in need of manpower/workers/staff for your
projects or for maintenance/operations of an existing setup.
Our recruiting agency (S.A.Z Universal Links) is an international recruitment and employment agency based in Pakistan.
The company was established in 2009. Our team offers high quality services to provide the best outcomes in the...
☼ Tanning + Hair Removal + 10% OFF
More information in the Newsletter (Dec 21)
Your mail client does NOT support HTML-format messages.
To view the content of the email correctly, COPY and PASTE the following URL
into your web browser (Chrome / Internet Explorer / FireFox / Safari)...
☺ Personal Checks Exchanged for Cash on the Spot $
Financial Cheq (Dec 21)
Your mail client does NOT support HTML-format messages.
To view the content of the email correctly, COPY and PASTE the following URL
into your web browser (Chrome / Internet Explorer / FireFox / Safari)...
The Amazon Alexa Eavesdropping Nightmare Came True
Dave Farber (Dec 20)
> https://gizmodo.com/the-amazon-alexa-eavesdropping-nightmare-came-true-1831231490
>
> The Amazon Alexa Eavesdropping Nightmare Came True
>
> An Amazon user in Germany recently requested data about his personal activities and inadvertently gained access to
> 1,700 audio recordings of someone he...
Get Ahead of the Season!!! -Discounts on Garden Tables!
Muebles de Madera & Jardín (Dec 20)
Your mail client does NOT support HTML-format messages.
To view the content of the email correctly, COPY and PASTE the following URL
into your web browser (Chrome / Internet Explorer / FireFox / Safari)...
☺ Personal Checks Exchanged for Cash on the Spot $
Financial Cheq (Dec 20)
Your mail client does NOT support HTML-format messages.
To view the content of the email correctly, COPY and PASTE the following URL
into your web browser (Chrome / Internet Explorer / FireFox / Safari)...
We're back to the 1930s politics of anger and, yes, appeasement
Dave Farber (Dec 20)
Begin forwarded message:
> From: Dewayne Hendricks <dewayne () warpspeed com>
> Date: December 20, 2018 at 7:02:14 PM GMT+9
> To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
> Subject: [Dewayne-Net] We're back to the 1930s politics of anger and, yes, appeasement
> Reply-To: dewayne-net () warpspeed com
>
> We’re back to the 1930s politics of anger and, yes, appeasement
> Echoes of...
KGRI Great Thinker Series – Cyber Civilization: Prologue – Cyber Civilization Research Center
Dave Farber (Dec 19)
https://www.ccrc.keio.ac.jp/prologue2018en/
FB sharing user's data may have violated an agreement with US gov't
Dave Farber (Dec 19)
Begin forwarded message:
> From: Kimi Wei <kimiwei88 () gmail com>
> Date: December 20, 2018 at 10:04:12 AM GMT+9
> To: David Farber <dave () farber net>
> Subject: FB sharing user's data may have violated an agreement with US gov't
>
> https://www.freepress.net/news/updates/facebook-violates-its-users-privacy-yet-again?fbclid=IwAR3vzF_fU7g9Wxv28IO3Mv-95lga5Q2xeyyLBVjdIyH46cPehnsK28T_kK8
>
> When...
Facebook defends
Dave Farber (Dec 19)
Facebook defends data-sharing after new report on partner deals | The Japan Times
https://www.japantimes.co.jp/news/2018/12/20/business/facebook-defends-data-sharing-new-report-partner-deals/?appsule=1&idfa=345AD11F-06FF-4308-B97F-69BE5AC9BC2A#.XBrxxneRWnM
] [By Ephrat Livni] "I was a contract worker in Google's caste system--and it wasn't pretty"
Dave Farber (Dec 18)
Begin forwarded message:
> From: Lauren Weinstein <lauren () vortex com>
> Date: December 19, 2018 at 13:35:25 GMT+9
> To: nnsquad () nnsquad org
> Subject: [ NNSquad ] [By Ephrat Livni] "I was a contract worker in Google's caste system--and it wasn't pretty"
>
>
> [By Ephrat Livni] "I was a contract worker in Google's caste
> system--and it wasn't pretty"
>
>...
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 30.97
RISKS List Owner (Dec 20)
RISKS-LIST: Risks-Forum Digest Thursday 20 December 2018 Volume 30 : Issue 97
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.97>
The current issue can also...
