List: security-onion
Subject: Re: [security-onion] Sig 2014726 - Outdated Windows Flash Version IE
From: Matt Vaughan <mcvaughan () gmail ! com>
Date: 2013-09-26 14:26:04
Message-ID: dd15eeec-d66d-47ef-ad36-65f9db4cda5d () googlegroups ! com
Thx, Doug.
On Thursday, September 26, 2013 6:25:17 AM UTC-5, Doug Burks wrote:
> An updated Flash rule just hit the Emerging Threats mailing list, so I
> would expect to see it in today's ruleset update (you should get it
> tomorrow):
>
> https://lists.emergingthreats.net/pipermail/emerging-sigs/2013-September/022839.html
>
> On Wed, Sep 25, 2013 at 5:15 PM, Matt Vaughan <mcvaughan@gmail.com> wrote:
> > How do I do that?
> >
> > On Wednesday, September 25, 2013 3:52:01 PM UTC-5, Heine Lysemose wrote:
> > > No, you would have to run pulledpork manually...
> > >
> > > On Sep 25, 2013 10:51 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > > Would that work using the rule-update script?
> > >
> > > On Wednesday, September 25, 2013 2:45:26 PM UTC-5, Jeremy wrote:
> > > > a quick fix with modifysid.conf looks like this:
> > > >
> > > > 2014726 "11,8,800,168" "11,8,800,175"
> > > >
> > > > Set that up and rerun pulledpork with the -P flag and that should
> > > > update the sig (but not the sig in the snort/snorby db since the rev
> > > > didn't change, and you wouldn't want to do that since it's not
> > > > official), and that has the benefit of not working anymore when they
> > > > do update the rule, so it will be ignored.
> > > >
> > > > On Wed, Sep 25, 2013 at 7:37 PM, Matt Vaughan <mcva...@gmail.com> wrote:
> > > > > Thx for the response guys. I'll just hang tight until an update gets pushed
> > > > > out.
> > > > >
> > > > > On Wed, Sep 25, 2013 at 1:59 PM, Heine Lysemose <lyse...@gmail.com> wrote:
> > > > > > It should. Around 07.00 GMT.
> > > > > > Maybe ET hasn't updated their rules yet.
> > > > > >
> > > > > > You could disable or modify the rule temporarily until a new revision is
> > > > > > available.
> > > > > >
> > > > > > /Lysemose
> > > > > >
> > > > > > On Sep 25, 2013 8:56 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > > > > > > Right. My clients are on that now.
> > > > > > >
> > > > > > > How can I check for a newer rule? My assumption was that SO did this
> > > > > > > daily, or do I need to update rules manually?
> > > > > > >
> > > > > > > On Wed, Sep 25, 2013 at 1:42 PM, Heine Lysemose <lyse...@gmail.com> wrote:
> > > > > > > > Hi Matt
> > > > > > > >
> > > > > > > > According to Adobe's own listing,
> > > > > > > > http://www.adobe.com/software/flash/about/, the latest version is
> > > > > > > > 11.8.800.175 for ActiveX.
> > > > > > > >
> > > > > > > > Have you checked to see if there is a newer revision of the rule?
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Lysemose
> > > > > > > >
> > > > > > > > On Sep 25, 2013 8:35 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > > > > > > > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outdated Windows Flash Version IE"; flow:established,to_server; content:"x-flash-version|3a| "; http_header; content:!"11,8,800,168|0d 0a|"; distance:0; within:14; http_header; content:"MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2014726; rev:23;)
> > > > > > > > >
> > > > > > > > > On Wednesday, September 25, 2013 12:33:31 PM UTC-5, Heine Lysemose wrote:
> > > > > > > > > > Hi Matt
> > > > > > > > > >
> > > > > > > > > > Could you post the whole rule, I'm not in front of a computer right
> > > > > > > > > > now.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > > Lysemose
> > > > > > > > > >
> > > > > > > > > > On Sep 25, 2013 6:30 PM, "Matt Vaughan" <mcva...@gmail.com> wrote:
> > > > > > > > > > I'm trying to determine why this sig is firing. Clients are all up
> > > > > > > > > > to date, however it's a newer version than what's in the Snort rule. Is
> > > > > > > > > > this sig firing because it's not exactly what's stated in the rule?
> > > > > > > > > >
> > > > > > > > > > Thx
> --
> Doug Burks
> http://securityonion.blogspot.com
--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.
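The negated content match in the quoted rule is the reason for the false positive: rev:23 fires on any x-flash-version value other than exactly 11,8,800,168, so a client on the newer 11,8,800,175 trips it. The script below is an added example, not from the thread or the Security Onion project; it emulates that check over a constructed IE request and applies Jeremy's modifysid.conf line to the rule text. The header matching is a simplification of Snort's http_header inspection, not a reimplementation.

```python
import re

# ET sid 2014726 rev 23, as quoted in the thread.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY '
        'Outdated Windows Flash Version IE"; flow:established,to_server; '
        'content:"x-flash-version|3a| "; http_header; '
        'content:!"11,8,800,168|0d 0a|"; distance:0; within:14; http_header; '
        'content:"MSIE "; http_header; pcre:"/^User-Agent\\x3a[^\\r\\n]+?MSIE/Hm"; '
        'threshold: type limit, count 1, seconds 60, track by_src; '
        'reference:url,www.adobe.com/software/flash/about/; '
        'classtype:policy-violation; sid:2014726; rev:23;)')

# Constructed request from a fully patched IE client (not a real capture).
REQUEST = ('GET /index.html HTTP/1.1\r\n'
           'User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)\r\n'
           'x-flash-version: 11,8,800,175\r\n'
           '\r\n')

HDR = 'x-flash-version: '          # content:"x-flash-version|3a| "

def rule_version(rule):
    """Return the version pinned by the rule's negated content match."""
    m = re.search(r'content:!"([0-9,]+)\|0d 0a\|"', rule)
    return m.group(1) if m else None

def apply_modifysid(rule, sid, old, new):
    """Emulate one pulledpork modifysid.conf line: SID "old" "new"."""
    if 'sid:%d;' % sid not in rule:
        return rule
    return rule.replace(old, new)

def rule_fires(rule, raw_headers):
    """Simplified evaluation of the rule's http_header matches on raw headers."""
    # pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm" together with content:"MSIE "
    if not re.search(r'^User-Agent:[^\r\n]+?MSIE ', raw_headers, re.M):
        return False
    i = raw_headers.find(HDR)
    if i < 0:
        return False                     # header absent: nothing to judge
    window = raw_headers[i + len(HDR):i + len(HDR) + 14]
    # content:!"<ver>|0d 0a|"; distance:0; within:14 -> the rule fires on
    # ANY value other than the pinned one, including newer versions.
    return window != rule_version(rule) + '\r\n'

if __name__ == '__main__':
    print('rev:23 fires on 11,8,800,175:', rule_fires(RULE, REQUEST))
    fixed = apply_modifysid(RULE, 2014726, '11,8,800,168', '11,8,800,175')
    print('after modifysid.conf fix:', rule_fires(fixed, REQUEST))
```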