Tuesday, May 31, 2011

VRT Rule Update for 05/31/2011

Today's rule release from the VRT is now available. In this release we introduce 6 new rules and make modifications to 10 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
This rule release contains protection for the recently discovered DoS in BIND's DNSSEC implementation. The rule is identified with GID 1, SID 19125.

The Sourcefire VRT has added and modified multiple rules in the blacklist, botnet-cnc, dos, multimedia, oracle and web-client rule sets to provide coverage for emerging threats from these technologies.


To get the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users. Be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the newest emerging threats!

Sguil Version 0.8.0 released

In its first release since 2008, Sguil Version 0.8.0 has been released.

Bamm states on the Sguil News site:


Okay, new direction. Time has been escaping me and Sguil development has suffered. When I do have time to spend on Sguil, I would rather be adding new features and fixing bugs versus testing installs and writing documentation. So starting with this release, I am going to focus on getting code out the door and hope our small community will document their experiences through blogs, wikis, mailing lists, tweets, and #snort-gui. 

Go out and download Sguil 0.8.0. Install it. Test it. Break it. And find some bad guys. 
 Downloads are available here.

Friday, May 27, 2011

Resolving Flowbit dependencies

Recently I've noticed an increase in emails asking about flowbits, so I thought I'd write a quick blog post about how to fix this, so people can have a reference for these error messages.

So you'll notice one of two conditions:
Warning: flowbits key 'http.rtf' is set but not ever checked.
or
Warning: flowbits key 'http.rtf' is checked but not ever set.

I'll break these warnings down and explain them, but first allow me to explain what a flowbit is for those that may not know.

The manual states the following:
"The flowbits keyword is used in conjunction with conversation tracking from the Stream preprocessor. It allows rules to track states during a transport protocol session. The flowbits option is most useful for TCP sessions, as it allows rules to generically track the state of an application protocol.
There are eight keywords associated with flowbits. Most of the options need a user-defined name for the specific state that is being checked. This string should be limited to any alphanumeric string including periods, dashes, and underscores. The keywords set and toggle take an optional argument which specifies the group to which the keywords will belong. When no group name is specified the flowbits will belong to a default group. All the flowbits in a particular group (with an exception of default group) are mutually exclusive. A particular flow cannot belong to more than one group."
In other words, flowbits allow you to set the state of a flow in one rule and track it across one or more other rules.

Let me explain the two "warning" messages above.

First, the name (key) of the flowbit that has the "problem" is "http.rtf".  In the VRT, we have a naming convention that we use for flowbits, and this name tells me that this is an "RTF" document being downloaded over HTTP.  In other words, the rules are written so that this flowbit being set means someone on your network has requested an "rtf" document.

Warning: flowbits key 'http.rtf' is set but not ever checked.
The above warning means that there is one rule that uses the syntax "flowbits:set,http.rtf", but the rule that "checks" the flowbit isn't turned on.  The first rule sets the flowbit so that the condition it matched can be used later by other rules.  Let me give you an example rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC rtf download attempt"; flow:to_server,established; content:".rtf"; http_uri; flowbits:set,http.rtf;)

This rule matches someone on your network connecting to "$EXTERNAL_NET" on an HTTP port and making a web request for a .rtf file.  When it matches, the rule sets the flowbit, which tracks that state for the rest of the session.

We can then use an additional rule to check for a vulnerability inside of the ".rtf" file by using the "isset" keyword.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT .rtf file is bad!"; flowbits:isset,http.rtf; flow:from_server,established; content:"bad stuff";)

The above rule checks to see that the flowbit "isset" before checking the rest of the rule.  Essentially, in order for the second rule to fire, the first one has to have already fired.

The other warning above is the opposite.

Warning: flowbits key 'http.rtf' is checked but not ever set.


This indicates that the rule that reads "isset,http.rtf" is turned on, but the rule that reads "set,http.rtf" is not.

The above "Warnings" aren't fatal, meaning Snort will still start even if you see them.  However, if you are receiving these warnings because either the "set" rule or the "isset" rule isn't turned on, then effectively you aren't using that rule, or the multiple rules that depend on that flowbit.

The advantage of flowbits is that rule writers can write several different rules that check for vulnerabilities inside the rtf document file format, all checking to see if the "http.rtf" flowbit has been set first.  This will cause entire rule chains to not fire if an "rtf" file isn't downloaded first (for example).

There are two ways to fix this problem.  You can either:
  1. Go through the rules files individually to turn on the rules that will fix the flowbits.
  2. Use a tool that automates this process for you.
The tool that I most often recommend is PulledPork.  Aside from managing your rules for you, including resolving and using Shared Object rules correctly, PulledPork also auto-resolves flowbit dependencies, turning on the rules that should be on in order for all of your flowbits to work correctly.

You can read more about flowbits in section 3.6.10 of the Snort Manual:  http://www.snort.org/docs
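
As an added illustration (not code from this post, from Snort, or from PulledPork), the script below does by hand what option 1 describes: it scans a rules file, finds flowbit keys where only the "set" side or only the "check" side is enabled, and lists the disabled rules that would resolve each warning. The sample rules, their sids, and the pdf rule pair are constructed, and treating set/setx/toggle as setters and isset/isnotset as checkers is a simplifying assumption.

```python
import re
from collections import defaultdict
# Constructed sample rule file: sids, content strings and the pdf pair are made up.
SAMPLE_RULES = r'''
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC rtf download attempt"; flow:to_server,established; content:".rtf"; http_uri; flowbits:set,http.rtf; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT .rtf file is bad!"; flowbits:isset,http.rtf; flow:from_server,established; content:"bad stuff"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC pdf download attempt"; flow:to_server,established; content:".pdf"; http_uri; flowbits:set,http.pdf; flowbits:noalert; sid:1000003; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT .pdf file is bad!"; flowbits:isset,http.pdf; flow:from_server,established; content:"bad pdf"; sid:1000004; rev:1;)
'''

# Simplifying assumption: set/setx/toggle count as "set", isset/isnotset as "checked".
ROLE = {"set": "set", "setx": "set", "toggle": "set", "isset": "check", "isnotset": "check"}
RULE_RE = re.compile(r'^\s*(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s[^(]*\((.*)\)\s*$')
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*(\w+)\s*(?:,\s*([^;,]+))?')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')

def parse_rules(text):
    """Yield (enabled, sid, role, key) for each flowbits set/check option found."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                      # blank line or plain comment
        enabled, body = m.group(1) is None, m.group(2)   # leading '#' = rule turned off
        sid_m = SID_RE.search(body)
        sid = int(sid_m.group(1)) if sid_m else None
        for action, name in FLOWBITS_RE.findall(body):
            if action in ROLE and name:   # noalert, unset, reset are neither role here
                yield enabled, sid, ROLE[action], name.strip()

def unresolved_flowbits(text):
    """Map each half-enabled key to (warning text, sids of disabled rules that resolve it)."""
    on, off = defaultdict(set), defaultdict(list)
    for enabled, sid, role, key in parse_rules(text):
        if enabled:
            on[key].add(role)
        else:
            off[(key, role)].append(sid)
    report = {}
    for key, roles in on.items():
        if roles == {"set"}:
            report[key] = ("set but not ever checked", off[(key, "check")])
        elif roles == {"check"}:
            report[key] = ("checked but not ever set", off[(key, "set")])
    return report

if __name__ == "__main__":
    for key, (warning, fix_sids) in sorted(unresolved_flowbits(SAMPLE_RULES).items()):
        print(f"flowbits key '{key}' is {warning}; turn on sid(s) {fix_sids}")
```

An empty sid list in the report means no disabled rule in the file would resolve the warning, so the missing half lives in a rules file that was not scanned.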

Thursday, May 26, 2011

VRT Rule Update for 05/26/2011

Today's rule release from the VRT is now available. In this release we introduce 39 new rules and make modifications to 23 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the botnet-cnc, dos, exploit, netbios, phishing-spam, policy, scan, snmp, specific-threats, spyware-put, web-activex, web-client and x11 rule sets to provide coverage for emerging threats from these technologies.



Slides from John Gay's webcast posted

As we always strive to do after a webcast, we put up the slides for John Gay's webcast on Multiconfig Snort operation over at: http://www.snort.org/community/snort-webcast-series/.  Unfortunately, the webcast did not get recorded this time due to a technical error, so only the slides are available.

Please keep your eyes on the blog for further information regarding next month's webcast with Nick Moore again, in mid June!

Tuesday, May 24, 2011

VRT Rule Update for 05/24/2011

Today's rule release from the VRT is now available. In this release we introduce 99 new rules and make modifications to 22 more.

The following edits were also made to the snort.conf recently, and we suggest you make the same changes:
  1. Add Port 81 to HTTP_PORTS and also to the http_inspect preprocessor.
  2. Replace your stream5 global line with the following:
    preprocessor stream5_global: track_tcp yes, \
    track_udp yes, \
    track_icmp no, \
    max_tcp 262144, \
    max_udp 131072, \
    max_active_responses 2, \
    min_response_seconds 5
  3. Remove the line "base 36 no\" from the http_inspect preprocessor

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, botnet-cnc, dos, exploit, imap, mysql, netbios, oracle,
phishing-spam, policy, smtp, specific-threats, spyware-put, tftp,
web-cgi and web-misc rule sets to provide coverage for emerging threats
from these technologies.


Wednesday, May 18, 2011

Register for next week's Snort Webcast with John Gay!


Snort Webinar -- Proper implementation of Multiconfig -- John Gay


This webinar is over, please find the slides at: http://www.snort.org/community/snort-webcast-series/


VRT Rule Update for 05/18/2011

Today's rule release from the VRT is now available. In this release we introduce 14 new rules and make modifications to 6 more.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, blacklist, botnet-cnc, exploit, oracle, policy,
specific-threats, web-activex and web-misc rule sets to provide
coverage for emerging threats from these technologies.


Monday, May 16, 2011

Snort 2.9.0.3 Shared Object rules EOL announcement

As noted when we've End-Of-Life'd previous versions of Shared Object rules, 2.9.0.3 rules have now reached EOL and will no longer be released.  People using 2.9.0.3 should update to the newest version of Snort and Shared Object rules at 2.9.0.5.

The Shared Object rule builds for 2.8.6.1 are unaffected. However, as a reminder, support for 2.8.6.1 will end at the release of Snort 2.9.1 (+90 days), so those of you on 2.8.6.1 are encouraged to start upgrading.


Friday, May 13, 2011

VRT Rule Update for 05/12/2011

Today's rule release from the VRT is now available. In this release we introduce 16 new rules and make modifications to 6 more.


In VRT's rule release:
Adobe Security Bulletin APSB11-12:
Adobe Flash player contains multiple vulnerabilities that may allow a
remote attacker to execute code on a vulnerable system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 18963 through 18971.


Tuesday, May 10, 2011

VRT Rule Update for 05/10/2011, MS Tues

Today's rule release from the VRT is now available. In this release we introduce 23 new rules and make modifications to 18 more.

Please also read this post on the VRT blog about this rule release and our coverage for the MacDefender and MacProtector OSX Malware.

In VRT's rule release:
Microsoft Security Advisory MS11-035:
The Microsoft Windows Internet Name Service (WINS) contains a
programming error that may allow a remote attacker to execute code on
an affected system. This vulnerability does not require authentication
before exploitation.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 18950.

Microsoft Security Advisory MS11-036:
Microsoft PowerPoint contains programming errors that may allow a
remote attacker to execute code on an affected system via a malformed
PowerPoint document.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 18949.

Additionally, a previously released rule previously identified with GID
3, SID 16188 will also detect attacks targeting this issue. The rule is
now identified with GID 1, SID 16188 and has been updated with the
appropriate reference information.


Thursday, May 5, 2011

VRT Rule Update for 05/05/2011

The VRT has just released today's rule update. In this release we introduce 34 new rules and make modifications to 34 more.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the dos,
netbios, oracle, smtp, snmp, specific-threats, web-activex and web-misc
rule sets to provide coverage for emerging threats from these
technologies.


Tuesday, May 3, 2011

VRT Rule Update for 05/03/2011

The VRT has just released today's rule update. In this release we introduce 160 new rules and make modifications to 25 more.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the
attack-responses, blacklist, dos, exploit, ftp, policy, rpc, scada,
smtp, specific-threats, tftp, web-activex, web-cgi and web-misc rule
sets to provide coverage for emerging threats from these technologies.