Risks Digest 30.96
RISKS List Owner (Dec 12)
RISKS-LIST: Risks-Forum Digest Wednesday 12 December 2018 Volume 30 : Issue 96
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.96>
The current issue can also...
Risks Digest 30.95
RISKS List Owner (Dec 08)
RISKS-LIST: Risks-Forum Digest Saturday 8 December 2018 Volume 30 : Issue 95
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.95>
The current issue can also...
Risks Digest 30.94
RISKS List Owner (Dec 03)
RISKS-LIST: Risks-Forum Digest Monday 3 December 2018 Volume 30 : Issue 94
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.94>
The current issue can also be...
Risks Digest 30.93
RISKS List Owner (Dec 01)
RISKS-LIST: Risks-Forum Digest Saturday 1 November 2018 Volume 30 : Issue 93
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.93>
The current issue can also...
Risks Digest 30.92
RISKS List Owner (Nov 21)
RISKS-LIST: Risks-Forum Digest Wednesday 21 October 2018 Volume 30 : Issue 92
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.92>
The current issue can also...
Risks Digest 30.91
RISKS List Owner (Nov 06)
RISKS-LIST: Risks-Forum Digest Tuesday 6 November 2018 Volume 30 : Issue 91
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.91>
The current issue can also be...
Risks Digest 30.90
RISKS List Owner (Nov 01)
RISKS-LIST: Risks-Forum Digest Thursday 2 November 2018 Volume 30 : Issue 90
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.90>
The current issue can also...
(no subject)
RISKS List Owner (Oct 30)
Subject: Risks Digest 30.89
RISKS-LIST: Risks-Forum Digest Tuesday 30 October 2018 Volume 30 : Issue 89
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information,...
(no subject)
RISKS List Owner (Oct 23)
Subject: Risks Digest 30.88
RISKS-LIST: Risks-Forum Digest Tuesday 23 October 2018 Volume 30 : Issue 88
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further...
Risks Digest 30.87
RISKS List Owner (Oct 19)
RISKS-LIST: Risks-Forum Digest Friday 19 October 2018 Volume 30 : Issue 87
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.87>
The current issue can also be...
Risks Digest 30.86
RISKS List Owner (Oct 11)
RISKS-LIST: Risks-Forum Digest Thursday 11 October 2018 Volume 30 : Issue 86
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.86>
The current issue can also...
Risks Digest 30.85
RISKS List Owner (Oct 02)
RISKS-LIST: Risks-Forum Digest Tuesday 2 October 2018 Volume 30 : Issue 85
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.85>
The current issue can also be...
Risks Digest 30.84
RISKS List Owner (Sep 28)
RISKS-LIST: Risks-Forum Digest Friday 28 September 2018 Volume 30 : Issue 84
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.84>
The current issue can also...
Risks Digest 30.83
RISKS List Owner (Sep 13)
RISKS-LIST: Risks-Forum Digest Thursday 13 September 2018 Volume 30 : Issue 83
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.83>
The current issue can also...
BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.
Caribou Coffee chain announces card breach impacting 239 stores
Inga Goddijn (Dec 21)
https://www.zdnet.com/article/caribou-coffee-chain-announces-card-breach-impacting-239-stores/
US coffee store chain Caribou Coffee announced a security breach today
after it discovered unauthorized access of its point of sale (POS) systems.
The company listed 239 stores of its total 603 locations as impacted, which
roughly amounts to 40 percent of all its sites.
All customers who used a credit or debit card at one of the affected stores...
What Is Cyber Threat Intelligence And Why You Should Care About It?
Destry Winant (Dec 21)
https://ceoworld.biz/2018/12/20/what-is-cyber-threat-intelligence-and-why-you-should-care-about-it/
Today, it seems that cybersecurity is one of the hottest topics out
there. All you need to do is turn on your computer or TV screen, and
you’ll likely hear another news story about some group of anonymous
hackers who’ve infiltrated and compromised a major company’s valuable
customer information.
That being said, data protection and online...
Patched Click2Gov Flaw Still Afflicting Local Govs
Destry Winant (Dec 21)
https://threatpost.com/patched-click2gov-flaw-still-afflicting-local-govs/140109/
Local governments aren’t updating the vulnerable systems.
A vulnerability in a popular municipality payment software, Click2Gov,
has left hundreds of thousands of civilian payment cards compromised –
and the hacks are ongoing, a new report found.
Continual breaches of the vulnerable software have led to the
compromise of at least 294,929 payment cards across...
