Thursday, May 31, 2012

VRT Rule Update for 05/31/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 05/31/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 9 new rules and made modifications to 2465 additional rules.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the blacklist, botnet-cnc, dns, dos, exploit, file-identify, file-office, file-other, ftp, indicator-compromise, misc, netbios, policy, policy-other, scada, scan, specific-threats, spyware-put, sql, web-activex, web-cgi, web-client, web-coldfusion, web-frontpage and web-misc rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, May 30, 2012

VRT Rule release for 05/30/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 05/30/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 27 new rules and made modifications to 3 additional rules.

The following changes were made to the snort.conf:

HTTP_PORTS now reads like:
portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1741,1830,2301,2381,2809,3128,3702,4343,4848,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8090,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]

Stream5's configuration now reads like:

preprocessor stream5_global: track_tcp yes, \
track_udp yes, \
track_icmp no, \
max_tcp 262144, \
max_udp 131072, \
max_active_responses 2, \
min_response_seconds 5
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 4848 5250 7907 7001 7145 7510 7802 7777 7779 \
7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555
preprocessor stream5_udp: timeout 180


Finally http_inspect's configuration now reads like:


preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
chunk_length 500000 \
server_flow_depth 0 \
client_flow_depth 0 \
post_depth 65495 \
oversize_dir_length 500 \
max_header_length 750 \
max_headers 100 \
max_spaces 200 \
small_chunk_length { 10 5 } \
ports { 80 81 311 591 593 901 1220 1414 1741 1830 2301 2381 2809 3128 3702 4343 4848 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 } \
non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
enable_cookie \
extended_response_inspection \
inspect_gzip \
normalize_utf \
unlimited_decompress \
normalize_javascript \
apache_whitespace no \
ascii no \
bare_byte no \
directory no \
double_decode no \
iis_backslash no \
iis_delimiter no \
iis_unicode no \
multi_slash no \
utf_8 no \
u_encode yes \
webroot no


In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the blacklist, dos, file-pdf and web-php rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, May 25, 2012

VRT Rule Update for 5/25/2012

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 9 new rules and made modifications to 1055 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, dos, exploit, file-identify, file-office, file-other, file-pdf, indicator-obfuscation, misc, phishing-spam, policy, policy-multimedia, policy-other, scada, scan, shellcode, smtp, specific-threats, spyware-put, sql, web-activex, web-cgi, web-client, web-frontpage, web-iis and web-php rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Snort 2.9.2.2 install on Windows (Video)

The below video is a very simple illustration on how to install Snort version 2.9.2.2 on Windows 7.  There are several steps that must be performed to convert Snort (which is designed to run on a Unix system) to Windows format, and this video illustrates them.  

I wouldn't use the setup that is performed here long term, but it's a good recommendation for people who want to see the functionality of Snort to see if it'll work in their environment.

Thursday, May 24, 2012

Daemonlogger native package now in OpenWRT trunk!

My patch for building Daemonlogger as a native OpenWRT package has been accepted into the mainline distribution and committed to trunk. Pre-built binary packages are now available for all supported
architectures in the nightly snapshots tree.

Unfortunately these packages only work on the latest trunk firmware builds at the moment, and the 3.2 kernel along with the extra software included in these builds does not leave enough free JFFS space or usable RAM to run daemonlogger effectively. I'm trying to convince the developers to include this in the next stable release of Backfire (10.03.2) based on the 2.6 kernel, but no luck yet.

For the time being you can still grab my binary package from my GitHub repository. This one *does* install and run cleanly on the current stable version of Backfire (10.03.1).

- Announcement: http://goo.gl/Wy5G8
- Downloads: https://github.com/vineyard/WRT-SPAN

Cheers,
Robert Vineyard

Tuesday, May 22, 2012

VRT Rule Update for 05/22/2012

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 68 new rules and made modifications to 580 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Alexandre Menezes for contributing SIDs 22957 - 22960.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the blacklist, botnet-cnc, chat, dos, exploit, file-identify, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, misc, oracle, policy-multimedia, policy-social, pua-p2p, pua-toolbars, scada, server-mail, shellcode, specific-threats, voip, web-activex, web-cgi, web-client, web-iis and web-php rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, May 21, 2012

Two Things you Should Know About Snort 2.9.3.0

Among many important changes in Snort 2.9.3.0 are the changes to flowbits and outputs.  The flowbits syntax was overhauled and now supports an OR operator.  Deprecated outputs such as database have been removed.  Also, now a dynamic output plugin feature that will make it easier to maintain your favorite outputs or create something new.

