
Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-09-27

From: waldo kitty <wkitty42_at_nospam>
Date: Tue Sep 28 2010 - 17:25:38 GMT
To: snort-sigs@lists.sourceforge.net

On 9/28/2010 11:03, infosec posts wrote:
> I have to ask, because I must be missing something here.
>
> SID:17494 - web-client.rules -

what's the GID? i suspect it is 3??

FWIW: i see that the GID is becoming more and more important when talking about
rules...

> alert tcp $HOME_NET any ->
> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer
> Long URL Buffer Overflow attempt"; flow:established,to_server;
> urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D
> 0A|"; metadata:service http; reference:bugtraq,19667;
> reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)
>
> Unless I am mistaken, we got a brand new signature for something that
> was patched in 2006 (IE 6.0 SP1 on WinXP XP1). It was also written so
> broadly that I'm north of 90,000 alerts in an 8-hour overnight time
> window before I killed the signature, and still counting as the
> buffers flush out from my sensors.

ouch! that is a bit on the extreme side, isn't it :?

> Am I off my rocker, or is this a "WTF?" signature reminiscent of the
> great SMTP FP debacle in the past?

i think i missed that...

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
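The quoted rule fires on any established client-to-server GET whose URI is longer than 260 bytes and whose request line ends in HTTP/1.1, which is why a busy sensor produced tens of thousands of hits overnight. The following Python is an added example, not part of this thread and not Snort or Sourcefire code: it parses the option list of SID 17494 as quoted above into the three checks that matter (urilen, the http_method content and the raw content), then applies them to a handful of constructed request lines. The sample requests are invented for illustration, not captured traffic; the matcher assumes every sample is client-to-server and ignores the flow and metadata keywords, so it is only a way to estimate how a rule behaves before it goes live.

```python
import re

# The rule as quoted in the thread (SID 17494, rev 1), kept verbatim.
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; '
    'flow:established,to_server; urilen:>260; content:"GET"; http_method; '
    'content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; '
    'reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; '
    'sid:17494; rev:1;)'
)


def split_options(rule):
    """Split the parenthesised option list on ';' characters outside quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return [o for o in opts if o]


def decode_content(value):
    """Turn a Snort content string such as "HTTP|2F|1|2E|1|0D 0A|" into bytes."""
    out, in_hex = bytearray(), False
    for chunk in value.strip('"').split("|"):
        out += bytes.fromhex(chunk.replace(" ", "")) if in_hex else chunk.encode("ascii")
        in_hex = not in_hex
    return bytes(out)


def compile_rule(rule):
    """Reduce the option list to the checks this toy matcher understands.

    flow:, metadata:, reference:, classtype:, sid: and rev: are ignored by
    assumption (all sample requests below are treated as client-to-server).
    """
    checks = {"urilen": None, "contents": []}
    for opt in split_options(rule):
        name, _, value = opt.partition(":")
        if name == "urilen":
            m = re.fullmatch(r"([<>]?)(\d+)", value)
            checks["urilen"] = (m.group(1) or "=", int(m.group(2)))
        elif name == "content":
            checks["contents"].append({"bytes": decode_content(value), "buffer": "raw"})
        elif name == "http_method" and checks["contents"]:
            # http_method is a modifier: it re-targets the preceding content.
            checks["contents"][-1]["buffer"] = "method"
    return checks


def matches(checks, request):
    """Apply the compiled checks to one request (a dict with method, uri, version)."""
    raw = f"{request['method']} {request['uri']} {request['version']}\r\n".encode("ascii")
    if checks["urilen"]:
        op, n = checks["urilen"]
        length = len(request["uri"])
        if not {">": length > n, "<": length < n, "=": length == n}[op]:
            return False
    for c in checks["contents"]:
        haystack = request["method"].encode("ascii") if c["buffer"] == "method" else raw
        if c["bytes"] not in haystack:
            return False
    return True


# Constructed sample requests. None is an exploit; the long URIs are the kind of
# query strings search engines and ad networks produce routinely.
SAMPLE_REQUESTS = [
    {"method": "GET", "uri": "/index.html", "version": "HTTP/1.1"},
    {"method": "GET", "uri": "/search?q=" + "a" * 300, "version": "HTTP/1.1"},
    {"method": "POST", "uri": "/upload?id=" + "b" * 300, "version": "HTTP/1.1"},
    {"method": "GET", "uri": "/legacy?id=" + "c" * 300, "version": "HTTP/1.0"},
]


def count_matches(requests=SAMPLE_REQUESTS, rule=RULE):
    """Return (hits, total) so a rule's hit rate on a sample can be judged before deployment."""
    checks = compile_rule(rule)
    hits = sum(1 for r in requests if matches(checks, r))
    return hits, len(requests)


if __name__ == "__main__":
    checks = compile_rule(RULE)
    for r in SAMPLE_REQUESTS:
        print(f"{matches(checks, r)!s:5} {r['method']} {r['version']} urilen={len(r['uri'])}")
    print("matches: %d of %d" % count_matches())
```

Only the second sample trips the rule, and it is an ordinary long search query: nothing in the rule distinguishes a 310-byte benign URI from the overflow condition the message text names, so on a network that sees many long GETs the hit count scales with traffic volume rather than with anything suspicious. Running a candidate rule over a sample of your own logged request lines in this way is a cheap check before enabling it on a production sensor.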