Back to Green

Published: 2005-12-30
Last Updated: 2005-12-30 07:57:23 UTC
by Scott Fendley (Version: 3)
As it has been 24 hours since we elevated the Infocon to yellow in response to the WMF 0-day exploit, we will be lowering the Infocon level to Green.

An advisory has been released by Microsoft, working Snort signatures are available, and, as a result of raising the Infocon to yellow yesterday, awareness of the issue has been raised appropriately.

Moving to green signifies that no -new- significant threats are currently being tracked and is not intended to imply that the threat level today is any less than it was yesterday. See Infocon Levels for more information. Administrators and others responsible for system security are encouraged to act appropriately if no action or incomplete actions have been taken at this time.

Update:

We just got this very nicely done set of snort rules from Chris Ries at Vigilantminds:

The HTTP check is a slight performance booster for this rule.
The issue we had with it, though, is that in cases where we don't
perform server-side stream reassembly for performance reasons,
the sig would occasionally false-negative.

We broke this out into 4 rules:

# This Rule
alert tcp any $HTTP_PORTS -> any any (sid:1006182; flow:from_server,
established; content:"HTTP|2F|1|2E|"; nocase; depth: 0;
content:"200 OK"; nocase; within:8;
flowbits: set,HTTPSTREAM;flowbits:noalert; classtype:VM;)

# Identifies the HTTP stream for these rules
alert tcp any $HTTP_PORTS -> any any (sid:1006183;
flowbits: isset, HTTPSTREAM;
flowbits:isnotset, WMF; content:"HTTP|2F|1|2E|"; nocase; depth: 0;
content:"200 OK"; nocase; within:8; content:"|0D 0A 0D 0A|";
pcre:"/.{0,8}[]
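The point Chris makes above is that a single content match which needs the HTTP response header and the suspicious body in the same packet false-negatives whenever server-side reassembly is off and the two arrive in separate segments; linking rules with flowbits lets one rule tag the flow on the header and a later rule match the body anywhere in that tagged flow. The Python below models both strategies over the same constructed segments as an added example; it is not Snort code from the diary or from Vigilantminds, and it does not reproduce the rule set (whose pcre is cut off above). WMF_MARKER is a constructed placeholder for the body pattern, and the flow keys, payloads and the single_rule_alerts/flowbit_alerts function names are assumptions made for this illustration.

```python
"""Single-segment signature vs. flowbits-style per-flow state.

Added example (not the diary's or Vigilantminds' Snort rules).  Models:
  * single_rule_alerts(): one rule that needs the 'HTTP/1.x 200 OK' header
    and the body marker in the SAME segment, i.e. what happens to a
    monolithic signature when stream reassembly is disabled.
  * flowbit_alerts(): the split approach, where a header rule sets an
    HTTPSTREAM bit (no alert) and a body rule alerts on any later segment
    of the same flow while HTTPSTREAM is set, then sets WMF so the flow
    alerts only once (the diary's isnotset,WMF check).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed placeholder; the real body pattern is truncated on the page.
WMF_MARKER = b"<<WMF-PLACEHOLDER>>"

# Header checks mirroring the diary's first rule: "HTTP/1." at offset 0,
# then "200 OK" completing within the next 8 bytes (within:8).
HTTP_PREFIX = b"HTTP/1."
OK_STATUS = b"200 OK"

FlowKey = Tuple[str, int, str, int]  # (server_ip, server_port, client_ip, client_port)


@dataclass(frozen=True)
class Segment:
    """One server-to-client TCP segment (constructed test data)."""
    flow: FlowKey
    payload: bytes


def is_http_200(payload: bytes) -> bool:
    """'HTTP/1.' at the very start and '200 OK' finishing within 8 bytes after it."""
    if not payload.startswith(HTTP_PREFIX):
        return False
    window = payload[len(HTTP_PREFIX):len(HTTP_PREFIX) + 8]
    return OK_STATUS in window


def single_rule_alerts(segments: List[Segment]) -> List[FlowKey]:
    """Monolithic rule: header and marker must both sit in one segment."""
    return [s.flow for s in segments
            if is_http_200(s.payload) and WMF_MARKER in s.payload]


def flowbit_alerts(segments: List[Segment]) -> List[FlowKey]:
    """Flowbit-linked rules: state carried per flow across segments."""
    flowbits: Dict[FlowKey, Set[str]] = defaultdict(set)
    alerts: List[FlowKey] = []
    for seg in segments:
        bits = flowbits[seg.flow]
        # Header rule: tag the flow, flowbits:noalert.
        if is_http_200(seg.payload):
            bits.add("HTTPSTREAM")
        # Body rule: only in a tagged flow, and only once per flow.
        if "HTTPSTREAM" in bits and "WMF" not in bits and WMF_MARKER in seg.payload:
            bits.add("WMF")
            alerts.append(seg.flow)
    return alerts


def sample_segments() -> List[Segment]:
    """Constructed traffic: flow A has header and body in one segment,
    flow B splits them across two segments (the unreassembled case),
    flow C is a 404 that carries the marker and must not alert."""
    a: FlowKey = ("10.0.0.5", 80, "192.168.1.10", 51000)
    b: FlowKey = ("10.0.0.5", 80, "192.168.1.11", 51001)
    c: FlowKey = ("10.0.0.5", 80, "192.168.1.12", 51002)
    return [
        Segment(a, b"HTTP/1.1 200 OK\r\nContent-Type: image/x-wmf\r\n\r\n"
                   + WMF_MARKER + b"\x00" * 16),
        Segment(b, b"HTTP/1.0 200 OK\r\nContent-Type: image/x-wmf\r\n\r\n"),
        Segment(b, WMF_MARKER + b"\x00" * 16),
        Segment(c, b"HTTP/1.1 404 Not Found\r\n\r\n" + WMF_MARKER),
    ]


def compare() -> Dict[str, List[FlowKey]]:
    """Run both strategies over the sample traffic."""
    segs = sample_segments()
    return {"single_rule": single_rule_alerts(segs),
            "flowbits": flowbit_alerts(segs)}


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name}: {len(hits)} alert(s) -> {hits}")
```

Flow B is the case the diary describes: the monolithic check never sees header and body together and stays silent, while the flowbit version alerts because the HTTPSTREAM bit set on the first segment survives to the second. Flow C shows the header gate still doing its job, since a marker in a non-200 response sets no bit and produces no alert.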