Why are some vulnerabilities disclosed responsibly while others are not?
Destry Winant (Dec 21)
https://www.helpnetsecurity.com/2018/12/20/vulnerability-disclosure-economics/
EU’s cybersecurity agency ENISA has delved into the problematics of
vulnerability disclosure and has released a report that addresses
economic factors, incentives and motivations that influence the
behaviour of the various vulnerability disclosure actors, as well as
two case studies of recently disclosed high-profile vulnerabilities
(Meltdown, Spectre, EternalBlue)...
Is Mapping Out Cyber Security Important?
Destry Winant (Dec 21)
https://www.entrepreneur.com/article/325099
Just flip through any newspaper and with all surety you will come
across the huge sum of money being siphoned in a newer kind of
cyber-attack. According to the Indian Computer Emergency Response Team
(CERT-In), 27482 cases of cybercrime were reported in a span of 6
months in 2018. As more people are going online, the cybercrime rate
through phishing, probing, virus, malicious code and ransomware has...
Chinese hackers charged with stealing data from NASA, IBM, and others
Destry Winant (Dec 21)
https://www.theverge.com/2018/12/20/18150275/chinese-hackers-stealing-data-nasa-ibm-charged
The Department of Justice (DOJ) has charged two Chinese nationals with
being part of a decade-long, government-sponsored global hacking
campaign that included the alleged theft of information from 45 US
tech companies and government agencies, including NASA’s Jet
Propulsion Laboratory and Goddard Space Flight Center.
The charges, announced after the US...
Email-Related Breaches: Why Are There So Many?
Destry Winant (Dec 20)
https://www.databreachtoday.com/email-related-breaches-are-there-so-many-a-11876
Several recent health data breaches point to the need to better
mitigate the risks posed by email.
Security gaps and user mishaps are the culprits in many of these
breaches. But implementing the right technologies and best practices
can help reduce the risks, security experts advise.
Phishing email attacks often lead to incidents involving ransomware
and other...
The 10 Biggest U.S. Healthcare Data Breaches of 2018
Destry Winant (Dec 20)
https://healthitsecurity.com/news/the-10-biggest-u.s.-healthcare-data-breaches-of-2018
The threat landscape has continued to evolve throughout the year, with
hackers ramping up targeted, sophisticated attacks. Ransomware
continued to target the healthcare sector, while phishing attacks and
insider errors led to some of the biggest breaches in 2018.
The good news is that awareness continues to increase within the
healthcare sector. However,...
How hackers are bypassing two-factor authentication
Destry Winant (Dec 20)
https://www.pocketables.com/2018/12/how-hackers-are-bypassing-two-factor-authentication.html
My guess is this will be the big news story in the next few days of
how two factor authentication is broken. It’s not, but you know the
news.
The rundown is that hackers are now creating phishing websites that
ask for your credentials (the usual,) and when the two factor
authentication is required they simply trigger a request to Google or
whatever...
Three Ways to Mitigate Your Company’s Data Risk in 2019
Destry Winant (Dec 20)
http://www.dataversity.net/three-ways-mitigate-companys-data-risk-2019/
Entrepreneurs are natural risk takers, and risk is necessary to grow a
business. But some risks are out of a business leader’s control and
these outside forces must be considered for the overall longevity and
survivability of a business.
Catastrophic events that include earthquakes, tsunamis, volcanoes,
hurricanes and wildfires seem to be increasing in intensity....
NASA discloses data breach
Destry Winant (Dec 19)
https://www.zdnet.com/article/nasa-discloses-data-breach/
The US National Aeronautics and Space Administration (NASA) admitted
today to getting hacked earlier this year.
In an internal memo sent to all employees, the agency said that an
unknown intruder gained access to one of its servers storing the
personal data of current and former employees. Social Security numbers
were also compromised, NASA said.
The agency said it discovered the hack...
What Makes A Cyber Data Breach Expensive?
Destry Winant (Dec 19)
https://www.corporatecomplianceinsights.com/what-makes-a-cyber-data-breach-expensive/
The Real Costs to Companies
People get emotional over cyber data breaches, and the media loves to
report on the latest hack attack that exposed millions of users’
information. Other than reputational damage (which is quickly
forgotten, given the 24/7 news cycle), why should risk managers,
executives and business owners care? Because it’s expensive. So...
