Snort mailing list archives
Re: CVE-2015-0204
From: <snort () outlook com>
Date: Tue, 10 Mar 2015 10:36:47 +0000
If by "DC" you mean Defence Center, then there is a way to view the rules body, given that permissions allow analysts to do that. The above is not based on my experience, just demos/documents I have read about DC.

On Tue, Mar 10, 2015 at 3:08 AM -0700, <kestutis.malakauskas () barclays com> wrote:

Thanks,

Yes, this is correct; this is the way I imagine it as well. The issue was that not all the rules are triggered so far, which our analysts could examine. Without the rule being triggered on DC, our analysts can't see the exact rule, so naturally they can't identify this distinction, which is seen only if you can examine the rules themselves. So I thought maybe someone has the separation done already for those and could provide which SIDs correspond to which (server side, client side).

Regards,
Kestutis

Kestutis Malakauskas | Lead Attack Monitoring Analyst | Global Information Security | Security Operations
Tel +370 5 251 1847 | Mobile +370 652 89466 | Email kestutis.malakauskas () barclays com
Barclays, 8th Floor | Balčikonio str. 7 | Vilnius | Lithuania GMT+2
Barclays.com Hotline: +370 520 62424
Please consider the environment before printing this email

From: Y M [mailto:snort () outlook com]
Sent: 10 March 2015 11:50
To: Malakauskas, Kestutis : RBB COO
Cc: snort-sigs
Subject: RE: [Snort-sigs] CVE-2015-0204

This can be inferred from the rules themselves. Looking at the rules you mentioned, logically speaking, the distinction can be made from:
- Rule direction: "external" to "home" or "home" to "external", and the associated
- SSL state: ssl_state, either server_hello or client_hello.

"external" to "home" with server_hello looks for the server side, while "home" to "external" with client_hello looks for the client side. Please correct me if I am wrong.

If the above holds true, then for usability purposes, maybe you can modify the rules' messages (using PulledPork, if you use it) to reflect client- or server-side alerts.

Hope this helps.

________________________________
From: kestutis.malakauskas () barclays com
To: snort-sigs () lists sourceforge net
Date: Tue, 10 Mar 2015 09:06:36 +0000
Subject: [Snort-sigs] CVE-2015-0204

Hello,

There are SIDs with GID 1, 33686 through 33703, which cover CVE-2015-0204. I assume part of them cover identification of vulnerable server configuration and the other part cover vulnerable browsers. Is it possible to distinguish this, defining which ones are for vulnerable browsers and which ones are for vulnerable servers? Anyone from VRT?

Thanks,
Kestutis

Kestutis Malakauskas | Lead Attack Monitoring Analyst | Global Information Security | Security Operations
Tel +370 5 251 1847 | Mobile +370 652 89466 | Email kestutis.malakauskas () barclays com
Barclays, 8th Floor | Balčikonio str. 7 | Vilnius | Lithuania GMT+2
Barclays.com Hotline: +370 520 62424
Please consider the environment before printing this email

This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments. Internet communications are not guaranteed to be secure or virus-free. The Barclays Group does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this e-mail may be monitored by the Barclays Group for operational or business reasons. Any opinion or other information in this e-mail or its attachments that does not relate to the business of the Barclays Group is personal to the sender and is not given or endorsed by the Barclays Group. Barclays Bank PLC. Registered in England and Wales (registered no. 1026167). Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702).

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
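The direction-plus-ssl_state heuristic Y M describes in the thread, implemented as a small classifier that reads a Snort rules file, labels each SID as server-side, client-side or unknown, and prefixes the rule's msg accordingly (a stand-in for the PulledPork message modification suggested above). This is an added example, not code from the thread or from the Snort/VRT rule set; the sample rules are constructed, carry placeholder SIDs (1000001 and up) rather than the real 33686 through 33703, and contain only the header fields and options the heuristic needs.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample rules (not the real VRT rules for CVE-2015-0204). Only the
# header direction and the ssl_state option matter for the classification.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"EXAMPLE FREAK server-side check"; flow:to_client,established; ssl_state:server_hello; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE FREAK client-side check"; flow:to_server,established; ssl_state:client_hello; sid:1000002; rev:1;)
# comment lines and blank lines are passed through untouched
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"EXAMPLE ambiguous"; flow:to_client,established; ssl_state:client_hello; sid:1000003; rev:1;)
"""

# Snort rule header: action proto src sport dir dst dport (options)
RULE_HEADER = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
SSL_STATE_RE = re.compile(r'\bssl_state\s*:\s*([^;]+);')
MSG_RE = re.compile(r'(msg\s*:\s*")')

# Prefix added to the msg of rules that get a definite label.
TAGS = {'server': '[SERVER-SIDE] ', 'client': '[CLIENT-SIDE] '}


def classify_rule(line: str) -> Optional[Tuple[int, str]]:
    """Return (sid, label) for one rule line, or None if it is not a rule.

    Label follows the heuristic from the thread:
      EXTERNAL_NET -> HOME_NET with ssl_state:server_hello  => 'server'
      HOME_NET -> EXTERNAL_NET with ssl_state:client_hello  => 'client'
      anything else                                         => 'unknown'
    """
    m = RULE_HEADER.match(line.strip())
    if not m:
        return None
    sid_m = SID_RE.search(m['opts'])
    if not sid_m:
        return None
    sid = int(sid_m.group(1))

    # ssl_state may list several states; negated ones (!client_hello) are
    # not positive evidence, so they are dropped from the set.
    state_m = SSL_STATE_RE.search(m['opts'])
    states = set()
    if state_m:
        states = {s.strip() for s in state_m.group(1).split(',')
                  if not s.strip().startswith('!')}

    one_way = m['dir'] == '->'
    ext_to_home = one_way and 'EXTERNAL_NET' in m['src'] and 'HOME_NET' in m['dst']
    home_to_ext = one_way and 'HOME_NET' in m['src'] and 'EXTERNAL_NET' in m['dst']

    if ext_to_home and 'server_hello' in states:
        return sid, 'server'
    if home_to_ext and 'client_hello' in states:
        return sid, 'client'
    return sid, 'unknown'


def classify_rules(text: str) -> Dict[int, str]:
    """Map every SID in a rules file to its side label."""
    labels: Dict[int, str] = {}
    for line in text.splitlines():
        result = classify_rule(line)
        if result is not None:
            labels[result[0]] = result[1]
    return labels


def annotate_rules(text: str) -> List[str]:
    """Return the rules file with side tags prefixed to each labelled msg."""
    out: List[str] = []
    for line in text.splitlines():
        result = classify_rule(line)
        if result is None or result[1] not in TAGS:
            out.append(line)
            continue
        tag = TAGS[result[1]]
        out.append(MSG_RE.sub(lambda mm: mm.group(1) + tag, line, count=1))
    return out


if __name__ == '__main__':
    for sid, label in sorted(classify_rules(SAMPLE_RULES).items()):
        print(f'sid {sid}: {label}')
    print('\n'.join(annotate_rules(SAMPLE_RULES)))
```

Rules whose header or ssl_state does not fit either pattern are reported as unknown rather than guessed, so an analyst reviewing the output sees exactly which SIDs still need a manual look at the rule body.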
Current thread:
- CVE-2015-0204 kestutis.malakauskas (Mar 10)
- Re: CVE-2015-0204 Y M (Mar 10)
- Re: CVE-2015-0204 kestutis.malakauskas (Mar 10)
- Re: CVE-2015-0204 snort (Mar 10)
- Re: CVE-2015-0204 Joel Esler (jesler) (Mar 10)
- Re: CVE-2015-0204 kestutis.malakauskas (Mar 10)
- Re: CVE-2015-0204 kestutis.malakauskas (Mar 10)
- Re: CVE-2015-0204 Y M (Mar 10)