Wednesday, December 28, 2011

VRT Rule Update for 12/27/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 11 new rules and made modifications to 4 additional rules.

The following changes were made to the snort.conf in this release. We suggest you use the most current snort.conf from the VRT tarball to upgrade, or use the snort.conf configuration download page found here: Snort.conf configuration page

Added a variable for GTP_PORTS

# List of GTP ports for GTP preprocessor
portvar GTP_PORTS [2123,2152,3386]


Changed the rule path for the IP reputation preprocessor; you should modify this to match your environment:

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules


Added a config line for the GTP preprocessor (v2.9.2.0), commented out (off) by default:

# config enable_gtp


Added some new http_methods to the http inspect preprocessor (v2.9.2.0):

http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA }


Enabled javascript normalization by default in the http inspect preprocessor:

normalize_javascript


Added configurations for the modbus and dnp3 preprocessors:

# Modbus preprocessor. For more information see README.modbus
preprocessor modbus: ports { 502 }

# DNP3 preprocessor. For more information see README.dnp3
preprocessor dnp3: ports { 20000 } \
    memcap 262144 \
    check_crc



In VRT's rule release:

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the smtp,
specific-threats and web-client rule sets to provide coverage for
emerging threats from these technologies.
This release also provides coverage for a new FreeBSD telnetd overflow; the rules can be found in SIDs 20812 and 20813.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, December 19, 2011

VRT Rule Update for 12/09/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 16 new rules and made modifications to 5169 additional rules.  This rule release also added support for Snort Version 2.9.2.0.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
attack-responses, bad-traffic, dns, dos, exploit, file-identify, ftp,
icmp, imap, misc, multimedia, netbios, nntp, p2p, policy, pop3, smtp,
snmp, specific-threats, sql, telnet, tftp, web-activex, web-cgi,
web-client, web-frontpage and web-misc rule sets to provide coverage
for emerging threats from these technologies.



Sunday, December 18, 2011

Snort 2.9.0.5 EOL date has been posted

Last month we started publishing the EOL dates of the supported versions of Snort from the official Snort ruleset.

Posted here:
https://www.snort.org/eol

You will now see that the EOL date for Snort version 2.9.0.5 is set for 2012-03-13, that's March 13, 2012.

As always, any questions about the Snort EOL policy can be directed towards me: joel@snort.org and I'll get them answered for you.


Friday, December 16, 2011

One Year of the Snort.org Blog

The other day marked the one-year milestone of this blog's creation.  So I thought I'd reflect a bit on how it's helped me, and ask you, the community, if it's done the same for you.

When I took over the Snort Community Manager position here at Sourcefire, I put out a news post that asked what the pain points were for the Snort project, suggestions on how to improve things, and whatever else people felt like writing me with.  (By the way, you can always write me at joel@snort.org.)  You all came up with some great stuff, and I've been implementing some of the ideas both in the community aspect (some people complained it was hard to find documentation and things like that) and in the engine itself (lots of improvements made, more coming).

One of the ideas that I wanted to bring to the table when I took over was to start a blog.  I wanted to start a Snort Blog, revive the ClamAV blog, and start a Sourcefire corporate blog.  The first two I accomplished quickly and the last was also implemented this year.  I wanted to have one place to get your news and information about Snort and one place to get your information about ClamAV: any changes made to Snort.org, community happenings, improvements, etc.

This blog has allowed me to quickly and easily get information out to the community, as well as provide a forum for feedback to allow people to communicate easily with me.  The other thing it provides is to give a place for our developers to directly speak to you and explain new features of Snort (which we will be doing in the coming weeks about Snort 2.9.2).

But, let me hear from you.  What do you think?  Has the blog helped?  What can I do to make things better?  What suggestions do you have?

Snort-Devel Google Group

Just to let you all know, I've gone ahead and transitioned the Snort-Devel Google Group.  I've taken everyone who was in the group and added them to the Snort-devel mailing list found here:

https://www.snort.org/community

The Snort-Devel Google Group has been locked and will reject any future attempts to post.

I'll move the other Groups as well soon.

Thank you, and have a Happy Holiday.

Wednesday, December 14, 2011

Snort 2.9.2 has been released!

Following up to our Release Candidate  back on November 28th, we are happy to announce that Snort 2.9.2 has now been released!

Available for download here:  https://www.snort.org/downloads

Over the coming weeks we'll have blog posts related to the new features of Snort 2.9.2.  Thanks for supporting Snort, and keep the suggestions, bug reports, and patches coming!

Release notes are as follows:

[*] New Additions
* SCADA (DNP3 and Modbus) preprocessors. Added two new preprocessors
to support writing rules for detecting attacks for control systems.
New rule keywords are supported, and DNP3 leverages Stream5 PAF
support for TCP reassembly. See the Snort Manual, README.dnp3 and
README.modbus for details of the configurations and new rule
options.


* GTP decoding and preprocessor. Updated the Snort packet decoders
and added a preprocessor to support detecting attacks over GTP (GPRS
Tunneling Protocol). Snort's GTP support handles multiple versions
of GTP and has a rich configuration set. See the Snort Manual and
README.GTP for details.


* Updates to the HTTP preprocessor to normalize HTTP responses that
include javascript escaped data in the HTTP response body. This
expands Snort's coverage in detecting HTTP client-side attacks.
See the Snort Manual and README.http_inspect for configuration
details.


* Added Protocol-Aware Flushing (PAF) support for FTP.

[*] Improvements
* Updates to Stream preprocessor to be able to track and store
"stream" data for non TCP/UDP flows. Also improvements to handle
when memory associated with a blocked stream is released and usable
for other connections.


* Updates to dce_stub_data to make it act the same as file_data
and pkt_data rule option keywords in how it interacts with
subsequent content/pcre/etc rule options.


* Updates to how Snort handles and processes signals received
from the OS.


* Enabled logging of normalized JavaScript to unified2 without the
use of the --enable-sourcefire configuration option.


* Improved handling of gaps and overlaps for "first" and "vista"
policies in Stream5.


* Added support for signal handler customization. At compile-time,
Snort can be customized to use different signal numbers.
This allows problems with overlapping signals to be fixed on a
per-platform basis, which is especially helpful for the BSDs.
See the Snort Manual for more details.

Google Groups, Mailing Lists, and Forums, redux

Snort Community --

A year ago I asked the Snort Community which route would be preferable to take with methods of interaction within the community. The three options presented were Google Groups, Forums (as they were), or Mailing lists.  People voted in the vast majority for Google Groups.

The original intention for the Google Groups was to collapse the Forums and the Mailing lists and consolidate everything into the Google Groups structure, so we could have both a web-based forum and an email-based forum for interacting with the rest of the Snort Community, as well as with the developers and maintainers of Snort, the official Snort ruleset, and all the projects that surround this large community.

Unfortunately this isn't working out for many reasons.

  1. Shortly after we did this, Google separated "Google" accounts and "Google Business" accounts, making it nearly impossible to use a public Google Groups forum with a private Google Business account.  It is possible to do, but it takes a lot of work and isn't worth the trouble.
  2. We found that you can only add 10 members to a Google Group at a time; if you add too many, Google thinks you are spamming and they close the Group.  Well, with over 7000 members between the three lists, that would take quite some time to complete.
  3. We have 10+ years of history on the Snort Mailing lists, and I don't want to abandon that.


So moving forward, what I intend to do is lock the Google Groups, move the members of the 3 Google Groups over to the respective Snort Mailing list, and subscribe everyone.  In the subscribe email, I'll provide instructions on where to log in and change your delivery method (some people prefer digest mode) or even unsubscribe if you don't wish to receive email.  I'll move Snort-Devel first, then Snort-Sigs, then Snort-Users.

This will provide the community with one place to ask and receive answers to questions.

I'm interested in hearing your feedback.

Tuesday, December 13, 2011

VRT Rule Update for 12/13/2011, Microsoft Tuesday Coverage

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 76 new rules and made modifications to 661 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
The Sourcefire VRT is aware of vulnerabilities affecting products from
Microsoft Corporation.

Details:
Microsoft Security Advisory MS11-087:
A vulnerability exists in the way that Microsoft Windows systems
process TrueType font files that may allow a remote attacker to execute
code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 20735.

Microsoft Security Advisory MS11-089:
Microsoft Office contains programming errors that may allow a remote
attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 20724 and 20734.

Microsoft Security Advisory MS11-090:
A vulnerability exists in the way that Microsoft Internet Explorer
handles ActiveX objects that may allow a remote attacker to execute
code on an affected system.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 1, SIDs 20704 through 20716.

Microsoft Security Advisory MS11-091:
Microsoft Publisher contains programming errors that may allow a remote
attacker to elevate privileges on an affected host.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 20719 through 20721.

Microsoft Security Advisory MS11-093:
The Microsoft Windows Object Linking and Embedding (OLE) framework
contains a vulnerability that may allow a remote attacker to execute
code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 20717.

Microsoft Security Advisory MS11-094:
Microsoft PowerPoint contains programming errors that may allow a
remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 20700 through 20703
and SID 20722.

Microsoft Security Advisory MS11-096:
A vulnerability exists in Microsoft Excel that may allow a remote
attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 20718.

Microsoft Security Advisory MS11-099:
Microsoft Windows contains programming errors that may allow a remote
attacker to execute code on an affected system.

A rule to detect attacks targeting these vulnerabilities is included in
this release and is identified with GID 1, SID 20699.

Additionally, previously released rules will also detect attacks
targeting this vulnerability and are included in this release with
updated reference information. They are identified with GID 1, SIDs
18208 and 18209.

The Sourcefire VRT has added and modified multiple rules in the
backdoor, bad-traffic, blacklist, botnet-cnc, chat, ddos, dns, dos,
exploit, file-identify, ftp, imap, misc, multimedia, mysql, netbios,
oracle, p2p, phishing-spam, policy, pop3, rservices, specific-threats,
spyware-put, sql, telnet, voip, web-activex, web-cgi, web-client,
web-iis and web-php rule sets to provide coverage for emerging threats
from these technologies.



Friday, December 9, 2011

Snort 2.9.1.2 Installation Guide on Mac OS X just posted!

Thanks to Christoph Murauer for an excellent guide to installing Snort 2.9.1.2 on Mac OS X!

Check out Christoph's Snort 2.9.1.2 install guide here.

Thanks to all of our Snort community contributors for their documentation.  If you'd like to contribute some documentation and have it hosted on http://snort.org/docs, please feel free to contact me at joel@snort.org, and if we put your guides/whitepapers up on the site, we'll send you some Snort swag!

As always Snort.org makes no warranty or edits to submitted documentation, and we'd like to thank the contributors of the documentation for their time.

The argument 'mime' to 'file_data' rule option is deprecated.

TL;DR:   This hurts nothing.  Ignore it.  Read the below to learn why it's there.

A lot of people have been seeing this warning, Googling it, asking about it, and wondering what it means when it's displayed on Snort startup.

Prior to Snort version 2.9.1, the "mime" argument to the "file_data" keyword was what told Snort to set the detection pointer to the decoded MIME attachment in an email.  When Snort version 2.9.1 was released, we built that "mime" behaviour into the file_data keyword itself.  This makes it simpler for the rule author: you write one rule, and Snort will correctly set the pointer for the http, smtp, ftp, smb, pop3, and imap protocols.

We will still include this keyword within the official Snort ruleset distributed by the VRT so long as we distribute rulesets for Snort version 2.9.0.5.  If you are using Snort >=2.9.1, you can safely ignore this warning.  After the EOL for Snort 2.9.0.5 has been reached (90 days after the release of Snort 2.9.2), we'll remove the mime operator from the ruleset, and this warning will go away.

Wednesday, December 7, 2011

VRT Rule Update for 12/07/2011, Adobe CVE-2011-2462 coverage

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 34 new rules and made modifications to 67 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, bad-traffic, botnet-cnc, chat, exploit, file-identify,
icmp-info, nntp, policy, rpc, scada, smtp, snmp, specific-threats,
telnet, web-client and web-php rule sets to provide coverage for
emerging threats from these technologies.
Protection is also included in this rule release for Adobe Reader CVE-2011-2462.  Sid 1:20659 can be used against this threat.


If you are having problems with your flowbits

Some people have been experiencing a problem with their Snort downloads during the recent file-identify.rules transition.

During this transition we added a feature to the flowbit "set" rules called a "flowbit group". The intention of a flowbit group is that when one flowbit in the group has been set on a stream, and another rule later sets a different flowbit in the same group on that same stream, the first flowbit is unset.

This is EXTREMELY helpful for things like http pipelined streams where multiple downloads are done over a single stream and would result in the occasional false positive.

While we received zero false negative or false positive reports as a result of the flowbit group being in the file-identify ruleset, we decided to go back to the original method of flowbit "set" and "unset".  Unfortunately, this affected people who wrote custom rules that either checked or set a flowbit with the same flowbit name as ours.  It also identified a minor restart bug that affected users of open-source Snort (not the Sourcefire product) in Snort version 2.9.1.2 (it's fixed in 2.9.2): on a -HUP reload, Snort would not pick up the addition or removal of a flowbit group on an existing flowbit.

So, to remove the fileidentify flowbit group name from your rulesets, you can either manually edit the rule files and remove ",fileidentify" from the rules, or you can use this quick bash script that I wrote and have not tested.


The error that some may see is:

sp_flowbits.c(510) Flowbits already belongs to a group

This error means that a custom rule of yours sets a flowbit with the same name as one of ours, and only one of the two rules puts that flowbit in a group: either your rule has no group and ours does, or your rule has the group and ours does not.


So this script should fix the problem either way by totally removing the fileidentify flowbit group.

First, descend into the rules/ directory where you keep your rules, and create and run this shell script:

#!/bin/sh
# Strip the ",fileidentify" group name from every flowbits option in every
# rules file in the current directory. The /g flag also catches rules that
# carry more than one grouped flowbits option on the same line.
# (GNU sed syntax; on BSD/macOS sed use "sed -i '' -e ..." instead.)
for x in *.rules
do
    sed -i -e 's/,fileidentify//g' "$x"
done


This will remove the fileidentify flowbit group from all the rules, and Snort will function as it was before.

Tuesday, December 6, 2011

VRT Snort.conf example files

Earlier today a Snort community member was asking where the most current snort.conf example files are that we (the VRT) use to test our rules with.

As the snort.conf that is contained inside the etc/ directory of the Snort tarball is a snapshot in time (at the time of the tarball release), it's necessary to occasionally update the snort.conf in order to take advantage of updated settings for the preprocessors and include new rule files.

So, in order to provide the latest functionality for all our users, the snort.conf files that are contained within the subscriber tarball are now listed here: https://www.snort.org/configurations

Also, we've included the automatically generated gen-msg.map and sid-msg.map files, so that you may use those as well if you don't use a tool like PulledPork to generate them automatically.

To stay current on the discussions surrounding all things Snort, we recommend you subscribe to the Snort Mailing lists found here: https://www.snort.org/community


Thursday, December 1, 2011

VRT Rule Update for 12/01/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 36 new rules and made modifications to 773 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the attack-responses, backdoor, bad-traffic, botnet-cnc, deleted, dos, exploit, file-identify, netbios, oracle, rservices, scada, smtp, specific-threats, spyware-put, web-activex, web-client and web-php rule sets to provide coverage for emerging threats from these technologies.

Note:
The fileidentify flowbit group has been removed. This could lead to your local rules no longer working. You must modify local rules using this flowbit group before you can use them in policies.

For example, if you have a rule that uses the fileidentify flowbit group with the following set of options:

flowbits:set,http.mpeg,fileidentify;

You must remove the fileidentify group name for the rule to continue working. The modified rule would then contain the following:

flowbits:set,http.mpeg;

We are also starting to change the names of flowbits to more accurately represent what we are attempting to detect.  For instance, we are changing the names from "http.jpeg" to "file.jpeg".
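The edit described in this note, and the clean-up script from the "If you are having problems with your flowbits" post above, can be done a little more carefully than a blind in-place sed: list what would change first, rewrite only the flowbits options that actually end in ",fileidentify", and check that none remain afterwards. The following is an added example, not a script from the original posts or from the VRT; it assumes the group name is always the last comma-separated argument of the flowbits option, exactly as in the "flowbits:set,http.mpeg,fileidentify;" example above, and the three sample rules it builds (local SIDs 1000001 to 1000003) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the original post's script: remove the "fileidentify"
# flowbit group from every flowbits option in a Snort rules file, with a
# dry-run listing beforehand and a count check afterwards. Assumes the group
# name is always the last argument of the option ("flowbits:set,NAME,fileidentify;").

# Basic regex (portable across GNU and BSD grep/sed) matching a flowbits option
# that still carries the group, e.g. "flowbits:set,file.jpeg,fileidentify;".
GROUPED_RE='flowbits:[a-z]*,[^;,]*,fileidentify;'

# Dry run: print every flowbits option in the file that still names the group.
list_grouped_flowbits() {
    grep -o "$GROUPED_RE" "$1" || true
}

# Count such options. grep -c prints 0 but exits 1 when nothing matches, so
# suppress that status to keep the function usable under "set -e".
count_grouped_flowbits() {
    grep -c "$GROUPED_RE" "$1" || true
}

# Rewrite the file. "sed -i" takes different arguments on GNU and BSD sed, so
# write to a temporary file and move it over the original instead. The /g flag
# handles rules with more than one grouped flowbits option on a line.
strip_fileidentify_group() {
    tmp="$1.tmp.$$"
    sed -e 's/\(flowbits:[a-z]*,[^;,]*\),fileidentify;/\1;/g' "$1" > "$tmp" &&
        mv "$tmp" "$1"
}

# Constructed sample rules (local SIDs, not VRT rules): two "set" rules that
# carry the group and one "isset" rule that never did.
make_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample rules for trying out strip_fileidentify_group
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"sample MPEG download"; flow:to_client,established; file_data; content:"|00 00 01 BA|"; flowbits:set,http.mpeg,fileidentify; flowbits:noalert; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"sample JPEG download"; flow:to_client,established; file_data; content:"|FF D8 FF|"; flowbits:set,file.jpeg,fileidentify; flowbits:noalert; classtype:misc-activity; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"sample JPEG check"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"sample"; classtype:misc-activity; sid:1000003; rev:1;)
EOF
}

# Usage: sh strip_fileidentify.sh rules/*.rules
# With no arguments nothing is touched; the functions above can be sourced instead.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        echo "== $f: $(count_grouped_flowbits "$f") grouped flowbits option(s) before:"
        list_grouped_flowbits "$f"
        strip_fileidentify_group "$f"
        echo "== $f: $(count_grouped_flowbits "$f") remaining after"
    done
fi
```

Running it against the three constructed rules reports 2 grouped options before and 0 after, and leaves the "isset" rule and the rest of each rule untouched; running the count function over your real rules/ directory after the edit is the quickest way to confirm that the "Flowbits already belongs to a group" startup error has no remaining cause.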