Cybersecurity breaches will soon reverberate all the way up to the board level
Destry Winant (Dec 19)
https://www.theglobeandmail.com/business/commentary/article-cybersecurity-breaches-will-soon-reverberate-all-the-way-up-to-the/
The topic of cybersecurity, understandably, causes a great deal of
uncertainty on corporate boards.
Technology is fast-moving, ever-changing and seemingly impossible to
stay ahead of. Furthermore, most board members have secured their
seats because they have valuable years of experience and expertise in
certain areas...
What tops the CISO’s Christmas list this year?
Destry Winant (Dec 19)
https://www.itproportal.com/features/what-tops-the-cisos-christmas-list-this-year/
As we move closer to December 25th, our thoughts are turning to
Christmas – whether we like it or not! But while most of us will be
winding down in anticipation of the festive break, IT security
practitioners will be busier than ever. Cyber-attacks continue to
increase in both scope and severity, with organisations facing an ever
widening range of security...
Social media exposure can increase the cost of a data breach
Destry Winant (Dec 19)
https://www.siliconrepublic.com/enterprise/social-media-data-breaches
A new study from Dublin City University shows that social media exposure
can exacerbate the negative impact of a data breach.
2018 has been a year dominated by data breaches. Companies from Facebook to
Google and Marriott all fell victim to data breaches in the past 12 months.
The incidents exposed personal information such as email addresses, credit
card and passport...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
nullcon se7en CFP is open
nullcon (Aug 25)
Dear Friends,
Welcome to nullcon se7en!
$git commit -a <sin>
<sin> := wrath | pride | lust | envy | greed | gluttony | sloth
nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world working on the next big thing in security
and request...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 05)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Re: USB documentation missing setup steps for Linux
Peter Wu (Dec 22)
Hi Miles,
These instructions might not apply to all distros. Fedora for example
seems to require one to add themselves to the "usbmon" group instead of
"wireshark". I have updated the page, feel free to edit it if you feel
it needs more clarification.
USB documentation missing setup steps for Linux
Miles (Dec 21)
This page is missing some critical details on configuring permissions:
https://wiki.wireshark.org/CaptureSetup/USB#Linux
Some of the missing details are available in another page.
https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Most_UNIXes
This page should be linked to from the USB page.
I was specifically missing the "add user to wireshark group" step, which is
found here:...
Re: Lua minimum version
Dario Lombardo (Dec 20)
Thanks, I figured it out myself. Just for the sake of completeness, I was
working on the fix, but I was beaten by (the almost identical patch by)
Gerald in
commit 060811713fa63e04cbed95af4e7720794a1bf3a6
Author: Gerald Combs <gerald () wireshark org>
Date: Tue Dec 18 08:30:27 2018 -0800
Lua: Fix compilation with Lua 5.1.
Re: Lua minimum version
Guy Harris (Dec 19)
IMO this is unproven.
Which is *itself* a mistake, as far as I'm concerned. Why should all calls to dofile()/loadfile() look in the
Wireshark configuration directories?
That's a *separate* problem; the bug in question is an issue with the "load Lua code" API, which, for better or worse,
is a separate API from the "do file I/O" API.
There's more than one place where we're getting bitten by the...
Re: Lua minimum version
Peter Wu (Dec 19)
CMake says:
* LUA (required version >= 5.1)
IMO that commit should be reverted, it extends the public Lua API just
to workaround an issue on Windows. We already override dofile/loadfile,
so I'm investigating whether that can be patched in an appropriate way.
(Aside from that there is also io.open, so the current fix is already
incomplete.)
Re: Unit tests for dissectors
Peter Wu (Dec 19)
Hi Atli,
The current test suite has some tests for core functionality (TCP
reassembly, decryption, display filters, etc.). Dissectors are not
thoroughly tested due to the sheer number of possible cases. Attaching
an unsanitized capture file for every possible dissector and subcases
would significantly increase the repository size and test suite runtime.
If you have a capture file for validation purposes, consider opening a
bug report and...
Re: Builds without PCAP fail the unit tests
Peter Wu (Dec 19)
Only one of the tests has been failing, the text2pcap one. It turns out
to be an issue where the -c option was not handled correctly when
ENABLE_PCAP=OFF. Proposed fix: https://code.wireshark.org/review/31130
Since the recent refactoring in the Python test suite, this is already
possible :-)
When running pytest, you will see the reason why certain tests are
skipped. From the above logs:
=========================== short test summary info...
Lua minimum version
Dario Lombardo (Dec 19)
Hi,
which is the lua minimum version supported?
