Snort mailing list archives
Re: Sourcefire VRT Certified Snort Rules Update 2010-09-14
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Wed, 15 Sep 2010 11:33:49 -0400
On Wed, 15 Sep 2010 09:10:53 -0600, Bryan Arenal wrote:
Am I the only one who noticed that when downloading this rule update, it says that it's from August 12th?

---
# wget http://www.snort.org/pub-bin/oinkmaster.cgi/<OINKCODE>/snortrules-snapshot-2861.tar.gz
--2010-09-15 14:55:20--  http://www.snort.org/pub-bin/oinkmaster.cgi/<OINKCODE>/snortrules-snapshot-2861.tar.gz
Resolving www.snort.org... 68.177.102.20
Connecting to www.snort.org|68.177.102.20|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://s3.amazonaws.com/snort.org/rules/20100812/snortrules-snapshot-2861.tar.gz?blah [following]
--2010-09-15 14:55:21--  https://s3.amazonaws.com/snort.org/rules/20100812/snortrules-snapshot-2861.tar.gz?blah
Resolving s3.amazonaws.com... 72.21.202.164
Connecting to s3.amazonaws.com|72.21.202.164|:443... connected.
HTTP request sent, awaiting response... 200 OK
---

Sure enough, those are the timestamps in the tarball as well:

---
root@localhost [~/tmp/rules] # ls -ltr
total 9760
-rw-r--r-- 1 root root 396 Aug 18 2002 cgi-bin.list
-rw-r--r-- 1 root root 16724 Mar 10 2005 VRT-License.txt
-rw-r--r-- 1 root root 1327 May 16 2005 experimental.rules
-rw-r--r-- 1 root root 767 Jan 19 2010 Makefile.am
-rw-r--r-- 1 root root 1512 Aug 12 17:37 x11.rules
-rw-r--r-- 1 root root 52093 Aug 12 17:37 web-php.rules
-rw-r--r-- 1 root root 158362 Aug 12 17:37 web-misc.rules
-rw-r--r-- 1 root root 51639 Aug 12 17:37 web-iis.rules
-rw-r--r-- 1 root root 13768 Aug 12 17:37 web-frontpage.rules
-rw-r--r-- 1 root root 15411 Aug 12 17:37 web-coldfusion.rules
-rw-r--r-- 1 root root 167839 Aug 12 17:37 web-client.rules
-rw-r--r-- 1 root root 123693 Aug 12 17:37 web-cgi.rules
-rw-r--r-- 1 root root 1470 Aug 12 17:37 web-attacks.rules
-rw-r--r-- 1 root root 1921128 Aug 12 17:37 web-activex.rules
-rw-r--r-- 1 root root 26603 Aug 12 17:37 voip.rules
-rw-r--r-- 1 root root 1576 Aug 12 17:37 virus.rules
-rw-r--r-- 1 root root 5566 Aug 12 17:37 tftp.rules
-rw-r--r-- 1 root root 8067 Aug 12 17:37 telnet.rules
-rw-r--r-- 1 root root 47132 Aug 12 17:37 sql.rules
-rw-r--r-- 1 root root 552240 Aug 12 17:37 spyware-put.rules
-rw-r--r-- 1 root root 183524 Aug 12 17:37 specific-threats.rules
-rw-r--r-- 1 root root 7057 Aug 12 17:37 snmp.rules
-rw-r--r-- 1 root root 49205 Aug 12 17:37 smtp.rules
-rw-r--r-- 1 root root 8090 Aug 12 17:37 shellcode.rules
-rw-r--r-- 1 root root 5112 Aug 12 17:37 scan.rules
-rw-r--r-- 1 root root 15247 Aug 12 17:37 scada.rules
-rw-r--r-- 1 root root 3987 Aug 12 17:37 rservices.rules
-rw-r--r-- 1 root root 88695 Aug 12 17:37 rpc.rules
-rw-r--r-- 1 root root 15112 Aug 12 17:37 pop3.rules
-rw-r--r-- 1 root root 1048 Aug 12 17:37 pop2.rules
-rw-r--r-- 1 root root 36085 Aug 12 17:37 policy.rules
-rw-r--r-- 1 root root 22692 Aug 12 17:37 phishing-spam.rules
-rw-r--r-- 1 root root 6434 Aug 12 17:37 p2p.rules
-rw-r--r-- 1 root root 1493 Aug 12 17:37 other-ids.rules
-rw-r--r-- 1 root root 196992 Aug 12 17:37 oracle.rules
-rw-r--r-- 1 root root 1246 Aug 12 17:37 open-test.conf
-rw-r--r-- 1 root root 5806 Aug 12 17:37 nntp.rules
-rw-r--r-- 1 root root 214844 Aug 12 17:37 netbios.rules
-rw-r--r-- 1 root root 13432 Aug 12 17:37 mysql.rules
-rw-r--r-- 1 root root 6977 Aug 12 17:37 multimedia.rules
-rw-r--r-- 1 root root 31912 Aug 12 17:37 misc.rules
-rw-r--r-- 1 root root 199 Aug 12 17:37 local.rules
-rw-r--r-- 1 root root 1043 Aug 12 17:37 info.rules
-rw-r--r-- 1 root root 30718 Aug 12 17:37 imap.rules
-rw-r--r-- 1 root root 5474 Aug 12 17:37 icmp.rules
-rw-r--r-- 1 root root 16989 Aug 12 17:37 icmp-info.rules
-rw-r--r-- 1 root root 33679 Aug 12 17:37 ftp.rules
-rw-r--r-- 1 root root 4579 Aug 12 17:37 finger.rules
-rw-r--r-- 1 root root 121557 Aug 12 17:37 exploit.rules
-rw-r--r-- 1 root root 18664 Aug 12 17:37 dos.rules
-rw-r--r-- 1 root root 10826 Aug 12 17:37 dns.rules
-rw-r--r-- 1 root root 5042272 Aug 12 17:37 deleted.rules
-rw-r--r-- 1 root root 8239 Aug 12 17:37 ddos.rules
-rw-r--r-- 1 root root 8311 Aug 12 17:37 content-replace.rules
-rw-r--r-- 1 root root 19811 Aug 12 17:37 chat.rules
-rw-r--r-- 1 root root 23752 Aug 12 17:37 botnet-cnc.rules
-rw-r--r-- 1 root root 40034 Aug 12 17:37 blacklist.rules
-rw-r--r-- 1 root root 2830 Aug 12 17:37 bad-traffic.rules
-rw-r--r-- 1 root root 317279 Aug 12 17:37 backdoor.rules
-rw-r--r-- 1 root root 4647 Aug 12 17:37 attack-responses.rules
---

Seriously, WTF?

Well, your seriously wtf is that you have the registered rule set, not the subscriber set. If you have a subscription, then you need to get in touch with snort-sub () sourcefire com.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
