lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BLU148-W29619ECF184243560D9162B45F0@phx.gbl>
Date: Fri, 15 May 2009 10:07:32 -0500
From: John Jacobs <flamdugen@...mail.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: ISC Twitter/Google Snort Signatures


Hello FD, first and foremost thank you for the strong effort and excellent signatures.  As such, in an attempt to give back to a wonderful community, I humbly submitted the following Snort rules for inclusion into the ET signatures.  A brief explanation is provided below:

The first signature is designed to detect Google non-security related announcement articles on the ISC Diary; this seems to be a topic of extreme interest for some ISC Handlers despite having little to no security value.  I am unsure if this is a result of "Slow News Day" syndrome or another behavorial oddity which manifests at ISC.  This will detect on "Google is slow" style articles as well, however, I am sure this signature will require more tweaking as ISC encourages handing over more personal data to a 3rd party under the guise of functionality.

The second signature is designed to detect Joel peddling Twitter on the isc.sans.org Diary, as again, this isn't security related.  I suspect the Twitter signature may tend to fire more than the Google as Joel tends to get excited about "Tweeting" and "Twittering" and this spills over into the ISC Diary anytime he's the "Handler on Duty".

As always, please feel free to make changes to this signatures, especially regarding performance.  I've placed these into ET POLICY but they may be more applicable in another classes, perhaps a blocking class. I thank you in advance, feel free to modify for PCRE as well.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY isc.sans.org Access"; flowbits:set,isc_sans; flowbits:noalert; flow:established,to_server; content:"|0D 0A|Host|3A 20|isc|2E|sans|2E|org|0D 0A|"; reference:url,isc.sans.org/; classtype:policy-violation; sid:2009xxxx; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY isc.sans.org SANdlers say Google is slow"; flowbits:isset,isc_sans; flow:established,from_server; content:"google"; nocase; content:"slow"; nocase; reference:url,isc.sans.org/diary.html?storyid=6388; reference:url,isc.sans.org/diary.html?storyid=5443; classtype:policy-annoyance; sid:2009xxxx; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY isc.sans.org Joel Esler Peddling Twitter"; flowbits:isset,isc_sans; flow:established,from_server; content:"Joel|20|Esler"; nocase; content:"Twitter"; nocase; reference:url,isc.sans.org/diary.html?storyid=6391; reference:url,isc.sans.org/diary.html?storyid=6388; classtype:policy-annoyance; sid:2009xxxx; rev:1;)

- John Jacobs
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