Thursday, July 28, 2011

VRT Rule Update for 7/28/2011

Welcome to the newest rule release for today from the VRT. In this release we introduce 11 new rules and make modifications to 6 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist and web-client rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Wednesday, July 27, 2011

Barnyard2 sets up a Google Group!

Greetings everyone,

The barnyard2 team wants to announce the creation of two Google groups that will be used to ease the way for users to report issues, find answers and discuss barnyard2-related topics.

barnyard2-users and barnyard2-devel.

barnyard2-users@googlegroups.com (for users problems and issues)
barnyard2-devel@googlegroups.com (for development updates, fixes, patches, comments, and more)

We strongly encourage you to join if you have any issues/comments/questions related to barnyard2.

We would also like to extend a special invitation to UI developers who are willing to improve the future of the database schema and the handling of the unified2 EXTRA_DATA event type.

Any comments or questions can also be directed to

Ian Firns firnsy@securixlive.com
Eric Lauzon beenph@gmail.com

Eager to see you around in the barn *wink wink*

Update: Here is the direct link to the barnyard2 group: http://groups.google.com/groups/dir?lnk=nhpsfg&q=barnyard2. Thanks Jason!

-The barnyard2 team.

SQueRT 0.9.0 has been released!

Big UI changes with this release.

## CHANGELOG:

* tabbed interface
* date ribbon
* CSS/JS fixes and cleanup
* Bunch of new stuff

## New pictures are here:

http://www.squertproject.org/screenshots

## Demo server:

Is currently down until a new hosting provider can be found.

## You can download it here:

http://www.squertproject.org/download

--Paul Halliday

Tuesday, July 26, 2011

VRT Rule Update for 7/26/2011

Welcome to the newest rule release for today from the VRT. In this release we introduce 31 new rules and make modifications to 6 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Oracle Database Server (CVE-2011-0799):
Oracle Database Server contains a programming error that may allow a remote, unauthenticated attacker to access data residing on an affected system. The attack vector is an SQL injection vulnerability using the Oracle Warehouse Builder User account.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 19599 and 19600.

Oracle Sun Products Suite (CVE-2011-2260):
The Oracle GlassFish Server component in the Oracle Sun Products Suite contains a programming error that may allow a remote attacker to execute a cross-site scripting attack.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19605.

Additionally, the Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, exploit, netbios, specific-threats, spyware-put and web-client rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Monday, July 25, 2011

Nick Moore's Webcast Slides are posted

This past week's webcast was not recorded; however, I have posted the slides for the presentation, and they are available at the Snort Webcast Series link.

I am going to try to get future webcasts recorded for easy playback; sorry for any inconvenience.

Nick's webcast was on the basics of Snort tuning, a "101" class. Nick talks about the importance of variables, rule tuning, and lots of other goodies.

Snorby 2.3.1 has been released!

Snorby 2.3.1 ships with a large number of bug fixes and design and user-experience improvements. A new version of Insta-Snorby will be released later tonight bundled with the latest versions of snorby, openfpc and snort.

Source Code: https://github.com/Snorby/snorby
Website: http://www.snorby.org

Source Changes Since 2.2.7:

# Snorby 2.3.1

* Numerous UI enhancements.

# Snorby 2.3.0 (codename: fixme)

* Backend
  * Cache logic now processes in chunks to prevent blowing the stack
  * Fixed issues with daily cache not processing when events return nil
  * Epic amounts of other bug fixes

* UI/UX
  * Admin menu moved to sub menu bar for UX reasons.
  * Changed hotkeys that conflict with macosx bindings
  * Box titles now built with css
  * Content headers now built with css and window menus now align correctly.
  * Flash message now covers only the top header.

Tuesday, July 19, 2011

VRT Rule Update for 7/19/2011

Welcome to the newest rule release for today from the VRT. In this release we introduce 22 new rules and make modifications to 24 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, policy, spyware-put and web-php rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Register for Nick Moore's Webcast -- Snort Monthly Webcast

Thank you for attending the webcast, the slides will be posted shortly.

Snort 2.9.1 RC is now available, including IP reputation preprocessor!

Snort 2.9.1 RC is now available on snort.org, at
https://www.snort.org/downloads in the Latest Development Release section.

2.9.0 RC & later packages are signed with a new PGP key (that is signed with the previous key).

****
NOTE: Snort 2.9.1 requires pkg-config be installed for some of its autoconf processing.  See details below.
****

Snort 2.9.1 introduces the following new capabilities:

* Protocol aware reassembly support for HTTP and DCE/RPC preprocessors.  Updates to Stream5 allowing Snort to more intelligently inspect HTTP and DCE/RPC requests and responses. See README.stream5 subsection related to Protocol Aware Flushing (PAF).

* SIP preprocessor to identify SIP call channels and provide rule access via new rule option keywords.  Also includes new preprocessor rules for anomalies in the SIP communications. See the Snort Manual and README.sip for details.

* POP3 & IMAP preprocessors to decode email attachments in Base64, Quoted Printable, and uuencode formats, and updates to SMTP preprocessor for decoding email attachments encoded as Quoted Printable and uuencode formats.  See the Snort Manual, README.pop, README.imap, and README.SMTP for details.

* Support for reading large pcap files.

* Logging of HTTP URL (host and filename), SMTP attachment filenames and email recipients to unified2 when Snort generates events on related traffic.

* IP Reputation preprocessor, allowing Snort to blacklist or whitelist packets based on their IP addresses. This preprocessor is still in an experimental state, so please report any issues to the Snort team.  See README.reputation for more information.

Additionally, the following updates and improvements have been made:

* Updates to give shared library rules direct access to gzip decoding capabilities.

* Rule Option Improvements:

- Updates to content modifier http_cookie to not include the HTTP header names themselves in the buffer.  This change may affect existing rules that leverage this keyword.

- Updates to the file_data and base64_data rule option keywords and added a pkt_data rule option keyword that sets the buffer to be used for subsequent content/pcre/etc rule options.

- Updates to the tcp flag rule option keyword to support 'C' and 'E' for CWR and ECN bits.

- Updates to byte_extract rule option keyword to support the same string formats as with byte_test and byte_jump.

* Updates to Snort's build infrastructure and autoconf script for portability and improved checks for library dependencies. To facilitate easier building of Snort on many of the different platforms supported, Snort now uses pkg-config to check for certain library locations. Obtain pkg-config from freedesktop.org.

* Many updates and improvements to the Snort documentation.  Special thanks to all of the contributors from the Snort community for working with us and making the documentation more accurate and usable.

* Updates to the sensitive data preprocessor for handling HTTP traffic and reducing false positives.

* Updates to Snort's config parsing to provide more meaningful error messages relating to snort.conf errors and configuration display at startup.

* Updates to Snort's active response packets whether via response keyword or part of inline normalization.

* Improvements to HTTP Inspect processing of chunked HTTP data. Additional HTTP Inspect alerts for evasion attempts such as small chunks and excessive whitespace in folded headers.

* Updates to the statistics Snort prints to console or syslog at exit for different preprocessors.
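The tcp flags rule option change listed above adds 'C' (CWR) and 'E' (ECN-Echo) as flag letters. The matcher below is an added example written for this page, not code from the Snort source: it re-implements the documented semantics of the flags keyword (exact match, the +, * and ! modifiers, the ',mask' suffix and '0' for no flags) over constructed TCP flag bytes, so a rule author can check what a given flags: value would match before deploying it. The function names and the sample packet values are this example's own.

```python
import re

# Snort "flags" letters -> bits of the TCP flags byte (RFC 793 + RFC 3168).
# 'C' (CWR, 0x80) and 'E' (ECN-Echo, 0x40) are the letters added in Snort 2.9.1.
FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80,
}

# <modifier><flags>[,<mask>]  e.g. "S", "+S", "*SF", "!A", "S,CE", "0"
_OPTION_RE = re.compile(r"^([+*!]?)([FSRPAUCE]+|0)(?:,([FSRPAUCE]+))?$")


def letters_to_bits(spec):
    """Translate a letter string such as 'SCE' ('0' = no flags) to a bitmask."""
    bits = 0
    if spec != "0":
        for ch in spec:
            bits |= FLAG_BITS[ch]
    return bits


def flags_match(option, pkt_flags):
    """Evaluate one Snort 'flags:' option value against a packet's TCP flags byte.

    Per the Snort manual: no modifier = exact match; '+' = the listed bits plus
    any others; '*' = any of the listed bits; '!' = none of the listed bits.
    Bits named after the comma are masked off the packet before comparing.
    """
    m = _OPTION_RE.match(option.replace(" ", ""))
    if not m:
        raise ValueError(f"malformed flags option: {option!r}")
    modifier, wanted, mask = m.groups()
    want = letters_to_bits(wanted)
    have = (pkt_flags & 0xFF) & ~letters_to_bits(mask or "0")
    if modifier == "+":
        return (have & want) == want
    if modifier == "*":
        return (have & want) != 0
    if modifier == "!":
        return (have & want) == 0
    return have == want


# Constructed sample flag bytes (not captured traffic).
PACKETS = {
    "plain_syn": 0x02,   # S
    "ecn_syn": 0xC2,     # S + E + C: an ECN-setup SYN, which "flags:S" alone misses
    "syn_ack": 0x12,     # S + A
}


def demo(options=("S", "S,CE", "SCE", "+S", "!A")):
    """Return, for each option, the names of the sample packets it matches."""
    return {opt: [n for n, f in PACKETS.items() if flags_match(opt, f)] for opt in options}


if __name__ == "__main__":
    for opt, hits in demo().items():
        print(f"flags:{opt:<6} -> {hits}")
```

The "S,CE" row is the practical point: masking the two ECN bits lets a SYN-only rule keep firing on ECN-capable hosts, where a bare "S" silently stops matching.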

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to snort-beta@sourcefire.com.

Happy Snorting!
The Snort Release Team

Thursday, July 14, 2011

VRT Rule Update for 7/14/2011 - A Malware Update

Here is the newest rule release for today from the VRT. In this release we introduce 84 new rules and make modifications to 1 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, policy, spyware-put and web-php rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Tuesday, July 12, 2011

VRT Rule Update for 7/12/2011, MS Tues

Here is the newest rule release for today from the VRT. In this release we introduce 23 new rules and make modifications to 5 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Microsoft Security Advisory MS11-054:
The Microsoft Windows Operating System contains a programming error
that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 1, SIDs 19467 through 19469.

Microsoft Security Advisory MS11-055:
Microsoft Visio contains a programming error that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 19465 and 19466.

Microsoft Security Advisory MS11-056:
The Microsoft Client/Server Runtime Subsystem (CSRSS) contains programming errors that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 19460 through 19464.


A complete list of new and modified rules is provided in a separate file on the Sourcefire Customer Support Site.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Saturday, July 9, 2011

VRT Rule Update for 7/7/2011

Here is the newest rule release for today from the VRT. In this release we introduce 41 new rules and make modifications to 10 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, exploit, scada, specific-threats, sql, web-cgi and web-misc rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Thursday, July 7, 2011

VRT Rule Update for 7/6/2011

Here is the newest rule release for today from the VRT. In this release we introduce 3 new rules and make modifications to 26 more.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the specific-threats and web-client rule sets to provide coverage for emerging threats in these categories.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!