The commit
commit 5953756305388724545f0df46d286be2f02c048a
Author: Guy Harris <guy () alum mit edu>
Date: Mon Dec 17 10:57:20 2018 -0800
Add routines to load Lua programs that assume the path is UTF-8 on
Windows.
used lua_load with 5 params, that was introduced in lua 5.2 (if I'm not
mistaken). Centos ships with lua 5.1, resulting in failing builds on that
platform that has...
Re: pcapng_write_session_header_block
Jaap Keuter (Dec 18)
Oh well ..... :)
Done, change pushed.
Thanks,
Jaap
Re: pcapng_write_session_header_block
Guy Harris (Dec 18)
Section, session, what's one consonant between friends? :-)
Yeah, it's just a typo. Please go ahead and rename the function.
pcapng_write_session_header_block
Jaap Keuter (Dec 18)
Hi list,
writecap/pcapio.h has a function pcapng_write_session_header_block() declaration, with matching definition in
writecap/pcapio.c
This name refers to a block that doesn’t exist in the pcap Next Generation Capture File Format(1)
The format does however contain a block called section header, which is what this function writes.
Therefore I propose to rename this function to match the actual block name.
Thanks,
Jaap
Re: Builds without PCAP fail the unit tests
Antoine d'Otreppe (Dec 18)
Yes, those are the tests I was referring to.
Well then it's all fine I guess. Thanks for clearing that up :)
Re: Builds without PCAP fail the unit tests
Guy Harris (Dec 18)
If by "the unit tests" you're referring to the tests in the "test" subdirectory of the source tree, this should not be
surprising, given that one of those tests is in test/suite_capture.py, and "capture" means "we test packet capturing".
If we're going to support running the unit tests on builds without libpcap/WinPcap/Npcap, we should have the test suite
somehow figure out whether Wireshark...
Builds without PCAP fail the unit tests
Antoine d'Otreppe (Dec 18)
Hi all,
Half of my builds, those without PCAP, failed recently on travis during the test step:
https://travis-ci.org/aspyct/wireshark/builds/469639514
(Mind you, they were broken before, but for a different reason).
The logs say, among other things:
"tshark: This version of TShark was not built with support for capturing packets."
Does that look familiar to anyone? Did I break something, or is it expected?
Regards,
Antoine
Re: Not hitting some breakpoints with CLion macOS
Anders Broman (Dec 18)
Hi,
Can you push the patch through gerrit?
Regards
Anders
From: Wireshark-dev <wireshark-dev-bounces () wireshark org> On Behalf Of Jan Venekamp
Sent: den 17 december 2018 19:36
To: wireshark-dev () wireshark org
Subject: Re: [Wireshark-dev] Not hitting some breakpoints with CLion macOS
Thank you for pointing to the line pragmas. It turns out CLion does not like these (or maybe there is some setting I
could not find).
After setting...
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: MD5 Checksum Discrepancy
Joel Esler (jesler) via Snort-sigs (Dec 23)
Thank you. Yes, possibly something messing with your checksums. Everything checks out here.
Sent from my iPhone
Re: MD5 Checksum Discrepancy
ivan ninichuck via Snort-sigs (Dec 23)
Hello,
Caught my attention so I check one for you. Might want to redo your
calcs, or double check your source for the sums. Just got
44c6f3bfc21549db8c205c8c18f0b55c snortrules-snapshot-29120.tar.gz.
MD5 Checksum Discrepancy
Tom Lenz via Snort-sigs (Dec 23)
Hello all,
After downloading the rule lists from the Snort download page, I
went to compare them to the posted MD5 checksums. However, none of the
checksums I generated for the registered rule lists matched the posted
checksums. I generated the following checksums for the registered rule
lists:
cd49001195e90ae69838c61fd0be6cc7 snortrules-snapshot-29120.tar.gz
1dfb051ea6ccfcca96b14ecf2bbef49c ...
SID:23262
James Lay via Snort-sigs (Dec 20)
Rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Banker variant outbound connection";
flow:to_server,established; content:"POST"; http_method; content:"|DE AD
BE EF|"; depth:4; fast_pattern; http_client_body; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, service http;...
Snort Subscriber Rules Update 2018-12-20
Research (Dec 19)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-ie rule sets
to provide coverage for emerging threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Subscriber Rules Update 2018-12-19
Research (Dec 19)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-ie,
file-other, file-pdf, indicator-compromise and server-webapp rule sets
to provide coverage for emerging threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Re: How to enable multi-threading with Snort 3.0 Beta?
