
List:       security-onion
Subject:    Re: [security-onion] Sig 2014726 - Outdated Windows Flash Version IE
From:       Jeremy Hoel <jthoel () gmail ! com>
Date:       2013-09-25 19:45:26
Message-ID: CAH_p-VM=x-MhxPqQh0ZmYouqV9hQbr0UJFO2x2O_vSrqi8fE6g () mail ! gmail ! com

A quick fix with modifysid.conf looks like this:

2014726 "11,8,800,168" "11,8,800,175"


Set that up and rerun pulledpork with the -P flag and that should
update the sig (but not the sig in the snort/snorby db since the rev
didn't change, and you wouldn't want to do that since it's not
official), and that has the benefit of not working anymore when they
do update the rule, so it will be ignored.



On Wed, Sep 25, 2013 at 7:37 PM, Matt Vaughan <mcvaughan@gmail.com> wrote:
> Thx for the response guys.  I'll just hang tight until an update gets pushed
> out.
> 
> 
> 
> On Wed, Sep 25, 2013 at 1:59 PM, Heine Lysemose <lysemose@gmail.com> wrote:
> > 
> > It should. Around 07.00 GMT.
> > Maybe ET hasn't updated their rules yet.
> > 
> > You could disable or modify the rule temporarily until a new revision is
> > available.
> > 
> > /Lysemose
> > 
> > On Sep 25, 2013 8:56 PM, "Matt Vaughan" <mcvaughan@gmail.com> wrote:
> > > 
> > > Right.  My clients are on that now.
> > > 
> > > How can I check for a newer rule?  My assumption was that SO did this
> > > daily, or do I need to update rules manually?
> > > 
> > > 
> > > 
> > > On Wed, Sep 25, 2013 at 1:42 PM, Heine Lysemose <lysemose@gmail.com>
> > > wrote:
> > > > 
> > > > Hi Matt
> > > > 
> > > > According to Adobe's own listing,
> > > > http://www.adobe.com/software/flash/about/, the latest version is
> > > > 11.8.800.175 for ActiveX.
> > > > 
> > > > Have you checked to see if there is a newer revision of the rule?
> > > > 
> > > > Regards,
> > > > Lysemose
> > > > 
> > > > On Sep 25, 2013 8:35 PM, "Matt Vaughan" <mcvaughan@gmail.com> wrote:
> > > > > 
> > > > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> > > > > Outdated Windows Flash Version IE"; flow:established,to_server;
> > > > > content:"x-flash-version|3a| "; http_header;content:!"11,8,800,168|0d 0a|";
> > > > > distance:0; within:14; http_header; content:"MSIE "; http_header;
> > > > > pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm"; threshold: type limit, count 1,
> > > > > seconds 60, track by_src; \
> > > > > reference:url,www.adobe.com/software/flash/about/; \
> > > > > classtype:policy-violation; sid:2014726; rev:23;) 
> > > > > 
> > > > > On Wednesday, September 25, 2013 12:33:31 PM UTC-5, Heine Lysemose
> > > > > wrote:
> > > > > > Hi Matt
> > > > > > 
> > > > > > Could you post the whole rule, I'm not in front of a computer right
> > > > > > now.
> > > > > > 
> > > > > > Regards,
> > > > > > 
> > > > > > Lysemose
> > > > > > 
> > > > > > On Sep 25, 2013 6:30 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > > > > > 
> > > > > > I'm trying to determine why this sig is firing.  Clients are all up
> > > > > > to date; however, it's a newer version than what's in the Snort rule.  Is
> > > > > > this sig firing because it's not exactly what's stated in the rule?
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > Thx
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > --
> > > > > > 
> > > > > > You received this message because you are subscribed to the Google
> > > > > > Groups "security-onion" group.
> > > > > > 
> > > > > > To unsubscribe from this group and stop receiving emails from it,
> > > > > > send an email to security-onio...@googlegroups.com.
> > > > > > 
> > > > > > To post to this group, send email to securit...@googlegroups.com.
> > > > > > 
> > > > > > Visit this group at http://groups.google.com/group/security-onion.
> > > > > > 
> > > > > > For more options, visit https://groups.google.com/groups/opt_out.
> > > > > 
> > > > 
> > > 
> > > 
> > 
> 
> 

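An added example, not from the thread or from pulledpork itself: it models the header logic of rule 2014726 as posted above to show why a client on a newer Flash build fires the rule (the negated content match is an exact-string test, not a version comparison), and applies the modifysid.conf substitution from Jeremy's reply as the plain text replacement pulledpork performs. The HTTP header dicts are constructed sample input, and the matcher is a simplified model of the rule, not Snort.

```python
import re

# Rule 2014726 rev 23 exactly as quoted in the thread, joined onto one line.
RULE_2014726 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY '
    'Outdated Windows Flash Version IE"; flow:established,to_server; '
    'content:"x-flash-version|3a| "; http_header; content:!"11,8,800,168|0d 0a|"; '
    'distance:0; within:14; http_header; content:"MSIE "; http_header; '
    'pcre:"/^User-Agent\\x3a[^\\r\\n]+?MSIE/Hm"; threshold: type limit, count 1, '
    'seconds 60, track by_src; reference:url,www.adobe.com/software/flash/about/; '
    'classtype:policy-violation; sid:2014726; rev:23;)'
)


def expected_version(rule):
    """Extract the one Flash build the negated content match treats as current."""
    return re.search(r'content:!"([0-9,]+)\|0d 0a\|"', rule).group(1)


def rule_fires(rule, headers):
    """Simplified model of the rule (assumption, not Snort): alert when the
    User-Agent says MSIE, an x-flash-version header is present, and its value
    is anything other than the single literal build baked into the rule."""
    ua = headers.get("User-Agent", "")
    flash = headers.get("x-flash-version")
    if "MSIE" not in ua or flash is None:
        return False
    return flash != expected_version(rule)


def apply_modifysid(rule, old, new):
    """Mimic a modifysid.conf line: pulledpork does a plain text replacement."""
    return rule.replace(old, new)


if __name__ == "__main__":
    # Constructed request headers from an IE client on the newer 11.8.800.175.
    ie_current = {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)",
                  "x-flash-version": "11,8,800,175"}
    print("stale rule fires on up-to-date client:", rule_fires(RULE_2014726, ie_current))
    patched = apply_modifysid(RULE_2014726, "11,8,800,168", "11,8,800,175")
    print("patched rule fires on up-to-date client:", rule_fires(patched, ie_current))
```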


