List:       security-onion
Subject:    Re: [security-onion] Sig 2014726 - Outdated Windows Flash Version IE
From:       Doug Burks <doug.burks () gmail ! com>
Date:       2013-09-25 18:57:30
Message-ID: CAK8kjrCG0UgJR15e3iEW=35w8uM5-Ees0hWgsDm+F2wGrZPb6g () mail ! gmail ! com

Yes, you should be getting updated rules every day.  According to the
Emerging Threats site, you have the latest version of that rule (rev
23):
http://doc.emergingthreats.net/bin/view/Main/2014726

You might want to ask the ET folks to update that rule.

Thanks,
Doug

On Wed, Sep 25, 2013 at 2:55 PM, Matt Vaughan <mcvaughan@gmail.com> wrote:
> Right.  My clients are on that now.
> 
> How can I check for a newer rule?  My assumption was that SO did this daily,
> or do I need to update rules manually?
> 
> 
> 
> On Wed, Sep 25, 2013 at 1:42 PM, Heine Lysemose <lysemose@gmail.com> wrote:
> > 
> > Hi Matt
> > 
> > According to Adobe's own listing,
> > http://www.adobe.com/software/flash/about/, the latest version is
> > 11.8.800.175 for ActiveX.
> > 
> > Have you checked to see if there is a newer revision of the rule?
> > 
> > Regards,
> > Lysemose
> > 
> > On Sep 25, 2013 8:35 PM, "Matt Vaughan" <mcvaughan@gmail.com> wrote:
> > > 
> > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> > > Outdated Windows Flash Version IE"; flow:established,to_server;
> > > content:"x-flash-version|3a| "; http_header;content:!"11,8,800,168|0d 0a|";
> > > distance:0; within:14; http_header; content:"MSIE "; http_header;
> > > pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm"; threshold: type limit, count 1,
> > > seconds 60, track by_src; reference:url,www.adobe.com/software/flash/about/;
> > > classtype:policy-violation; sid:2014726; rev:23;)
> > > 
> > > 
> > > On Wednesday, September 25, 2013 12:33:31 PM UTC-5, Heine Lysemose wrote:
> > > > Hi Matt
> > > > 
> > > > Could you post the whole rule, I'm not in front of a computer right
> > > > now.
> > > > 
> > > > Regards,
> > > > 
> > > > Lysemose
> > > > 
> > > > On Sep 25, 2013 6:30 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > > > 
> > > > I'm trying to determine why this sig is firing.  Clients are all up to
> > > > date, however it's a newer version than what's in the Snort rule.  Is this
> > > > sig firing because it's not exactly what's stated in the rule?
> > > > 
> > > > 
> > > > 
> > > > 
> > > > Thx
> > > > 
> > > > 
> > > > 
> > > > --
> > > > 
> > > > You received this message because you are subscribed to the Google
> > > > Groups "security-onion" group.
> > > > 
> > > > To unsubscribe from this group and stop receiving emails from it, send
> > > > an email to security-onio...@googlegroups.com.
> > > > 
> > > > To post to this group, send email to securit...@googlegroups.com.
> > > > 
> > > > Visit this group at http://groups.google.com/group/security-onion.
> > > > 
> > > > For more options, visit https://groups.google.com/groups/opt_out.



-- 
Doug Burks
http://securityonion.blogspot.com
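
Added example, not part of the original thread: a Python approximation of the header checks in sid:2014726 rev 23 as quoted above, showing that the negated exact-string match alerts on any version other than 11,8,800,168, including the newer 11,8,800,175. The `triage` helper, the `CURRENT` value (taken from the version cited in the thread) and the sample headers are assumptions constructed for illustration; `flow` and `threshold` are not modelled.

```python
import re

MARKER = b"x-flash-version: "       # content:"x-flash-version|3a| "
RULE_PINNED = b"11,8,800,168\r\n"   # negated content in sid:2014726 rev 23
UA_RE = re.compile(rb"^User-Agent\x3a[^\r\n]+?MSIE", re.M)  # the rule's pcre
VER_RE = re.compile(rb"x-flash-version: (\d+),(\d+),(\d+),(\d+)\r\n")
CURRENT = (11, 8, 800, 175)         # latest ActiveX build cited in the thread


def rule_fires(headers: bytes) -> bool:
    """Approximate the rule's header checks; flow and threshold are ignored."""
    pos = headers.find(MARKER)
    if pos < 0:
        return False
    start = pos + len(MARKER)
    # content:!"..."; distance:0; within:14 -> no alert only when the pinned
    # 14-byte string sits immediately after the marker.
    if headers[start:start + 14] == RULE_PINNED:
        return False
    return b"MSIE " in headers and UA_RE.search(headers) is not None


def triage(headers: bytes, current=CURRENT) -> str:
    """Compare the reported version numerically instead of by exact string."""
    if not rule_fires(headers):
        return "no alert"
    m = VER_RE.search(headers)
    if m is None:
        return "alert: version not parsable"
    version = tuple(int(g) for g in m.groups())
    if version < current:
        return "alert: client older than current"
    return "alert: rule pin is stale"


def request(version: bytes, agent: bytes = b"MSIE 8.0") -> bytes:
    """Constructed sample headers, not captured traffic."""
    return (b"Accept: */*\r\n"
            b"x-flash-version: " + version + b"\r\n"
            b"User-Agent: Mozilla/4.0 (compatible; " + agent + b"; Windows NT 6.1)\r\n"
            b"Host: example.com\r\n\r\n")


if __name__ == "__main__":
    for v in (b"11,8,800,175", b"11,8,800,168", b"11,7,700,224"):
        print(v.decode(), "->", triage(request(v)))
```

A client still on the pinned 11,8,800,168 produces no alert at all, so a stale pin causes missed detections as well as noise from up-to-date clients.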
