Tuesday, October 30, 2012

Sourcefire VRT Certified Snort Rules Update for 10/30/2012, Rule Recategorization

Just released: Sourcefire VRT Certified Snort Rules Update for 10/30/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 54 new rules and made modifications to 3416 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, dos, exploit, exploit-kit, file-flash, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-shellcode, malware-backdoor, malware-cnc, malware-other, malware-tools, netbios, nntp, os-linux, os-other, os-solaris, os-windows, protocol-ftp, protocol-voip, pua-other, rpc, server-apache, server-iis, server-mail, server-mssql, server-oracle, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as little as $29 (US) a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Thursday, October 25, 2012

Sourcefire VRT Certified Snort Rules Update for 10/25/2012, Rule Category Reorganization

Just released: Sourcefire VRT Certified Snort Rules Update for 10/25/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 8 new rules and made modifications to 1942 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the blacklist, file-identify, file-multimedia, file-other, file-pdf, os-solaris, os-windows, policy-spam, protocol-ftp, protocol-icmp, pua-adware, scan, server-apache, server-iis, server-mysql, server-oracle, server-other and web-client rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as little as $29 (US) a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

A few Shared Object Platforms are now deprecated

As of today, the following Shared Object platform build environments are deprecated as per our EOL policy:

FreeBSD-7-3/i386
FreeBSD-7-3/x86-64
Debian-5-0/i386
Debian-5-0/x86-64
Centos-4-8/i386

If you are using any of the above, please consider upgrading, as you will no longer be able to use precompiled Shared Object rules on your platform. Text rules (the vast majority of the ruleset) are unaffected by this.

Wednesday, October 24, 2012

Snort 2.9.4 RC Now Available!

Snort 2.9.4 RC is now available on snort.org, at
https://www.snort.org/downloads in the Latest Release section.

Snort 2.9.4 includes changes for the following:

[*] New additions

 * Consolidation of IPv6 -- now only a single build supports both IPv4 & IPv6, and removal of the IPv4 "only" code paths.

 * File API and improvements to file processing for HTTP downloads and email attachments via SMTP, POP, and IMAP to facilitate broader file support

 * Use of address space ID for tracking Frag & Stream connections when it is available with the DAQ

 * Logging of packet data that triggers PPM for post-analysis via Snort event

 * Decoding of IPv6 with PPPoE

[*] Improvements

 * Update to Stream5 PAF for handling gaps in the sequence numbers of packets being reassembled.

 * Selection of the Stream TCP policy based on the server rather than the destination of first packet seen by Snort

 * Allow disabling of global thresholds via a count of -1

 * Prevent blocking duplicate SYNs when using inline normalization

 * Add SSLv3 backwards compatibility support for SSLv2 ClientHello messages

 * Allow active responses to packets without data (eg, a TCP SYN)

 * Changed logic of option evaluations for shared library rules that use a custom evaluation function to match that of the builtin logic when the NOT_FLAG is used.  The 'NOT' matching now happens within each of the individual rule option evaluation functions.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

Happy Snorting!
The Snort Release Team

Tuesday, October 23, 2012

Sourcefire VRT Certified Snort Rules Update for 10/23/2012, Rule Category Reorganization

Just released: Sourcefire VRT Certified Snort Rules Update for 10/23/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 67 new rules and made modifications to 667 additional rules.

The following changes were made to the snort.conf in this release:
include $RULE_PATH/browser-plugins.rules 
include $RULE_PATH/indicator-shellcode.rules 
include $RULE_PATH/os-linux.rules 
include $RULE_PATH/os-solaris.rules 
include $RULE_PATH/os-windows.rules 
include $RULE_PATH/os-other.rules 
include $RULE_PATH/policy-spam.rules 
include $RULE_PATH/protocol-finger.rules 
include $RULE_PATH/protocol-ftp.rules 
include $RULE_PATH/protocol-icmp.rules 
include $RULE_PATH/protocol-imap.rules 
include $RULE_PATH/protocol-pop.rules 
include $RULE_PATH/protocol-services.rules 
include $RULE_PATH/protocol-voip.rules 
include $RULE_PATH/pua-adware.rules 
include $RULE_PATH/pua-other.rules 
include $RULE_PATH/server-apache.rules 
include $RULE_PATH/server-iis.rules 
include $RULE_PATH/server-mssql.rules 
include $RULE_PATH/server-mysql.rules 
include $RULE_PATH/server-oracle.rules 
include $RULE_PATH/server-other.rules 
include $RULE_PATH/server-webapp.rules

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: This release introduces the following new rule categories. 
Also, the Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-other, ddos, dns, dos, exploit, exploit-kit, file-flash, file-identify, file-multimedia, file-office, indicator-compromise, indicator-shellcode, malware-cnc, malware-other, os-linux, os-windows, protocol-finger, protocol-ftp, protocol-icmp, protocol-imap, protocol-pop, protocol-services, protocol-voip, scada, specific-threats and web-misc rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as little as $29 (US) a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Snort 2.9.1.2 is now EOL

In accordance with our EOL policy, which you can read here:
https://www.snort.org/eol

Snort version 2.9.1.2's ruleset from the VRT is now EOL'ed after today's release. This was first announced back in July here: http://blog.snort.org/2012/07/2921-eol-notice.html, and announced again here: http://blog.snort.org/2012/10/snort-2912-is-eol-on-october-17th.html

Please be sure to upgrade to the latest version of Snort (2.9.3.1), available here: https://www.snort.org/downloads

Monday, October 22, 2012

Rule Category Reorganization Phase 3

Beginning in April 2012, the Vulnerability Research Team (VRT) began its Rule Category Reorganization effort to realign the rules into an easier-to-understand category structure.

We are continuing that effort with the VRT’s upcoming rule release, adding the following categories:

BROWSER-PLUGINS -- This category contains rules that look for, and control, the traffic of applications that are considered plugins to the browser, ActiveX for example.

INDICATOR-SHELLCODE -- This category contains detection for generic shellcode found in traffic. This category is largely a carry-over from the previous shellcode.rules category.

OS-LINUX -- This category contains detection for vulnerabilities present in the Linux family of operating systems. Intended to be enabled by users who have any Linux OS on the network.

OS-SOLARIS -- This category contains detection for vulnerabilities present in the Sun (now Oracle) Solaris OS. Intended to be enabled by users who have any version of Solaris on the network.

OS-WINDOWS -- This category contains detection for vulnerabilities present in the Windows family of operating systems. Intended to be enabled by users who have any version of Windows present on the network. This excludes Microsoft products such as Office, which is covered by the FILE-OFFICE category.

OS-OTHER -- This category contains detection for vulnerabilities in other operating systems not listed above (Android, AIX, etc.).

POLICY-SPAM -- This category contains rules that are specifically tailored to detect spam within emails.  Largely a carry-over from the present phishing-spam.rules category.

PROTOCOL-FINGER -- This category contains rules for vulnerabilities that are found or are delivered through the finger protocol.

PROTOCOL-FTP -- This category contains rules for vulnerabilities that are found or are delivered through the FTP protocol.

PROTOCOL-ICMP -- This category contains rules for vulnerabilities that are found inside or delivered through the ICMP protocol, as well as rules that report information about ICMP traffic. Largely a carry-over from the present icmp.rules and icmp-info.rules categories.

PROTOCOL-IMAP -- This category contains rules for vulnerabilities present inside of or delivered through the IMAP protocol.

PROTOCOL-POP -- This category contains rules for vulnerabilities present inside of or delivered through the POP protocols.

PROTOCOL-SERVICES -- This category contains rules for vulnerabilities present inside of, or delivered through, the "RServices" features. Largely a carry-over from the present rservices.rules category.

PROTOCOL-VOIP -- This category contains rules for vulnerabilities present inside of, or delivered through, "VOIP" protocols or products. Largely a carry-over from the present voip.rules category, but all VOIP-related products will be consolidated here for easy use.

PUA-ADWARE -- This category contains rules for the detection of adware found in traffic. Largely a carry-over of the present spyware-put.rules category, renamed to fall in line with the naming convention of our other products and to allow easy consolidation into one category from multiple places.

PUA-OTHER -- This category will contain anything that is considered a "Potentially Unwanted Application" that does not fit into the other PUA categories.

SERVER-APACHE -- This category will contain rules for the detection of vulnerabilities present in the Apache Web Server family of products.

SERVER-IIS -- This category will contain rules for the detection of vulnerabilities present in the Microsoft IIS family of products.

SERVER-MSSQL -- This category will contain rules for the detection of vulnerabilities present in the Microsoft MSSQL family of products.

SERVER-MYSQL -- This category will contain rules for the detection of vulnerabilities present in the Oracle MySQL family of products.  Largely a carry-over from the present mysql.rules category.

SERVER-ORACLE -- This category will contain rules for the detection of vulnerabilities present in the Oracle Database.  Largely a carry-over from the present oracle.rules category.

SERVER-WEBAPP -- This category will contain rules for the detection of vulnerabilities present in "Web based Applications".

SERVER-OTHER -- This category will contain rules for the detection of vulnerabilities against servers not otherwise listed above.

To include these in your snort.conf, please add the following lines to the rule section at the end. If you are using PulledPork in its default mode, you shouldn't need to do anything:

include $RULE_PATH/browser-plugins.rules
include $RULE_PATH/indicator-shellcode.rules
include $RULE_PATH/os-linux.rules
include $RULE_PATH/os-solaris.rules
include $RULE_PATH/os-windows.rules
include $RULE_PATH/os-other.rules
include $RULE_PATH/policy-spam.rules
include $RULE_PATH/protocol-finger.rules
include $RULE_PATH/protocol-ftp.rules
include $RULE_PATH/protocol-icmp.rules
include $RULE_PATH/protocol-imap.rules
include $RULE_PATH/protocol-pop.rules
include $RULE_PATH/protocol-services.rules
include $RULE_PATH/protocol-voip.rules
include $RULE_PATH/pua-adware.rules
include $RULE_PATH/pua-other.rules
include $RULE_PATH/server-apache.rules
include $RULE_PATH/server-iis.rules
include $RULE_PATH/server-mssql.rules
include $RULE_PATH/server-mysql.rules
include $RULE_PATH/server-oracle.rules
include $RULE_PATH/server-other.rules
include $RULE_PATH/server-webapp.rules

Updated default snort.conf files are here: https://www.snort.org/configurations

If you are using the Sourcefire product, PulledPork, or Oinkmaster, the vast majority of you should be unaffected. These products will handle the transition just fine. The only way you will be affected using PulledPork (or Oinkmaster's related tools) is if you use enablesid.conf or disablesid.conf to enable or disable entire categories of rules.
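As an added example (not from this post or the Snort project), the following Python script checks an existing snort.conf for the 23 include lines listed above and flags the old category files the post names as carry-overs (shellcode, icmp, icmp-info, rservices, voip, spyware-put, mysql, oracle, phishing-spam) that are still being included by their old name. The snort.conf fragment inside it is constructed for the demonstration.

```python
import re

# The 23 category files the Phase 3 post asks to be included (taken from the post).
PHASE3_CATEGORIES = [
    "browser-plugins", "indicator-shellcode", "os-linux", "os-solaris",
    "os-windows", "os-other", "policy-spam", "protocol-finger", "protocol-ftp",
    "protocol-icmp", "protocol-imap", "protocol-pop", "protocol-services",
    "protocol-voip", "pua-adware", "pua-other", "server-apache", "server-iis",
    "server-mssql", "server-mysql", "server-oracle", "server-other",
    "server-webapp",
]

# Old category files the post names as carry-overs, mapped to their new home.
LEGACY_TO_NEW = {
    "shellcode": "indicator-shellcode",
    "phishing-spam": "policy-spam",
    "icmp": "protocol-icmp",
    "icmp-info": "protocol-icmp",
    "rservices": "protocol-services",
    "voip": "protocol-voip",
    "spyware-put": "pua-adware",
    "mysql": "server-mysql",
    "oracle": "server-oracle",
}

# Constructed snort.conf fragment for the demonstration; not a real configuration.
SAMPLE_CONF = """\
var RULE_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/browser-plugins.rules
include $RULE_PATH/os-windows.rules
# include $RULE_PATH/os-linux.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/icmp-info.rules
"""

# Only an uncommented 'include $RULE_PATH/<category>.rules' line loads a category.
INCLUDE_RE = re.compile(r"^\s*include\s+\$RULE_PATH/([\w.-]+)\.rules\s*$")


def active_includes(conf_text):
    """Category names whose rule file is actually included (commented lines ignored)."""
    found = set()
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            found.add(m.group(1))
    return found


def missing_phase3_includes(conf_text):
    """Phase 3 categories not yet included, in the order the post lists them."""
    present = active_includes(conf_text)
    return [c for c in PHASE3_CATEGORIES if c not in present]


def stale_legacy_includes(conf_text):
    """(old, new) pairs for carry-over categories the conf still includes by old name."""
    present = active_includes(conf_text)
    return sorted((old, new) for old, new in LEGACY_TO_NEW.items() if old in present)


def include_lines_to_add(conf_text):
    """The exact lines to append to the rule section of snort.conf."""
    return ["include $RULE_PATH/%s.rules" % c for c in missing_phase3_includes(conf_text)]


if __name__ == "__main__":
    print("\n".join(include_lines_to_add(SAMPLE_CONF)))
    for old, new in stale_legacy_includes(SAMPLE_CONF):
        print("# %s.rules is a carry-over into %s.rules" % (old, new))
```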

Thursday, October 18, 2012

Sourcefire VRT Certified Snort Rules Update for 10/18/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 10/18/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 14 new rules and made modifications to 237 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the bad-traffic, dos, file-flash, file-identify, malware-backdoor, malware-cnc, malware-other, multimedia, netbios and web-php rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as little as $29 (US) a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Tuesday, October 16, 2012

Sourcefire VRT Certified Snort Rules Update for 10/16/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 10/16/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 29 new rules and made modifications to 620 additional rules.

The following changes were made to the snort.conf in this release:
The following line was updated from:
config event_queue: max_queue 8 log 3 order_events content_length
to
config event_queue: max_queue 8 log 5 order_events content_length

The following ports were added to http_inspect, the HTTP_PORTS variable, and stream5:
383
8300
50002

The example snort.conf files that the VRT recommends you use can be found here:
https://www.snort.org/configurations

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the app-detect, browser-firefox, ddos, exploit, exploit-kit, indicator-compromise, malware-backdoor, malware-cnc, malware-other, misc, netbios and web-iis rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as little as $29 (US) a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Monday, October 15, 2012

SkyDogCon in Nashville coming up!

We are highlighting this because one of our own is speaking on some of the Exploit Kit detection and research we've been focusing on recently: Alex Kirk from the Vulnerability Research Team (VRT)!

If you are in the area, be sure to attend!

An excerpt from SkyDogCon's own website:

As the process of owning systems and dragging them into botnets becomes ever more commercialized, exploit kits have emerged as a favorite of attackers; their point-click-own nature means even non-technical people with a little cash can control your PC today. This talk will examine how some popular exploit kits work, from lure through payload; and discuss detection and prevention methodologies, with a focus on IDS/IPS. Live examples from the wild will be used throughout.
Alex Kirk is a senior researcher with the Sourcefire Vulnerability Research Team (VRT), and the head of that group's Awareness, Education, Guidance, and Intelligence Sharing (AEGIS) program, which is designed to increase direct collaboration between Sourcefire customers, the Snort user community, and the VRT in the interests of improved detection and coverage. In his 8 years with the VRT, Alex has become one of the world's leading experts on Snort rules, and has honed skills in reverse engineering, network traffic analysis, and systems security. He recently contributed a pair of Snort-related chapters to "Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century," and is a regular contributor to the widely-read VRT blog (http://vrt-blog.snort.org). His current major technical project at Sourcefire involves automated collection of network data generated by malicious binaries, including Android packages, and analysis of that data for detection purposes.

Thursday, October 11, 2012

Sourcefire VRT Certified Snort Rules Update for 10/11/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 10/11/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 12 new rules and made modifications to 45 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, dos, exploit, exploit-kit, file-flash, file-identify, file-office, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other, scan and web-misc rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as little as $29 (US) a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Tuesday, October 9, 2012

Sourcefire VRT Certified Snort Rules Update for 10/09/2012, MS Tuesday

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/09/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 12 new rules and made modifications to 16 additional rules.

The following changes were made to the snort.conf:

portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1741,1830,2301,2381,2809,3128,3702,4343,4848,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8090,8118,8123,8180,8181,8243,8280,8800,8888,8899,9000,9080,9090,9091,9443,9999,11371,55555] 

now reads:

portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1741,1830,2301,2381,2809,3128,3702,4343,4848,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8090,8118,8123,8180,8181,8243,8280,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,55555] 

(Addition of 9060)

The port was also added to stream5 and http_inspect's configuration lines.

I have updated the example snort.conf files; they can be found here: https://www.snort.org/configurations
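This post and the 10/16/2012 update above each add a port to HTTP_PORTS and then to the stream5 and http_inspect lines as well; a port that lands in only one of the three is silently not inspected as HTTP. The following Python check is an added example (not part of the post or of Snort) and assumes the VRT-style layout: a `ports { ... }` option on `http_inspect_server: server default` and a `ports both ...` list on `stream5_tcp`; the snort.conf fragment it contains is constructed.

```python
import re

# Constructed snort.conf fragment for the demonstration; not a real VRT configuration.
# 9060 is in HTTP_PORTS and http_inspect but missing from stream5; 50002 is in
# HTTP_PORTS and stream5 but missing from http_inspect.
SAMPLE_CONF = """\
portvar HTTP_PORTS [80,81,8080,9060,50002]

preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \\
    timeout 180, \\
    ports client 21 22 23 25 110 143, \\
    ports both 80 81 8080 50002

preprocessor http_inspect_server: server default \\
    http_methods { GET POST PUT } \\
    server_flow_depth 0 \\
    ports { 80 81 8080 9060 } \\
    oversize_dir_length 500
"""


def _join_continuations(conf_text):
    """snort.conf directives may continue across lines with a trailing backslash;
    fold each such directive onto one logical line."""
    return re.sub(r"\\[ \t]*\n", " ", conf_text)


def _ports(tokens):
    """Expand port tokens; a 'lo:hi' token is a Snort port range."""
    out = set()
    for tok in tokens:
        tok = tok.strip()
        if not tok:
            continue
        if ":" in tok:
            lo, hi = tok.split(":", 1)
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(tok))
    return out


def http_ports_var(conf_text):
    """Ports in 'portvar HTTP_PORTS [a,b,c]'."""
    m = re.search(r"^\s*portvar\s+HTTP_PORTS\s+\[([^\]]*)\]",
                  _join_continuations(conf_text), re.M)
    return _ports(m.group(1).split(",")) if m else set()


def http_inspect_ports(conf_text):
    """Ports in the 'ports { ... }' option of the default http_inspect_server."""
    m = re.search(r"^\s*preprocessor\s+http_inspect_server:\s*server\s+default\b(.*)$",
                  _join_continuations(conf_text), re.M)
    pm = re.search(r"\bports\s*\{([^}]*)\}", m.group(1)) if m else None
    return _ports(pm.group(1).split()) if pm else set()


def stream5_both_ports(conf_text):
    """Ports in the 'ports both ...' list of stream5_tcp (assumed to be the list
    the VRT adds HTTP ports to)."""
    m = re.search(r"^\s*preprocessor\s+stream5_tcp:(.*)$",
                  _join_continuations(conf_text), re.M)
    pm = re.search(r"\bports\s+both\s+([\d\s:]+)", m.group(1)) if m else None
    return _ports(pm.group(1).split()) if pm else set()


def port_mismatches(conf_text):
    """HTTP_PORTS entries that http_inspect and/or stream5 would not treat as HTTP."""
    hp = http_ports_var(conf_text)
    return {
        "missing_from_http_inspect": sorted(hp - http_inspect_ports(conf_text)),
        "missing_from_stream5": sorted(hp - stream5_both_ports(conf_text)),
    }


if __name__ == "__main__":
    print(port_mismatches(SAMPLE_CONF))
```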

In VRT's rule release:
Synopsis: The Sourcefire VRT is aware of multiple vulnerabilities affecting products from Microsoft Corporation. 
Details: Microsoft Security Bulletin MS12-064: Microsoft Word contains programming errors that may allow a remote attacker to execute code on an affected system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 24353, 24354, 24357 and 24358. 
Microsoft Security Bulletin MS12-065: Microsoft Works contains programming errors that may allow a remote attacker to execute code on an affected system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 24351 and 24352. 
Microsoft Security Bulletin MS12-066: A vulnerability in the Microsoft HTML sanitization component may allow an attacker to elevate privileges. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 23136 and 23137. 
Microsoft Security Bulletin MS12-069: The Microsoft implementation of Kerberos may allow a remote attacker to cause a Denial of Service (DoS) against an affected system. A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 24360. 
Microsoft Security Bulletin MS12-070: A vulnerability in Microsoft SQL Server may allow a remote attacker to elevate privileges. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 24355 and 24356.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as little as $29 (US) a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Some VRT Shared Object rule platforms are being EOL'ed

As always, this is an EOL notification for the following platforms. They are all EOL and are no longer supported with updates:

Debian-5-0/x86-64
Debian-5-0/i386
Centos-4-8/i386
Ubuntu 8.4 i386
Ubuntu 8.4 x86-64

We have also been adding support for the following:
OpenSUSE-11-4/x86-64
OpenSUSE-11-4/i386

The official page has been updated to reflect these changes:

Thursday, October 4, 2012

Sourcefire VRT Certified Snort Rules Update for 10/04/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 10/04/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 43 new rules and made modifications to 33 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the bad-traffic, blacklist, dos, exploit, exploit-kit, file-multimedia, file-other, indicator-compromise, malware-cnc, malware-other, netbios, sql, web-activex, web-client and web-misc rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as little as $29 (US) a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!

Snort 2.9.1.2 is EOL on October 17th!

In accordance with our EOL policy, which you can read here:
https://www.snort.org/eol

Snort version 2.9.1.2's ruleset from the VRT will be EOL'ed as of October 17th. This was first announced back in July here: http://blog.snort.org/2012/07/2921-eol-notice.html.

Please be sure to upgrade to the latest version of Snort (2.9.3.1), available here: https://www.snort.org/downloads

Tuesday, October 2, 2012

Sourcefire VRT Certified Snort Rules Update for 10/02/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 10/02/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 43 new rules and made modifications to 20 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank James Lay for his contributions to rule 24265.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the app-detect, browser-webkit, dns, exploit, exploit-kit, file-multimedia, file-office, file-other, file-pdf, icmp, malware-cnc, malware-other, voip, web-activex, web-client and web-misc rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as little as $29 (US) a year; be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the most emerging threats!