SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not found on any web site—not even Insecure.Org. No, the cutting edge in security research is and will continue to be the full disclosure mailing lists such as Bugtraq. Here we provide web archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects.
More detailed documentation of each verbosity level
Peng Yu (Feb 09)
Hi,
The man page does not clearly document what each verbosity level
exactly entails. Could anybody explain what additional info is shown
at each higher verbosity level? How many levels are there in total? Thanks.
-v (Increase verbosity level), -vlevel (Set verbosity level)
Increases the verbosity level, causing Nmap to print more
information about the scan in progress. Open ports are shown as
they are found...
[PATCH] Ncat: match traditional and OpenBSD netcat behaviour of terminating on EOF
Tobias Girstmair (Feb 07)
Hi people and apologies for the unwieldy title!
Right now, Ncat keeps running when the remote end closes the connection.
Only when the client pushes more bytes into Ncat does it fail with "Broken
pipe." For example, this makes it impossible to wrap Ncat in a
while-loop to keep reconnecting.
Here is a simple PoC of the problem:
- run `ncat -l 1234` in one terminal and `nc ::1 1234` in another.
- ^C the listen-mode ncat.
- hit...
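As an added illustration of the semantics the patch above asks for (example Python written for this page, not Ncat's code and not anything from the thread): a client that treats a zero-length recv() as the remote end hanging up and returns, which is exactly what makes a "keep reconnecting" while-loop possible. The throwaway server thread on 127.0.0.1 (ephemeral port), the session count and the greeting payload are all constructed for the demo and stand in for the remote end that closes the connection.

```python
"""Reconnect-on-EOF client loop (added example, not from the Nmap project)."""
from __future__ import annotations

import socket
import threading

SESSIONS = 3                                  # assumption: the peer will hang up on us this many times
GREETING = b"hello from the other side\n"    # constructed payload the peer sends before closing


def start_closing_server(sessions: int = SESSIONS) -> tuple[str, int, threading.Thread]:
    """Stand-in for the remote end: accept `sessions` connections, send GREETING, close each."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                # port 0: let the kernel pick a free one
    srv.listen(sessions)
    host, port = srv.getsockname()

    def serve() -> None:
        for _ in range(sessions):
            conn, _peer = srv.accept()
            with conn:                        # leaving the block closes conn: the client sees FIN
                conn.sendall(GREETING)
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return host, port, t


def read_until_eof(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Connect and pump bytes until recv() returns b'', i.e. the peer closed its side."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        while True:
            data = s.recv(4096)
            if not data:                      # zero-length read is the EOF signal; stop here,
                break                         # do not wait for a later write to hit EPIPE
            chunks.append(data)
    return b"".join(chunks)


def reconnect_loop(host: str, port: int, max_sessions: int) -> list[bytes]:
    """The while-loop the post wants: reconnect every time the remote end hangs up."""
    results: list[bytes] = []
    while len(results) < max_sessions:
        try:
            results.append(read_until_eof(host, port))
        except ConnectionRefusedError:
            break                             # listener is gone; stop instead of spinning
    return results


def demo() -> list[bytes]:
    """Run the whole exchange locally and return what each session received."""
    host, port, t = start_closing_server()
    out = reconnect_loop(host, port, SESSIONS)
    t.join(timeout=5)
    return out


if __name__ == "__main__":
    for i, payload in enumerate(demo(), 1):
        print(f"session {i}: got {payload!r}, peer closed, reconnecting")
```

The contrast with the behaviour described in the post is the `if not data: break` branch: a client that only notices the closed connection when its next write fails never reaches it, and a wrapper loop around such a client stalls on the first session.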
Re: periodic diff script
David Fifield (Jan 28)
Possibly something is going wrong with XML generation. Try running the
nmap command manually. Look for any error messages and inspect the
resulting XML file.
periodic diff script
Mattia Campagnano (Jan 28)
Hi, I was trying to use your periodic ndiff script available on
https://nmap.org/book/ndiff-man-periodic.html but I get an error message on
the created diff file.
xml.sax exception <XML file> not well-formed (invalid token)
The code I use is attached.
Any help would be appreciated.
[no subject]
Zin Bo (Jan 25)
zinbo0545 () gmail com
[no subject]
Zin Bo (Jan 25)
nangmoeshan8795 () gmail com
nmap JSON output support
rodion.raskolnikov via dev (Jan 25)
Hi folks,
attached you will find a patch (against the latest svn nmap 7.91), which allows JSON output from nmap. In order to have
the JSON output, the nmap executable must be compiled with --with-json configuration option (default: no). This will
produce an executable which has a new command line option:
-oJ <filename>
and will output a JSON output file like:...
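The check David Fifield suggests in the periodic-diff thread above (run the scan by hand and inspect the XML before ndiff sees it) can be automated, and the result also shows the shape of the JSON conversion the -oJ patch in this thread describes. What follows is an added Python example written for this page; it is not ndiff's code and not the patch from the post, and it uses only the standard library. Both embedded documents are constructed: GOOD_XML is a minimal -oX style report for the documentation address 192.0.2.10, and TRUNCATED_XML is the same report cut off mid-element, the kind of file a scan killed part-way leaves behind and that the parser rejects as not well-formed.

```python
"""Well-formedness check and JSON flattening for Nmap -oX output (added example)."""
from __future__ import annotations

import json
import xml.etree.ElementTree as ET

# Constructed sample: a minimal -oX style report, not real scan output.
GOOD_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan.xml 192.0.2.10" start="1612800000">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <runstats><finished time="1612800042" exit="success"/></runstats>
</nmaprun>
"""

# The same report cut off mid-element, as a scan interrupted part-way leaves it.
TRUNCATED_XML = GOOD_XML.split("<service", 1)[0]


def check_well_formed(text: str) -> tuple[bool, str]:
    """Parse the whole document; on failure report where the parser gave up."""
    try:
        ET.fromstring(text)
        return True, ""
    except ET.ParseError as e:
        line, col = e.position                # (line, column) where expat stopped
        return False, f"{e} (line {line}, column {col})"


def nmap_xml_to_dict(text: str) -> dict:
    """Flatten the parts of a report a diff or a dashboard usually cares about."""
    root = ET.fromstring(text)
    out = {"scanner": root.get("scanner"), "args": root.get("args"), "hosts": []}
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address")
        entry = {
            "address": addr.get("addr") if addr is not None else None,
            "state": status.get("state") if status is not None else None,
            "ports": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")    # absent for closed ports, as in real output
            entry["ports"].append({
                "protocol": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else None,
                "service": service.get("name") if service is not None else None,
            })
        out["hosts"].append(entry)
    return out


def to_json(text: str) -> str:
    """Refuse a broken report outright rather than emit a half-converted one."""
    ok, why = check_well_formed(text)
    if not ok:
        raise ValueError(f"not well-formed, refusing to convert: {why}")
    return json.dumps(nmap_xml_to_dict(text), indent=2)


if __name__ == "__main__":
    print(to_json(GOOD_XML))
    ok, why = check_well_formed(TRUNCATED_XML)
    print("truncated report:", why)
```

Running `check_well_formed` on each fresh -oX file before handing it to ndiff turns the opaque "not well-formed" exception on the diff into a line and column in the scan output, which is usually enough to see whether the scan was cut short, wrote nothing, or wrote a stray error message into the file.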
VoIP scanning NSE Scripts
Khatir M'GHARI (Jan 03)
Hello community I'm looking for updated nmap scripts for VoIP scans
BR,
KMG
PR on Github for nmap
Tobias Dussa (Jan 03)
Hi folks,
I have submitted a PR (#1952) on Github that introduces a trivial change,
namely, it allows a source port for scans to be specified in the comms
library. This is essential for scanning for certain types of backdoors.
As far as I can tell, this change should not break anything, and it is
definitely a very simple patch.
Thanks a lot!
Cheers,
Toby.
Fw: wrong/false duplicate MAC in nmap -sP listing
Mihu RUCAREANU (Jan 03)
________________________________
From: Mihu RUCAREANU <mihu_rucareanu () hotmail com>
Sent: December 11, 2020 12:21 AM
To: fyodor () nmap org <fyodor () nmap org>
Subject: wrong/false duplicate MAC in nmap -sP listing
Hi "Fyodor"-Lyon,
I'm an average Linux user, rather beginner and self-taught by trial-and-error, sometimes too perfectionist, but trying
to be systematic nonetheless. I'm also an enthusiastic user...
GitHub PR 2209
Joshua Rogers (Jan 03)
Hi,
Submitted PR 2209 to modify the http-iis-short-name-brute.nse script to use
OPTIONS method:
Current version of http-iis-short-name-brute.nse only uses GET requests. As
per
https://soroush.secproject.com/blog/2014/08/iis-short-file-name-disclosure-is-back-is-your-server-vulnerable/,
the OPTIONS method can also be used. I have updated the script to
additionally use the OPTIONS method.
Thanks,
Josh
NmapWin v1.0
rodion.raskolnikov via dev (Dec 29)
Hi everybody,
NmapWin 1.0 has been released. Lots of new features and bug fixes:
- Support for MySQL and SQL Server CE databases
- NmapWin Windows service for scheduling scans
- Some more nmap command line options included
- Validation of all input fields.
- External XML output import into DB
Download it from:
https://gitlab.com/rodionraskolnikov/nmapwin/-/packages
Have fun and a successful 2021!
Rodion
Sent with [ProtonMail](...
Fixed ncat temporary certificates and CI on github broken
Tobias Girstmair (Dec 01)
hi,
CONTRIBUTING.md says to send a notification when sending a pull request
(http://issues.nmap.org/2168). It's a one-liner change to fix the expiry
date of temporary certificates issued by ncat --ssl, which currently is
60 seconds instead of one year.
Given the triviality of the patch, I wouldn't have posted here, were it
not to inform you that Travis-CI is refusing to run on the majority of
pull requests. <...
Zenmap Error "No module named GTK"
Anomous Gufox (Dec 01)
Dear Developer,
I am Sagnik Haldar, known as AnomousG, and would like to report a problem
I found after I started using Kali Linux version 2020.4. I usually downloaded
zenmap as one of my favourite tools, but unfortunately it showed the
following error after a successful installation.
I also reported it as a bug in Kali Linux but got to know the reason why
zenmap was dropped from Kali is because the Python2 dependencies (such as
the GTK one) are gone...
NSE script contribution - CVE-2020-14882 NSE script
Daniel M (Dec 01)
Hello nmap-dev,
I submitted a pull request adding a NSE script to detect CVE-2020-14882
(WebLogic unauthenticated RCE):
https://github.com/nmap/nmap/pull/2169
I hope it helps! Looking forward to your feedback.
Thanks,
Daniel
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap 7.91 Bugfix Release
Gordon Fyodor Lyon (Oct 14)
Hello everyone. I'm glad Nmap 7.90 was so well received! There were so
many improvements that the official announcement (
https://seclists.org/nmap-announce/2020/1) was a bit unwieldy. So Daniel
Miller (who made most of those changes) Tweeted his top highlights at
https://twitter.com/bonsaiviking/status/1313247253197393920
While we do work hard to avoid bugs during development and to catch them
pre-release through continuous integration...
Nmap 7.90 Released! First release since August 2019.
Gordon Fyodor Lyon (Oct 03)
Hello everyone. Hot on the heels of the big Npcap 1.00 release (
https://seclists.org/nmap-announce/2020/0), we're delighted to announce a
new Nmap--version 7.90! It's the first Nmap release since Defcon 2019, even
though we've made 16 Npcap releases since then. Raw packets are so
fundamental to Nmap that we really wanted to get it right. With the
production-ready and highly performant Npcap 1.00 driver included, we can
finally...
Npcap 1.00 was just released and a new Nmap is on the way!
Gordon Fyodor Lyon (Sep 28)
Hello everyone. I hope you are all safe and well during this nasty
pandemic. I obviously haven't been wearing my marketing hat enough given
that this is my first mail to the Nmap Announcement list since last
August's Nmap 7.80 release. But we've been heads-down programming since
then and have great news to report!
The biggest news is that, after more than 7 years of development and 170
previous public releases, we're...
Nmap Defcon Release! 80+ improvements include new NSE scripts/libs, new Npcap, etc.
Gordon Fyodor Lyon (Aug 10)
Fellow hackers,
I'm here in Las Vegas for Defcon and delighted to release Nmap 7.80. It's
the first formal Nmap release in more than a year, and I hope you find it
worth the wait!
The main reason for the delay is that we've been working so hard on our
Npcap Windows packet capturing driver. As many of you know, Windows Nmap
traditionally depended on Winpcap for packet capture. That is great
software, but it has been...
Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
APPLE-SA-2021-02-09-1 macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, and macOS Mojave 10.14.6 Security Update 2021-002
Apple Product Security via Fulldisclosure (Feb 11)
APPLE-SA-2021-02-09-1 macOS Big Sur 11.2.1, macOS Catalina 10.15.7
Supplemental Update, and macOS Mojave 10.14.6 Security Update
2021-002
macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental
Update, and macOS Mojave 10.14.6 Security Update 2021-002 addresses
the following issues. Information about the security content is also
available at https://support.apple.com/HT212177.
macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update*,...
Backdoor.Win32.BackAttack.18 / Multiple Vulnerabilities
malvuln (Feb 11)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/c806d23f4343ab40cf897e9c38b5c1c3.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.BackAttack.18
Vulnerability: Multiple Vulnerabilities
Description: BackAttack.18 (v1.8) listens on TCP ports 80 and 11131.
It has remote features you can enable like take screenshot, restart
the infected system, enable FTP or even...
Backdoor.Win32.Augudor.a / Unauthenticated Remote File Write Code Execution
malvuln (Feb 11)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/1b557d4f923b0de75e397686053a9022.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Augudor.a
Vulnerability: Unauthenticated Remote File Write Code Execution
Description: Augudor.a drops an empty file named "zy.exe" and listens
on TCP port 1011. Attackers who can reach the infected host can write
any...
Backdoor.Win32.Aphexdoor.LiteSock / Remote Stack Buffer Overflow
malvuln (Feb 11)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/a8bb1744bedf43849ed808b7dfa32da4.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Aphexdoor.LiteSock
Vulnerability: Remote Stack Buffer Overflow
Description: Aphexdoor.LiteSock drops an extensionless executable
named "moo" in the Windows dir and listens on TCP ports 113 and 1415.
Sending a specially...
Backdoor.Win32.NetTerrorist / Unauthorized Remote Command Execution
malvuln (Feb 11)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/5131a9b441c9f9b20228f171c327a4f5.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.NetTerrorist
Vulnerability: Unauthorized Remote Command Execution
Description: NetTerrorist listens on TCP port 785, it seemingly uses
authentication like USER [user], PASS [pass]. Interestingly, you can
just bypass authentication...
Trojan.Win32.Cafelom.bu / Heap Corruption
malvuln (Feb 11)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/146ce177ab03b8f62a9fc6e7bbf40dc1.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Trojan.Win32.Cafelom.bu
Vulnerability: Heap Corruption
Description: This malware drops two executables DNF-II.exe and xx.exe,
then looks for and loads a text-file named "GamePath.txt" under c:\
drive. Placing a corrupt text-file with...
Backdoor.Win32.Wollf.15 / Missing Authentication
malvuln (Feb 11)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/ffa917e74406b8b77252be2c4f71f6d3.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Wollf.15
Vulnerability: Missing Authentication
Description: Wollf backdoor creates a service named "wrm" and opens
TCP port 7614, there is no authentication allowing anyone to take over
the infected system.
Type: PE32
MD5:...
Trojan-Spy.Win32.WinSpy.vwl / Insecure Permissions EoP
malvuln (Feb 11)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/0187e62ca40cb3d556a2c5825620bd8f.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Trojan-Spy.Win32.WinSpy.vwl
Vulnerability: Insecure Permissions EoP
Description: WinSpy.vwl creates two directories "Accessories" and
"Netrix" under "Program Files (x86)". Netrix grants full permissions
(F) to everyone...
Stored XSS in SolarWinds Serv-U File Server <=15.2.1
Jack Misiura via Fulldisclosure (Feb 11)
Title: Stored XSS
Product: SolarWinds Serv-U FTP Server
Vendor Homepage: https://www.solarwinds.com/
Vulnerable Version: 15.2.1 and lower
Fixed Version: 15.2.2
CVE Number: CVE-2020-28001
Author: Jack Misiura from The Missing Link
Website: https://www.themissinglink.com.au
Timeline:
2020-10-30 Disclosed to Vendor
2021-01-21 Vendor releases patched version
2021-08-02 Publication
1. Vulnerability Description
SolarWinds Serv-U FTP...
Path traversal in SolarWinds Serv-U File Server <=15.2.1
Jack Misiura via Fulldisclosure (Feb 11)
Title: Path traversal
Product: SolarWinds Serv-U FTP Server
Vendor Homepage: https://www.solarwinds.com/
Vulnerable Version: 15.2.1 and lower
Fixed Version: 15.2.2
CVE Number: CVE-2020-27994
Author: Jack Misiura from The Missing Link
Website: https://www.themissinglink.com.au
Timeline:
2020-10-28 Disclosed to Vendor
2021-01-21 Vendor releases patched version
2021-08-02 Publication
1. Vulnerability Description
SolarWinds Serv-U File...
SEC Consult SA-20210210-0 :: Reflected Cross-Site Scripting in Adobe Magento Commerce
SEC Consult Vulnerability Lab (Feb 10)
SEC Consult Vulnerability Lab Security Advisory < 20210210-0 >
=======================================================================
title: Reflected Cross-Site Scripting (XSS)
product: Adobe Magento Commerce
vulnerable version: < 2.4.2
fixed version: 2.4.2
CVE number: CVE-2021-21029
impact: Medium
homepage: https://magento.com/
found: 2020-06-29...
Trojan-Spy.Win32.WebCenter.a / Information Disclosure
malvuln (Feb 07)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/e3cf225a94c6be5a26fc21a1ec83f418.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Trojan-Spy.Win32.WebCenter.a
Vulnerability: Information Disclosure
Description: The trojan creates a dir named "webcenter" under
"C:\Windows\SysWOW64" and drops various exes and html pages to return
information about the...
Trojan-Spy.Win32.SpyEyes.awow / Insecure Permissions EoP
malvuln (Feb 07)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/e61a6755db1c59eb1d219b761de925f4.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Trojan-Spy.Win32.SpyEyes.awow
Vulnerability: Insecure Permissions EoP
Description: SpyEyes.awow creates an insecure dir named "$Recycle$"
under the c:\ drive, granting change (C) permissions to the
authenticated users group. Also, drops...
Trojan.Win32.Delf.uq / Insecure Permissions EoP
malvuln (Feb 07)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/a4ea99b54e171274795f14a4ac7f17ba.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Trojan.Win32.Delf.uq
Vulnerability: Insecure Permissions EoP
Description: Malware creates a vulnerable dir named "downsoft" under
c:\ drive granting change (C) permissions to the authenticated users
group.
Type: PE32
MD5:...
Email-Worm.Win32.Sircam.eb / Insecure Permissions EoP
malvuln (Feb 07)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/cd88a9b686acd9ccf23dba8d248129b4.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Email-Worm.Win32.Sircam.eb
Vulnerability: Insecure Permissions EoP
Description: Sircam.eb creates a vuln dir under c:\ drive named
"Windupdt" and drops an exe named "winupdate.exe". Grants change (C)
permissions to...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Re: [SECURITY] [DSA 4628-1] php7.0 security update
Timesportsall (Jan 16)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4628-1 security (at) debian (dot) org [email concealed]
https://www.debian.org/security/ Moritz Muehlenhoff
February 18, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : php7.0
CVE ID : CVE-2019-11045 CVE-2019-11046 CVE-2019-11047
CVE-2019-11050 CVE-2020-7059...
Re: BugTraq Shutdown
tommypickle (Jan 16)
All old school hackers from UPT remember and want to show respect. Thanks for everything.
On Second Thought...
alias (Jan 16)
Bugtraq has been a valuable institution within the Cyber Security community for
almost 30 years. Many of our own people entered the industry by subscribing to it
and learning from it. So, based on the feedback we've received both from the
community-at-large and internally, we've decided to keep the Bugtraq list running.
We'll be working in the coming weeks to ensure that it can remain a valuable asset
to the community for years to...
BugTraq Shutdown
alias (Jan 15)
2020 was quite the year, one that saw many changes. As we begin 2021, we wanted
to send one last note to our friends and supporters at the SecurityFocus BugTraq
mailing list. As many of you know, assets of Symantec were acquired by Broadcom
in late 2019, and some of those assets were then acquired by Accenture in 2020
(https://newsroom.accenture.com/news/accenture-completes-acquisition-of-broadcoms-symantec-cyber-security-...
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
CarolinaCon-15 is April 26-28, 2019 in Charlotte NC - Call For Papers/Presenters is now open
Vic Vandal (Feb 03)
We are pleased to announce that CarolinaCon-15 will be on April 26th-28th 2019 in Charlotte NC at the Renaissance
Charlotte Suites. All who are interested in speaking on any topic in the realm of hacking, cybersecurity, technology,
science, robotics or any related field are invited to submit a proposal to present at the con. Full disclosure that
technology or physical security exploitation type submissions are most desirable for this storied...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
44CON 2018 - 12th-14th September, London (UK)
Steve (Feb 28)
44CON 2018 is the UK's best annual Security Conference and Training event. The conference spans 2.5 days with training
on the 10th and 11th of September, a free evening event on the 12th of September, and a full two-day conference on the
13th and 14th of September. The event takes place at the ILEC Conference Centre near Earls Court, London. 44CON 2018
includes catering, private bus bar and Gin O'Clock breaks. Early Bird discounted...
RootedCON Security Conference - 1-3 March, Madrid (Spain)
omarbv (Feb 11)
On the occasion of the ninth edition of RootedCON, the most important
computer security conference in the country, around 2,000 hackers will
meet to discuss new questions and research about the cybersecurity
world, with its risks and threats. National and international experts
have included in their agendas this mandatory appointment to discuss new
vulnerabilities, viruses, and other threats; they will also talk about
countermeasures in order...
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
Ransomware: Why one city chose to pay the ransom after falling victim
InfoSec News (Aug 12)
https://www.zdnet.com/article/ransomware-why-one-city-chose-to-the-pay-the-ransom-after-falling-victim/
By Danny Palmer
ZDNet.com
August 12, 2020
A US city has explained why it gave into the demands of cyber criminals
and paid a ransom demand of $45,000 following a ransomware attack.
Lafayette, Colorado fell victim to ransomware on July 27, which encrypted
the city's computer networks and caused disruptions to phone services,
email and...
0-days, a failed patch, and a backdoor threat. Update Tuesday highlights
InfoSec News (Aug 12)
https://arstechnica.com/information-technology/2020/08/update-tuesday-fixes-2-0days-and-botched-patch-for-a-backdoor-threat/
By Dan Goodin
Ars Technica
08/12/2020
Microsoft on Tuesday patched 120 vulnerabilities, two that are notable
because they’re under active attack and a third because it fixes a
previous patch for a security flaw that allowed attackers to gain a
backdoor that persisted even after a machine was updated.
Zero-day...
OCR warns hospitals of HIPAA compliance scams
InfoSec News (Aug 12)
https://www.healthcareitnews.com/news/ocr-warns-hospitals-apparent-hipaa-compliance-scams
By Mike Miliard
Healthcare IT News
August 11, 2020
The Office for Civil Rights at the U.S. Department of Health and Human
Services has warned health systems about what appears to be something of
an old-fashioned and low-tech phishing attempt: fraudulent postcards, most
addressed to hospital privacy officers, that warn of noncompliance with a
mandatory...
The Secret SIMs Used By Criminals to Spoof Any Number
InfoSec News (Aug 12)
https://www.vice.com/en_us/article/n7w9pw/russian-sims-encrypted
By Joseph Cox
Vice.com
August 12, 2020
The unsolicited call came from France. Or at least that's what my phone
said. When I picked up, a man asked if I worked with the National Crime
Agency, the UK's version of the FBI. When I explained, no, as a journalist
I don't give information to the police, he said why he had contacted me.
"There are these special SIM...
North Korean Hacking Group Attacks Israeli Defense Industry
InfoSec News (Aug 12)
https://www.nytimes.com/2020/08/12/world/middleeast/north-korea-hackers-israel.html
By Ronen Bergman and Nicole Perlroth
nytimes.com
Aug. 12, 2020
TEL AVIV -- Israel claimed Wednesday that it had thwarted a cyberattack by
a North Korea-linked hacking group on its classified defense industry.
The Defense Ministry said the attack was deflected “in real time” and that
there was no “harm or disruption” to its computer systems.
However,...
FBI says an Iranian hacking group is attacking F5 networking devices
InfoSec News (Aug 11)
https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/
By Catalin Cimpanu
Zero Day
ZDNet.com
August 10, 2020
A group of elite hackers associated with the Iranian government has been
detected attacking the US private and government sector, according to a
security alert sent by the FBI last week.
While the alert, called a Private Industry Notification, didn't identify
the hackers by name,...
Pen Test Partners: Boeing 747s receive critical software updates over 3.5" floppy disks
InfoSec News (Aug 11)
https://www.theregister.com/2020/08/10/boeing_747_floppy_drive_updates_walkthrough/
By Gareth Corfield
The Register
08/10/2020
DEF CON -- Boeing 747-400s still use floppy disks for loading critical
navigation databases, Pen Test Partners has revealed to the infosec
community after poking about one of the recently abandoned aircraft.
The eye-catching factoid emerged during a DEF CON video interview of PTP's
Alex Lomas, where the man...
US Cyber Command is using unclassified networks to fight election interference
InfoSec News (Aug 10)
https://www.c4isrnet.com/cyber/2020/08/10/us-cyber-command-is-using-unclassified-networks-to-fight-election-interference/
By Mark Pomerleau
C4ISRNET.com
08/10/2020
WASHINGTON -- U.S. Cyber Command is using unclassified networks and
publicly available communication platforms as it works to prevent foreign
interference in the next presidential election, a CYBERCOM official has
revealed.
“From a CYBERCOM standpoint, one of the big changes...
New England guardsmen test their skills in Cyber Yankee 2020
InfoSec News (Aug 03)
https://www.c4isrnet.com/cyber/2020/08/03/new-england-guardsmen-test-their-skills-in-cyber-yankee-2020/
By Mark Pomerleau
C4ISRNET.com
08/03/2020
Members of the National Guard from New England states concluded a two-week
cyber exercise that sought to test the cyber skills of guardsmen and
critical infrastructure operators.
Cyber Yankee 2020, which took place July 21-31 in New Hampshire, involved
more than 200 National Guard members and...
Travel management company CWT hands over $4.5M following ransomware attack
InfoSec News (Aug 03)
https://siliconangle.com/2020/08/02/travel-management-company-cwt-hands-4-5m-following-ransomware-attack/
By Duncan Riley
SiliconAngle.com
08/02/2020
Business travel management company CWT Global B.V. is the latest company
to pay a ransom demand following a ransomware attack.
According to a report Friday by Reuters, the company paid $4.5 million to
those behind the ransomware after the attack knocked some 30,000 of the
company’s computers...
DOD, FBI, DHS release info on malware used in Chinese government-led hacking campaigns
InfoSec News (Aug 03)
https://www.cyberscoop.com/taidoor-malware-report-china-cisa-dod-fbi/
By Shannon Vavra
CYBERSCOOP
August 3, 2020
The U.S. government publicly put forth information Monday that exposed
malware used in Chinese government hacking efforts for more than a decade.
The Chinese government has been using malware, referred to as Taidoor, to
target government agencies, entities in the private sector, and think
tanks since 2008, according to a joint...
Leaky S3 buckets have gotten so common that they're being found by the thousands now, with lots of buried secrets
InfoSec News (Aug 03)
https://www.theregister.com/2020/08/03/leaky_s3_buckets/
By Shaun Nichols in San Francisco
The Register
3 Aug 2020
The massive amounts of exposed data on misconfigured AWS S3 storage
buckets are a catastrophic network breach just waiting to happen, say
experts.
The team at Truffle Security says its automated search tools were able to
stumble across some 4,000 open Amazon S3 buckets that included data
companies would not want public, things...
House Republicans introduce legislation to give states $400 million for elections
InfoSec News (Aug 03)
https://thehill.com/policy/cybersecurity/510362-house-republicans-introduce-legislation-to-give-states-400-million-for
By Maggie Miller
The Hill
08/03/2020
A group of House Republicans on Monday introduced legislation that would
appropriate $400 million to states to address election challenges stemming
from the COVID-19 pandemic.
The Emergency Assistance for Safe Elections (EASE) Act would designate
$200 million to assist with sanitizing...
Zoom private meeting passwords were easily crackable
InfoSec News (Jul 30)
https://www.itnews.com.au/news/zoom-private-meeting-passwords-were-easily-crackable-551095
By Juha Saarinen
itnews.com.au
July 31, 2020
The automatically generated passwords protecting private Zoom meetings
could be cracked with relative ease, allowing access to sensitive
conferences, a researcher has discovered.
Web site developer Tom Anthony decided on March 31 this year to see if he
could crack the password for private Zoom meetings....
Pentagon needs access to defense companies' networks to hunt cyberthreats, says commission
InfoSec News (Jul 30)
https://www.c4isrnet.com/cyber/2020/07/30/pentagon-needs-access-to-defense-companies-networks-to-hunt-cyberthreats-says-commission/
By Mark Pomerleau
C4ISRNET.com
July 30, 2020
WASHINGTON -- The Pentagon must be able to hunt cyberthreats on the
private networks of defense companies in order to strengthen national
cybersecurity, according to one of the leaders of the Cyber Solarium
Commission.
Rep. Mike Gallagher, R-Wis., who co-chairs the...
Firewall Wizards — Tips and tricks for firewall administrators
Revival?
Paul Robertson (Sep 11)
Since the last few attempts to revive the list have failed, I'm going to attempt a Facebook group revival experiment.
It'll be a bit broader in scope, but I'm hoping we can discuss technical security matters. The new group is
Security-Wizards on Facebook.
Paul
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Faraday Beta V3.0 Released
Francisco Amato (Jul 04)
Faraday helps you to host your own vulnerability management platform
now and streamline your team in one place.
We are pleased to announce the newest version of Faraday v3.0. In this
new version we have made major architecture changes to adapt our
software to the new challenges of cyber security. We focused on
processing large data volumes and to making it easier for the user to
interact with Faraday in its environment.
To install it you can...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
News Roundups!
Dave Aitel via Dailydave (Feb 01)
So lately I've been doing little news roundups on the YouTubes....
Yesterday's is here: https://youtu.be/xgiymt_0isY
Neal Stephenson, in his most recent book, *Fall*, had a character that was
an interesting play on the traditional fantasy "giant" in the sense that
she was normal size, but fractally dense. I feel like we are living that
kind of time - in the sense that gravity is really a measure of how much
stuff is happening...
Re: Fully Automated CONOPs Exercise
Pukhraj Singh via Dailydave (Jan 28)
Folks like Joe Slowik
<https://www.youtube.com/watch?v=n7XqxRXwFZ4&ab_channel=CYBERWARCON>, Grugq
<https://www.blackhat.com/docs/webcast/12142017-the-triple-a-threat.pdf>and you
<https://cybersecpolitics.blogspot.com/2016/09/the-stern-stewart-summit-germany-and.html>(Dave)
have tried to articulate the CONOPS for worms since long. In their current
forms, worms look like IO packages in full-spectrum missions. Ignoring...
Re: Fully Automated CONOPs Exercise
Dave Aitel via Dailydave (Jan 28)
I mean, the goal of the question is to start putting some meat on the idea
of what "harm" is and how that is reflected both from a policy and
technical perspective. But also: It's useful to put some real definitions
around what is required to make people comfortable with fully-automated
techniques.
I don't think the idea that we are going to come up with and enforce norms
is as useful as figuring out what the norms really are...
Re: Fully Automated CONOPs Exercise
Dave Dittrich via Dailydave (Jan 28)
Did any of them mention international humanitarian law, specifically
discrimination, respecting territory of neutral ("green") actors and
their infrastructure, and avoiding harm to neutral third parties and
non-combatants? The problem with most worms is the inability to
accurately discriminate targets and resulting harm. This is an area
where technical experts need to be balanced with operators and policy
makers to ensure that...
Fully Automated CONOPs Exercise
Dave Aitel via Dailydave (Jan 27)
So one of my new fav questions to ask policy teams is what they would do if
they were told to switch their offensive team entirely to worms. Nothing
else. Just worms. What needs to change to make that happen - from op tempo
to supply chain to personnel to policy and technological investment.
And how would their defensive team need to change strategically if they
were facing such an offensive team.
It's a fun thing to see people wrap their...
"Severely lacking".
Dave Aitel via Dailydave (Jan 20)
Recently I read this post from Maddie Stone of Google's Project Zero:
https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html
. In particular, it has a bolded line of "*As a community, our ability to
detect 0-days being used in the wild is severely lacking to the point that
we can’t draw significant conclusions due to the lack of (and biases in)
the data we have collected.*" which is the most...
[mm4.emwd.com] Please Confirm Your E-mail Address
noreply (Jan 07)
Hello from mm4.emwd.com!
You're receiving this e-mail because user SeclistsDD has given yours as an e-mail address to connect their account.
To confirm this is correct, go to
https://lists.aitelfoundation.org/accounts/confirm-email/MzAw:1kxbbR:J_gxtLGlz_7WONRMX9blDLA1rXc/
Thank you from mm4.emwd.com!
mm4.emwd.com
Re: The Lost Decade of Security Metrics
Andre Gironda via Dailydave (Jan 05)
MITRE ATK > CVE/CVSS
Enterprise v8 is more granular than ever before for vuln purposes, but
always has been extensive for threat purposes
If you want to express CVEs in maldocs or malware (including webshells) may
I suggest Yara and/or Suricata (maybe shortcuts such as JA3 or JARM if TLS
applies)?
If you want to express CVEs in runtime app infra may I suggest
caldera_pathfinder? e.g., this is heartbleed --...
Re: The Lost Decade of Security Metrics
toby via Dailydave (Jan 05)
I don't think you are wrong but your comparison of CVSS and the multiple
(also separately bad) metrics for a WAF isn't effective or accurate.
The values going into CVSS have something in common; they are attempts to
characterize the importance of the vulnerability in question. You are
making (have made before) the claim that the importance of a vulnerability
is too variable and specific to an environment or an attack scenario to be...
Re: The Lost Decade of Security Metrics
Chuck McAuley via Dailydave (Jan 05)
Throughput* is perhaps the wrong unit of measure. Most of the time you would be interested in measuring
“requests/second” or “transactions/second”. Aside from say a content ingesting site/repeater
(facebook/twitter/instagram), almost all content for a WAF to handle is inbound, using low amounts of available
bandwidth. The outbound content is rarely inspected by such a device, with the exception of 5xx error or similar
(headers).
A...
The Lost Decade of Security Metrics
Dave Aitel via Dailydave (Jan 05)
A thousand years ago I subscribed to the Security Metrics mailing list.
Metrics are important - or rather, I think good decision making is
important, and without metrics your decision making is essentially luck.
But we haven't seen any progress on this in a decade, and I wanted to talk
about the meta-reason why: Oversimplification in the hopes of scaling.
There's a theme in security metrics, a deep Wrong, that the community
cannot...
"Is it done yet? Boom! Typey Typey!"
Dave Aitel via Dailydave (Dec 31)
Today is my last day at Immunity. I don't know what to say about it that
everyone on this list doesn't already know or that isn't weighed down with
embarrassing secrets. At its best Immunity was a family, but also a machine
for producing absolute monsters, and not just in the technical arenas. Even
when it came to project management, we dropped people in the deep waters of
the Marianas Trench and expected them to build...
paper + data-set tracking supply-chain compromises worth a peek by Geer, Tozer et al.
Arun Koshy via Dailydave (Dec 16)
paper : http://geer.tinho.net/fgm/fgm.geer.2012.pdf
data-set : https://github.com/IQTLabs/software-supply-chain-compromises
Kiroshi Optics
Dave Aitel via Dailydave (Dec 11)
https://twitter.com/JesseHeinig/status/1336913378564919297
https://twitter.com/ClipperChip/status/1337289319988473856
People seem to think you can use etymology as some clue to deciphering the
cyberpunk and cyber philosophy in general. You can read a whole Thomas Rid
book
<https://www.amazon.com/Rise-Machines-Cybernetic-Thomas-Rid/dp/0393286002>
on it, and it's weird when people stress "Cybernetics" as if they've found...
Worth a listen on your morning drive
Dave Aitel via Dailydave (Dec 10)
https://www.youtube.com/watch?v=pyE29pX9HBE&feature=emb_logo&ab_channel=TheHagueProgramforCyberNorms
(text:
https://www.internetgovernance.org/2020/11/13/hague-keynote-sovereignty-in-cyberspace/
)
Keynote by Milton Mueller, Professor at the Georgia Institute of Technology
(Atlanta, USA) in the School of Public Policy.
I lolled at this section which is so true it hurts:
Since publishing that book I explored the concepts of sovereignty...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
BHIS Sorta Top Used Tools of 2018
John - Black Hills Information Security (Dec 06)
Free Webcast
Hello all,
For our next webcast we will cover some of the core tools we use all the time at Black Hills Information Security.
However, there will be a twist. We will not talk about Nessus, Nmap, or Metasploit. Why? Because there are a ton of new
(and older) tools we use that fall outside of the standard tools you see in every security book/blog out there.
Basically, we are trying to be edgy and different.
You may want to come...
BHIS Webcast - Tues 10/2 @ 11am MDT
John Strand - Black Hills Information Security (Sep 26)
Hello All,
In this next webcast I want to cover what I am doing with the BHIS Systems team to create a C2/Implant/Malware test
bed. Testing our C2/malware solutions is important because vendors tend to lie or over-hype their capabilities. I will
cross reference some different malware specimens to the MITRE ATT&CK framework and we will cover how you can use these
techniques to test your defensive solutions at both the endpoint and the...
BHIS Webcast: The PenTest Pyramid of Pain 9/4 - 11am MDT
Sierra - Black Hills Information Security (Aug 29)
Hello!
How are you all? We had a fantastic webcast last week with John Strand and Chris Brenton and we're still working
through some unexpected hiccups to get the recording up and posted. The podcast version is on our blog, and the YouTube
version will be posted shortly on the Active Countermeasures channel and blog as well. Thanks for all of you who
ventured over to attend!
Ready for another awesome BHIS webcast? Dakota is back and...
Webcast with CJ: Tues 7/24 at 11am
Sierra - Black Hills Information Security (Jul 19)
Our upcoming webcast will be about POLICY...
Did you check out when you heard “policy”? Policy can often seem like a drudgery, but it’s also an important and
potentially overlooked part of business and procedure; it’s the framework on which security is really built!
CJ, our COO and Head of Sales has experience writing, assessing and implementing policies for many different kinds of
companies. And if you are worried it will be dry and...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like to share with you, for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think it can
be of interest to newcomers to the world of analysis of malware,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with a password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Update Minor Revisions
Microsoft (Dec 11)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: December 11, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision
increment:
* CVE-2018-8172
Revision Information:
=====================
- CVE-2018-8172 | Visual Studio Remote Code Execution
Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Nov 14)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: November 14, 2018
********************************************************************
Summary
=======
The following CVEs and advisory have undergone a minor revision
increment:
* CVE-2018-8454
* CVE-2018-8552
* ADV990001
Revision Information:
=====================
- CVE-2018-8454 | Windows Audio Service...
Microsoft Security Update Minor Revisions
Microsoft (Oct 24)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 24, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision increment:
* CVE-2018-8512
Revision Information:
=====================
- CVE-2018-8512 | Microsoft Edge Security Feature Bypass
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 19)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 19, 2018
********************************************************************
Summary
=======
The following CVE has been added to the October 2018 Security updates:
* CVE-2018-8569
Revision Information:
=====================
- CVE-2018-8569 | Yammer Desktop Application Remote Code Execution
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 17)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 17, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2010-3190
Revision Information:
=====================
- CVE-2010-3190 | MFC Insecure Library Loading Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 9, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision increment:
* CVE-2018-8531
Revision Information:
=====================
- CVE-2018-8531 | Azure IoT Device Client SDK Memory Corruption
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************
Summary
=======
The following CVE has been added to the October 2018 Security updates:
* CVE-2018-8292
Revision Information:
=====================
- CVE-2018-8292 | .NET Core Information Disclosure Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************
Summary
=======
The following bulletin has undergone a major revision increment:
* MS11-025
Revision Information:
=====================
- https://docs.microsoft.com/en-us/security-updates/
SecurityBulletins/2011/ms11-025:...
Microsoft Security Update Summary for October 9, 2018
Microsoft (Oct 09)
********************************************************************
Microsoft Security Update Summary for October 9, 2018
Issued: October 9, 2018
********************************************************************
This summary lists security updates released for October 9, 2018.
Complete information for the October 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.
Please note the...
Microsoft Security Update Releases
Microsoft (Oct 02)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 2, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-0952
Revision Information:
=====================
- CVE-2018-0952 | Diagnostic Hub Standard Collector Elevation of
Privilege Vulnerability
-...
Microsoft Security Advisory Notification
Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 12, 2018
********************************************************************
Security Advisories Released or Updated on September 12, 2018
===================================================================
* Microsoft Security Advisory ADV180022
- Title: Windows Denial of Service Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: September 12, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a minor revision increment:
* CVE-2018-8421
* CVE-2018-8468
Revision Information:
=====================
- CVE-2018-8421 | .NET Framework Remote Code Execution
Vulnerability...
Microsoft Security Update Summary for September 11, 2018
Microsoft (Sep 11)
********************************************************************
Microsoft Security Update Summary for September 11, 2018
Issued: September 11, 2018
********************************************************************
This summary lists security updates released for September 11, 2018.
Complete information for the September 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>....
Microsoft Security Update Releases
Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Update Releases
Issued: September 11, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-8154
Revision Information:
=====================
- CVE-2018-8154 | Microsoft Exchange Memory Corruption
Vulnerability
-...
Microsoft Security Advisory Notification
Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 11, 2018
********************************************************************
Security Advisories Released or Updated on September 11, 2018
===================================================================
* Microsoft Security Advisory ADV180002
- Title: Guidance to mitigate speculative execution...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Verizon: 1.5M of Contact Records Stolen, Now on Sale
Jeffrey Walton (Mar 26)
http://www.mobipicker.com/verizon-1-5m-contact-records-stolen-now-sale/:
A business to business telecommunication giant,
Verizon Enterprise Solutions, a Basking Ridge,
New Jersey-based company, has been the latest
victim of a cyber crime that stole 1.5 million contact
records of the customers of Verizon...
I don't quite understand this double talk. Could someone explain to me:
A spokesperson from Verizon said that...
Statement on Lavabit Citation in Apple Case
Jeffrey Walton (Mar 16)
(From John Young on another list):
http://www.facebook.com/KingLadar/posts/10156714933135038
As many of you already know, the government cited the Lavabit case in
a footnote. The problem is their description insinuates a precedent
that was never created. Obviously I was somewhat disturbed by their
misrepresentation. So I decided to draft a statement. And keep in
mind, these are the same people who say "trust us." Click continue to
read...
The NSA's back door has given every US secret to our enemies
Jeffrey Walton (Feb 29)
http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2
Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.
Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta-software...
Can Spies Break Apple Crypto?
Jeffrey Walton (Feb 27)
Here's an interesting exchange between Cryptome and Michael Froomkin,
Law Professor at University of Miami, on the All Writs Act
(http://cryptome.org/2016/02/can-spies-break-apple-crypto.htm):
-----
A. Michael Froomkin:
The factual posture in the key Supreme Court precedent, New York
Telephone, involved a situation where only the subject of the order
was capable of providing the assistance at issue. This is the basis
for Apple's...
The FBI's iPhone Problem: Tactical vs. Strategic Thinking
Jeffrey Walton (Feb 23)
http://www.technewsworld.com/story/83130.html
I'm an ex-sheriff, and I've been in and out of security jobs for much
of my life, so I've got some familiarity with the issues underlying
the drama between the FBI and Apple. FBI officials -- and likely those
in every other three-letter agency and their counterparts all over the
world -- would like an easier way to do their jobs. Wouldn't we all?
If they could put cameras in...
Wanted: Cryptography Products for Worldwide Survey
Jeffrey Walton (Jan 01)
(http://www.schneier.com/crypto-gram/archives/2015/1215.html):
In 1999, Lance Hoffman, David Balenson, and others published a survey
of non-US cryptographic products. The point of the survey was to
illustrate that there was a robust international market in these
products, and that US-only export restrictions on strong encryption
did nothing to prevent its adoption and everything to disadvantage US
corporations. This was an important contribution...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Mozilla Releases Security Update for Thunderbird
US-CERT (Jul 17)
National Cyber Awareness System:
Mozilla Releases Security Update for Thunderbird [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/17/mozilla-releases-security-update-thunderbird ] 07/17/2020
10:50 AM EDT
Original release date: July 17, 2020
Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. An attacker could exploit
some of these...
Microsoft Releases Security Update for Edge
US-CERT (Jul 17)
National Cyber Awareness System:
Microsoft Releases Security Update for Edge [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/17/microsoft-releases-security-update-edge ] 07/17/2020 10:53 AM
EDT
Original release date: July 17, 2020
Microsoft has released a security update to address a vulnerability in Edge (Chromium-based). An attacker could exploit
this vulnerability to drop...
AA20-198A: Malicious Cyber Actor Use of Network Tunneling and Spoofing to Obfuscate Geolocation
US-CERT (Jul 17)
National Cyber Awareness System:
AA20-198A: Malicious Cyber Actor Use of Network Tunneling and Spoofing to Obfuscate Geolocation [
https://us-cert.cisa.gov/ncas/alerts/aa20-198a ] 07/16/2020 08:09 AM EDT
Original release date: July 16, 2020
Summary
"This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) and Pre-ATT&CK
frameworks....
CISA Releases Emergency Directive on Critical Microsoft Vulnerability
US-CERT (Jul 16)
National Cyber Awareness System:
CISA Releases Emergency Directive on Critical Microsoft Vulnerability [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/cisa-releases-emergency-directive-critical-microsoft-vulnerability
] 07/16/2020 03:28 PM EDT
Original release date: July 16, 2020
The Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency Directive...
Apple Releases Security Updates
US-CERT (Jul 16)
National Cyber Awareness System:
Apple Releases Security Updates [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/apple-releases-security-updates ] 07/16/2020 11:17 AM EDT
Original release date: July 16, 2020
Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of
these vulnerabilities to take control of an...
Malicious Activity Targeting COVID-19 Research, Vaccine Development
US-CERT (Jul 16)
National Cyber Awareness System:
Malicious Activity Targeting COVID-19 Research, Vaccine Development [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/malicious-activity-targeting-covid-19-research-vaccine-development
] 07/16/2020 07:16 AM EDT
Original release date: July 16, 2020
In response to malicious activity targeting COVID-19 research and vaccine development in the United...
Cisco Releases Security Updates for Multiple Products
US-CERT (Jul 15)
National Cyber Awareness System:
Cisco Releases Security Updates for Multiple Products [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/15/cisco-releases-security-updates-multiple-products ]
07/15/2020 03:19 PM EDT
Original release date: July 15, 2020
Cisco has released security updates to address vulnerabilities affecting multiple products. An unauthenticated, remote
attacker...
Oracle Releases July 2020 Security Bulletin
US-CERT (Jul 14)
National Cyber Awareness System:
Oracle Releases July 2020 Security Bulletin [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/oracle-releases-july-2020-security-bulletin ] 07/14/2020
05:21 PM EDT
Original release date: July 14, 2020
Oracle has released its Critical Patch Update for July 2020 to address 433 vulnerabilities across multiple products. A
remote attacker could...
Google Releases Security Updates for Chrome
US-CERT (Jul 14)
National Cyber Awareness System:
Google Releases Security Updates for Chrome [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/google-releases-security-updates-chrome-0 ] 07/14/2020 04:51
PM EDT
Original release date: July 14, 2020
Google has released Chrome version 84.0.4147.89 for Windows, Mac, and Linux. This version addresses vulnerabilities
that an attacker could exploit...
Google Releases Security Updates for Chrome
US-CERT (Jul 14)
National Cyber Awareness System:
Google Releases Security Updates for Chrome [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/google-releases-security-updates-chrome ] 07/14/2020 02:45 PM
EDT
Original release date: July 14, 2020
Google has released Chrome version 84.0.4147.89 for Windows, Mac, and Linux. This version addresses vulnerabilities
that an attacker could exploit to...
Microsoft Releases July 2020 Security Updates
US-CERT (Jul 14)
National Cyber Awareness System:
Microsoft Releases July 2020 Security Updates [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-releases-july-2020-security-updates ] 07/14/2020
02:13 PM EDT
Original release date: July 14, 2020
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could
exploit some of these...
Microsoft Addresses 'Wormable' RCE Vulnerability in Windows DNS Server
US-CERT (Jul 14)
National Cyber Awareness System:
Microsoft Addresses 'Wormable' RCE Vulnerability in Windows DNS Server [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-addresses-wormable-rce-vulnerability-windows-dns-server
] 07/14/2020 02:14 PM EDT
Original release date: July 14, 2020
Microsoft has released a security update to address a remote code execution (RCE)...
Adobe Releases Security Updates for Multiple Products
US-CERT (Jul 14)
National Cyber Awareness System:
Adobe Releases Security Updates for Multiple Products [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/adobe-releases-security-updates-multiple-products ]
07/14/2020 01:18 PM EDT
Original release date: July 14, 2020
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit
some of...
Apache Releases Security Advisories for Apache Tomcat
US-CERT (Jul 14)
National Cyber Awareness System:
Apache Releases Security Advisories for Apache Tomcat [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/apache-releases-security-advisories-apache-tomcat ]
07/14/2020 11:33 AM EDT
Original release date: July 14, 2020
The Apache Software Foundation has released security advisories to address multiple vulnerabilities in Apache Tomcat.
An attacker...
AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java
US-CERT (Jul 13)
National Cyber Awareness System:
AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java [ https://us-cert.cisa.gov/ncas/alerts/aa20-195a ]
07/13/2020 07:07 PM EDT
Original release date: July 13, 2020
Summary
On July 13, 2020 EST, SAP released a security update to address a critical vulnerability, CVE-2020-6287 [
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287 ],...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
WebKitGTK and WPE WebKit Security Advisory WSA-2021-0001
Carlos Alberto Lopez Perez (Feb 15)
------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory WSA-2021-0001
------------------------------------------------------------------------
Date reported : February 15, 2021
Advisory ID : WSA-2021-0001
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2021-0001.html
WPE WebKit Advisory URL :...
CVE-2021-26720: avahi-daemon: 'avahi' to 'root' user privilege escalation through Debian specific if-up script avahi-daemon-check-dns.sh
Matthias Gerstner (Feb 15)
Hello list,
the avahi-daemon package [1] in Debian Linux contains a Debian specific
script installed in
/usr/lib/avahi/avahi-daemon-check-dns.sh
This script is run as 'root' via the if-up.d script in
/etc/network/if-up.d/avahi-daemon
There are security issues in the code of the main shell script in this
context. The $RUNDIR "/run/avahi-daemon" is owned by the unprivileged
avahi:avahi user/group. This fact is also...
Re: sudo: Ineffective NO_ROOT_MAILER and Baron Samedit
Roman Fiedler (Feb 15)
Roman Fiedler writes:
Now sudo patches are already deployed widely, so this is how
the NO_ROOT_MAILER flag influenced exploit complexity:
* With "NO_ROOT_MAILER" working using "nss_load_library" method,
e.g. implemented by blasty: main program
https://github.com/blasty/CVE-2021-3156/blob/main/hax.c
(140 lines with 18 lines header) and the library to be loaded
https://github.com/blasty/CVE-2021-3156/blob/main/lib.c
(16...
CVE-2020-13949: Apache Thrift: potential DoS when processing untrusted payloads
Jens Geyer (Feb 11)
CVE-2020-13949: potential DoS when processing untrusted Thrift payloads
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Thrift up to and including 0.13.0
Description:
Applications using Thrift would not error upon receiving messages declaring containers of sizes larger than the
payload. As a result, malicious RPC clients could send short messages which would result in a large memory allocation,...
Re: Re: screen crash processing combining characters
Salvatore Bonaccorso (Feb 10)
Hi,
It has now been released:
https://invisible-island.net/xterm/xterm.log.html#xterm_366
Regards,
Salvatore
Re: Re: screen crash processing combining characters
Utkarsh Gupta (Feb 10)
Hi Tavis,
Great, thanks! Could you also tell Thomas that CVE-2021-27135 has been
assigned for that?
- u
Re: CVE-2021-20200: Linux kernel: close race between munmap() and expand_upwards()/downwards()
Alexandros Toptsoglou (Feb 10)
Hi,
is the information listed here correct? Especially the CVE-2021-20200
assignment.
In project-zero reference at the last comment CVE-2020-29369 is mentioned.
Best regards,
Alexandros
CVE-2021-20200: Linux kernel: close race between munmap() and expand_upwards()/downwards()
Rohit Keshri (Feb 10)
Hello Team,
A use-after-free flaw may be seen due to a race problem while in
detach_vmas_to_be_unmapped() in mm/mmap.c in VMA access while
munmap(). This flaw could allow a local attacker with a user privilege
to crash the system, because VMA with VM_GROWSDOWN or VM_GROWSUP flag
set may change their size under mmap_read_lock(). This vulnerability
could even lead to a kernel information leak problem.
'CVE-2021-20200' was assigned by...
CVE-2020-35498: Open vSwitch: Packet parsing vulnerability
Flavio Leitner (Feb 10)
Description
===========
Multiple versions of Open vSwitch are vulnerable to potential problems
like denial of service attacks, in which crafted network packets could
cause the packet lookup to ignore network header fields from layers 3
and 4.
Both kernel and userspace datapaths are affected, including DPDK enabled
Open vSwitch (OVS-DPDK) as an example of the latter.
The crafted network packet is an ordinary IPv4 or IPv6 packet with
Ethernet...
[SECURITY][ANNOUNCE] Apache Subversion 1.10.7 released
Stefan Sperling (Feb 10)
I'm happy to announce the release of Apache Subversion 1.10.7.
Please choose the mirror closest to you by visiting:
https://subversion.apache.org/download.cgi#supported-releases
This is a stable bugfix and security release of the Apache Subversion
open source version control system.
THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:
CVE-2020-17525
"Remote unauthenticated denial-of-service in Subversion mod_authz_svn"
The...
[SECURITY][ANNOUNCE] Apache Subversion 1.14.1 released
Stefan Sperling (Feb 10)
I'm happy to announce the release of Apache Subversion 1.14.1.
Please choose the mirror closest to you by visiting:
https://subversion.apache.org/download.cgi#recommended-release
This is a stable bugfix and security release of the Apache Subversion
open source version control system.
THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:
CVE-2020-17525
"Remote unauthenticated denial-of-service in Subversion mod_authz_svn"...
Replay-Sorcery: CVE-2021-26936: Multiple security issues with setuid-root program in versions 0.4.0 through 0.5.0
Matthias Gerstner (Feb 10)
Hello,
we received a review request [1] for ReplaySorcery [2] for inclusion in the
openSUSE Linux distribution. ReplaySorcery allows recording short videos of
screen content, triggered via a key combination. Since version 0.4.0 released
on 2020-12-19 through to the current version 0.5.0 the replay-sorcery program
is by default installed with setuid-root and (unnecessarily) setgid-root bits
and is thus running with root privileges. The motivation...
Re: charset.alias in pkexec/glib/gnulib
Tavis Ormandy (Feb 09)
Thanks Jakub!
Tavis.
Re: screen crash processing combining characters
Tavis Ormandy (Feb 09)
FYI, Thomas (XTerm maintainer) replied - he was able to repro, and said
the fix is going to be in patch #366, a bug fix release coming soon.
Tavis.
Re: screen crash processing combining characters
Utkarsh Gupta (Feb 09)
Hi,
Got CVE-2021-26937 assigned for this.
- u
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Silver Bullet 123: Yanek Korff
Gary McGraw (Jul 06)
hi sc-l,
The latest installment of Silver Bullet was posted this morning. Silver Bullet episode 123 features a conversation
with Yanek Korff. Yanek worked for many years at Cigital as a system administrator back in the early days. He then
moved on to operational security work at AOL and running managed security services at Mandiant.
We talk about managing technical people in this episode. We also discuss operational security. Have a...
Educause Security Discussion — Securing networks and computers in an academic environment.
Hardening Blackboard Redhat Server
Uday Kiran (Feb 13)
One quick question: does anyone in this forum have experience applying hardening (as per the CIS benchmark) to
Blackboard servers (Red Hat 7 & 8)?
Background: Our Blackboard server is on Red Hat's latest version; however, we wanted to check if we can apply basic
hardening as per CIS, of course not all recommendations but a very minimal set. When we checked with Blackboard support, they
did not recommend hardening the server since it was not...
External System Access Policy
Matthew Prescott (Feb 12)
Hello,
We are doing our NIST800-171 assessment and one control we are looking at
is about external systems access to cui data. Do any of you have policies
or procedures that address external systems access? Do those policies also
cover third parties and not just a home computer?
Could you share those policies with me?
Thanks,
Matt Prescott, Security Analyst
Information Technology
(o) 325-674-2882
Abilene Christian University
[image: Abilene...
Security Awareness General Student Requirement/Availability Survey
Larry Carson (Feb 12)
Hello all,
I am a fellow information security staff member at an Educause member institution. I am also a graduate student doing
research. I have a quick Security Awareness survey regarding what is required/available to the general student
population in higher education. The results are not tied to individuals or institutions and will only be used in
research for my course work.
Preview
Topic: Security Awareness Training/Education for the...
Re: student systems and NIST 800-171
Brian Kelly (Feb 12)
Good morning,
We’ve created a “sign-up” form for a new Student Systems and NIST 800-171 Community Group.
If you expressed interest through a "Me too" or "include me" reply, please take a moment to complete this form to ensure
your involvement.
Please complete the form by EOD on Friday, February 19th, 2021 -
https://app.smartsheet.com/b/form/39c56a3d8e084dc58cf8c82932ab73b0
Any questions can be directed to me, at bkelly ()...
Sign up sheet for Student Systems and NIST 800-171 Community Group
Brian Kelly (Feb 12)
Good morning,
We’ve created a “sign-up” form for a new Student Systems and NIST 800-171 Community Group.
If you expressed interest through a "Me too" or "include me" reply, please take a moment to complete this form to ensure
your involvement.
Please complete the form by EOD on Friday, February 19th, 2021 -
https://app.smartsheet.com/b/form/39c56a3d8e084dc58cf8c82932ab73b0
Any questions can be directed to me, at bkelly () educause...
Re: SECURITY Digest - 11 Feb 2021 (#2021-40)
Jesse F Moore (Feb 11)
Regarding Security Onion: I would be very interested in others' experience with SecurityOnion2 in Distributed mode
implementations that have tried to solve the East-to-West traffic (mirror port from a switch in each building, perhaps)
issues.
Reference:
https://docs.securityonion.net/en/2.3/architecture.html#architecture
Jesse Moore (he/him/his<https://www.mypronouns.org/>)
Office of the CISO | Sr. Cybersecurity Advisor
moorej1 () uw...
[EdTalks] How Cornell University Provides IT Support Before, During & After the Pandemic
Lilly Berkley (Feb 11)
Please join Keyan T Williams, Assistant Director, I.T. Support Operations from Cornell University and Karl Horvath,
Ph.D., President at Campus Consortium for an EdTalk on “How Cornell University Provides IT Support Before, During &
After the Pandemic” on Thursday, February 18, 2021, from 2:00 pm – 3:00 pm ET.
Register here for free: [https://bit.ly/3aZvlNE] (only 100 seats available – first come, first served)
Keyan and...
Re: DingTalk software concerns?
Henry Wojteczko (Feb 11)
Robert:
Chinese government sponsored cyber-hacks are very aggressive and highly sophisticated. I strongly agree with an
approach of a high degree of segmentation with zero access to applications that contain sensitive data residing in the
USA. Bear in mind that smart phones are also a risk. Consider loaning the person a tablet and flip phone. Have in place
an intruder response plan in preparation for the inevitable attack.
I have direct...
Re: DingTalk software concerns?
Barton, Robert W. (Feb 11)
I've had this conversation about our services in other countries, but China is even a little more different. Please
see this from Stanford.
https://uit.stanford.edu/security/travel/high-risk-countries-recommendations
I know some recommendations that I have heard are to send new equipment and expect it to come home corrupted (don't
even allow it back until 100% wiped), don't use your normal services (segment this group...
Re: DingTalk software concerns?
Ramon Rentas (Feb 11)
I never heard of that app until now, so I did some Google searches and
found lots of articles warning about the app's weak security that would
allow the Chinese Government to spy on the app's users. Below is one
such article.
https://www.cnbc.com/2019/10/14/china-xi-jinping-ideology-app-has-backdoor-that-could-let-beijing-snoop-on-users-report.html
Good luck,
Ramón
---
Ramón Rentas
Associate Director for Infrastructure,...
Final reminder - Session 201 survey responses due TODAY
Mitchell Pautz (Feb 11)
Dear Colleagues,
Just a friendly reminder to please take a few minutes to complete this survey:
<https://urldefense.com/v3/__https:/forms.gle/iAEBgUxj2aTUeom86__;!!LIr3w8kk_Xxm!58u7-dAby372tGqgu1S6qNCoD1ySW2FjhzA8shEu3Vy09fXHJB1iSSaTCjBWdA$>
Your responses will be extremely valuable in helping us plan for exciting
and engaging future sessions.
We want to hear from all of you regardless of whether you attended the last
session or not....
Re: Security Onion - Hardware Recommendations
Foss, Henry L. (Feb 11)
I want to piggyback on this. On the same line of intrusion detection, can others share what they are using?
We have looked at DarkTrace, and have determined that just PA FWs at the edge and DC are not enough to give us much
visibility. We’re using Cisco DNA and ISE to provide further detail, but it is a manual process researching incidents.
Thank you
Hank Foss
Manager of Security Infrastructure CISSP, MSCS, GPEN
Sacred Heart University
Main...
Re: [External] [SECURITY] Security Onion - Hardware Recommendations
Jason Rinne (Feb 11)
Hi Kevin, I knew there would be a lot of questions but I didn't know where
to start to get the ball rolling.
-I would say 1-2 users logged in and searching.
-I would like to run suricata + zeek with this deployment but I don't know
about full pcap. I doubt I have the budget for storing full pcap.
*Jason Rinne*
*Systems Administrator*
500 E College Street | Marshall, MO 65340
P| 660.831.4088
rinnej () moval edu | www.moval.edu
<...
DingTalk software concerns?
Bole, Jim A (Feb 11)
We have a faculty group planning to teach students at a Chinese university. The university, as well as a lot of folks
in China, use DingTalk.
Our faculty wants to install it to conduct classes, much in the same manner as they use Zoom.
Anyone have any experience with this?
I do have some privacy concerns for the faculty members using the software. It’s entirely possible that their
activities would be tracked by someone in China. And that...
Re: [External] [SECURITY] Security Onion - Hardware Recommendations
Kevin Wilcox (Feb 11)
Hi, Jason!
What volume of data do you plan to pull in? How many users logged in and
searching? Are you running suricata + zeek? Are you storing full pcap?
There are lots of questions before any recommendations can be made =)
kmw
**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the
person who sent the message, copy and paste their email address and forward the email...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: DoD IP Space
Valdis Klētnieks (Feb 15)
On Sun, 14 Feb 2021 22:25:56 -0800, William Herrin said:
Oh, come on Bill. This ain't your first rodeo. You know damned well
that if we do that, the errors are in fact *not* eventually found and fixed.
In addition, if you do that, even once the error is fixed, the box will
not know about that and will continue to use the IPv4 addresses.
Re: DoD IP Space
John Curran (Feb 15)
Mark -
You’ve properly pointed out IPv6 can indeed be readily & safely deployed today using modern equipment that
supports a reasonable transition approach… full agreement there.
Interestingly enough, you’ve also pointed out the not-so-secret reason why it's taken so long to get sizable
deployment of IPv6 – that is, despite us knowing that we needed "a straightforward transition plan” on day one that...
Re: New York Carrier Hotels
Jared Mauch (Feb 15)
I’m expecting many people to move out to 165 Halsey, but as with many things the future is still hazy. I also wonder if
at some point Google will decide that WFH is viable and they don’t need the office space in 111 8th, and things will
swing back.
(Yes, I know that 165 isn’t in NY)
- Jared
Re: DoD IP Space
james.cutler () consultant com (Feb 15)
Back then some thought it would be more like DECnet Phase V.
Netflix Contact
Cassell, Brandon (Feb 15)
If anyone from Netflix is around, I’d appreciate it if you could hit me up off list, we have a ticket open that I could
use some assistance on.
Thanks,
Brandon Cassell
bcassell () oar net
Re: DoD IP Space
Kenneth J. Dupuis (Feb 15)
<<< text/html: EXCLUDED >>>
Re: New York Carrier Hotels
Kenneth J. Dupuis (Feb 15)
<<< text/html: EXCLUDED >>>
Re: DoD IP Space
Mark Tinka (Feb 15)
IPv6 also runs on hardware that was shipped as far back as 2003, if not
earlier.
Mark.
Re: DoD IP Space
William Herrin (Feb 15)
Hi Mark,
When I said bull-headed, this is exactly what I had in mind. Happy
eyeballs and things like
https://bill.herrin.us/freebies/libeasyv6-0.1/ aren't first-class
citizens in the APIs. Their code has to be independently added to each
application individually. Getaddrinfo() is core standard. Fix the
problem in the place that fixes it in every place or else it's never
really fixed.
Regards,
Bill Herrin
Re: DoD IP Space
nanog (Feb 15)
Yet both the PS5 and the Xbox Series X have IPv6 support.
A console released in 2013 does not, but its successor released in 2020
has it.
How wild is this; I wonder why?
Re: DoD IP Space
Mark Andrews (Feb 14)
Complain to your vendors about not implementing RFC 8305, RFC 6724, and
RFC 7078. RFC 8305 or RFC 6724 + RFC 7078 would fix your issue.
That's Happy Eyeballs and tuneable address selection rules.
You don’t have to perform the naive connection from getaddrinfo() man page.
struct addrinfo hints, *res, *res0;
int error;
int s;
const char *cause = NULL;
memset(&hints, 0, sizeof(hints));...
Re: DoD IP Space
Mark Tinka (Feb 14)
This is not unique to IPv6. Almost every protocol (including IPv4) has
some inherent design problem that keeps lists like this alive with
swaths of advice and solutions.
But at its core, if money is going to stand in the way of IPv6 gaining
global interest, the issues you, me and others face with SLAAC and other
technical IPv6 annoyances will never receive the attention they need to
get resolved.
Why fix something nobody wants to use in...
Re: DoD IP Space
William Herrin (Feb 14)
Well actually, that's not entirely true. One thing holding back IPv6
is the unfortunately routine need to turn it off in order to get one
or another IPv4 thing back working again. Like the Disney thing
earlier in this thread. Or like my experience yesterday where I had to
disable IPv6 to fetch files on a particular server because SLAAC was
serving up invalid addresses but the app insisted on trying all 8 IPv6
addresses before it would...
Re: DoD IP Space
Mark Tinka (Feb 14)
Dropping a few feet from cloud nine, there, really, is no other thing
that will facilitate or hold back the adoption of IPv6, like money.
It will distill down into who is willing to spend it, make it or lose it.
All (other) discussions about IPv6's adoption (or lack thereof) are just
recycled revolutions around this reality. I mean, there's a reason that
in 2021, PS4 still does not support IPv6.
Mark.
Re: DoD IP Space
Sabri Berisha (Feb 14)
----- On Feb 14, 2021, at 11:56 AM, Randy Bush randy () psg com wrote:
Hi,
You are 100% correct. Perhaps we can get Jeff Bezos to give 25% extra off
at the next Cyber Monday event to those accessing amazon.com via IPv6.
That will not only drive IPv6 deployment at eyeball networks, it's a
feasible plan as well. IF good ol' Jeff wants to cooperate :)
Thanks,
Sabri
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 32.49
RISKS List Owner (Feb 12)
RISKS-LIST: Risks-Forum Digest Friday 12 February 2021 Volume 32 : Issue 49
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.49>
The current issue can also be found at
<...
Risks Digest 32.48
RISKS List Owner (Feb 05)
RISKS-LIST: Risks-Forum Digest Friday 5 February 2021 Volume 32 : Issue 48
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.48>
The current issue can also be found at
<...
Risks Digest 32.47
RISKS List Owner (Jan 29)
RISKS-LIST: Risks-Forum Digest Friday 29 January 2021 Volume 32 : Issue 47
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.47>
The current issue can also be found at
<...
Risks Digest 32.46
RISKS List Owner (Jan 26)
RISKS-LIST: Risks-Forum Digest Monday 25 January 2021 Volume 32 : Issue 46
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.46>
The current issue can also be found at
<...
Risks Digest 32.45
RISKS List Owner (Jan 26)
RISKS-LIST: Risks-Forum Digest Monday 18 January 2021 Volume 32 : Issue 45
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.45>
The current issue can also be found at
<...
Risks Digest 32.45
RISKS List Owner (Jan 25)
RISKS-LIST: Risks-Forum Digest Monday 18 January 2021 Volume 32 : Issue 45
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.45>
The current issue can also be found at
<...
Risks Digest 32.45
RISKS List Owner (Jan 18)
RISKS-LIST: Risks-Forum Digest Tuesday 18 January 2021 Volume 32 : Issue 45
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.45>
The current issue can also be found at
<...
Risks Digest 32.44
RISKS List Owner (Jan 09)
RISKS-LIST: Risks-Forum Digest Saturday 9 January 2021 Volume 32 : Issue 44
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.44>
The current issue can also be found at
<...
Risks Digest 32.43
RISKS List Owner (Dec 31)
RISKS-LIST: Risks-Forum Digest Friday 31 December 2020 Volume 32 : Issue 43
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.43>
The current issue can also be found at
<...
Risks Digest 32.42
RISKS List Owner (Dec 25)
RISKS-LIST: Risks-Forum Digest Friday 25 December 2020 Volume 32 : Issue 42
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.42>
The current issue can also be found at
<...
Risks Digest 32.41
RISKS List Owner (Dec 19)
RISKS-LIST: Risks-Forum Digest Saturday 19 December 2020 Volume 32 : Issue 41
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.41>
The current issue can also be found at
<...
Risks Digest 32.40
RISKS List Owner (Dec 11)
RISKS-LIST: Risks-Forum Digest Friday 11 December 2020 Volume 32 : Issue 40
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.40>
The current issue can also be found at
<...
Risks Digest 32.39
RISKS List Owner (Dec 04)
RISKS-LIST: Risks-Forum Digest Friday 4 December 2020 Volume 32 : Issue 39
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.39>
The current issue can also be found at
<...
Risks Digest 32.38
RISKS List Owner (Nov 22)
RISKS-LIST: Risks-Forum Digest Sunday 22 November 2020 Volume 32 : Issue 38
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.38>
The current issue can also be found at
<...
Risks Digest 32.37
RISKS List Owner (Nov 13)
RISKS-LIST: Risks-Forum Digest Friday 13 November 2020 Volume 32 : Issue 37
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.37>
The current issue can also be found at
<...
BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.
Comcast Data Breach Compromised with 1.5 Billion Data Records
Destry Winant (Feb 15)
https://www.ehackingnews.com/2021/02/comcast-data-breach-compromised-with-15.html
American cable and Internet giant Comcast was struck by a data breach a
few days back. An unprotected developer database with 1.5 billion data
records and other internal information was available via the Internet
to third parties during this data breach.
Comcast Corporation is the largest cable operator network and, after
AT&T, it is the second-largest...
French security researcher claims Twitter's desi rival Koo is 'leaking' personal data of users
Destry Winant (Feb 15)
https://www.businessinsider.in/tech/apps/news/twitter-alternative-indians-app-koo-is-exposing-personal-data-of-users-as-per-french-researcher/articleshow/80842475.cms
Koo app is reportedly exposing personal data of users, according to a
French security researcher. Koo is a desi alternative to Twitter and
allows its users to post short messages just like Twitter.
According to Robert Baptiste who goes by the pseudonym Elliot Alderson
(@fs0c131y),...
Singtel hit by third-party vendor's security breach, customer data may be leaked
Destry Winant (Feb 15)
https://www.zdnet.com/index.php/category/2381/index.php/article/singtel-hit-by-third-party-vendors-security-breach-customer-data-may-be-leaked/
Singtel says it is investigating the impact of a cybersecurity breach
that may have compromised customer data, after it ascertained on
February 9 that "files were taken". The attack had affected a
file-sharing system developed two decades ago by a third-party vendor
Accellion, which the...
BC real estate agency sustains unusual ransomware attack
Destry Winant (Feb 15)
https://www.insurancebusinessmag.com/ca/news/cyber/bc-real-estate-agency-sustains-unusual-ransomware-attack-246105.aspx
A British Columbia-based real estate agency is the latest victim of a
ransomware cyberattack – but the circumstances of the attack raise
more questions than answers.
Last week, the Conti ransomware group listed the ReMax Kelowna as one
of its victims on its website. To prove it had instigated the attack,
the group also...
Web hosting provider shuts down after cyberattack
Destry Winant (Feb 12)
https://www.zdnet.com/article/web-hosting-provider-shuts-down-after-cyber-attack/
A web hosting company named No Support Linux Hosting announced today
it was shutting down after a hacker breached its internal systems and
compromised its entire operation.
According to a message posted on its official site [archived], the
company said it was breached on Monday, February 8. The hacker appears
to have "compromised" the company's...
5 Big Considerations for Cybersecurity Risk Managers
Destry Winant (Feb 12)
https://latesthackingnews.com/2021/02/09/5-big-considerations-for-cybersecurity-risk-managers/
Cybersecurity has become a hot topic lately, due in no small part to
the sheer number of leaked accounts that have been made public over
the last few months. Back in September, one data breach leaked the
names, encrypted password hashes and titles of countless converted
documents.
Even more concerning was the fact that the same breach exposed over 70...
Cyberpunk 2077 studio falls victim to ransomware attack, data leak threatened
Destry Winant (Feb 12)
https://www.theverge.com/2021/2/9/22274035/cd-projekt-hack-source-code-cyberpunk-2077-witcher-3-encrypt-data-ransom
CD Projekt says it’s been hacked by attackers who’ve been able to
access its internal network, encrypt some devices, and collect
“certain data” from the Polish video game company. The Cyberpunk 2077
developer says it will not give in to the demands or negotiate with
the attacker, and does not believe any personal data of...
Ziggy ransomware shuts down and releases victims' decryption keys
Destry Winant (Feb 10)
https://www.bleepingcomputer.com/news/security/ziggy-ransomware-shuts-down-and-releases-victims-decryption-keys/
The Ziggy ransomware operation has shut down and released the victims'
decryption keys after concerns about recent law enforcement activity
and guilt for encrypting victims.
Over the weekend, security researcher M. Shahpasandi told
BleepingComputer that the Ziggy Ransomware admin announced on Telegram
that they were shutting...
Packaging Giant WestRock Says Ransomware Attack Hit Production
Destry Winant (Feb 10)
https://www.securityweek.com/packaging-giant-westrock-says-ransomware-attack-hit-production
Atlanta-based packaging giant WestRock (NYSE: WRK) on Friday shared an
update on the recent ransomware incident that impacted the company’s
information technology (IT) and operational technology (OT) systems.
The company has been investigating the incident while working on
restoring impacted systems. The response process has involved
proactively...
Emsisoft Suffers System Breach
Destry Winant (Feb 10)
https://www.infosecurity-magazine.com/news/emsisoft-suffers-system-breach/
The founder of New Zealand cybersecurity company Emsisoft has issued
an apology over a configuration error that led to a system data
breach.
News that one of the company's test systems had been compromised was
shared on February 3 by Emsisoft founder and managing director
Christian Mairoll.
In a security incident that Mairoll wrote "should not have...
Hacker Increased Chemical Level In Florida City’s Water System
Destry Winant (Feb 09)
https://www.techworm.net/2021/02/hacker-chemical-florida-city-water-system.html
Hackers on Friday gained unauthorized entry into the computer system
controlling a water treatment facility in the city of Oldsmar, Florida
and sought to add a “dangerous level” of additive to the water supply,
according to a report from the Tampa Bay Times.
The incident first took place on February 5th at Oldsmar’s water
treatment facility when around 8 a.m....
Experian says investigating if involved in Brazil data breach
Destry Winant (Feb 09)
https://www.reuters.com/article/us-experian-dataprotection/experian-says-investigating-if-involved-in-brazil-data-breach-idUSKBN2A80MW
(Reuters) - Credit data firm Experian said on Monday it was continuing
to investigate whether the personal data of millions of people in
Brazil that was found to be illegally offered for sale online could be
connected with its Brazilian business Serasa.
UK-listed Experian, the world’s largest credit data...
Plex Media Server Abused for DDoS Attacks
Destry Winant (Feb 09)
https://www.securityweek.com/plex-media-server-abused-ddos-attacks
Malicious actors have been abusing Plex Media Server to amplify
distributed denial-of-service (DDoS) attacks, according to application
and network performance management company Netscout.
A popular personal media library and streaming solution, Plex Media
Server can be used on Windows, macOS, and Linux systems, to stream
content, including that from network-attached storage...
Oxfam Australia 1.7 Million users Compromise with the Data Breach
Destry Winant (Feb 09)
https://www.ehackingnews.com/2021/02/oxfam-australia-17-million-users.html
Recently, a hacking threat group has supposedly infected the data of
1.7 billion users, which is being investigated by Oxfam Australia – a
humanitarian and non-profit organization that witnessed a data breach
and blatant violation of privacy.
Oxfam Australia is a secular association which is focused on
development and assistance, it is an autonomous organization that...
A Single Data Breach Can Ruin A Business, And CEOs Can't Ignore Their Responsibilities
Destry Winant (Feb 08)
https://www.forbes.com/sites/forbestechcouncil/2021/02/05/a-single-data-breach-can-ruin-a-business-and-ceos-cant-ignore-their-responsibilities/?sh=7c8080c76970
Data breaches most often occur due to human error and data
mismanagement. Can you blame IT? No, because many CEOs haven't taken
data threats seriously enough to set the standards.
Turning a blind eye to intelligent data management should end in 2021.
Firms are regularly required to...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
nullcon se7en CFP is open
nullcon (Aug 25)
Dear Friends,
Welcome to nullcon se7en!
$git commit -a <sin>
<sin> := wrath | pride | lust | envy | greed | gluttony | sloth
nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world working on the next big thing in security
and request...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 05)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Re: pcapng decoding error when preamble is shortened
Timmy Brolin (Feb 13)
Yes, the capture device is indeed capturing data completely accurately.
You are referring to the transmission section of IEEE 802.3br-2016.
If you look at the receive section on page 51, you will find that receivers are required to accept any length preamble.
Hence, Wireshark is not compliant with the IEEE 802.3br-2016 specification.
It is just like the specification requires the FCS to always be transmitted correctly, but receivers are required...
Re: pcapng decoding error when preamble is shortened
Jaap Keuter (Feb 13)
Hi,
The capture file (View | Reload as File Format/Capture) contains an Interface Descriptor Block which states Link Type
274.
According to https://www.tcpdump.org/linktypes.html the Packet Data in the
capture file must adhere to "mPackets, as specified by IEEE 802.3br Figure 99-4, starting with the preamble and always
ending with a CRC field."
According to IEEE 802.3br-2016 the mPacket...
Re: How to properly finalize capture in a Wireshark extcap plugin?
Timmy Brolin (Feb 11)
Proposed solution
I have investigated this in more depth and found that Wireshark simply does not do any kind of graceful termination of
extcaps. It always kills extcaps forcefully, which causes loss of data on the capture pipe.
Particularly the pcapng “Interface Statistics Block” is always lost, which probably is why none of the built-in extcaps
in Wireshark supports the Interface Statistics block at the moment: They can’t.
Win32...
Re: Fwd: [Season of Docs - Announcements] The 2021 Season of Docs application for organizations is open!
RAGE (Feb 10)
Hi Moshe.
It is. For now I can see the wiki has outdated info or has no
description at all for some technologies and tools the Wireshark project
accumulates. After my project time I would still want to help with its
improvement if I can. But if you want to become a participant of GSoD
either as an organization or writer - go for it! It's definitely worth it! <3
I'm open to discuss the details in IRC or other communication...
Remote Developer Den, February 2021
Gerald Combs (Feb 10)
I've scheduled the next remote Developer Den for next Wednesday, February 17th. This is a remote version of the Developer
Den at SharkFest, a room that we set aside for office hours where everyone is welcome to stop in, say hello, ask
questions, etc.
The link below has a "join from browser" option, so it should be possible to connect without installing Zoom's client.
----
Gerald Combs is inviting you to a scheduled Zoom...
Re: Submitting Replacement Code
Paul Offord (Feb 10)
Thanks Pascal
Sent from my iPad
Fwd: [Season of Docs - Announcements] The 2021 Season of Docs application for organizations is open!
Moshe Kaplan (Feb 10)
Is this worth participating in again?
Moshe
---------- Forwarded message ---------
From: Season of Docs - Announce <season-of-docs-announce () googlegroups com>
Date: Tue, Feb 9, 2021 at 1:09 PM
Subject: [Season of Docs - Announcements] The 2021 Season of Docs
application for organizations is open!
To: Season of Docs - Announce <season-of-docs-announce () googlegroups com>
We’re delighted to announce Season of Docs
<...
Re: Submitting Replacement Code
Pascal Quantin (Feb 10)
Hi Paul,
On Wed, Feb 10, 2021 at 18:37, Paul Offord <paul.offord58 () gmail com>
wrote:
As explained in
https://gitlab.com/wireshark/wireshark/-/wikis/Development/SubmittingPatches,
you can amend your change and do a 'git push downstream +HEAD' to force an
update of your branch. This will automatically update the associated MR.
Best regards,
Pascal.
Submitting Replacement Code
Paul Offord (Feb 10)
Hi,
I need some GitLab guidance. The procedure for submitting code is:
- Commit code changes to the local copy of my personal Wireshark repo
- Push the changes to my upstream personal repo
- Press the "Create merge request" button
Let's imagine that my code fails in the pipeline tests (mine often does :-(
). Should I close the original merge request or does my later push of
revised code simply reactivate the original...
Re: Gerrit commit missing in Gitlab
Guy Harris (Feb 09)
Issue filed with GitLab:
https://gitlab.com/gitlab-org/gitlab/-/issues/321008
Re: Gerrit commit missing in Gitlab
chuck c (Feb 09)
Thanks. I should have phrased that better.
I was trying to use "Blame" in the Gitlab web interface to look at a typo.
Re: Gerrit commit missing in Gitlab
Guy Harris (Feb 09)
"Doesn't exist" as in "immediately tells you no such commit" or as in "takes a long time and eventually gives you a 500
error"? I get the latter; presumably that's "500 Internal Server Error".
The commit *is* in repositories I've cloned from GitLab, as per "git show 2eb7b05b8c9c6408268f0d1e81f0a18a02610f1c", so
this may just be an error in GitLab's Web view of commits -...
Gerrit commit missing in Gitlab
chuck c (Feb 09)
2eb7b05b - Convert most UDP dissectors to use "auto" preferences.
Exists in Gerrit:
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2eb7b05b8c9c6408268f0d1e81f0a18a02610f1c
Links to it in Gitlab on these pages:
https://gitlab.com/wireshark/wireshark/-/blame/master/epan/dissectors/packet-uftp.c
https://gitlab.com/wireshark/migration-test/-/commit/c59f7fc8fec4e8c9fca27053e3c63a93adca3cb5
The commit doesn't...
Re: Procedure to solve/close issues in Gitlab
Jirka Novak (Feb 09)
Hi Pascal,
OK, for next time.
Please find all issues with 'rtp' in the description; about half have a
note from me at the end that they are solved and can be closed.
My plan is to review the rest, but it will take some time...
Best regards,
Jirka Novak
Re: Procedure to solve/close issues in Gitlab
Pascal Quantin (Feb 09)
Hi Jirka,
On Tue, Feb 9, 2021 at 12:51, Jirka Novak <j.novak () netsystem cz> wrote:
When you have a MR fixing a given bug, please add a fixes #XXX comment in
your commit message so that GitLab can close the issue automatically. It
will avoid the need to manually close them afterwards.
Can I or someone else close them?
I do not know if you have the rights to close an issue in GitLab, but if
not leave a comment and we will close...
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Snort Subscriber Rules Update 2021-02-11
Research (Feb 11)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-webkit,
file-image, file-pdf, malware-cnc, malware-other, netbios, os-other and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Subscriber Rules Update 2021-02-09
Research (Feb 09)
Talos Snort Subscriber Rules Update
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.
Details:
Microsoft Vulnerability CVE-2021-1698:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 57106 through 57107.
Microsoft Vulnerability...
Re: Bug in community ruleset rule (sid 975)
Alex McDonnell (Feb 09)
Reference was fixed and will be out shortly in rev 27 of the rule.
Thanks for pointing it out!
On Mon, Feb 8, 2021 at 5:06 AM Noah Dietrich <noah_dietrich () 86penny org>
wrote:
Bug in community ruleset rule (sid 975)
Noah Dietrich (Feb 08)
While parsing the community-rules file, i found an incorrectly-formatted
reference:url:
the url is listed as:
support.microsoft.com/default.aspx?scid=kb*\;*EN-US*\;*q188806
(you'll note the *\;* here which seems incorrect)
The whole Rule is:
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (
msg:"SERVER-IIS Alternate Data streams ASP file access attempt";
flow:to_server,established; http_uri; content:".asp|3A...
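In Snort rule syntax a literal semicolon inside an option argument has to be written as "\;", because an unescaped ";" ends the option. The following is an added example, not code from this thread or from the Snort project: a small Python tokenizer for the option part of a rule that applies that escape, rebuilds the reference URL from the escaped form, and shows what happens to the same rule when the semicolons are left bare. The two rules it parses are constructed stand-ins modelled on the quoted rule, not the community rule sid 975, and the keyword list is a hand-picked subset used only to spot stray tokens.

```python
r"""Tokenise the option section of a Snort rule, honouring the '\;' escape that
the rule syntax requires for a literal semicolon inside an option argument.
Added example; the rules below are constructed, not the community rule (sid 975)."""

# Hand-picked subset of rule option keywords, enough for the sample rules.
KNOWN_KEYWORDS = {
    "msg", "flow", "http_uri", "content", "reference", "classtype",
    "sid", "rev", "metadata", "service", "pcre", "nocase", "fast_pattern",
}

# Constructed stand-in modelled on the SERVER-IIS rule quoted in the thread.
GOOD_RULE = (
    r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( '
    r'msg:"LOCAL IIS alternate data stream ASP access test"; '
    r'flow:to_server,established; http_uri; content:".asp|3A|",fast_pattern,nocase; '
    r'reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; '
    r'classtype:web-application-attack; sid:1000001; rev:1; )'
)
# The same rule with the semicolons in the URL left unescaped.
BAD_RULE = GOOD_RULE.replace(r"\;", ";")


class RuleError(ValueError):
    pass


def split_rule(text):
    """Return (header, option_text); a leading '#' (a disabled rule) is tolerated."""
    text = text.strip().lstrip("#").strip()
    lpar = text.find("(")
    if lpar < 0 or not text.endswith(")"):
        raise RuleError("rule has no '( ... )' option section")
    return text[:lpar].strip(), text[lpar + 1:-1]


def parse_options(option_text):
    r"""Return [(keyword, argument)], splitting on unescaped ';'.
    '\;', '\"' and '\\' become the literal character; a bare keyword such as
    http_uri gets argument None; the last option must be terminated by ';'."""
    items, buf, i = [], [], 0
    while i < len(option_text):
        c = option_text[i]
        if c == "\\" and i + 1 < len(option_text) and option_text[i + 1] in ';"\\':
            buf.append(option_text[i + 1])   # escaped character, keep it literally
            i += 2
            continue
        if c == ";":
            items.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if "".join(buf).strip():
        raise RuleError("last option is not terminated with ';'")
    out = []
    for item in items:
        item = item.strip()
        if not item:
            continue
        kw, sep, arg = item.partition(":")
        out.append((kw.strip(), arg.strip() if sep else None))
    return out


def references(rule_text):
    """Return [(system, id)] for every reference option, escapes undone."""
    _, opts = split_rule(rule_text)
    refs = []
    for kw, arg in parse_options(opts):
        if kw == "reference" and arg:
            system, _, ident = arg.partition(",")
            refs.append((system.strip(), ident.strip()))
    return refs


def unknown_keywords(rule_text):
    """Keywords outside KNOWN_KEYWORDS; an unescaped ';' shows up here as
    fragments of the argument masquerading as option keywords."""
    _, opts = split_rule(rule_text)
    return [kw for kw, _ in parse_options(opts) if kw not in KNOWN_KEYWORDS]


if __name__ == "__main__":
    print("escaped:  ", references(GOOD_RULE), unknown_keywords(GOOD_RULE))
    print("unescaped:", references(BAD_RULE), unknown_keywords(BAD_RULE))
```

With the escaped form the reference comes back as one URL containing both semicolons; with the bare form the URL is cut at the first ";" and "EN-US" and "q188806" surface as unknown keywords, which is the kind of check a ruleset linter can run before a rule ever reaches the engine.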
Snort Subscriber Rules Update 2021-02-04
Research (Feb 04)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the
indicator-compromise, indicator-scan, os-windows and server-webapp rule
sets to provide coverage for emerging threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Re: the snort3 how to support the suricata rules ? like this keywords?
Joel Esler (jesler) via Snort-devel (Feb 02)
Hit send too fast, sorry. While we do not support Suricata rules, http_header is very flexible in Snort 3. It can be
used in conjunction with any header field arbitrarily without having to add rule options to the engine:
snort_user.html <https://snort.org/downloads/snortplus/snort_user.html>
Please check out the section on the HTTP preprocessor (can be found on the left)
Re: the snort3 how to support the suricata rules ? like this keywords?
Joel Esler (jesler) via Snort-devel (Feb 02)
We do not support suricata rules.
Snort Subscriber Rules Update 2021-02-02
Research (Feb 02)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-chrome,
file-image, file-pdf, indicator-compromise, malware-other, os-windows,
protocol-scada, protocol-voip, server-oracle and server-webapp rule
sets to provide coverage for emerging threats from these technologies.
For a complete list of new and modified rules please...
the snort3 how to support the suricata rules ? like this keywords?
15135147016--- via Snort-devel (Feb 02)
the snort3 how to support the suricata rules ? like this keywords?
Keyword            Legacy Content Modifier   Direction
http.uri           http_uri                  Request
http.uri.raw       http_raw_uri              Request
http.method        http_method               Request
http.request_line  http_request_line (*)     Request
http.request_body  http_client_body          Request
http.header        http_header               Both
http.header.raw    http_raw_header           Both
http.cookie        http_cookie               Both
http.user_agent    http_user_agent           Request
http.host          http_host                 Request...
Re: Bug in alert_syslog module?
Michael Altizer (mialtize) via Snort-devel (Feb 01)
Yep, that's a bug - thanks for reporting it. The workaround for now
would be to explicitly configure the alert_syslog module in your
snort.lua (alert_syslog = { }) rather than just specifying it on the
command line.
Bug in alert_syslog module?
W. Michael Petullo (Jan 31)
I have found that loading the alert_syslog module crashes snort
3.1.0.0 on OpenWrt. (I am the maintainer of the OpenWrt snort packages).
It looks like ModuleManager's get_default_module unconditionally passes
NULL to the third argument of mod->verified_end():
Module* ModuleManager::get_default_module(const char* s, SnortConfig* sc)
{
    Module* mod = get_module(s);
    if ( mod )
    {
        mod->verified_begin(s, 0, sc);...
Re: OpenAppId archive from snort.org (version 339) has bug in DetectorCommon: getStringValue
Shravan Rangarajuvenkata (shrarang) via Snort-devel (Jan 28)
Thanks a lot for bringing this to our attention! We will fix this issue in the next openAppId release.
Thanks,
Shravan
From: Snort-devel <snort-devel-bounces () lists snort org>
Date: Thursday, January 28, 2021 at 9:24 AM
To: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: [Snort-devel] OpenAppId archive from snort.org (version 339) has bug in DetectorCommon: getStringValue
Hello , in OpenAppId archive from...
Snort Subscriber Rules Update 2021-01-28
Research (Jan 28)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-webkit,
exploit-kit, malware-cnc, malware-other and server-webapp rule sets to
provide coverage for emerging threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
OpenAppId archive from snort.org (version 339) has bug in DetectorCommon: getStringValue
Meridoff via Snort-devel (Jan 28)
Hello, the OpenAppId archive from snort.org (version 339) has a bug in
DetectorCommon: getStringValue (...)
Patch that fixes:
local function getStringValue (data, length)
- local stringValue
- local hexValue = '0x'
+ local stringValue = '0x'
local index = 0
while (index < length) do
stringValue = string.format('%s%.2x', stringValue,
string.byte(data,index+1))
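Review bot: the initialisation fix is right (the old code formatted a nil stringValue on the first iteration), but the loop still trusts the caller's length: if length exceeds #data, string.byte(data, index+1) returns no value and string.format('%s%.2x', stringValue, ...) raises instead of returning a short string. Consider clamping with "length = math.min(length, #data)" before the while. Since the hunk is cut off, also confirm that no later line of the function still refers to the removed hexValue.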
Snort Subscriber Rules Update 2021-01-26
Research (Jan 26)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the file-image,
file-other, indicator-compromise, malware-cnc and server-webapp rule
sets to provide coverage for emerging threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.