List:       snort-sigs
Subject:    Re: [Snort-sigs] Snort-sigs Digest, Vol 35, Issue 19
From:       Bình_Nguyễn_via_Snort-sigs <snort-sigs () lists ! snort ! org>
Date:       2020-04-24 2:15:08
Message-ID: CAC2c+wwVLm=Sziqz-o9rVFPKbaKL8=hiWaSN10zbgPHxc9ZDhg () mail ! gmail ! com
We are using Antispam Barracuda to handle all spam emails into our system. I
think it works very well. Please remove this IP again. Thanks.

On Wed, 22 Apr 2020 at 23:01 <snort-sigs-request@lists.snort.org>
wrote:

> Send Snort-sigs mailing list submissions to
>         snort-sigs@lists.snort.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.snort.org/mailman/listinfo/snort-sigs
> or, via email, send a message with subject or body 'help' to
>         snort-sigs-request@lists.snort.org
>
> You can reach the person managing the list at
>         snort-sigs-owner@lists.snort.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-sigs digest..."
>
> Today's Topics:
>
>    1. Re: False positives(?) for spp_sip (Nitish Hejmadi)
>    2. Snort Subscriber Rules Update 2020-04-21 (Research)
>
>
>
> ---------- Forwarded message ----------
> From: Nitish Hejmadi <nitishh@gmail.com>
> To: "Pettersson, Emil" <emil.pettersson@sovos.com>
> Cc: "snort-sigs@lists.snort.org" <snort-sigs@lists.snort.org>
> Bcc:
> Date: Mon, 20 Apr 2020 11:15:13 -0400
> Subject: Re: [Snort-sigs] False positives(?) for spp_sip
> Could be a misconfiguration of VoIP or video conferencing from the clients'
> side, considering how many people are doing that nowadays.
> We've seen a lot of blocks on our VC too.
>
> Just for safety I run the blocked IP addresses through an automated threat
> hunting tool to make sure they are not targeting any other resources or
> services.
>
>
>
> Nitish Hejmadi
> Founder & Strategist
> T 416 620 5535
> www.honeyteksystems.com <https://honeyteksystems.com/home>
>
> On Apr 17, 2020, at 9:08 AM, Pettersson, Emil <emil.pettersson@sovos.com>
> wrote:
>
> Hi,
>
> We've been getting a few blocks for traffic from customers. From looking
> into the logs, if I'm understanding correctly, these are getting caught by
> spp_sip due to the traffic in these instances having source port 5060 (they're
> doing a few thousand/day with a random source port span).
>
> Apr 17 09:33:31 snort[17881]: [140:3:2] (spp_sip) URI is too long
> [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
> [SOURCE_IP]:5060 -> [DESTINATION_IP]:443
>
> There is no actual SIP traffic expected to go in or out of this network,
> so regardless of anything else I believe there's no real reason to have
> these rules enabled? However, I am unsure what the correct way to disable
> them would be.
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit Snort.org to subscribe to the official Snort ruleset, and make sure
> to stay up to date to catch the most emerging threats:
> https://snort.org/downloads/#rule-downloads
>
>
>
>
> ---------- Forwarded message ----------
> From: Research <research@sourcefire.com>
> To: snort-sigs@lists.snort.org, shesu@sourcefire.com
> Cc:
> Bcc:
> Date: Tue, 21 Apr 2020 20:24:33 GMT
> Subject: [Snort-sigs] Snort Subscriber Rules Update 2020-04-21
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Talos Snort Subscriber Rules Update
>
> Synopsis:
> This release adds and modifies rules in several categories.
>
> Details:
> Talos has added and modified multiple rules in the server-webapp rule
> sets to provide coverage for recently released 0-day vulnerabilities in
> IBM's Data Risk Manager product. SIDs 53733-53735.
>
>
> For a complete list of new and modified rules please see:
>
> https://www.snort.org/advisories
>
>

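The triage Emil's message calls for (confirming that spp_sip only engaged because the client's source port was 5060, then silencing just those hits) as an added Python example; it is not code from the thread or from the Snort project. The syslog alert shape and gid 140 are taken from the log line quoted above; the sample alerts are constructed, and the "SIP port on the destination side" heuristic plus the threshold.conf `suppress` entries are the editor's choice.

```python
import re
from collections import Counter
# Snort 2.x syslog alert line in the shape quoted in the thread:
# snort[PID]: [gid:sid:rev] (spp_sip) msg [Classification: C] [Priority: N] {PROTO} SRC:SPORT -> DST:DPORT
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?:\((?P<pp>[^)]+)\) )?(?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+?):(?P<sport>\d+) -> (?P<dst>\S+?):(?P<dport>\d+)"
)
SIP_GID = 140             # generator id of spp_sip, the "140" in "[140:3:2]"
SIP_PORTS = {5060, 5061}  # default "ports { 5060 5061 }" of "preprocessor sip:" in snort.conf
# Constructed sample alerts (RFC 5737 documentation addresses), not data from the thread.
SAMPLE_LOG = """\
Apr 17 09:33:31 snort[17881]: [140:3:2] (spp_sip) URI is too long [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:5060 -> 198.51.100.5:443
Apr 17 09:33:32 snort[17881]: [140:3:2] (spp_sip) URI is too long [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:5060 -> 198.51.100.5:443
Apr 17 09:34:02 snort[17881]: [140:3:2] (spp_sip) URI is too long [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.22:5060 -> 198.51.100.5:443
Apr 17 09:35:10 snort[17881]: [140:3:2] (spp_sip) URI is too long [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.0.2.7:5060 -> 198.51.100.9:5060
Apr 17 09:36:00 snort[17881]: [1:1000001:1] constructed local rule [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.10:5060 -> 198.51.100.5:443
"""

def parse_alert(line):
    """Parse one syslog alert line into a dict; None if it is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "pri", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def likely_port_only_hits(log_text):
    """spp_sip alerts where only the *source* port is a SIP port, the pattern in the thread.
    Assumption (heuristic): genuine SIP has a SIP port on the server/destination side too."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_alert(line)
        if rec and rec["gid"] == SIP_GID and rec["sport"] in SIP_PORTS and rec["dport"] not in SIP_PORTS:
            hits.append(rec)
    return hits

def summarize(hits):
    """Count suspected false positives per (sid, source, dport) to judge the scale first."""
    return Counter((h["sid"], h["src"], h["dport"]) for h in hits)

def suppress_lines(hits):
    """threshold.conf entries silencing that sid for each offending source only,
    narrower than disabling spp_sip outright: SIP alerts from other hosts still fire."""
    return [f"suppress gen_id {SIP_GID}, sig_id {sid}, track by_src, ip {src}"
            for sid, src in sorted({(h["sid"], h["src"]) for h in hits})]
```

If no SIP is expected on the segment at all, the broader fix is to comment out the `preprocessor sip:` line in snort.conf (or restrict its `ports { }` list) instead of suppressing alert by alert. Either way, validate the edited configuration with `snort -T -c snort.conf` before restarting the sensor.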