Li, Charlie (Dec 19)
After specifying two pcaps and setting up core affinity, now I can see two cores evenly loaded. Here is the command
/usr/local/snort/bin/snort --warn-all --plugin-path /usr/local/snort/lib --daq dump --daq-var load-mode=read-file
--daq-var output=none -H -Q -A csv -c snort.lua -r /media/ramdisk/get250.pcap -r /media/ramdisk/get250a.pcap -z 2 --lua
'process = { threads = { { thread = 0, cpuset = '\''1'\'' },...
Re: How to enable multi-threading with Snort 3.0 Beta?
Carter Waxman (cwaxman) via Snort-users (Dec 19)
A few things then:
The abcip daq lets you read the abcip script directly (--daq abcip -r get250.abc). This probably isn’t what you want if
you want inline processing.
Specify multiple inputs as such: -r get250_1.abc -r get250_2.abc -r get250_3.abc
The same concept applies for pcaps
From the perspective of splitting the abcip files, keep each complete conversation (keyed by ports, ip, transport
protocol) in one piece and distribute them...
Re: How to enable multi-threading with Snort 3.0 Beta?
Li, Charlie (Dec 19)
Thanks Carter,
The pcap file (get250.pcap) was generated by abcip and I don’t think it can be split by flows.
Did you mean that if the pcap has multiple flows, then snort will automatically use multiple cores?
1. Do you know where I can download a public pcap that has multiple flows?
2. Or show me how to specify multiple input pcaps?
Regards,
Charlie Li
From: Carter Waxman (cwaxman) <cwaxman () cisco com>
Sent: Wednesday,...
Re: How to enable multi-threading with Snort 3.0 Beta?
Carter Waxman (cwaxman) via Snort-users (Dec 19)
How are you capturing that pcap? Are you able to split by flows (be careful doing this if you want visibility into
multi-channel protocols like ftp or sip)? We currently don’t have internal load balancing but can take advantage of
multiple input streams, either by specifying multiple input pcaps or multiple input interfaces with load-balancing
before reaching snort. Look into using afpacket w/ fanout=hash for kernel hash load balancing if...
Snort with GRE Tunnel/ERSPAN
Rajput, Jawad (CONTR) via Snort-devel (Dec 19)
Good Morning,
I have a question about Snort 2.9.9.0 GRE (Build 56) compatibility with ERSPAN/GRE Tunnel. Snort is not generating any
events while fed with ERSPAN. We can see data on the listening interface but Snort is not generating any events. We had
the same issue with Bro but we fixed it by editing ini-bare.bro file and changed from encap_hdr_size = 0 line to
encap_hdr_size = 44. My question is there a way to ignore first N bytes while...
How to enable multi-threading with Snort 3.0 Beta?
Li, Charlie (Dec 19)
Hi All,
I just moved from Snort 2.9.x to 3.0 Beta to take advantage of multi-threading.
By default, Snort 3.0 Beta uses a single thread, that snort.-z = 1.
I have tried to set -z to 4, but it still uses only one core. Here is the command I used
/usr/local/snort/bin/snort --warn-all --plugin-path /usr/local/snort/lib --daq dump --daq-var load-mode=read-file
--daq-var output=none -H -Q -A csv -c snort.lua -r /media/ramdisk/get250.pcap -z 4...
snort2 to write log in human readable format
Divyanshu Banerjee via Snort-users (Dec 18)
Dear members,
How to write and store the log automatically of snort 2.9.12 in human
readable format.
Thanks
Re: Snort3: builtin rules: how change action?
Victor Roemer via Snort-users (Dec 18)
So `snort --dump-builtin-rules > builtin.rules` will give you a list of
rules, you can change the action from `alert` to `block`. You really
have to decide on which you wish to block yourself.
From there you'll have to include `builtin.rules` in your snort.lua.
Re: WAN IPS + LAN Snort IDS: Signature events visible on both sides?
Al Lewis (allewi) via Snort-users (Dec 18)
Not sure I understand the question, but the signature/event packet that alerts probably won't have the reset.
Have you tried capturing the traffic (with another tool) or tagging the snort event (to see traffic around the time of
alert)?
If you run snort inline (i.e afpacket) you can dump the daq to see the traffic handled. You may see the reset packet
there.
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco...
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.