List: security-onion
Subject: Re: [security-onion] Sig 2014726 - Outdated Windows Flash Version IE
From: Heine Lysemose <lysemose () gmail ! com>
Date: 2013-09-25 20:52:01
Message-ID: CAN4C-Dm8BQ5VO6z8FEYo3nBM5XxN8EWpbX+tmYL6OBFFkm7Aug () mail ! gmail ! com
No, you would have to run pulledpork manually...
On Sep 25, 2013 10:51 PM, "Matt Vaughan" <mcvaughan@gmail.com> wrote:
> Would that work using the rule-update script?
>
> On Wednesday, September 25, 2013 2:45:26 PM UTC-5, Jeremy wrote:
> > a quick fix with modifysid.conf looks like this:
> >
> > 2014726 "11,8,800,168" "11,8,800,175"
> >
> > Set that up and rerun pulledpork with the -P flag and that should
> > update the sig (but not the sig in the snort/snorby db since the rev
> > didn't change, and you wouldn't want to do that since it's not
> > official), and that has the benefit of not working anymore when they
> > do update the rule, so it will be ignored.
> >
> > On Wed, Sep 25, 2013 at 7:37 PM, Matt Vaughan <mcvaughan@gmail.com> wrote:
> >
> > > Thx for the response guys. I'll just hang tight until an update gets pushed
> > > out.
> > >
> > > On Wed, Sep 25, 2013 at 1:59 PM, Heine Lysemose <lysemose@gmail.com> wrote:
> > >
> > > > It should. Around 07.00 GMT.
> > > > Maybe ET hasn't updated their rules yet.
> > > >
> > > > You could disable or modify the rule temporarily until a new revision is
> > > > available.
> > > >
> > > > /Lysemose
> > > >
> > > > On Sep 25, 2013 8:56 PM, "Matt Vaughan" <mcvaughan@gmail.com> wrote:
> > > > >
> > > > > Right. My clients are on that now.
> > > > >
> > > > > How can I check for a newer rule? My assumption was that SO did this
> > > > > daily, or do I need to update rules manually?
> > > > >
> > > > > On Wed, Sep 25, 2013 at 1:42 PM, Heine Lysemose <lysemose@gmail.com> wrote:
> > > > > >
> > > > > > Hi Matt
> > > > > >
> > > > > > According to Adobe's own listing,
> > > > > > http://www.adobe.com/software/flash/about/, the latest version is
> > > > > > 11.8.800.175 for ActiveX.
> > > > > >
> > > > > > Have you checked to see if there is a newer revision of the rule?
> > > > > >
> > > > > > Regards,
> > > > > > Lysemose
> > > > > >
> > > > > > On Sep 25, 2013 8:35 PM, "Matt Vaughan" <mcvaughan@gmail.com> wrote:
> > > > > > >
> > > > > > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> > > > > > > Outdated Windows Flash Version IE"; flow:established,to_server;
> > > > > > > content:"x-flash-version|3a| "; http_header; content:!"11,8,800,168|0d 0a|";
> > > > > > > distance:0; within:14; http_header; content:"MSIE "; http_header;
> > > > > > > pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm"; threshold: type limit, count 1,
> > > > > > > seconds 60, track by_src; reference:url,www.adobe.com/software/flash/about/;
> > > > > > > classtype:policy-violation; sid:2014726; rev:23;)
> > > > > > >
> > > > > > > On Wednesday, September 25, 2013 12:33:31 PM UTC-5, Heine Lysemose wrote:
> > > > > > > > Hi Matt
> > > > > > > >
> > > > > > > > Could you post the whole rule, I'm not in front of a computer right
> > > > > > > > now.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Lysemose
> > > > > > > >
> > > > > > > > On Sep 25, 2013 6:30 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > I'm trying to determine why this sig is firing. Clients are all up
> > > > > > > > to date, however it's a newer version than what's in the Snort rule. Is
> > > > > > > > this sig firing because it's not exactly what's stated in the rule?
> > > > > > > >
> > > > > > > > Thx
> > > > > > > >
--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.
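The thread turns on two things: why sid 2014726 rev 23 fires on clients that are *newer* than the build baked into the rule, and what Jeremy's modifysid.conf line changes when PulledPork is rerun with -P. The following is an added example written for this page; it is not code from the thread, from Emerging Threats, from Snort or from PulledPork. It emulates only the rule options this particular rule uses (the content anchor, the negated content with distance:0/within:14, the "MSIE " content and the User-Agent pcre; threshold is not modelled), treats a modifysid.conf entry as a plain text substitution inside the rule with that sid (my reading of how PulledPork applies it, stated here as an assumption), and runs on constructed IE request headers. It also adds a version-aware check, `is_outdated`, to show why an exact-string test misfires on newer builds.

```python
"""Emulation of ET sid 2014726 (rev 23) and the modifysid.conf fix from the thread.
Added example; not code from the thread, from Emerging Threats, Snort or PulledPork."""
import re

# Copy of the rule quoted in the thread, joined onto one line.
RULE_2014726 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY '
    'Outdated Windows Flash Version IE"; flow:established,to_server; '
    'content:"x-flash-version|3a| "; http_header; content:!"11,8,800,168|0d 0a|"; '
    'distance:0; within:14; http_header; content:"MSIE "; http_header; '
    'pcre:"/^User-Agent\\x3a[^\\r\\n]+?MSIE/Hm"; threshold: type limit, count 1, '
    'seconds 60, track by_src; reference:url,www.adobe.com/software/flash/about/; '
    'classtype:policy-violation; sid:2014726; rev:23;)'
)

# The modifysid.conf line proposed in the thread: sid "old text" "new text".
MODIFYSID_LINE = '2014726 "11,8,800,168" "11,8,800,175"'

CONTENT_RE = re.compile(r'content:(!?)"([^"]*)"')
# Python equivalent of the rule's pcre (H = raw header buffer, m = multiline).
USER_AGENT_RE = re.compile(rb"^User-Agent\x3a[^\r\n]+?MSIE", re.M)


def decode_content(value: str) -> bytes:
    """Expand a Snort content string, turning |hh hh| groups into raw bytes."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out.extend(bytes.fromhex(part) if i % 2 else part.encode("ascii"))
    return bytes(out)


def rule_fires(rule: str, headers: bytes) -> bool:
    """Emulate the match logic of sid 2014726 on raw HTTP request headers.

    Only the options this rule uses are handled: a positive content anchor,
    a negated content checked relative to it (distance:0; within:N), a plain
    'MSIE ' content and the User-Agent pcre. threshold is not modelled.
    """
    contents = CONTENT_RE.findall(rule)
    (_, anchor), (negated, baked), (_, msie) = contents[:3]
    assert negated == "!", "expected the version content to be negated"
    within = int(re.search(r"within:(\d+)", rule).group(1))

    anchor_bytes = decode_content(anchor)
    pos = headers.find(anchor_bytes)
    if pos < 0:                       # no x-flash-version header: rule cannot match
        return False
    cursor = pos + len(anchor_bytes)
    window = headers[cursor:cursor + within]
    # Negated content: finding the baked-in version here suppresses the alert,
    # so ANY other value, older or newer, lets the rule continue to match.
    if decode_content(baked) in window:
        return False
    if decode_content(msie) not in headers:
        return False
    return USER_AGENT_RE.search(headers) is not None


def apply_modifysid(rules: str, modifysid_line: str) -> str:
    """Apply one modifysid.conf entry as a text substitution inside rules that
    carry that sid (assumed PulledPork -P behaviour); rev is left untouched."""
    sid, old, new = re.match(r'^(\d+)\s+"([^"]*)"\s+"([^"]*)"$', modifysid_line).groups()
    return "\n".join(
        line.replace(old, new) if re.search(rf"\bsid:{sid};", line) else line
        for line in rules.splitlines()
    )


def flash_version(headers: bytes):
    """Parse the x-flash-version header into a comparable tuple, or None."""
    m = re.search(rb"^x-flash-version\x3a ([\d,]+)\r?$", headers, re.M | re.I)
    return tuple(int(n) for n in m.group(1).split(b",")) if m else None


def is_outdated(headers: bytes, latest=(11, 8, 800, 175)) -> bool:
    """Version-aware alternative to the rule's exact-string test: only strictly
    older builds count as outdated, so a newer client never false-positives."""
    v = flash_version(headers)
    return v is not None and v < latest


def ie_headers(version: str) -> bytes:
    """Constructed IE request headers carrying a given Flash ActiveX version."""
    return (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
            b"User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\r\n"
            b"x-flash-version: " + version.encode("ascii") + b"\r\n\r\n")


if __name__ == "__main__":
    patched = apply_modifysid(RULE_2014726, MODIFYSID_LINE)
    for v in ("11,8,800,168", "11,8,800,175", "11,7,700,224"):
        h = ie_headers(v)
        print(f"{v}: rev23 fires={rule_fires(RULE_2014726, h)} "
              f"patched fires={rule_fires(patched, h)} outdated={is_outdated(h)}")
```

Running it shows the behaviour Matt saw: rev 23 stays quiet only for the exact build 11,8,800,168 and fires for 11,8,800,175 just as it does for a genuinely old 11,7,700,224. After the modifysid substitution the patched rule is quiet for 11,8,800,175 and fires for 11,8,800,168, which is now the outdated one. The substitution leaves `rev:23` in place, which is why, as Jeremy notes, the alert database entry is not updated and why the local edit silently stops matching once ET ships a revision with a different version string.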