Re: Rule 19253

[Joel Esler <jesler () sourcefire com>]

Exactly what happened.  It will be fixed tomorrow.  


On Jun 15, 2011, at 11:10 AM, rmkml wrote:

> Hi James,
> Maybe simply vrt missed flowbits:isset,http.engtesselate; on this rule? (this flowbits created on sid 19252 but never 
> used on clear text rules)
> These two rules are "curious" because first sid 19252 are web-client file but this rule check http_uri and flow are 
> to_client...
> Regards
> Rmkml
>
>
> On Wed, 15 Jun 2011, Lay, James wrote:
>
> > Yowza…this thing fires CONSTANTLY:
> > 06/15-08:08:12.474932  [**] [1:19253:1] WEB-CLIENT Adobe Reader malicious language.engtesselate.ln file download 
> > attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.88:80 -> int.ip:18960
> > [08:10:18 ids:~/snort$] sudo grep language.engtesselate.l ~/internetalert.fast -c
> > 235
> > That’s in 10 minutes…crazy.
> > Suppressed and restarted…eww
> > James
> ------------------------------------------------------------------------------
> EditLive Enterprise is the world's most technically advanced content
> authoring tool. Experience the power of Track Changes, Inline Image
> Editing and ensure content is compliant with Accessibility Checking.
> http://p.sf.net/sfu/ephox-dev2dev_______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org


------------------------------------------------------------------------------
EditLive Enterprise is the world's most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org