Flowbits Update

Flowbits are used to track detection state across multiple packets within a session.  To set a flowbit, use flowbits:set,bitname; (often followed by flowbits:noalert;) and to check a flowbit use flowbits:isset,bitname.  You can check multiple bits within flowbits:isset,bit1; flowbits:isset,bit2; etc. because multiple isset options form a logical AND as in "bit1&&bit2" if you know a little C syntax.  However, prior to 2.9.3.0, there was no easy way to check if at least one of multiple bits was set.  You may have resorted to writing rules like this:
( sid:10; flow:to_server; content:"A"; flowbits:set,bitA; flowbits:noalert; )
( sid:20; flow:to_server; content:"B"; flowbits:set,bitB; flowbits:noalert; )
( sid:30; flow:to_client; content:"C"; flowbits:isset,bitA; )
( sid:40; flow:to_client; content:"C"; flowbits:isset,bitB; )
Note that 2 rules, sids 30 and 40, were required to handle both possibilities.  This gets messier with more options.  Snort 2.9.3.0 fixes this with the addition of the logical OR:
( sid:11; flow:to_server; content:"A"; flowbits:set,bitA; flowbits:noalert; )
( sid:21; flow:to_server; content:"B"; flowbits:set,bitB; flowbits:noalert; )
( sid:31; flow:to_client; content:"C"; flowbits:isset,bitA|bitB; )
In this case sids 30 and 40 are replaced with a single rule, sid 31, which leverages the syntax "bitA|bitB", meaning bitA OR bitB.  For even greater flexibility, you can use the optional group as follows:
( sid:12; flow:to_server; content:"A"; flowbits:set,bitA,group; flowbits:noalert; )
( sid:22; flow:to_server; content:"B"; flowbits:set,bitB,group; flowbits:noalert; )
( sid:32; flow:to_client; content:"C"; flowbits:isset,any,group; )
Now if you add a new bit to the group, say bitC, you don't need to update sid 32.

Snort 2.9.3.0 adds lots of other tweaks to flowbits, like the AND notation "bitA&bitB".  So, be sure to review the manual for details.

Changes to Output Plugins

You may have noticed that the postgresql and mysql packages are not among the 2.9.3.0 beta files on Snort.org.  You may also have noticed that the source for the aruba, prelude, mysql, oracle, and mssql outputs are gone too.  Those outputs were deprecated because of resource constraints that did not allow time to test and maintain the outputs as well as lack of communication from the original developers.

However, in their place dynamic output plugin support was added.  For best performance, you will probably want to switch to unified2 logging as described on Snort.org, but you could convert the old outputs to the new plugin structure if that is best for your deployment.

To help you get going with your own custom output, you can start with the dynamic output example package (dox-1.0.4.tar.gz).  The README therein explains the 3 simple steps to build and test the dox plugin.  You can then modify the source to obtain the output when, where, and how you want it.

There are many other improvements to Snort included with version 2.9.3.0, including an awesome overhaul of the dcerpc2 preprocessor by Todd.  Check it out.

Please submit bugs, questions, and feedback to snort-beta@sourcefire.com.

Friday, May 18, 2012

Snort 2.9.3 Beta Now Available

Snort 2.9.3 Beta is now available on snort.org, at http://www.snort.org/snort-downloads/ in the Latest Development Release section.

2.9.0 RC & later packages are signed with a new PGP key (that is signed with the previous key).

Snort 2.9.3 introduces the following new capabilities:

[*] New additions
 * Updates to flowbit rule option to allow for OR and AND of individual bits within a single rule, and allow flowbits to be used in multiple groups.  See README.flowbits and the Snort manual for details.

 * Dynamic output plugin architecture to provide an API that developers can write their own output mechanisms to log alert and packet data from Snort.  Some output plugins have been removed as a result of this to be maintained by their respective authors.

 * Update to dcerpc2 preprocessor for improved accuracy and handling of different OSs for SMB processing.  See README.dcerpc2 and the Snort manual for details.

 * Updates to reputation preprocessor for handling of whitlelist and trustlists and zone information.  See README.reputation and the Snort manual for details.

 * Updates to the packet decoders to support pflog v4.

[*] Improvements
 * Update to return error messages through the control socket.

 * Updates to the processing of email attachments for better handling of non-encoded attachments, and improved memory management for attachment processing.

 * Improvements in HTTP Inspect for better performance with gzip decompression.  Also improvements for handling simple responses, encoded query strings, transfer encoding and chunk encoding processing.

 * Fix logging of multiple unified2 alerts with reassembled packets.

 * Compiler warning cleanup across multiple platforms.

 * Added 116:458 and 116:459 to cover fragmentation issues.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to snort-beta@sourcefire.com.

Thursday, May 17, 2012

VRT Rule Update for 05/17/2012

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 25 new rules and made modifications to 814 additional rules.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, dos, exploit, file-identify, file-office, file-pdf, indicator-compromise, phishing-spam, server-mail, smtp, specific-threats, web-activex and web-misc rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, May 15, 2012

Snort 2.9.2.3 has been released!

Snort 2.9.2.3 is now available on snort.org, at http://www.snort.org/snort-downloads/ in the Latest Release section.

