Tuesday, July 24, 2012

Sourcefire VRT Certified Snort Rules Update for 07/24/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 07/24/2012


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 25 new rules and made modifications to 22 additional rules.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, bad-traffic, blacklist, botnet-cnc, exploit, file-identify,
file-office, file-pdf, indicator-compromise, policy, scan, spyware-put,
web-client and web-php rule sets to provide coverage for emerging
threats from these technologies.


To subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Monday, July 23, 2012

Snort 2.9.3.0 Ubuntu install guide has been posted

Thanks again to David Gullett for producing his awesome installation guide for Ubuntu 12.04 for Snort 2.9.3.

We recommend that you use the Snort.conf provided here:
http://www.snort.org/vrt/snort-conf-configurations/
which is updated with each rule pack.

Once again, thanks David Gullett for his document, it's posted on http://www.snort.org/docs as always!

Friday, July 20, 2012

Installation Documentation for OpenSuSE 11.4, 12.1, and FreeBSD 8.2 posted

William Parker, one of the many members of the Snort community, submitted these three pieces of documentation for hosting on Snort.org.

The Installation Documentation for OpenSuSE 12.1
The Installation Documentation for FreeBSD 8.2
The Installation Documentation for OpenSuSE 11.4

We'd like to thank Mr. Parker for his efforts and recognize the significant time and dedication it takes to compile this information and put it out to the community. Thank you to the whole community for all the effort you put in, and a special thanks to Mr. Parker. Please address all questions regarding the installation documentation either directly to Mr. Parker or to the Snort.org Users mailing list.

As always, our documentation can be found on http://www.snort.org/docs

I've had some questions recently about where the "translated" documents are. They've all been removed, as many of them were ancient (out of good conscience I can't let you install Snort 2.0.1), so I'm now accepting any new translation documents that people would like to submit. Tips for the format and the installation command lines for the software can be found in any of the English guides.

Snort 2.9.3.0 on Debian install guide has been posted

Thanks to Jason Weir, I just posted his Snort 2.9.3.0 Install Guide for Debian 6.0.5.

You may find his updated guide at http://www.snort.org/docs.  We'd like to thank Jason Weir and the rest of the Snort community for their constant support, guides, bug reports, false positive reports, and participation in the mailing lists.

You all are fantastic!

Thanks Jason!

Sourcefire VRT Certified Snort Rules Update for 07/19/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 07/19/2012


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 110 new rules and made modifications to 35 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Mark Parsons for his contributions, research, and providing traffic captures for the development of sids 23492 and 23493.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, botnet-cnc, chat, dos, exploit, file-identify, file-office,
file-other, file-pdf, ftp, policy, smtp, specific-threats, web-client
and web-php rule sets to provide coverage for emerging threats from
these technologies.


To subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Thursday, July 19, 2012

2.9.2.1 EOL Notice

As always, when we release a new version of Snort (yesterday's 2.9.3.0 release), I need to update the EOL notices on the website for versions that are going to die soon.

So, I've gone ahead and done that: http://www.snort.org/vrt/rules/eol_policy

2.9.1.2 will EOL on October 17, 2012
2.9.2.1 is EOL now (actually EOL'ed last month, we've just now removed it)
2.9.2.2 will EOL on August 15, 2012
2.9.2.3 is now the current minus one
2.9.3.0 is now the current version

Please see the above link for further details, and be sure and upgrade soon!

Wednesday, July 18, 2012

Database output is dead. R.I.P.

Last June (2011) we gave you a heads up (and several reminders since) that in Snort 2.9.3.0, we were going to remove the spo_database output module as well as Aruba and Prelude outputs.

For those of you that originally compiled Snort like: ./configure --enable-mysql

Or, if you look in your snort.conf and your "output" lines look like this:
output database: alert
AND/OR
output database: log


this will affect YOU.

Our recommendation is that after you upgrade to Snort 2.9.3.0, you move to full unified2 logging and use barnyard2 to read those unified2 files and input them into your mysql database.

You can find more information about barnyard2 here:
https://github.com/firnsy/barnyard2
http://www.securixlive.com/barnyard2/
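A pre-upgrade check for the situation described above, added here as an example (not code from this post or from the Snort project): it flags active "output database:" lines in a snort.conf, along with the Aruba and Prelude output plugins (whose configuration keywords it assumes to be alert_aruba_action and alert_prelude), and prints the unified2 plus barnyard2 replacement with placeholder paths and credentials.

```shell
#!/bin/sh
# Added example, not from the Snort blog or the Snort project: audit a snort.conf
# for the output modules removed in Snort 2.9.3.0 and print the unified2 +
# barnyard2 replacement the post recommends. Paths and the MySQL credentials
# below are placeholders, not values from the post.

# Print every active (uncommented) line that still loads a removed output
# module: spo_database, the Aruba action plugin and the Prelude plugin
# (plugin keywords assumed to be alert_aruba_action and alert_prelude).
# Exit status is grep's: 0 if any such line exists, 1 if none, 2 on error.
removed_outputs() {
    grep -E '^[[:space:]]*output[[:space:]]+(database|alert_aruba_action|alert_prelude)[[:space:]]*:' "$1"
}

# Return 0 when the configuration in $1 will break after the 2.9.3.0 upgrade.
needs_migration() {
    removed_outputs "$1" >/dev/null 2>&1
}

# The replacement pair: Snort writes unified2 spool files, barnyard2 tails the
# spool and performs the database inserts that Snort used to do itself.
print_unified2_replacement() {
    cat <<'EOF'
# --- snort.conf: replace "output database: ..." with a unified2 spool ---
output unified2: filename snort.u2, limit 128

# --- barnyard2.conf (placeholder credentials): the database insert moves here ---
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost

# --- start barnyard2 against the spool (placeholder paths) ---
# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 \
#           -w /var/log/snort/barnyard2.waldo
EOF
}

# Usage: sh audit_outputs.sh /etc/snort/snort.conf
if [ -n "${1:-}" ]; then
    if needs_migration "$1"; then
        echo "removed output module(s) still configured in $1:"
        removed_outputs "$1"
        echo
        print_unified2_replacement
    else
        echo "no removed output modules found in $1"
    fi
fi
```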

As always questions can be asked on the Snort Mailing Lists!  Thank you!

Snort 2.9.3.0 has been released!

Snort 2.9.3.0 is now available on snort.org, at http://www.snort.org/snort-downloads/ in the Latest Release section.


[*] New additions
* Update to flowbit rule option to allow for OR and AND of individual bits within a single rule, and allow flowbits to be used in multiple groups. See README.flowbits and the Snort manual for details.

* Dynamic output plugin architecture providing an API with which developers can write their own output mechanisms to log alert and packet data from Snort.

* Update to dcerpc2 preprocessor for improved accuracy and handling of different OSs for SMB processing. See README.dcerpc2 and the Snort manual for details.

* Updates to reputation preprocessor for handling of whitelists and trustlists and zone information. See README.reputation and the Snort manual for details.

[*] Improvements

* Updates to http_inspect client PAF handling and server flow_depth handling.

* Logging updates to the smtp preprocessor.

* Added detailed documentation of unified2 logging configuration and logging.

* Removed --enable-decoder-preprocessor-rules configure option and hardened preprocessor and decoder rule event code. To enable old behavior such that specific preprocessor and decoder rules don't have to be explicitly added to snort.conf, add "config autogenerate_preprocessor_decoder_rules" to your snort.conf.

* Fixed SMTP mempool allocation for significant memory savings. Also tweaked memory required per stream5 session tracker.

* Force exact versioning match of running dynamic engine and dynamic engine used to build SO rules.

* User can now query reputation pp for routing table and management information.

* Update to return error messages through the control channel.

* Updates to the processing of email attachments for better handling of non-encoded attachments, and improved memory management for attachment processing.

* Improvements in HTTP Inspect for better performance with gzip decompression. Also improvements for handling simple responses, encoded query strings, transfer encoding and chunk encoding processing.

* Updates to the packet decoders to support pflog v4.

* Fix logging of multiple unified2 alerts with reassembled packets.

* Compiler warning cleanup across multiple platforms.

* Added 116:458 and 116:459 to cover fragmentation issues.

[*] Deletions
* Removed all database outputs.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

Sourcefire VRT Certified Snort Rules Update for 07/17/2012, Snort 2.9.3.0 rules included

Just released:
Sourcefire VRT Certified Snort Rules Update for 07/17/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 91 new rules and made modifications to 61 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, botnet-cnc, dos, exploit, file-identify, file-office,
file-other, netbios, policy, scada, specific-threats, spyware-put,
web-activex, web-client and web-misc rule sets to provide coverage for
emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Thursday, July 12, 2012

Sourcefire VRT Certified Snort Rules Update for 07/12/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 07/12/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 75 new rules and made modifications to 17 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, botnet-cnc, dos, exploit, file-identify, file-office,
file-other, netbios, policy, scada, specific-threats, spyware-put,
web-activex, web-client and web-misc rule sets to provide coverage for
emerging threats from these technologies.



To subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Tuesday, July 10, 2012

Sourcefire VRT Certified Snort Rules Update for 07/10/2012, Microsoft Tuesday

Just released:
Sourcefire VRT Certified Snort Rules Update for 07/10/2012


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 54 new rules and made modifications to 27 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
The Sourcefire VRT is aware of vulnerabilities affecting products from
Microsoft Corporation.

Details:
Microsoft Security Bulletin MS12-043:
Microsoft Internet Explorer contains programming errors that may allow
a remote attacker to execute code on a vulnerable system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 23142 through 23146
and 23286 through 23304.

Microsoft Security Bulletin MS12-044:
Microsoft Internet Explorer suffers from a programming error that may
allow a remote attacker to execute code or cause a Denial of Service
(DoS) on a vulnerable system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 23278.

Microsoft Security Bulletin MS12-045:
Microsoft Internet Explorer contains a programming error that may allow
a remote attacker to execute code on an affected system with the
privilege of the current user.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 23280.

Microsoft Security Bulletin MS12-046:
Microsoft Word suffers from a programming error that may allow a remote
attacker to execute code on a vulnerable system.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 1, SIDs 23315 and 23316.

Microsoft Security Bulletin MS12-048:
A vulnerability exists in the way that Microsoft Windows systems
attempt to open certain file types that may allow a remote attacker to
execute code on a vulnerable system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 23314.

Microsoft Security Bulletin MS12-050:
Microsoft SharePoint contains a programming error that may allow a
remote attacker to execute a cross-site scripting attack against a
client.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 1, SIDs 23279, 23281 and
23282.

Previously released rules identified with GID 1, SIDs 23136 and 23137
will also detect attacks targeting this vulnerability.

Additionally, the Sourcefire VRT has added and modified multiple rules
in the botnet-cnc, dos, file-identify, file-office, file-other,
file-pdf, netbios, specific-threats, web-activex and web-misc rule sets
to provide coverage for emerging threats from these technologies.



To subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Thursday, July 5, 2012

Sourcefire VRT Certified Snort Rules Update for 07/03/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 07/03/2012


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 35 new rules and made modifications to 18 additional rules.


There were no changes made to the snort.conf in this release.


In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
botnet-cnc, dos, exploit, file-identify, file-pdf,
indicator-compromise, netbios, server-mail, shellcode,
specific-threats, spyware-put, sql, web-activex and web-misc rule sets
to provide coverage for emerging threats from these technologies.



To subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Wednesday, July 4, 2012

redBorder IPS announcement

From Jaime Nebrera:

I would like to take the opportunity to present redBorder IPS, a new Ruby on Rails based Open Source project around our venerable Snort.
redBorder IPS is a self-contained Linux distribution with two different roles:

As a Manager, it provides the following capabilities in a centralized manner:


  • Event view and storage, based on Snorby with a few enhancements
  • Hierarchical management of multiple sensor configurations (basic networking services, basic Snort configuration) based on Chef with our own recipes and web front end
  • Very powerful rule management system (configuration, inheritance, updating, multiple feeds, …)
  • SNMP monitoring for generic system capabilities (CPU Load, RAM usage, …) as well as specific Snort parameters (Alerts, KPPS, CPU, …)
  • Advanced user management with roles, inheritance and auditing


As a Sensor, it provides the following capabilities:


  • Customized and hardened CentOS 6.2 system with all needed packets
  • Latest Snort & pf_ring versions
  • IPS mode running on top of pf_ring with specific performance enhancements and capability to drop packets within pf_ring itself
  • New IDS Forwarding mode running on top of pf_ring reflecting the packets at kernel level and sending a copy to Snort maintaining the capability to drop packets within pf_ring
  • IDS mode running on top of clustered pf_ring
  • In all cases, we have sponsored the enhancement of Snort DAQ to be able to analyze multiple segments from the same Snort instance and load balance between all available cores, thus granting better hardware usage
  • Support for Bypass (Fail to wire) cards from Silicom



We would like to thank the Sourcefire team for Snort, Dustin Webber for Snorby, the seed we needed to accomplish our daunting task in time, Luca Deri and Alfredo Cardigliano from ntop.org for their great job porting DAQ to the latest pf_ring and some performance and clustering enhancements, the Opscode team for Chef and the Silicom team for their support and experience managing their great cards. Without all of them this project would not have been possible.

Of course, we would also want to give a huge thank you to Produban and Nextel, the two sponsors of all of the developments done up to now. Without them, and without their approval to release these contributions to the public, this project would not exist.

All of this is available at the project website, www.redborder.net.

--

We love the fact that such a large community of IPS configurations (especially load balanced!) is springing up around Snort.  This community is awesome!

Sourcefire of course warns you that using this is at your own risk and your mileage may vary.  We think all projects surrounding Snort are a great addition to the community.