Thursday, August 30, 2012

Rule Category Reorganization Phase 2

Back in April 2012, the Vulnerability Research Team (VRT) began its Rule Category Reorganization effort to realign the rules into an easier-to-understand category structure.

We are continuing that effort with the VRT’s newest rule release, adding the following categories:

APP-DETECT -- This category contains rules that look for, and control, the traffic of certain applications that generate network activity.

BROWSER-CHROME -- This category contains detection for vulnerabilities present in the Chrome browser. (This is separate from the “Webkit” category: Chrome has enough vulnerabilities to be broken out into its own category, and while it uses the Webkit rendering engine, there are many other features to Chrome.)

BROWSER-FIREFOX -- This category contains detection for vulnerabilities present in the Firefox browser, or in products that use the “Gecko” engine (the Thunderbird email client, etc.).

BROWSER-IE -- This category contains detection for vulnerabilities present in the Internet Explorer browser (Trident or Tasman engines).

BROWSER-WEBKIT -- This category contains detection for vulnerabilities present in the Webkit browser engine (aside from Chrome); this includes Apple’s Safari, RIM, Nokia, KDE, and Palm.

BROWSER-OTHER -- This category contains detection for vulnerabilities in other browsers not listed above (e.g. Opera).

EXPLOIT-KIT -- This category contains rules that are specifically tailored to detect exploit kit activity (Blackhole, Phoenix, etc.).

FILE-EXECUTABLE -- This category contains rules for vulnerabilities that are found or are delivered through executable files, regardless of platform.

FILE-FLASH -- This category contains rules for vulnerabilities that are found inside of Flash files, either compressed or uncompressed, regardless of delivery method or software being attacked.

FILE-IMAGE -- This category contains rules for vulnerabilities that are found inside of image files, regardless of delivery method, software being attacked, or type of image file (jpg, png, gif, bmp, etc.).

FILE-MULTIMEDIA -- This category contains rules for vulnerabilities present inside of multimedia files (mp3, movies, wmv).

MALWARE-BACKDOOR -- This category contains rules that detect traffic destined for known listening backdoor command channels. If a piece of malicious software opens a port and waits for incoming commands for its control functions, this type of detection should be placed here. A simple example would be detection for BackOrifice, as it listens on a specific port and then executes the commands it was sent. Another example would be SubSeven, which is a VNC-like application that allows the remote attacker to control the victim’s computer.

MALWARE-CNC -- This category contains known malicious command and control activity for identified botnet traffic. This includes call home, downloading of dropped files, and exfiltration of data.

MALWARE-TOOLS -- This category contains rules that deal with tools that can be considered malicious in nature. For example, LOIC.

MALWARE-OTHER -- This category contains rules that are malware related, but don’t fit into one of the other ‘malware’ categories.

If you are using the Sourcefire product, PulledPork, or Oinkmaster, the vast majority of you should be unaffected. These products will handle the transition just fine. The only way you will be affected using PulledPork (or Oinkmaster's related tools) is if you use enablesid.conf or disablesid.conf to enable or disable entire categories of rules.
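To find out whether you are in that affected group, it helps to look at what your enablesid.conf / disablesid.conf actually contain. The short script below is an added example, not code from the post or from the PulledPork project: it sorts the entries of a PulledPork-style file into per-rule (GID:SID and ranges), regex (`pcre:`) and category-wide entries, and then checks the category-wide ones against the category names introduced in this release. The sample file contents are constructed, and the entry formats are an assumption based on common PulledPork usage; check them against your own PulledPork version's README.

```python
import re

# Constructed sample of a PulledPork-style disablesid.conf; not from the post.
# Assumed entry forms (verify against your PulledPork README): comments,
# GID:SID, GID:SID-GID:SID ranges, pcre:<regex>, and bare category names.
SAMPLE_DISABLESID = """\
# disable a single rule and a range by GID:SID
1:2000
1:3000-1:3010
# disable by regex on the rule text
pcre:fwsam
# disable whole categories (the entries the post says need attention)
web-client
malware-cnc
"""

# Categories named in this release, lower-cased to match rule file naming.
NEW_CATEGORIES = {
    "app-detect", "browser-chrome", "browser-firefox", "browser-ie",
    "browser-webkit", "browser-other", "exploit-kit", "file-executable",
    "file-flash", "file-image", "file-multimedia", "malware-backdoor",
    "malware-cnc", "malware-tools", "malware-other",
}

SID_ENTRY = re.compile(r"^\d+:\d+(?:-\d+:\d+)?$")


def classify_entries(text):
    """Sort each non-comment line into 'sid', 'pcre' or 'category' entries."""
    entries = {"sid": [], "pcre": [], "category": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SID_ENTRY.match(line):
            entries["sid"].append(line)
        elif line.lower().startswith("pcre:"):
            entries["pcre"].append(line)
        else:
            # Anything else is treated as a whole-category entry.
            entries["category"].append(line.lower())
    return entries


def category_entries(text):
    """Category-wide entries: the only kind the post says the change affects."""
    return classify_entries(text)["category"]


def review_categories(text):
    """Split category entries into those naming a new category and the rest.

    Entries outside the new list are not necessarily wrong (the post lists only
    the categories added in this release), but they are the ones to check
    against the full category list after the reorganization.
    """
    cats = category_entries(text)
    current = [c for c in cats if c in NEW_CATEGORIES]
    to_review = [c for c in cats if c not in NEW_CATEGORIES]
    return current, to_review


if __name__ == "__main__":
    current, to_review = review_categories(SAMPLE_DISABLESID)
    print("category entries matching new names:", current)
    print("category entries to review:", to_review)
```

Run it against the real files by replacing `SAMPLE_DISABLESID` with the contents of your enablesid.conf and disablesid.conf; an empty list of category entries means the release should not change which rules you have enabled or disabled.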