2.9.0 RC & later packages are signed with a new PGP key (that is signed with the previous key).

Snort 2.9.2.3 includes changes for the following:

 * Update to GTP preprocessor to better handle GTPv1 data.

 * Update to DNP3 preprocessor to add stricter checking on
   packets before processing by dnp3.  Improved checking
   on reassembly buffer

 * Update to PCRE rule option processing to prevent issues
   seen w/ libpcre-8.30 and certain rules.

 * Update to dcerpc2 to not abort reassembly if target-based
   protocol is undefined.

Please submit bugs, questions, and feedback to bugs@snort.org.

Friday, May 11, 2012

VRT: PHP-CGI vulnerability - exploits in the wild and Snort coverage

VRT: PHP-CGI vulnerability - exploits in the wild and Snort coverage:

Just wanted to call our Snort.org blog subscribers out to this article by Alex Kirk over on our VRT Blog.  This article deals with the PHP-CGI vulnerability and which Snort rules you need to enable in order to protect your network from it.

Take a look!

Thursday, May 10, 2012

VRT Rule Update for 05/10/2012

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 819 new rules and made modifications to 554 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, blacklist, botnet-cnc, dos, file-office, file-other,
indicator-compromise, misc and specific-threats rule sets to provide
coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

2012 Snort Scholarship is now open!

Annually, Sourcefire provides a Snort Scholarship to two individuals selected at random (by drawing) in the amount of $5000 US for higher education purposes.  The winners also receive a 10,000 credit to use toward any training courses or certification exam in the Sourcefire Security Education Program.

To be eligible, you must meet the legal criteria found here on our website, sign up for the scholarship here, and following that, on or about May 31, 2012, two winners will be selected.

For further information, please see the links above, also found linked here.

Tuesday, May 8, 2012

VRT Rule Release for 05/08/2012, MS Tuesday

Sorry for the delay in getting the blog post up, we've been really busy today planning some great things for the future! Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 23 new rules and made modifications to 48 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
The Sourcefire VRT is aware of vulnerabilities affecting products from
Microsoft Corporation.

Details:
Microsoft Security Advisory MS12-029:
The Microsoft RTF importer contains programming errors that may allow a
remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 22089.

Microsoft Security Advisory MS12-030:
Microsoft Excel contains programming errors that may allow a remote
attacker to execute code on a vulnerable system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 22076, 22077, 22078,
22081, 22091, 22092, 22093 and 22094.

Microsoft Security Advisory MS12-031:
Microsoft Visio contains a programming error that may allow a remote
attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 22075.

Microsoft Security Advisory MS12-034:
Microsoft Office contains programming errors that may allow a remote
attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 22085, 22086, 22087
and 22090.

Microsoft Security Advisory MS12-035:
The Microsoft .NET Framework contains programming errors that may allow
a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 22079 and 22080.

Additionally, the Sourcefire VRT has added and modified multiple rules
in the bad-traffic, botnet-cnc, file-identify, file-office, file-other,
server-mail and web-client rule sets to provide coverage for emerging
threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, May 4, 2012

VRT Rule Update for 05/04/2012, #2 (Adobe 0day coverage)

In this release we introduced 9 new rules and made modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.

This second release of the day provides coverage for CVE-2012-0779, which is discussed here on Adobe's site. Included in this update is more generic coverage for the attack vector surrounding this attack that is being seen in the wild. The "INDICATOR-OBFUSCATION" rules below may very well catch a ton of additional exploit methods other than the Adobe attack referenced above.

Since the usual link on Snort.org isn't currently working, I'm posting the sid and rule msg's here:


22066(1) "POLICY Microsoft Office Word ScriptBridge OCX controller attempt"
22067(1) "MISC Adobe Flash malformed error response"
22068(1) "SPECIFIC-THREATS Adobe Flash systemMemoryCall RTMP query"
22069(1) "SPECIFIC-THREATS Adobe Flash Player object confusion attempt"
22070(1) "SPECIFIC-THREATS Adobe Flash Player object confusion attempt"
22071(1) "INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - eval"
22072(1) "INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - fromCharCode"
22073(1) "INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - unescape"
22074(1) "INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - charCode"


In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the indicator-obfuscation, misc and specific-threats rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

VRT Rules Update for 5/4/2012, PHP 0day, lots of malware

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 25 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

We'd also like to thank Eoin Miller for his contributions to this rule pack.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, blacklist, botnet-cnc, exploit, file-identify, file-office,
file-other, specific-threats and web-php rule sets to provide coverage
for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, May 2, 2012

VRT Rule Update for 05/02/2012

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 100 new rules and made modifications to 163 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, blacklist, botnet-cnc, chat, dns, dos, exploit,
file-identify, file-office, file-other, file-pdf, misc, mysql, netbios,
oracle, policy, server-mail, smtp, specific-threats, web-activex,
web-cgi, web-client and web-misc rule sets to provide coverage for
emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!