Snort mailing list archives
Re: [Spam] Re: Possible FP 17363
From: "Weir, Jason" <jason.weir () nhrs org>
Date: Tue, 26 Oct 2010 12:11:54 -0400
Funny you used the term bleeding edge....
I'll let Joel explain the different rule sets available from VRT but if
you are getting your bleeding edge rules from Emerging Threats...
-J
-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Tuesday, October 26, 2010 12:06 PM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] [Spam] Re: Possible FP 17363
So let me understand this. My understanding of the Subscription
Rules was that these were the latest and greatest bleeding edge
rules...especially for 0-day items, new malware, trojans, etc. The
Subscription Rules also contain "fixed" rules?
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday, October 26, 2010 8:55 AM
To: Lay, James
Cc: snort-sigs () lists sourceforge net
Subject: [Spam] Re: [Snort-sigs] Possible FP 17363
Importance: Low
Pastebin.
However, you aren't receiving the rule yet because it has not
come out of the 30 day window for registered users.
J
On Oct 26, 2010, at 10:48 AM, Lay, James wrote:
Thank you.
Oinkmaster.conf:
url = http://www.snort.org/pub-bin/oinkmaster.cgi/code/snortrules-snapshot-2900.tar.gz
url = http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz
path = /bin:/usr/bin:/usr/local/bin
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
skipfile local.rules
skipfile deleted.rules
skipfile snort.conf
disablesid 100000137,2002751,485,2006380,2001569,2011346,2011347,2003195,2003601,2003602,1390,1394,17246,17276,17297,17363
The snort.conf file is kinda beefy...what's the best method to
put this online? Thanks again.
James
From: Weir, Jason [mailto:jason.weir () nhrs org]
Sent: Tuesday, October 26, 2010 8:21 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Possible FP 17363
Have to see your oinkmaster.conf and snort.conf
-J
-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Tuesday, October 26, 2010 10:13 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] [Spam] Re: Possible FP 17363
Hrmm....that's confusing then...oinkmaster says:
Loading /usr/local/etc/snort/oinkmaster.conf
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2900.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Downloading file from http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Setting up rules structures... done.
Processing downloaded rules... disabled 8, enabled 0, modified 0, total=21693
Setting up rules structures... done.
Comparing new files to the old ones... done.
Updating local rules files... done.
Yet:
[08:11:48 me@ids:~/rules$] sudo grep 17363 *.rules
web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple computer finder DMG volume name memory corruption"; flow:to_client,established; content:"|4C 41 42 4C|"; byte_test:2,>,254,12,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:1;)
Are rules not getting updated in 2900? Or is my
oinkmaster not doing what it's supposed to do? Thanks for any help.
James
From: Alex Kirk [mailto:akirk () sourcefire com]
Sent: Monday, October 25, 2010 10:44 AM
To: rmkml
Cc: Lay, James; snort-sigs () lists sourceforge net;
rmkml () free fr
Subject: [Spam] Re: [Snort-sigs] Possible FP 17363
Importance: Low
Actually, this rule is currently at rev:3 - adding a
flowbit check and some additional bytes to the content match - due to
earlier false positive reports. If you get further FPs with the current
revision of the rule, please let us know.
On Mon, Oct 25, 2010 at 12:38 PM, rmkml <rmkml () yahoo fr> wrote:
Hi James,
Maybe, to reduce FPs a little, add "isdataat:255,relative;"
after byte_test()?
Another thought: maybe null bytes are the separator? Then instead
"isdataat:255,relative; content:!"|00|"; within:255;"?
Regards
Rmkml
PS:
http://www.securityfocus.com/archive/1/archive/1/456578/100/0/threaded
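The thread hinges on what is actually installed locally: James's grep shows sid 17363 at rev:1 while Alex says the current rule is rev:3, and 17363 is also in his oinkmaster disablesid list. The script below is an added example, not code from the thread or from oinkmaster: it parses a rules file and an oinkmaster.conf fragment and reports, per sid, whether the rule is missing, disabled (commented out or in disablesid), stale or current. The sid 17363 line is the one quoted above; the other two rule lines are constructed.

```python
import re
# Constructed sample rules file: the sid 17363 line quoted in the thread, reflowed
# onto one line, plus two made-up lines for the commented-out and local-rule cases.
RULES_SAMPLE = r'''alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple computer finder DMG volume name memory corruption"; flow:to_client,established; content:"|4C 41 42 4C|"; byte_test:2,>,254,12,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:1;)
# alert tcp any any -> any any (msg:"constructed, commented out by oinkmaster"; sid:99; rev:9;)
alert tcp any any -> any any (msg:"constructed local rule (parens ok)"; sid:1000001; rev:2;)
'''
# Constructed oinkmaster.conf fragment carrying the disablesid list from the thread.
OINK_SAMPLE = r'''update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
disablesid 100000137,2002751,485,2006380,2001569,2011346,2011347,2003195,2003601,2003602,1390,1394,17246,17276,17297,17363
'''
# Optional leading '#', the action, the header up to the first '(' and the options up to the last ')'.
RULE_RE = re.compile(r'^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s+[^(]*\((.*)\)\s*$')

def parse_rules(text):
    """Map sid -> {rev, enabled, options}. Splits on ';', so a msg with a literal ';' is not handled."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts, names = {}, set()
        for opt in m.group(3).split(';'):
            key, _, val = opt.strip().partition(':')
            if key:
                names.add(key)
                opts[key] = val.strip()
        if opts.get('sid', '').isdigit():
            rules[int(opts['sid'])] = {'rev': int(opts.get('rev', '0')),
                                      'enabled': m.group(1) is None, 'options': names}
    return rules

def parse_disablesid(conf_text):
    """Every SID named on a 'disablesid' line of oinkmaster.conf."""
    return {int(t) for line in conf_text.splitlines() if line.startswith('disablesid')
            for t in line[10:].split(',') if t.strip().isdigit()}

def audit(rules_text, conf_text, expected_rev):
    """For each sid -> expected rev, return (status, installed_rev): missing/disabled/stale/current."""
    rules, disabled = parse_rules(rules_text), parse_disablesid(conf_text)
    report = {}
    for sid, want in expected_rev.items():
        r = rules.get(sid)
        if r is None:
            report[sid] = ('missing', None)
        elif not r['enabled'] or sid in disabled:
            report[sid] = ('disabled', r['rev'])
        else:
            report[sid] = ('stale' if r['rev'] < want else 'current', r['rev'])
    return report
```

Running audit(RULES_SAMPLE, OINK_SAMPLE, {17363: 3}) reports 17363 as disabled at rev 1, which is why a newer revision arriving through the snapshot would still never fire on this sensor.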