
List:       security-onion
Subject:    Re: [security-onion] Sig 2014726 - Outdated Windows Flash Version IE
From:       Heine Lysemose <lysemose () gmail ! com>
Date:       2013-09-25 18:42:39
Message-ID: CAN4C-D=pN1JTs-k6sXPVaWyvbRVSNcrwyK-0KfNAX024+poHLg () mail ! gmail ! com

Hi Matt

According to Adobe's own listing, http://www.adobe.com/software/flash/about/,
the latest version is 11.8.800.175 for ActiveX.

Have you checked to see if there is a newer revision of the rule?

Regards,
Lysemose
On Sep 25, 2013 8:35 PM, "Matt Vaughan" <mcvaughan@gmail.com> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> Outdated Windows Flash Version IE"; flow:established,to_server;
> content:"x-flash-version|3a| "; http_header;content:!"11,8,800,168|0d 0a|";
> distance:0; within:14; http_header; content:"MSIE "; http_header;
> pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm"; threshold: type limit, count 1,
> seconds 60, track by_src; reference:url,
> www.adobe.com/software/flash/about/; classtype:policy-violation;
> sid:2014726; rev:23;)
> 
> 
> On Wednesday, September 25, 2013 12:33:31 PM UTC-5, Heine Lysemose wrote:
> > Hi Matt
> > 
> > Could you post the whole rule, I'm not in front of a computer right now.
> > 
> > Regards,
> > 
> > Lysemose
> > 
> > On Sep 25, 2013 6:30 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > 
> > I'm trying to determine why this sig is firing.  Clients are all up to
> date, however it's a newer version than what's in the Snort rule.  Is this
> sig firing because it's not exactly what's stated in the rule?
> > 
> > 
> > 
> > 
> > Thx
> > 
> > 
> > 

-- 
You received this message because you are subscribed to the Google Groups
"security-onion" group. To unsubscribe from this group and stop receiving emails from
it, send an email to security-onion+unsubscribe@googlegroups.com. To post to this
group, send email to security-onion@googlegroups.com. Visit this group at
http://groups.google.com/group/security-onion. For more options, visit
https://groups.google.com/groups/opt_out.
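The rule Matt posted pins a single version string in a negated content match (`content:!"11,8,800,168|0d 0a|"; distance:0; within:14;`), so any x-flash-version value other than that exact string, older or newer, satisfies the negation and the rule fires on IE clients. The following Python is an added example, not code from the thread or from Emerging Threats: it re-implements the rule's content/pcre checks and its `threshold: type limit` over constructed header blocks (the User-Agent strings, source IPs and timestamps are made up for the demonstration) and shows that the 11,8,800,175 build Lysemose cites trips the rule exactly as a genuinely old build does. It models only the header matching and threshold, not Snort's flow tracking, port checks or HTTP normalization.

```python
import re

# Constructed request headers (not captured traffic). IE with the Flash
# ActiveX control adds an x-flash-version header carrying the installed build.
IE8_UA = b"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
FF_UA = b"Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0"


def make_headers(user_agent: bytes, flash_version: bytes) -> bytes:
    """Build the header block Snort exposes to the rule as the http_header buffer."""
    return (b"Host: www.example.com\r\n"
            b"User-Agent: " + user_agent + b"\r\n"
            b"x-flash-version: " + flash_version + b"\r\n"
            b"Accept: */*\r\n\r\n")


def rule_2014726_matches(headers: bytes) -> bool:
    """Re-implementation of the content/pcre checks of sid 2014726 rev 23.

    The rule pins exactly one version string; because that content is
    negated, any other value (older OR newer) passes and the rule fires.
    """
    # content:"x-flash-version|3a| "; http_header;   (case-sensitive: no nocase)
    needle = b"x-flash-version: "
    idx = headers.find(needle)
    if idx == -1:
        return False
    end = idx + len(needle)
    # content:!"11,8,800,168|0d 0a|"; distance:0; within:14;
    # The 14-byte pattern must end within 14 bytes of the previous match, so it
    # can only sit immediately after it. If it is there, the negation fails.
    if headers[end:end + 14] == b"11,8,800,168\r\n":
        return False
    # content:"MSIE "; http_header;
    if b"MSIE " not in headers:
        return False
    # pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm"   (H = header buffer, m = multiline)
    return re.search(rb"^User-Agent\x3a[^\r\n]+?MSIE", headers, re.M) is not None


class LimitThreshold:
    """threshold: type limit, count 1, seconds 60, track by_src.

    Emits at most `count` alerts per source in each `seconds`-long window,
    then suppresses further events from that source until the window ends.
    """

    def __init__(self, count: int = 1, seconds: int = 60):
        self.count = count
        self.seconds = seconds
        self._state = {}  # src -> (window_start, alerts_emitted)

    def allow(self, src: str, now: float) -> bool:
        start, emitted = self._state.get(src, (None, 0))
        if start is None or now - start >= self.seconds:
            self._state[src] = (now, 1)  # open a new window with this alert
            return True
        if emitted < self.count:
            self._state[src] = (start, emitted + 1)
            return True
        return False  # suppressed for the rest of the window


# Constructed events: (timestamp in seconds, source IP, header block).
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", make_headers(IE8_UA, b"11,8,800,168")),   # pinned build: silent
    (1.0, "10.0.0.6", make_headers(IE8_UA, b"11,8,800,175")),   # newer than the rule: fires
    (2.0, "10.0.0.7", make_headers(IE8_UA, b"11,7,700,224")),   # genuinely outdated: fires
    (3.0, "10.0.0.8", make_headers(FF_UA, b"11,8,800,94")),     # not an MSIE UA: silent
    (30.0, "10.0.0.6", make_headers(IE8_UA, b"11,8,800,175")),  # repeat inside 60 s: thresholded
    (70.0, "10.0.0.6", make_headers(IE8_UA, b"11,8,800,175")),  # new 60 s window: fires again
]


def run_detection(events):
    """Apply the rule plus its threshold; return (timestamp, src) for each emitted alert."""
    threshold = LimitThreshold(count=1, seconds=60)
    alerts = []
    for ts, src, headers in events:
        if rule_2014726_matches(headers) and threshold.allow(src, ts):
            alerts.append((ts, src))
    return alerts


if __name__ == "__main__":
    for ts, src in run_detection(SAMPLE_EVENTS):
        print(f"{ts:6.1f}s  {src}  ET POLICY Outdated Windows Flash Version IE")
```

Running it emits alerts for 10.0.0.6 at t=1 and t=70 and for 10.0.0.7 at t=2: the fully patched 11,8,800,175 client is reported alongside the genuinely outdated one, which is the behaviour Matt observed. The only remedy is a rule revision whose pinned string matches the current release, so checking for a newer rev, as suggested above, is the right move.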

