Monday, November 28, 2011

VRT Rule Update for 11/28/2011

The VRT has published today's rule release. In this release we introduced 15 new rules and made modifications to 637 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the backdoor, bad-traffic, botnet-cnc, dns, exploit, file-identify, ftp, icmp, imap, multimedia, netbios, pop3, scada, smtp, specific-threats, and web-misc rule sets to provide coverage for emerging threats from these technologies.


You can subscribe to the VRT's newest rule detection functionality for as little as US $29 a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Snort 2.9.2 RC's output warnings

Beginning in Snort 2.9.2, if you are using an output method that is deprecated and will be removed in a future version of Snort, Snort will warn you on startup.

Examples of the deprecated output methods that you will be warned about are:
spo_database (Direct to database output method, or commonly referred to as the "database output method")
spo_aruba (Aruba output plugin)
spo_prelude (Prelude output plugin)

These output plugins will be removed entirely in Snort version 2.9.3.

We are not deprecating "unified1" as an output method in 2.9.3, but we do have plans for its EOL as well.

We suggest moving to unified2 as your output method, and to barnyard2 if you are still using the original barnyard.
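
As an added example of that migration (this is not configuration from the original post; the host name, credentials, paths and file names are placeholders), here is the deprecated direct-to-database output beside the recommended unified2 setup, with the barnyard2 stanzas that take over the database work:

```snort
# ---- snort.conf: deprecated (warns on startup in 2.9.2, removed in 2.9.3) ----
# Direct-to-database logging via spo_database. Placeholder credentials.
output database: log, mysql, user=snort password=changeme dbname=snort host=localhost

# ---- snort.conf: recommended ----
# Binary unified2 output. Snort writes snort.u2.<timestamp> in its log
# directory (-l) and rolls the file at 128 MB. Snort only appends records;
# the database inserts move out of the packet path into barnyard2.
output unified2: filename snort.u2, limit 128

# ---- barnyard2.conf ----
# Read the unified2 spool and perform the same insert spo_database used to
# do inside Snort. The map files come from the rules tarball.
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
input unified2
output database: log, mysql, user=snort password=changeme dbname=snort host=localhost
```

barnyard2 is then started against the spool directory and file prefix, with a waldo file so it resumes where it left off after a restart: `barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo`. If your snort.conf still carries `output alert_unified:` or `output log_unified:` lines, those are the unified1 plugin mentioned above; they are not removed in 2.9.3, but the same unified2 change covers them.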

Snort 2.9.2 RC has been released

Following up on our beta from October 28th, we are happy to announce that Snort 2.9.2 has reached the "Release Candidate" or "RC" stage.

Available for download here:  http://www.snort.org/snort-downloads

Feedback can be submitted here:  snort-beta [at] sourcefire.com

Release notes are as follows; items in bold are new to the RC:

[*] New Additions
* SCADA (DNP3 and Modbus) preprocessors. Added two new preprocessors
to support writing rules for detecting attacks for control systems.
New rule keywords are supported, and DNP3 leverages Stream5 PAF
support for TCP reassembly. See the Snort Manual, README.dnp3 and
README.modbus for details of the configurations and new rule
options.


* GTP decoding and preprocessor. Updated the Snort packet decoders
and added a preprocessor to support detecting attacks over GTP (GPRS
Tunneling Protocol). Snort's GTP support handles multiple versions
of GTP and has a rich configuration set. See the Snort Manual and
README.GTP for details.


* Updates to the HTTP preprocessor to normalize HTTP responses that
include javascript escaped data in the HTTP response body. This
expands Snort's coverage in detecting HTTP client-side attacks.
See the Snort Manual and README.http_inspect for configuration
details.


* Added Protocol-Aware Flushing (PAF) support for FTP.

[*] Improvements
* Updates to Stream preprocessor to be able to track and store
"stream" data for non TCP/UDP flows. Also improvements to handle
when memory associated with a blocked stream is released and usable
for other connections.


* Updates to dce_stub_data to make it act the same as file_data
and pkt_data rule option keywords in how it interacts with
subsequent content/pcre/etc rule options.


* Updates to how Snort handles and processes signals received
from the OS.



* Enabled logging of normalized JavaScript to unified2 without the
use of the --enable-sourcefire configuration option.


* Improved handling of gaps and overlaps for "first" and "vista"
policies in Stream5.



* Added support for signal handler customization. At compile-time,
Snort can be customized to use different signal numbers.
This allows problems with overlapping signals to be fixed on a
per-platform basis, which is especially helpful for the BSDs.
See the Snort Manual for more details.
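
As an added example (not part of the release notes), here is what a minimal configuration for the two new SCADA preprocessors and the JavaScript normalization looks like, with two rules that use the new protocol-aware keywords. The preprocessor syntax and the function-code names follow README.modbus and README.dnp3 as understood here, so verify them against the READMEs shipped with the 2.9.2 tarball; the SIDs are local example numbers and $HOME_NET is assumed to be the control-system segment.

```snort
# snort.conf: enable the SCADA preprocessors on the standard ports
# (502/tcp Modbus, 20000/tcp DNP3). DNP3 uses Stream5 PAF for reassembly,
# so stream5 must be enabled as usual.
preprocessor modbus: ports { 502 }
preprocessor dnp3: ports { 20000 } memcap 262144 check_crc

# http_inspect: normalize escaped JavaScript in response bodies so that
# file_data matches on the decoded script rather than on the escapes.
preprocessor http_inspect_server: server default profile all ports { 80 8080 } normalize_javascript

# Modbus: a write to multiple holding registers from outside the plant
# network. modbus_func matches the function code, not a byte pattern, so
# the rule survives changes in unit id or register addresses.
alert tcp $EXTERNAL_NET any -> $HOME_NET 502 ( \
    msg:"SCADA Modbus write multiple registers from external host"; \
    flow:to_server,established; \
    modbus_func:write_multiple_registers; \
    classtype:attempted-admin; sid:1000001; rev:1; )

# DNP3: a cold restart request from outside the plant network. The
# preprocessor validates CRCs (check_crc) before the keyword is evaluated,
# so corrupted frames do not reach this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 20000 ( \
    msg:"SCADA DNP3 cold restart request from external host"; \
    flow:to_server,established; \
    dnp3_func:cold_restart; \
    classtype:attempted-dos; sid:1000002; rev:1; )
```

The value of the new keywords is that the preprocessor parses the application-layer header once and exposes the function code to every rule, where a content match on the raw bytes would have to account for the transaction id, length field and unit id in front of it. Whether a write or restart from a given source is hostile is a site policy decision, so $HOME_NET and $EXTERNAL_NET should be set to reflect the actual control-network boundary before these rules are enabled.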

Tuesday, November 22, 2011

Snort Rules EOL Versions are now posted

As requested by many members of the community, a chart for the End-of-life for Snort rule versions is now posted on our EOL Policy page:  http://www.snort.org/vrt/rules/eol_policy.

Please note that "TBD" in the chart stands for "To Be Determined".

Snort 2.8.6.1 EOL, seriously

Last month we mistakenly announced the EOL of Snort 2.8.6.1, and the community let us know.
http://blog.snort.org/2011/10/snort-2861-isnt-eol-yet.html

November 23, 2011 marks the end of life for Snort 2.8.6.1 rule support. The next Snort rule build will be the last version built with 2.8.6.1 support in it.

The current version of Snort is 2.9.1.2 and is available for download here: http://www.snort.org/snort-downloads?

Tuesday, November 15, 2011

VRT Rule Update for 11/15/2011

The VRT has published today's rule release. In this release we introduced 23 new rules and made modifications to 23 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the bad-traffic, blacklist, botnet-cnc, chat, dns, dos, exploit, file-identify, misc, oracle, policy, smtp, specific-threats, web-activex, and web-misc rule sets to provide coverage for emerging threats from these technologies.


You can subscribe to the VRT's newest rule detection functionality for as little as US $29 a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Thursday, November 10, 2011

VRT Rule Update for 11/10/2011

The VRT has published today's rule release. In this release we introduced 9 new rules and made modifications to 41 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the dns, exploit, file-identify, misc, multimedia, specific-threats and web-misc rule sets to provide coverage for emerging threats from these technologies.


You can subscribe to the VRT's newest rule detection functionality for as little as US $29 a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Tuesday, November 8, 2011

VRT Rule Update for 11/08/2011

The VRT has published today's rule release. In this release we introduced 2 new rules and made modifications to 51 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
The Sourcefire VRT is aware of vulnerabilities affecting hosts using the Microsoft Windows operating system.

Details:
Microsoft Security Advisory MS11-083:
The Microsoft Windows implementation of the TCP/IP networking stack contains a programming error that may allow a remote attacker to execute code or cause a Denial of Service (DoS) on an affected system.

A previously released rule will detect attacks targeting this vulnerability and is included in this release with updated reference information. It is identified with GID 1, SID 19678.

Microsoft Security Advisory MS11-085:
The Microsoft Windows Address Book component contains a programming error that may allow a remote attacker to execute code on an affected system. The problem occurs when the application attempts to process a malicious Windows Address Book Library file.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 20541 and 20542.

You can subscribe to the VRT's newest rule detection functionality for as little as US $29 a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Monday, November 7, 2011

VRT Rule Update for 11/07/2011

The VRT has published today's rule release. In this release we introduced 6 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
The Sourcefire VRT is aware of a vulnerability affecting hosts using the Microsoft Windows operating system.

Details:
Microsoft Security Advisory (2639658):
The Microsoft Windows TrueType font parsing engine contains a vulnerability that may allow a remote attacker to execute code on an affected system. Successful exploitation of this vulnerability may allow the attacker to execute code in kernel mode. This vulnerability is also associated with the Duqu malware.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 20539.

You can subscribe to the VRT's newest rule detection functionality for as little as US $29 a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Friday, November 4, 2011

VRT Rule Update for 11/04/2011

The VRT has published today's rule release. In this release we introduced 8 new rules and made modifications to 531 additional rules.

There were no changes made to the snort.conf in this release.

Phase 2 of the file-identify.rules rollout was done in this release. For more information, please see the post here:

http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, botnet-cnc, exploit, file-identify, multimedia, specific-threats, web-client and web-php rule sets to provide coverage for emerging threats from these technologies.

You can subscribe to the VRT's newest rule detection functionality for as little as US $29 a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Wednesday, November 2, 2011

VRT Rule Update for 11/02/2011

The VRT has published today's rule release. In this release we introduced 99 new rules and made modifications to 423 additional rules.

There were two changes made to the snort.conf in this release.

The addition of the FILE_DATA_PORTS variable

# List of file data ports for file inspection
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]


As well as the inclusion of the file-identify.rules category

include $RULE_PATH/file-identify.rules


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, chat, deleted, dos, exploit, file-identify, ftp, misc, multimedia, policy, specific-threats, spyware-put, web-activex, and web-misc rule sets to provide coverage for emerging threats from these technologies.

This release introduces the file-identify.rules category. The purpose of this category is to standardize the structure of rules that set a flowbit used to identify file downloading activities. A new port variable, FILE_DATA_PORTS, accompanies this category and contains a ports list used by these rules to identify the download of file types.
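
As an added illustration of the pattern this category standardizes (these are example rules written here, not rules from the VRT release; the SIDs are local example numbers and the flowbit name file.pdf is chosen for the example), here is a file-identify style rule that tags a PDF download and a downstream rule that only runs once that tag is set:

```snort
# snort.conf: the two additions from this release. $HTTP_PORTS covers web
# downloads; 110 and 143 add POP3 and IMAP message bodies.
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
include $RULE_PATH/file-identify.rules

# file-identify style rule: match the file magic at the start of the file
# data buffer, record the file type in a flowbit, and generate no alert of
# its own (flowbits:noalert). The ports variable, not the rule, decides
# which protocols are in scope.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( \
    msg:"FILE-IDENTIFY PDF file magic detected"; \
    flow:to_client,established; \
    file_data; content:"%PDF-"; depth:5; \
    flowbits:set,file.pdf; flowbits:noalert; \
    classtype:misc-activity; sid:1000003; rev:1; )

# Detection rule gated on the flowbit: the content check runs only on
# streams already identified as carrying a PDF, and a future format change
# needs an update to the file-identify rule, not to every PDF rule.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( \
    msg:"FILE-PDF JavaScript action object in PDF download"; \
    flow:to_client,established; \
    flowbits:isset,file.pdf; \
    file_data; content:"/JavaScript"; nocase; \
    classtype:misc-activity; sid:1000004; rev:1; )
```

The second rule is deliberately plain: plenty of legitimate PDFs contain /JavaScript, so on a real sensor it would be a starting point for tighter content or pcre checks rather than a finished signature. What the pair shows is the division of labour the new category formalizes: one rule per file type identifies the file and sets the bit, and every rule that cares about that file type starts with flowbits:isset instead of repeating the magic match.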

You can subscribe to the VRT's newest rule detection functionality for as little as US $29 a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Introducing the file-identify rule category.

This week we are introducing a new category into the VRT ruleset. It's named "file-identify".

Instead of rehashing everything we wrote here, I'll just point you over to the post on the VRT Blog.

Please go here:  http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html