List: security-onion
Subject: Re: [security-onion] Sig 2014726 - Outdated Windows Flash Version IE
From: Heine Lysemose <lysemose () gmail ! com>
Date: 2013-09-25 18:59:57
Message-ID: CAN4C-DmBGz+38rb+Q=XYpo9RhvoCnL=88NM0eRajRTSbQK12KQ () mail ! gmail ! com
It should. Around 07.00 GMT.
Maybe ET hasn't updated their rules yet.
You could disable or modify the rule temporarily until a new revision is
available.
/Lysemose
On Sep 25, 2013 8:56 PM, "Matt Vaughan" <mcvaughan@gmail.com> wrote:
> Right. My clients are on that now.
>
> How can I check for a newer rule? My assumption was that SO did this
> daily, or do I need to update rules manually?
>
>
>
> On Wed, Sep 25, 2013 at 1:42 PM, Heine Lysemose <lysemose@gmail.com> wrote:
>
> > Hi Matt
> >
> > According to Adobe's own listing,
> > http://www.adobe.com/software/flash/about/, the latest version is
> > 11.8.800.175 for ActiveX.
> >
> > Have you checked to see if there is a newer revision of the rule?
> >
> > Regards,
> > Lysemose
> > On Sep 25, 2013 8:35 PM, "Matt Vaughan" <mcvaughan@gmail.com> wrote:
> >
> > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> > > Outdated Windows Flash Version IE"; flow:established,to_server;
> > > content:"x-flash-version|3a| "; http_header;content:!"11,8,800,168|0d 0a|";
> > > distance:0; within:14; http_header; content:"MSIE "; http_header;
> > > pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm"; threshold: type limit, count 1,
> > > seconds 60, track by_src; reference:url,
> > > www.adobe.com/software/flash/about/; classtype:policy-violation;
> > > sid:2014726; rev:23;)
> > >
> > >
> > > On Wednesday, September 25, 2013 12:33:31 PM UTC-5, Heine Lysemose wrote:
> > > > Hi Matt
> > > >
> > > > Could you post the whole rule, I'm not in front of a computer right
> > > > now.
> > > >
> > > > Regards,
> > > >
> > > > Lysemose
> > > >
> > > > On Sep 25, 2013 6:30 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > > >
> > > > I'm trying to determine why this sig is firing. Clients are all up to
> > > > date, however it's a newer version than what's in the Snort rule. Is this
> > > > sig firing because it's not exactly what's stated in the rule?
> > > >
> > > >
> > > >
> > > >
> > > > Thx
> > > >
> > > >
> > > >
> > > > --
> > > >
> > > > You received this message because you are subscribed to the Google
> > > Groups "security-onion" group.
> > > >
> > > > To unsubscribe from this group and stop receiving emails from it, send
> > > an email to security-onio...@googlegroups.com.
> > > >
> > > > To post to this group, send email to securit...@googlegroups.com.
> > > >
> > > > Visit this group at http://groups.google.com/group/security-onion.
> > > >
> > > > For more options, visit https://groups.google.com/groups/opt_out.
> > >
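As an added illustration (not part of the thread, and not Emerging Threats' or Security Onion's code), the matching logic of sid 2014726 rev:23 as posted above, modelled in Python and run over constructed sample request headers. It shows why a client on a Flash build newer than the one the rule pins still trips the negated content match, and contrasts that with a numeric "older than the current release" comparison, which is the question the original poster actually wanted answered. The user agents, request strings and the CURRENT_VERSION constant are constructed assumptions, not captured traffic.

```python
import re

RULE_VERSION = "11,8,800,168"     # build pinned in sid:2014726 rev:23 (from the thread)
CURRENT_VERSION = "11,8,800,175"  # ActiveX build Adobe listed at the time (from the thread)

# Constructed sample user agents; not captured traffic.
IE_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"

def make_request(user_agent, flash_version):
    """Build a constructed HTTP request header block carrying the Flash header."""
    return ("GET / HTTP/1.1\r\nHost: www.example.test\r\n"
            f"User-Agent: {user_agent}\r\n"
            f"x-flash-version: {flash_version}\r\n\r\n")

def _flash_version(raw):
    # content:"x-flash-version|3a| "; http_header  (no nocase, so case-sensitive)
    m = re.search(r"^x-flash-version: ([^\r\n]*)\r\n", raw, re.M)
    return m.group(1) if m else None

def _is_msie(raw):
    # content:"MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm"
    return ("MSIE " in raw and
            re.search(r"^User-Agent\x3a[^\r\n]+?MSIE", raw, re.M) is not None)

def rule_fires(raw):
    """Model of sid 2014726 rev:23 as posted. The negated match
    content:!"11,8,800,168|0d 0a|"; distance:0; within:14 only suppresses the
    alert when the header is exactly the pinned build followed by CRLF, so
    any other build, older OR newer, fires."""
    ver = _flash_version(raw)
    if ver is None or not _is_msie(raw):
        return False
    return ver != RULE_VERSION

def _version_tuple(ver):
    return tuple(int(part) for part in re.split(r"[.,]", ver))

def is_outdated(raw, current=CURRENT_VERSION):
    """What the poster actually wants to know: is the reported build older
    than the current release? Numeric comparison, so 11,8,800,175 passes
    until CURRENT_VERSION is raised again."""
    ver = _flash_version(raw)
    if ver is None or not _is_msie(raw):
        return False
    try:
        return _version_tuple(ver) < _version_tuple(current)
    except ValueError:
        return False  # header value is not a version string; out of scope here
```

Until ET ships a revision with the new build, the rule as written will keep alerting on fully patched IE clients, which is why the suggestion above to disable or modify it temporarily is the practical workaround.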