Monday, February 28, 2011

Snort 2.9.0.4 Build 111 Posted

A number of users have written in to report a simple HTTP bug. To assist the open source community, we have reissued a patched version of the Snort 2.9.0.4 release. There are no other changes to Snort that would warrant a change in the version number, so we have updated the build number to 111.

Additionally, Snort 2.9.0.5 already includes the fix for this bug and is still planned for release in Q1 of 2011.

Thursday, February 24, 2011

Shared Object Rule Platform Support - Upcoming Changes

Next week, with the usual rule release from the VRT, the following shared object platforms will be retired:

  • Fedora Core 9 i386
  • Fedora Core 9 x86-64
  • Fedora Core 11 i386

The following platform support will be added:

  • Fedora Core 12 x86-64
  • Fedora Core 14 i386
  • Fedora Core 14 x86-64

As always, please refer to the pre-compiled shared object rule page to view which platforms and operating systems are currently supported in Certified VRT Rule Releases.

You can subscribe to the VRT's newest rule detection for as little as $29 US a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Wednesday, February 23, 2011

VRT Rule Update for 2/23/2011

A rule release from the VRT was just posted for today. This release contains only a couple of updates.

Tuesday, February 22, 2011

Snort Shared Object Rules

The questions I receive most often in my inbox are "What are Shared Object rules?" and "How do I use them?"

Shared Object rules, commonly referred to as "SO rules", "pre-compiled rules", or simply "Shared Objects", are detection written in the Shared Object rule language, which is essentially C.  This gives the Snort platform two things:

  1. Detection that is not possible in the regular Snort rules language.  Since Shared Object rules are C based, they can be coded to detect a much greater set of conditions than regular Snort rules can.  One common misconception about Shared Object rules is that they are closed source; while under certain conditions (item 2 below) that may be true, they are not inherently closed source.  You can, in fact, write your own Shared Object rules, or even run your own rules through the shared object generator to see how Shared Object rules are structured.  Check out this blog post on the VRT blog for more information on that.
  2. Obfuscation of the exact detection logic.  Under certain conditions (agreements with vendors, use of Shared Object rules in 'classified' environments, Sourcefire 0-day detection, etc.) it may be necessary to obscure how detection is performed in a particular rule.  Since Shared Object rules must be compiled before they can be used, the VRT distributes them "pre-compiled", on a variety of platforms, easy to install and use.

Some may still find the rules difficult to use, so let me point you to a couple of guides.  One guide is here on Snort.org, at the bottom of the "platform" list.  The VRT also has a blog post that can help you install the Shared Object rules.

By far the easiest way to use Shared Object rules reliably, though, is through a tool called PulledPork, whose primary author is JJ Cummings of Sourcefire.  Once PulledPork is configured, it generates the Shared Object rule stubs for you and places everything in the correct directories.  This is one of PulledPork's many useful features, along with flowbit dependency resolution.
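As an added example (not code from Snort, the VRT or PulledPork), the following Python script shows the two pieces of housekeeping described above: it parses rule lines, checks that each GID 3 stub carries a `metadata:engine shared, soid gid|sid` entry that matches the stub's own gid and sid (which is what ties a stub to its compiled .so), and enables any rule that sets a flowbit tested by an enabled rule, which is what flowbit dependency resolution means.  The rule lines, sids 1000001 through 1000004, the bit name `ftp.user` and the messages are constructed for this example and are hypothetical.

```python
"""Added example (not Snort, VRT or PulledPork code): parse Snort 2.9 rule
lines, sanity-check Shared Object (gid 3) stubs, and resolve flowbit
dependencies before a rule set is written out.  All rule lines below are
constructed; the sids, bit name and messages are hypothetical."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP USER seen"; flow:to_server,established; content:"USER "; flowbits:set,ftp.user; flowbits:noalert; sid:1000001; gid:1; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP oversized PASS"; flow:to_server,established; flowbits:isset,ftp.user; content:"PASS "; isdataat:200,relative; sid:1000002; gid:1; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE SO rule stub"; sid:1000003; gid:3; rev:1; metadata:engine shared, soid 3|1000003;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE broken SO stub"; sid:1000004; gid:3; rev:1; metadata:engine shared, soid 3|1000099;)
"""

# Rule header: action, then everything up to the option list in parentheses.
HDR_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s+(.*?)\s*\((.*)\)\s*$")
# One option: keyword, optional ':' value (quoted or bare), terminated by ';'.
OPT_RE = re.compile(r'\s*([A-Za-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


class Rule:
    """One Snort rule line, either a text rule or a Shared Object stub."""

    def __init__(self, line: str) -> None:
        self.raw = line.strip()
        self.enabled = not self.raw.startswith("#")   # leading '#' = disabled
        m = HDR_RE.match(self.raw.lstrip("#").strip())
        if not m:
            raise ValueError(f"not a rule: {line!r}")
        self.action, self.header, opts = m.groups()
        self.options: List[Tuple[str, str]] = [(k, v.strip()) for k, v in OPT_RE.findall(opts)]

    def option(self, name: str) -> Optional[str]:
        return next((v for k, v in self.options if k == name), None)

    @property
    def sid(self) -> int:
        return int(self.option("sid"))

    @property
    def gid(self) -> int:
        return int(self.option("gid") or 1)   # text rules default to gid 1

    @property
    def flowbits(self) -> List[Tuple[str, List[str]]]:
        """[(operation, [bit names])], e.g. [('isset', ['ftp.user'])]."""
        out = []
        for k, v in self.options:
            if k == "flowbits":
                op, _, bits = v.partition(",")
                out.append((op.strip(), [b for b in re.split(r"[&|]", bits) if b]))
        return out


def parse_rules(text: str) -> List[Rule]:
    """Parse every rule line, commented-out or not; skip other comments."""
    rules = []
    for line in text.splitlines():
        body = line.strip().lstrip("#").strip()
        if body and HDR_RE.match(body):
            rules.append(Rule(line))
    return rules


def check_so_stub(rule: Rule) -> Optional[str]:
    """For a gid 3 stub return None if its metadata names the right compiled
    rule, else a description of the problem: Snort needs 'engine shared'
    and a soid equal to the stub's own gid|sid."""
    if rule.gid != 3:
        return None
    fields: Dict[str, str] = {}
    for item in (rule.option("metadata") or "").split(","):
        key, _, value = item.strip().partition(" ")
        if value:
            fields[key] = value.strip()
    if fields.get("engine") != "shared":
        return f"sid {rule.sid}: gid 3 stub without 'engine shared' metadata"
    expected = f"{rule.gid}|{rule.sid}"
    if fields.get("soid") != expected:
        return f"sid {rule.sid}: soid {fields.get('soid')} does not match {expected}"
    return None


def resolve_flowbits(rules: List[Rule]) -> List[int]:
    """Enable every rule that sets a flowbit which an enabled rule tests.
    Repeats until stable, since a newly enabled setter may test a bit
    itself.  Returns the sids turned on, in order."""
    setters: Dict[str, List[Rule]] = {}
    for r in rules:
        for op, bits in r.flowbits:
            if op in ("set", "setx", "toggle"):
                for b in bits:
                    setters.setdefault(b, []).append(r)
    turned_on: List[int] = []
    changed = True
    while changed:
        changed = False
        for r in rules:
            if not r.enabled:
                continue
            for op, bits in r.flowbits:
                if op not in ("isset", "isnotset"):
                    continue
                for s in (s for b in bits for s in setters.get(b, [])):
                    if not s.enabled:
                        s.enabled = True
                        s.raw = s.raw.lstrip("#").strip()   # uncomment the setter
                        turned_on.append(s.sid)
                        changed = True
    return turned_on


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for r in rules:
        if check_so_stub(r):
            print("BAD STUB:", check_so_stub(r))
    print("enabled by flowbit resolution:", resolve_flowbits(rules))
```

Run against the sample set, the script reports the broken stub (sid 1000004 points at soid 3|1000099) and turns on sid 1000001, because the enabled sid 1000002 tests `ftp.user` and would never fire with its setter commented out.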

Sunday, February 20, 2011

Snort Data Acquisition Library from the Internet Storm Center

Snort Data Acquisition Library

In the post linked above, ISC Handler Guy Bruneau describes his upgrade from Snort 2.8.6 to Snort 2.9.0.2 and some tweaks he found for DAQ.

Those of you preparing to upgrade, or experiencing problems upgrading to Snort 2.9.0.x, may want to take a look at his post and see if it solves any problems for you.

Thanks Guy!

Friday, February 18, 2011

Improving your Custom Snort Rules -- New Whitepaper Posted

Leon Ward's paper "Improving your Custom Snort Rules", originally published in the December issue of Hakin9 magazine, has just been added to the http://www.snort.org/docs page under "Snort Related Whitepapers".

So be sure and check it out.

Thanks go out to Leon Ward, Alex Kirk, and Dave Venman of Sourcefire for this document.

Thursday, February 17, 2011

VRT Rule Update for 2/17/2011

A rule release from the VRT was just posted for today.  This release contains only a couple of updates.

Wednesday, February 16, 2011

FreeBSD 8.1 x86-64 and 7.3 x86-64 Platforms are now supported

In addition to the rule update that went out yesterday, the rulepack also introduced support for the following platforms:
  • FreeBSD 8.1 x86-64
  • FreeBSD 7.3 x86-64

Please see the Shared Object Rule page (This is a new link!  People complained that the old one was hard to find.) for the complete list of supported Shared Object rule platforms in the VRT rule build.

Thanks!

Sourcefire wins Best IDS/IPS - SC Magazine US

This week at RSA, SC Magazine handed out its annual "best of" awards. Sourcefire won this one, with the citation noting our innovation, our detection, and of course our wonderful 300,000+ strong Snort community (you all!).

The article mentions that Sourcefire is "based on Snort".  Our detection engine IS Snort.  It's the ease of use, other technologies, and GUIs that set Sourcefire apart.

We'd like to thank the Snort Community for all the bugs they file, the false positive reports, the ideas, and the criticisms. This only serves to make our IPS, community, and detection better.

Thank you all!

Best IDS/IPS - SC Magazine US

Tuesday, February 15, 2011

VRT Rule Update for 2/15/2011

A rule release from the VRT was just posted for today.  This release contains many updates in several categories; the highlight is the following:

Microsoft Windows Server 2003 contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 18462.


Reminder: Oklahoma City ISSA Meeting tomorrow

Mitch Russell, a member of the Snort Community is giving a talk about Snort at the Oklahoma City ISSA Meeting tomorrow, February 16, 2011.

The meeting will take place at Noon CST, at the Spaghetti Warehouse at 101 East Sheridan, Oklahoma City.

If you are in the area, you are encouraged to attend!

If you know of a Snort speaking event, or if you are giving one, please let me know, and we'll put it up on the Snort.org website on the Snort Speaking Events page, and we'll publicize it on the Snort.org blog for you as well.

Monday, February 14, 2011

Snort 2.9.0.4 Install Guide for Fedora Core 14 is posted

Our own Nick Moore of Sourcefire has published his guide for installing Snort 2.9.0.4 on Fedora Core 14.  Thanks Nick!  Great job!

Please see http://snort.org/docs for the complete guide.

Sunday, February 13, 2011

Snort 2.9.0.4 install guide for Slackware 13.1 and OpenBSD 4.8 posted

Randal Rioux is our first documenter out of the gate with Snort 2.9.0.4 with an install guide for not only Slackware 13.1 but also OpenBSD 4.8!  Nice Job Randal!

Be sure and check out his guides at http://snort.org/docs

We're going to send Randal out some Snort swag!

Thanks to all of our Snort community contributors on their documentation, if you'd like to contribute some documentation and have it hosted on http://snort.org/docs, please feel free to contact me at joel@snort.org, and if we put your guides/whitepapers up on the site, we'll send you some Snort swag!

Friday, February 11, 2011

White Papers on Snort.org

We just wanted to point to a new section we're putting together on Snort.org: a whitepapers section.  Previously we had about three different pages on Snort.org containing this type of content.  As part of cleaning up the Snort.org website and bringing the information people need to the front, better organized, we've created a new subsection in the Documentation section of Snort.org.

If you visit the bottom of http://www.snort.org/docs, you'll see a new section entitled "Snort Related Whitepapers".  Over time we'll consolidate more and more whitepaper-type content into this section and try to keep it updated.  A couple of the papers there are rather old; however, their content is still very relevant and may help Snort users understand the internals of how the tool works.

Please check out this section.  We should be adding several more papers soon.

In addition I've received several emails asking when we are going to restart the webinar series that we were using to teach content.  My answer is soon.  Sorry I can't give you a better date, but I want to make sure we have great content.

If you have suggestions for content you'd like to see on the webinar series or the whitepaper section, please feel free to leave a comment.  Thanks

Snort 2.9.0.4 port for FreeBSD now available

As of the last Snort release (2.9.0.3), Sourcefire's own Dean Freeman has been maintaining the official FreeBSD port of Snort, which allows faster turnaround from a Snort release to the port package.

Case in point is today's release of Snort 2.9.0.4 in FreeBSD's port system.

We would also like to thank Michael Scheidell of SECNAP for helping out a lot in getting Snort bootstrapped and ready to go with the Snortsam patches in the ports system as well!

Thanks!

Thursday, February 10, 2011

SQueRT 0.8 has been released

SQueRT 0.8, a web GUI for Sguil's database (Sguil uses Snort), has been released. Check out the note below from Paul Halliday:

-- country mappings can now be done in the background via cron
-- an input box has been added that will accept country names and codes to filter queries
-- a country 'tag cloud' that can be primed prior to event queries has been added
-- an exclude input box has been added so that you can pick away at your query results
-- different property files can be used when creating link graphs
-- different split modes can be used when creating link graphs
-- canvas colour can be changed when creating link graphs
-- fixed protocol function to acknowledge unknown entries
-- fixed sorting problem with 'existing files' drop down
-- sensor selection now fully enumerates the sensor table and (supported) agent types

## Pictures are here:

http://www.pintumbler.org/sq8

## More information is available here:

http://www.pintumbler.org/Code/squert

## You can download it here:

http://sourceforge.net/projects/squert/files/

Sourcefire does not officially endorse projects surrounding Snort.

Snort 2.9.0.4 has been released!

As previously mentioned a couple days ago, Snort 2.9.0.4 has now been released.  Please check out the release notes and the Changelog for this version over on Snort.org, and check out my previous blog post about the release.

Start your upgrade engines!

You can get to the 2.9.0.4 download page here.

EOL for 2.9.0.0 Shared Object Rules

With today's release of the VRT Rule pack, the EOL of 2.9.0.0 support for Shared Object rules is also taking place.   As a result of the changes in the Shared Object rule API earlier in the 2.9.0.x build tree, it has become necessary to remove 2.9.0.0 from the precompiled Shared Object builds.

Snort 2.9.0.4, which has also been released today, is now supported by the VRT Shared Object rules, and anyone running 2.9.0.0 should move to the current patch level of the 2.9.0.x tree: 2.9.0.4.

The Shared Object rule builds for 2.8.6.1 are unaffected, however, as a reminder, support for 2.8.6.1 will end at the release of Snort 2.9.1 (+90 days), so those of you on 2.8.6.1 are encouraged to start upgrading.

VRT Rule Update for 2/10/2011

A rule release from the VRT was just posted for today.  This release contains many updates in several categories; the highlight is the following:

SIDs 18458 and 18459, providing coverage for the "Night Dragon" Trojan, released in the Botnet-CNC rule category (the rules are enabled by default in all policies, due to their low false positive potential and high speed).  PulledPork has the ability to manage policies within its configuration.

Wednesday, February 9, 2011

Google Groups are alive!

Late last year I put out a poll that discussed the merging of the Mailing lists and Forums and it seemed that most of the people that answered the poll thought that Google Groups was the way to go (82% of you!).

So we've stood up three Google Groups that mimic our Snort Mailing lists.  These groups are unmoderated, open to the community for posting, and have the same criteria as our mailing lists.


  • Snort-Users
  • Snort-Signatures
  • Snort-Devel


Right now the Google Groups and the Mailing lists are not merged and do not cross post (they used to, but after testing a bit, it didn't really integrate correctly, so the link was broken this morning).

If you join the Google Groups and you select "email" as your delivery method, you will receive an email for every post (just like the Mailing list), even the subject tags will be the same.  i.e. [Snort-Users], [Snort-Sigs], and [Snort-Devel].

The advantage of Google Groups, however, is that you do NOT have to select email as a delivery method and can interact with the groups solely via the web.

As of March 1, 2011, the forums at Snort.org will be locked and will be read only.  The content will still be preserved, however, after that date, no more posting will be allowed.  A persistent banner has been put on http://forums.snort.org to remind people of this fact.

At this time we are not merging the Mailing Lists and Google Groups.  We'll let things settle for a while, see how the new Google Groups go, and revisit merging the Mailing Lists later.  So, if you are a member of the Snort Mailing Lists and would like to sign up for the Google Groups, feel free, as they are still separate entities.

The Groups will be handled the same as the mailing lists.  Spammers will be banned, and their posts deleted, etc.

To sign up for the new Google Groups, you may visit this page:
http://www.snort.org/community/Groups/

Where I have placed sign-up boxes for all three of the groups.

I'd like to hear feedback on the groups.  That way I can improve what I can.  Thanks all, and thanks to our IT and web teams for helping out on the testing for the Google Groups and various other uncountable things they've been able to help me with during this transition.

Debian Lenny (and other) Shared Object rule support ends

Tomorrow, with the release of a VRT Rule pack, pre-compiled Shared Object rules will no longer be distributed for the following platforms:

  • Debian-Lenny (replaced by Debian 5.07)
  • RHEL 5.0 (replaced by RHEL 5.5)

The VRT is currently working on supporting FreeBSD 7.3 and 8.1 x86-64 platforms, and support for these platforms will be released soon.

Tuesday, February 8, 2011

VRT Rule update for 2/8/2011

A rule release from the VRT was just posted for today.  This release contains many updates in several categories; the highlights are the following:

Microsoft Security Advisory MS11-003:
Microsoft Internet Explorer suffers from a programming error that may
allow a remote attacker to execute code on a vulnerable system.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 3, SIDs 18403 and 18404.

Previously released rules to detect attacks targeting this
vulnerability have been updated with the appropriate reference and are
identified with GID 1, SIDs 18196 and 18240.

Microsoft Security Advisory MS11-004:
The Microsoft FTP Service included with IIS, suffers from a programming
error that may allow a remote attacker to execute code on an affected
system.

A previously released rule to detect attacks targeting this
vulnerability has been updated with the appropriate reference and is
identified with GID 1, SID 18243.

Microsoft Security Advisory MS11-005:
Microsoft Windows Server 2003 contains a programming error that may
allow a remote attacker to execute a Denial of Service (DoS) attack
against a vulnerable system.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 3, SIDs 18406 and 18407.

Microsoft Security Advisory MS11-006:
Microsoft Office suffers from a programming error that may allow a
remote attacker to execute code on a vulnerable system via a malicious
bitmap file.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 18398.

Microsoft Security Advisory MS11-007:
The Microsoft ATMFD Adobe font driver included in Microsoft Windows
contains a programming error that may allow a remote attacker to
execute code on a vulnerable system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 18402.

Microsoft Security Advisory MS11-008:
Microsoft Visio contains programming errors that may allow a remote
attacker to execute code on a vulnerable system via a malicious Visio
file.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 3, SIDs 18415, 18416 and
18417.

Microsoft Security Advisory MS11-009:
Microsoft Internet Explorer contains a programming error that may allow
a remote attacker to obtain information regarding the vulnerable system
via malicious JScript or VBScript.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 18401.

Microsoft Security Advisory MS11-010:
The Microsoft Windows Client/Server run-time subsystem contains a
programming error that may allow a remote attacker to elevate
privileges on a vulnerable system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 18400.

Microsoft Security Advisory MS11-011:
The Microsoft Windows kernel contains a programming error that may
allow a remote attacker to elevate privileges on a vulnerable system.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 3, SIDs 18408 and 18413.

Microsoft Security Advisory MS11-012:
Microsoft Windows systems suffer from programming errors that may allow
remote attackers to elevate privileges on a vulnerable system via
kernel-mode drivers.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 3, SIDs 18409, 18410, 18411
and 18412.

Microsoft Security Advisory MS11-013:
The Microsoft Windows Kerberos implementation may allow a remote
attacker to downgrade the authentication mechanism to use DES so that
the vulnerable system is subject to a spoofing vulnerability.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 18414.

Microsoft Security Advisory MS11-014:
The Microsoft Local Security Authority Subsystem Service (LSASS)
contains a programming error that may allow a remote attacker to
execute code with elevated privileges on a vulnerable system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 18405.

Adobe Security Advisory APSB11-03:
Adobe Reader and Acrobat contain programming errors that may allow a
remote attacker to execute code on a vulnerable system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 3, SIDs 18418 through 18421,
18444 and 18447 through 18456.


Snort 2.9.0.4 is coming this week!

Snort 2.9.0.4 is currently slated for release on Thursday.  It brings about several improvements to the Snort code and documentation (thanks to those members of the Snort Community who submitted bugs for both the code and documentation!), as well as the inclusion of SaaC (Snort as a Collector) code for Razorback.

Below are the 2.9.0.4 release notes, along with some inline notes on the improvements (thanks to Russ for providing the information below):

[*] Improvements
  * Added the Razorback "Snort as a Collector" (SaaC) dynamic preprocessor.
    This is for experimental use only! Enable it by compiling with
    --enable-rzb-saac.

  * Fixed false positives in HTTP traffic, which were caused by large HTTP
    chunks split across two packets.
    - When a large chunk length appears (not in the first packet) and the packet size is less than the chunk length, the copy fails and the DecodeBuffer is not overwritten.  Subsequent packets then use the stale decode buffer without overwriting it, hence the false positive.  The fix was to use the packet size when the packet size is less than the chunk length.

  * Made several updates to the Snort manual and READMEs.

  * Fixed a false positive on Stream5 rule 129:15, caused by a RST following
    a FIN.
    - When a TCP FIN was processed, the FIN pseudo-octet was not always accounted for in the sequence number tracking within the stream5 preprocessor.  A subsequent TCP RST in the FIN-Wait-1 or FIN-Wait-2 state could then lead to a false positive for 129:15.  The fix is to ensure proper accounting of the TCP FIN pseudo-octet.  This problem did not affect TCP RSTs while the session was fully established.

  * Fixed a bug in HTTP_STAT_MSG.
    - The HTTP status message buffer included the CR LF from the status line.  With the fix, the buffer now contains only the status message from the HTTP response, without the CR LF.
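As an added example (not stream5's code), here is a simplified model of the sequence accounting behind the 129:15 fix above.  It tracks one direction of a TCP session under the strict rule that a RST must land exactly on the next expected sequence number (the check behind 129:15, reduced from stream5's per-OS policies to its strictest form), and shows that forgetting the one sequence number a FIN consumes makes a legitimate RST in FIN-WAIT-1 look out of place, while a RST on an established session is unaffected.  The packets are constructed and the initial sequence number 1000 is arbitrary.

```python
"""Added example (not stream5 code): a minimal tracker for one direction of a
TCP session, showing why the FIN pseudo-octet must be counted.  Packets are
constructed (flags, sequence number, payload length) tuples."""
from dataclasses import dataclass
from typing import List, Tuple

Packet = Tuple[str, int, int]   # (TCP flags, sequence number, payload length)


@dataclass
class Tracker:
    """Sequence tracking for the sender of the packets we feed in."""
    next_seq: int                 # next sequence number expected from this sender
    count_fin: bool = True        # False reproduces the bug fixed in 2.9.0.4
    state: str = "ESTABLISHED"


def process(tracker: Tracker, packets: List[Packet]) -> List[str]:
    """Run packets from one sender through the tracker; return alerts raised."""
    alerts: List[str] = []
    for flags, seq, plen in packets:
        if "R" in flags:
            # Strict policy: a RST is valid only if it lands exactly on the
            # next expected sequence number; otherwise raise 129:15.
            if seq != tracker.next_seq:
                alerts.append(
                    f"129:15 RST seq={seq} expected={tracker.next_seq} in {tracker.state}"
                )
            tracker.state = "CLOSED"
            continue
        if seq != tracker.next_seq:
            continue                      # out-of-order data is not modelled here
        tracker.next_seq += plen          # data octets advance the sequence space
        if "F" in flags:
            if tracker.count_fin:
                tracker.next_seq += 1     # RFC 793: a FIN occupies one sequence number
            tracker.state = "FIN_WAIT_1"
    return alerts


# Constructed traffic from one endpoint (ISN 1000 chosen arbitrarily).
CLOSE_THEN_RST: List[Packet] = [
    ("PA", 1000, 100),   # 100 bytes of data occupying seq 1000..1099
    ("FA", 1100, 0),     # FIN occupies sequence number 1100
    ("RA", 1101, 0),     # correctly numbered RST sent while in FIN-WAIT-1
]
ESTABLISHED_RST: List[Packet] = [
    ("PA", 1000, 100),
    ("RA", 1100, 0),     # RST while the session is fully established
]


def run(count_fin: bool, packets: List[Packet]) -> List[str]:
    """Convenience wrapper: fresh tracker at ISN 1000, with or without the fix."""
    return process(Tracker(next_seq=1000, count_fin=count_fin), packets)


if __name__ == "__main__":
    print("buggy, close then RST:", run(False, CLOSE_THEN_RST))
    print("fixed, close then RST:", run(True, CLOSE_THEN_RST))
    print("buggy, established RST:", run(False, ESTABLISHED_RST))
```

With `count_fin=False` the tracker still expects sequence 1100 after the FIN, so the RST at 1101 is reported; with the FIN counted, the expected value is 1101 and the same RST is silent.  Neither variant complains about the RST on the established session, matching the release note.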

Tuesday, February 1, 2011

VRT Rule Update for 2/1/2011

A rule release from the VRT was just posted for today.  This release contains many updates in several categories; the highlight is the following:

Microsoft Security Advisory (CVE-2011-0096):
Microsoft Internet Explorer suffers from a programming error that may allow a remote attacker to execute a cross-site scripting attack. This attack could then lead to information disclosure.


A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 18335.
