Re: msg update for these, please?

[Alex Kirk <akirk () sourcefire com>]

> well, i wasn't really asking anything... i was pointing out what i see in
> the rule... one's a download from a server to the client and the other is an
> upload from the client to a server... actually, "server" may be a misnomer
> here but that could be semantics, too...
>
>
>  Yes, SID 15306 is for data traveling "down" to the client,
> >
>
> yes, that's my take on it, too...
>
>
>  16425 looks at a packet coming "up" from the client -
> >
>
> yes, so the client is uploading a file... possibly a game or
> self-extracting binary to a file distribution channel like on the original
> BBS' where users uploaded and downloaded lottsa files all day long ;)
>
> No, it's not. It's sending a GET request to the server that has a URI which
contains .exe. It's asking for a .exe file.

>  which will then trigger data coming back "down" from the server that you
> > may
> > not want.
>
> hunh? where do you see that in 1:16425? it would be the job of /other/
> rules to detect that, wouldn't it? ;)

You don't see that in 16425. It's implied, though, from the fact that the
client has requested a .exe file that it's probably going to get such a file
returned to it. While 15306 will generally alert on the file being returned,
we have SID 16425 because some people want to drop outbound requests that
have .exe in the URI.


> in any case, i really do think it best that the one to the client denotes
> that and the one to the server denotes that as well... no matter what else
> may happen after it gets where it is going :)  i do try to adhere to the
> KISS principle and go with the most simple choice when i can instead of
> over-engineering things ;) :P
>
>
>      > Duplicate messages are generally no fun, though, so how about making
> > the
> >    second
> >     > one "WEB-CLIENT Portable Executable binary file transfer - .exe in
> > URI"?
> >
> >    that might work but see above... ;)
> >
> >     > On Tue, Sep 28, 2010 at 1:48 PM, waldo kitty <
> > wkitty42 () windstream net
> >    <mailto:wkitty42 () windstream net>
> >     > <mailto:wkitty42 () windstream net <mailto:wkitty42 () windstream net>>>
> > wrote:
> >     >
> >     >
> >     >     can we get a MSG update for these, please??
> >     >
> >     >     OLD:
> >     >     15306   WEB-CLIENT Portable Executable binary file transfer
> >     >     16425   WEB-CLIENT Portable Executable binary file transfer
> >     >
> >     >     NEW:
> >     >     15306   WEB-CLIENT Portable Executable binary file transfer to
> > client
> >     >     16425   WEB-CLIENT Portable Executable binary file transfer to
> > server
> >     >
> >     >     or some such?
> >     >
> >     >     thanks!


-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users