
List:       snort-sigs
Subject:    Re: [Snort-sigs] Citrix CVE-2019-19781
From:       "Joel Esler (jesler) via Snort-sigs" <snort-sigs@lists.snort.org>
Date:       2020-01-15 17:52:14
Message-ID: 590F70B6-0266-4A28-B1B6-D7A2A307BC81@cisco.com

Thanks Rees!

On Jan 15, 2020, at 12:49 PM, rbevan <rbevan@swcp.com> wrote:

Joel,

I just figured it out. The highest-numbered sid in our download appears to be 52470. Our oinkcode switched from subscriber to registered a couple of months ago. Our purchasing department placed the order and the reseller went out of business. The person who registered the account "overlooked" the reminder emails.

Unfortunately I am pretty low in my org. I am just above whale poop, but way below the surface. I am definitely not high enough to be trusted to log into the rules account.

Purchasing is working to fix the issue now.

Thanks for your help.

Rees


On Jan 15 2020 10:31 AM, Joel Esler (jesler) wrote:
The oinkcode will always work. If your subscription expired, you will
roll over to the registered rule set. You should receive reminders 30
and 7 days prior to expiration.

On Jan 15, 2020, at 8:17 AM, Rees Bevan <rbevan@swcp.com> wrote:

Joel,

I have (or maybe had?) 145 subscriptions. There was an issue with our reseller at renewal time. The oinkcode still works, but maybe I am getting just the registered rule set. When I get to work this AM I will manually pull the rules and check for the most recent rule.

Regards,
Rees

FROM: Joel Esler (jesler) [mailto:jesler@cisco.com]
SENT: Wednesday, January 15, 2020 4:57 AM
TO: Rees Bevan
CC: Snort-sigs@lists.snort.org
SUBJECT: Re: [Snort-sigs] Citrix CVE-2019-19781

Maybe you don't have a subscription? If they were released in the last 30 days, a registered user would not see them.

Sent from my  iPhone

On Jan 14, 2020, at 22:18, Rees Bevan <rbevan@swcp.com> wrote:


Joel,

Thanks for the reply. A Cisco engineer contacted me directly and it sounds like I have some serious updating to do on the NGIPS.

Any clue why I am not seeing those rules in the VRT subscriber set? I have a mix of 2.9.13.0 and 2.9.15.0 sensors. We are pulling the 2.9.13.0 rules and using them for both flavors.

Rees

FROM: Joel Esler (jesler) [mailto:jesler@cisco.com]
SENT: Tuesday, January 14, 2020 7:31 PM
TO: Rees Bevan
CC: Snort-sigs@lists.snort.org
SUBJECT: Re: [Snort-sigs] Citrix CVE-2019-19781

If you are using a Cisco Firepower device, probably the best course would be to call TAC. Are you sure you've updated your SRU?

Sent from my  iPhone

On Jan 14, 2020, at 20:04, Rees Bevan via Snort-sigs <snort-sigs@lists.snort.org> wrote:


Hello list,

The Talos blog post here: https://blog.talosintelligence.com/2020/01/snort-rules-cve-2019-19781.html [1] mentions three rules, signatures 52512, 52513, and 52603. The blog indicates that the rules have been available since 12/24/19.

My environment includes Sourcefire NGIPS and snort sensors running with the VRT subscription. I cannot locate these rules in either place. We are using "Security over Connectivity" on both the pulledpork config and the NGIPS config. I have grepped the rules files on our snort sensors and I see current rules, but not 52512, 52513, and 52603. On the NGIPS, I have sorted the intrusion rules by priority and tried searching by signatures and keywords, but no luck.

Where should I be looking for these rules?

Rees Bevan, CISSP, GCIA, MCSE
rbevan@swcp.com

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the latest emerging threats: https://snort.org/downloads/#rule-downloads



Links:
------
[1] https://blog.talosintelligence.com/2020/01/snort-rules-cve-2019-19781.html
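The check Rees describes above (grepping the rule files for the advisory SIDs and noting the highest SID in the download) as a small script. This is an added example, not code from the thread, from Talos or from the Snort project. It assumes plain-text *.rules files in which a disabled rule is a commented-out line ("# alert ..."), a rules directory passed on the command line (/etc/snort/rules is an assumed location), and the sample rule lines embedded in it are constructed, not real ruleset content. It also covers the case a bare grep hides: a SID can be present but commented out, so the rule is in the download yet will not fire until the pulledpork or IPS policy enables it.

```python
"""Check a Snort rules download for specific SIDs and report the highest SID.

Added example for this thread; not code from the list, Talos or Snort.
Assumes plain-text *.rules files where a disabled rule is a '# alert ...'
line. SAMPLE_RULES below is constructed for illustration.
"""
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, NamedTuple

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")   # 'sid:52512;'
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")   # 'rev:3;'
# A rule line: optional leading '#' (disabled copy), then an action keyword.
RULE_RE = re.compile(r"^\s*(#\s*)?(alert|drop|reject|pass|log|sdrop)\s")


class RuleInfo(NamedTuple):
    sid: int
    rev: int
    enabled: bool
    source: str


def _better(new: RuleInfo, old: RuleInfo) -> bool:
    """When a SID repeats, prefer an enabled copy, then the higher rev."""
    return (new.enabled, new.rev) > (old.enabled, old.rev)


def parse_rules(lines: Iterable[str], source: str = "<inline>") -> Dict[int, RuleInfo]:
    """Map sid -> RuleInfo for every rule line, enabled or commented out."""
    found: Dict[int, RuleInfo] = {}
    for line in lines:
        m = RULE_RE.match(line)
        if not m:
            continue                    # blank, ordinary comment, not a rule
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue                    # rule without a sid option
        rev_m = REV_RE.search(line)
        info = RuleInfo(int(sid_m.group(1)),
                        int(rev_m.group(1)) if rev_m else 0,
                        m.group(1) is None, source)
        if info.sid not in found or _better(info, found[info.sid]):
            found[info.sid] = info
    return found


def parse_rules_tree(root: Path) -> Dict[int, RuleInfo]:
    """Parse every *.rules file below root (assumed layout, e.g. /etc/snort/rules)."""
    found: Dict[int, RuleInfo] = {}
    for path in sorted(root.rglob("*.rules")):
        with path.open(encoding="utf-8", errors="replace") as fh:
            for sid, info in parse_rules(fh, str(path)).items():
                if sid not in found or _better(info, found[sid]):
                    found[sid] = info
    return found


def max_sid(rules: Dict[int, RuleInfo]) -> int:
    """Highest SID in the download; 0 for an empty set."""
    return max(rules) if rules else 0


def check_sids(rules: Dict[int, RuleInfo], wanted: Iterable[int]) -> Dict[int, str]:
    """'enabled' (will fire), 'disabled' (present but commented out, so grep
    finds it yet it never alerts) or 'missing' for each wanted SID."""
    out = {}
    for sid in wanted:
        info = rules.get(sid)
        out[sid] = "missing" if info is None else ("enabled" if info.enabled else "disabled")
    return out


def tier_hint(rules: Dict[int, RuleInfo], wanted: Iterable[int]) -> str:
    """Heuristic from the thread: all advisory SIDs absent and above your
    highest SID points at the registered (30-day delayed) set, not subscriber."""
    wanted = list(wanted)
    status = check_sids(rules, wanted)
    top = max_sid(rules)
    missing = [w for w in wanted if status[w] == "missing"]
    if wanted and len(missing) == len(wanted) and all(w > top for w in wanted):
        return "likely registered ruleset or stale download (max sid %d)" % top
    if missing:
        return "some advisory SIDs missing: %s" % ", ".join(map(str, missing))
    if any(s == "disabled" for s in status.values()):
        return "present but disabled: check the pulledpork / IPS policy"
    return "all advisory SIDs present and enabled (max sid %d)" % top


# Constructed sample: one enabled rule at 52470, one disabled rule below it.
SAMPLE_RULES = [
    "# constructed sample file, not real ruleset content",
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE a"; content:"/a"; sid:52470; rev:1;)',
    '# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE b"; content:"/b"; sid:52300; rev:2;)',
]
ADVISORY_SIDS = [52512, 52513, 52603]       # SIDs cited in the thread

if __name__ == "__main__":
    rules = parse_rules_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else parse_rules(SAMPLE_RULES)
    for sid, state in check_sids(rules, ADVISORY_SIDS).items():
        print("sid %d: %s" % (sid, state))
    print(tier_hint(rules, ADVISORY_SIDS))
```

Run it with no arguments to see the constructed sample (max SID 52470, all three advisory SIDs missing), or point it at a rules directory to check a real pull. A "disabled" result is the one to look at twice: the rule is in the tarball, so the subscription is fine, but the policy you selected has not enabled it.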

