Tuesday, June 28, 2011

VRT Rule Update for 06/28/2011

The newest rule release for today from the VRT. In this release we introduce 105 new rules and make modifications to 34 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, ddos, dos, exploit, netbios, specific-threats, spyware-put, voip, web-activex and web-misc rule sets to provide coverage for emerging threats from these technologies.

To subscribe to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Sourcefire Recognizes Seventh Annual SNORT Cybersecurity Scholarship Winners

Columbia, MD – June 28, 2011 – Sourcefire, Inc. (Nasdaq: FIRE), the creator of Snort® and a leader in intelligent cybersecurity solutions, today announced that it has selected Darcie Cohee and Daniel Freer as the recipients of the 2011 Snort Scholarship. The scholarships, each worth up to $15,000, are awarded to university students around the world that use Snort to further their education and gain hands-on experience in network security.

“As hackers continue to find new ways to access sensitive corporate and customer data, we need to groom a new generation of security professionals to identify and combat these exploits,” said Martin Roesch, CTO and founder of Sourcefire. “Snort and Sourcefire are built on the foundation of community development and these scholarships allow us to recognize the next great security professionals.”

To qualify, applicants must be enrolled in a university that uses Snort or Sourcefire products to protect its network or uses Snort as part of the curriculum in the classroom. The scholarships assist the winning students in completing their degrees and covering educational costs. Sourcefire selected Darcie and Daniel from a pool of hundreds of applicants:

  • Darcie Cohee is a Bachelor of Science candidate in Information Systems Technologies at Southern Illinois University Carbondale. Darcie has worked on several projects using Snort to protect SharePoint deployments and is interested in the intersection of the Web and security.
  • Daniel Freer is a Bachelor of Science candidate in Networking at Indiana Tech. Daniel relied on Snort as an important weapon in his arsenal when he competed in the National Collegiate Cyber Defense Competition and is committed to exploring how Snort can help prevent evolving attacks.

To assist the winning students in completing their degrees, Sourcefire has awarded each a $5,000 scholarship for educational costs at the students’ respective universities. The winners also receive a $10,000 credit to use toward any training course or certification exam in the Sourcefire Security Education Program. The Sourcefire Security Education and Certification Programs deliver training and testing for IT staff on Sourcefire’s products and open source security solutions, either on-site or at dedicated locations around the world.

Sourcefire developed the Snort Scholarship in 2004 as a way to give back to the open source and security communities. Since the inception of the Snort Scholarship program seven years ago, Sourcefire has recognized university students from around the world, including the United States, Australia, Turkey, Mexico, the Netherlands and Rwanda. Martin Roesch founded Sourcefire in 2001 to deliver commercial security solutions that leverage his open source innovation, Snort. Snort is the world’s most widely deployed intrusion detection and prevention technology with more than 300,000 registered users and nearly 4 million downloads to date. As the de facto standard for intrusion detection and prevention, Snort is used extensively by Fortune 100 enterprises and government agencies.

About Sourcefire
Sourcefire, Inc. (Nasdaq:FIRE), is a world leader in intelligent cybersecurity solutions.  Sourcefire is transforming the way Global 2000 organizations and government agencies manage and minimize network security risks. Sourcefire’s IPS, Real-time Network Awareness and Real-time Adaptive Security solutions equip customers with an efficient and effective layered security defense – protecting network assets before, during and after an attack. Through the years, Sourcefire has been consistently recognized for its innovation and industry leadership by customers, media and industry analysts alike – with more than 50 awards and accolades. Today, the name Sourcefire has grown synonymous with innovation and network security intelligence. For more information about Sourcefire, please visit http://www.sourcefire.com.

Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, ClamAV, Immunet and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.

Monday, June 27, 2011

Snort's output methods

Ever since the beginning of Snort, one of the main concerns was "how do I get data out of Snort".  Some of the options that are available have their advantages and disadvantages:

  1. Some of them aren't used.
  2. Some of them cause Snort to be slow.
  3. Some of them we don't maintain and don't frequently test.
  4. Some of them we want to get rid of.

One of those output methods is the "spo_database" module.  This is the module within Snort that inserts data directly from Snort into a MySQL, PostgreSQL, or Oracle database.  This logging method was written back in the late 90's by a college student (along with the db schema and the ACID interface) as a project for his thesis.

It hasn't been very well maintained since then.  In fact, we don't test against it, and we don't recommend it for use.  It forces Snort, which is a high-speed data processor, to stop doing what it's doing (being an IPS) and insert data into the database.  While Snort is inserting into the database, inspection stops, waiting on the database connection.

So we are going to remove it.

If you look in your snort.conf and your "output" lines look like this:

output database: alert, <db_type>, user=<username> password=<password> dbname=<name> host=<hostname>
output database: log, <db_type>, user=<username> password=<password> dbname=<name> host=<hostname>

then this change will affect you.

In order to provide the type of functionality we'd like to provide with Snort in the next few releases (more data for you!), we needed someone to take over the maintenance of the db schema that is shipped with Snort as well.   As a result of the discussion on the Snort-devel list, the team members over at the barnyard2 project have agreed to take over the maintenance of these schemas.

It is our intention to make the unified2 format our official output method, provide documentation for it, and ship the u2spewfoo tool within Snort so that anyone is able to read it.  We are going to keep some other output methods as well, but...
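As an added illustration of what "anyone is able to read it" means for unified2 (this is example code written for this page, not Snort's own code and not u2spewfoo), here is a minimal Python reader: it walks the 8-byte big-endian type/length record headers, decodes the legacy 52-byte IPv4 IDS event (type 7) and the packet record (type 2), and stops cleanly at a half-written trailing record, which any reader tailing a live Snort log will eventually see. The sample stream, its sensor/event ids, addresses and timestamps are constructed; only SID 19257 is taken from this page.

```python
import socket
import struct
from typing import Iterator

# unified2 record type codes written by Snort's spo_unified2 output
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7  # legacy IPv4 event, 52-byte body

# Every record: 8-byte header (type, body length), all fields big-endian
_HDR = struct.Struct(">II")
# Legacy IPv4 event body: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
_EVENT = struct.Struct(">11I2H4B")
_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                 "signature_id", "generator_id", "signature_revision",
                 "classification_id", "priority_id", "ip_source",
                 "ip_destination", "sport_itype", "dport_icode", "protocol",
                 "impact_flag", "impact", "blocked")
# Packet record: 7 x uint32 then packet_length bytes of raw captured packet
_PACKET = struct.Struct(">7I")
_PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                  "packet_microsecond", "linktype", "packet_length")


def _ipv4(n: int) -> str:
    return socket.inet_ntoa(struct.pack(">I", n))


def parse_unified2(data: bytes) -> Iterator[dict]:
    """Yield one dict per complete record. Snort appends to the file while it
    runs, so a trailing half-written record is left unread, not an error."""
    off = 0
    while off + _HDR.size <= len(data):
        rtype, length = _HDR.unpack_from(data, off)
        body_start = off + _HDR.size
        if body_start + length > len(data):
            break  # body not yet complete: wait for the next write
        body = data[body_start:body_start + length]
        if rtype == UNIFIED2_IDS_EVENT and length == _EVENT.size:
            rec = dict(zip(_EVENT_FIELDS, _EVENT.unpack(body)))
            rec["ip_source"] = _ipv4(rec["ip_source"])
            rec["ip_destination"] = _ipv4(rec["ip_destination"])
            rec["type"] = "event"
        elif rtype == UNIFIED2_PACKET and length >= _PACKET.size:
            rec = dict(zip(_PACKET_FIELDS, _PACKET.unpack_from(body)))
            end = _PACKET.size + rec["packet_length"]
            rec["packet_data"] = body[_PACKET.size:end]
            rec["type"] = "packet"
        else:  # IPv6/VLAN/extra-data records: skip by length, keep the type
            rec = {"type": "unknown", "record_type": rtype, "length": length}
        yield rec
        off = body_start + length


def build_sample() -> bytes:
    """Constructed sample: one event (GID 1, SID 19257 from the 06/16 post)
    with its packet record, then a truncated event to exercise the
    partial-record path. All ids, addresses and times are made up."""
    src = struct.unpack(">I", socket.inet_aton("10.0.0.5"))[0]
    dst = struct.unpack(">I", socket.inet_aton("192.0.2.10"))[0]
    event = _EVENT.pack(1, 42, 1308240000, 0, 19257, 1, 1, 3, 1, src, dst,
                        49152, 80, 6, 0, 0, 0)
    pkt = b"\x45\x00\x00\x14" + b"\x00" * 16  # constructed 20-byte IPv4 stub
    packet = _PACKET.pack(1, 42, 1308240000, 1308240000, 0, 1, len(pkt)) + pkt
    stream = _HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event
    stream += _HDR.pack(UNIFIED2_PACKET, len(packet)) + packet
    # header says 52 bytes follow, but only 10 have been written so far
    return stream + _HDR.pack(UNIFIED2_IDS_EVENT, _EVENT.size) + b"\x00" * 10


if __name__ == "__main__":
    for rec in parse_unified2(build_sample()):
        print({k: v for k, v in rec.items() if k != "packet_data"})
```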

At this point I'd like to hear from the community as well.  So please leave comments.

What output plugins do you use?
Will you be affected by this change (we hope a lot of you aren't using the spo_database method)?
What other output plugins do you think we can "show the door"?

Snort webcast

We didn't forget about the June webcast!

Things were a little crazy in the month of June and with the schedules the way they were, it was just hard to find a time when the presenter and I could sync up to deliver the webcast.

We'll make up for it in July!

Thanks for your patience, however, in the meantime, you can check out our repository of webcasts at http://www.snort.org/webcast_series.

Thanks.

Joel Esler
OpenSource Community Manager

Thursday, June 23, 2011

VRT Rule Update for 06/23/2011

The newest rule release for today from the VRT. In this release we introduce 10 new rules and make modifications to 1,158 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, exploit, finger, ftp, multimedia, netbios, nntp, pop3, rpc, smtp, specific-threats, spyware-put, voip, web-activex, web-cgi, web-client and web-misc rule sets to provide coverage for emerging threats from these technologies.

To subscribe to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Tuesday, June 21, 2011

VRT Rule Update for 06/21/2011

The newest rule release for today from the VRT. In this release we introduce 26 new rules and make modifications to 9 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the netbios, policy, shellcode, specific-threats and web-client rule sets to provide coverage for emerging threats from these technologies.

To subscribe to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

VRT Rule Update for 06/20/2011, Adobe Flash Player Vulnerabilities

The newest rule release for today from the VRT. In this release we introduce 7 new rules and make modifications to 7 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Adobe Security Bulletin APSB11-18:
Adobe Flash Player contains a programming error that may allow a remote attacker to execute code on an affected system via the use of ActionScript.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 19262 through 19264.

The Sourcefire VRT has added and modified multiple rules in the ftp, shellcode and web-client rule sets to provide coverage for emerging threats from these technologies.

To subscribe to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Thursday, June 16, 2011

VRT Rule Update for 06/16/2011, Adobe Flash Player Vulnerabilities

The newest rule release for today from the VRT. In this release we introduce 4 new rules and make modifications to 5 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Adobe Security Bulletin APSB11-18:
Adobe Flash Player contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19257.

The Sourcefire VRT has also added and modified multiple rules in the exploit, specific-threats and web-client rule sets to provide coverage for emerging threats from these technologies.

To subscribe to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Tuesday, June 14, 2011

VRT Rule Update for 06/14/2011, MS Tuesday, Adobe Reader, and Acrobat

The newest rule release for today from the VRT. In this release we introduce 77 new rules and make modifications to 9 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Microsoft Security Advisory MS11-037:
The Microsoft implementation of MIME HTML (MHTML) contains programming errors that may allow a remote attacker to execute code on an affected system via a cross-site scripting attack.

A previously released rule will detect attacks targeting this vulnerability and is included in this release with updated reference information. It is identified with GID 1, SID 18335.

Microsoft Security Advisory MS11-038:
Microsoft Windows contains a programming error that may allow a remote attacker to execute code on a vulnerable system. The error occurs when parsing specially crafted WMF data.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19184.

Microsoft Security Advisory MS11-039:
The Microsoft .NET Framework contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19185.

Microsoft Security Advisory MS11-040:
The TMG Firewall Client contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 19187.

Microsoft Security Advisory MS11-041:
The Adobe Font Driver included in the Microsoft Windows Operating System contains a programming error that may allow a remote attacker to execute code on an affected system via a specially crafted font file.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19188.

Microsoft Security Advisory MS11-042:
The Microsoft Distributed File System (DFS) contains programming errors that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 19189 and 19221.

Microsoft Security Advisory MS11-043:
The Microsoft client implementation of the Server Message Block (SMB) protocol contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19199.

Microsoft Security Advisory MS11-045:
Microsoft Excel contains programming errors that may allow a remote attacker to execute code on an affected system via a specially crafted Excel file.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 19200, 19222, 19225, 19227 and 19229 through 19232.

Microsoft Security Advisory MS11-046:
The Microsoft Windows Operating System contains a programming error that may allow an attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 18691.

Microsoft Security Advisory MS11-048:
The Microsoft implementation of the Server Message Block (SMB) protocol contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19191.

Microsoft Security Advisory MS11-049:
Microsoft Visual Studio contains a programming error that may allow a remote attacker to retrieve the content of local XML files via the use of a specially crafted XML file.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19234.

Microsoft Security Advisory MS11-050:
Microsoft Internet Explorer contains programming errors that may allow a remote attacker to execute code on an affected system or use a cross-site scripting attack against the user.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 19235 through 19246.

Additionally, a previously released rule will also detect attacks targeting these vulnerabilities and is included in this release with updated reference information. It is identified with GID 3, SID 17767.

Microsoft Security Advisory MS11-051:
The Microsoft Certification Service contains a programming error that may allow a remote attacker to use a cross-site scripting attack against the client using the service.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19186.

Microsoft Security Advisory MS11-052:
Microsoft Internet Explorer contains a programming error that may allow a remote attacker to execute code on an affected system via the use of specially crafted Vector Markup Language (VML) in a URL.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 19241 and 19242.

Adobe Security Bulletin APSB11-16:
Adobe Reader and Acrobat contain programming errors that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 19247 through 19255.

The Sourcefire VRT has also added and modified multiple rules in the bad-traffic, blacklist, dos, exploit, netbios, oracle, policy, smtp, specific-threats, sql, web-activex and web-misc rule sets to provide coverage for emerging threats from these technologies.

To subscribe to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Monday, June 13, 2011

Snort 2.9.1 beta has been released!

As noted this weekend in our post here, the Snort 2.9.1 beta has been released along with a new version of DAQ (0.6).  The beta is available for download on our Snort-downloads site.

One thing to pay attention to is that Snort 2.9.1 requires an additional dependency, as noted in the release notes:

NOTE: Snort 2.9.1 requires pkg-config be installed for some
of its autoconf processing. See details below.

pkg-config is available for download here, if your system does not already have it.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to snort-beta@sourcefire.com.

Saturday, June 11, 2011

Snort 2.9.1 beta coming soon!

Hope you all are enjoying the weekend.  We wanted to put out a heads-up for those of you that follow Snort's development closely: our 2.9.1 beta will be coming very soon.  We'll be doing a breakdown of some of the newest features of Snort 2.9.1 upon its release, along with a webcast.  This release fixes a ton of bugs that the community has been asking about recently.

We'll post again when the beta release is out, with download links, and an email address about where to provide us feedback.

So without further ado, here are the release notes for the 2.9.1 beta:


[*] New Additions
* HTTP aware TCP reassembly support within HTTP Inspect and Stream5, allowing Snort to more intelligently inspect HTTP requests and responses. See README.stream5 subsection related to Protocol Aware Flushing (PAF).

* SIP preprocessor to identify SIP call channels and provide rule access via new rule option keywords. See the Snort Manual and README.sip for details.

* POP3 & IMAP preprocessors to decode email attachments in Base64, Quoted Printable, and uuencode formats, and updates to the SMTP preprocessor for decoding email attachments encoded in Quoted Printable and uuencode formats. See the Snort Manual, README.pop, README.imap, and README.SMTP for details.

* Add support for reading large pcap files.

[*] Improvements
* Logging of HTTP URL (host and filename), SMTP attachment filenames and email recipients when Snort generates events on related traffic.

* Updates to give shared library rules direct access to gzip decoding capabilities.

* Rule Option Improvements:

- Updates to content modifier http_cookie to not include the HTTP header names themselves in the buffer. This change may affect existing rules that leverage this keyword.

- Updates to the file_data and base64_data rule option keywords and added a pkt_data rule option keyword that sets the buffer to be used for subsequent content/pcre/etc rule options.

- Updates to the tcp flag rule option keyword to support 'C' and 'E' for CWR and ECN bits.

- Updates to byte_extract rule option keyword to support the same string formats as with byte_test and byte_jump.

* Updates to Snort's build infrastructure and autoconf script for portability and improved checks for library dependencies.

* Many updates and improvements to the Snort documentation. Special thanks to all of the contributors from the Snort community for working with us and making the documentation more accurate and usable.

* Updates to the sensitive data preprocessor for handling HTTP traffic and reducing false positives.

* Updates to Snort's config parsing to give more meaningful error messages relating to snort.conf errors and configuration display at startup.

* Updates to Snort's active response packets, whether sent via the response keyword or as part of inline normalization.

* Improvements to HTTP Inspect processing of chunked HTTP data.

* Updates to the statistics Snort prints to the console or syslog at exit for different preprocessors.

* To facilitate easier building of Snort on many of the different platforms supported, Snort now uses pkg-config to check for certain library locations. Obtain pkg-config from freedesktop.org.

Thursday, June 9, 2011

VRT Rule Update for 06/09/2011

The newest rule release for today from the VRT. In this release we introduce 5 new rules and make modifications to 25 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, netbios, specific-threats and web-misc rule sets to provide coverage for emerging threats from these technologies.

To subscribe to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Tuesday, June 7, 2011

VRT Rule Update for 06/07/2011

The newest rule release for today from the VRT. In this release we introduce 13 new rules and make modifications to 7 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, botnet-cnc, exploit, netbios, oracle, policy, rpc, specific-threats and web-misc rule sets to provide coverage for emerging threats from these technologies.

To subscribe to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Monday, June 6, 2011

VRT Rule Update for 06/02/2011

The newest rule release for today from the VRT. In this release we introduce 32 new rules and make modifications to 11 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, dos, exploit, netbios, policy, specific-threats, web-activex and web-misc rule sets to provide coverage for emerging threats from these technologies.

To subscribe to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!