Tuesday, June 28, 2011

VRT Rule Update for 06/28/2011

The newest rule release for today from the VRT. In this release we introduce 105 new rules and make modifications to 34 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, ddos, dos, exploit, netbios, specific-threats, spyware-put, voip, web-activex and web-misc rule sets to provide coverage for emerging threats from these technologies.

Personal users can subscribe to the VRT's newest rule detection for as little as $29 US a year; business pricing is also available at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

Sourcefire Recognizes Seventh Annual SNORT Cybersecurity Scholarship Winners

Columbia, MD – June 28, 2011 – Sourcefire, Inc. (Nasdaq: FIRE), the creator of Snort® and a leader in intelligent cybersecurity solutions, today announced that it has selected Darcie Cohee and Daniel Freer as the recipients of the 2011 Snort Scholarship. The scholarships, each worth up to $15,000, are awarded to university students around the world that use Snort to further their education and gain hands-on experience in network security.

“As hackers continue to find new ways to access sensitive corporate and customer data, we need to groom a new generation of security professionals to identify and combat these exploits,” said Martin Roesch, CTO and founder of Sourcefire. “Snort and Sourcefire are built on the foundation of community development and these scholarships allow us to recognize the next great security professionals.”

To qualify, applicants must be enrolled in a university that uses Snort or Sourcefire products to protect its network or uses Snort as part of the curriculum in the classroom. The scholarships assist the winning students in completing their degrees and covering educational costs. Sourcefire selected Darcie and Daniel from a pool of hundreds of applicants:


  • Darcie Cohee is a Bachelor of Science candidate in Information Systems Technologies at Southern Illinois University Carbondale. Darcie has worked on several projects using Snort to protect SharePoint deployments and is interested in the intersection of the Web and security.
  • Daniel Freer is a Bachelor of Science candidate in Networking at Indiana Tech. Daniel relied on Snort as an important weapon in his arsenal when he competed in the National Collegiate Cyber Defense Competition and is committed to exploring how Snort can help prevent evolving attacks.


To assist the winning students in completing their degrees, Sourcefire has awarded each a $5,000 scholarship for educational costs at the students’ respective universities. The winners also receive a $10,000 credit to use toward any training course or certification exam in the Sourcefire Security Education Program. The Sourcefire Security Education and Certification Programs deliver training and testing for IT staff on Sourcefire’s products and open source security solutions, either on-site or at dedicated locations around the world.

Sourcefire developed the Snort Scholarship in 2004 as a way to give back to the open source and security communities. Since the inception of the Snort Scholarship program seven years ago, Sourcefire has recognized university students from around the world, including the United States, Australia, Turkey, Mexico, the Netherlands and Rwanda. Martin Roesch founded Sourcefire in 2001 to deliver commercial security solutions that leverage his open source innovation, Snort. Snort is the world’s most widely deployed intrusion detection and prevention technology with more than 300,000 registered users and nearly 4 million downloads to date. As the de facto standard for intrusion detection and prevention, Snort is used extensively by Fortune 100 enterprises and government agencies.

About Sourcefire
Sourcefire, Inc. (Nasdaq:FIRE), is a world leader in intelligent cybersecurity solutions.  Sourcefire is transforming the way Global 2000 organizations and government agencies manage and minimize network security risks. Sourcefire’s IPS, Real-time Network Awareness and Real-time Adaptive Security solutions equip customers with an efficient and effective layered security defense – protecting network assets before, during and after an attack. Through the years, Sourcefire has been consistently recognized for its innovation and industry leadership by customers, media and industry analysts alike – with more than 50 awards and accolades. Today, the name Sourcefire has grown synonymous with innovation and network security intelligence. For more information about Sourcefire, please visit http://www.sourcefire.com.

Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, ClamAV, Immunet and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.

Monday, June 27, 2011

Snort's output methods

Ever since the beginning of Snort, one of the main questions has been "how do I get data out of Snort?"  The available output options each have their advantages and disadvantages:

  1. Some are barely used.
  2. Some slow Snort down.
  3. Some we don't maintain and don't regularly test.
  4. Some we want to get rid of.

One of those output methods is the "spo_database" module, the output plugin that inserts alert and log data from Snort directly into a MySQL, PostgreSQL, or Oracle database.  This logging method was written back in the late 90's by a college student (along with the db schema and the ACID web interface) as a project for his thesis.

It hasn't been well maintained since then.  In fact, we don't test against it, and we don't recommend using it.  The inserts are synchronous: Snort, which is built to be a high-speed packet processor, has to stop doing what it's doing (being an IPS) and wait on the database connection while each insert completes.  During that wait, no inspection happens, so a slow or unavailable database directly stalls the packet path.

So we are going to remove it.


If you look in your snort.conf and your "output" lines look like this:
output database: alert, <db_type>, user=<username> password=<password> dbname=<name> host=<hostname>
output database: log, <db_type>, user=<username> password=<password> dbname=<name> host=<hostname>

this change will affect you.

In order to provide the type of functionality we'd like to provide with Snort in the next few releases (more data for you!), we needed someone to take over the maintenance of the db schema that is shipped with Snort as well.   As a result of the discussion on the Snort-devel list, the team members over at the barnyard2 project have agreed to take over the maintenance of these schemas.

It is our intention to make the unified2 format our official output method: Snort writes a compact binary record stream, we document the format, and the u2spewfoo tool shipped with Snort lets anyone read it.  Anything slow (database inserts, correlation, reporting) moves to a separate consumer such as barnyard2 that reads those files, so it never sits in Snort's packet path.  We are going to keep some other output methods as well, but...
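To show what a unified2 consumer actually has to do, here is a minimal reader, written as an added example for this post and not code from the Snort, barnyard2 or u2spewfoo projects. The record layouts for the IDS event (type 7) and packet (type 2) records follow the Unified2 structures in Snort's sf_unified2.h (all fields in network byte order); the sample stream, sensor id, event id, addresses and packet bytes are constructed for the example, and the GID 1 / SID 19257 values are borrowed from the APSB11-18 release note below purely as plausible content. The reader skips record types it does not decode by length and tolerates a truncated final record, which is what a tailing consumer sees while Snort is still writing.

```python
"""Minimal reader for Snort's unified2 binary output (added example).

Record stream: repeated [uint32 type][uint32 length][length bytes of body].
Decoded here:
  type 7  UNIFIED2_IDS_EVENT  52-byte IPv4 event struct
  type 2  UNIFIED2_PACKET     28-byte header followed by raw packet bytes
Other types (IPv6 events, V2 events, extra data) are skipped by length.
In snort.conf this stream is produced by, e.g.:
  output unified2: filename merged.log, limit 128
"""
from __future__ import annotations

import socket
import struct
from typing import Dict, Iterator, List, Tuple

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

HEADER = struct.Struct("!II")              # type, length
# sensor_id, event_id, event_second, event_microsecond, signature_id,
# generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked
EVENT_V1 = struct.Struct("!9I4s4s2H4B")    # 52 bytes
# sensor_id, event_id, event_second, packet_second, packet_microsecond,
# linktype, packet_length  (then packet_length bytes of data)
PACKET_HDR = struct.Struct("!7I")          # 28 bytes


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) for each complete record; stop at a truncated tail."""
    off = 0
    while off + HEADER.size <= len(data):
        rtype, length = HEADER.unpack_from(data, off)
        off += HEADER.size
        if off + length > len(data):
            break                      # partial record: Snort may still be writing it
        yield rtype, data[off:off + length]
        off += length


def parse_event(body: bytes) -> dict:
    f = EVENT_V1.unpack_from(body)
    return {
        "sensor_id": f[0], "event_id": f[1],
        "event_second": f[2], "event_microsecond": f[3],
        "sid": f[4], "gid": f[5], "rev": f[6],
        "class_id": f[7], "priority": f[8],
        "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
        "sport": f[11], "dport": f[12], "proto": f[13],
        "impact_flag": f[14], "impact": f[15], "blocked": f[16],
    }


def parse_packet(body: bytes) -> dict:
    sensor_id, event_id, ev_sec, pkt_sec, pkt_usec, linktype, pkt_len = \
        PACKET_HDR.unpack_from(body)
    return {
        "sensor_id": sensor_id, "event_id": event_id, "event_second": ev_sec,
        "packet_second": pkt_sec, "packet_microsecond": pkt_usec,
        "linktype": linktype,
        "data": body[PACKET_HDR.size:PACKET_HDR.size + pkt_len],
    }


def load_alerts(data: bytes) -> List[dict]:
    """Decode a unified2 stream and attach packet records to their event
    using the (sensor_id, event_id) pair that both record types carry."""
    alerts: Dict[Tuple[int, int], dict] = {}
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= EVENT_V1.size:
            ev = parse_event(body)
            ev["packets"] = []
            alerts[(ev["sensor_id"], ev["event_id"])] = ev
        elif rtype == UNIFIED2_PACKET and len(body) >= PACKET_HDR.size:
            pkt = parse_packet(body)
            key = (pkt["sensor_id"], pkt["event_id"])
            if key in alerts:          # packets follow their event in the stream
                alerts[key]["packets"].append(pkt["data"])
        # any other record type is skipped by length, keeping the reader
        # compatible with record types it does not know about
    return list(alerts.values())


def build_sample() -> bytes:
    """Constructed sample stream (not a real capture): one IPv4 event,
    its packet, then a record of a type this reader does not decode."""
    event = EVENT_V1.pack(1, 42, 1308240000, 123456, 19257, 1, 1, 3, 1,
                          socket.inet_aton("10.0.0.5"),
                          socket.inet_aton("192.0.2.10"),
                          49152, 80, 6, 0, 0, 0)
    payload = b"GET /exploit.swf HTTP/1.1\r\n"   # placeholder packet bytes
    packet = PACKET_HDR.pack(1, 42, 1308240000, 1308240000, 123456, 1,
                             len(payload)) + payload
    extra = b"\x00" * 8                           # unknown-to-us record type
    return (HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet
            + HEADER.pack(110, len(extra)) + extra)


if __name__ == "__main__":
    for alert in load_alerts(build_sample()):
        print("[%d:%d:%d] %s:%d -> %s:%d, %d packet(s)" % (
            alert["gid"], alert["sid"], alert["rev"], alert["src"],
            alert["sport"], alert["dst"], alert["dport"], len(alert["packets"])))
```

Pointing a reader like this (or barnyard2) at the files written by `output unified2: filename merged.log, limit 128` is the replacement for the two `output database:` lines above: Snort only appends fixed-layout records, and the database work happens in the consumer process, so a slow database no longer blocks inspection.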

At this point I'd like to hear from the community as well.  So please leave comments.

What output plugins do you use?
Will you be affected by this change (we hope a lot of you aren't using the spo_database method)?
What other output plugins do you think we can "show the door"?

Snort webcast

We didn't forget about the June webcast!

Things were a little crazy in the month of June and with the schedules the way they were, it was just hard to find a time when the presenter and I could sync up to deliver the webcast.

We'll make up for it in July!

Thanks for your patience, however, in the meantime, you can check out our repository of webcasts at http://www.snort.org/webcast_series.

Thanks.

Joel Esler
OpenSource Community Manager

Thursday, June 23, 2011

VRT Rule Update for 06/23/2011

The newest rule release for today from the VRT. In this release we introduce 10 new rules and make modifications to 1,158 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, exploit, finger, ftp, multimedia, netbios, nntp, pop3, rpc, smtp, specific-threats, spyware-put, voip, web-activex, web-cgi, web-client and web-misc rule sets to provide coverage for emerging threats from these technologies.

Personal users can subscribe to the VRT's newest rule detection for as little as $29 US a year; business pricing is also available at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

Tuesday, June 21, 2011

VRT Rule Update for 06/21/2011

The newest rule release for today from the VRT. In this release we introduce 26 new rules and make modifications to 9 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the netbios, policy, shellcode, specific-threats and web-client rule sets to provide coverage for emerging threats from these technologies.

Personal users can subscribe to the VRT's newest rule detection for as little as $29 US a year; business pricing is also available at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

VRT Rule Update for 06/20/2011, Adobe Flash Player Vulnerabilities

The newest rule release for today from the VRT. In this release we introduce 7 new rules and make modifications to 7 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Adobe Security Bulletin APSB11-18:
Adobe Flash Player contains a programming error that may allow a remote attacker to execute code on an affected system via the use of ActionScript.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 19262 through 19264.

The Sourcefire VRT has added and modified multiple rules in the ftp, shellcode and web-client rule sets to provide coverage for emerging threats from these technologies.

Personal users can subscribe to the VRT's newest rule detection for as little as $29 US a year; business pricing is also available at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

Thursday, June 16, 2011

VRT Rule Update for 06/16/2011, Adobe Flash Player Vulnerabilities

The newest rule release for today from the VRT. In this release we introduce 4 new rules and make modifications to 5 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Adobe Security Bulletin APSB11-18:
Adobe Flash Player contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19257.

The Sourcefire VRT has also added and modified multiple rules in the exploit, specific-threats and web-client rule sets to provide coverage for emerging threats from these technologies.

Personal users can subscribe to the VRT's newest rule detection for as little as $29 US a year; business pricing is also available at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

Tuesday, June 14, 2011

VRT Rule Update for 06/14/2011, MS Tuesday, Adobe Reader, and Acrobat

The newest rule release for today from the VRT. In this release we introduce 77 new rules and make modifications to 9 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Microsoft Security Advisory MS11-037:
The Microsoft implementation of MIME HTML (MHTML) contains programming errors that may allow a remote attacker to execute code on an affected system via a cross-site scripting attack.

A previously released rule will detect attacks targeting this vulnerability and is included in this release with updated reference information. It is identified with GID 1, SID 18335.

Microsoft Security Advisory MS11-038:
Microsoft Windows contains a programming error that may allow a remote attacker to execute code on a vulnerable system. The error occurs when parsing specially crafted WMF data.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19184.

Microsoft Security Advisory MS11-039:
The Microsoft .NET Framework contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19185.

Microsoft Security Advisory MS11-040:
The TMG Firewall Client contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 19187.

Microsoft Security Advisory MS11-041:
The Adobe Font Driver included in the Microsoft Windows Operating System contains a programming error that may allow a remote attacker to execute code on an affected system via a specially crafted font file.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19188.

Microsoft Security Advisory MS11-042:
The Microsoft Distributed File System (DFS) contains programming errors that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 19189 and 19221.

Microsoft Security Advisory MS11-043:
The Microsoft client implementation of the Server Message Block (SMB) protocol contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19199.

Microsoft Security Advisory MS11-045:
Microsoft Excel contains programming errors that may allow a remote attacker to execute code on an affected system via a specially crafted Excel file.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 19200, 19222, 19225, 19227 and 19229 through 19232.

Microsoft Security Advisory MS11-046:
The Microsoft Windows Operating System contains a programming error that may allow an attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 18691.

Microsoft Security Advisory MS11-048:
The Microsoft implementation of the Server Message Block (SMB) protocol contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19191.

Microsoft Security Advisory MS11-049:
Microsoft Visual Studio contains a programming error that may allow a remote attacker to retrieve the content of local XML files via the use of a specially crafted XML file.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19234.

Microsoft Security Advisory MS11-050:
Microsoft Internet Explorer contains programming errors that may allow a remote attacker to execute code on an affected system or use a cross-site scripting attack against the user.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 19235 through 19246.

Additionally, a previously released rule will also detect attacks targeting these vulnerabilities and is included in this release with updated reference information. It is identified with GID 3, SID 17767.

Microsoft Security Advisory MS11-051:
The Microsoft Certification Service contains a programming error that may allow a remote attacker to use a cross-site scripting attack against the client using the service.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19186.

Microsoft Security Advisory MS11-052:
Microsoft Internet Explorer contains a programming error that may allow a remote attacker to execute code on an affected system via the use of specially crafted Vector Markup Language (VML) in a URL.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 19241 and 19242.

Adobe Security Bulletin APSB11-16:
Adobe Reader and Acrobat contain programming errors that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 19247 through 19255.

The Sourcefire VRT has also added and modified multiple rules in the bad-traffic, blacklist, dos, exploit, netbios, oracle, policy, smtp, specific-threats, sql, web-activex and web-misc rule sets to provide coverage for emerging threats from these technologies.

Personal users can subscribe to the VRT's newest rule detection for as little as $29 US a year; business pricing is also available at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

Thursday, June 9, 2011

VRT Rule Update for 06/09/2011

The newest rule release for today from the VRT. In this release we introduce 5 new rules and make modifications to 25 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, netbios, specific-threats and web-misc rule sets to provide coverage for emerging threats from these technologies.

Personal users can subscribe to the VRT's newest rule detection for as little as $29 US a year; business pricing is also available at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

Tuesday, June 7, 2011

VRT Rule Update for 06/07/2011

The newest rule release for today from the VRT. In this release we introduce 13 new rules and make modifications to 7 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, botnet-cnc, exploit, netbios, oracle, policy, rpc, specific-threats and web-misc rule sets to provide coverage for emerging threats from these technologies.

Personal users can subscribe to the VRT's newest rule detection for as little as $29 US a year; business pricing is also available at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

Monday, June 6, 2011

VRT Rule Update for 06/02/2011

The newest rule release for today from the VRT. In this release we introduce 32 new rules and make modifications to 11 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, dos, exploit, netbios, policy, specific-threats, web-activex and web-misc rule sets to provide coverage for emerging threats from these technologies.

Personal users can subscribe to the VRT's newest rule detection for as little as $29 US a year; business pricing is also available at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!