Wednesday, December 28, 2011

VRT Rule Update for 12/27/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 11 new rules and made modifications to 4 additional rules.

The following changes were made to the snort.conf in this release. We suggest you use the most current snort.conf from the VRT tarball to upgrade, or use the Snort.conf configuration download page on Snort.org.

Added a variable for GTP_PORTS

# List of GTP ports for GTP preprocessor
portvar GTP_PORTS [2123,2152,3386]


Changed the list paths for the IP reputation preprocessor; you should modify these to match your environment:

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules


Added a config line for the GTP preprocessor (v2.9.2.0), commented out (off) by default.

# config enable_gtp


Added some new http_methods to the http inspect preprocessor (v2.9.2.0):

http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA }


Enabled javascript normalization by default in the http inspect preprocessor:

normalize_javascript


Added configurations for the modbus and dnp3 preprocessors:

# Modbus preprocessor. For more information see README.modbus
preprocessor modbus: ports { 502 }

# DNP3 preprocessor. For more information see README.dnp3
preprocessor dnp3: ports { 20000 } \
memcap 262144 \
check_crc
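
As an added example (not part of the post, and not VRT code), here is a small POSIX shell script that checks an existing snort.conf for each of the additions listed above, so you can see what still needs to be merged before you replace the file. It folds backslash-continued lines first, because the http_methods list, normalize_javascript and the dnp3 block span several lines in the stock configuration; the snort.conf excerpt it runs against is constructed for the demonstration and deliberately lacks several of the new settings.

```shell
#!/bin/sh
# Added example, not from the Snort.org post: report which of the 12/27/2011
# snort.conf additions an existing configuration still lacks.
# Assumes the stock snort.conf layout, where the http_inspect_server options
# (http_methods, normalize_javascript) sit on one backslash-continued line.

# The http_methods list from the post, used as the reference set.
NEW_HTTP_METHODS="GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL \
BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE \
SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT \
PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA"

# Fold backslash-continued lines so each preprocessor block becomes one line.
join_continuations() {
    awk '{
        line = $0
        while (sub(/[ \t]*\\$/, "", line) && (getline nxt) > 0)
            line = line " " nxt
        print line
    }' "$1"
}

# Print the pattern of every 12/27 directive that is absent from the config.
missing_directives() {
    joined=$(join_continuations "$1")
    for pat in \
        '^portvar GTP_PORTS' \
        '^var WHITE_LIST_PATH' \
        '^var BLACK_LIST_PATH' \
        '^preprocessor http_inspect_server:.*normalize_javascript' \
        '^preprocessor modbus:' \
        '^preprocessor dnp3:.*check_crc'
    do
        printf '%s\n' "$joined" | grep -Eq "$pat" || echo "$pat"
    done
}

# Print the methods from the new http_methods list that the config lacks.
missing_http_methods() {
    methods=$(join_continuations "$1" |
        sed -n 's/.*http_methods {\([^}]*\)}.*/\1/p' | head -n 1)
    for m in $NEW_HTTP_METHODS; do
        case " $methods " in
            *" $m "*) ;;
            *) echo "$m" ;;
        esac
    done
}

# Constructed sample config: has GTP_PORTS and dnp3, lacks the list paths,
# the new http_methods, normalize_javascript and the modbus preprocessor.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample snort.conf excerpt
portvar HTTP_PORTS [80,8080]
# List of GTP ports for GTP preprocessor
portvar GTP_PORTS [2123,2152,3386]
var RULE_PATH ../rules
preprocessor http_inspect_server: server default \
    profile all ports { $HTTP_PORTS } oversize_dir_length 500 \
    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL } \
    unlimited_decompress
# DNP3 preprocessor. For more information see README.dnp3
preprocessor dnp3: ports { 20000 } \
    memcap 262144 \
    check_crc
EOF
    echo "$f"
}

SAMPLE_CONF=$(make_sample_conf)
echo "Missing directives:"
missing_directives "$SAMPLE_CONF"
echo "Missing http_methods: $(missing_http_methods "$SAMPLE_CONF" | grep -c '')"
rm -f "$SAMPLE_CONF"
```

Point both functions at your real snort.conf instead of the sample; an empty result from each means the 12/27 additions are already in place.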



In VRT's rule release:

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the smtp,
specific-threats and web-client rule sets to provide coverage for
emerging threats from these technologies.
This release also provides coverage for a new FreeBSD telnetd overflow; this can be found in SIDs 20812 and 20813.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, December 19, 2011

VRT Rule Update for 12/09/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 16 new rules and made modifications to 5169 additional rules.  This rule release also added support for Snort Version 2.9.2.0.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
attack-responses, bad-traffic, dns, dos, exploit, file-identify, ftp,
icmp, imap, misc, multimedia, netbios, nntp, p2p, policy, pop3, smtp,
snmp, specific-threats, sql, telnet, tftp, web-activex, web-cgi,
web-client, web-frontpage and web-misc rule sets to provide coverage
for emerging threats from these technologies.


Sunday, December 18, 2011

Snort 2.9.0.5 EOL date has been posted

Last month we started publishing the EOL dates of the supported versions of Snort from the official Snort ruleset.

Posted here:
https://www.snort.org/eol

You will now see that the EOL date for Snort version 2.9.0.5 is set for 2012-03-13, that's March 13, 2012.

As always, any questions about the Snort EOL policy can be directed towards me: joel@snort.org and I'll get them answered for you.

Friday, December 16, 2011

One Year of the Snort.org Blog

The other day marked the one-year milestone of this blog being created.  So I thought I'd reflect a bit on how it's helped me, and ask you, the community, if it's done the same for you.

When I took over the Snort Community Manager position here at Sourcefire, I put out a news post that asked what the pain points were for the Snort project, suggestions on how to improve things, and whatever else people felt like writing me with.  (By the way, you can always write me at joel@snort.org.)  You all came up with some great stuff, and I've been implementing some of the ideas both in the community aspect (some people complained it was hard to find documentation and things like that) and in the engine itself (lots of improvements made, more coming).

One of the ideas that I wanted to bring to the table when I took over was to start a blog.  I wanted to start a Snort Blog, revive the ClamAV blog, and start a Sourcefire corporate blog.  The first two I accomplished quickly and the last was also implemented this year.  I wanted to have one place to get your news and information about Snort, including any changes made to Snort.org, community happenings, improvements, etc., and one place to get your information about ClamAV.

This blog has allowed me to quickly and easily get information out to the community, as well as provide a forum for feedback to allow people to communicate easily with me.  The other thing it provides is to give a place for our developers to directly speak to you and explain new features of Snort (which we will be doing in the coming weeks about Snort 2.9.2).

But, let me hear from you.  What do you think?  Has the blog helped?  What can I do to make things better?  What suggestions do you have?

Snort-Devel Google Group

Just to let you all know, I've gone ahead and transitioned the Snort-Devel Google Group.  I've taken everyone who was in the group and added them to the Snort-devel mailing list found here:

https://www.snort.org/community

The Snort-Devel Google Group has been locked and will reject any future attempts to post.

I'll move the other Groups as well soon.

Thank you, and have a Happy Holiday.

Wednesday, December 14, 2011

Google Groups, Mailing Lists, and Forums, redux

Snort Community --

A year ago I asked the Snort Community which route would be preferable to take with methods of interaction within the community; the three options presented were Google Groups, Forums (as they were), or Mailing lists.  People voted in the vast majority for Google Groups.

The original intention for the Google Groups was to collapse the Forums and the Mailing lists and consolidate everything in to the Google Groups structure so we could have both a web-based forum and an email based forum for interacting with the rest of the Snort Community as well as the developers and maintainers of Snort, the official Snort ruleset, and all the projects that surround this large community.

Unfortunately this isn't working out for many reasons. 

  1. Shortly after we did this, Google separated "Google" accounts and "Google Business" accounts, making it nearly impossible to use a public Google Groups forum with a private Google Business account.  It is possible to do, but it takes a lot of work and isn't worth the trouble.
  2. We found that you can only add 10 members to a Google Group at a time; if you add too many, Google thinks you are spamming and closes the Group.  With over 7000 members between the three lists, that would take quite some time to complete.
  3. We have 10+ years of history on the Snort Mailing lists, and I don't want to abandon that.


So moving forward, what I intend to do is lock the Google Groups, and move the members of the 3 Google groups over to the respective Snort Mailing list and subscribe everyone.  In the subscribe email, I'll provide instructions on where to log in and change your delivery method (some people prefer digest-mode) or even unsubscribe if you don't wish to receive email.  I'll move Snort-Devel first, Snort-Sigs, then Snort-Users.

This will provide the community with one place to ask and receive answers to questions.

I'm interested in hearing your feedback.

Tuesday, December 13, 2011

VRT Rule Update for 12/13/2011, Microsoft Tuesday Coverage

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 76 new rules and made modifications to 661 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
The Sourcefire VRT is aware of vulnerabilities affecting products from
Microsoft Corporation.

Details:
Microsoft Security Advisory MS11-087:
A vulnerability exists in the way that Microsoft Windows systems
process TrueType font files that may allow a remote attacker to execute
code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 20735.

Microsoft Security Advisory MS11-089:
Microsoft Office contains programming errors that may allow a remote
attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 20724 and 20734.

Microsoft Security Advisory MS11-090:
A vulnerability exists in the way that Microsoft Internet Explorer
handles ActiveX objects that may allow a remote attacker to execute
code on an affected system.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 1, SIDs 20704 through 20716.

Microsoft Security Advisory MS11-091:
Microsoft Publisher contains programming errors that may allow a remote
attacker to elevate privileges on an affected host.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 20719 through 20721.

Microsoft Security Advisory MS11-093:
The Microsoft Windows Object Linking and Embedding (OLE) framework
contains a vulnerability that may allow a remote attacker to execute
code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 20717.

Microsoft Security Advisory MS11-094:
Microsoft PowerPoint contains programming errors that may allow a
remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 20700 through 20703
and SID 20722.

Microsoft Security Advisory MS11-096:
A vulnerability exists in Microsoft Excel that may allow a remote
attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 20718.

Microsoft Security Advisory MS11-099:
Microsoft Windows contains programming errors that may allow a remote
attacker to execute code on an affected system.

A rule to detect attacks targeting these vulnerabilities is included in
this release and is identified with GID 1, SID 20699.

Additionally, previously released rules will also detect attacks
targeting this vulnerability and are included in this release with
updated reference information. They are identified with GID 1, SIDs
18208 and 18209.

The Sourcefire VRT has added and modified multiple rules in the
backdoor, bad-traffic, blacklist, botnet-cnc, chat, ddos, dns, dos,
exploit, file-identify, ftp, imap, misc, multimedia, mysql, netbios,
oracle, p2p, phishing-spam, policy, pop3, rservices, specific-threats,
spyware-put, sql, telnet, voip, web-activex, web-cgi, web-client,
web-iis and web-php rule sets to provide coverage for emerging threats
from these technologies.


Friday, December 9, 2011

Snort 2.9.1.2 Installation Guide on Mac OS X just posted!

Thanks to Christoph Murauer for an excellent guide to installing Snort 2.9.1.2 on Mac OS X!

Check out Christoph's Snort 2.9.1.2 install guide here.

Thanks to all of our Snort community contributors on their documentation, if you'd like to contribute some documentation and have it hosted on http://snort.org/docs, please feel free to contact me at joel@snort.org, and if we put your guides/whitepapers up on the site, we'll send you some Snort swag!

As always Snort.org makes no warranty or edits to submitted documentation, and we'd like to thank the contributors of the documentation for their time.

The argument 'mime' to 'file_data' rule option is deprecated.

TL;DR:   This hurts nothing.  Ignore it.  Read the below to learn why it's there.

A lot of people have been seeing this warning, Googling it, asking about it, and wondering what it means when it's displayed on Snort startup.

Prior to Snort version 2.9.1, we had the operator "mime" added to the "file_data" keyword to have it properly set the pointer for mime attachments in an email.  However, when Snort version 2.9.1 was released, we added the "mime" operator into the file_data keyword itself.  This makes it simpler for the rule author to be able to write one rule, and Snort will correctly set the pointer for http, smtp, ftp, smb, pop3, and imap protocols.

We will still include this keyword within the official Snort ruleset distributed by the VRT so long as we distribute rulesets for Snort version 2.9.0.5.  If you are using Snort >=2.9.1, you can safely ignore this warning.  After the EOL for Snort 2.9.0.5 has been reached (90 days after the release of Snort 2.9.2), we'll remove the mime operator from the ruleset, and this warning will go away.

Wednesday, December 7, 2011

VRT Rule Update for 12/07/2011, Adobe CVE-2011-2462 coverage

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 34 new rules and made modifications to 67 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, bad-traffic, botnet-cnc, chat, exploit, file-identify,
icmp-info, nntp, policy, rpc, scada, smtp, snmp, specific-threats,
telnet, web-client and web-php rule sets to provide coverage for
emerging threats from these technologies.
Protection is also included in this rule release for Adobe Reader CVE-2011-2462.  Sid 1:20659 can be used against this threat.

If you are having problems with your flowbits

Some people have been experiencing a problem with their Snort downloads during the recent file-identify.rules transition.

During this transition we added a feature to the flowbit "set" rules called a "flowbit group". The intention of the flowbit group is that if a flowbit in the group is set on a certain stream and another rule in the same group later sets its flowbit on the same stream, the second set unsets the first flowbit.

This is EXTREMELY helpful for things like http pipelined streams where multiple downloads are done over a single stream and would result in the occasional false positive.

While we received zero false negative or false positive reports as a result of the flowbit group being in the file-identify ruleset, we decided to go back to the original method of flowbit "set" and "unset".  Unfortunately, this affected people who wrote custom rules that either checked or set a flowbit with the same flowbit name as ours.  It also uncovered a minor restart bug affecting users of open source Snort (not the Sourcefire product) in Snort version 2.9.1.2 (it's fixed in 2.9.2): a -HUP would not reload the presence of a flowbit group (or the lack of one).

So, to remove the fileidentify flowbit group name from your rulesets, you can either manually edit the rule files and remove ",fileidentify" from the rules, or you can use this quick shell script that I wrote and have not tested.


The error that some may see is:

sp_flowbits.c(510) Flowbits already belongs to a group

This error means one of two things: either a custom rule of yours sets a flowbit with the same name as one of ours but without the flowbit group (while ours has it), or the reverse: your custom rule uses the same flowbit name with the group and ours does not.


So this script should fix the problem either way by totally removing the fileidentify flowbit group.

First, descend into the rules/ directory where you keep your rules, then create and run this shell script:

#!/bin/sh
# Strip the fileidentify flowbit group from every .rules file in the current directory.
# Requires GNU sed for -i; the g flag cleans lines that carry more than one grouped flowbits option.
for x in *.rules
do
    sed -i -e 's/,fileidentify//g' "$x"
done


This will remove the fileidentify flowbit group from all the rules, and Snort will function as it was before.

Tuesday, December 6, 2011

VRT Snort.conf example files

Earlier today a Snort community member was asking where the most current snort.conf example files are that we (the VRT) use to test our rules with.

As the snort.conf that is contained inside the etc/ directory of the Snort tarball is a snapshot in time (at the time of the tarball release), it's necessary to occasionally update the snort.conf in order to take advantage of updated settings for the preprocessors and include new rule files.

So, in order to provide the latest functionality for all our users, the snort.conf files that are contained within the subscriber tarball are now listed here: https://www.snort.org/configurations

Also, we've included the automatically generated gen-msg.map and sid-msg.map files so that people may use those as well if they don't use a tool like PulledPork to generate these files automatically.

To stay current on the discussions surrounding all things Snort, we recommend you subscribe to the Snort Mailing lists found here: https://www.snort.org/community

Thursday, December 1, 2011

VRT Rule Update for 12/01/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 36 new rules and made modifications to 773 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the attack-responses, backdoor, bad-traffic, botnet-cnc, deleted, dos, exploit, file-identify, netbios, oracle, rservices, scada, smtp, specific-threats, spyware-put, web-activex, web-client and web-php rule sets to provide coverage for emerging threats from these technologies.

Note:
The fileidentify flowbit group has been removed. This could lead to your local rules no longer working. You must modify local rules using this flowbit group before you can use them in policies.

For example, if you have a rule that uses the fileidentify flowbit group with the following set of options:

flowbits:set,http.mpeg,fileidentify;

You must remove the fileidentify group name for the rule to continue working. The modified rule would then contain the following:

flowbits:set,http.mpeg;

We are also starting to change the names of flowbits to more accurately represent what we are attempting to detect.  For instance, we are changing the names from "http.jpeg" to "file.jpeg".
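
The sed one-liner in the flowbits post above removes the group name by brute force; as an added example (not the post's script, and not VRT code), the following POSIX shell script goes one step further for both that post and the note above. It first reports flowbit names that are set with a group in one rule file and without it in another, which is the situation that produces the "Flowbits already belongs to a group" error, then strips the fileidentify group from every flowbits option (turning flowbits:set,http.mpeg,fileidentify; into flowbits:set,http.mpeg;) and checks the result. The rules directory it runs against is constructed for the demonstration (the sids are local-range placeholders, not VRT sids), and it assumes the VRT spelling of the option with no spaces, flowbits:set,name,group;.

```shell
#!/bin/sh
# Added example, not the Snort.org post's script: diagnose flowbits that are
# set both with and without a group across a rules directory, then remove the
# fileidentify group from every flowbits option so the rules load again.
# Assumes VRT-style option spelling with no spaces (flowbits:set,name,group;).

# Print flowbit names set with a group in one rule and without one in another.
conflicting_flowbits() {
    grep -ho 'flowbits:set,[^;]*;' "$1"/*.rules |
        sed 's/^flowbits:set,//; s/;$//' |
        awk -F, '{ if (NF >= 2) grouped[$1] = 1; else plain[$1] = 1 }
                 END { for (n in grouped) if (n in plain) print n }' | sort
}

# Remove ",fileidentify" from flowbits options only, every occurrence on a
# line rather than just the first, keeping a .bak copy of each edited file.
strip_fileidentify_group() {
    for f in "$1"/*.rules; do
        sed -i.bak -e 's/\(flowbits:[a-z]*,[^,;]*\),fileidentify;/\1;/g' "$f"
    done
}

# Constructed sample rules directory: file-identify rules carrying the group,
# plus a local rule that sets the same flowbit without it (sids are
# local-range placeholders, not VRT sids).
make_sample_rules() {
    d=$(mktemp -d)
    cat > "$d/file-identify.rules" <<'EOF'
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY MPEG file download request"; flow:to_client,established; content:"video/mpeg"; flowbits:set,http.mpeg,fileidentify; flowbits:noalert; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_client,established; content:"image/jpeg"; flowbits:set,file.jpeg,fileidentify; flowbits:noalert; classtype:misc-activity; sid:1000002; rev:1;)
EOF
    cat > "$d/local.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL custom MPEG tracker"; flow:to_client,established; content:"video/mpeg"; flowbits:set,http.mpeg; flowbits:noalert; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL MPEG payload check"; flow:to_client,established; flowbits:isset,http.mpeg; content:"|00 00 01 ba|"; sid:1000004; rev:1;)
EOF
    echo "$d"
}

RULES_DIR=$(make_sample_rules)
echo "Conflicting flowbits before: $(conflicting_flowbits "$RULES_DIR")"
strip_fileidentify_group "$RULES_DIR"
echo "Conflicting flowbits after:  $(conflicting_flowbits "$RULES_DIR")"
echo "Remaining group references: $(cat "$RULES_DIR"/*.rules | grep -c ',fileidentify')"
rm -rf "$RULES_DIR"
```

Run conflicting_flowbits against your own rules directory first: a non-empty list tells you which local rules collide with the VRT flowbit names before you change anything, and an empty list after strip_fileidentify_group confirms the group is gone.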

Monday, November 28, 2011

VRT Rule Update for 11/28/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 15 new rules and made modifications to 637 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the backdoor, bad-traffic, botnet-cnc, dns, exploit, file-identify, ftp, icmp, imap, multimedia, netbios, pop3, scada, smtp, specific-threats, and web-misc rule sets to provide coverage for emerging threats from these technologies.


Snort 2.9.2 RC's output warnings

Beginning in Snort 2.9.2, if you are using an output method that is being deprecated in a future version of Snort, we are going to warn you on startup.

Examples of these deprecated output methods that you will be warned about are:
spo_database (Direct to database output method, or commonly referred to as the "database output method")
spo_aruba (Aruba output plugin)
spo_prelude (Prelude output plugin)

These output plugins will be totally removed in Snort version 2.9.3.

We are not deprecating "unified1" as an output method in 2.9.3, but we do have plans for its EOL as well.

We suggest moving to unified2 as an output method, and also to barnyard2 (if you are still using the original barnyard).

Tuesday, November 22, 2011

Snort Rules EOL Versions are now posted

As requested by many members of the community, a chart for the End-of-life for Snort rule versions is now posted on our EOL Policy page: https://www.snort.org/eol.

Please note that "TBD" in the chart stands for "To Be Determined".

Snort 2.8.6.1 EOL, seriously

Last month we mistakenly announced the EOL of Snort 2.8.6.1, and the community let us know.
http://blog.snort.org/2011/10/snort-2861-isnt-eol-yet.html

November 23, 2011 marks the end of life for Snort 2.8.6.1 rule support.  So there will be one more Snort rule build, and it will be the last version built with this support in it.

The current version of Snort is 2.9.1.2 and is available for download here: https://www.snort.org/downloads

Tuesday, November 15, 2011

VRT Rule Update for 11/15/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 23 new rules and made modifications to 23 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the bad-traffic, blacklist, botnet-cnc, chat, dns, dos, exploit, file-identify, misc, oracle, policy, smtp, specific-threats, web-activex, and web-misc rule sets to provide coverage for emerging threats from these technologies.


Thursday, November 10, 2011

VRT Rule Update for 11/10/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 9 new rules and made modifications to 41 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the dns,
exploit, file-identify, misc, multimedia, specific-threats and web-misc
rule sets to provide coverage for emerging threats from these
technologies.


Tuesday, November 8, 2011

VRT Rule Update for 11/08/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 2 new rules and made modifications to 51 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
The Sourcefire VRT is aware of vulnerabilities affecting hosts using the Microsoft Windows operating system.

Details:
Microsoft Security Advisory MS11-083:
The Microsoft Windows implementation of the TCP/IP networking stack contains a programming error that may allow a remote attacker to execute code or cause a Denial of Service (DoS) on an affected system.

A previously released rule will detect attacks targeting this vulnerability and is included in this release with updated reference information. It is identified with GID 1, SID 19678.

Microsoft Security Advisory MS11-085:
The Microsoft Windows Address Book component contains a programming error that may allow a remote attacker to execute code on an affected system. The problem occurs when the application attempts to process a malicious Windows Address Book Library file.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 20541 and 20542.

Monday, November 7, 2011

VRT Rule Update for 11/07/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 6 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
The Sourcefire VRT is aware of a vulnerability affecting hosts using the Microsoft Windows operating system.

Details:
Microsoft Security Advisory (2639658):
The Microsoft Windows TrueType font parsing engine contains a vulnerability that may allow a remote attacker to execute code on an affected system. A successful exploitation of this vulnerability may allow the attacker to execute code in kernel mode. This vulnerability is also related to the Duqu malware.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 20539.

Friday, November 4, 2011

VRT Rule Update for 11/04/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 8 new rules and made modifications to 531 additional rules.

There were no changes made to the snort.conf in this release.

Phase 2 of the file-identify.rules rollout was done in this release.  For more information, please see the post here:

http://blog.talosintel.com/2011/11/say-hello-to-file-identify-category.html

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, botnet-cnc, exploit, file-identify, multimedia, specific-threats, web-client and web-php rule sets to provide coverage for emerging threats from these technologies.

Wednesday, November 2, 2011

VRT Rule Update for 11/02/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 99 new rules and made modifications to 423 additional rules.

There were two changes made to the snort.conf in this release.

The addition of the FILE_DATA_PORTS variable

# List of file data ports for file inspection
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]


As well as the inclusion of the file-identify.rules category

include $RULE_PATH/file-identify.rules


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, chat, deleted, dos, exploit, file-identify, ftp, misc, multimedia, policy, specific-threats, spyware-put, web-activex, and web-misc rule sets to provide coverage for emerging threats from these technologies.

This release introduces the file-identify.rules category. The purpose of this category is to standardize the structure of rules that set a flowbit used to identify file downloading activities. A new port variable, FILE_DATA_PORTS, accompanies this category and contains a ports list used by these rules to identify the download of file types.

Introducing the file-identify rule category.

This week we are introducing a new category into the VRT ruleset.  It's named "file-identify".

Instead of rehashing everything we wrote here, I'll just point you over to the post on the VRT Blog.

Please go here:  http://blog.talosintel.com/2011/11/say-hello-to-file-identify-category.html

Friday, October 28, 2011

Snort 2.8.6.1 isn't EOL yet!

This morning's post (and the previous week's posts) were in error.  Snort 2.8.6.1's EOL date is 90 days past the release of 2.9.1.

Snort 2.9.1 was released on August 23rd.  That places our 90 day window at November 23rd.  We apologize for any panic and inconvenience this may have caused.

We do highly recommend you take the next month to upgrade to Snort 2.9.1.2.  It should be our last release (unless something catastrophic comes up) until Snort 2.9.2.

Again, apologies.

Thursday, October 27, 2011

VRT Rule Release for 10/27/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 137 new rules and made modifications to 707 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the netbios, oracle, voip and web-misc rule sets to provide coverage for emerging threats from these technologies.

Wednesday, October 26, 2011

Razorback 0.3 has been released!

Please see the article over on the VRT Blog about Razorback's 0.3 release.

We're excited to see all the new uses that people are dreaming up for Razorback, and look forward to the feedback!

Check out the article here: http://blog.talosintel.com/2011/10/razorback-03-released.html

Thursday, October 20, 2011

VRT Rule release for 10/20/2011, Snort 2.9.1.2

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 16 new rules and made modifications to 1003 additional rules. In this rulepack we also introduce support for Snort 2.9.1.2.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, specific-threats, web-activex, and web-misc rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Tuesday, October 18, 2011

The VRT is looking for more good test environments.

Over the years we have developed a large rule test environment, both internally at Sourcefire and externally with test sensors and customer networks. We are looking to expand this trusted group of Snort rule contributors. When we have a rule we'd like to deploy "in the wild", we send it to these environments first. We're looking to expand this group by another 20 or so.

This group needs a large variety of things on the network: servers, clients, Windows, Macs, Linux, malware, the works, across .EDU, .MIL, .GOV and .COM. These need to be large environments with lots of diversity. The rules we send you will be governed by the VRT license, and may or may not make it into the official VRT ruleset.

You will be required to sign an NDA with us to be part of this group, because as an added benefit of membership we'll be giving you access to our blacklist IP ruleset. This ruleset, used by the IP reputation preprocessor, currently contains about 3 million IPs and changes by approximately 20,000 to 100,000 per day.

Information we'd need back from you:

  • Performance of the rule.
  • Detection of the rule (Is it false positive prone? Is it useful to you?)
  • The ability to grab full session packet captures of traffic, if needed.
  • The ability to provide the packet captures to us, of course, under the NDA.


As a reward, you will receive a free VRT subscription, T-shirts, calendars, and of course, access to the blacklist IP feed.

If you are interested, please respond back to me, personally, at jesler@sourcefire.com. Please do not respond to the list, to preserve your anonymity.

VRT Rule release for 10/18/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 4 new rules and make modifications to 526 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, botnet-cnc, dos, exploit, netbios, oracle, policy, specific-threats, web-activex, and web-misc rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Friday, October 14, 2011

A Comparison of 3 Popular Snort GUIs

James Lay, an outstanding Snort Community Member, sent me this great comparison of three popular Snort GUIs:

  • BASE 1.4.5
  • Snorby 2.3.9
  • SQueRT 0.9.2

I've posted it on http://snort.org/docs as well, but for those of you that would like a direct link:

https://www.snort.org/documents/29

I'd like to take the time to thank James for the time he took to set all three of these up and compare them.

If anyone would like to add another Snort GUI that you use to this matrix, please send me the name of the product, version, and the points as laid out in the document.  If you'd like to add some fields, that'd be fine too.

Tuesday, October 11, 2011

VRT Rule Update for 10/11/2011, MS Tuesday

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 48 new rules and make modifications to 20 additional rules.

There were two changes made to the snort.conf in this release.  Since the last of the Shared Object rules have been moved out of the pop3 and sql categories, the following two files are removed from the snort.conf:

# include $SO_RULE_PATH/pop3.rules
# include $SO_RULE_PATH/sql.rules


In VRT's rule release:
Synopsis: The Sourcefire VRT is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Advisory MS11-075:
The Microsoft Windows operating system contains a programming error that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 20253 and 20254.

Microsoft Security Advisory MS11-076:
The Microsoft Windows Media Player contains a vulnerability that may allow a remote attacker to execute code on an affected system via the loading of a dynamic-link library from a remote location.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 18496 and 18497.

Microsoft Security Advisory MS11-077:
The Microsoft Windows operating system contains a vulnerability that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 20261 and 20269.

Microsoft Security Advisory MS11-078:
Microsoft Silverlight contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 20255.

Microsoft Security Advisory MS11-079:
Microsoft Forefront contains programming errors that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 20256 through 20260 and 20272.

Microsoft Security Advisory MS11-080:
The Microsoft Windows operating system contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 20270.

Microsoft Security Advisory MS11-081:
Microsoft Internet Explorer contains multiple vulnerabilities that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 20262 through 20268 and 20273.

Microsoft Security Advisory MS11-082:
The Microsoft Host Integration Server contains a vulnerability that may allow a remote attacker to cause a Denial of Service (DoS) against a vulnerable host.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 20271.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Thursday, October 6, 2011

Snort 2.9.1.1 Manuals are updated

The PDF documentation available at http://www.snort.org/docs as well as the HTML manual at http://manual.snort.org have been updated to Snort 2.9.1.1.

Snort 2.9.1.1 has been posted!

As noted earlier today in the "release notes" post, we've just released Snort 2.9.1.1, as well as a new version of DAQ.

This release introduces a number of bug fixes, as well as introducing unicode, "zlib deflated", and "raw compress" data decoding to the http_inspect preprocessor and the file_data keyword.

Snort 2.9.1.1 is available immediately from the Snort download site.

To make installation easier for our users, you simply need to compile Snort with
./configure --enable-sourcefire

We'll be working with our community documentation writers in order to update the documentation to reflect this information.

VRT Rule release for 10/06/2011, Snort 2.9.1.1

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we didn't introduce any new rules but made modifications to 16 existing rules. In this rulepack we also introduce support for Snort 2.9.1.1.

There were minor changes made to the snort.conf in this release. The following two lines were inserted into the http_inspect preprocessor configuration:

max_spaces 0
small_chunk_length { 10 5 }

and the following line was inserted into the SMTP preprocessor configuration (note the lowercase "d" in depth):

uu_decode_depth 0

These changes are included in the etc/ directory of the VRT tarball for subscribers. If you are a registered Snort user, you may make the changes manually to your snort.conf as seen above, or you can download the 2.9.1.1 snort.conf here.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the p2p rule set to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Snort 2.9.1.1 Release Notes

As mentioned on Twitter yesterday, we will be releasing Snort 2.9.1.1 today.  I'll have an additional post when it is released along with the accompanying VRT rule release.

In the meantime here are the release notes:


2011-10-05 - Snort 2.9.1.1
[*] New Additions
  * Added the ability to use shared memory (linux only) for the
    experimental IP reputation preprocessor. See README.reputation for details.

  * Added a Unix control socket (linux only), used to issue commands to
    running Snort processes. Currently, it is only used by the IP
    Reputation preprocessor for communication regarding the shared memory.
    See the Snort Manual and the tools/control directory for more details.

[*] Improvements
  * Improved HTTP Inspect and rule processing for both raw compress
    and zlib deflated data. Expanded coverage of normalization for
    Unicode encoded data.

  * Updated HTTP Inspect PAF support to better handle HTTP 1.1 responses.

Tuesday, October 4, 2011

VRT Rule Update for 10/04/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 20 new rules and make modifications to 152 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, bad-traffic, botnet-cnc, chat, deleted, dns, dos, exploit, ftp, netbios, policy, rpc, smtp, specific-threats, sql, web-activex, and web-misc rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Monday, October 3, 2011

Sourcefire - SC Award Nominee for Best IPS/IDS and Best Cloud Security

"It’s crunch time for security enthusiasts who are preparing for next year’s RSA Conference in San Francisco. One key item is gearing up for the SC Awards - ‘the Oscars’ of the week’s events - which honors best-in-class security products.

Each year the SC Awards honor companies whose products have most strongly contributed to the security and reliability of North America’s IT industry. Sourcefire is honored to have been nominated in two categories:

1. Best IPS/IDS for our breadth of IPS solutions
2. Best Cloud Security for our Virtual 3D sensor

The voting process runs through October 7. Voting is open to SC Magazine subscribers who are security end users and practitioners - 25,000 of which have been pre-approved by the magazine.

If you fit into this description, and truly believe that Sourcefire technologies are the best of the best, please vote today.

Finalists for all categories will be announced the first week of November and the winners will be announced on Feb. 28, 2012, at the SC Awards U.S. Dinner at RSA Conference in San Francisco.

Wish us luck!"

-- Marc Solomon
Originally posted here.  Reposted for the Snort.org audience.

Thursday, September 29, 2011

VRT Rule Update for 09/29/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 266 new rules and make modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, bad-traffic, blacklist, botnet-cnc, deleted, dos, exploit, misc, netbios, scada, specific-threats, spyware-put, web-activex, web-client and web-misc rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Tuesday, September 27, 2011

VRT Rule release for 09/27/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 170 new rules and make modifications to 14 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, dos, exploit, misc, netbios, policy, pop3, scada, shellcode, smtp, specific-threats, web-activex, and web-misc rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Monday, September 26, 2011

Snort 2.9.1: Registered Users now have access to the VRT ruleset

As you know, per the VRT license, registered users must wait 30 days between the time the rules are released and when they have access to them.  Consequently, people who are not subscribers could not run the Snort 2.9.1.0 release of the Shared Object rules available from the VRT.

Well, it's now been 30 days since the release of 2.9.1, so for those who couldn't upgrade to 2.9.1 because of this restriction, your days of waiting are over.

Registered users have now passed the 30-day mark and can upgrade to Snort 2.9.1.

Please be sure and read all the blog posts that are associated with Snort 2.9.1 here.

Snort 2.9.1: SIP preprocessor

The Session Initiation Protocol (SIP) is widely used for Internet telephone calls and multimedia distribution. It is an application-layer control (signaling) protocol, and is actually very similar to HTTP in terms of syntax. Because of its increasing popularity and the vulnerabilities found in it, we designed the SIP preprocessor to tackle these challenges. In this article, I will show you in detail how to use several key features of the preprocessor effectively.

In summary, there are three key features in this preprocessor:

1) Built-in alerts for the most commonly found vulnerabilities
2) Writing your own rules using the rule options provided by the SIP preprocessor
3) Ignoring the call channel

Built-in alerts

When I wrote this preprocessor, I collected all the SIP-related vulnerabilities found in recent years. I was actually very surprised by how much those vulnerabilities had in common. You can get the full list from the snort manual or the README.reputation file. The majority of vulnerabilities are related to the format of the SIP message: either a field is missing or a field is too long. Let's look at an example:

URI field

1) This field is required and shouldn't be empty. I provide one alert for an empty field (shown below). If you don't want this alert, you can simply delete it from preprocessor.rules. If you want a different action, you can replace "alert" with that action (drop, pass, etc.).

alert ( msg: "SIP_EVENT_EMPTY_REQUEST_URI"; sid: 2; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:cve,2007-1306; )

2) In general, the length of this field should be limited to some number, such as 512. When the length exceeds the normal range, either the packet is bad or it is probing for a potential vulnerability through an extra-long field. If you want to enforce a particular length in your system, you can change the length through the SIP preprocessor configuration option max_uri_len.

alert ( msg: "SIP_EVENT_BAD_URI"; sid: 3; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

Apart from inspecting the format, the SIP preprocessor also inspects the call sequence. The "InviteReplay" billing attack and the "FakeBusy" billing attack are alerted on. These attacks are difficult to detect using rules alone; the SIP preprocessor provides a simple and quick way to detect them.

SIP preprocessor rule options

If you want to expand your inspection beyond the built-in alerts, you may write your own rules or simply use our rule pack. The SIP preprocessor provides four new rule options to help you:

sip_method
sip_stat_code
sip_header
sip_body

Those options are similar to the rule options used in HTTP Inspect, but they are not content modifiers. I will not go into the details of every keyword, as you can find them in the snort manual and README.reputation.

However, I want to emphasize two features here:

One powerful feature of sip_method/sip_stat_code is that you can specify several methods/status codes together, which makes rule writing easier. For example, if you want to apply a rule to INVITE and CANCEL messages, you can use:

alert udp any any -> any 5060 (sip_method:invite, cancel; sid:1000000)


Another feature is that you can use the pcre options H and P for SIP messages:

H: Match the SIP request or SIP response header, similar to sip_header.
P: Match the SIP request or SIP response body, similar to sip_body.
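To make the two format checks and the multi-value sip_method matching concrete, here is a small Python model written for this post; it is an added example, not code from the SIP preprocessor. The gid/sid values, the 512 limit and the "invite, cancel" option syntax are the ones quoted above; the parsing of the request line, the case-insensitive method comparison and the sample messages are assumptions of the example.

```python
"""Added example (not the SIP preprocessor's code): a model of two built-in SIP
format alerts quoted in the post and of multi-value sip_method matching."""
from dataclasses import dataclass

# Alert identities quoted in the post (gid 140 is the SIP preprocessor).
GID_SIP = 140
SID_EMPTY_REQUEST_URI = 2   # SIP_EVENT_EMPTY_REQUEST_URI
SID_BAD_URI = 3             # SIP_EVENT_BAD_URI
DEFAULT_MAX_URI_LEN = 512   # the "such as 512" limit; max_uri_len in the config


@dataclass
class SipRequestLine:
    method: str
    uri: str
    version: str


def parse_request_line(message: bytes) -> SipRequestLine:
    """Split the first line of a SIP request into method, Request-URI and version.

    Splitting on single spaces keeps an empty Request-URI ("INVITE  SIP/2.0")
    as an empty string instead of silently dropping it.
    """
    first = message.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed SIP request line: {first!r}")
    return SipRequestLine(*parts)


def check_request_uri(line: SipRequestLine, max_uri_len: int = DEFAULT_MAX_URI_LEN):
    """Return the (gid, sid, msg) alerts the two built-in URI checks would raise."""
    alerts = []
    if line.uri == "":
        alerts.append((GID_SIP, SID_EMPTY_REQUEST_URI, "SIP_EVENT_EMPTY_REQUEST_URI"))
    elif len(line.uri) > max_uri_len:
        alerts.append((GID_SIP, SID_BAD_URI, "SIP_EVENT_BAD_URI"))
    return alerts


def sip_method_matches(line: SipRequestLine, option: str) -> bool:
    """Model of 'sip_method:invite, cancel': true if the method is any listed one.
    Case-insensitive comparison is an assumption of this model."""
    wanted = {m.strip().upper() for m in option.split(",") if m.strip()}
    return line.method.upper() in wanted


# Constructed messages for the example (not captured traffic).
NORMAL_INVITE = b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.1:5060\r\n"
EMPTY_URI_INVITE = b"INVITE  SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.1:5060\r\n"
LONG_URI_INVITE = b"INVITE sip:" + b"a" * 600 + b"@example.com SIP/2.0\r\n"
REGISTER = b"REGISTER sip:example.com SIP/2.0\r\n"

if __name__ == "__main__":
    for raw in (NORMAL_INVITE, EMPTY_URI_INVITE, LONG_URI_INVITE, REGISTER):
        line = parse_request_line(raw)
        print(line.method, len(line.uri), check_request_uri(line),
              sip_method_matches(line, "invite, cancel"))
```

Raising max_uri_len (the second call in the test below uses 2048) silences the SIP_EVENT_BAD_URI alert for the 600-byte URI, which is exactly the knob the post says to turn if your deployment legitimately carries long URIs.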

Ignore call channel

Similar to the FTP preprocessor, the SIP preprocessor also provides the ability to ignore the call channel. It can be enabled through the SIP preprocessor configuration option ignore_call_channel. After a media session is created, the media data is transmitted in the call channel. If a user is not interested in that data, Snort can focus on other traffic by ignoring the data channel entirely. When the media session is terminated using SIP, the ignored channel is inspected again. If no termination signal is received, Snort uses a timeout before inspecting the channel again.

Friday, September 23, 2011

Snort 2.9.1 Installation Guide for RHEL 6.1 has been released

Thanks to Randal Rioux for producing his awesome installation guide for RHEL 6.1 Server x64 for Snort 2.9.1.

Not only does Randy show how to set up Snort 2.9.1, but he also includes the instructions for Barnyard2.  Nice work.

Once again, thanks to Randy for his document; it's posted on http://www.snort.org/docs as always!

Snort 2.9.1 Installation Guide for CentOS 5.6 has been released

Thanks to Nick Moore for producing his awesome installation guide for CentOS 5.6 for Snort 2.9.1.

One of the biggest changes of note in Snort 2.9.1 concerns the compile flags we recommend you build in, which troubled people in the past.  The recommended procedure was to download the VRT ruleset, take the compile flags listed at the top of the snort.conf included in that ruleset, and compile Snort with those options.  So, to ease the pain of installing Snort, we took those compile options (except for the rule performance monitoring and preprocessor monitoring compile options) and built them in by default.

Building Snort with the recommended options is as simple as "./configure" now. In addition, if you want to enable performance monitoring for rules and preprocessors, just add the --enable-sourcefire flag to your configure line (./configure --enable-sourcefire) and you'll have the same Snort build we use here at Sourcefire.

Once again, thanks to Nick for his document; it's posted on http://www.snort.org/docs as always!

Wednesday, September 21, 2011

VRT Rule Update for 09/21/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 4 new rules and make modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the exploit, specific-threats, and web-client rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Tuesday, September 20, 2011

VRT Rule Update for 09/20/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 9 new rules and make modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, botnet-cnc, deleted, dos, exploit, policy, specific-threats, spyware-put, web-activex and web-misc rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Friday, September 16, 2011

VRT Rule Update for 09/16/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 41 new rules and make modifications to 63 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, botnet-cnc, deleted, dos, exploit, policy, specific-threats, spyware-put, web-activex and web-misc rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Snort 2.9.1 HTTP and SMTP logging features

To provide better context to the alerts generated by Snort, Snort version 2.9.1 introduced some new logging features for HTTP and SMTP which will help the user to better analyze the alerts. This logging of extra data by HTTP Inspect and SMTP preprocessors is similar to the X-Forwarded-For/True-Client-IP logging introduced prior to Snort 2.9.1.

HTTP Logging:


Let's talk about HTTP URI and Hostname logging.

How to enable logging of HTTP URI and Hostname?

To turn on logging of the HTTP Request URI, the config option to use is "log_uri", and to enable logging of hostnames, use the config option "log_hostname", as shown in the example below:

preprocessor http_inspect: global memcap
preprocessor http_inspect_server: log_uri \
log_hostname


The memcap here will determine the maximum amount of memory the HTTP Inspect preprocessor will use for logging the URI and Hostname data. You can refer to the Snort Manual for further details.

When these features are turned on in HTTP Inspect, the HTTP Request URI and HTTP Request hostname headers are extracted and logged to unified2 as an "extra data event" with each alert generated for that particular session. It is recommended to turn on stream5 reassembly with PAF on HTTP ports to ensure correctness and accuracy.

When an HTTP Request URI is longer than 2048 bytes, or an HTTP hostname (specified in the "Host" request header) is longer than 256 bytes, Snort logs the truncated URI and/or hostname. A preprocessor alert with GID:119 and SID:25 is generated when the hostname exceeds 256 bytes.

There is also a preprocessor alert with GID:119 and SID:24 for multiple "Host" headers in one HTTP request.

Please note that the URI and hostname are only logged in Unified2 mode and not logged with -A cmg.
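The following Python model, added here and not taken from http_inspect, shows what the URI/hostname logging described above keeps for a request and which of the two preprocessor alerts fire. The 2048 and 256 byte limits and the GID 119 SID 24/25 identities are from the post; the header parsing, the choice to keep the first Host header when several are present, and the sample requests are assumptions of the example.

```python
"""Added example (not http_inspect's code): a model of what URI and hostname
logging keeps, using the limits and preprocessor alert IDs quoted in the post."""

MAX_LOGGED_URI = 2048        # a longer Request URI is logged truncated to this
MAX_LOGGED_HOSTNAME = 256    # a longer Host value is logged truncated to this
GID_HTTP_INSPECT = 119
SID_MULTIPLE_HOST_HDRS = 24  # more than one "Host" header in one request
SID_LONG_HOSTNAME = 25       # hostname exceeds 256 bytes


def extract_uri_and_host(request: bytes):
    """Return (logged_uri, logged_hostname, alerts) for one HTTP request.

    Only the request line and headers are examined; the body after the blank
    line is ignored. With several Host headers this model keeps the first one
    (an assumption; the post only says an alert is raised).
    """
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    uri = parts[1]
    hosts = []
    for header in lines[1:]:
        name, sep, value = header.partition(b":")
        if sep and name.strip().lower() == b"host":
            hosts.append(value.strip())
    alerts = []
    if len(hosts) > 1:
        alerts.append((GID_HTTP_INSPECT, SID_MULTIPLE_HOST_HDRS))
    hostname = hosts[0] if hosts else b""
    if len(hostname) > MAX_LOGGED_HOSTNAME:
        alerts.append((GID_HTTP_INSPECT, SID_LONG_HOSTNAME))
    return uri[:MAX_LOGGED_URI], hostname[:MAX_LOGGED_HOSTNAME], alerts


# Constructed requests for the example (not captured traffic).
PLAIN = b"GET /index.html HTTP/1.0\r\nHost: www.w3.org\r\nUser-Agent: test\r\n\r\n"
TWO_HOSTS = b"GET / HTTP/1.1\r\nHost: a.example\r\nHost: b.example\r\n\r\n"
LONG_HOST = b"GET / HTTP/1.1\r\nHost: " + b"h" * 300 + b"\r\n\r\n"
LONG_URI = b"GET /" + b"u" * 3000 + b" HTTP/1.1\r\nHost: www.w3.org\r\n\r\n"

if __name__ == "__main__":
    for req in (PLAIN, TWO_HOSTS, LONG_HOST, LONG_URI):
        uri, host, alerts = extract_uri_and_host(req)
        print(len(uri), len(host), alerts)
```

The practical point for an analyst is the last two cases: a logged hostname of exactly 256 bytes or a URI of exactly 2048 bytes is a sign that the value was cut, so the full value has to be recovered from the packet capture rather than from the extra data record.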

So, how do you read the output?

Unified2 can be read using the Snort tool u2spewfoo. You can find it under the tools/u2spewfoo directory in the Snort tarball.

Example of the Output:


(Event)
sensor id: 0 event id: 2 event second: 1299776137 event microsecond: 355217
sig id: 1 gen id: 1 revision: 0 classification: 0
priority: 0 ip source: 10.1.2.3 ip destination: 10.9.8.7
src port: 60710 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0

Packet
sensor id: 0 event id: 2 event second: 1299776137
packet second: 1299776137 packet microsecond: 355217
linktype: 1 packet_length: 214
[ 0] 02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00 ..............E.
[ 16] 00 C8 00 04 00 00 40 06 5C 19 0A 01 02 03 0A 09 ......@.\.......
[ 32] 08 07 ED 26 00 50 00 00 00 02 00 00 00 02 50 10 ...&.P........P.
[ 48] 01 00 0C 19 00 00 47 45 54 20 2F 20 48 54 54 50 ......GET / HTTP
[ 64] 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 2E /1.0..Host: www.
[ 80] 77 33 2E 0D 0A 20 6F 72 67 20 0D 0A 55 73 65 72 w3... org ..User
[ 96] 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F -Agent: Mozilla/
[ 112] 35 2E 30 20 28 58 31 31 3B 20 55 3B 20 4C 69 6E 5.0 (X11; U; Lin
[ 128] 75 78 20 78 38 36 5F 36 34 3B 20 65 6E 2D 55 53 ux x86_64; en-US
[ 144] 3B 20 72 76 3A 31 2E 39 2E 32 2E 31 35 29 20 47 ; rv:1.9.2.15) G
[ 160] 65 63 6B 6F 2F 32 30 31 31 30 33 30 33 20 55 62 ecko/20110303 Ub
[ 176] 75 6E 74 75 2F 31 30 2E 31 30 20 28 6D 61 76 65 untu/10.10 (mave
[ 192] 72 69 63 6B 29 20 46 69 72 65 66 6F 78 2F 33 2E rick) Firefox/3.
[ 208] 36 2E 31 35 0D 0A 6.15..



(Event)
sensor id: 0 event id: 3 event second: 1299776137 event microsecond: 355254
sig id: 1 gen id: 1 revision: 0 classification: 0
priority: 0 ip source: 10.1.2.3 ip destination: 10.9.8.7
src port: 60710 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0

Packet
sensor id: 0 event id: 3 event second: 1299776137
packet second: 1299776137 packet microsecond: 355254
linktype: 1 packet_length: 176
[ 0] 02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00 ..............E.
[ 16] 00 A2 00 05 00 00 40 06 5C 3E 0A 01 02 03 0A 09 ......@.\>......
[ 32] 08 07 ED 26 00 50 00 00 00 A2 00 00 00 02 50 10 ...&.P........P.
[ 48] 01 00 8F E5 00 00 41 63 63 65 70 74 2D 45 6E 63 ......Accept-Enc
[ 64] 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 64 65 66 6C oding: gzip,defl
[ 80] 61 74 65 0D 0A 41 63 63 65 70 74 2D 43 68 61 72 ate..Accept-Char
[ 96] 73 65 74 3A 20 49 53 4F 2D 38 38 35 39 2D 31 2C set: ISO-8859-1,
[ 112] 75 74 66 2D 38 3B 71 3D 30 2E 37 2C 2A 3B 71 3D utf-8;q=0.7,*;q=
[ 128] 30 2E 37 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 0.7..Keep-Alive:
[ 144] 20 31 31 35 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 115..Connection
[ 160] 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A : keep-alive....


(ExtraDataHdr)
event type: 4 event length: 33


(ExtraData)
sensor id: 0 event id: 2 event second: 1299776137
type: 9 datatype: 1 bloblength: 9 HTTP URI: /


(ExtraDataHdr)
event type: 4 event length: 43


(ExtraData)
sensor id: 0 event id: 2 event second: 1299776137
type: 10 datatype: 1 bloblength: 19 HTTP Hostname: www.w3.org


In the output above, two extra data events are generated for the event with GID:1 and SID: 1. The first extra data event displays the URI and the second displays the hostname associated with that session.

It is important to note that the unique "event id" and "event second" are used to correlate the alerts with their extra data. The "event type" indicates the presence of an "extra data" record and the unique "type" will determine the type of the extra data event logged. Here is a list of extra data types used in Snort.

Type 1: True-Client-IP/XFF IPv4 address
Type 2: True-Client-IP/XFF IPv6 address
Type 4: HTTP Gzip decompressed data
Type 5: SMTP filename
Type 6: SMTP MAIL FROM addresses
Type 7: SMTP RCPT TO addresses
Type 8: SMTP Email headers
Type 9: HTTP Request URI
Type 10: HTTP Request Hostname
Type 11: Packet's IPv6 Source IP Address
Type 12: Packet's IPv6 Destination IP Address

SMTP Logging:


The SMTP preprocessor, similar to the HTTP Inspect preprocessor, can log extra data associated with each alert. The data that SMTP logs is as follows:

1. The email addresses in the MAIL FROM command.
2. The email addresses in the RCPT TO command. When there are multiple RCPT TO headers, the email addresses are concatenated using commas.
3. The filename of the MIME attachment extracted from the "Content-Disposition" header. Multiple filenames are appended with commas.
4. SMTP email headers.

How to enable logging of SMTP "extra data"?

The SMTP preprocessor can log the extra data mentioned above using the following config options.

preprocessor smtp: memcap 838860 \
log_mailfrom \
log_rcptto \
log_filename \
log_email_hdrs \
email_hdrs_log_depth 56


The config options "log_mailfrom", "log_rcptto", "log_filename" and "log_email_hdrs" do not take any arguments. However, email_hdrs_log_depth requires a number between 0 and 20480, which determines in bytes the amount of email headers logged. The config option "memcap" determines the maximum memory used for logging the above-mentioned data.

Again, stream5 reassembly needs to be turned on for SMTP ports for this feature to work correctly. Without stream5 reassembly, the SMTP extra data won't be logged.
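As an added example (not the SMTP preprocessor's own code), the Python model below walks a constructed client-side SMTP session and gathers the four items listed above the way the post describes them: MAIL FROM and RCPT TO arguments, RCPT TO values and attachment filenames joined with commas, and the message headers cut to email_hdrs_log_depth bytes (range checked against the 0 to 20480 bound). Keeping the address exactly as the client sent it, including angle brackets, and the header/body boundaries used here are assumptions of the example.

```python
"""Added example (not Snort's SMTP preprocessor): collect the SMTP extra data the
post lists from one constructed client-side session."""
import re

MAX_EMAIL_HDRS_LOG_DEPTH = 20480  # upper bound of email_hdrs_log_depth per the post

# Matches a Content-Disposition header and captures the filename parameter.
CONTENT_DISPOSITION_RE = re.compile(rb'content-disposition:.*?filename="?([^";]+)"?', re.I)

# Constructed SMTP session, client commands only (not captured traffic).
SESSION = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<alice@example.com>\r\n"
    b"RCPT TO:<bob@example.com>\r\n"
    b"RCPT TO:<carol@example.com>\r\n"
    b"DATA\r\n"
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b'Content-Disposition: attachment; filename="sample.txt"\r\n'
    b"\r\nhello\r\n"
    b"--b1\r\n"
    b'Content-Disposition: attachment; filename="foo.txt"\r\n'
    b"\r\nworld\r\n"
    b"--b1--\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def collect_smtp_extra_data(session: bytes, email_hdrs_log_depth: int = 56) -> dict:
    """Return the four extra-data values for one session as the post describes them."""
    if not 0 <= email_hdrs_log_depth <= MAX_EMAIL_HDRS_LOG_DEPTH:
        raise ValueError("email_hdrs_log_depth must be between 0 and 20480")
    mail_from, rcpt_to, filenames = [], [], []
    email_hdrs = b""
    lines = session.split(b"\r\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            mail_from.append(line[len(b"MAIL FROM:"):].strip())
        elif upper.startswith(b"RCPT TO:"):
            rcpt_to.append(line[len(b"RCPT TO:"):].strip())
        elif upper == b"DATA":
            # Message headers run from the line after DATA to the first blank line.
            j = i + 1
            while j < len(lines) and lines[j] != b"":
                j += 1
            email_hdrs = b"\r\n".join(lines[i + 1:j])[:email_hdrs_log_depth]
            # Scan the body up to the end-of-data marker for attachment filenames.
            k = j
            while k < len(lines) and lines[k] != b".":
                m = CONTENT_DISPOSITION_RE.match(lines[k])
                if m:
                    filenames.append(m.group(1))
                k += 1
            i = k
        i += 1
    return {
        "mail_from": b",".join(mail_from),   # type 6
        "rcpt_to": b",".join(rcpt_to),       # type 7, comma separated
        "filename": b",".join(filenames),    # type 5, comma separated
        "email_hdrs": email_hdrs,            # type 8, cut to the configured depth
    }


if __name__ == "__main__":
    for key, value in collect_smtp_extra_data(SESSION).items():
        print(key, value)
```

The default depth of 56 in the function is the value used in the configuration above; note how it cuts the headers mid-line, so a very small depth can leave you with an incomplete Subject or Content-Type in the log.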

How to read the Output?

Like HTTP extra data, SMTP extra data can be read using u2spewfoo, and "event id" and "event second" are used to correlate the alerts with their extra data events.

Example of the Output:


(ExtraData)
sensor id: 0 event id: 2 event second: 1273194706
type: 6 datatype: 1 bloblength: 33 SMTP MAIL FROM Addresses:

(ExtraData)
sensor id: 0 event id: 2 event second: 1273194706
type: 7 datatype: 1 bloblength: 57 SMTP RCPT TO Addresses: ,

(ExtraData)
sensor id: 0 event id: 2 event second: 1273194706
type: 5 datatype: 1 bloblength: 26 SMTP Attachment Filename: sample.txt,foo.txt

(ExtraData)
sensor id: 0 event id: 2 event second: 1273194706
type: 8 datatype: 1 bloblength: 323 SMTP EMAIL HEADERS:
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_12731947069000"
Date: Thu, 6 May 2010 21:11:46 -0400
From: bbantwal@sourcefire.com
To: bbantwal@sourcefire.com
Subject: Email Sent via Perl
X-Mailer: MIME::Lite 3.027 (F2.74; T1.29; A2.06; B3.07; Q3.07
<bbantwal@sourcefire.com><bbantwal@sourcefire.com><foo-barfoo@gmail.com>

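As an added example (not part of the original post or of Snort itself), here is a small parser for the u2spewfoo ExtraData records shown above. It groups the four SMTP record types by (sensor id, event id, event second), which is the correlation the post describes; the sample output and its addresses are constructed, and the bloblength values in it are illustrative only.

```python
"""Correlate u2spewfoo SMTP ExtraData records with their alert.
Added example; not Snort or u2spewfoo code."""
import re
from collections import defaultdict

# ExtraData type numbers as labelled in the u2spewfoo output above
EXTRA_DATA_TYPES = {
    5: "SMTP Attachment Filename",
    6: "SMTP MAIL FROM Addresses",
    7: "SMTP RCPT TO Addresses",
    8: "SMTP EMAIL HEADERS",
}

HEADER_RE = re.compile(r"sensor id: (\d+) event id: (\d+) event second: (\d+)")
TYPE_RE = re.compile(r"type: (\d+) datatype: (\d+) bloblength: (\d+) (.+?): ?(.*)")

# Constructed sample in the u2spewfoo layout (bloblength values are illustrative)
SAMPLE = """\
(ExtraData)
sensor id: 0 event id: 2 event second: 1273194706
type: 6 datatype: 1 bloblength: 33 SMTP MAIL FROM Addresses: <sender@example.test>

(ExtraData)
sensor id: 0 event id: 2 event second: 1273194706
type: 7 datatype: 1 bloblength: 57 SMTP RCPT TO Addresses: <alice@example.test>,<bob@example.test>

(ExtraData)
sensor id: 0 event id: 2 event second: 1273194706
type: 5 datatype: 1 bloblength: 26 SMTP Attachment Filename: sample.txt,foo.txt

(ExtraData)
sensor id: 0 event id: 2 event second: 1273194706
type: 8 datatype: 1 bloblength: 323 SMTP EMAIL HEADERS:
MIME-Version: 1.0
Subject: Email Sent via Perl
"""


def parse_extra_data(text):
    """Return {(sensor_id, event_id, event_second): {type_name: blob_text}}."""
    events = defaultdict(dict)
    # Each record starts with an "(ExtraData)" marker line
    for chunk in text.split("(ExtraData)")[1:]:
        lines = chunk.strip().splitlines()
        if len(lines) < 2:
            continue
        hdr = HEADER_RE.match(lines[0])
        rec = TYPE_RE.match(lines[1])
        if not hdr or not rec:
            continue
        key = tuple(int(x) for x in hdr.groups())
        name = EXTRA_DATA_TYPES.get(int(rec.group(1)), rec.group(4))
        # Blob text is the remainder of the type line plus any continuation
        # lines (the email headers record spans several lines)
        events[key][name] = "\n".join([rec.group(5)] + lines[2:]).strip()
    return dict(events)


def split_list(value):
    """Split the comma-joined addresses or filenames Snort logs."""
    return [item.strip().strip("<>") for item in value.split(",") if item.strip()]


if __name__ == "__main__":
    for key, records in parse_extra_data(SAMPLE).items():
        print("alert", key)
        for name, blob in records.items():
            print("  ", name, "=", blob.replace("\n", " | "))
```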

We will not be updating the spo_database output method to insert this information into the database. As a reminder, this output method will be removed in a future Snort release in 2012. Sourcefire has turned over the maintenance of the "ACID" database schema to the Barnyard2 group, and will no longer be maintaining it either.

Tuesday, September 13, 2011

VRT Rule Update for 09/13/2011, MS Tuesday

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 24 new rules and make modifications to 27 additional rules.

There were two changes made to the snort.conf in this release.  Since all pop3 and sql Shared object rules have been moved to GID 1 format, we've removed the following two files:

include $SO_RULE_PATH/pop3.rules
include $SO_RULE_PATH/sql.rules


In VRT's rule release:
Synopsis: The Sourcefire VRT is aware of vulnerabilities affecting products from Microsoft Corporation.

Details: Microsoft Security Advisory MS11-071: A programming error in the Microsoft Windows operating system may allow a remote attacker to execute code on an affected system. The problems occur due to certain components being allowed to load DLL files from untrusted locations.
Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 20118 and 20119.

Microsoft Security Advisory MS11-072: Microsoft Excel contains programming errors that may allow a remote attacker to execute code on an affected system.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 20121 through 20128.

Microsoft Security Advisory MS11-073: Microsoft Office contains a programming error that may allow a remote attacker to execute code on an affected system.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 20129.

Additionally, previously released rules will also detect attacks targeting this vulnerability and are included in this release with updated reference information. They are identified with GID 3, SIDs 18494 and 18495.

Microsoft Security Advisory MS11-074: Microsoft SharePoint contains programming errors that may allow a remote attacker to elevate privileges on an affected system.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 20111 through 20117.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Monday, September 12, 2011

Snort 2.9.1 Guide for OSX Lion published!

Christoph Murauer updated his install guide for Snort 2.9.1 on OSX 10.7 "Lion" this past week.

Check out the install guide here.

We'd like to thank Christoph, and all of our Open Source contributors, for their patches, install guides, and documentation. You are what makes the community powerful. Thanks!

Friday, September 9, 2011

What is PAF?

Snort is constantly being updated to improve detection and/or performance to keep pace with the networks it monitors. The stream5 preprocessor was updated for 2.9.0 to perform stream normalization that enables better detection prior to acknowledgement of the data. In Snort 2.9.1 we further that effort with the addition of what we call Protocol Aware Flushing (PAF).

To understand PAF, we need to look at how TCP, the Transmission Control Protocol, is used to provide reliable communication between hosts. The basic idea with TCP is that a sequence of octets goes in one end and that exact same sequence comes out the other, nothing added, deleted, or otherwise changed.

The key here is that we are talking about a sequence. TCP knows nothing of how the data is structured or where one message ends and the next begins. That makes things interesting for Snort because, internally, TCP will slice an arbitrarily long sequence of octets into segments as it sees fit.

Consider this example where an HTTP client wants to send two GETs to a server (one packet per line):

GET /1 HTTP/1.0\r\n\r\n
GET /2 HTTP/1.0\r\n\r\n



Snort might see one packet per GET, but in the general case, especially where the payload is longer than the MTU, there will be multiple packets and Snort may see something like this:

GET /1 HT
TP/1.0\r\n\r\nGET /2
HTTP/1.0\r\n\r\n



There are literally billions of ways to slice this little 38 character sequence, from one character per packet to both requests in a single packet. Historically, IDS evasion techniques used small TCP segments, and those were overcome by doing TCP reassembly within Snort. Without reassembly, rule contents would not reliably match.

Reassembling the accumulated data and releasing the associated buffers is called flushing. Prior to PAF, stream5 would flush when the number of segments and the number of octets accumulated reached certain thresholds. These thresholds were effective but ultimately a "one-size-fits-all" approach.

To take detection to the next level, the flush points had to be protocol specific and PAF allows the application preprocessors to determine when to flush. The first preprocessors to use this stream5 feature are http_inspect and dce2. In the example above, each GET request will be flushed separately, regardless of how it is segmented by TCP.

To enable PAF, add this to your snort.conf:

config paf_max: 16000



In our testing, using 16k has resulted in improved accuracy of detection. Larger values can improve detection but also increase packet processing latency and variance.

HTTP and DCE/RPC were the first choices based on traffic volume and complexity, respectively. Later releases of Snort will add PAF support for other protocols, and new preprocessors are being designed to use this feature.
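To make the flushing behaviour above concrete, here is an added example (not Snort's stream5 or http_inspect code) that contrasts the old threshold-based flush with a protocol-aware flush on the two-GET exchange from the post. It only recognises the end-of-headers boundary, so it is a toy; the segment list and the paf_max fallback size are constructed for the demonstration.

```python
"""Toy Protocol Aware Flushing for HTTP requests.
Added example; models the behaviour the post describes, not Snort's code."""

# The segmentation shown in the post (one TCP segment per element), constructed
SEGMENTS = [b"GET /1 HT", b"TP/1.0\r\n\r\nGET /2 ", b"HTTP/1.0\r\n\r\n"]


def threshold_flush(segments, max_segments=2, max_bytes=64):
    """Pre-PAF style: flush whenever the accumulated segment or octet count
    reaches a fixed threshold, with no knowledge of protocol boundaries."""
    out, buf, count = [], b"", 0
    for seg in segments:
        buf += seg
        count += 1
        if count >= max_segments or len(buf) >= max_bytes:
            out.append(buf)
            buf, count = b"", 0
    if buf:
        out.append(buf)
    return out


class HttpRequestPaf:
    """Accumulate TCP segments and flush one buffer per complete HTTP
    request (end of headers = CRLF CRLF), however TCP segmented them.
    Requests with bodies are not modelled here."""

    def __init__(self, paf_max=16000):
        self.paf_max = paf_max  # modelled on 'config paf_max: 16000'
        self.pending = b""

    def feed(self, segment):
        """Add one TCP segment; return the list of buffers flushed."""
        self.pending += segment
        flushed = []
        while True:
            end = self.pending.find(b"\r\n\r\n")
            if end != -1:
                # Protocol boundary found: flush exactly one request
                end += 4
                flushed.append(self.pending[:end])
                self.pending = self.pending[end:]
            elif len(self.pending) >= self.paf_max:
                # No boundary within paf_max octets: fall back to a size-based flush
                flushed.append(self.pending[:self.paf_max])
                self.pending = self.pending[self.paf_max:]
            else:
                return flushed


def paf_reassemble(segments, paf_max=16000):
    """Run every segment through the PAF tracker and collect the flushes."""
    paf = HttpRequestPaf(paf_max)
    out = []
    for seg in segments:
        out.extend(paf.feed(seg))
    return out


if __name__ == "__main__":
    print("threshold flush:", threshold_flush(SEGMENTS))
    print("PAF flush:      ", paf_reassemble(SEGMENTS))
```

With threshold flushing, "GET /2 HTTP" never lands contiguously in one buffer, so a content match on it would miss; with PAF each GET is flushed whole whether it arrives one byte per packet or both requests in a single packet.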

Thursday, September 8, 2011

Flow matters

Recently on one of the Snort lists, there was a thread that argued that the "flow" statement in rules didn't matter if you had your variables set correctly.  This is a common misconception, so I thought I'd write a post about it and explain why flow, and its use in rules is important.

First let's talk about what flow is.  The Snort reference manual says:
The flow keyword is used in conjunction with TCP stream reassembly. It allows rules to only apply to certain directions of the traffic flow.
You can click on the link above to read all about the different flow operators there are; I'm not going to regurgitate them here. But one thing to keep in mind is that to_client and from_server are the same, as are to_server and from_client.

Let's take four rules for example.  
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (flow:to_server,established;) 
Simple. Someone on your HOME_NET going to EXTERNAL_NET on a port in HTTP_PORTS, and the client initiated the conversation.
Example:  Someone going to "www.google.com" or any Web site from your network outbound.

What about the opposite of that?

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (flow:to_client,established;)
Again, pretty simple, someone went to a webpage, and now your rule is looking for the result of that action.  The webpage (or file, or whatever) is coming down to the browser from the server.
Example:  Someone went to "www.maliciouspdf.com" and downloaded a malicious PDF. You are not attempting to see if someone requested a ".pdf" as a download (although you may do that to set a flowbit; see my post on resolving flowbit dependencies here), but you are looking for the actual PDF coming back down from the server.
So, let's take our first example and flip the flow.  Remember, this is all assuming that you have HOME_NET and EXTERNAL_NET set, just like the email thread was implying.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (flow:to_client,established;)
So, traffic headed outbound from my network over HTTP_PORTS, but HOME_NET did not initiate the conversation.
Example:  Let's say someone sets their source port as 80, and then infiltrates your network through a connection that starts outside (the initial SYN packet was sent inbound to HOME_NET), you are looking for the traffic leaving your network headed back to that attacker who set his source port as 80.  Maybe they are exfiltrating the DOC files off of your network.
Finally, let's look at the opposite of example two above.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (flow:to_server,established;)
Traffic headed inbound to the network over $HTTP_PORTS but HOME_NET again did not initiate the conversation.
Example:  Again, let's say someone sets their source port as 80, and then infiltrates your network, this rule will look for the connections inbound to your network.  Let's say they are requesting a DOC file from your network.  Whereas the previous rule would look for the DOC file leaving, this rule will look for the initial request.
These are very simplistic examples, but hopefully this post helps explain why flow is so important. Variables tell Snort which direction the traffic is going (inbound or outbound of your network, in the simplest of terms); flow tells Snort who is responsible for which aspect of the conversation (are you a server, or a client?).

Any further questions about Snort and its operation should be directed to the Snort mailing lists, the best place to get your questions answered.

Wednesday, September 7, 2011

Snez: New Snort GUI has been posted

If you head over to our "additional-downloads" page on Snort.org, you'll notice a new project at the bottom of the list named "Snez".  From the project's Sourceforge page:

SNEZ is a web interface to the popular open source IDS program SNORT® . The main design feature of SNEZ is the ability to filter (or dismiss) alerts without having to delete.
Take a look at this new project and help the author out by providing feedback!

VRT Rule Update for 09/07/2011

Just updated is a rule release for today from the VRT. This rule release contains 48 new rules and 20 rule updates, mostly malware.

There are no changes to the snort.conf in this release.

The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, chat, exploit, scada, specific-threats, spyware-put, web-activex, and web-misc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Friday, September 2, 2011

VRT Rule Update for 09/01/2011

Just updated is a rule release for today from the VRT. This rule release contains 88 new rules and 28 rule updates, mostly malware.

There are no changes to the snort.conf in this release.

The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, content-replace, exploit, imap, netbios, pop3, shellcode, specific-threats, spyware-put, sql, web-activex, and web-misc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Tuesday, August 30, 2011

VRT Rule Update for 08/30/2011

Just updated is a rule release for today from the VRT. This rule release contains 68 new rules and 25 rule updates, mostly malware.

There are no changes to the snort.conf in this release.

The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, deleted, dos, exploit, netbios, policy, specific-threats, spyware-put and web-client rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Friday, August 26, 2011

Snort 2.9.1: Where does file_data point?

For the first article in our Snort 2.9.1 series, we thought we'd talk about file_data. Its function has changed from Snort version 2.9.0.5, so it's important that we discuss the differences.

Where does file_data point?

Prior to Snort 2.9.1:

* In the earlier versions of Snort, file_data pointed to one of the following:
  1. The decompressed/dechunked/normalized HTTP response body (when the data was chunked/compressed/encoded)
  2. SMTP attachments or data body when file_data was used with the argument "mime".
In Snort 2.9.1:

* file_data will set the cursor used for detection to one of the following buffers based on the traffic.

1. HTTP response body (Raw/encoded/chunked/compressed)

Example:
Consider the following HTTP response:

HTTP/1.0 200 OK
Date: Wed, 24 Aug 2011 23:59:59 GMT
Content-Type: text/html
Content-Length: 1354
<html>
<body>
<h1>Snort 2.9.1 released!</h1>
(more file contents)
.
.
.

</body>
</html>

For this packet file_data points to the start of the HTML text. This response body can be chunked/compressed/encoded/etc, and in such cases, file_data points to the dechunked/decompressed/normalized data.

2. SMTP/POP/IMAP data body.

When the traffic is SMTP/POP/IMAP, file_data points to the decoded attachments when decoding is enabled for those preprocessors, and otherwise to the entire data body.

The argument "mime" to file_data is deprecated. However, rules that use this argument will still function as they did before.

How does file_data work?

Prior to Snort 2.9.1:

* file_data had to be followed by a relative rule option. Any absolute (non-relative) rule option started its search from the beginning of the payload. To access the file_data buffer again, a rule had to specify the file_data rule option again.

Examples:
Rules that will work

alert tcp any any -> any any (file_data; content:"<html>"; within:10; ...)
alert tcp any any -> any any (file_data; content:"HTTP/1.0"; depth:10; file_data; content:"<html>"; within:10; ...)

Rules that will not work

alert tcp any any -> any any (file_data; content:"<html>"; depth:10; content:"<body>"; within:10;...)
alert tcp any any -> any any (file_data; content:"<html>"; depth:10;...)

In Snort 2.9.1:

* Any content match (relative or absolute) that follows file_data in a rule, as long as it carries neither an HTTP modifier (http_uri/http_header/etc.) nor the keyword "rawbytes", and any payload-detecting rule option that follows it, will apply to the cursor set by file_data until the cursor is explicitly reset by another rule option such as pkt_data, base64_data or the SIP modifiers.

A new rule option in Snort 2.9.1, "pkt_data", will reset the cursor to the start of the TCP payload. This rule option is intended to give the rule writer the ability to change the context of subsequent detection options. Any content matches (excluding HTTP/rawbytes) and other detection options (such as "byte_test", "byte_jump", etc.) will apply to the TCP payload.

Other rule options that change the cursor are base64_data, sip_header, sip_body, etc.

Example:
Rules that will work

alert tcp any any -> any any (file_data; content:"<html>"; within:10; ...)
alert tcp any any -> any any (file_data; content:"<html>"; ...)
alert tcp any any -> any any (file_data; content:"<html>"; depth:10; content:"<body>"; within:10;...)
alert tcp any any -> any any (file_data; content:"<html>"; depth:10;...)
alert tcp any any -> any any (file_data; content:"<html>"; within:10; pkt_data; content:"HTTP/1.0"; depth:10; ....)

Rules that will not work

alert tcp any any -> any any (file_data; content:"<html>"; depth:10; rawbytes;...)
alert tcp any any -> any any (file_data; pkt_data; content:"<html>"; depth:10; rawbytes;...)

Thursday, August 25, 2011

VRT Rule Update for 08/25/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 55 new rules and make modifications to 19 additional rules.

The registered users of Snort have emailed me and told me that they will not be able to access the snort.conf for 2.9.1 until the 30-day window is open. This is correct; however, for registered users' convenience you may access the 2.9.1 snort.conf here:
http://www.snort.org/assets/184/snort.conf

The following changes have been made to the snort.conf in this release:

Modifications to HTTP_PORTS

portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]


Modifications to Stream5 configuration:

ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510 7802 7777 7779 7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8118 8123 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555


Modifications to http_inspect

ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 }


Increase to the Max sessions in the SIP preprocessor

preprocessor sip: max_sessions 40000


Increase to the max_content_len parameter in the SIP preprocessor

max_content_len 2048


Modifications to the file names in the IP Blacklist Preprocessor

preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
whitelist $WHITE_LIST_PATH/white_list.rules, \
blacklist $BLACK_LIST_PATH/black_list.rules


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, botnet-cnc, dos, exploit, netbios, rpc, specific-threats, spyware-put and web-misc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!