List: security-onion
Subject: Re: [security-onion] Sig 2014726 - Outdated Windows Flash Version IE
From: Matt Vaughan <mcvaughan () gmail ! com>
Date: 2013-09-25 21:15:30
Message-ID: 31625b7a-84c3-4fb4-8b32-bdc36ae8a019 () googlegroups ! com
How do I do that?
On Wednesday, September 25, 2013 3:52:01 PM UTC-5, Heine Lysemose wrote:
> No you would have to run pulledpork manually...
>
> On Sep 25, 2013 10:51 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
>
> Would that work using the rule-update script?
>
> On Wednesday, September 25, 2013 2:45:26 PM UTC-5, Jeremy wrote:
>
> > a quick fix with modifysid.conf looks like this:
> >
> > 2014726 "11,8,800,168" "11,8,800,175"
> >
> > Set that up and rerun pulledpork with the -P flag and that should
> > update the sig (but not the sig in the snort/snorby db since the rev
> > didn't change, and you wouldn't want to do that since it's not
> > official), and that has the benefit of not working anymore when they
> > do update the rule, so it will be ignored.
> >
> > On Wed, Sep 25, 2013 at 7:37 PM, Matt Vaughan <mcva...@gmail.com> wrote:
> >
> > > Thx for the response guys. I'll just hang tight until an update gets pushed
> > > out.
> > >
> > > On Wed, Sep 25, 2013 at 1:59 PM, Heine Lysemose <lyse...@gmail.com> wrote:
> > > >
> > > > It should. Around 07.00 GMT.
> > > > Maybe ET hasn't updated their rules yet.
> > > >
> > > > You could disable or modify the rule temporarily until a new revision is
> > > > available.
> > > >
> > > > /Lysemose
> > > >
> > > > On Sep 25, 2013 8:56 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > > > >
> > > > > Right. My clients are on that now.
> > > > >
> > > > > How can I check for a newer rule? My assumption was that SO did this
> > > > > daily, or do I need to update rules manually?
> > > > >
> > > > > On Wed, Sep 25, 2013 at 1:42 PM, Heine Lysemose <lyse...@gmail.com>
> > > > > wrote:
> > > > > >
> > > > > > Hi Matt
> > > > > >
> > > > > > According to Adobe's own listing,
> > > > > > http://www.adobe.com/software/flash/about/, the latest version is
> > > > > > 11.8.800.175 for ActiveX.
> > > > > >
> > > > > > Have you checked to see if there is a newer revision of the rule?
> > > > > >
> > > > > > Regards,
> > > > > > Lysemose
> > > > > >
> > > > > > On Sep 25, 2013 8:35 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > > > > > >
> > > > > > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> > > > > > > Outdated Windows Flash Version IE"; flow:established,to_server;
> > > > > > > content:"x-flash-version|3a| "; http_header; content:!"11,8,800,168|0d 0a|";
> > > > > > > distance:0; within:14; http_header; content:"MSIE "; http_header;
> > > > > > > pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm"; threshold: type limit, count 1,
> > > > > > > seconds 60, track by_src; reference:url,www.adobe.com/software/flash/about/;
> > > > > > > classtype:policy-violation; sid:2014726; rev:23;)
> > > > > > >
> > > > > > > On Wednesday, September 25, 2013 12:33:31 PM UTC-5, Heine Lysemose
> > > > > > > wrote:
> > > > > > > > Hi Matt
> > > > > > > >
> > > > > > > > Could you post the whole rule, I'm not in front of a computer right
> > > > > > > > now.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Lysemose
> > > > > > > >
> > > > > > > > On Sep 25, 2013 6:30 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > I'm trying to determine why this sig is firing. Clients are all up
> > > > > > > > to date, however it's a newer version than what's in the Snort rule. Is
> > > > > > > > this sig firing because it's not exactly what's stated in the rule?
> > > > > > > >
> > > > > > > > Thx
> > > > > > > >
> > > > > > > > --
> > > > > > > > You received this message because you are subscribed to the Google
> > > > > > > > Groups "security-onion" group.
> > > > > > > > To unsubscribe from this group and stop receiving emails from it,
> > > > > > > > send an email to security-onio...@googlegroups.com.
> > > > > > > > To post to this group, send email to securit...@googlegroups.com.
> > > > > > > > Visit this group at http://groups.google.com/group/security-onion.
> > > > > > > > For more options, visit https://groups.google.com/groups/opt_out.
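As an added example (not code from the thread, Security Onion or pulledpork), the following Python emulates the header-matching logic of rule 2014726 rev 23 as posted above and the modifysid.conf entry Jeremy suggested, showing why an up-to-date 11.8.800.175 client trips the rule and stops doing so once the version string is swapped; the IE request headers are constructed, and the threshold option is not modelled.

```python
import re

# Rule 2014726 rev 23 as posted in the thread (ET POLICY Outdated Windows Flash Version IE).
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outdated '
        'Windows Flash Version IE"; flow:established,to_server; '
        'content:"x-flash-version|3a| "; http_header; content:!"11,8,800,168|0d 0a|"; '
        'distance:0; within:14; http_header; content:"MSIE "; http_header; '
        'pcre:"/^User-Agent\\x3a[^\\r\\n]+?MSIE/Hm"; threshold: type limit, count 1, '
        'seconds 60, track by_src; reference:url,www.adobe.com/software/flash/about/; '
        'classtype:policy-violation; sid:2014726; rev:23;)')
# The modifysid.conf entry suggested in the thread.
MODIFYSID_LINE = '2014726 "11,8,800,168" "11,8,800,175"'

def apply_modifysid(rule, line):
    """Emulate one pulledpork modifysid.conf entry: sid "find" "replace" (applied with -P).
    Pulledpork treats find as a regex; a plain substitution is enough for a version string."""
    sid, find, replace = re.match(r'(\d+)\s+"([^"]*)"\s+"([^"]*)"', line).groups()
    if not re.search(r'\bsid:%s;' % sid, rule):
        return rule  # entry targets another sid: rule left untouched
    return rule.replace(find, replace)

def current_version(rule):
    """Version the rule's negated content match treats as up to date."""
    return re.search(r'content:!"([\d,]+)\|0d 0a\|"', rule).group(1)

def rule_fires(rule, headers):
    """Approximate the rule's header logic (threshold not modelled): x-flash-version
    present, the 14 bytes after it do NOT contain <current version>CRLF (the negated
    content with distance:0; within:14), and the User-Agent line says MSIE."""
    m = re.search(r'x-flash-version: ', headers)
    if m is None:
        return False
    window = headers[m.end():m.end() + 14]
    if current_version(rule) + '\r\n' in window:
        return False  # client is on the expected build: the negated match fails
    return re.search(r'^User-Agent:[^\r\n]+?MSIE', headers, re.MULTILINE) is not None

def request(flash_version):
    """Constructed IE request headers carrying the given x-flash-version value."""
    return ('GET / HTTP/1.1\r\nHost: example.invalid\r\n'
            'User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)\r\n'
            'x-flash-version: %s\r\n\r\n' % flash_version)

if __name__ == '__main__':
    patched = apply_modifysid(RULE, MODIFYSID_LINE)
    print(rule_fires(RULE, request('11,8,800,175')))     # True: the false positive
    print(rule_fires(patched, request('11,8,800,175')))  # False once the fix is applied
    print(rule_fires(patched, request('11,8,800,168')))  # True: older build now flagged
```

Because the rule is a negated match on one exact version string, every client on a build newer than the one in the rule alerts until ET revises it; the modifysid entry simply moves that string forward, and Jeremy's point about the rev not changing is why the substitution silently stops applying once the official rule catches up.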