Monday, November 28, 2011

VRT Rule Update for 11/28/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 15 new rules and made modifications to 637 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the backdoor, bad-traffic, botnet-cnc, dns, exploit, file-identify, ftp, icmp, imap, multimedia, netbios, pop3, scada, smtp, specific-threats, and web-misc rule sets to provide coverage for emerging threats from these technologies.


To subscribe to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Snort 2.9.2 RC's output warnings

Beginning in Snort 2.9.2, if you are using an output method that is being deprecated in a future version of Snort, we will warn you on startup.

Examples of these deprecated output methods that you will be warned about are:
spo_database (Direct to database output method, or commonly referred to as the "database output method")
spo_aruba (Aruba output plugin)
spo_prelude (Prelude output plugin)

These output plugins will be totally removed in Snort version 2.9.3.

We are not deprecating "unified1" as an output method in 2.9.3, but we do have plans for its EOL as well.

We suggest moving to unified2 as an output method, and also to barnyard2 (if you are still using the original barnyard).
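As an added illustration (not part of the original post), here is what that migration looks like in configuration: the direct-to-database line that triggers the 2.9.2 startup warning, the unified2 line that replaces it, and a barnyard2 configuration that takes over the database insert. File names, paths and credentials are assumed placeholders.

```snort
# --- snort.conf ---
# Deprecated in 2.9.2 and removed in 2.9.3: Snort performs the SQL insert
# itself, inline in the packet path.
# output database: log, mysql, user=snort password=<placeholder> dbname=snort host=localhost

# Replacement: Snort only appends binary unified2 records to a spool file
# (rolled over every 128 MB); no database work happens in the detection engine.
output unified2: filename snort.u2, limit 128

# --- barnyard2.conf (assumed path /etc/snort/barnyard2.conf) ---
# barnyard2 tails the unified2 spool and does the database insert out of band;
# the map files let it resolve GID/SID numbers back to rule messages.
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
input unified2
output database: log, mysql, user=snort password=<placeholder> dbname=snort host=localhost

# Start barnyard2 against the spool directory (-d), the file base name (-f)
# and a waldo bookmark file (-w) so it resumes where it left off after a restart:
# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
```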

Tuesday, November 22, 2011

Snort Rules EOL Versions are now posted

As requested by many members of the community, a chart for the End-of-life for Snort rule versions is now posted on our EOL Policy page: https://www.snort.org/eol.

Please note that "TBD" in the chart stands for "To Be Determined".

Snort 2.8.6.1 EOL, seriously

Last month we mistakenly announced the EOL of Snort 2.8.6.1, and the community let us know.
http://blog.snort.org/2011/10/snort-2861-isnt-eol-yet.html

November 23, 2011 marks the end of life for Snort 2.8.6.1 rule support. There will be one more Snort rule build with this support in it, and it will be the last.

The current version of Snort is 2.9.1.2 and is available for download here: https://www.snort.org/downloads

Tuesday, November 15, 2011

VRT Rule Update for 11/15/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 23 new rules and made modifications to 23 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the bad-traffic, blacklist, botnet-cnc, chat, dns, dos, exploit, file-identify, misc, oracle, policy, smtp, specific-threats, web-activex, and web-misc rule sets to provide coverage for emerging threats from these technologies.

Thursday, November 10, 2011

VRT Rule Update for 11/10/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 9 new rules and made modifications to 41 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the dns, exploit, file-identify, misc, multimedia, specific-threats and web-misc rule sets to provide coverage for emerging threats from these technologies.

Tuesday, November 8, 2011

VRT Rule Update for 11/08/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 2 new rules and made modifications to 51 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
The Sourcefire VRT is aware of vulnerabilities affecting hosts using the Microsoft Windows operating system.

Details:
Microsoft Security Advisory MS11-083:
The Microsoft Windows implementation of the TCP/IP networking stack contains a programming error that may allow a remote attacker to execute code or cause a Denial of Service (DoS) on an affected system.

A previously released rule will detect attacks targeting this vulnerability and is included in this release with updated reference information. It is identified with GID 1, SID 19678.

Microsoft Security Advisory MS11-085:
The Microsoft Windows Address Book component contains a programming error that may allow a remote attacker to execute code on an affected system. The problem occurs when the application attempts to process a malicious Windows Address Book Library file.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 20541 and 20542.

Monday, November 7, 2011

VRT Rule Update for 11/07/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 6 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
The Sourcefire VRT is aware of a vulnerability affecting hosts using the Microsoft Windows operating system.

Details:
Microsoft Security Advisory (2639658):
The Microsoft Windows TrueType font parsing engine contains a vulnerability that may allow a remote attacker to execute code on an affected system. A successful exploitation of this vulnerability may allow the attacker to execute code in kernel mode. This vulnerability is also related to the Duqu malware.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 20539.

Friday, November 4, 2011

VRT Rule Update for 11/04/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 8 new rules and made modifications to 531 additional rules.

There were no changes made to the snort.conf in this release.

Phase 2 of the file-identify.rules rollout was done in this release. For more information, please see the post here:

http://blog.talosintel.com/2011/11/say-hello-to-file-identify-category.html

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, botnet-cnc, exploit, file-identify, multimedia, specific-threats, web-client and web-php rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, November 2, 2011

VRT Rule Update for 11/02/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 99 new rules and made modifications to 423 additional rules.

There were two changes made to the snort.conf in this release.

The addition of the FILE_DATA_PORTS variable

# List of file data ports for file inspection
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]


As well as the inclusion of the file-identify.rules category

include $RULE_PATH/file-identify.rules


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, chat, deleted, dos, exploit, file-identify, ftp, misc, multimedia, policy, specific-threats, spyware-put, web-activex, and web-misc rule sets to provide coverage for emerging threats from these technologies.

This release introduces the file-identify.rules category. The purpose of this category is to standardize the structure of rules that set a flowbit used to identify file downloading activities. A new port variable, FILE_DATA_PORTS, accompanies this category and contains a ports list used by these rules to identify the download of file types.
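To show the pattern this category standardizes, here is an added pair of rules constructed for this post (they are not rules from the VRT ruleset; the local-range SIDs, the flowbit name and the PDF content checks are assumptions). The first rule identifies the file type on $FILE_DATA_PORTS and only records a flowbit; the second rule is gated on that flowbit.

```snort
# Constructed file-identify style rule: watch server-to-client traffic on the
# ports defined by FILE_DATA_PORTS (HTTP, POP3, IMAP), move the detection cursor
# to the decoded file body with file_data, and match the PDF magic at offset 0.
# flowbits:set records "this flow carries a PDF"; flowbits:noalert means this
# rule never produces an event of its own.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PDF file magic detected (example)"; flow:to_client,established; file_data; content:"%PDF-"; depth:5; flowbits:set,file.pdf; flowbits:noalert; classtype:misc-activity; sid:1000001; rev:1;)

# Constructed consumer rule: flowbits:isset makes the more specific content
# match run only on flows already marked as PDF downloads, so the same check
# does not have to be duplicated in every rule that cares about PDFs.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXAMPLE PDF download containing a JavaScript action"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; nocase; classtype:policy-violation; sid:1000002; rev:1;)
```

Because the identify rule sets the flowbit even when it is the only rule loaded, disabling it silently turns off every rule that depends on file.pdf; keep the file-identify rules enabled when tuning the ruleset.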

Introducing the file-identify rule category.

This week we are introducing a new category into the VRT ruleset. It's named "file-identify".

Instead of rehashing everything we wrote here, I'll just point you over to the post on the VRT Blog.

Please go here: http://blog.talosintel.com/2011/11/say-hello-to-file-identify-category.html