Thursday, March 29, 2012

VRT Rule Update for 3/29/2012

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 11 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the exploit, file-identify and web-client rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, March 27, 2012

Snort 2.9.2.2 has been released!


Snort 2.9.2.2 is now available on snort.org, at http://www.snort.org/snort-downloads/ in the Latest Release section.

2.9.0 RC & later packages are signed with a new PGP key (that is signed with the previous key).

Snort 2.9.2.2 includes changes for the following:

* Updates to HTTP Inspect to handle normalization with large number of directories, eliminate false positives when chunks span multiple packets, and remove the upper limit on the gzip memcap.

* Update stream handling for TCP session cleanup with RSTs and other TCP state tracking.

* Update for active responses to fragmented IPv6 traffic and to the react page configuration.

* Updates to SIP preprocessor to limit false positives.

* Update for correct logging in unified2 when interface is passive.

* Add stats for SMTP preprocessor at termination.

* State tracking improvements to SMB processing in the dcerpc2 preprocessor when missing packets on a session.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

VRT Rule Update for 03/27/2012

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 26 new rules and made modifications to 297 additional rules.

This rule release provides support for Snort 2.9.2.2 which has just been released.

There was one change made to the snort.conf in this release, just a modification to this line:
preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, exploit, file-identify, misc, multimedia, netbios, phishing-spam, specific-threats, spyware-put, sql and web-misc rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, March 22, 2012

VRT Rule Release for 03/22/2012, MS12-020

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 9 new rules and made modifications to 218 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories.
Details: Microsoft Security Advisory MS12-020: Microsoft Windows Remote Desktop suffers from programming errors that may allow a remote attacker to execute code on a vulnerable system. A rule identified with GID 3, SID 21619 has been added in this release in order to improve detection of attacks and to improve performance.
This rule replaces the rules identified with GID 1, SIDs 21571, 21572 and 21592. These rules have been deleted in this release.
Additionally, the Sourcefire VRT has added and modified multiple rules in the backdoor, chat, dns, dos, exploit, file-identify, imap, misc, netbios, policy, pop3, scada, shellcode, smtp, specific-threats, sql, web-activex, web-client and web-php rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, March 20, 2012

VRT Rule release for 03/20/2012

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 16 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release. 

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the botnet-cnc, exploit, specific-threats, spyware-put, voip, web-client and web-misc rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, March 19, 2012

Snort 2.9.0.5 EOL notice

So, now that I am back from the land of Mickey, I bring to you some news with my first post.

Next Tuesday we'll be EOL'ing Snort 2.9.0.5.

With the pending release of Snort 2.9.2.2 and in compliance with our End of Life Policy, Snort 2.9.0.5 has reached the end of the line.

For those of you that want to move directly to Snort 2.9.2.2, it should be out this week.  More information on that soon.  Thanks!

Friday, March 16, 2012

VRT Rule Release for 03/16/2012

Joel is still on vacation, I'm racking up another favor and expecting a suitable gift from Disneyland. We released another rule for MS12-020 today. The change logs can be found at http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-03-16.html

And the obligatory Joel Esler closing paragraph (if I have to keep doing this, there's a script and a template getting written).

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, March 15, 2012

VRT Rule Release for 03/15/2012

Joel is on vacation in Disneyland, hopefully Disney will not mistake him for one of Snow White's companions and he will be able to return next week. While he is out sunning himself, playing on the swing sets and strolling on the beach he asked me for a huge favor, he wanted me to keep everyone up to date on our rule issuances. So, here's what we just released today:

We added and modified multiple rules in the blacklist, botnet-cnc, dos, exploit, file-identify, policy, scada, specific-threats, web-activex and web-misc rule sets. In total, there were 15 new rule additions and 30 rule modifications.

Also, this release features a rule contribution by Nathan Fowler (check out the Snort mailing lists if you don't know who he is). GID 1, SID 21583 is brought to you courtesy of Nathan and his work on detecting the mis-doings of the Blackhole exploit kit. We appreciate the contribution and I'm sure you will too.

You can find the change logs at the usual place on snort.org here: http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-03-15.html.

Also, he wanted me to add the following to the end of the post, so here it is:

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, March 13, 2012

VRT Rule Release for 3/13/2012, MS Tuesday

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 26 new rules and made modifications to 17 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Nathan Fowler for his contribution of the following rule:
21562 <-> BOTNET-CNC Trojan.Bredolab variant outbound connection

In VRT's rule release:
Synopsis: The Sourcefire VRT is aware of vulnerabilities affecting products from Microsoft Corporation.
Details: Microsoft Security Advisory MS12-017: The DNS protocol as implemented in Microsoft Windows systems may allow a remote attacker to cause a permanent Denial of Service (DoS) against an affected system. A previously released rule will detect attacks targeting this vulnerability and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 13949.
Microsoft Security Advisory MS12-020: Microsoft Windows Remote Desktop suffers from programming errors that may allow a remote attacker to execute code on a vulnerable system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 21570, 21571 and 21572.
Microsoft Security Advisory MS12-021: Microsoft Visual Studio suffers from a programming error that may allow a remote attacker to elevate privileges on a vulnerable system. A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 21576. 
Microsoft Security Advisory MS12-022: Microsoft Expression Design suffers from a programming error that may allow a remote attacker to execute code on a vulnerable system. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 21566 and 21567. 
The Sourcefire VRT has also added and modified multiple rules in the backdoor, blacklist, botnet-cnc, dns, dos, exploit, file-identify, misc, netbios, policy, scada, specific-threats, web-activex, web-client and web-php rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, March 12, 2012

Tracking Brazilian Banking Trojans with Snort and HTTP Inspect

Rodrigo Montoro put out this wonderful blog post about the detection of some Brazilian banking Trojans with HTTP Inspect using suppressions.

The same concept could be applied with the IP Whitelisting technology in Snort now.  Either way, please read this great article!

http://blog.spiderlabs.com/2012/03/detecting-brazilian-trojan-bankers-with-snort-http_inspect.html

Friday, March 9, 2012

Rule Category Reorganization


Sometimes the new becomes old, sometimes the old becomes new.  But then sometimes, the old is just plain old.

Snort was started over 10 years ago.  Since the ability to write rules for Snort was added, its rules have been organized into categories in different files.  For years those files have been added to, but the ruleset is now large enough that we want to, and have to, refocus it, add features, and clear the old cruft away.

That time is now.

What we are going to do over the next few months is slowly progress from our old categories (rule files) into a new set of categories.

Let me provide you a bit of background.  When we sat down and started discussing what a new ruleset would look like, we started thinking about what we wanted to accomplish with the ruleset: what information we, as rule writers, wanted to convey to you, the end user, and how we could make your lives simpler and help you get more value out of the rules.

What were our goals?
To communicate to the user the:
  • Intent of the rule
  • Impact of the rule
  • Target of the attack which the rule covers
  • Mechanism of attack that the rule covers
  • Technique of the attack or attacker that the rule covers

This is going to fan out over several parts, two of which have happened already:
  • File-identify

This rule category was created to identify and track rules that deal with file (client) based attacks.  It centrally locates all rules that "set" flowbits based on two things: the download method, and the detection of the file actually coming down through characteristics of the file itself.
We will continually expand this category and have done so with every rule release.  All of these rules are enabled in the "balanced" policy, which is now our standard default policy.  For other policies (for instance security) you should use a tool named PulledPork to fix everything for you.  The Sourcefire product also handles this "flowbit resolution" for you seamlessly.  I say this to illustrate that, unfortunately, Oinkmaster does not provide either of these functions.
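
The flowbit dependency that makes this resolution necessary, as an added example (not code from PulledPork or the VRT): a rule that checks a flowbit never fires if the rule that sets it is left commented out. The rules, SIDs and flowbit names in the sample are constructed for illustration.

```python
import re

HEAD_RE = re.compile(r"^(#\s*)?(alert|drop|log|pass)\s")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
FLOWBIT_RE = re.compile(r"flowbits:\s*(set|toggle|isset)\s*,\s*([\w.\-]+)")

def parse(rules_text):
    """Return {sid: {"enabled", "sets", "checks"}} for every rule line."""
    rules = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        head, sid = HEAD_RE.match(line), SID_RE.search(line)
        if not (head and sid):
            continue  # blank line or ordinary comment
        bits = FLOWBIT_RE.findall(line)
        rules[int(sid.group(1))] = {
            "enabled": head.group(1) is None,  # a leading '#' means disabled
            "sets": {name for op, name in bits if op != "isset"},
            "checks": {name for op, name in bits if op == "isset"},
        }
    return rules

def resolve(rules):
    """Enable disabled setters that enabled rules depend on, to a fixpoint.

    Returns (sids_turned_on, flowbits_checked_but_never_set).
    """
    turned_on = []
    changed = True
    while changed:  # a newly enabled setter may itself check another flowbit
        changed = False
        needed = set().union(*(r["checks"] for r in rules.values() if r["enabled"]))
        for sid in sorted(rules):
            rule = rules[sid]
            if not rule["enabled"] and rule["sets"] & needed:
                rule["enabled"] = True
                turned_on.append(sid)
                changed = True
    live = [r for r in rules.values() if r["enabled"]]
    needed = set().union(*(r["checks"] for r in live))
    provided = set().union(*(r["sets"] for r in live))
    return turned_on, sorted(needed - provided)

# Constructed sample: '# alert' lines are rules disabled by the active policy.
SAMPLE_RULES = """
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY constructed PDF setter"; flow:to_client,established; file_data; content:"%PDF-"; flowbits:set,file.pdf; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed PDF checker"; flowbits:isset,file.pdf; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed SWF setter, nothing enabled needs it"; flowbits:set,file.swf; flowbits:noalert; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed checker with no setter"; flowbits:isset,file.orphan; sid:1000004; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed ZIP setter"; flowbits:set,file.zip; flowbits:noalert; sid:1000005; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed chained setter"; flowbits:isset,file.zip; flowbits:set,file.zip.inner; flowbits:noalert; sid:1000006; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed chained checker"; flowbits:isset,file.zip.inner; sid:1000007; rev:1;)
"""

if __name__ == "__main__":
    parsed = parse(SAMPLE_RULES)
    turned_on, unresolved = resolve(parsed)
    print("enable these setters:", sorted(turned_on))
    print("checked but never set:", unresolved)
```
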

The second part of this project has been happening quietly in the background:
  • Cleanup

This is an ongoing project to modernize our ruleset with newer keywords and functionality that did not exist before.  For instance, adding file_data to all the rules that need it, for better decoding (making the IDS harder to evade) and pointer placement.

We are also standardizing naming across all rule message names.  For instance, not using "Microsoft IE" or "IE" or "Windows IE", but instead adopting the naming sequence "Microsoft Internet Explorer" and "Microsoft Windows", and "Apple QuickTime" instead of just plain "quicktime".  This allows you to search the ruleset easily and turn on what is in your network through the use of easy pcre inside of the enablesid.conf file using PulledPork.  We even went so far as to get rid of things like "from_server" and move to "to_client" inside of the flow statement for easier readability.

We started this cleanup back in October and since then we've averaged over 600 changes per rule release.

The third portion of this project is our biggest.  We call it:

  • Rule re-categorization


Moving all rules from their old categories:

attack-responses.rules
backdoor.rules
bad-traffic.rules
blacklist.rules
botnet-cnc.rules
chat.rules
content-replace.rules
ddos.rules
deleted.rules
dns.rules
dos.rules
experimental.rules
exploit.rules
file-identify.rules
finger.rules
ftp.rules
icmp-info.rules
icmp.rules
imap.rules
info.rules
local.rules
misc.rules
multimedia.rules
mysql.rules
netbios.rules
nntp.rules
oracle.rules
other-ids.rules
p2p.rules
phishing-spam.rules
policy.rules
pop2.rules
pop3.rules
rpc.rules
rservices.rules
scada.rules
scan.rules
shellcode.rules
smtp.rules
snmp.rules
specific-threats.rules
spyware-put.rules
sql.rules
telnet.rules
tftp.rules
virus.rules
voip.rules
web-activex.rules
web-attacks.rules
web-cgi.rules
web-client.rules
web-coldfusion.rules
web-frontpage.rules
web-iis.rules
web-misc.rules
web-php.rules
x11.rules


Into a new set of categories.  The new set will not only make us more agile, more professional, and able to add new categories as we expand in future years, but will also be simpler for the end user.

Obviously all the new categories are not created yet.  We have a base set of names that we are going to start with, but we know for a fact that once we get into moving these rules, new categories will need to be created.

For example, we are going to create a series of rule categories based on protocols, so that you may enable or disable them based upon your network needs.  The rules contained in these categories will not be software related, but related to vulnerabilities in the protocol itself.

PROTOCOL-FTP (protocol-ftp.rules)
PROTOCOL-FINGER (protocol-finger.rules)
PROTOCOL-RSERVICES (protocol-rservices.rules)
PROTOCOL-ICMP (protocol-icmp.rules)
PROTOCOL-IMAP (protocol-imap.rules)
PROTOCOL-POP3 (protocol-pop3.rules)
PROTOCOL-RPC (protocol-rpc.rules)
PROTOCOL-SMTP (protocol-smtp.rules)
PROTOCOL-SNMP (protocol-snmp.rules)
PROTOCOL-OTHER (protocol-other.rules)

We'll create a series of categories based upon file type allowing us to consolidate all rules that cover attack vectors based on those file types from many different rule files into one:

FILE-PDF (file-pdf.rules)
FILE-OFFICE (file-office.rules)
FILE-IMAGE (file-image.rules)
FILE-MULTIMEDIA (file-multimedia.rules)
FILE-FLASH (file-flash.rules)
FILE-JAVA (file-java.rules)
FILE-EXECUTABLE (file-executable.rules)
FILE-OTHER (file-other.rules)

You'll notice that we always have an "OTHER" at the end of the series.  This is our category where rules that just don't fit in any of the other categories will go, until there is a sufficient amount of them to warrant their own category.
For example, PDF wasn't a gigantic threat 5-8 years ago; there were maybe 10 or so rules that covered PDF files.  Now it'll have its own category, as we have hundreds.

Along the way we'll be revisiting every single rule for syntax, cleanliness, and speed.  If there are some quick optimizations we can make, then we'll make them.  I made several just in the planning process for the first category.

Speaking of the first category, the first one we'll be breaking out is POLICY.  When looking through the policy.rules category, it looks like it'll be broken out into the following:

POLICY-SOCIAL
POLICY-MULTIMEDIA
POLICY-OTHER
INDICATOR-OBFUSCATION
INDICATOR-COMPROMISE
PUA-TOOLBARS
PUA-P2P
SERVER-MAIL
FILE-PDF
FILE-OFFICE
FILE-FLASH
FILE-OTHER

The good news is, if you are using the Sourcefire product, PulledPork, or Oinkmaster, the vast majority of you should be unaffected.  These products will handle the transition just fine.  The only way you will be affected using PulledPork (or Oinkmaster's related tools) is if you use enablesid.conf or disablesid.conf to enable or disable entire categories of rules. We will also notify you of any changes that will be made to the snort.conf to incorporate these changes.  
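
One way to check whether your own files are affected, as an added example rather than a PulledPork feature: the script below scans an enablesid.conf or disablesid.conf for whole-category entries that name one of the old categories listed above. It assumes PulledPork's comma-separated entry syntax with VRT categories written as VRT-<name>; the sample file is constructed.

```python
import re

# Old category files listed in the post. local.rules is left out because
# the post says it will stay as is.
LEGACY = set("""
attack-responses backdoor bad-traffic blacklist botnet-cnc chat content-replace
ddos deleted dns dos experimental exploit file-identify finger ftp icmp-info
icmp imap info misc multimedia mysql netbios nntp oracle other-ids p2p
phishing-spam policy pop2 pop3 rpc rservices scada scan shellcode smtp snmp
specific-threats spyware-put sql telnet tftp virus voip web-activex
web-attacks web-cgi web-client web-coldfusion web-frontpage web-iis web-misc
web-php x11
""".split())

# Destinations the post gives for the first category to be split.
PLANNED = {"policy": [
    "POLICY-SOCIAL", "POLICY-MULTIMEDIA", "POLICY-OTHER",
    "INDICATOR-OBFUSCATION", "INDICATOR-COMPROMISE", "PUA-TOOLBARS",
    "PUA-P2P", "SERVER-MAIL", "FILE-PDF", "FILE-OFFICE", "FILE-FLASH",
    "FILE-OTHER"]}

SID_RE = re.compile(r"^\d+:\d+(-\d+:\d+)?$")           # 1:2000 or 1:10-1:20
REF_RE = re.compile(r"^(MS\d{2}-|cve:|bugtraq:)", re.I)  # reference lookups

def classify(entry):
    """Sort one entry into sid, pcre, reference or category (assumed syntax)."""
    if SID_RE.match(entry):
        return "sid"
    if entry.lower().startswith("pcre:"):
        return "pcre"
    if REF_RE.match(entry):
        return "reference"
    return "category"

def audit(conf_text):
    """Return (line, entry, legacy_category, planned_destinations) tuples."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        for entry in filter(None, (e.strip() for e in line.split(","))):
            if classify(entry) != "category":
                continue
            # Only VRT categories are being reorganized; other prefixes stay.
            name = re.sub(r"^VRT-", "", entry, flags=re.I).lower()
            if name.endswith(".rules"):
                name = name[:-len(".rules")]
            if name in LEGACY:
                findings.append((lineno, entry, name, PLANNED.get(name, [])))
    return findings

# Constructed disablesid.conf; the SIDs and MS12-020 come from this page.
SAMPLE_CONF = """\
# constructed sample, not a real deployment
1:21571,1:21566-1:21567        # single SID and a SID range
VRT-policy, VRT-web-misc       # whole legacy categories
pcre:Microsoft Internet Explorer
MS12-020
VRT-local, VRT-protocol-ftp
"""

if __name__ == "__main__":
    for lineno, entry, name, dest in audit(SAMPLE_CONF):
        note = "planned split: " + ", ".join(dest) if dest else "no split announced yet"
        print(f"line {lineno}: {entry} selects all of {name}.rules ({note})")
```
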

With each category that we transition, we'll do a blog post about it so that you are well aware before, during, and after the transition.

We will not be deleting the old category names until they are completely empty and local.rules will stay as is.

There are two more parts to this project that will begin after this transition is complete, introducing new functionality and intelligence into the ruleset that exists absolutely nowhere else in any product.  These two projects involve a total revamp of the classification and priority system, and finally additions to the metadata system within the rules.  These modifications are in addition to the significant changes we have set for the Snort engine itself in 2012.

If there are any questions, please contribute to the thread on the Snort-users mailing list here:
https://lists.sourceforge.net/lists/listinfo/snort-users

An exciting year is here!  Stay tuned!

Thursday, March 8, 2012

VRT Rule Release for 03/08/2012

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 14 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Nick Randolph for his submission of the following sid(s):
21515 <-> WEB-MISC Tomcat Web Application Manager access
21516 <-> WEB-MISC JBoss JMX console access
21517 <-> WEB-MISC JBoss admin-console access

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories.
Details: The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc and web-misc rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

We are ready to Barbeque!

Just delivered to Sourcefire HQ!

Tuesday, March 6, 2012

VRT Rule Release for 03/06/2012

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 44 new rules and made modifications to 38 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Nathan Fowler for his updates to the following rule:
1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the botnet-cnc, dos, exploit, file-identify, netbios, policy, scada, specific-threats, tftp, web-activex and web-misc rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, March 1, 2012

VRT Rule update for 03/01/2012

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 16 new rules and made modifications to 415 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to acknowledge the following rule writer(s) for their contributions:
Nathan Fowler --
21492 - SPECIFIC-THREATS Blackhole landing page with specific structure - catch qq

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, ddos, dns, dos, exploit, file-identify, finger, ftp, icmp, icmp-info, misc, netbios, nntp, policy, rpc, rservices, scada, scan, shellcode, smtp, specific-threats, spyware-put, telnet, tftp, web-cgi, web-client, web-coldfusion, web-frontpage, web-iis, web-misc and x11 rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!