
List:       security-onion
Subject:    Re: [security-onion] Sig 2014726 - Outdated Windows Flash Version IE
From:       Doug Burks <doug.burks () gmail ! com>
Date:       2013-09-26 11:25:17
Message-ID: CAK8kjrBF+hyRo2_34AXhG7u6ojREqv6drKEbWZV3na8F4CD09Q () mail ! gmail ! com

An updated Flash rule just hit the Emerging Threats mailing list, so I
would expect to see it in today's ruleset update (you should get it
tomorrow):
https://lists.emergingthreats.net/pipermail/emerging-sigs/2013-September/022839.html

On Wed, Sep 25, 2013 at 5:15 PM, Matt Vaughan <mcvaughan@gmail.com> wrote:
> How do I do that?
>
> On Wednesday, September 25, 2013 3:52:01 PM UTC-5, Heine Lysemose wrote:
> > No, you would have to run pulledpork manually...
> >
> > On Sep 25, 2013 10:51 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > > Would that work using the rule-update script?
> > >
> > > On Wednesday, September 25, 2013 2:45:26 PM UTC-5, Jeremy wrote:
> > > > A quick fix with modifysid.conf looks like this:
> > > >
> > > > 2014726 "11,8,800,168" "11,8,800,175"
> > > >
> > > > Set that up and rerun pulledpork with the -P flag and that should
> > > > update the sig (but not the sig in the snort/snorby db since the rev
> > > > didn't change, and you wouldn't want to do that since it's not
> > > > official), and that has the benefit of not working anymore when they
> > > > do update the rule, so it will be ignored.
> > > >
> > > > On Wed, Sep 25, 2013 at 7:37 PM, Matt Vaughan <mcva...@gmail.com> wrote:
> > > > > Thx for the response guys.  I'll just hang tight until an update
> > > > > gets pushed out.
> > > > >
> > > > > On Wed, Sep 25, 2013 at 1:59 PM, Heine Lysemose <lyse...@gmail.com> wrote:
> > > > > > It should. Around 07.00 GMT.
> > > > > > Maybe ET hasn't updated their rules yet.
> > > > > >
> > > > > > You could disable or modify the rule temporarily until a new
> > > > > > revision is available.
> > > > > >
> > > > > > /Lysemose
> > > > > >
> > > > > > On Sep 25, 2013 8:56 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > > > > > > Right.  My clients are on that now.
> > > > > > >
> > > > > > > How can I check for a newer rule?  My assumption was that SO did
> > > > > > > this daily, or do I need to update rules manually?
> > > > > > >
> > > > > > > On Wed, Sep 25, 2013 at 1:42 PM, Heine Lysemose <lyse...@gmail.com> wrote:
> > > > > > > > Hi Matt
> > > > > > > >
> > > > > > > > According to Adobe's own listing,
> > > > > > > > http://www.adobe.com/software/flash/about/, the latest version
> > > > > > > > is 11.8.800.175 for ActiveX.
> > > > > > > >
> > > > > > > > Have you checked to see if there is a newer revision of the rule?
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Lysemose
> > > > > > > >
> > > > > > > > On Sep 25, 2013 8:35 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > > > > > > > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outdated Windows Flash Version IE";
> > > > > > > > > flow:established,to_server; content:"x-flash-version|3a| "; http_header;
> > > > > > > > > content:!"11,8,800,168|0d 0a|"; distance:0; within:14; http_header;
> > > > > > > > > content:"MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm";
> > > > > > > > > threshold: type limit, count 1, seconds 60, track by_src;
> > > > > > > > > reference:url,www.adobe.com/software/flash/about/;
> > > > > > > > > classtype:policy-violation; sid:2014726; rev:23;)
> > > > > > > > >
> > > > > > > > > On Wednesday, September 25, 2013 12:33:31 PM UTC-5, Heine Lysemose wrote:
> > > > > > > > > > Hi Matt
> > > > > > > > > >
> > > > > > > > > > Could you post the whole rule, I'm not in front of a computer
> > > > > > > > > > right now.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > >
> > > > > > > > > > Lysemose
> > > > > > > > > >
> > > > > > > > > > On Sep 25, 2013 6:30 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > > > > > > > > > > I'm trying to determine why this sig is firing.  Clients are all
> > > > > > > > > > > up to date, however it's a newer version than what's in the Snort
> > > > > > > > > > > rule.  Is this sig firing because it's not exactly what's stated
> > > > > > > > > > > in the rule?
> > > > > > > > > > >
> > > > > > > > > > > Thx

-- 
Doug Burks
http://securityonion.blogspot.com

-- 
You received this message because you are subscribed to the Google Groups \
"security-onion" group. To unsubscribe from this group and stop receiving emails from \
it, send an email to security-onion+unsubscribe@googlegroups.com. To post to this \
group, send email to security-onion@googlegroups.com. Visit this group at \
http://groups.google.com/group/security-onion. For more options, visit \
https://groups.google.com/groups/opt_out.
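Added example, not code from this thread, Security Onion, PulledPork or Emerging Threats: it emulates the http_header checks of ET POLICY sid:2014726 rev:23 exactly as Matt quoted it, which makes the answer to his question concrete (the negated content match pins one exact 14-byte value, "11,8,800,168" plus CRLF, inside within:14, so any other version, newer or older, satisfies the negation and the rule fires on a fully patched IE client). It then applies the modifysid.conf line Jeremy posted to the same rule text and runs both versions over the same requests, so you can see both the intended effect (11,8,800,175 goes quiet) and the side effect (11,8,800,168 now alerts, while rev stays 23 as Jeremy notes). Assumptions: the header blocks are constructed samples, not captured traffic; rule_fires() models only the content, distance/within and pcre logic in the rule's own order and ignores flow, ports and threshold; apply_modifysid() mimics what one modifysid.conf line does (a string substitution scoped to one SID) and is not PulledPork's code.

```python
"""
Added example: not code from the security-onion thread, Security Onion,
PulledPork or Emerging Threats. Emulates the header checks of ET POLICY
sid:2014726 rev:23 as quoted in the thread, then applies the modifysid.conf
substitution from the thread (2014726 "11,8,800,168" "11,8,800,175").
Header blocks are constructed sample input; apply_modifysid() only mimics what
that modifysid.conf line does and is not PulledPork's own implementation.
"""
import re
from typing import Dict, List, Tuple

# The rule as posted in the thread, on one line as it sits in the rules file.
RULE_2014726 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY '
    'Outdated Windows Flash Version IE"; flow:established,to_server; '
    'content:"x-flash-version|3a| "; http_header;content:!"11,8,800,168|0d 0a|"; '
    'distance:0; within:14; http_header; content:"MSIE "; http_header; '
    r'pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm"; threshold: type limit, count 1, '
    'seconds 60, track by_src; reference:url,www.adobe.com/software/flash/about/; '
    'classtype:policy-violation; sid:2014726; rev:23;)'
)


def pinned_version(rule: str) -> str:
    """Return the single Flash version the rule treats as current (its negated content match)."""
    m = re.search(r'content:!"([0-9,]+)\|0d 0a\|"', rule)
    if m is None:
        raise ValueError("rule carries no negated x-flash-version content match")
    return m.group(1)


def rule_fires(rule: str, header_block: bytes) -> bool:
    """
    Emulate the rule's http_header checks against one client request's header block.
    Simplification: flow, ports and threshold are ignored; only the content,
    distance/within and pcre logic is modelled, in the rule's own order.
    """
    # content:"x-flash-version|3a| "; http_header   (no nocase, so case-sensitive)
    anchor = b"x-flash-version: "
    pos = header_block.find(anchor)
    if pos == -1:
        return False
    cursor = pos + len(anchor)

    # content:!"<pinned>|0d 0a|"; distance:0; within:14
    # The negated 14-byte string (version + CRLF) must NOT occur in the 14 bytes
    # after the anchor. Any other value there (older, newer or malformed) satisfies
    # the negation, which is why a fully patched client still trips rev:23.
    pinned = pinned_version(rule).encode() + b"\r\n"
    if pinned in header_block[cursor:cursor + 14]:
        return False

    # content:"MSIE "; http_header
    if b"MSIE " not in header_block:
        return False

    # pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm"   (H = header buffer, m = multiline)
    return re.search(rb"^User-Agent\x3a[^\r\n]+?MSIE", header_block, re.M) is not None


def apply_modifysid(rules: List[str], sid: int, old: str, new: str) -> List[str]:
    """Mimic one modifysid.conf line `sid "old" "new"`: substitute only inside that SID's rule."""
    return [r.replace(old, new) if re.search(rf"\bsid:{sid};", r) else r for r in rules]


MODIFIED_2014726 = apply_modifysid([RULE_2014726], 2014726, "11,8,800,168", "11,8,800,175")[0]


def _headers(user_agent: bytes, flash_version: bytes) -> bytes:
    """Constructed header block (request line excluded, as in Snort's http_header buffer)."""
    return (b"Host: www.example.test\r\n"
            b"User-Agent: " + user_agent + b"\r\n"
            b"x-flash-version: " + flash_version + b"\r\n"
            b"\r\n")


IE_UA = b"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
FF_UA = b"Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"

# Constructed sample requests, not captured traffic.
SAMPLES: Dict[str, bytes] = {
    "ie_current_175": _headers(IE_UA, b"11,8,800,175"),  # patched client, still alerts on rev:23
    "ie_pinned_168": _headers(IE_UA, b"11,8,800,168"),   # the only value rev:23 stays quiet on
    "ie_old_94": _headers(IE_UA, b"11,8,800,94"),        # genuinely outdated
    "firefox_175": _headers(FF_UA, b"11,8,800,175"),     # no MSIE: the rule is IE-only by design
}


def compare() -> Dict[str, Tuple[bool, bool]]:
    """Per sample: (fires under the posted rule, fires under the modifysid'd rule)."""
    return {name: (rule_fires(RULE_2014726, hdr), rule_fires(MODIFIED_2014726, hdr))
            for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    print("pinned before/after:", pinned_version(RULE_2014726), pinned_version(MODIFIED_2014726))
    for name, (before, after) in compare().items():
        print(f"{name:16s} posted rule: {before!s:6s} modified rule: {after}")
```

Running it prints the pinned version before and after the substitution and a row per sample. In a real Security Onion sensor you would put the single line from the thread into modifysid.conf and rerun pulledpork as Jeremy describes; this script only models the rule logic and never touches pulledpork or the rules files. The firefox_175 row is the reminder that the policy rule only covers IE's ActiveX Flash, so a quiet sensor does not mean other browsers' Flash is current.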

